
In this work, we present a reliable, efficient, and tight numerical method
for calculating key rates for finitedimensional quantum key distribution (QKD)
protocols. We illustrate our approach by finding higher key rates than those
previously reported in the literature for several interesting scenarios (e.g.,
the Trojanhorse attack and the phasecoherent BB84 protocol). Our method will
ultimately improve our ability to automate key rate calculations and, hence, to
develop a userfriendly software package that could be used widely by QKD
researchers.

Quantum information degrades over distance due to the unavoidable
imperfections of the transmission channels, with loss as the leading factor.
This simple fact hinders quantum communication, as it relies on propagating
quantum systems. A solution to this issue is to introduce quantum repeaters at
regular intervals along a lossy channel, to revive the quantum signal. In this
work we study unitary oneway quantum repeaters, which do not need to perform
measurements and do not require quantum memories, and are therefore
considerably simpler than other schemes. We introduce and analyze two methods
to construct Hamiltonians that generate a repeater interaction that can beat
the fundamental repeaterless key rate bound even in the presence of an
additional coupling loss, with signals that contain only a handful of photons.
The natural evolution of this work will be to approximate a repeater
interaction by combining simple optical elements.

Quantum key distribution (QKD) promises information theoretic secure key as
long as the device performs as assumed in the theoretical model. One of the
assumptions is an absence of information leakage about individual photon
detection outcomes of the receiver unit. Here we investigate the information
leakage from a QKD receiver due to photon emission caused by detection events
in singlephoton detectors (backflash). We test commercial silicon avalanche
photodiodes and a photomultiplier tube, and find that the former emit
backflashes. We study the spectral, timing and polarization characteristics of
these backflash photons. We experimentally demonstrate on a freespace QKD
receiver that an eavesdropper can distinguish which detector has clicked inside
it, and thus acquire secret information. A set of countermeasures both in
theory and on the physical devices are discussed.

We propose a protocol based on coherent states and linear optics operations
for solving the appointmentscheduling problem. Our main protocol leaks
strictly less information about each party's input than the optimal classical
protocol, even when considering experimental errors. Along with the ability to
generate constantamplitude coherent states over two modes, this protocol
requires the ability to transfer these modes backandforth between the two
parties multiple times with low coupling loss. The implementation requirements
are thus still challenging. Along the way, we develop new tools to study
quantum information cost of interactive protocols in the finite regime.

We introduce several families of quantum fingerprinting protocols to evaluate
the equality function on two $n$bit strings in the simultaneous message
passing model. The original quantum fingerprinting protocol uses a tensor
product of a small number of $\mathcal{O}(\log n)$qubit high dimensional
signals [Buhrman et al. 2001], whereas a recentlyproposed optical protocol
uses a tensor product of $\mathcal{O}(n)$ singlequbit signals, while
maintaining the $\mathcal{O}(\log n)$ information leakage of the original
protocol [Arrazola and L\"utkenhaus 2014]. We find a family of protocols which
interpolate between the original and optical protocols while maintaining the
$\mathcal{O}(\log n)$ information leakage, thus demonstrating a tradeoff
between the number of signals sent and the dimension of each signal.
There has been interest in experimental realization of the recentlyproposed
optical protocol using coherent states [Xu et al. 2015, Guan et al. 2016], but
as the required number of laser pulses grows linearly with the input size $n$,
eventual challenges for the longtime stability of experimental setups arise.
We find a coherent state protocol which reduces the number of signals by a
factor $1/2$ while also reducing the information leakage. Our reduction makes
use of a simple modulation scheme in optical phase space, and we find that more
complex modulation schemes are not advantageous. Using a similar technique, we
improve a recentlyproposed coherent state protocol for evaluating the
Euclidean distance between two real unit vectors [Kumar et al. 2017] by
reducing the number of signals by a factor $1/2$ and also reducing the
information leakage.

