Real-world two-photon interference and proof-of-principle quantum key distribution immune to detector attacks
Several vulnerabilities of single photon detectors have recently been exploited to compromise the security of quantum key distribution (QKD) systems. In this letter we report the first proof-of-principle implementation of a new quantum key distribution protocol that is immune to any such attack. More precisely, we demonstrated this new approach to QKD in the laboratory over more than 80 km of spooled fiber, as well as across different locations within the city of Calgary. The robustness of our fibre-based implementation, together with the enhanced level of security offered by the protocol, confirms QKD as a realistic technology for safeguarding secrets in transmission. Furthermore, our demonstration establishes the feasibility of controlled two-photon interference in a real-world environment, and thereby removes a remaining obstacle to realizing future applications of quantum communication, such as quantum repeaters and, more generally, quantum networks.
Quantum key distribution (QKD) promises the distribution of cryptographic keys whose secrecy is guaranteed by fundamental laws of quantum physicsGisin2002 ; Scarani2009 . Starting with its invention in 1984BB84 , theoretical and experimental QKD have progressed rapidly. Information theoretic security, which ensures that secret keys can be distributed even if the eavesdropper, Eve, is only bounded by the laws of quantum physics, has been proven under various assumptions about the devices of the legitimate QKD users, Alice and BobShorPreskill ; GLLP . Furthermore, experimental demonstrations employing quantum states of light have meanwhile resulted in key distribution over more than 100 km distance through optical fiberStucki2009 or airSchmitt-Manderbach2007 , QKD networks employing trusted nodesSasaki2011 , as well as in commercially available productscommercialQKD .
However, it became rapidly clear that some of the assumptions made in QKD proofs were difficult to meet in real implementations, which opened side channels for eavesdropping attacks. The most prominent examples are the use of quantum states encoded into attenuated laser pulses as opposed to single photonsBrassard2000 , and, more recently, various possibilities for an eavesdropper to remote-control or monitor single photon detectorsLamas2007 ; Zhao2008 ; Lydersen2010a ; Lydersen2010b . Fortunately, both side channels can be removed using appropriately modified protocols. In the first case, randomly choosing between so-called signal or decoy states (quantum states encoded into attenuated laser pulses with different mean photon numbers) allows one to establish a secret key strictly from information conveyed by single photons emitted by the laserHwang2003 ; Wang2005 ; Lo2005 . (We remind the reader that an attenuated laser pulse comprising on average photons contains exactly one photon with probability .) Furthermore, the recently proposed measurement-device independent (MDI) QKD protocolLo2011 (for closely related work see ) additionally ensures that controlling or monitoring detectors, regardless by what means, does not help the eavesdropper to gain information about the distributed key. Note that, while the two most prominent side channels are removed by MDI-QKD, others remain open and have to be closed by means of appropriate experimental design (see the Supplemental Material).
The MDI-QKD protocol is a clever time-reversed version of QKD based on the distribution and measurement of pairs of maximally entangled photonsBennett1992b : In the idealized version, Alice and Bob randomly and independently prepare single photons in one out of the four qubit states , where . The photons are then sent to Charlie, who performs a Bell state measurement, i.e. projects the photons’ joint state onto a maximally entangled Bell stateTittel2001 . Charlie then publicly announces the instances in which his measurement resulted in a projection onto and, for these cases, Alice and Bob publicly disclose the bases (z, spanned by and , or x, spanned by ) used to prepare their photons. (They keep their choices of states secret.) Identifying quantum states with classical bits (e.g. 0, and 1) and keeping only events in which Charlie found and they picked the same basis, Alice and Bob now establish anti-correlated key strings. (Note that a projection of two photons onto indicates that the two photons, if prepared in the same basis, must have been in orthogonal states.) Bob then flips all his bits, thereby converting the anti-correlated strings into correlated ones. Next, the so-called x-key is formed out of all key bits for which Alice and Bob prepared their photons in the x-basis; its error rate is used to bound the information an eavesdropper may have acquired during photon transmission. Furthermore, Alice and Bob form the z-key out of those bits for which both picked the z-basis. Finally, they perform error correction and privacy amplificationGisin2002 ; Scarani2009 to the z-key, which results in the secret key.
