
Despite the enormous theoretical and experimental progress made so far in
quantum key distribution (QKD), the security of most existing QKD
implementations is not rigorously established yet. A critical obstacle is that
almost all existing security proofs make ideal assumptions on the QKD devices.
Problematically, such assumptions are hard to satisfy in the experiments, and
therefore it is not obvious how to apply such security proofs to practical QKD
systems. Fortunately, any imperfections and security loopholes in the
measurement devices can be perfectly closed by measurement-device-independent
QKD (MDI-QKD), and thus we only need to consider how to secure the source
devices. Among imperfections in the source devices, correlations between the
sending pulses are one of the principal problems. In this paper, we consider a
setting-choice-independent correlation (SCIC) framework in which the sending
pulses can present arbitrary correlations but they are independent of the
previous setting choices such as the bit, the basis and the intensity settings.
Within the framework of SCIC, we consider the dominant fluctuations of the
sending states, such as the relative phases and the intensities, and provide a
self-contained information-theoretic security proof for the loss-tolerant QKD
protocol in the finite-key regime. We demonstrate the feasibility of secure
quantum communication within a reasonable number of pulses sent, and thus we
are convinced that our work constitutes a crucial step toward guaranteeing
implementation security of QKD.

Security proofs of quantum key distribution (QKD) typically assume that the
devices of the legitimate users are perfectly shielded from the eavesdropper.
This assumption is, however, very hard to meet in practice, and thus the
security of current QKD implementations is not guaranteed. Here, we fill this
gap by providing a finite-key security analysis for QKD which is valid against
arbitrary information leakage from the state preparation process of the
legitimate users. For this, we extend the techniques introduced in (New J.
Phys. 18, 065008, (2016)) to the finite-key regime, and we evaluate the
security of a leaky decoy-state BB84 protocol with biased basis choice, which
is one of the most implemented QKD schemes today. Our simulation results
demonstrate the practicability of QKD over long distances and within a
reasonable time frame given that the legitimate users' devices are sufficiently
isolated.

In recent years, there has been a great effort to prove the security of
quantum key distribution (QKD) with a minimum number of assumptions. Besides
its intrinsic theoretical interest, this would allow for larger tolerance
against device imperfections in the actual implementations. However, even in
this device-independent scenario, one assumption seems unavoidable, that is,
the presence of a protected space devoid of any unwanted information leakage in
which the legitimate parties can privately generate, process and store their
classical data. In this paper we relax this unrealistic and hardly feasible
assumption and introduce a general formalism to tackle the information leakage
problem in most existing QKD systems. More specifically, we prove the
security of optical QKD systems using phase and intensity modulators in their
transmitters, which leak the setting information in an arbitrary manner. We
apply our security proof to cases of practical interest and show key rates
similar to those obtained in a perfectly shielded environment. Our work
constitutes a fundamental step forward in guaranteeing implementation security
of quantum communication systems.

The experimental characterization of multiphoton quantum interference
effects in optical networks is essential in many applications of photonic
quantum technologies, which include quantum computing and quantum communication
as two prominent examples. However, such characterization often requires
technologies which are beyond our current experimental capabilities, and
today's methods suffer from errors due to the use of imperfect sources and
photodetectors. In this paper, we introduce a simple experimental technique to
characterise multiphoton quantum interference by means of practical laser
sources and threshold single-photon detectors. Our technique is based on
well-known methods in quantum cryptography which use decoy settings to tightly
estimate the statistics provided by perfect devices. As an illustration of its
practicality, we use this technique to obtain a tight estimation of both the
generalized Hong-Ou-Mandel dip in a beamsplitter with six input photons, as
well as the three-photon coincidence probability at the output of a tritter.

Several quantum key distribution (QKD) protocols employ iterative sifting.
After each quantum transmission round, Alice and Bob disclose part of their
setting information (including their basis choices) for the detected signals.
The quantum phase of the protocol then ends when the numbers of detected
signals per basis exceed certain pre-agreed threshold values. Recently,
however, Pfister et al. [New J. Phys. 18 053001 (2016)] showed that iterative
sifting makes QKD insecure, especially in the finite key regime, if the
parameter estimation for privacy amplification uses the random sampling theory.
This implies that a number of existing finite key security proofs could be
flawed and cannot guarantee security. Here, we solve this serious problem by
showing that the use of Azuma's inequality for parameter estimation makes QKD
with iterative sifting secure again. This means that the existing protocols
whose security proof employs this inequality remain secure even if they employ
iterative sifting. Also, our results highlight a fundamental difference between
the random sampling theorem and Azuma's inequality in proving security.

