Category Archives: Story of the month

Story of the month: Secure Digital Communications


Since the rise of the internet people around the world found themselves with the opportunity to communicate with anyone at any time. Any message is transformed into a binary string and sent through different means of telecommunication (satellite, fibre, etc…) over the internet network. However, this powerful technology comes at a price. Whoever would tamper the communication link would find himself able to read whatever message is passing through it and if confidential or sensitive information is needed to be transfer this would imply an impossibility to use such a link. For this reason, each message sent in the network must be encoded so that only the transmitter and receiver of the information will be able to read it.

How to encode a message is the topic of interest of Cryptography, the art of hiding a message, that has been around for millennia. Nowadays, the most common encoding schemes are the so called public key schemes, where a public key is broadcasted by a service provider and anyone with it could encode a message, however the only one able to read it is the possessor of the private key. Meaning that the communication can be left secure if the private key is kept secret. These protocols, however, rely on the assumption that the computational power of a possible eavesdropper is limited. In fact, in principle, from the public key it would be possible to retrieve the private one, the task is however computationally challenging, and it is usually set such as no current technology could crack it in a reasonable time. This means that the security of public key encryption schemes does not rely only on the privacy of the private key but also on the limitation of the technology of a possible adversary.

Figure 1 Simple example of a one-time pad encryption scheme
Figure 1 Simple example of a one-time pad encryption scheme

Cryptography however helps us once again. There exist in fact a protocol which requires only the privacy of a private key in order to be information theoretically secure. This protocol is known as the One Time Pad (see Figure 1) and works as follows. Two honest parties are in posses of a secret key k (a binary string of dimension n). One of the two can then encode a message m (of dimension n) just be applying an xor operation between the two strings and sending the resulting cypher-text c = k + m (modulo 2) through the channel. If k is private it will be known only by the two honest users and look completely random to any other listener of the communication. This fact is translated also for c, meaning that the cyphertext just look like a random string to anyone oblivious to the original key. This protocol seems to solve all the problem of the previous public key encryption scheme. However, there are two major constraints that must be respected for it to work.

  • The key must be randomly generated and used only once (from this the name One Time Pad).
  • The key must be in possession of the two honest parties.

Since each key can be used only once (a repeated key uses will breach some information to a carful adversary) new keys must be generated at each communication rounds. Randomness moreover must be ensured so that no one could foresee which key is produced. However, classical physics is deterministic meaning that knowing the initial conditions of a system would result into knowing the results of the whole process. Meaning, that we need another theory in order to guarantee the randomness of the generated key.

On the other hand, the key in the onetime pad should have the same length as the message and should be private once generated. This means that the two honest parties must exchange the key beforehand and keep it secret. But how can they share it if they are far from each other? Should they meet and exchange it before? If this was the case, they would as well exchange the message itself! Unfortunately, classical information theory does not help in this regard. We need a new physics in order to do it as in the previous case.



Luckily, both issues stated before are solve using quantum mechanics. In fact, in this theory there are some very useful properties that help a lot the establishment of a secure and remote communication.

First, in quantum mechanics the result of some measurement (when the state prepared, and the measurement are not compatible) are intrinsically probabilistic. Meaning that no observer that abides to the laws of physics can foresee the results of these experiment, even if all initial conditions are known. By tailoring an experiment to work in this way we can generate genuine randomness that no third malicious party can have any information on.

Figure 2 Quantum state cannot be copied while transmitted in between the two honest parties.
Figure 2 Quantum state cannot be copied while transmitted in between the two honest parties.

Second, certain sets of quantum states cannot be copied (see Figure 2). This property can be used for the broadcast of the key between two remote parties. In fact, as for the case before, any observer that is limited by physics cannot gain any information on the transmitted key. In fact, intuitively, since it cannot copy the state it has to measure it while the state it’s transmitted. This will cause the state to be altered and with a certain probability to produce a mistake at the receiver side. By measuring the amount of error occurred during transmission the two honest parties Alice and Bob can estimate how much information was stolen by the adversary, and by using a procedure called privacy amplification they can reduce this information to zero.

