## Abstract

Nonlocal correlations, a longstanding foundational topic in quantum information, have recently found application as a resource for cryptographic tasks where not all devices are trusted, for example, in settings with a highly secure central hub, such as a bank or government department, and less secure satellite stations, which are inherently more vulnerable to hardware “hacking” attacks. The asymmetric phenomena of Einstein–Podolsky–Rosen (EPR) steering plays a key role in one-sided device-independent (1sDI) quantum key distribution (QKD) protocols. In the context of continuous-variable (CV) QKD schemes utilizing Gaussian states and measurements, we identify all protocols that can be 1sDI and their maximum loss tolerance. Surprisingly, this includes a protocol that uses only coherent states. We also establish a direct link between the relevant EPR steering inequality and the secret key rate, further strengthening the relationship between these asymmetric notions of nonlocality and device independence. We experimentally implement both entanglement-based and coherent-state protocols, and measure the correlations necessary for 1sDI key distribution up to an applied loss equivalent to 7.5 and 3.5 km of optical fiber transmission, respectively. We also engage in detailed modeling to understand the limits of our current experiment and the potential for further improvements. The new protocols we uncover apply the cheap and efficient hardware of CV-QKD systems in a significantly more secure setting.

© 2016 Optical Society of America

## 1. INTRODUCTION

Quantum mechanics promises many new opportunities for the design of communication networks, providing highly correlated resources, such as entangled or even nonlocal states, as well as stringent restrictions on the possible knowledge of observables, as exemplified by Heisenberg’s uncertainty principle. By considering entropic versions of these uncertainty relations [1,2], the intimate connection between entanglement and uncertainty, first uncovered in the seminal work of Einstein, Podolsky, and Rosen (EPR) [3], has since begun to be formalized and quantified [4].

Both these features are of value to the would-be cryptographer, as they enable protocols in which security is grounded in the laws of quantum physics, with the most celebrated example being quantum key distribution (QKD) [5]. The earliest, and most conceptually simple, QKD schemes encode a discrete variable (DV) key in a two-dimensional Hilbert space [6,7]. As the optical implementation involves sophisticated techniques such as the generation and detection of single photons, considerable attention has also been devoted to schemes that instead utilize the quadratures of the optical field [8–12] in which one has access to deterministic, high-efficiency broadband sources and detectors. This approach is more theoretically involved, however, as the secret key is now a continuous variable (CV) that is encoded in states living in an infinite-dimensional Hilbert space.

The challenge of realizing the full promise of QKD—physically guaranteed security with minimal additional assumptions—has crystallized into two fronts. In the first place, we desire a lower bound on the extractable secret key length, including the effects of a finite number of transmitted symbols, that allows for an arbitrarily powerful eavesdropper (Eve) [13–16]. In the second place, we would like to close any gaps that may exist between a theoretical QKD protocol and its practical realization. Essentially, this is the problem of whether or not the honest parties (Alice and Bob) have correctly characterized their experimental devices. One might expect that these gaps must simply be closed on a case-by-case basis. Indeed, as various loopholes due to mischaracterized devices have been pointed out, they have usually been followed by straightforward methods for their closure. Remarkably, however, it is in-principle possible to rigorously surmount even this challenge by harnessing nonlocal quantum correlations, and it is this second problem we tackle for the entire Gaussian family of CV-QKD protocols. We identify all protocols that can be proven secure in a one-sided device-independent (1sDI) setting, i.e., independent of the devices of either Alice or Bob (but not both), and provide a proof-of-principle experimental demonstration of some of the most practical of such protocols.

Fully device-independent (DI) protocols allow Eve control over all experimental devices and are closely related to the concept of Bell nonlocality and the exclusion of local hidden variable (LHV) models [17–22]. These schemes are extremely experimentally challenging as they require the implementation of a detection-loophole-free Bell test [23–25]. As such, they are also out of reach for purely Gaussian protocols, as it is impossible to violate a Bell inequality utilizing only Gaussian resources [26]. More recently, an intermediate, asymmetric form of nonlocality known as EPR-steering has been classified, which allows Alice or Bob to rule out an LHV explanation of the other parties’ correlations [27]. A natural question to ask is whether there exist analogous cryptographic results, where only one party’s devices are untrusted. This possibility, first noted in Ref. [28], was subsequently developed to prove the security of experimentally difficult, but feasible, proposals for 1sDI DVQKD protocols, which were explicitly linked to the corresponding EPR steering inequality [29]. Note that this should not be confused with the distinct concepts of measurement-device-independent QKD, in which both Alice and Bob use trusted sources to generate a key via an untrusted measurement in the middle [30–34], and semi-device independence, in which all devices are untrusted, but assumptions are made about the Hilbert space dimension [35].

As with Bell tests, closure of the steering detection loophole has only recently been achieved in state-of-the-art single-photon experiments [36–38]. This is in stark contrast to the CV case where detection-loophole-free tests have been experimentally feasible for over 20 years [39] and very strong violations of steering inequalities have been demonstrated [40]. Protocols motivated by these hardware advantages have begun to appear. A direct extension [28] to the infinite-dimensional Hilbert spaces relevant for CV-QKD [41] has been applied to propose a discretized 1sDI-CV-QKD protocol that also accounts for finite-size effects [15,16], and a scheme independent of Bob’s devices only has recently been demonstrated [42].

