Experimental demonstration of kilometer-range quantum digital signatures

We present an experimental realization of a quantum digital signature protocol which, together with a standard quantum key distribution link, increases transmission distance to kilometre ranges, three orders of magnitude larger than in previous realizations. The bit-rate is also significantly increased compared with previous quantum signature demonstrations. This work illustrates that quantum digital signatures can be realized with optical components similar to those used for quantum key distribution, and could be implemented in existing optical fiber networks.

. Experimental setup for kilometer-range quantum digital signatures. Alice uses a pulsed 850 nm wavelength vertical cavity surface emitting laser (VCSEL) diode to generate coherent states. She encodes her phase shift by using a lithium niobate (LiNbO 3 ) phase modulator, choosing randomly between the four possible phases. Alice sends the coherent states through standard telecommunications optical fiber to the receivers, who then measure the received coherent states. Sender and receivers are constructed from 4.4 µm core diameter polarization-maintaining optical fiber to improve the interferometric visibility. Polarization routing of modulated signal and unmodulated reference was carried out using polarization dependent beam splitters (PBS), and static polarization controllers (SPCs) were used to correct for polarization shift induced by birefringence in the telecommunications fiber.
on the quantum channels between other participants. It is expected this assumption could be removed by using a parameter estimation procedure analogous to that used in QKD [26]. By declaring (sacrificing) some of the states sent during the distribution stage, participants should be able to estimate the level of eavesdropping, aborting if it is too high. When considering security against forging by either Bob or Charlie, one assumes that the other recipient and Alice are honest, since no protocol can guarantee security if two of the three parties are dishonest and collude. Similarly, when considering security against repudiation by Alice, one assumes that Bob and Charlie are honest.
All pairwise classical communication in the present protocol, just as for QKD, must be authenticated. Pairwise message authentication can in modern cryptography be efficiently implemented using "short" pre-shared keys [27]. It is not, even in principle, possible to prevent man-in-the-middle-attacks in QKD or QDS schemes unless there has been some prior interaction between parties. If information-theoretic security is required, one needs to use an appropriate authentication scheme for all classical communication [28]. The security analysis for the QDS protocol implemented here proceeds much as in Collins et al. [13] and is detailed in the Appendix.

III. EXPERIMENTAL RESULTS
In Figure 2, we plot experimental data and parameters for a range of mean photon numbers |α| 2 sent by Alice. When |α| 2 increases, the probability that a forger will be able to select the correct declaration increases, but likewise does an honest recipient's ability to detect mismatches in a fake declaration. It is therefore highly non-trivial to determine the optimal value of |α| 2 . The gap, g, between the probability for a forger's fake declaration to be rejected and the probability for Alice's true declaration to be rejected, i.e. g = C min − p h (see the Appendix), depends on |α| 2 and we choose the optimal value of |α| 2 that maximises g. Other experimental parameters such as system loss and interferometric visibility are also taken into account in the cost matrices that are used to obtain C min and thus the gap g. It can be seen from Figure 2(c) that maximum gap occurs around |α| 2 = 0.4 for transmission distances of 500 m, 1000 m and 2000 m, showing that this value of |α| 2 is the best choice for the sender in this particular experimental implementation.
For the desired security level, the length required to sign one half-bit can then be calculated using . Experimental results and calculated parameters for one of the recipients, Bob. In our experiment, measurement statistics for Bob and Charlie was very similar. a) Conditional probabilities for unambiguous state elimination by Bob, with |α| 2 = 0.5. These probabilities are used to calculate the gap g and the required signature length per half-bit. b) the time required for Alice to send a half-bit to Bob. c) The gap achieved in the experiments is a calculated from a combination of information from both receivers' cost matrices. d) The length L required to prevent forging and repudiation, per half-bit of message, for a security level of 0.01%. For all sub-figures at 500 m, mean photon number points of 0.1, 0.9 and 1 have been removed. Here, the combination of count rate and the dead time of the detector led to non-linearity in the detection. P(protocol failure) = 2e −(g/4) 2 L (see the Appendix). In this paper, we have used a security level of 0.01%. The resulting signature length for each half-bit is graphed in Figure 2(d) for varying |α| 2 . As |α| 2 increases, the length per half-bit dips to a minimum and increases again. For our experimental data, the maximum value for the gap and the minimum values for the length are around |α| 2 = 0.4. To further illustrate the measurements by the recipients, experimental success rates are shown in Figure 3. A successful USE measurement means eliminating any state except the state Alice sent. On average, the USE success rate is 80% of the raw count rate. Only a single detection event is required to eliminate a state, and therefore the success rate is higher than for unambiguous state discrimination (USD), where one has to eliminate all possible states except the one sent. The success rate for USD is typically many orders of magnitude lower than the time-gated detector count rate [13]. The failure rate of USE (eliminating the state that was actually sent) depends on the visibility of the interferometers formed by Alice's state preparation and the receiver's detection setup. In the security proof we assume that Alice has full control over the failure rate and so can generate any number of mismatches she likes. For these experiments, the USE failure rate was on average 1.7% of the pulse repetition rate. Knowing Alice's repetition rate and the signature length L required to sign a half-bit message allows us to calculate the time it would take for Alice to send one half-bit using the current system.

