
Despite the enormous theoretical and experimental progress made so far in
quantum key distribution (QKD), the security of most existing QKD
implementations is not rigorously established yet. A critical obstacle is that
almost all existing security proofs make ideal assumptions on the QKD devices.
Problematically, such assumptions are hard to satisfy in the experiments, and
therefore it is not obvious how to apply such security proofs to practical QKD
systems. Fortunately, any imperfections and securityloopholes in the
measurement devices can be perfectly closed by measurementdeviceindependent
QKD (MDIQKD), and thus we only need to consider how to secure the source
devices. Among imperfections in the source devices, correlations between the
sending pulses are one of the principal problems. In this paper, we consider a
settingchoiceindependent correlation (SCIC) framework in which the sending
pulses can present arbitrary correlations but they are independent of the
previous setting choices such as the bit, the basis and the intensity settings.
Within the framework of SCIC, we consider the dominant fluctuations of the
sending states, such as the relative phases and the intensities, and provide a
selfcontained information theoretic security proof for the losstolerant QKD
protocol in the finitekey regime. We demonstrate the feasibility of secure
quantum communication within a reasonable number of pulses sent, and thus we
are convinced that our work constitutes a crucial step toward guaranteeing
implementation security of QKD.

Security proofs of quantum key distribution (QKD) typically assume that the
devices of the legitimate users are perfectly shielded from the eavesdropper.
This assumption is, however, very hard to meet in practice, and thus the
security of current QKD implementations is not guaranteed. Here, we fill this
gap by providing a finitekey security analysis for QKD which is valid against
arbitrary information leakage from the state preparation process of the
legitimate users. For this, we extend the techniques introduced in (New J.
Phys. 18, 065008, (2016)) to the finitekey regime, and we evaluate the
security of a leaky decoystate BB84 protocol with biased basis choice, which
is one of the most implemented QKD schemes today. Our simulation results
demonstrate the practicability of QKD over long distances and within a
reasonable time frame given that the legitimate users' devices are sufficiently
isolated.

In recent years, there has been a great effort to prove the security of
quantum key distribution (QKD) with a minimum number of assumptions. Besides
its intrinsic theoretical interest, this would allow for larger tolerance
against device imperfections in the actual implementations. However, even in
this deviceindependent scenario, one assumption seems unavoidable, that is,
the presence of a protected space devoid of any unwanted information leakage in
which the legitimate parties can privately generate, process and store their
classical data. In this paper we relax this unrealistic and hardly feasible
assumption and introduce a general formalism to tackle the information leakage
problem in most of existing QKD systems. More specifically, we prove the
security of optical QKD systems using phase and intensity modulators in their
transmitters, which leak the setting information in an arbitrary manner. We
apply our security proof to cases of practical interest and show key rates
similar to those obtained in a perfectly shielded environment. Our work
constitutes a fundamental step forward in guaranteeing implementation security
of quantum communication systems.

Several quantum key distribution (QKD) protocols employ iterative sifting.
After each quantum transmission round, Alice and Bob disclose part of their
setting information (including their basis choices) for the detected signals.
The quantum phase of the protocol then ends when the numbers of detected
signals per basis exceed certain preagreed threshold values. Recently,
however, Pfister et al. [New J. Phys. 18 053001 (2016)] showed that iterative
sifting makes QKD insecure, especially in the finite key regime, if the
parameter estimation for privacy amplification uses the random sampling theory.
This implies that a number of existing finite key security proofs could be
flawed and cannot guarantee security. Here, we solve this serious problem by
showing that the use of Azuma's inequality for parameter estimation makes QKD
with iterative sifting secure again. This means that the existing protocols
whose security proof employs this inequality remain secure even if they employ
iterative sifting. Also, our results highlight a fundamental difference between
the random sampling theorem and Azuma's inequality in proving security.

We show the informationtheoretic security proof of the
differentialphaseshift (DPS) quantum key distribution (QKD) protocol based on
the complementarity approach [arXiv:0704.3661 (2007)]. Our security proof
provides a slightly better key generation rate compared to the one derived in
the previous security proof in [arXiv:1208.1995 (2012)] that is based on the
ShorPreskill approach [Phys. Rev. Lett. ${\bf 85}$, 441 (2000)]. This
improvement is obtained because the complementarity approach can employ more
detailed information on Alice's sending state in estimating the leaked
information to an eavesdropper. Moreover, we remove the necessity of the
numerical calculation that was needed in the previous analysis to estimate the
leaked information. This leads to an advantage that our security proof enables
us to evaluate the security of the DPS protocol with any block size. This paper
highlights one of the fundamental differences between the ShorPreskill and the
complementarity approaches.