In this paper we utilize further advances in entropic uncertainty relations [43,44] to theoretically and experimentally investigate the security of the entire family of 16 Gaussian CV-QKD protocols against arbitrary attacks in the asymptotic setting. We identify the six protocols, including two prepare-and-measure (P&M) schemes, that can be proven 1sDI and compactly calculate their secret key rates. Remarkably, we show that 1sDI-CV-QKD is possible with the cheapest and most practical resource in quantum optics—coherent states. We calculate the ultimate limits for all protocols under realistic decoherence channels and show that, while reasonably robust to losses, and hence more practical than their DV counterparts over short to medium distances, all the 1sDI-CV-QKD protocols are inherently loss-limited. We also make explicit the connection between the asymmetric forms of nonlocality and DI cryptography, with the 1sDI-CV-QKD key rates displaying an elegant connection to the relevant EPR-steering parameter, a result not known for the DV protocols. Finally, we experimentally implement several protocols, including both P&M and entanglement-based (EB) schemes, finding varying degrees of robustness to losses and experimental imperfections. The best performing protocols allow equivalent losses of up to 7.5 km of optical fiber transmission. Notably, the coherent state protocol has the poorest theoretical loss tolerance, but its experimental performance lies closest to the theoretical limits, indicating it could well be the most practical candidate for short-range 1sDI metropolitan networks.

## 2. RESULTS

#### A. Entropic Uncertainty Relations and CV-QKD

The most common CV-QKD protocols are the Gaussian protocols that encode information in the quadratures of the optical field, described by operators like $\widehat{x}=\sqrt{\frac{\hslash}{2}}(\widehat{a}+{\widehat{a}}^{\u2020})$ and $\widehat{p}=\sqrt{\frac{\hslash}{2}}i({\widehat{a}}^{\u2020}-\widehat{a})$, where $\widehat{a}$ and ${\widehat{a}}^{\u2020}$ are bosonic annihilation and creation operators. One can prepare squeezed [8,9] or coherent [12] states, and measure with either homodyne detection (switching between quadratures) or heterodyne detection [45] (where both quadratures are measured simultaneously). One could also use EB schemes where two-mode squeezing is used to create Gaussian EPR-correlated states (EPR states) [10]. An equivalence between these EB schemes and the P&M approaches has been established in a device-dependent scenario [46]. The communicating parties, Alice and Bob, can also use either a direct reconciliation (DR) scheme in which Alice sends corrections to Bob or a reverse reconciliation (RR) scheme [11] in which Bob sends corrections to Alice. This makes for a total of 16 protocols. Only the RR protocols allow for losses above 50%, although one can also achieve this loss-tolerance via postselection, which discards some of the keys in order to retain a more correlated subset [47].

Previous works have proved the security of Gaussian CV-QKD in the asymptotic limit up to the level of collective attacks, via the Gaussian extremality of relevant quantities [48,49]. The proofs were finally raised to the level of the most general coherent attacks by use of the de Finetti theorem adapted to infinite dimensions [50], which shows that collective attacks are in fact optimal. Consequently, one can asymptotically lower bound the secret key rate by considering only Gaussian collective attacks. For concreteness, we first consider an RR protocol with EPR states and a secret key extracted from Alice and Bob’s homodyne measurements denoted by the random variables ${X}_{A(B)}$ with outcomes ${x}_{A(B)}$, which follow probability distributions $p({x}_{A(B)})$. Neglecting detector and reconciliation efficiencies for simplicity (we shall include these effects in our final calculations) the asymptotic RR secret key rate is lower bounded by [48,49]

where the left-pointing white triangle denotes the direction of information flow during reconciliation from Bob to Alice. A right-pointing triangle would signify DR from Alice to Bob. Here, $I({X}_{A}\text{:}{X}_{B})=H({X}_{A})-H({X}_{A}|{X}_{B})$ denotes the classical mutual information between Alice and Bob, with $H(X)=-\int \mathrm{d}xp(x)\mathrm{log}\text{\hspace{0.17em}}p(x)$ being the continuous Shannon entropy of the measurement strings and $\chi ({X}_{B}\text{:}E)=S(E)-\int \mathrm{d}{x}_{B}p({x}_{B})S(E|{x}_{B})$ denotes the Holevo bound, with $S(E)=-\mathrm{tr}({\rho}_{E}\text{\hspace{0.17em}}\mathrm{log}\text{\hspace{0.17em}}{\rho}_{E})$ the von Neumann entropy and $S(E|B)=S(EB)-S(B)$ the conditional von Neumann entropy of $E$ given $B$. In the case that systems are classical, e.g., $B={X}_{B}$, the von Neumann entropies may be replaced by Shannon entropies.One can alternatively analyze the security in terms of the conditional entropy of the observable ${\widehat{x}}_{B}$ from the perspective of a quantum eavesdropper $E$:

where ${\rho}_{E}^{{x}_{B}}$ is the conditional state of $E$ given measurement outcome ${x}_{B}$.Writing out the key rate in Eq. (1) in full and comparing with Eq. (2) we have

Bounding the conditional entropy of an observable is the longstanding goal of the study of entropic uncertainty relations [1,2]. For our purposes, we require a general tripartite relation, encompassing Alice, Bob, and Eve, that holds for continuous quadrature observables in an infinite-dimensional Hilbert space (see Supplement 1 for details). Very recently, an appropriate relation bounding the entropy of Bob and Eve regarding the conjugate quadratures of Alice has been derived [43,44,51]:

This entropic uncertainty relation now allows us to bound the eaves-droppers information on the relevant observable. Substituting from Eq. (4) and recalling that $S({P}_{A}|B)\le S({P}_{A}|{P}_{B})=H({P}_{A}|{P}_{B})$, we can write