In the next sections we are going to investigate the recent developments in these two subjects that are known as Quantum Random Number Generation and Quantum Key Distribution, respectively.



Figure 3 Simple QRNG implementing a single photon source, a beam splitter and two single photon detectors.
Figure 3 Simple QRNG implementing a single photon source, a beam splitter and two single photon detectors.

A simple example that can be given for quantum random number generator is the following: Let us imagine producing a simple photon (the most elementary part of the light) and send through a 50/50 beam splitter (see Figure 3). This element divides the incoming light in equal parts in the two outputs of the element. If a photon it is sent and two single photon detectors are used in order to collect the light at the outputs of the beam splitter, with a probability of 50% one or the other detector will click. This event is completely random and cannot be foreseen by anyone.

This simple device could in principle solve the problem of random generation of itself. However, in practice all the elements presented before could have some imperfections. Deterministic and reliable single photon sources are difficult to realize and not very performant (with respect to the bits generation rate need for secure communication). Often these sources are replaced with lasers that produced what is known as coherent states. Moreover, single photon detectors, even the best, do not have a unitary efficiency and are influenced by noise. All these imperfections must be considered, to estimate how many bits produced are due to quantum mechanical phenomena. This have the consequence of needing a precise characterization of the experiment.

Figure 4 Scheme of a semi-device independent device, where the grey box on the left represents the partially trusted source and the black box on the right represents the untrusted measurement.
Figure 4 Scheme of a semi-device independent device, where the grey box on the left represents the partially trusted source and the black box on the right represents the untrusted measurement.

In the recent years a new approach has been developed. The idea is to have a quantum random number generator that is easy to implement, with good performance and that needs a minimum amount of characterization of the devices involved in the experiment. The idea comes originally from the work of J.B. Brask, A. Martin et al. Phys. Rev. Applied 7, 054018 (2017). This work implements a prepare and measure system where we would like to leave the measurement box completely untrusted (see Figure 4). The only assumption that would be made is on the input state, more precisely on the overlap of the two input states prepared . By bounding this quantity, we make the states not deterministically distinguishable, meaning that no physical measurement could distinguish between them with 100% precision. Either, we must allow for some errors, or we must allow the measurement device to give an inconclusive event from time to time. These spurious events must be random, in fact, if the were not they could be avoided leading to a better distinguishability and finally to a perfect discrimination of the two state which is a contradiction to the theory, meaning that errors and inconclusive events are intrinsically random. The discrimination efficiency can be measured by the input/output probabilities  and this can be used to infer the amount of secure and quantum genuine bits that are produced by the experiment.

On this basis many recent experiments have been developed in the past few years, for example: D. Rusca, Phys. Rev. A 100, 062338 (2019) where the implementation of a Kennedy detector allowed for an implementation where the main assumption was just the average energy of the prepared states. On the same line in the work of D. Rusca, Appl. Phys. Lett. 116, 264004 (2020) the same protocol was implemented in a Homodyne detection scheme were the rate of 145.5 MHz genuinely quantum random bits was achieved.



Now that we have shown a mean to produce genuinely random sequence of bits, we remain with the problem of how to distribute them to two remote trusted parties. This problem is the subject of studies of quantum key distribution (QKD). QKD has its origin with the first and most popular quantum cryptographic protocol of C. H. Bennet and G. Brassard of 1984, known as BB84. Since then many protocols have been developed and investigated. Moreover, a broad field of studies has been sprout trying to prove the security of all these protocols against all possible hacking attacks of third malicious parties.

Nevertheless, the BB84 remains one of the most used and studied protocols even today, given its simplicity of implementation and the good performance that it can achieve in transmitting secure secret strings of bits. For this reason, it is interesting to revise how it works and to see what kind of changes and improvements have been done on it during the years.

