**“Simple and Tight Device-Independent Security Proofs”** by Rotem Arnon-Friedman, Renato Renner and Thomas Vidick

Monday, 11:25 a.m. – Slides / Video

*Winner of the QCrypt Student Paper Prize*

Device-independent (DI) cryptography aims at achieving security that holds irrespective of the quality, or trustworthiness, of the physical devices used in the implementation of the protocol. Such a surprisingly high level of security is made possible due to the phenomena of quantum non-locality. The lack of any a priori characterization of the device used in a DI protocol makes proving security a challenging task. Indeed, proofs for, e.g., DI quantum key distribution (DIQKD) were only achieved recently and result in far from optimal key rates while being quite complex.

In this work we show that a newly developed tool, the “entropy accumulation theorem” of Dupuis et al., can be effectively applied to give fully general proofs of DI security that yield essentially tight parameters for a broad range of DI tasks. At a high level, our technique amounts to establishing a reduction to the scenario in which the untrusted device operates in an identical and independent way in each round of the protocol. This makes the proof much simpler and allows us to achieve significantly better quantitative results for the case of general quantum adversaries.

As concrete applications we give simple and modular security proofs for DIQKD and randomness expansion protocols based on the CHSH inequality. For both tasks we establish essentially optimal key rates and noise tolerance that are much higher than what was known before. Our results considerably decrease the gap between theory and experiments, thereby marking an important step towards practical DI protocols and their implementations.

**“Zero-Knowledge Proof Systems for QMA” **by Anne Broadbent, Zhengfeng Ji, Fang Song and John Watrous

Monday, 11:45 a.m. – Video

Prior work has established that all problems in NP admit classical zero-knowledge proof systems, and under reasonable hardness assumptions for quantum computations, these proof systems can be made secure against quantum attacks. We prove a result representing a further quantum generalization of this fact, which is that every problem in the complexity class QMA has a quantum zero-knowledge proof system. More specifically, assuming the existence of an unconditionally binding and quantum computationally concealing commitment scheme, we prove that every problem in the complexity class QMA has a quantum interactive proof system that is zero-knowledge with respect to efficient quantum computations.

Our QMA proof system is sound against arbitrary quantum provers, but only requires an honest prover to perform polynomial-time quantum computations, provided that it holds a quantum witness for a given instance of the QMA problem under consideration. The proof system relies on a new variant of the QMA-complete local Hamiltonian problem in which the local terms are described by Clifford operations and standard basis measurements. We believe that the QMA-completeness of this problem may have other uses in quantum complexity.

**“A Modulator-Free QKD Transmitter”** by Zhiliang Yuan, Bernd Fröhlich, Marco Lucamarini, George Roberts, James Dynes and Andrew Shields

Monday, 2:15 p.m.

Quantum key distribution (QKD) is a powerful method for guaranteeing the confidentiality of future communication networks. It has progressed from laboratories to real-world implementations and is gradually being integrated into existing optical networks.

However, its commercial success still requires significant innovations that will make the technology more robust and affordable. As a step toward this goal, we propose and demonstrate a novel light source that can generate pulses modulated in phase without the aid of an external phase modulator. This allows to considerably reduce the source driving voltage and to reliably control the phase randomization of the emitted pulses. By changing the electrical signals only, a diverse range of QKD protocols can easily be accommodated. This development makes QKD devices substantially more compact, versatile and energy- efficient—features that are essential for widespread adoption.

**“77-Day Field Trial of High Speed Quantum Key Distribution with Implementation Security”** by Alexander Dixon, James Dynes, Marco Lucamarini, Bernd Fröhlich, Andrew Sharpe, Alan Plews, Simon Tam, Zhiliang Yuan, Yoshimichi Tanizawa, Hideaki Sato, Shinichi Kawamura, Mikio Fujiwara, Masahide Sasaki and Andrew Shields

Monday, 2:35 p.m. – Slides

Quantum key distribution’s central and unique claim is information theoretic security. However, there is an increasing awareness that the security of real QKD systems rely not only on theoretical security proofs, but also on how closely the system matches the theoretical models and resists known attacks. These hacking or side channel attacks exploit physical devices which do not necessarily behave precisely as the theory expects. As a result, there is a need to demonstrate QKD systems providing both theoretical and implementation based security.