As in the entanglement-based protocol, the time-reversed version ensures that Eve cannot gain information by eavesdropping photons during transmission or by modifying the device that generates entanglement – either the source of photon pairs or the projective two-photon measurement, respectively – without leaving a traceBiham1996 ; Inamori2002 . Furthermore, the outstanding attribute of the MDI-QKD protocol is that it de-correlates detection events (here indicating a successful projection onto the Bell state) from the values of the - and z-key bits and hence the secret key bits. In other words, all side channels related to the detection setup, regardless whether actively attacked or passively monitored, do not help Eve gain information about the secret key.
Unfortunately, the described procedure is currently difficult to implement for two reasons, first of which is the lack of practical single photon sources. However, it is possible to replace the true single photons by attenuated laser pulses of varying mean photon number (i.e. signal and decoy states, as introduced above), and to establish the secret key using information only from joint measurements at Charlie’s that stem from Alice and Bob both sending single photonsWang2012 . This procedure results in the same security against eavesdropping as the conceptually simpler one discussed above. The secret key rate, , distilled from signal states, is then given byLo2011 :
where denotes the binary entropy function evaluated on , and describes the efficiency of error correction with respect to Shannon’s noisy coding theorem. Furthermore, , , , and are gains ( – the probability of a projection onto per emitted pair of pulses) and error rates ( – the ratio of erroneous to total projections onto ) in either the - or -basis for Alice and Bob sending single photons (denoted by subscript “11”), or for pulses emitted by Alice and Bob with mean photon number and (denoted by subscript “”), respectively. While the latter are directly accessible from experimental data, the former have to be calculated using a decoy state method Lo2011 ; Wang2012 (see the Supplemental Material).
Second, a crucial element for MDI-QKD as well as future quantum repeaters and networks is a Bell state measurement (BSM)Sangouard2011 . However, this two-photon interference measurement has not yet been demonstrated with photons that were generated by independent sources and have travelled through separate deployed fibers (i.e. fibers that feature independent changes of propagation times and polarization transformations). To implement the BSM one requires that these photons be indistinguishable, i.e. arrive simultaneously within their respective coherence times, with equal polarization, and feature sufficient spectral overlap. Yet, due to time-varying properties of optical fibers in a real-world environment, significant changes to photons’ indistinguishability can happen in less than a minute, as depicted in Fig. 1. Furthermore, the carrier frequencies of the signals generated at Alice’s and Bob’s generally vary. These instabilities make real-world Bell state measurements without stabilization by means of active feedback impossible.
Hence, to enable MDI-QKD and pave the way for quantum repeaters and quantum networks, we developed the ability to track and stabilize photon arrival times and polarization transformations as well as the frequency difference between Alice’s and Bob’s lasers during all measurements (for more information see the Supplemental Material). In order to ensure the indistinguishability of photons arriving at Charlie’s and to allow, for the first time, Bell state measurements in a real-world environment, we developed and implemented three stabilization systems (see Fig. 2): fully-automatic polarization stabilization, manual adjustment of photon arrival time, and manual adjustment of laser frequency. Note that automating the frequency and timing stabilization systems is straightforward, particularly if the active control elements are placed in Charlie’s setup.
We verified that we could indeed maintain the indistinguishability of the photons by frequently measuring the visibility, , of the so-called Hong-Ou-Mandel dipHong1987 (a two-photon interference experiment that is closely related to a BSM). On average we found =471%, which is close to the maximum value of 50% for attenuated laser pulses with a Poissonian photon number distributionclassicalHOM , and thereby confirm that real-world two-photon interference is possible.
