Invited Speakers
Click on a speaker’s name to read the title and abstract for their presentation.

/sessions/invited_groblacher
Simon GröblacherDelft University of Technology

/sessions/invited_khurana
Dakshita KhuranaUniversity of Illinois UrbanaChampaign

/sessions/invited_pittaluga
Mirko PittalugaToshiba Cambridge

/sessions/invited_qi
Bing QiOak Ridge National Laboratory

/sessions/invited_upadhyaya
Twesh UpadhyayaUniversity of Waterloo

/sessions/invited_wang
XiangBin WangTsinghua University
Tutorial Speakers
Click on a speaker’s name to read the title and abstract for their presentation.
Industry Session
Click on a speaker’s name to read their bio.

/sessions/industry_huttner
Bruno HuttnerDirector of Strategic Quantum Initiatives at ID Quantique

/sessions/industry_qi
Wei QiCEO of CAS Quantum Network Co.

/sessions/industry_sasaki
Masahide SasakiNational Institute of Information and Communications Technology (NICT)

/sessions/industry_shields
Andrew ShieldsHead of Quantum Technology at Toshiba Europe

/sessions/industry_ursin
Rupert UrsinFounder and Scientist at qtlabs

/sessions/industry_wille
Eric WilleOptical System Engineer at European Space Agency (ESA)
List of Accepted Contributed Talks
(in order of submission)

Coexistence of a Quantum QKD Channel and 4×100 Gbps Classical Channels in Nested Antiresonant Nodeless Hollow Core FibreObada Alia (High performance networking group / University of Bristol); Rodrigo Stange Tessinari (High performance networking group / University of Bristol); Thomas Bradley (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); Hesham Sakr (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); Kerrianne Harrington (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); John Hayes (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); Yong Chen (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); Periklis Petropoulos (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); George Kanellos (High performance networking group / University of Bristol); David Richardson (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); Francesco Poletti (Optoelectronics Research Centre, University of Southampton, Southampton SO17 1BJ, UK); Reza Najebati (High performance networking group / University of Bristol); Dimitra simidunio (High performance networking group / University of Bristol)[abstract]Abstract: We demonstrated for the first time a coexistence between a quantum QKD channel and 4×100 Gbps pmqpsk carriergrade classical optical channels in a 2 km Nested Antiresonant Nodeless Hollow Core fibre. Our results show a drop of less than 10% in the Secret Key Rate (SKR) when using a HCF compared to a significant drop of 97% in the SKR when quantum and classical signals coexist on a single core of a Multicore fibre (MCF) with equal losses, indicating that NANF type HCF significantly outperforms singlemode fibres (SMF) performance for quantum/classical coexistence. This significant difference in the SKR drop is due to the ultralow nonlinear effects in HCF comparing to glass core fibres such as SMF and MCF.Presenter live session: Obada AliaThe limits of multiplexing of quantum and classical channels: Case study of a 2.5 GHz discrete variable QKD systemFadri Grünenfelder (University of Geneva); Rebecka Sax (University of Geneva); Alberto Boaron (University of Geneva); Hugo Zbinden (University of Geneva)[abstract]Abstract: To enable the widespread use of Quantum Key distribution, network integration is crucial. We present a case study where we investigate the performance of a 2.5 GHz simplified BB84 implementation using a wavelength of 1310nm multiplexed in a fiber together with 13 classical channels. We found that a secret key exchange at a distance of 95.5km and classical launch power up to 8.9dBm was possible. Further, we compare our results to previous results, both for continuous variable systems using a wavelength of 1550nm and discrete variable systems using either a wavelength of 1550nm or 1310nm. We find that both for long distance and for high power in the classical channels, the discrete variable systems perform better.Presenter live session: Fadri Grünenfelder

On the CompressedOracle Technique, and PostQuantum Security of Proofs of Sequential WorkKaiMin Chung (Academia Sinica, Taiwan); Serge Fehr (CWI Cryptology Group and Leiden University, The Netherlands); YuHsuan Huang (Academia Sinica, Taiwan); TaiNing Liao (National Taiwan University, Taiwan)[abstract]Abstract: We revisit the socalled compressed oracle technique, introduced by Zhandry for analyzing quantum algorithms in the quantum random oracle model (QROM). To start off with, we offer a concise exposition of the technique, which easily extends to the parallelquery QROM, where in each queryround the considered algorithm may make several queries to the QROM in parallel. This variant of the QROM allows for a more finegrained querycomplexity analysis. Our main technical contribution is a framework that simplifies the use of (the parallelquery generalization of) the compressed oracle technique for proving query complexity results. With our framework in place, whenever applicable, it is possible to prove quantum query complexity lower bounds by means of purely classical reasoning. More than that, for typical examples the crucial classical observations that give rise to the classical bounds are sufficient to conclude the corresponding quantum bounds. We demonstrate this on a few examples, recovering known results (like the optimality of parallel Grover), but also obtaining new results (like the optimality of parallel BHT collision search). Our main target is the hardness of finding a qchain with fewer than q parallel queries, i.e., a sequence x_0, x_1..., x_q with x_i = H(x_{i1}) for all 1 <= i <= q. The above problem of finding a hash chain is of fundamental importance in the context of proofs of sequential work. Indeed, as a concrete cryptographic application of our techniques, we prove that the "Simple Proofs of Sequential Work" proposed by Cohen and Pietrzak remains secure against quantum attacks. Such an analysis is not simply a matter of plugging in our new bound; the entire protocol needs to be analyzed in the light of a quantum attack. Thanks to our framework, this can now be done with purely classical reasoning.Presenter live session: YuHsuan Huang

Explicit asymptotic secret key rate of continuousvariable quantum key distribution with an arbitrary modulationAurélie Denys (Inria Paris); Peter Brown (ENS Lyon); Anthony Leverrier (Inria Paris)[abstract]Abstract: We establish an analytical lower bound on the asymptotic secret key rate of continuousvariable quantum key distribution with an arbitrary modulation of coherent states. Previously, such bounds were only available for protocols with a Gaussian modulation, and numerical bounds existed in the case of simple phaseshiftkeying modulations. The latter bounds were obtained as a solution of a convex optimization problem and our new analytical bound matches them, up to numerical precision. The more relevant case of quadrature amplitude modulation (QAM) could not be analyzed with the previous techniques,due to their large number of coherent states. Our bound shows that relatively small constellation sizes, with say 64 states, are essentially sufficient to obtain a performance close to a true Gaussian modulation and are therefore an attractive solution for largescale deployment of continuousvariable quantum key distribution. We also derive similar bounds when the modulation consists of arbitrary states, not necessarily pure.

Finite key effects in satellite quantum key distributionJasminder S. Sidhu (University of Strathclyde); Thomas Brougham (University of Strathclyde); Duncan McArthur (University of Strathclyde); Roberto G. Pousa (University of Strathclyde); Daniel K. L. Oi (University of Strathclyde)[abstract]Abstract: Global quantum communications will enable longdistance secure data transfer, networked distributed quantum information processing, and other entanglementenabled technologies. Satellite quantum communication overcomes optical fibre range limitations, with the first realisations of satellite quantum key distribution (SatQKD) being rapidly developed. However, limited transmission times between satellite and ground station severely constrains the amount of secret key due to finiteblock size effects. Here, we analyse these effects and the implications for system design and operation, utilising published results from the Micius satellite to construct an empiricallyderived channel and system model for a trustednode downlink employing efficient BB84 weak coherent pulse decoy states with optimised parameters. We quantify practical SatQKD performance limits and examine the effects of link efficiency, background light, source quality, and overpass geometries to estimate longterm key generation capacity. Our results provide a guide to the design and analysis of future SatQKD missions, and establishes performance benchmarks for both sources and detectors.Presenter live session: Jasminder Sidhu

The asymptotic performance of coherentoneway quantum key distributionRóbert Trényi (University of Vigo); Marcos Curty (University of Vigo)[abstract]Abstract: Coherentoneway (COW) quantum key distribution (QKD) held the promise of distributing secret keys over long distances with a simple experimental setup while being robust against the photonnumber splitting attack. Indeed, there are already commercial products implementing this scheme, and long distance realizations over 300 km have been reported recently. Surprisingly enough, however, here we show that its asymptotic secret key rate scales at most quadratically with the system's transmittance, thus solving a long standing problem. This means that COW is actually inappropriate for long distance QKD transmission. This is done by deriving the optimal zeroerror attack, which is a type of attack where the eavesdropper does not introduce any error, but still prevents Alice and Bob from distilling a secure key. In doing so, we also show, for instance, that all implementations of the COW scheme reported so far in the scientific literature are insecure.Presenter live session: Róbert Trényi

Highrate quantum key distribution with silicon photonicsLikang Zhang (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China); Wei Li (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China); Hao Tan (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China); YanLin Tang (QuantumCTek Co., Ltd., Hefei, Anhui 230088, China); Kejin Wei (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China); ShengKai Liao (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China); ChengZhi Peng (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China); Feihu Xu (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China); JianWei Pan (Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China)[abstract]Abstract: Quantum key distribution (QKD) can provide informationtheoretic security governed by the law of quantum physics. Toward reallife applications, secret key rate is a key figure of merit of the QKD system. Here we demonstrate a 2.5GHz polarizationencoding QKD system with an integrated silicon photonic transmitter that is able to generate a secret key rate of 2.42±0.04 Mbps over 101km standard telecom fibers (19.6dB loss). Such high rate attributes to the high clockrate transmission and the ultralow quantum bit error rate of 0.49%. The scalability, miniaturization and stability offered by silicon photonic technologies along with highkeyrate performance indicate that our system is a promising solution for largescale deployment of QKD.Presenter live session: Likang Zhang

Realizing an entanglementbased multiuser quantum network with integrated photonicsWenjun Wen (Nanjing University); Zhiyu Chen (Nanjing University); Liangliang Lu (Nanjing University); Wenhan Yan (Nanjing University); Peiyu zhang (Nanjing University); Yanqing Lu (Nanjing University); Shining Zhu (Nanjing University); XiaoSong Ma (Nanjing University)[abstract]Abstract: Quantum network facilitates the secure transmission of information between different users. Establishing communication links among multiple users in a scalable and efficient way is important for realizing largescale quantum network. Here we develop a timeenergy entanglementbased dense wavelength division multiplexed network based on an integrated silicon nitride microring resonator, which offers a wide frequency span (>100 nm) and narrow bandwidth modes (~ 5 pm). Six pairs of photons are selected to form a fully and simultaneously connected fouruser quantum network. The observed quantum interference visibilities are well above the classical limits among all users. Our result paves the way for realizing largescale quantum networks with integrated photonic architecture.Presenter live session: Wenjun Wen

A BlackBox Approach to PostQuantum ZeroKnowledge in Constant RoundsNaiHui Chia (University of Maryland); KaiMin Chung (Academia Sinica); Takashi Yamakawa (NTT Secure Platform Laboratories)[abstract]Abstract: In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zeroknowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on nonblackbox simulation. In this paper, we resolve these issues at the cost of weakening the notion of zeroknowledge to what is called $\epsilon$zeroknowledge. Concretely, we construct the following protocols:  We construct a constant round interactive proof for NP that satisfies statistical soundness and blackbox $\epsilon$zeroknowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collisionresistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96) though the proof of $\epsilon$zeroknowledge property against quantum adversaries requires novel ideas.  We construct a constant round interactive argument for NP that satisfies computational soundness and blackbox $\epsilon$zeroknowledge against quantum attacks only assuming the existence of postquantum oneway functions. At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating verifier's internal state in an appropriate sense.Presenter live session: Takashi YamakawaOn the Impossibility of PostQuantum BlackBox ZeroKnowledge in Constant RoundsNaiHui Chia (University of Maryland); KaiMin Chung (Academia Sinica); Qipeng Liu (Princeton University); Takashi Yamakawa (NTT Secure Platform Laboratories)[abstract]Abstract: We investigate the existence of constantround postquantum blackbox zeroknowledge protocols for $\mathbf{NP}$. As a main result, we show that there is no constantround postquantum blackbox zeroknowledge argument for $\mathbf{NP}$ unless $\mathbf{NP}\subseteq \mathbf{BQP}$. As constantround blackbox zeroknowledge arguments for $\mathbf{NP}$ exist in the classical setting, our main result points out a fundamental difference between postquantum and classical zeroknowledge protocols. Combining previous results, we conclude that unless $\mathbf{NP}\subseteq \mathbf{BQP}$, constantround postquantum zeroknowledge protocols for $\mathbf{NP}$ exist if and only if we use nonblackbox techniques or relax certain security requirements such as relaxing standard zeroknowledge to $\epsilon$zeroknowledge. Additionally, we also prove that threeround and publiccoin constantround postquantum blackbox $\epsilon$zeroknowledge arguments for $\mathbf{NP}$ do not exist unless $\mathbf{NP}\subseteq \mathbf{BQP}$.Presenter live session: Takashi Yamakawa

Positionbased cryptography: Singlequbit protocol secure against multiqubit attacksAndreas Bluhm (QMATH, University of Copenhagen); Matthias Christandl (QMATH, University of Copenhagen); Florian Speelman (QuSoft and University of Amsterdam)[abstract]Abstract: While it is known that unconditionally secure positionbased cryptography is impossible both in the classical and the quantum setting, it has been shown that some quantum protocols for position verification are secure against attackers which share a quantum state of bounded dimension. In this work, we consider the security of the qubit routing protocol. The protocol has the advantage that an honest prover only has to manipulate a single qubit and a classical string of length 2n. We show that the protocol is secure if each of the attackers holds at most n/2  3 qubits. With this, we show for the first time that there exists a quantum position verification protocol where the ratio between the quantum resources an honest prover needs and the quantum resources the attackers need to break the protocol is unbounded. The verifiers need only increase the amount of classical resources to force the attackers to use more quantum resources. Finally, we show that the qubit routing protocol is robust with respect to noise, making it appealing for applications.Presenter live session: Andreas Bluhm

Practical quantum tokens without quantum memories and experimental testsAdrian Kent (University of Cambridge); David Lowndes (University of Bristol); Damián PitalúaGarcía (University of Cambridge); John Rarity (University of Bristol)[abstract]Abstract: Unforgeable quantum money tokens were the rst invention of quantum information science, but remain technologically challenging as they require quantum memories and/or long distance quantum communication. More recently, virtual "Smoney" tokens were introduced. These are generated by quantum cryptography, do not require quantum memories or long distance quantum communication, and yet in principle guarantee many of the security advantages of quantum money. Here, we describe implementations of Smoney schemes with otheshelf quantum key distribution technology, and analyse security in the presence of noise, losses, and experimental imperfection. Our schemes satisfy near instant validation without crosschecking. We show that, given standard assumptions in mistrustful quantum cryptographic implementations, unforgeability and user privacy could be guaranteed with attainable re nements of our offtheshelf setup. We discuss the possibilities for unconditionally secure (assumptionfree) implementations.Presenter live session: Damián PitalúaGarcía

Pathways for entanglement based quantum communication in the face of high noiseXiaoMin Hu (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); Chao Zhang (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); Yu Guo (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); FangXiang Wang (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); WenBo Xing (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); CenXiao Huang (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); BiHeng Liu (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); YunFeng Huang (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); ChuanFeng Li (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); GuangCan Guo (CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei); Xiaoqin Gao (Department of physics, University of Ottawa, Advanced Research Complex, 25 Templeton Street, K1N 6N5, Ottawa, ON, Canada); Matej Pivoluska (Institute of Computer Science, Masaryk University, Brno); Marcus Huber (Vienna Center for Quantum Science and Technology, Atominstitut, TU Wien, 1020 Vienna, Austria)[abstract]Abstract: Entanglement based quantum communication offers an increased level of security in practical secret shared key distribution. One of the fundamental principles enabling this security  the fact that interfering with one photon will destroy entanglement and thus be detectable  is also the greatest obstacle. Random encounters of traveling photons, losses and technical imperfections make noise an inevitable part of any quantum communication scheme, severely limiting distance, key rate and environmental conditions in which QKD can be employed. Using photons entangled in their spatial degree of freedom, we show that the increased noise resistance of highdimensional entanglement, can indeed be harnessed for practical key distribution schemes. We perform quantum key distribution in eight entangled paths at various levels of environmental noise and show key rates that, even after error correction and privacy amplification, still exceed 1 bit per photon pair and furthermore certify a secure key at noise levels that would prohibit comparable qubit based schemes from working.Presenter live session: Matej Pivoluska

PostQuantum Succinct ArgumentsAlessandro Chiesa (UC Berkeley); Fermi Ma (Princeton and NTT Research); Nicholas Spooner (Boston University); Mark Zhandry (Princeton and NTT Research)[abstract]Abstract: We prove that Kilian's fourmessage succinct argument system is postquantum secure in the standard model when instantiated with any probabilistically checkable proof and any collapsing hash function (which in turn exist based on the postquantum hardness of Learning with Errors). At the heart of our proof is a new "measureandrepair" quantum rewinding procedure that achieves asymptotically optimal knowledge error.Presenter live session: Nick Spooner

MDIQKD with 19.2 km freespace channelYuan Cao (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); YuHuai Li (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); KuiXing Yang (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); YangFan Jiang (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); ShuangLin Li (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); XiaoLong Hu (Tsinghua University); Maimaiti Abulizi (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); ChengLong Li (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); Weijun Zhang (Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences); QiChao Sun (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); WeiYue Liu (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); Xiao Jiang (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); ShengKai Liao (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); JiGang Ren (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); Hao Li (Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences); Lixing You (Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences); Zhen Wang (Shanghai Institute of Microsystem and Information Technology, Chinese Academy of Sciences); Juan Yin (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); ChaoYang Lu (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); XiangBin Wang (University of Science and Technology of China and Tsinghua University); Qiang Zhang (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); ChengZhi Peng (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences); JianWei Pan (University of Science and Technology of China and Shanghai Research Center for Quantum Sciences)[abstract]Abstract: Measurementdeviceindependent quantum key distribution (MDIQKD), based on twophoton interference, is immune to all attacks against the detection system and allows a QKD network with untrusted relays. Since the MDIQKD protocol was proposed, fiberbased implementations aimed at longer distance, higher key rates and network verification have been rapidly developed. However, owing to the effect of atmospheric turbulence, MDIQKD over freespace channel remains experimentally challenging. Herein, by developing a robust adaptive optics system, highprecision time synchronization and frequency locking between independent photon sources located far apart, we realized the first freespace MDIQKD over a 19.2km urban atmospheric channel, which well exceeds the effective atmospheric thickness. Our experiment takes the first step towards satellitebased MDIQKD. Moreover, the technology developed herein opens the way to quantum experiments in free space involving longdistance interference of independent single photons.

Minimizing detection losses from timebin quantum cryptography systems with fewmode fibre technologyAlvaro Alarcon (Linköping University); Joakim Argillander (Linköping University); Gustavo Lima (University of Concepcion); Guilherme Xavier (Linköping University)[abstract]Abstract: Timebin quantum cryptography systems have a fundamental postselection loss at the detection stage, which increases with the dimension and that limits its application over long distances. Here, we are able to solve this longstanding hurdle by employing a fewmode fibre spacedivision multiplexing platform working with orbital angular momentum modes. In our scheme, we maintain the practicability provided by the timebin scheme, while the quantum states are transmitted through a fewmode fibre in a configuration that does not introduce postselection losses. We experimentally demonstrate our proposal by successfully transmitting phaseencoded singlephoton states for quantum cryptography over 500 m of fewmode fibre, thus opening up new paths for quantum communication systems.Presenter live session: Alvaro Alarcon

Quantum Encryption with Certified Deletion, Revisited: Public Key, AttributeBased, and Classical CommunicationTaiga Hiroka (Yukawa Institute for Theoretical Physics, Kyoto University); Tomoyuki Morimae (Yukawa Institute for Theoretical Physics, Kyoto University); Ryo Nishimaki (NTT Secure Platform Laboratories); Takashi Yamakawa (NTT Secure Platform Laboratories)[abstract]Abstract: Broadbent and Islam (TCC '20) proposed a quantum cryptographic primitive called quantum encryption with certified deletion. In this primitive, a receiver in possession of a quantum ciphertext can generate a classical certificate that the encrypted message is deleted. Although their construction is informationtheoretically secure, it is limited to the setting of onetime symmetric key encryption (SKE), where a sender and receiver have to share a common key in advance and the key can be used only once. Moreover, the sender has to generate a quantum state and send it to the receiver over a quantum channel in their construction. Although deletion certificates are privately verifiable, which means a verification key for a certificate has to be kept secret, in the definition by Broadbent and Islam, we can also consider public verifiability. In this work, we present various constructions of encryption with certified deletion.  Quantum communication case: We achieve (reusablekey) public key encryption (PKE) and attributebased encryption (ABE) with certified deletion. Our PKE scheme with certified deletion is constructed assuming the existence of INDCPA secure PKE, and our ABE scheme with certified deletion is constructed assuming the existence of indistinguishability obfuscation and oneway function. These two schemes are privately verifiable.  Classical communication case: We also achieve PKE with certified deletion that uses only classical communication. We give two schemes, a privately verifiable one and a publicly verifiable one. The former is constructed assuming the LWE assumption in the quantum random oracle model. The latter is constructed assuming the existence of oneshot signatures and extractable witness encryption.Presenter live session: Taiga Hiroka

Experimental Gaussianmodulated continuousvariable quantum key distribution with composable keysNitin Jain (Technical University of Denmark); HouMan Chin (Technical University of Denmark); Hossein Mani (Technical University of Denmark); Dino Solar Nikolic (Technical University of Denmark); Cosmo Lupo (University of Sheffield); Stefano Pirandola (University of York); Matthias Kolb (Austrian Institute of Technology); Christoph Pacher (Austrian Institute of Technology); Ulrik L. Andersen (Technical University of Denmark); Tobias Gehring (Technical University of Denmark)[abstract]Abstract: Continuousvariable quantum key distribution offers a practical way for doing secure key exchange by means of broadband modulators and coherent detectors operating in the telecom band. Recent advances in theory and practice have improved the security and eased the system implementation. These include composable security with a finite number of distributed Gaussianmodulated coherent states and the use of pilot/reference signals and a real local oscillator for sharing the phase reference across the communicating parties. Here we report the first prepareandmeasure continuousvariable quantum key distribution experiment that can produce composable keys in the finitesize regime with security against collective attacks. Through novel improvements in the existing security proofs and a fast, yet lownoise and highly stable system operation, we obtain a secret key rate $>$5 Mbps over a 20 km long fiber channel. Our demonstration verifies the security of practical continuousvariable quantum key distribution when used for encryption or other cryptographic tasks.Presenter live session: Nitin Jain

QKD Attack Rating: Prioritizing is the key to Practical SecurityRupesh Kumar (University of York); Francesco Mazzoncini (Telecom Paris); Hao Qin (CAS Quantum Network); Romain Alléaume (Telecom Paris)[abstract]Abstract: We have shown how to conduct QKD vulnerability assessment in practice, based on a sound methodology inherited from Common Criteria. Taking a running CVQKD system as a reference platform, we have experimentally tested and rated two different attack paths exploiting a common threat: detector saturation. Our results illustrate the importance of rating attacks in order to prioritize the implementation of countermeasures and to steer the design and engineering of practical QKD systems towards the highest possible security standards, paving the way to their security certification.Presenter live session: Francesco Mazzoncini

Finitesize DIQKD with noisy preprocessing and random key measurementsErnest Y.Z. Tan (ETH Zürich); Xavier Valcarce (Université ParisSaclay); Pavel Sekatski (University of Geneva); JeanDaniel Bancal (Université ParisSaclay); René Schwonnek (Universität Siegen); Renato Renner (ETH Zürich); Nicolas Sangouard (Université ParisSaclay); Charles C.W. Lim (National University of Singapore)[abstract]Abstract: The security of finitelength keys is essential for the implementation of deviceindependent quantum key distribution (DIQKD). Presently, there are several finitesize DIQKD security proofs, but they are mostly focused on standard DIQKD protocols and do not directly apply to the recent improved DIQKD protocols based on techniques such as noisy preprocessing and random key measurements. Here, we provide a general finitesize security proof that can simultaneously encompass these approaches, using tighter finitesize bounds than previous analyses. In doing so, we develop a method to compute tight lower bounds on the asymptotic keyrate for any such DIQKD protocol with binary inputs and outputs. With this, we show that positive asymptotic keyrates are achievable up to depolarizing noise values of 9.26%, exceeding all previously known noise thresholds. Furthermore, we also consider in greater detail a particular form of generalized CHSH inequality, and derive partial closedform results for such cases. We discuss the potential advantage of this approach for realistic photonic implementations of DIQKD.Presenter live session: Ernest Y.Z. Tan

Dronebased Quantum Key Distribution (QKD)Andrew Conrad (University of Illinois at UrbanaChampaign); Samantha Isaac (University of Illinois at UrbanaChampaign); Roderick Cochran (The Ohio State University); Daniel SanchezRosales (The Ohio State University); Akash Gutha (The Ohio State University); Tahereh Rezaei (University of Illinois at UrbanaChampaign); Brian Wilens (University of Illinois at UrbanaChampaign); Daniel Gauthier (The Ohio State University); Paul Kwiat (University of Illinois at UrbanaChampaign)[abstract]Abstract: Aerial Drones have been used in defense applications for decades, but recently the commercial use cases of drones have significantly increased to include package delivery, taxis, aerial photography, disaster relief, and even delivery of COVID19 vaccines. Typically drones rely on a plurality of inflight sensors for navigation and external command and control signals for tasking. As drones continue to proliferate our skies, the need to secure communication between drone constellations will become increasingly important, since the unmanned nature of drones offers new attack vectors which are not present for platforms with human operators. Quantum security protocols such as Quantum Key Distribution (QKD) offer unique advantages over classical approaches to secure the commandandcontrol signals of current and future drone constellations. In this presentation, we will report progress towards demonstrating QKD between two drones in flight. Critical subsystems and characterization data will be presented such as the QKD source, which is based on a resonant cavity Light Emitting Diodes (LED), as well as a secondary QKD source based on a fibercoupled polarization modulator. The Pointing Acquisition, and Tracking (PAT) system provides both course alignment using Infrared (IR) beacons and cameras and fine alignment is achieved using Fast Steering Mirrors (FSM) and feedback position sensors. We will discuss QKD optical payloads, which were fabricated using a 3D printed bench to achieve a compact size and weight, singlephoton detectors, an FPGAbased timetagger and two timesynchronization approaches. Providing quantum security to emerging drone networks, including airborne and groundbased systems such as selfdriving cars, is a critical enabling technology required to extend the future quantum internet to mobile platforms, with could play an essential role, e.g., for reconfigurable distributed quantum sensors.Presenter live session: Andrew Conrad

