Device-dependent and device-independent quantum key distribution without a shared reference frame

Standard quantum key distribution (QKD) protocols typically assume that the distant parties share a common reference frame. In practice, however, establishing and maintaining a good alignment between distant observers is rarely a trivial issue, which may significantly restrain the implementation of long-distance quantum communication protocols. Here we propose simple QKD protocols that do not require the parties to share any reference frame, and study their security and feasibility in both the usual device-dependent (DD) case—in which the two parties use well characterized measurement devices—as well as in the device-independent (DI) case—in which the measurement devices can be untrusted, and the security relies on the violation of a Bell inequality. To illustrate the practical relevance of these ideas, we present a proof-of-principle demonstration of our protocols using polarization entangled photons distributed over a coiled 10-km long optical fiber. We consider two situations, in which either the fiber spool's polarization transformation freely drifts, or randomly chosen polarization transformations are applied. The correlations obtained from measurements allow, with high probability, to generate positive asymptotic secret key rates in both the DD and DI scenarios (under the fair-sampling assumption for the latter case).


I. INTRODUCTION
Quantum Key Distribution [1] is arguably the most developed area in quantum information processing, and has recently reached the commercial level.Currently the main limitation of QKD is the distance between the parties.State of the art experiments have reported key exchanges up to distances of ∼ 250 km [2].It is a great challenge in this area to reach much longer distances, such as intercontinental distances, and tremendous effort is made in this direction.Significant progress has been recently reported, with promising developments in quantum repeaters [3], as well as in satellite-based quantum communications [4,5].
The main reason for this challenge to practical implementations of QKD protocols, and more generally all long-distance quantum communication tasks, is the effect of noise and loss.Many studies have been devoted to these problems.There is however another key issue, often overseen, which is the alignment of a common reference frame between the parties.While usually being assumed a priori (hence not discussed) in theoretical works, the alignment of a common reference frame is rarely a trivial task in practice.Furthermore, when performing experiments outside of the laboratory, this issue can become highly cumbersome, and may significantly restrain-and even hinder-the implementation of certain quantum protocols.For instance, in fiber-based quantum communications, polarization rotations are induced by unavoidable temperature changes, which makes it challenging to maintain a good alignment.Also, in satellite-based quantum communications, establishing and maintaining a good alignment between the satellite and the ground station is a challenge [5], given the fast movement of the satellite and the limited amount of time for completing the protocol.
It is therefore relevant to consider quantum communication protocols in which the requirement of a common reference frame can be dispensed with.An elegant solution to this problem is to use decoherence-free subspaces [6,7].However, this generally amounts to using high-dimensional quantum systems, the practical implementation of which is challenging-although progress has been achieved recently [8].It turns out however that one can in fact relax the shared reference frame assumption in certain simple quantum communication protocols that only involve qubits.This approach has received some attention in the context of tests of quantum nonlocality [9]: in particular it was recently shown [10,11], and experimentally illustrated [10,12], that Bell inequality violations can be guaranteed even if the parties share no common measurement basis.In the context of QDK, Laing and colleagues [13] presented a protocol-dubbed "Reference Frame Independent", and recently implemented in Ref. [14]-which requires the parties to only have one common measurement basis.While the latter approach is well suited and proposes an interesting solution for certain QKD implementations, it is however not adapted to all systems.
Here we propose QKD protocols that do not assume the existence of any shared reference frame.We analyse their security and feasibility in two scenarios.In the first, "device-independent" (DI) case [15,16], the two communicating parties Alice and Bob use untrusted measurement devices and do not make any assumption on their functioning; the security of the protocol is ensured by the violation of a Bell inequality (for a recent review, see [17]).In the second, standard "device-dependent" (DD) case, Alice and Bob trust that their devices faithfully implement the prescribed measurements-which further constrains the possible attacks by an eavesdropper, Eve, detectable by Alice and Bob.We show in both cases that if Alice and Bob do not share a common reference frame but measure entangled pairs of quantum systems along randomly orientated measurement bases, they can still expect to generate, with reasonably large probability (which depends on the assumptions for the security analysis), secret keys with positive key rates.We then demonstrate the experimental relevance of these ideas by presenting a proof-of-principle implementation of our protocols using a photonic QKD setup with polarization entangled photons.For all cases under consideration, we could calculate, with non-zero probability, positive (asymptotic) secret key rates as obtained from the preceding security analysis (assuming the fair sampling assumption in the DI case to calculate the violation of a Bell inequality).This suggests that the requirement of a common reference frame can indeed-if need be-be completely dispensed with in experimental QKD, thus opening promising perspectives for long-distance and satellite-based QKD.