We report here a QKD system which has been designed to provide these features of resistance to real security issues, component monitoring and failure detection—important not only from a security point of view, but also for reliable and robust operation. Alongside the increased security confidence level, the system operates with a high and stable secure key rate due to newly developed active stabilization, averaging 210 kbps and producing 1.33 Tbits of secure key data over 77 days in a telecom network.

**“Towards Secure QKD with Testable Assumptions on Modulation Devices”** by Akihiro Mizutani, Yuichi Nagamatsu, Marcos Curty, Hoi-Kwong Lo, Koji Azuma, Rikizo Ikuta, Takashi Yamamoto, Nobuyuki Imoto and Kiyoshi Tamaki

Monday, 2:55 p.m. – Slides / Video

In order to realize secure communication in practice, one serious problem is to establish practical security proofs to bridge the gap between theory and practice.

Currently, source devices become the only region exploitable by a potential eavesdropper (Eve). Therefore, it is urgently required to establish security proofs based on practical source devices for realizing secure communication in practice.

In this work, we have accommodated two dominant imperfections in the source devices, i.e., phase modulation and intensity fluctuation errors. For both imperfections, we made potentially experimentally testable assumptions, and proved the security against coherent attacks in the finite-key regime.

As a result of our security proof, even under a realistic phase modulation and intensity fluctuation errors, we show that long distance secure communication is possible with reasonable times of signal transmission. Our result constitutes a significant step toward realizing secure quantum communication with practical devices.

**“Observation of Quantum Fingerprinting Beating the Classical Limit”** by Jianyu Guan, Feihu Xu, Hualei Yin, Wei-Jun Zhang, Si-Jing Chen, Xiao-Yan Yang, Li Li, Li-Xing You, Teng-Yun Chen, Zhen Wang, Qiang Zhang and Jianwei Pan

Monday, 4:20 p.m. – Slides / Video

Quantum communication promises the remarkable advantage of an exponential reduction in the transmitted information over classical communication to accomplish distributed computational tasks. However, to date, demonstrating this advantage in a practical setting continues to be a central challenge.

Here, we report an experimental demonstration of a quantum fingerprinting protocol that for the first time surpasses the ultimate classical limit to transmitted information. Ultra-low noise superconducting single-photon detectors and a stable fiber-based Sagnac interferometer are used to implement a quantum fingerprinting system that is capable of transmitting less information than the classical proven lower bound over 20 km. standard telecom fiber for input sizes of up to two Gbits. The results pave the way for experimentally exploring the advanced features of quantum communication and open a new window of opportunity for research in communication complexity.

**“24-Hour Long Relativistic Bit Commitment”** by Ephanielle Verbanis, Raphaël Houlmann, Gianluca Boso, Felix Bussières, Anthony Martin and Hugo Zbinden

Monday, 4:40 p.m. – Video

We report on the first implementation of a relativistic bit commitment protocol sustained for 24 hours using high-speed optical communication and FPGA-based processing between standard computers. Our commitment time is more than six orders of magnitude longer than what was previously achieved, and we show that it could be extended even further.

**“Quantum Teleportation Over Deployed Fibres and Applications to Quantum Networks” **by Venkata Ramana Raju Valivarthi, Marcel-Li Grimau Puigibert, Qiang Zhou, Gabriel H. Aguilar, Varun Verma, Francesco Marsili, Sae Woo Nam, Daniel Oblak and Wolfgang Tittel

Monday, 5 p.m. – Slides / Video

If a photon interacts with a member of an entangled photon pair via a so-called Bell-state measurement (BSM), its state is teleported over arbitrary distances (in principle) onto the second member of the pair. Starting in 1997, this puzzling prediction of quantum mechanics has been demonstrated many times. However, with just one very recent exception, only the photon that received the teleported state—if any—traveled far, while the photons partaking in the BSM were always measured close to where they were created.

Here, using the Calgary Fibre Network, we report quantum teleportation from a telecommunication- wavelength photon, interacting with another telecommunication photon after both have traveled over several kilometers in beeline, onto a photon at 795 nm. wavelength. This improves the distance over which teleportation takes place from 818 m. to 6.2 km. Our demonstration establishes an important requirement for quantum repeater-based communications and constitutes a milestone on the path to a global quantum Internet.

