List of Accepted Contributed Talks
(in order of submission)

#10: A Quantum Money Solution to the Blockchain Scalability Problem
Andrea Coladangelo (Caltech); Or Sattath (Ben-Gurion University)
Abstract: We put forward the idea that classical blockchains and smart contracts are potentially useful primitives not only for classical cryptography, but for quantum cryptography as well. Abstractly, a smart contract is a functionality that allows parties to deposit funds, and release them upon fulfillment of algorithmically checkable conditions, and can thus be employed as a formal tool to enforce monetary incentives. In this work, we give the first example of the use of smart contracts in a quantum setting. We describe a simple hybrid classical-quantum payment system whose main ingredients are a classical blockchain capable of handling stateful smart contracts, and quantum lightning, a strengthening of public-key quantum money introduced by Zhandry (Eurocrypt'19). Our hybrid payment system employs quantum states as banknotes and a classical blockchain to settle disputes and to keep track of the valid serial numbers. It has several desirable properties: it is decentralized, requiring no trust in any single entity; payments are as quick as quantum communication, regardless of the total number of users; when a quantum banknote is damaged or lost, the rightful owner can recover the lost value.

#16: Quantum encryption with certified deletion
Anne Broadbent (University of Ottawa); Rabib Islam (University of Ottawa)
Abstract: Given a ciphertext, is it possible to prove the deletion of the underlying plaintext? Since classical ciphertexts can be copied, clearly such a feat is impossible using classical information alone. In stark contrast to this, we show that quantum encodings enable certified deletion. More precisely speaking, we show that it is possible to encrypt classical data into a quantum ciphertext such that the recipient of the ciphertext can produce a classical string which proves to the originator that the recipient has relinquished any chance of recovering the plaintext should the decryption key be revealed. Our scheme is feasible with current quantum technology: the honest parties only require quantum devices for single-qubit preparation and measurements; the scheme is also robust against noise in these devices. Furthermore, we provide an analysis that is suitable in the finite-key regime.

#17: Succinct Blind Quantum Computation Using a Random Oracle
Jiayu Zhang (Boston University)
Abstract: In the universal blind quantum computation problem, a client wants to make use of a single quantum server to evaluate $C\ket{0}$ where $C$ is an arbitrary quantum circuit while keeping $C$ secret. The client's goal is to use as few resources as possible. This problem, first raised by Broadbent, Fitzsimons and Kashefi [UBQC], has become fundamental to the study of quantum cryptography, not only because of its own importance, but also because it provides a testbed for new techniques that were later applied to related problems (for example, quantum computation verification). Previous works on this problem mainly focused on either information-theoretically (IT) secure protocols or techniques based on trapdoor assumptions (public key encryptions).
In this paper we study how the availability of symmetric-key primitives, modeled by a random oracle, changes the complexity of universal blind quantum computation. We give a new universal blind quantum computation protocol. Similar to previous works on IT-secure protocols (for example, BFK [UBQC]), our protocol has an offline phase and an online phase. In the offline phase the client prepares some quantum gadgets with relatively simple quantum gates and sends them to the server, and in the online phase the client is entirely classical - it does not even need quantum storage. Crucially, the protocol's offline phase is succinct, that is, its complexity is independent of the circuit size. Its complexity is only $poly(\kappa)$ where $poly$ is a fixed polynomial, and can be used to evaluate any circuit (or several circuits) of size up to $subexp(\kappa)$. In contrast, known schemes either require the client to perform quantum computations that scale with the size of the circuit [UBQC], or require trapdoor assumptions [Mahadev2017].

#18: High-Speed Measurement-Device-Independent Quantum Key Distribution with Integrated Silicon Photonics
Wei Li (University of Science and Technology of China); Kejin Wei (University of Science and Technology of China); Hao Tan (University of Science and Technology of China); Yang Li (University of Science and Technology of China); Hao Min (University of Science and Technology of China); Wei-Jun Zhang (Shanghai Institute of Microsystem and Information Technology); Hao Li (Shanghai Institute of Microsystem and Information Technology); Lixing You (Shanghai Institute of Microsystem and Information Technology); Zhen Wang (Shanghai Institute of Microsystem and Information Technology); Xiao Jiang (University of Science and Technology of China); Teng Yun Chen (University of Science and Technology of China); Sheng-Kai Liao (University of Science and Technology of China); Cheng-Zhi Peng (University of Science and Technology of China); Feihu Xu (University of Science and Technology of China); Jian-Wei Pan (University of Science and Technology of China)
Abstract: Measurement-device-independent quantum key distribution (MDI-QKD) removes all detector side channels and enables secure QKD with an untrusted relay. It is suitable for building a star-type quantum access network, where the complicated and expensive measurement devices are placed in the central untrusted relay and each user requires only a low-cost transmitter, such as an integrated photonic chip. Here, we experimentally demonstrate a 1.25 GHz silicon photonic chip-based MDI-QKD system using polarization encoding. The photonic chip transmitters integrate the necessary encoding components for a standard QKD source. We implement random modulations of polarization states and decoy intensities, and demonstrate a finite-key secret rate of 31 bps over 36 dB channel loss (or 180 km standard fiber). This key rate is higher than state-of-the-art MDI-QKD experiments. The results show that silicon photonic chip-based MDI-QKD, benefiting from miniaturization, low-cost manufacture and compatibility with CMOS microelectronics, is a promising solution for future quantum secure networks.