II. DEVICE-INDEPENDENT PROTOCOL
In our first protocol, Alice and Bob can each perform one out of 3 possible local measurements, labeled by x = 1, 2, 3 for Alice and y = 1, 2, 3 for Bob, on a shared entangled quantum state ρ AB .All measurements are dichotomic, giving a binary outcome a for Alice and b for Bob.The protocol is device-independent in the sense that we shall not make any assumption on which measurements are physically implemented by Alice and Bob's measuring apparatuses, nor of the dimension of the state ρ AB .
After repeating the above operations sufficiently many times, Alice and Bob can, by communicating a random subset of their measurement choices and results, estimate the correlations they share, i.e. the probability distribution P (a, b|x, y).For now we will focus on the correlators E xy = P (a=b|x, y) − P (a =b|x, y).From these, Alice and Bob can in particular calculate the 36 values (for all x, x , y and y ) of the Clauser-Horne-Shimony-Holt (CHSH) [18] parameters If any of these CHSH values is greater than 2, Alice and Bob can certify that the observed correlations are "nonlocal", in the sense that they violate Bell's local causality assumption [19].Observing quantum nonlocality is not only interesting for testing the foundations of quantum theory, it can also have practical applications-in our case of interest it can indeed allow one, for a large enough value of a CHSH parameter together with a large enough value for at least one correlator, to prove the security of QKD protocols in a device-independent way [15,16,20,21,24].Interestingly, it was shown in Refs.[10,11] that if Alice and Bob share a maximally entangled 2-qubit state, say the singlet state |Ψ − = 1 √ 2 (|01 − |10 ), and can each choose among 3 orthogonal measurements, represented for Alice (Bob) by 3 orthogonal vectors a x ( b y ) on the Bloch sphere, there is always at least one of the 36 CHSH values S xx yy that is above the local bound of 2-unless Alice and Bob's orthogonal measurement triads are perfectly aligned.Moreover, if Alice and Bob do not share any common reference frame and the relative orientation of their measurement triads is random, the largest CHSH value they observe is typically quite large: its average value was empirically found to be ∼ 2.6 for random relative orientations drawn from a uniform distribution on the Bloch sphere [10].
This suggests that it should be possible to extract reasonably large secret key rates from the correlations obtained by Alice and Bob, without the requirement that they share a common reference frame (i.e.their orthogonal measurement triads are not pre-aligned).We study this idea below, following the security analyses of both Pironio et al. [20]-which proves the security against collective attacks-and of Masanes et al. [21]-which considers the security against general (coherent) attacks, only assuming memoryless devices.Note that full security proofs of DI QKD, considering the most general attacks, were recently reported [22,23].However, these proofs are not robust to noise, hence of limited practical interest, and we do not consider these in this work.
A. Device-independent security analysis along the lines of Pironio et al. [20] Ref. [20] considered a DI-QKD protocol with 3 inputs for Alice (in our notations, x = 1, 2, 3) and 2 inputs for Bob (y = 1, 2).Considering the CHSH parameter S 1212 and the correlator E 31 (see Eq. 1 above), it was shown that (if S 1212 > 2) a secret key can be extracted through 1-way classical post-processing (from Bob to Alice) from the data obtained when using the settings x = 3 and y = 1-the "raw key"-at an asymptotic rate (see details in [20]) where h(p) = −p log 2 p − (1−p) log 2 (1−p) is the binary entropy function.This bound on the secret key-rate ensures the security of the QKD protocol in the DI scenario against collective attacks [1], in the limit of infinite key lengths.The term the errors in their raw keys, while the term h is a bound on Eve's Holevo information conditioned on Bob's measurement result.Both need to be reduced through privacy amplification.
The same protocol as in [20] can be run by following the protocol detailed above, in which Alice and Bob do not share a common reference frame (see start of Sec.II), with 3 settings for both Alice and Bob, by using any four correlators E x ( ) y ( ) to estimate a CHSH parameter S xx yy , and any pair of settings (x raw , y raw ) to define the raw key-with the important condition that either x raw ∈ {x, x } or y raw ∈ {y, y }.Let us then define r DI1 = max x,x ,y,y ,xraw,yraw , corresponding to the rate (2) for the optimal choice of settings used to define the CHSH parameter and the raw key (by convention, if no violation S xx yy > 2 is found we define r DI1 = −1.From the analysis of [20], if r DI1 is found to be non-negative, then Alice and Bob will indeed be able to extract a secret key with an asymptotic rate of (at least) r DI1 , in the DI scenario, secure against collective attacks 1 .