Medical Data Protection in transit and at rest during the OpenQKD testbed operation in GrazHannes Hübel (AIT Austrian Institute of Technology); Andreas Poppe (AIT Austrian Institute of Technology); Florian Kutschera (AIT Austrian Institute of Technology); Werner Strasser (fragmentiX Storage Solutions GmbH); Bernhard Zatoukal (fragmentiX Storage Solutions GmbH); Kurt Zatloukal (Medical University Graz); Heimo Müller (Medical University Graz); Sigurd Lax (Hospital LKHGraz II)[abstract]Abstract: We present data from a medical usecase demonstration from the OpenQKD project. The demonstration combined QKD with Secret Sharing to secure medical data both in transit and at rest. The network with 4 nodes and 4 links was running for more than two months in a deployed innercity fiber network.Presenter live session: Andreas Poppe

Hidden Cosets and Applications to Unclonable CryptographyAndrea Coladangelo (University of California, Berkeley); Jiahui Liu (University of Texas at Austin); Qipeng Liu (Princeton University); Mark Zhandry (Princeton University & NTT Research)[abstract]Abstract: In 2012, Aaronson and Christiano introduced the idea of hidden subspace states to build publickey quantum money [STOC '12]. Since then, this idea has been applied to realize several other cryptographic primitives which enjoy some form of unclonability. In this work, we propose a generalization of hidden subspace states to hidden coset states. We study different unclonable properties of coset states and several applications: (*) We show that, assuming indistinguishability obfuscation (iO), hidden coset states possess a certain direct product hardness property, which immediately implies a tokenized signature scheme in the plain model. Previously, a tokenized signature scheme was known only relative to an oracle, from a work of BenDavid and Sattath [QCrypt '17]. (*) Combining a tokenized signature scheme with extractable witness encryption, we give a construction of an unclonable decryption scheme in the plain model. The latter primitive was recently proposed by Georgiou and Zhandry [ePrint '20], who gave a construction relative to a classical oracle. (*) We conjecture that coset states satisfy a certain natural monogamyofentanglement property. Assuming this conjecture is true, we remove the requirement for extractable witness encryption in our unclonable decryption construction. As potential evidence in support of the conjecture, we prove a weaker version of this monogamy property, which we believe will still be of independent interest. (*) Finally, we give the first construction of a copyprotection scheme for pseudorandom functions (PRFs) in the plain model. Our scheme is secure either assuming iO, onwway functions (OWFs) and extractable witness encryption, or assuming iO, OWFs, computeandcompare obfuscation and the conjectured monogamy property mentioned above. This is the first example of a copyprotection scheme with provable security in the plain model for a class of functions that is not evasive.Presenter live session: Qipeng Liu

Deviceindependent lower bounds on the conditional von Neumann entropyPeter Brown (ENS Lyon); Hamza Fawzi (University of Cambridge); Omar Fawzi (ENS Lyon)[abstract]Abstract: The rates of several deviceindependent (DI) protocols, including quantum keydistribution (QKD) and randomness expansion (RE), can be computed via an optimization of the conditional von Neumann entropy over a particular class of quantum states. In this work we introduce a numerical method to compute lower bounds on such rates. Our rate calculations are valid for systems on general separable Hilbert spaces and we also investigate the convergence of our method to the actual rate, proving convergence in certain situations. Applying our method to compute the rates of DIRE and DIQKD protocols we find substantial improvements over all previous numerical techniques, demonstrating significantly higher rates for both DIRE and DIQKD. In particular, for DIQKD we show a new minimal detection efficiency threshold which is within the realm of current capabilities. Moreover, we demonstrate that our method is able to converge rapidly by recovering instances of all known tight analytical bounds. Finally, we note that our method is compatible with the entropy accumulation theorem and can thus be used to compute rates of finite round protocols and subsequently prove their security.Presenter live session: Peter Brown

Quantum conference key agreement using photonic graph stateJoseph Ho (HeriotWatt University); Alex Pickston (HeriotWatt University); Francesco Graffitti (HeriotWatt University); Federico Grasselli (Heinrich Heine University Dusseldorf); Chris L Morrison (HeriotWatt University); Massimiliano Proietti (HeriotWatt University); Andres Ulibarrena (HeriotWatt University); Alessandro Fedrizzi (HeriotWatt University)[abstract]Abstract: Quantum conference key agreement (CKA) is a cryptographic task for sharing a secret common key between multiple users. CKA has been established as a network protocol that can leverage multipartite entanglement (NQKD) to gain an advantage over contemporary twoparty communication primitives (2QKD). Specifically, when performing QCKA in constrained quantum networks, e.g., with limited channel capacities, NQKD schemes can produce the conference key between N users with up to an N1 rate advantage over 2QKD. QCKA has previously been implemented by direct transmission of a 4photon GHZ state, however did not show the advantage comparison. Here we show this advantage using a universal network resource represented by a 6qubit photonic graph state.Presenter live session: Joseph Ho

Privacy amplification and decoupling without smoothingFrédéric Dupuis (Université de Montréal)[abstract]Abstract: We prove an achievability result for privacy amplification and decoupling in terms of the sandwiched Rényi entropy of order α ∈ (1,2]; this extends previous results which worked for α=2. The fact that this proof works for α close to 1 means that we can bypass the smooth minentropy in the many applications where the bound comes from the fully quantum AEP or entropy accumulation (EAT), and carry out the whole proof using the Rényi entropy, thereby easily obtaining an error exponent for the final task. This effectively replaces smoothing, which is a difficult highdimensional optimization problem, by an optimization problem over a single real parameter α. This can be applied directly to QKD security proofsincluding device independent protocolsby combining it with the entropy accumulation theorem.Presenter live session: Frédéric Dupuis

Quantum Private BroadcastingAnne Broadbent (University of Ottawa); Carlos E. GonzalezGuillen (Universidad Politecnica de Madrid); Christine Schuknecht (University of Ottawa)[abstract]Abstract: In Private Broadcasting, a single plaintext is broadcast to multiple recipients in an encrypted form, such that each recipient can decrypt locally. When the message is classical, a straightforward solution is to encrypt the plaintext with a single key shared among all parties, and to send to each recipient a copy of the ciphertext. Surprisingly, the analogous method is insufficient in the case where the message is quantum (i.e. in Quantum Private Broadcasting (QPB)). In this work, we give three solutions to QPB and compare them in terms of key lengths. The first method is the independent encryption with the quantum onetime pad, which requires a key linear in the number of recipients, t. We show that the key length can be decreased to be logarithmic in t by using unitary tdesigns. Our main contribution is to show that this can be improved to a key length that is polynomial in the dimension of the symmetric subspace, using a new concept that we define of symmetric unitary tdesigns, that may be of independent interest.Presenter live session: Christine Schuknecht

On the Round Complexity of Secure Quantum ComputationJames Bartusek (UC Berkeley); Andrea Coladangelo (UC Berkeley); Dakshita Khurana (UIUC); Fermi Ma (Princeton University and NTT Research)[abstract]Abstract: We construct the first constantround protocols for secure quantum computation in the twoparty (2PQC) and multiparty (MPQC) settings with security against malicious adversaries. Our protocols are in the common random string (CRS) model.  Assuming twomessage oblivious transfer (OT), we obtain (i) threemessage 2PQC, and (ii) fiveround MPQC with only three rounds of online (inputdependent) communication; such OT is known from quantumhard Learning with Errors (QLWE).  Assuming subexponential hardness of QLWE, we obtain (i) threeround 2PQC with two online rounds and (ii) fourround MPQC with two online rounds.  When only one (out of two) parties receives output, we achieve minimal interaction (two messages) from twomessage OT; classically, such protocols are known as noninteractive secure computation (NISC), and our result constitutes the first maliciouslysecure quantum NISC. Additionally assuming reusable malicious designatedverifier NIZK arguments for NP (MDVNIZKs), we give the first MDVNIZKs for QMA that only require one copy of the witness. Finally, we perform a preliminary investigation into tworound secure quantum computation where each party must obtain output. On the negative side, we identify a broad class of simulation strategies that suffice for classical tworound secure computation that are unlikely to work in the quantum setting. Next, as a proofofconcept, we show that tworound secure quantum computation exists with respect to a quantum oracle.Presenter live session: James Bartusek

Deviceindependent protocols from computational assumptionsTony Metger (ETH Zurich); Yfke Dulek (QuSoft and CWI Amsterdam); Andrea Coladangelo (University of California, Berkeley); Rotem ArnonFriedman (Weizmann Institute of Science); Thomas Vidick (California Institute of Technology)[abstract]Abstract: Deviceindependent protocols use untrusted quantum devices to achieve a cryptographic task. Such protocols are typically based on Bell inequalities and require the assumption that the quantum device is composed of separated noncommunicating components. In this submission, we present protocols for selftesting and deviceindependent quantum key distribution (DIQKD) that are secure even if the components of the quantum device can exchange arbitrary quantum communication. Instead, we assume that the device cannot break a standard postquantum cryptographic assumption. Importantly, the computational assumption only needs to hold during the protocol execution and only applies to the (adversarially prepared) device in possession of the (classical) user, while the adversary herself remains unbounded. The output of the protocol, e.g. secret keys in the case of DIQKD, is informationtheoretically secure. For our selftesting protocol, we build on a recently introduced cryptographic tool (Brakerski et al., FOCS 2018; Mahadev, FOCS 2018) to show that a classical user can enforce a bipartite structure on the Hilbert space of a blackbox quantum device, and certify that the device has prepared and measured a state that is entangled with respect to this bipartite structure. Using our selftesting protocol as a building block, we construct a protocol for DIQKD that leverages the computational assumption to produce informationtheoretically secure keys. The security proof of our DIQKD protocol uses the selftesting theorem in a blackbox way. Our selftesting theorem thus also serves as a first step towards a more general translation procedure for standard deviceindependent protocols to the setting of computationally bounded (but freely communicating) devices.Presenter live session: Tony Metger

System Integration of Photonic Integrated Quantum Communications ChipsTaofiq K Paraiso (Toshiba Europe Ltd); Thomas Roger (Toshiba Europe Ltd); Davide G Marangon (Toshiba Europe Ltd); Innocenzo De Marco (Toshiba Europe Ltd); Mirko Sanzaro (Toshiba Europe Ltd); Robert I Woodward (Toshiba Europe Ltd); James F Dynes (Toshiba Europe Ltd); Zhiliang Yuan (Toshiba Europe Ltd); Andrew J Shields (Toshiba Europe Ltd)[abstract]Abstract: Integrated photonics presents an opportunity for lowcost and highlyreproducible quantum cryptographic systems. However, due to numerous challenges such as packaging, power consumption and interfacing multiple chips in real, a standalone deployable photonic integrated system is still missing. Here we address all these challenges to present a realtime quantum communication system using integrated photonics. The system operated without intervention over multiple days and is capable of secure key rates of > 470 kbps over 10 km of fiberPresenter live session: Robert Woodward

Postquantum ResettablySound Zero KnowledgeNir Bitansky (Tel Aviv University); Michael Kellner (Tel Aviv University); Omri Shmueli (Tel Aviv University)[abstract]Abstract: We study postquantum zeroknowledge (classical) protocols that are sound against quantum resetting attacks. Our model is inspired by the classical model of resetting provers (BarakGoldreichGoldwasserLindell, FOCS `01), providing a malicious efficient prover with oracle access to the verifier's nextmessagefunction, fixed to some initial random tape; thereby allowing it to effectively reset (or equivalently, rewind) the verifier. In our model, the prover has quantum access to the verifier's function, and in particular can query it in superposition. The motivation behind quantum resettable soundness is twofold: First, ensuring a strong security guarantee in scenarios where quantum resetting may be possible (e.g., smart cards, or virtual machines). Second, drawing intuition from the classical setting, we hope to improve our understanding of basic questions regarding postquantum zero knowledge. We prove the following results: BlackBox Barriers: Quantum resetting exactly captures the power of blackbox zero knowledge quantum simulators. Accordingly, resettable soundness cannot be achieved in conjunction with blackbox zero knowledge, except for languages in \BQP. Leveraging this, we prove that constantround publiccoin, or three message, protocols cannot be blackbox postquantum zeroknowledge. For this, we show how to transform such protocols into quantumly resettably sound ones. The transformations are similar to classical ones, but their analysis is significantly more challenging due to the essential difference between classical and quantum resetting. A ResettablySound NonBlackBox ZeroKnowledge Protocol: Under the (quantum) Learning with Errors assumption and quantum fullyhomomorphic encryption, we construct a postquantum resettablysound zero knowledge protocol for \NP. We rely on nonblackbox simulation techniques, thus overcoming the blackbox barrier for such protocols. From Resettable Soundness to The Impossibility of Quantum Obfuscation: Assuming oneway functions, we prove that any quantumlyresettablysound zeroknowledge protocol for \NP implies the impossibility of quantum obfuscation. Combined with the above result, this gives an alternative proof to several recent results on quantum unobfuscatability.Presenter live session: Michael Kellner
List of Accepted Posters
(in order of submission)
Download a ziparchive of all posters.

Discretephaserandomized measurementdeviceindependent quantum key distributionZhu Cao (East China University of Science and Technology)[abstract]Abstract: Measurementdeviceindependent quantum key distribution removes all detectorside attacks in quantum cryptography, and in the meantime doubles the secure distance. The source side, however, is still vulnerable to various attacks. In particular, the continuous phase randomization assumption on the source side is normally not fulfilled in experimental implementation and may potentially open a loophole. In this work, we first show that indeed there are loopholes for imperfect phase randomization in measurementdeviceindependent quantum key distribution by providing a concrete attack. Then we propose a discretephaserandomized measurementdeviceindependent quantum key distribution protocol as a solution to close this sourceside loophole. [Phys. Rev. A 101, 062325]

Analysis of the effects of temperature increase on quantum random number generatorYuanhao Li (State Key Laboratory of Mathematical Engineering and Advanced Computing,Henan Key Laboratory of Network Cryptography Technology); Yangyang Fei (State Key Laboratory of Mathematical Engineering and Advanced Computing,Henan Key Laboratory of Network Cryptography Technology); Weilong Wang (State Key Laboratory of Mathematical Engineering and Advanced Computing,Henan Key Laboratory of Network Cryptography Technology); Xiangdong Meng (State Key Laboratory of Mathematical Engineering and Advanced Computing,Henan Key Laboratory of Network Cryptography Technology); Hong Wang (State Key Laboratory of Mathematical Engineering and Advanced Computing,Henan Key Laboratory of Network Cryptography Technology); Qianheng Duan (State Key Laboratory of Mathematical Engineering and Advanced Computing,Henan Key Laboratory of Network Cryptography Technology); Zhi Ma (State Key Laboratory of Mathematical Engineering and Advanced Computing,Henan Key Laboratory of Network Cryptography Technology)[abstract]Abstract: Quantum random number generator (QRNG) relies on the intrinsic randomness of quantum mechanics to produce true random numbers which are important in many fields. QRNGs with semiconductor light source have attracted a lot of attention due to their operational simplicity and high generation rate. However, the temperature of light source may vary due to imperfect devices and other factors. There is still a lack of study on the effects of temperature variations on the security of practical QRNG. We fill this gap by presenting a numerical method for studying the effects of temperature increase on the superluminescent emitting diode (SLED) based QRNG and propose some strategies toward robust QRNG against temperature increase.

Classically Veriﬁable (DualMode) NIZK for QMA with PreprocessingTomoyuki Morimae (Kyoto University); Takashi Yamakawa (NTT)[abstract]Abstract: We propose three constructions of classically verifiable noninteractive proofs (CVNIP) and noninteractive zeroknowledge proofs and arguments (CVNIZK) for QMA in various preprocessing models.

Bell nonlocality is not sufficient for the security of standard deviceindependent quantum key distribution protocolsMáté Farkas (ICFO); Maria BalanzóJuandó (ICFO); Karol Łukanowski (University of Warsaw); Jan Kołodyński (University of Warsaw); Antonio Acín (ICFO)[abstract]Abstract: Deviceindependent quantum key distribution is a secure quantum cryptographic paradigm that allows two honest users to establish a secret key, while putting minimal trust in their devices. Most of the existing protocols have the following structure: First, a bipartite nonlocal quantum state is distributed between the honest users, who perform local projective measurements to establish nonlocal correlations. Then, they announce the implemented measurements and extract a secure key by postprocessing their measurement outcomes. We show that no protocol of this form allows for establishing a secret key when implemented on certain entangled nonlocal states, namely on a range of entangled twoqubit Werner states. To prove this result, we introduce a technique for upperbounding the asymptotic key rate of deviceindependent quantum key distribution protocols, based on a simple eavesdropping attack. Our results imply that either different toolssuch as different reconciliation techniques or nonprojective measurementsare needed for deviceindependent quantum key distribution in the largenoise regime, or Bell nonlocality is not sufficient for this task.

Certified Quantum Random Numbers from Untrusted LightDavid Drahi (University of Oxford); Nathan Walk (Freie Universität); Matty J Hoban (Goldsmiths, University of London); Aleksey K Federov (Russian Quantum Center); Roman Shakhovoy (Russian Quantum Center); Yury Kurochkin (Russian Quantum Center); Akky Feimov (Russian Quantum Center); W Steven Kolthammer (Imperial College); Joshua Nunn (University of Bath); Jonathan Barrett (University of Oxford); Ian A Walmsley (Imperial College)[abstract]Abstract: A remarkable aspect of quantum theory is that certain measurement outcomes are entirely unpredictable to all possible observers. Such quantum events can be harnessed to generate numbers whose randomness is asserted based upon the underlying physical processes. We formally introduce, design, and experimentally demonstrate an ultrafast optical quantum random number generator that uses a totally untrusted photonic source. While considering completely general quantum attacks and using dedicated FPGA hardware for postprocessing, we certify and generate in real time random numbers at a rate of 8.05 Gb/s with a composable security parameter of 10^{−10}. Composable security is the most stringent and useful security paradigm because any given protocol remains secure even if arbitrarily combined with other instances of the same, or other, protocols, thereby allowing the generated randomness to be utilized for arbitrary applications in cryptography and beyond. This work achieves the fastest generation of composably secure quantum random numbers ever reported.

A model for optimizing quantum key distribution with continuouswavepumped entangledphoton sourcesSebastian Philipp Neumann (IQOQI Vienna, Austria); Thomas Scheidl (IQOQI Vienna, Austria); Mirela Selimovic (IQOQI Vienna, Austria); Matej Pivoluska (IQOQI Vienna, Austria); Bo Liu (College of Advanced Interdisciplinary Studies, NUDT, Changsha, China); Martin Bohmann (IQOQI Vienna, Austria); Rupert Ursin (IQOQI Vienna, Austria)[abstract]Abstract: Quantum Key Distribution (QKD) allows unconditionally secure communication based on the laws of quantum mechanics rather then assumptions about computational hardness. Optimizing the operation parameters of a given QKD implementation is indispensable in order to achieve high secure key rates. So far, there exists no model that accurately describes entanglementbased QKD with continuouswave pump lasers. For the first time, we analyze the underlying mechanisms for QKD with temporally uniform paircreation probabilities and develop a simple but accurate model to calculate optimal tradeoffs for maximal secure key rates. In particular, we find an optimization strategy of the source brightness for given losses and detectiontime resolution. All experimental parameters utilized by the model can be inferred directly in standard QKD implementations, and no additional assessment of device performance is required. Comparison with experimental data shows the validity of our model. Our results yield a tool to determine optimal operation parameters for already existing QKD systems, to plan a full QKD implementation from scratch, and to determine fundamental key rate and distance limits of given connections.

Quantum Computationally PredicateBinding Commitments with Application in Quantum ZeroKnowledge Arguments for NPJun Yan (Jinan University)[abstract]Abstract: A quantum bit commitment scheme is to realize bit (rather than qubit) commitment by exploiting quantum communication and quantum computation. In this work, we study the binding property of the quantum string commitment scheme obtained by composing a generic quantum computationallybinding bit commitment scheme in parallel. We show that the resulting scheme satisfies a stronger quantum computational binding property than the trivial honestbinding, which we call predicatebinding. Intuitively and very roughly, the predicatebinding property guarantees that given any inconsistent predicate pair over a set of strings (i.e. no strings in this set can satisfy both predicates), if a (claimed) quantum commitment can be opened so that the revealed string satisfies one predicate with certainty, then the same commitment cannot be opened so that the revealed string satisfies the other predicate except for a negligible probability. As an application, we plug a generic quantum perfectly(resp. statistically)hiding computationallybinding bit commitment scheme in Blum's zeroknowledge protocol for the NPcomplete language Hamiltonian Cycle. The quantum computational soundness of the resulting protocol will follow immediately from the quantum computational predicatebinding property of commitments. Combined with the perfect(resp. statistical) zeroknowledge property which can be similarly established as [Watrous], as well as known constructions of quantum computationallybinding bit commitment scheme, this gives rise to the first quantum perfect(resp. statistical) zeroknowledge argument system for all NP languages merely relying on quantumsecure oneway functions.

Quantum Receiver for PhaseShift Keying at the SinglePhoton LevelJasminder S. Sidhu (University of Strathclyde); Shuro Izumi (Technical University of Denmark); Jonas S. NeergaardNielsen (Technical University of Denmark); Cosmo Lupo (University of Sheffield); Ulrik L. Andersen (Technical University of Denmark)[abstract]Abstract: Quantum enhanced receivers are endowed with resources to achieve higher sensitivities than conventional technologies. For application in optical communications, they provide improved discriminatory capabilities for multiple nonorthogonal quantum states. In this work, we propose and experimentally demonstrate a new decoding scheme for quadrature phaseshift encoded signals. Our receiver surpasses the standard quantum limit and outperforms all previously known nonadaptive detectors at low input powers. Unlike existing approaches, the receiver only exploits linear optical elements and onoff photodetection. This circumvents the requirement for challenging feedforward operations that limit communication transmission rates and can be readily implemented with current technology.

Quantum Private Information Retrieval for Quantum MessagesSeunghoan Song (Nagoya University); Masahito Hayashi (Southern University of Science and Technology)[abstract]Abstract: Quantum private information retrieval (QPIR) for quantum messages is the protocol in which a user retrieves one of the multiple quantum states from one or multiple servers without revealing which state is retrieved. We consider QPIR in two different settings: the blind setting, in which the servers contain one copy of the message states, and the visible setting, in which the servers contain the description of the message states. One trivial solution in both settings is downloading all states from the servers and the main goal of this paper is to find more efficient QPIR protocols. First, we prove that the trivial solution is optimal for oneserver QPIR in the blind setting. In oneround protocols, the same optimality holds even in the visible setting. On the other hand, when the user and the server share entanglement, we prove that there exists an efficient oneserver QPIR protocol in the blind setting. Furthermore, in the visible setting, we prove that it is possible to construct symmetric QPIR protocols in which the user obtains no information of the nontargeted messages. We construct twoserver symmetric QPIR protocols. Note that symmetric classical PIR is impossible without shared randomness unknown to the user.

A Cryptographic approach to Quantum MetrologyNathan Shettell (LIP6); Elham Kashefi (LIP6); Damian Markham (LIP6)[abstract]Abstract: We derive a general framework for a quantum metrology scheme where the quantum probes are exchanged via an unsecured quantum channel. We construct two protocols for this task which offer a tradeoff between difficulty of implementation and efficiency. We show that, for both protocols, a malicious eavesdropper cannot access any information regarding the unknown parameter. We further derive general inequalities regarding how the uncertainty in a resource state for quantum metrology can bias the estimate and the precision. From this, we link the effectiveness of the cryptographic part of the protocol to the effectiveness of the metrology scheme with a (potentially) malicious probe resource state.

Remote synchronization of multiple ultrafast multichannel time taggersTorsten Langer (PicoQuant GmbH); Tino Roehlicke (PicoQuant GmbH); Maximilian Diedrich (PicoQuant GmbH); Max Tillmann (PicoQuant GmbH); Michael Wahl (PicoQuant GmbH)[abstract]Abstract: TimeCorrelated Single Photon Counting (TCSPC) and continuous time tagging of photon arrival times are very powerful tools in many areas of applied physics [1]. In optical quantum science, they are widely used for the characterization of nonclassical light emitters and the detection of coincident photon arrival events. In light of the recent quantum technology initiatives, these timing devices play a central role as crucial technological building blocks. Here, we present a new scalable concept of multichannel event timers with up to 64 channels, 5 ps digital resolution and accurate longdistance synchronization capabilities using the White Rabbit fiber network protocol [2]. We demonstrate a relative timing precision of about 40 ps to 50 ps r.m.s. over several kilometers distance in network topologies of different complexity and with different fiber lengths, with and without additional network traffic. One set of results measuring across 5 different devices in a simple startopology using one White Rabbit switch is shown in Fig. 1 as an example. The new event timers have an extremely short dead time of <650 ps, which keeps up with the quick progress of development in the area of superconducting nanowires and other single photon detectors with short recovery times. The event timers feature two data interfaces to the host: a USB interface and a lowlatency interface to external FPGAs, on which custom algorithms for realtime data processing can be implemented. In particular, the FPGA interface is presently being employed in a demonstrator of a high speed QKD system as part of the QuPAD project, funded by the German Federal Ministry of Eduaction and research, contract number 13N14953. The new design also provides several valuable features such as adjustable timing offsets for each input channel at full resolution, four external marker inputs for imaging and other synchronization tasks, as well as in/outputs for hardware driven experiment control, as established in various trendsetting instruments developed earlier [34]. References [1] P. Kapusta, M. Wahl, and R. Erdmann (eds.), Advanced Photon Counting  Applications, Methods, Instrumentation, (Springer International Publishing, 2015) [2] J. Serrano, P. Alvarez, M. Cattin, E. G. Cota, P. M. J. H. Lewis, T. Włostowski et al., "The White Rabbit Project", Proc. ICALEPCS TUC004, Kobe, Japan (2009). [3] M. Wahl, T. Roehlicke, S. Kulisch, S. Rohilla, B. Kraemer and A.C. Hocke, "Photon arrival time tagging with many channels, subnanosecond deadtime, very high throughput, and fiber optic remote synchronization", Rev. Sci. Instrum. 91, 013108 (2020). [4] M. Wahl, H.J. Rahn, T. Roehlicke, R. Erdmann, G. Kell, A. Ahlrichs, M. Kernbach, A.W. Schell, and O. Benson, "Integrated multichannel photon timing instrument with very short dead time and high throughput ", Rev. Sci. Instrum. 84, 043102 (2013).