The protocol BB84 is what is known as a prepare and measure scheme. One of the two parties (Alice) prepares the sequence of random bits, it encodes it in some quantum states and sends it to the receiving party (Bob) that measures them. In BB84 Alice can chose between two non-compatible bases in the Hilbert space of dimension two, usually these bases are the Z basis (eigenstates  and ) and the X basis (eigenstates  and  ) which eigenstates are a superposition of the previous basis. Intuitively this means that if a state of one basis is prepared and the measurement of the other basis it performs the result will be with 50% probability a mistake. The simplicity of the abstract protocol is undermined by the fact that it needs to exploit a Hilbert space of dimension two. If light is used to transmit the information, which is a very reasonable choice when tele-communications are considered, this is equivalent to prepare a single photon. Unfortunately, reliable deterministic single photon sources are not yet available. For this reason, currently most of experimental QKD implementations rely on the use of coherent states, easily produced by a laser source.

Coherent state BB84 have been one of the most interesting topics of interest for QKD in the past decades, and today it is one of the most preferred choice in commercial implementations. In order to achieve long distance security, however, another modulation must be added to the general scheme: the decoy-state method. In fact, by modulating the intensity of the coherent states prepared, it is possible to infer the fraction of secure single photon states exchanged by Alice and Bob and use once again the security proof for the original BB84.

Figure 5 Simple setup for the QKD protocol with 3 states prepared by Alice, 3 state detected by Bob and 2 decoy state intensities.
Figure 5 Simple setup for the QKD protocol with 3 states prepared by Alice, 3 state detected by Bob and 2 decoy state intensities.


The most common decoy state BB84 uses four encoding states (using two orthogonal modes of light, e.g. polarization, time, phase) and three possible intensities for the decoy state modulation, where one is simply the vacuum. This means that in order to implement this protocol a total of nine different states must be prepared. In the past years however, it was discovered that it is not necessary to send all four encoding states of BB84 and only three are enough (see K. Tamaky Phys. Rev. A 90, 052314 (2014)). Moreover, in 2018 it was shown that a less popular decoy state method that uses only two intensity in the finite key regime was performing better than its more popular and complex counterpart (see D. Rusca Appl. Phys. Lett. 112, 171104 (2018)). Another recent simplification on this protocol was to allow Bob to discriminate unambiguously only three state out of the total four prepared usually (see D. Rusca Phys. Rev. A 98, 052336 (2018)). All these simplification of the original decoy-state BB84 allowed for the development of a recent time bin encoded QKD experiment (see Figure 5) that proved the secure transmission of a secret key over the distance of 421 km of ultra-low-loss fibre (see A. Boaron Phys. Rev. Lett. 121, 190502 (2018)).



In this brief document we tried to show how useful the properties of quantum mechanics are when used for secure communications. On one side the probabilistic nature of this theory allows for almost perfect random number generators which results no one could foresee. On the other side, quantum mechanics allows for private and secure key distribution for remotely position trusted parties, were any adversary abiding to the laws of physics cannot steal any information.

Thanks for  your interest,

Davide Rusco



Story of the month: Quantum Cryptography using Quantum Computational Timelock


Quantum Key Distribution (QKD) enables secure key agreement with information-theoretic security. This is in contrast with classical key agreement protocols whose security is based on computational hardness conjectures. Hence, QKD can offer a distinctive security advantage over classical techniques, particularly in contexts where long-term security is sought.

Current QKD systems have now reached performance levels essentially comparable to the fundamental limits on the secret capacity. This indicates the impressive technological maturity that quantum communications engineering has reached. Conversely, this also fundamentally limits our hope to experience large performance gains for QKD in the future. Extending the functionality and overcoming the performance limitation under which QKD can operate requires either quantum repeaters or new security models.

We address this issue in an alternative way by investigating the latter option. Our approach consists of devising a new security model that leverages short-term computational security and noisy quantum storage to boost the performance and functionality of quantum-based key agreement. Interestingly, although our proposed model is weaker than the unconditional security, it provides everlasting security, i.e., security of key establishment against a computationally unbounded adversary, provided an initial ephemeral encrypted communication cannot be broken within a short time. As everlasting security is not achievable using computational constructions, our hybrid approach can claim a strict security gain compared to classical techniques, in addition to significantly extending the performance envelope.


