Quantum cryptography: key distribution and beyond

Uniquely among the sciences, quantum cryptography has driven both foundational research as well as practical real-life applications. We review the progress of quantum cryptography in the last decade, covering quantum key distribution and other applications.


Introduction
Cryptography is the technique of concealing confidential information using physical or mathematical means. While cryptologists find newer methods to conceal a secret, cryptanalysts devise powerful methods to compromise the same. This recursive cat-and-mouse game has pushed the field and driven progress in it tremendously, motivating the participation of a large group of physicists, mathematicians and engineers.
The seminal work of Peter W. Shor [1] uncovered the security threat that quantum computation posed on all classical cryptographic schemes that are based on computational assumptions, such as the hardness of the discrete logarithm problem and the factorization problem. One such cryptographic scheme is the Rivest-Shamir-Adleman (RSA) scheme, which is widely used in e-commerce today. RSA in today's world is safe so long as a scalable quantum computer remains unfeasible. However, ideally, we wish to guarantee cryptographic security that follows only from basic physics. This is the promise of quantum cryptography.
In particular, note the recent report on a loophole-free test of Bell's inequality [2], thereby conclusively verifying the existence of quantum nonlocality in Nature, and also attesting to the advancement of experimental techniques to prepare, transmit, manipulate and measure quantum information. Another direction in cryptography is to provide practicable tools embracing experimental limitations, e.g. quantum key distribution with pulses having mean photon number much larger than one [3].
Several quantum cryptographic tools have now been commercialized. ID-Quantique, a major player in the quantum cryptography industry, sells complete cryptographic solutions. Their products include network encryption systems, quantum cryptographic systems especially designed for industry and government, a quantum random number generator, a state-of-art photon counting device, single photon source, etc. QUANTIS, a quantum random number generator from ID-Quantique deserves special mention, as it is used in quantum key distribution and various quantum-classical hybrid machines (e.g., in casinos); the CLAVIS series of products, which provide a platform for cryptography research, are worth noting. Further, ID-Quantique's cryptographic solution provides an open platform where buyers can incorporate their own encryption algorithms.
Further, there are several other companies trying to commercialize quantum key distribution (see a long list of such companies at Wikipedia, which depicts the importance of the field). Among this set of large number of other companies and the interesting products developed by them, we would like to point out a few. Toshiba markets an excellent room temperature single-photon detector, a photon number resolving detector and a quantum key distribution system using the T12 protocol [4], in which the probability that bit values are encoded in X and Z basis are different (otherwise, T12 is similar to Bennett-Brassard 1984 protocol (BB84)) and decoy qubits are used. A very attractive example of quantum-classical hybrid cryptographic product is the world's first quantumkey-distribution-based one-time-pad mobile phone software designed by Mitsubishi Electric.
The interaction between academia and industry, and the development of commercially viable products as a result, has been relatively thriving in this area. In 2015, H. Zbinden and his colleagues at GAP-Optique, University of Geneva, performed a record breaking long distance quantum key distribution experiment using a coherent one-way scheme that uses decoy qubits and a variant of BB84. They successfully distributed the key in a secure manner over 307 km. It took only a few months for the development of the corresponding commercial product, as in October 2015, ID-Quantique introduced a commercial product using the same protocol (cf. Cerberis QKD Blade at ID-Quantique).
While quantum key distribution remains the most popular application of quantum cryptography, potential usefulness has been recognized for other areas, in particular for distrustful cryptography. This involves players with conflicting interests who do not necessarily trust one another, unlike in quantum key distribution. The present review will try to cover many such areas, including relativistic quantum cryptography, developed in the last decade since two comprehensive reviews on quantum key distribution done in the previous decade [5,6].
The present review is arranged as follows. In Section 2, we revisit quantum key distribution, briefly explaining intuitive and rigorous proofs of security, presenting some variants of quantum key distribution going beyond BB84, among them semi-quantum protocols, and touching on the issue of composability, which is relevant for a largescale implementation of a quantum cryptography. A modification of the quantum key distribution, allowing for secure deterministic communication, and other allied protocols, is discussed in Section 3. In Section 4, we cover the paradigm of counterfactual key distribution, which is based on interaction-free measurements. Subsequently, in Section 5, we discuss the practically important area of device independence, in particular devoting subsections to the issues of side channels, and then five classifications of device independence, namely full, one-sided-, semi-, measurement-and detector-device independence. The formalism of device independence can in principle also be useful in a world where quantum mechanics fails to be valid, being replaced by a non-signaling theory. We also briefly touch upon this, along with the issue of selftesting, in the final subsection. Next, we cover various other issues in cryptography besides quantum key distribution, covering quantum versions for cryptotasks such as random number generation, strong and weak coin tossing, private querying, secret sharing and privacy preserving tasks. Some crypto-tasks not possible in non-relativistic classical cryptography become feasible with the inclusion of relativity or the conjunction of relativity and quantum mechanics. These issues are discussed in Section 7. Technological issues encountered in practical realization of quantum cryptography are discussed in Section 8. After covering continuous variable quantum cryptography in Section 9, we conclude in Section 11.

Quantum key distribution
Quantum cryptography was born when S. Wiesner came up with the idea of quantum money in the 1970s, though his paper eventually appeared only in 1983. In 1984, Bennett and Brassard introduced their famous, eponymous four-state protocol BB84 [7], using encoding based on photon polarization. This was seminal in showing how quantum features like uncertainty, impossibility of perfectly discriminating non-orthogonal states and measurement disturbance were 'just what the doctor ordered' as far as secret communication goes. For the first time, it became clear how quantum physical laws can provide unconditional security, impossible classically. Since then, quantum key distribution has progressed tremendously both in theory and practice. For a recent comprehensive review, see [8]. In 1991, Ekert proposed his celebrated E91 cryptographic protocol [9], using Einstein-Podolsky-Rosen pairs (maximally entangled states), where security was linked to the monogamous property of quantum nonlocality [10]. As a result, E91 has sometimes been dubbed 'experimental metaphysics'! Interestingly, it contained the seeds for the concept of device-independent protocols [11], that would be introduced about one-and-half decades later. Bennett's 1992 protocol, which introduced a two-state scheme, showed that two non-orthogonal states are sufficient for quantum cryptography [12]. Shor's efficient quantum algorithms for finding the prime factors of an integer and for the discrete logarithm problem [1] created a huge excitement, optimism and interest among physicists and computer scientists because of their potential impact on computational complexity, indicating strongly that the quantum computers may prove to be more powerful than their classical counterparts. The factorization algorithm, which is now known as Shor's algorithm, got more attention because it threatened classical cryptography, on account of its potential ability to efficiently crack the RSA cryptographic protocol, which depends on the supposed inability of the classical computers to factorize a large integer in polynomial time.
The Goldenberg-Vaidman protocol [13] shows, intriguingly, that orthogonal states suffice for quantum key distribution. Based on a Mach-Zehnder interferometer architecture, Goldenberg and Vaidman introduced a new paradigm in the foundations of cryptography, where the spatial distribution of a pulse is exploited to obviate the need for non-orthogonality of the signal states to provide security. An experimental realization of Goldenberg-Vaidman protocol was reported by Avella et al [14]. Later on, Goldenberg-Vaidman protocol was generalized by various authors [15][16][17][18][19][20][21], in which they established that almost all cryptographic tasks that can be performed using a BB84 type conjugate coding based schemes can also be performed using orthogonal state based protocols. Specifically, they showed that it is possible to design orthogonal state based schemes for quantum private comparison, quantum key agreement, quantum key distribution, deterministic secure quantum communication, etc., and that thus conjugate coding is not essential for obtaining unconditional security.
The first ever experimental demonstration of the quantum teleportation phenomenon was reported in 1997 by Zeilinger's group at the University of Vienna, Austria [22], who used the polarization of a photon as a qubit. Quantum teleportation in its original form is cryptographically insecure, but it may be used as a primitive to build schemes for secure quantum communication.
Another new paradigm was introduced in cryptography in 1999 by Guo and Shi who proposed a protocol based on interaction-free measurement [23]. In 2009, this was followed by the Noh protocol [24], which replaces its use of the Mach-Zehnder interferometer with that of a Michelson interferometer. An experimental realization of the Noh protocol was reported by Brida et al. [25].

Intuitive security
Quantum key distribution is intuitively secure. In BB84, Alice sends Bob a stream of states prepared in the Pauli X or Z basis over an insecure channel. Bob measures them in the X or Z basis randomly. Later over a classical channel, he announces his measurement bases, and Alice informs him which results he can keep. This step, called basis reconciliation, creates a shared sifted key, wherein Alice and Bob decide to assign bit value '0' to the +1 outcome of X and Z, and bit value '1' to the −1 of the bases. A fraction of this sifted key is publicly announced. If Alice's and Bob's records diverge on too many bits, they abandon the protocol run. Suppose an eavesdropper Eve intervenes by measuring the qubits in the X or Z basis. At the time of key reconciliation, she knows which qubits she measured in the right basis. Suppose Alice and Bob consume m check bits during their final test. The probability that Eve is not detected on a given bit is 3 4 , or 3 4 m on all m bits. A more detailed treatment of the above attack must compare Bob's and Eve's information gain during her attack. Suppose an eavesdropper Eve intervenes by measuring a fraction f of qubits in the X or Z basis. She notes the result, and forwards the measured qubit. The probability that she measures in the right basis, and thus has the right sifted bit, is f 2 . The error rate she introduces is e = f 4 , so that the mutual information between Alice and Bob per sifted bit is I(A : is Shannon binary entropy. Eve has more information than Alice, thereby potentially making the channel insecure [26], if Eve's mutual information which happens around 17.05%. Here, it is assumed that Eve retrospectively knows when she measured in the right basis. This is the case if Alice and Bob use pseudo-random number generators for state preparation and measurement, respectively, and Eve is able to crack their pattern based on their public discussion for sifting the raw key. Otherwise, Eve's information would be f (1 − h(1/4)) = 4e(1 − h(1/4)) ≤ I(A:B) throughout the range 0 ≤ f ≤ 1.