In order to study the experimental feasibility of such a protocol the questions we need to address are the following: How likely is r DI1 to be positive?What are its typical values, and how are they distributed if Alice and Bob's orthogonal measurement triads are randomly chosen?
To answer these questions, we estimated the distribution of r DI1 by generating 10 7 pairs of random orthogonal measurement triads { a x } and { b y }, independently drawn from a uniform distribution on the Bloch sphere.For each pair of triads, we computed the 9 correlators E xy assuming that Alice and Bob receives pure (noise-free) maximally entangled states , and calculated the bound r DI1 (3) on the secret key rate that Alice and Bob can extract.The results of our simulation are plotted on Figure 1.We found that ∼ 83.9% of our samples of r DI1 were positive (i.e., we estimate the probability for Alice and Bob to obtain r DI1 > 0 to be ∼ 83.9%), with a maximum value for the distribution of r DI1 observed around r DI1 ∼ 0.25.The average value of r DI1 was found to be ∼ 0.173; if we post-select only the cases in which r DI1 > 0, the average value becomes ∼ 0.226.The maximum value for r DI1 is found to be ∼ 0.450, obtained if two of Alice and Bob's measurement settings coincide (say, a x = b y ), while the other two pairs of settings, used to define S xx yy , are coplanar (with an angle ∼ 0.642 rad from one pair to the other).
It is also important to study the effect of noise on the secret key rates r DI1 .For that, we similarly estimated the distribution of r DI1 if the measurements are now performed on noisy singlet states (Werner states [25]) (which gives E xy = −V a x • b y ), for V = 0.98 and 0.95; see Figure 1.As expected, the secret key rates are reduced as V decreases.For V = 0.98 and V = 0.95, the probabilities that r DI1 > 0 are, however, still ∼ 72.1% and ∼ 38.0%, respectively.Note in this respect that the violations of a CHSH inequality were found in Ref. [10] to be quite robust to noise; for instance, the probability that at least one value of S xx yy is greater than 2 is still above 99.9% for V = 0.95.
B. Device-independent security analysis along the lines of Masanes et al. [21] Ref. [21] provides a different approach to prove the security of a DI-QKD scheme.For the same protocol as in Ref. [20], Masanes et al. proved that (for S 1212 > 0) a secret key-now secure against coherent attacks, but under the assumption that their measurement devices are causally independent (or memoryless)-can be extracted at an asymptotic rate [21] Again, the term h 1−E31 2 is due to the necessary error correction, while the term log 2 is now a bound on the min-entropy of Alice's raw key conditioned on Eve's information.The information of both must be removed through privacy amplification to extract a secret key.
Let us then now define, for our experimental procedure with 3 settings for Alice and Bob, As before, if r DI2 is found to be non-negative, then Alice and Bob will indeed be able to extract a secret key with a rate (at least) r DI2 .
Again, we wish to determine how likely it is that r DI2 is positive, and how its typical values and distribution look like when Alice and Bob's orthogonal measurement triads are randomly chosen from a uniform distribution on the Bloch sphere.For that, we estimated the distribution of r DI2 in a similar way as for r DI1 .The results of our simulation are plotted in Figure 2. We found that ∼ 49.0% of our samples of r DI2 were positive, and observed a peak in the distribution of r DI2 for values around ∼ 0.08.The average value of r DI2 was found to be ∼ −0.034; if we post-select only the cases in which r DI2 > 0, the average value becomes ∼ 0.093.The maximum value for r DI2 is obtained if two of Alice and Bob's measurement settings coincide, while the other two pairs of settings, used to define S xx yy , are coplanar, at 45 • from one another-i.e. they correspond to the optimal choice of settings for testing the CHSH inequality (which was not the case for the optimal settings for r DI1 ).In that case, one gets ) 0.399.We also, as before, considered the effect of depolarizing noise on the secret key rates r DI2 (see Figure 2).For V = 0.98, we found the probability that r DI2 > 0 to be ∼ 18.0%; for V = 0.95, however, no positive secret key rate r DI2 is obtained any more.
Note that r DI2 is always smaller than r DI1 .This comes from the different techniques used in the proofs: Ref. [21] is based on the calculation of min-entropies to estimate Eve's information, while Ref. [20] is based on the calculation of Eve's Holevo information (which involves von Neumann entropies).The security analysis of Ref. [21] is more stringent in that it considers more general attacks.It is an open question whether any of the two analyses can be improved to account for more general attacks or to lead to higher bounds on the secret key rates (e.g.whether the higher bound of Ref. [20] also holds for the same class of attacks as considered in Ref. [21]).