The differentialphaseshift (DPS) quantum key distribution (QKD) protocol
was proposed aiming at simple implementation, but it can tolerate only a small
disturbance in a quantum channel. The roundrobin DPS (RRDPS) protocol could be
a good solution for this problem, which in fact can tolerate even up to $50\%$
of a bit error rate. Unfortunately, however, such a high tolerance can be
achieved only when we compromise the simplicity, i.e., Bob's measurement must
involve a large number of random delays ($\mathcal{R}$ denotes its number),
and in a practical regime of $\mathcal{R}$ being small, the tolerance is low.
In this paper, we propose a new DPS protocol to achieve a higher tolerance than
the one in the original DPS protocol, in which the measurement setup is less
demanding than the one of the RRDPS protocol for the high tolerance regime. We
call the new protocol the smallnumberrandom DPS (SNRDPS) protocol, and in
this protocol, we add only a small amount of randomness to the original DPS
protocol, i.e., $2\leq\mathcal{R}\leq10$. In fact, we found that the
performance of the SNRDPS protocol is significantly enhanced over the original
DPS protocol only by employing a few additional delays such as
$\mathcal{R}=2$. Also, we found that the key generation rate of the SNRDPS
protocol outperforms the RRDPS protocol without monitoring the bit error rate
when it is less than $5\%$ and $\mathcal{R}\leq10$. Our protocol is an
intermediate protocol between the original DPS protocol and the RRDPS protocol,
and it increases the variety of the DPStype protocols with quantified
security.

Quantum digital signatures apply quantum mechanics to the problem of
guaranteeing message integrity and nonrepudiation with informationtheoretical
security, which are complementary to the confidentiality realized by quantum
key distribution. Previous experimental demonstrations have been limited to
transmission distances of less than 5km of optical fiber in a laboratory
setting. Here we report the first demonstration of quantum digital signatures
over installed optical fiber as well as the longest transmission link reported
to date. This demonstration used a 90km long differential phase shift quantum
key distribution system to achieve approximately one signed bit per second  an
increase in the signature generation rate of several orders of magnitude over
previous optical fiber demonstrations.

Recently, a new type of quantum key distribution, called the roundrobin
differential phaseshift (RRDPS) protocol [Nature 509, 475 (2014)], was
proposed, where the security can be guaranteed without monitoring any
statistics. In this Letter, we investigate source imperfections and
sidechannel attacks on the source of this protocol. We show that only three
assumptions are needed for the security, and no detailed characterizations of
the source or the sidechannel attacks are needed. This high robustness is
another striking advantage of the RRDPS protocol over other protocols.

Many quantum key distribution (QKD) protocols require random choice of
measurement basis for each pulse or each train of pulses. In some QKD
protocols, such as the RoundRobin Differential Phase Shift (RRDPS) QKD
protocol, this requirement is a bit challenging as randomly choosing hundreds
of settings for every, say, 100 pulses may be too fast with current
technologies. In this paper, we solve this issue by proving the security of QKD
protocols with slow basis choice without compromising the secret key rate. We
also show that the random choice of the bases for the state preparation can be
made slow if the signals do not leak any information on the basis. Examples of
QKD protocols that our technique can apply include the RRDPS protocol and
BB84type protocols, and our technique relaxes demands for the implementation
of QKD systems.

Although quantum key distribution (QKD) is theoretically secure, there is a
gap between the theory and practice. In fact, reallife QKD may not be secure
because component devices in QKD systems may deviate from the theoretical
models assumed in security proofs. To solve this problem, it is necessary to
construct the security proof under realistic assumptions on the source and
measurement unit. In this paper, we prove the security of a QKD protocol under
practical assumptions on the source that accommodate fluctuation of the phase
and intensity modulations. As long as our assumptions hold, it does not matter
at all how the phase and intensity distribute nor whether or not their
distributions over different pulses are independently and identically
distributed (I.I.D.). Our work shows that practical sources can be safely
employed in QKD experiments.

Since the invention of BennettBrassard 1984 (BB84) protocol, many quantum
key distribution (QKD) protocols have been proposed and some protocols are
operated even in field environments. One of the striking features of QKD is
that QKD protocols are provably secure unlike cryptography based on
computational complexity assumptions. It has been believed that, to guarantee
the security of QKD, Alice and Bob have to monitor the statistics of the
measurement outcomes which are used to determine the amount of the privacy
amplification to generate a key. Recently a new type of QKD protocol, called
round robin differential phase shift (RRDPS) protocol, was proposed, and
remarkably this protocol can generate a key without monitoring any statistics
of the measurement outcomes. Here we report an experimental realization of the
RRDPS protocol. We used a setup in which Bob randomly chooses one from four
interferometers with different pulse delays so that he could implement phase
difference measurements for all possible combinations with fivepulse timebin
states. Using the setup, we successfully distributed keys over 30 km of fiber,
making this the first QKD experiment that does not rely on signal disturbance
monitoring.