Unconditional security
More generally, Eve may use sophisticated attacks going beyond the above intercept-resend method. A rigorous proof for security must be able to cover not only general attacks on individual qubits, but also coherent attacks on all qubits, with Eve's final manipulations deferred until after basis reconciliation [27][28][29][30].
Here we very briefly review the proof of security of BB84 in the spirit of [29]. At its core are two ideas: Entanglement distillation [31] via Calderbank-Shor-Steane (CSS) quantum error correcting codes or, more generally, stabilizer codes [32,33]. This corresponds to privacy amplification at the quantum level.
Monogamy of entanglement [34], the property that if Alice and Bob share singlets with high fidelity, then there is no third party with which Alice's or Bob's particles could be entangled (cf. [30]). More generally, nonlocal no-signaling correlations are known to be monogamous [10].
It is interesting that these proofs, which assume trusted devices, make use of entanglement, which is the appropriate resource for device-independent cryptography (discussed below), but not necessary for security in the scenario of trusted devices. In this case, measurement disturbance and an information vs. disturbance trade-off suffice for guaranteeing unconditional security of key distribution, which is proven in [35].
Regarding the first point above, viz., distillation via stabilizer codes, an important observation is that quantum errors can be digitized into tensor products of Pauli operators-namely bit flips, phase flips and their products-if carefully encoded and the errors are small enough [36,37], and thereby corrected using a classicallike (if subtler) technique.
Suppose we are given two classical linear error correcting codes C 1 ≡ [n, k 1 ] and C 2 ≡ [n, k 2 ] such that C 2 ⊂ C 1 and C 1 and C ⊥ 2 correct up to t errors on n bits, with code rates k 1 /n and k 2 /n respectively. Then, there are associated parity check matrices H 1 and H 2 pertaining to C 1 and C ⊥ 2 , such that given a code word w in a code that picks up a bit flip error of weight of at most t, to become w + , it can be corrected by computing the error syndrome H j (w + ) = H j ( ).
The codes C j above define a [n, k 1 − k 2 ] CSS quantum error correcting code, a subspace of C 2 n . Given u ∈ C 1 , a quantum code word, which is a basis state for the quantum error correcting code, is Note that |u + C 2 = |u + C 2 if u − u ∈ C 2 , so that |u + C 2 only depends on the coset of C 1 /C 2 which u is located in, whence the notation of (2) [37]. Under b bit flip errors and f phase errors, the above transforms to The error correcting properties of C 1 can be used to correct the b Pauli bit flip errors by incompletely measuring the quantum operators corresponding to the syndromes. After correcting these bit flip errors, it can be shown that applying a Hadamard transformation H ≡ 1 √ 2 (X + Z) to each of the qubits, transforms these qubits to the form so that the phase flip errors now appear as bit flip errors, which can be corrected using the error correcting properties of the code C ⊥ 2 . We recover the state (2) after application of H to each qubit.
An application of CSS codes is to derive the Gilbert-Varshamov bound for quantum communication, which guarantees the existence of good quantum error correcting codes [29]. For a [n, k] CSS code correcting all errors on at most t ≡ δn qubits, the quantum Gilbert-Varshamov bound says that there exist codes in the asymptotic limit such that the code rate k/n is at least 1 − 2h(2t/n), while giving protection against t bit errors and t phase errors. Thus, in a protocol, after correction of total errors ( 11%), Alice and Bob share almost pure singlets hardly correlated with Eve.
The use of CSS codes for distillation can be roughly described as follows. Suppose the channel introduces δn errors, and Alice and Bob encode k Bell states using a [n, k] quantum error correcting code correcting up to this many errors. Alice sends Bob the qubits corresponding to the second particle in the Bell states. Both perform identical syndrome measurements and recovery operations on their own n-qubit halves of the noisy encoded Bell pairs, recovering k pairs of qubits that has a high degree of fidelity with k Bell pairs.
It is important to stress that the man in the middle can affect quantum key distribution as much as it does classical cryptography. This involves Eve impersonating Alice to Bob and Bob to Alice. Perhaps the only protection for quantum key distribution against man in the middle is for Alice and Bob to share a short inital secret (like a pass phrase) for the purpose of person authentication. At the end of the quantum key distribution session, Alice and Bob must store a small portion of the shared key to serve as the pass phrase for the subsequent session. This pass phrase thus serves as a seed that can be grown into the full key, making quantum key distribution as a kind of secret growing protocol [5]. But note that the initial seed must have been exhanged in person or such equivalent direct means.

Some variants
In 2002, Boström and Felbinger introduced the Pingpong protocol [38] which is a two-state deterministic scheme based on quantum dense coding. To illustrate the conceptual point that entanglement is not required, [39] proposed the non-entangled version of the Pingpong protocol.
In differential phase shift quantum key distribution [40], a single photon, split into three pulses, is transmitted to Bob by Alice. Bob extracts bit information by measuring the phase difference between two sequential pulses by passive differential phase detection. Suitable for fiber-based transmission, this method offers a superior key generation rate in comparison with fiber-based BB84. The scheme has been extended to the use of weak coherent pulses [41,42]. Its security against the photon number splitting attack [43] and detailed security, have been studied [44]. A variant of differential phase shift quantum key distribution, called the round-robin differential phase shift protocol [45] has been proposed, in which a guarantee of security is obtained even without any channel noise statistics being monitored. The robustness of roundrobin differential phase shift with regard to source flaws has been studied [46]. Recently, round-robin differential phase shift has also been experimentally realized [47,48].
The introduction of decoy states [49][50][51] allows implementation of quantum key distribution even with weak coherent pulses instead of single-photon pulses, even in the presence of high loss. Kak [52] introduced a fully quantum scheme in which Alice and Bob share secret bits by exchanging quantum information to and fro in three stages, in contrast to a protocol like BB84, where classical communication is necessary.
A research group from Toshiba Research Europe, UK, demonstrated in 2003 quantum key distribution over optical fibers about 122 km long. The commercial use of quantum technology was initiated by this key effort [53].
Building on ideas first introduced in [54], in [55] quantum key distribution was analyzed under collective attacks in the device independence scenario (discussed below), where devices are not assumed to be trusted or well characterized.
Another direction of research in the security of quantum key distribution is to ask whether it remains secure if only one of the two players is quantum, while the other is classical. Boyer et al [56,57] showed that one obtains a robust security even in this weaker situation. This is of practical relevance, since it places a significantly lesser burden on implementation. An open issue may be to consider how to combine semi-quantum with device-independence (in particular, one-way device-independence, see below).
The South Africa held 2010 Soccer World Cup marks a milestone event for the use of quantum cryptography in a significant public event. Quantum-based encryption was facilitated by the research team led by F. Petruccione, Centre for Quantum Technology, University of KwaZulu-Natal.
The use of free-space quantum communication, rather than fiber-based optics, entered a significant phase when J.-W. Pan's group [58] implemented quantum teleportation over an optical free-space link. Given the low atmospheric absorption under certain wavelength ranges, this can help extend the communication distance in comparison with a fiber link. The same research group further reported [59] the demonstration of entanglement distri-bution over a free-space link of 100 km, and verifying violation of the Clauser-Horne-Shimony-Holt inequality [60]. The high-fidelity and high-frequency techniques for data acquisition, pointing and tracking in this process pave the way for futuristic satellite-based quantum cryptography.
A scheme for quantum key distribution based on measurement-device independence was proposed in [61]. Its practical advantage over full device independence is that it can tolerate the side-channel attacks and reduced efficiency of the detectors, while doubling the secure distance using just conventional lasers. Other works followed this: phase-encoding for measurementdevice independence [62], study of the practical aspects of measurement-device independence such as asymmetric channel transmission and the use of decoys [63], extending secure distance to ultra-long distances using an entangled source in the middle [64], measurement-deviceindependent quantum key distribution with polarization encoding using commercial devices acquirable off-theshelf [65].
An experimental satellite-based quantum key distribution system, with satellite transmitters and Earth-based (at Matera Laser Ranging Laboratory, Italy) quantum receivers was implemented with reasonably low noise, namely quantum bit error rate of about 4.6% [66]. Sending quantum messages via a satellite based global network took a further step when in 2016 China launched the $100 million satellite mission named Quantum Experiments at Space Scale (QUESS) aka Micius (after the ancient philosopher) from the Jiuquan Satellite Launch Center. The mission aims to study the feasibility of quantum cryptography through free-space.

Semi-quantum protocols
The protocols mentioned so far are completely quantum in the sense that all the users (senders and receivers) need to be able to perform quantum operations (like applying unitaries or measuring in non-commuting bases) in these schemes. By a quantum user, we mean a user who can prepare and measure quantum states in the computational basis as well as in one or more superposition bases (say in diagonal basis), whose states are non-orthogonal to the computation basis states. In contrast, a classical user is one who can perform measurement in the computational basis only, has no quantum memory, and who, upon receiving a qubit, can only either measure it in computational basis or reflect it without doing anything.
An interesting question is whether all the users need to be quantum? This important foundational question was first addressed by Boyer et al., [67], where they showed that some of the users can be classical in a scheme called semi-quantum key distribution. Quite generally, such protocols, where some of the users are allowed to be classical, are called semi-quantum. After the seminal work of Boyer et al, several semi-quantum schemes have been proposed [21, [68][69][70][71][72], and their security proofs have been reported [73,74]. For example, a semi-quantum scheme has recently been proposed for secure direct communication [68], private comparison [21], information splitting [69], and secret sharing [70]. Thus, in brief, most of the cryptographic tasks can be done in semi-quantum fashion, too. This is extremely important as in practical applications end users are often expected to be classical.

Composability
Universal composability [75] is a general cryptographic framework for protocols that demands security even when protocols are composed with other protocols or other instances of the same protocol. For large-scale applications, clearly composability plays an important role also in quantum cryptography [76]. In the context of quantum key distribution, universal composability specifies additional security criteria that must be fulfilled in order for quantum key distribution to be composed with other tasks to form a larger application. The ultimate goal of security analysis would be to prove composable security against coherent attacks. See [77] for proofs of composable security in the case of discrete-variable quantum key distribution and [78] for continuous-variable quantum key distribution.
The universal composability model entails that a key produced via quantum key distribution is safe to be used in other applications, such as a key to encrypt a message. Unconditional security of quantum key distribution, as conventionally defined, does not automatically preclude a joint attack on quantum key distribution and the message transmission based on the resulting key. Universal composability closes this possible security loophole. As it turns out, the conventional definition of security in quantum key distribution does entail composable security, meaning that a key that is produced in an unconditionally secure way is indeed safe to encode a message with [79].
A relevant example concerns quantum key distribution being sequentially composed in order to generate a continuous stream of secret bits. More generally, the criteria for composability would be more stringent when mutually mistrustful parties are involved. In this context, [80] defines a universally composable security of quantum multi-party computation.
[81] invokes the composability of quantum key distribution to obtain hierarchical quantum secret sharing. A composable security has also been defined for quantum crypto-protocols that realizes certain classical two-party tasks [82].