Improving the performance of referenceframeindependent quantum key distribution through a turbulent atmosphereYang Xue (Air Force Engineering University); Lei Shi (Air Force Engineering University)[abstract]Abstract: Referenceframeindependent quantum key distribution (RFIQKD) can dispense with the requirements of active alignment on reference frames between legitimate users, which is beneficial for freespace implementation. However, the fluctuating transmittance due to atmospheric turbulence still remains a great challenge for improving the performance and has been seldom addressed. In this paper we extend the recently proposed prefixedthreshold realtime selection method to RFIQKD while combining practical consideration of the transmittance probability distribution model based on the finite aperture theory. Through numerical simulations, we present an estimation for the variance of the lognormal model with respect to distance and receiving aperture radius, and demonstrate the effectiveness of using this method in the RFI protocol. Considering the finitekey effects, simulation results show that the gap of the key rate with different reference frame deviations can be alleviated by increasing the data size. By adopting this method one can tolerate more serious transmission loss, especially in strong turbulence cases, which is helpful for future freespace experimental designs.

Finitekey analysis of losstolerant quantum key distribution based on random sampling theoryGuillermo CurrásLorenzo (University of Leeds); Álvaro Navarrete (University of Vigo); Margarida Pereira (University of Vigo); Kiyoshi Tamaki (University of Toyama)[abstract]Abstract: The core of security proofs of quantum key distribution (QKD) is the estimation of a parameter that determines the amount of privacy amplification that the users need to apply in order to distil a secret key. To estimate this parameter using the observed data, one needs to apply concentration inequalities, such as random sampling theory or Azuma’s inequality. The latter can be straightforwardly employed in a wider class of QKD protocols, including those that do not rely on mutually unbiased encoding bases, such as the losstolerant (LT) protocol. However, when applied to reallife finitelength QKD experiments, Azuma’s inequality typically results in substantially lower secretkey rates. Here, we propose an alternative security analysis of the LT protocol against general attacks, for both its prepareandmeasure and measuredeviceindependent versions, that is based on random sampling theory. Consequently, our security proof provides considerably higher secretkey rates than the previous finitekey analysis based on Azuma’s inequality. This work opens up the possibility of using random sampling theory to provide alternative security proofs for other QKD protocols.

OnChip Quantum Autoencoder for Teleportation of HighDimensional Quantum StatesHui Zhang (Nanyang Technological University); Lingxiao Wan (Nanyang Technological University); Tobias Haug (National University of Singapore); WaiKeong Mok (National University of Singapore); Hong Cai (Institute of Microelectronics, A*STAR (Agency for Science, Technology and Research)); Muhammad Faeyz Karim (Nanyang Technological University); Kwek Leong Chuan (Nanyang Technological University; National University of Singapore; National Institute of Education, Singapore); Ai Qun Liu (Nanyang Technological University)[abstract]Abstract: Currently most quantum teleportation experiments are based on qubits. Here, we demonstrate a quantum autoencoder assisted teleportation for highdimensional quantum states. Our method of training the autoencoder allows us to take a finite sample of those states, learn how to compress them to qubits with nearly unit fidelity. After training, we can teleport any further states from the sender and reconstruct them with high fidelity on the receiver part. We verify the proposed scheme by teleporting a qutrit via a siliconphotonic chip. High fidelity is achieved between the input qutrit and the qutrit recovered from the teleported qubit.

An integrated heterogeneous superconducting–siliconphotonic platform for measurementdeviceindependent quantum key distributionXiaodong Zheng (Nanjing University); Peiyu Zhang (Nanjing University); Renyou Ge (Sun Yatsen University); Liangliang Lu (Nanjing University); Guanglong He (Nanjing University); Qi Chen (Nanjing University); Fangchao Qu (Nanjing University); Labao Zhang (Nanjing University); Xinlun Cai (Sun Yatsen University); Yanqing Lu (Nanjing University); Shining Zhu (Nanjing University); Peiheng Wu (Nanjing University); XiaoSong Ma (Nanjing University)[abstract]Abstract: Integrated photonics provides a route both to miniaturize quantum key distribution (QKD) devices and to enhance their performance. A key element for discretevariable QKD is singlephoton detector. It is necessary to integrate such device onto a photonic chip to enable the realization of practical and scalable quantum networks. Here, we report a successful interfacing of Complementary MetalOxideSemiconductor (CMOS)compatible silicon nanophotonics with optical waveguideintegrated superconducting nanowire singlephoton detector (SNSPD). We perform the first optimal Bellstate measurement (BSM) of timebin encoded qubits generated from two independent lasers benefited from the reduced dead time of SNSPD ∼3.4 ns. The optimal BSM enables an increased key rate of measurementdeviceindependent QKD, which is immune to all attacks against the detection system and hence provides the basis for a QKD network with untrusted relays. Together with the timemultiplexed technique, we have enhanced the sifted key rate by almost one order of magnitude. Combined with integrated QKD transmitters, a scalable, chipbased and costeffective QKD network should become realizable in the near future.

A simple lowlatency realtime certifiable quantum random number generatorYanbao Zhang (NTT Basic Research Lab); HsinPin Lo (NTT Basic Research Lab); Alan Mink (NIST); Takuya Ikuta (NTT Basic Research Lab); Toshimori Honjo (NTT Basic Research Lab); Hiroki Takesue (NTT Basic Research Lab); William J. Munro (NTT Basic Research Lab)[abstract]Abstract: Quantum random numbers distinguish themselves from others by their intrinsic unpredictability arising from the principles of quantum mechanics. As such they are extremely useful in many scientific and realworld applications with considerable efforts going into their realizations. Most demonstrations focus on high asymptotic generation rates. For this goal, a large number of repeated trials are required to accumulate a significant store of certifiable randomness, resulting in a high latency between the initial request and the delivery of the requested random bits. Here we demonstrate lowlatency realtime certifiable quantum randomness generation from measurements on photonic timebin states. For this, we develop methods to efficiently certify randomness taking into account adversarial imperfections in both the state preparation and the measurement apparatus. Every 0.12 seconds we generate a block of 8192 random bits which are certified against all quantum adversaries with an error bounded by 2^{64}. Our quantum random number generator is thus well suited for realizing a continuously operating, highsecurity, and highspeed quantum randomness beacon.

Efficient verification of continuousvariable quantum states and devices without assuming identical and independent operationsYadong Wu (Hong Kong University); Ge Bai (Hong Kong University); Giulio Chiribella (Hong Kong University); Nana Liu (Shanghai Jiao Tong University)[abstract]Abstract: Continuousvariable quantum information, encoded into in finitedimensional quantum systems, is a promising platform for the realization of many quantum information protocols, including quantum computation, quantum metrology, quantum cryptography, and quantum communication. To successfully demonstrate these protocols, an essential step is the certi fication of multimode continuous variable quantum states and quantum devices. This problem is well studied under the assumption that multiple uses of the same device result into identical and independently distributed (i.i.d.) operations. However, in realistic scenarios, identical and independent state preparation and calls to the quantum devices cannot be generally guaranteed. Important instances include adversarial scenarios and instances of timedependent and correlated noise. In this paper, we propose the first set of reliable protocols for verifying multimode continuousvariable entangled states and devices in these noni.i.d scenarios.

Impossibility of composable Oblivious Transfer in relativistic quantum cryptographyLorenzo Laneve (Department of Computer Science, ETH Zurich); Lidia del Rio (Institute for Theoretical Physics, ETH Zurich)[abstract]Abstract: We prove impossibility of composable oblivious transfer in relativistic and quantum settings, and provide constructions between different versions of oblivious transfer and bit commitment. We do so in the abstract cryptography framework, with cryptographic resources instantiated as causal boxes in Minkowski space. This paper can be seen as an application of Vilasini et al’s approach to other cryptographic primitives.

QEnclave  A composable treatment of quantum trusted execution environmentsYao Ma (LIP6, Sorbonne Université and VeriQloud); Elham Kashefi (LIP6, Sorbonne Université and School of Informatics, University of Edinburgh); Myrto Arapinis (School of Informatics, University of Edinburgh); Kaushik Chakraborty (School of Informatics, University of Edinburgh); Marc Kaplan (VeriQloud)[abstract]Abstract: We introduce a secure hardware device named a QEnclave that can secure the remote execution of quantum operations while only using classical controls. This device extends to quantum computing the classical concept of a secure enclave which isolates a computation from its environment to provide privacy and tamperresistance. Remarkably, our QEnclave only performs singlequbit rotations, but can nevertheless be used to secure an arbitrary quantum computation even if the qubit source is controlled by an adversary. More precisely, attaching a QEnclave to a quantum computer, a remote client controlling the QEnclave can securely delegate its computation to the server solely using classical communication. We investigate the security of our QEnclave by modeling it as an ideal functionality named Remote State Rotation. We show that this resource allows blind delegated quantum computing with perfect security. Our proof relies on standard tools from delegated quantum computing. Working in the Abstract Cryptography framework, we show a construction of remote state preparation from remote state rotation preserving the security. An immediate consequence is the weakening of the requirements for blind delegated computation. While previous delegated protocols were relying on a client that can either generate or measure quantum states, we show that this same functionality can be achieved with a client that only transforms quantum states without generating or measuring them. Combined with known impossibility results for implementing remote state preparation with classical communication, our construction suggests a new way for blind secure delegated computation. Computational assumptions that circumvent this impossibility induce large overheads that prevent their practical use. But our approach does not increase the complexity of the problem, and relies on hardware assumptions that are already used in practice for classical computations. It hence provides a better way of implementing blind remote delegation on real quantum computing systems.

Quantum Secure Direct Communication with Mutual Authentication using a Single BasisNayana Das` (Indian Statistical Institute, Kolkata); Goutam Paul (Indian Statistical Institute, Kolkata); Ritajit Majumdar (Indian Statistical Institute, Kolkata)[abstract]Abstract: In this paper, we propose a new theoretical scheme for quantum secure direct communication (QSDC) with user authentication. Different from the previous QSDC protocols, the present protocol uses only one orthogonal basis of singlequbit states to encode the secret message. Moreover, this is a onetime and oneway communication protocol, which uses qubits prepared in a randomly chosen arbitrary basis, to transmit the secret message. We discuss the security of the proposed protocol against some common attacks and show that no eavesdropper can get any information from the quantum and classical channels. We have also studied the performance of this protocol under realistic device noise. We have executed the protocol in the IBMQ Armonk device and proposed a repetition codebased protection scheme that requires minimal overhead.

Multiphoton and sidechannel attacks in mistrustful quantum cryptographyMathieu Bozzio (University of Vienna); Adrien Cavailles (Sorbonne Université); Eleni Diamanti (Sorbonne Université); Adrian Kent (University of Cambridge); Damián PitalúaGarcía (University of Cambridge)[abstract]Abstract: Mistrustful cryptography includes important tasks like bit commitment, oblivious transfer, coin flipping, secure computations, position authentication, digital signatures and secure unforgeable tokens. Practical quantum implementations presently use photonic setups. In many such implementations, Alice sends photon pulses encoding quantum states and Bob chooses measurements on these states. In practice, Bob generally uses single photon threshold detectors, which cannot distinguish the number of photons in detected pulses. Also, losses and other imperfections require Bob to report the detected pulses. Thus, malicious Alice can send and track multiphoton pulses and thereby gain information about Bob's measurement choices, violating the protocols' security. Here, we provide a theoretical framework for analysing such multiphoton attacks, and present known and new attacks. We illustrate the power of these attacks with an experiment, and study their application to earlier experimental demonstrations of mistrustful quantum cryptography. We analyse countermeasures based on selective reporting and prove them inadequate. We also discuss sidechannel attacks where Alice controls further degrees of freedom or sends other physical systems.

Imperfect quantum oblivious transfer with onesided securityDavid Reichmuth (IPaQS, HeriotWatt University, Edinburgh, UK); Ittoop V. Puthoor (IPaQS, HeriotWatt University, Edinburgh, UK); Petros Wallden (School of Informatics, University of Edinburgh, Edinburgh, UK); Erika Andersson (IPaQS, HeriotWatt University, Edinburgh, UK)[abstract]Abstract: Oblivious transfer (OT) is a cryptographic primitive which is universal for multiparty computation. Unfortunately, perfect informationtheoretically (IT) secure quantum oblivious transfer is impossible (except with restrictions on cheating parties). Imperfect IT secure quantum oblivious transfer remains possible, but the smallest possible cheating probabilities are not known. Informally, in 1outof2 oblivious transfer, a sender Alice has two bits x0, x1. A receiver Bob obtains one of these, xb, where b= 0 or b= 1. Alice should not be able to guess b, and Bob should not be able to guess the bit value he did not obtain. Bounds on cheating probabilities in quantum oblivious transfer have previously been investigated for complete protocols. “Complete” means that if sender Alice and receiver Bob both follow the protocol, the bit value Bob obtains correctly matches Alice’s bit value. Here we instead investigate incomplete protocols, where Bob obtains an incorrect bit value with probability pf. For complete protocols, both “classical” and quantum, it holds that if one party can cheat no better than with a random guess, then the other party can cheat perfectly. For incomplete protocols, in contrast, even with no restrictions on cheating parties, and when one party can cheat no better than with random guess, it is possible that the other party still cannot cheat perfectly; their cheating probability can be lower than in complete protocols. We find the optimal noninteractive protocols where Alice’s bit values are represented by four symmetric pure quantum states, and where Alice cannot cheat better than with a random guess. “Optimal” means that for a given pf, Bob’s cheating probability pr is as low as possible, and vice versa. We also show that quantum protocols can outperform classical noninteractive protocols. Our results also provide a lower bound on Bob’s cheating probability in interactive quantum protocols. An advantage of the noninteractive protocols we investigate is that they require neither entanglement nor quantum memory. The optimal protocols could be readily implemented using standard optical components.

Subexponential rate versus distance with time multiplexed quantum repeatersPrajit Dhara (Wyant College of Optical Sciences, The University of Arizona); Ashlesha Patil (Wyant College of Optical Sciences, The University of Arizona); Hari Krovi (Raytheon BBN Technologies); Saikat Guha (Wyant College of Optical Sciences, The University of Arizona)[abstract]Abstract: Shared entanglement between two remote parties is a key resource for Quantum Cryptography. Quantum communications capacity using direct transmission over length$L$ optical fiber scales as $R \sim e^{\alpha L}$, where $\alpha$ is the fiber's loss coefficient. The rate achieved using a linear chain of quantum repeaters equipped with quantum memories, probabilistic Bell state measurements (BSMs) and switches used for spatial multiplexing, but no quantum error correction was shown to surpass the directtransmission capacity. However, this rate still decays exponentially with the endtoend distance, viz., $R \sim e^{s{\alpha L}}$, with $s < 1$. We show that the introduction of temporal multiplexingi.e., the ability to perform BSMs among qubits at a repeater node that were successfully entangled with qubits at distinct neighboring nodes at {\em different} time stepsleads to a subexponential ratevs.distance scaling, i.e., $R \sim e^{t\sqrt{\alpha L}}$, which is not attainable with just spatial or spectral multiplexing. We evaluate analytical upper and lower bounds to this rate and obtain the exact rate by numerically optimizing the timemultiplexing block length and the number of repeater nodes. We further demonstrate that incorporating losses in the optical switches used to implement timemultiplexing degrades the ratevs.distance performance, eventually falling back to exponential scaling for very lossy switches. We also examine models for quantum memory decoherence and describe optimal regimes of operation to preserve the desired boost from temporal multiplexing. QM decoherence is seen to be more detrimental to the repeater's performance over switching losses.

Efficient Routing in Quantum Key Distribution Networks with Trusted Nodes and RepeatersOmar Amer (University of Connecticut); Walter O. Krawec (University of Connecticut); Bing Wang (University of Connecticut)[abstract]Abstract: There are two critical challenges that must be addressed for Quantum Key Distribution (QKD) to achieve widescale adoption. First, overcoming distance limitations and second increasing secret key generation rates. Our work investigates the design of novel routing algorithms for nearfuture QKD networks to help mitigate these problems. The networks we consider also may serve as a bridge between today's QKD networks and the longterm goal of a true Quantum Internet.

Spooky action of a global distance: analysis of spacebased entanglement distribution for the quantum internetSumeet Khatri (Louisiana State University); Anthony J. Brady (Louisiana State University); Renee A. Desporte (Louisiana State University); Manon P. Bart (Louisiana State University); Jonathan P. Dowling (Louisiana State University)[abstract]Abstract: Recent experimental breakthroughs in satellite quantum communications have opened up the possibility of creating a global quantum internet using satellite links. This approach appears to be particularly viable in the near term, due to the lower attenuation of optical signals from satellite to ground, and due to the currently short coherence times of quantum memories. The latter prevents groundbased entanglement distribution using atmospheric or opticalfiber links at high rates over long distances. In this work, we propose a globalscale quantum internet consisting of a constellation of orbiting satellites that provides a continuous, ondemand entanglement distribution service to ground stations. The satellites can also function as untrusted nodes for the purpose of longdistance quantumkey distribution. We develop a technique for determining optimal satellite configurations with continuous coverage that balances both the total number of satellites and entanglementdistribution rates. Using this technique, we determine various optimal satellite configurations for a polarorbit constellation, and we analyze the resulting satellitetoground loss and achievable entanglementdistribution rates for multiple ground station configurations. We also provide a comparison between these entanglementdistribution rates and the rates of groundbased quantum repeater schemes. Overall, our work provides the theoretical tools and the experimental guidance needed to make a satellitebased global quantum internet a reality.

Quantum Computing Chip with ErrorCorrection EncodingLingxiao Wan (Nanyang Technological University); Hui Zhang (Nanyang Technological University); Stefano Paesani (University of Bristol); Huihui Zhu (Nanyang Technological University); Bo Wang (Nanyang Technological University); Anthony Laing (University of Bristol); Leong Chuan Kwek (National University of Singapore); AiQun Liu (Nanyang Technological University)[abstract]Abstract: We design and fabricate a quantum photonic circuit to generate a 4qubit state to load single qubit information and implement a quantum error correction code to demonstrate its capability of detecting and correcting a singlebit error. The encoded quantum information can be reconstructed from different types of errors and achieve an average state fidelity of 86%. We further extend the scheme to demonstrate faulttolerant measurementbased quantum computing that allows us to redo the qubit operation against the failure of the teleportation process.

A Boson Sampling Chip for Graph Perfect MatchingLingxiao Wan (Nanyang Technological University); Zhu Huihui (Nanyang Technological University); Bo Wang (Nanyang Technological University); Hui Zhang (Nanyang Technological University); Leong Chuan Kwek (National University of Singapore); AiQun Liu (Nanyang Technological University)[abstract]Abstract: We map the perfect matching problem in graph theory to a reconfigurable GBS model with the connection of the Hafnian of a matrix. We configure the linear optical circuit and squeeze parameter of the GBS model according to the decomposed unitary matrix and diagonal matrix of the graph’s adjacency matrix. The perfect matching numbers can be directly acquired from the 4photon coincidence counts with a distribution similarity of 0.9304.

Secure quantum key distribution with intensity correlationsVíctor Zapatero (University of Vigo, Spain); Álvaro Navarrete (University of Vigo, Spain); Marcos Curty (University of Vigo, Spain); Kiyoshi Tamaki (University of Toyama, Japan)[abstract]Abstract: In decoystatebased QKD, GHz clocked or higher frequency transmitters exhibit correlations between the intensities of succeeding pulses. As a consequence, every pulse leaks partial information about previous intensity settings to an eavesdropper, thus invalidating the fundamental principle of the decoystates method, i.e., the independent character of the yields from the intensity settings. In this work, we present a technique that allows to incorporate arbitrary intensity correlations to the decoystate analysis, thereby solving a pressing problem in the race towards practical highspeed QKD systems. As a side contribution, we present a nonstandard derivation of the asymptotic key rate formula from the nonasymptotic one, in so revealing a largely dismissed necessary condition for the significance of the former. We discuss this condition in full detail.

Equivalence of three classical algorithms with quantum side information: Privacy amplification, error correction, and data compressionToyohiro Tsurumaru (Mitsubishi Electric Corporation)[abstract]Abstract: Privacy amplification (PA) is an indispensable component in classical and quantum cryptography. Error correction (EC) and data compression (DC) algorithms are also indispensable in classical and quantum information theory. We here study these three algorithms (PA, EC, and DC) in the presence of quantum side information, and show that they all become equivalent in the oneshot scenario. As an application of this equivalence, we take previously known security bounds of PA, and translate them into coding theorems for EC and DC which have not been obtained previously. Further, we apply these results to simplify and improve our previous result that the two prevalent approaches to the security proof of quantum key distribution (QKD) are equivalent. We also propose a new method to simplify the security proof of QKD.

A realtime experimental QKD platform for quantumsecure telecom infrastructuresJan Krause (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI); Benedikt Lezius (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI); Richard Schilling (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI); Jonas Hilt (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI); Stefan Weide (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI); Nino Walenta (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI); Nicolas Perlot (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI); Ronald Freund (Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute, HHI)[abstract]Abstract: We present a quantum key distribution (QKD) platform targeting midrange fiber, freespace and hybrid links. With its interfaces for thirdparty postprocessing, commercial key management, encryptors and QRNG, the modular and flexible system enables easy integration into existing telecom infrastructures. Recent experiments demonstrate its seamless operation over fiber and freespace links.

Tamper Detection against Unitary OperatorsUpendra Kapshikar (Centre for Quantum Technologies, National university of Singapore); Naresh Goud Boddu (Centre for Quantum Technologies, National university of Singapore)[abstract]Abstract: We consider (Enc, Dec) schemes which are used to encode a classical/quantum message m and derive an nqubit quantum codeword ψ_m. The quantum codeword ψ_m can adversarially tamper via a unitary U∈F_u from some known tampering unitary family F_u, resulting in Uψ_mU†. Firstly, we initiate the general study of quantum tamper detection codes, which must detect that tampering occurred with high probability. In case there was no tampering, we would like to output the message m with a probability of 1. We show that quantum tamper detection codes exist for both classical messages and quantum messages for any family F_u of unitary operators, such that F_u<2^{2^{αn}} for some known constant α∈(0,1) and all the unitary operators satisfy one additional condition : Far from Identity : For each U∈F_u, we require that its modulus of trace value isn't too much i.e. $ Trace(U) \leq \phi N$, where N=2^n. Quantum tamperdetection codes are quantum generalizations of classical tamper detection codes studied by Jafargholi et al. Additionally for classical message m, if we must either output message m or detect that tampering occurred and output ⊥ with high probability, we show that it is possible without the restriction of Far from Identity condition for any family of unitary operators F_u, such that F_u<2^{2^αn}. We also provide efficient (Enc, Dec) schemes when the family of tampering unitary operators are from Pauli group Pn, which can be thought of as a quantum version of the algebraic manipulation detection (AMD) codes of Cramer et al.

Verifying BQP Computations on Noisy Devices with Minimal OverheadDominik Leichtle (Laboratoire d’Informatique de Paris 6, Sorbonne Université); Luka Music (Laboratoire d’Informatique de Paris 6, Sorbonne Université); Elham Kashefi (University of Edinburgh and CNRS LIP6 Sorbonne Universite); Harold Ollivier (INRIA)[abstract]Abstract: With the development of delegated quantum computation, clients will want to ensure confidentiality of their data and algorithms, and the integrity of their computations. While protocols for blind and verifiable quantum computation exist, they suffer from high overheads and from oversensitivity: When running on noisy devices, imperfections trigger the same detection mechanisms as malicious attacks, resulting in perpetually aborted computations. We introduce the first blind and verifiable protocol for delegating BQP computations to a powerful server with repetition as the only overhead. It is composably statistically secure with exponentiallylow bounds and can tolerate a constant amount of global noise.

Fast and Simple OneWay HighDimensional Quantum Key DistributionKfir Sulimany (The Hebrew University of Jerusalem); Rom Dudkiewicz (The Hebrew University of Jerusalem); Simcha Korenblit (The Hebrew University of Jerusalem); Hagai S. Eisenberg (The Hebrew University of Jerusalem); Yaron Bromberg (The Hebrew University of Jerusalem); Michael BenOr (The Hebrew University of Jerusalem)[abstract]Abstract: Highdimensional quantum key distribution (QKD) provides ultimate secure communication with secure key rates that cannot be obtained by QKD protocols with binary encoding. However, so far the proposed protocols required additional experimental resources, thus raising the cost of practical highdimensional systems and limiting their use. Here, we analyze and demonstrate a novel scheme for fiberbased arbitrarydimensional QKD, based on the most popular commercial hardware for binary time bins encoding. Quantum state transmission is tested over 40 km channel length of standard singlemode fiber, exhibiting a twofold enhancement of the secret key rate in comparison to the binary Coherent One Way (COW) protocol, without introducing any hardware modifications. This work holds a great potential to enhance the performance of already installed QKD systems by software update alone.