A timelock is a part of a locking mechanism commonly found in bank vaults and other high-security containers, designed to prevent the opening of the safe or vault until it reaches the preset time. An authorized employee of the bank can open the vault. However, any unauthorized thief or attacker trying to break into the vault cannot open it before this preset time. Combined with an extra security mechanism, such as an alarm alerting the Sheriff, the time-lock forms a very effective security mechanism. Quantum Computational Time-lock construction will essentially follow the same principle; however, in that case, a computational one-way function will play the role of the time-lock mechanism, while the decoherence (of quantum storage) plays the role of the Sheriff.

Quantum Computational Timelock security model

We introduce a novel security model, the Quantum Computational Timelock (QCT) security model, which consists of two nested assumptions:

  1. Alice and Bob are assumed to have access to an encryption scheme, computationally secure for a short time, to do private communication against Eve.
  2. Eve’s quantum memory is decohering over time such that computationally secure encryption may only be broken after time much longer than the coherence time of available quantum memories.

These assumptions, in particular, are well motivated by reality, as the coherence time of a state-of-the-art quantum memory, O(1) sec, is much smaller than the computational time,  ~30 years, for which a current classical cryptographic scheme is secure.

Assumptions in QCT security model: (a) Short-term secure encryption (b) Time-limited quantum memory.
Assumptions in QCT security model: (a) Short-term secure encryption (b) Time-limited quantum memory


MUB-QCT Key distribution in the QCT security model

We present a novel key distribution protocol in the QCT security model. We call it the MUB-QCT protocol, where two essential ingredients used are a complete set of mutually unbiased bases (MUB) and a full set of pair-wise independent permutation.

Alice and Bob, who have access to short-term secure computational encryption, use it to exchange the basis information (a MUB and a permutation, chosen randomly) over a classical channel. The key bit is encoded onto a quantum state of a d-dimensional Hilbert space using this basis. The quantum state is then sent over a quantum channel by Alice, received, and decoded by Bob by measuring on the exchanged basis. After n channel uses the raw keys are exchanged, and finally, Alice and Bob perform classical post-processing on their exchanged raw keys and transform them into a pair of secret keys.

MUB-QCT protocol: (a) Key distribution protocol between authorized party Alice and Bob, (b) Reduction of Eve's attack strategy to immediate measurement, corresponding to to accessing the output of a strong QC-extractor based on full set of MUBs
MUB-QCT protocol: (a) Key distribution protocol between authorized party Alice and Bob, (b) Reduction of Eve’s attack strategy to immediate measurement, corresponding to access the output of a strong QC-extractor based on a full set of MUBs.

The optimal attack strategy for non-authorized party Eve consists of an immediate measurement followed by classical post-processing on measurement data. This strategy is known as state discrimination with post-measurement information as described.  Moreover, this optimal eavesdropping strategy reduces accessing the output of a strong Quantum to Classical randomness extractor (QC-Extractor)  based on a full set of MUBS.

The main requirement to prove the security of the MUB-QCT protocol is to bound Eve’s mutual information I(X; Z). Following the optimal eavesdropping, we can achieve this in the QCT security model by only considering the input state and establish I(X; Z) ~ O(1/d).

Comparison of prepare and measure HD-QKD with MUB-QCT.
Comparison of prepare and measure HD-QKD with MUB-QCT.

Performance Analysis

High dimensional encoding in the MUB-QCT protocol allows high resilience to noise by offering a maximum tolerable error rate of up to 50% for large d.

The MUB-QCT protocol’s detectors requirement remains fixed, i.e., two detectors (to distinguish a bit), irrespective of d. This significantly relaxes resource requirements compared to HD-QKD schemes, which require d-single-photon detectors.

In the MUB-QCT protocol, Eve’s information can be upper bounded only by considering the state that Alice inputs. Consequently, the implementation of Bob’s measurement device is not required to be trusted to guarantee security.

MUB-QCT with multiple quantum state copies

We also explore if the MUB-QCT protocol offers high tolerance to the channel loss incurred at long-distance by transmitting multiple photons per channel use. We prove that under a restricted scenario, where Eve proactively measures each copy in a different MUB followed by post-measurement classical decoding, the MUB-QCT protocol allows performing secure key distribution with input states containing up to O(d) photons. Implying, a significant performance increase, characterized by an O(d)-multiplication of key rates.