Thus we have bounded the secret key by an expression that depends only upon the conditional Shannon entropies that are directly accessible to Alice and Bob. Furthermore, one can show via a variational calculation that, for any probability distribution $p(x)$, the corresponding Shannon entropy is maximized for a Gaussian distribution of the same variance. In other words, Alice and Bob can bound their secret key rate for this protocol by measuring Bob’s conditional variances. Substituting the Shannon entropy for a Gaussian distribution ${H}_{G}({x}_{B}|{x}_{A})=\mathrm{log}\sqrt{2\pi e{V}_{{X}_{B}|{X}_{A}}}$, where ${V}_{{X}_{B}|{X}_{A}}={V}_{{X}_{B}}-\frac{{\u27e8{X}_{A}{X}_{B}\u27e9}^{2}}{{V}_{{X}_{A}}}$ is Bob’s variance conditioned on Alice’s measurement, we arrive at the final expression for the RR key rate:

The DR expression is obtained by simply permuting the labels of Alice and Bob. We note that this expression was also calculated in Ref. [51], but the proof was incomplete, as it relied on the assumption of the applicability of the entropic uncertainty relation. Moreover, it was incorrectly concluded that this method would never predict a positive key when applied to coherent state or heterodyne protocols. In fact, the extension of Eq. (6) to the other Gaussian protocols is straightforward and is given in Supplement 1.

#### B. 1sDI-CV-QKD

An important benefit of utilizing entropic uncertainty relations in QKD proofs is that they lend themselves toward 1sDI protocols [28,29]. These are relaxed versions of the fully DI schemes [18–20] in which all devices are untrusted and the security is guaranteed via a detection-loophole-free Bell violation. The only assumptions that need to be made for DI schemes are the security of the stations, the causal independence of the measurement trials, and a trusted source of randomness for choosing measurement settings. We adopt the same assumptions here; however, it should be noted that recently schemes have appeared that do not require causal independence [21,22].

For 1sDI-QKD protocols, only one side, Alice or Bob, is untrusted and regarded as a black box while the other is assumed to involve a particular set of quantum operations (see Fig. 1). Now, the security is linked to the steering inequalities [27] associated with the observables on the trusted side. The 1sDI nature of these entropic proofs is manifest in expressions like Eq. (6), in that it depends upon measuring a known observable upon only one side. For example, in the derivation, we need to know only that Bob is measuring either ${\widehat{x}}_{B}$ or ${\widehat{p}}_{B}$ in order to apply the entropic uncertainty relation. Although we write expressions ${V}_{{X}_{B}|{X}_{A}}$, as this is what will be measured in experiments, Alice could be making any measurement (not necessarily a quadrature measurement), and the key rate given by Eq. (6) would still hold.

Thus, for EPR states and homodyne measurements, any positive key predicted via the entropic uncertainty relation is by definition 1sDI, independent of Alice for RR and Bob for DR [15,16]. However, this device independence does not necessarily extend to the protocols involving heterodyne detection. This is essentially because the proof to derive nonzero key rates for the heterodyne protocols depends upon characterizing the devices used in the heterodyne detection. Therefore, employing a heterodyne detection on the supposedly untrusted side immediately invalidates the device independence. Alternatively, recall that a steering demonstration requires a measurement choice by the untrusted party [27] and no such choice takes place if they heterodyne detect. Nonetheless, the remaining protocols, with the heterodyne detection taking place in the trusted station, are still implementable with high-efficiency sources and detection opening the way to several 1sDI-CV-QKD protocols with current technology. This means that, for EB protocols, both DR and RR may be 1sDI provided all parties are homodyning, while Bob may safely heterodyne for an RR protocol and Alice may heterodyne for a DR protocol. Finally, for DR protocols where Alice (who controls the source) is trusted, we may also safely make the equivalence between P&M and EB schemes. Remarkably, this means that, for DR, it is possible to generate 1sDI key using only coherent states. We summarize which of the 16 possible Gaussian protocols are potentially 1sDI in the table inset in Fig. 2.

Although they allow for 1sDI keys, the entropic proofs result in different, and, it turns out, generically lower, secret key rates than the standard proofs for Gaussian CV-QKD schemes. To map out the ultimate limits of these protocols, we first consider an idealized setup with perfect detectors and a highly squeezed (10 dB) two-mode squeezed vacuum source. To evaluate performance, we consider a Gaussian channel, an excellent model for real fiber optic cable, characterized by a transmission $T$ and an excess noise parameter $\xi $, given in units of shot noise. The noise parameter can be thought of as the noise input to the channel such that a pure state with unity variance would have a variance $1+T\xi $ after the channel. Neglecting imperfections such as detector and reconciliation efficiency, this is the chief factor that limits the range. In Fig. 2 we plot the four distinct secure regions (there are two redundancies between P&M and EB schemes) for the 1sDI protocols. The best performing scheme (in terms of loss tolerance) is the RR EPR scheme in which both parties homodyne. In the limit of low excess noise, this scheme is secure for up to 73% loss. For very low noises the next best scheme is the RR protocol in which Bob heterodyne detects, but for higher noises the DR protocol with both parties homodyning (or alternatively with Alice sending squeezed states) performs better. Finally, although the DR coherent state scheme performs the poorest, it is still secure up to around 33% loss. These results show that 1sDI-CV-QKD is reasonably robust to decoherence, but noticeably less loss tolerant than the standard CV-QKD. In this idealized case, the standard protocols tolerate arbitrarily large amounts of loss provided the excess noise is sufficiently small, whereas our results show that all the Gaussian 1sDI CV-QKD protocols are inherently loss limited. Ultimately, this is because the uncertainty relations used to bound the secret key rate are tight only when the parties involved, e.g., Bob and Eve in Eq. (6), can be approximated as sharing a pure, highly-squeezed EPR state [16,43]. In reality, this is rarely ever the case, and the entropic proof method tends to give a pessimistic bound on the eavesdroppers information. We will discuss the prospects for extending the transmission range in the final section.