Secure communication plays a crucial role in the Internet Age. Quantum
mechanics may revolutionise cryptography as we know it today. In this Review
Article, we introduce the motivation and the current state of the art of
research in quantum cryptography. In particular, we discuss the present
security model together with its assumptions, strengths and weaknesses. After a
brief introduction to recent experimental progress and challenges, we survey
the latest developments in quantum hacking and countermeasures against it.

Quantum key distribution promises unconditionally secure communications.
However, as practical devices tend to deviate from their specifications, the
security of some practical systems is no longer valid. In particular, an
adversary can exploit imperfect detectors to learn a large part of the secret
key, even though the security proof claims otherwise. Recently, a practical
approachmeasurementdeviceindependent quantum key distributionhas been
proposed to solve this problem. However, so far its security has only been
fully proven under the assumption that the legitimate users of the system have
unlimited resources. Here we fill this gap and provide a rigorous security
proof against general attacks in the finitekey regime. This is obtained by
applying large deviation theory, specifically the Chernoff bound, to perform
parameter estimation. For the first time we demonstrate the feasibility of
longdistance implementations of measurementdeviceindependent quantum key
distribution within a reasonable timeframe of signal transmission.

In recent years, the gap between theory and practice in quantum key
distribution (QKD) has been significantly narrowed, particularly for QKD
systems with arbitrarily awed optical receivers. The status for QKD systems
with imperfect light sources is however less satisfactory, in the sense that
the resulting secure key rates are often overlydependent on the quality of
state preparation. This is especially the case when the channel loss is high.
Very recently, to overcome this limitation, Tamaki et al proposed a QKD
protocol based on the socalled rejected data analysis, and showed that its
securityin the limit of infinitely long keysis almost independent of any
encoding flaw in the qubit space, being this protocol compatible with the decoy
state method. Here, as a step towards practical QKD, we show that a similar
conclusion is reached in the finitekey regime, even when the intensity of the
light source is unstable. More concretely, we derive security bounds for a wide
class of realistic light sources and show that the bounds are also efficient in
the presence of high channel loss. Our results strongly suggest the feasibility
of long distance provablysecure communication with imperfect light sources.

The timereversed version of entanglementbased quantum key distribution
(QKD), called measurementdeviceindependent QKD (mdiQKD), was originally
introduced to close arbitrary security loopholes of measurement devices. Here
we show that the mdiQKD has another advantage which should be distinguished
from the entanglementbased QKD. In particular, an allphotonic adaptive Bell
measurement, based on the concept of quantum repeaters, can be installed solely
in the mdiQKD, which leads to a square root improvement in the key rate. This
Bell measurement also provides a similar improvement in the singlephotonbased
entanglement generation of quantum repeaters.

The measurementdeviceindependent quantum key distribution (MDI QKD) was
proposed to make BB84 completely free from any sidechannel in detectors. Like
in prepare & measure QKD, the use of other protocols in MDI setting would be
advantageous in some practical situations. In this paper, we consider SARG04
protocol in MDI setting. The prepare & measure SARG04 is proven to be able to
generate a key up to twophoton emission events. In MDI setting we show that
the key generation is possible from the event with single or twophoton
emission by a party and singlephoton emission by the other party, but the
twophoton emission event by both parties cannot contribute to the key
generation. On the contrary to prepare & measure SARG04 protocol where the
experimental setup is exactly the same as BB84, the measurement setup for
SARG04 in MDI setting cannot be the same as that for BB84 since the measurement
setup for BB84 in MDI setting induces too many bit errors. To overcome this
problem, we propose two alternative experimental setups, and we simulate the
resulting key rate. Our study highlights the requirements that MDI QKD poses on
us regarding with the implementation of a variety of QKD protocols.

We propose a method for generating highfidelity multipartite
spinentanglement of ultracold atoms in an optical lattice in a short operation
time with a scalable manner, which is suitable for measurementbased quantum
computation. To perform the desired operations based on the perturbative
spinspin interactions, we propose to actively utilize the extra degrees of
freedom (DOFs) usually neglected in the perturbative treatment but included in
the Hubbard Hamiltonian of atoms, such as, (pseudo)charge and orbital DOFs.
Our method simultaneously achieves high fidelity, short operation time, and
scalability by overcoming the following fundamental problem: enhancing the
interaction strength for shortening operation time breaks the perturbative
condition of the interaction and inevitably induces unwanted correlations among
the spin and extra DOFs.

In principle, quantum key distribution (QKD) offers unconditional security
based on the laws of physics. In practice, flaws in the state preparation
undermine the security of QKD systems, as standard theoretical approaches to
deal with state preparation flaws are not losstolerant. An eavesdropper can
enhance and exploit such imperfections through quantum channel loss, thus
dramatically lowering the key generation rate. Crucially, the security analyses
of most existing QKD experiments are rather unrealistic as they typically
neglect this effect. Here, we propose a novel and general approach that makes
QKD losstolerant to state preparation flaws. Importantly, it suggests that the
state preparation process in QKD can be significantly less precise than
initially thought. Our method can widely apply to other quantum cryptographic
protocols.