#21: Experimental Measurement-Device-Independent Quantum Key Distribution with Uncharacterized Sources
Xing-Yu Zhou (Nanjing University of Posts & Telecommunications); Qin Wang (Nanjing University of Posts & Telecommunications)
Abstract: The measurement-device-independent quantum key distribution (MDI-QKD) protocol plays an important role in quantum communications due to its high level of security and practicability. It can be immune to all side-channel attacks directed on the detecting devices. However, the protocol still contains strict requirements during state preparation in most existing MDI-QKD schemes, e.g., perfect state preparation or perfectly characterized sources, which are very hard to realize in practice. In this letter, we investigate uncharacterized MDI-QKD by utilizing a three-state method, greatly reducing the finite-size effect. The only requirement for state preparation is that the states are prepared in a bidimensional Hilbert space. Furthermore, a proof-of-principle demonstration over a 170 km transmission distance is achieved, representing the longest transmission distance under the same security level on record.

#29: On Security Notions for Encryption in a Quantum World
Céline Chevalier (University of Paris II); Ehsan Ebrahimi (University of Luxembourg); Quoc-Huy Vu (University of Paris II)
Abstract: Indistinguishability against adaptive chosen-ciphertext attacks (IND-CCA2) is usually considered the most desirable security notion for classical encryption. In this work, we investigate its adaptation in the quantum world, when an adversary can perform superposition queries. The security of quantum-secure classical encryption has first been studied by Boneh and Zhandry (CRYPTO'13), but they restricted the adversary to classical challenge queries, which makes the indistinguishability only hold for classical messages (IND-qCCA2). In this work, we give the first security notions for fully quantum indistinguishability under quantum adaptive chosen-ciphertext attacks, where the indistinguishability holds for superposition of plaintexts (qIND-qCCA2). This resolves an open problem asked by Gagliardoni et al. (CRYPTO'16). The qCCA2 security is defined in Boneh-Zhandry's paper using string copying and comparison, which is inherent in the classical setting. Quantumly, it is unclear what it means for a ciphertext to be different from the challenge ciphertext, and how the challenger can check the equality. The classical approach would either violate the no-cloning theorem or lead to perturbing the adversary's state, which may be detectable. To remedy these problems, from the recent groundbreaking compressed oracle technique introduced by Zhandry (CRYPTO'19), we develop a generic framework that allows to record quantum queries for probabilistic functions. We then give definitions for fully quantum real-or-random indistinguishability under adaptive chosen-ciphertext attacks (qIND-qCCA2). In the symmetric setting, we show that various classical modes of encryption are trivially broken in our security notions. We then provide the first formal proof for quantum security of the Encrypt-then-MAC paradigm, which also answers an open problem posed by Boneh and Zhandry. In the public-key setting, we show how to achieve these stronger security notions (qIND-qCCA2) from any encryption scheme secure in the sense of Boneh-Zhandry (IND-qCCA2). Along the way, we also give the first definitions of nonmalleability for classical encryption in the quantum world and show that the picture of the relations between these notions is essentially the same as in the classical setting.

#30: Secure Multiparty Quantum Computation with a Dishonest Majority
Yfke Dulek (QuSoft and University of Amsterdam); Alex Grilo (QuSoft and CWI Amsterdam); Stacey Jeffery (QuSoft and CWI Amsterdam); Christian Majenz (QuSoft and CWI Amsterdam); Christian Schaffner (QuSoft and University of Amsterdam)
Abstract: The cryptographic task of secure multiparty (classical) computation has received a lot of attention in the last decades. Even in the extreme case where a computation is performed between k mutually distrustful players, and security is required even for the single honest player if all other players are colluding adversaries, secure protocols are known. For quantum computation, on the other hand, protocols allowing arbitrary dishonest majority have only been proven for k = 2. In this work, we generalize the approach taken by Dupuis, Nielsen and Salvail (CRYPTO 2012) in the two-party setting to devise a secure, efficient protocol for multiparty quantum computation for any number of players k, and prove security against up to k − 1 colluding adversaries. The quantum round complexity of the protocol for computing a quantum circuit of {CNOT, T} depth d is O(k · (d + log n)), where n is the security parameter. To achieve efficiency, we develop a novel public verification protocol for the Clifford authentication code, and a testing protocol for magic-state inputs, both using classical multiparty computation.

#36: Experimental quantum key distribution secure against malicious devices
Víctor Zapatero (University of Vigo, Spain); Wei Li (University of Science and Technology of China, Hefei, China); Feihu Xu (University of Science and Technology of China, Hefei, China); Marcos Curty (University of Vigo, Spain)
Abstract: The fabrication of quantum key distribution (QKD) systems typically involves several parties, thus providing Eve with multiple opportunities to meddle with the devices. As a consequence, conventional hardware and/or software hacking attacks pose natural threats to the security of practical QKD. Fortunately, if the number of corrupted devices is limited, the security can be restored by using redundant apparatuses. Here, we report on the demonstration of a secure QKD setup with optical devices and classical postprocessing units possibly controlled by an eavesdropper. We implement a 1.25 GHz chip-based measurement-device-independent QKD system secure against malicious devices on both the measurement and the users' sides. The secret key rate reaches 137 bps over a 24 dB channel loss. Our setup, benefiting from high clock rate, miniaturized transmitters and a cost-effective structure, provides a promising solution for widespread applications requiring uncompromising communication security.