III. DEVICE-DEPENDENT PROTOCOL
We now turn to the more standard device-dependent (DD) scenario, in which Alice and Bob trust their measurement apparatuses.We assume that the apparatuses implement dichotomic qubit measurements, that ρ AB is a 2-qubit state, and that the 3 measurement settings they can each choose from, as before, trustfully correspond to orthogonal projective measurements, represented by 3 orthogonal Bloch vectors a x for Alice, and by 3 orthogonal Bloch vectors b y for Bob.
It is convenient here to think of Alice's and Bob's measurements along the orthogonal directions a x and b y as the application of an adequate local unitary operation on their respective qubit, followed by a measurement along the axes X, Y, Z of their Bloch spheres 2 .Choosing random orientations for the orthogonal measurement triads a x and b y is equivalent to choosing random local unitary transformations to apply to the 2-qubit state ρ AB .
In this view, the QKD protocol we are considering, with a choice of measurement among three orthogonal directions, is nothing but the entanglement-based version of the well-known 6-state protocol [26,27].Its standard security analysis can thus directly be applied.The only difference in our case here will concern its typical implementation: we shall not assume that Alice and Bob can (in the ideal case) share an entangled state with any particular symmetries adapted to their measurement bases, but instead, that their qubits undergo some uncontrolled rotations before being measured.
Note already that in the device-dependent scenario, entanglement-based protocols can readily be translated into prepare-andmeasure ones [1] (whose practical implementations are typically simpler), and the following analysis would still apply.
A. Device-dependent security analysis à la 6-state protocol Following the analysis presented in Appendix A of Ref. [1], one can show that the asymptotic secret key rate one can extract in the 6-state protocol from the data measured (say) with the settings x = y = 3 (corresponding to a σ Z measurement, with the convention that x, y = 1 and x, y = 2 correspond to σ X and σ Y measurements, resp.), under 1-way classical post-processing, and secure against the most general coherent attacks (in the device-dependent scenario) is bounded by where H[{p i }] = − i p i log 2 p i is the Shannon entropy (and {p i } is a length 4 vector of probabilities).
In our case, the association between each of Alice's 3 measurement settings and one of Bob's settings is not defined a priori, but can be optimized so as to end up with the largest possible secret key rate-that is, we can choose the optimal permutation π({1, 2, 3}) = {y 1 , y 2 , y 3 } of Bob's settings to be associated to Alice's settings {1, 2, 3}.Taking into account the fact that Eq. ( 6) assumes a given handedness for the orientation of Alice and Bob's settings (that of { X, Y, Z}), we define V 1 V 0.98 V 0.95  (7) on the secret key rate for Werner states of visibilities V = 1, 0.98 and 0.95 (in the DD scenario, following the analysis "à la 6-state protocol"), obtained as in Figures 1 and 2.
where σ π = ±1 is the signature of the permutation π. r DD(6−state) is thus a lower bound on the asymptotic extractable secret key rate of our device-dependent protocol, secure against coherent attacks in the limit of infinitely long keys, obtained from the standard analysis of the 6-state protocol 3 .We again estimated the distribution of the bound r DD(6−state) in a similar manner as before, i.e. if Alice and Bob share (noisy) singlet states and their measurement orientations (or their local unitaries, equivalently-cf above) are chosen at random, uniformly on the Bloch sphere.The results are shown in Figure 3.In the noiseless case (V = 1) we found that ∼ 89.2% of our samples led to positive secret key rates r DD(6−state) > 0. The average value of r DD(6−state) was found to be ∼ 0.330; if post-selected to the cases in which r DD(6−state) > 0, it becomes ∼ 0.379.The maximum value of r DD(6−state) is 1, obtained e.g. when ρ AB is a pure singlet state and Alice and Bob's measurement axes are perfectly aligned (as in the standard case of the 6-state protocol).For V = 0.98 and 0.95, as the key rates decrease, we still found that ∼ 84.4% and ∼ 75.6% of our samples, respectively, led to positive secret key rates r DD(6−state) > 0.
We note that the key rates obtained from (7), in the DD scenario, are typically larger than those found in the DI scenario considered in the previous section.This was expected, as the assumptions on Eve's possible attacks are more restrictive in the DD scenario.For instance, Eve cannot act on Alice and Bob's measurement apparatuses-which, in the DI scenario, indeed allows her to perform more powerful attacks [20].An interesting difference between the DD and DI scenarios is the optimal orientations of settings.In the DD scenario, one only aims at maximizing three of the correlators |E xy |, and the optimal arrangement does not allow the violation of any Bell inequality; on the other hand, in the DI scenario a trade-off must be found between a large enough violation of a Bell inequality and a large enough correlator |E xrawyraw | (cf above).

