Experimental realisations of quantum key distribution (QKD) protocols can differ in many important aspects from their original theoretical proposal. In particular these proposals typically demand technologies that are beyond our present experimental capability.

For example, in a quantum optical implementation, instead of being single photon pulses, the signals emitted by the source are usually weak coherent pulses. Or, they may be generated with spontaneous parametric down-conversion sources. The quantum channel introduces errors and considerable attenuation that affect the signals even when an eavesdropper is not present. Also, the detectors employed by the receiver are inefficient and noisy and can typically not distinguish the number of photons in arrival signals.

In this tutorial we review how to model the different elements that are present in most QKD experiments, and show how to calculate the basic quantities to evaluate their performance.

Private query protocols [1-3] use uncertainty in quantum mechanics to offer functionality similar to 1-out-of-N oblivious transfer (where a user, Ursula, retrieves a single element from a database provider, Dave, who learns nothing about which of the N elements was retrieved). The difference in functionality varies for each private query protocol, but in all cases is motivated by the fact that perfect 1-out-of-N oblivious transfer has been shown to be impossible if the attacker possess an arbitrarily powerful quantum computer [4]. Nonetheless, quantum protocols can offer security against stronger adversaries than protocols relying only on classical information, and it remains an interesting question as to what level of security can be achieved using quantum information. We present a proof-of-principle demonstration of a novel private query protocol that is loss- and fault-tolerant, making it suitable for implementation in a real-world environment, and show that it offers excellent privacy against several quantum attacks [5]. This demonstration is performed over a deployed fibre link between the University of Calgary and SAIT Polytechnic using a slightly modified quantum key distribution (QKD) system [6].

[1] V. Giovannetti, S. Lloyd, and L. Maccone, Phys. Rev. Lett. 100, 230502 (2008).
[2] M. Jakobi, et al., Phys. Rev. A 83, 022301, (2011).
[3] F. Gao, B. Liu, Q.-Y. Wen, and H. Chen, Opt. Express, Vol. 20, p. 17411-17420 (2012).
[4] H.-K. Lo, Phys. Rev. A 56, 1154 (1997).
[5] P. Chan, I. Lucio-Martinez, X.-F. Mo., C. Simon, and W. Tittel, arXiv:1303.0865 (2013).
[6] I. Lucio-Martinez, P. Chan, X.-F. Mo, S. Hosier, and W. Tittel, New J. Phys., 11, 095001 (2009).

Ground-satellite quantum key distribution is aiming at global secure communication. In a future vision of a quantum network, a satellite is employed as a trusted relay and ground stations are employed as user nodes. By demonstrating a free-space quantum network whose channel losses are comparable to the atmosphere losses, we present a feasibility test for such a ground-satellite quantum network. To simulate a satellite, we implement a moving transmitter. Meanwhile, we test quantum links in two distant locations more than 2000 km apart, whose atmosphere conditions are distinct. Moreover, a delayed privacy amplification scheme is designed and employed to minimize the computation requirement in the “satellite” and reduce the classical communication between the nodes and the relay. Our experimental result suggests that the global quantum network is feasible with current technology.

We report a quantum-noise-limited balanced homodyne detector (BHD) that can be worked in the continuous-variable quantum key distribution (CVQKD) systems at a repetition rate of 100 MHz. A high level of common mode suppression (>54 dB) and extremely low electronic noise (<–70 dBm) is achieved. The reachable 3 dB bandwidth of BHD is 300 MHz and the level of shot noise is 14 dB higher than the electronic noise of BHD at an LO level of 6·10⁸ photons per pulse.The secret key rate of a CVQKD system will reach 1 Mbps at 50 kilometers under collective attack with our high performance BHD, which increasing the secret key rate of advanced system for dozens of times.

Continuous-variable quantum key distribution has made great progress during the last years. Recently, a security proof for a finite number of measurements with composable security against arbitrary attacks was published [1] which employs Einstein-Podolsky-Rosen (EPR) entangled states. Here, we present the first implementation of this protocol, demonstrating the feasibility of secure key generation. The implementation relies on continuous-wave quadrature-entangled states at the telecommunication wavelength of 1550 nm with unprecedented EPR entanglement and homodyne detection with a random choice of quadrature for each measurement. We further present the generation of a key which is secure under collective attacks with 10⁸ measurements.

[1] F. Furrer, T. Franz, M. Berta, A. Leverrier, V. Scholz, M. Tomamichel, and R. Werner, Physical Review Letters 109, 100502 (2012).

