QKeyShield: A Practical Receiver-Device-Independent Entanglement-Swapping-Based Quantum Key Distribution

Quantum key distribution, in principle, provides information-theoretic security based on the laws of quantum mechanics. Entanglement swapping offers a unique ability to create entanglement between qubits that have not previously interacted. Entanglement-swapping setup helps in building a side-channel-free Quantum key distribution. A receiver-device-independent quantum key distribution protocol based on this idea, QKeyShield, is proposed. It adopts the use of a biased operator choice, thus, increasing the rate of generated bits. Several measures have been integrated to protect the sent qubits. Furthermore, security analyses for a list of attacks allowed by quantum mechanics are provided showing that QKeyShield can securely and effectively allow Alice and Bob to agree on a secret key. QKeyShield has certain advantages over earlier protocols including the ability to achieve high usage efficiency and the potential of enabling conference quantum key distribution.

be publicly announced and used to detect the presence of eavesdroppers. The first direct consequence of using entangled qubits is the provision of fully random bits to both parties where the qubits are correlated with each other (ideally with maximally entangled two-qubit states). Entanglementbased schemes also have the advantage of not requiring a random number generator. As a result, entanglement-based quantum key distribution offers a lot of promise for practical use. Entanglement also alleviates security problems associated with single photon-based key distribution methods. Thus, quantum entanglement's use for quantum key distribution is a hot topic in modern quantum cryptography research.
Entanglement swapping (ES), one of the properties of quantum entanglement, can entangle two quantum systems that do not interact with one another. Entanglement-swapping helps in building a side-channel-free QKD [5], [6] Several experimental studies have been conducted to investigate the ES phenomenon with discrete variables [7], [8] and continuous variables [9], or even with a hybrid approach [10]. For example, the achieved fidelity by the authors of [7] is 84.9 ± 3.6% which infers the violation of the CHSH Bell inequality by more than two standard deviations. Similarly, the swapped state of [10] violates the CHSH Bell inequality by more than 4 standard deviations, and they concluded that the obtained entangled states could be directly used for QKD. ES is used in several QKD protocols such as [11], [12], [13], and [14], where the fact that both Alice and Bob must select randomly between two potential measurements ensures the security of these protocols. Conversely, several entanglement-swapping-based protocols that do not require alternative measurements have been proposed in the literature, first appearing in Cabello's work [15]. Researchers have tried to minimizes the required number of detectors, which are by far the most expensive components in QKD according to NIST [16]. Alternative measurements require three beamsplitters and four detectors per user. QKD protocols that do need alternative measurements can perform the measurement on a single basis which requires only two detectors and one polarization beamsplitter. Schemes that do not require alternative measurements use Hadamard gateone of the least cost-efficient gates [17]-to provide the required randomization that helps in detecting eavesdroppers. Although QKD protocols can offer secure key distribution, the system's detectors are neither entirely trusted nor guarded. Currently, the majority of quantum hacking methods make use of the receiver's detectors [18]. Deviceindependent-QKD (DI-QKD) is the most optimistic scenario for closing security holes as no assumptions need to be made regarding the system's devices [19]. Another family of protocols is MDI-QKD, where only the measurement devices are not characterized [20]. The situation where the source and one of the parties are not trusted have been considered in [21] and [22]. Other recent studies consider the situation where only the receiver's device is not trusted, called receiverdevice-independent-QKD (RDI-QKD) [23], [24]. Moving to the RDI-QKD scenario can be advantageous for situations where Bob's devices are placed in an unmonitored environment.
In this work, we propose an entanglement-swapping-based RDI-QKD scheme. The main contribution of QKeyShield is fivefold: 1) it minimizes the attack surface and maximizes efficiency by reducing the number of transmitted qubits to one and the number of classical messages to zero per each expected secret bit; 2) it employs a biased probability on performing either Hadamard or identity operators on the shared-state's qubits which assures the protocol's security and efficiency; 3) it is information carrier qubits are kept secret, which filters out several attacks such as the interceptresend attack, measure-resend attack, and detector blinding attack; 4) it balances several efficiency metrics while achieving a high key rate; and 5) it has the potential to be used as an unconditionally secure conference (multiparty) QKD scheme.

II. PRELIMINARIES
Before presenting the related works and the QKeyShield protocol, let us introduce the quantum states and quantum operations, and illustrate the property of the quantum entanglement swapping, which will be used later. A state of two maximally entangled qubits, the simplest form of entanglement, is called Bell state, and a state of three or more maximally entangled states is called Greenberger-Horne-Zeilinger (GHZ) state. The following are known as the Bell basis in the computational basis {|0 , |1 } and Hadamard basis {|+ , |− } [12]: where |+ = 1 √ 2 (|0 + |1 ) and |− = 1 √ 2 (|0 − |1 ). Similar to Bell state, let us define the eight GHZ basis for three qubits, A. QUANTUM OPERATION Given a known quantum state, it is possible to transform it into any other state, and the mathematical representation is known as a quantum operation. The following are some popular quantum operations: where I, X , Y , and Z are called the Pauli operators, and H is called the Hadamard operator. I is the identity operator that keeps the state intact. The operators X , Y , and Z , respectively, rotate (flip) around the x, y, and z axes of the Bloch sphere by π radians, so X |1 = |0 , Z |+ = |− , and H |1 = |− . Unlike many classical and quantum operators, Pauli operators are self-inverse (Hermitian), meaning H ⊗2 = I . Similarly, these operations could be applied to states with more than one qubit like any of the entangled state |φ ± and |ψ ± . These states can be an entangled state on the computational basis or Hadamard basis as shown in Equation (1) All the measurements in this work are done on the computational basis (Z ). As per Equation (1), |φ ± = |φ ± Z = |φ ± X and |ψ ± = |ψ ± Z = |ψ ± X , the subscripts (Z , X ) are dropped to represent a Bell state independently of the base |φ ± and |ψ ± .
Such a quantum operation could be applied to one qubit of the entangled state but not to the other, creating its dual state [25]. If we apply a Hadamard operation on the first qubit, we get the dual states {|W ± , |X ± }. Likewise, when we perform a Hadamard operation on the second qubit, we get the dual states {|K ± , |D ± }. To illustrate, let us assume the Hadamard operation, H (1) , is applied to the first qubit (indicated by the superscripts (1)) of the entangled state |φ + , The following are the possible states of performing a Hadamard operation on one of the state's qubits, Equation (5) shows the obtained dual states when performing the Hadamard operation on one of the state's qubits. Performing another Hadamard operation on any of the qubits transforms the dual state back into the original Bell states, Given an entangled state between Alice and Bob |φ + AB , Alice and Bob can perform a local Hadamard operation on her/his qubit which affects the entangled qubits' correlation. If the Hadamard operation is performed on both of the qubits by Alice and Bob, the state H (1) H (2) |φ + AB = |φ + AB will stay intact.

