Multi-photon and side-channel attacks in mistrustful quantum cryptography


Quantum cryptography promises that cryptographic tasks can be implemented with provable security, assuming only the validity of quantum theory. As with most guarantees, though, one needs to study the small print. Security proofs are based on idealized models of quantum cryptosystems, which do not necessarily characterize the behaviour of real world equipment. Hence apparently faithful implementations of provably secure protocols can be vulnerable to attacks. A wide range of attacks on practical quantum key distribution systems have been noted [1][2][3][4][5][6][7][8], along with countermeasures. Less attention has so far been paid to attacks on practical implementations of quantum protocols for mistrustful cryptographic tasks. We consider such attacks here.
At present, quantum implementations of mistrustful cryptography generally use photonic systems. A common step in these protocols is for (say) Alice to send Bob quantum states encoding some secret data of hers in photonic degrees of freedom (usually polarization), and for Bob to apply quantum measurements on the received states, chosen from a predetermined set, where his choice encodes secret data of his. Idealized protocols often assume that Alice has ideal single photon sources, the channel is lossless, and Bob has perfectly efficient ideal detectors. In practice, there are preparation and measurement errors and losses. Moreover, most implementations use weak coherent pulses rather than near-perfect single photon sources. Another issue is that Bob generally uses threshold photon detectors, which cannot distinguish the number of photons in pulses activating a detection and which are not close to perfectly efficient. Because of losses and imperfect detectors, realistic implementations tend to require Bob to report during the protocol the labels of pulses activating a detection.
Realistic security analyses need to take all these points into account. The full range of attacks that they allow in mistrustful quantum cryptographic scenarios seems not to have been appreciated. In such scenarios, Bob cannot assume that Alice sends independent light pulses with identically randomly distributed photon numbers, or that the pulses have similar frequencies, or that any variations are statistical fluctuations that Alice has no more information about than he does. If Alice can advantageously vary the distributions in a controlled way or obtain information about individual pulses, then she might. An unconditionally secure real world implementation must allow for these possibilities and still provide security guarantees. Bob also cannot assume that his detectors have precisely equal efficiencies, nor that Alice has no information about their efficiencies. Even if the latter were true at the start of a protocol, Alice can learn information about their efficiencies during the protocol. In this respect she has advantages over Bob, since she knows the states sent, while he does not, and can send states other than those prescribed by the protocol.
Here we analyse various strategies of Bob to report the labels of pulses activating a detection, some of which were considered before, and discuss their vulnerability to multi-photon attacks, in which dishonest Alice controls the number of photons in the transmitted pulses to her advantage. The analysed reporting strategies fit within a broad class of probabilistic reporting strategies introduced here in which Bob reports the label of a pulse with a probability that depends on which of his detectors are activated. Our main result (Theorem 1) states that the only reporting strategy within this class that provides perfect protection against arbitrary multiphoton attacks when Bob's detection efficiencies are different is a trivial strategy in which Bob reports all detection events with the same probability. This implies that the strategy of symmetrization of losses [60], which is commonly used (e.g. [13,30,60,61]), does not protect against arbitrary multi-photon attacks. We discuss how multi-photon attacks apply to the experimental demonstrations of mistrustful quantum cryptography of Refs. [13,14,30,60,61]. We report an experiment suggesting that multi-photon attacks can be implemented in practice. We also discuss side-channel attacks in mistrustful quantum cryptography, where Alice controls degrees of freedom not previously agreed with Bob. We propose some countermeasures to investigate against multiphoton and side-channel attacks.

I. RESULTS
A. Private measurement of an unknown qubit state
Many interesting protocols in mistrustful quantum cryptography (e.g. [12-14, 23, 24, 30, 44, 46, 47, 60, 61]) use some version of a task we call private measurement of an unknown qubit state. An ideal protocol to implement this task is the following:
1. Alice prepares a qubit state $|\psi\rangle$ randomly from a set $S = \{|\psi_{ij}\rangle\}_{(i,j)\in\{0,1\}^2}$ and sends it to Bob.
Commonly, $B_0$ and $B_1$ are the computational and Hadamard bases, respectively, and $S$ is the set of Bennett-Brassard 1984 [67] (BB84) states. We consider here the more general situation in which $B_0$ and $B_1$ are arbitrary distinct qubit orthogonal bases. We assume that Alice and Bob know these bases precisely.
We are primarily interested in the security attainable against Alice in various realistic implementations of the task. This is parametrised by Alice's probability $P_{\rm guess}$ to guess Bob's chosen bit $\beta$, assuming Bob honestly follows the version of the protocol defined for the given implementation. We say the protocol is $\epsilon_{\rm guess}$-secure against Alice if for any possible strategy (not necessarily honestly following the protocol) of Alice. We say it is secure against Alice if $\epsilon_{\rm guess}\to 0$ as some protocol security parameter is increased. In general, a dishonest Alice may deviate in any way from the protocol. For example, she may send Bob quantum states that are not only outside the agreed set $S$ but outside its Hilbert space. Different experimental setups correspond to different protocols to implement versions of this task. Here we consider setups and protocols with photonic systems, where Alice encodes quantum states in degrees of freedom of photons, for example in polarization, and Bob measures quantum states using single photon detectors.
We focus here on attacks by Alice, and assume that Bob honestly follows the given protocols. However, we have in mind applications in which these are subprotocols for mistrustful cryptographic tasks in which cheating by Bob is equally relevant. These applications motivate two correctness criteria:
1. If Alice and Bob follow the protocol, the pulse sent by Alice must produce a measurement outcome with probability $P_{\rm det}$ satisfying for some $\delta_{\rm det} > 0$ predetermined by Alice and Bob.
2. If Alice and Bob follow the protocol, Bob measures the received qubit in the basis of Alice's prepared state, and Bob gets a measurement outcome, then the outcome is the state $|\psi\rangle$ prepared by Alice, with probability $1 - P_{\rm error}$, where for some $\delta_{\rm error} \geq 0$ predetermined by Alice and Bob.
In an ideal setup, Alice's and Bob's laboratories are perfectly secure, their preparation and measurement devices are perfect, Alice has a perfect single photon source, the probability that a transmitted photon is lost in the quantum channel is zero, Bob has a perfect random number generator and single photon detectors with unit detection efficiency and without dark counts.
Since Bob's detectors are ideal and the quantum channel is lossless, Bob obtains a measurement outcome with unit probability if Alice sends a single photon: precisely one of his detectors clicks for each photon sent. Thus, $P_{\rm det} = 1$ and condition (2) is trivially satisfied. Since the preparation and measurement devices are perfect, $P_{\rm error} = 0$ and (3) is also trivially satisfied.
In the setups we consider Bob has at least two detectors. If Alice sends something other than a single photon state, Bob may get zero, two or more clicks. The number of clicks may depend statistically on his measurement basis. However, since he does not report anomalous results, his laboratory is secure, and his basis choices are perfectly random, Alice still learns no information about his chosen basis. Thus, the ideal setup allows us to effectively implement the task of private measurement of an unknown qubit state, with perfect security against Alice ($\epsilon_{\rm guess} = 0$) and perfect correctness ($P_{\rm det} = 1$ and $P_{\rm error} = 0$).
However, in practical implementations, the ideal protocol and setup have to be altered to allow for imperfect sources, channels and measuring devices. We show in this paper that this allows attacks by Alice that make perfect security impossible in practical implementations of the task using known technology. This is hence also true of higher-level cryptographic tasks that use the considered task as a sub-routine.

A practical protocol
We make the standard cryptographic assumption that Alice's and Bob's laboratories are secure. We consider the realistic case in which their preparation and measurement devices are imperfect, the quantum channel is lossy, Bob's random number generator is imperfect, Bob's single photon detectors have nonunit efficiencies and nonzero dark count probabilities.
We assume Alice has what is usually called a single photon source, although in fact it only approximates one, i.e. the source emits a pulse with $k$ photons with probability $p_k$, for $k \in \{0, 1, 2, \ldots\}$, where $p_1 \gg \sum_{k=2}^{\infty} p_k$. For the moment we suppose that Alice and Bob know the probabilities $p_k$ but neither of them has any further information about the number of photons $k$ in any given pulse. Most commonly, in implementations to date, Alice uses a weak coherent source (e.g. [13,14,30,43]), which emits a pulse of $k$ photons with probability $p_k = e^{-\mu}\mu^k/k!$, where $\mu$ is the average photon number, chosen by Alice and agreed with Bob, with $0 < \mu \ll 1$. This emits an empty pulse with probability $p_0 = e^{-\mu} \approx 1$, but nonempty pulses are likely to be single photons since $p_1 \gg \sum_{k=2}^{\infty} p_k$. Another possibility is a source of pairs of entangled photons in which Alice measures one of the photons and sends the other one to Bob, with transmissions considered valid if Alice obtains a measurement outcome (e.g. [60,61]). This gives $p_0 \ll 1$, $p_1 \approx 1$ and so $p_1 \gg \sum_{k=2}^{\infty} p_k$. In either case there is a nonzero probability that none of Bob's detectors click when a nonempty pulse is sent, because they are not perfectly efficient and the quantum channel is lossy. There is also a nonzero probability that more than one of Bob's detectors click, because their dark counts are nonzero and the transmitted pulse may have more than one photon. As we explain below, a realistic protocol generally requires an algorithm determining a message $m$ as a function (which may be probabilistic) of Bob's detection results. This algorithm may in general depend on various experimental parameters known to Bob, which may include his detectors' efficiencies, for instance. Bob sends Alice $m = 1$ ($m = 0$) to report a successful (unsuccessful) measurement. As usual in cryptography, we assume the full protocol, and hence the algorithm, is known to both parties. It defines Bob's reporting strategy.
The parameter $\delta_{\rm det}$ must be sufficiently small to satisfy (2). Bob's detection efficiencies are often small. For example, Refs. [13,30,60,61] report detection efficiencies of the order of 0.06, 0.08, 0.13 and 0.015, respectively. Ref. [14] reports considerably higher detection efficiencies, of the order of 0.45. Note that in this paper, we include in the term 'detection efficiency' the transmission efficiency of the quantum channel and the quantum efficiency of the detectors.
However, more complex protocols that have our task as a subroutine may also require that $\delta_{\rm det}$ be not too small in order to give security against Bob. For example, an $N$-parallel repetition of the task in which Bob reports to Alice that $\ll N\delta_{\rm det}$ pulses produce a measurement outcome could allow Bob to choose to report an appropriate subset of pulses producing measurement outcomes advantageous to him in some cheating strategy. Alice thus stipulates a minimum value of $\delta_{\rm det}$, and Bob must ensure his technology allows this value to be attained. Alice aborts if Bob reports fewer than $N\delta_{\rm det}(1 - \delta^{\rm dev}_{\rm det})$ pulses, where $\delta^{\rm dev}_{\rm det} > 0$ is predetermined by Alice and agreed by Bob as the maximum tolerable deviation from the expected value of reported pulses.
Since the preparation and measurement devices are not perfect, there is a probability $P_{\rm error} > 0$ that Bob obtains a measurement outcome different from Alice's target state $|\psi\rangle$ when Bob measures in the basis of preparation by Alice. Thus, $\delta_{\rm error}$ must be chosen large enough to guarantee the condition (3).
However, more complex protocols that have the task as a subroutine generally require Bob to be able to report correct measurement outcomes with reasonably high probability. This requires $\delta_{\rm error}$ not to be too large.
These constraints require that Bob identifies some subset of purportedly successful measurement outcomes to Alice, in which the proportion of actually successful measurement outcomes will be relatively high if Alice honestly followed the protocol. They motivate a practical protocol for private measurement of an unknown qubit state, with the above practical setup:
1. Alice prepares and sends Bob a photon pulse with an approximate single photon source, where each photon in the pulse encodes the same qubit state $|\psi\rangle$, and where $|\psi\rangle$ is chosen randomly by Alice from the set $S$.
2. Bob generates a random bit $\beta \in \{0, 1\}$ and measures the pulse in the qubit basis $B_\beta$.
3. Bob sends a message $m \in \{0, 1\}$ to Alice reporting whether a measurement outcome was produced ($m = 1$) or not ($m = 0$), following an agreed reporting strategy.
Unless otherwise stated, in the definition of security against Alice for the practical protocol, $P_{\rm guess}$ is taken as Alice's probability to guess $\beta$, independently of the value of $m$. This makes sense with the setup described below in extensions of this protocol in which $N > 1$ photon pulses are produced by Alice and all pulses are measured by Bob in the same basis $B_\beta$. Examples of this type of protocol are those of Refs. [13,14], which we discuss in Appendix D.
Alternatively, we could define $P_{\rm guess}$ as Alice's probability to guess $\beta$ conditioned on Bob reporting $m = 1$. This makes more sense in extensions of the practical protocol in which Alice sends Bob $N > 1$ photon pulses and Bob measures each pulse randomly in one of the two bases, $B_0$ and $B_1$, or in protocols using a setup with four single photon detectors (setup II defined in Appendix D 4) instead of two as in the setup below. This is because in these scenarios Alice might only care to learn Bob's measurement bases for the pulses that he reported as being successful. In Appendix D 4, we use this definition to present an attack on the protocols of Refs. [60,61].
Some version of the practical protocol defined above is commonly used in experimental demonstrations of mistrustful cryptography [13,14,30,60,61]. Various reporting strategies have been used. We show below that they have subtle weaknesses, allowing attacks by a dishonest Alice. We show moreover that this is true of any reporting strategy of the broad class described here.

Details of setup
We consider a basic setup to implement the practical protocol, denoted as setup I (see Fig. 1). Another setup is discussed in Appendix D 4. Alice encodes a qubit state in some degrees of freedom of a photon pulse, using an approximate single photon source and a state modulator. Alice and Bob agree in advance on these degrees of freedom. Typically this is the polarization (e.g. [13,14,30,43,60,61]), but time bin (e.g. [29]) or other degrees of freedom can also be used. For definiteness we focus on polarization coding in this paper, but our results apply to any choice. A dishonest Alice may deviate arbitrarily from the protocol, limited only by her technological capabilities. Importantly, when proving the unconditional security of a protocol, we need to assume that the technology available to dishonest Alice is only limited by the laws of physics. Dishonest Alice may, for example, replace the photon source agreed with Bob for the protocol with another one that has different statistics. More generally, Alice may send Bob an arbitrary quantum state $\rho$ encoded in the polarization and other degrees of freedom.
In most of this paper we focus on multi-photon attacks performed by a dishonest Alice, in which Alice sends Bob a pulse of $k$ photons encoding an arbitrary quantum state $\rho$ of her choice, which may be pure or mixed and may be entangled with an ancilla held by Alice, and where each photon in the pulse encodes a qubit in its polarization.
We assume from here on that Bob honestly follows the agreed protocol. In setup I (see Fig. 1), Bob measures the polarization of the received pulse with a wave plate, set in one of two positions $\beta \in \{0, 1\}$, followed by a polarizing beam splitter and two single photon detectors, $D_0$ and $D_1$. These are threshold detectors: they do not distinguish the number of photons of a pulse producing a detection. If $\beta = 0$ ($\beta = 1$), Bob sets the wave plate in its first (second) position, corresponding to a measurement in the basis $B_0$ ($B_1$). Let $\eta_{i\beta}$ and $d_{i\beta}$ be the detection efficiency and the dark count probability of detector $D_i$ when Bob applies the measurement $B_\beta$, where $0 < \eta_{i\beta} < 1$ and $0 < d_{i\beta} \ll 1$, for $i, \beta \in \{0, 1\}$. In our model, dark counts and each photo-detection are independent random events. To the best of our knowledge, this is a valid assumption.

C. Bob's reporting strategies and Alice's multi-photon attacks
Tables I-III summarize the multi-photon attacks, the main suggested countermeasures against them, and the reporting strategies discussed below, as well as the application of multi-photon attacks to previous experimental demonstrations of mistrustful quantum cryptography.

Reporting only single clicks
We define reporting strategy I by $m = 1$ if $(c_0, c_1) \in \{(1, 0), (0, 1)\}$, and $m = 0$ otherwise. This might seem a natural strategy. However, as Liu et al. discuss [14], if Bob uses reporting strategy I, Alice can gain information about $\beta$ with the following attack, which we call multi-photon attack I.
To illustrate this attack, consider a setup in which Alice's polarization preparation devices and Bob's polarizers are precisely aligned. Alice sends a pulse with a large number of photons $k$ in the same polarization state chosen from $S$; for example, $\rho = (|\psi_{00}\rangle\langle\psi_{00}|)^{\otimes k}$. If Bob measures the pulse in the basis $B_0$ then the detection event $(c_0, c_1) = (1, 0)$ occurs with high probability, giving $m = 1$. If Bob measures in the basis $B_1$ then the detection event $(c_0, c_1) = (1, 1)$ occurs with high probability, giving $m = 0$. Thus, given $m$, Alice can learn $\beta$ with high probability.
In a different version of attack I, Alice's pulse is prepared with a coherent source with average photon number $\mu \gg 1$. We show below (see Methods) that in this case, if $B_0$ and $B_1$ are the computational and Hadamard bases, Bob's detectors have equal efficiencies $\eta \in (0, 1)$ and zero dark count probabilities, then Alice's probability $P^{\rm cs}_{\rm guess}(\mu)$ to guess Bob's bit $\beta$ as a function of $\mu$ is given by (4). When the devices are closely but not precisely aligned, Alice can still learn significant information about $\beta$ from $m$ with an appropriate choice of $k$ or $\mu$. An experimental simulation of this attack is presented below (see Methods). The results are given in Fig. 2 and show that Alice's probability to guess Bob's bit $\beta$ is very well approximated by (4), and can be very close to unity if $\mu$ is sufficiently large. Different versions of attack I apply to the experimental protocols of Refs. [13,30,60,61] if they are implemented with Bob using reporting strategy I (see Appendix D). We propose reporting strategy II (defined below) as a countermeasure against multi-photon attack I.
Fig. 2 (caption). Alice's guessing probability in multi-photon attack I. Implementing setup I, we simulated multi-photon attack I by varying the attenuation of Alice's coherent source in order to scan the range of the average photon number $\mu$. Frequencies of zero, single and double clicks in the pair of Bob's detectors were registered in order to compute the experimental estimate of Alice's guessing probability $P^{\rm cs}_{\rm guess}(\mu)$ (blue dots) when Bob uses reporting strategy I. The orange solid curve represents the theoretical prediction given by (4), assuming the values $d_{i\beta} = 0$ and $\eta_{i\beta} = \eta \in (0, 1)$, for $i, \beta \in \{0, 1\}$. The measured value of the detection efficiency, including the transmission probability through the quantum channel, is $\eta = 0.12$. Horizontal and vertical uncertainty bars are included; the vertical uncertainty bars are so small that they lie within the corresponding markers.
We note that multi-photon attack I still applies in a variation of reporting strategy I in which Bob also sets $m = 1$ with some non-zero but small probability when $(c_0, c_1) = (1, 1)$, i.e. when there is a double click.

Reporting if at least one detector clicks
A better reporting strategy is to set $m = 1$ if at least one detector clicks and $m = 0$ if no detector clicks. We call this reporting strategy II.
This reporting strategy has been considered in quantum key distribution: squashing models map a multiphoton quantum state to a single-photon state by randomly assigning the measurement outcome of a double click to a single click [68]. This reporting strategy has also been implemented in the experimental demonstrations of mistrustful quantum cryptography of Refs. [14,29].
As the following lemma shows, if Bob's detectors have exactly equal efficiencies and their dark count probabilities are independent of his measurement basis, Alice cannot learn any information about $\beta$ from the message $m$. See Appendix E for proofs of the lemmas and theorem.
Lemma 1. Suppose that $\eta_{i\beta} = \eta$ and $d_{i\beta} = d_i$, for $i, \beta \in \{0, 1\}$. If Bob uses reporting strategy II, then for an arbitrary quantum state $\rho$ encoded in a pulse of $k$ photons that Alice sends Bob, and for arbitrary qubit orthogonal bases $B_0$ and $B_1$, it holds that for $\beta \in \{0, 1\}$ and $k \in \{0, 1, 2, \ldots\}$.
In practice, Bob cannot guarantee that the efficiencies of his detectors are exactly equal. In this general case, the detection probabilities $P_{\rm det}(c_0, c_1|\beta, \rho, k)$ depend nontrivially on $\beta$, as illustrated in Lemma 3 (see Methods). We call multi-photon attack II any strategy implemented by Alice that allows her to exploit the difference of Bob's detection efficiencies to obtain information about $\beta$, when Bob reports double clicks with unit probability, as in reporting strategy II, or with high probability. In particular, in this attack, we assume that Alice knows the efficiencies of Bob's detectors and can control the number of photons and the states of her pulses. For example, in an extension of the task to $N \gg 1$ pulses in which Bob measures all pulses in the basis $B_0$ or in the basis $B_1$, Alice can prepare a subset of pulses in specific states and with specific numbers of photons to maximize her probability to guess $\beta$ from Bob's messages reporting whether these pulses produced successful measurements or not. This and other versions of this attack apply (for example) to the experimental demonstrations of Refs. [13,14].
In Appendix D, we discuss how multi-photon attacks I and II apply to some experimental demonstrations of mistrustful quantum cryptography. We summarize this in Table I below. We show below that there is no reporting strategy using setup I that guarantees perfect security against Alice when the detection efficiencies are different. However, we derive in Appendix B an upper bound on the amount of information that Alice can learn about $\beta$ from Bob's message $m$, which approaches zero when the difference of the detection efficiencies tends to zero.

Symmetrization of losses
The symmetrization of losses strategy was introduced in Ref. [60] as follows. Bob tests his setup by preparing and measuring states as in the practical protocol, a large number of times $N$ in parallel. Then, for $c, \beta \in \{0, 1\}$, Bob computes the frequency $F_{\rm det}(c, \bar c|\beta)$ of detection events $(c, \bar c)$, with $\bar c = 1 - c$, which provides a good estimate of the probability $P_{\rm det}(c, \bar c|\beta)$ if $N F_{\rm det}(c, \bar c|\beta) \gg 1$. Bob then computes the numbers $S_{c\bar c\beta} \in (0, 1]$ satisfying for $c, \beta \in \{0, 1\}$, where Then, in the implementation of the protocol with Alice, Bob reports a detection event $(c, \bar c)$ with probability $S_{c\bar c\beta}$, for $c, \beta \in \{0, 1\}$. Ref. [60] explicitly states that the detection events $(0, 0)$ and $(1, 1)$ are not reported by Bob, for $\beta \in \{0, 1\}$.
Symmetrization of losses aims to effectively make the detection probabilities of Bob's detectors equal. As shown below in Lemma 2, a more precise definition of this strategy (reporting strategy III) achieves this if Alice's pulse has zero or one photon. However, dishonest Alice can send Bob a pulse with an arbitrary number of photons $k$. Because the detection probabilities are not linear functions of $k$ (see Methods) and Bob does not know $k$, symmetrization of losses fails to effectively make the detection probabilities of Bob's detectors equal. This is proved by Theorem 1 below.
Symmetrization of losses has been implemented in at least four experimental demonstrations of mistrustful quantum cryptography protocols [13,30,60,61]. These implementations used setups and protocols that are slight variations of ours. We discuss them, and show that they are vulnerable to multi-photon attacks by Alice, in Appendix D.

Generalization of symmetrization of losses to double click events
In this paper, we introduce the following generalization of symmetrization of losses and call it reporting strategy III. Let $\eta_{\min} = \min\{\eta_{00}, \eta_{01}, \eta_{10}, \eta_{11}\}$. If Bob obtains a detection event $(c_0, c_1)$, he sets $m = 1$ with probability $S_{c_0 c_1 \beta}$, for $c_0, c_1, \beta \in \{0, 1\}$, where for $\beta \in \{0, 1\}$. Note that Bob needs to know the efficiencies of his detectors to apply this reporting strategy and that the choices of $S_{110}$ and $S_{111}$ are left free. As the following lemma shows, this reporting strategy guarantees that Alice cannot obtain any information about $\beta$ if Alice's pulse does not have more than one photon and $d_{i\beta} = 0$, for arbitrary $\eta_{i\beta} \in (0, 1)$ and for $i, \beta \in \{0, 1\}$. Furthermore, it guarantees that Alice cannot obtain much information about $\beta$ if Alice's pulse does not have more than one photon and $0 < d_{i\beta} \leq \delta$, for $0 < \delta \ll 1$ and $i, \beta \in \{0, 1\}$.
Table I (caption fragment): [13,14,30,60,61] are covered against variations of these attacks, which are discussed in detail in Appendix D. Setup I is described in Fig. 1, while setup II is a variation of setup I with four detectors, which is described in Appendix D 4. Dashes indicate that further analysis is required to show how (or whether) attack II applies.
Lemma 2. Let $d_{i\beta} \leq \delta$, for some $0 \leq \delta < 1$ and for $i, \beta \in \{0, 1\}$. Consider the practical protocol with $p_0 + p_1 = 1$ in which Alice sends Bob a single photon pulse ($k = 1$) in an arbitrary qubit state $\rho$ or an empty pulse ($k = 0$). Suppose that Bob applies reporting strategy III. Then and where $S_{\max}$

Probabilistic reporting strategies
In this paper, we introduce probabilistic reporting strategies, which generalize the reporting strategies considered above. If a detection event $(c_0, c_1)$ occurs when Bob measures in the basis $B_\beta$, Bob reports the message $m = 1$ to Alice with some probability $S_{c_0 c_1 \beta}$, for $c_0, c_1, \beta \in \{0, 1\}$. Thus, if Alice sends Bob a pulse of $k$ photons encoding a state $\rho$ and Bob measures in the basis $B_\beta$, the probability that Bob reports the message $m = 1$ is given by for $\beta \in \{0, 1\}$ and $k \in \{0, 1, 2, \ldots\}$. Note that the previous strategies, including symmetrization of losses, are special cases of probabilistic reporting strategies.
We define a trivial strategy as a probabilistic reporting strategy satisfying for $c_0, c_1, \beta \in \{0, 1\}$ and for some $S \in (0, 1]$: we exclude $S = 0$, which implies that Bob never reports a successful measurement. A trivial strategy guarantees to Bob that Alice cannot learn any information about $\beta$ from his message $m$. Indeed, if (12) holds then from (11) we have for $\beta \in \{0, 1\}$, for any $k$-qubit state $\rho$ and for any $k \in \{0, 1, 2, \ldots\}$. If Bob uses a trivial strategy, he may as well take $S = 1$, sending $m = 1$ to Alice with unit probability. As shown in Appendix A, this satisfies the correctness properties (2) and (3) if losses are low and Bob's detectors have high efficiency. However, a trivial strategy cannot satisfy (2) and (3) for a class of common experimental setups (see details in Appendix A).
In the following theorem we show that the only probabilistic reporting strategy with setup I guaranteeing to Bob perfect security against Alice is the trivial strategy (12). This is shown explicitly for the BB84 case and numerically for the case of general bases. It follows that symmetrization of losses, being a particular probabilistic reporting strategy, does not guarantee security against Alice.
for $i, \beta \in \{0, 1\}$, and $B_0$ and $B_1$ are arbitrary distinct qubit orthogonal bases. If Alice sends Bob a pulse of $k$ photons encoding a state $\rho$, with $k \in \{0, 1, 2\}$ chosen by Alice and unknown to Bob, then the only probabilistic reporting strategy that guarantees to Bob that Alice cannot obtain any information about $\beta$ from his message $m$ is the trivial strategy (12).
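The following Python script is an added example; it is not code from the paper or from any of the cited experiments. It encodes the detection model stated in the setup section (independent photo-detections and dark counts, threshold detectors $D_0$ and $D_1$ behind a polarizing beam splitter) for a pulse whose photons all carry the same pure qubit state, with either a fixed photon number $k$ or a coherent pulse of mean photon number $\mu$, and evaluates Alice's guessing probability $\tfrac12 + \tfrac12\,|P(m{=}1|\beta{=}0) - P(m{=}1|\beta{=}1)|$ for reporting strategies I, II and III and for the trivial strategy (12). It serves the passages on multi-photon attack I, Lemma 1 and attack II against strategy II, Lemma 2 for strategy III, and Theorem 1. Assumptions that are not taken from the page: the bases are the BB84 bases; the pulse is a product state (Lemma 1 and Theorem 1 cover arbitrary $\rho$, which this script does not); and strategy III reports a lone click on $D_i$ with probability $\eta_{\min}/\eta_{i\beta}$, one form consistent with Lemma 2 that is used here because the page's own expression for $S_{c_0 c_1 \beta}$ is absent from this extract. Under these assumptions the guessing probability for attack I against strategy I reduces to $1 - e^{-\mu\eta/2} + e^{-\mu\eta}/2$, which the script computes numerically; no claim is made that this is the paper's equation (4).

```python
import math

# Constructed sample bases (assumption: the BB84 case, B_0 computational, B_1 Hadamard).
H = 1 / math.sqrt(2)
BASES = {0: ((1, 0), (0, 1)), 1: ((H, H), (H, -H))}


def route_prob(state, beta):
    """Born-rule probability that one photon in the pure qubit `state`
    (2-tuple of amplitudes) leaves Bob's PBS towards D_0 in basis B_beta."""
    b0 = BASES[beta][0]
    amp = complex(b0[0]).conjugate() * state[0] + complex(b0[1]).conjugate() * state[1]
    return abs(amp) ** 2


def click_probs(q0, eta, dark, k=None, mu=None):
    """Joint probabilities P(c0, c1 | beta, rho) for threshold detectors D_0, D_1.

    q0   : probability that a photon is routed to D_0 (1 - q0 goes to D_1)
    eta  : (eta_0, eta_1) detection efficiencies for the chosen basis
    dark : (d_0, d_1) dark-count probabilities
    k    : fixed photon number (product state, same qubit in every photon), or
    mu   : mean photon number of a coherent pulse (Poissonian k).
    Model assumption (as in the setup): every photo-detection and dark count is an
    independent event, so a detector receiving n photons stays silent with
    probability (1 - d)(1 - eta)^n.  Averaging over the binomial routing gives
    (1 - x)^k, and additionally over a Poissonian k gives exp(-mu x), where x is
    the per-photon probability of a detection in the detector(s) considered."""
    if (k is None) == (mu is None):
        raise ValueError("give exactly one of k (fixed photon number) or mu (coherent pulse)")
    q1 = 1.0 - q0
    silent = (lambda x: (1.0 - x) ** k) if mu is None else (lambda x: math.exp(-mu * x))
    p_none = (1 - dark[0]) * (1 - dark[1]) * silent(q0 * eta[0] + q1 * eta[1])
    p_d0_silent = (1 - dark[0]) * silent(q0 * eta[0])
    p_d1_silent = (1 - dark[1]) * silent(q1 * eta[1])
    p10 = p_d1_silent - p_none          # only D_0 clicks
    p01 = p_d0_silent - p_none          # only D_1 clicks
    return {(0, 0): p_none, (1, 0): p10, (0, 1): p01, (1, 1): 1.0 - p_none - p10 - p01}


# Probabilistic reporting strategies: S(c0, c1, beta) = Pr[Bob sends m = 1].
def strategy_i(c0, c1, beta):      # report single clicks only
    return 1.0 if (c0, c1) in {(1, 0), (0, 1)} else 0.0


def strategy_ii(c0, c1, beta):     # report if at least one detector clicks
    return 0.0 if (c0, c1) == (0, 0) else 1.0


def trivial(c0, c1, beta):         # S = 1 for every detection event
    return 1.0


def strategy_iii(eta_by_beta, s11=1.0):
    """Generalised symmetrisation of losses.  eta_by_beta[beta] = (eta_0b, eta_1b).
    Assumed form: a lone click on D_i is reported with probability eta_min/eta_ib,
    (0,0) is never reported, and the free double-click value S_11b is set to s11."""
    eta_min = min(e for pair in eta_by_beta.values() for e in pair)

    def s(c0, c1, beta):
        if (c0, c1) == (0, 0):
            return 0.0
        if (c0, c1) == (1, 1):
            return s11
        return eta_min / eta_by_beta[beta][0 if c0 else 1]
    return s


def report_prob(probs, strategy, beta):
    """P(m = 1 | beta) = sum over detection events of P(c0,c1|beta) * S_{c0 c1 beta}."""
    return sum(p * strategy(c0, c1, beta) for (c0, c1), p in probs.items())


def alice_guess(state, strategy, eta_by_beta, dark=(0.0, 0.0), k=None, mu=None):
    """Alice's optimal probability of guessing a uniformly random beta from m alone:
    1/2 + 1/2 |P(m=1|beta=0) - P(m=1|beta=1)|.  Exactly 1/2 means no leakage."""
    p1 = [report_prob(click_probs(route_prob(state, b), eta_by_beta[b], dark, k, mu), strategy, b)
          for b in (0, 1)]
    return 0.5 + 0.5 * abs(p1[0] - p1[1])


if __name__ == "__main__":
    psi00 = (1, 0)                                   # |psi_00> = |0>, carried by every photon
    equal = {0: (0.12, 0.12), 1: (0.12, 0.12)}       # eta = 0.12 as in the Fig. 2 measurement
    unequal = {0: (0.10, 0.05), 1: (0.10, 0.05)}     # constructed mismatched efficiencies
    for mu in (1, 10, 50):                           # attack I: bright coherent pulse
        print(f"mu={mu:3d}  strategy I  P_guess={alice_guess(psi00, strategy_i, equal, mu=mu):.4f}"
              f"   strategy II P_guess={alice_guess(psi00, strategy_ii, equal, mu=mu):.4f}")
    print("attack II, k=1, strategy II :", alice_guess(psi00, strategy_ii, unequal, k=1))
    print("strategy III, k=1           :", alice_guess(psi00, strategy_iii(unequal), unequal, k=1))
    print("strategy III, k=2, S_11b=1  :", alice_guess(psi00, strategy_iii(unequal), unequal, k=2))
    print("trivial strategy, k=2       :", alice_guess(psi00, trivial, unequal, k=2))
```

Reading the output against the text: with equal efficiencies, strategy I leaks more of $\beta$ as $\mu$ grows (attack I) while strategy II stays at exactly $1/2$ (Lemma 1); with mismatched efficiencies, strategy II leaks already at $k = 1$ (attack II); strategy III removes that leak for $k \le 1$ (Lemma 2) but not for $k = 2$ with the free double-click value left at $1$, which is the nonlinearity in $k$ that Theorem 1 turns into an impossibility result; and the trivial strategy leaks nothing at any $k$ because $m$ no longer depends on the detection event at all.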

D. Discussion
We have highlighted known, and introduced new, attacks on photonic implementations of mistrustful quantum cryptographic protocols. These arise because Alice may send multi-photon pulses that are different from the single photon pulses envisaged in the ideal versions of the protocols and that give her statistically distinguishable results when Bob uses standard detectors. The attacks are hard to detect with standard technology, since there is no practical perfectly reliable way to distinguish a multi-photon pulse from a single photon one. They are also hard to counter by filtering, since there is no practical perfectly reliable way to filter multi-photon pulses to produce single photon outputs with the same polarisation. Lemma 1 suggests that a possible countermeasure against multi-photon attacks is to make the efficiencies of Bob's detectors as close as possible. Bob could use attenuators for this purpose; but care should be taken to guarantee that these act linearly, i.e. that their action on multi-photon states is given by the product of their action on individual photons, and that their action does not depend on wavelength or other degrees of freedom that Alice could exploit to her advantage, as in the side-channel attacks discussed below. We have investigated this possibility in Appendix B by deriving security bounds when Bob applies reporting strategies II or III that provide perfect security against multi-photon attacks in the limit that the difference of the detector efficiencies equals zero (see Lemmas 5-7 in Appendix B). However, as discussed in Appendix B, our security bounds are not useful in practical settings unless this difference is extremely small. We leave as an open problem to investigate whether this countermeasure can provide useful security guarantees against multi-photon attacks in practice.
We have focused here on the simple experimental setup of Fig. 1 with two detectors. However, our analyses can be extended to more general setups with more detectors. In Appendix D 4 we have investigated a setup with four detectors, setup II (see Fig. 5 in Appendix D 4). There, we analyse extensions of reporting strategies I, II and III to setup II. We extend multi-photon attack I to this setup and show that it makes implementations insecure if Bob only reports single clicks as successful measurements (see Fig. 6 in Appendix D 4). We extend Lemma 1 to setup II and show that if Bob's detectors have equal detection efficiencies and dark count probabilities independent of the measurement bases then an extension of reporting strategy II guarantees security against arbitrary multi-photon attacks (see Lemma 12 in Appendix D 4). We also extend Lemma 2 to this setup (see Lemma 9 in Appendix D 4) and leave the extension of Theorem 1 to this setup as an open problem.
Although there exist photon-number-resolving detectors (see e.g. Ref. [69] and references therein), to our knowledge, they cannot practically determine the number of photons k in a pulse, for arbitrary k. Nevertheless, we think it is worth investigating their use as a countermeasure against multi-photon attacks.
In addition to the degrees of freedom of the photon pulses, like polarization, on which Alice and Bob agreed that Alice would encode the quantum states, Alice may control further degrees of freedom of the photon pulses to her advantage, giving rise to various side-channel attacks previously considered in the literature of quantum key distribution, which can be straightforwardly adapted to mistrustful quantum cryptography. These degrees of freedom may include, for example, the light reflected from Bob's setup to Alice's setup in Trojan-horse attacks [1]; the time at which the pulse is sent, the pulse wavelength, polarization, spatial degrees of freedom like angle of incidence, etc. in the detection-efficiency-mismatch attacks [2,4]; the arrival time of the pulse in the time-shift attacks [3]; the intensity of the pulse in the blinding [5] and bright-illumination [6] attacks; the time separation between consecutive pulses in the dead-time attacks [14]; and the mean photon number [7].
More generally, in a side-channel attack, Alice may send any system S in place of the expected photon pulse. For example, S could be a different type of elementary particle, or some more complex system. It is hard to make any general statement about the resulting measurement statistics at Bob's detectors. At the more exotic end of the range of possibilities, one can imagine [70] Alice sending through the quantum channel miniaturised robots that are programmed to analyse the measurement settings and to trigger detections following statistics of Alice's choice. Although this last possibility may perhaps seem unrealistic, the limitation is ultimately technological, meaning that a security proof that excludes such cases cannot strictly be said to guarantee unconditional security [70]. Even if Alice is restricted to photons or particles of small mass, it would be very hard for Bob to analyse all the possible detector statistics and the scope they offer for side-channel attacks.
The only countermeasure of which we are aware that provides unconditional security, in principle, is for Bob to filter Alice's signals via teleportation, as suggested in another context by Lo-Chau [70]. Indeed, if Bob teleports the quantum state encoded in each pulse sent by Alice to a photon entering his setup, using an ideal teleportation device, he is guaranteed that his setup receives nothing other than a single photon. Thus, if Bob applies reporting strategy III, he is guaranteed from Lemma 2 that Alice can get negligible information about his bit $\beta$ when the dark count probabilities of his detectors are very small. In practice, when preparing pairs of entangled photons with parametric down conversion, there is a small but nonzero probability of producing pairs with more than one photon. Thus, in practice Bob cannot guarantee that pulses with more than one photon do not enter his setup. Although the quantum states of the multi-photon pulses entering Bob's setup with this countermeasure are out of Alice's control, Bob must guarantee that Alice cannot exploit this imperfection to learn some information about $\beta$. We believe this countermeasure deserves further investigation.
We conclude that implementations of theoretically unconditionally secure mistrustful cryptographic protocols need, at least, very careful analysis of practical possibilities for attacks of the type described. We hope our analyses of multi-photon and side-channel attacks will serve as cautionary examples and stimulate further investigations.
Proof. Let $k_0$ be the number of photons that go to detector $D_0$. The number of photons that go to detector $D_1$ is $k_1 = k - k_0$.
B. Experiment

Experimental evaluation of the detection probabilities in a multi-photon attack
We experimentally evaluated the validity of the theoretical predictions for the detection probabilities given by (19), in Lemma 3. For this, Alice prepared the state with vertical polarization using a weak coherent photon source and varied the average photon number $\mu$. This polarization corresponds to a qubit state $\rho_{\rm qubit} = |0\rangle\langle 0|$, which has Bloch vector along the $z$ axis, given by $r = (0, 0, 1)$. That is, as above, each pulse encodes in the polarization a $k$-qubit state $\rho = \rho_{\rm qubit}^{\otimes k}$, where $k$ has a Poisson probability distribution with mean $\mu$. For $c_0, c_1, \beta \in \{0, 1\}$, we fixed Bob's measurement basis to $B_\beta$ and computed the frequency of the detection events $(c_0, c_1)$ for a large number of pulses $N = 4 \times 10^6$, estimating in this way the detection probability $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$. As above, Bob's measurement bases $B_0$ and $B_1$ are the computational and Hadamard bases, respectively.
In practice, this was done as follows. Pulses of 1 µs with vertical polarization were generated by Alice at a repetition rate of 200 kHz for 20 s using two fibered amplitude modulators connected in series. An unbalanced coupler was then used for power calibration in order to fix the value of $\mu$. The estimated uncertainty for the coupler's splitting ratio is ±5 %, and the uncertainty on the power measurement is also ±5 % from the relevant data sheet. Combining these uncertainties in quadrature, this gives a total uncertainty on $\mu$ of ±7 %. One arm transmitted the signal, while the other was sent to a photodiode to calibrate the power. Bob's measurement basis was selected using a half wave plate, with angle uncertainty of ±0.25°, hence contributing ±0.5° and ±1° uncertainties in the physical polarization angle and in the Bloch sphere angle, respectively. The polarization was then projected using a fibered polarization beam splitter, and detected with two id230 free-running avalanche detectors, at Bob's site (see Fig. 1).
the plotted theoretical curves. These are given by (22), for $\beta, c \in \{0, 1\}$. In Fig. 3, we observe a good agreement between the experimental estimates of the detection probabilities $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$ and the theoretical predictions given by (22), for $c_0, c_1, \beta \in \{0, 1\}$. The slight disagreements observed for a few experimental points with the theoretical predictions of (22) are possibly explained by the uncertainties on some experimental quantities, like the detection efficiency and the measurement bases, for instance, in addition to the uncertainties on the average photon number $\mu$ given by the horizontal uncertainty bars.

Experimental simulation of multi-photon attack I
We illustrate a version of multi-photon attack I in which Alice sends Bob a photon pulse prepared with a coherent source, with average photon number $\mu \gg 1$ chosen by Alice. We assume that Bob applies reporting strategy I, i.e. he only sets valid measurement outcomes, and sends Alice the message $m = 1$, for pulses that generate a click in only one of his detectors. We consider the case that $B_0$ and $B_1$ are the computational and Hadamard bases, respectively. Each photon in the pulse encodes a qubit state $\rho_{\rm qubit} = |\psi_{00}\rangle\langle\psi_{00}| = |0\rangle\langle 0|$. Thus, we can use Lemma 3, with $q_0 = 1$ and $q_1 = 1/2$ in (17). If Bob sends Alice the message $m = 1$, Alice guesses that $\beta = 0$. If Bob sends $m = 0$, Alice guesses that $\beta = 1$. Thus, since we suppose that Bob generates $\beta$ randomly, Alice's probability $P^{\rm cs}_{\rm guess}(\mu)$ to guess Bob's bit $\beta$ in this attack is given by (23), where $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$ is given by (19), for $c_0, c_1, \beta \in \{0, 1\}$, and where $q_0 = 1$ and $q_1 = 1/2$. In the simple case that $d_{i\beta} = 0$ and $\eta_{i\beta} = \eta \in (0, 1)$, for $i, \beta \in \{0, 1\}$, and $q_0 = 1$ and $q_1 = 1/2$, (19) reduces to (22). Thus, from (22) and (23), we obtain (4).
We implemented an experimental simulation of the multi-photon attack described above. In our simulation, Alice and Bob use setup I illustrated in Fig. 1. Alice's photon source is a coherent source with average photon number $\mu$. Bob measures the polarization of the pulse in the basis $B_0$ or in the basis $B_1$, which are the horizontal-vertical polarization basis and the diagonal-diagonal basis (corresponding to polarization angles of 45° and −45° from the horizontal axis towards the vertical axis), respectively. In the Bloch sphere, these are the computational and Hadamard bases, respectively.
Alice sets the value of $\mu$ and sends Bob photon pulses with the same polarization, in vertical polarization, corresponding to the qubit state $|0\rangle$. That is, each pulse encodes in the polarization a $k$-qubit state $\rho = \rho_{\rm qubit}^{\otimes k}$, where $\rho_{\rm qubit} = |0\rangle\langle 0|$ is a qubit state, and where $k$ has a probability distribution $p_k = e^{-\mu}\mu^k/k!$, for $k \in \{0, 1, 2, \ldots\}$. For $c_0, c_1, \beta \in \{0, 1\}$, we fix Bob's measurement basis to $B_\beta$ and compute the frequency of the detection events $(c_0, c_1)$ for a large number of pulses $N$, estimating experimentally in this way the value of the detection probability $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$. Alice's probability $P^{\rm cs}_{\rm guess}(\mu)$ to guess Bob's bit $\beta$ in the considered attack is given by (23).
We have plotted the obtained experimental estimates of $P^{\rm cs}_{\rm guess}(\mu)$ for various values of $\mu$ in Fig. 2. In practice, the experimental data plotted in Fig. 2 corresponds to the same experimental data plotted in Fig. 3, but using (23). As follows from (23), computing $P^{\rm cs}_{\rm guess}(\mu)$ requires some probabilities $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$ with both values of $\beta \in \{0, 1\}$. Because in our experimental points of the plots in Fig (4) is also shown in Fig. 2, for comparison with the experimental data. A good agreement between the experimental data and the theoretical prediction is observed. As mentioned for the plots of Fig. 3, the slight disagreements observed for a few experimental points in the plot of Fig. 2 with the theoretical predictions of (4) are expected due to the uncertainties on some experimental quantities, like the detection efficiency and the measurement bases, for example, in addition to the uncertainties on the average photon number $\mu$ given by the horizontal uncertainty bars.
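The estimation procedure just described (fix $\beta$, count detection events $(c_0, c_1)$ over $N$ pulses, then combine the frequencies into $P^{\rm cs}_{\rm guess}(\mu)$) and the standard error used in the statistical information below can be worked through numerically. The following is an added example written for this page; it is not the authors' analysis code nor the software of the experiment. Its modelling assumption, stated here explicitly, is the standard coherent-state / threshold-detector picture: each photon reaches $D_0$ with probability $q_\beta$ ($q_0 = 1$, $q_1 = 1/2$ for the vertically polarised input, as in the text), detector $i$ in basis $\beta$ has efficiency $\eta_{i\beta}$ and dark count probability $d_{i\beta}$, and a coherent pulse of mean $\mu$ therefore produces independent Poisson counts at the two detectors. The closed forms below are what that assumption gives; they are not a transcription of the paper's (19) or (22). Beyond the attack-I guess probability, the block evaluates the same model under reporting strategy II (single and double clicks both reported), which is where the defender's question lies: with equal efficiencies the message $m$ carries no information about $\beta$, with unequal efficiencies a residual leak remains.

```python
"""Coherent-source detection model for Bob's two-detector setup (setup I).

Added example, not the paper's own code.  Model assumption: each photon of a
pulse reaches detector D_0 with probability q_beta (q_0 = 1, q_1 = 1/2 for the
vertically polarised input of the experiment), detector i in basis beta has
efficiency eta[i][beta] and dark count probability d[i][beta], and the pulse is
a coherent state with mean photon number mu, so the photon counts registered
by the two detectors are independent Poisson variables.
"""
import math
import random

Q = (1.0, 0.5)  # q_beta: probability that a photon goes to D_0 in basis beta


def click_probs(mu, beta, eta, d, q=Q):
    """Return (p0, p1): probability that D_0 / D_1 clicks for one pulse."""
    lam = (mu * q[beta] * eta[0][beta], mu * (1.0 - q[beta]) * eta[1][beta])
    # no click = no dark count AND zero detected photons (Poisson(lam_i))
    return tuple(1.0 - (1.0 - d[i][beta]) * math.exp(-lam[i]) for i in range(2))


def p_det(c0, c1, mu, beta, eta, d):
    """P_det(c0, c1 | beta, mu): the two detectors click independently."""
    p0, p1 = click_probs(mu, beta, eta, d)
    return (p0 if c0 else 1.0 - p0) * (p1 if c1 else 1.0 - p1)


def p_report(mu, beta, eta, d, strategy):
    """Probability that Bob reports m = 1 under reporting strategy I or II.

    I : only single clicks (1,0), (0,1) are reported as valid.
    II: any click, single or double, is reported as valid (a double click gets
        a random outcome, which does not change what Alice observes in m).
    """
    valid = {"I": [(1, 0), (0, 1)], "II": [(1, 0), (0, 1), (1, 1)]}[strategy]
    return sum(p_det(c0, c1, mu, beta, eta, d) for c0, c1 in valid)


def guess_prob_attack_I(mu, eta, d):
    """Alice guesses beta = 0 on m = 1 and beta = 1 on m = 0 (strategy I)."""
    return 0.5 * (p_report(mu, 0, eta, d, "I") + 1.0 - p_report(mu, 1, eta, d, "I"))


def guess_prob_optimal(mu, eta, d, strategy):
    """Best guess of a uniformly random beta from the one-bit message m.

    The optimal strategy is deterministic and achieves
    1/2 + |P(m=1|beta=1) - P(m=1|beta=0)| / 2.
    """
    diff = p_report(mu, 1, eta, d, strategy) - p_report(mu, 0, eta, d, strategy)
    return 0.5 + 0.5 * abs(diff)


def standard_error(p_hat, n):
    """Standard error of a frequency estimate p_hat obtained from n pulses."""
    return math.sqrt(p_hat * (1.0 - p_hat) / n)


def simulate_p_det(c0, c1, mu, beta, eta, d, n, seed=1):
    """Monte Carlo estimate of P_det(c0, c1 | beta, mu) from n simulated pulses.

    Returns (estimate, standard_error).  The photon number is Poisson(mu),
    sampled with Knuth's method; each photon is routed and detected independently.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        k, p, limit = 0, 1.0, math.exp(-mu)  # Knuth's Poisson sampler
        while True:
            p *= rng.random()
            if p <= limit:
                break
            k += 1
        clicks = [rng.random() < d[0][beta], rng.random() < d[1][beta]]
        for _ in range(k):
            i = 0 if rng.random() < Q[beta] else 1
            if rng.random() < eta[i][beta]:
                clicks[i] = True
        if clicks == [bool(c0), bool(c1)]:
            hits += 1
    est = hits / n
    return est, standard_error(est, n)


if __name__ == "__main__":
    eta_equal = ((0.5, 0.5), (0.5, 0.5))      # eta[i][beta], equal detectors
    eta_unequal = ((0.6, 0.6), (0.4, 0.4))    # D_0 more efficient than D_1
    no_dark = ((0.0, 0.0), (0.0, 0.0))
    for mu in (0.1, 1.0, 5.0, 10.0):
        print(f"mu={mu:5.1f}  attack I vs strategy I: "
              f"{guess_prob_attack_I(mu, eta_equal, no_dark):.3f}   "
              f"strategy II, equal eta: "
              f"{guess_prob_optimal(mu, eta_equal, no_dark, 'II'):.3f}   "
              f"strategy II, unequal eta: "
              f"{guess_prob_optimal(mu, eta_unequal, no_dark, 'II'):.4f}")
```

The `eta` argument is indexed as `eta[i][beta]` (detector first, basis second), mirroring $\eta_{i\beta}$ in the text. For the vertically polarised input, in basis $B_0$ every photon goes to $D_0$, so $P(m=1|\beta=0)$ under strategy II is $1 - e^{-\mu\eta_{00}}$, while in basis $B_1$ it is $1 - e^{-\mu(\eta_{01}+\eta_{11})/2}$; the two coincide exactly when the efficiencies are equal, which is the content of the Lemma 1 remark in this special case, and the table printed by the script shows how fast the gap opens as they diverge.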

C. Statistical Information
The number of photon pulses used for estimating the probabilities $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$ plotted in Fig. 3 and the probability $P^{\rm cs}_{\rm guess}(\mu)$ plotted in Fig. 2 for each value of the average photon number $\mu$ was $N = 4 \times 10^6$, for $c_0, c_1, \beta \in \{0, 1\}$. The uncertainty for each experimental estimate of the probabilities $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$ plotted in Fig. 3 was taken as the standard error, given by (24), where $P$ is the obtained experimental estimate of the probability $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$, for $c_0, c_1, \beta \in \{0, 1\}$ and for each value of $\mu$. The uncertainty for each experimental estimate of the probabilities $P^{\rm cs}_{\rm guess}(\mu)$ plotted in Fig. 2 was obtained using (23) and (24), combining in quadrature the uncertainties of the experimental estimates for the probabilities $P^{\rm cs}_{\rm det}(c_0, c_1|\beta, \rho, \mu)$ appearing in (23).

Lemma 4. Let Alice and Bob implement the practical protocol. Let $P_{{\rm error}|c_0 c_1 \beta}$ be the probability that Bob obtains the wrong measurement outcome when he measures in the basis $B_\beta$ of preparation by Alice and obtains a detection event $(c_0, c_1)$, for $c_0, c_1, \beta \in \{0, 1\}$. If the photon pulse produces a detection event $(c, c)$, Bob assigns a random measurement outcome, which we assume gives a wrong outcome with some probability $P_{{\rm error}|cc\beta}$ such that $\frac{1}{2} - \delta^{\rm equal}_{\rm error} \le P_{{\rm error}|cc\beta} \le \frac{1}{2} + \delta^{\rm equal}_{\rm error}$, for a small $\delta^{\rm equal}_{\rm error} > 0$ and for $c, \beta \in \{0, 1\}$. We assume that $P_{{\rm error}|cc\beta} \le \delta^{\rm diff}_{\rm error}$, for a small $\delta^{\rm diff}_{\rm error} > 0$ and for $c, \beta \in \{0, 1\}$. Let $P_{\rm det}(c_0, c_1|\beta)$ be the probability that the pulse sent by Alice produces a detection event $(c_0, c_1)$ in Bob's detectors when Bob measures in the basis $B_\beta$, for $c_0, c_1, \beta \in \{0, 1\}$.
If the trivial reporting strategy (12) is implemented with $S = 1$ using a first class of experimental setups with small probability of loss and high detection efficiencies, satisfying $P_{\rm det}(c, c|\beta) \le \delta^{\rm I}_{cc}$, for a small $\delta^{\rm I}_{cc} > 0$ and for $c, \beta \in \{0, 1\}$, then the condition (2) of the correctness property is satisfied for any $\delta_{\rm det} \le 1$, and the condition (3) of the correctness property is guaranteed if (A1) holds.

If a probabilistic reporting strategy (11) is implemented using a second class of experimental setups where Bob's detection efficiencies are small and the probability of loss is high, satisfying that $P_{\rm det}(0, 0|\beta) \ge 1 - \delta^{\rm II}_{00}$, for a small $\delta^{\rm II}_{00} > 0$ and for $\beta \in \{0, 1\}$, and the conditions (2) and the reporting strategy is not the trivial one.
Proof. We consider the case of the first class of experimental setups following the trivial strategy (12) with $S = 1$. It follows straightforwardly from (12) and (13), since $S = 1$, that Bob's probability to report Alice's pulse as producing a measurement outcome is $P_{\rm det} = 1$. Thus, the condition (2) is satisfied for any $\delta_{\rm det} \le 1$, as claimed.
The probability of error $P_{\rm error}$ is computed for the case in which Bob's basis $B_\beta$ equals Alice's basis and Bob reports the pulse as valid ($m = 1$), which in this case occurs with unit probability. We have Thus, the condition (3) of the correctness property is guaranteed if (A1) holds, as claimed.

Now we consider the case of the second class of experimental setups that follows a probabilistic reporting strategy. We show that satisfaction of (3) and (A3) require for $\beta \in \{0, 1\}$. Then we show that satisfaction of (2), (A2) and (A5) imply that there exists $(c_0, c_1) \in \{(0, 1), (1, 0), (1, 1)\}$ and $\beta \in \{0, 1\}$ satisfying $S_{c_0 c_1 \beta} > S_{00\beta}$, i.e. that the reporting strategy is not the trivial one.

Appendix B: Security bounds
The following lemmas give upper bounds on the amount of information that Alice can obtain about β from Bob's message m. Lemma 5 provides a bound for an arbitrary reporting strategy by Bob. Together with Lemma 5, Lemmas 6 and 7 provide bounds when Bob follows reporting strategies II and III, respectively.
Lemma 5. Suppose that Alice sends Bob a pulse of $k$ photons, encoding an arbitrary $k$-qubit state $\rho$, which may be arbitrarily entangled and which may be entangled with an ancilla held by Alice. Suppose that Bob chooses the bit $\beta$ with some probability for $\beta \in \{0, 1\}$ and for some $\epsilon_{\rm basis} \ge 0$. Consider an arbitrary strategy by Bob to report the message $m \in \{0, 1\}$ to Alice. Then Alice's probability $P_{\rm guess}$ to guess $\beta$ from Bob's message $m$ satisfies (B2).

Proof. Alice's most general strategy to guess $\beta$ from the message $m$ is as follows. Alice guesses $\beta = i$ with some probability $P_{\rm Alice}(i|m)$, when she receives the message $m$, for $i, m \in \{0, 1\}$. Alice's optimal strategy is a deterministic strategy. That is, one of the two following equations, (B3) or (B4), holds for $i, m \in \{0, 1\}$. Alice's average probability to guess $\beta$ is given by (B5). If (B3) holds, it follows from (B1), (B3) and (B5) that (B6) holds. If (B4) holds, it follows from (B1), (B4) and (B5) that (B7) holds. For $\beta, m \in \{0, 1\}$, we obtain that $\sum_{\beta=0}^{1} P_{\rm report}(\beta|\beta, \rho, k) = 1 + P_{\rm report}(1|1, \rho, k)$. Similarly, from (B8), we obtain $\sum_{\beta=0}^{1} P_{\rm report}(\beta|\beta, \rho, k) = 1 + P_{\rm report}(1|0, \rho, k)$. Thus, from (B6), (B7), (B9) and (B10), the claimed result (B2) follows.

Lemma 6. Let $\eta_{\rm low}$ and $\eta_{\rm up}$ be such that (B11) holds. Suppose that Alice sends Bob a pulse of $k$ photons, encoding an arbitrary $k$-qubit state $\rho$, which may be arbitrarily entangled and which may be entangled with an ancilla held by Alice. Suppose also that Bob uses reporting strategy II. Then

Lemma 7. Let $\eta_{\min}$ and $\eta_{\max}$ be such that (B18) holds. Suppose that Alice sends Bob a pulse of $k$ photons, encoding an arbitrary $k$-qubit state $\rho$, which may be arbitrarily entangled and which may be entangled with an ancilla held by Alice. Suppose also that Bob uses reporting strategy III with for $\beta \in \{0, 1\}$. Then

We note that the bounds $B^{\rm II}$ and $B^{\rm III}$ in Lemmas 6 and 7, respectively, tend to $2\delta$ if all the detection efficiencies tend to the same value $\eta$, as in this case we have $\eta_{\rm up} \to \eta$, $\eta_{\rm low} \to \eta$, $\eta_{\max} \to \eta$ and $\eta_{\min} \to \eta$.
Additionally, if the dark count probabilities are zero then δ = 0 and the bounds tend to zero in this case. This is expected. However, as we illustrate in Fig. 4, even for relatively close values for the detection efficiencies, the obtained bounds are not very small.
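The optimal-guessing step in the proof of Lemma 5 can be carried through explicitly. The following is an added worked derivation, not part of the paper's text; it abbreviates $P_{\rm report}(m|\beta) \equiv P_{\rm report}(m|\beta, \rho, k)$ and reads the basis-choice condition as $\Pr(\beta = 0) = \tfrac{1}{2} + e$ with $|e| \le \epsilon_{\rm basis}$, which is an assumption made here about the missing condition (B1). Set $\Delta = P_{\rm report}(1|1) - P_{\rm report}(1|0)$. For the deterministic strategy "guess $\beta = m$",

$$P^{A}_{\rm guess} = \Big(\tfrac{1}{2} + e\Big)\big(1 - P_{\rm report}(1|0)\big) + \Big(\tfrac{1}{2} - e\Big)P_{\rm report}(1|1) = \tfrac{1}{2} + \tfrac{\Delta}{2} + e\big(1 - P_{\rm report}(1|0) - P_{\rm report}(1|1)\big),$$

and for "guess $\beta = m \oplus 1$",

$$P^{B}_{\rm guess} = \Big(\tfrac{1}{2} + e\Big)P_{\rm report}(1|0) + \Big(\tfrac{1}{2} - e\Big)\big(1 - P_{\rm report}(1|1)\big) = \tfrac{1}{2} - \tfrac{\Delta}{2} - e\big(1 - P_{\rm report}(1|0) - P_{\rm report}(1|1)\big).$$

A randomized strategy $P_{\rm Alice}(i|m)$ is a convex combination of these two, so it cannot beat the better of them. Since $\big|1 - P_{\rm report}(1|0) - P_{\rm report}(1|1)\big| \le 1$,

$$P_{\rm guess} \le \tfrac{1}{2} + \tfrac{1}{2}\,\big|P_{\rm report}(1|1, \rho, k) - P_{\rm report}(1|0, \rho, k)\big| + \epsilon_{\rm basis},$$

with equality for $\epsilon_{\rm basis} = 0$ and the deterministic strategy matching the sign of $\Delta$. What remains, for a given reporting strategy, is to bound how far Bob's probability of sending $m = 1$ can differ between the two bases when the detector efficiencies are unequal; that is the role of the bounds in Lemmas 6 and 7.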
The proofs of Lemmas 6 and 7 use the following lemma.
Proof of Lemma 6. Consider an arbitrary, and possibly entangled, $k$-qubit state $\rho$ encoded in a pulse of $k$ photons that Alice sends Bob, which may be in an arbitrary entangled state with an ancilla held by Alice. In the reporting strategy II, the probability that Bob reports the message $m = 1$ to Alice is the probability that at least one of his detectors clicks. That is, for $k \in \mathbb{R}$. It follows from (B28) that for $k \in \{0, 1, 2, \ldots\}$. If $\eta_{\rm low} = \eta_{\rm up}$, it follows from (B11) and (B29), and from $\delta \ge 0$, that for $k \in \{0, 1, 2, \ldots\}$, where $B^{\rm II}_{\rm exp}$ is given by (B13). It follows straightforwardly from (B12), (B13) and (B29) that where $B^{\rm II}_{\rm det}$ is given by (B12). Thus, (B27) follows from (B30)-(B33).

Appendix C: Mistrustful quantum cryptography
In mistrustful cryptography, two or more parties who do not trust each other collaborate to implement a cryptographic task. Important cryptographic tasks in mistrustful cryptography are bit commitment, oblivious transfer, secure multi-party computation and coin flipping, for example. We say that a cryptographic protocol is unconditionally secure if it is secure based only on the laws of physics, without imposing any technological limitations on the dishonest parties. There exist quantum and relativistic protocols in mistrustful cryptography that exploit the laws of quantum physics and relativity to guarantee security, respectively. For some tasks in mistrustful cryptography, there exist impossibility results stating that unconditional security cannot be achieved with quantum nonrelativistic protocols [48-50, 53], or, for other tasks, even with quantum relativistic protocols [56]. On the other hand, there are relativistic protocols that achieve unconditional security for some tasks [9-12, 15-17, 22-24, 27, 55, 56, 62]. However, by imposing technological limitations on the dishonest parties, security of some quantum nonrelativistic protocols can be guaranteed. For example, some tasks that cannot achieve unconditional security can be implemented securely in the noisy storage model [58, 59], in which the dishonest parties can only store quantum states in noisy quantum memories with finite coherence times.

Quantum bit commitment
In bit commitment, Bob (the committing party) commits a secret bit $b$ to Alice at a given time $t_{\rm commit}$. Bob chooses to unveil $b$ to Alice at some time $t_{\rm unveil} > t_{\rm commit}$. A bit commitment protocol must satisfy two security conditions. First, a bit commitment protocol is hiding if, when Bob follows the protocol and Alice deviates arbitrarily from the protocol, the probability that Alice guesses Bob's bit $b$ before Bob unveils satisfies $P_{\rm guess} \le \frac{1}{2} + \epsilon_{\rm hiding}$, for some $\epsilon_{\rm hiding} \ge 0$ that goes to zero as some security parameter goes to infinity. Second, a bit commitment protocol is binding if, when Alice follows the protocol and Bob deviates arbitrarily from the protocol, the probability $p_i$ that Bob successfully unveils the bit $b = i$ satisfies $p_0 + p_1 \le 1 + \epsilon_{\rm binding}$, for $i \in \{0, 1\}$, and for some $\epsilon_{\rm binding} \ge 0$ that goes to zero as some security parameter goes to infinity. The hiding and binding properties are also called security against Alice and security against Bob, respectively, when Bob is the committing party.

Quantum oblivious transfer
In a 1-out-of-2 oblivious transfer (OT) protocol [71], Alice inputs two strings of $n$ bits, $x_0$ and $x_1$, initially secret from Bob. Bob inputs a bit $b$, initially secret from Alice. At the end of the protocol, Bob outputs the string $x_b$. Two security conditions must be fulfilled, called security against Alice and security against Bob. Security against Alice states that, if Bob follows the protocol and Alice deviates arbitrarily from the protocol, the probability that Alice guesses Bob's input $b$ satisfies $P_{\rm Alice} \le \frac{1}{2} + \epsilon_{\rm Alice}$, for some $\epsilon_{\rm Alice} \ge 0$ that goes to zero as some security parameter goes to infinity. Security against Bob states that, if Alice follows the protocol and Bob deviates arbitrarily from the protocol, Bob cannot learn both strings $x_0$ and $x_1$; this can be quantified by stating that the probability that Bob obtains both messages satisfies $P_{\rm Bob} \le \epsilon_{\rm Bob}$, for some $\epsilon_{\rm Bob} \ge 0$ that goes to zero as some security parameter goes to infinity.
1-out-of-m OT cannot be implemented with unconditional security in quantum cryptography [53]. This impossibility theorem holds even in the setting of relativistic quantum cryptography [55], although some relativistic variations of the task can be achieved with unconditional security [22-24]. However, 1-out-of-2 OT can be implemented securely in the noisy storage model [58, 59].

Quantum coin flipping
In strong coin flipping, Bob and Alice, who are at distant locations, obtain a bit $a$ that is random and which cannot be biased by either of them. A strong coin flipping protocol must satisfy security against Alice and security against Bob. Security against Alice (Bob) states that if Alice (Bob) follows the protocol and Bob (Alice) deviates arbitrarily from the protocol, and Alice (Bob) obtains as outcome the bit $a$, then it holds that $P(a = i) \le \frac{1}{2} + \epsilon$, for $i \in \{0, 1\}$, and for some $\epsilon \ge 0$ that goes to zero as some security parameter goes to infinity.
Although there are relativistic protocols for strong coin flipping that are unconditionally secure [27], quantum nonrelativistic protocols for strong coin flipping cannot achieve unconditional security [50]. However, there are quantum nonrelativistic protocols for strong coin flipping that unconditionally guarantee some level of security, in that the bias a dishonest party can give the coin is bounded below one [51, 52, 72-76].
Appendix D: Multi-photon attacks on experimental demonstrations of mistrustful cryptography protocols

Some of the quantum protocols discussed in the previous section offer unconditional security guarantees; others offer security based on technological assumptions. Over the past decade, they have been implemented in pioneering experimental demonstrations (e.g. [13,14,30,60,61]), often adapting quantum key distribution technology. Refs. [60,61] demonstrated quantum bit commitment and 1-out-of-2 quantum oblivious transfer in the noisy storage model. Ref. [30] demonstrated quantum coin flipping performing better than classical protocols over a distance of several kilometres, gaining three orders of magnitude in communication distance over previous experiments. Refs. [13,14] implemented quantum relativistic bit commitment protocols for the first time, showing that the protocol of Ref. [12] can be implemented in practice, over short and long range.
Two of us (E.D. and A.K.) have contributed to this work. Scientific honesty compels us to acknowledge that we did not appreciate all the obstacles to attaining provable and truly unconditional security in practical implementations of mistrustful quantum cryptographic protocols. In hindsight, we believe the implementations [13,14,30,60,61] may be best seen as proofs of principle. They show that some key technological challenges in implementing the protocols have been met and give significant and valuable security guarantees based on assumptions about the parties' behaviour and technology that are natural in some scenarios. However, more work appears to be required to deliver provably unconditional security. In particular, provable unconditional security against Alice (i.e. the sender of the quantum states, in our convention) requires implementing techniques countering the various side-channel and multi-photon attacks we have described and showing that her cheating probability can thus be made arbitrarily close to the ideal bound (which in most cases is zero).
Users and developers of mistrustful quantum cryptosystems may also need to consider whether some technological assumptions may be both necessary and sufficient in practical implementations, even for protocols that are theoretically unconditionally secure, given the difficulty in provably countering every possible side-channel attack.
We will discuss Refs. [13,14,30,60,61] separately below. We should first note that reanalysing previous implementations in the light of our attacks is not completely straightforward. Although the relevant papers are generally very clear and comprehensive, experimental details that at the time may not have seemed significant were not always given. For example, some of the experiments used off-the-shelf quantum key distribution equipment which may have been programmed either to discard double clicks or choose a random outcome. After discussing with colleagues, we understand it may not now be possible to say with certainty which option was used. This is unimportant for the future of the field. We believe we should note, though, when (what we now realise are) significant instructions are missing from the published reports, since future users trying to reproduce or improve on previous implementations may rely on these. Ref. [60] explicitly states that only single click detection events are reported by Bob as valid measurement outcomes, while Refs. [13,30,61] do not say whether multiple clicks are reported by Bob or not.
A related issue is the question of precisely how the symmetrization of losses technique was or might have been implemented. This technique was introduced by Ref. [60] and claimed to guarantee security against Alice by Refs. [13,30,60,61]. Indeed, as Lemma 2 states for the symmetrization of losses with setup I (see Fig. 1 of the main text), as applied by Ref. [30], for example, security against Alice is guaranteed when she does not send multi-photon pulses, if Bob reduces the probability of assigning a measurement outcome due to a single click event $(c, c)$ by a suitable factor $S_{cc\beta}$, for $c, \beta \in \{0, 1\}$. A similar result is shown by Lemma 9 below in a setup with four detectors (setup II, see Fig. 5), as implemented by Refs. [60,61]. However, the original symmetrization of losses technique [60] treats multiple clicks as invalid, and thus does not provide effective protection against multi-photon attack I. A natural defence against this attack is to report multiple clicks as valid measurement outcomes. However, one then needs to define an extension of the symmetrization of losses reporting strategy applicable to multiple click outcomes. A general extension of symmetrization of losses in setup I is what we have defined as reporting strategy III in (8). As Fig. 4 illustrates, the efficiency differences need to be very small.
We should note that Ref. [13] implemented a slightly different version of symmetrization of losses with setup I which aimed not to symmetrize the detection efficiencies but to symmetrize Bob's detection probabilities for both values of Bob's measurement basis β ∈ {0, 1}. This version of symmetrization of losses naturally incorporates double click events, which can be assigned a random measurement outcome. However, multi-photon attack II still applies.
We also note again that Ref. [14] discussed multiphoton attack I and implemented the countermeasure of reporting single and double clicks. Again, multi-photon attack II still applies.
Below we discuss variations of the multi-photon attacks I and II presented in the main text, as they apply to the protocols of Refs. [13,14,30,60,61]. Because these protocols extend the task of private measurement of an unknown qubit state of the main text to a setting with N > 1 photon pulses in different ways, we need to discuss the attacks separately for each protocol. A summary is given in Table I in the main text.
We note that, as indicated with a dash in Table I, we have not found a clear application of the attack II to the protocol of Ref. [30]. Furthermore, we have not investigated an application of this attack in setup II, introduced below (see Fig. 5), which is used in the protocols of Refs. [60,61]. The reason is that Bob's detection probabilities as functions of the multi-photon states generated by Alice are much more complex to derive for setup II because Bob has four detectors in this case. Our analytic strategy should still apply, but we leave this for future work. The burden of proof, of course, lies on the other side. A full proof of security (within the given model) would require an explicit reporting strategy for setup II and a discussion of the information Alice can obtain from general multi-photon attacks against that strategy when Bob's detector efficiencies are unequal and known to her.
1. Multi-photon attacks on the relativistic quantum bit commitment protocol of Ref. [13]

a. The relativistic quantum bit commitment protocol of Ref. [13]

Ref. [13] (co-authored by one of us) demonstrated the quantum relativistic bit commitment protocol of Ref. [12], using an extra stage of pre-processing to allow commitments to be made by the pre-agreed actions of parties separated by several thousand kilometres. We discuss here the application of multi-photon attacks on the protocol (as presented) and show that it does not guarantee hiding with unconditional security if the committer's detectors have unequal efficiency and the committee becomes aware of the efficiencies. Ref. [13] takes Bob as the committing party. We follow this convention below.
The protocol of Ref. [13] is a relativistic quantum protocol. The attacks that we present below are implemented in the quantum stage of the protocol, which is nonrelativistic. For this reason, here we only need to discuss the quantum stage.
The nonrelativistic quantum stage of the protocol is as follows. Alice and Bob use setup I discussed in the main text and illustrated in Fig. 1. Ref. [13] implemented the following version of the symmetrization of losses strategy. Bob tests his system by implementing the protocol agreed with Alice, with the agreed experimental parameters. Then, Bob computes the ratio $R = n_0/n_1$, where $n_\beta$ is the number of pulses producing valid measurement outcomes when Bob measures all pulses in the basis $B_\beta$, for $\beta \in \{0, 1\}$. Then, when implementing the protocol with Alice, Bob performs the following actions. If $R \le 1$, when a pulse produces a click, Bob sets $m = 1$ and assigns a valid measurement outcome with probability $R$ if $\beta = 1$, or with unit probability if $\beta = 0$. On the other hand, if $R > 1$, when a pulse produces a click, Bob sets $m = 1$ and assigns a valid measurement outcome with probability $1/R$ if $\beta = 0$, or with unit probability if $\beta = 1$. This effectively makes Bob's detection probabilities for the cases $\beta = 0$ and $\beta = 1$ equal when both parties follow the protocol. We note that Ref. [13] does not explicitly say whether this procedure applies only to single clicks, or to single and double clicks, although we understand that double clicks were probably counted.
However, we need to consider cheating strategies available to Alice. We make some simplifying assumptions (which if anything reduce the power of cheating attacks) to illustrate these. We assume that $B_0$ and $B_1$ are the computational and Hadamard bases, respectively, as in Ref. [13]. We assume that Bob uses the single photon threshold detectors $D_0$ and $D_1$ to register outcomes associated with the states $|0\rangle$ ($|+\rangle$) and $|1\rangle$ ($|-\rangle$) if $\beta = 0$ ($\beta = 1$). We assume that $\eta_{i\beta} = \eta_i \in (0, 1)$, for $i, \beta \in \{0, 1\}$. Since Bob cannot guarantee his detectors to have exactly the same efficiencies, we assume that $\eta_0 \ne \eta_1$. Without loss of generality, we assume that $1 > \eta_0 > \eta_1 > 0$. We also assume that Alice's preparation devices and Bob's measurement devices are perfectly aligned. Thus, random BB84 states are prepared exactly by Alice. Bob randomly chooses $\beta \in \{0, 1\}$ and measures all pulses exactly in the basis $B_\beta$, where $B_0$ and $B_1$ are exactly the computational and Hadamard bases, respectively. We note from these assumptions that, due to symmetry, the detection probabilities when Bob measures in the basis $B_0$ are the same as the detection probabilities when Bob measures in the basis $B_1$. Thus, for large $N$, the ratio $R$ obtained by Bob in his symmetrization of losses strategy is very close to unity. We assume here that $R = 1$.

b. Multi-photon attack I
Suppose that Bob only assigns valid measurement outcomes to pulses that produce a click in only one of his detectors. Furthermore, we assume that Bob applies the symmetrization of losses strategy described above. As discussed in the main text, Alice can implement multi-photon attack I and gain information about Bob's measurement basis B_β. To illustrate this, consider a setup in which Alice's polarization preparation devices and Bob's polarizers are precisely aligned. Alice can send a pulse with a large number of photons k in the same polarization state chosen from S; for example, ρ = (|0⟩⟨0|)^{⊗k}. If Bob measures the pulse in the basis B_0 then the detection event (c_0, c_1) = (1, 0) occurs with high probability, giving m = 1 with unit probability if R ≤ 1, or with probability 1/R if R > 1. If Bob measures in the basis B_1 then the detection event (c_0, c_1) = (1, 1) occurs with high probability, giving m = 0. Thus, given m, Alice can learn β with high probability. Note that this attack applies whether or not η_0 = η_1.
In practice, Alice and Bob's devices cannot be perfectly precise. However, Alice can still learn significant information about Bob's bit β from the message m with an appropriate choice of k. In particular, Alice can send Bob photon pulses prepared with a coherent source with average photon number µ ≫ 1 and guess Bob's bit β with probability close to unity, as our experimental simulation shows (see Fig. 2 of the main text). Furthermore, Alice can increase her probability of guessing β by sending Bob several pulses with a large number of photons.
Partial countermeasures that Bob can apply against these attacks are the following. First, Bob can use reporting strategy II and assign a random outcome when a double click is obtained; or he can use reporting strategy III with the parameters of Lemma 7. Lemma 1 shows that reporting strategy II is perfectly effective if Bob's detectors have exactly equal efficiencies. Lemmas 6 and 7 guarantee that, if the efficiencies of Bob's detectors are sufficiently close, then Alice can obtain little information about β if Bob applies reporting strategy II or III, with the parameters of Lemma 6 or 7, respectively. However, as Fig. 4 illustrates, the efficiency differences need to be very small. Second, Bob can abort the protocol if a fraction of pulses greater than r^max_double ∈ (0, 1), previously agreed with Alice, produces double clicks.

c. Multi-photon attack II
As noted above, multi-photon attack I would apply if Bob discarded double clicks as invalid measurements. We thus assume that Bob sends Alice the message m = 1 for each pulse sent by Alice that produces a click in at least one of his detectors. We also assume that Bob applies the countermeasure against multi-photon attacks in which he aborts if he observes a ratio of double click events higher than a maximum value r^max_double ∈ (0, 1) agreed with Alice. We present a multi-photon attack by Alice that for certain parameters allows Alice to guess Bob's bit β with probability approaching unity as the number of pulses N of the protocol increases.
Alice generates two nonempty and nonintersecting subsets of [N], Ω_protocol and Ω_attack, satisfying Ω_protocol ∪ Ω_attack = [N]. Let a = |Ω_attack|/N. It follows that |Ω_attack| = aN and |Ω_protocol| = (1 − a)N, with a ∈ (0, 1). Alice sends Bob N photon pulses. The polarization degrees of freedom of each of the pulses with labels from the set Ω_protocol are prepared by Alice in a quantum state as established in the protocol agreed with Bob. Each of the pulses with labels from the set Ω_attack is prepared by Alice with k* > 1 photons, encoding in the polarization a quantum state ρ. Let P_protocol(1|β) and P_attack(1|β) be the probabilities that a pulse with label from the set Ω_protocol or Ω_attack, respectively, activates a detection in at least one of the two detectors, i.e. that Bob sends Alice the message m = 1 for that pulse, when Bob measures the pulses in the basis B_β, for β ∈ {0, 1}.
Alice chooses k*, ρ and a in such a way that: 1) the probability that there are more than N r^max_double double clicks in Bob's detectors is negligible; and 2) it holds that g_1(a, ρ, k*) > g_0(a, ρ, k*) > 0, where

g_β(a, ρ, k*) = a P_attack(1|β) + (1 − a) P_protocol(1|β), (D2)

for β ∈ {0, 1}. Let Z_β denote the random variable corresponding to the number of pulses for which at least one of Bob's two detectors clicks when Bob measures in the basis B_β, and let E(Z_β) denote its expectation value, for β ∈ {0, 1}. We have that for β ∈ {0, 1}. Thus, from (D1) and (D3), we have Alice defines a parameter δ ∈ (0, 1) satisfying If the number of events Z reported by Bob to give at least one click, i.e. for which Bob sends the message m = 1 to Alice, is smaller than G_N, Alice guesses that Bob measured in the basis B_0; otherwise Alice guesses that Bob measured in the basis B_1. It follows that Alice's average probability of guessing Bob's bit β in this attack is given by where in the last line we used (D3) and two Chernoff bounds [77]. Thus, since g_β(a, ρ, k*) > 0 for β ∈ {0, 1}, we see from (D6) that P_guess approaches unity with increasing N.

A possible countermeasure by Bob against this type of attack is to measure suitable statistical properties of the pulses sent by Alice. For example, Bob may modify his setup by adding more beam splitters and single photon detectors. In this way, Bob can measure the number of pulses producing clicks across different combinations of his detectors. If Bob observes statistics that deviate considerably from the statistics expected in the protocol agreed with Alice, Bob may abort the protocol.

d. Example of multi-photon attack II: a double-photon attack
Suppose Bob reports double clicks, i.e. sends the message m = 1 to Alice and randomly chooses the outcome.
We present an attack by Alice in which the photon statistics of the pulses that she sends to Bob correspond to those agreed for her weak coherent source. Thus, there is no way in which Bob can know that Alice is cheating.
We illustrate the attack on an implementation with parameters N = 2 × 10^7, η_0 = 0.12, η_1 = 0.08, d_0 = d_1 = 10^{−5} and a weak coherent source with average photon number µ = 0.05. The values η_0 = 0.12 and η_1 = 0.08 are consistent with an uncertainty of 0.02 in the detection efficiencies, which is a common value. We show that Alice can guess Bob's bit β with failure probability smaller than 0.035. Our example shows that Alice could in principle undetectably exploit the difference in Bob's detector efficiencies, within their experimental uncertainty, to guess Bob's input β with high probability, for some values of the experimental parameters.
Note that the actual experimental parameters reported in Ref. [13] are different: N = 2.2 × 10^6, η ≈ 0.06 and µ = 0.05. The values of d_0, d_1 and the uncertainties of Bob's detection efficiencies were not reported by Ref. [13]. Even if we assume the above values for d_0 and d_1 and uncertainties of the detection efficiencies not greater than 0.02, we have not shown that the attack discussed allows Alice to guess β with probability close to unity in the experiment actually implemented. What our illustration shows is that reproducing the implementation with modestly different and plausible parameters leads to an unnoticed insecurity.
As discussed in the main text, we assume that Alice knows the detection efficiencies η 0 and η 1 of Bob's respective detectors D 0 and D 1 . This is, for example, because Alice has manufactured the detectors used by Bob, or because she has obtained information about their detection efficiencies in some other way. We also assume that Alice can know the number of photons for each pulse prepared by her weak coherent source. In particular, we assume that Alice knows which of her prepared pulses have two photons. Alice prepares the states perfectly. These assumptions might seem very strong. But these are standard assumptions when trying to show unconditional security against Alice, in which it is assumed that Alice has access to perfect technology and is only limited by the laws of physics.
Furthermore, we assume that Bob does not know the values of η_0 and η_1. For example, Bob only knows that η_0 and η_1 are within some (possibly small) range given by their assigned uncertainties. We assume that both Bob and Alice know the dark count probabilities d_0 and d_1 of Bob's detectors.
In her attack, as required by the protocol agreed with Bob, Alice prepares N pulses with a weak coherent source of average photon number µ, with all the photons in each pulse encoding the same qubit state, which is randomly chosen from the BB84 set for each pulse. Alice sends the N pulses to Bob with their labels j ∈ [N]. Let Ω be the set of labels of pulses with two photons prepared in the state |0⟩, and let Ω_{rep,β} be the set of labels from Ω for which Bob sends Alice the message m = 1, i.e. for which he assigns a valid measurement outcome, when he measures the pulses in the basis B_β, for β ∈ {0, 1}. The probability that a pulse prepared by Alice has two photons is p_2 = e^{−µ} µ²/2. Let N_0 = |Ω| and N_0^{rep,β} = |Ω_{rep,β}|, for β ∈ {0, 1}. In her attack, Alice focuses only on the labels of pulses from the set Ω_{rep,β}, with the goal of guessing the value of β ∈ {0, 1}.
Let P_β(i) be the probability that a pulse of two photons that Alice prepares in the state |0⟩ activates a detection in at least one of Bob's two detectors if i = 1, and that it does not activate any detection if i = 0, when Bob measures in the basis B_β, for β ∈ {0, 1}. We compute P_β(i) for i, β ∈ {0, 1} below and show that P_0(1) > P_1(1) > 0 for η_0 > η_1 > 0. Thus, we have E(N_0^{rep,0} is the expectation value of the random variable N_0^{rep,β}, for β ∈ {0, 1}. Therefore, since P_0(1) > P_1(1) > 0, we can find numbers δ > 0 and G such that It is straightforward to obtain that ≤ G, Alice guesses β = 1, otherwise she guesses β = 0. As we show below, from (D8) and from Chernoff bounds, Alice's probability of failure P_fail in guessing β is very small for N large enough.
We compute an upper bound on Alice's probability of failure P_fail. From (D9), and since we show below that P_0(1) > P_1(1) > 0 follows from η_0 > η_1 > 0, we have 0 < δ < 1. It follows that where in the first line we used the definition of Alice's guessing strategy; in the second line we used (D8), 0 < δ < 1 and Chernoff bounds [77]; and in the last line we used (D7). Thus, we see from (D11) that Alice's probability of failure can be negligible for N large enough.
It is important to note that Bob's reported detection frequencies are the same in both cases: 1) when he measures all the received pulses in the computational basis (β = 0), and 2) when he measures all the received pulses in the Hadamard basis (β = 1). This is easy to see by noting the following. First, Alice prepares BB84 states randomly. Second, Bob's detection probabilities for pulses prepared by Alice in the state |0⟩ (|1⟩) and measured by Bob in a basis B_β are the same as for pulses prepared by Alice in the state |+⟩ (|−⟩) and measured by Bob in the basis B_β̄, and vice versa. Thus, in the symmetrization of losses strategy implemented by Bob he obtains a ratio R very close to unity, for large N. We conclude from this attack that the symmetrization of losses strategy does not guarantee to Bob that Alice cannot obtain information about his choice of basis β. It follows that the experimental demonstration of bit commitment of Ref. [13] is not hiding; hence, it is not unconditionally secure.
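The double-photon analysis above can be checked numerically. The following Python script is an added example, not code from the paper or from Ref. [13]. It models Bob's two threshold detectors with the illustrative values N = 2 × 10^7, η_0 = 0.12, η_1 = 0.08, d_0 = d_1 = 10^{−5} and µ = 0.05 used in this section, computes P_β(1) for a k-photon pulse prepared in |0⟩ (generalising the k = 2 case of the text to any k), the expected sample size N_0, a Chernoff bound on the failure of a count-threshold guess of the kind used in sections c and d, and a seeded Monte Carlo estimate. The function names, the choice of the midpoint between the two expected counts as threshold, and the particular multiplicative Chernoff forms are the example's own; the paper's δ and G from (D8) and (D9) are not reproduced here. Running the same function with η_0 = η_1 shows why equalising the efficiencies (for instance with calibrated attenuators, as discussed below for Ref. [14]) removes this leak entirely.

```python
"""Modelling the detector-efficiency leak exploited by the double-photon attack.

Constructed example: P_beta(1) for a k-photon pulse in |0>, the expected size of
Alice's sample, a Chernoff bound on the failure of a count-threshold guess, and a
Monte Carlo check. With eta0 == eta1 the two bases give identical click statistics.
"""
import math
import random

# Illustrative parameters from the text (a constructed setting, not Ref. [13]'s values).
N = 2 * 10**7               # pulses sent in the protocol
ETA_0, ETA_1 = 0.12, 0.08   # efficiencies of Bob's detectors D_0 and D_1
D_0, D_1 = 1e-5, 1e-5       # dark count probabilities of D_0 and D_1
MU = 0.05                   # mean photon number of Alice's weak coherent source


def p_click_zero_state(k, beta, eta0=ETA_0, eta1=ETA_1, d0=D_0, d1=D_1):
    """P_beta(1): probability that a k-photon pulse prepared in |0> produces a click
    in at least one of Bob's detectors when he measures in basis B_beta
    (B_0 computational, B_1 Hadamard). Generalises the k = 2 case of the text."""
    no_dark = (1 - d0) * (1 - d1)
    if beta == 0:
        # Every photon is routed to D_0; all k escape detection with prob (1-eta0)^k.
        p_no_click = (1 - eta0) ** k * no_dark
    else:
        # In the Hadamard basis each photon independently reaches D_0 or D_1 (prob 1/2);
        # j photons at D_0 and k-j at D_1 are all missed with prob (1-eta0)^j (1-eta1)^(k-j).
        p_no_click = no_dark * sum(
            math.comb(k, j) * 0.5**k * (1 - eta0) ** j * (1 - eta1) ** (k - j)
            for j in range(k + 1)
        )
    return 1 - p_no_click


def expected_two_photon_zero_pulses(n=N, mu=MU):
    """Expected number N_0 of pulses carrying exactly two photons in the state |0>.
    p_2 = e^{-mu} mu^2 / 2 is the Poissonian two-photon probability; |0> is one of
    four equiprobable BB84 states."""
    p2 = math.exp(-mu) * mu**2 / 2
    return n * p2 / 4


def chernoff_failure_bound(n0, p0, p1):
    """Average over beta of multiplicative Chernoff bounds on the failure of the
    midpoint threshold rule: reported count <= G -> guess beta = 1, else beta = 0.
    Requires p0 > p1 > 0 so that 0 < delta < 1 in both bounds."""
    mu0, mu1 = n0 * p0, n0 * p1
    threshold = (mu0 + mu1) / 2
    delta_low = 1 - threshold / mu0       # P(X <= (1-d) mu0) <= exp(-d^2 mu0 / 2)
    delta_high = threshold / mu1 - 1      # P(X >= (1+d) mu1) <= exp(-d^2 mu1 / 3)
    fail_beta0 = math.exp(-delta_low**2 * mu0 / 2)
    fail_beta1 = math.exp(-delta_high**2 * mu1 / 3)
    return (fail_beta0 + fail_beta1) / 2


def simulate_guess_failure_rate(n0, p0, p1, trials=100, seed=1):
    """Monte Carlo estimate: for each basis, draw Bob's reported count over n0 pulses
    and apply the threshold rule; returns the fraction of wrong guesses."""
    rng = random.Random(seed)
    threshold = n0 * (p0 + p1) / 2
    failures = 0
    for beta, p in ((0, p0), (1, p1)):
        for _ in range(trials):
            count = sum(1 for _ in range(n0) if rng.random() < p)
            guess = 1 if count <= threshold else 0
            failures += int(guess != beta)
    return failures / (2 * trials)


if __name__ == "__main__":
    p0, p1 = p_click_zero_state(2, 0), p_click_zero_state(2, 1)
    n0 = round(expected_two_photon_zero_pulses())
    print(f"P_0(1) = {p0:.6f}, P_1(1) = {p1:.6f}, N_0 ~ {n0}")
    print(f"Chernoff bound on failure: {chernoff_failure_bound(n0, p0, p1):.4f}")
    print(f"Monte Carlo failure rate: {simulate_guess_failure_rate(n0, p0, p1):.4f}")
    # Countermeasure check: equalised efficiencies make the two bases indistinguishable.
    eq0 = p_click_zero_state(2, 0, eta0=0.08, eta1=0.08)
    eq1 = p_click_zero_state(2, 1, eta0=0.08, eta1=0.08)
    print(f"Equal efficiencies: P_0(1) - P_1(1) = {eq0 - eq1:.2e}")
```

For the parameters above the script gives P_0(1) ≈ 0.2256 and P_1(1) ≈ 0.1900 over roughly 5945 two-photon |0⟩ pulses, so the two expected counts differ by about 210 while their standard deviations are about 30; the averaged Chernoff bound on the failure probability comes out near 0.026, consistent with the value below 0.035 quoted in the text. The equal-efficiency run returns a difference of zero up to floating-point rounding, which is the quantitative content of the attenuator countermeasure.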
The previous attack can straightforwardly be extended in various ways. For example, Alice may try to guess Bob's measurement choice β ∈ {0, 1} from the pulses for which Bob reported m = 1 that Alice prepared in some particular state |ψ⟩ from the BB84 set with some particular number of photons k, or with a number of photons in some range, for example k ≥ 2. More generally, the idea of the previous attack is that Alice follows the protocol agreed with Bob, but is still able to exploit the fact that Bob's detectors have different detection efficiencies η_0 ≠ η_1, and that she has some knowledge about η_0 and η_1.
In the previous attack and the extensions discussed above, Alice follows the protocol agreed with Bob, i.e. she prepares BB84 states randomly with a weak coherent source set to a small average photon number µ previously agreed with Bob. This guarantees to Alice that Bob cannot detect her cheating, because Alice is following the agreed protocol. In more general attacks, Alice may deviate from the agreed protocol in various ways. For example, she may prepare BB84 states with a probability distribution different from uniform, she may prepare more general states, she could prepare some photon pulses with a different average photon number, she could use different photon sources, etc. However, all these deviations from the agreed protocol may in principle be detected by Bob. Bob could, for example, apply some specific quantum measurements to a subset of the received pulses and verify that the detection probabilities and the outcome probabilities correspond to the values expected in the agreed protocol.
We note that the previous attack exploits the fact that the probability that Bob reports the detection of a pulse is different for the two measurement bases. A partial countermeasure against this attack, or its extensions, consists in implementing a nontrivial probabilistic reporting strategy, discussed in the main text, with appropriate values of the reporting probabilities S_{c_0 c_1 β}, for c_0, c_1, β ∈ {0, 1}. However, as shown in Theorem 1 of the main text, for any nontrivial probabilistic reporting strategy applied by Bob, Alice can obtain some information about Bob's chosen bit β. Thus, this countermeasure cannot be perfectly effective.
e. Extending the bounds of

We recall that in Ref. [13] Bob applies a particular form of the symmetrization of losses as reporting strategy, in which the goal is to symmetrize his detection probabilities for both his choices β ∈ {0, 1} of measurement basis. However, below we deduce an upper bound on the probability that Alice can guess Bob's bit β when Bob applies either reporting strategy II or reporting strategy III, with the parameters of Lemmas 6 and 7, respectively.
The bounds of Lemmas 6 and 7 apply to the bit commitment protocol of Ref. [13] when Alice implements a multi-photon attack consisting of a single pulse of photons and Bob applies reporting strategy II or III, respectively. Thus, Lemma 5 implies an upper bound on Alice's probability of guessing Bob's bit β with a multi-photon attack of a single pulse. Alice can extend her attack by sending several multi-photon pulses. In principle, all N pulses that Alice sends Bob in the protocol can be chosen by Alice as multi-photon pulses with appropriately chosen photon numbers k. Lemmas 5 and 6, or 5 and 7, can be used to deduce an upper bound on Alice's probability P_guess of guessing β in this more general case, when Bob applies reporting strategy II or III, respectively.
Let us assume for now that Bob applies an arbitrary reporting strategy. For i ∈ [N], let k_i be the number of photons encoded in the polarization degrees of freedom of the ith pulse. We define B_i as a number satisfying for the reporting strategy applied by Bob, and for any quantum state ρ_i of k_i qubits encoded in the k_i photons of the ith pulse, which may be entangled among the k_i qubits, and which may also be entangled with any other quantum systems. For example, if Bob applies reporting strategy II with the parameters of Lemma 6 then B_i can be given by the bound B_II of Lemma 6, which is valid for any k_i ∈ {0, 1, 2, ...}. If Bob applies reporting strategy III with the parameters of Lemma 7 then B_i can be given by the bound B_III of Lemma 7, which is valid for any k_i ∈ {0, 1, 2, ...}. Furthermore, if Bob applies reporting strategy III with the parameters of Lemma 2 and k_i ∈ {0, 1} then B_i can be given by the bound B_III^{k_i} of Lemma 2. We show below that for any multi-photon attack by Alice.

If Bob applies reporting strategy II with the parameters of Lemma 6 then we have from (D15) and from Lemma 6 that for any multi-photon attack by Alice. However, as illustrated in Fig. 4, the bound B_II of Lemma 6 is not very small even for relatively close values of the detection efficiencies. Since N is usually required to be large in order to guarantee security against Bob (for example, N = 2.2 × 10^6 in the protocol of Ref. [13]), the upper bound on P_guess given by (D16) is not smaller than unity in any practical case. It seems that our bounds would be more useful if Bob applies reporting strategy III instead.

Suppose that Bob applies reporting strategy III with the parameters of Lemma 7. From the N pulses that Alice sends Bob, let N_empty, N_single and N_mult be the number of pulses with zero photons, with one photon, and with more than one photon, respectively.
Suppose that Bob can guarantee with probability at least 1 − ε that for some 0 ≤ ε ≪ 1. Bob could guarantee this by aborting if the number of pulses not producing any click is below a threshold, or if the number of double clicks is above a threshold, for instance. These thresholds must be chosen carefully so that the probability that Bob aborts is negligible if Alice and Bob follow the agreed protocol. Since, from Lemmas 2 and 7, we have B_III^0 ≤ B_III^1 ≤ B_III for δ small enough, it follows from (D15), from (D17) to (D19), and from Lemmas 2 and 7 that

(D20)

Bob can always guarantee (D17) and (D19) with δ_empty = 1 and any δ_mult ∈ [0, 1]. In this case, if (D18) is also satisfied, then (D20) reduces to We see from Lemma 2 that B_III^1 ≤ 11δ + 3δ². Thus, if the dark count probabilities are small enough, more precisely if Nδ ≪ 1, then the bound (D21) can guarantee P_guess − 1/2 ≪ 1/2 if ε ≪ 1 and N δ_mult B_III ≪ 1. The bound (D21) seems promising in protocols agreed by Alice and Bob where the fraction of pulses with more than one photon is small enough. For example, if in the protocol agreed with Bob, Alice has a source of pairs of entangled photons in which she measures one of the photons and sends the other one to Bob, with transmissions considered valid if Alice obtains a measurement outcome, the probability that a pulse has more than one photon is very small. Thus, Bob expects that the fraction of pulses with more than one photon is small, if Alice follows the agreed protocol.
The bound (D20) with δ_empty ≪ 1 seems promising in protocols agreed by Alice and Bob where the fraction of pulses with more than one photon is small enough and the fraction of empty pulses is large enough. For example, if in the protocol agreed by Alice and Bob Alice uses a weak coherent source with small average photon number µ, the probability that a pulse is empty is p_0 = e^{−µ} ≈ 1, and the probability that a pulse has more than one photon is p_mult = 1 − (1 + µ)e^{−µ} ≪ 1. Thus, Bob expects that the fraction of empty pulses is large and the fraction of pulses with more than one photon is small, if Alice and Bob follow the agreed protocol.
If useful partial security can indeed be attained with current technology by (for example) these methods, it would be worth exploring whether greater security can be attained by extending the bit commitment protocols. Suppose for example that one can implement a bit commitment protocol with a guarantee that P_guess < 1/2 + ε_hiding and p_0 + p_1 < 1 + ε_binding, where ε_hiding ≪ 1/2 and ε_binding is very small. This guarantee may be conditional on some assumptions, for example that Alice only uses photonic sources, with no side-channel attacks. One could then, for example, consider a new protocol with M iterations of the above as sub-protocols in which Bob commits to bits z_1, ..., z_M. The new protocol then commits Bob to the XOR bit z = z_1 ⊕ ... ⊕ z_M. If Alice carries out only the attacks we have described separately on each iteration, she obtains incomplete information about each z_i. Hence, by the piling-up lemma [78], her information about the committed bit z tends to zero as M gets large. However, whether Alice has more powerful attacks (under the given assumptions) needs to be analysed, as does the dependence of ε_binding on M.
We leave as open problems to investigate whether the bounds (D20) and (D21) can provide useful security in practice and (if so) whether variant protocols offer further practical security advantages. Similar comments apply to the other implementations of bit commitment schemes discussed below.
We show (D15). In an arbitrary multi-photon attack, Alice encodes a quantum state ρ in the N photon pulses that Alice sends Bob. Each pulse has an arbitrary number of photons chosen by Alice. The state ρ is an arbitrary entangled state among all the qubits encoded by the polarization degrees of freedom of the photons in the N pulses, which can also be entangled with an ancilla held by Alice.
Bob sends Alice a message m = (m_1, ..., m_N) ∈ {0, 1}^N indicating that the jth pulse produced a valid measurement outcome if m_j = 1, or otherwise if m_j = 0, for j ∈ [N]. Let P(m|β) be the probability that Bob sends the message m ∈ {0, 1}^N when he measures in the basis B_β, and let P_β denote the probability distribution of m ∈ {0, 1}^N given β, for β ∈ {0, 1}. The probability P_guess that Alice guesses Bob's bit β satisfies where ‖P_0 − P_1‖ is the variational distance between the probability distributions P_0 and P_1, where in the second line we used the definition of the variational distance, and where m runs over {0, 1}^N. We show below that Thus, from (D22) and (D23) we obtain the bound (D15).
Let m_0 = 1. We have where P_i(j_i | j_0 j_1 ··· j_{i−1} b) is the probability that m_i = j_i given that m_l = j_l and that β = b, for (j_0, . . . , . From (D23) and (D24) we see that (D23) follows from We show (D25). Let ρ_i(j_1 ... j_{i−1} b) be the quantum state encoded in the k_i photon-polarization qubits of the ith pulse when m_l = j_l and β = b, for l ∈ {1, 2, ..., i − 1}, b ∈ {0, 1} and i ∈ [N]. We see that Thus, from (D14), we have We show (D25) by induction. We first show (D25) for the case N = 1. We have, as claimed, where in the first line we used that P_1(1|m_0 β) = 1 − P_1(0|m_0 β) for β ∈ {0, 1}, and in the second line we used (D27) for the case i = N = 1.
2. Multi-photon attacks on the relativistic quantum bit commitment protocol of Ref. [14]

Ref. [14] demonstrated Kent's [12] quantum relativistic protocol for bit commitment. We show below that there are multi-photon attacks that apply to the protocol of Ref. [14], which imply that this protocol is not perfectly hiding.
In the notation of Ref. [14] Alice is the committer. However, we follow our usual convention, taking Bob to be the committer.
The protocol of Ref. [14] is a relativistic quantum protocol. The attacks discussed below are implemented in the quantum stage of the protocol, which is nonrelativistic. For this reason, here we only need to discuss the quantum stage.
The nonrelativistic quantum stage of the protocol of Ref. [14] is equivalent to the quantum stage of the protocol of Ref. [13], discussed in section D 1 a. Alice and Bob use setup I discussed in the main text and illustrated in Fig. 1 of the main text. Alice's photon source is a weak coherent source with small average photon number µ. Alice sends Bob N photon pulses, each encoding in the polarization a qubit state chosen randomly from the BB84 set. Bob chooses a random bit β. Immediately after their reception, Bob measures each of the N photon pulses in the qubit orthogonal basis B β , where B 0 and B 1 are the computational and Hadamard bases, respectively. In order to deal with losses in the quantum channel, for each pulse sent by Alice, Bob sends Alice a message m = 1 if the pulse produced a valid measurement outcome and m = 0 otherwise.
We note that in the protocol of Ref. [14], there are two setups equivalent to setup I (see Fig. 1 of the main text) that work in parallel. For this reason Bob has four detectors in that protocol. Despite this difference with the setup of Ref. [13], the analyses of section D 1 apply to the protocol of Ref. [14] too, because Alice may simply apply parallel attacks on both setups, or she can choose to apply attacks in only one of the setups.
Unlike in the protocol of Ref. [13], in the protocol of Ref. [14] Bob's committed bit is β. In the multi-photon attacks discussed in section D 1 for the protocol of Ref. [13], Alice tries to guess Bob's bit β. Thus, as discussed below, some of the attacks of section D 1 apply to the protocol of Ref. [14].
Unlike Ref. [13], Ref. [14] does not implement the symmetrization of losses strategy. Instead, Ref. [14] applies the countermeasure in which Bob reports a valid measurement outcome, i.e. sets m = 1, for each pulse for which at least one detector clicks. Thus, multi-photon attack I does not apply.
However, the versions of multi-photon attack II discussed in sections D 1 c and D 1 d apply to the protocol of Ref. [14]. This is because it cannot be guaranteed that Bob's detection efficiencies are exactly equal. In the actual experiment, the measured values of Bob's detection efficiencies were 50.4 ± 1.1%, 50.4 ± 0.4%, 52.4 ± 1.0% and 50.2 ± 1.1% [79]. However, Ref. [14] also makes the important point that Bob could include calibrated attenuators in front of his detectors to make their detection efficiencies equal, in order to defend against attacks exploiting unequal detector efficiencies. As far as we are aware, this is the first discussion of this valuable countermeasure (albeit not in the context of the specific attacks we consider here). We note, though, that even if this countermeasure were implemented, experimental uncertainties would remain. There is no way to guarantee that Bob's detector efficiencies are exactly equal at a given frequency, nor that they are precisely frequency-independent, nor that Alice uses precisely the stipulated frequency.
The upper bound on Alice's probability to guess Bob's bit β derived in section D 1 e assumes that Bob sets m = 1 for pulses producing a click in at least one of Bob's detectors and that Bob's detector efficiencies are not exactly equal. Thus, this bound also applies to the protocol of Ref. [14]. However, this particular bound does not appear strong enough to provide any security guarantee for the parameters of Ref. [14]. It would also be very interesting to explore whether practical security could be attained by a combination of the use of attenuators and other methods, using the results of section D 1 e. For example, Alice could be required to use a single photon source, and Bob could test a subset of the received pulses to ensure that the number of multi-photon pulses is suitably small.

A multi-photon attack on the quantum coin flipping protocol of Ref. [30]

a. The quantum coin flipping protocol of Ref. [30]

Ref. [30] demonstrated a nonrelativistic quantum strong coin flipping protocol and argued that the implementation guaranteed with information theoretic security an upper bound p_c on the probability that an all-powerful malicious party can bias the coin. This bound depends on various experimental parameters, including the honest abort probability and the distance between Bob and Alice, and is strictly smaller than unity for some parameter values (see Figure 2 of Ref. [30], for example). Ref. [30] does not say whether a double detection event is registered as a measurement outcome, and if so, how it is registered. Assuming that Bob only assigns single clicks as valid measurement outcomes, we discuss below how a version of the multi-photon attack I discussed in the main text applies to the protocol of Ref. [30], where Alice succeeds in setting the outcome of the coin flip with probability very close to unity.

As discussed below, if Bob reports single and double clicks as valid measurement outcomes, he can only reduce Alice's success probability in this attack to a value slightly below 7/8. It is not clear whether Ref. [30] obtained an upper bound on the probability P_Alice that dishonest Alice can bias the coin flip that is below 7/8 for any values of the possible experimental parameters, which would mean that this attack violates the bound. In particular, Figure 2

The quantum strong coin flipping protocol of Ref. [30] is the following. First, Alice sends to Bob N photon pulses prepared in states |Φ_{α_i,γ_i}⟩, encoding the bit γ_i in a basis labelled by the bit α_i, together with their labels i, for i ∈ [N] = {1, ..., N} and for a predetermined integer N. The states are given by |Φ_{α_i,0}⟩ = √y |0⟩ + (−1)^{α_i} √(1 − y) |1⟩ and |Φ_{α_i,1}⟩ = √(1 − y) |0⟩ − (−1)^{α_i} √y |1⟩, for α_i ∈ {0, 1}, for some predetermined parameter y ∈ (1/2, 1). We note that B_{α_i} = {|Φ_{α_i,r}⟩}_{r=0}^{1} forms an orthonormal basis, for α_i ∈ {0, 1}. Second, Bob measures the ith pulse in the basis B_{β_i}, where the bit β_i is chosen randomly by Bob, and obtains some bit outcome o_i or does not register any measurement outcome, for i ∈ [N]. We note that due to losses and detection efficiencies smaller than unity, not all pulses produce a detection in Bob's detectors, i.e. Bob does not obtain a measurement outcome for all i ∈ [N]. Let j ∈ [N] be the first pulse for which Bob registers a measurement outcome, which is a bit o_j. Third, Bob generates a random bit b and communicates j and b to Alice. Fourth, Alice communicates α_j and γ_j to Bob. Fifth, Bob checks whether α_j = β_j, in which case Bob aborts if and only if o_j ≠ γ_j. If α_j ≠ β_j, Bob does not abort. If Bob does not abort then Bob and Alice agree that the outcome of the coin flip is a = γ_j ⊕ b, i.e. the XOR of the bit b given by Bob and the bit γ_j given by Alice. Ref. [30] implemented the technique of symmetrization of losses presented in Ref. [60] and discussed in the main text.

In the attack we describe below, we assume that in the protocol of Ref. [30] double clicks are not assigned as valid measurement outcomes by Bob and that the symmetrization of losses technique is implemented as described in the main text. Thus, we assume that Bob assigns a valid measurement outcome to the detection event (c, c̄) with some probability S_{c c̄ β} > 0 when he measured a pulse in the basis B_β, in such a way that S_{c c̄ β} satisfies the conditions of Lemma 2 in the main text, for c, β ∈ {0, 1}. Let S_min = min{S_{c c̄ β}}_{c,β∈{0,1}}. In particular, it is stated by Ref. [30] that there was no important deviation between the frequencies of detection events for the two measurement bases applied by Bob. However, Ref. [30] reports a ratio of approximately 0.68 in the number of detections observed by Bob in his two detectors, giving a value of S_min = 0.68. Thus, in the protocol implemented with Alice, Bob assigned valid measurement outcomes to detection events of his detector with the higher number of detections with probability 0.68, and to detection events of his detector with the lower number of detections with unit probability.

The protocol uses a slight variation of setup I given in the main text (see Fig. 1 of the main text). The experimental setup of Ref. [30] consists of a plug-and-play system with a two-way approach: light pulses at 1550 nm are sent from Bob to Alice, and Alice uses a phase modulator to prepare the qubit states. The pulses are then reflected by a Faraday mirror and attenuated to the desired average photon number before being sent back to Bob. Finally, Bob uses a phase modulator to choose his measurement basis and registers the detection events using two threshold single photon detectors. In practice, we can suppose that the experimental setup is equivalent to setup I given in Fig. 1 of the main text.

b. Multi-photon attack I
In order to present an attack on the quantum coin flipping protocol above, we first make some observations. As in the experimental demonstration of Ref. [30], we assume that Bob uses threshold single photon detectors for registering the outcome of his measurement. A measurement by Bob uses two single photon detectors D_0 and D_1. An outcome o_i corresponds to a detector D_{o_i} registering a detection, for o_i ∈ {0, 1}.
Assuming that Bob only assigns valid measurement outcomes to detection events in which only one of his detectors click and that he applies the symmetrization of losses technique as described above, we present a version of the multi-photon attack I presented in the main text to the protocol of Ref. [30]. We assume that Bob is honest and that Alice is cheating. Alice chooses a set Ω ⊆ [N ] with M elements, for some positive integer M < N . For i / ∈ Ω, Alice does not send any pulses to Bob. For i ∈ Ω, Alice sends a pulse with k photons in the state |Φ αi,γi , where the bits α i and γ i are chosen randomly by Alice. Alice chooses her desired coin flip outcome a. Bob sends the index j ∈ [N ] and the bit b to Alice. Letα j and γ j be the bits that Alice sends Bob, indicating her supposed chosen basis and encoded bit, respectively. Alice setsγ j = b ⊕ a. Ifγ j = γ j then Alice setsα j = α j , otherwise she setsα j = α j ⊕ 1. Alice sendsα j andγ j to Bob.
We show that this attack allows Alice to succeed with very high probability. First, we note that if Bob does not abort and if he assigns at least one measurement outcome, the outcome of the coin flip isγ j ⊕ b, which equals the bit a chosen by Alice. It remains to be shown that the probability that Bob aborts or that he does not assign any measurement outcome is negligible. In order to illustrate the attack more easily, consider an ideal situation in which there are not dark counts at Bob's detectors, Alice's state preparations are perfect and Bob's measurement outcomes do not have errors. Let us also consider the limit k → ∞, i.e. Alice prepares pulses with an infinite number of photons. Thus, we see that Bob can only register detection events at his detectors for pulses with labels from the set Ω. For i ∈ Ω, if β i = α i , i.e. if Bob measures in a basis different to the one of preparation by Alice, then an infinite number of photons go to the detector D 0 and an infinite number of photons go to the detector D 1 ; hence, both detectors register a detection, and Bob does not assign a measurement outcome to the pulse with label i. On the other hand, for i ∈ Ω, if β i = α i , i.e. if Bob measures in the basis of preparation by Alice, then all photons go to the detector D γi ; hence, the detector D γi registers a detection, and Bob assigns the measurement outcome o i = γ i with a probability greater or equal than S min . Thus, the first pulse for which Bob registers a measurement outcome, which has label j, satisfies j ∈ Ω, β j = α j and o j = γ j . The probability for this to hold is the probability that Bob chooses β i = α i and Bob assigns the detector click as a valid measurement outcome for at least one i ∈ Ω, which is easily seen to be greater or equal than 1 − 1 − Smin 2 M .
Therefore, we see that in the case thatγ j = γ j , Alice reportsα j = α j = β j andγ j = γ j = o j ; hence, Bob does not abort. In the case thatγ j = γ j ⊕ 1, Alice reportsα j = α j ⊕ 1 = β j ⊕ 1 andγ j = γ j ⊕ 1 = o j ⊕ 1; hence, Bob does not abort, as in this case β j =α j ⊕ 1. We see that Bob does not abort in any case, and Alice succeeds in her cheating strategy if Bob chooses β i = α i and Bob assigns the detector click as a valid measurement outcome for at least one i ∈ Ω, which occurs with probability greater or equal than 1 − 1 − Smin 2 M . Thus, since S min > 0, for M large enough, Alice can make his cheating probability arbitrarily close to unity.
In practice, Alice cannot send pulses with infinite number of photons, the state preparation and measurements will have some errors, Bob's detectors have nonzero dark count probabilities. However, it is easy to see that an adaptation of the attack discussed above can be applied in a realistic scenario. For example, given the parameters of the protocol agreed by Alice and Bob, Alice can simulate Bob's detection probabilities and choose the set Ω to lie within the first few pulses, and pulses with labels not from the set Ω can be chosen by Alice to have specific average number of photons, in such a way that Bob's detection probabilities are very close to what is expected in the agreed protocol. In practice, N is chosen very large, for example N is of the order of 10 10 in the experimental demonstration of Ref. [30]. Thus, Bob can choose M to be large but small compared to N , for example, M = 40, which gives 1 − Smin 2 M = 6 × 10 −8 , for the value S min = 0.68 reported by Ref. [30]. Alice cannot set the number of photons k of the dishonest pulses to be infinite, but she can set the average photon number to a value µ >> 1 with a coherent source, as in the attack that we have simulated experimentally and discussed in the main text, for example.

c. Partial countermeasures and more general attacks
Bob can apply a partial countermeasure against this attack by assigning a random measurement outcome to detection events in which both of his detectors register a detection. It is straightforward to see that in the ideal attack discussed above with $M = 1$ and assuming there is no symmetrization of losses (i.e. $S_{\min} = 1$), with this partial countermeasure Bob aborts with probability $1/8$, corresponding to the case $\beta_j = \alpha_j \oplus 1 = \hat\alpha_j$, $\gamma_j = b \oplus a \oplus 1 = \hat\gamma_j \oplus 1$ and $o_j = \gamma_j = \hat\gamma_j \oplus 1$. Thus, in this case, assuming that symmetrization of losses is implemented, the probability that Bob does not abort and assigns a valid measurement outcome is greater than or equal to $\tfrac{7}{8} S_{\min}$. Thus, in situations where $S_{\min}$ is close to unity, Alice can succeed with this attack with probability close to $7/8$. It does not help Alice in this case to set $M \gg 1$, as in this case it is not difficult to see that the probability that Bob aborts is greater than or equal to , which approaches unity as $M$ increases. In the attacks discussed above Alice does not send any pulses for $i \notin \Omega$. But this could easily be discovered by Bob if $M = |\Omega|$ is small, as in the case $M = 1$. Alice can refine her attacks by sending pulses with the statistics of the protocol agreed with Bob for $i \notin \Omega$ and by defining $\Omega = \{1, 2, \ldots, M\}$, i.e. letting $\Omega$ correspond to the first $M$ pulses. The attacks presented above apply straightforwardly in this case, and the lower bounds on Alice's success probabilities derived above hold in this case too.
In addition to reporting single and double clicks, a possible extra countermeasure by Bob against the previous attacks is to choose the index $j$ randomly from the set $[N]$, instead of choosing $j$ as the index of the first successfully measured pulse, as in the protocol of Ref. [30]. In this way, Alice cannot effectively choose a small set $\Omega$ for her dishonest multi-photon pulses that guarantees with high probability that $j \in \Omega$. On the other hand, if Alice chooses a large set $\Omega$ then Bob aborts with high probability, as discussed above.
Broadly, what the previous attack illustrates is that, because Alice has the ability to prepare pulses with many photons and because Bob's single photon detectors are threshold detectors, the probabilities of Bob's measurement outcomes are not in general proportional to $\langle\Phi_{\alpha_i,\gamma_i}|\rho|\Phi_{\alpha_i,\gamma_i}\rangle$, for photon pulses prepared by Alice to encode a qubit state $\rho$ in each photon, contrary to the assumption made in the security proof of Ref. [30].

4. A multi-photon attack on the quantum bit commitment protocol of Ref. [60]

a. The quantum bit commitment protocol of Ref. [60]

Ref. [60] demonstrated quantum bit commitment in the noisy storage model. Below, we present an attack on this protocol and show that it is insecure: we show that it is not hiding.
In the protocol of Ref. [60] Alice is the committer. Although this notation is different to the one introduced in section C 1, we follow this notation here because it is consistent with an extension of setup I, which we introduce below. The protocol of Ref. [60] includes a subroutine that uses a setup different to the setup I described in the main text. We call this setup II (see Fig. 5).
In setup II, Alice has a source of pairs of entangled photons. For each pair generated by Alice, she sends a photon to Bob and she measures the other photon randomly in one of two qubit orthogonal bases, $B_0$ and $B_1$. Bob also measures his photon randomly in the bases $B_0$ and $B_1$. Without loss of generality we suppose that $B_0 = \{|0\rangle, |1\rangle\}$ is the computational basis and $B_1 = \{|+\rangle, |-\rangle\}$ is a qubit orthogonal basis where the Bloch vector of the qubit state $|+\rangle$ has an angle $\theta \in [0, \pi/2)$ from the $x$ axis towards the $z$ axis in the Bloch sphere. At each site, the random measurement is implemented with a 50:50 beam splitter, followed by two polarizing beam splitters and four single photon detectors. The quantum channel between the 50:50 beam splitter and one of the polarizing beam splitters contains a wave plate that rotates the polarization by an angle $\pi/2 - \theta$ from the $z$ axis towards the $x$ axis. Let $0 \leq d_i \ll 1$ and $\eta_i \in (0,1)$ be the dark count probability and the detection efficiency of Bob's detector $D_i$, respectively, which we assume are known by Alice, for $i \in \{0, 1, +, -\}$. Let $\eta_{\min} = \min\{\eta_0, \eta_1, \eta_+, \eta_-\}$.
It is explicitly stated in Ref. [60] that only detection events where a single detector clicks are considered as valid measurement outcomes. Thus, in a valid round a pair of photon pulses generated by Alice produces a single click in one of Alice's detectors and a single click in one of Bob's detectors. In order to deal with losses in the quantum channel, for each photon pulse sent by Alice, Bob sends a message m = 1 to Alice indicating that a single click in one of his detectors is produced or a message m = 0 indicating the opposite. The symmetrization of losses technique is applied by Bob. More precisely, the following reporting strategy is applied by Bob in Ref. [60].
Definition 1 (Symmetrization of losses in setup II (SLII)). Bob tests his setup by preparing and measuring states as in the protocol agreed with Alice, a large number of times $N$ in parallel. Then, for $i \in \{0, 1, +, -\}$, Bob computes the frequency $F_i$ of detection events in which only the detector $D_i$ clicks, which provides a good estimate of the corresponding probability $P_i$ if $N F_i \gg 1$. Bob then computes numbers $S_i \in (0, 1]$ satisfying Bob sends Alice the message $m = 1$ and assigns a valid measurement outcome corresponding to the detector $D_i$ with a probability $S_i$ if only the detector $D_i$ clicks, for $i \in \{0, 1, +, -\}$. Similarly to Lemma 2 of the main text, the following lemma shows that the SLII reporting strategy guarantees to Bob that Alice cannot obtain any information about Bob's assigned measurement basis $B_\beta$ if Alice's pulse does not have more than one photon and $d_i = 0$, for $\beta \in \{0,1\}$, for arbitrary $\eta_i \in (0,1)$ and for $i \in \{0, 1, +, -\}$. Furthermore, it guarantees that Alice cannot obtain much information about $\beta$ if Alice's pulse does not have more than one photon and $0 < d_i \leq \delta$, for $0 < \delta \ll 1$ and $i \in \{0, 1, +, -\}$.
Note that we have slightly changed the notation P report (1|β, ρ, k) used for setup I to P report (1, β|ρ, k) for setup II. This is because in setup I Bob chooses the measurement basis by appropriately setting the wave plate. However, in setup II, the assigned measurement basis is not chosen by Bob; it is an outcome, which depends on the detectors that are activated.
The proof of Lemma 9 uses Lemma 10, given below, and is therefore presented after it.
As stated in Ref. [60], it is a necessary condition for security against Alice that she cannot learn any information about the measurement bases obtained by Bob. It is claimed by Ref. [60] that the SLII reporting strategy guarantees this condition. Below we show that this claim is wrong: that Alice can obtain a lot of information about Bob's measurement bases.

b. Multi-photon attack I
We describe a version of multi-photon attack I that applies in setup II. The attack works equally well if Bob's setup is the same as in setup II, independently of whether Alice's photon source is a source of pairs of entangled photons or not. What matters is that Alice sends Bob photon pulses and that Bob measures randomly in one of two bases, B 0 and B 1 , using Bob's setup of four threshold single photon detectors illustrated in Fig. 5.
Definition 2 (Multi-photon attack I in setup II (MPAII)). Suppose that Alice and Bob use setup II, illustrated in Fig. 5. Alice prepares a dishonest pulse of $k$ photons encoding a $k$-qubit state $\rho$ in the polarization degrees of freedom, for some nonnegative integer $k$ chosen by Alice. The quantum state $\rho$ is chosen by Alice and can be an arbitrary entangled state, which can also be entangled with an ancilla held by Alice. When specified, we will consider the particular case $\rho = \rho_{\rm qubit}^{\otimes k}$ in which the dishonest pulse consists of $k$ photons, each of them encoding the qubit state $\rho_{\rm qubit}$ with Bloch vector $\mathbf{r} = (r_x, r_y, r_z)$. Let $P_{\rm report}(1,\beta|\rho,k)$ be the probability that Bob reports the message $m = 1$ to Alice and assigns a valid measurement outcome in the basis $B_\beta$, for $\beta \in \{0,1\}$. We assume that Alice knows the value of $P_{\rm report}(1,\beta|\rho,k)$, for $\beta \in \{0,1\}$. If $P_{\rm report}(1,0|\rho,k) \geq P_{\rm report}(1,1|\rho,k)$ and Bob reports the message $m = 1$, Alice guesses that Bob's obtained basis is $B_0$. On the other hand, if $P_{\rm report}(1,1|\rho,k) > P_{\rm report}(1,0|\rho,k)$ and Bob reports the message $m = 1$, Alice guesses that Bob's obtained basis is $B_1$. Thus, the probability that Alice guesses Bob's obtained basis $B_\beta$ for the dishonest pulse is given by

$$P_{\rm guess} = \frac{\max_{\beta\in\{0,1\}} P_{\rm report}(1,\beta|\rho,k)}{P_{\rm report}(1,0|\rho,k) + P_{\rm report}(1,1|\rho,k)}. \qquad (D37)$$

We note that we must condition on Bob assigning a measurement outcome, either in the basis $B_0$ or in the basis $B_1$. We show in Lemma 11 below that $P_{\rm report}(1,0|\rho,k) \neq P_{\rm report}(1,1|\rho,k)$ for a range of parameters. Thus, it follows from (D37) that $P_{\rm guess} > 1/2$. We also show that for a range of parameters $P_{\rm guess} \to 1$ as $k \to \infty$. Thus, Alice can guess Bob's assigned measurement basis for the dishonest pulse with high probability, which violates security against Alice.
The MPAII attack can be easily extended as follows. Let N be the number of photon pulses that Alice sends Bob in the predetermined protocol. Alice chooses a subset Ω of labels for these N pulses and prepares a dishonest pulse as in the MPAII attack if its label belongs to Ω. For each pulse with label from the set Ω, Alice guesses the measurement basis assigned by Bob as in the MPAII attack.
Let In order to present Lemma 11, we first need to introduce the following lemma.
We note that we do not lose generality by considering that B 0 is the computational basis and B 1 is a qubit orthogonal basis in the x − z plane in the Bloch sphere. This is because any pair of qubit orthogonal bases B 0 and B 1 define a plane in the Bloch sphere. Without loss of generality we can take this plane to be the x − z plane. Then, without loss of generality we can also suppose that B 0 is the basis along the z axis, i.e. the computational basis.
Proof of Lemma 10. Consider Bob's setup in Fig. 5. In the considered MPAII attack, Alice sends Bob a pulse of $k$ photons, where each photon encodes the qubit state $\rho_{\rm qubit}$, for some nonnegative integer $k$. That is, $\rho = \rho_{\rm qubit}^{\otimes k}$. Let $k_{01}$ be the number of photons that are transmitted through the 50:50 beam splitter towards the polarizing beam splitter $\mathrm{PBS}_{01}$ and let $k_{+-} = k - k_{01}$ be the number of photons that are reflected from the 50:50 beam splitter towards the polarizing beam splitter $\mathrm{PBS}_{+-}$, for $k_{01} \in \{0, 1, \ldots, k\}$. Let $k_0$ and $k_1 = k_{01} - k_0$ be the number of photons that go towards the detectors $D_0$ and $D_1$, respectively, for $k_0 \in \{0, 1, \ldots, k_{01}\}$. Let $k_+$ and $k_- = k - k_{01} - k_+$ be the number of photons that go towards the detectors $D_+$ and $D_-$, respectively, for $k_+ \in \{0, 1, \ldots, k - k_{01}\}$.
The probabilities that a photon is transmitted through the 50:50 beam splitter towards $\mathrm{PBS}_{01}$ and reflected from the 50:50 beam splitter towards $\mathrm{PBS}_{+-}$ are both $1/2$. We note that we do not lose generality by supposing that the 50:50 beam splitter has transmission and reflection probabilities exactly equal to $1/2$. If these probabilities were different, these values could be absorbed in the efficiencies of the detectors, leaving the equivalent transmission and reflection probabilities of the 50:50 beam splitter effectively equal to $1/2$. The probabilities that a photon directed towards $\mathrm{PBS}_{01}$ goes to the detectors $D_0$ and $D_1$ are $q_0 = \langle 0|\rho_{\rm qubit}|0\rangle = \tfrac{1}{2}(1 + r_z)$ and $q_1 = 1 - q_0$, respectively, where $r_z$ is the $z$ component of the Bloch vector $\mathbf{r}$ of the qubit state $\rho_{\rm qubit}$. The probabilities that a photon directed towards $\mathrm{PBS}_{+-}$ goes to the detectors $D_+$ and $D_-$ are $q_+ = \langle +|\rho_{\rm qubit}|+\rangle = \tfrac{1}{2}(1 + r_x\cos\theta + r_z\sin\theta)$ and $q_- = 1 - q_+$, respectively, where $r_x$ is the $x$ component of the Bloch vector $\mathbf{r}$ of the qubit state $\rho_{\rm qubit}$ and where $\theta$ is the angle, defined above, from the $x$ axis towards the $z$ axis in the Bloch sphere.
Let $P_i(0|\rho k k_{01} k_0 k_+)$ and $P_i(1|\rho k k_{01} k_0 k_+) = 1 - P_i(0|\rho k k_{01} k_0 k_+)$ be the probabilities that the detector $D_i$ does not click and clicks, respectively, given the values of $\rho$, $k$, $k_{01}$, $k_0$ and $k_+$, for $i \in \{0, 1, +, -\}$. Let $P(k_{01} k_0 k_+|\rho, k)$ be the probability of the values $k_{01}$, $k_0$ and $k_+$, given $\rho$ and $k$. We have that for $i \in \{0, 1, +, -\}$. Let $P_i$ be the probability that only the detector $D_i$ clicks, for $i \in \{0, 1, +, -\}$. We have that The probability $P_{\rm report}(1,0|\rho,k)$ that Bob sends the message $m = 1$ to Alice and assigns a measurement outcome in the basis $B_0$ is the probability that Bob assigns a measurement outcome corresponding to the state $|0\rangle$ (detector $D_0$) plus the probability that Bob assigns a measurement outcome corresponding to the state $|1\rangle$ (detector $D_1$). Similarly, the probability $P_{\rm report}(1,1|\rho,k)$ that Bob sends the message $m = 1$ to Alice and assigns a measurement outcome in the basis $B_1$ is the probability that Bob assigns a measurement outcome corresponding to the state $|+\rangle$ (detector $D_+$) plus the probability that Bob assigns a measurement outcome corresponding to the state $|-\rangle$ (detector $D_-$). Since in the SLII reporting strategy Bob assigns a measurement outcome to the detector $D_i$ with probability $S_i$ if only the detector $D_i$ clicks, we have that $P_{\rm report}(1,0|\rho,k)$ and $P_{\rm report}(1,1|\rho,k)$ are given by (D38). Finally, from (D41)-(D43), it follows straightforwardly using the binomial theorem that $P_i$ is given by (D39), for $i \in \{0, 1, +, -\}$, as claimed.
The following lemma states Alice's guessing probability in the MPAII attack when Bob uses the SLII reporting strategy, given some specific experimental parameters.
It is important to interpret correctly the value of P guess in Lemma 11. As explained above this probability is conditioned on Bob setting m = 1, i.e. on Bob assigning a valid measurement outcome in any of the two bases. Thus, although P guess can be very close to unity for k large enough, this does not mean that Alice's dishonest pulse allows her to guess Bob's assigned measurement basis with great probability. In fact, it is easy to see from Equations (D44) and (D45) that P report (1, 0|ρ, k) + P report (1, 1|ρ, k) → 0 as k → ∞. This means that the probability that Bob assigns m = 1 is very small if k is large. However, Alice can implement the generalization of the MPAII attack described above in which Alice sends Bob various dishonest pulses. In the extreme case that each of the N pulses that Alice sends Bob is a dishonest pulse with large of number of photons k, for a small fraction of the pulses Bob will send Alice the message m = 1. But for each of these pulses, the probability that Alice guesses the measurement basis assigned by Bob is very close to unity.
A possible countermeasure by Bob against the MPAII attack is that Bob aborts if a fraction f < δ report of the pulses sent by Alice produces the value m = 1, for some predetermined δ report ∈ (0, 1). Investigating this countermeasure in detail is left as an open problem. However, neither this nor other countermeasures were proposed in Ref. [60]. We must then conclude that the protocol of Ref. [60] is insecure.
In Fig. 6, we plot Alice's guessing probability $P_{\rm guess}$ in the MPAII attack when Bob uses the SLII reporting strategy, with the parameters of Lemma 11, as a function of the number of photons $k$ of Alice's dishonest pulse. We consider the case that Bob's dark count probabilities are $d = 10^{-5}$ and consider various values for the efficiencies $\eta \in (0,1)$ of Bob's detectors.
c. Proof of Lemma 9

Proof. We can suppose that Alice implements the MPAII attack in the particular case $k \in \{0,1\}$, that Alice sends Bob an empty pulse if $k = 0$, and that $\rho = \rho_{\rm qubit}$ is a qubit state with Bloch vector $\mathbf{r} = (r_x, r_y, r_z)$ if $k = 1$. Thus, the probability $P_{\rm report}(1,\beta|\rho,k)$ that Bob sets $m = 1$ and assigns a valid measurement outcome in the basis $B_\beta$ is given by Eq. (D38) of Lemma 10, for $\beta, k \in \{0,1\}$.

d. Reporting single and double clicks
As in setup I discussed in the main text, a better reporting strategy in setup II is that Bob sets $m = 1$ if one or two detectors click. More precisely, we consider the following reporting strategy. We see that with this reporting strategy, Bob assigns a measurement outcome in the basis $B_0$ with unit probability if at least one of the detectors $D_0$ and $D_1$ clicks and none of the detectors $D_+$ and $D_-$ clicks. Similarly, Bob assigns a measurement outcome in the basis $B_1$ with unit probability if at least one of the detectors $D_+$ and $D_-$ clicks and none of the detectors $D_0$ and $D_1$ clicks.
As the following lemma shows, if Bob applies the RSDCII reporting strategy, with Bob's detectors having exactly equal efficiencies and their dark count probabilities being independent of his measurement basis, Alice cannot learn any information about β from the message m.
Lemma 12. Consider setup II of Fig. 5 in which Bob uses the RSDCII reporting strategy. Suppose that Alice sends Bob a dishonest pulse of k photons, for some nonnegative integer k chosen by Alice. Let ρ be an arbitrary quantum entangled state of the k qubits encoded in the polarization of the k photons, which is in an arbitrary entangled state with an ancilla held by Alice, and which is chosen by Alice. Let P report (1, β|ρ, k) be the probability that Bob sends the message m = 1 to Alice and assigns a valid measurement outcome in the basis B β , for β ∈ {0, 1}. Suppose that η 0 = η 1 ∈ (0, 1) and η + = η − ∈ (0, 1), for i ∈ {0, 1, +, −}. Then for any quantum state ρ of k qubits, for any nonnegative integer k, and for any qubit orthogonal bases B 0 and B 1 .
and η i = η, for i ∈ {0, 1, +, −}, then P report (1, 0|ρ, k) = P report (1, 1|ρ, k), for any quantum state ρ of k qubits and for any nonnegative integer k chosen by Alice, and for any qubit orthogonal bases B 0 and B 1 . Thus, Alice cannot obtain any information about Bob's assigned measurement basis in this case.
Exactly equal detection efficiencies cannot be guaranteed in practice. However, as discussed in the main text, attenuators can be used to make the detector efficiencies approximately equal. Furthermore, Bob can effectively make his detectors to have approximately equal dark count probabilities by simulating dark counts in the detectors with lower dark count probabilities so that they approximate the dark count probability of the detector with highest dark count probability.
Proof of Lemma 12. The probability that Bob sets $m = 1$ and assigns a measurement outcome in the basis $B_0$ is the probability that he assigns a valid measurement outcome to the state corresponding to the detector $D_0$ plus the probability that he assigns a valid measurement outcome to the state corresponding to the detector $D_1$. Similarly, the probability that Bob sets $m = 1$ and assigns a measurement outcome in the basis $B_1$ is the probability that he assigns a valid measurement outcome to the state corresponding to the detector $D_+$ plus the probability that he assigns a valid measurement outcome to the state corresponding to the detector $D_-$. Thus, it follows from Bob's RSDCII reporting strategy that

$$P_{\rm report}(1,0|\rho,k) = P_{\rm det}(1000|\rho,k) + P_{\rm det}(0100|\rho,k) + P_{\rm det}(1100|\rho,k),$$
$$P_{\rm report}(1,1|\rho,k) = P_{\rm det}(0010|\rho,k) + P_{\rm det}(0001|\rho,k) + P_{\rm det}(0011|\rho,k).$$

Consider Bob's setup in Fig. 5. Alice sends Bob a pulse of $k$ photons, encoding a $k$-qubit state $\rho$ in the polarization degrees of freedom, for some nonnegative integer $k$. Let $k_{01}$ be the number of photons that are transmitted through the 50:50 beam splitter towards the polarizing beam splitter $\mathrm{PBS}_{01}$ and let $k_{+-} = k - k_{01}$ be the number of photons that are reflected from the 50:50 beam splitter towards the polarizing beam splitter $\mathrm{PBS}_{+-}$, for $k_{01} \in \{0, 1, \ldots, k\}$. Let $k_0$ and $k_1 = k_{01} - k_0$ be the number of photons that go towards the detectors $D_0$ and $D_1$, respectively, for $k_0 \in \{0, 1, \ldots, k_{01}\}$. Let $k_+$ and $k_- = k - k_{01} - k_+$ be the number of photons that go towards the detectors $D_+$ and $D_-$, respectively, for $k_+ \in \{0, 1, \ldots, k - k_{01}\}$.
The probabilities that a photon is transmitted through the 50:50 beam splitter towards $\mathrm{PBS}_{01}$ and reflected from the 50:50 beam splitter towards $\mathrm{PBS}_{+-}$ are both $1/2$. We note that we do not lose generality by considering that the 50:50 beam splitter has transmission and reflection probabilities exactly equal to $1/2$. If these probabilities were different, these values could be absorbed in the efficiencies of the detectors, leaving the equivalent transmission and reflection probabilities of the 50:50 beam splitter effectively equal to $1/2$. Let $P(k_{01} k_0 k_+|\rho,k)$ be the probability of the values $k_{01}$, $k_0$ and $k_+$, given $\rho$ and $k$. We have that

$$P(k_{01} k_0 k_+|\rho,k) = \frac{1}{2^k}\binom{k}{k_{01}} P(k_0 k_+|k_{01},\rho,k), \qquad (D55)$$

where $P(k_0 k_+|k_{01},\rho,k)$ is given by the Born rule and satisfies $\sum_{k_0=0}^{k_{01}} \sum_{k_+=0}^{k-k_{01}} P(k_0 k_+|k_{01},\rho,k) = 1$, for any $k_{01} \in \{0, 1, \ldots, k\}$, for any $k$-qubit state $\rho$ and for any nonnegative integer $k$.
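As an added worked example (not code from this paper or from Ref. [60]), the following Python enumerates the photon-number splitting used in the proofs of Lemma 10 and Lemma 12 over Bob's four threshold detectors and evaluates $P_{\rm report}(1,\beta|\rho,k)$ and $P_{\rm guess}$ of (D37) under both the SLII and the RSDCII reporting strategies. It assumes the threshold-detector click model $1-(1-d_i)(1-\eta_i)^n$ and, since the SLII conditions are only cited here, calibrates $S_i = \min_j P_j / P_i$ from honest single-photon statistics; all function and parameter names are mine.

```python
from itertools import product
from math import comb, cos, sin

DETECTORS = ("0", "1", "+", "-")   # Bob's four threshold detectors D0, D1, D+, D-


def click_prob(n_photons, eta, dark):
    """A threshold detector with efficiency eta and dark count probability dark
    stays silent only if every photon is missed and no dark count occurs."""
    return 1.0 - (1.0 - dark) * (1.0 - eta) ** n_photons


def click_pattern_probs(k, bloch, theta, eta, dark):
    """Distribution over the 16 click patterns (c0, c1, c+, c-) of setup II for
    a pulse of k photons, each in the qubit state with Bloch vector
    bloch = (rx, ry, rz); B1 lies theta from the x axis towards the z axis.
    eta and dark are dicts keyed by DETECTORS (hypothetical parameter names)."""
    rx, _, rz = bloch
    q0 = 0.5 * (1.0 + rz)                                  # <0|rho_qubit|0>
    qp = 0.5 * (1.0 + rx * cos(theta) + rz * sin(theta))   # <+|rho_qubit|+>
    probs = {p: 0.0 for p in product((0, 1), repeat=4)}
    for k01 in range(k + 1):                  # photons transmitted to PBS_01
        kpm = k - k01                         # photons reflected to PBS_+-
        p01 = comb(k, k01) / 2 ** k           # 50:50 beam splitter
        for k0 in range(k01 + 1):             # photons reaching D0 (rest reach D1)
            p0 = comb(k01, k0) * q0 ** k0 * (1.0 - q0) ** (k01 - k0)
            for kp in range(kpm + 1):         # photons reaching D+ (rest reach D-)
                weight = p01 * p0 * comb(kpm, kp) * qp ** kp * (1.0 - qp) ** (kpm - kp)
                if weight == 0.0:
                    continue
                counts = (k0, k01 - k0, kp, kpm - kp)
                cp = [click_prob(n, eta[d], dark[d]) for n, d in zip(counts, DETECTORS)]
                for pattern in probs:         # independent detectors: product of clicks
                    pr = weight
                    for c, p in zip(pattern, cp):
                        pr *= p if c else 1.0 - p
                    probs[pattern] += pr
    return probs


def single_click_probs(k, bloch, theta, eta, dark):
    """P_i: probability that only detector D_i clicks, for i in DETECTORS."""
    probs = click_pattern_probs(k, bloch, theta, eta, dark)
    return {d: probs[tuple(int(j == i) for j in range(4))] for i, d in enumerate(DETECTORS)}


def slii_weights(eta, dark, theta):
    """Assumed SLII calibration: Bob estimates P_i from honest single photons
    (reduced state of an entangled pair = maximally mixed) and sets
    S_i = min_j P_j / P_i so that the accepted single-click rates coincide."""
    honest = single_click_probs(1, (0.0, 0.0, 0.0), theta, eta, dark)
    pmin = min(honest.values())
    return {d: pmin / honest[d] for d in DETECTORS}


def report_probs_slii(k, bloch, theta, eta, dark, weights):
    """(P_report(1,0|rho,k), P_report(1,1|rho,k)) under SLII: a lone click on
    D_i is accepted with probability S_i; B0 <-> {D0, D1}, B1 <-> {D+, D-}."""
    P = single_click_probs(k, bloch, theta, eta, dark)
    return (weights["0"] * P["0"] + weights["1"] * P["1"],
            weights["+"] * P["+"] + weights["-"] * P["-"])


def report_probs_rsdcii(k, bloch, theta, eta, dark):
    """Same under RSDCII: basis B0 is assigned when at least one of D0, D1 clicks
    and neither D+ nor D- clicks (patterns 1000, 0100, 1100); B1 likewise."""
    probs = click_pattern_probs(k, bloch, theta, eta, dark)
    return (probs[1, 0, 0, 0] + probs[0, 1, 0, 0] + probs[1, 1, 0, 0],
            probs[0, 0, 1, 0] + probs[0, 0, 0, 1] + probs[0, 0, 1, 1])


def guess_prob(p_b0, p_b1):
    """Alice's guessing probability (D37), conditioned on Bob sending m = 1."""
    return max(p_b0, p_b1) / (p_b0 + p_b1)


if __name__ == "__main__":
    # Constructed parameters in the spirit of Fig. 6: equal efficiencies 0.5,
    # dark count probability 1e-5, every dishonest photon in |0> (r = (0, 0, 1)).
    eta = {d: 0.5 for d in DETECTORS}
    dark = {d: 1e-5 for d in DETECTORS}
    S = slii_weights(eta, dark, 0.0)
    for k in (1, 2, 5, 10, 20, 40):
        b0, b1 = report_probs_slii(k, (0.0, 0.0, 1.0), 0.0, eta, dark, S)
        r0, r1 = report_probs_rsdcii(k, (0.0, 0.0, 1.0), 0.0, eta, dark)
        print(f"k={k:2d}  SLII: P_guess={guess_prob(b0, b1):.4f} "
              f"P(m=1)={b0 + b1:.2e}  RSDCII: P_guess={guess_prob(r0, r1):.4f}")
```

Running it reproduces the behaviour discussed above: under SLII, $P_{\rm guess}$ is $1/2$ at $k = 1$ and approaches 1 as $k$ grows while $P(m = 1)$ shrinks, whereas under RSDCII with equal detector parameters both reporting probabilities stay equal for every $k$.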

5. A multi-photon attack on the quantum oblivious transfer protocol of Ref. [61]

Ref. [61] demonstrated quantum 1-out-of-2 oblivious transfer in the noisy storage model. The protocol of Ref. [61] uses setup II, which is illustrated in Fig. 5. A subroutine of this protocol is equivalent to the subroutine discussed in section D 4 and implemented in the protocol of Ref. [60]. The SLII reporting strategy is used by Bob, as it is claimed by Ref. [61] that this guarantees security against Alice. However, Ref. [61] does not say whether Bob only reports single clicks as valid measurement outcomes, or whether Bob reports multiple clicks as valid measurement outcomes. If Bob only reports single clicks as valid measurement outcomes, then the multi-photon attack I in setup II (MPAII attack) and the results presented in section D 4 apply too. In particular, as illustrated in Fig. 6 and discussed in section D 4, Alice can guess Bob's measurement bases with high probability by implementing the MPAII attack with a large number of photons $k$.
2. Computational proof for the case that B0 and B1 are arbitrary distinct qubit orthogonal bases

a. Obtaining a system of linear equations
We suppose that for $i, \beta \in \{0,1\}$, and $B_0$ and $B_1$ are arbitrary qubit orthogonal bases. Below we show numerically that if Alice sends Bob a pulse of $k$ photons encoding a state $\rho$, with $k \in \{0, 1, 2\}$ chosen by Alice and unknown to Bob, then the only probabilistic reporting strategy that guarantees to Bob that Alice cannot obtain any information about $\beta$ from his message $m$ is the trivial strategy (12) of the main text. The bases $B_0$ and $B_1$ define a plane in the Bloch sphere. Without loss of generality, this plane can be taken as the $x$-$z$ plane, and $B_0$ can be taken as the computational basis, with $|\psi_{00}\rangle = |0\rangle$ and $|\psi_{10}\rangle = |1\rangle$. Thus, in general, the states of the basis $B_1$ are given by

$$|\psi_{01}\rangle = \cos(a)|0\rangle + \sin(a)|1\rangle, \qquad |\psi_{11}\rangle = \sin(a)|0\rangle - \cos(a)|1\rangle,$$

where $a = \pi/4 - \theta/2$ is half the angle in the Bloch sphere between the states $|\psi_{00}\rangle$ and $|\psi_{01}\rangle$, and $\theta$ is the angle in the Bloch sphere between the states $|\psi_{01}\rangle$ and $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, for $\theta \in [0, \pi/2)$ and $a \in (0, \pi/4]$. We proceed as in the analytical proof of Theorem 1. From the condition that Alice cannot obtain any information about $\beta$ from Bob's message $m$, we obtain a set of eight linear equations. We solve these equations numerically with a Mathematica program, provided as supplementary material, and we obtain that the only solution corresponds to the trivial strategy (12) of the main text.
We note that if (12) of the main text holds then, from (13) of the main text, (E50) holds too, for any $k$-qubit state $\rho$ and for any $k \in \{0, 1, 2, \ldots\}$. Thus, Alice does not obtain any information about $\beta$ from Bob's message $m$ in this case. Now we show, numerically, that Bob is guaranteed that Alice cannot obtain any information about $\beta$ from his message $m$ only if (12) of the main text holds. From (11) of the main text and (E50), it follows that

$$\sum_{c_0=0}^{1} \sum_{c_1=0}^{1} \Big[ S_{c_0 c_1 1}\, P_{\rm det}(c_0, c_1|1, \rho, k) - S_{c_0 c_1 0}\, P_{\rm det}(c_0, c_1|0, \rho, k) \Big] = 0, \qquad (E51)$$

for any $k$-qubit state $\rho$ encoded in a pulse of $k$ photons, and for $k \in \{0, 1, 2\}$.