#### C. Connection to EPR Steering

In the earlier DV work, a clear conceptual link was made between DI protocols and Bell nonlocality [18]. Our intuition that the 1sDI-DV-QKD protocols should be analogously related to the corresponding asymmetric form of nonlocality, EPR steering, was confirmed by Branciard *et al.*, who showed that the condition for their protocol to achieve a positive key was equivalent to a steering inequality [29].

For the Gaussian states and measurements relevant to CV-QKD, steering is traditionally demonstrated by a violation of a condition on the conditional variances. In particular, we must violate ${\mathcal{E}}_{\u25b8}:={V}_{{X}_{B}|{X}_{A}}{V}_{{P}_{B}|{P}_{A}}\ge 1$ for Alice to provably steer Bob, as indicated by the right black triangle, and similarly with $A$ and $B$ interchanged [27] and the arrow reversed. This is precisely the same as the EPR paradox criteria derived long ago by Reid [52]. Comparison with Eq. (6) shows that we can write the key directly in terms of the steering parameter:

For the homodyne key rate, ${K}^{\u25c3}>0$ if and only if ${\mathcal{E}}_{\u25b8}<{\left(\frac{2}{e}\right)}^{2}\approx 0.55$, with the identical relation between the DR key rate and ${\mathcal{E}}_{\u25c2}$ following straightforwardly. In other words, the condition for a positive 1sDI key is more stringent than EPR steering, similarly to the case for 1sDI-DV-QKD [29]. For the protocols where a trusted heterodyne detection takes place, the security of the protocol is instead linked to the steerability of the outcome of the heterodyne measurement, which will be more challenging due to the extra loss involved (see Supplement 1). Consequently, this connection gives us an operational interpretation for the Reid product of conditional variances [52] as being directly related to the number of secure 1sDI bits extractable from Gaussian states with Gaussian measurements. This is a particularly practical cryptographic interpretation, in addition to previous work highlighting the links between steering and one-sided device independence in quantum teleportation [53] and secret sharing [54]. Interestingly, the gap between a steering violation and the generation of a 1sDI key tells us that Eve’s optimal attack (which we know to be Gaussian) followed by a non-Gaussian collective measurement allows her to more effectively steer the Gaussian measurement results of Alice and Bob than any Gaussian measurement.

As a side note, we point out that, in the situation where Eve is restricted to individual attacks, we would expect a perfect correspondence between steering and key generation since the optimal eavesdropping strategy is known to utilize Gaussian measurements in this scenario. Recalling the secret key formulas when Eve makes Gaussian measurements, ${K}_{G}$ [11], we find this is indeed the case with

In short, one can also interpret the entropic EPR steering criteria as precisely quantifying the number of secret, 1sDI bits, extractable from a scenario where all parties are restricted to individual measurements.

#### D. Experimental Results

As mentioned in the previous sections, six of the 16 possible Gaussian protocols are 1sDI. We implement five protocols experimentally, three of which exhibit sufficient correlations to allow for 1sDI-CV-QKD. Two different experimental setups were used, the first for the EB protocols based on EPR correlations and the second for a coherent-state P&M protocol (see Fig. 4). To perform the first and second 1sDI protocols we used the EPR source while both parties performed a homodyne detection. The third and fourth protocols were implemented using the same EPR source while one party (Alice for the DR protocol and Bob for the RR protocol) heterodyned while the other homodyned. Finally, the P&M scheme was implemented for the DR protocol where Alice, who was trusted and controlled the source, generated coherent states and Bob performed a homodyne measurement.

In each protocol, Alice and Bob are connected by a lossy channel of transmission $T$. The lossy channel is constructed using a half-wave plate and a polarizing beam splitter, as detailed in Fig. 4(a)(ii). We express the applied loss as the equivalent transmission distance through a standard telecom optical fiber with a loss of 0.2 dB/km. Ideally, the secret key rate could be computed directly from the expressions in Supplement 1. However, in practice we must modify these expressions, multiplying Alice and Bob’s mutual information by a factor $\beta <1$ to account for finite information reconciliation efficiency (see Supplement 1 for explicit calculations). Reconciliation efficiencies for CV-QKD have increased substantially in the past few years [55,56], with efficiencies of between 94% and 95.5% recently reported [42]. Here, we choose $\beta =0.95$. The inclusion of $\beta <1$ will reduce the final calculated key rate. This makes the condition ${\mathcal{E}}_{\u25b8(\u25c2)}<0.55$ necessary but no longer sufficient for a positive key when $\beta $ is included. A schematic diagram of all the performed experiments and the achieved results are summarized in Fig. 3.

Among the successful implementations, protocol 2 (EB scheme RR protocol where both parties homodyned) shows the best loss tolerance and protocol 1 (EB scheme DR protocol where both parties homodyned) shows the worst, with protocol 5 (coherent state P&M scheme with homodyne detection) being intermediate. This actually demonstrates a different hierarchy of loss tolerance than the theoretical results calculated in the limit of very large squeezing and pure entanglement (Fig. 2). This difference is because in our experiment we had only about −6 dB of squeezing and 10.7 dB of anti-squeezing, which, along with other losses and imperfections, degraded the quality of the entangled source and hence limited the range of the EB protocols. This is also why the heterodyne protocols (3 and 4) fail to produce any positive key at all, as overcoming the shot noise penalty requires extremely strong correlations. Our calculations show that a perfect system with no losses of any kind and reconciliation efficiency of 0.95 would still require at least 7 dB of perfectly pure squeezing ($-7\text{\hspace{0.17em}\hspace{0.17em}}\mathrm{dB}$ squeezing and 7 dB anti-squeezing) to get a positive key rate even over a perfect channel with the heterodyne protocols.