B. QUANTUM CORRELATION PROPERTY
Entanglement Swapping (ES) is a technique that allows two quantum systems that do not interact directly to become entangled. The beauty of entanglement swapping can be summarized in the idea of having entangled qubits that have never interacted in the past. Let us start by briefly reviewing how this ES-based protocol works. Let us assume that the initial state of the two states are on similar basis (computational basis Z ), |φ + 12 = |φ + 34 = 1 √ 2 (|00 + |11 ); thus, the quantum state of the whole system containing the qubits 1, 2, 3 and 4 can be written as: If we measure the qubits 1, 3 and 2, 4 in the Bell basis, respectively, their measurement outcomes are as follows,

C. BIASED UNITARY OPERATOR CHOICE
The BB84 protocol, published by Bennett and Brassard in 1984, is the most well-known QKD protocol [3]. Alice encodes the secret information in BB84 at random into the rectilinear and diagonal basis and transmits the states to Bob. Bob randomly measures the received states in two basis. They then compare the basis via the classical channel. The key is derived from the states that Alice and Bob use the same measurement basis when measuring them, which means that 50% of the raw data is discarded on average. A simple adjustment to the BB84 technique that may theoretically allow one to achieve 100% efficiency asymptotically has been proposed by the authors of [26]. Their technique is based on two modifications to the BB84 protocol: biased base selection and better error analysis. The initial nonuniformity adjustment enabled Alice and Bob to attain significantly higher efficiency with their raw data. In fact, they demonstrated that this efficiency can be arbitrarily close to 100% in the long key limit. The use of biased selection probability has been extensively studied and tested experimentally [27]. Entanglement-based protocols and decoystate-based protocols employ biased approaches as well as in [27], [28], and [29], respectively.
In this work, Alice produces a maximally entangled Bell state |φ + AB . Alice keeps the qubit (A) of the maximally entangled state |φ + AB for herself and sends the qubit (B) to Bob. Alice (Bob) performs a random unitary operator, Hadamard (H ) or identity (I ), on her (his) qubits A (B). Alice (Bob) chooses between the two operators, Hadamard and identity, with probabilities p and (1 − p), respectively. Alice and Bob choose a number 0 < p ≤ 1 2 whose value is publicly revealed. Alice and Bob announce their choices through the public channel. Alice and Bob categorise their choices into four scenarios based on the actual operator employed. When they employ different operators, they discard the two situations. The remaining two cases will be used for key generation and Eve detection.

III. RELATED WORK
The early entanglement-based QKDs protocols depend on the use of alternative measurements, where Alice and Bob use several measurement bases and alternate between them randomly, to make the protocols secure against any eavesdropper attack such as Ekert protocol [4]. This approach has been used in several entanglement-swapping-based QKD, see the correlation equation (8), as well as in [11], [12], [13], and [14]. There are two main drawbacks of the use of alternative measurements. First of all, only a small portion of the transmitted quantum states is used to generate the key while the others are for eavesdropper interference detection, which reduces the key-bit rate. Secondly, a quantum memory is required to store the quantum states sequences until Alice(Bob) tells the other party on the grouped qubits indices and on what basis the measurement should be performed, which makes such solutions impractical for limited resource devices [11], [12], [13]. The advantage of such solutions is that these protocols can differentiate between bit-error-rate (related to device malfunctions of state incoherence) and quantum-biterror (related to Eve interference).
Conversely, several entanglement-swapping-based protocols that do not require alternative measurements have been proposed in the literature, the first of which appeared in Cabello's work [15]. The idea was revolutionary, which led several authors to propose successful attacks on the Cabello protocol, such as [30]. As a reaction, Cabello published another version of his protocol where Hadamard operation is suggested to make the protocol more secure [31]. Alice performs the Hadamard operation on the first qubit of a randomly prepared shared-state and sends the other qubit to Bob and informs Bob afterward whether he needs to perform the Hadamard operation on the second half or not. The Hadamard operation cannot be performed on each state as Eve can achieve an undetected collective attack by conducting entanglement-swapping between the travelling qubits and their ancilla state, | = H |φ + Alice |P + Eve .Alice, Bob, and Eve will end up sharing a maximally entangled state (|P + ). Similar to [32], Cabello suggested that Alice perform a Hadamard operation on her half of a Bell state and sends the other half to Bob and tells him whether she applied the Hadamard operator or not. Alice performs the Hadamard operator on random states; otherwise, the protocol is not secure. The authors of [33] demonstrated that the Chong protocol, [34], is open to a collective attack as simplified and they proposed a modified version where the same benefits of the Hadamard operator have been used. Similar to Cabello's suggestions, the Hadamard operation is performed on random states, otherwise the protocol is not secure [34].
Another type of entanglement-swapping QKD protocol relies on one of the parties, Alice, to generate N Bell states and divide the states qubits into two sequences, such as in [35]. Then, Alice keeps one sequence for herself and sends the other to Bob. Bob chooses a group of qubits at random and performs Bell operator measurements on them in pairs, then informs Alice of the measurement results of the chosen qubits. Alice compares her results to Bob's by doing Bell operator measurements on the corresponding qubit. If Alice's measuring findings match Bob's, she deems Bob to be legal, and the communication proceeds. Unfortunately, Eve can intercept each qubit and conduct an entanglement-swappingbased attack between the sent qubit and a prepared ancilla state. This approach is not secure for two reasons. First of all, Eve conducts no measurement during the security check stage as it is not secret; therefore, no correlation error is introduced. Secondly, once Alice(Bob) chooses two random qubits to conduct Bell measurements on them and informs Bob(Alice) publicly about the chosen qubits indices, Eve can choose the same qubits to perform the measurements on and follow the same procedure. As has been noted, some of the entanglement swapping-based protocols are either insecure due to the lack of randomization [30] that confuses the eavesdropper or due to the use of simple operators such as the bit-flip operator, which has been proven to be insecure [33]. Other protocols are inefficient as they increase the number of exchanged qubits, which increases the attack surface [36]. Some of the protocols have no potential to be used as a conference key distribution due to the use of intermediate trusted node(s) [36]. Increasing the attack surface by sending several qubits or introducing intermediate node(s) gives Eve the ability to perform a successful collective attack or decrease the protocol efficiency.
Despite the fact that QKD protocols can provide secure communication channels, the detectors utilised in the system are neither safeguarded nor entirely trusted. There are possible dangers in real-world implementations due to weaknesses in QKD devices that eavesdroppers might exploit. Most quantum hacking methods now rely on manipulating the detectors of the receiver [18]. In recent years, researchers have made significant contributions to theoretical and experimental research. Device-independent quantum key distribution (DI-QKD) is the most promising scenario for solving security holes [19]. It is not essential to make any assumptions about the underlying workings of the QKD device's security. In DI-QKD, quantum devices are considered as black boxes that produce classical outputs. These devices are thought to run a quantum algorithm, but no assumptions are made about the quantum algorithm that generates the outputs. Several notable advancements in recent years have narrowed the gap between theoretical requirements and practical performance, making DI-QKD a potential research pathway. However, due to hardware technological challenges, DI-QKD remains unattainable for the current state-of-the-art. The DI-QKD, in contrast, needs an extremely high detection efficiency in order to address the difficulty of discovering loopholes in the Bell tests [37]. In search for a better approach than DI-QKD, measurement-device-independent QKD (MDI-QKD) protocols assume that the adversary can control or build the measurement devices (detectors) [20]. The reliance on Charlie's communications is one of MDI-QKD's key drawbacks. Charlie may purposefully postpone transmitting the results in order to render the protocol unusable for real-time applications. On the other hand, it is possible to ensure security while making fewer assumptions. Some protocols rely on relaxed assumptions where only the receiver devices are uncharacterized. Recently, Ioannou et al. published a prepareand-measure RDI-QKD protocol [23], [24]. Its efficiency is not optimal as it discards more than 50% of the results. Another 1SDI-QKD protocol has been published recently by Taha et al. [38]. They did not consider the parameter estimation step where Eve's presence is detected. Only 25% of the rounds are used for key generation, and classical messages are required for each round. Another related protocol was published in 2021 by Yuan et al. [39]. Their efficiency is not optimal as only 25% of the rounds are used for key generation, and classical messages are required for each round.