To assess the feasibility of MDI-QKD, we implemented a proof-of-principle demonstration of MDI-QKD using the decoy state protocol proposed by WangWang2012 . This protocol requires that Alice and Bob choose between three different mean photon numbers: two non-zero values referred to as signal and decoy as well as vacuum. We performed our experiments over four different distances (henceforth referred to as setups) comprising two different arrangements (see Fig. 2): (i) Alice, Bob and Charlie are located within the same lab, and Alice and Bob are connected to Charlie via separate spooled fibers of various lengths and loss. (ii) Alice, Bob and Charlie are located in different locations within the city of Calgary, and Alice and Bob are connected to Charlie by deployed fibers of 12.4 and 6.2 km length, respectively. The fiber lengths and loss in each setup are listed in Table 1.
For each setup, we prepared all 4 combinations of Alice and Bob picking a state from the z-basis (i.e. , where and denote time-bin qubitsTittel2001 prepared in an early or late temporal mode), and all 4 combinations of picking a state from the x-basis (i.e. ). Using a detailed model of our MDI-QKD systemourModel , we calculated the signal and decoy intensities that maximize the secret key rate produced by the decoy-state method for each setup. For our decoy intensity we generated attenuated laser pulses containing on average photons and for our signal intensities we used a mean photon number between and (the optimal value depends on loss). For each of the four distance configurations listed in Table 1, and for each of the 16 pairs of qubit states, we performed measurements of all 9 combinations of Alice and Bob using the signal, decoy or vacuum intensity. We recorded the number of joint detections in which one detector indicated an early arriving photon (or an early noise count), and the other detector indicated a late arriving photon (or a late noise count), which, for time-bin qubits, is regarded as a projection onto the -stateTittel2001 . Depending on the observed detection rates, measurements took between 2 and 35 minutes. This data yields the gains, and , and error rates, and , a subset of which is plotted in Fig. 3a. A complete list of gains and error rates is presented in the Supplemental Material.
We then computed secret key rates according to Eq. 1 after extracting and using Wang’s decoy state calculationWang2012 and assuming an error correction efficiency =1.14Sasaki2011 . As shown in Fig. 3b, all our measurements, both outside and inside the laboratory, and using up to 80 km of spooled fiber between Alice and Bob, output a positive secret key rate. Furthermore, using our modelourModel , we estimate that our setup allows secret key distribution up to a total loss of 184.8 dB, which is in agreement with our QKD results. Assuming the standard loss coefficient for telecommunication fibers without splices of 0.2 dB/km, this value corresponds to a maximum distance between Alice and Bob of 9024 km. Note that moving from our proof-of-principle demonstration to the actual distribution of secret keys requires additional developments, which are detailed in the Supplemental Material.
In summary, we have demonstrated that real-world quantum key distribution with practical attenuated laser pulses and immunity to detector hacking attacks is possible using current technology. Our setup contains only standard, off-the-shelf components, its development into a complete QKD system follows well-known stepsSasaki2011 , and the extension to higher key rates using state-of-the-art detectorsdetectors ; Marsili2012 is straightforward. We also point out that MDI-QKD is well suited for key distribution over long distances, and we expect that further developments will rapidly push the separation between Alice and Bob beyond its current maximum of 250 kmStucki2009 . Finally, we remind the reader that the demonstrated possibility for Bell state measurements in a real-world environment and with truly independent photons also removes a remaining obstacle to building a quantum repeater, which promises quantum communication such as QKD over arbitrary distances.
The authors thank E. Saglamyurek, V. Kiselyov and TeraXion for discussions and technical support, the University of Calgary’s Infrastructure Services for providing access to the fiber link between the University’s main campus and the Foothills campus, SAIT Polytechnic for providing laboratory space, and acknowledge funding by NSERC, QuantumWorks, General Dynamics Canada, iCORE (now part of Alberta Innovates Technology Futures), CFI, AAET and the Killam Trusts.
I Supplemental Material
Ii Ensuring Indistinguishability
In order to ensure the indistinguishability of photons arriving at Charlie’s and to allow Bell state measurements in a real-world environment, we developed and implemented three stabilization systems (see Fig. 2 in the main text): fully-automatic polarization stabilization, manual adjustment of photon arrival time, and manual adjustment of laser frequency. Note that automating the frequency and timing stabilization systems is straightforward, particularly if the active control elements are placed in Charlie’s setup.