#38: Security proof of practical quantum key distribution with detection-efficiency mismatch
Yanbao Zhang (NTT Basic Research Lab); Patrick J. Coles (Los Alamos National Laboratory); Adam Winick (Institute for Quantum Computing, Waterloo); Jie Lin (Institute for Quantum Computing, Waterloo); Norbert Lutkenhaus (Institute for Quantum Computing, Waterloo)
Abstract: Quantum key distribution (QKD) protocols with threshold detectors are driving high-performance QKD demonstrations. The corresponding security proofs usually assume that all physical detectors have the same detection efficiency. However, the efficiencies of the detectors used in practice might show a mismatch depending on the manufacturing and setup of these detectors. A mismatch can also be induced as the different spatial-temporal modes of an incoming signal might couple differently to a detector. Here we develop a method that allows to provide security proofs without the usual assumption. Our method can take the detection-efficiency mismatch into account without having to restrict the attack strategy of the adversary. Especially, we do not rely on any photon-number cutoff of incoming signals such that our security proof is complete. Though we consider polarization encoding in the demonstration of our method, the method applies to a variety of coding mechanisms, including time-bin encoding, and also allows for general manipulations of the spatial-temporal modes by the adversary. We thus can close the long-standing question how to provide a valid, complete security proof of a QKD setup with characterized efficiency mismatch. Our method also shows that in the absence of efficiency mismatch, the key rate increases if the loss due to detection inefficiency is assumed to be outside of the adversary's control, as compared to the view where for a security proof this loss is attributed to the action of the adversary.

#40: Device-independent Randomness Expansion with Entangled Photons
Yanbao Zhang (NTT Basic Research Lab); Lynden K. Shalm (NIST-Boulder); Joshua C. Bienfang (NIST-Maryland); Collin Schlager (NIST-Boulder); Martin J. Stevens (NIST-Boulder); Michael D. Mazurek (NIST-Boulder); Carlos Abellan (Barcelona Institute of Science and Technology); Waldimar Amaya (Barcelona Institute of Science and Technology); Morgan W. Mitchell (Barcelona Institute of Science and Technology); Mohammad A. Alhejji (University of Colorado Boulder); Honghao Fu (University of Maryland); Joel Ornstein (University of Colorado Boulder); Richard P. Mirin (NIST-Boulder); Sae Woo Nam (NIST-Boulder); Emanuel Knill (NIST-Boulder)
Abstract: With the growing availability of experimental loophole-free Bell tests, it has become possible to implement a new class of device-independent random number generators whose output can be certified to be uniformly random without requiring a detailed model of the quantum devices used. However, all previous experiments require many input bits in order to certify a small number of output bits, and it is an outstanding challenge to develop a system that generates more randomness than is used. Here, we devise a device-independent spot-checking protocol which uses only uniform bits as input. Implemented with a photonic loophole-free Bell test, we can produce 24% more certified output bits (1,181,264,237 bits) than consumed input bits (953,301,640 bits), which is 5 orders of magnitude more efficient than our previous work [Phys. Rev. Lett. 124, 010505 (2020)]. The experiment ran for 91.0 hours, creating randomness at an average rate of 3,606 bits/second with a soundness error bounded by 5.7e-7 in the presence of classical side information. Our system will allow for greater trust in public sources of randomness, such as randomness beacons, and the protocol may one day enable high-quality sources of private randomness as the device footprint shrinks.

#41: The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More
Jelle Don (CWI); Serge Fehr (CWI & Leiden University); Christian Majenz (CWI & QuSoft)
Abstract: We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir transformation of sigma-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the Fiat-Shamir transformation of *multi-round* interactive proofs, and (2) whether Don et al.'s O(q^2) loss in security is optimal. Firstly, we answer question (1) in the affirmative. As a byproduct of solving a technical difficulty in proving this result, we slightly improve the result of Don et al., equipping it with a cleaner bound and an even simpler proof. We apply our result to digital signature schemes showing that it can be used to prove strong security for schemes like MQDSS in the QROM. As another application we prove QROM-security of a noninteractive OR proof by Liu, Wei and Wong. As for question (2), we show via a Grover-search based attack that Don et al.'s quadratic security loss for the Fiat-Shamir transformation of sigma-protocols is optimal up to a small constant factor. This extends to our new multi-round result, proving it tight up to a factor that depends on the number of rounds only, i.e. is constant for any constant-round interactive proof.

#44: Broadband Detector-Integrated On-Chip QKD Receiver for GHz Clock Rates
Fabian Beutel (University of Münster, Institute of Physics, 48149 Münster, Germany); Helge Gehring (University of Münster, Institute of Physics, 48149 Münster, Germany); Martin A. Wolff (University of Münster, Institute of Physics, 48149 Münster, Germany); Carsten Schuck (University of Münster, Institute of Physics, 48149 Münster, Germany); Wolfram Pernice (University of Münster, Institute of Physics, 48149 Münster, Germany)
Abstract: We present an on-chip receiver for time-based quantum key distribution (QKD) protocols such as the three-state time-bin protocol. The device features fully integrated superconducting nanowire single-photon detectors (SNSPD), low-loss delay lines and broadband 3D fiber-to-chip couplers with a total footprint of 800x800µm^2 on a single chip. By using waveguide-integrated SNSPDs featuring small dead times and low dark-count rates we are able to operate at 2.5 GHz clock rates and achieve high performance without saturating the detector at short distances. The device is demonstrated to work for wavelengths from 1480 nm to 1610 nm, but can be easily adapted to also work at visible light (on the same chip).