IV. QKEYSHIELD PROTOCOL
Consider a scenario where an organization wants to establish secret keys with its customers. The organization may invest a significant amount of money in creating a reliable measuring device, but the customers on the other end of the channel might have low-cost (and unsafe) detectors. Users' measuring devices might be built by the adversary. In light of this, we propose an RDI-QKD in which Alice's measuring device and the entanglement sources are trusted but Bob's measuring device is not. We also assume that we have two types of channels: quantum and classical. Alice sends the swapping qubit to Bob through the quantum channel. Alice and Bob use the classical channel for information reconciliation and privacy amplification. The following enumerated steps describe QKeyShield in detail (see also Figure 1): 1) Hadamard operation probability: Alice and Bob choose a number 0 < p ≤ 1 2 whose value is publicly revealed. p represents the probability of performing Hadamard operation and (1 − p) the probability of performing the identity operator. Assume q total is the total number of transmitted qubits. Bob receives a series of q total qubits from Alice. The value of p is set in such a way that q total (p 2 − ) = n 1 = (logq total ), where is a small positive number (i.e., the error due to statistical fluctuations) chosen by Alice and Bob. n 1 and n 2 are the number of test samples chosen from the subsets where they both perform Hadamard operator or identity operator, respectively. 2) Initial states preparation: Alice prepares two entangled states, |φ + 12 and |φ + AB , and Bob prepares an entangled state, |φ + 34 , see Figure 1.(a). The initial quantum state of the whole system containing the qubits 1, 2, A,B, 3, and 4 can be written as: 3) Swapping state preparation: Alice produces a maximally entangled Bell state |φ + AB . 4) Swapping qubit sending: Alice keeps the qubit (A) of the maximally entangled state |φ + AB for herself and sends the qubit (B) to Bob, see Figure 1.(b). 5) Hadamard operation performing: Alice (Bob) chooses between the two operators, Hadamard and identity, to perform on her (his) qubit A (B) with probabilities p and (1 − p), respectively. If Hadamard operation is performed on both of the qubits simultaneously by Alice and Bob, the state H (1) H (2) |φ + AB = |φ + AB will stay intact. If the Hadamard operation is performed successively, let us say Alice first as she is the sender, then Bob, we get: H (1) |φ + AB = |W + AB , see Figure 1.(b). Then, Bob receives qubit B and performs the Hadamard operation, which will undo Alice's Hadamard operation, H (2) |W + AB = |φ + AB . Alice randomly chooses to perform a Hadamard operation on her qubit A before sending qubit B to Bob or after sending. If she performs the Hadamard operation after sending, Eve intercepts qubit B of the state |φ + AB . If she performs the Hadamard operation before sending, Eve intercepts qubit B of the state |W + AB . Whether this operation is conducted before or after sending; it won't affect the measurement outcomes; however, it secures the transmission of the qubit B. The security benefit of Alice's random decision is discussed in Section X-A. 6 Knowing their own BSM results, Alice and Bob, could determine which Bell state they are sharing |φ ± 24 , or |ψ ± 24 . They can decide their desired states before starting the protocol, and we do not assume such information is secret. If they choose |φ ± 24 as their desired states, they will share the same secret bit ''0'' or ''1'' when measuring qubits 2 and 4. Thus, they have to agree on a mechanism that makes sure their shared state is always |φ ± 24 . 7) Desired state preparation: If they choose |φ ± 24 as their desired state, Alice(Bob) should perform a quantum bit-flip to her(his) unmeasured qubit 2(4) only if her(his) own measurement is |ψ ± 1A (|ψ ± B3 ), where |b 2(4) represents Alice's(Bob's) qubit 2(4). By doing so, Alice and Bob collaboratively, decentrally, and without classical communication prepare the desired state between them, see Figure 1.(d) and Table 1. The final shared state is not always |φ + AB , it might have a phase shift |φ − AB ; however, the probability of measuring the state on the computational base(0 or 1) is unchanged. 8) Desired state measurement: Alice and Bob share one of the maximally entangled states |φ ± 24 = 1 √ 2 (|00 24 ±|11 24 ). Alice(Bob) performs a single-qubit measurement on qubit 2 (4) on the computational basis as no alternative measurement is required. They both got either 00 or 11. 9) Repeat: Alice and Bob repeat steps 1-8 until they get a sufficiently long string. For convenience, we consider the protocol steps 1-8 as one round. 10) Sifting: Alice and Bob will follow the previous protocol steps without sharing with each other the measurement results or the used operators. Once Bob receives the q total -qubits, they start the sifting phase. During the sifting phase, Alice and Bob reveal the operators that are being used for each qubit through the public channel. When they employ different operators, they discard the results. The remaining results are retained for further analysis. 11) Error estimation (QBER): Alice and Bob split the approved results into two subsets based on the performed unitary operator (Hadamard or Identity). They then select a predetermined number of samples, say n 1 , at random from the subset where they both conduct Hadamard operation, then compare their findings publicly. The estimated quantum bit error rate (QBER) on Hadamard operator e 1 = r 1 n 1 is determined by the number of mismatches r 1 . Similarly, Alice and Bob choose a fixed number of instances, say n 2 , at random from the subset where they both perform identity operations and compare their measurement findings publicly. e 2 = r 2 n 2 is the expected error rate based on the amount of mismatches r 2 . They require where e max is a specified maximum allowable error rate and e is a minor positive value. According to Shor-Preskill [32], e max is around 11%. If these two separate limitations are met, they proceed to the next step. Otherwise, they abort. 12) Information reconciliation and privacy amplification: If the protocol passed the error estimation step, we are left with (N − n 1 − n 2 ) measurement results, which we consider as the raw key. Alice and Bob construct the final secret key by performing information reconciliation and privacy amplification, which utilize classical algorithms. Our focus here is on raw key generation and discussion of privacy amplification algorithms (which are based on classical algorithms) is beyond the scope of our focus, which is centered on quantum key generation.