The security analysis of quantum key distribution is difficult to perform
when there is efficiency mismatch between various threshold detectors involved
in an experimental setup. Even the verification that the device actually
performs in the quantum domain, referred to as the task of entanglement
verification, is hard to perform. In this article we provide such an
entanglementverification method for characterized detectionefficiency
mismatch. Our method does not rely on a cutoff of photon numbers in the
optical signal. It can be applied independently of the degrees of freedom
involved, thus covering, for example, efficiency mismatch in polarization and
timebin modes, but also in spatial modes. The evaluation of typical
experimental scenarios suggests that an increase of detectionefficiency
mismatch will drive the performance of a given setup out of the quantum domain.

Bound secret information is classical information that contains secrecy but
from which secrecy cannot be extracted. The existence of bound secrecy has been
conjectured but is currently unproven, and in this work we provide analytical
and numerical evidence for its existence. Specifically, we consider twoway
postprocessing protocols in prepareandmeasure quantum key distribution based
on the wellknown sixstate signal states. In terms of the quantum biterror
rate $Q$ of the classical data, such protocols currently exist for
$Q<\frac{5\sqrt{5}}{10}\approx 27.6\%$. On the other hand, for
$Q\geq\frac{1}{3}$ no such protocol can exist as the observed data is
compatible with an interceptresend attack. This leaves the interesting
question of whether successful protocols exist in the interval
$\frac{5\sqrt{5}}{10}\leq Q<\frac{1}{3}$.
Previous work has shown that a necessary condition for the existence of
twoway postprocessing protocols for distilling secret key is breaking the
symmetric extendability of the underlying quantum state shared by Alice and
Bob. Using this result, it has been proven that symmetric extendability can be
broken up to the $27.6\%$ lower bound using the advantage distillation
protocol. In this work, we first show that to break symmetric extendability it
is sufficient to consider a generalized form of advantage distillation
consisting of one round of postselection by Bob on a block of his data. We
then provide evidence that such generalized protocols cannot break symmetric
extendability beyond $27.6\%$. We thus have evidence to believe that $27.6\%$
is an upper bound on twoway postprocessing and that the interval
$\frac{5\sqrt{5}}{10}\leq Q<\frac{1}{3}$ is a domain of bound secrecy.

Quantum information processing provides remarkable advantages over its
classical counterpart. Quantum optical systems are proved to be sufficient for
realizing general quantum tasks, which however often rely on single photon
sources. In practice, imperfect single photon sources, such as weak coherent
state source, are used instead, which will inevitably limit the power in
demonstrating quantum effects. For instance, with imperfect photon sources, the
key rate of the BB84 quantum key distribution protocol will be very low, which
fortunately can be resolved by utilizing the decoy state method. As a
generalization, we investigate an efficient way to simulate single photons with
imperfect ones to an arbitrary desired accuracy when the number of photonic
inputs is small. Based on this simulator, we can thus replace the tasks that
involve only a few single photon inputs with the ones that only make use of
imperfect photon sources. In addition, our method also provides a quantum
simulator to quantum computation based on quantum optics. In the main context,
we take phase randomized coherent state as an example for analysis. A general
photon source applies similarly and may provide some further advantages for
certain tasks.

We investigate a quantum repeater scheme for quantum key distribution based
on the work by Muralidharan et al., Phys. Rev. Lett. 112, 250501 (2014). Our
scheme extends that work by making use of error syndrome measurement outcomes
available at the repeater stations. We show how to calculate the secret key
rates for the case of optimizing the syndrome information, while the known key
rate is based on a scenario of coarsegraining the syndrome information. We
show that these key rates can surpass the PirandolaLaurenzaOttavianiBanchi
bound on secret key rates of direct transmission over lossy bosonic channels.

Quantum key distribution (QKD) allows for communication with security
guaranteed by quantum theory. The main theoretical problem in QKD is to
calculate the secret key rate for a given protocol. Analytical formulas are
known for protocols with symmetries, since symmetry simplifies the analysis.
However, experimental imperfections break symmetries, hence the effect of
imperfections on key rates is difficult to estimate. Furthermore, it is an
interesting question whether (intentionally) asymmetric protocols could
outperform symmetric ones. Here, we develop a robust numerical approach for
calculating the key rate for arbitrary discretevariable QKD protocols.
Ultimately this will allow researchers to study "unstructured" protocols, that
is, those that lack symmetry. Our approach relies on transforming the key rate
calculation to the dual optimization problem, which dramatically reduces the
number of parameters and hence the calculation time. We illustrate our method
by investigating some unstructured protocols for which the key rate was
previously unknown.