Key rate per channel use as a function of distance, for proactive MUB measurement strategy. Curves are plotted for different values of $d$, by maximizing the key rate against the photon number $m$. The parameters assumed in the plots are: Loss $0.2$dB/Km; $P_{dark}=10^{-6}$; efficiency of detectors $\eta=25\%$; visibility $V=98\%$. Since MUB-QCT can be implemented with 2 detecttion modes (2-single photon detectors) we also plot 2-modes PLOB bound as a benchmark.
Key rate per channel use as a function of distance for proactive MUB measurement strategy. Curves are plotted for different values of d by maximizing the key rate against the photon number $m$. The parameters assumed in the plots are Loss 0.2dB/Km;  dark count rate 10^{-6}; efficiency of detectors 25%; visibility 98%. Since MUB-QCT can be implemented with 2 detection modes (2-single photon detectors), we also plot 2-modes PLOB bound as a benchmark.

Moreover, the possibility of sending multiple copies of the quantum state per channel use can be averaged to realize multiparty key distribution. In principle, Alice can transmit m copies to up to m authorized Bobs, allowing them to distill the same key.

However, the security analysis presented so far does not account for general attacks (collective measurements and adaptive strategies). We do not know if the proactive MUB measurement is optimal. Thus, the question of the optimal attack in the multiple copy case remains open and a direction for our future work.


We proposed a new Quantum Computational Timelock (QCT) security model. We assume that an encryption scheme is computationally secure for a short time, much longer than the coherence time of available quantum memories. The notion of short-term secure encryption is similar to the notion of time-release encryption (TRE). In contrast, the notion of time-limited quantum memory is similar to quantum storage in the noisy storage model.

We constructed the MUB-QCT key distribution protocol using a complete set of Mutually Unbiased Bases (MUBs). We prove the security by upper bounding Eve’s information as I(X; Z)~ O(1/d) for the optimal eavesdropping attack strategy, which reduces access to the output of a strong QC-extractor. Moreover,  Alice can send O(d) copies per channel use when Eve is restrictive to perform proactive MUB measurements. As a result, the protocol offers high resilience to error (up to 50% for large d) with fixed hardware requirements, measurement device-independent (MDI) security which relaxes some significant engineering constraints concerning quantum key distribution (QKD), and O(d) multiplication of key rates.

Our work is particularly related to  Quantum data locking, where the security against an adversary with time-limited quantum memory can be proved by upper bounding the accessible information. However, existing work on quantum data locking is restricted to single-photon encoding. It cannot extend the distance or resort to constructions based on random coding arguments for which practical implementation with structured measurement is not possible.

Hence, our results illustrate that hybrid approaches to quantum cryptography might constitute a practical and promising route to extend the performance and functionality of quantum cryptography while still guaranteeing everlasting security, which is not achievable through classical means.

Story of the month: Overcoming the limitations of quantum key distribution protocols


As we live in the era of internet, online shopping/banking, it is basically an everyday task to enter our passwords and credit card data on different websites. The encryption (so that a malicious third party cannot infer our actual data) of this sensitive data that we send throughout the internet is based on the fact that some mathematical problems are extremely difficult to tackle with our current computers. Specifically, it is practically impossible to factorize very large numbers. However, in the other direction, if a factor is known then it is really easy to determine its cofactor. This asymmetry in the difficulties can be converted into the most widely used public key cryptosystems, which is called RSA, after its inventors.

The natural (quite disturbing) question arises whether this kind of cryptosystem is going to stay secure in the future knowing how fast technology is advancing. It is even scarier if one considers the progress on the development of quantum computers. With quantum computers the task of factorizing large numbers becomes exponentially faster with the so-called Shor’s algorithm.