The polarization stabilization system Lucio2009 ; Bussieres2010 employed an additional laser (at Charlie’s) and two polarization controllers (one at Alice’s and one at Bob’s). Every 10 s, Charlie disabled data collection for 0.5 s and sent high intensity, vertically polarized stabilization light to Alice and Bob. This light was detected by photodiodes at Alice’s and Bob’s, and used to trigger their commercially available polarization controllers (POCs), which were programmed to adjust the polarization of the stabilization light to vertical. This implies that Alice’s and Bob’s attenuated laser pulses, which were emitted horizontally polarized, both arrive horizontally polarized at Charlie’s.
To stabilize the frequency difference between Alice’s and Bob’s lasers, Alice used a frequency shifter (FS) that employed a linear phase chirp via a serrodyne modulation signal applied to a phase modulator. Whenever the error rate in the x-key increased significantly, Charlie communicated the frequency difference after measuring the beat frequency by mixing their unmodulated and unattenuated laser outputs on the beam splitter. Adjustments, in the worst case, were required every 30 minutes to maintain the difference below 10 MHz.
To enable temporal synchronization, Charlie sent a master clock signal via a second set of fibers to Alice and Bob. Roughly every minute, Charlie measured the qubit arrival-time difference using his SPDs and high-resolution electronics and sent this information to Alice and Bob. They then adjusted their qubit generation times using function generators to apply a phase shift to the recovered master clock. This maintained the arrival-time difference under 30 ps.
Iii Decoy-State Analysis
In MDI-QKD the secret key rate is given by
where denotes the binary entropy function evaluated on , and describes the efficiency of error correction with respect to Shannon’s noisy coding theorem. Furthermore, , , , and are gains ( – the probability of a projection onto per emitted pair of pulses) and error rates ( – the ratio of erroneous to total projections onto ) in either the - or -basis for Alice and Bob sending single photons (denoted by subscript “11”), or for pulses emitted by Alice and Bob with mean photon number and (denoted by subscript “”), respectively. While , and are directly accessible from experimental data, , have to be bounded using a decoy state method.
We use a three-intensity decoy state method for the MDI-QKD protocol Wang2012 that derives a lower bound for and and an upper bound for , to calculate a lower bound for the secure secret key rate. We denote the signal, decoy, and vacuum intensities by , and ,
respectively, for Alice, and Bob (note that by definition). In our implementation Alice and Bob both select the same mean
photon numbers for the three intensities and use channels of equal transmission. For compactness of
notation, we omit the when describing the gains and
error rates (e.g. we write to denote the gain in the z-basis
when Alice and Bob both send photons using the signal intensity). Under
these assumptions, the lower bound on is given by
where the various denote the probabilities that a pulse with Poissonian photon number distribution and mean contains exactly photons, and and are given by
Similar equations are used to bound (we replace the superscript by ). Finally, the error rate can then be computed as
Our analysis in  determined that lowering as much as possible maximizes secret key rate. In these experiments, we select in order to obtain statistically significant data in a reasonable amount of time (see Suplementary Table 2)
Iv Secure key distribution using MDI-QKD
In this section we describe the assumptions underpinning secure key distribution in MDI-QKD as well as further technological and theoretical developments required for our current proof-of-principle demonstration to meet this goal. We note that any QKD system used to distribute secret key must be vetted against attacks arising from imperfections in its implementation111A notable exception is fully device independent QKD (DI-QKD) Masanes2011 , which, however, is currently impossible to realize due to the need for a loophole free violation of a Bell inequality.. Protection against such attacks requires the development of hardware that strives to be as ideal as possible, in conjunction with the development of security proofs that are able to take into account those imperfections that inevitably remain in any realistic implementation. (Such proofs would bound the information leaked to an eavesdropper, which, in turn, allows removing it by means of privacy amplification). Even for the heavily studied prepare-and-measure BB84 protocol, this is an area of ongoing research Woodhead2012 , and more needs to be done for the new MDI-QKD protocol. Yet, MDI-QKD constitutes a very important development in this context as it eliminates all potential attack strategies related to imperfections in the measurement apparatus, including arbitrary measurement-basis misalignment errors as well as detector attacks that have recently been shown to provide the eavesdropper full information about the key without leaving a trace Lamas2007 ; Zhao2008 ; Lydersen2010a ; Lydersen2010b . Remaining assumptions and required developments are:
Quantum mechanics is correct and complete. This assumption is generally believed to be true.