**“Quantum Homomorphic Encryption for Polynomial-sized Circuits”** by Yfke Dulek, Christian Schaffner and Florian Speelman

Tuesday, 10 a.m. – Slides / Video

We present a new scheme for quantum homomorphic encryption that is compact and allows for efficient evaluation of arbitrary polynomial-sized quantum circuits. Building on the framework of Broadbent and Jeffery [BJ15] and recent results in the area of instantaneous non-local quantum computation [Spe15], we show how to construct quantum gadgets that allow perfect correction of the errors that occur during the homomorphic evaluation of T gates on encrypted quantum data. Our scheme can be based on any classical (leveled) fully homomorphic encryption (FHE) scheme and requires no computational assumptions besides those already used by the classical scheme.

The size of our quantum gadget depends on the space complexity of the classical decryption function, which aligns well with the current efforts to minimize the complexity of the decryption function.

Our scheme (or slight variants of it) offers a number of additional advantages such as ideal compactness, the ability to supply gadgets “on demand,” circuit privacy for the evaluator against passive adversaries, and a three-round scheme for blind delegated quantum computation, which puts only very limited demands on the quantum abilities of the client.

**“Rate-distance Tradeoff and Resource Costs for All-Optical Quantum Repeaters”** by Mihir Pant, Hari Krovi, Dirk Englund and Saikat Guha

Tuesday, 11:25 a.m. – Slides / Video

We present a resource-performance tradeoff of an all-optical quantum repeater that uses photon sources, linear optics, photon detectors and classical feed forward at each repeater node, but no quantum memories.

We show that the quantum-secure key rate has the form R(t) = Dt^s bits per mode, where t is the end-to- end channel’s transmissivity, and the constants D and s are functions of various device inefficiencies and the resource constraint, such as the number of available photon sources at each repeater node. Even with lossy devices, we show that s < 1 is possible to attain, and in turn to outperform the maximum key rate attainable without quantum repeaters, R_direct(t) = -log_2(1-t) bits per mode for t<<1, beyond a certain total range L, where t~e^{-aL} in optical fiber.

We also propose a suite of modifications to a recently-proposed all-optical repeater protocol that ours builds upon, which lower the number of photon sources required to create photonic clusters at the repeaters so as to outperform R_direct(t), from ~10^11 to ~10^6 photon sources per repeater node. We show that the optimum separation between repeater nodes is independent of the total range L, and is around 1.5 km. for assumptions we make on various device losses. Our results shed light on the tradeoff between resource requirements and the end-to-end key rate achieved using any specific repeater architecture.

**“Continuous Variable Quantum Computing on Encrypted Data”** by Kevin Marshall, Christian S. Jacobsen, Clemens Schafermeier, Tobias Gehring, Christian Weedbrook and Ulrik L. Andersen

Tuesday, 11:45 a.m. – Slides / Video

In today’s era of cloud and distributed computing, protecting a client’s privacy is a task of the highest priority. Performing computations in the cloud on encrypted data rather than on plain text is a promising tool to achieve this goal.

Here, we report about a continuous variable protocol for performing computation on encrypted data on a quantum computer. We theoretically investigate the protocol and present a proof-of-principle experiment implementing displacements and squeezing gates. We demonstrate losses of up to 10 km. both ways between the client and the server and show that security can still be achieved.

Our approach offers a number of practical benefits, which can ultimately allow for the potential widespread adoption of this quantum technology in future cloud-based computing networks.

**“New Security Notions and Feasibility Results for Authentication of Quantum Data”** by Sumegha Garg, Henry Yuen and Mark Zhandry

Tuesday, 2:25 p.m. – Video

We give a new class of security definitions for authentication in the quantum setting. Our definitions capture and strengthen several existing definitions, including superposition attacks on \emph{classical} authentication, as well as full authentication of quantum data. We argue that our definitions resolve some of the shortcomings of existing definitions.

We then give several feasibility results for our strong definitions. As a consequence, we obtain several interesting results, including: the classical Carter-Wegman authentication scheme with 3-universal hashing is secure against superposition attacks, as well as adversaries with quantum side information; quantum authentication where the entire key can be reused if verification is successful; conceptually simple constructions of quantum authentication; and a conceptually simple QKD protocol.