Measurementdeviceindependent quantum key distribution with directly modulated lasersYuen San Lo (Toshiba Europe Ltd and University College London); Robert Woodward (Toshiba Europe Ltd and University of York); Mirko Pittaluga (Toshiba Europe Ltd and University of Leeds); Mariella Minder (Toshiba Europe Ltd and University of Cambridge); Taofiq Paraiso (Toshiba Europe Ltd); Marco Lucamarini (Toshiba Europe Ltd); Zhiliang Yuan (Toshiba Europe Ltd); Andrew Shields (Toshiba Europe Ltd)[abstract]Abstract: We demonstrate a simple and compact MDIQKD system design based on optical injection locking and gainswitching techniques, capable of directly encoding phasemodulated timebin bits. Our results improve upon the stateoftheart key rates by an order of magnitude.

NoiseTolerant Quantum Tokens for MACAmit Behera (BenGurion University); Or Sattath (BenGurion University); Uriel Shinar (BenGurion University)[abstract]Abstract: Message Authentication Code or MAC, is a wellstudied cryptographic primitive that is used in order to authenticate communication between two parties sharing a secret key. A Tokenized MAC or TMAC is a related cryptographic primitive, introduced by BenDavid & Sattath (QCrypt'17) which allows to delegate limited signing authority to third parties via the use of singleuse quantum signing tokens. These tokens can be issued using the secret key, such that each token can be used to sign at most one document. We provide an elementary construction for TMAC based on BB84 states. Our construction can tolerate up to 14% noise, making it the first noisetolerant TMAC construction. The simplicity of the quantum states required for our construction combined with the noisetolerance, makes it practically more feasible than the previous TMAC construction. The TMAC is existentially unforgeable against adversaries with signing and verification oracles (i.e., analogous to EUFCMA security for MAC), assuming postquantum collisionresistant hash functions exist.

Hacking a Quantum Random Number GeneratorPeter Raymond Smith (Toshiba Europe Ltd, 208 Cambridge Science Park, Milton Road, Cambridge, CB4 0GZ, United Kingdom); Davide Marangon (Toshiba Europe Ltd, 208 Cambridge Science Park, Milton Road, Cambridge, CB4 0GZ, United Kingdom); Marco Lucamarini (Toshiba Europe Ltd, 208 Cambridge Science Park, Milton Road, Cambridge, CB4 0GZ, United Kingdom;Department of Physics and York Centre for Quantum Technologies, University of York, YO10 5DD York, United Kingdom); Zhiliang Yuan (Toshiba Europe Ltd, 208 Cambridge Science Park, Milton Road, Cambridge, CB4 0GZ, United Kingdom); Andrew Shields (Toshiba Europe Ltd, 208 Cambridge Science Park, Milton Road, Cambridge, CB4 0GZ, United Kingdom)[abstract]Abstract: Random number generators underpin the security of current and future cryptographic systems and are therefore a likely target for attackers. Quantum random number generators have been hailed as the ultimate sources of randomness. However, as shown in this work, the susceptibility of the sensitive electronics required to implement such devices poses a serious threat to their security. We present the first outofband electromagnetic injection attack on a quantum random number generator through which an adversary can gain full control of the output. In our first experiment, the adversary forces the binary output of the generator to become an alternating string of 1s and 0s, with near 100% success. This attack may be spotted by a vigilant user performing statistical tests on their output strings. We therefore envisage a second more subtle attack in which the adversary forces the output to be a random pattern known to them, thus rendering any protection based on statistical tests ineffective.

Practical Parallel Selftesting of Bell States via Magic RectanglesSean A. Adamson (University of Edinburgh); Petros Wallden (University of Edinburgh)[abstract]Abstract: Selftesting is a method to verify that one has a particular quantum state from purely classical statistics. For practical applications, such as deviceindependent delegated verifiable quantum computation, it is crucial that one selftests multiple Bell states in parallel while keeping the quantum capabilities required of one side to a minimum. In this work, we use the $3 \times n$ magic rectangle games (generalisations of the magic square game) to obtain a selftest for $n$ Bell states where the one side needs only to measure singlequbit Pauli observables. The protocol requires small input sizes (constant for Alice and $O(\log n)$ bits for Bob) and is robust with robustness $O(n^{5/2} \sqrt{\varepsilon})$, where $\varepsilon$ is the closeness of the observed correlations to the ideal. To achieve the desired selftest we introduce a onesidelocal quantum strategy for the magic square game that wins with certainty, generalise this strategy to the family of $3 \times n$ magic rectangle games, and supplement these nonlocal games with extra check rounds (of single and pairs of observables).

Thirtysix entangled officers of Euler and nonadditive quantum errorcorrecting codesSUHAIL AHMAD RATHER (Department of Physics, Indian Institute of Technology Madras, Chennai 600036, India); ADAM BURCHARDT (Institute of Theoretical Physics, Jagiellonian University, ul. Lojasiewicza 11, 30348 Krakow, Poland); WOJCIEH BRUZDA (Institute of Theoretical Physics, Jagiellonian University, ul. Lojasiewicza 11, 30348 Krakow, Poland); GRZEGORZ RACHEL MIELDZIOC (Center for Theoretical Physics, Polish Academy of Sciences, Al. Lotnikow 32/46, 02668 Warszawa, Poland); ARUL LAKSHMINARAYAN (Department of Physics, Indian Institute of Technology Madras, Chennai 600036, India); KAROL ZYCZKOWSKI (Center for Theoretical Physics, Polish Academy of Sciences, Al. Lotnikow 32/46, 02668 Warszawa, Poland)[abstract]Abstract: The negative solution to the famous problem of 36 officers of Euler implies that there are no two orthogonal Latin squares of order six. We show that the problem has a solution, provided the officers are entangled, and construct orthogonal quantum Latin squares of this size. As a consequence, we find an Absolutely Maximally Entangled state AME(4,6) of four subsystems with six levels each, equivalently a 2unitary matrix of size 36, which maximizes the entangling power among all bipartite unitary gates of this dimension, or a perfect tensor with four indices, each running from one to six. This special state deserves the appellation golden AME state as the golden ratio appears prominently in its elements. This result allows us to construct a pure nonadditive quhex quantum error detection code ((3,6,2))_6, which saturates the Singleton bound and allows one to encode a 6level state into a triplet of such states.

A MultiValued Quantum Fully Homomorphic Encryption SchemeYuanjing Zhang (Beihang University); Tao Shang (Beihang University); Jianwei Liu (Beihang University)[abstract]Abstract: Fully homomorphic encryption enables computation on encrypted data while maintaining secrecy. This leads to an important open question whether quantum computation can be delegated and verified in a noninteractive manner or not. In this paper, we affirmatively answer this question by constructing quantum fully homomorphic encryption (QFHE) schemes with quantum obfuscation. For different scenarios, we propose two QFHE schemes with multivalued quantum point obfuscation. One is with singlequbit point obfuscation and the other is with multiqubit point obfuscation. The correctness of two QFHE schemes is proved theoretically. The evaluator does not know the decryption key and does not require a regular interaction with a user. The output state has the property of complete mixture, which guarantees the security. Moreover, the security level of the QFHE schemes depends on quantum obfuscation and encryption operators.

Quantum magic rectangles: Characterization and application to certified randomness expansionSean Adamson (University of Edinburgh); Petros Wallden (University of Edinburgh)[abstract]Abstract: We study a generalization of the Mermin–Peres magic square game to arbitrary rectangular dimensions. After exhibiting some general properties, these rectangular games are fully characterized in terms of their optimal win probabilities for quantum strategies. We find that for $m \times n$ rectangular games of dimensions $m,n \geq 3$, there are quantum strategies that win with certainty, while for dimensions $1 \times n$ quantum strategies do not outperform classical strategies. The final case of dimensions $2 \times n$ is richer, and we give upper and lower bounds that both outperform the classical strategies. Finally, we apply our findings to quantum certified randomness expansion to find the noise tolerance and rates for all magic rectangle games. To do this, we use our previous results to obtain the winning probability of games with a distinguished input for which the devices give a deterministic outcome and follow the analysis of C. A. Miller and Y. Shi (2017).

Secure Software Leasing Without AssumptionsAnne Broadbent (University of Ottawa); Stacey Jeffery (QuSoft and CWI); Sébastien Lord (University of Ottawa); Supartha Podder (University of Ottawa); Aarthi Sundaram (Microsoft)[abstract]Abstract: Quantum cryptography is known for enabling functionalities that are unattainable using classical information alone. Recently, Secure Software Leasing (SSL) has emerged as one of these areas of interest. Given a target circuit C from a circuit class, SSL produces an encoding of C that enables a recipient to evaluate C, and also enables the originator of the software to verify that the software has been returned  meaning that the recipient has relinquished the possibility of any further use of the software. Clearly, such a functionality is unachievable using classical information alone, since it is impossible to prevent a user from keeping a copy of the software. Recent results have shown the achievability of SSL using quantum information for a class of functions called computeandcompare (these are a generalization of the wellknown point functions). These prior works, however all make use of setup or computational assumptions. Here, we show that SSL is achievable for computeandcompare circuits without any assumptions. Our technique involves the study of quantum copyprotection, which is a notion related to SSL, but where the encoding procedure inherently prevents a wouldbe quantum software pirate from splitting a single copy of an encoding for C into two parts, each of which enables a user to evaluate C. We show that point functions can be copyprotected without any assumptions, for a novel security definition involving one honest and one malicious evaluator; this is achieved by showing that from any quantum message authentication code, we can derive such an honestmalicious copyprotection scheme. We then show that a generic honestmalicious copyprotection scheme implies SSL; by prior work, this yields SSL for computeandcompare functions.

Quantum Key Distribution with Few AssumptionsMarie Ioannou (GAP, University of Geneva); Maria Ana Pereira (GAP, University of Geneva); Davide Rusca (GAP, University of Geneva); Fadri Grünenfelder (GAP, University of Geneva); Alberto Boaron (GAP, University of Geneva); Matthieu Perrenoud (GAP, University of Geneva); Alastair A. Abbott (GAP, University of Geneva); Pavel Sekatski (GAP, University of Geneva); JeanDaniel Bancal (Université ParisSaclay, CEA, CNRS); Nicolas Maring (GAP, University of Geneva); Hugo Zbinden (GAP, University of Geneva); Nicolas Brunner (GAP, University of Geneva)[abstract]Abstract: We investigate a class of partially deviceindependent quantum key distribution protocols based on a prepareandmeasure setup which simplifies their implementation. The security of the protocols is based on the assumption that Alice’s prepared states have limited overlaps, but no explicit bound on the Hilbert space dimension is required. The protocols are therefore immune to attacks on Bob’s device, such as blinding attacks. The users can establish a secret key while continuously monitoring the correct functioning of their devices through observed statistics. We report a proof ofprinciple demonstration, involving mostly offtheshelf equipment, as well as a highefficiency superconducting nanowire detector. A positive key rate is demonstrated over a 4.8km lowloss optical fiber with finitekey analysis. The prospects of implementing these protocols over longer distances is discussed.

A noninteractive XOR quantum oblivious transfer protocolLara Stroh (HeriotWatt University); Robert Stárek (Palacký University Olomouc); Ittoop V. Puthoor (HeriotWatt University); Michal Mičuda (Palacký University Olomouc); Ladislav Mišta (Palacký University Olomouc); Miloslav Dušek (Palacký University Olomouc); Erika Andersson (HeriotWatt University)[abstract]Abstract: Oblivious transfer (OT) is an important cryptographic primitive for transmitting information between two nontrusting parties and can be used as basic building block to implement any twoparty computation. One variant of OT is XOR oblivious transfer (XOT), where the sender Alice has two bits and sends them to the receiver Bob. Bob will obtain either the first bit, the second bit, or their XOR. In an honest run of the protocol, Bob should not learn anything more than this, and Alice should not be able to tell what Bob has learned. Unfortunately, perfect quantum OT is impossible with informationtheoretic security, so we focus on obtaining the smallest possible cheating probabilities for dishonest parties, when there are no restrictions imposed on them. We present a noninteractive quantum XOT protocol with classical postprocessing, where the cheating probabilities are 1/2 for Alice and 3/4 for Bob. Reversing this protocol, so that Bob becomes the sender of a quantum state and Alice the receiver who measures it, while still implementing oblivious transfer from Alice to Bob, we show that the cheating probabilities for both parties stay the same as for the unreversed protocol. The reversed protocol is even easier to implement. The quantum XOT protocol outperforms classical XOT protocols. Lastly, we are in the process of implementing both the unreversed and the reversed protocol experimentally.

Improved deviceindependent randomness expansion rates from tight bounds on the two sided randomness using CHSH testsRutvij Bhavsar (University of York); Sammy Ragy (University of York); Roger Colbeck (University of York)[abstract]Abstract: A deviceindependent randomness expansion protocol aims to take an initial random string and generate a longer one, where the security of the protocol does not rely on knowing the inner workings of the devices used to run it. In order to do so, the protocol tests that the devices violate a Bell inequality and one then needs to bound the amount of extractable randomness in terms of the observed violation. The entropy accumulation theorem gives a bound in terms of the singleround von Neumann entropy of any strategy achieving the observed score. Tight bounds on this are known for the onesided randomness when using the ClauserHorneShimonyHolt (CHSH) game. Here we find the minimum von Neumann entropies for a given CHSH score relevant for one and two sided randomness that can be applied to various protocols. In particular, we show the gain that can be made by using the twosided randomness and by using a protocol without spotchecking where the input randomness is recycled. We also discuss protocols that fully close the locality loophole while expanding randomness. Although our bounds are mostly numerical, we conjecture analytic formulae for the curves in two cases.

Coherent phase fluctuations suppression for realworld twinfield quantum key distributionIvo Pietro Degiovanni (INRIM Istituto Nazionale di Ricerca Metrologica); Cecilia Clivati (INRIM Istituto Nazionale di Ricerca Metrologica); Alice Meda (INRIM Istituto Nazionale di Ricerca Metrologica); Simone Donadello (INRIM Istituto Nazionale di Ricerca Metrologica); Salvatore Virzi’ (INRIM Istituto Nazionale di Ricerca Metrologica); Marco Genovese (INRIM Istituto Nazionale di Ricerca Metrologica); Filippo Levi (INRIM Istituto Nazionale di Ricerca Metrologica); Alberto Mura (INRIM Istituto Nazionale di Ricerca Metrologica); Davide Calonico (INRIM Istituto Nazionale di Ricerca Metrologica); Mirko Pittaluga (Toshiba Europe Ltd, Cambridge, U.K.); Zhiliang Yuan (Toshiba Europe Ltd, Cambridge, U.K.); Andrew Shields (Toshiba Europe Ltd, Cambridge, U.K.); Marco Lucamarini (University of York)[abstract]Abstract: Quantum key distribution (QKD) ensures the sharing of secret cryptographic keys between distant entities (typically called Alice and Bob), whose intrinsic security is guaranteed by the laws of nature [1–3]. Besides pioneering experiments involving satellite transmission [4], the challenge is the integration of this technology in telecommunication fiber networks, in particular in long haul segments [5–11]. The longest achievable communication distance is limited by the channel loss which increases exponentially with the fiber length and noise in the deployed single photon detector. The secure QKD key rate decreases exponentially with the channel fiber length. Although the communication distance could be extended using quantum repeaters, the related research is still at a proofofprinciple level [12]. Presently the widely adopted solution is the exploitation of trusted nodes, whose security represents however a significant technical issue. An innovative approach that overcomes, at least partially, the need for trusted node is represented by the recently proposed QKD protocol dubbed twinfield QKD (TFQKD) [13]. In TFQKD, the information is encoded on dim laser pulses generated at distant Alice and Bob terminals and sent through optical fiber over half of the entire communication distance to the central node, Charlie, where they interfere. For this reason, the TFQKD has weaker dependence on channel losses, essentially doubling the communication distance with respect to the conventional prepareandmeasure QKD solution. TFQKDhas been proved secure against general attacks (see e.g. [14–18]), but its implementation is challenging as the optical pulses sent by Alice and Bob are required to be phasecoherent and preserve coherence when reaching Charlie after travelling the long fiber paths. While phase coherence can be achieved by phaselocking the two QKD lasers in Alice and Bob to a common reference laser transmitted through a service channel, uncorrelated phase changes due to the length and refractive index fluctuations in the long optical fibers still remain and will reduce the visibility of the interference measurement. In the TFQKD proofofprinciple experiments [19–26], this effect was mitigated by interleaving the QKD frames with classical transmission frames that were used to periodically realign the phases of interfering pulses. Here we present an alternative solution derived from the metrological research community, more precisely from atomic clocks comparison technology. Specifically, transmission of coherent laser radiation over thousandkilometerlong fibers is exploited for the comparison of distant atomic clocks at the highest accuracy [27–32]. In this case phase fluctuations in long fiber also need to be addressed, othewise they would substantially degrade the comparison results. Precise comparison among these atomic clocks are made possible by the use of ultrastable lasers and the active cancellation of the noise introduced by connecting fibers. Here we demonstrate that this technique can be successfully adapted into a TFQKD setup. More specifically, we designed and developed an apparatus suitable for actively cancelling phase fluctuations of both the lasers and of the connecting fibers in a TFQKD setup. This is achieved by transmitting an additional sensing laser light at a slightly different wavelength in the same fiber as the QKD dim pulses. In Charlie, this sensing laser is used for the fiber optical length stabilisation. We show that this multiplexed solution can be properly tuned in order to avoid a sizeable impact on the number of background photons observed by the singlephoton detectors in the QKD channels, allowing simultaneous key streaming and channels stabilization, ensuring longer dutycycles of the QKD process and a tighter control of the optical phase on longhaul deployed fibers. Furthermore, we tested our solution in a realworld network where the net losses between Alice and Bob are as high as 65 dB, resulting here in a distance of 206 km, or equivalent at 325 km on a fiber haul at common nominal losses of 0.2 dB/km [33]. References [1] Bennett, C. H. & Brassard, G. Quantum cryptography: public key distribution and coin tossing. Theor. Comput. Sci. 560, 7–11 (2014). [2] Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301 (2009). [3] Kwong Lo, H., Curty, M. & Tamaki, K. Secure quantum key distribution. Nature Photonics 8, 595604 (2014). [4] Liao, SK., Cai, WQ., Pan, JW. Satellitetoground quantum key distribution, Nature 549, 4347 (2017) [5] Peev, M. et al. The SECOQC quantum key distribution network in Vienna, New J. Phys. 11, 075001 (2009). [6] Sasaki, M. et al. Field test of quantum key distribution in the Tokyo QKD Network. Opt. Expr. 19, 10387 (2011). [7] Dynes, J. F. et al. Cambridge quantum network. npj Quantum Inf. 5, 101 (2019). [8] Shimizu K., et al. Performance of longdistance quantum key distribution over 90km optical links installed in a field environment of Tokyo metropolitan area. J. Lightwave Technol. 32,, 14151 (2014). [9] Bacco, D. et al. Field trial of a threestate quantum key distribution scheme in the Florence metropolitan area. EPJ Quantum Technol.6, 5 (2019). [10] Choi, I. et al. Field trial of a quantum secured 10 Gb/s DWDM transmission system over a single installed fiber. Opt. Expr 22, 2312123128 (2014). [11] Dixon, A. R. et al. Quantum key distribution with hacking countermeasures and long term field trial, Sci. Rep. 7, 7583 (2017). [12] Xu, F., Ma, X., Zhang, Q., Lo, HK. & Pan, JW. Secure quantum key distribution with realistic devices. Rev. Mod. Phys. 92, 025002 (2020) [13] Lucamarini, M., Yuan, Z. L., Dynes, J. F., Shields, A. J. Overcoming the ratedistance limit of quantum key distribution without quantum repeaters. Nature 557, 400403 (2018). [14] Ma, X. Zeng, P., & Zhou, H. PhaseMatching Quantum Key Distribution. Phys. Rev. X 8, 031043 (2018). [15] Wang, XB., Yu, ZW. & Hu, XL. Twinfield quantum key distribution with large misalignment error. Phys. Rev. A 98, 062323 (2018). [16] Lin J. & Lutkenhaus, N. Simple security analysis of phasematching measurementdeviceindependent quantum key distribution. Phys. Rev. A 98, 042332 (2018); [17] Curty, M., Azuma, K. & Lo, H.K. Simple security proof of twinfield type quantum key distribution protocol. npj Quantum Inf. 5, 64 (2019) [18] Yin, HL. & Chen, ZB. Finitekey analysis for twinfield quantum key distribution with composable security, Sci Rep. 9, 17113 (2019). [19] Wang, S. et al. Beating the Fundamental RateDistance Limit in a ProofofPrinciple Quantum Key Distribution System. Phys. Rev. X 9, 021046 (2019) [20] Minder, M. et al. Experimental quantum key distribution beyond the repeaterless secret key capacity. Nature Photon. 13, 334338 (2019) [21] X. Zhong, Hu, J., Curty, M., Qian, L. & Lo, HK. ProofofPrinciple Experimental Demonstration of TwinField Type Quantum Key Distribution. Phys. Rev. Lett. 123, 100506 (2019) [22] Chen, JP. et al. SendingorNotSending with Independent Lasers: Secure TwinField Quantum Key Distribution over 509 km. Phys. Rev. Lett. 124, 070501 (2020). [23] Fang, XT., et al. Implementation of quantum key distribution surpassing the linear rate transmittance bound. Nature Photon 14, 422425 (2020). [24] Pittaluga M, et al., 600 km repeaterlike quantum communications with dualband stabilisation, arXiv:2012.15099 (2020) [25] Hui Liu et al., Field Test of TwinField Quantum Key Distribution through SendingorNotSending over 428 km, arXiv:2101.00276 (2021) [26] JiuPeng Chen et al., TwinField Quantum Key Distribution over 511 km Optical Fiber Linking two Distant Metropolitans, arXiv:2102.00433 (2021) [27] Clivati, C. et al. Optical frequency transfer over submarine fiber links. Optica 5, 893 (2018). [28] Clivati, C. et al. Commonclock very long baseline interferometry using a coherent optical fiber link. Optica 7, 10311037 (2020) [29] Grotti, J. et al. Geodesy and metrology with a transportable optical clock. Nature Physics 14, 437441 (2018). [30] Lisdat, C. et al. A clock network for geodesy and fundamental science. Nat.Comm. 7, 12443 (2016). [31] Delva, P. et al. Test of Special Relativity Using a Fiber Network of Optical Clocks, Phys. Rev. Lett. 118, 221102 (2017). [32] Guena, J. First international comparison of fountain primary frequency standards via a long distance optical fiber link. Metrologia 54, 348 (2017). [33] Clivati, C. et al. Coherent phase transfer for realworld twinfield quantum key distribution, arXiv:2012.15199 (2021)

Thermal State Quantum Key DistributionAdam Walton (University of Leeds); Benjamin Varcoe (University of Leeds); David Jennings (University of Leeds); Anne Ghesquière (University of Leeds)[abstract]Abstract: A central broadcast Quantum Key Distribution protocol employs a thermal source to produce a secret key between Alice and Bob in the presence of an eavesdropper, Eve. Intensity correlations arising due to the Hanbury Brown and Twiss effect are used to produce correlated strings of quadrature measurements between each party, which may then be converted into bit strings. Using analytic methods, as well as through Monte Carlo simulations, we find that the correlations survive a series of beam splitters, and that the bit strings produced are suitable for distilling into a shared key. As thermal sources are already regularly used in modern communications equipment, this may allow quantum key distribution to be performed without using specialist equipment, with future work focusing on experimental implementations of the protocol in the microwave region.

Practical SemiDevice Independent Randomness Generation Based on Quantum State's IndistinguishabilityHamid Tebyanian (University of Padova); Mujtaba Zahidy (University of Padova); Marco Avesani (University of Padova); Andrea Stanco (University of Padova); Paolo Villoresi (University of Padova); Giuseppe Vallone (University of Padova)[abstract]Abstract: Semidevice independent (SemiDI) quantum random number generators (QRNG) gained attention for security applications, offering an excellent tradeoff between security and generation rate. This paper presents a proofofprinciple timebin encoding semiDI QRNG experiments based on a prepareandmeasure scheme. The protocol requires two simple assumptions and a measurable condition: an upperbound on the prepared pulses' energy. We lowerbound the conditional minentropy from the energybound and the inputoutput correlation, determining the amount of genuine randomness that can be certified. Moreover, we present a generalized optimization problem for bounding the minentropy in the case of multiple input and outcomes, in the form of a semidefinite program (SDP). The protocol is tested with a simple experimental setup, capable of realizing two configurations for the ternary timebin encoding scheme. The experimental setup is easytoimplement and comprises commercially available offtheshelf (COTS) components at the telecom wavelength, granting a secure and certifiable entropy source. The combination of easeofimplementation, scalability, high security level and outputentropy, make our system a promising candidate for commercial QRNGs.

Resourceefficient energy test and parameter estimation in continuousvariable quantum key distributionCosmo Lupo (University of Sheffield)[abstract]Abstract: Symmetry plays a fundamental role in the security analysis of quantum key distribution (QKD). Here we review how symmetry is exploited in continuousvariable (CV) QKD to prove the optimality of Gaussian attacks in the finitesize regime. We then apply these results to improve the efficiency, and thus the key rate, of these protocols. First we show how to improve the efficiency and practicality of the energy test, which is one important routine aimed at establishing an upper bound on the effective dimensions of the otherwise infinitedimensional Hilbert space of CV systems. Second, we show how the routine of parameter estimation can be made resource efficient in measurementdevice independent (MDI) QKD. These results show that all the raw data can be used both for key extraction and for the routines of energy test and parameter estimation. Furthermore, the improved energy test does not require active symmetrization of the measured data, which can be computationally demanding.