V. ERROR CORRECTION
Following the protocol steps, Alice and Bob will share the maximally entangled state |φ ± 24 . Once they measure their shared state's qubits, Alice and Bob are supposed to share the same classical bits (00 or 11). But, due to decoherence, measurement errors, or other quantum noise, the sifted key will have some erroneous values [40]. Thus, Alice and Bob might share different classical bits (01 or 10). More generally, Alice and Bob choose a number p which represents the probability of performing the Hadamard operation, and (1−p) the probability of performing the identity operator. Normally, p value is chosen to be less than 1 2 as the biased approach is followed. A faction, p, of the measurements where they both perform Hadamard is used for eavesdropper check and remaining fraction, 1 − p, of measurements, are used to generate the key. QKeyShield always measures along the computational base. The final shared state might have a phase flip |φ + AB or |φ − AB ; however, the probability of measuring the state on the computational base(0 or 1) is unchanged. The phase-flip error rate does not affect the final measurement. The bit-flip error rate is given by: where e 1 and e 2 are the QBERs when Alice and Bob both employ the Hadamard and identity operations, respectively. The simplest classical error correction code is the three-bit code whose encoder duplicates the bit three times: 0 → 000 and 1 → 111. This method is ineffective in a quantum channel because the no-cloning theorem prohibits the repetition of a single qubit more than three times. To overcome this, a different method has to be used, such as the use of GHZ state that is consists of 3 maximally entangled qubits (|P = 1 2 (|000 + |111 )). We do not copy these qubits; we create them and entangle them in such a way that they hold the same value once measured. The GHZ state code is capable of detecting and correcting a single error. For generalization purposes, a state of Nq maximally entangled qubits can be called cat state, |Cat , where b ⊂ {0, 1} and the bar above b indicates its logical negation. Nq represents the number of qubits in the state. Alice(Bob) can replaces her(his) private state |φ + 12 (|φ + 34 )  (12) is measured, it can be found in one of 16 possibilities. These possibilities are aggregated based on the obtained states by both Alice and Bob:|φ ± 1A |φ ± B3 , |φ ± 1A |ψ ± B3 , |ψ ± 1A |ψ ± B3 , and |ψ ± 1A |φ ± B3 . The default shared stated can be either |φ ± 24 or |ψ ± 24 . Alice(Bob) follows Equation (13) to prepare the desired state. by a Cat state |Cat . Alice(Bob) can decide how many repetitive qubits (Nq) she(he) wants to use for the error correction. Alice (Bob) performs a BSM between qubit A (B) and one of her(his) Cat state qubits, |b j , which will results in a new entangled pair, let us call it |SW A (|SW B ), see Figure 2. Conducting BSM results in projecting all the remaining qubits of Alice and Bob, which are (2 × (Nq − 1)) into an entangled state, let it be |ω , Alice(Bob) measures the state |SW A (|SW B ) to know if a bit-flip operation on the remaining qubits (|Cat Nq−1 ) is required, Assuming that Nq − 1 = 3, Alice (Bob) measure three qubts and map the obtained code words into a single bit, {000, 001, 010, 100} → 0 and {011, 101, 110, 111} → 1. By doing so, they can decrease the probability of mismatch between them.

VI. TIME-REVERSED QKEYSHIELD
The time-reversal scenario where the single-qubit measurement is conducted before the swapping operation (BSM) has first appeared in [41] and its security has been proven in [6]. Interestingly, QKeyShiled can also be implemented in a time-reversal fashion, see Figure 3. This is because BSM operations commute with Alice's and Bob's singlequbit measurements. As a result, the measurements might be reversed in sequence. That is, Alice and Bob do not need to wait for the BSM results to measure half of their Bell states, but they can measure them beforehand. This converts the original QKeyShiled protocol into an analogous prepareand-measure technique, in which the unmeasured qubits 1 (3) of Alice(Bob) can be considered as BB84 states. Similar to step (6) of the QKeyShield protocol, Alice (Bob) performs BSM between qubit A (B) and her(his) qubit 1 (3). It's worth noting that BSM provides no information about the individual bit values that are obtained when measuring qubits 2(4); however, it helps in preparing the desired shared classical bit, detecting Eve's intervention, and testing Bob's device credibility. Similar to step (7), Alice (Bob) performs a classical bit-flip to her(his) obtained bit only if her(his) BSM result is |ψ ± 1A (|ψ ± B3 ). Most significantly, Alice and Bob follow the same error estimation strategy used in the original QKeyShield.
Using the time-reversed mode, the information is obtained beforehand, which provides another layer of security. It helps in securing the protocol against detector blinding attacks. This version and the original version are almost similar; therefore, throughout the rest of this paper, we only mention QKeyShield.

VII. SECURITY DEFINITIONS
QKD's security is assessed in comparison to a flawless key distribution method in which Alice and Bob share a real  random secret key. QKeyShield would consider a key (K ) to be a perfect key if it is a random bit string whose value is fully independent of Eve's knowledge. The deviation ε from a perfect key can be used to determine the security of K which is formulated in terms of security definitions that were proposed in [42]. Let S A and S B represent Alice's and Bob's bit strings.
Definition 1 (Correctness): The protocol is said to be ε correct if that is, the probability (Pr) that Alice's and Bob's keys are not identical is not greater than ε correct . Definition 2 (Secrecy): With respect to an adversary holding a quantum system E, a protocol is said to be ε secret if the joint state satisfies: where . 1 is the trace norm, τ K is the mixed state of K . That is, ρ AB is ε secret close the perfect key. ε secret can be interpreted as the maximum tolerated failure probability, where failure indicates that Eve might have gained some knowledge. Definition 3 (Security): A protocol is considered to be ε secure if its both ε correct and ε secret , with ε correct + ε secret ≤ ε secure .

