Incorporating device characterization into security proofs

Typical security proofs for quantum key distribution (QKD) rely on having some model for the devices, with the security guarantees implicitly relying on the values of various parameters of the model, such as dark count rates or detector efficiencies. Hence to deploy QKD in practice, we must establish how to certify or characterize the model parameters of a manufacturer's QKD devices. We present a rigorous framework for analyzing such procedures, laying out concrete requirements for both the security proofs and the certification or characterization procedures. In doing so, we describe various forms of conclusions that can and cannot be validly drawn from such procedures, addressing some potential misconceptions. We also discuss connections to composable security frameworks and some technical aspects that remain to be resolved in that direction.