Digital signatures play an important role in software distribution, modern
communication and financial transactions, where it is important to detect
forgery and tampering. Signatures are a cryptographic technique for validating
the authenticity and integrity of messages, software, or digital documents. The
security of currently used classical schemes relies on computational
assumptions. Quantum digital signatures (QDS), on the other hand, provide
information-theoretic security based on the laws of quantum physics. Recent
work on QDS shows that such schemes do not require trusted quantum channels and
are unconditionally secure against general coherent attacks. However, in
practical QDS, just as in quantum key distribution (QKD), the detectors can be
subjected to side-channel attacks, which can make the actual implementations
insecure. Motivated by the idea of measurement-device-independent quantum key
distribution (MDI-QKD), we present a measurement-device-independent QDS
(MDI-QDS) scheme, which is secure against all detector side-channel attacks.
Based on the rapid development of practical MDI-QKD, our MDI-QDS protocol could
also be experimentally implemented, since it requires a similar experimental
setup.

Quantum digital signatures (QDS) provide a means for signing electronic
communications with information-theoretic security. However, all previous
demonstrations of quantum digital signatures assume trusted measurement
devices. This renders them vulnerable against detector side-channel attacks,
just like quantum key distribution. Here, we exploit a
measurement-device-independent (MDI) quantum network, over a
200-square-kilometer metropolitan area, to perform a field test of a
three-party measurement-device-independent quantum digital signature (MDI-QDS)
scheme that is secure against any detector side-channel attack. In so doing, we
are able to successfully sign a binary message with a security level of about
1E-7. Remarkably, our work demonstrates the feasibility of MDI-QDS for
practical applications.

Detector-device-independent quantum key distribution (ddiQKD) held the
promise of being robust to detector side-channels, a major security loophole in
QKD implementations. In contrast to what has been claimed, however, we
demonstrate that the security of ddiQKD is not based on post-selected
entanglement, and we introduce various eavesdropping strategies that show that
ddiQKD is in fact insecure against detector side-channel attacks as well as
against other attacks that exploit device imperfections of the receiver. Our
attacks are valid even when the QKD apparatuses are built by the legitimate
users of the system themselves, and thus free of malicious modifications, which
is a key assumption in ddiQKD.

We demonstrate that, with a fair comparison, the secret key rate of
discrete-variable measurement-device-independent quantum key distribution
(DV-MDI-QKD) with high-efficiency single-photon detectors and good system
alignment is typically rather high and thus highly suitable for not only long
distance communication but also metropolitan networks. The previous reservation
on the key rate and suitability of DV-MDI-QKD for metropolitan networks
expressed by Pirandola et al. [Nature Photon. 9, 397 (2015)] was based on an
unfair comparison with low-efficiency detectors and high quantum bit error
rate, and is, in our opinion, unjustified.

Secure communication plays a crucial role in the Internet Age. Quantum
mechanics may revolutionise cryptography as we know it today. In this Review
Article, we introduce the motivation and the current state of the art of
research in quantum cryptography. In particular, we discuss the present
security model together with its assumptions, strengths and weaknesses. After a
brief introduction to recent experimental progress and challenges, we survey
the latest developments in quantum hacking and countermeasures against it.

Quantum key distribution promises unconditionally secure communications.
However, as practical devices tend to deviate from their specifications, the
security of some practical systems is no longer valid. In particular, an
adversary can exploit imperfect detectors to learn a large part of the secret
key, even though the security proof claims otherwise. Recently, a practical
approach, measurement-device-independent quantum key distribution, has been
proposed to solve this problem. However, so far its security has only been
fully proven under the assumption that the legitimate users of the system have
unlimited resources. Here we fill this gap and provide a rigorous security
proof against general attacks in the finite-key regime. This is obtained by
applying large deviation theory, specifically the Chernoff bound, to perform
parameter estimation. For the first time we demonstrate the feasibility of
long-distance implementations of measurement-device-independent quantum key
distribution within a reasonable timeframe of signal transmission.

In recent years, the gap between theory and practice in quantum key
distribution (QKD) has been significantly narrowed, particularly for QKD
systems with arbitrarily flawed optical receivers. The status for QKD systems
with imperfect light sources is however less satisfactory, in the sense that
the resulting secure key rates are often overly dependent on the quality of
state preparation. This is especially the case when the channel loss is high.
Very recently, to overcome this limitation, Tamaki et al. proposed a QKD
protocol based on the so-called rejected data analysis, and showed that its
security, in the limit of infinitely long keys, is almost independent of any
encoding flaw in the qubit space, this protocol being compatible with the decoy
state method. Here, as a step towards practical QKD, we show that a similar
conclusion is reached in the finite-key regime, even when the intensity of the
light source is unstable. More concretely, we derive security bounds for a wide
class of realistic light sources and show that the bounds are also efficient in
the presence of high channel loss. Our results strongly suggest the feasibility
of long distance provably secure communication with imperfect light sources.