We plot our measured secret key rates as a function of effective transmission distance in Fig. 5. Solid lines are calculated from a theoretical model based upon the characterization of various imperfections in the experiment. Results for the protocols where Alice and Bob performed the homodyne measurements on a distributed EPR state are given in Fig. 5(a). By using the RR protocol, we measured a positive key rate independent of Alice’s devices up to an equivalent transmission distance of $7.57\pm 0.26\text{\hspace{0.17em}\hspace{0.17em}}\mathrm{km}$ (approximately 29% applied loss). Using the DR protocol, we measured a secret key independent of Bob’s devices up to an equivalent transmission distance of $2.52\pm 0.21\text{\hspace{0.17em}\hspace{0.17em}}\mathrm{km}$ (approximately 11% applied loss). Our theoretical model, which is in good agreement with the experimental data, predicts maximum transmission ranges of 8 and 2.8 km for the RR and DR protocols, respectively (see Supplement 1).

Figure 5(b) depicts the results of the DR coherent state protocol. We show that a secure key remains possible after an equivalent transmission distance of $3.47\pm 0.46\text{\hspace{0.17em}\hspace{0.17em}}\mathrm{km}$ (approximately 15% applied loss). This is in good agreement with our theoretical model, which predicts our current setup would be secure up to a maximum of 4.5 km. With the P&M protocol, described in Fig. 4(e), we have much more latitude to vary the modulation variance and, hence, the virtual entanglement to optimize the secret key rate for each loss setting (see Supplement 1). As such, we achieve a loss tolerance superior to the EB DR protocol, while using only the cheapest and most readily available quantum optical resource states.

We also display the behavior of the measured steering parameter with respect to the thresholds required for key generation and violation of the Reid EPR-steering criteria [see Fig. 5(c)]. For each data point, we graphically represent the relevant steering parameter with respect to these thresholds in Figs. 5(d) and 5(e). In accordance with our earlier discussion, we show that a positive key is achieved with an EB RR (DR) protocol only when ${\mathcal{E}}_{\u25b8(\u25c2)}<{\left(\frac{2}{e}\right)}^{2}\approx 0.55$. We note that, for the P&M DR protocol, since in the equivalent EB picture Alice performs a heterodyne detection, ${\mathcal{E}}_{\u25b8}={V}_{{X}_{{A}_{1}}|{X}_{B}}{V}_{{P}_{{A}_{2}}|{P}_{B}}$. Here, ${A}_{1}$ and ${A}_{2}$ are the modes upon which Alice measured $\widehat{x}$ and $\widehat{p}$, respectively. On the other hand, all plotted points demonstrate EPR steering through a violation of the Reid criteria. Consequently, the negative data points would demonstrate sufficient correlations for 1sDI key generation if we were able to restrict Eve to individual attacks as per Eq. (8).

To better understand the limitations of, and potential improvements to, our experiments, theoretical models of both the EB and P&M were constructed. Modeling all processes as Gaussian allows for compact calculations and matches the experimental data closely. As well as using these models to determine the maximum range of our current experiment, we also investigated the performance that could be achieved with an improved implementation. For the EB protocols, the dominant source of decoherence are losses in the squeezing cavities. Modeling indicates that making challenging but reasonable improvements to the amount of available squeezing and the precision of locking could extend the asymptotic range of the DR and RR homodyne protocols to around 8 and 17 km, respectively, again assuming a reconciliation efficiency of $\beta =0.95$. See Supplement 1 for detailed explanation of the model for the EB protocols.

As mentioned previously, in contrast to the EB protocols when using coherent states, we have a great deal of flexibility in tuning the virtual squeezing via an increase in the modulation strength. In this protocol, the dominant source of noise is the unwanted cross modulation between the quadratures, which worsens as the modulation strength increases. This can be thought of as an unknown phase space rotation, and means we cannot use the modulation variance that would otherwise be optimal and depend only upon $\beta $ and the channel loss. If this cross modulation could be eliminated, our model shows that the asymptotic range of the coherent state scheme would increase to around 6.5 km. Details of the P&M model and the modulation optimization can be found in Supplement 1.

## 3. DISCUSSION

To summarize, we have provided a complete taxonomy of the Gaussian CV-QKD protocols from the perspective of one-sided device-independence. We also derived the asymptotic secret key rate for all six such protocols, and made an explicit connection to the EPR steering parameters for Gaussian states and measurements. Using these derived rates, we have characterized an experimental implementation of five of the six protocols, achieving secure key under a lossy channel equivalent of up to 7.5 km of optical fiber. Of particular interest was the first demonstration of a 1sDI CV-QKD protocol using only coherent states. That such an exotic quantum communication protocol is possible with these relatively mundane quantum states is a surprising result in itself. Furthermore, the ease with which they can be generated makes them especially attractive candidates for short-range metropolitan networks.

Several comments on extensions and directions for future work are in order, beginning with the prospect of extending this security proof to include finite-size effects and comparison with the results in Refs. [15,16,42]. In particular, in the experiment in Ref. [42], the authors follow a similar program of applying entropic uncertainty relations, in this case to the smooth min-entropies, allowing them to account for all finite-size effects while providing proof against completely general attacks while implementing one of the protocols described here (protocol 1). With squeezing level of 10 dB, the key rate demonstrated was about 0.1 bit per sample at a distance of 2.7 km, while the range is about 1.6 km for our setup, or up to 6 km with comparable squeezing level (see Supplement 1). Nevertheless, this proof is only for DR homodyne protocols and limited to short distances (up to 5 km) even with extremely high levels of squeezing. Very recently, an extension to RR homodyne protocols for both the asymptotic and finite-size regimes, secure up to 15 km, has also appeared [16]. For a coherent state homodyne protocol like that discussed here, a finite-size proof has also been developed [57]. It seems very promising then, that these techniques could be adapted to prove the finite-size security of all the other protocols presented here. Nonetheless, our asymptotic analysis shows that, even in the most ideal situations, 1sDI-CV-QKD is presently limited to transmission through urban networks.