**“Continuous-Variable Quantum Key Distribution with a ‘Locally’ Generated Local Oscillator” **by Bing Qi, Pavel Lougovski, Raphael Pooser, Warren Grice, Miljko Bobrek, Charles Ci Wen Lim and Philip G. Evans

Tuesday, 2:45 p.m. – Slides / Video

Continuous-variable quantum key distribution (CV-QKD) protocols based on coherent detection have been studied extensively in both theory and experiment. While the existing security proofs of CV-QKD are based on the assumption that the local oscillator (LO) for coherent detection is trustable, this assumption cannot be justified in most practical implementations of CV-QKD, where both the quantum signal and the LO are generated from the same laser at the sender’s side and propagate through an insecure quantum channel.

To close the above gap between theory and experiment, we proposed an intradyne CV-QKD scheme where the LO is generated from an independent laser source at the receiver’s end (Phys. Rev. X 5, 041009, 2015). This scheme not only removes the security issues related to an untrusted LO, but also greatly simplifies QKD implementation. We demonstrate the above scheme in a coherent communication system constructed by a spool of 25 km. single mode fiber and two independent commercial laser sources operated at free-running mode. The observed phase-noise variance is 0.04 (rad^2), which is small enough to enable secure key distribution. This technology also opens the door for other quantum communication protocols, such as measurement-device-independent (MDI) CV-QKD

Here, using the Calgary Fibre Network, we report quantum teleportation from a telecommunication-wavelength photon, interacting with another telecommunication photon after both have traveled over several kilometers in beeline, onto a photon at 795 nm. wavelength. This improves the distance over which teleportation takes place from 818 m. to 6.2 km. Our demonstration establishes an important requirement for quantum repeater-based communications and constitutes a milestone on the path to a global quantum Internet.

*Note: This talk is combined with the following talk. *

**“Theoretical Analysis and Proof-of-Principle Demonstration of Self-Referenced Continuous-Variable Quantum Key Distribution” **by Constantin Brif, Daniel Soh, Patrick Coles, Norbert Lutkenhaus, Ryan Camacho, Junji Urayama and Mohan Sarovar

Slides / Video

This work presents the theoretical analysis and proof-of-principle demonstration of a new continuous- variable quantum key distribution (CV-QKD) protocol, self-referenced CV-QKD. This protocol eliminates the need for transmission of a high-power local oscillator between the communicating parties. Instead, each signal pulse is accompanied by a reference pulse (or a pair of twin reference pulses), used to align Alice’s and Bob’s measurement bases.

We quantify the expected secret key rates by expressing them in terms of experimental parameters and present a proof-of-principle, fiber-based experimental demonstration of the protocol. Our analysis of the secret key rate fully takes into account the inherent uncertainty associated with the quantum nature of the reference pulse(s) and quantifies the limit at which the theoretical key rate approaches that of the respective conventional protocol that requires local oscillator transmission. The self-referenced protocol greatly simplifies the hardware required for CV-QKD, especially for potential integrated photonics implementations of transmitters and receivers, with minimum sacrifice of performance. As such, it provides a pathway towards scalable integrated CV-QKD transceivers, a vital step toward large-scale QKD networks.

**“Quantum-Limited Measurements of Signals from a Satellite in Geostationary Earth Orbit”** by Dominique Elser, Kevin Günthner, Imran Khan, Birgit Stiller, Ömer Bayraktar, Christian R. Müller, Karen Saucke, Daniel Tröndle, Frank Heine, Stefan Seel, Peter Greulich, Herwig Zech, Björn Gütlich, Ines Richter, Rolf Meyer, Christoph Marquardt and Gerd Leuchs

Wednesday, 11:25 a.m. – Slides / Video

Quantum communication has been implemented in metropolitan area networks around the world. Optical satellite communication lends itself to interconnect such metropolitan networks over global distances. For this purpose, existing Laser Communication Terminals (LCTs) can be upgraded to quantum key distribution (QKD) application. We have performed first satellite measurement campaigns to validate this approach.

**“Time-Bin Encoding Along Satellite-Ground Channels”** by Giuseppe Vallone, Daniele Dequal, Marco Tomasin, Francesco Vedovato, Matteo Schiavon, Vincenza Luceri, Giuseppe Bianco and Paolo Villoresi

Wednesday, 11:45 a.m. – Slides / Video

Time-bin encoding is an extensively used technique to encode a qubit in quantum key distribution (QKD) along optical fibers. Despite its success in fibers QKD (in particular in the “plug-and-play” systems), time- bin encoding was never implemented in long-distance free-space QKD.

