A central problem in cryptography is the distribution among distant users of secret keys, which can be used for the secure encryption of messages. This task is impossible in classical cryptography unless assumptions are made on the computational power of the eavesdropper. Quantum key distribution (QKD), on the other hand, offers security against adversaries with unbounded computing power. The ultimate level of security provided by QKD was made possible thanks to a change of paradigm. While in classical cryptography security relies on the hardness of certain mathematical problems, in QKD it relies on the fundamental laws of quantum physics. A side-effect of this change of paradigm, however, is that whereas the security of classical cryptography is based on the mathematical properties of the key itself, in QKD, the security crucially depends on the physical properties of the key generation process. But then, how can one assess the level of security provided by a real-life implementation of QKD, which inevitably differs in inconspicuous ways from the idealized, theoretical description? In fact, technological imperfections have recently been exploited to hack QKD commercial products.

Device-independent QKD (DIQKD) aims at closing the gap between theoretical analyses and practical realizations of QKD by designing protocols whose security does not require a detailed characterization of the devices used to generate the secret key. These devices are just seen as quantum black-boxes, see the Figure, generating outputs given some inputs. This stronger form of cryptography is possible if it is based on the observation of non-local quantum correlations. In some sense, DIQKD combines the advantages of classical and quantum cryptography: security against unbounded adversaries based on the law of quantum physics but which does not rely on the physical details of the generation process.

In our work, we provide a general formalism for proving the security of DIQKD protocols. The DIQKD model that we consider, however, is partly restricted as it supposes that the measurement processes generating the different bits of the raw key are causally independent of each other. This independence condition may be hard to meet in practice, but it is assumed in any of the existing security proofs, including those for standard QKD. Our analysis therefore shows that secure QKD is in principle possible independently of the internal working of the devices used in the protocol.