Improved analytical bounds on delivery times of longdistance entanglementTim Coopmans (QuTech (Delft University of Technology)); Sebastiaan Brand (Leiden University); David Elkouss (QuTech (Delft University of Technology))[abstract]Abstract: The fundamental distance limit for quantum key distribution due to photon loss can be overcome by intermediate nodes called quantum repeaters. We provide analytical bounds on the mean and quantiles of the entanglement delivery time for a very general class of repeater schemes, which significantly improve upon existing work. Our bounds enable the analytical assessment of repeater in the presence of timedependent noise, such as imperfect memories, and are useful for the design and analysis of network sizes beyond the reach of numerics.

The “quantum annoying” property of passwordauthenticated key exchange protocolsEdward Eaton (University of Waterloo); Douglas Stebila (University of Waterloo)[abstract]Abstract: During the Crypto Forum Research Group (CFRG)'s standardization of passwordauthenticated key exchange (PAKE) protocols, a novel property emerged: a PAKE scheme is said to be ``quantumannoying'' if a quantum computer can compromise the security of the scheme, but only by solving one discrete logarithm for each guess of a password. Considering that early quantum computers will likely take quite long to solve even a single discrete logarithm, a quantumannoying PAKE, combined with a large password space, could delay the need for a postquantum replacement by years, or even decades. In this paper, we make the first steps towards formalizing the quantumannoying property. We consider a classical adversary in an extension of the generic group model in which the adversary has access to an oracle that solves discrete logarithms. While this idealized model does not fully capture the range of operations available to an adversary with a generalpurpose quantum computer, this model does allow us to quantify security in terms of the number of discrete logarithms solved. We apply this approach to the CPace protocol, a balanced PAKE advancing through the CFRG standardization process, and show that the CPaceBase variant is secure in the generic group model with a discrete logarithm oracle.

Quantum key distribution over quantum repeaters with encodingYumang Jing (University of Leeds); Mohsen Razavi (University of Leeds)[abstract]Abstract: We study the implementation of quantumkeydistribution (QKD) systems over quantumrepeater infrastructures. We particularly consider quantum repeaters with encoding and compare them with probabilistic quantum repeaters. To that end, we propose two decoder structures for encoded repeaters that not only improve system performance but also make the implementation aspects easier by removing twoqubit gates from the QKD decoder. By developing several scalable numerical and analytical techniques, we then identify the resilience of the setup to various sources of error in gates, measurement modules, and initialization of the setup. We apply our techniques to three and fivequbit repetition codes and obtain the normalized secret key generation rate per memory per second for encoded and probabilistic quantum repeaters. We quantify the regimes of operation, where one class of repeater outperforms the other, and find that there are feasible regimes of operation where encoded repeaters—based on simple threequbit repetition codes—could offer practical advantages.

Metrology for Quantum Communication: results and perspectives in the context of the EURAMET European Metrology Network for Quantum TechnologiesMarco Gramegna (INRIM  EMNQ); Ivo Pietro Degiovanni (INRIM Istituto Nazionale di Ricerca Metrologica)[abstract]Abstract: The second quantum revolution is underway and the deployment of Quantum Technologies (QT) keeps pace with it. This technological paradigmswitch creates opportunities and challenges for industry, innovation and society. Several large companies, as well as startups, have started to develop and engineer quantum devices or begun to integrate them into their products: the commercial success of QT, together with progress in research and development, relies on certification and reliability built upon internationally agreed standards and metrological traceability. In this scenario, a group of European National Metrology Institutes (NMIs) and Delegated Institutes (DIs) have recently created a European Metrology Network for Quantum Technologies (EMNQ) under the auspices of EURAMET, the European association of NMIs and the regional metrology organisation (RMO) of Europe. In this talk, a short overview of the EMNQ organization will be provided, together with a report about the current status of the Strategic Research Agenda and on the Technological Roadmaps. Afterwards, the discussion will be focused on QKD and how the EMNQ has started to answer to the metrology needs of the QKD community.

A Unified Framework For Quantum UnforgeabilityMina Doosti (University of Edinburgh); Mahshid Delavar (University of Edinburgh); Elham Kashefi (University of Edinburgh, CNRS, Sorbonne University); Myrto Arapinis (University of Edinburgh)[abstract]Abstract: In this paper, we continue the line of work initiated by Boneh and Zhandry at CRYPTO 2013 and EUROCRYPT 2013 in which they formally define the notion of unforgeability against quantum adversaries. We develop a general and parameterised quantum gamebased security model unifying unforgeability for both classical and quantum constructions allowing us for the first time to present a complete quantum cryptanalysis framework for unforgeability. In particular, we prove how our definitions subsume previous ones while considering more finegrained adversarial models, capturing the full spectrum of superposition attacks. The subtlety here resides in the characterisation of a forgery. We show that the strongest level of unforgeability in our framework, namely existential unforgeability, can only be achieved if only orthogonal to previously queried messages are considered to be forgeries. We further show that deterministic constructions can only achieve the weaker notion of unforgeability, that is selective unforgeability, against such adversaries, but that selective unforgeability breaks if more general quantum adversaries (capable of general superposition attacks) are considered. On the other hand, we show that PRF is sufficient for constructing a selective unforgeable classical primitive against full quantum adversaries. Moreover, we show similar positive results relying on Pseudorandom Unitaries (PRU) for quantum primitives. \\ These results demonstrate the generality of our framework that could be applicable to other primitives beyond the cases analysed in this paper.

Fidelity Bounds for DeviceIndependent Advantage DistillationThomas Hahn (ETH Zürich); Ernest Y.Z. Tan (ETH Zürich)[abstract]Abstract: It is known that advantage distillation (that is, information reconciliation using twoway communication) improves noise tolerances for quantum key distribution (QKD) setups. Twoway communication is hence also of interest in the deviceindependent case, where noise tolerance bounds for oneway error correction are currently too low to be experimentally feasible. Existing security proofs for deviceindependent advantage distillation rely on fidelityrelated security conditions, but previous bounds on the fidelity were not tight. We improve on those results by developing an algorithm that returns arbitrarily tight lower bounds on the fidelity. Our results give new insight on how strong the fidelityrelated security conditions are. Finally, we conjecture a necessary security condition that naturally complements the existing sufficient conditions.

Catalytic EntanglementTulja Varun Kondra (Centre for Quantum Optical Technologies, Centre of New Technologies, University of Warsaw); Chandan Datta (Centre for Quantum Optical Technologies, Centre of New Technologies, University of Warsaw); Alexander Streltsov (Centre for Quantum Optical Technologies, Centre of New Technologies, University of Warsaw)[abstract]Abstract: Quantum entanglement of pure states is usually quantified via the entanglement entropy, the von Neumann entropy of the reduced state. Entanglement entropy is closely related to entanglement distillation, a process for converting quantum states into singlets, which can then be used for various quantum technological tasks. The relation between entanglement entropy and entanglement distillation has been known only for the asymptotic setting, and the meaning of entanglement entropy in the single copy regime has so far remained open. Here we close this gap by considering entanglement catalysis. We prove that entanglement entropy completely characterizes state transformations in the presence of entangled catalysts. Our results suggest that catalysis is useful for a broad range of quantum information protocols, giving asymptotic results an operational meaning also in the singlecopy setup.

Quantum Keyless Private Communication vs. Quantum Key Distribution for Space LinksAngeles VazquezCastro (Autonomous University of Barcelona and Centre for Space Research (CERES) of Institut d’Estudis Espacials de Catalunya (IEECUAB)); Davide Rusca (Group of Applied Physics, Univ. of Geneva); Hugo Zbinden (Group of Applied Physics, Univ. of Geneva)[abstract]Abstract: We study information theoretical security for space links between a satellite and a groundstation. Quantum key distribution (QKD) is a well established method for information theoretical secure communication, giving the eavesdropper unlimited access to the channel and technological resources only limited by the laws of quantum physics. But QKD for space links is extremely challenging, the achieved key rates are extremely low, and daytime operating impossible. However, eavesdropping on a channel in freespace without being noticed seems complicated, given the constraints imposed by orbital mechanics. If we also exclude eavesdropper's presence in a given area around the emitter and receiver, we can guarantee that he has only access to a fraction of the optical signal. In this setting, quantum keyless private (direct) communication based on the wiretap channel model is a valid alternative to provide information theoretical security. Like for QKD, we assume the legitimate users to be limited by stateoftheart technology, while the potential eavesdropper is only limited by physical laws: either by specifying her detection strategy (Helstrom detector) or by bounding her knowledge, assuming the most powerful strategy through the Holevo information. Nevertheless, we demonstrate information theoretical secure communication rates (positive keyless private capacity) over a classicalquantum wiretap channel using onokeying of coherent states. We present numerical results for a setting equivalent to the recent experiments with the Micius satellite and compare them to the fundamental limit for the secret key rate of QKD. We obtain much higher rates compared with QKD with exclusion area of less than 13 meters for Low Earth Orbit (LEO) satellites. Moreover, we show that the wiretap channel quantum keyless privacy is much less sensitive to noise and signal dynamics and daytime operation is possible.

Limitations on Uncloneable Encryption and Simultaneous OneWaytoHidingChristian Majenz (CWI, QuSoft); Christian Schaffner (University of Amsterdam, QuSoft); Mehrdad Tahmasbi (University of Amsterdam, QuSoft)[abstract]Abstract: We study uncloneable quantum encryption schemes for classical messages as recently proposed by Broadbent and Lord. We focus on the informationtheoretic setting and give several limitations on the structure and security of these schemes: Concretely, 1) We give an explicit cloningindistinguishable attack that succeeds with probability 12+μ/16 where μ is related to the largest eigenvalue of the resulting quantum ciphertexts. 2) The *simultaneous* onewaytohiding (O2H) lemma is an important technique in recent works on uncloneable encryption and quantum copy protection. We give an explicit example which shatters the hope of reducing the multiplicative "security loss" constant in this lemma to below 9/8. 3) For a uniform message distribution, we partially characterize the scheme with the minimal success probability for cloning attacks. 4) Under natural symmetry conditions, we prove that the rank of the ciphertext density operators has to grow at least logarithmically in the number of messages to ensure uncloneable security.

A resourceeffective QKD fieldtrial in Padua with the iPOGNAC encoderMarco Avesani (Università degli Studi di Padova); Luca Calderaro (Università degli Studi di Padova); Giulio Foletto (Università degli Studi di Padova); Costantino Agnesi (Università degli Studi di Padova); Francesco Picciariello (Università degli Studi di Padova); Francesco Santagiustina (Università degli Studi di Padova); Alessia Scriminich (Università degli Studi di Padova); Andrea Stanco (Università degli Studi di Padova); Francesco Vedovato (Università degli Studi di Padova); Mujtaba Zahidy (Università degli Studi di Padova); Giuseppe Vallone (Università degli Studi di Padova); Paolo Villoresi (Università degli Studi di Padova)[abstract]Abstract: We describe a QKD field trial running on urban fibers deployed in Padua, Italy. This is the first validation outside of the laboratory environment of a new lowerror and calibrationfree polarization encoder, called iPOGNAC, which we also present here. Our system is resource and costeffective, and can be installed quickly in an existing fiber network.

Education aspects to create QKD industryYury Kurochkin (Russian Quantum Center); Vadim Rodimin (QRate); Vladimir Kurochkin (National University of Science and Technology MISiS); Evgeniy Krivoshein (QRate)[abstract]Abstract: QKD is an emerging industry. Numbers of forecasts indicate rapid growth making it more and more affordable not only to large companies also with the use of service models. At the same time information security is very conservative industry. Digital information security specialists usually do not study quantum mechanics and it cause sense of magic dealing with QKD. The only way to close this gap is education. Most available education solutions focus its efforts on theoretical explanation. Meanwhile if we look at education of telecommunication industry specialists there are a lot of workshops dealing with signal processing equipment. In this work we want to share our experience of creating new competence on World Skills specialists competition. We believe that explanation of QKD via workshops where students can touch by hands optics, electronics and software can change specialist perception from magic to telecommunication equipment.

Quantumaccess security of the Winternitz onetime signature schemeChristian Majenz (Centrum Wiskunde & Informatica, QuSoft); Chanelle Matadah Manfouo (African Institute for Mathematical Science & Quantum Leap Africa, Rwanda); Maris Ozols (University of Amsterdam and QuSoft)[abstract]Abstract: Quantumaccess security, where an attacker is granted superposition access to secretkeyed functionalities, is a fundamental security model and its study has inspired results in postquantum security. We revisit, and fill a gap in, the quantumaccess security analysis of the Lamport onetime signature scheme (OTS) in the quantum random oracle model (QROM) by Alagic et al. (Eurocrypt 2020). We then go on to generalize the technique to the Winternitz OTS. Along the way, we develop a tool for the analysis of hash chains in the QROM based on the superposition oracle technique by Zhandry (Crypto 2019) which might be of independent interest.

Fading channel estimation for freespace continuousvariable secure quantum communicationLászló Ruppert (Palacky University Olomouc); Christian Peuntinger (MaxPlanckInstitut für die Physik des Lichts); Bettina Heim (MaxPlanckInstitut für die Physik des Lichts); Kevin Günthner (MaxPlanckInstitut für die Physik des Lichts); Vladyslav C. Usenko (Palacky University Olomouc); Dominique Elser (MaxPlanckInstitut für die Physik des Lichts); Gerd Leuchs (MaxPlanckInstitut für die Physik des Lichts); Radim Filip (Palacky University Olomouc); Christoph Marquardt (MaxPlanckInstitut für die Physik des Lichts)[abstract]Abstract: We investigate estimation of fluctuating channels and its effect on security of continuousvariable quantum key distribution. We propose a novel estimation scheme which is based on the clusterization of the estimated transmittance data. We show that uncertainty about whether the transmittance is fixed or not results in a lower key rate. However, if the total number of measurements is large, one can obtain using our method a key rate similar to the nonfluctuating channel even for highly fluctuating channels. We also verify our theoretical assumptions using experimental data from an atmospheric quantum channel. Our method is therefore promising for secure quantum communication over strongly fluctuating turbulent atmospheric channels.

Robust Self Testing of All Pure Bipartite Maximally Entangled States via Quantum SteeringHarshank Shrotriya (Centre for Quantum Technologies, NUS); Kishor Bharti (Centre for Quantum Technologies, NUS); LeongChuan Kwek (Centre for Quantum Technologies, NUS)[abstract]Abstract: The idea of selftesting is to render guarantees concerning the inner workings of a device based on the measurement statistics. It is one of the most formidable quantum certification and benchmarking schemes. Here, we have shown that any bipartite pure entangled state can be selftested through Quantum Steering. Analogous to the tilted CHSH inequality, we use a steering inequality called Tilted Steering Inequality for selftesting any pure twoqubit entangled state. We have further used this inequality to selftest any bipartite pure entangled state by certifying twodimensional subspaces of the qudit state by observing the structure of the set of assemblages obtained on the trusted side after measurements are made on the untrusted side. Finally, as a novel feature of self testing via steering, we use the notion of Assemblage based Robust Self Testing to provide robustness bounds for the self testing result in the case of pure maximally entangled states of any local dimension.

Fully deviceindependent quantum key distribution using synchronous correlationsNishant Rodrigues (University of Maryland); Brad Lackey (Microsoft Quantum)[abstract]Abstract: We derive a deviceindependent quantum key distribution protocol based on synchronous correlations and their Bell inequalities. This protocol offers several advantages over other deviceindependent schemes including symmetry between the two users and no need for preshared randomness. We close a "synchronicity" loophole by showing an almost synchronous correlation inherits the selftesting property of the associated synchronous correlation. We also pose a new security assumption that closes the "locality" (or "causality") loophole: an unbounded adversary with even a small uncertainty about the users' choice of measurement bases cannot produce any almost synchronous correlation that approximately maximally violates a synchronous Bell inequality.

Experiment on scalable multiuser Sagnac twinfield quantum key distribution networkXiaoqing Zhong (University of Toronro); Wenyuan Wang (University of Toronto); Reem Mandil (University of Toronto); Li Qian (University of Toronto); HoiKwong Lo (University of Toronto; University of Hong Kong)[abstract]Abstract: Twinfield quantum key distribution (TFQKD) systems have shown great promise for implementing practical longdistance secure quantum communication due to its measurementdeviceindependent nature and its ability to offer fundamentally superior rateloss scaling than conventional pointtopoint QKD systems. A surge of research has produced many variants of protocols and experimental demonstrations. To make TFQKD more applicable in quantum communication, a study of TFQKD in a networking setting is essential. In this work, we experimentally demonstrate a proofofprinciple Sagnacinterferometer based TFQKD network with three users and one untrusted central node. We show that our network enables users to share secure keys with channel losses up to 58dB, and channel loss asymmetric up to 15dB. In some cases, the secure key rates still beat the rateloss bounds for conventional pointtopoint repeaterless QKD systems. It is to our knowledge the first multiuserpair TFQKD network demonstration, an important step in advancing quantum communication network technologies.

Measurement deviceindependent quantum key distribution with timedependent source sidechannelsAmita Gnanapandithan (University of Toronto); Eli Bourassa (University of Toronto); Li Qian (University of Toronto); HoiKwong Lo (University of Toronto)[abstract]Abstract: We identify a timedependent passive source sidechannel in common measurementdeviceindependent quantum key distribution implementations that rely on Faraday mirrors for stable phase modulation. We model the timedependence of the side channel and use this information in conjunction with a recently developed numerical security proof technique based on semidefinite programming to quantify the impact on the secure key rate of the protocol. We explore the sensitivity of security to the parameters of the side channel and the choice of model for the signal.

A framework for efficient entanglement distribution with cavity QED systemsSachi Tamechika (NTT Secure Platform Laboratories); Yasunari Suzuki (NTT Secure Platform Laboratories); Yuuki Tokunaga (NTT Secure Platform Laboratories); Takao Aoki (Department of Applied Physics, Waseda University)[abstract]Abstract: To demonstrate quantum protocols on a global scale, a quantum repeater is a vital technology to improve the efficiency of entanglement distribution. Entanglement distribution consists of two steps; share entanglements between neighboring quantum repeaters, and perform entanglement distillation and swapping. In this paper, we propose a framework for the first step, efficient Bell measurement between adjacent quantum repeaters, using quantum memories based on cavity quantum electrodynamics (QED) systems. Our framework maximizes a distillable entanglement rate of the protocol by optimizing the parameters of a cavity QED system and pulse length of photons according to the number of available memories at repeater nodes. We demonstrate our theory with a nanofiber cavity QED system with trapped atoms, which is one of the most promising quantum devices for the quantum network. We show that with practical parameters, Bell measurements with quantum memories can outperform those without memories, and we show several tradeoff relations between accessible parameters in experiments. Our results extend the limits of entanglement distribution with quantum repeaters using available technology, and reveal that the multiplexing of the cavity QED systems is effective for improving the performance of entanglement distribution.

Towards experimental implementation of symmetric private information retrieval with measurementdeviceindependent quantum networkChao Wang (National University of Singapore); Wen Yu Kon (National University of Singapore); Charles Lim (National University of Singapore)[abstract]Abstract: Quantum key distribution (QKD) provides a practical method for distant parties to establish identical and secret keys. However, how quantum technologies can be practically used to protect user privacy with provable security remains an open question. Here, we report the first steps of our efforts to experimentally implement a symmetric private information retrieval (SPIR) scheme with QKD keys for fingerprint data retrieval. In the QKD layer, a threeuser Measurementdeviceindependent QKD network is utilised for secure key distribution among the enquirer and data centres. In the application layer, an informationtheoretically secure SPIR protocol is implemented to ensure both the privacy of the enquirer and the security of the database. Preliminary experimental results of the MDI QKD network implementation is presented, and simulations of the SPIR+QKD performance are also shown based on the experimental characterisation data.

Practical Quantum Cryptanalysis by Variational Quantum CloningBrian Coyle (University of Edinburgh); Mina Doosti (University of Edinburgh); Elham Kashefi (University of Edinburgh, CNRS, LIP6, Sorbonne University); Niraj Kumar (University of Edinburgh)[abstract]Abstract: Cryptanalysis of quantum cryptographic systems generally involves finding optimal adversarial attack strategies on the underlying protocols. The core principle of modeling quantum attacks often reduces to the ability of the adversary to clone unknown quantum states and to extract thereby meaningful secret information. Explicit optimal attack strategies typically require high computational resources due to large circuit depths or, in many cases, are unknown. Here we introduce variational quantum cloning (VarQlone), a cryptanalysis algorithm based on quantum machine learning, which allows an adversary to obtain optimal approximate cloning strategies with short depth quantum circuits, trained using hybrid classicalquantum techniques. The algorithm contains operationally meaningful cost functions with theoretical guarantees, quantum circuit structure learning and gradientdescentbased optimization. Our approach enables the endtoend discovery of hardwareefficient quantum circuits to clone specific families of quantum states, which we demonstrate in implementation on the Rigetti Aspen quantum hardware. We connect these results to quantum cryptographic primitives and derive explicit attacks facilitated by VarQlone. We expect that quantum machine learning will serve as a resource for improving attacks on current and future quantum cryptographic protocols.

Generalised DecoyState Scheme for Rigorous Characterization of SinglePhoton DetectorsGong Zhang (National University of Singapore); Haibo Wang (National University of Singapore); Jishen Zhang (National University of Singapore); Chao Wang (National University of Singapore); Haiwen Xu (National University of Singapore); Yan Liang (University of Shanghai for Science and Technology); Charles CiWen Lim (National University of Singapore); Xiao Gong (National University of Singapore)[abstract]Abstract: Characterizing the singlephoton detection efficiency (SPDE) of a singlephoton detector (SPD) is an essential but nontrivial task for various applications. Conventional methods require detailed detector models to calculate the estimated SPDE, which are not always available. In this work, a generalized method based on decoystate for accurate characterization of SPDs is proposed and experimentally demonstrated. This work provides a new toolbox for rigorous SPD characterization with relaxed assumptions on the detector model, opening new possibilities in device calibration standards and quantum information applications.

Secure TwoParty Quantum Computation Over Classical ChannelsMichele Ciampi (The University of Edinburgh); Alexandru Cojocaru (Inria); Elham Kashefi (The University of Edinburgh and Sorbonne Universite); Atul Mantri (University of Maryland)[abstract]Abstract: Secure twoparty computation considers the problem of two parties computing a joint function of their private inputs without revealing anything beyond the output of the computation. In this work, we take the first steps towards understanding the setting where: 1) the two parties (Alice and Bob) can communicate only via a classical channel, 2) the input of Bob is quantum and 3) the input of Alice is classical. Our first result indicates that in this setting it is in general impossible to realize a twoparty quantum functionality with blackbox simulation in the case of malicious quantum adversaries. In particular, we show that the existence of a secure protocol that relies only on classical channels would contradict the quantum nocloning argument. We circumvent this following three different approaches. The first is by considering a weaker security notion called onesided simulation security. This notion protects the input of one party (the quantum Bob) in the standard simulationbased sense, and protects the privacy of the other party's input (the classical Alice). We realize our protocol relying on the learning with errors assumption. As a result, we put forward a first construction of secure onesided quantum twoparty computation over classical networks. The second way to circumvent the impossibility result, while at the same time providing standard simulationbased security also against Bob, is by assuming that the quantum input has an efficient classical representation. Finally, we focus our attention on the class of zeroknowledge functionalities, and provide a protocol for such a class for specific QMA relations. We note that the direct implication of our result is that Mahadev's protocol for classical verification of quantum computations (FOCS'18) can be turned into a zeroknowledge proof of quantum knowledge protocol with classical verifiers. To the best of our knowledge, we are the first to instantiate such a primitive.

Efficient Construction of Quantum Physical Unclonable Functions with Unitary tdesignsNiraj Kumar (University of Edinburgh); Rawad Mezher (University of Edinburgh); Elham Kashefi (University of Edinburgh)[abstract]Abstract: Quantum physical unclonable functions, or QPUFs, are rapidly emerging as theoretical hardware solutions to provide secure cryptographic functionalities such as key exchange, message authentication, entity identification among others. Recent works have shown that in order to provide provable security of these solutions against any quantum polynomial time adversary, QPUFs are required to be a unitary sampled uniformly randomly from the Haar measure. This however is known to require an exponential amount of resources. In this work, we propose an efficient construction of these devices using unitary tdesigns, called QPUF_t. Along the way, we modify the existing security definitions of QPUFs to include efficient constructions and showcase that QPUF_t still retains the provable security guarantees against a bounded quantum polynomial adversary with tquery access to the device. This also provides the first use case of unitary tdesign construction for arbitrary t, as opposed to previous applications of tdesigns where usually a few (relatively low) values of t are known to be useful for performing some task. We study the noiseresilience of QPUF_t against specific types of noise, unitary noise, and show that some resilience can be achieved particularly when the error rates affecting individual qubits become smaller as the system size increases. To make the noise resilience more realistic and meaningful, we conclude that some notion of error mitigation or correction should be introduced.

Densewavelength division multiplexing of quantum and classical communication over a deployed fiber link enabled by upconversion assisted detectorsIlaria Vagniluca (CNR  Istituto Nazionale di Ottica and University of Naples); Domenico Ribezzo (CNR  Istituto Nazionale di Ottica and University of Naples); Davide Bacco (Technical University of Denmark); Alessandro Zavatta (CNR  Istituto Nazionale di Ottica)[abstract]Abstract: The coexistence of classical and quantum communication within the same fiber optics infrastructure is still an open challenge to be solved. In fact, most of the practical implementations of quantum key distribution (QKD) are accomplished by taking advantage of dark fiber channels, i.e. fiberoptics links totally dedicated to the transmission of quantum signals. This prevents the intense classical light to affect the qubit error rate, but strongly reduces the possibilities for a full deployment of QKD technologies in largescale and realistic applications. Looking for a solution several approaches have been tested, generally based on multiplexing of different degrees of freedom of photons. In our work we combined a densewavelengthdivisionmultiplexing scheme with two different homemade single photon detection stages able to convert Cband photons into photons detectable by a silicon photon counter, by exploiting sumfrequencygeneration process in nonlinear crystals. We compared the results with an offtheshelf InGaAs singlephoton detector, equipping it with polarization and wavelength filters, that was tested under the same experimental conditions. Injecting an intense light laser into a different DWDM channel to simulate a realworl QKD scenario, we demonstrated that our upconversion based detector makes QKD feasible with a classical launch power of 4 dB higher than the one affordable by the InGaAs detector. This result paves the way to the employment of quantum communication in many realistic situations, by enabling the usage of already existing telecom infrastructures, where the noise levels are not manageable by current single photon avalanche detectors.