An obvious avenue for future work is the investigation of methods to improve long-distance performance. One option would be to revisit the restrictions, or lack thereof, made about the eavesdropper, including physical assumptions about the quantum memory available to Eve [58–60], which has already seen application in DI-DV-QKD [61]. Another candidate to further extend the range of these protocols would be the noiseless linear amplifier [62,63], which has already been proposed for application to fully DI-DV-QKD [64]. Even more appealing may be the measurement-based versions of these amplification schemes [65,66] that have recently been experimentally demonstrated [67], although this could be applied only to RR protocols. In light of these results, it appears that several 1sDI-CV-QKD protocols are within the reach of current technology, and multiple possibilities exist to extend the secure range of such schemes to long distances.

## Funding

Australian Research Council (ARC) Centre of Excellence (CE110001027); Engineering and Physical Sciences Research Council (EPSRC) (EP/M013243/1).

## Acknowledgment

The authors would like to thank D. A. Evans, M. J. Hall, C. Branciard, E. G. Cavalcanti, H. M. Chrzanowski, F. Furrer, and M. Tomamichel for helpful discussions. N. W. acknowledges support from the EPSRC National Quantum Technology Hub in Networked Quantum Information Technologies.

See Supplement 1 for supporting content.

## REFERENCES

**1. **I. Białynicki-Birula and J. Mycielski, “Uncertainty relations for information entropy in wave mechanics,” Commun. Math. Phys. **44**, 129–132 (1975). [CrossRef]

**2. **H. Maassen and J. Uffink, “Generalized entropic uncertainty relations,” Phys. Rev. Lett. **60**, 1103–1106 (1988). [CrossRef]

**3. **A. Einstein, B. Podolsky, and N. Rosen, “Can quantum-mechanical description of physical reality be considered complete?” Phys. Rev. **47**, 777–780 (1935). [CrossRef]

**4. **M. Berta, M. Christandl, R. Colbeck, J. Renes, and R. Renner, “The uncertainty principle in the presence of quantum memory,” Nat. Phys. **6**, 659–662 (2010). [CrossRef]

**5. **V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. **81**, 1301–1350 (2009). [CrossRef]

**6. **C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proceedings of International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984.

**7. **A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. **67**, 661–663 (1991). [CrossRef]

**8. **T. C. Ralph, “Continuous variable quantum cryptography,” Phys. Rev. A **61**, 010303 (1999). [CrossRef]

**9. **M. Hillery, “Quantum cryptography with squeezed states,” Phys. Rev. A **61**, 022309 (2000). [CrossRef]

**10. **M. Reid, “Quantum cryptography with a predetermined key, using continuous-variable Einstein-Podolsky-Rosen correlations,” Phys. Rev. A **62**, 062308 (2000). [CrossRef]

**11. **F. Grosshans and P. Grangier, “Continuous variable quantum cryptography using coherent states,” Phys. Rev. Lett. **88**, 057902 (2002). [CrossRef]

**12. **F. Grosshans, G. V. Assche, J. Wenger, R. Brouri, N. J. Cerf, and P. Grangier, “Quantum key distribution using Gaussian-modulated coherent states,” Nature **421**, 238–241 (2003). [CrossRef]

**13. **V. Scarani and R. Renner, “Quantum cryptography with finite resources: unconditional security bound for discrete-variable protocols with one-way postprocessing,” Phys. Rev. Lett. **100**, 200501 (2008). [CrossRef]

**14. **M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat. Commun. **3**, 634 (2012). [CrossRef]

**15. **F. Furrer, T. Franz, M. Berta, A. Leverrier, V. Scholz, M. Tomamichel, and R. Werner, “Continuous variable quantum key distribution: finite-key analysis of composable security against coherent attacks,” Phys. Rev. Lett. **109**, 100502 (2012). [CrossRef]

**16. **F. Furrer, “Reverse-reconciliation continuous-variable quantum key distribution based on the uncertainty principle,” Phys. Rev. A **90**, 042325 (2014). [CrossRef]

**17. **J. Barrett, L. Hardy, and A. Kent, “No signaling and quantum key distribution,” Phys. Rev. Lett. **95**, 10503 (2005). [CrossRef]

**18. **A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, “Device-independent security of quantum cryptography against collective attacks,” Phys. Rev. Lett. **98**, 230501 (2007). [CrossRef]

**19. **L. Masanes, S. Pironio, and A. Acín, “Secure device-independent quantum key distribution with causally independent measurement devices,” Nat. Commun. **2**, 238 (2011). [CrossRef]

**20. **E. Hänggi and R. Renner, “Device-independent quantum key distribution with commuting measurements,” arXiv:1009.1833 (2010).