Here we demonstrate that time-bin interference at the single photon level can be observed along free- space channels and in particular along satellite-ground channels. To this purpose, we used a scheme similar to the “plug-and-play” systems: a coherent superposition between two wavepackets is generated on ground, sent on space and reflected by a rapidly moving satellite at a very large distance with a total path length up to 5000 km. The beam returning on ground is at the single photon level and we measured the interference between the two time-bins. We will demonstrate that the varying relative velocity of the satellite with respect to the ground introduces a modulation in the interference pattern that can be predicted by special relativistic calculations. Our results attest the viability of time-bin encoding for quantum communications in space.

**“Cross-Phase Modulation of a Probe Stored in a Waveguide for Non-Destructive Detection of Photonics Qubits”** by Chetan Deshmukh, Neil Sinclair, Khabat Heshami, Daniel Oblak, Christoph Simon and Wolfgang Tittel

Thursday, 11:25 a.m. – Slides / Video

Non-destructive detection of photonic qubits is an enabling technology for quantum information processing and quantum communication. For practical applications such as quantum repeaters and networks, it is desirable to implement such detection in a way that allows some form of multiplexing as well as easy integration with other components such as solid-state quantum memories.

Here we propose an approach to non-destructive photonic qubit detection that promises to have all the mentioned features. Mediated by an impurity-doped crystal, a signal photon in an arbitrary time-bin qubit state modulates the phase of an intense probe pulse that is stored during the interaction. A proof-of- principle experiment with macroscopic signal pulses has been able to demonstrate the expected cross-phase modulation as well as the ability to preserve the coherence between temporal modes. Our findings open the path to a new key component of quantum photonics based on rare-earth-ion doped crystals.

**“Information Theoretically Secure Distributed Storage System with Quantum Key Distribution Network and Password Authenticated Secret Sharing Scheme”** by Mikio Fujiwara, Atsushi Waseda, Ryo Nojima, Shiho Moriai, Wakaha Ogata and Masahide Sasaki

Thursday, 11:45 a.m. – Slides / Video

A quantum key distribution (QKD) allows two users to share random numbers with the unconditional security based on the fundamental laws of physics. By combining a QKD with one-time pad encryption (OTP), communication with unconditional security can be realized.

A QKD system, however, does not guarantee the security of stored data. Shamir’s (k, n)-threshold secret sharing (SS) scheme in which the data are split into n pieces (shares) for storage and at least k pieces of them must be gathered for reconstruction, provides information theoretical security. Therefore, a combination of a QKD system and SS scheme is a combination for secure data transmission and storage. However, assumed is authentication must be perfectly secure, which is not trivial in practice.

Here we propose a totally information theoretically secure distributed storage system based on a user-friendly single-password-authenticated secret sharing scheme and secure transmission using quantum key distribution, and demonstrate it in the Tokyo metropolitan area (≤90 km).

**“Quantum-Proof Multi-Source Randomness Extractors in the Markov Model”** by Rotem Arnon-Friedman, Christopher Portmann and Volkher Scholz

Thursday, 2:15 p.m. – Slides / Video

Randomness extractors, widely used in classical and quantum cryptography as well as in device independent randomness amplification and expansion, are functions which generate almost uniform randomness from weak sources of randomness.

In the quantum setting, one must take into account the quantum side information held by an adversary, which might be used to break the security of the extractor. In the case of seeded extractors, the presence of quantum side information has been extensively studied. For multi-source extractors, one can easily see that high conditional min-entropy is not sufficient to guarantee security against arbitrary side information, even in the classical case. Hence, the interesting question is under which models of side information multi-source extractors remain secure.

In this work we suggest a natural model of side information, which we call the Markov model, and prove that any multi-source extractor remains secure in the presence of quantum side information of this type (albeit with weaker parameters). This improves on previous results in which more restricted models were considered and the security of only some types of extractors were shown.