B. Improved device-dependent security analysis
In the security analysis of the 6-state protocol that leads to the closed form (6), one uses the fact that an upper bound on Eve's information can be obtained, through a "depolarization process", by restricting oneself to Bell-diagonal states ρ AB (cf Appendix A of [1]).While this use of the symmetries of the protocol may be well adapted for standard implementations in which Alice and Bob share a common reference frame and indeed expect their state ρ AB to be (close to) a Bell-diagonal state, the upper bound thus obtained may in general be over-pessimistic, and it may be possible to actually derive larger bounds on the secret key rates-as we now show.
In the experimental situation we consider, Alice and Bob each repeatedly perform one out of three orthogonal qubit measurements.Their full statistics-i.e.their correlators E xy , together with the marginal probabilities P (a|x) and P (b|y) (which are expected to be uniformly 1/2 for maximally entangled 2-qubit states, possibly including white noise)-then actually allow them to fully reconstruct the state ρ AB , up to local unitary rotations, through quantum state tomography [31].This can be used to estimate Eve's information more tightly-e.g., in the ideal case in which the state ρ AB would be found to be a pure state (such as a maximally entangled state), then one can be assured that Eve is not correlated to it.More precisely, to study the security against collective attacks, the information potentially available to an eavesdropper can be represented by a quantum system E that is correlated to Alice and Bob's system in such a way that it "purifies" the reconstructed state ρ AB -i.e., one can define a purification |ψ ABE of ρ AB (a pure 3-partite state such that Tr E |ψ ABE ψ ABE | = ρ AB ), and give the quantum system E to Eve.
Let us denote by ρ E = Tr AB |ψ ABE ψ ABE | Eve's partial state and by ρ E|Ax=a her conditional state corresponding to Alice's measurement result A x =a for the choice of setting x, and let us define Eve's Holevo information conditioned on Alice's outcome as where where I(A xraw : B yraw ) is the mutual information between Alice's and Bob's measurement results A xraw and B yraw which, after randomization of Alice and Bob's marginals (through a simultaneous random flipping of their results), is equal to . The bound (9) ensures the security of the secret key against collective attacks (in the limit of infinitely long keys); using a de Finetti type of argument, one can show that the same secret key rate is also secure against coherent attacks [33].
In our case, Alice and Bob still have the possibility to choose the settings from which they will attempt to extract a secret key.Let us accordingly define If r DD is found to be non-negative, then Alice and Bob will actually be able to extract a secret key with a rate (at least) r DDwhich is larger than the previous bound r DD(6−state) (7).
In the ideal case in which Alice and Bob find that they share noiseless singlet states, the state ρ AB is pure.This implies in particular that Eve's Holevo information is null: χ(A xraw : E) = χ(B yraw : E) = 0.The bound r DD (10) on the secret key rate then just depends on the largest correlator (in absolute value) E xy = − a x • b y observed by Alice and Bob.One can show in that case that if Alice's and Bob's 3 measurements settings are orthogonal, this largest correlator is necessarily greater than 2   3   (obtained if all scalar products a x • b y are either ± 2 3 or ± 1 3 ), and hence r DD ≥ 1 − h 1 6 0.350 > 0; on the other hand, the maximum value 1 of r DD is attained if any two of Alice and Bob's settings are aligned.As in the previous cases, we estimated A horizontally polarized, pulsed (50 ps), 532 nm wavelength laser beam is rotated to diagonal polarization via a half wave-plate (HWP), is then split by a polarizing beam splitter (PBS) and travels both clockwise and counter-clockwise through a polarization Sagnac interferometer.The interferometer contains two type-I, spontaneous parametric down-conversion (SPDC), periodically-poled lithium niobate (PPLN) crystals configured to produce collinear, non-degenerate, 810/1550 nm wavelength photon pairs.The clockwisetravelling, vertically polarized (counter-clockwise travelling, horizontally polarized) pump light passes through the first crystal without interaction (as SPDC is polarization dependent) and may down-convert in the V-PPLN crystal (H-PPLN) to produce two horizontally (vertically) polarized photons.After exiting the interferometer, the remaining pump light is filtered out using a high-pass filter and the entangled photons are separated on a dichroic mirror (DM) and sent to qubit analyzers consisting of waveplates, a PBS and single-photon detectors.
the distribution of r DD for randomly chosen orientations for Alice and Bob's measurement triads; see Figure 4. Its average value was found to be ∼ 0.745.
If Alice and Bob determine that they find a noisy Werner state with V < 1, they calculate Eve's Holevo information to be (for all x, y) χ(A . The distribution of r DD , estimated as before, is also shown on Figure 4 for V = 0.98 and V = 0.95.In both cases we always find positive bounds r DD on the secret key rates (in fact, r DD is always positive for V 0.875).