In theory, quantum key distribution (QKD) provides information-theoretic
security based on the laws of physics. Owing to the imperfections of real-life
implementations, however, there is a big gap between the theory and practice of
QKD, which has been recently exploited by several quantum hacking activities.
To fill this gap, a novel approach, called measurement-device-independent QKD
(mdiQKD), has been proposed. It can remove all side-channels from the
measurement unit, arguably the most vulnerable part in QKD systems, thus
offering a clear avenue towards secure QKD realisations. Here, we review the
latest developments in the framework of mdiQKD, together with its assumptions,
strengths and weaknesses.

In principle, quantum key distribution (QKD) offers unconditional security
based on the laws of physics. In practice, flaws in the state preparation
undermine the security of QKD systems, as standard theoretical approaches to
deal with state preparation flaws are not loss-tolerant. An eavesdropper can
enhance and exploit such imperfections through quantum channel loss, thus
dramatically lowering the key generation rate. Crucially, the security analyses
of most existing QKD experiments are rather unrealistic as they typically
neglect this effect. Here, we propose a novel and general approach that makes
QKD loss-tolerant to state preparation flaws. Importantly, it suggests that the
state preparation process in QKD can be significantly less precise than
initially thought. Our method can widely apply to other quantum cryptographic
protocols.

Due to its ability to tolerate high channel loss, decoy-state quantum key
distribution (QKD) has been one of the main focuses within the QKD community.
Notably, several experimental groups have demonstrated that it is secure and
feasible under real-world conditions. Crucially, however, the security and
feasibility claims made by most of these experiments were obtained under the
assumption that the eavesdropper is restricted to particular types of attacks
or that the finite-key effects are neglected. Unfortunately, such assumptions
are not possible to guarantee in practice. In this work, we provide concise and
tight finite-key security bounds for practical decoy-state QKD that are valid
against general attacks.

A novel protocol, measurement-device-independent quantum key distribution
(MDI-QKD), removes all attacks from the detection system, the most vulnerable
part in QKD implementations. In this paper, we present an analysis for
practical aspects of MDI-QKD. To evaluate its performance, we study various
error sources by developing a general system model. We find that MDI-QKD is
highly practical and thus can be easily implemented with standard optical
devices. Moreover, we present a simple analytical method with only two
(general) decoy states for the finite decoy-state analysis. This method can be
used directly by experimentalists to demonstrate MDI-QKD. By combining the
system model with the finite decoy-state method, we present a general framework
for the optimal choice of the intensities of the signal and decoy states.
Furthermore, we consider a common situation, namely asymmetric MDI-QKD, in
which the two quantum channels have different transmittances. We investigate
its properties and discuss how to optimize its performance. Our work is of
interest not only to experiments demonstrating MDI-QKD but also to other
non-QKD experiments involving quantum interference.

We investigate limitations imposed by sequential attacks on the performance
of differential-phase-shift quantum key distribution protocols that use pulsed
coherent light. In particular, we analyze two sequential attacks based on
unambiguous state discrimination and minimum error discrimination,
respectively, of the signal states emitted by the source. Sequential attacks
represent a special type of intercept-resend attacks and, therefore, they do
not allow the distribution of a secret key.

Bit commitment is a fundamental cryptographic task that guarantees a secure
commitment between two mutually mistrustful parties and is a building block for
many cryptographic primitives, including coin tossing, zero-knowledge proofs,
oblivious transfer and secure two-party computation. Unconditionally secure bit
commitment was thought to be impossible until recent theoretical protocols that
combine quantum mechanics and relativity were shown to elude previous
impossibility proofs. Here we implement such a bit commitment protocol. In the
experiment, the committer performs quantum measurements using two quantum key
distribution systems and the results are transmitted via free-space optical
communication to two agents separated by more than 20 km. The security of the
protocol relies on the properties of quantum information and relativity theory.
We show that, in each run of the experiment, a bit is successfully committed
with less than 5.68*10^-2 cheating probability. Our result demonstrates
unconditionally secure bit commitment and the experimental feasibility of
relativistic quantum communication.

Distributed-phase-reference quantum key distribution stands out for its easy
implementation with present-day technology. For many years, a full security
proof of these schemes in a realistic setting has been elusive. For the first
time, we solve this long standing problem and present a generic method to prove
the security of such protocols against general attacks. To illustrate our
result we provide lower bounds on the key generation rate of a variant of the
coherent-one-way quantum key distribution protocol. In contrast to standard
predictions, it appears to scale quadratically with the system transmittance.