VIII. KEY RATE
Let the percentage of the used qubits in key generation (η) be where q k is the number of used qubits in the key generation and q total is the total qubits transmitted(it is used interchangeably with N , where N represents the total number of the protocol rounds). QKeyShield minimizes the number of discarded results as it adopts the use of a biased selection approach along with adequate error analysis; therefore, the probability of a qubit to used in the key generation is high. The number of discarded measurement results (bits) can be given by where p represents the probability of performing the Hadamard operation and it is bounded by 0 < p ≤ 0.5; and (1 − p) represents the probability of performing the identity operator. After we discard the mismatched measurements, we divide the remaining results between error estimation and the sifted key. As discussed earlier, two test sets, n 1 and n 2 , of length (1−p)×N are taken from both measurements. Thus, the total number of bits used for error estimations read The remaining measurements results are the sifted key and can be given by After the error estimation step, Alice and Bob are left with M measurement results, M = N −n 1 −n 2 . Alice and Bob perform local error correction, discussed in Section V, to form their raw key, denoted K M A and K M B , respectively. Then Bob performs a one-way error correction over the public channel to compare his key to Alice's key. This error correction procedure reveals b leak bits of information. The maximum tolerable probability of K M A = K M B after error correction is denoted as ε EC . To find out if the final raw keys are corrected, Alice computes a hash h A of length log( 1 ε EC ) from her raw key K M A . She sends the hash function and h A to Bob over a public channel. Then Bob computes h B . If h A = h B , the protocol aborts. The total leaked information during the error correction is given by b leak + log( 1 ). If the error correction step is successful, Alice and Bob then perform privacy amplification to distill a shorter secret key. They apply the same two-universal hash to the error corrected keys after privacy amplification is denoted as ε PA . The secret key length L satisfies where H ε min (K M A |E) is the conditional smooth min-entropy of Alice's key and Eve's knowledge. Computing H ε min (K M A |E) is a challenge as Eve information is not accessible to Alice and Bob; therefore, the correlation between K M A and K M B can be used to bound the correlation between Alice and Eve [21], which gives where H ε max (K M A |K M B ) corresponds to the amount of information that Bob needs to reconstruct Alices' key K M A with ε error probability (H ε max (K M A |K M B ) = nH (e max )); D q corresponds to the preparation device quality and we assume that the source is ideal, that is, D q = 1; e max is a specified maximum allowable error rate; and H (x) is the binary Shannon entropy, H (x) = −xlog 2 (x)−(1−x)log 2 (1−x). The secret key length reads: (28) According to the security definitions, If QKeyShield always aborts, it is still secure. Consequently, completeness is another crucial aspect that should be taken into account. It represents the protocol probability of not aborting, 1−ε abort for small ε abort . Due to the biased approach, QKeyShield allows for a significantly higher sifting efficiency. The sifted key is extracted from the measurements of the dominant operator, let say the identity operator, and the measurements of the non-dominant operator are used for error estimation. Finlay, the secret key rate for finite N reads where q total (η sif , η ES ) = η sif + η ES + 2 √ η sif η ES represents the total number of required qubits that should be sent until η sif sifted key bits and η ES error estimation bits are collected; and ω is the experiments repetition rate, i.e. the inverse of the time required for a single experiment. When q total is sufficiently large, the sifted key tend to infinity η sif → ∞, thus L/q total (η sif , η ES ) → 1. For arbitrary security bound, ε > 0, the formula of the asymptotic secret key rate can be given by where H (.) is the binary Shannon entropy; and e 1 and e 2 are the QBERs when Alice and Bob both employ the Hadamard and identity operation, respectively. This equation represents the upper bound on the secret key rate, which is only possible with ideal implantation.

IX. FINITE-KEY SECURITY PROOF
We remark that the security definitions listed in Section VII are composable. That is to say, the security of the resulting combination can be deduced from the security of the individual components proofs. Lemma 1 (Security of QKeyShield): QKeyShield protocol is ε total secure, with ε total ≥ ε EC + ε secure + ε PA Proof: To begin, we show that QKeyShield is ε EC . Alice and Bob obtained the hashes h A = h B of length log 2 ( 1 ε EC ) by performing a two-universal hash function on their raw keys. The probability of two hashes of length log 2 ( 1 ε EC ) of two different inputs to coincide is small, 2 To demonstrate the protocol's secrecy, the Quantum Leftover hashing lemma [43], [44] is used to give us the upper bound that follows, where L is the length of S A after the privacy amplification and E represents the total information that Eve learned about K M A . This comprises her quantum system E Q , information gained during Alice and Bob classical communication E C , and the knowledge about the used hash function E F , E = E q E C E F . By employing the min entropy chain-rule [43]: where log 2 |E C | represents Eve's gained knowledge during the error correction and is given by ). By substituting this in Equation 34, By inserting Equation 35 into 33 we obtain: In the above, we have proven the QKeyShield secrecy and by combining this with ε EC proof, we have demonstrated that QKeyShiled is ε t otal secure with ε total ≥ ε EC + ε secure + ε PA .

X. EAVESDROPPING STRATEGIES
In this section we explored all the attacks that are allowed by quantum mechanics.

A. ENTANGLE-MEASURE ATTACK
Eve intercepts the transmitted qubit to Bob and entangles it with her ancilla state (prepared, say, in the state |E ) by performing unitary operators. Eve then transmits the travelling qubit to Bob. Finally, Eve measures the auxiliary qubit in her hands to learn more about the shared key. As Alice randomly chooses to perform Hadamard operation on her qubit A before sending qubit B to Bob or after sending, the intercepted state by Eve is either |φ + AB or |W + AB . Eve's goal is to intercept the qubits sent from Alice to Bob and attach her ancilla state, let's say |E , to the intercepted qubits. Eve has no information about the intercepted state, so she uses the same unitary operator and the same ancilla state. Eve's unitary operation U e performed on the composite system of the shared-state can be written as: where the states |E φ + and |E W + are simply the states that Eve holds after he unitary transformation depending on the initial state that Alice has send. We know that the initial states |φ + and |W + are not orthogonal to each other; therefore, we can now compare the scalar product of the states on the right hand side with the states on the left hand side of Equations 38 and 39.
The scalar product of Eve's initial states E|E is equal to one. If Eve does not disturb Alice's state, i.e φ + |W + has not changed on the right hand side, the scalar product of E φ + |E W + has to be one as well, which directly implies that the two states have to be the same. That means, no matter which state Alice prepares, Eve always gets the same state. On the other hand, if Eve disturbs Alice's state, she can gain some information about Alice's state.
The more distinguishable Eve's states |E φ + and |E W + , the more disturbed the states |φ + and |Ẃ + . The scalar product φ+ |Ẃ + has to increase so E φ + |E W + decreases. This implies that the more disturbance Eve introduces to the system, the more information she gains. In the above, we have proven the QKeyShield's ability to resist the entanglemeasure attack.