Secure deterministic communication
There are several facets of secure quantum communication, which can in principle be derived by composing quantum key distribution and having access to a secure random number generator. In this subsection we aim to provide an interconnection between them [83, 84] via specific examples.
To begin with we describe a scheme for controlled quantum dialogue. There are three users Alice, Bob and Charlie, such that the communication channel between Alice and Bob is supervised by Charlie, who is referred to as controller. Alice and Bob both can send classical information to each other in a secure manner using this quantum channel, which constitutes a quantum dialogue. However, Charlie fully determines whether the channel is available to them both. Further, a requirement of quantum dialogue is that classical communication between Alice and Bob should be transmitted through the same quantum channel and that it should be transmitted simultaneously (namely, there must be a time interval, during which the information of both parties would be in an encoded state in the same channel).
Here, it is important to note that Alice and Bob need to be semi-honest (a semi-honest user strictly follows the protocol, but tries to cheat and/or obtain additional information remaining within the protocol), as otherwise they may create an independent quantum channel of their own and circumvent the control of Charlie. Now, we may briefly describe a simple scheme of controlled quantum dialogue as follows [85]: Step 1: Charlie prepares n copies of a Bell state, diving them into two n-qubit sequences S A and S B , with the first and second halves of the Bell pair, respectively. Then, he transmits both S A and S B to Bob, after suitably permuting S B . It is assumed that all qubit transmissions are secure, with the possible inclusion of decoy qubits, which are inserted to test for an eavesdropper and dropped afterwards [86].
Step 2: Using Pauli operations in the manner of quantum dense coding [37] (whereby I, X, iY, and Z correspond to encoded bit values 00, 01, 10, and 11, respectively), Bob encodes his message in the qubit string S A , which he then transmits to Alice.
Step 3: After using the same method to encode her secret message, Alice transmits back the sequence S A to Bob.
Step 4: Charlie reveals the permutation used. On this basis, Bob pairs up the partner particles and measures them in the Bell basis.
Step 5: Bob publicly announces the outcomes of his measurements, which allows each party to extract the other's message using knowledge of her/his own encoding and that of initial Bell state Charlie prepared.
Without Charlie revealing the particular permutation used, semi-honest Alice and Bob cannot decode the other's message, thereby ensuring Charlie's control. Moreover, just before step 4, both Alice and Bob's messages are encoded at the same time in the channel, which ensures satisfaction of the quantum dialogue requirement.
Charlie's choice of Bell state, if publicly known, would lead to information leakage, which is often considered to be an inherent feature of quantum dialogue and variants thereof. This problem can be eliminated if Charlie chooses his Bell state randomly, informing Alice and Bob of his choice via quantum secure direct communication or deterministic secure quantum communication [87].
The above scheme can be turned into other cryptotasks. If Bob, instead of Charlie, prepares the Bell states initially (with the difference of Charlie's announcement being absent in step 4), then the above scheme reduces to quantum dialogue, of the type introduced at first by Ba An [88]. This is called the Ba An protocol for quantum dialogue.
Likewise, a quantum dialogue scheme can always be obtained from a controlled quantum dialogue scheme. Further, in a quantum dialogue scheme, restricting one of the players, e.g., Alice, to trivial encoding (namely, simply applying Pauli I operation), we obtain a protocol for quantum secure direct communication, whereby Bob can communicate a message to Alice without the prior distribution of a key. In this way, any quantum dialogue can be turned into that for quantum secure direct communication. In quantum secure direct communication, a meaningful message is typically sent by the sender. Instead, transmission of a random key turns quantum secure direct communication into a quantum key distribution. Therefore, any quantum secure direct communication protocol can be turned into a quantum key distribution protocol [83].
Likewise, suppose that in a quantum dialogue scheme, Alice (resp., Bob) transmits key k A (resp., k B ) to Bob (resp., Alice), after which they adopt K = k A ⊕ k B as the secret key for future communication, this constitutes a protocol for quantum key agreement, in which each player contributes equally to K, such that each bit of K cannot be unilaterally determined by either player. In this way, a quantum key agreement scheme can always be obtained from that for quantum dialogue. Also, in asymmetric quantum dialogue [87], a special case of the quantum dialogue scheme, involves Alice and Bob encoding an unequal amount of information (say, Alice sending m bits, and Bob sending 2m bits).
Other types of reduction are possible. In the above scheme for controlled quantum dialogue, suppose Charlie retains sequence S B and only transmits S A securely to Alice, who encodes her secret message using the dense coding method and then transmits the resultant qubit string to Bob. Upon reception, Bob encodes his secret using the same rule and sends the resultant sequence to Charlie, who finally measures each received particle with its partner particle retained by him, in the Bell basis. If in each case, he obtains the original Bell state, the Alice's and Bob's secrets are identical. This follows simply from the fact that I = XX = (iY)(iY) = ZZ = I 2 I 2 , ensuring that two encoded messages are identical, then the travel qubits return as they left.
Therefore, a quantum dialogue or controlled quantum dialogue scheme can always be turned into one for quantum private comparison, which allows a third party to compare the secrets of two parties without being able to know their secrets [21]. This quantum private comparison is suitable for the socialist millionaire problem or Tierce problem [89], which is a secure two-party computation requiring two millionaires to find out if they are equally rich, without revealing how rich each is (unless of course they are equally rich). In brief, a modification of quantum dialogue or controlled quantum dialogue provides a solution for quantum private comparison, the socialist millionaire problem and a few other related problems.
Just as a quantum dialogue protocol can be turned into a quantum secure direct communication one, a controlled quantum dialogue protocol can be turned into one for controlled quantum secure direct communication (technically, actually one for controlled deterministic secure quantum communication). Now, controlled deterministic secure quantum communication can be used in a quantum e-commerce situation, where Charlie represents a bank, Alice a buyer and Bob an online shop. To make a purchase, Alice intimates Charlie, who executes step 1 above. Next, Alice encodes her purchase information in S A , which she sends to Bob, who in turn informs Charlie of having received an order worth a specific amount from a certain buyer, whose identity is verified by Charlie, who then reveals the relevant permutation operation. Bob then performs Bell measurement and knows about Alice's order. Therefore, a quantum e-commerce protocol of this type is really a straightforward modification of a controlled quantum secure direct communication scheme.
In fact, in the recent past several schemes of quantum e-commerce and other similar applications of quantum cryptography have been proposed by various groups [90,91], that have established that quantum cryptography can be used for various practical tasks beyond key distribution and secure direct communication. Specifically, sealed-bid auctions [92][93][94] and other variants of auctioning (e.g., English and Dutch auctions) can be perfromed using quantum resources [95,96]. Binary voting can also be performed using quantum resources (cf. [97] and references therein).

Counterfactual quantum cryptography
Counterfactual quantum communication transmits information using the non-travel of a photon between Alice and Bob [98][99][100][101]. It is based on interaction-free measurement [23, 102,103], where the presence of an object is detected without directly interrogating it. Famously known as the Elitzur-Vaidman scheme for bomb detection, it involves photon interferometery used to ascertain the presence of a quantum object in one of the arms without the photon actually passing through it. The singlephoton injected into the beamspliiter of this set-up always exits one particular output port labelled as the bright port. The presence of an object in one of the arms of the interferometer permits the single photon to exit not from the bright port, but through the port that is otherwise dark. Experimental realizations proved that indeed such interaction-free measurements are possible [103]. Further, a proposal to enhance its efficiency towards 100% using chained unbalanced beamsplitters, wherein repeated measurements of the initial state in order to arrest evolution, simulating the quantum Zeno effect, was put forth. The scheme works as follows: A single-photon incident on a beamspliiter after M cycles exits from the bright port but the presence of a detector in these ports restricts the photon to be always in the lower arm and exit from the dark port. The chained action leads to the evolution: where M is the number of interferometric cycles, and the first equation indicates absorption at the obstacle. In 2009, Noh proposed the well-known counterfactual quantum protocol for cryptography [24]. Though counterfactual quantum cryptography may not be so useful for long-distance communication, it is interesting conceptually [104,105]. Schemes to improve the efficiency of counterfactual quantum key distribution protocols [106,107], security analysis of such schemes under various attacks such as intercept-resend and counterfactual attacks [108][109][110], experimental realisation using different set-ups [25, 111,112], direct communication protocols [113] and counterfactual generation and distribution of entanglement [114] have contributed towards better understanding of applying counterfactuality. The basic idea of the direct communication protocol is to ensure counterfactual transfer of information using the chained beamsplitter approach mentioned earlier. M-chained unbalanced beamsplitters are nested within N-chained outer unbalanced beamsplitters. By suitably choosing M and N, one can achieve direct communication between Alice and Bob. It has been further argued that this is fully counterfactual [115], an interpretation that has been debated. For an alternative perspective, see [116,117], but also [118,119]. Recently, the proposal in [115] for direct counterfactual communication has been implemented experimentally [120].
By letting the obstacle to be in a superposition state, as follows: An idea along this line can be used to counterfactually transmit a qubit, as against a bit [121][122][123].
The well-known counterfactual protocol Noh09 [24] is briefly explained here. Alice and Bob are connected to each other through one of the arms of a Michelson interferometer (arm B). The other arm A is internal to Alice's station and is inaccessible to the outside world. A photon traveling along arm A is always reflected using a Faraday mirror (M 1 ). In addition, Alice is also equipped with a single-photon source which prepares polarization states in the vertical (V) or horizontal (H) direction, based on the output of a quantum random number generator (a). Bob's station also consists a quantum random number generator (b) whose output decides whether a reflection using Faraday mirror (M 2 ) or a detection using a detector D B is to be applied. R B controls a switch Q whose polarization state P (pass V and block H) or B (block V and pass H) determines which of the above operations is to be applied. The protocol is as follows (cf. Figure 1):

Alice prepares polarization states randomly in V or
H states based on a and transmits it to Bob.
2. Bob applies P or B randomly based on b. The following table gives the conditional probabilities based on Alice and Bob's joint action: T D 1 and D 2 are detectors in Alice's station. R and T are the coefficient of reflectance and transmittance of the beamsplitter respectively such that R + T = 1.
3. At the end, D 1 detections lead to the generation of secret key and D 2 detections are used for detecting eavesdropping. D 1 detection is counterfactual in the sense that the photon did not travel to Bob and his blocking action leads to a remote detection by Alice.
In some sense, the photon takes into account Bob's choices before detection.
Future directions here could explore applying the counterfactual paradigm to other crypto-tasks besides quantum key distribution.

Device independent scenarios
We already noted that a classical cryptographic protocol is secure only under some assumptions about the hardness of performing some computational tasks. In contrast, BB84, B92 and other protocols for quantum key distribution, mentioned above, are unconditionally secure in the sense that their security proof is not based on such computational assumptions, but instead is guaranteed by quantum physical laws. However, the security proofs assume that the practical realization is faithful to the theoretical specifications, and that the devices used by Alice and Bob are trusted and that the duo have perfect control over the devices used for the preparation of the quantum states, manipulation and their measurement. Devices are also assumed to be free from any side channels that would leak secret information from the laboratories of Alice and Bob.

Side-channel attacks
Quantum key-distribution promises unconditional security under the assumption of perfect implementation of the protocols in the real-world. But, imperfections in the experimental set-up creates side-channels that can be employed by a malicious eavesdropper to compromise the security without the knowledge of the legitimate participants Alice and Bob. Side-channel attack allows Eve to gain information based on certain behavioural patterns of the devices used for key-distribution and does not depend upon the theoretical security [124].
Some examples of side-channels are detector clicks, dark counts and recovery time of the detectors, electromagnetic leaks. Sometimes the side-channel attacks are so powerful that the basis information may be leaked and render the protocol completely insecure. Such sidechannel attacks identified [125,126] the danger posed by not being able to completely characterise sources and detectors, leading to the device-independent paradigm [127].
Here, we list some powerful quantum hacking attacks and countermeasures on commercial quantum key distribution systems: • Time-shift attacks, which make use of the detection efficiency loophole, which plays a key role in the Bell inequality tests [128]. Here we may count bright illumination pulses to control singlephoton avalanche photodetectors [129], passive detector side channel attacks [130] and detector blinding attacks. In particular, information leakage due to the secondary photo-emission of a single photon avalanche detector can be countered by backflash light characterization [131].
• Time side channel attack where the timing information revealed during the public communication during Alice and Bob is used to extract some parts of the secret key [132].
• Optical side-channel attacks in order to gain information about the internal states being propagated in the channel [133].
• Source attacks based on tampering of the photon sources in the measurement device-independent paradigm [134].
• Preventing side-channel attacks in continuousvariable quantum key distribution by modulating the source signal appropriately to compensate for a lossy channel [135].

Device-independence
The practical realization of an otherwise unconditionally secure quantum key distribution protocol will involve the use of untrusted devices [136], whose imperfections may be exploited by a malicious eavesdropper to undermine its security. In 1998, Mayers and Yao [137] introduced the concept of quantum cryptography with the guarantee of security based only on the passing by the measurement data of certain statistical tests, under the assumptions of validity of quantum mechanics and the physical isolation (no information leakage) of Alice's and Bob's devices; in other words, a quantum key distribution set-up that can self-test.
In [54], it was shown how a single random bit can be securely distributed in the presence of a non-signallingnot just quantum-eavesdropper. This qualitative argument was made quantitative by several following works, providing efficient protocols against individual attacks [138,139], and subsequently collective attacks [140][141][142] against a non-signaling eavesdropper. Better key rates, but assuming an eavesdropper constrained by quantum laws, are reported in [55,143,144]. All these proofs of security require an independence assumption, namely that successive measurements performed on the devices commute with each other [144]. While [145] fixes this issue, by allowing Alice and Bob to use just one device each, it is inefficient and lacks noise tolerance. The deviceindependent protocol of [146] reports an improvement guaranteeing the generation of a linear key rate even with devices subject to a constant noise rate, but relaxing other assumptions such as the availability of several independent pairs of devices. We briefly mention the connection of device independence and nonlocality. A necessary condition in order to guarantee security in the scenario where devices are not assumed to be trustworthy-characteristic of the deviceindependent scenario-is that Alice's and Bob's joint correlation P(x, y|a, b), where a, b are the respective inputs and x, y their respective outputs, must be such that where P(x|a, λ) and P(y|b, λ) are arbitrary probability distributions for Alice and Bob; and P λ is the probability distribution of some underlying variable λ. For if this were not so, then in principle, knowing λ, Eve would be able to determine the outcomes of Alice and Bob, when they announce a and b publicly during the key reconciliation step. This entails that P(x, y|a, b) must be nonlocal, namely it should violate a Bell-type inequality, making the sharing of quantum entanglement necessary.
Other than this, the quantum apparatuses used by Alice and Bob are viewed as black boxes, with no assumption made about the internal workings. Interestingly, the root concept for device-independent quantum key distribution was implicit as early as 1991 in the E91 protocol [9], but its true significance was not recognized before the advent of the study into device-independent cryptography. Because the security of any device-independent scheme requires nonlocal correlations, which is in practice an expensive and delicate resource, it would be difficult to achieve full device independence. For example, the detector efficiencies are usually too low to support full deviceindependent security. Although the hope for practical realization of device-independent quantum key distribution has been raised by recent loophole-free Bell experiments [2,147,148], the secure key rates are expected to be quite low even for short distances.
Although we have generally talked of quantum key distribution in the context of device independence, other tasks can also be considered in this framework, among them self-testing of the W state [149] and that of any two projective observables of a qubit [150], have been reported. Of interest here is the device-independent quantum key distribution protocol based on a local Bell test [151]. Several relaxed variants of device-independent quantum key distribution idea (including semi-device-independent and one-way device-independent) have been proposed [61,[152][153][154][155] and are briefly discussed below.