#46: Analytic quantum weak coin flipping protocols with arbitrarily small bias
Atul Singh Arora (Universite libre de Bruxelles); Jeremie Roland (Universite libre de Bruxelles); Chrysoula Vlachou (Universite libre de Bruxelles)
Abstract: Weak coin flipping (WCF) is a fundamental cryptographic primitive, where two distrustful parties need to remotely establish a shared random bit, whilst having opposite preferred outcomes. A WCF protocol is said to have bias ε if neither party can force their preferred outcome with probability greater than 1/2+ε. Classical WCF protocols are shown to have bias 1/2, i.e., a cheating party can always force their preferred outcome. A lower bias can only be achieved by employing extra assumptions, such as computational hardness. On the other hand, there exist quantum WCF protocols with arbitrarily small bias, as Mochon showed in his seminal work in 2007 [arXiv:0711.4114]. In particular, he proved the existence of a family of WCF protocols approaching bias ε(k) = 1/(4k + 2) for arbitrarily large k and proposed a protocol with bias 1/6. Last year, Arora, Roland and Weis presented a protocol with bias 1/10 and to go below this bias, they designed an algorithm that numerically constructs unitary matrices corresponding to WCF protocols with arbitrarily small bias [STOC’19, p.205-216]. In this work, we present new techniques which yield a fully analytical construction of WCF protocols with bias arbitrarily close to zero, thus achieving a solution that has been missing for more than a decade. Furthermore, our new techniques lead to a simplified proof of existence of WCF protocols by circumventing the nonconstructive part of Mochon’s proof. The construction of an explicit WCF protocol approaching bias 1/14 is illustrated as an example.

#49: Fast and simple qubit-based synchronization for quantum key distribution
Luca Calderaro (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova, via Gradenigo 6B, 35131 Padova, Italy); Andrea Stanco (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova, via Gradenigo 6B, 35131 Padova, Italy); Costantino Agnesi (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova, via Gradenigo 6B, 35131 Padova, Italy); Marco Avesani (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova, via Gradenigo 6B, 35131 Padova, Italy); Daniele Dequal (Matera Laser Ranging Observatory, Agenzia Spaziale Italiana, Matera, Italy); Paolo Villoresi (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova, via Gradenigo 6B, 35131 Padova, Italy); Giuseppe Vallone (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova, via Gradenigo 6B, 35131 Padova, Italy)
Abstract: We propose Qubit4Sync, a synchronization method for Quantum Key Distribution (QKD) setups, based on the same qubits exchanged during the protocol and without requiring additional hardware other than the one necessary to prepare and measure the quantum states, in a similar fashion to the clock recovery used in classical communications. Our approach introduces a new cross-correlation algorithm achieving the lowest computational complexity, to our knowledge, for high channel losses. We tested the robustness of our scheme in a real QKD implementation, and we believe it may find application in other quantum communication protocols.

#55: Simple and robust QKD system with Qubit4Sync temporal synchronization and the POGNAC polarization encoder
Costantino Agnesi (Università degli Studi di Padova); Marco Avesani (Università degli Studi di Padova); Luca Calderaro (Università degli Studi di Padova); Andrea Stanco (Università degli Studi di Padova); Giulio Foletto (Università degli Studi di Padova); Mujtaba Zahidy (Università degli Studi di Padova); Alessia Scriminich (Università degli Studi di Padova); Francesco Vedovato (Università degli Studi di Padova); Giuseppe Vallone (Università degli Studi di Padova); Paolo Villoresi (Università degli Studi di Padova)
Abstract: Here we present a simple and robust polarization encoded QKD experiment where synchronization, polarization compensation and QKD are all performed with the same optical setup, without requiring any changes or any additional hardware, by exploiting only the transmission of quantum states. Furthermore, the developed polarization encoder exhibits high stability and the lowest intrinsic Quantum Bit Error Rate ever reported.

#52: Experimental quantum conference key agreement
Alessandro Fedrizzi (Heriot-Watt University); Massimiliano Proietti (Heriot-Watt University); Joseph Ho (Heriot-Watt University); Federico Grasselli (Heinrich-Heine University Duesseldorf); Peter Barrow (Heriot-Watt University); Mehul Malik (Heriot-Watt University)
Abstract: Paradigmatic QKD protocols establish secure keys between pairs of users, however when more than two parties want to communicate, recently introduced quantum conference quantum key agreement (CKA) protocols can outperform 2-party primitives in terms of resource cost. In this contribution we report an implementation of a four-user quantum CKA protocol using polarisation-encoded multipartite GHZ states at telecom wavelength. We distribute these states over up to 50km of optical fibre and implement custom multiparty error correction and privacy amplification on the resulting raw keys. From a finite-key analysis, we establish an information-theoretic secure key of up to 1.15 × 10^6 bits, which is used to encrypt and securely share an image between the four users. Surpassing the previous maximum distance for GHZ state transmission by more than an order of magnitude, these results demonstrate the viability of network protocols relying on multipartite-entanglement. Future applications beyond quantum CKA include entanglement-assisted remote clock-synchronization, quantum secret sharing, and GHZ-based repeater protocols.