B. COLLECTIVE ATTACK
The essential concept behind a collective attack is as follows: the adversary Eve attempts to find a multi-qubit state that retains the correlation between the two legitimate parties (Alice and Bob). She also provides new qubits to distinguish between Alice's and Bob's measurement findings. If Eve manages to find such a state, she can remain unnoticed throughout her intervention and obtain the shared key. As shown in Figure 4, Eve might prepare a multi-qubit complex state and try to perform a collective attack. Before explaining Eve's attack, let us summarize the QKeyShield basic principles that Alice and Bob will obey: • First, Alice(Bob) performs Hadamard/identity operation on the share-state |φ ∓ AB qubits based on biased probability.
• Alice and Bob's goal is to end up sharing maximally entangled state |φ ± 24 . Eve's attack purpose is to make the system end up in a state  2. Many scenarios that might occur when an eavesdropper applies the incorrect operators providing that eavesdropper's initial state is |P ± DEF . Alice chooses between the two operators, H and I, to perform on her qubit A with probabilities p and (1 − p), respectively. Then she sends qubit B to Bob. After that, Eve intercepts qubit (B) and performs either H or I operator on it with probabilities p 1 and p 2 , respectively. Then, she sends its qubit, F , to Bob after performing either H or I operator on it with probabilities p 1 and p 2 , respectively. Finally, Bob chooses between the two operators, H and I, to perform on the received qubit F with probabilities p and (1 − p), respectively.
In the first scenario, see Figure 4, Eve prepares a GHZ state which is |P ± . Eve intercepts the B qubit that has been sent to Bob, and she follows the same protocol by performing a Hadamard/identity operation on the intercepted qubit and then conducting a Bell operator measurement between the intercepted qubit and one of its qubits. Then, by following the protocol steps, she conducts a quantum bit-flip on her unmeasured qubits. After that, she performs a Hadamard/identity operation on one of its unmeasured qubits and sends it to Bob. Alice(Bob) follows the same steps as usual, which will project the unmeasured state into one of the states summarized in Table 2. Whenever Eve tries to gain information, the shared state of legitimate parties (Alice and Bob) is disrupted.
This attack can be performed on the time-reversed QKeyShield as well with small differences. The presence of Eve will affect Alice's and Bob's BSM results, which will affect the final shared bits due to the performed bit-flip operations.
In search for the best multi-qubit state which preserves the correlation between Alice and Bob, Eve can choose her initial state to be any GHZ states, such as |P ± , |Q ± , |R ± , and |S ± . By exploring Eve's options, we found out that no matter what initial state Eve uses, the results of the legitimate parties (Alice and Bob) are always disrupted.
As can be seen in Table 2, 50% of the results are discarded as Alice and Bob use different operators. On the other hand, 50% of the possibilities Alice and Bob use the same unitary operator; however, the presence of Eve affects 75% of them. Even though the affected results will be used for detecting Eve, only a small portion of the results are used for the key generation. Figure 5 shows the theoretical amount of useful and discarded results while varying the biased selection probability. The use of fair operator selection probability, p=0.5, indicates that 50% of the results are discarded. On the other hand, when we have a completely biased scheme, p = 0, FIGURE 5. Number of discarded results compared to the useful ones while q total = 10000 and the selection probability varies 0 ≤ p ≤ 1 2 . Fair random-based protocols such as RDI-QKD [24] discard at least 50% of the results. no results will be discarded; however, Eve cannot be detected. The use of bias operator selection probability minimizes the amount of results that will be discarded. To detect Eve while using biased probability, we need n 1 and n 2 test samples chosen from the subsets where they both perform the Hadamard operator or identity operator, respectively. The number of test samples n 1 and n 2 should be at least of order (log 2 q total ).

C. COHERENT ATTACK
In this attack, Eve creates a global auxiliary system that interacts with all qubits transmitted through the channel via a global unitary operator [45]. Eve saves the outputs of the auxiliary systems in a quantum memory, waits for Alice and Bob to complete their procedure over the public channel, and then performs an optimum joint measurement on the quantum memory.
In QKeyShield, all of the transmitted qubits are independent of one another, and all of the measurements are performed on each round in a completely independent manner as no classical messages are required. In addition to that, QKeyShield is an entanglement-swapping-based protocol, which means Eve isn't interacting with information carriers qubits, implying that a coherent attack is not more powerful than an individual or collective attack.

D. DETECTOR BLINDING ATTACK
Entanglement-swapping has been utilized in the past for building a side-channel-free QKD [5], [6]. The entanglementswapping dual teleportation channel serves as an ideal Hilbert space filter. QKeyShield is an entanglement-swapping-based scheme that allows Alice's and Bob's qubits that do not interact directly to become entangled. Unlike BB84 [3] and BBM92 [46], the qubit sent by Alice to Bob is not an information carrier; however, it is used to help Alice and Bob to establish secret entangled qubits, that are the information carrier. Bob's device performs three main operations before measuring the secret qubit. It starts by randomly performing a Hadamad operation on the received qubit. Then it conducts BSM. After that, a bit-flip operation is performed on the secret qubit if required. Finally, the secret qubit is measured. A blinding attack will affect the BSM, which will increase the error rate when measuring the secret qubit. Moreover, the time-reversed QKeyShield is more robust against detector blinding attacks as the information is extracted in advance and Eve's input cannot manipulate them.

XI. PROTOCOL EFFICIENCY
QKeyShield is an efficient QKD protocol as it manages to balance several efficiency metrics: communication (information-theoretical) efficiency, resource efficiency, keyrate efficiency, and sifting-time efficiency. We compute the communication efficiency, resource efficiency, and sifting efficiency for each round (protocol steps 1-8).

A. COMMUNICATION EFFICIENCY (σ )
To compute the protocol communication efficiency, the definition proposed by Cabello in [47] is used, where b s represents the expected number of secret bits obtained by Alice(Bob), q t is the number of qubits exchanged, andb t represents the number of classical bits sent (to be realistic, we can consider it the number of classical messages sent). The sent classical messages for the purpose of sifting are not included in this communication efficiency (only the messages that are used in each round for inferring the key). Communication efficiency σ comparison was introduced in [47] where several protocols were compared, such as Cabello, Ekert, Bennett (BB84), etc. The proposed QKeyShield has outperformed Cabello's protocol because every transmission of a single qubit can generate one classical bit of the shared key with local measurements and without the use of classical communication. Thus, the QKeyShield protocol is 100% efficient in terms of σ . The high discard rate of [24] allows for a maximum of 0.5 percent of acquiring a classical bit, similar to the case of the B92 protocol reported in [47].