Continuous-variable (CV) quantum key distribution (QKD) is proven secure against collective attacks and recent works have shown progress in proving security against arbitrary attacks. Nevertheless the validity of security proofs relies on assumptions that may be violated in practical setup, opening loophole that may be exploited to mount attacks. We have studied here the consequence of detection saturation in CV QKD, and proved that it can lead to an attack on the Gaussian-modulated coherent state protocol with homodyne detection. When Bob’s homodyne detection saturates, Bob’s quadrature measurement is not linear with the quadrature sent by Alice. Such non-linearity violates assumptions in the security model. Saturation typically occurs when the input field quadrature overpasses a threshold that depends on parameters of detector’s electronics. We have experimentally confirmed this prediction by observing saturation of our homodyne detection for high local oscillator intensity. We have moreover constructed an attack that combines the intercept-resend attack with the saturation of Bob’s detector. A full intercept-resend attack can give Eve knowledge of both quadratures from Alice but will introduce two shot noise units of excess noise. The key idea in our attack is that saturation is induced by strongly displacing the mean value of the field quadratures. By resending these field quadratures with controlled displacement value, Eve can bias the evaluation of the excess noise to arbitrarily small values. Under such attack, Alice and Bob may be led to believe they have some positive ‘secure key’ and accept keys that are however totally insecure. Our saturation attack is achievable with current technology and impacts the security of a practical CV QKD system. We have however proposed a counter measure that consists in monitoring the mean value of the quadratures.

Randomness extractors are hash functions that map sources with biased and correlated bits to almost-uniform sources. Extractors have found many important applications in various areas of computer science, e.g., in theoretical computer science, hardness of approximation, error correcting codes, classical and quantum cryptography and many other areas.

In the first part of the talk I will define extractors (and some related objects) in the classical and quantum setting, discuss the currently best known parameters of explicit and non-explicit constructions and present some classical and quantum applications.

The second half of the talk will be devoted to the challenge of explicitly constructing close to optimal extractors. I will present in some detail Trevisan’s construction of efficient extractors and its generalization to the quantum setting by De, Portmann, Vidick and Renner. If time permits I will also discuss some other approaches for the problem in the classical and quantum setting.

One-time memories (OTM’s) are a simple type of tamper-resistant cryptographic hardware, which can be used to implement many forms of secure computation, such as one-time programs. Here we investigate the possibility of building OTM’s using “isolated qubits” — qubits that can only be accessed using local operations and classical communication (LOCC). Isolated qubits can be implemented using current technologies, such as nitrogen vacancy centers in diamond.

We construct OTM’s that are information-theoretically secure against one-pass LOCC adversaries using 2-outcome measurements. (Also, these OTM’s can be prepared and accessed by honest parties using only LOCC operations.) This result is somewhat surprising, as OTM’s cannot exist in a fully-quantum world or in a fully-classical world; yet they can be built from the combination of a quantum resource (single-qubit measurements) with a classical restriction (on communication between qubits).

Our construction resembles Wiesner’s original idea of quantum conjugate coding, implemented using random error-correcting codes; our proof of security uses entropy chaining to bound the supremum of a suitable empirical process. In addition, we conjecture that our random codes can be replaced by some class of efficiently-decodable codes, to get computationally-efficient OTM’s that are secure against computationally-bounded LOCC adversaries.

In addition, we construct data-hiding states, which allow an LOCC sender to encode an (n-O(1))-bit messsage into n qubits, such that at most half of the message can be extracted by a one-pass LOCC receiver, but the whole message can be extracted by a general quantum receiver.

The noisy-storage model (NSM) allows for the secure implementation of two-party cryptographic primitives under the assumption that the adversary cannot store quantum information perfectly. A special case is the bounded-quantum-storage model (BQSM) which assumes that the adversary’s quantum memory device is noise-free but limited in size. Ever since the inception of the BQSM [DFSS05] it has been a vexing open question to determine whether security is possible as long as the adversary can store strictly less than the number of qubits n transmitted during the protocol. In particular, it was hoped that security is possible as long as the adversary cannot store more than c·n qubits for any c<1. Here we not only provide a positive answer to this question, but show that security is even possible as long as his device is not larger than n–O(log²n) qubits. This is essentially optimal and finally settles the fundamental limits of the BQSM. Our result also significantly pushes the boundaries when security can be obtained in the NSM, and we provide the first proof that security of a BB84-based protocol can be linked to the quantum capacity of the adversary’s storage device. Our security proofs are based on a new uncertainty relation for measurements in BB84 bases that takes into account quantum side-information.