A central assumption in quantum key distribution (QKD) is that Eve has no
knowledge about which rounds will be used for parameter estimation or key
distillation. Here we show that this assumption is violated for iterative
sifting, a sifting procedure that has been employed in some (but not all) of
the recently suggested QKD protocols in order to increase their efficiency. We
show that iterative sifting leads to two security issues: (1) some rounds are
more likely to be key rounds than others, (2) the public communication of past
measurement choices changes this bias round by round. We analyze these two
previously unnoticed problems, present eavesdropping strategies that exploit
them, and find that the two problems are independent. We discuss some sifting
protocols in the literature that are immune to these problems. While some of
these would be inefficient replacements for iterative sifting, we find that the
sifting subroutine of an asymptotically secure protocol suggested by Lo et al
(2005 J. Cryptol. 18 13365), which we call LCA sifting, has an efficiency on
par with that of iterative sifting. One of our main results is to show that LCA
sifting can be adapted to achieve secure sifting in the finitekey regime. More
precisely, we combine LCA sifting with a certain parameter estimation protocol,
and we prove the finitekey security of this combination. Hence we propose that
LCA sifting should replace iterative sifting in future QKD implementations.
More generally, we present two formal criteria for a sifting protocol that
guarantee its finitekey security. Our criteria may guide the design of future
protocols and inspire a more rigorous QKD analysis, which has neglected
siftingrelated attacks so far.

Complex cryptographic protocols are often constructed from simpler
buildingblocks. In order to advance quantum cryptography, it is important to
study practical buildingblocks that can be used to develop new protocols. An
example is quantum retrieval games (QRGs), which have broad applicability and
have already been used to construct quantum money schemes. In this work, we
introduce a general construction of quantum retrieval games based on the hidden
matching problem and show how they can be implemented in practice using
available technology. More precisely, we provide a general method to construct
(1outofk) QRGs, proving that their cheating probabilities decrease
exponentially in $k$. In particular, we define new QRGs based on coherent
states of light, which can be implemented even in the presence of experimental
imperfections. Our results constitute a new tool in the arsenal of the
practical quantum cryptographer.

Quantum key distribution (QKD) has the potential to improve communications
security by offering cryptographic keys whose security relies on the
fundamental properties of quantum physics. The use of a trusted quantum
receiver on an orbiting satellite is the most practical nearterm solution to
the challenge of achieving longdistance (globalscale) QKD, currently limited
to a few hundred kilometers on the ground. This scenario presents unique
challenges, such as high photon losses and restricted classical data
transmission and processing power due to the limitations of a typical satellite
platform. Here we demonstrate the feasibility of such a system by implementing
a QKD protocol, with optical transmission and full postprocessing, in the
highloss regime using minimized computing hardware at the receiver. Employing
weak coherent pulses with decoy states, we demonstrate the production of secure
key bits at up to 56.5 dB of photon loss. We further illustrate the feasibility
of a satellite uplink by generating secure key while experimentally emulating
the varying channel losses predicted for realistic lowEarthorbit satellite
passes at 600 km altitude. With a 76 MHz source and including finitesize
analysis, we extract 3374 bits of secure key from the best pass. We also
illustrate the potential benefit of combining multiple passes together: while
one suboptimal "upperquartile" pass produces no finitesized key with our
source, the combination of three such passes allows us to extract 165 bits of
secure key. Alternatively, we find that by increasing the signal rate to 300
MHz it would be possible to extract 21570 bits of secure finitesized key in
just a single upperquartile pass.