Quantum Measurement AdversaryDivesh Aggarwal (Centre for Quantum Technologies, National university of Singapore); Naresh Goud Boddu (Centre for Quantum Technologies, National university of Singapore); Rahul Jain (Centre for Quantum Technologies, National university of Singapore); Maciej Obremski (Centre for Quantum Technologies, National university of Singapore)[abstract]Abstract: Multisourceextractors are functions that extract uniform randomness from multiple (weak) sources of randomness. With the advent of quantum computers, it is natural to investigate the security of multisourceextractors against adversaries with quantum sideinformation on the sources of randomness (potentially generated using quantum entanglement). Quantum multi sourceextractors were considered by Kasher and Kempe (for the quantumindependent adversary and the quantumboundedstorageadversary), Chung, Li, and Wu (for the general entangledadversary), and ArnonFriedman, Portmann, and Scholz (for the quantumMarkov adversary). In this work, we propose two new models of adversaries, the quantummeasurementadversary (qmadv) and the quantumcommunicationadversary (qcadv). qmadv generates sideinformation postmeasurement outcomes and qcadv generates sideinformation using a communication protocol. We show that: 1. qmadv is the strongest adversary among all the known adversaries, in the sense that the sideinformation of all other adversaries can be generated by qmadv. 2. The (generalized) innerproduct function (in fact a general class of twowise independent functions) continue to work as a good extractor against qmadv (with matching parameters as that of Chor and Goldreich against classicaladversaries). 3. A nonmalleable extractor proposed by Li (against classicaladversaries) continues to be secure against quantum sideinformation. A nonmalleable extractor (nmext) for two sources (X, Y) is an extractor such that nmext(X, Y) is uniform and independent of nmext(X, Y')YY', where Y' is not equal to Y and Y' is generated by the adversary using Y and the sideinformation on X. 4. A modification (not needing any local uniform randomness) of the Dodis and Wich's protocol for privacyamplification is secure against active quantum adversaries. This strengthens on a recent result due to Aggarwal, Chung, Lin, and Vidick which uses local uniform randomness. 5. As a byproduct, we reproduce the quantum communication complexity lower bound for the (generalized) innerproduct function via different proof techniques.

Provablysecure quantum randomness expansion with untrusted homodyne detection secure against quantum sideinformationIgnatius William Primaatmaja (Centre for Quantum Technologies); Jianran Zhang (National University of Singapore); Jing Yan Haw (National University of Singapore); Raymond Ho (National University of Singapore); Gong Zhang (National University of Singapore); Chao Wang (National University of Singapore); Charles CiWen Lim (National University of Singapore)[abstract]Abstract: Quantum random number generators (QRNGs) could generate numbers that are certifiably random even to a potential adversary who holds some sideinformation. However, many QRNGs require extremely precise characterisation of the source of the quantum states and the measurement apparatus. In this work, we propose a semideviceindependent QRNG protocol with untrusted homodyne detection. We show that our protocol is secure against quantum sideinformation, taking into account finitesize effects without making any assumption on the measurement device.

Oneshot inner bounds for sending private classical information over a quantum MACSayantan Chakraborty (Tata Institute of Fundamental Research, Mumbai); Aditya Nema (Nagoya University); Pranab Sen (Tata Institute of Fundamental Research, Mumbai)[abstract]Abstract: We provide the first inner bounds for sending private classical information over a quantum multiple access channel. We do so by using three powerful information theoretic techniques: rate splitting, quantum simultaneous decoding for multiple access channels, and a novel smoothed distributed covering lemma for classical quantum channels. Our inner bounds are given in the one shot setting and accordingly the three techniques used are all very recent ones specifically designed to work in this setting. The last technique is new to this work and is our main technical advancement. For the asymptotic iid setting, our one shot inner bounds lead to the natural quantum analogue of the best classical inner bounds for this problem.

Improved and Formal Proposal for Device Independent Quantum Private QueryJyotirmoy Basak (Indian Statistical Institute, Kolkata); Kaushik Chakraborty (The University of Edinburgh); Arpita Maitra (TCG Centre for Research and Education in Science and Technology, India); Subhamoy Maitra (Indian Statistical Institute, Kolkata)[abstract]Abstract: We propose a novel Quantum Private Query (QPQ) scheme using EPRpairs with full Device Independent (DI) certification. To the best of our knowledge, this is the first time we provide such a full DIQPQ protocol. Our proposed scheme exploits selftesting of shared EPRpairs along with the self testing of projective measurement operators in a setting where the parties don't trust each other. To certify full DI, our scheme also exploits a technique to selftest a particular class of POVM elements that are used in the protocol. This makes the DItesting of this proposed scheme slightly different from the traditional DIQKD scheme. Further, we provide formal security analysis and obtain an upper bound on the maximum cheating probabilities for both dishonest client as well as dishonest server.

Refined finitesize security analysis of discretemodulation continuous variable quantum key distribution based on reverse reconciliationTakaya Matsuura (The University of Tokyo); Shinichiro Yamano (The University of Tokyo); Yui Kuramochi (The University of Tokyo); Toshihiko Sasaki (The University of Tokyo); Masato Koashi (The University of Tokyo)[abstract]Abstract: The finitesize security of a discretemodulation continuous variable (CV) quantum key distribution (QKD) protocol was recently reported, but the obtained key rate of the protocol was low compared to the recent asymptotic analyses. In this work, we significantly improve the performance of the protocol by refining the finitesize security analysis based on a reverse reconciliation. The idea of the refinement is motivated by the recently established equivalence of the privacy amplification and the phase error correction. Our refined analysis is a step towards complete security proof of highperformance discretemodulation CV QKD.

New Protocols and Ideas Towards Practical Quantum Position VerificationRene Allerstorfer (QuSoft/CWI); Harry Buhrman (QuSoft/CWI); Florian Speelman (QuSoft and University of Amsterdam); Philip Verduyn Lunel (QuSoft/CWI)[abstract]Abstract: In this work, we study losstolerant quantum position verification (QPV) protocols. We propose a new fully losstolerant protocol, based on the SWAP test, with several desirable properties. The task of the protocol, which can be implemented using only a single beam splitter and two detectors, is to estimate the overlap between two input states. By formulating possible attacks as a semidefinite program (SDP), we prove full loss tolerance against unentangled attackers restricted to local operations and classical communication (LOCC), and additionally show that the attack probability decays exponentially under parallel repetition of rounds. Furthermore, we investigate the role of loss and quantum communication attacks in QPV in general. A protocol that is provably secure against unentangled attackers restricted to LOCC, but can be perfectly attacked by local operations and a single round of simultaneous quantum communication, is constructed. However, we show that any protocol secure against classical communication can be transformed into a protocol secure against quantum communication. Finally, we observe that any QPV protocol can be attacked with a linear amount of entanglement if the loss is high enough.

Routing Strategies for Multiplexed, HighFidelity Quantum NetworksYuan Lee (Massachusetts Institute of Technology); Eric Bersin (Massachusetts Institute of Technology); Wenhan Dai (Massachusetts Institute of Technology); Dirk Englund (Massachusetts Institute of Technology)[abstract]Abstract: We recently introduced a "quantum router" architecture that improves entanglement fidelities in chains of multiplexed repeaters. Here, we address local entanglement routing across general network graphs of routers to optimize entanglement rates and fidelities. Our proposed routing strategy achieves closetooptimal rates in the limit of high multiplexing.

Open Source LDPCbased error correctionAdomas Baliuka (LMU Munich, Munich Center for Quantum Science and Technology); Elsa Dupraz (IMT Atlantique); Harald Weinfurter (LMU Munich, Munich Center for Quantum Science and Technology, Max Planck Institute of Quantum Optics)[abstract]Abstract: Error correction is an essential step in the classical postprocessing of all quantum key distribution (QKD) protocols. We present error correction methods optimized for discrete variable (DV) QKD and make them freely available as an ongoing opensource project (github.com/XQPMunich/LDPC4QKD). Our methods are based on irregular quasicyclic (QC) low density parity check (LDPC) codes and stateoftheart rate adaption techniques.

Tight finitekey analysis for RRDPS protocolHang Liu (University of Science and Technology of China); ZhenQiang Yin (University of Science and Technology of China); Rong Wang (University of Science and Technology of China); ZeHao Wang (University of Science and Technology of China); Shuang Wang (University of Science and Technology of China); Wei Chen (University of Science and Technology of China); GuangCan Guo (University of Science and Technology of China); ZhengFu Han (University of Science and Technology of China)[abstract]Abstract: Among all existing quantum key distribution (QKD) protocols, the roundrobindifferentialphaseshift (RRDPS) protocol is one of the unique protocols. Because it can be running without monitoring signal disturbance, which improves its tolerance of error rate and does well in the finitekey scenario. Considering that a tight finitekey analysis with a practical phaserandomized source is still missing, we propose an improved security proof of RRDPS against the most general coherent attack based on the entropic uncertainty relation. We also introduce Azuma’s inequality into our proof, which can tackle finitekey effects. The results indicate experimentally acceptable numbers of pulses are sufficient to approach the asymptotic bound closely. This method may be the optimal one in the finitekey analysis for the RRDPS protocol.

Encoding a qubit into the continuous variables of a single photonNicolas Fabre (Centre of New technologies, Warsaw University)[abstract]Abstract: Encoding quantum information in continuous variables is intrinsically faulty. Nevertheless, redundant qubits can be used for error correction, as proposed in Phys. Rev. A 64, 012310 (2001). We show how to experimentally implement this encoding using timefrequency continuous degrees of freedom of photon pairs produced by spontaneous parametric down conversion. We illustrate our results using an integrated AlGaAs photonpair source. We show how single qubit gates can be implemented and propose a theoretical scheme for correcting errors in a circuitlike and in a measurementbased architecture. Finally, I propose a teleportationbased quantum error correction protocol adapted for such grid states.

Analysis of the effects of temperature increase on quantum random number generatorYuanhao Li (State Key Laboratory of Mathematical Engineering and Advanced Computing); Yangyang Fei (State Key Laboratory of Mathematical Engineering and Advanced Computing); Weilong Wang (State Key Laboratory of Mathematical Engineering and Advanced Computing); Xiangdong Meng (State Key Laboratory of Mathematical Engineering and Advanced Computing); Hong Wang (State Key Laboratory of Mathematical Engineering and Advanced Computing); Qianheng Duan (State Key Laboratory of Mathematical Engineering and Advanced Computing); Zhi Ma (State Key Laboratory of Mathematical Engineering and Advanced Computing)[abstract]Abstract: Quantum random number generator (QRNG) relies on the intrinsic randomness of quantum mechanics to produce true random numbers which are important in many fields. QRNGs with semiconductor light source have attracted a lot of attention due to their operational simplicity and high generation rate. However, the temperature of light source may vary due to imperfect devices and other factors. There is still a lack of study on the effects of temperature variations on the security of practical QRNG. We fill this gap by presenting a numerical method for studying the effects of temperature increase on the superluminescent emitting diode (SLED) based QRNG and propose some strategies toward robust QRNG against temperature increase.

Automated testbench for checking vulnerability of singlephoton detectors to brightlight attackKonstantin Zaitsev (Russian Quantum Center); Polina Acheva (Russian Quantum Center); Vadim Makarov (Russian Quantum Center)[abstract]Abstract: Quantum attacks to singlephoton detectors with brightlight are known for more than a decade. Many countermeasures were suggested to protect detectors, but the most of them can close some attacks with given parameters but not a whole attack group. To solve the problem we are developing automated testbench that emulates attacks by an eavesdropper Eve. It combines emission of pulse laser and continuouswave laser and observes detector's response. In future we hope to automatically prepare reports on detectors' safety or show brightlight attacks that were not covered by detectors' countermeasures.

Beam tracking system using pantilt module and MEMSbased fast steering mirror in quantum key distributionMinchul Kim (Electronics and Telecommunications Research Institute); Kyongchun Lim (Electronics and Telecommunications Research Institute); ByungSeok Choi (Electronics and Telecommunications Research Institute); JoongSeon Choe (Electronics and Telecommunications Research Institute); KapJoong Kim (Electronics and Telecommunications Research Institute); YoungHo Ko (Electronics and Telecommunications Research Institute); Ju Hee Baek (Electronics and Telecommunications Research Institute); Chun Ju Youn (Electronics and Telecommunications Research Institute)[abstract]Abstract: Quantum key distribution (QKD) has been widely studied for its inherent security against eavesdropping. Among them, freespace QKD has been actively studied for its wide range of applications. For globalscale quantum network, satellitetoground quantum key distribution has been studied in major countries around the world. Also, due to recent progress on drone and autonomous vehicle technologies and applications, short to intermediaterange applications for small moving platforms are gaining more interests than before. For applying QKD on these platforms, one of the most challenging requirements is reducing the size and weight of the QKD system, including beam tracking components. In this study, we report a compact beam tracking system and its tracking performance on a moving transmitter. The coarse tracking part of the system consists of pantilt module and a CMOS camera. The fine tracking part consists of a MEMSbased fast steering mirror (FSM) and a quadrantcell photodetector module. By using compact MEMSbased FSM, the size of the system was reduced to 15 × 15 × 30 cm and can be further reduced by using smaller optical components. For testing the tracking performance, transmitter on a moving platform was placed 1 m away from the fixed tracking system and moved at a constant speed along a circular track around the tracking system. A diverging 650 nm laser source on the transmitter was used as a tracking target for both coarse and fine tracking. When tracking the target moving at angular speed of 20 mrad/s, angular error was less than 0.12° and beam tracking induced optical loss into a multimode fiber was measured to be lower than 2.5 dB.

Quantum digital signatures with smaller public keysBoris Skoric (TU Eindhoven)[abstract]Abstract: We introduce a variant of GottesmanChuang quantum signatures [GC01] in which we sign nonbinary symbols instead of bits. The public keys are fingerprinting states, just as in [GC01], but we allow for multiple ways to reveal the private key partially. This reduces the number of qubits expended per message bit. We give a security proof and we present numerical results that show how the improvement in public key size depends on the message length.

A Case Study of Quantum Key Distribution Operating in Private 5G Network SystemYU YU (TOSHIBA); Takahiro Yamaura (TOSHIBA); Ririka Takahashi (TOSHIBA); Yoshimichi Tanizawa (TOSHIBA)[abstract]Abstract: In this paper, an experimental scenario of remote control with equipment operating at the manufacturing site over private 5G network has been demonstrated. To further enhance the security level, quantum key distribution (QKD) has been applied to this private 5G network system. The results reveal that QKD could be applicable to provide secure communications in private 5G network system for practical use.

Practical Quantum Key Distribution Secure Against Side ChannelsÁlvaro Navarrete (University of Vigo); Margarida Pereira (University of Vigo); Marcos Curty (University of Vigo); Kiyoshi Tamaki (University of Toyama)[abstract]Abstract: There is a large gap between theory and practice in quantum key distribution (QKD) because real devices do not satisfy the assumptions required by the security proofs. We close this gap by introducing a simple and practical measurementdeviceindependentQKD type of protocol, based on the transmission of coherent light, for which we prove its security against any possible imperfection and/or side channel from the quantum communication part of the QKD devices. Our approach only requires to experimentally characterize an upper bound of one single parameter for each of the pulses sent, which describes the quality of the source. Moreover, unlike deviceindependent (DI) QKD, it can accommodate information leakage from the users’ laboratories, which is essential to guarantee the security of QKD implementations. In this sense, its security goes beyond that provided by DI QKD, yet it delivers a secret key rate that is various orders of magnitude greater than that of DI QKD.

Nearmaximal Polarization Entanglement for DeviceIndependent Quantum Key Distribution at 2.1 μmAdetunmise Dada (University of Glasgow); Jędrzej Kaniewski (University of Warsaw); Corin Gawith (Covesion Limited & University of Southampton); Martin Lavery (University of Glasgow); Robert H. Hadfield (University of Glasgow); Daniele Faccio (University of Glasgow); Matteo Clerici (University of Glasgow)[abstract]Abstract: The ability to generate highly entangled states and access the full quantum state space is crucial for most advanced quantum information tasks. However, in the midinfrared band, the capability for full state tomography or the demonstration of states that are sufficiently entangled, e.g., to allow positive secure key rates for entanglementbased quantum key distribution (QKD) have not been achieved to date. At a wavelength of 2.1 μm, we demonstrate full state tomography of twophoton states and show nearmaximal violation of the ClauserHorneShimonyHolt (CHSH) Bell inequality with an orderofmagnitude improvement over the state of the art in terms of the number of standard deviations above the classical limit. We obtain a positive securekey rate for the first time using midinfrared photons (0.417 bits/pair, with a quantum bit error rate of 5.43%) in a proofofprinciple deviceindependent (DI) QKD scenario, demonstrating the viability of DIQKD at 2.1 μm. We further exploit the quality of the entangled state by obtaining (via computations on the measured state) the violation of a new Bell inequality tailored for a weak or lessrigid form of selftesting, which is of fundamental interest. These results at 2.1 μm pave the way for robust, DI quantum information applications in the midinfrared region.

Effect of Device Imperfection on Reference Frame Independent Quantum Key DistributionKyongchun Lim (ETRI); ByungSeok Choi (ETRI); Ju Hee Baek (ETRI); Minchul Kim (ETRI); JoongSeon Choe (ETRI); KapJoong Kim (ETRI); YoungHo Ko (ETRI); Chun Ju Youn (ETRI)[abstract]Abstract: Quantum key distribution (QKD) provides capability of secure communication between two remote locations. Depending on its applications, for the surroundings that fiber connection between two remote locations becomes impossible, QKD should be performed through freespace. Such QKD is called as freespace QKD. The applications corresponds to moving objects such as vehicle, aircraft, and satellite. In such freespace QKD, one fundamental characteristic is that transmitter and receiver are moving in real time. In case of conventional BB84 like QKD protocols requiring an identical reference frame between the transmitter and receiver, its performance can be affected by the moving characteristic because the relative movement causes reference frame deviation between them. This can be alleviated with active compensation of the reference frame, but it makes QKD system complex. In the protocol point of view, one has been proposed and it is called as reference frame independent (RFI) QKD. However, RFI QKD is based on ideal situation such as symmetric channels depending on encoded quantum states. This usually cannot achieved in real QKD system due to device imperfections. In this paper, we theoretically analyze how the device imperfections affect on the performance RFI QKD. In order to verify the theoretical analysis, we implement a freespace RFI QKD system with practical devices and identify the effect of device imperfections on RFI QKD.

Quantum authentication ticketsHazel Murray (Munster Technological University, Ireland); Jerry Horgan (Walton Institute, Ireland); Deirdre Kilbane (Walton Institute, Ireland); David Malone (Maynooth University, Ireland)[abstract]Abstract: Ticket based authentication systems are used across the internet. They allow an entity or device to be issued a ticket which can be used to repeated authenticate to a service. We propose a quantum ticket algorithm (based on Gavinsky's coin scheme [1]) which offers protection against phishing, replay and maninthemiddle attacks, and authentication with the service does not require either quantum or encrypted communication channels. It also provides inbuilt ticket expiration and graded stepup authentication depending on levels of trust and risk.

Towards highdimensional QKD in deployed multicore fiberMujtaba Zahidy (Technical University of Denmark); Nicola Biagi (Istituto Nazionale di Ottica (CNRINO), Florence, Italy); Antonio Mecozzi (Department of Physical and Chemical Sciences, University of L’Aquila, L’Aquila, Italy); Cristian Antonelli (Department of Physical and Chemical Sciences, University of L’Aquila, L’Aquila, Italy); Leif K. Oxenløwe (Technical University of Denmark); Alessandro Zavatta (Istituto Nazionale di Ottica (CNRINO), Florence, Italy); Davide Bacco (Technical University of Denmark)[abstract]Abstract: The demand for higher secret key rates, in conjunction with the need for extending the reach of quantum key distribution has led to the devising of multiple novel protocols. Most of these protocols make use of qubits, owing to the simplicity with which they can be encoded in quantum communication systems that are available today. On the other hand, highdimensional quantum states, yet more challenging to generate and transmit, enable higher secretkey rates and are more robust against errors in the process of quantum key distribution. A promising implementation of highdimensional QKD is the one based on path encoding in opticalfiber quantum channels [1], where the most straightforward choice would be the use of multiple fibers. This choice, however, is challenged by the intrinsic nonhomogeneity of different fibers. A more practical alternative is the one offered by multicore fiber (MCF) technology, which has matured in recent years in the context of spacedivision multiplexed classical optical communications. In both cases, a key requirement is that the relative phase between spatial paths is preserved, which requires some phasestabilization procedure in the presence of propagationinduced random phase drift. Highdimensional QKD in MCFs has been recently investigated in [1], where 4dimensional QKD on a 2kmlong MCF was demonstrated. This was possible thanks to a phase stabilization scheme in which the phase fluctuations of a copropagating classical continuouswave laser signal were monitored in order to compensate for the phase drift. The same stabilization system was successfully tested more recently in the unique SDM testbed in L'Aquila [2], in Italy, on various strands of deployed MCFs, up to a total length of 26 km [2]. In this work, we aim at developing a realtime highdimensional QKD system based on joint path and timebin encoding in MCFs. By using two fiber cores and two time bins, we generate 4dimensional states.

A generalized efficiency mismatch attack to bypass detectionscrambling countermeasureMd Abduhu Ruhul Fatin (Bangladesh Univ. of Engineering and Tech.); Shihan Sajeed (IQC, University of Waterloo)[abstract]Abstract: Imperfections in the receiver setup of quantum cryptography systems may allow an eavesdropper to use it as a control parameter to attack the system. Mismatch of sensitivity in the receiver's photodetectors is one of the imperfections that can potentially be exploited by an eavesdropper. Published researches have shown that scrambling the role of the photodetectors in the receiver can be one of the countermeasure strategies to protect the system. In this work, we show that the proposed countermeasure can be bypassed if the attack is generalized by including more attack variables. Using experimental results from existing publications, we show that detector randomization effectively prevents the initial attack but fails to do so when Eve generalizes her attack strategy. Thus, unless new techniques are proposed to strengthen the existing detectorscrambling countermeasure strategies, it cannot guarantee security against detector efficiency mismatch based attacks. Our result and methodology could be used to securitycertify a freespace quantum communication receiver against all types of detectorefficiencymismatch type attacks.

Finitesize security proof of discretemodulation continuousvariable quantum key distribution using only heterodyne measurementShinichiro Yamano (The University of Tokyo); Takaya Matsuura (The University of Tokyo); Yui Kuramochi (The University of Tokyo); Toshihiko Sasaki (The University of Tokyo); Masato Koashi (The University of Tokyo)[abstract]Abstract: Recently the finitesize security of a continuousvariable quantum key distribution protocol was reported, in which homodyne measurement is used for generating raw key and heterodyne measurement for monitoring. Here we improve the security proof to allow the use of heterodyne measurement for both purposes. The new protocol not only simplifies the receiver apparatus but also alleviates the necessity of actively locking the phases of the sender's and the receiver's local oscillators. The comparison of the key rates of the two protocols shows that replacing homodyne measurement with heterodyne measurement worsens the channel loss dependence by only 1 dB, which is better than a naive expectation of a 3 dB penalty.

High Dimensional Quantum Key Distribution System Using Structured Light.MUHAMMAD KAMRAN KAMI (NED UNIVERSITY OF ENGINEERING & TECHNOLOGY); Dr. Muhammad Mubashir Khan (NED UNIVERSITY OF ENGINEERING & TECHNOLOGY); Dr. Tahir Malik (NED UNIVERSITY OF ENGINEERING & TECHNOLOGY)[abstract]Abstract: When combined with wellestablished theories of contemporary physics, quantum key distribution (QKD) has emerged as a safe method for secret key distribution that may be used to protect sensitive information. Numerous fascinating and creative ideas have been suggested for QKD since its inception in 1984 to enhance the security and efficiency of the system while also taking into consideration its applications and practical implementation. To achieve longer communication distances in QKD without compromising its security, schemes with high error rates for longdistance communication have been developed. One such scheme is the socalled KMB09 protocol, which was developed to make use of higher dimensional photon states, which are not possible with the standard BB84 scheme. However, because of the unique architecture of the KMB09 protocol, no practical implementation of the protocol has yet been disclosed to the public. Here we present a framework for the realistic construction of a QKD system that operates in two or more dimensions of photon states and executes the KMB09 protocol with a decoystate scheme. We describe the design of a KMB09 protocolbased QKD system and its simulation for practical implementation, which is based on the encoding of secret bits in higherorder Gaussian beam spatial modes, as well as the modeling of the system. We use orbital angular momentum (OAM) degree of freedom which is the most dynamic and easy handle feature that researchers utilize for the implementation of robust and stateoftheart HDQKD systems. Laguerre Gaussian, a higherorder Gaussian beam having special features associated with the OAM. Photons carrying OAM in Laguerre Gaussians beams can create several mutually unbiased basis (MUBs), which are extensively employed for protocol implementation. We constructed three MUBs in fourdimensional Hilbert space, one is reserved for a standard basis and the remaining two behave as a measurement basis. Besides this, we also used intensity variation for the generations of the qubits to employ the decoystate scheme (vacuum plus weak coherent pulses), which relieves us from Photon Number Splitting (PNS) attack and also helped in the safe transfer of secret keys. The suggested framework is assessed particularly in terms of efficiency or success rate while dealing with photon states in two and four dimensions. Here we initially plot the number of iterations data on fixed qubits length in comparison with the efficiency of the HD protocol (KMB09) observed during simulation per iteration. We also plot the percentage error of the simulated efficiency and the efficiency of the analytical model of the KMB09 based system. We discover that the simulation results using our proposed framework are consistent with the numerical and analytical findings obtained using the same QKD model that was previously published. We have so far reached our first milestone that is the development of the HDQKD system based on the KMB09 protocol. Now we are focusing on the error rates developed in the system due to intrusion and also handle attacks like interceptresendattacks. We will also incorporate losses due to turbulence in the quantum channel of our free space HD QKD system in the future.