IV. DISCUSSION
In a previous QDS experiment using quantum state elimination and a mulitport [13], with a transmission distance of 5 m, the largest gap was found to be 1.20 × 10 −6 , which occurred for |α| 2 = 1. The USE success rate was 2 × 10 5 counts per second. For a security level of 0.01%, the length L required to securely sign a half-bit was found to be 5.0 × 10 13 , and the estimated time it would take to securely sign a half-bit was over eight years. In contrast, for the present setup and a transmission distance of 500 m, the maximum gap, g = 2.86 × 10 −4 , occurs at a |α| 2 = 0.5, with a USE success rate of 2.48 × 10 6 . This gap is two orders of magnitude greater than for the previous short-range system. The length L per half-bit for this new realization is 1.93 × 10 9 for a security level of 0.01%, and the estimated time it would take to securely sign a half-bit is less than 20 seconds. As the transmission distance increases, the time taken to sign one half-bit naturally increases, but even at 2000 m the time taken to sign one half-bit is four orders of magnitude smaller than in the previous experimental demonstrations of QDS.
The system reported in this letter operates over relatively short distances when compared to the current maximum transmission distances achieved for QKD experiments [29]Quite apart from the increased losses of 2.2 dbkm -1 experienced in the standard telecommunications fibre quantum channel at the wavelength of 850 nm selected for these experiments as opposed to 0.2 dbkm -1 at the wavelength of 1550 nm typically used in the QKD experiments, this letter reports a QDS protocol and it is to previous experimental QDS systems that it must be compared. In particular, because of differences in the security analysis, one would not expect, a-priori, that the exact same physical implementation leads to comparable distances of QKD and QDS protocols.
Although the new protocol demonstrated in this paper shows a significant enhancement in transmission distance and message signing rate compared with previous QDS demonstrations, further improvements in signature transmission rate, in particular, will be necessary to fully exploit the potential of QDS. The largest scope for improvement seems to lie in having Alice send different sequences of states to Bob and Charlie. This reduces each participant's ability to forge, while retaining security against repudiation due to the exchange of measurement outcomes performed by Bob and Charlie [26].
The recently proposed signature protocol "P2" in [20] uses standard QKD systems to first generate pairwise shared keys between all parties. The secret keys are then used to sign messages. Currently, such schemes seem more efficient than any proposed quantum protocol that directly signs a message without first distilling a secret key. Nevertheless, "direct" quantum signature protocols, such as the one discussed in this paper, are still worth investigating, as they may eventually prove better than signature protocols based on secret shared keys. For example, direct quantum protocols can remain secure even if the available quantum channels are too noisy for practical QKD [26]. The most efficient direct quantum protocol should intuitively be at least as efficient as protocols proceeding via first distilling shared secret keys, and then using the shared keys to sign messages. There could also be other advantages with direct quantum protocols. If quantum channels of sufficiently high quality are available, then direct quantum signature protocols should need quantum channels only between the sender and each recipient, as opposed to QKD links between each party for protocols similar to P2. This means that the number of quantum channels scales only linearly with the number of recipients for direct quantum signature schemes, as opposed to quadratically for schemes similar to P2. Compared with work on QKD, very little work has been done on QDS schemes. This is surprising, given the wide usage and importance of signature schemes in modern communication. We are confident that demonstrating kilometer-range quantum signature schemes, using the same technical components as QKD, will stimulate wider interest in developing the next generation of quantum signature protocols for real-world optical networks.