Alice’s and Bob’s laboratories are private. This assumption entails that no undesired signals, e.g. RF electromagnetic radiation, escape from Alice’s and Bob’s apparatus when working in normal conditions. Information gain through such passive observation can be avoided using appropriate shielding, which, as is standard in academic QKD implementations, we have not spent any particular effort on. Furthermore, the assumption implies that Eve cannot actively obtain information about the experimental settings, e.g. by sending a probe, such as light, into the laboratories using the fiber that connects Alice or Bob, respectively, with the outside world, and analyzing the back reflection. This is often referred to as a Trojan horse attack Gisin2002 ; Scarani2009 . And finally, Eve cannot actively influence Alice’s or Bob’s devices to modify their functioning. Protection against active attacks requires that the laboratories are isolated from signals sent by Eve, e.g. using optical isolators or attenuators. No such countermeasures were realized in our proof-of-principle demonstration. However, their implementation is straightforward, at least in what concerns attenuators and isolators Sasaki2011 . We emphasize that there is no need to protect Charlie’s laboratory; the MDI-QKD protocol ensures that it can even be run by the eavesdropper.
Alice and Bob send phase-randomized attenuated pulses of light produced by a laser operated well above threshold. This ensures that the generated light pulses are correctly described by the density matrix , where is the Poisson distribution with mean photon number , and denotes the density matrix of an -photon Fock state. This condition is easily met by generating every light pulse using a laser diode triggered by a short electrical pulse. However, as we carve qubits out of a laser beam with large coherence time using an intensity modulator, it is not fulfilled in our setup (more precisely, subsequent pulses are coherent). Yet, we point out that the solution to our problem is well understood and has been implemented before Zhao2007 : it simply requires adding a phase modulator that randomizes the global phase of each qubit.
The mean values of photons per pulse, as well as the encoded states are chosen randomly. No random choices have been implemented in our current proof-of-principle demonstration. Instead, we sent pulses with the same mean photon number and encoded the same qubit state during several minutes before changing the state or mean number. However, operating the phase and amplitude modulators that generate qubit states using adequate drivers connected to quantum random number generators is well understood Sasaki2011 , and meeting the requirement of random modulation is straightforward, though time consuming.
Alice and Bob generate qubits in states that are sufficiently close to those that form two maximally conjugate bases. These states were denoted in the main text as , , and , respectively. This assumption may currently not be satisfied (see ourModel for a detailed description of our experimental imperfections). For instance, considering states in different bases (for which the overlap should be 0.5), we find an average deviation of 0.074, and for different states in the same basis (for which we expect an overlap of zero), the average deviation is 0.013. According to the analyses in Wang2012 ; Tamaki2012 these overlaps, together with the current detector performance, are insufficient to securely distribute key. However, we point out that both proofs lead to very conservative bounds. For instance, the proof in Wang2012 requires a state generation procedure that artificially increases error rates and applies non-tight bounds, and hence underestimates secure key rates. We believe that future investigations will rapidly improve proof techniques and yield higher secret key rates (and result in secret key in cases in which current proofs predict no secret key). Furthermore, we note that straightforward technological improvements allow reducing the maximum deviation from the ideal overlap values to around 1 part in 1000. For instance, this can be accomplished by reducing ringing in our pulse generation by a factor of 5, and using commercially-available, state-of-the-art intensity modulators that allow suppressing the background by an additional 10-20 dB EOspace . In addition, using state-of-the-art detectors with 93% quantum efficiency and 1kHz noise Marsili2012 leads, according to simulation results with a theoretical model of MDI-QKD that we presented in ourModel , to secret key rates similar to or above the ones reported in the main document, even using the conservative approach in Wang2012 .