Security analysis of a CVQKD downstream access networkYundi Huang (Beijing University of Posts and Telecommunications); Tao Shen (Beijing University of Posts and Telecommunications); Xiangyu Wang (Beijing University of Posts and Telecommunications); Ziyang Chen (Peking University); Bingjie Xu (Institute of Southwestern Communication); Song Yu (Beijing University of Posts and Telecommunications); Hong Guo (Peking University)[abstract]Abstract: Quantum key distribution (QKD) which enables the secure distribution of symmetric keys between two legitimate parties is of great importance in future network security [1, 2]. Access network that connects multiple endusers with one network backbone can be combined with QKD to build security for endusers in a scalable and costeffective way. Access network can have upstream stream transmission direction and downstream transmission direction. For upstream transmission, signals are transmitted from the endusers optical network units (ONUs), combined at the optical distribution network (ODN), and then forwarded to the optical line terminal (OLT) through single fiber. For downstream transmission direction, signals are sent from the OLT and separated at the ODN, then distributed to ONUs in the network. Though previous QKD access network demonstrations are all based on upstream transmission direction [3], the downstream access network on the other hand may offer extra advantages, since no time multiplexing technique is applied, the crosstalk is minimized, also, only passive beam splitter is sufficient to distribute the signals, and no active controls or calibrations are required at the intermediate optical distribution network node, signals are simply broadcasted to the ONUs [4]. However, it is not straight forward to integrate QKD into the downstream access network, for discretevariable QKD, the quantum signals cannot be deterministically distributed to the ONUs. More importantly, since every ONU gets a copy of the transmitted quantum signals, it is crucial that the final secret key is private against other ONUs in the downstream access network. Here, we prove that QKD downstream access network can be realized by using continuousvariable (CV) QKD [5], the corresponding implementation can deterministically perform QKD [6] with the activated ONU, the network still only applies passive beamsplitter to distribute quantum signals. The secrecy against other parties in the network is achieved by considering a reinforced Eve during the security analysis. The security analysis can be conducted with only the optical line terminal and the activated ONU, and no other parties assistances are required. Our work provides the security analysis framework for realizing QKD in the downstream access network which will boost the diversity for constructing practical QKD networks. This work was supported by the Key Program of National Natural Science Foundation of China under Grant No. 61531003, National Natural Science Foundation of China under Grant No. 62001041, China Postdoctoral Science Foundation under Grant No. 2020TQ0016, Sichuan Science and Technology Program under Grant No. 2020YFG0289 and the Fund of State Key Laboratory of Information Photonics and Optical Communications. [1] V. Scarani, H. BechmannPasquinucci, N. J. Cerf, M. Dusek, N. Lütkenhaus, and M. Peev, The security of practical quantum key distribution, Rev. Mod. Phys. 81, 1301 (2009). [2] F. Xu, X. Ma, Q. Zhang, H.K. Lo, and J.W. Pan, Secure quantum key distribution with realistic devices, Rev. Mod. Phys. 92, 025002 (2020). [3] B. Fr¨ohlich, J. F. Dynes, M. Lucamarini, A. W. Sharpe, Z. Yuan and A. J. Shields, A quantum access network, Nature 501, 6972 (2013). [4] ITU. G.984.1: Gigabitcapable passive optical networks (gpon): General characteristics. ITUT (2008). [5] S. Pirandola, et al., Advances in quantum cryptography, Adv. in Opt. and Photon. 12, 1012 (2020). [6] Y. Zhang, et al., Continuousvariable QKD over 50km commercial fiber, Quantum Sci. Technol. 4, 035006 (2019).

Strengthening practical continuousvariable quantum key distribution against measurement angular errorTao Shen (Beijing University of Posts and Telecommunications); Yundi Huang (Beijing University of Posts and Telecommunications); Xiangyu Wang (Beijing University of Posts and Telecommunications); Huiping Tian (Beijing University of Posts and Telecommunications); Ziyang Chen (Peking University); Song Yu (Beijing University of Posts and Telecommunications)[abstract]Abstract: Continuousvariable quantum key distribution (CVQKD) provides a way for two remote participants called Alice and Bob to establish symmetric keys through an unsafe channel \cite{weedbrook2012gaussian,grosshans2003quantum}. Continuousvariable quantum key distribution (CVQKD) based on commercial devices such as lasers and coherent detectors is moving towards practical. Experimental implementation of the CVQKD systems using Gaussianmodulated coherent states (GMCS) has made significant progress recently \cite{zhang2019continuous}. At the mean time, the problems of performance degradation caused by imperfections of those experimental devices remain unsolved absolutely \cite{pirandola2020advances}. A nonorthogonal measurement angular error between quadrature components $X$ and $P$ from coherent detection is always ignored in the current experimental scheme. The optical phase shifter that constantly rotates the local oscillator phase is a necessity in continuousvariable quantum key distribution systems using heterodyne detection. In previous experimental implementations, the optical phase shifter is generally regarded as an ideal passive optical device that perfectly rotates the phase of the electromagnetic wave of $90^\circ$ \cite{wang2020high}. However,under the action of external force, the fibre is stretched or compressed within the elastic deformation range, and parameters such as the fibre change's geometrical size and refractive index change, thus causing the phase change of the transmitted signal in the fibre. Therefore, the phase shifter is somewhat susceptible to environmental changes and can hardly shift the phase by $90^\circ$ exactly Considering this, we propose a concrete interpretation of measurement angular error in practical systems and the corresponding entanglementbased description. Simultaneously, an estimation method of the measurement angular error and corresponding compensation scheme are demonstrated in some ways. We conclude that measurement angular error severely degrades the security, but the proposed calibration and compensation method can significantly help improve the performance of the practical CVQKD systems. Undoubtedly, it is worth observing that our work is to strengthen practical security resulted from devices' imperfection.

Practical security of a chipbased continuousvariable quantum key distribution systemLang Li (Center for Quantum Sensing and Information Processing, State Key Laboratory of Advanced Optical Communication Systems and Networks, Shanghai Jiao Tong University, Shanghai 200240, People’s Republic of China and Shanghai Research Center for Quantum Sciences, Shanghai 201315, People’s Republic of China); Peng Huang (Center for Quantum Sensing and Information Processing, State Key Laboratory of Advanced Optical Communication Systems and Networks, Shanghai Jiao Tong University, Shanghai 200240, People’s Republic of China and Shanghai Research Center for Quantum Sciences, Shanghai 201315, People’s Republic of China); Tao Wang (Center for Quantum Sensing and Information Processing, State Key Laboratory of Advanced Optical Communication Systems and Networks, Shanghai Jiao Tong University, Shanghai 200240, People’s Republic of China and Shanghai Research Center for Quantum Sciences, Shanghai 201315, People’s Republic of China); Guihua Zeng (Center for Quantum Sensing and Information Processing, State Key Laboratory of Advanced Optical Communication Systems and Networks, Shanghai Jiao Tong University, Shanghai 200240, People’s Republic of China and Shanghai Research Center for Quantum Sciences, Shanghai 201315, People’s Republic of China)[abstract]Abstract: A chipbased continousvariable quantumkeydistribution (CVQKD) system with a high practical confidentiality performance is crucial for constructing quantum metropolitan communication networks, but imperfections in the chipbased modulation will threaten the practical security of the chipbased CVQKD system. In this paper, we combine the plasma dispersion effect of free carriers to model the carrier fluctuations and reveal the essential mechanism of carrier fluctuations’ influence on the system. The simulations show that the chipbased CVQKD system may face potential loophole threats or its performance will dramatically decrease under different carrier fluctuations. Moreover, two preliminary defense strategies are proposed to completely solve the practical security problems commonly induced by modulators in general chipbased CVQKD systems. This work proposes a set of modeling and analysis methods for general chipbased CVQKD systems’ modulators, which provides constructive methods to build the chipbased CVQKD system with more rigorous practical security.

MIMO Terahertz Quantum Key DistributionNeel Kanth Kundu (Department of Electronic and Computer Engineering, The Hong Kong University of Science and Technology); Soumya P. Dash (School of Electrical Sciences, Indian Institute of Technology Bhubaneswar); Matthew R. McKay (Department of Electronic and Computer Engineering, The Hong Kong University of Science and Technology); Ranjan K. Mallik (Department of Electrical Engineering, Indian Institute of Technology Delhi)[abstract]Abstract: We propose a multipleinput multipleoutput (MIMO) quantum key distribution (QKD) scheme for improving the secret key rates and increasing the maximum transmission distance for terahertz (THz) frequency range applications operating at room temperature. We propose a transmit beamforming and receive combining scheme that converts the rank$r$ MIMO channel between Alice and Bob into $r$ parallel lossy quantum channels whose transmittances depend on the nonzero singular values of the MIMO channel. The MIMO transmission scheme provides a multiplexing gain of $r$, along with a beamforming and array gain equal to the product of the number of transmit and receive antennas. This improves the secret key rate and extends the maximum transmission distance. Our simulation results show that multiple antennas are necessary to overcome the high freespace path loss at THz frequencies. Positive key rates are achievable in the $1030$ THz frequency range that can be used for both indoor and outdoor QKD applications for beyond fifth generation ultrasecure wireless communications systems.

Dynamic polarization control for freespace continuousvariable quantum key distributionShiyu Wang (Shanghai Jiao Tong University); Peng Huang (Shanghai Jiao Tong University); Tao Wang (Shanghai Jiao Tong University); Guihua Zeng (Shanghai Jiao Tong University)[abstract]Abstract: We propose a dynamic polarization control scheme for freespace continuousvariable quantum key distribution and verify its validity via simulations and an experiment performed over a 150 m freespace channel. The results indicate the capability of the scheme to effectively control the states of polarization for freespace continuousvariable quantum communication.

A Software Tool for Mapping and Executing Distributed Quantum Computations on a Network SimulatorDavide Ferrari (University of Parma); Saverio Nasturzio (University of Parma); Michele Amoretti (University of Parma)[abstract]Abstract: The growing demand for largescale quantum computers is motivating research on distributed quantum computing (DQC) architectures. To support the research community in the design and evaluation of distributed quantum protocols, many simulators have been devised. However, the process of setting up a simulation requires strong expertise in the simulator itself, thus being inconvenient for those who are only interested in protocol evaluation or in the design of supporting tools such as quantum compilers. In this work, we present DQC Executor, a software tool that accepts as input the description of the network and the code of the algorithm, and then executes the simulation. The tool automatically constructs the network topology and maps the computation onto it, in a frameworkagnostic way and transparently to the user. DQC Executor currently supports automatic deployment of distributed quantum algorithms to the NetSquid simulator.

Code efficiency, frame error rate and secure key rateHossein Mani (Technical University of Denmark); Tobias Gehring (Technical University of Denmark); Ulrik L. Andersen (Technical University of Denmark); Bernhard Oemer (Austrian Institute of Technology); Christoph Pacher (Austrian Institute of Technology)[abstract]Abstract: See the short abstract in the attached file. In this poster, we present the finite length efficiency of some of our codes and show how it can improve the secret key rate. For this, the FER performance of some of these codes is plotted versus the efficiency and then we plot the secret key rate versus distance by replacing our codes with other existing codes in the literature.

A MultiValued Quantum Fully Homomorphic Encryption SchemeYuanjing Zhang (Beihang University); Tao Shang (Beihang University); Jianwei Liu (Beihang University)[abstract]Abstract: Fully homomorphic encryption enables computation on encrypted data while maintaining secrecy. This leads to an important open question whether quantum computation can be delegated and verified in a noninteractive manner or not. In this paper, we affirmatively answer this question by constructing quantum fully homomorphic encryption (QFHE) schemes with quantum obfuscation. For different scenarios, we propose two QFHE schemes with multivalued quantum point obfuscation. One is with singlequbit point obfuscation and the other is with multiqubit point obfuscation. The correctness of two QFHE schemes is proved theoretically. The evaluator does not know the decryption key and does not require a regular interaction with a user. The output state has the property of complete mixture, which guarantees the security. Moreover, the security level of the QFHE schemes depends on quantum obfuscation and encryption operators.

Entropy bounds for multipartite deviceindependent cryptographyFederico Grasselli (Heinrich Heine University Dusseldorf); Gláucia Murta (Heinrich Heine University Dusseldorf); Hermann Kampermann (Heinrich Heine University Dusseldorf); Dagmar Bruss (Heinrich Heine University Dusseldorf)[abstract]Abstract: When the outcomes of a set of parties measuring their local quantum systems exhibit nonlocal correlations by violating a Bell inequality, one can infer that such outcomes are secret to some extent. This is at the core of the security of many deviceindependent (DI) protocols, such as DI randomness expansion and DI conference key agreement. We quantify the amount of secret randomness in the parties’ outcomes by analytically computing their conditional von Neumann entropies as a function of the Bell violation, for different Bell inequalities.

A quantum key distribution simulator for BB84type protocols with decoy statesFlorian Prawits (AIT Austrian Institute of Technology)[abstract]Abstract: BB84type DVQKD protocols that implement weak coherent laser pulses as the carrier for the encoded information are severely limited in their maximally achievable transmission distance due to the inherent threat of photon number splitting (PNS) attacks. This potential weakness can be elegantly eliminated by the adaption of the protocol to include socalled decoy states (DS) in the transmission. These decoy states allow Alice and Bob to probe their transmission channel and statistically infer whether a PNS type attack is occurring, thus precluding Eve from successfully using this strategy. The added degrees of freedom of deciding how often to send decoy states and which intensities to use for them however further complicates the already complex task of predicting the impact on protocol performance and finding a set of suitable parameters to achieve optimal secret key rates (skr). In order to predict optimal performance, as a function of characteristics of the QKD setup like channel losses and device imperfections, state preparation fidelity, decoy state parameters and finite size effects, the software simulator pyDSsim has been developed. The tool is written in Python and implements the recent security proof framework introduced in [1,2]. The software can be scripted from the command line or used via a graphical user interface (GUI: QT5 framework) for easy exploration via parametrized xy plots of over 40 different variables, allowing a comprehensive evaluation of their interdependencies. The main feature however is the option to numerically compute the set of protocol variables for a given QKDsetup which maximizes the secret key rate under constraints typical for practical implementations: fixed block sizes or fixed acquisition times for the raw key. To this end two different algorithms (differentialevolution [3] and LBFGSB [4]) are utilized, allowing for a crosscheck of the acquired results and choice between speed and accuracy of the approach. References [1] Rusca, D., Boaron, A., Grünenfelder, F., Martin, A. & Zbinden, H. Finitekey analysis on the 1decoy state QKD protocol. Appl. Phys. Lett. 112, 171104 (2018) [2] Lim, C. C. W., Curty, M., Walenta, N., Xu, F. & Zbinden, H. Concise security bounds for practical decoystate quantum key distribution. Phys. Rev. A 89, 022307 (2014) [3] R. H. Byrd, P. Lu and J. Nocedal. A Limited Memory Algorithm for Bound Constrained Optimization, (1995), SIAM Journal on Scientific and Statistical Computing, 16, 5, pp. 11901208. [4] Storn, R and Price, K, Differential Evolution  a Simple and Efficient Heuristic for Global Optimization over Continuous Spaces, Journal of Global Optimization, 1997, 11, 341  359.

Genome Sequence Data Storage System using distributed storage system on QKD networkKazuaki Doi (toshiba corporation); Ririka Takahashi (toshiba corporation); Akira Murakami (toshiba corporation); Mamiko Kujiraoka (toshiba corporation); Alexander R. Dixon (toshiba corporation); Yoshimichi Tanizawa (toshiba corporation); Hideaki Sato (toshiba corporation); Muneaki Shimada (Tohoku University); Yasunobu Okamura (Tohoku University); Fuji Nagmi (Tohoku University); Mikio Fujiwara (NICT)[abstract]Abstract: We developed a genome sequence data storage system using a distributed storage system on a quantum key distribution (QKD) network and have successfully demonstrated secure storage and data reconstruction for genome sequence data. The proposed system thus has potential for use as a distributed storage system in genome analysis.

High effective efficiency LDPC codes for CVQKDThomas Symul (QuintessenceLabs); Andrew M. Lance (QuintessenceLabs); Sarah Johnson (University of Newcastle)[abstract]Abstract: High efficiency error reconciliation, typically achieved by using Multi Edge Low Density Parity Codes (MELDPC), is necessary for CVQKD to reach large transmission distance. The commonly accepted definition of the efficiency, however, is problematic as it does not take into account the Frame Error Rate (FER) of LDPC, and therefore is theoretically and provably unbounded (i.e. can tend to infinity), if one can accept increasingly larger FER. Here we report new MELDPC code construction allowing high efficiency (>0.91) with very low FER (<0.008), allowing for a large effective efficiency, over a large continuous range of SNR (between 20.5dB to 6dB).

Qubitbased clock synchronization for QKD systems using a Bayesian approachRoderick D. Cochran (The Ohio State University); Daniel J. Gauthier (Ohio State University)[abstract]Abstract: Quantum key distribution (QKD) provides a method for two users to exchange a provably secure key, which requires synchronizing the user’s clocks. Qubitbased synchronization protocols directly use the transmitted quantum states and thus avoid the need for additional classical synchronization hardware, but previous approaches sacrifice secure key either directly or indirectly. Here, we introduce a Bayesian probabilistic algorithm that incorporates all published information to efficiently find the clock offset without sacrificing any secure key [1]. Additionally, the output of the algorithm is a probability, which allows us to quantify our confidence in the synchronization. For demonstration purposes, we present a model system with accompanying simulations of an efficient threestate BB84 prepareandmeasure protocol with decoy states. Our algorithm exploits the correlations between Alice’s published basis and mean photon number choices (which must already be published for the protocol) and Bob’s measurement outcomes to probabilistically determine the most likely clock offset. We perform crosscorrelations using Fast Fourier Transforms to count the number of each type of event pairing for each potential offset (e.g., how many times Alice sent a decoy state in the horizontal/vertical polarization basis and Bob registered a click in the horizontal detector). Taking these along with a lookup table for the probabilities of the different event pairings, we determine the synchronization probability of the different potential offsets using Bayesian analysis. In our simulations, we find that we can achieve a 95% synchronization confidence using a string length of only 4,140 communication bin widths, meaning we can tolerate clock drift approaching 1 part in 4,140 in this example when simulating this system with a dark count probability per communication bin width of 8⨉104 and a received mean photon number of 0.01. The relationship between the received mean photon number and the number of communication bin widths required to achieve a 95% synchronization confidence is shown in Fig. 1.

Training a quantum workforce: Towards BB84 for engineering studentsLukas Mairhofer (FH Technikum Wien)[abstract]Abstract: In this poster we will present a truly quantum handson setup for training engineering students in quantum cryptography with the BB84 protocol. We supplement this setup with a webbased simulation of the protocol which will be available to the public.

Hacking the selfdifferencing avalanche detectors via pulse illuminationBinwu Gao (Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China); Anqi Huang (Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China); Zhihao Wu (Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China); Yingwen Liu (Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China); Weixu Shi (Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China); Ping Xu (Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China); Junjie Wu (Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China)[abstract]Abstract: Quantum key distribution (QKD) has been proved to be informationtheoretically secure in theory. In practice, the selfdifferencing avalanche photodiode detectors (SDAPDs) are commonly used in highspeed QKD systems. However, we experimentally show that the SD APD under test can be successfully hacked by the pulseillumination attack. This attack might compromise the security of a highspeed QKD system with SDAPDs. This study also indicates that the bestpractice criteria for practical security of SDAPDs might take the threat of pulseillumination attack into account.

Certification of Random Number Generators using Machine LearningNg Hong Jie (National University of Singapore); Raymond Ho (National University of Singapore); Syed M Assad (The Australian National University); Ping Koy Lam (The Australian National University); Omid Kavehei (ARC Training Centre for Innovative BioEngineering, School of Biomedical Engineering, The University of Sydney); Wang Chao (National University of Singapore); Nhan Duy Truong (ARC Training Centre for Innovative BioEngineering, School of Biomedical Engineering, The University of Sydney); Jing Yan Haw (National University of Singapore)[abstract]Abstract: Two coveted qualities for a random number generator (RNG) are uniformity and unpredictability. A PseudoRNG (PRNG) produces a uniform output, but it is predictable when one has knowledge of the seed and implementation parameters. While a quantumRNG (QRNG) produces an unpredictable output, it is not necessarily uniform and hence typically requires randomness extraction. We examine these two aspects in RNGs by utilizing a machine learning cryptanalysis, showing the applicability of the tool in uncovering hidden correlations and implementation failures.

Postselection Strategies for ContinuousVariable Quantum Key Distribution Protocols with Quadrature PhaseShift Keying ModulationFlorian Kanitschar (TU Wien / AIT  Austrian Institute of Technology); Christoph Pacher (AIT  Austrian Institute of Technology)[abstract]Abstract: Continuousvariable quantum key distribution with phaseshift keying modulation is a promising candidate for practical applications of quantum cryptography due to high compatibility with existing telecommunication infrastructure. It is known that postselection, i.e., omitting those parts of the raw key where an adversary might have gained more information than the communicating parties, can improve the secure key rate significantly. We introduce a new crossshaped postselection strategy and use a recent numerical security proof framework to compare it to other existing postselection strategies. Furthermore, we provide novel analytical results for the operators that define the respective postselection regions in phase space for each of the postselection strategies, enabling a quicker evaluation without introducing additional numerical errors. Motivated by the high computatoinal effort for the errorcorrection phase, we point out how postselection can be used to reduce the raw key (so, the data that has to be errorcorrected) significantly without lowering the secure key rate considerably. As therefore Bob uses his measurement outcomes directly without requiring any additional computations, the crossshaped scheme can be implemented easily both in new and existing QKD systems.

Quantum key distribution with a bright source of telecom single photons based on quantum frequency conversionChristopher L. Morrison (HeriotWatt University); Francesco Graffitti (HeriotWatt University); Zhe Xian Koong (HeriotWatt University); Nick G. Stoltz (University of California, Santa Barbara); Roberto G. Pousa (University of Strathclyde); Dirk Bouwmeester (Leiden University); Luca Mazzarella (California Institute of Technology); John Jeffers (University of Strathclyde); Daniel K. L. Oi (University of Strathclyde); Alessandro Fedrizzi (HeriotWatt University); Brian D. Gerardot (HeriotWatt University)[abstract]Abstract: We demonstrate fibrebased quantum key distribution over 175 km using a bright frequency converted quantum dot singlephoton source. The source is capable of producing count rates approaching 2 MHz at 1550 nm with second order correlations on the order of 3%. This allows for a measured key rate of 130 bps (100 kbps) at 175 km (50 km) in the asymptotic regime using static encoding and predicted positive key rate out to 188 km. This can be extended to 240 km using ultralow loss fibre based on the measured source parameters.

Single trusted qubit is necessary and sufficient for quantum realisation of extremal nosignaling statisticsMichał Banacki (University of Gdańsk, International Centre for Theory of Quantum Technologies, Faculty of Mathematics, Physics and Informatics); Ravishankar Ramanathan (The University of Hong Kong, Department of Computer Science); Ricard Ravell Rodriguez (University of Gdańsk, International Centre for Theory of Quantum Technologies); Paweł Horodecki (University of Gdańsk, International Centre for Theory of Quantum Technologies; Gdańsk University of Technology, Faculty of Applied Physics and Mathematics, National Quantum Information Centre)[abstract]Abstract: We consider quantum statistics from the perspective of postquantum nosignaling theories in which either none or only a certain number of systems are trusted. These scenarios can be fully described by socalled nosignaling boxes or nosignaling assemblages respectively. It has been shown so far that in the usual Bell nonlocality scenario with a single measurement run, quantum correlations can never reproduce an extremal nonlocal point within the set of nosignaling boxes. We provide here a general nogo rule showing that the latter stays true even if arbitrary sequential measurements are allowed. On the other hand, we prove a positive result showing that already a single trusted qubit is enough for quantum theory to produce a selftestable extremal point within the corresponding set of nosignaling assemblages. This result provides a tool that opens up possibilities for security proofs of cryptographic protocols against general nosignaling adversaries in semideviceindependent scenarios.

Bounds on deviceindependent quantum key distribution rates for devices and channelsEneet (Kaur); Karol (Horodecki); Siddhartha Das (Université libre de Bruxelles)[abstract]Abstract: In this work, we develop upper bounds for key rates for deviceindependent key distribution protocols, devices, and channels. We study the reduced ccsquashed entanglement and show that it is a convex functional. As a result, we show that the convex hull of the currently known bounds is a tighter upper bound on the deviceindependent key rates of standard CHSHbased protocol. We further provide tighter bounds for DIQKD key rates achievable by any protocol applied to the CHSHbased device. This bound is based on reduced relative entropy of entanglement optimized over decompositions into local and nonlocal parts. In the scenario of quantum channels, we obtain upper bounds for deviceindependent private capacity for the CHSH based protocols. We show that the DI private capacity for the CHSH based protocols on depolarizing and erasure channels is limited by the secret key capacity of dephasing channels.

Resource analysis for quantumaided Byzantine agreementZoltán Guba (Budapest University of Technology and Economics, Budapest, Hungary); István Finta (Nokia Bell Labs, Budapest, Hungary); Ákos Budai (Budapest University of Technology and Economics, Budapest, Hungary); Lóránt Farkas (Nokia Bell Labs, Budapest, Hungary); Zoltán Zimborás (Budapest University of Technology and Economics, Budapest, Hungary); András Pályi (Budapest University of Technology and Economics, Budapest, Hungary)[abstract]Abstract: In distributed computing, a Byzantine fault is a condition where a component behaves inconsistently, showing different symptoms to different components of the system. Consensus among the correct components can be reached by appropriately crafted communication protocols, even in the presence of byzantine faults. Quantumaided protocols built upon distributed entangled quantum states are worth considering, as they are more resilient than traditional ones. Based on earlier ideas, here we introduce a parameterdependent family of quantumaided weak broadcast protocols, and prove their security. We analyze the resource requirements as functions of the protocol parameters, and locate the parameter range where these requirements are minimal. Hence, our work illustrates the engineering aspects of future deployments of such protocols in practice. Following earlier work demonstrating the suitability of noisy intermediatescale quantum (NISQ) devices for the study of quantum networks, we show how to prepare our resource quantum state on publicly available IBM quantum computers. We outline followup tasks toward practical quantumaided byzantine fault tolerance.