Measurement-device independence
A more feasible solution than device-independent quantum key distribution is the measurement-deviceindependent quantum key distribution [61] scheme, which builds on [156,157]. Using weak coherent light pulses along with decoy states, the measurement-deviceindependent quantum key distribution protocol is made immune to all side-channel attacks on the measurement device, often the most vulnerable part. However, it is assumed in measurement-device-independent quantum key distribution that Eve cannot access state preparation by Alice and Bob. The security of measurement-deviceindependent quantum key distribution against general coherent attacks, exploiting the effect of finite data size, has been proven in [158]. In this context, see [124], which proposes using quantum memory and entanglement to replace all real channels in a quantum key distribution protocol with side-channel-free virtual counterparts.
Measurement-device-independent quantum key distribution, in contrast to a full device-independent scheme, requires neither almost perfect detectors nor a qubit amplifier nor a measurement of photon number using quantum non-demolition measurement techniques [61,159]; also cf. related references cited in Section 2. The most recent developments of the measurement-device-independent quantum key distribution scenario, including its strengths, assumptions and weaknesses are reviewed in [159].
The basic idea behind measurement-device independence is that Alice and Bob transmit weak coherent pulses representing randomized BB84 polarization states to a central untrusted Bell state measurement station, manned by Charlie or even Eve. The probabilistic production of Bell states can be shown to lead to a secure bits, even if the untrusted station uses only linear optics.
Measurement-device-independent schemes have been experimentally realized by various groups [65,160,161].
It has even been demonstrated through a distance over 200 km, whereas a full device-independent scheme is yet to be realized experimentally. For discrete-variable measurement-device-independent quantum key distribution, the key rate for practical distances turns out to be just 2 orders of magnitude below the Takeoka-Guha-Wilde bound [162], enabling this method to meet the high speed demand in metropolitan networks.

Detector-device-independence
Whereas the key rate of measurement-device-independent quantum key distribution scales linearly with transmittance of the channel (just as with conventional quantum key distribution), it has the drawback that its key rate scales quadratically (rather than linearly, as in conventional quantum key distribution) with detector efficiency [8], which can be a practical problem if detectors of sufficiently high efficiency are not available. Detectordevice-independent quantum key distribution aims to combine the efficiency of the conventional quantum key distribution protocols with the security of measurementdevice-independent quantum key distribution [163,164]. In detector-device-independent quantum key distribution, receiver Bob decodes photon information from an insecure channel using a trusted linear optics, followed by a Bell state measurement with untrusted detectors.
The advantage of detector-device-independent quantum key distribution over measurement-deviceindependent quantum key distribution is that key rate scales linearly (rather than quadratically) with detector efficiency, essentially because it replaces the two-photon Bell state measurement scheme of measurement-device-independent quantum key distribution with a single-photon Bell state measurement scheme [165]. (In a single-photon Bell state, spatial and polarization modes-each representing a bit-are entangled.) However, the security of detector-deviceindependent quantum key distribution against all detector side-challels remains yet to be shown. It is known [166] that either countermeasures to certain Trojan horse attacks [167] or some trustworthiness to the Bell state measurement device is required to guarantee the security of detector-device-independent quantum key distribution (as against the strong security of measurement-deviceindependent quantum key distribution, where such assumptions are not needed.) Indeed, a simple implementation of a detector-device-independent quantum key distribution protocol can be built directly on the standard phase-encoding-based BB84 quantum key distribution [168].

One-sided device-independence
Further, violation of Bell's inequality or equivalently the use of a Bell nonlocal state can ensure the security of a device-independent quantum key distribution mentioned above, but if one of the users (Alice or Bob) trusts her/his devices then we obtain a weakening of deviceindependent quantum key distribution, known as onesided device-independent quantum key distribution [152], whose security does not require the violation of Bell's inequality, but rather a weaker type of nonlocality, namely quantum steerability.
The condition (7) is symmetric between Alice and Bob. Now suppose P(x, y|a, b) satisfies the asymmetric but weaker condition [169]: where P Q (y|b, λ) is any quantumly realizable probability distribution for Bob. Such a state is said to be steerable, and can be pointed out by the violation of a steering inequality. Steering is a stronger condition than nonseparability, but weaker than nonlocality. C. Branciard et al [152] first studied the security and practicability of one-sided device-independent quantum key distribution, which belongs to a scenario intermediate between device-independent quantum key distribution and standard quantum key distribution. This makes it more applicable to practical situations than the latter. Just as a sufficient violation of a Bell-type inequality is necessary to establish device-independent quantum key distribution, so a demonstration of steering is necessary for security in the one-sided device-independent quantum key distribution scenario.
It may be noted that the prepare-and-measure schemes of quantum key distribution that do not use entangled states (e.g., BB84 and B92 protocols) can also be turned into entanglement-based equivalents, from which we can obtain their device-independent counterparts by employing suitable Bell-type inequalities. For example, M. Lucamarini et al [170] presented a device-independent version of a modified B92 protocol. T. Gehring et al [171] reported an experimental realization of continuousvariable quantum key distribution with composable and one-sided device-independent security against coherent attacks. A one-sided device-independent implementation of continuous-variable quantum key distribution has been experimentally implemented, wherein the key rate is directly linked to the violation of the Einstein-Podolsky-Rosen steering inequality relevant to the context [172].
Here it would be apt to note that for pure states, entanglement, steering and nonlocality are equivalent. However, for mixed states they are different and all Bell non-local states are steerable, and all steerable states are entangled, but not the other way in each case, namely entanglement is the weakest and nonlocality the strongest nonclassicality condition among these.

Semi-device independence
In quantum mechanics, an entangled measurement is represented by an operator, at least one of whose eigenstates corresponds to an entangled state. In the semi-deviceindependent approach [173], one can certify that the measurement is indeed entangled on basis of the measurement statistics alone, provided it can be assumed that the states prepared for testing the measurement apparatus are of fixed Hilbert space dimension, even if uncharacterized otherwise. This approach has been applied to other quantum information processing tasks, among them cryptography [154]. Now, it is possible to test the dimension of a physical system in a device-independent manner, namely on basis of measurement outcomes alone, without requiring the devices to be characterized, by means of Bell inequalities [174,175] or bounds pertaining to quantum random access codes [176]. More recently, the semidevice-independent approach has been applied to estimate classical and quantum dimensions for systems in a prepare-and-measure setup [177,178]. Experimental realization of these ideas have been reported [179,180], as well as their application to cryptography [154] and random number generation [181,182].
For prepare-and-measure protocols in quantum information processing, since quantum nonlocality is out of question, a more natural notion of device independence applicable is the semi-device-independent scenario. This uses the notion of bounding the classical or quantum dimension required to reproduce the observed quantum correlations by measurements on transmitted particles prepared in specific states [177,183]. Let denote Bob's probability for getting outcome y given measurement b acting on state ρ α transmitted by Alice, with Π y b being the corresponding quantum mechanical measurement operator.
A dimension witness for the prepare-and-measure scenario has the form where f α,b,y are a set of real numbers and C d is a positive real number. Violation of (10) would mean that no classical particle of dimension d could have generated the observed experimental correlation P(y|α, b). More generally, one can bound the quantum dimension, also [177]. This violation serves as the basis for semi-device-independent security, just as violation of a Bell inequality serves as the basis for device-independent security. In [155] a semi-device-independent version of BB84 protocol has been presented using the notion of semidevice-independence introduced in [154]. Similar deviceindependent and semi-device-independent generalizations of other protocols are also possible, and a general prescription for the same is a problem worth exploring.

Security in a post-quantum world
There is an intrinsic and quite reasonable assumption in the security proof of all the above protocols on the validity of quantum mechanics. What would happen to the keys if the nature is found to obey a theory other than quantum mechanics? It turns out that so long as a theory admits a no-cloning theorem, then (possibly assuming trusted devices) security is possible [184], whereas device-independent security would be possible if it is a nonlocal non-signaling theory. In fact, the concept of device independence can be adapted to provide security against even a post-quantum Eve constrained, assuming only the no-signaling principle [54,185].

Further applications of quantum cryptography
We shall now survey various crypto-tasks other than quantum key distribution for which quantum cryptographic schemes have been proposed.

Quantum random number generation
Apart from key distribution, current levels of quantum technology suffice for providing a good source of genuine randomness, which is important for cryptography and in algorithms for simulation. As noted above, quantum random number generators are available commercially now. By genuinely random we refer to a source whose output is unpredictable and irreproducible according to known physical laws. This stands in contrast to pseudo-random number generator, which generates strings which are predetermined according to a deterministic algorithm. One may then hope that the numbers produced by a pseudorandom number generator are distributed indistinguishably from a uniform probability distribution. The robustness of pseudo-random number generators is an issue that would merit careful consideration [186].
From the perspective of algorithmic information theory, genuinely random strings are incompressible, namely their Kolmogorov complexity is not smaller than the string's length [187], whereas pseudo-randomness is algorithmically compressible. Kolmogorov complexity of string S refers to the length in bits of the shortest computer program (in a given programming language) that generates S as its output. However, in general, randomness cannot be proven because Kolmogorov complexity is uncomputable. For practical purposes, the randomness of given data may be evaluated by running the data through standard statistical tests for random number generators, such as the suite provided by the National Institute for Standards and Testing [188].
An important issue here is to estimate the entropy of the randomness source, namely the raw random bits generated, from which truly random bits can be extracted [202]. Sophisticated techniques have been developed to estimate entropy in specific cases [203,204]. However, these methods are somewhat difficult to implement and do not easily lend themselves to generalization nor to easy realtime monitoring. Device-independent quantum random number generator provides a possible solution [205,206], which makes use of suitable tests of violation of a Belltype inequality [206,207], making them however not so simple to implement in practice as a basis for a quantum random number generator.
Semi-device-independent certification of randomness [182] is simpler, but not entirely free from loopholes in practice [208]. A method based on the uncertainty principle, but requiring a fully characterized measurement device, has recently been proposed [209]. As an improvement, Lunghi et al [210] have proposed a self-testing prepare-and-measure quantum random number generator protocol based on measuring a pair of incompatible quantum observables.
The incompatibility, and consequently the amount of genuine randomness, can be quantified directly from the experimental data. These authors have also reported a practical implementation using a single-photon source and fiber optical communication channel, through which they report a 23-bit throughput of genuine randomness at 99% confidence level [210] .