B. RESOURCES EFFICIENCY (U )
Some protocols use the communication efficiency definition (σ ) to show that their efficiency is 100%; however, they ignore that their protocols require either huge quantum memory for storing all the qubits sequences used in the protocol or several relay nodes. To evaluate the efficiency of the used resources per each protocol in obtaining a single classical bit, we have included several criteria, which are: C1 represents the number of required Bell states; C2 indicates whether the protocol causes a time delay in each round or not, i.e., Alice or Bob wait for each other's results to infer the key; C3 is the number of the performed BSMs; C4 represents the number of quantum memory cells required; C5 is the number of used relay nodes; and C6 is the number of detectors in the measurements. The proposed resource efficiency evaluation is sophisticated and general, as well as beneficial-it encompasses different criteria. The resource efficiency does not take into consideration everything performed in a QKD protocol (only the required qubits, BSMs, time delay, quantum memory cells, and relay nodes). The performed operations by each protocol, such as Hadamard and bi-flip, are not considered as well.
To identify the resource efficiency of each protocol, a multicriteria decision problem needs to be solved; therefore, the well-known Analytic Hierarchy Process (AHP) method is used [53]. Pairwise comparison is used in AHP to establish preferences between criteria, where a numerical scale that ranges from 1 to 8 is used [54]. The value 8 indicates that one criterion is highly more significant than the other, and the VOLUME 10, 2022 TABLE 4. Example of pairwise comparison: two scenarios were considered: 1) all the criteria are ''equal significant'' to each other, and 2) some criteria are ''more significant'' than others (C 4 > C 2 > C 5 > C 1, C 3, C 6). value 1 shows that both criteria are equally significant. As a result, if the significance of one criterion is stated in relation to another, the significance of the second criterion in relation to the first is the reciprocal, where C ij represents the pairwise comparison between the criterion C i and C j . The value 1/8 suggests that one criterion is extremely less significant than the other. The weight of each criterion is given by while the normalized weight is given bȳ The table (4) shows the pairwise comparison of two scenarios. In the first scenario, we considered that all the criteria are equally significant. In terms of time delay or technological challenges, some of these criteria are more expensive than others. For example, when a protocol causes a time delay, it becomes slow in establishing a shared key. Additionally, due to the limitations of current quantum memory technology, the use of quantum memory makes the protocol less efficient than others. Finally, the use of intermediate nodes (relay nodes) indicates that the protocol is slower and more expensive. From these points of view, we cannot consider that all the criteria are equally significant. The proposed resource efficiency evaluation is general and it allows us to design different scenarios that match different case study requirements. In the second scenario in the table (4), we think that time delay, quantum memory, and relay nodes are more significant than other criteria. Thus, we consider that: C4 is more significant than C2; C2 is more significant than C5; C5 is more significant than C1 and C3; and C1, C3, and C6 are equally significant to each other. The normalized weights obtained from the pairwise comparison are used to evaluate different entanglement-swapping-based QKD protocols, see Table 5. The protocol resource efficiency, U k , is given by where C ki represents the value of the criterion Ci of the protocol k, and a represents the total number of compared protocols. C ki values are given by: C k1 = #qubits b s ; C k2 = {0, 1} where 0 means that Alice and Bob do not wait for each other to proceed in measuring their qubits, and 1 means that Alice (Bob) waits for Bob's (Alice's) results to proceed in measuring her(his) qubit; C k3 = #BSMs b s ; C k4 = #quantum_memory_cells b s ; C k5 = #relay_nodes b s ; and C k5 equal the number of used detectors.
The first scenario in table 5 where all the criteria are equally significant shows that [24] protocol is the most efficient because it is a prepare-measure protocol. It uses single qubit along with classical messages to obtain a classical bit. In the second scenario, QKeyShield is the best as it eliminates the need for costly criteria such as delay time, classical messages, relay nodes, detectors, and quantum memory. Other protocols that suffer from a time delay can be considered infeasible for hard real-time applications. QKeyShield's resource efficiency makes it feasible for practical applications.

C. KEY RATE EFFICIENCY (δ fin )
Besides minimizing the communication overhead and increasing the resource utilization, QKeyShield has a high key rate efficiency. It minimizes the number of discarded results as it adopts a biased selection approach along with adequate error analysis. Therefore, the probability of a qubit being used in the key generation is high. To assure the security of the transmitted qubits, QKD protocols fall into two main categories: either random-based or memory-assisted, see Figure 6. In the random-based protocols, the legitimate parties choose the measurement basis (or the performed unitary operator) randomly. Some random-based protocols are fair, while others are biased. QKeyShield is biased. Some protocols measure on a different basis (X or Z ). Others, choose FIGURE 6. Comparison of the expected sifting efficiencies. (a) with the help of quantum memory and classical messages, a deterministic approach is used in several protocols [12], [14], [31], [49] and 50% of the obtained bits end up in the sifted key. (b) QKeyShield uses the biased approach; thus, the estimated proportion of bits with operators conflicts drops from half to 2 * p * (1 − p) × q total and the estimated proportion of bits that end up in the sifted key increases to (p 2 − (1 − p) 2 ) × q total . (c) a fair approach that is used in most traditional QKD protocols [25], [48], [50] and in most recent protocols such as [24] where only 25% of the obtained bits end up in the sifted key because the probability of performing the Hadamard operator is p = 0.5. randomly between sending decoy state or normal state [29]. QKeyShield chooses different operators randomly (H or I ). However, the probabilities is the same as we have two random realizations. In the memory-assisted, one of the parties chooses the random action (whether measurement basis or unitary operator) and informs the other party about the chosen action. In the memory-assisted approach, Bob does not perform the Hadamard operator randomly; rather, he stores the received qubits and waits for Alice to inform him if a Hadamard operation is required, as in Cabello's protocol. With the help of classical messages and quantum memory that cause great time delay in memory-assisted protocols, 50% of the obtained bits end up in the raw key. The classical messages in this comparison are the ones that are sent before the measurements by the other party. Aside from QKeyShield, none of the examined protocols (see Tables 3 and 5) used bias selection in performing the unitary operators. As shown in Figure 6, QKeyShield allows for a significantly higher sifted key length. When q total is sufficiently large, QKeyShield's efficiency can be made asymptotically close to 100%. Finite Secret-key rate log 2 (δ fin ) of the three categories shown in Figure 6. Parameters: ω = 1, e max = 0.11, b leak = 1.05h(e max ), ε EC = 10 (−10) , and ε abort = 10 −1 . The value of p of QKeyShield is set in such a way that q total (p 2 − ) = n 1 = (logq total ), where is a small positive number (i.e., the error due to statistical fluctuations) chosen by Alice and Bob. Figure 7 shows numerical comparison in terms of finite secret key rate between three approaches: memory-assisted protocols [51], [52]; random-based protocols with fair selection (p = 0.5) [39]; and the biased approach used by QKeyShield where p is set with regards to q total to provide the highest efficiency for the provided three scenarios. QKeyShield's flexibility in choosing the biased probability, p, improves the protocol key rate efficiency. Not all biased approaches perform well all the time, such as the based decoy QKD [29]. They did not mention the probabilities that Alice uses to choose between signal states, decoy pulses, or vacuum pulses. If we assume that the signal states generation probability is similar to Bob's biased probability when measuring on the Z basis, the protocol will achieve its maximum sifted key rate; however, it provides fewer error estimation pulses. As it can be seen, [29] requires large q total to achieve higher key rate. It is worth mentioning that, only a biased memory-assisted protocol can achieve a higher key rate than QKeyShield.