The key to our results is a powerful new tool called entanglement sampling, which can be understood as the fully quantum analogue of classical min-entropy sampling. Its reach extends beyond the applications to the NSM to the area of randomness extraction and quantum information theory. In particular, we show that entanglement sampling provides us with local quantum-to-classical randomness extractors, and yields bounds for fully quantum random access encodings.

[DFSS05] I. Damgård, S. Fehr, L. Salvail, and C. Schaffner. “Cryptography in the Bounded Quantum-Storage Model”. In: Proc. IEEE FOCS 2005, pp. 449–458, arXiv:quant-ph/0508222.

We present the first experimental implementation of 1–2 random oblivious transfer (ROT) in the noisy storage model based on a modified entangled quantum key distribution (QKD) system. We successfully demonstrate the protocol by performing measurements on polarization-entangled photon pairs, followed by all of the necessary classical post-processing including one-way error correction. While information-theoretic security of ROT is impossible assuming only the laws of quantum mechanics, security can be restored using the minimal assumptions of the noisy storage model. The noisy storage model relies on the realistic assumption that the quantum memories of any adversaries must necessarily be noisy.

Information-theoretical security of quantum key distribution (QKD) has been convincingly proven in recent years and remarkable experiments have shown the potential of QKD for real world application. However, the existing gap between theoretical assumptions and practical implementation represents a severe hindrance to any further advancement. One prominent example is the precise quantification of the security level of a real QKD system, which cannot be infinite if the data sample being processed is finite. Here, we provide a direct connection between the conceptual understanding of this problem and its technological realisation. We develop a finite-size security proof and apply it to a gigahertz clocked QKD system set to provide the highest security level reported to date. The obtained secure key rates are orders of magnitude larger than in all previous comparable solutions.

We consider a game in which two players collaborate to prepare a quantum system and are then asked to independently guess the outcome of a measurement in a random basis on that system. Intuitively, by the monogamy of entanglement, the probability that both players simultaneously succeed in guessing the outcome correctly is bounded.

We are interested in the question of how the success probability scales when this guessing game is repeated in parallel. We show a perfect parallel repetition theorem for this game, that is, we show that any strategy that maximizes the probability to win every round individually is also optimal for the parallel repetition of the game. In particular, our result implies that the optimal guessing probability can be achieved without the use of entanglement.

We explore several applications of this result. First, we show that it implies security for standard BB84 quantum key distribution when one party uses fully untrusted measurement devices. Second, we show that our result can be used to prove security of a one-round position-verification scheme. Finally, our techniques can be used to generalize a well-known uncertainty relation for the guessing probability to quantum side information.

The task of privacy amplification, in which Alice holds some partially secret information with respect to an adversary Eve and wishes to distill it until it is completely secret, is known to be solvable almost optimally in both the classical and quantum worlds. Unfortunately, when considering an adversary who is limited only by non-signalling constraints such a statement cannot be made in general. We consider systems which violate the chained Bell inequality and prove that under the natural assumptions of a time-ordered non-signalling system, which allow past subsystems to signal future subsystems (using the device’s memory for example), super-polynomial privacy amplification by any hashing is impossible. This is of great relevance when considering practical device independent key distribution protocols which assume a super-quantum adversary.

Single-photon detectors play a critical role in practical implementations of quantum cryptographic schemes. Recent work on attacking QKD systems have exploited vulnerabilities in these single-photon detectors. Understanding how these detectors work is, therefore, an important part of analyzing the security of a cryptographic scheme.The goal of the tutorial is to provide a high-level introduction to how detectors work. I will cover the physics behind some of the most commonly used detectors, and will also discuss a number of concepts like jitter, efficiency, after-pulsing, and dead time that are experimentally important.

Our contribution is twofold. On the one hand, we show that information-theoretic single-server Quantum Private Information Retrieval requires a linear amount of communication to be secure against specious adversaries, which are the quantum analog of honest-but-curious adversaries. On the other hand, we stress the importance of adequate comparison between classical and quantum adversaries—unfair comparisons might lead to an unjustified advantage for the quantum case.

In this work we design a multiparty protocol between m players to agree on a common direction without a prior reference frame shared between the players. Our protocol is tolerant to t < m/3 dishonest players with unbounded capabilities (the Byzantine problem). This is the first protocol to exchange non-fungible information in the Byzantine setting.