Solution: Quantum key distribution (QKD)

In 1984, with the appearance of the famous BB84 protocol, it became clear that quantum mechanics can be used to fight against the threat that comes with future quantum computers. With encoding information into quantum systems and performing quantum mesurements on them can in principle be used to create a secret key between two distant parties (usually called Alice and Bob). This method is called quantum key distibution (QKD), which can achieve an identical, random and secret bit string (consting of 0-s and 1-s) between Alice and Bob via the most fundamental laws of quantum physics thus security is no longer based on computational assumptions (opposed to RSA). This resource then can later be used to encrypt the messages with the so-called one-time-pad (OTP), that is, Alice adds the key to her message (also consisting of 0-s and 1-s) bitwise modulo 2 (which basically means that 1+1=0). Thus Bob can decrypt the encrypted message by adding the same key bitwise to the encrypted message.

The security is based on the no-cloning theorem, stating that it is impossible for an eavesdropper to make perfect copies of arbitrary quantum states. Note that for classical bits copying is possible, therefore this is an apparent advantage that quantum mechanics offers.

Some difficulties of QKD: Repeaterless bound and source imperfections

The idea of QKD is relatively simple and elegant but in order to be a mature technology that can be deployed world-wide for everyday use, it has to overcome some limitations. In my research I try to come up with solutions in order to improve the performance of different QKD protocols, or at least to identify their limitations. The performance of a QKD protocol is characterized by its secret key rate, that is the number of secret key bits a certain protocol can generate per transmitted signal.

Repeaterless bound

One important theoretical limitation on the performance of point-to-point (when the parties are directly connected via a quantum channel that can be for example an optical fiber, or even free space) QKD protocols is the so-called repeaterless bound. This bound for the achievable secret key rate is exponentially decreasing with the distance for long distances as it can be seen in Figure 1 (note the logarithmic scaling). This is caused by the fact that the probability that a photon survives travelling through the optical fiber connecting the parties decreases exponentially with the length of the fiber, this probability is called channel loss. As this is a very stringent limitation, it has to be overcome if long distances have to be covered by point-to-point QKD and one desires to have a reasonable secret key rate.

Figure 1. The repeaterless bound
Figure 1. The repeaterless bound

It is clear that intermediate nodes (repeater stations) between the parties have to be introduced to go beyond the repeaterless bound so that the photons do not have to cover the full distance between the parties (but only the half of it) to be useful for generating a secret key bit. If the channel loss corresponding to an optical fiber of length L is t then the channel loss for the half of the fiber is the square root of t.

The most recent solution to surpass the repeaterless bound is the so-called twin-field QKD (for more information see the spotlight article by ESR Mirko Pittaluga).

In my research, however, I focused on other types of approaches in order to overcome the repeaterless bound. The first one is a kind of adaptive QKD protocol, that is schematically depicted in Figure 2. The main point here is that the key generation process (denoted by BM in Figure 2) is only performed between successfully arriving photons (sccessful arrival is checked by the QND module), therefore, the key rate increases as every key generation trial is between actual signals that reached the middle station C. Otherwise it would be possible that a photon is lost on one side, which is not sufficient for establishing correlation between the parties.

Figure 2. The schematic layout of the adaptive QKD protocol. Figure taken from !paper!
Figure 2. The schematic layout of the adaptive QKD protocol. Figure taken from this paper.

For the original proposal in Figure 2, idealized devices were assumed (e.g., perfect single-photon sources) and the authors showed that it is possible to overcome the repeaterless bound with this protocol.

In our work, we calculated the secret key rate of the original protocol if the idealized single-photon sources are substituted by the practical (and widely available) parametric down-conversion (PDC) sources (which sometimes emit two or more photons pairs). We found that with PDC sources the protocol is no longer capable of overcoming the repeaterless bound. Thus the performance is very sensitive to the imperfections of the devices.

In, we investigated the performance of the protocol depicted in Figure 3, which is very similar to the protocol from Figure 2, but it is without QND modules and instead so-called quantum memories (QM) are applied in order to overcome the repeaterless bound. The QMs are able to store a quantum signal, therefore a quantum signal on one side can patiently wait until the signal from the other side successfully arrives and then a BM module carries out secret key generation. The working principle is the same as before, making sure that the key generation is only performed between actual signals.