Sufficiently weak correlations between qubit states and all degrees of freedom not used to encode the qubit. In principle, the various states generated by Alice and Bob could have differences in other degrees of freedom (i.e. polarization, spectral, spatial, or temporal modes), which could open a security loophole Nauerth09 if not properly quantified and taken into account during privacy amplification. However, for MDI-QKD, the link between correlations with unobserved degrees of freedom and Eve’s information gain is not yet clear. In particular, correlations are likely to degrade the visibility of the BSM, thus creating observable errors. The upper bound on Eve’s information gain, possibly zero, can only be assessed using plausible arguments based on the actual implementation of the setup supplemented by careful measurements. For instance, in our implementation, the use of a single laser to generate all qubits states and of a single-mode fiber to transmit qubits from Alice, or Bob, to Charlie, respectively, makes it highly unlikely that correlation between states and photon spectra or spatial modes exist. Furthermore, careful programming of the function generator that generates all states through interaction with the same intensity modulator makes it very plausible that no temporal distinguishability is observable in our experiment. And finally, the polarization beam splitter at the exit of Alice’s and Bob’s laboratories ensures equal polarization of all time-bin qubit states.
Appropriate classical post-processing of the sifted key, i.e. error correction and privacy amplification. Note that while we have not implemented error correction, we have used a realistic estimation of the error correction efficiency Sasaki2011 to determine the potential secret key rate of our system. Furthermore, we did not consider finite key size effects in our proof-of-principle demonstration (in other words, we assumed that we could run our QKD devices during an infinitely long time and produce an infinite amount of measured data), which, in the case of MDI-QKD, have so far only been investigated using an overly conservative approach Song2012 .
A short secret authentication key exists before starting QKD. This key is used to authenticate the classical communication channel during error correction and privacy amplification. As we did not implement any of these post-processing steps, we did not need any pre-established secret key. In an actual implementation, this step can, for instance, be accomplished during a personal meeting between Alice and Bob.
We recall that some of the above topics are currently not as thoroughly studied for MDI-QKD as for prepare-and-measure QKD. However, the ability to close all side channels in measurement devices represents a significant step forward in closing the gap between theoretical security proofs and experimentally viable implementations. In particular, it has, for the first time, allowed for the development of security proofs in QKD that take arbitrary state generation and measurement errors into account, even though the efficiency of the current approaches can certainly be increased222In comparison, the only security proof for BB84 QKD dealing with arbitrary state generation errors at the source and arbitrary misalignment of the measurement bases is limited to individual attacks but does not apply to more powerful coherent attacks Woodhead2012 .. In addition, for actual key distribution, our experimental implementation has to be improved along the lines discussed above.
We leave these interesting and important topics for future investigations and emphasize that our work has focused on previously undemonstrated requirements for MDI-QKD, such as the Bell state measurement over deployed fiber, on improving the understanding of the capabilities and current limitations of our setup (including optimization and efficiency calculations of a decoy state analysis; for more information see ourModel ) and on experimental demonstrations of the protocol over various distances as well as over deployed, real-world optical fiber.
V Discussion of error rates
Let us briefly discuss the ideal case in which the quantum states encoded into attenuated laser pulses, as well as the projection measurements, are perfect. To gain some insight into how the difference in the error rates, , arises333Note when two superscripts, each one denoting a different basis, are present on variables, (e.g. , as above, or ), this is a shorthand for, e.g. and – that is, the statement is valid for both the z- and x-bases. Note that variables may take different values for each basis, e.g. . When this notation is used within an equation such as Eq. LABEL:eqn:photon_state, then the equation may be written for either the z- or x-basis., we consider only the most likely case that can cause the detection pattern associated with a projection onto (this projection occurs if the two detectors indicate detections with 1.40.4 ns time difference). Specifically, we consider only the case in which two photons arrive at the beam splitter. Note that these photons can either come from the same person, or from different persons.