D. KEY ESTABLISHMENT DELAY (T sif )
Many real-time applications are sensitive to delays in packet delivery. Therefore, any key distribution scheme should take this into consideration and hence minimizes the delay. The total delay of the sifted key establishment can be given by where t qm is the propagation time of the quantum messages, t cm is the propagation time for the classical messages, and 2t cm is delay caused by the two messages that are sent by Alice and Bob to inform each other about their random choices. Figure 8 shows a numerical comparison between the surveyed protocols and QKeyShield. It shows that QKeyShiled is the fastest as it eliminates the need for classical messages and minimized the quantum messages to  The key rates are depicted in blue and the channel disturbance rates are depicted in red. The parameters are as in figure 7 except Bob's detector efficiency is D q ∈ {0.6, 0.7, 0.8, 0.9}, q total = 10 5 , and the fibre channel loss is 0.2/km. the bare minimum. It is assumed that t qm = 10 −2 ms and t cm = 10 −1 ms.

E. DETECTORS EFFICIENCIES
Most DI-QKD protocols require highly efficient detectors. DI-QKD requires the detector quality/efficiency to be D q > 91.1% [22]. On the other hand, 1SDI-QKD allows the use of less efficient detectors, D q > 65.9% [22]. That means, we can use the current arbitrary low-quality detectors. This feature makes RDI-QKD protocols practical in situations in which Bob's measurement device is not trusted. Figure 9 shows the key rate along with the channel disturbance as a function of the channel loss. We assume that the channel is a fibre link. The visibility of the signal can be given by: where α represents the fibre attenuation α = 0.2, P e is the probability of an error count per clock cycle P e = 8.5 × 10 −7 , [55], µ is the average number of photons leaving Alice's device, and D q is Bob's detector efficiency. The fidelity can be given by: The channel disturbance is D r = 1−F. In the event that Alice and Bob find out the channel fidelity is insufficient based on the results of their testing, they abort and restart the protocol. They proceed if they are confident that the fidelity is high.

XII. DISCUSSION
In this work, we consider a scenario where an organization wants to establish secret keys with its customers. The organization may invest a significant amount of money to create reliable measuring devices and place them in a secure environment, but the customers on the other end of the channel might have low-cost detectors that are placed in isolated areas. We proposed an RDI-QKD protocol called QKeyShield. The entanglement source and Alice's measuring device are trusted/characterized but Bob's measuring device is not. In this work, we find that QKeyShield is an efficient and secure RDI-QKD protocol. We found out that despite the fact that entanglement-swapping-based protocols use extra Bell states and BSM, they allow for performing local error correction, defending against detector blinding attacks, and having two modes of the protocol, namely, QKeyShield and the time-reversed QKeyShield. These two modes allow us to utilize the features of both entanglement-based and prepare-measure-based protocols. The time-reversal mode of QKeyShield provides another layer of security. That is, Alice does not need to wait for her BSM results and Bob's BSM results to measure half of her Bell states, but she can measure them beforehand. This converts QKeyShield into a preparemeasure protocol; however, the sent qubits are just to detect Eve's presence and to test Bob's measurement device. We found that QKeyShield is more efficient than the prior protocols in terms of communication efficiency, resource efficiency, sifting efficiency, key establishment delay, and detection efficiency. It eliminates the need for classical messages, quantum memory, and relay nodes. It minimises the number of discarded results, the number of required detectors, the required detector quality/efficiency, the number of exchanged qubits, and key establishment delay. QKeyShield increases the key rate, which makes it a practical QKD protocol.
Finally, the security of QKeyShield is assured by the well-established quantum features such as the no-cloning theorem [56], non-locality [57], or the monogamy (i.e., non-shareability) of entanglement [58]. We have proved the protocol's security in general and its security against entangle-measure attacks. It is secure against the existing attacks allowed by quantum mechanics, which has been demonstrated by exploring all the attacks that are allowed by quantum mechanics. It ensures that Eve's intervention is detectable through the use of several measures. The trusted party, Alice, randomly chooses to perform a Hadamard operation on her qubit A before sending qubit B to Bob or after sending. The security QKeyShield protocol depends on the probability of performing the Hadamard (identity) operator. The probability of performing the Hadamard operation (p) is chosen in such a way that, n 1 , n 2 ≥ (log 2 q total ), where n 1 and n 2 are the numbers of test samples chosen from the subsets where they both perform the Hadamard operator or identity operator, respectively. Two error rates, e 1 and e 2 , are obtained from the test samples to evaluate the untrustworthiness of Bob's devices and Eve's intervention. Due to the randomization probability, p, Eve does not know which operator has been used by both Alice and Bob; hence, any eavesdropping attack will affect the correlation between Alice's and Bob's measurement results. In the absence of Eve, Alice's and Bob's measurement outcomes when they use the same operator should exhibit deterministic correlations. If different operators are used by Alice and Bob, their measurement results will not be correlated. Therefore, Eve should perform either the Hadamard operator or the identity operator to ensure her results are correlated with Alice's and Bob's results. Luckily, Eve does not know which operator has been used by both Alice and Bob; hence, any eavesdropping attack would violate the security definitions discussed above. Having enough test samples from each subset, QKeyShield is said to be ε secure protocol.

XIII. CONCLUSION
In this work, we devised an efficient QKD protocol based on entanglement swapping, called QkeyShield, by which a secret key can be established securely between two parties over an ideal quantum channel. It has integrated several measures to improve its practicality. It optimizes several factors: communication, resources, key rate, and key establishment delay. The proposed protocol requires only two medium-quality detectors that are currently on the market. It has two modes, normal mode and time-reversed, that give us the benefits of both entanglement-based and prepare-measure-based protocols. The proposed protocol is not prone to detector blinding attacks due to the use of entanglement-swapping and the timereversed mode.