**21. **J. Barrett, R. Colbeck, and A. Kent, “Unconditionally secure device-independent quantum key distribution with only two devices,” Phys. Rev. A **86**, 062326 (2012). [CrossRef]

**22. **U. Vazirani and T. Vidick, “Fully device-independent quantum key distribution,” Phys. Rev. Lett. **113**, 140501 (2014). [CrossRef]

**23. **B. G. Christensen, K. T. McCusker, J. B. Altepeter, B. Calkins, T. Gerrits, A. E. Lita, A. Miller, L. K. Shalm, Y. Zhang, S. W. Nam, N. Brunner, C. C. W. Lim, N. Gisin, and P. G. Kwiat, “Detection-loophole-free test of quantum nonlocality, and applications,” Phys. Rev. Lett. **111**, 130406 (2013). [CrossRef]

**24. **M. Giustina, A. Mech, S. Ramelow, B. Wittmann, J. Kofler, J. Beyer, A. Lita, B. Calkins, T. Gerrits, S. W. Nam, R. Ursin, and A. Zeilinger, “Bell violation using entangled photons without the fair-sampling assumption,” Nature **497**, 227–230 (2013). [CrossRef]

**25. **B. Hensen, H. Bernien, A. E. Dréau, A. Reiserer, N. Kalb, M. S. Blok, J. Ruitenberg, R. F. L. Vermeulen, R. N. Schouten, C. Abellán, W. Amaya, V. Pruneri, M. W. Mitchell, M. Markham, D. J. Twitchen, D. Elkouss, S. Wehner, T. H. Taminiau, and R. Hanson, “Loophole-free Bell inequality violation using electron spins separated by 1.3 kilometres,” Nature **526**, 682–686 (2015). [CrossRef]

**26. **J. S. Bell, “EPR correlations and EPW distributions,” Ann. N.Y. Acad. Sci. **480**, 263–266 (1986). [CrossRef]

**27. **H. Wiseman, S. Jones, and A. Doherty, “Steering, entanglement, nonlocality, and the Einstein-Podolsky-Rosen paradox,” Phys. Rev. Lett. **98**, 140402 (2007). [CrossRef]

**28. **M. Tomamichel and R. Renner, “Uncertainty relation for smooth entropies,” Phys. Rev. Lett. **106**, 110506 (2011). [CrossRef]

**29. **C. Branciard, E. G. Cavalcanti, S. P. Walborn, V. Scarani, and H. M. Wiseman, “One-sided device-independent quantum key distribution: security, feasibility, and the connection with steering,” Phys. Rev. A **85**, 010301 (2012). [CrossRef]

**30. **H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. **108**, 130503 (2012). [CrossRef]

**31. **S. Braunstein and S. Pirandola, “Side-channel-free quantum key distribution,” Phys. Rev. Lett. **108**, 130502 (2012). [CrossRef]

**32. **S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, and U. L. Andersen, “High-rate measurement-device-independent quantum cryptography,” Nat. Photonics **9**, 397–402 (2015). [CrossRef]

**33. **Y.-L. Tang, H.-L. Yin, S.-J. Chen, Y. Liu, W.-J. Zhang, X. Jiang, L. Zhang, J. Wang, L.-X. You, J.-Y. Guan, D.-X. Yang, Z. Wang, H. Liang, Z. Zhang, N. Zhou, X. Ma, T.-Y. Chen, Q. Zhang, and J.-W. Pan, “Measurement-device-independent quantum key distribution over 200 km,” Phys. Rev. Lett. **113**, 190501 (2014). [CrossRef]

**34. **A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez, and W. Tittel, “Real-world two-photon interference and proof-of-principle quantum key distribution immune to detector attacks,” Phys. Rev. Lett. **111**, 130501 (2013). [CrossRef]

**35. **M. Pawłowski and N. Brunner, “Semi-device-independent security of one-way quantum key distribution,” Phys. Rev. A **84**, 010302 (2011). [CrossRef]

**36. **A. J. Bennet, D. A. Evans, D. J. Saunders, C. Branciard, E. G. Cavalcanti, H. M. Wiseman, and G. J. Pryde, “Arbitrarily loss-tolerant Einstein-Podolsky-Rosen steering allowing a demonstration over 1 km of optical fiber with no detection loophole,” Phys. Rev. X **2**, 031003 (2012). [CrossRef]

**37. **D. H. Smith, G. Gillett, M. P. de Almeida, C. Branciard, A. Fedrizzi, T. J. Weinhold, A. Lita, B. Calkins, T. Gerrits, H. M. Wiseman, S. W. Nam, and A. G. White, “Conclusive quantum steering with superconducting transition-edge sensors,” Nat. Commun. **3**, 625 (2012). [CrossRef]

**38. **B. Wittmann, S. Ramelow, F. Steinlechner, N. K. Langford, N. Brunner, H. M. Wiseman, R. Ursin, and A. Zeilinger, “Loophole-free Einstein–Podolsky–Rosen experiment via quantum steering,” New J. Phys. **14**, 053030 (2012). [CrossRef]

**39. **Z. Ou, S. Pereira, and H. Kimble, “Realization of the Einstein-Podolsky-Rosen paradox for continuous variables in nondegenerate parametric amplification,” Appl. Phys. B **55**, 265–278 (1992). [CrossRef]

**40. **S. Steinlechner, J. Bauchrowitz, T. Eberle, and R. Schnabel, “Strong Einstein-Podolsky-Rosen steering with unconditional entangled states,” Phys. Rev. A **87**, 022104 (2013). [CrossRef]

**41. **M. Berta, F. Furrer, and V. B. Scholz, “The smooth entropy formalism on von Neumann algebras,” arXiv:1107.5460 (2011).