Resilient Chip‐Scale QKD with Integrated Hacking PreventionFriederike Jöhlinger (University of Bristol); Lawrence Rosenfeld (University of Bristol); Henry Semenenko (University of Bristol); Djeylan Aktas (University of Bristol); John Rarity (University of Bristol)[abstract]Abstract: Recently, the first integrated Measurement Device Independent Quantum Key Distribution (MDI QKD) system has been implemented here in Bristol (Semenenko, 2020). To build on this result and work towards improved security and key rates, a new indium phosphide (InP) transmitter chip has been designed for a secondgeneration MDI QKD implementation. The new chip contains two laser sources, including a distributed feedback laser to allow for faster pulsing and highspeed phase modulators with a bandwidth of up to 30 GHz. With the new lasers and phase modulators a higher pulse rate will be achieved, leading to better key rates. Additionally, an onchip photodiode can be used to monitor incoming light. This makes the chip much more resilient against hacking attacks, such as a Trojan Horse or Laser Damage Attacks. Since MDI QKD is intrinsically protected against detector attacks, this means that this new MDI QKD system will show great security overall.

Categorical composable cryptographyAnne Broadbent (University of Ottawa); Martti Karvonen (University of Ottawa)[abstract]Abstract: In arXiv:2105.05949, we initiate a categorical study of composable security definitions in cryptography. We formalize the simulation paradigm of cryptography in terms of category theory and show that protocols secure against abstract attacks form a symmetric monoidal category, thus giving an abstract model of composable security definitions in cryptography. Our model is able to incorporate computational security, setup assumptions and various attack models such as colluding or independently acting subsets of adversaries in a modular, flexible fashion. Amongst other benefits, the categorical language allows using string diagrams to prove results cryptographically: in particular, we can promote "figures illustrating the proof" found in the cryptographic literature into honest proofs.

Software tool for the performance evaluation of satellite quantum key distribution linksAndrea Stanco (Università degli Studi di Padova); Giulio Foletto (Università degli Studi di Padova); Alessia Scriminich (Università degli Studi di Padova); Lorenzo Dal Corso (Qascom S.r.l.); Luca Canzian (Qascom S.r.l.); Francesco Petroni (Sitael S.p.A.); Giuseppe Piscopiello (Sitael S.p.A.); Gilles Mariotti (Sitael S.p.A.); Luca De Filippis (Sitael S.p.A.); Giuseppe Vallone (Università degli Studi di Padova); Paolo Villoresi (Università degli Studi di Padova)[abstract]Abstract: The 18month project called PROtocols for Space sEcure Quantum cOmmunication (PROSEQO), funded by the European Space Agency, was coordinated by the University of Padova with Sitael and Qascom as industrial partners. The scope of the project was to assess the protocols feasible for Satellite QKD and then realize an analytical model to describe all the elements that contribute to the Secret Key Rate (SKR). The analytical model was integrated in a dedicated software able to get several input parameters and orbit descriptions and calculate the final SKR. The software was tested in 10 different case studies. Therefore, this can be a useful tool for future Satellite QKD missions as a preliminary step to evaluate mission feasibility. It could also be the starting point for a numerical overview on the practicability of a satellite QKD infrastructure.

A QuantumProver Interactive Proof for Simon's ProblemSamuel Ducharme (Université de Montréal)[abstract]Abstract: Simon's problem is one of the few blackbox problems known to be in BQP but not in BPP. Although Simon's algorithm can be used to solve this problem efficiently, it isn't so easy for someone with access to a largescale quantum computer (the prover) to convince someone whose computing power is in BPP (the verifier) of the validity of their computation. I present an interactive protocol that aims to accomplish this goal if the verifier has access to a quantum computer with a constant number of qubits. This protocol adapts some of the known techniques using quantum authentication schemes for nonblackbox problems. It also uses a novel technique that consists of randomly doing “trap rounds” that are similar to Simon's algorithm iterations but instead ask the prover to call the blackbox function on a randomlygenerated polynomialsize superposition state chosen so that the verifier can detect the prover's attempts at cheating.

ActivelyStabilised VariableAsymmetry MachZehnder Interferometer for QKD Device CharacterisationSophie Albosh (University of York and National Physical Laboratory); T.P. Spiller (University of York); C.J. Chunnilall (National Physical Laboratory)[abstract]Abstract: Please see the attached pdf version of the extended abstract.

Preparing Indistinguishable States for a PrepareandMeasure BB84 PolarizationBased Decoy State QKD Protocol Using Three FPGADriven LEDsDaniel SanchezRosales (Ohio State University); Roderick D. Cochran (Ohio State University); Daniel J. Gauthier (Ohio State University)[abstract]Abstract: Quantum key distribution (QKD) systems provide a method for two users to exchange a provably secure key that can be used to securely exchange a cryptographic key. In prepareandmeasure QKD protocols, the indistinguishability of states is an important aspect for preventing sidechannel attacks. Here we consider the indistinguishability of states in a prepareandmeasure threestate BB84 polarizationbased decoy state protocol using lightemitting diodes (LEDs). In addition, our system is designed to operate under size, weight, and power (SWaP) restrictions such as that needed for dronebased QKD. Our setup uses three separate LEDs driven by a fieldprogrammable gate array (FPGA) that go through different optical paths that set the state of polarization. Each LED is connected to two GPIO pins via a different resistive path. By setting one pin to high impedance and driving the other with a nanosecondscale electrical signal, we can choose between signal and decoy states. We can thus send 3 signal states, 3 decoy states, and 3 vacuum states, using only 3 separate sources driven by a single lowcost and lightweight FPGA. We must guarantee that these sources are indistinguishable from each other in the spatial, spectral, and temporal degreesoffreedom on the photon. We make them nearly indistinguishable by passing the 3 photonic wavepackets through the same singlemode fiber and 1nmbandwith spectral filter, and use dynamic shifting of the FPGA phaselockedloops to control the phase and the width of the electrical pulses that drive the LEDs, which allows us to control the optical pulses produced by the LEDs. We control the timing of the photonic wavepackets to a resolution of 250 ps. To quantify spectral indistinguishability, we measure filtered spectra for all states, which are overlaid in Fig. 1a, and find that their overlap is 94.6%. To measure the temporal indistinguishability, we drive a single LED with a 10 ns wide electrical signal at a repetition rate of 12.5 MHz. The resulting photonic wavepacket is measured by a singlephoton detector whose electrical output is measured by a timetodigital converter and histogrammed. The temporal waveforms of all 6 states are overlaid and shown in Fig. 1b with a measured overlap of 97.1%.

A Quantum Key Distribution Testbed using a PlugandPlay Telecomwavelength SinglePhoton SourceTimm Kupko (TU Berlin); Lucas Rickert (TU Berlin); Felix Urban (TU Berlin); Jan Große (TU Berlin); Nicole Srocka (TU Berlin); Sven Rodt (TU Berlin); Anna Musial (Wroclaw University); Kinga Zolnacz (Wroclaw University); Pawel Mergo (Marie Curie Sklodowska University); Kamil Dybka (Fibrain Sp. z o.o.); Waclaw Urbanczyk (Wroclaw University); Grzegorz Sek (Wroclaw University); Sven Burger (Zuse Institute Berlin); Stephan Reitzenstein (TU Berlin); Tobias Heindel (TU Berlin)[abstract]Abstract: Deterministic solidstate quantum light sources are key building blocks in photonic quantum technologies. While several proofofprinciple experiments of quantum communication using such sources have been realized, all of them required bulky setups. Here, we evaluate for the first time the performance of a compact and standalone fibercoupled singlephoton source emitting in the telecom Oband (1321nm) for its application in quantum key distribution (QKD). For this purpose, we developed a compact 19” rack module including a deterministically fibercoupled quantum dot singlephoton source integrated into a Stirling cryocooler, a pulsed diode laser for driving the quantum dot, and a fiberbased spectral filter. We further employed this compact quantum light source in a QKD testbed designed for polarization coding via the BB84 protocol resulting in g20 = 0.10+\0.01 and a raw key rate of up to 4.72(13)kHz using an external laser for excitation. In this setting we investigate the achievable performance expected in full implementations of QKD. Using 2D temporal filtering on receiver side, we evaluate optimal parameter settings for different QKD transmission scenarios taking also finite key size effects into account. Using optimized parameter sets for the temporal acceptance time window, we predict a maximal tolerable loss of 23.19dB. Finally, we compare our results to previous QKD systems using quantum dot singlephoton sources. Our study represents an important step forward in the development of fiberbased quantumsecured communication networks exploiting subPoissonian quantum light sources.

QuNet: Mobile FreeSpace Quantum Communication SystemChristopher Spiess (Fraunhofer IOF); Sebastian Toepfer (Fraunhofer IOF); Sakshi Sharma (Fraunhofer IOF); Thomas Grafenauer (AIT Austrian Institute of Technology GmbH); Roland Lieger (AIT Austrian Institute of Technology GmbH); Bernhard Ömer (AIT Austrian Institute of Technology GmbH); Stefan Petscharnig (AIT Austrian Institute of Technology GmbH); Manuel Warum (AIT Austrian Institute of Technology GmbH); Christoph Pacher (AIT Austrian Institute of Technology GmbH); Andrej Krzic (Fraunhofer IOF); Gregor Sauer (Fraunhofer IOF); Matthias Goy (Fraunhofer IOF); René Berlich (Fraunhofer IOF); Teresa Kopf (Fraunhofer IOF); Thomas Peschel (Fraunhofer IOF); Christoph Damm (Fraunhofer IOF); Aoife Brady (Fraunhofer IOF); Daniel Rieländer (Fraunhofer IOF); Fabian Steinlechner (Fraunhofer IOF)[abstract]Abstract: We report on a portable quantum communication platform and its application in quantum key distribution over a terrestrial freespace link. We outline on the complete chain from an efficient fieldready entangled photon source and custommade mirror telescopes with adaptive optics for efficient link transmission to autonomous timing synchronization of detection events and subsequent secure key extraction.

FiniteKey Analysis of Quantum Key Distribution using Entropy AccumulationThomas Van Himbeeck (University of Toronto & Waterloo); Jie Lin (University of Waterloo); Ian George (University of Illinois); Kun Fang (Baidu Research); Norbert Lütkenhaus (University of Waterloo)[abstract]Abstract: The pursuit of tight finitekey analysis for general QKD protocols is an exciting but challenging task for theorists. Entropy accumulation theorem (EAT) was developed recently and been successfully applied to deviceindependent QKD protocols. In the present work, we use EAT to prove the security of a very large class of entanglementbased QKD protocols, covering most discretevariable protocols as well as their optical implementations.

Clock recovery for a CVQKD systemHouMan Chin (TECHNICAL UNIVERSITY OF DENMARK); Nitin Jain (TECHNICAL UNIVERSITY OF DENMARK); Ulrik L. Andersen (TECHNICAL UNIVERSITY OF DENMARK); Tobias Gehring (TECHNICAL UNIVERSITY OF DENMARK); Darko Zibar (TECHNICAL UNIVERSITY OF DENMARK)[abstract]Abstract: This work experimentally investigates a clock recovery algorithm’s performance for a gaussian modulated CVQKD system operating over 20km of fibre using a frequency multiplexed classical signal.

Quantum Key Distribution with Characterized Source DefectsShlok Nahar (University of Waterloo); Norbert Lütkenhaus (University of Waterloo)[abstract]Abstract: We develop general tools to be able to numerically calculate key rates for quantum key distribution protocols with characterized source defects. These tools include performing decoystate analysis for optical protocols where the signal states are not fully phaserandomised. We apply these tools for the threestate protocol when the signal states are not fully phaserandomised due to a high repetition rate. Our results suggest that the small amounts of residual coherences do not greatly affect the key rate.

Robust Interior Point Method for Quantum Key Distribution Rate ComputationHao Hu (Department of Combinatorics and Optimization, Faculty of Mathematics, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1); Jiyoung Im (Department of Combinatorics and Optimization, Faculty of Mathematics, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1); Jie Lin (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1); Norbert Lütkenhaus (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1); Henry Wolkowicz (Department of Combinatorics and Optimization, Faculty of Mathematics, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1)[abstract]Abstract: Security proof methods for quantum key distribution, QKD, that are based on the numerical key rate calculation problem, are powerful in principle. However, the practicality of the methods are limited by computational resources and the efficiency and accuracy of the underlying algorithms for convex optimization. We derive a stable reformulation of the convex nonlinear semidefinite programming, SDP, model for the key rate calculation problems. We use this to develop an efficient, accurate algorithm. The reformulation is based on novel forms of facial reduction, FR, for both the linear constraints and nonlinear relative entropy objective function. This allows for a GaussNewton type interiorpoint approach that avoids the need for perturbations to obtain strict feasibility, a technique currently used in the literature. The result is high accuracy solutions with theoretically proven lower bounds for the original QKD from the FR stable reformulation. This provides novel contributions for FR for general SDP. We report on empirical results that dramatically improve on speed and accuracy, as well as solving previously intractable problems.

Information Rates with Non Ideal Photon Detectors in TimeEntanglement Based QKDDunbar Birnie (Rutgers University); Emina Soljanin (Rutgers University); Chris Cheng (Rutgers University)[abstract]Abstract: We consider QKD based on time entangled photons, with detectors that exhibit timing jitter and detector downtime. Timing jitter introduces local errors, necessitating key reconciliation. The detector downtime introduces memory which results in key bits that are not uniformly random. Both effects cause key rate loss. We focus on detector downtime and develop a method to compute the key rate loss.

Reducing Network Cooling Cost using TwinField Quantum Key DistributionVasileios Karavias (University of Cambridge); Andrew Lord (BT); Mike Payne (University of Cambridge)[abstract]Abstract: Improving the rates and distances over which quantum secure keys are generated is a major challenge. New source and detector hardware can improve key rates significantly, however it can require expensive cooling. We show that TwinField Quantum Key Distribution (TFQKD) has an advantageous topology allowing the localisation of cooled detectors. This setup for a quantum network allows a fully connected network solution, i.e. one where every connection has nonzero key rates, in a box with sides of length up to 110km with just 4 cooled nodes, while Decoy state BB84 is only capable of up to 80km with 40 cooled nodes, and 50km if no nodes are cooled. The average key rate in the network of the localised, cooled TFQKD is >30 times greater than the uncooled Decoy BB84 solution and ∼0.9 those of cooled Decoy BB84. To reduce the cost of the network further, switches can be used in the network. These switches have losses ranging between 1−2dB. Adding these losses to the model shows further the advantages of TFQKD in a network. Decoy BB84 is only able to generate fully connected solutions up to 20km if all nodes are cooled for a 40 node network for 1dB losses. In comparison, using TFQKD, 70km networks are possible with just 4 cooling locations for the same losses. The simulation shows the significant benefits in using TFQKD in a switched network, and suggests that further work in this direction is necessary.

A trustless decentralized protocol for distributed consensus of public quantum random numbersLac Nguyen (Physics Department, Stevens Institute of Technology, 1 Castle Point Terrace, Hoboken, NJ 07030, USA); Jeevanandha Ramanathan (Physics Department, Stevens Institute of Technology, 1 Castle Point Terrace, Hoboken, NJ 07030, USA); Michelle Mei Wang (Physics Department, Stevens Institute of Technology, 1 Castle Point Terrace, Hoboken, NJ 07030, USA); Yong Meng Sua (Physics Department, Stevens Institute of Technology, 1 Castle Point Terrace, Hoboken, NJ 07030, USA); Yuping Huang (Physics Department, Stevens Institute of Technology, 1 Castle Point Terrace, Hoboken, NJ 07030, USA)[abstract]Abstract: Quantum random number generators (QRNGs) provide intrinsic unpredictability originating from fundamental quantum mechanics. Most demonstrations focus on creating a selftested, deviceindependent generator to retain genuineness from imperfect implementations. However, these efforts benefit only individual users, not beacon users. The difference is, QRNG users have physical access to their own trustless devices while beacon users only receive numbers broadcasted from a centralized source of randomness. Thus, in applications where multiple participants need a common set of RNs,they are obligated to trust the honesty of QRNG manufacturers, or a third party, and security of the communication. In this paper, we introduce the first consensus protocol that produces QRNs ina decentralized environment (dQRNG) where all N users can contribute in the generation process and verify the randomness of numbers they collect. Security of the protocol is guaranteed given(N1) dishonest participants. We realize our protocol by performing a proofofprinciple experiment with four players.

Onetime memory from isolated Majorana islandsSourav Kundu (University of Southern California); Ben Reichardt (University of Southern California)[abstract]Abstract: We know that classical onetime memory is a cryptographic primitive which is sufficient to construct both classical onetime programs and quantum onetime programs. We propose a construction of onetime memory (OTM) from isolated Majorana islands. The proposed 1outof2 OTM stores two bits, wherein any one chosen bit can be perfectly obtained, whereas the other bit is destroyed with high probability. We prove that a malicious recipient performing an arbitrary sequence of strong and weak measurements can not obtain more information than an honest recipient performing only strong measurements. We show that errors on the two stored bits can be corrected by a pair of classical codes obtained from a quantum CSS code. We compare several popular CSS codes and obtain the best codes for different regimes of physical error rate, availability of chosen bit and availability of remaining bit. Finally, we show that the construction for 1/2 OTMs can be generalized into efficient constructions for 1/n OTMs and (n−1)/n OTMs.

New Quantum Source for satellitebased QKD.Sungeun (Paul) Oh (University of Waterloo)[abstract]Abstract: Canada has recently begun to work on the satellitebased QKD project, known as Quantum Encryption and Science Satellite (QEYSSat) mission. Its first satellite launch is expected in the year of 2023. As I am involved in this mission, I would like to introduce the new quantum source that is currently in the progress of development. The aim was to develop a quantum source for the entanglementbased QKD that can sufficiently overcome the current distance limits. By introducing some of the important criteria for building the source, I will explain what has been achieved, then how this in the end will take us one step further toward the future quantum network.

Tight Bounds for Inverting Permutations via Compressed Oracle ArgumentsAnsis Rosmanis (Nagoya University)[abstract]Abstract: In his seminal work on recording quantum queries [Crypto 2019], Zhandry studied interactions between quantum query algorithms and the quantum oracle corresponding to random functions. Zhandry presented a framework for interpreting various states in the quantum space of the oracle that can be used to provide security proofs in quantum cryptography. In this paper, we introduce a similar interpretation for the case when the oracle corresponds to random permutations instead of random functions. Because both random functions and random permutations are highly significant in security proofs, we hope that the present framework will find applications in quantum cryptography. Additionally, we show how this framework can be used to prove that the success probability for a kquery quantum algorithm that attempts to invert a random Nelement permutation is at most O(k^2/N).

Towards a relationship between single photon nature and randomnessVardaan Mongia (Physical Research Laboratory); Satyajeet Patil (Physical Research Laboratory); Ayan Biswas (Physical Research Laboratory); RP Singh (Physical Research Laboratory)[abstract]Abstract: Quantum Random Number Generators (QRNGs) are an integral part of cryptography. In this work, we exploit the relationship between the quality of randomness of discrete variable QRNGs(minentropy(X)) and the quality of single photon source from SPDC sources (secondorder correlation: g(2)(0)). This work provides another stitch between the two fields of information theory and quantum optics. We show the variation of the two parameters (minentropy(X)) and b(=1 g(2)(0)) on various grounds, say, variation with orbital angular momentum (OAM) of the spatial mode, with time delay, etc. We propose a relationship between minentropy(X) and g(2)(0) and also give a physical significance to minentropy(X).

Unidimensional twoway continuousvariable quantum key distributionnYiming Bian (BUPT); Luyu Huang (BUPT); Yichen Zhang (BUPT)[abstract]Abstract: We report a unidimensional twoway continuousvariable quantum key distribution protocol, which shows the potential of secure communication with simple modulation method in noisy situations.

Building A Twomode Squeezed Vacuum Source for Quantum CommunicationsIgor Konieczniak (University of York); Rupesh Kumar (University of York); Tim Spiller (University of York)[abstract]Abstract: Abstract A TwoMode Squeezed Vacuum (TMSV) is a quantum resource proven useful in several aplications in Quantum Technology, one of them being Quantum Key Distribution (QKD). Here we report the building of a TMSV source for use in QKD. Our system will comprise of two OPO, with its squeezed vacuum outputs combined in a balanced beam splitters. Active controls are employed for cavities stabilization, squeezing phase lock and relative phase lock between squeezed fields. The new cavity for the first OPO was designed and is in operation. Our target is to obtain 13 dB of corrected squeezing for the amplitude quadrature and a combined Duan inequality violation of up to 10 dB. We will show the status and our more recent results towards those goals.

Allphotonic twoway quantum repeaters with multiplexing based on concatenated bosonic and discretevariable quantum codesFilip Rozpedek (Pritzker School of Molecular Engineering, University of Chicago); Kaushik P. Seshadreesan (James C. Wyant College of Optical Sciences, University of Arizona); Liang Jiang (Pritzker School of Molecular Engineering, University of Chicago); Saikat Guha (James C. Wyant College of Optical Sciences, University of Arizona)[abstract]Abstract: We propose a novel strategy of using the GottesmanKitaevPreskill (GKP) code in a twoway repeater architecture with multiplexing. The crucial feature of the GKP code that we make use of, is the fact that GKP qubits easily admit deterministic twoqubit gates, hence allowing for deterministic entanglement swapping. Furthermore, thanks to the availability of the analog information generated during the measurement of the GKP qubits, we can design better entanglement swapping procedures between the multiplexed elementary links. To boost the lossresilience of our encoded qubits, we consider a concatenation of the GKP code with the discrete variable [[7,1,3]] code which has already proven effective in the context of quantum repeater schemes. We find that our architecture allows for highrate neardeterministic endtoend entanglement generation with much larger repeater spacing than for the previously considered errorcorrection based repeater schemes.

An Opensource Software Platform for Numerical Key Rate Calculation of General Quantum Key Distribution ProtocolsWenyuan Wang (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Jie Lin (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Ian George (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Twesh Upadhyaya (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Adam Winick (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Shlok A. Nahar (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); KaiHong Li (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Kun Fang (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Natansh Mathur (India Institute of Technology Roorkee); John Burniston (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Max Chemtov (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Shahabeddin M. Aslmarand (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Yanbao Zhang (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo; NTT Basic Research Laboratories and NTT Research Center for Theoretical Quantum Physics, NTT Corporation); Christopher Boehm (University of Freiburg); Patrick Coles (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Norbert Lütkenhaus (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo)[abstract]Abstract: In this work, we present an opensource software platform that calculates key rate for general QKD protocols, building upon the numerical framework proposed by our group that can perform automated security proof of QKD protocols. The software platform is fully modularized with mutually independent modules for descriptions of protocols/channels, solvers for bounding key rate, and parameter optimization algorithms. It currently supports BB84 and measurementdeviceindependent QKD (including decoy states), as well as discretemodulated continuous variable QKD. It also supports finitesize analysis for nondecoystate protocols. We hope that the opensourcing can attract theorists to test new protocols and/or contribute to new solvers, as well as appeal to experimentalists who wish to analyze their data or optimize parameters for new experiments.

Satellitebased QKD: Mission Design, LinkBudgets and KeyRatesManuel Erhard (Quantum Technology Laboratories GmbH); Armin Hochrainer (Quantum Technology Laboratories GmbH); Johannes Handsteiner (Quantum Technology Laboratories GmbH); Matthias Fink (Quantum Technology Laboratories GmbH); Thomas Herbst (Quantum Technology Laboratories GmbH); Henning Weier (Quantum Technology Laboratories GmbH); Thomas Scheidl (Quantum Technology Laboratories GmbH)[abstract]Abstract: Quantum Key Distribution (QKD) is a fast growing scientific as well as commercial field. Governments as well as private businesses seek for enhanced security solutions that can withstand future hacking attacks on classical cryptographic protocols. Today, there exists a vast amount of different QKD protocols that claim to offer “unconditional” security. However, looking in more detail many subtleties lead to different security levels, or in worstcase scenarios to no security at all. Thus, it is of upmost importance to appropriately select and design QKD protocols and networks. In this work (presented as a poster), we present and compare three different QKD protocols, concerning their security, keyrate performance, and applicability especially for satellitebased QKD networks. Our main results from this study are presented and we introduce the key requirements and the basic workflow of the design and optimization of a trustednode based and free European QKD network. Finally, realistic satellite missions and their expected secure key rates in various situations are presented.

Numerical Security Proof for DecoyState BB84 and MeasurementDeviceIndependent QKD Resistant against Large Basis MisalignmentWenyuan Wang (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo); Norbert Lütkenhaus (Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo)[abstract]Abstract: In this work, we incorporate decoystate analysis into a wellestablished numerical framework for key rate calculation, and apply the numerical framework to decoystate BB84 and measurementdeviceindependent (MDI) QKD protocols as examples. Additionally, we make use of "finegrain statistics", a variation of existing QKD protocols to make use of originally discarded data and get better key rate. We show that such variations can grant protocols resilience against any unknown and slowly changing rotation along one axis, similar to referenceframeindependent QKD, but without the need for encoding physically in an additional rotationinvariant basis. Such an analysis can easily be applied to existing systems, or even data already recorded in previous experiments, to gain significantly higher key rate when considerable misalignment is present, extending the maximum distance for BB84 and MDIQKD and reducing the need for manual alignment in an experiment.