IV. PROOF-OF-PRINCIPLE EXPERIMENTS
To demonstrate the practical relevance of our theoretical discussions, we performed a proof-of-principle demonstration of QKD using the four security analyses discussed above.In our experiment Alice generated a sequence of pairs of polarization entangled photons and sent one photon of each pair to Bob via a channel with an unknown polarization transformation.Both parties projectively measured the polarization state of their photon in one of three mutually unbiased bases.Neither Alice nor Bob attempted to align their measurement devices, as we do not want to assume that they share a common reference frame.After collecting sufficient data on each pair of projectors-giving the 9 correlators E ij as described above and allowing for the tomography of the quantum state shared by Alice and Bob (for the calculation of r DD )-asymptotic secret key rates from each of the above analyses were calculated.Note that our demonstration is proof-of-principle only as we do not randomly select bases nor perform the required error correction or privacy amplification, which is required to generate actual secret keys (and which would require a rigorous finite-key analysis, which would go beyond the scope of this paper).Nor do we close the detection loophole as necessary to generate key for device-independent QKD.

A. Experimental setup
Fig. 5 shows a schematic of our experiments.Alice holds a source of polarization-entangled qubits and a qubit analyzer (details below).Her entanglement source is based on two spontaneous parametric downconversion (SPDC) crystals in a polarizing Sagnac interferometer, described and characterized previously in [34,35].Diagonally polarized pump light from a pulsed 532 nm wavelength laser is placed in a superposition of traveling clockwise (CW) and counter-clockwise (CCW) around the Sagnac interferometer.In the CCW path, vertically polarized pump light passes unaffected through the first SPDC crystal, which is oriented to down-convert horizontally polarized pump light, and then produces pairs of vertically polarized photons in the second SPDC crystal.Similarly, the CW path produces pairs of horizontally polarized photons.Each pair consists of one photon at around 810 nm wavelength and one photon at around 1550 nm.By recombining the two paths at the output of the interferometer, and keeping pump powers sufficiently low, Alice generates a two-qubit state close to the |Φ + Bell state 4 .Performing quantum state tomography based on a maximum likelihood optimization [31] with the source revealed an average tangle of T = 0.85 ± 0.02 (note that T = 1 implies a maximally entangled state and that we observed the tangle to oscillate between 0.82 and 0.88 over the course of the experiment); this value of the tangle corresponds, for an ideal Werner state, to an average visibility of about V = 0.95 ± 0.01.
During experiments, Alice separates the two entangled photons with a dichroic mirror and measures the 810 nm photon directly with her qubit analyzer, which consists of waveplates, a polarizing beam splitter (PBS) and a free-running silicon avalanche photo-diode (APD).Alice also sends the 1550 nm photon to Bob via a 10 km fiber spool with approx.6 dB loss, which serves as the quantum channel with unknown and varying polarization transformation, and, in parallel, generates an electronic signal to inform Bob of the incoming photon.Bob then projectively measures the photon with his own qubit analyzer, also consisting of waveplates, a PBS and a gated InGaAs APD.Measurement results from both Alice and Bob are recorded on the same PC for analysis.

