Upper bounds on key rates in device-independent quantum key distribution based on convex-combination attacks

The device-independent framework constitutes the most pragmatic approach to quantum protocols that does not put any trust in their implementations. It requires all claims, about e.g. security, to be made at the level of the final classical data in hands of the end-users. This imposes a great challenge for determining attainable key rates in $\textit{device-independent quantum key distribution}$ (DIQKD), but also opens the door for consideration of eavesdropping attacks that stem from the possibility of a given data being just generated by a malicious third-party. In this work, we explore this path and present the $\textit{convex-combination attack}$ as an efficient, easy-to-use technique for upper-bounding DIQKD key rates. It allows verifying the accuracy of lower bounds on key rates for state-of-the-art protocols, whether involving one-way or two-way communication. In particular, we demonstrate with its help that the currently predicted constraints on the robustness of DIQKD protocols to experimental imperfections, such as the finite visibility or detection efficiency, are already very close to the ultimate tolerable thresholds.