
A quantum money scheme enables a trusted bank to provide untrusted users with
verifiable quantum banknotes that cannot be forged. In this work, we report an
experimental demonstration of the preparation and verification of unforgeable
quantum banknotes. We employ a security analysis that takes experimental
imperfections fully into account. We measure a total of $3.6\times 10^6$ states
in one verification round, limiting the forging probability to $10^{7}$ based
on the security analysis. Our results demonstrate the feasibility of preparing
and verifying quantum banknotes using currently available experimental
techniques.

Covert communication allows us to transmit messages in such a way that it is
not possible to detect that the communication is occurring. This provides
protection in situations where knowledge that people are talking to each other
may be incriminating to them. In this work, we study how covert communication
can be used for a different purpose: secret key expansion. First, we show that
any message transmitted in a secure covert protocol is also secret and
therefore unknown to an adversary. We then propose a protocol that uses covert
communication where the amount of key consumed in the protocol is smaller than
the transmitted key, thus leading to secure secret key expansion. We derive
precise conditions showing that secret key expansion from covert communication
is possible when there are sufficiently low levels of noise for a given
security level. We conclude by examining how secret key expansion from covert
communication can be performed in a computational security model.

Digital signatures play an important role in software distribution, modern
communication and financial transactions, where it is important to detect
forgery and tampering. Signatures are a cryptographic technique for validating
the authenticity and integrity of messages, software, or digital documents. The
security of currently used classical schemes relies on computational
assumptions. Quantum digital signatures (QDS), on the other hand, provide
informationtheoretic security based on the laws of quantum physics. Recent
work on QDS shows that such schemes do not require trusted quantum channels and
are unconditionally secure against general coherent attacks. However, in
practical QDS, just as in quantum key distribution (QKD), the detectors can be
subjected to sidechannel attacks, which can make the actual implementations
insecure. Motivated by the idea of measurementdeviceindependent quantum key
distribution (MDIQKD), we present a measurementdeviceindependent QDS
(MDIQDS) scheme, which is secure against all detector sidechannel attacks.
Based on the rapid development of practical MDIQKD, our MDIQDS protocol could
also be experimentally implemented, since it requires a similar experimental
setup.

We present a family of quantum money schemes with classical verification
which display a number of benefits over previous proposals. Our schemes are
based on hidden matching quantum retrieval games and they tolerate noise up to
23%, which we conjecture reaches 25% asymptotically as the dimension of the
underlying hidden matching states is increased. Furthermore, we prove that 25%
is the maximum tolerable noise for a wide class of quantum money schemes with
classical verification, meaning our schemes are almost optimally noise
tolerant. We use methods in semidefinite programming to prove security in a
substantially different manner to previous proposals, leading to two main
advantages: first, coin verification involves only a constant number of states
(with respect to coin size), thereby allowing for smaller coins; second, the
reusability of coins within our scheme grows linearly with the size of the
coin, which is known to be optimal. Lastly, we suggest methods by which the
coins in our protocol could be implemented using weak coherent states and
verified using existing experimental techniques, even in the presence of
detector inefficiencies.

Digital signatures are widely used in modern communication to guarantee
authenticity and transferability of messages, The security of currently used
classical schemes relies on computational assumptions. We present a quantum
signature scheme that does not require trusted quantum channels. We prove that
it is unconditionally secure against the most general coherent attacks, and
show that it requires the transmission of significantly fewer quantum states
than previous schemes. We also show that the quantum channel noise threshold
for our scheme is less strict than for distilling a secure key using quantum
key distribution. This shows that direct quantum signature schemes can be
preferable to signature schemes relying on secret shared keys generated using
quantum key distribution.

Quantum digital signatures apply quantum mechanics to the problem of
guaranteeing message integrity and nonrepudiation with informationtheoretical
security, which are complementary to the confidentiality realized by quantum
key distribution. Previous experimental demonstrations have been limited to
transmission distances of less than 5km of optical fiber in a laboratory
setting. Here we report the first demonstration of quantum digital signatures
over installed optical fiber as well as the longest transmission link reported
to date. This demonstration used a 90km long differential phase shift quantum
key distribution system to achieve approximately one signed bit per second  an
increase in the signature generation rate of several orders of magnitude over
previous optical fiber demonstrations.

We present an experimental realization of a quantum digital signature
protocol which, together with a standard quantum key distribution link,
increases transmission distance to kilometre ranges, three orders of magnitude
larger than in previous realizations. The bitrate is also significantly
increased compared with previous quantum signature demonstrations. This work
illustrates that quantum digital signatures can be realized with optical
components similar to those used for quantum key distribution, and could be
implemented in existing optical fiber networks.

Signature schemes, proposed in 1976 by Diffie and Hellman, have become
ubiquitous across modern communications. They allow for the exchange of
messages from one sender to multiple recipients, with the guarantees that
messages cannot be forged or tampered with and that messages also can be
forwarded from one recipient to another without compromising their validity.
Signatures are different from, but no less important than encryption, which
ensures the privacy of a message. Commonly used signature protocols 
signatures based on the RivestAdlemanShamir (RSA) algorithm, the digital
signature algorithm (DSA), and the elliptic curve digital signature algorithm
(ECDSA)  are only computationally secure, similar to public key encryption
methods. In fact, since these rely on the difficulty of finding discrete
logarithms or factoring large primes, it is known that they will become
completely insecure with the emergence of quantum computers. We may therefore
see a shift towards signature protocols that will remain secure even in a
postquantum world. Ideally, such schemes would provide unconditional or
informationtheoretic security. In this paper, we aim to provide an accessible
and comprehensive review of existing unconditionally secure signature schemes
for signing classical messages, with a focus on unconditionally secure quantum
signature schemes.