B. Experimental results
To demonstrate the feasibility of QKD without a shared reference frame with our setup, we performed two experiments.
In both experiments Alice and Bob collected statistics on one of the nine correlators for two minutes and then either Alice or Bob would change measurement settings.Hence, 18 minutes were required to collect statistics on all nine correlators.In the first experiment, Alice and Bob cycled through the measurement settings for nearly three hours while the polarization transformation of the fiber spool was allowed to freely drift, which generated nine complete iterations through the measurements of the correlators.For our second experiment, we inserted three waveplates into the channel connecting Alice and Bob to randomly vary the polarization transformation and measured the nine correlators for each transformation.
In the first (free-drifting) experiment we analyzed the nearly three hours of data with a sliding 18 minute window: We first analyzed the nine correlators and performed state tomography with the data within a window beginning at time t = 0 and going to t = 18 min.We then repeatedly stepped the window forward by 2 minutes, yielding a total of 73 sets of data (e.g. the second data set is between t = 2 min and t = 20 min, etc.), and analyzed each set independently.For each data set we calculated the asymptotic secret key rates r DI1 , r DI2 , r DD(6−state) and r DD one could extract in each of the 4 scenarios, according to Eqs. ( 3), ( 5), ( 7) and (10), respectively.In order to illustrate the role of the CHSH violation in the DI scenario and the importance of having large correlators, we also calculated the maximal CHSH value5 S max = max x,x ,y,y S xx yy , and the largest sum of 3 correlators defined as These results are presented in Fig. 6.Initially, and by chance, the channel transformation turned out to be such that a reasonably high parameter S max was found, favoring device-independent QKD, but over the course of the experiment, the channel transformation slowly drifted close to a point where Alice's and Bob's measurement bases were aligned.At this point we observed 3 high correlators (i.e. a large value for C max ) and a low parameter S max , which favours device-dependent QKD.Indeed, when one examines the key rates as a function of time (i.e.window position) one observes steadily decreasing deviceindependent key rates (in fact, r DI2 quickly falls to zero, whereas r DI1 remains positive for longer) and steadily increasing device-dependent key rates.
These observations align with our discussion at the end of Sec.III A in that the alignment of bases optimal for devicedependent and device-independent QKD are different.All our protocols require a source with a high degree of entanglement (characterized, for instance, by a high visibility or high tangle).However, device-dependent QKD is optimal when Alice's and Bob's measurement bases are well aligned such that one finds three large-valued correlators with which to generate key, which minimizes key reduction due to error correction.On the other hand, in device-independent QKD one requires a set of four correlators that generate a high S-parameter (to minimize the bound on Eve's information and thus key reduction during privacy amplification) with one correlator E xrawyraw being large so that error correction is minimal, which are conflicting requirements.This conflicting nature is indeed illustrated in Fig. 6, where one observes that S max decreases in time while C increases-just as r DI1 and r DI2 decrease as r DD(6−state) and r DD increase.
Furthermore, the difference between secret key rates granted by the two device-dependent analyses, r DD(6−state) and r DD , are apparent in Fig. 6(c).The difference between these techniques, as discussed in Sec.III B, is how one bounds an eavesdropper's information: r DD uses the Holevo information based on a reconstruction of the density matrix ρ AB while r DD(6−state) uses three correlators.If the quantum state that Alice and Bob share contains a high tangle, then Eve's Holevo information will be low and thus r DD mainly depends on the strength of the correlator used to generate key.On the other hand, the privacy bound for r DD(6−state) does depend on alignment as three high correlators are needed for key generation.We see that in our results: first, r DD always outperforms r DD(6−state) (as mentioned in Sec.III B) and, second, the difference between the two key rates is largest initially (when bases are the most misaligned) and slowly decreases as Alice's and Bob's bases begin to align.
As mentioned above, for our second experiment, we inserted three waveplates into the channel connecting Alice and Bob to randomly vary the polarization transformation.All nine correlators were measured 17 times, and state tomography was performed independently each time.Before each iteration the waveplates were re-positioned based on randomly generated numbers, thus generating a random channel transformation (note that the fiber's own transformation continued to drift as above).In Fig. 7 we present the results.We again plot the figures of merit S max and C max for each of the 17 measurements, as well as the derived asymptotic secret key rates r DI1 , r DI2 , r DD(6−state) and r DD .For device-independent QKD, we found positive secret key rates for r DI1 in 10 out of 17 measurements (i.e. with probability of 59%) and 1 out of 17 measurements (i.e.6%) for r DI2 .For device-dependent QKD, we found positive secret key rates for r DD in 17 of 17 measurements (i.e.100%) and in 15 of 17 measurements (i.e.88%) for r DD(6−state) .Although the size of our experimental sample is too small to really be statistically significant, our observations appear to agree reasonably well with the predictions from the numerical simulations above, assuming a source of entangled Werner states of visibility V slightly larger than 0.95, i.e. a tangle of 0.856-in agreement with the measured tangle of the state, which was found to oscillate from 0.82 to 0.88.
Lastly, we again point out that a consistently high tangle, which our experiment maintained (up to the oscillations), is required but not sufficient to generate positive secret key rates.A high-quality source does not guarantee the high S-parameter needed for device-independent QKD, nor the high correlators needed for device-dependent QKD.An appropriate channel transformation is also required.