#54: Overcoming qubit-based QKD with efficient high-dimensional encoding
Ilaria Vagniluca (CNR - Istituto Nazionale di Ottica and University of Naples “Federico II”); Beatrice Da Lio (CoE SPOC, DTU Fotonik, Technical University of Denmark); Davide Rusca (Group of Applied Physics, Université de Genève); Daniele Cozzolino (CoE SPOC, DTU Fotonik, Technical University of Denmark); Yunhong Ding (CoE SPOC, DTU Fotonik, Technical University of Denmark); Hugo Zbinden (Group of Applied Physics, Université de Genève); Alessandro Zavatta (CNR - Istituto Nazionale di Ottica and University of Florence); Leif Katsuo Oxenløwe (CoE SPOC, DTU Fotonik, Technical University of Denmark); Davide Bacco (CoE SPOC, DTU Fotonik, Technical University of Denmark)
Abstract: We experimentally tested an alternative fiber-based setup for 4D-QKD, with time and phase encoding and one-decoy technique. We evaluated the secret key rate achievable in a finite-key scenario and we compared it with the binary-encoded BB84 protocol, which was tested with the same experimental setup. Our 4D-QKD system makes it possible to improve the secret key rate by more than a factor 2 in the saturation-regime of single-photon detectors, without requiring additional expensive resources to the 2D-QKD setup. In comparison to previous works, our scheme allows to measure the 4D states with a simplified and compact receiver, thus making it a cost-effective solution for practical and fiber-based QKD.

#57: Towards high-dimensional quantum key distribution over a 2 km long multicore fiber
Beatrice Da Lio (Center for Silicon Photonics for Optical Communication (SPOC), Department of Photonics Engineering, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark); Davide Bacco (Center for Silicon Photonics for Optical Communication (SPOC), Department of Photonics Engineering, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark); Daniele Cozzolino (Center for Silicon Photonics for Optical Communication (SPOC), Department of Photonics Engineering, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark); Nicola Biagi (CNR - Istituto Nazionale di Ottica (CNR-INO), Largo E. Fermi, 6 - 50125 Firenze, Italy); Yunhong Ding (Center for Silicon Photonics for Optical Communication (SPOC), Department of Photonics Engineering, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark); Karsten Rottwitt (Center for Silicon Photonics for Optical Communication (SPOC), Department of Photonics Engineering, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark); Alessandro Zavatta (CNR - Istituto Nazionale di Ottica (CNR-INO), Largo E. Fermi, 6 - 50125 Firenze, Italy); Leif K. Oxenløwe (Center for Silicon Photonics for Optical Communication (SPOC), Department of Photonics Engineering, Technical University of Denmark, 2800 Kgs. Lyngby, Denmark)
Abstract: High-dimensional quantum key distribution (QKD) with path-encoded qudits can largely benefit from the slower phase drifts characteristic of multicore fibers: however, such channels still require phase stabilisation systems to effectively transmit quantum states with an acceptable error rate. We propose a scheme that multiplexes a co-propagating wavelength to use as reference signal in a phase locked loop system, and simultaneously achieves state of the art repetition rates for the high-dimensional QKD system. These factors allow us to design a system that can reach a much higher secret key generation rate over a propagation distance that is order of magnitudes longer than what shown in previous results, making our path-encoded QKD system appealing and comparable in terms of performance with current quantum systems.

#56: Securing practical quantum cryptography with optical power limiters
Gong Zhang (Department of Electrical & Computer Engineering, National University of Singapore, Singapore); Ignatius William Primaatmaja (Centre for Quantum Technologies, National University of Singapore, Singapore); Jing Yan Haw (Department of Electrical & Computer Engineering, National University of Singapore, Singapore); Xiao Gong (Department of Electrical & Computer Engineering, National University of Singapore, Singapore); Chao Wang (Department of Electrical & Computer Engineering, National University of Singapore, Singapore); Charles C.W. Lim (Department of Electrical & Computer Engineering, National University of Singapore, Singapore; Centre for Quantum Technologies, National University of Singapore, Singapore)
Abstract: Given that most implementations of quantum cryptography systems require low light operations for security reasons, limiting the energy of incoming/outgoing optical signals is a central task. In this submission, we propose and demonstrate a novel and practical power limiter using the thermo-optical defocusing effect of an acrylic prism. The results show that a power limiting in the regime of mW or lower can be achieved, and at the same time possess desirable features like compactness, robustness, polarization and spectrum dimension independence, etc. Our work provides an effective way for limiting the incoming/outgoing optical energy, which is important for practical quantum cryptographic protocols. We believe it will attract much interest and possess the potential to become a standard tool for practical quantum applications.

#58: Noninteractive classical verification of quantum computation
Gorjan Alagic (University of Maryland and NIST); Andrew M. Childs (University of Maryland); Alex B. Grilo (CWI and QuSoft); Shih-Han Hung (University of Maryland)
Abstract: In a recent breakthrough, Mahadev constructed an interactive protocol that enables a purely classical party to delegate any quantum computation to an untrusted quantum prover. In this work, we show that this same task can in fact be performed noninteractively and in zero-knowledge. Our protocols result from a sequence of significant improvements to the original four-message protocol of Mahadev. We begin by making the first message instance-independent and moving it to an offline setup phase. We then establish a parallel repetition theorem for the resulting three-message protocol, with an asymptotically optimal rate. This, in turn, enables an application of the Fiat-Shamir heuristic, eliminating the second message and giving a noninteractive protocol. Finally, we employ classical noninteractive zero-knowledge (NIZK) arguments and classical fully homomorphic encryption (FHE) to give a zero-knowledge variant of this construction. This yields the first purely classical NIZK argument system for QMA, a quantum analogue of NP. We establish the security of our protocols under standard assumptions in quantum-secure cryptography. Specifically, our protocols are secure in the Quantum Random Oracle Model, under the assumption that Learning with Errors is quantumly hard. The NIZK construction also requires circuit-private FHE.