Quantum secret sharing
Secret sharing is a crypto-task where a dealer splits a secret into two or more shares and distributes them among multiple agents such that only designated groups of agents (who define an access structure) can reconstruct the full secret.
Secret sharing is a cryptographic primitive used widely to design schemes for digital signature, key management, secure multiparty computation, etc. Classical secret sharing, first proposed independently by Shamir and Blakely, makes certain computational assumptions about complexity, making its security computational rather than unconditional. Quantum mechanics has given grounds for hope here [211,212]. The original proposal for quantum secret sharing [211] distributes a 3-qubit state among three participants: The three parties measure in X or Z basis. On a quarter of the time (that may be established by classical communication), all three would have been measured in the same basis, and it is clear from Eq. (11) that Bob and Charlie can reconstruct Alice's bit (designated the secret) by combining their results. Any attempt by a third party to find out the secret disrupts the correlation, which can be detected by the legitimate parties by announcing full outcomes in some trial runs. Another important aspect to be considered is that one or more of the participants themselves could be colluding to cheat. A full proof of security must also consider such player collusion scenarios. An extension of the above is a quantum (N, k) threshold scheme, where a quantum secret, split among N parties, can be reconstructed only if at least k parties combine their shares. The no-cloning theorem implies that 2k > N. Threshold schemes have similarities with quantum error correcting codes [213]. Generalizations of quantum secret sharing to more general access structures [214,215] and the use of various relatively easily prepared quantum states beyond the Greenberger-Horne-Zeilinger states [216] have been studied, as well as their use in the related task of quantum information splitting [217,218].
The concept of quantum secret sharing has been further generalized in various ways, among them: hierarchical quantum secret sharing [219], hierachical dynamic quantum secret sharing [81]. Further, in a recent direction [220], quantum secret sharing based on a d-level particle (with d being an odd-prime in order to exploit the cyclic property of the d + 1 mutually unbiased bases in these dimensions), rather than entanglement, has been studied. Suppose the vector in this system is denoted Ψ j;k , where j is the basis and k the index of the vector in that basis. The generalizations of the qubit Pauli operators, denoted X d and Y d , are defined by the actions where additions are in modulo d arithmetic. Each of the N participants, denoted n ∈ {0, 1, 2, · · · , N}, with the 0th player being the secret dealer, applies the operation X x n d Y y n d to the sequentially transmitted qudit, where x n , y n ∈ {0, 1, · · · , d − 1} are private data held by the nth player. The dealer measures in a random basis Ξ to obtain outcome ξ. Through public announcement, the players verify whether n j=0 y n = Ξ (which happens with probability 1/d) and reject the round if not. If not rejected, then the protocol guarantees the perfect correlations which provides a basis for sharing a secret via a (N, N) threshold scheme [220]. Over multiple rounds of the protocol, the players can test for departure from (13), which can be used to upper-bound eavesdropping. For details on security against eavesdropping and or a collusional attack on the scheme, see [220].

Strong and weak quantum coin tossing
Suppose Alice and Bob are getting divorced. Coin tossing is a crypto-task suitable to divide their assets randomly. Perfect coin tossing is a primitive for Mental Poker [221]. Classically, (non-relativistic) coin tossing is based on computational complexity [222], whereas relativistic classical coin tossing involves Alice and Bob sending each other messages with sufficient simultaneity as to ensure the independence of their messages (see Section 7). A crypto-task closely related to coin tossing is bit commitment, serves as a primitive for other tasks such as zero-knowledge proofs [223]. Bit commitment requires Alice to commit to a bit a by submitting an evidence to Bob. Later, she unveils a. During the holding phase between commitment and unveiling, the evidence must bind Alice while hiding a from Bob. Quantum coin tossing can be built on top of quantum bit commitment: Alice commits to a bit a; Bob publicly announces bit b; Alice unveils a. The toss is a + b mod 2. However, an unconditionally secure bit commitment protocol cannot be constructed via calls to a secure coin tossing black box, even given additional finite classical or quantum communication between Alice and Bob, making bit commitment strictly stronger than coin tossing in the standard cryptographic framework [224].
It is conventionally believed that (nonrelativistic) quantum bit commitment is not secure, owing to an entanglement-based attack uncovered by Mayers, Lo and Chau (MLC) [225][226][227], described briefly below. For a similar reason, the impossibility of quantum coin tossing is also accepted to hold generally [228]. Similar no-go arguments exist for the impossibility of ideal coin flipping, oblivious transfer and secure two-party computation.
The MLC argument can be cast as follows. In a quantum bit commitment protocol, suppose ρ a , with a ∈ {0, 1}, denotes the density operator of the evidence of commitment to bit a that Alice submits to Bob. To be concealing to Bob, we require ρ 0 ρ 1 .
Mixed states can always be purified by going to a larger Hilbert space. In this case, the purifications of ρ a must correspond to Schmidt decompositions with the same Schmidt coefficients, say ξ j . We associate two of these purifications with the states associated with Alice's commitment where |β j are eigenstates of ρ 0 = ρ 1 , while the states |α A j and |α A j are orthogonal basis states. Alice can cheat because she only requires a local rotation, connecting these two bases. She can use this local unitary to switch her commitment between |Ψ 0 and |Ψ 1 at the time of unveiling. This no-go result is an application of the Hughston-Jozsa-Wootters theorem [229], which shows that any two ensembles with Bob having the same density operator, can be prepared remotely by Alice, who holds the second system that purifies Bob's state.
It may be noted that various authors have questioned the generality of the cryptographic framework used to derive the standard no-go theorem for quantum bit commitment [230][231][232][233][234][235].
For the most part, the MLC result has motivated research in certain directions deviating from ideal quantum bit commitment, among them bit string commitment [236], where Alice securely commits n bits such that recipient Bob can extract at most m < n of these bits; a weaker form of bit commitment, namely cheat-sensitive bit commitment, where the condition (14) is relaxed to ρ 0 ρ 1 . Here, if either party cheats, then the other party has a non-vanishing probability for cheat detection [237] (but see [238]). Note that even cheat sensitive bit commitment is classically impossible.
Likewise, weaker versions of quantum coin tossing beyond ideal quantum coin tossing have been studied. Here, one can distinguish between weak and strong flavors of coin tossing. In strong coin tossing, the coin toss must be perfectly random. This is the requirement of correctness. In weak coin tossing, it is known that the two parties want opposite outcomes, e.g., Alice wants 'heads' whereas Bob 'tails'. Then the coin tossing protocol need not protect against Alice biasing the outcome towards 'tails' and Bob towards 'heads'. Strong coin tossing is required when the bit preferred by the other party is not known or their preferences clash.
The requirements for a (strong) quantum coin tossing protocol: Correctness. If both parties play honestly, then both outcomes of the coin are equal, namely P(t = 0) = P(t = 1) = 1 2 , where t is the toss outcome.
Bounded bias. If Bob is honest but Alice is not, then P A (t) ≤ 1 2 + A , where A is her bias. Analogously for honest Alice and dishonest Bob, P B (t) ≤ 1 2 + B . The protocol's bias is , defined as the maximum of j for j ∈ {A, B}. In an ideal quantum coin tossing, j = 0. Quantum coin tossing can be based on quantum bit commitment [239] or entanglement-based [240].
Quantum coin tossing is known to offer an advantage over classical coin tossing in that quantum coin tossing can guarantee a cheating probability strictly lower than 1, which is impossible in a non-relativistic classical coin tossing scheme. Quantum coin tossing protocols with bias lower than half have been proposed [239,[241][242][243].
Kitaev [244] found that a bias lower than 1 √ 2 − 1 2 ≈ 0.207 cannot be achieved by a fair (one where A = B ) quantum coin tossing protocol, a bound that has been demonstrated to be reachable arbitrarily close [245] (also cf. [246,247]).
Quantum coin tossing under noisy conditions can draw help from quantum string coin flipping [248]. In [249], it is allowed for honest players to abort with a certain probability determined by the level of noise. Quantum coin tossing with partial noise tolerance by means of a nested structure is proposed in [250]. These considerations are relevant to practical implementations of quantum coin tossing. Recent such works include a string of coin tosses generated using photonic qutrits with entanglement in orbital angular momentum [251] and an all optical-fiber single-coin quantum coin tossing [252]. An experimental realization of the loss resistant quantum coin tossing protocol proposed in [253] is reported in [254], where, however entanglement is employed rather than a practical weak coherent source, because of the protocol's vulnerability to multi-photon pulses. Quantum coin tossing, which is primarily considered for two mistrustful parties, can be generalized to multiple parties [255].
The coin tossing protocol [253] uses the encoding states where x ∈ {0, 1}, β represents the basis and a the secret bit. Alice partially commits to bit a by submitting the states ρ a = 1 2 (|χ 0,a χ 0,a | + |χ 1,a χ 1,a |. The supports of ρ 0 and ρ 1 are not disjoint, and thus Bob's ability to discriminate between ρ 0 and ρ 1 is constrained by a minimum error discrimination bound. This is just the reason that Alice is able to re-transmit a state if Bob's measurement fails and that the scheme has loss-resistance in conjunction with the use of a single-photon source. The protocol proposed in [256] aims to correct this reliance on a single-photon source (as against using a source of weak coherent pulses), albeit by fixing the number of pulses emitted and thereby bounding the multiphoton probability. However, its practical realization [257] is not found to be entirely loss-tolerant, although admitting several imperfections that would be encountered in practice.
It is an interesting question whether deviceindependent methods can be extended to distrustful cryptography. It turns out that for quantum bit commitment with finite cheat probability and bias, one can construct a device-independent scheme, and then build coin tossing on top of that [258]. These authors present a deviceindependent scheme for cheat-sensitive quantum bit commitment, where Alice's and Bob's cheating probabilities are 0.854 and 0.75, which is used to propose a deviceindependent protocol for coin flipping with bias 0.336.
Zhao et al [259] report using measurement-device independence [61,159] to protect quantum coin tossing against detector-side channel attacks due to Alice, who may launch a detector-blinding attack based on a recent experiment. This scheme essentially modifies the protocol of [253] to incorporate the measurement-deviceindependent method, but the authors also consider the possibility of using weak coherent pulses. This scheme is found to be loss-tolerant when single-photon sources are employed. As expected from the use of measurementdevice independence, the resulting measurement-deviceindependent quantum coin tossing is shown to potentially offer a doubling of the secure distance in some cases.

Quantum private query
Private information retrieval or private query [260] is a crypto-task involving two parties, a user Alice interacting with a server Bob, wherein Alice queries him to obtain an element held by Bob in his private database, such that Bob does not know which element she queried for (user security), while he in turn, wishes to restrict information Alice may gain about other elements in the database (database security). A protocol for quantum private query was proposed in 2007 [261,262], where it was shown to provide an exponential savings in communicational and computational complexity [263].
While an unconditionally secure private query is known to be impossible, practical, cheat-sensitive schemes can be proposed. The basic idea of quantum private query can be illustrated using the phase-encoded scheme proposed in [264]. Let server Bob possess D elements in the database, labelled d( j) ∈ {0, 1}, where 0 ≤ j ≤ D − 1. To query item j, Alice transmits the state |ψ = 1 √ 2 (|0 + | j ), whereas Bob performs the oracle operation given by whereby the query state transforms to and Alice determines her required information by distinguishing between the two possibilities 1 √ 2 (|0 ± | j ). Such a quantum private query protocol is of practical importance, assuming Bob does not launch entanglement-based attacks.