**“On Quantum Obfuscation”** by Gorjan Alagic and Bill Fefferman

Thursday, 2:35 p.m. – Video

Encryption of data is fundamental to secure communication. Beyond encryption of data lies obfuscation, i.e., encryption of functionality. It has been known for some time that the most powerful classical obfuscation, so-called “black-box obfuscation,” is impossible. In this work, we initialize the rigorous study of obfuscating programs via quantum-mechanical means. We prove quantum analogues of several foundational results in obfuscation, including the aforementioned black-box impossibility result.

In its most powerful “quantum black-box” instantiation, a quantum obfuscator would turn a description of a quantum program f into a quantum state R_f , such that anyone in possession of R_f can repeatedly evaluate f on inputs of their choice, but never learn anything else about the original program. We formalize this notion of obfuscation, and prove an impossibility result: such obfuscation is only possible in a setting where the adversary never has access to more than one obfuscation (of either the same program, or of different programs). Our proof involves a novel and recently developed technical idea: chosen-ciphertext-secure encryption for quantum states. In addition, we show that some applications of obfuscation still appear possible in spite of our impossibility result. These include encryption for quantum states, quantum fully-homomorphic encryption, and quantum money.

We also define quantum versions of indistinguishability obfuscation and best-possible obfuscation. We then show that these notions are equivalent, and that their perfect and statistical variants are impossible to achieve. The remaining (i.e., computational) variant would still have an application of interest: witness encryption for QMA.

**“Breaking Symmetric Cryptosystems Using Quantum Period Finding”** by Marc Kaplan, Gaëtan Leurent, Anthony Leverrier and María Naya-Plasencia

Thursday, 2:55 p.m. – Slides / Video

Due to Shor’s algorithm, quantum computers are a severe threat for public key cryptography. This motivated the cryptographic community to search for quantum-safe solutions. On the other hand, the impact of quantum computing on secret key cryptography is much less understood.

In this paper, we consider attacks in the quantum chosen plaintext model, in which an adversary can query an oracle implementing a cryptographic primitive in a quantum superposition of different states. The adversary is then very powerful, but recent results show that it is nonetheless possible to design secure cryptosystems.

We introduce new applications of a quantum procedure called Simon’s algorithm (the simplest quantum period finding algorithm) in order to attack symmetric cryptosystems in this model. Following previous works in this direction, we show that several classical attacks based on finding collisions can be dramatically sped up using Simon’s algorithm: finding a collision requires Ω(2n/2) queries in the classical setting, but when collisions happen with some hidden periodicity, they can be found with only O(n) queries in the quantum model.

We obtain attacks with very strong implications. First, we show that the most widely used modes of operation for authentication and authenticated encryption (e.g. CBC-MAC, PMAC, GMAC, GCM and OCB) are completely broken in this security model. Our attacks are also applicable to many CAESAR candidates: CLOC, AEZ, COPA, OTR, POET, OMD and Minalpher.

Second, we show that slide attacks can also be sped up using Simon’s algorithm. This is the first exponential speed up of a classical symmetric cryptanalysis technique in the quantum model.

**“Adaptive Versus Non-Adaptive Strategies in the Quantum Setting”** by Frédéric Dupuis, Serge Fehr, Philippe Lamontagne and Louis Salvail

Friday, 11:25 a.m. – Video

We prove a general relation between adaptive and non-adaptive strategies in the quantum setting, i.e., between strategies where the adversary can or cannot adaptively base its action on some auxiliary quantum side information. Our relation holds in a very general setting, and is applicable as long as we can control the bit-size of the side information, or, more generally, its “information content.”

Since adaptivity is notoriously difficult to handle in the analysis of (quantum) cryptographic protocols, this gives us a very powerful tool: as long as we have enough control over the side information, it is sufficient to restrict ourselves to non-adaptive attacks.

We demonstrate the usefulness of this methodology with two examples. The first is a quantum bit commitment scheme based on 1-bit cut-and-choose. Since bit commitment implies oblivious transfer (in the quantum setting) and oblivious transfer is universal for two-party computation, this implies the universality of 1-bit cut-and-choose, and, thus, solves the main open problem of [10]. The second example is a quantum bit commitment scheme proposed in 1993 by Brassard et al.

It was originally suggested as an unconditionally secure scheme, back when this was thought to be possible. We partly restore the scheme by proving it secure in (a variant of ) the bounded quantum storage model.