#59: Experimental realisation of quantum oblivious transfer
Ryan Amiri (IPaQS, Heriot-Watt University, Edinburgh, UK); Robert Stárek (Department of Optics, Palacky University, Olomouc, Czech Republic); Michal Mičuda (Department of Optics, Palacky University, Olomouc, Czech Republic); Ladislav Mišta (Department of Optics, Palacky University, Olomouc, Czech Republic); Miloslav Dušek (Department of Optics, Palacky University, Olomouc, Czech Republic); Petros Wallden (School of Informatics, University of Edinburgh, Edinburgh, UK); Erika Andersson (IPaQS, Heriot-Watt University, Edinburgh, UK)
Abstract: Oblivious transfer (OT) is a cryptographic primitive which is universal for multiparty computation. Unfortunately, perfect information-theoretically secure (ITS) quantum oblivious transfer is impossible. Imperfect information-theoretically secure quantum oblivious transfer is possible, but the smallest possible cheating probabilities are not known. We present an imperfect information-theoretically secure quantum oblivious transfer protocol with no restrictions on dishonest parties, and its experimental implementation. The cheating probabilities are 0.75 and 0.729 for sender and receiver respectively, which is lower than in existing protocols. Using a photonic testbed, we have implemented the protocol with honest parties, as well as optimal cheating strategies.

#65: Real-Time Self-Testing Quantum Random Number Generator with Nonclassical States
Thibault Michel (ANU Canberra, Paris 6); Jing Yan Haw (ANU Canberra, NUS Singapore); Davide G. Marangon (U. Padova); Oliver Thearle (ANU Canberra); Giuseppe Vallone (U. Padova); Paolo Villoresi (U. Padova); Ping Koy Lam (ANU Canberra); Syed M. Assad (ANU Canberra)
Abstract: Random numbers are a fundamental ingredient in fields such as simulation, modeling, and cryptography. Good random numbers should be independent and uniformly distributed. Moreover, for cryptographic applications, they should also be unpredictable. A fundamental feature of quantum theory is that certain measurement outcomes are intrinsically random and unpredictable. These can be harnessed to provide unconditionally secure random numbers. We demonstrate a real-time self-testing source-independent quantum random-number generator (SI QRNG) that uses squeezed light as a source. We generate secure random numbers by measuring the quadratures of the electromagnetic field without making any assumptions about the source other than an energy bound; only the detection device is trusted. We use homodyne detection to measure alternately the Q and P conjugate quadratures of our source. P measurements allow us to estimate a bound on any classical or quantum side information that a malicious eavesdropper may obtain. This bound gives the minimum number of secure bits we can extract from the Q measurement. We discuss the performance of different estimators for this bound. We operate this QRNG with a squeezed-state source and compare its performance with a thermal-state source. This is a demonstration of a QRNG using a squeezed state, as well as an implementation of real-time quadrature switching for a SI QRNG.

#66: Benchmarking a Quantum Random Number Generator with Machine Learning
Nhan Duy Truong (NanoNeuroinspired Research Laboratory, School of Electrical and Information Engineering, the University of Sydney, Sydney, NSW 2006, Australia); Jing Yan Haw (Centre for Quantum Computation and Communication Technology, Department of Quantum Science, Research School of Physics and Engineering, The Australian National University, Canberra ACT 2601, Australia; Department of Electrical & Computer Engineering, National University of Singapore, 117583, Singapore); Syed Muhamad Assad (Centre for Quantum Computation and Communication Technology, Department of Quantum Science, Research School of Physics and Engineering, The Australian National University, Canberra ACT 2601, Australia); Ping Koy Lam (Centre for Quantum Computation and Communication Technology, Department of Quantum Science, Research School of Physics and Engineering, The Australian National University, Canberra ACT 2601, Australia); Omid Kavehei (NanoNeuroinspired Research Laboratory, School of Electrical and Information Engineering, the University of Sydney, Sydney, NSW 2006, Australia)
Abstract: Random number generators (RNGs) that are crucial for cryptographic applications have been the subject of adversarial attacks. These attacks exploit environmental information to predict generated random numbers that are supposed to be truly random and unpredictable. Though quantum random number generators (QRNGs) are based on the intrinsic indeterministic nature of quantum properties, the presence of classical noise in the measurement process compromises the integrity of a QRNG. In this paper, we develop a predictive machine learning (ML) analysis to investigate the impact of deterministic classical noise in different stages of an optical continuous variable QRNG. Our ML model successfully detects inherent correlations when the deterministic noise sources are prominent. After appropriate filtering and randomness extraction processes are introduced, our QRNG system, in turn, demonstrates its robustness against ML. We further demonstrate the robustness of our ML approach by applying it to uniformly distributed random numbers from the QRNG and a congruential RNG. Hence, our result shows that ML has potentials in benchmarking the quality of RNG devices.

#74: Post-Quantum Zero Knowledge in Constant Rounds
Nir Bitansky (Tel Aviv University); Omri Shmueli (Tel Aviv University)
Abstract: We construct the first constant-round zero-knowledge classical argument for NP secure against quantum attacks. We assume the existence of Quantum Fully Homomorphic Encryption and other standard primitives, known based on the Learning with Errors Assumption for quantum algorithms. As a corollary, we also obtain the first constant-round zero-knowledge quantum argument for QMA. At the heart of our protocol is a new no-cloning non-black-box simulation technique.