Quantum fingerprinting and digital signatures
Other related protocols include the quantum oblivious set-membership [274] and private set intersection [275].
In quantum oblivious set-membership, Bob's server decides if a user Alice's secret is a member of his private set in an oblivious fashion, namely without his knowing which element it is [274]. Requiring a communication cost of O(1) bits, it yields an exponential reduction in communication cost with respect to classical solutions to the problem. Signature schemes, which are prevalent in today's electronic communication, were first proposed by Diffie and Hellman in 1976 in the classical framework. They permit messages to be transmitted from a sender to multiple recipients, with the guarantee that the messages remain authentic and can be forwarded to other recipients without invalidation.
In contrast to classical signature schemes, that depend on computationally secure one-way protocols based on the RSA algorithm or the elliptic curve digital signature algorithm, a scheme for quantum digital signature leverages quantum physical laws for the purpose.
In the first proposal for quantum digital signature [276], in analogy with the classical signature scheme, a quantum public key is proposed, which is a set of quantum states, while the private key is the classical description of those states. A quantum one-way function thus replaces the classical one-way function to guarantee unconditional or information theoretic security. Note that quantum oneway or hash functions have the further property that the quantum hashes can be exponentially shorter than the original function input, thereby yielding quantum fingerprints [277] (see [278] which reports an experimental realization).
In contrast to the preceding scheme for quantum digital signature, which required quantum memory in order to hold the public key and were thus not practical, the authors of [279,280] propose a quantum digital signature scheme where this requirement is absent, taking a giant stride towards practicality. A further improvement on this is quantum digital signature protocols that have the same practical requirements as quantum key distribution [281].
Quantum digital signature has been extended in analogy with its classical counterpart to three or more parties [282]. From an experimental perspective, both kilometerrange quantum digital signature [283] as well as freespace quantum digital signature [284] have been demonstrated.

Blind quantum computation
Universal blind quantum computation is a measurement quantum computation based protocol, wherein a quantum server carries out quantum computation for client Alice, such that her input, output and computation remain private and she does not require any memory or computational power [285]. The protocol is interactive and has a feed-forward mechanism whereby subsequent instructions by Alice to the server can be based on single-qubit measurements. The method submits naturally to fault tolerance.
Normally, the client must be able to prepare singlequbit states. But even a classical client can perform blind quantum computation by interacting with two entangled (but non-communicating) servers. It turns out that in this setting, with authentication, any problem in boundederror quantum polynomial time class has a two-prover interactive proof with a classical verifier. Blind quantum computation has recently been experimentally realized [286].

Relativistic quantum cryptography
Unlike quantum key distribution, some mistrustful cryptotasks are believed to be insecure even when quantum resources are leveraged, among them, as we saw, bit commitment and ideal coin tossing. Since bit commitment can act as a primitive for various other crypto-tasks, such as zero-knowledge proofs, these results are thought to weaken the case for the security of quantum mistrustful protocols for communication and multiparty computation. However, these tasks may be secure under other frameworks, such as that based on relativistic constraints or the assumption of noisy storage with the adversary. Under the latter assumption, various otherwise insecure twoparty protocols become secure, among them secure identification, oblivious transfer and quantum bit commitment [287].
A. Kent [288] studied how bit commitment could be implemented by exploiting special relativity constraints. Alice and Bob are each split in two agents, and security is obtained against classical attacks provided relativistic constraints can be invoked to prohibit commucation between agents of the same player. The protocol evades [289] the MLC attack [225,226] essentially by departing from the concealment condition (14), but using synchronous exchange of classical or quantum information between the players in order to be concealing to Bob, which imposes strong complexity, space and time constraints on the protocol. This was followed by another scheme employing both quantum and classical communication [290], which was shown to be secure under the assumption of perfect devices [291,292], and has been experimentally realized as a robust method [293,294]. However, these protocols were restricted to a one-round communication, which entails that for terrestrial agents, the commitment remains valid for at most just over 20 ms. To improve on this, [295] proposed a method involving several rounds of classical communication, which was proved secure against classical attacks, wherein the holding phase could be made arbitrarily long via periodic, coordinated communication between the agents of Alice and Bob. The bound on the probability to cheat in this method was improved by other authors independently [296][297][298]. In particular, K. Chakraborty et al [296] show to satisfy the linear bound: (r + 1)2 (−n+3)/2 , where n is the length of the bit string to be communicated between the agents at each of r rounds. This allows the complexity of protocols to scale only linearly with the commitment time, during which Alice and Bob are required to perform efficient computation and communicate classically.
Based on this theoretical breakthrough, E. Verbanis et al [299] reported on a relativistic bit commitment implementation for a 24-hour bit commitment, with a potential for extension to over a year by modifying the positions of agents. Recently, the possibility of making relativistic quantum bit commitment device-independent has been studied [300]. In the case of quantum cryptographic tasks that are secure in the relativistic setting, one can ask (as in bit commitment) whether special relativity by itself can provide security, without invoking quantum mechanics (though quantum mechanics helps).
One crypto-task that requires a conjunction of both properties of relativity and quantum mechanics is variable-bias coin toss [301], in which a random bit is shared by flipping a coin whose bias, within a predetermined range, is covertly fixed by one of the players, while the other player only learns the random outcome bit of the toss. While one player is able to influence the outcome, the other can save face by attributing a negative outcome to bad luck. Security arises from the impossibility of superluminal signaling and quantum theory.
Two other protocols, whose security is known to be guaranteed under the conjunction of relativity and quantum mechanics are location-oblivious data transfer [302] and space-time-constrained oblivious transfer [303]. The location-oblivious data transfer involves two mistrustful parties, wherein Alice transfers data in Minkowski space to Bob at a space-time location determined by their joint actions and that neither can predict in advance. Alice is assured that Bob will learn the data, while Bob is assured that Alice cannot find out the transfer location. In the space-time-constrained oblivious transfer, Bob has to output a b (see definition of oblivious transfer above) within B b , where B 0 and B 1 are spacelike separated regions.
In contrast to bit commitment, some crypto-tasks, such as secure two-party quantum computation of various classical functions [240,304,305], in particular all-or-nothing oblivious transfer [205,240,306] and 1-out-of-2 oblivious transfer [304], which are believed to be insecure in nonrelativistic quantum settings, remain so even in the context of relativistic quantum settings. In 1-out-of-2 oblivious transfer, Alice inputs two numbers a 0 and a 1 , while Bob inputs bit b and then outputs a b . In all-or-nothing oblivious transfer, Bob retrieves a bit string sent by Alice with a probability half or gets nothing at all. Also, positionbased cryptography, which uses only geographic position as the sole credential of a player, is known to be insecure even with a conjunction of special relativity and quantum mechanics, if adversaries can pre-share a quantum state of unbounded entanglement. A quantum relativistic that is forbidden is that Alice can make available a state received from Bob at an arbitrary event in the causal future, as per the no-summoning theorem [307,308].

Technological issues
In this section, we cover the practical issues regarding experimental realization of a quantum key distribution. This works in tandem with advances in theory, for example, the quantum de Finetti theorem, which would be applicable when it is difficult to bound the dimension of the communication medium (possibly corrupted maliciously). This result has been applied to derive secure quantum key distribution when signals used are technologically limited to Gaussian states or weak coherent states [309], rather than single-photons.
Practical challenges that emerge because of technological issues include: 1. In discrete-variable protocols, key information is encoded in the polarization or the phase of weak coherent pulses simulating true single photon states. Hence, such implementations employ single photon detection techniques, e.g. BB84. However, the use of weak coherent pulses leads to some practical attacks such as the photon number splitting attack for which decoy states have to be used (cf. Section 8.5).
2. In the continuous variable protocols, information has to be encoded in the quadratures of the quantized electromagnetic fields such as those of the coherent states and homodyne or heterodyne detection techniques such as those used for optical classical communication (cf. Section 9).
3. The security level of a protocol is decided by the type of attack considered in its security proof, which in turn could be dictated by technological considerations (e.g., Eve's ability to fight decoherence by realizing massive entangled states). Proving the security against collective (coherent) attacks and universal composability (which, for quantum key distribution, would cover joint attacks over the distribution of the key as well as its eventual use [79]), at speeds and distance that are compatible with practical applications and technologically feasible, is quite a challenge. In practice, this would require the ability to realize efficient post-processing, including parameter estimation of quantum key distribution performance with stable setups across large data blocks. In a quantum network, the performance of any protocol is assessed point to point by considering the key distribution rate at a given security level under these attacks.
For prevalent usage of quantum cryptography, low cost and robustness are important. Among efforts being undertaken in this direction, it has been shown that quantum key distribution systems can coexist with dense data traffic within the same fibre, thereby precluding the need for dark fibers, which are costly and moreover frequently unavailable [8,310]. With access network architecture, multiple quantum key distribution users can have simultaneous access in a way that would be compatible with Gigabit Passive Optical Network traffic [311]. Yet another direction to reduce not only cost, but also system complexity and power consumption is through a chip-level photonic integration, which would lead to a high degree of mass-manufacturable, low cost miniaturization [312].
We first begin with a short introduction of classical fiber optical communication [313,314] and then its adaptation for quantum communication.

Classical fiber-optics
There has been a tremendous demand for increasing the capacity of information transmitted and internet services. Scientists and communication engineers are in pursuit of achieving this technological challenge. The invention of LASER systems in the 1960s dramatically altered the position of lightwave technologies as compared to radio or microwaves. The availability of a coherent source allowed one to pack an enormous amount of information into light signals increasing the bandwidth. A lightwave communication system consists of a transmission unit with source and electronics to modulate the signals, an optical fiber channel connecting the sender and the receiver and optical amplifiers (also known as repeaters) placed at certain distances along the fiber link to boost the signal strength, a receiving unit with optical detectors and accompanying electronics to retrieve the original signal and extract the transmitted information. Each unit of the fiber-optic communication system is described briefly.
In standard telecom optical fibers of 1550 nm, attenuation of light is 0.2 dB/km (improved in the recently developed ultralow-loss fibers to 0.16 dB/km). This lossy property will restrict of point-to-point quantum key distribution nodes to a few hundreds of kms and strong bounds on the key rate [162,315]. With practical quantum key distribution, the rates achieved are Mbit/s even though classical fiber optics can deliver speeds upto 100 Gbit/s per wavelength channel.

Transmission
The choice of a source depends on the type of application. For high-speed low loss communication with bit rates of the order of Gbps, the source should meet the following requirements: 1. Generation of wavelengths leading to low losses in the channel for a given power level such that the repeater spacing is large.
2. Spectral line width of the order of ≤ 1 nm to avoid dispersion (variation in phase velocity of a wave depending on its frequency).
3. High-speed modulation for achieving the desired transmission rate.
Typically, semiconductor-based (InGaAsP or GaAs) light sources, such as laser diodes and LEDs, are used in optical communication. They emit required wavelengths, are highly efficient, compact in size and can be modulated corresponding to the input electrical signals.
LED diodes are basically forward-biased p-n junctions emitting incoherent light due to spontaneous emission with 0.1 mW output power and are suitable for transmission distances of a few kms at 10-100 Mbps bit rates. On the contrary, semiconductor laser diodes emit coherent light via stimulated emission with an output power of 0.1 W suitable for longer distances at Gbps bit rates. Laser diodes have narrow spectral-widths, allowing 50% of the output power to be coupled into fibers and useful in reducing chromatic dispersion. In addition, laser diodes have a short recombination time, enabling them to be directly modulated at high rates necessary for high-speed long-distance communications.
High dimension quantum key distribution based on d-level systems allows transmission of greater than 1 bit per photon detection, which can enhance communication capacity at fixed particle rate [316][317][318]. The roundrobin differential phase shift quantum key distribution protocol (Section 2.3) allows a positive key in principle for any quantum bit error rate [45]. Simply by choosing experimental parameters, Eve's information can be tightly bounded, thereby removing the need for monitoring the noise level of the channel. The strong security of measurement-device-independent quantum key distribution is counterbalanced by the quadratic scaling of key rate with detector efficiency, a drawback that can be overcome in practice by reverting to detector-deviceindependent quantum key distribution (Section 5.4).

