Device-independent cryptographic schemes aim to guarantee security to users based only on the output statistics of any components used, and without the need to verify their internal functionality. Since this would protect users against untrustworthy or incompetent manufacturers, sabotage or device degradation, this idea has excited much interest, and many device-independent schemes have been proposed. We point out here a critical weakness of device-independent quantum cryptography for tasks, such as key distribution, that rely on public communication between secure laboratories. Untrusted devices may record their inputs and outputs and reveal encoded information about them in their outputs during later runs. Reusing devices thus compromises the security of a protocol and risks leaking secret data. Possible solutions include securely destroying used devices or isolating them until previously generated data need no longer be kept secret. However, such solutions are costly and impose severe constraints on the practicality of many device-independent quantum cryptographic schemes.
A malicious manufacturer who wishes to mislead users or obtain data from them can equip devices with a memory and use it in programming them. The full scope and seriousness of this threat seem to have been overlooked in the quantum cryptographic literature to date. A task is potentially vulnerable to our attacks if it involves secret data generated by devices and if Eve can learn some function of the device outputs. Since even causing a protocol to abort communicates some information to Eve, the class of tasks potentially affected is large indeed. In particular, for the most important application, device-independent QKD, every protocol so far proposed (as far as we are aware) is acutely vulnerable.
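The mechanism described above can be made concrete with a toy simulation. The code below is an added example, not a construction from the paper or code belonging to its authors: it models a simplified DIQKD run (CHSH test rounds plus a key setting, no error correction or privacy amplification) against a device pair whose statistics are honest but whose Alice-side device keeps a memory across runs. The particular leak strategy (replaying stored run-1 outputs in the first rounds of run 2, where the parameter-estimation announcements expose them), the class and function names, the round counts and the abort threshold are all assumptions made for the illustration. The quantum correlations are sampled classically by a helper that sees both inputs, which is only a way of reproducing the ideal statistics in software.

```python
import math
import random

# Added illustration of a memory attack on a toy DIQKD protocol.
# Constants below are assumptions for the example, not parameters from the paper.
Q_WIN = math.cos(math.pi / 8) ** 2   # ideal quantum CHSH winning probability (~0.854)
ABORT_BELOW = 0.80                   # users abort if the estimated CHSH win rate is lower
LEAK_ROUNDS = 200                    # run-2 rounds in which Alice's device replays its memory


class Source:
    """Classically samples the ideal quantum statistics (toy only: it sees both inputs)."""
    def __init__(self, rng):
        self.rng = rng

    def pair(self, x, y):
        a = self.rng.randrange(2)
        if y == 2:                            # Bob's key setting, aligned with x = 0
            return a, a
        win = self.rng.random() < Q_WIN       # CHSH condition: a XOR b == x AND y
        return a, a ^ (x & y) ^ (0 if win else 1)


class AliceDevice:
    """Eve-built device: honest outputs, but it records its x = 0 outputs during run 1
    and replays them in the first LEAK_ROUNDS rounds of every later run."""
    def __init__(self):
        self.memory = []   # survives between protocol runs
        self.run = 0

    def new_run(self):
        self.run += 1

    def output(self, round_index, x, honest_a):
        if self.run > 1 and round_index < LEAK_ROUNDS and round_index < len(self.memory):
            return self.memory[round_index]   # leak a stored bit instead of the honest output
        if self.run == 1 and x == 0:
            self.memory.append(honest_a)
        return honest_a


def run_protocol(rng, source, alice_dev, n_rounds):
    """One simplified DIQKD run. Returns (passed, win_rate, raw_key, public_transcript)."""
    alice_dev.new_run()
    xs, ys, a_out, b_out = [], [], [], []
    for i in range(n_rounds):
        x, y = rng.randrange(2), rng.randrange(3)
        a, b = source.pair(x, y)
        a = alice_dev.output(i, x, a)
        xs.append(x); ys.append(y); a_out.append(a); b_out.append(b)
    test = [i for i in range(n_rounds) if ys[i] != 2]
    key = [i for i in range(n_rounds) if xs[i] == 0 and ys[i] == 2]
    wins = sum((a_out[i] ^ b_out[i]) == (xs[i] & ys[i]) for i in test)
    win_rate = wins / len(test)
    # Public discussion: all inputs, plus both outputs for every test round.
    public = {"inputs": list(zip(xs, ys)),
              "test_outputs": {i: (a_out[i], b_out[i]) for i in test}}
    return win_rate >= ABORT_BELOW, win_rate, [a_out[i] for i in key], public


def eve_attack(public_run1, public_run2):
    """Eve uses only the public transcripts plus her knowledge of the device program:
    run-2 round i (i < LEAK_ROUNDS) outputs Alice's output from the i-th x = 0 round of run 1."""
    inputs1 = public_run1["inputs"]
    x0_rounds = [r for r, (x, _) in enumerate(inputs1) if x == 0]
    key_pos = {r: k for k, r in enumerate(r for r, (x, y) in enumerate(inputs1) if x == 0 and y == 2)}
    learned = {}
    for i, (a, _) in public_run2["test_outputs"].items():
        if i < LEAK_ROUNDS and i < len(x0_rounds) and x0_rounds[i] in key_pos:
            learned[key_pos[x0_rounds[i]]] = a      # position in run-1 raw key -> bit value
    return learned


def demo(seed=7, n_rounds=4000):
    rng = random.Random(seed)
    source, alice_dev = Source(rng), AliceDevice()
    ok1, rate1, key1, pub1 = run_protocol(rng, source, alice_dev, n_rounds)
    ok2, rate2, _, pub2 = run_protocol(rng, source, alice_dev, n_rounds)   # same devices reused
    learned = eve_attack(pub1, pub2)
    correct = sum(key1[k] == bit for k, bit in learned.items())
    return {"run1_passed": ok1, "run1_win_rate": rate1, "run2_passed": ok2,
            "run2_win_rate": rate2, "run1_key_len": len(key1),
            "leaked": len(learned), "leaked_correct": correct}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both runs pass the CHSH test, because the deviation is confined to a fraction of rounds small enough to stay inside the noise tolerance, yet the run-2 parameter-estimation announcements hand Eve a few dozen bits of the run-1 raw key with no errors. The same deviation also shows up as extra errors in the run-2 key, which is the trade-off Eve must respect: the leak rate is bounded by how much noise the protocol accepts. The example keeps only the public-discussion structure that makes the attack possible; a protocol that revealed no outputs would still leak through the abort decision, as the text notes.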
One can think of the problems our attacks raise as a new issue of cryptographic composability. One way of thinking of standard composability is that a secure output from a protocol must still have all the properties of an ideal secure output when combined with other outputs from the same or other protocols. The device-independent key distribution protocols examined above fail this test because the reuse of devices causes later outputs to depend on earlier ones. In a sense, the underlying problem is that the usage of devices is not composably secure. This applies too, of course, to devices used in different protocols: devices used for secure randomness expansion cannot then securely be used for key distribution without potentially compromising the generated randomness, for example.
We should stress that our attacks do not apply to all device-independent quantum tasks. For example, even devices with memories cannot mimic nonlocal correlations in the absence of shared entanglement, and so device-independent entanglement testing remains viable. In addition, in applications that require only short-lived secrets, devices may be reused once such secrets are no longer required. Partially secure device-independent protocols for bit commitment and coin tossing in which the committer supplies devices to the recipient are also immune from our attacks so long as the only data entering the devices comes from the committer. Nonetheless, in our view, the attacks are generic and problematic enough to merit a serious reappraisal of the scope for device-independent quantum cryptography as a practical technology.