V. DISCUSSION
We have presented a practical QKD setup in which the requirement of a common reference frame can be completely dispensed with.A proof-of-principle demonstration of our protocols, which covers both the usual device-dependent case and the deviceindependent case, was performed over 10 km of spooled fiber.Specifically, we have shown that a secret key can in principle be established, considering both a freely drifting spool and randomly chosen transformations, even in the device-independent case (assuming fair sampling, and infinitely long keys).
We believe that the present ideas have potential to find applications in future long-distance quantum communication protocols, in particular in situations where the amount time available to perform the protocol is severely constrained, e.g. in satelite based quantum communications.The present results should be considered as a proof-of-principle experiment, and several technical improvements are required, such as implementing random choices of measurement settings, and a finite-key security analysis [36].For the device-independent approach, an essential step is to close the detection loophole, which has recently been achieved in fully optical systems [37,38].Finally, another challenge consists in devising efficient error-correction protocols for high error rates, as our protocols typically lead to higher error rates compared to the standard approach in which the parties share a common reference frame.

2 FIG. 2 :
FIG.2:Estimated distribution of the bound rDI 2 (5) on the secret key rate for Werner states of visibilities V = 1, 0.98 and 0.95 (in the DI scenario, following the analysis of[21]-i.e.showing security against coherent attacks, for memoryless devices), obtained as in Figure1.

FIG. 3 :
FIG.3:Estimated distribution of the bound r DD(6−state)(7) on the secret key rate for Werner states of visibilities V = 1, 0.98 and 0.95 (in the DD scenario, following the analysis "à la 6-state protocol"), obtained as in Figures1 and 2.

FIG. 4 :
FIG.4:Estimated distribution of the bound rDD (10) on the secret key rate for Werner states of visibilities V = 1, 0.98 and 0.95 (in the DD scenario, improving on the standard analysis for the 6-state protocol), obtained as in Figures1-3.
denotes the von Neumann entropy [S(ρ) = −Tr(ρlog 2 ρ)].We similarly define χ(B y : E) to be Eve's Holevo information conditioned on Bob's measurement result for the choice of setting y.A lower bound on the asymptotic secret key rate one can extract through 1-way post-processing from the data A xraw , B yraw obtained from the measurement of the settings x raw and y raw is then given by the Devetak-Winter bound [32] R ≥ I(A xraw : B yraw ) − min[χ(A xraw : E), χ(B yraw : E)],

FIG. 5 :
FIG.5: Experimental setup.A horizontally polarized, pulsed (50 ps), 532 nm wavelength laser beam is rotated to diagonal polarization via a half wave-plate (HWP), is then split by a polarizing beam splitter (PBS) and travels both clockwise and counter-clockwise through a polarization Sagnac interferometer.The interferometer contains two type-I, spontaneous parametric down-conversion (SPDC), periodically-poled lithium niobate (PPLN) crystals configured to produce collinear, non-degenerate, 810/1550 nm wavelength photon pairs.The clockwisetravelling, vertically polarized (counter-clockwise travelling, horizontally polarized) pump light passes through the first crystal without interaction (as SPDC is polarization dependent) and may down-convert in the V-PPLN crystal (H-PPLN) to produce two horizontally (vertically) polarized photons.After exiting the interferometer, the remaining pump light is filtered out using a high-pass filter and the entangled photons are separated on a dichroic mirror (DM) and sent to qubit analyzers consisting of waveplates, a PBS and single-photon detectors.

FIG. 6 :
FIG.6: Results from our free-drifting experiment, as a function of time (for each of our 72 data sets; see main text).(a-b) Our figures of merit: the maximal CHSH value Smax and the maximal sum of correlators Cmax, as defined in the main text.(c) Asymptotic secret key rates rDI 1 , rDI 2 , r DD(6−state) and rDD corresponding to each of the 4 scenarios studied in Sections II and III.

FIG. 7 :
FIG.7: Results from our randomized polarization transformation experiment, for each of our 17 experimental runs (see main text).(a-c) as in Figure6.
[20]1:Estimated distribution of the bound rDI 1 (3) on the secret key rate (in the DI scenario, following the analysis of[20]-i.e.ensuring security against collective attacks), obtained by generating 10 7 random pairs of orthogonal measurement triads uniformly distributed on the Bloch sphere, to be measured on Werner states of visibilities V = 1, 0.98 and 0.95.For each value of V , each data point corresponds to the number of samples (out of 10 7 ) giving a value rDI 1 within an interval of sive δr = 0.01.