How to remove detector side channel attacks has been a notoriously hard
problem in quantum cryptography. Here, we propose a simple solution to this
problem: *measurement* device independent quantum key distribution. It not
only removes all detector side channels, but also doubles the secure distance
with conventional lasers. Our proposal can be implemented with standard optical
components with low detection efficiency and highly lossy channels. In contrast
to the previous solution of full device independent QKD, the realization of our
idea does not require detectors of near unity detection efficiency in
combination with a qubit amplifier (based on teleportation) or a quantum
nondemolition measurement of the number of photons in a pulse. Furthermore,
its key generation rate is many orders of magnitude higher than that based on
full device independent QKD. The results show that long-distance quantum
cryptography over, say, 200 km will remain secure even with seriously flawed
detectors.

Signal state preparation in quantum key distribution schemes can be realized
using either an active or a passive source. Passive sources might be valuable
in some scenarios; for instance, in those experimental setups operating at high
transmission rates, since no externally driven element is required. Typical
passive transmitters involve parametric downconversion. More recently, it has
been shown that phase-randomized coherent pulses also allow passive generation
of decoy states and Bennett-Brassard 1984 (BB84) polarization signals, though
the combination of both setups in a single passive source is cumbersome. In
this paper, we present a complete passive transmitter that prepares decoy-state
BB84 signals using coherent light. Our method employs sum-frequency generation
together with linear optical components and classical photodetectors. In the
asymptotic limit of an infinitely long experiment, the resulting secret key rate
(per pulse) is comparable to the one delivered by an active decoy-state BB84
setup with an infinite number of decoy settings.

Device-independent quantum key distribution does not need a precise quantum
mechanical model of employed devices to guarantee security. Despite its
beauty, it is still a very challenging experimental task. We compare a recent
proposal by Gisin et al. [Phys. Rev. Lett. 105, 070501 (2010)] to close the
detection loophole problem with that of a simpler quantum relay based on
entanglement swapping with linear optics. Our full-mode analysis for both
schemes confirms that, in contrast to recent beliefs, the second scheme can
indeed provide a positive key rate which is even considerably higher than that
of the first alternative. The resulting key rates and required detection
efficiencies of approx. 95% for both schemes, however, strongly depend on the
underlying security proof.

The noisy-storage model allows the implementation of secure two-party
protocols under the sole assumption that no large-scale reliable quantum
storage is available to the cheating party. No quantum storage is thereby
required for the honest parties. Examples of such protocols include bit
commitment, oblivious transfer and secure identification. Here, we provide a
guideline for the practical implementation of such protocols. In particular, we
analyze security in a practical setting where the honest parties themselves are
unable to perform perfect operations and need to deal with practical problems
such as errors during transmission and detector inefficiencies. We provide
explicit security parameters for two different experimental setups using weak
coherent and parametric down-conversion sources. In addition, we analyze a
modification of the protocols based on decoy states.

Most experimental realizations of quantum key distribution are based on the
Bennett-Brassard 1984 (so-called BB84) protocol. In a typical optical
implementation of this scheme, the sender uses an active source to produce the
required BB84 signal states. While active state preparation of BB84 signals is
a simple and elegant solution in principle, in practice passive state
preparation might be desirable in some scenarios, for instance, in those
experimental setups operating at high transmission rates. Passive schemes might
also be more robust against side-channel attacks than active sources. Typical
passive devices involve parametric downconversion. In this paper, we show that
both coherent light and practical single photon sources are also suitable for
passive generation of BB84 signal states. Our method does not require any
externally driven element, but only linear optical components and photodetectors.
In the case of coherent light, the resulting key rate is similar to the one
delivered by an active source. When the sender uses practical single photon
sources, however, the distance covered by a passive transmitter might be longer
than the one of an active configuration.

Decoy states have been proven to be a very useful method for significantly
enhancing the performance of quantum key distribution systems with practical
light sources. While active modulation of the intensity of the laser pulses is
an effective way of preparing decoy states in principle, in practice passive
preparation might be desirable in some scenarios. Typical passive schemes
involve parametric downconversion. More recently, it has been shown that phase
randomized weak coherent pulses (WCP) can also be used for the same purpose [M.
Curty et al., Opt. Lett. 34, 3238 (2009)]. This proposal requires
only linear optics together with a simple threshold photon detector, which
shows the practical feasibility of the method. Most importantly, the resulting
secret key rate is comparable to the one delivered by an active decoy state
setup with an infinite number of decoy settings. In this paper we extend these
results, now showing specifically the analysis for other practical scenarios
with different light sources and photodetectors. In particular, we consider
sources emitting thermal states, phase randomized WCP, and strong coherent
light in combination with several types of photodetectors, like, for instance,
threshold photon detectors, photon number resolving detectors, and classical
photodetectors. Our analysis includes as well the effect that detection
inefficiencies and noise in the form of dark counts shown by current threshold
detectors might have on the final secret key rate. Moreover, we provide
estimations on the effects that statistical fluctuations due to a finite data
size can have in practical implementations.