z-basis: Assuming that Alice and Bob both prepare states in the z-basis, only photons prepared in orthogonal states can cause a projection onto . This implies that one photon has to come from Alice, and the other one from Bob (if generated by the same person, both photons would be in the same state). Hence, taking into account Bob’s bit flip, Alice and Bob always establish identical bits, i.e. .
x-basis: Assuming that both Alice and Bob prepare states in the x-basis, it is no longer true that only photons prepared in orthogonal states and by different persons can cause a projection onto . Indeed, if the two photons have been prepared by the same person, it is possible to observe the detection pattern associated with a projection onto . In this case, given that all detected photons have been prepared by either one or the other person, the detection does not indicate any correlation between the states prepared by Alice and Bob. In turn, this leads to uncorrelated key bits. Thus, is determined by the probability that one photon arrived from each person relative to the probability that two photons arrived from the same person. A detailed analysis for attenuated laser pulses with Poissonian photon number distribution, assuming an equal probability of photons arriving from either party, yields = 1/4.
- (1) N. Gisin, G. Ribordy, W. Tittel and H. Zbinden, Quantum cryptography. Rev. Mod. Phys. 74, 145–195 (2002).
- (2) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus and M. Peev, The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301–1350 (2009).
- (3) C. H. Bennett and G. Brassard, Quantum cryptography: public key distribution and coin tossing. Proc. Int. Conf. on Computer Systems and Signal Processing (Bangalore, 1984) (New York: IEEE), pp. 175-179.
- (4) P. W. Shor and J. Preskill, Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441-444 (2000).
- (5) D. Gottesman, H.-K. Lo, N. Lütkenhaus and J. Preskill, Security of quantum key distribution with imperfect devices. Quant. Inf. Comp. 4, 325-360 (2004).
- (6) D. Stucki, N. Walenta, F. Vannel, R. T. Thew, N. Gisin, H. Zbinden, S. Gray, C. R. Towery and S. Ten, High rate, long-distance quantum key distribution over 250 km of ultra low loss fibres. New J. Physics 11, 075003 (2009).
- (7) T. Schmitt-Manderbach, H. Weier, M. Fürst, R. Ursin, F. Tiefenbacher, Th. Scheidl, J. Perdigues, Z. Sodnik, J. G. Rarity, A. Zeilinger and H. Weinfurter, Experimental Demonstration of Free-Space Decoy-State Quantum Key Distribution over 144 km. Phys. Rev. Lett. 98, 010504 (2007).
- (8) M. Sasaki et al. Field test of quantum key distribution in the Tokyo QKD Network. Opt. Express 19 (11), 10387-10409 (2011).
- (9) http://www.idquantique.com, http://www.magiqtech.com.
- (10) G. Brassard, N. Lütkenhaus, T. Mor and B. C. Sanders, Limitations on practical quantum cryptography. Phys. Rev. Lett. 85, 1330-1333 (2000).
- (11) A. Lamas-Linares and C. Kurtsiefer, Breaking a quantum key distribution system through a timing side channel, Opt. Express, 15 (15), 9388-9393 (2007).
- (12) Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen and H.-K. Lo, Quantum Hacking: Experimental demonstration of time-shift attack against practical quantum key distribution systems. Phys. Rev. A 78, 042333 (2008).
- (13) L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar and V. Makarov, Hacking commercial quantum cryptography systems by tailored bright illumination. Nature Photonics 4, 686–689 (2010).
- (14) L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar and V. Makarov, Thermal blinding of gated detectors in quantum cryptography. Opt. Express 18 (26), 27938-27954 (2010).
- (15) W. Hwang, Quantum key distribution with high loss: Towards global secure communication. Phys. Rev. Lett. 91, 057901 (2003).
- (16) X. Wang, Beating the photon-number-splitting attack in practical quantum cryptography. Phys. Rev. Lett. 94, 230503 (2005).
- (17) H.-K. Lo, X. Ma and K. Chen, Decoy state quantum key distribution. Phys. Rev. Lett. 94, 230504 (2005).