Channel
Optical fibers acting as transmission channels have a central dielectric core (usually doped silica) with higher refractive index surrounded by a cladding (pure silica) of lower refractive index. Light signals are guided along the fiber axis using the phenomenon of total internal reflection. Fibers with sudden and gradual change in the refractive index at the core-clad boundary are known as step-index (which include single-mode and multi-mode fibers) and graded-index fibers respectively. Single-mode (multi-mode) step-index fibers can sustain only one mode (many modes) of light. Different modes travel at different speeds in a graded-index fiber due to the gradual decrease in refractive index from the center of the core, allowing all of them to reach the output at the same instant of time, thereby reducing chromatic dispersion.
Faithful transmission of signals through these channels depend on the transmission characteristics of the fibers which include attenuation, distortion, absorption, dispersion and scattering losses.

Detection
Optical detectors convert light signals into electrical signals which is then amplified and processed by external circuity. Commonly used detectors for fiber-optics are semiconductor-based using materials such as Si, Ge, GaAs, InGaAs, owing to good response characteristics in the optical domain and compatibility with optical fibers. Incident light with energies greater than the bandgap of the semiconductor are absorbed to generate e-h pairs leading to an external photocurrent. The photocurrent is suitably amplified and processed for the extraction of transmitted data. PIN (p-doped, intrinsic, n-doped layers) diodes and Avalanche photodiodes (APDs) are mostly used for photodetection. Both the devices are operated in the reverse-biased condition and the e-h pairs are absorbed in the depletion region.
The key enabling factor of single-photon detectors is their low noise, which in turn would depend on the type of the detection technique. Room temperature single-photon detectors have been shown to be suitable for high bit rate discrete-variable quantum key distribution [319]. For continuous variable quantum key distribution (Section 9), cooling is not necessary.

Quantum communication
With this background of classical communication, we now discuss quantum communication using fiber-optics. Looking at the Table 1 it is clear that single-mode fibers are preferable for quantum communication. For secure quantum communication, the sender and receiver are connected by quantum channels. There is nothing special about these channels except for the fact that the information is carried using single quantum systems known as qubits, realized as photons, where information is encoded in one of the degrees of freedom, in fact polarization.
Protecting the polarization of a photon from environmental effects known as decoherence and decoupling the polarization degree of a photon from its other de-grees of freedom (such as frequency) to ensure the faithful transmission of quantum information is very tricky. Single-photons are fragile in nature and cannot sustain themselves typically after traveling for 200 km.
Optical amplifiers known as quantum repeaters are placed at certain intervals along the quantum communication network to maintain the signal strength and increase the transmission distance. It is worth noting here that, quantum repeaters [320,321] are not a straightforward extensions of their classical counterparts. Quantum signals cannot be detected or amplified directly without disturbing it, by virtue of the no-cloning theorem. Hence, amplification and restoration of the original signal must be achieved without direct interaction.
In addition, quantum cryptographic security requires the generation of genuine random number sequences where each random number is completely uncorrelated with other numbers in the sequence. It is also not desirable to have any correlations across the runs among different sequences. Quantum indeterminism forms the basis for generation of truly random numbers. Measurement of a single quantum system, an entangled state, coherent state, vacuum state are some methods of random number generation. Quantum randomness cannot be directly accessed at the macroscopic level. The quantum fluctuations are classically amplified to extract genuine randomness (though there is a theoretical proposal [322] for quantum amplification of quantum fluctuations). The random number sequences generated are helpful in the random selection of basis for encoding a qubit.
It is worth pointing out that measurement-deviceindependent quantum key distribution [158] is amenable for upscaling to a multi-user, high speed communication networks in metropolitan areas [323,324], inasmuch as measurement devices can be positioned in an untrusted, dense relay, where is accessed by a number of quantum key distribution users [325], a scenario whose feasibility has been validated by a number of groups (cf. [326] and references therein), in particular discrete-variable measurement-device-independent quantum key distribution over a distance of 200 km in a telecom fiber [161] and 404 km in an ultralow-loss fiber [327]. Channel loss upto 60 dB can be tolerated given high efficiency singlephoton detectors, which translates to a distance of 300 km over standard telecom fiber [328].
Quantum repeaters. Photons are very fragile and hence for long-distance communication one needs to maintain the signal to noise strength for faithful communication [329,330]. With quantum repeaters, the idea is to divide the entire communication distance into smaller nodes with quantum repeater stations, such that sufficiently noiseless entanglement can be shared between two consecutive nodes. One then performs entanglement Table 1: Comparison between single-mode and multi-mode step-index optical fibers. Note that the above mentioned transmission distance and rates are for classical communication.
Based on the different approaches to rectify fiber attenuation and operation (gate, measurement) losses at each node and performance for specific operational parameters (local gate speed, coupling efficiency, etc.), one can classify the quantum repeaters into different generations [332][333][334]. Each generation aims to achieve better key rates and decrease in memory errors for long-distance communication [335]. For loss (operational) error suppression, the method employed is heralded generation (heralded purification) which is probabilistic and involves two-way classical communication. But, the quantum error correction approach for both is deterministic and involves one-way communication. Various realizations of quantum repeaters with or without memory are being explored [321,[336][337][338][339][340][341][342]

Single-photon sources
Quantum communication, especially quantum cryptography and quantum random number generation, demands that single-photons be employed [343,344], in order for standard security proofs such as [29,30] to work. Typically attenuated lasers are used as substitute single-photon sources. Usually, they should emit photons with mean photon-number µ = 1, variance ∆ 2 = 0 and their second order correlation function g (2) (t) = 0. Ideally, singlephoton sources should generate single photons as and when required, namely on-demand, with 100% probability. Such deterministic systems are of two types: Single emitters. Single atoms, single ion and single molecule emitters are either Λ or three-level systems in which controlling the pump laser and the atom-cavity coupling, a certain coherent state is transferred to the ground state via stimulated Raman adiabatic passage or radiative de-excitation respectively to generate a single photon in the cavity mode. These sources are scalable, emit indistinguishable photons, have low decoherence and multiphoton effects. Quantum dots [345] and diamond nitrogen-vacancy (N-V) centers are other popular sources where single photons are generated by radiative recombination of electron-hole pairs and optical transitions in the N-V center respectively. But, they suffer from small coupling efficiency, scaling and indistingishability of the generated photons.
Ensemble-based emitters. Single photons are generated by the collective excitations of atomic ensembles of Cs or Rb. The ensemble is also a Λ-type system with metastable ground states |g 1 and |g 2 and an excited state |e . A weak optical light is coupled to the population inverted atoms to induce the |g 1 → |e transition. The de-excitation of a single photon from |e → |g 2 is detected and its presence confirmed. This process is known as heralding. Next, a strong pulse induces a transition |g 2 → |e generating a single heralded photon with |e → |g 1 transition.
Single-photon sources based on probabilistic photon emission through parametric down-conversion and fourwave mixing are also available. The probability of multiphoton generation in such sources increases with the probability of single-photon generation. A single-photon detector cannot distinguish between single photons and multiple photons. This imperfection can be used by an eavesdropper to obtain secret key information after basis reconciliation by measuring the photons acquired from these multi-photon pulses.

Single-photon detectors
An ideal single-photon detector should detect an incident photon with 100% probability and have nil dead-time and dark-count rates. There are various types of single photon detectors (e.g., single-photon avalanche photodiodes (In-GaAs,Ge,Si), photo-multiplier tubes and superconducting based nanowire single-photon detectors). However, none of them can be considered as an ideal single photon detector as they do not satisfy the above mentioned set of criteria that is expected to be satisfied by an ideal single photon detector.
In particular, detection efficiency, wavelength dependence of efficiency and dead time of single photon detectors are still a big concern, and much effort has been made in the recent past to design better detectors. Often the choice of optical components and the frequency of transmission depend on the efficiency of the single photon detector and the loss characteristics of the transmission channel. Practically, it is an optimization.
The highest efficiency of single photon detectors is obtained for incident photons of frequency around 800 nm, but the lowest attenuation in an optical fiber happens around 1500 nm. Consequently, open air quantum communication systems, including those which involve satellites, are performed using photons with frequency near 800 nm, as the single photon detectors perform best at this frequency, but fiber-based implementations of quantum cryptography are realized in teleportation range (1350-1550 nm), where existing optical fibers show minimum attenuation.
It is of cryptographic advantage if the detectors can also resolve the number of photons in a pulse known as photonnumber resolution. Superconducting-tunnel-junctions, quantum dot optically gated field effect transistors are some photon-number resolving detectors. Let us discuss some of the detectors briefly. For a detailed comparison of different detectors and their external circuitry refer [346].
Photo-multiplier tubes (PMTs): An incident photon knocks an electron from a photocathode made of low work function material, which knocks more electrons causing an amplification of electrons. PMTs have large and sensitive collection areas, fast response time, about 10-40 % efficiency. They are vacuum operated which limits their scaling and integration abilities.
Single-photon avalanche photodiode (SPAD): An incident photon creates e-h pairs in the Geiger-mode operated photodiode [347]. SPADs have a detection efficiency of 85% but higher dark count rates as compared to PMTs. Also, once a pulse is detected, the wait time for re-biasing the circuitry for next detection, namely the dead time is longer. Schemes to reduce this afterpulsing have been realized.
Quantum dot field effect transistors: A thin layer of quantum dots between the gate and the conduction channel in a field-effect transistor traps incident photons modifying the channel conductance. This detector is useful for operation in the infrared region.
The above characteristics discussed are for non-photon resolving operations but the detector's operation for photon-number resolution is also being pursued. The active area of a detector is divided into many pixels. Each pixel detects a photon and collectively many photons are detected and resolved by the detector. Every time a pixel detects a photon, the amplification process takes place independently and the pixel undergoes dead-and recovery-time. Thus, the greater the number of pixels, the better the resolution is.

Photon-number splitting attacks
In quantum cryptography, the characteristics of the singlephoton sources and detectors dominate the practical security issues. Multi-photon generation, blank pulses, detector unresponsiveness for certain wavelengths, high dark counts, dead times, recovery times and jitter are the crucial features which have been used to launch powerful device attacks which cannot be detected by usual methods. In this context, we may specifically mention a particular type of attack that arise due to our technological inability to build perfect on-demand single photon source and photon number resolving detectors that would not destroy the polarization states of the incident photons. The attack is referred to as the photon number splitting attack and illustrates a well known principle of cryptography-Alice and Bob are restricted by the available technology, but Eve is not, she is restricted by laws of physics only (in other words, to provide a security proof, we are not allowed to underestimate Eve by assuming any technological limitations of the devices used by her).
Let us clarify the point. As we do not have a perfect on-demand single photon source, we use approximate single photon sources, usually one obtained by a weak laser pulse attenuated by a neutral density filter. Such an approximate single photon source usually contains single photon (in non-empty pulses), but with finite probability it contains 2 photons, 3 photons, etc. Now, Eve may use a photon number resolving detector to count the number of photons present in each pulse (without changing the polarization state of the incident photon), and stop all the single-photon pulses, while she allows all the multiphoton pulses to reach Bob, keeping one photon from each multi-photon pulse.
Subsequently, she may perform measurements on the photons that she kept from the multi-photon pulses using right basis (based on Alice's and Bob's announcements during basis reconciliation) without introducing any disturbance. This is the photon number splitting attack, which requires a photon-number resolving detector that does not destroy polarization states of the incident photon. Although, quantum mechanics or any law of physics does not prohibit construction of such a detector, until now we do not have any technology to build such a detector.
Otherwise, Alice could use the similar strategy to the multi-photon pulses and allow only single photon pulses to be transmitted. This would have solve the need of single photon sources, too. Unfortunately, no such photon number resolving detector exists until now. However, we know a trick to circumvent photon number splitting attack, which is the decoy state method [49][50][51]348]. Specifically, one may randomly mix intentionally prepared multi-photon pulses (decoy qubits) with the pulses generated at the output of an approximate single-photon source, which would generate single photon pulses most of the time. Eve cannot selectively attack pulses generated from the single photon source. In most incidents, pulses originating from the single photon source will not reach Bob, but those originating from the multi-photon source would reach Bob. Thus, loss profile statistics for the pulses generated from the two sources will be different and this difference (bias) would identify Eve, who is performing photon number splitting attack from the natural channel noise which would not be biased. Therefore, applying decoy states [49][50][51], Alice and Bob can estimate both the probability that a transmission results in a successful output as well as the error rate for different initial pulses.