In both examples, the fact that the adversary holds quantum side information obstructs a direct analysis of the scheme, and we circumvent it by analyzing a non-adaptive version, which can be done by means of known techniques, and applying our main result.

**“Computational Security of Quantum Encryption”** by Gorjan Alagic, Anne Broadbent, Bill Fefferman, Tommaso Gagliardoni, Michael St. Jules and Christian Schaffner

Friday, 11:45 a.m. – Slides / Video

Quantum-mechanical devices have the potential to transform cryptography. Most research in this area has focused either on the information-theoretic advantages of quantum protocols or on the security of classical cryptographic schemes against quantum attacks. In this work, we initiate the study of another relevant topic: the encryption of quantum data in the computational setting.

In this direction, we establish quantum versions of several fundamental classical results. First, we develop natural definitions for private-key and public-key encryption schemes for quantum data. We then define notions of semantic security and indistinguishability and, in analogy with the classical work of Goldwasser and Micali, show that these notions are equivalent. Finally, we construct secure quantum encryption schemes from basic primitives. In particular, we show that quantum-secure one-way functions imply IND-CCA1-secure symmetric-key quantum encryption, and that quantum-secure trapdoor one-way permutations imply semantically-secure public-key quantum encryption.

**“Integrated Silicon Photonics for Quantum Key Distribution” **by Philip Sibson, Jake Kennard, Stasja Stanisic, Chris Erven and Mark Thompson

Friday, 1:40 p.m. – Slides / Video

Integrated photonics provides a compact and robust platform to implement complex photonic circuitry, and with silicon, in particular, offers extreme levels of miniaturization in a CMOS-compatible technology.

Here we demonstrate integrated silicon photonic devices for polarization and time-bin encoded quantum key distribution protocols. These GHz clocked devices use a combination of slow but ideal thermo-optic phase shifters and fast but non-ideal carrier-depletion phase modulators to transmit BB84 states. This work experimentally demonstrates the feasibility of QKD transmitters for high-speed QKD based on CMOS- compatible silicon photonic integrated circuits.

*Note: This talk is combined with the following talk. *

**“Wavelength-Division-Multiplexed QKD with Integrated Photonics” **by Philip Sibson, Chris Erven and Mark Thompson

This work experimentally demonstrates Wavelength-Division-Multiplexed QKD with integrated photonics for high-rate QKD. We use two GHz rate indium phosphide transmitters and a silicon oxynitride receiver with integrated wavelength de-multiplexing and two reconfigurable receivers for multi-protocol QKD. The increase in rates and the ability to scale up these circuits opens the way to new and advanced integrated quantum communication technologies and larger adoption of quantum-secured communications.

**“Laser Damage Creates Backdoors in Quantum Cryptography” **by Shihan Sajeed, Sarah Kaiser, Poompong Chaiwongkhot, Mathieu Gagne, Jean-Philippe Bourgoin, Carter Minshull, Matthieu Legre, Thomas Jennewein, Raman Kashyap and Vadim Makarov

Friday, 2:05 p.m. – Video

Implementations of quantum communication (QC) protocols are assumed to be secure as long as implemented devices are perfectly characterized and all side channels are identified and closed. We show that this assumption is not always true.

We introduce a laser-damage attack that can, on-demand, create deviations in the behavior of the implemented devices from the characterized one. We test it on two different and perfectly characterized implementations of quantum key distribution and coin-tossing protocols and successfully create deviations to render the system insecure. Our results show that in order to provide unconditional security, quantum cryptography protocols need to be supported by additional testing and countermeasures against laser damage.

*Note: This talk is combined with the following talk. *

**“Insecurity of Detector-Device-independent Quantum Key Distribution”** by Anqi Huang, Shihan Sajeed, Shihai Sun, Feihu Xu, Vadim Makarov and Marcos Curty

Video

It is time to close the gap between theory and practice in quantum key distribution (QKD). To bridge this gap, detector-device-independent QKD (ddiQKD) has recently been proposed. However, from our analysis, this protocol is not as secure as expected. The main contributions of this work are two-fold. First, we show that, in contrast to mdiQKD, the security of ddiQKD cannot be based on post-selected entanglement alone as assumed. Second, we argue that ddiQKD is actually insecure under detector side-channel attacks.