**42. **T. Gehring, V. Händchen, J. Duhme, F. Furrer, T. Franz, C. Pacher, R. F. Werner, and R. Schnabel, “Implementation of continuous-variable quantum key distribution with composable and one-sided-device-independent security against coherent attacks,” Nat. Commun. **6**, 8795 (2015). [CrossRef]

**43. **F. Furrer, M. Berta, M. Tomamichel, V. B. Scholz, and M. Christandl, “Position-momentum uncertainty relations in the presence of quantum memory,” J. Math. Phys. **55**, 122205 (2014). [CrossRef]

**44. **R. L. Frank and E. H. Lieb, “Extended quantum conditional entropy and quantum uncertainty inequalities,” Commun. Math. Phys. **323**, 487–495 (2014). [CrossRef]

**45. **C. Weedbrook, A. Lance, W. P. Bowen, T. Symul, T. C. Ralph, and P. K. Lam, “Quantum cryptography without switching,” Phys. Rev. Lett. **93**, 170504 (2004). [CrossRef]

**46. **F. Grosshans, N. J. Cerf, P. Grangier, J. Wenger, and R. Tualle-Brouri, “Virtual entanglement and reconciliation protocols for quantum cryptography with continuous variables,” Quantum Inf. Comput. **3**, 535–552 (2003).

**47. **C. Silberhorn, T. C. Ralph, N. Lütkenhaus, and G. Leuchs, “Continuous variable quantum cryptography: beating the 3 dB loss limit,” Phys. Rev. Lett. **89**, 167901 (2002). [CrossRef]

**48. **R. Garca-Patrón and N. J. Cerf, “Unconditional optimality of Gaussian attacks against continuous-variable quantum key distribution,” Phys. Rev. Lett. **97**, 190503 (2006). [CrossRef]

**49. **M. Navascués, F. Grosshans, and A. Acín, “Optimality of Gaussian attacks in continuous-variable quantum cryptography,” Phys. Rev. Lett. **97**, 190502 (2006). [CrossRef]

**50. **R. Renner and J. Cirac, “de Finetti representation theorem for infinite-dimensional quantum systems and applications to quantum cryptography,” Phys. Rev. Lett. **102**, 110504 (2009). [CrossRef]

**51. **A. Ferenczi, “Security proof methods for quantum key distribution protocols,” Ph.D. thesis (University of Waterloo, 2013).

**52. **M. D. Reid, “Demonstration of the Einstein-Podolsky-Rosen paradox using nondegenerate parametric amplification,” Phys. Rev. A **40**, 913–923 (1989). [CrossRef]

**53. **M. Reid, “Signifying quantum benchmarks for qubit teleportation and secure quantum communication using Einstein-Podolsky-Rosen steering inequalities,” Phys. Rev. A **88**, 062338 (2013). [CrossRef]

**54. **S. Armstrong, M. Wang, R. Y. Teh, Q. Gong, Q. He, J. Janousek, H.-A. Bachor, M. D. Reid, and P. K. Lam, “Multipartite Einstein–Podolsky–Rosen steering and genuine tripartite entanglement with optical networks,” Nat. Phys. **11**, 167–172 (2015). [CrossRef]

**55. **P. Jouguet, S. Kunz-Jacques, and A. Leverrier, “Long-distance continuous-variable quantum key distribution with a Gaussian modulation,” Phys. Rev. A **84**, 062317 (2011). [CrossRef]

**56. **P. Jouguet, S. Kunz-Jacques, A. Leverrier, P. Grangier, and E. Diamanti, “Experimental demonstration of long-distance continuous-variable quantum key distribution,” Nat. Photonics **7**, 378–381 (2013). [CrossRef]

**57. **A. Leverrier, “Composable security proof for continuous-variable quantum key distribution with coherent states,” Phys. Rev. Lett. **114**, 070501 (2015). [CrossRef]

**58. **S. Wehner, C. Schaffner, and B. Terhal, “Cryptography from noisy storage,” Phys. Rev. Lett. **100**, 220502 (2008). [CrossRef]

**59. **S. Wehner, M. Curty, C. Schaffner, and H.-K. Lo, “Implementation of two-party protocols in the noisy-storage model,” Phys. Rev. A **81**, 052336 (2010). [CrossRef]

**60. **C. Schaffner, “Simple protocols for oblivious transfer and secure identification in the noisy-quantum-storage model,” Phys. Rev. A **82**, 032308 (2010). [CrossRef]

**61. **S. Pironio, L. Masanes, A. Leverrier, and A. Acín, “Security of device-independent quantum key distribution in the bounded-quantum-storage model,” Phys. Rev. X **3**, 031007 (2013). [CrossRef]

**62. **T. C. Ralph and A. P. Lund, “Nondeterministic noiseless linear amplification of quantum systems,” in *Quantum Communication Measurement and Computing Proceedings of 9th International Conference* (2009), pp. 155–160.

**63. **G. Y. Xiang, T. C. Ralph, A. P. Lund, N. Walk, and G. J. Pryde, “Heralded noiseless linear amplification and distillation of entanglement,” Nat. Photonics **4**, 316–319 (2010). [CrossRef]

**64. **N. Gisin, S. Pironio, and N. Sangouard, “Proposal for implementing device-independent quantum key distribution based on a heralded qubit amplifier,” Phys. Rev. Lett. **105**, 70501 (2010). [CrossRef]

**65. **N. Walk, T. C. Ralph, T. Symul, and P. K. Lam, “Security of continuous-variable quantum cryptography with Gaussian postselection,” Phys. Rev. A **87**, 020303 (2013). [CrossRef]

**66. **J. Fiurášek and N. Cerf, “Gaussian postselection and virtual noiseless amplification in continuous-variable quantum key distribution,” Phys. Rev. A **86**, 060302 (2012). [CrossRef]

**67. **H. M. Chrzanowski, N. Walk, S. M. Assad, J. Janousek, S. Hosseini, T. C. Ralph, T. Symul, and P. K. Lam, “Measurement-based noiseless linear amplification for quantum communication,” Nat. Photonics **8**, 333–338 (2014). [CrossRef]