Nonlinear effects
Finally, we discuss some nonlinear effects that occur in single-mode fibers that have an impact on its propagation properties. Single-mode fibers are subject to polarization effects such as birefringence (different phase velocities for orthogonal polarization modes), polarization dependent losses (differential attenuation between orthogonal modes) and polarization mode-dispersion (different group velocities for orthogonal states). Fiber irregularities and asymmetries are the cause for such effects which can be overcome by polarization maintaining fibers where birefringence is introduced on purpose to uncouple the polarization modes. Fibers are also subject to dispersion, which is the broadening of signal pulses in the time domain as they propagate along the fiber. Each signal pulse consists different components which travel at different speeds and hence their arrival time at the output varies.
In case of chromatic dispersion, different wavelengths travel at different velocities. The overall chromatic dispersion in a fiber is governed by the type of material used and its refractive index profile. Since the material dispersion is fixed, the refractive index profile has to be engineered in order to reduce such effects. Dispersion compensating fibers and techniques (Bragg grating) are employed to fix this issue.

Continuous variable quantum cryptography
Before we conclude this review, we need to mention that all the single-photon-based schemes for quantum key distribution that are discussed here and most of the other protocols for quantum key distribution, quantum secure direct communication and other cryptographic tasks mentioned are discrete-variable based protocols in the sense that in these schemes information is encoded in a discrete variable. However, it is possible to implement most of these schemes by encoding information in continuous variable and distributed phase reference, too [349]. Basically, continuous-variable quantum key distribution involves homodyne detection instead of photon counting encountered in discrete-variable quantum key distribution. Continuous-variable quantum key distribution was first introduced with discrete modulation [350][351][352] and later with Gaussian modulation using coherent states [353,354].
Continuous-variable quantum key distribution and other continuous-variable based cryptographic schemes that are usually implemented by continuous modulation of the light field quadratures (usually with the coherent state [353] or squeezed state [355,356] of light), are important for various reasons. For example, they are immune to some of the side-channel attacks that exploit imperfections of single-photon detectors used in discretevariable quantum key distribution to cause leakage of information. This is so because coherent detectors (implementing homodyne or heterodyne detection) are used in continuous-variable quantum key distribution.
Further, continuous-variable quantum key distribution can be implemented using commercially available components [357] since the seminal work in continuous-variable quantum key distribution by Ralph in 1999 [351]. In this and the subsequent works by Ralph and his collaborators [358], small phase and amplitude modulations of continuous wave light beams were exploited to carry the key information. Subsequently, many schemes for continuous-variable quantum key distribution have been proposed [124,353,354,[359][360][361][362][363] and security proofs for a large set of those schemes have been pro-vided [78, 353,364,365], and interestingly some of the security proofs are composable in nature (cf. [365] and references therein). Continuous-variable quantum key distribution has been experimentally realized by various groups [366,367]. For example, in [366,367] experimental realizations of long distance continuous-variable quantum key distribution has been reported. However, continuous-variable quantum key distribution is not immune to all possible side channel attacks, and various strategies to perform side channels attacks have been discussed in the recent past (cf. [349,357,368] and references therein).
Although continuous-variable quantum key distribution protocols are not more complicated than their discrete-variable quantum key distribution counterparts, the security analysis in continuous-variable quantum key distribution can be relatively involved, with different considerations of hardware imperfections and noise models. See the recent review [369] and references therein, where a less restricted notion of unconditional security in continuous-variable quantum key distribution is considered. An earlier good overview covering the conceptual issues but without detailed calculations is [370].
A composable security against general coherent attacks for continuous-variable quantum key distribution that encodes via two-mode squeezed vacuum states and measurement by homodyne detection, based on the uncertainty relation formulated in terms of smooth entropies [371], is given in [78]. Also, see [171] (Section 5.5).
Continuous-variable quantum key distribution has been adapted to one-sided device-independent framework [171,172], which would be relevant when secure hubs (such as banks) are linked to less secure satellite stations. Continuous-variable quantum key distribution has also been implemented in the measurementdevice-independent quantum key distribution framework [372][373][374]. Here, Charlie measures the correlation between two Gaussian-modulated coherent states sent by Alice and Bob. However, continuous-variable measurementdevice-independent quantum key distribution requires homedyne detectors of efficiency over 85% to generate a positive key rate [159], which has indeed been recently attained [171,374]. However, scaling up to an optical network can be challenging because of losses in the detector coupling and network interconnects (but see [375]). Therefore, in the measurement-device-independent quantum key distribution, for long distance communication, discrete-variable based quantum key distribution is preferable to continuous-variable based, though the promise of high key rates makes continuous-variable measurementdevice-independent quantum key distribution an interesting option to consider. Techniques proposed recently may help realize a dependable phase reference for the continuous-variable quantum key distribution systems [360,361,376]. In a variant of this theme, quantum key distribution can also be based on continuous variables such as spatial or temporal degrees of freedom, which are basically used for upscaling the dimension of the information carrier in quantum key distribution. The spatial degree of freedom of a photon can be used as the information carrier, but this faces the technological challenge of high-speed modulators being available [377,378].
Continuous variable quantum key distribution can be used to encode in large alphabets, such as the arrival time of energy-time entangled photons [379], which was proven secure against collective attacks [380] and also realized experimentally, where it was found to achieve a rate of 6.9 bits per coincidence detection across a distance of 20 km at a key rate of 2.7 MBits/s [381]. While this advancement improves the key rate of entanglement based schemes vis-a-vis prepare-and-measure quantum key distribution methods, practical implementation would require to meet the challenge of attaining high level of interference visibility.

Post-quantum cryptography
Thus far, we have mentioned several schemes of quantum cryptopgraphy, and noted that one of the main reasons behind the enhanced interest in these schemes underlies in the pioneering work of Shor [1], which entailed that if a scalabale quantum computer could be built, then many classical schemes for key exchange, encryption, authentication, etc., would not remain secure, as the quantum algorithms are capable of performing certain computationally difficult tasks (which are used to provide security in classical system) much faster than their classical counterparts. Specifically, in a post-quantum world (namely, when a scalable quantum computer will be realized) RSA, DSA, elliptic curve DSA (ECDSA), ECDH, etc., would not remain secure [382].
Here, we draw the reader's attention toward the point that "quantum algorithm can only perform certain computationally difficult tasks (which are used to provide security in classical system) much faster than their classical counterparts". This is so because until now there exist only a few quantum algorithms that provide the required speedup (cf. [383] for an interesting discussion on "Why haven't more quantum algorithms been found?"). This leads to a few questions-What happens to those classical cryptographic schemes which use such computationally difficult problems that do not have a quantum algorithm with required speedup? Can they be quantum resistant in the sense that they can resist an adversary with a scalable quantum computer? Efforts to answer these questions led to a new branch of cryptography, known as post-quantum cryptography that deals with families of classical crytographic schemes which are expected to remain secure in a world where practical, scalable quantum computers are available [384]. Such schemes are usually classified into six families [382] such as: Lattice-based cryptography. This includes all cryptosystems that are based on lattice problems [385,386]. These schemes are interesting as some of them are provably secure under a worst-case hardness assumption. However, it seems difficult to provide precise estimates on the security of these schemes against some well known techniques of cryptanalysis [382].
Code-based cryptography. This encryption system is primarily based on error correcting codes. In these type of schemes, there is trade-off between key sizes and structures introduced into the codes. Added structures reduces key size [387], but often allows attacks [388]. A classic example of this type is McEliece's hidden-Goppa-code public key encryption system, which was introduced in 1978 [389] and has not been broken until now [382].
Multivariate polynomial cryptography. This is based on the computational difficulty associated in solving a set of multivariate polynomials over finite fields. Although, several schemes of this type have been broken [390,391], confidence of the community is high on some of the schemes like Patarin's scheme for public-key-signature system that uses Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP) [392].
Hash-based signatures. This includes schemes for digital signatures constructed using hash functions [393][394][395]. Although, several hash-based systems have been broken in the past, confidence on the recent hash-based schemes is very high.
Secret-key cryptography. Examples of type Advanced Encryption Standard (AES), which is a symmetric private key encryption algorithm, created by Joan Daemen and Vincent Rijmen. A design goal behind AES is efficiency in software and hardware and software.
Other schemes not covered under the above mentioned families.
Shor's algorithm cannot be used to attack the cryptosystems that belong to above families as the associated computational tasks are different. However, Grover's algorithm may be used to attack some of the schemes, but since Grover's algorithm provides only a quadratic speedup, an attack based on Grover's algorithm may be circumvented using longer keys. Thus, it is believed that the schemes belonging to above families would remain secure in the post-quantum world.
We have briefly mentioned about post-quantum cryptography, an interesting facet of the modern cryptography as without a mention of post-quantum cryptography any discussion on quantum cryptography would remain incomplete. However, it is not our purpose to discus these schemes in detail. We conclude this short discussion on post-quantum cryptography by noting that the confidence of the cryptographic community in these schemes is a bit artificial as it is impossible to prove that faster quantum algorithms for all or some of the computationally difficult problems used in these schemes will not be designed in future. In brief, if a fast quantum algorithm for a task is not available today, it does not mean that the same will not be proposed tomorrow. Specifically, there is some practical reasons for limited number of quantum algorithms that can provide required speedup [383] and consequently, it is difficult to strongly establish the security of the above mentioned schemes in the post-quantum world.

Conclusions and perspectives
In this brief review, we covered a number of quantum cryptographic topics besides quantum key distribution, among them different crypto-tasks and cryptographic frameworks. In a review of a vast area such as quantum cryptography, it is, unfortunately, inevitable that some important topics may not be covered. A case in point here is the topic of quantum memory as applied to channel or device attacks.
Theoretically, the main work ahead in the area is in extending security proofs in various scenarios to the composable framework under the most general coherent attack. The main practical challenges are perhaps developing onchip quantum cryptographic modules that are free from side channels and able to be scale to global networks, by integrating point-to-point quantum cryptographic links. This may drive the search for proper trade-offs between ease of implementation and resource usage, or between reasonable security and economic feasibility.
Regarding the foundational implications of quantum cryptography, an interesting question is whether the nogo theorems that give security to quantum cryptography can be used to derive quantum mechanics. R. Clifton et al [396] presented a derivation of quantum mechanics from three quantum cryptographic axioms, namely, nosignaling, no-cloning and no bit commitment. J. Smolin [397] criticized this view by presenting a toy theory that simulated these features but was not quantum mechanics. In response, H. Halvorson and J. Bub [398] argued that Smolin's toy theory violated an independence reasonable condition for spacelike separated systems assumed in [396]. More recently, [184] have argued that general probability theories for single systems can be distinguished between base theories, which feature a nocloning theorem, which similar to Spekkens' toy theory that defends an epistemic view of quantum states [399], and contextual theories. The former supports a type of unconditional security in the framework of trusted devices, whereas the latter allows a degree of device independence.
It is known that the usual definition of security in quantum key distribution implies security under universal composition. However, keys produced by repeated runs of quantum key distribution have been shown to degrade gradually. It would be interesting to study direct secure communication (Section 3) in the context of universal composability, and the advantage of schemes for direct secure communication, if any, over quantum key distribution under repeated usage.