- (18) H.-K. Lo, M. Curty and B. Qi, Measurement-device-independent quantum key distribution. Phys. Rev. Lett. 108, 130503 (2012).
- (19) S. L. Braunstein & S. Pirandola, Side-channel-free quantum key distribution. Phys. Rev. Lett. 108, 130502 (2012).
- (20) C. H. Bennett, G. Brassard and N. D. Mermin, Quantum cryptography without Bell s theorem. Phys. Rev. Lett. 68, 557-559 (1992).
- (21) W. Tittel and G. Weihs, Photonic entanglement for fundamental tests and quantum communication. Quant. Inf. Comp. 1(2), 3-56 (2001).
- (22) E. Biham, B. Huttner and T. Mor, Quantum cryptographic network based on quantum memories. Phys. Rev. Lett. 54, 2651-2658 (1996).
- (23) H. Inamori, Security of Practical Time-Reversed EPR Quantum Key Distribution. Algorithmica 34, 340-365 (2002).
- (24) X.-B. Wang, Three-intensity decoy state method for device independent quantum key distribution with basis dependent errors. http://arxiv.org/abs/1207.0392.
- (25) N. Sangouard, C. Simon, H. De Riedmatten and N. Gisin, Quantum repeaters based on atomic ensembles and linear optics. Rev. Mod. Phys. 83, 33-80 (2011).
- (26) C. K. Hong, Z. Y. Ou and L. Mandel, Measurement of subpicosecond time intervals between two photons by interference. Phys. Rev. Lett. 59, 2044-2046 (1987).
- (27) L. Mandel, Photon interference and correlation effects produced by independent quantum sources. Phys. Rev. A 28, 929-943 (1983).
- (28) A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez and W. Tittel, Modelling MDI-QKD http://arxiv.org/abs/1204.0738.
- (29) Z. L. Yuan, A. W. Sharpe, J. F. Dynes, A. R. Dixon and A. J. Shields, Multi-gigahertz operation of photon counting InGaAs avalanche photodiodes. Appl. Phys. Lett. 96, 071101 (2010).
- (30) F. Marsili, V. B. Verma, J. A. Stern, S. Harrington, A. E. Lita, T. Gerrits, I. Vayshenker, B. Baek, M. D. Shaw, R. P. Mirin and S. W. Nam, Detecting Single Infrared Photons with 93% System Efficiency. arXiv:1209.5774 (2012).
- (31) I. Lucio-Martinez, P. Chan, X. Mo, S. Hosier and W. Tittel, Proof-of-concept of real-world quantum key distribution with quantum frames. New J. Phys. 11, 095001 (2009).
- (32) F. Bussières, J. A. Slater, J. Jin, N. Godbout and W. Tittel, Testing nonlocality over 12.4 km of underground fiber with universal time-bin qubit analyzers. Phys. Rev. A 81, 052106 (2010).
- (33) L. Masanes, S. Pironio and A. Acín, Secure device-independent quantum key distribution with causally independent measurement devices. Nature Communications 2, 238 (2011).
- (34) E. Woodhead and S. Pironio, Effects of preparation and measurement misalignments on the security of the BB84 quantum key distribution protocol. arXiv:1209.6479 (2012).
- (35) Y. Zhao, B. Qi and H.-K. Lo, Experimental quantum key distribution with active phase randomization, Appl. Phys. Lett., 90 (4), 044106 (2007).
- (36) K. Tamaki, H.-K. Lo, C.-H. F. Fung and B. Qi, Phase encoding schemes for measurement device independent quantum key distribution and basis-dependent flaw. arXiv:1111.3413 (2012).
- (37) http://www.eospace.com
- (38) S. Nauerth et al. Information leakage via side channels in freespace BB84 quantum cryptography. New J. Phys. 11, 065001 (2009).
- (39) T.-T. Song, Q.-Y. Wen, F.-Z. Guo and X.-Q. Tan, Finite-key analysis for measurement-device-independent quantum key distribution, Phys. Rev. A 86, 022332 (2012).