Network-centric quantum communications (NQC) is a new, scalable instantiation of quantum cryptography providing key management with forward security for lightweight encryption, authentication and digital signatures in optical networks. Results from a multi-node experimental test-bed utilizing integrated photonics quantum communications components, known as QKarDs, include: quantum identification; verifiable quantum secret sharing; multi-party authenticated key establishment; and single-fiber quantum-secured communications that can be applied as a security retrofit/upgrade to existing optical fiber installations. A demonstration that NQC meets the challenging simultaneous latency and security requirements of electric grid control communications, which cannot be met with conventional cryptography, is described.

We propose a novel source based on a dual-drive modulator that is adaptable and allows Alice to choose the appropriate quantum key distribution (QKD) protocol for a given quantum channel. Based on preliminary experimental results it is revealed that the proposed transmitter is suitable for implementation of the BB84, coherent one way (COW) and differential phase shift (DPS) protocols where a quantum bit error rate of 0.8% and 1.9% was found for the time and phase bases respectively.

Measurement-device-independent quantum key distribution (MDI-QKD) closes all potential security loopholes due to detector imperfections without compromising the performance of a standard QKD system. Here we report the first demonstration of polarization encoding MDI-QKD over 10 km optical fibers. Decoy state techniques are employed to estimate gain and error rate of single photon signals. Intensities and probability distribution of signal and decoy states are optimized. Active phase randomization is implemented to protect against attacks on the imperfect sources. A 1600-bit secure key is generated in the experiment. Our work shows that polarization encoding MDI-QKD is a practical solution to confidential communication.

The existing relativistic bit commitment protocols (and the corresponding security proofs) assume that Alice and Bob have access to perfect devices and noiseless communication channels. Hence, they cannot be directly applied to model an experimental set-up.
In this work we extend one of the existing protocols (“Relativistic bit commitment by transmitting measurement outcomes” proposed by Adrian Kent) so it can be implemented using comercially available equipment with realistic parameters. We present a new, simpler security proof of the original protocol which can also be applied to the fault-tolerant variant. We obtain criteria on the quality of the devices used by Alice and Bob that allow for a protocol that is both robust and secure.Our results apply directly to an experiment that is being conducted between Geneva and Singapore. Hence, they form an important link between theoretical quantum cryptography and its practical implementation.

All practical implementations of QKD protocols have to rely on real optical signal sources, which are never truly single-photon. Thus, there is always a pre-defined level of optical loss in the channel, beyond which the system cannot guarantee confidentiality of generated keys, because of a non-zero probability of successful eavesdropping. Having this limit is affordable for fiber-optical links, where losses are roughly constant, but what if your channel has completely unpredictable losses as in the case of a free-space optical link? We present and experimentally demonstrate a QKD protocol, which is free from this limitation. The approach used is called relativistic quantum cryptography because it directly relies on principles of relativistic causality.

Uncertainty relations are a distinctive characteristic of quantum theory that imposes intrinsic limitations on the precision with which physical properties can be simultaneously determined. The modern work on uncertainty relations employs entropic measures to quantify the lack of knowledge associated with measuring non-commuting observables. However, I will show here that there is no fundamental reason for using entropies as quantifiers; in fact, any functional relation that characterizes the uncertainty of the measurement outcomes can be used to define an uncertainty relation. Starting from a simple assumption that any measure of uncertainty is non-decreasing under mere relabeling of the measurement outcomes, I will show that Schur-concave functions are the most general uncertainty quantifiers. I will then introduce a novel fine-grained uncertainty relation written in terms of a majorization relation, which generates an infinite family of distinct scalar uncertainty relations via the application of arbitrary measures of uncertainty. This infinite family of uncertainty relations includes all the known entropic uncertainty relations, but is not limited to them. In this sense, the relation is universally valid and captures the essence of the uncertainty principle in quantum theory.

We generalize entropic uncertainty relations in the presence of quantum memory [Nat. Phys. 6, 659 (2010); Phys. Rev. Lett. 106, 110506 (2011)] in two directions. First, we consider measurements with a continuum of outcomes, and, second, we allow for infinite-dimensional quantum memory. To achieve this, we introduce conditional differential entropies for classical-quantum states on von Neumann algebras, and show approximation properties for these entropies. As an example, we evaluate the uncertainty relations for position-momentum measurements, which has applications in continuous variable quantum cryptography and quantum information theory.