Quantum communication holds promise for unconditionally secure transmission
of secret messages and faithful transfer of unknown quantum states. Photons
appear to be the medium of choice for quantum communication. Owing to photon
losses, robust quantum communication over long lossy channels requires quantum
repeaters. It is widely believed that a necessary and highly demanding
requirement for quantum repeaters is the existence of matter quantum memories
at the repeater nodes. Here we show that such a requirement is, in fact,
unnecessary by introducing the concept of all photonic quantum repeaters based
on flying qubits. As an example of the realization of this concept, we present
a protocol based on photonic cluster state machine guns and a losstolerant
measurement equipped with local highspeed active feedforwards. We show that,
with such an all photonic quantum repeater, the communication efficiency still
scales polynomially with the channel distance. Our result paves a new route
toward quantum repeaters with efficient singlephoton sources rather than
matter quantum memories.

We propose a countermeasure against the socall tailored bright illumination
attacl dor DifferentialPhaseShift QKD (DPSQKD). By Monitoring a rate of
coincidence detection at a pair of superconducting nanowire single photon
detectors (SSPDs) which is connected at each of the output ports of Bob's
MachZehnder interferometer, Alice and Bob can detect and defeat this kind of
attack.

We derive the timedependent photodetection probability equation of a
superconducting single photon detector (SSPD) to study the responsive property
for a pulse train at high repetition rate. Using this equation, we analyze the
characteristics of SSPDs when illuminated by bright pulses in blinding attack
on a quantum key distribution (QKD). We obtain good agreement between expected
values based on our equation and actual experimental values. Such a
timedependent probability analysis contributes to security analysis.

For the realization of quantum key distribution, it is important to
investigate its security based on a mathematical model that captures properties
of the actual devices used by the legitimate users. Recently, Ferenczi, et. al.
(Phys. Rev. A 86 042327 (2012)) pointed out potential influences that the
losses in phase modulators and/or the unbalance in the transmission rate of
beam splitters may have on the security of the phaseencoded BB84 and analyzed
the security of this scheme, which is called the unbalanced BB84. In this
paper, we ask whether blindly applying the postprocessing of the balanced BB84
to the unbalanced BB84 would lead to an insecure key or not, and we conclude
that we can safely distill a secure key even with this postprocessing. It
follows from our proof that as long as the unbalances are basisindependent,
our conclusion holds even if the unbalances are unknown and fluctuate in time.

In this paper, we study the unconditional security of the socalled
measurement device independent quantum key distribution (MDIQKD) with the
basisdependent flaw in the context of phase encoding schemes. We propose two
schemes for the phase encoding, the first one employs a phase locking technique
with the use of nonphaserandomized coherent pulses, and the second one uses
conversion of standard BB84 phase encoding pulses into polarization modes. We
prove the unconditional security of these schemes and we also simulate the key
generation rate based on simple device models that accommodate imperfections.
Our simulation results show the feasibility of these schemes with current
technologies and highlight the importance of the state preparation with good
fidelity between the density matrices in the two bases. Since the
basisdependent flaw is a problem not only for MDIQKD but also for standard
QKD, our work highlights the importance of an accurate signal source in
practical QKD systems.
Note: We include the erratum of this paper in Appendix C. The correction does
not affect the validity of the main conclusions reported in the paper, which is
the importance of the state preparation in MDIQKD and the fact that our schemes
can generate the key with the practical channel mode that we have assumed.

We prove the unconditional security of coherentstatebased differential
phase shift quantum key distribution protocol (DPSQKD) with blockwise phase
randomization. Our proof is based on the conversion of DPSQKD to an equivalent
entanglementdistillation protocol where the estimated phase error rate
determines the amount of the privacy amplification. The generated final key has
a contribution from events where the sender emits two or more photons,
indicating the robustness of DPSQKD against photonnumbersplitting attacks.

We prove the unconditional security of the sixstate protocol with threshold
detectors and oneway classical communication. Unlike the fourstate protocol
(BB84), it has been proven that the squash operator for the sixstate does not
exist, i.e., the statistics of the measurements cannot be obtained via
measurement on qubits. We propose a technique to determine which photon number
states are important, and we consider a fictitious measurement on a qubit,
which is defined through the squash operator of BB84, for the better estimation
of Eve's information. As a result, we prove that the bit error rate threshold
for the sixstate protocol (12.611%) remains almost the same as the one of the
qubitbased sixstate protocol (12.619%). This clearly demonstrates the
robustness of the sixstate protocol against the use of the practical devices.