APPENDIX I. PROTOCOL
The protocol presented in this paper is similar to P1' from reference [20], but with two important differences. First, we require Bob and Charlie to record whether each measurement outcome they hold came directly from Alice or whether it was forwarded to them by the other recipient. Second, the experiment uses weak coherent states instead of true single-photon states. This means that the security proofs presented for protocol P1' do not apply, and instead we follow the methods applied in [13] for security against individual and collective forging attacks. The protocol is as follows: A. Distribution Stage 1. For each future one-bit message k = 0, 1, Alice generates two copies of sequences of coherent states, 2. Alice sends one copy of QuantSig k to Bob and one to Charlie, for each possible message k = 0 and k = 1.
3. Bob and Charlie measure each state received using quantum unambiguous state elimination (USE) for For every element of each quantum signature (for k = 0, 1), they store which detectors detected photons; each detector rules out one possible phase state. They therefore store sets of six Here, a k,l ′ φ = 0 means that no photons were detected at the ¬φ detector (that is, the phase φ is not ruled out), while a k,l ′ φ = 1 means that there was at least one photon detected at the ¬φ detector (that is, the phase φ is ruled out for this element). By ¬φ detector we symbolise the "not φ " detector. Note that, due to losses, many of the hexaplets will have a k,l ′ φ = 0 for all φ . 2. Bob checks whether (m, PrivKey m ) matches both of his stored sequences -the one he received directly from Alice, and the one he received from Charlie. In particular, he counts the number of elements of PrivKey m which disagree with his stored hexaplets. Therefore, for a given element l of the signature, if Alice's declaration was φ , Bob needs to check if a φ is 0 or 1. If a φ = 1, he registers one mismatch. In other words, a mismatch is registered whenever Alice's declaration for a given element has been eliminated by Bob's USE measurement. Bob checks, for each of his stored sequences, whether the number of mismatches is below s a L/2, where s a is an authentication threshold. Bob accepts the message only if both of his sequences have fewer than s a L/2 mismatches, i.e. both the sequence received directly from Alice, and the sequence received from Charlie.
3. To forward the message to Charlie, Bob forwards to Charlie the pair (m, PrivKey m ) he received from Alice. Charlie tests for mismatches similarly to Bob, but to protect against repudiation by Alice, he uses a different threshold. For each of his sequences -the one received directly from Alice and the one received from Bob -Charlie checks if the number of mismatches is below s v L/2, where s v is the verification threshold, with s a < s v .
Charlie accepts the message only if both of his sequences have fewer than s v L/2 mismatches.

II. SECURITY
The quantum signature protocol is designed to be secure against two types of dishonesty: forging and repudiation. Security against forging requires that any participant receiving a message will, with high probability, reject a message that did not originate with Alice. Security against repudiation requires that, with high probability, Alice cannot make Bob and Charlie disagree on the validity of her message, i.e. she cannot make one participant accept and the other reject her message. In this section we will show that the probabilities of forging and repudiation decay exponentially in the signature length, L. Further, we will show that the protocol is robust, i.e. if all participants are honest, the protocol works and does not abort, except with a probability exponentially small in L.
For forging one can distinguish different types of malicious attacks. In individual attacks, the cheating party employs a strategy separately and independently for each signature element. In collective attacks, there may be classical correlations between strategies for different signature elements. Coherent attacks are the most general type; here a cheating party can employ any type of correlations, including entanglement and measurements in an entangled basis. Note that the same distinctions apply in principle to repudiation attempts from Alice. However, when proving security against repudiation we will assume that Alice can exactly control the number of mismatches her signature generates with Bob's and Charlie's measurement outcomes. This covers all types of attack from Alice and so the distinction between individual, collective and coherent attacks is not made. Security is proven for all types of repudiation attacks, and all types of forging except coherent forging attacks. We will treat individual forging attacks in detail. Security against collective forging attacks then follows because the optimal collective forging strategy is actually an individual strategy, as argued in [13].

A. Model Assumptions
Here, as in all previous QDS protocols, we assume that the quantum channels between participants do not allow tampering or eavesdropping from a third party. It is expected that this assumption could be removed by using a parameter estimation procedure analogous to that used in QKD [26]. By sacrificing part of the states sent during the distribution stage, participants should be able to estimate the level of tampering and eavesdropping.
All pairwise classical communication in the present protocol, just as for QKD, must be authenticated. Pairwise message authentication can be efficiently implemented with information-theoretic security using short pre-shared keys [11]. Without this authentication, it is not possible, even in principle, to prevent "man-in-the-middle" attacks in QKD or QDS schemes . Thus neither QKD nor QDS can be implemented without some prior interaction between parties. It is important to note that pairwise authentication between parties is far simpler to achieve than an authenticated broadcast channel.