#76: Efficient simulation of random states and random unitaries
Gorjan Alagic (QuICS, University of Maryland, and NIST, Gaithersburg, MD); Christian Majenz (QuSoft and Centrum Wiskunde & Informatica, Amsterdam); Alexander Russell (Department of Computer Science and Engineering, University of Connecticut, Storrs, CT)
Abstract: We consider the problem of efficiently simulating random quantum states and random unitary operators, in a manner which is convincing to unbounded adversaries with black-box oracle access. In the case of simulating random states, the ideal object is an inputless oracle which outputs the same Haar-random n-qubit state whenever it is invoked. In the case of simulating random unitaries, the ideal object is an oracle which applies to its input the same Haar-random n-qubit unitary operator whenever it is invoked. This problem has only been previously considered for restricted adversaries. Against adversaries with an a priori bound on the number of queries, it is well-known that t-designs suffice. Against polynomial-time adversaries, one can use pseudorandom states (PRS) and pseudorandom unitaries (PRU), as defined in a recent work of Ji, Liu, and Song; unfortunately, no provably secure construction is known for PRUs. In our setting, we are concerned with unbounded adversaries. Nonetheless, we are able to give stateful quantum algorithms which simulate the ideal object in both settings of interest. In the case of Haar-random states, our simulator is polynomial-time, has negligible error, and can also simulate verification and reflection through the simulated state. This yields an immediate application to quantum money: a money scheme which is information-theoretically unforgeable and untraceable. In the case of Haar-random unitaries, our simulator takes polynomial space, but simulates both forward and inverse access with zero error. These results can be seen as the first significant steps in developing a theory of lazy sampling for random quantum objects.

#77: Numerical Calculations of Finite Key Rate for General Quantum Key Distribution Protocols
Ian George (University of Waterloo, Institute for Quantum Computing); Jie Lin (University of Waterloo, Institute for Quantum Computing); Norbert Lutkenhaus (University of Waterloo, Institute for Quantum Computing)
Abstract: Finite key analysis of quantum key distribution (QKD) is an important tool for any QKD implementation. While much work has been done on the framework of finite key analysis, the application to individual protocols often relies on the specific protocol being simple or highly symmetric as well as represented in small finite-dimensional Hilbert spaces. In this work, we extend our preexisting reliable, efficient, tight, and generic numerical method for calculating the asymptotic key rate of device-dependent QKD protocols in finite-dimensional Hilbert spaces to the finite key regime using the security analysis framework of Renner. We explain how this extension preserves the reliability, efficiency, and tightness of the asymptotic method. We then explore examples which illustrate both the generality of our method as well as the importance of parameter estimation and data processing within the framework.

#80: Machine learning aided carrier recovery in continuous-variable quantum key distribution
Tobias Gehring (Technical University of Denmark); Hou-Man Chin (Technical University of Denmark); Nitin Jain (Technical University of Denmark); Darko Zibar (Technical University of Denmark); Ulrik Andersen (Technical University of Denmark)
Abstract: The secret key rate of a continuous-variable quantum key distribution (CVQKD) system is limited by excess noise. A key issue typical to all modern CVQKD systems implemented with a reference or pilot signal and an independent local oscillator is controlling the excess noise generated from the frequency and phase noise accrued by the transmitter and receiver. Therefore accurate phase estimation and compensation, so-called carrier recovery, is a critical subsystem of CVQKD. Here, we present the implementation of a machine learning framework based on Bayesian inference, namely an unscented Kalman filter (UKF), for estimation of phase noise and compare it to a standard reference method. Experimental results obtained over a 20 km fibre-optic link indicate that the UKF can ensure very low excess noise even at low pilot powers. The measurements exhibited low variance and high stability in excess noise over a wide range of pilot signal to noise ratios. This may enable CVQKD systems with low implementation complexity which can seamlessly work on diverse transmission lines.

#89: Impossibility of Quantum Virtual Black-Box Obfuscation of Classical Circuits
Gorjan Alagic (QuICS, University of Maryland, NIST); Zvika Brakerski (Weizmann Institute of Science); Yfke Dulek (QuSoft; University of Amsterdam); Christian Schaffner (QuSoft; University of Amsterdam)
Abstract: Virtual black-box obfuscation is a strong cryptographic primitive: it encrypts a circuit while maintaining its full input/output functionality. A remarkable result by Barak et al. (Crypto 2001) shows that a general obfuscator that obfuscates classical circuits into classical circuits can not exist. A promising direction that circumvents this impossibility result is to obfuscate classical circuits into quantum states, which would potentially be better capable of hiding information about the obfuscated circuit. We show that, under the assumption that learning-with-errors (LWE) is hard for quantum computers, this quantum variant of virtual black-box obfuscation of classical circuits is generally impossible. On the way, we show that under the presence of dependent classical auxiliary input, even the small class of classical point functions cannot be quantum virtual black-box obfuscated.