Figure 3. Schematic layout of the Quantum memory assisted protocol.
Figure 3. Schematic layout of the Quantum memory assisted protocol.

We characterized the necessary experimental parameters for the protocol to beat the repeaterless bound as a function of the applied QM pairs. The most important parameter of the devices is the dephasing time constant of the QMs, which describes how fast the stored quantum state changes over time (so higher quality memories have higher dephasing time constant as this depahsing leads to errors). We found that the requirement for the dephasing time constant of the QMs can be relaxed significantly if the number of QM pairs increases. But even with a lots of memory pairs it is far from trivial to overcome the repeaterless bound with current technology using this QM based protocol.

Source imperfections

The ideal information carriers for QKD protocols would be single-photons as a single-photon is a quantum mechanical object that cannot be copied due to the no-cloning theorem, however, in practice it is really challenging to implement on-demand perfect single-photon sources. Therefore, in the lab, the desired single-photon sources are approximated by dim laser pulses, but sometimes these pulses contain more than one photon. Whenever this happens, the information is not encoded only into a single entity but it is inherently duplicated so an eavesdropper Eve (who is only limited by the laws of quantum physics) can take one photon out of the two or more photons and keep it to herself thus she will have the same information carrier as Bob so the security of the protocol is compromised. This is called the infamous photon number splitting (PNS) attack. This means that additional techniques have to be applied to avoid the possibility of such an attack.

A simple protocol to fight against the PNS attack is the coherent-one-way (COW) protocol since it encodes the information coherently between different laser pulses and at the receiving end Bob checks that such coherence is kept. The PNS attack breaks this coherence, so the COW protocol should be able to detect it. Long distance experiments and even commercialized products have appeared based on this scheme.  We show that, despite of its popularity, the COW scheme is not robust against other type of attacks.

Here, we designed an attack against the COW scheme, proving that all implementations of this protocol reported so far in the scientific literature are actually insecure. The attack is based on a technique called unambiguous state discrimination (USD). With USD it is possible to discriminate the different quantum signals (that Alice sends) without misidentifying them. This comes at the cost of sometimes obtaining an inconclusive result. If Eve applies this strategy in a clever way, she can remain undetected for the parties (she will not break the coherence between the signals) since she never makes a mistake in identifying the states. In this attack she measures all the quantum signals coming from Alice to Bob and based on her measurement results she prepares new signals that she sends to Bob.

The evaluation of our attack appears in Figure 4, where one can see that the attack can provide better values for both of the monitored quantities (quantum bit error rate and the visibility that describes how the adjacent coherent laser pulses by Alice interfere with each other) than what can be achieved in the actual experiment, which makes it insecure.

Figure 4. The stars represent the values achieved in the experiment, the curves represent the performance of our attack.The two different lines correspond to the two different intensity settings that Alice uses. The smaller gain values basically mean longer distances.
Figure 4. The stars represent the values achieved in the experiment, the curves represent the performance of our attack.The two different lines correspond to the two different intensity settings that Alice uses. The smaller gain values basically mean longer distances.

The most important consequence of our attack is that we showed that the secret key rate of the COW protocol is proportional to at most the square of the channel loss between the parties so its performance is much worse than what had been thought before.


We have seen that improving the performance of QKD protocols is an important task towards building a global quantum communication infrastructure for communications, which could be the remedy for the threat on the secrecy of our communications by future quantum computers. But at the same time it is a challenging task due to, for example, the difficulties attributed to theoretical limitations like the repeaterless bound or to the fact that the real-life devices used in an implementation are always imperfect. We have also seen that the popular COW protocol is not an appropriate candidate for long distance QKD.

Story of the month: Free-space Quantum Key Distribution

The art of communication


Ever made a call over the internet, sent an email, or transferred money to another account? The information age has revolutionized many aspects of our lives. With the introduction and expansion of computers and networks in the mid-20th century, a new world of possibilities is brought into perspective, and innovations expanded and eased the life of every one of us. This happened not only because of the fast growth of the global networks and miniaturizing computers, but also, we owe it to the advances in another field, cryptography. Transmitting information is not enough if that information contains sensitive data such as personal info, bank, health, etc. Data that needs to be known only by certain people or organizations.