We introduce a new continuousvariable quantum key distribution (CVQKD)
protocol, selfreferenced CVQKD, that eliminates the need for transmission of
a highpower local oscillator between the communicating parties. In this
protocol, each signal pulse is accompanied by a reference pulse (or a pair of
twin reference pulses), used to align Alice's and Bob's measurement bases. The
method of phase estimation and compensation based on the reference pulse
measurement can be viewed as a quantum analog of intradyne detection used in
classical coherent communication, which extracts the phase information from the
modulated signal. We present a proofofprinciple, fiberbased experimental
demonstration of the protocol and quantify the expected secret key rates by
expressing them in terms of experimental parameters. Our analysis of the secret
key rate fully takes into account the inherent uncertainty associated with the
quantum nature of the reference pulse(s) and quantifies the limit at which the
theoretical key rate approaches that of the respective conventional protocol
that requires local oscillator transmission. The selfreferenced protocol
greatly simplifies the hardware required for CVQKD, especially for potential
integrated photonics implementations of transmitters and receivers, with
minimum sacrifice of performance. As such, it provides a pathway towards
scalable integrated CVQKD transceivers, a vital step towards largescale QKD
networks.

Despite the tremendous progress of quantum cryptography, efficient quantum
communication over long distances (>1000km) remains an outstanding challenge
due to fiber attenuation and operation errors accumulated over the entire
communication distance. Quantum repeaters, as a promising approach, can
overcome both photon loss and operation errors, and hence significantly speedup
the communication rate. Depending on the methods used to correct loss and
operation errors, all the proposed QR schemes can be classified into three
categories (generations). Here we present the first systematic comparison of
three generations of quantum repeaters by evaluating the cost of both temporal
and physical resources, and identify the optimized quantum repeater
architecture for a given set of experimental parameters. Our work provides a
roadmap for the experimental realizations of highly efficient quantum networks
over transcontinental distances.

We propose a scheme for performing quantum key distribution (QKD) which has
the potential to beat schemes based on the direct transmission of photons
between the communicating parties. In our proposal, the communicating parties
exchange photons with two quantum memories placed between them. This is a very
simple quantum repeater scheme and can be implemented with currently available
technology. Ideally, its secret key rate scales as the square root of the
transmittivity of the optical channel, which is superior to QKD schemes based
on direct transmission because key rates for the latter scale at best linearly
with transmittivity. Taking into account various imperfections in each
component of our setup, we present parameter regimes in which our protocol
outperforms protocols based on direct transmission.

In freespace quantum key distribution (QKD), the sensitivity of the
receiver's detector channels may depend differently on the spatial mode of
incoming photons. Consequently, an attacker can control the spatial mode to
break security. We experimentally investigate a standard polarization QKD
receiver, and identify sources of efficiency mismatch in its optical scheme. We
model a practical interceptandresend attack and show that it would break
security in most situations. We show experimentally that adding an
appropriately chosen spatial filter at the receiver's entrance is an effective
countermeasure.

The appealing feature of quantum key distribution (QKD), from a cryptographic
viewpoint, is the ability to prove the informationtheoretic security (ITS) of
the established keys. As a key establishment primitive, QKD however does not
provide a standalone security service in its own: the secret keys established
by QKD are in general then used by a subsequent cryptographic applications for
which the requirements, the context of use and the security properties can
vary. It is therefore important, in the perspective of integrating QKD in
security infrastructures, to analyze how QKD can be combined with other
cryptographic primitives. The purpose of this survey article, which is mostly
centered on European research results, is to contribute to such an analysis. We
first review and compare the properties of the existing key establishment
techniques, QKD being one of them. We then study more specifically two generic
scenarios related to the practical use of QKD in cryptographic infrastructures:
1) using QKD as a key renewal technique for a symmetric cipher over a
pointtopoint link; 2) using QKD in a network containing many users with the
objective of offering anytoany key establishment service. We discuss the
constraints as well as the potential interest of using QKD in these contexts.
We finally give an overview of challenges relative to the development of QKD
technology that also constitute potential avenues for cryptographic research.

Higher transmission loss diminishes the performance of optical
communicationbe it the rate at which classical or quantum data can be sent
reliably, or the secure key generation rate of quantum key distribution (QKD).
Loss compounds with distanceexponentially in an optical fiber, and
inversesquare with distance for a freespace channel. In order to boost
classical communication rates over long distances, it is customary to introduce
regenerative relays at intermediate points along the channel. It is therefore
natural to speculate whether untended regenerative stations, such as
phaseinsensitive or phasesensitive optical amplifiers, could serve as
repeaters for longdistance QKD. The primary result of this paper rules out all
bosonic Gaussian channels to be useful as QKD repeaters, which include
phaseinsensitive and phasesensitive amplifiers as special cases, for any QKD
protocol. We also delineate the conditions under which a Gaussian relay renders
a lossy channel entanglement breaking, which in turn makes the channel useless
for QKD.