#98: Robust device-independent quantum key distribution
Rene Schwonnek (NUS/ECE); Koon Tong Goh (NUS/ECE); Ignatius W. Primaatmaja (NUS/CQT); Ernest Y.Z. Tan (ETHZ); Ramona Wolf (Leibniz Universität Hannover); Valerio Scarani (NUS/Physics/CQT); Charles C.W. Lim (NUS/ECE/CQT)
Abstract: Device-independent quantum key distribution (DIQKD) is the art of using untrusted devices to distribute secret keys in an unsecure network. It thus represents the ultimate form of cryptography, offering not only information-theoretic security against channel attacks, but also against attacks exploiting implementation loopholes. At its heart, DIQKD utilises non-local correlations, detected and certified by a Bell inequality, to establish secret correlations between the users. In recent years, much progress has been made towards realising the first DIQKD experiments, but current proposals are just out of reach of today's loophole-free Bell experiments. Here, in this work, we close the gap between the theory and practice of DIQKD with a simple variant of the original protocol based on the celebrated Clauser-Horne-Shimony-Holt (CHSH) Bell inequality. In using two randomly chosen key generating bases instead of one, we show that the noise tolerance of DIQKD can be significantly improved. In particular, the extended feasibility region now covers some of the most recent loophole-free CHSH experiments, hence indicating that the first realisation of DIQKD already lies within the range of these experiments.

#99: An Integrated Chip Platform for Measurement-Device-Independent Quantum Key Distribution (MDIQKD)
Wei Luo (Nanyang Technological University); Lin Cao (Peking University); Yun Xiang Wang (University of Electronic Science and Technology of China); Jun Zou (Nanyang Technological University); Hong Cai (Institute of Microelectronics, Singapore); Xiao Long Hu (Tsinghua University); Cong Jiang (Tsinghua University); Xiao Qi Zhou (Sun Yat-sen University); Yu Feng Jin (Peking University); Shi Hai Sun (Sun Yat-sen University); Xiang Bin Wang (Tsinghua University); Leong Chuan Kwek (National University of Singapore); Ai Qun Liu (Nanyang Technological University)
Abstract: An integrated chip system for MDIQKD is demonstrated. The MDIQKD transmitter chips and server chip work on a key rate per pulse of 2.923 × 10^(6) over a distance corresponding to 50 km optical fiber with 25% detection efficiency.

#105: On-chip Time and Polarization-Multiplexed Continuous-variable Quantum Key Distribution
CAO LIN (PEKING UNIVERSITY); LUO WEI (Nanyang Technological University); Zou Jun (Nanyang Technological University); Cai Hong (Institute of Microelectronics, A*STAR); Jin Yufeng (PEKING UNIVERSITY); Leong Chuan Kwek (Nanyang Technological University); Liu Ai Qun (Nanyang Technological University); Yu Song (Beijing University of Posts and Telecommunications)
Abstract: An integrated chip platform for CVQKD system based on time and polarization multiplexing is designed and demonstrated. A proof-of-principle test is conducted, which shows the measurement results for key components. The secure key rate by simulation can reach 4 kbit/s at 40 km distance per transmission band.

#100: Scalable Pseudorandom Quantum States
Zvika Brakerski (Weizmann Institute of Science); Omri Shmueli (Tel Aviv University)
Abstract: Efficiently sampling a quantum state that is hard to distinguish from a truly random quantum state is an elementary task in quantum information theory that has both computational and physical uses. This is often referred to as pseudorandom (quantum) state generator, or PRS generator for short. In existing constructions of PRS generators, security scales with the number of qubits in the states, i.e. the (statistical) security parameter for an n-qubit PRS is roughly n. Perhaps counterintuitively, n-qubit PRS are not known to imply k-qubit PRS even for k < n. Therefore the question of scalability for PRS was thus far open: is it possible to construct n-qubit PRS generators with security parameter m for all n, m. Indeed, we believe that PRS with tiny (even constant) n and large m can be quite useful. We resolve the problem in this work, showing that any quantum-secure one-way function implies scalable PRS. We follow the paradigm of first showing a statistically secure construction when given oracle access to a random function, and then replacing the random function with a quantum-secure (classical) pseudorandom function to achieve computational security. However, our methods deviate significantly from prior works since scalable pseudorandom states require randomizing the amplitudes of the quantum state, and not just the phase as in all prior works. We show how to achieve this using Gaussian sampling.

#104: Device-independent randomness expansion against quantum side information
Wen-Zhao Liu (University of Science and Technology of China); Ming-Han Li (University of Science and Technology of China); Sammy Ragy (University of York); Si-Ran Zhao (University of Science and Technology of China); Bing Bai (University of Science and Technology of China); Yang Liu (University of Science and Technology of China); Peter J. Brown (University of York); Jun Zhang (University of Science and Technology of China); Roger Colbeck (University of York); Jingyun Fan (Southern University of Science and Technology); Qiang Zhang (University of Science and Technology of China); Jian-Wei Pan (University of Science and Technology of China)
Abstract: The ability to produce random numbers that are unknown to any outside party is crucial for many applications. Device-independent randomness generation (DIRNG) allows new randomness to be provably generated, without needing to trust the devices used for the protocol. This provides strong guarantees about the security of the output, but comes at the price of requiring the violation of a Bell inequality to implement. A further challenge is to make the bounds in the security proofs tight enough to allow expansion with contemporary technology. Thus, while randomness has been generated in recent experiments, the amount of randomness consumed in doing so has been too high to certify expansion based on existing theory. Here we present an experiment that demonstrates device-independent randomness expansion (DIRNE), i.e., where the generated randomness surpasses that consumed. By developing a loophole-free Bell test setup with a single photon detection efficiency of around 81% and exploiting a spot-checking protocol, we achieve a net gain of 2.63 × 10^8 certified bits with soundness error 5.74 × 10^{−8}. The experiment ran for 220 hours corresponding to an average rate of randomness generation of 8202 bits/s. By developing the Entropy Accumulation Theorem (EAT), we established security against quantum adversaries. We anticipate that this work will lead to further improvements that push device-independence towards commercial viability.
List of Accepted Posters
to appear here