Cryptography is a set of techniques that allows us to transmit data faithfully and securely between two or more parties in the presence of adversaries. Current cryptographic schemes, which are known as classical cryptography, are proved to be effective and efficient and their resilience against attacks performed with the most powerful computers is guaranteed. However, we are on the verge of the next technological breakthrough. Quantum computers, powered by peculiarities in quantum mechanics, can in fact demolish the current cryptographic techniques as they are very powerful and faster in performing certain tasks. Quantum computers are not ready yet, but this issue has brought much attention and scientists are preparing for the post-quantum era.

One approach, allowed by the laws of quantum mechanics, is called quantum cryptography. In this short article, I am going to introduce new progress in realizing and implementing quantum cryptographical systems.

Classical vs. Quantum Cryptography

Cryptography is a set of techniques and mathematical algorithms to encrypt data, prior to storing or transmission, such that its content is safe against unwanted access. These techniques are mostly evolved based on computational hardness assumptions. In simple words, these mathematical algorithms are very hard, but not impossible, to be reversed without having access to extra information about the encrypted data. This makes trying an attack, in a reasonable time, impractical and pointless. This being said, the security stems from this type of algorithms highly depends on computational power.

Quantum cryptography, on the other hand, is an information-theoretic secure scheme. It means an adversary cannot break the encryption and access to data no matter how powerful he is. However, the practical realization of quantum cryptography in communication, known as quantum key distribution (QKD), capable of supporting the vast amount of data we are transmitting every second is a hard task.

Why is it hard to do Quantum Key Distribution?

The difference between classical and quantum cryptography roots in the logic and idea behind them. In classical cryptography, data is encrypted at the transmitter and decryption happens upon receiving the data. This allows transmitting the encrypted information at arbitrary power. Imagine classical cryptography as a radio station with the only difference that the message broadcasted in every direction is encrypted. While it can be collected by anyone, only he who has access to the encryption key can decrypt it and actually read the data. Furthermore, to cover longer distances, it is only required to increase the signal power, or amplifies it on the way to the receiver, to overcome the loss that happens in transmission. For this, the distance does not pose a serious limitation on the rate at which data transmission can be done.

In quantum key distribution, on the other hand, information is encoded in the single quanta of light, called photons and the channel is called quantum channel. In order to prevent revealing the information by an adversary or tampering with the data, the intensity of signals is extremely low, and in the regime that laws of quantum mechanics hold. In this regime, quantum mechanics ensures the security of communication.

Transmission of such weak signals is challenging. Optical fibers that are common in classical communications is the first candidate for the quantum channel. Unfortunately, optical fibers suffer from loss which limits their practical application. QKD was successfully performed in a distance over 400 km, however, the rate is not yet sufficient for daily applications. The achievable rate is mainly limited by the loss and noise in the transmission line, the quantum channel, which leads to the loss of photons.

Free-space Quantum Communication

The barrier on the attainable rate in QKD put by loss in optical fibers can be overcome using the free-space channel as the quantum channel. In this case, photons are sent through free-space to the receiver. The main advantage of the free-space channel is the lower loss values that photons experience in free-space, although exploiting this type of channel for QKD introduces new challenges. Free-space QKD, and in particular, ground-satellite-ground channels opens the room to perform QKD in intercontinental distances, something that is not possible over fiber optics. QKD was performed between two ground stations establishing a free-space channel as well as ground-to-satellite in more than 1000 km. In our group, we are focused on performing QKD over free-space as well as fiber optics. We aimed to tackle the loss issue by establishing a free-space channel and realizing QKD over it. This work is the first integration of QKD and silicon-photonics, a highly promising approach in going towards compact, light, and low-power-consuming devices. The stability of the system and noise reduce the efficiency of a QKD system. In our group, we demonstrated a series of new techniques and performed a field-trial to put our system to test in a real-world situation.

Quantum key distribution is one of the first commercialized quantum technologies, yet, there is still much to do. The future global network is envisaged a world-wide coverage of quantum secure channels and to reach that goal, many obstacles need to be overcome.