We propose a QKD protocol for trusted node relays. Our protocol shifts the
communication and computational weight of classical postprocessing to the end
users by reassigning the roles of error correction and privacy amplification,
while leaving the exchange of quantum signals untouched. We perform a security
analysis for this protocol based on the BB84 protocol on the level of infinite
key formulas, taking into account weak coherent implementations involving decoy
analysis.

We introduce a general mapping for encoding quantum communication protocols
involving pure states of multiple qubits, unitary transformations, and
projective measurements into another set of protocols that employ coherent
states of light in a superposition of optical modes, linear optics
transformations and measurements with singlephoton threshold detectors. This
provides a general framework for transforming protocols in quantum
communication into a form in which they can be implemented with current
technology. We explore the similarity between properties of the original qubit
protocols and the coherentstate protocols obtained from the mapping and make
use of the mapping to construct new protocols in the context of quantum
communication complexity and quantum digital signatures. Our results have the
potential of bringing a wide class of quantum communication protocols closer to
their experimental demonstration.

A protocol with the potential of beating the existing distance records for
conventional quantum key distribution (QKD) systems is proposed. It borrows
ideas from quantum repeaters by using memories in the middle of the link, and
that of measurementdeviceindependent QKD, which only requires optical source
equipment at the user's end. For certain fast memories, our scheme allows a
higher repetition rate than that of quantum repeaters, thereby requiring lower
coherence times. By accounting for various sources of nonideality, such as
memory decoherence, dark counts, misalignment errors, and background noise, as
well as timing issues with memories, we develop a mathematical framework within
which we can compare QKD systems with and without memories. In particular, we
show that with the stateoftheart technology for quantum memories, it is
possible to devise memoryassisted QKD systems that, at certain distances of
practical interest, outperform current QKD implementations.

We present a protocol for quantum fingerprinting that is ready to be
implemented with current technology and is robust to experimental errors. The
basis of our scheme is an implementation of the signal states in terms of a
coherent state in a superposition of timebin modes. Experimentally, this
requires only the ability to prepare coherent states of low amplitude, and to
interfere them in a balanced beam splitter. The states used in the protocol are
arbitrarily close in trace distance to states of $\mathcal{O}(\log_2 n)$
qubits, thus exhibiting an exponential separation in communication complexity
compared to the classical case. The protocol uses a number of optical modes
that is proportional to the size $n$ of the input bitstrings, but a total mean
photon number that is constant and independent of $n$. Given the expended
resources, our protocol achieves a task that is provably impossible using
classical communication only. In fact, even in the presence of realistic
experimental errors and loss, we show that there exist a large range of input
sizes for which our quantum protocol requires communication that can be more
than two orders of magnitude smaller than a classical fingerprinting protocol.

We present an experimental study of higherdimensional quantum key
distribution protocols based on mutually unbiased bases, implemented by means
of photons carrying orbital angular momentum. We perform (d+1) mutually
unbiased measurements in a classical prepare and measure scheme and on a pair
of entangled photons for dimensions ranging from d = 2 to 5. In our analysis,
we pay attention to the detection efficiency and photon pair creation
probability. As security measures, we determine from experimental data the
average error rate, the mutual information shared between the sender and
receiver and the secret key generation rate per photon. We demonstrate that
increasing the dimension leads to an increased information capacity as well as
higher key generation rates per photon up to a dimension of d = 4.

Quantum repeaters (QRs) provide a way of enabling long distance quantum
communication by establishing entangled qubits between remote locations. We
investigate a new approach to QRs in which quantum information can be
faithfully transmitted via a noisy channel without the use of long distance
teleportation, thus eliminating the need to establish remote entangled links.
Our approach makes use of small encoding blocks to faulttolerantly correct
both operational and photon loss errors. We describe a way to optimize the
resource requirement for these QRs with the aim of the generation of a secure
key. Numerical calculations indicate that the number of quantum memory bits
required for our scheme has favorable polylogarithmic scaling with the
distance across which the communication is desired.