B. Security Against Repudiation
To repudiate, Alice aims to send a declaration (m, Sig m ) which Bob will accept and which Charlie will reject. To do this, Bob must accept both the elements that Alice sent directly to him, and the elements that Charlie forwarded to him. In order for Charlie to reject he need only reject either the elements he received from Alice, or the elements Bob forwarded to him. Intuitively, security against repudiation follows because of the symmetrisation of measurement outcomes performed by Bob and Charlie using the secret classical channel. Bob and Charlie perform USE measurements on each of the states sent to them by Alice so that they hold the L hexaplets (b 1 , ..., b L ) and (c 1 , ..., c L ) respectively. We give Alice full powers and assume that later on, in the messaging stage, she is able to fully control the number of mismatches her signature declaration, PrivKey m , contains with the hexaplets (b 1 , ..., b L ) and (c 1 , ..., c L ). Call the mismatch rates e B and e C respectively. The symmetrisation process means that Bob and Charlie will randomly (and unknown to Alice) receive L/2 of the others' hexaplets. We show that all choices of e B and e C lead to an exponentially decaying probability of repudiation.
Suppose Alice chooses e C > s a . In this case, Bob is selecting (without replacement) L/2 elements from the set {c 1 , ..., c L }, which contains exactly e C L mismatches with Alice's declaration. The number of mismatches Bob selects then follows a hypergeometric distribution H(L, e C L, L/2) with expected value e C L/2. For the message to be accepted, Bob must select fewer than s a L/2 errors. The tails of a hypergeometric distribution can be bound, using [30], to give an inequality with the same form as a Hoeffding Inequality. We bound the probability that Bob selects fewer than s a L/2 mismatches as P(Bob receives fewer than s a L/2mismatches from Charlie) ≤ exp(−(e C − s a ) 2 L).
To repudiate, Alice must make Bob accept the message, which means that Bob must accept both the part received from Alice and the part received from Charlie. Since P(A ∩ B) ≤ min{P(A), P(B)}, the probability of repudiation must be less than or equal to the above expression, and so must also decrease exponentially.
Now suppose e C ≤ s a . In this case, if e B > s a the above argument shows that it is highly likely that Bob will reject the message, so we consider only the case where e B ≤ s a . Consider first the set {b 1 , ..., b L }. We can use the same arguments as above to bound the probability of selecting more than s v L/2 mismatches as P(Charlie selects more than s v L/2mismatches from Bob) ≤ exp(−(s v − e B ) 2 L).
For Alice to successfully repudiate, Charlie must select more than s v L/2 mismatches from either the set {b 1 , ..., b L } or the set {c 1 , ..., c L }. Using P(A ∪ B) ≤ P(A) + P(B), we can see that, for the choice of e B , e C ≤ s a , we have P(Charlie selects more than s v L/2 mismatches) ≤ 2 exp(−(s v − s a ) 2 L).
So again, the probability of Alice successfully repudiating decreases exponentially in the size of the signature. Similar to [20], Alice's best strategy would be to pick e B = e C = 1 2 (s v + s a ), in which case

C. Security Against Individual and Collective Forging
In order to forge, Bob must make a declaration with fewer than s v L/2 errors with the L/2 elements Charlie received directly from Alice. To bound the probability of Bob being able to make such a declaration, we will follow the cost matrix analysis performed in [13]. For a given individual signature element, we define the cost matrix for Bob as a matrix where the rows correspond to which state Alice sent (| exp(iθ )α ), while the columns correspond to the detectors D(¬θ ). Each matrix element C i, j can be taken equal to the probability that if the i'th state is sent, then Charlie's j'th detector clicks. This is because Bob should avoid declaring a phase that Charlie has eliminated. His cost for making a particular declaration will therefore be proportional to the probability that Charlie has ruled out this state. When |α| 2 = 0.4, and over a distance of 500m, the experiment gives us the cost matrix (2) From this matrix, we aim to find two important quantities. First, we want to find the honest cost, p h , for Bob. This is the rate at which Charlie would find mismatches even if Bob acts honestly. This situation occurs when Charlie erroneously rules out the state that Alice actually sent. The experimentally found probability of this happening is given by the diagonal elements of C, and so the honest cost is simply the average of the diagonal elements, giving p h = 8.61 × 10 −5 . This rate is important for two reasons: first, the parameter s a must be set higher than p h for the protocol to be robust (to avoid aborting due to noise in the honest run); second, to be secure against forging p h must be smaller than the rate at which Charlie finds mismatches if Bob is dishonest, i.e. being dishonest must carry some positive cost for Bob.
We now consider the case of a dishonest Bob who tries to guess Alice's signature so that he can forge a message to Charlie. We consider only individual and collective forging attacks, where Bob acts on each quantum state individually, but the outcome of his measurement on one quantum state can affect his choice of measurement on the others. Security against coherent forging attempts remains an open question. We want to find C min , the minimum possible rate that Bob will declare single signature elements which have been eliminated by Charlie. To do this, we use the cost matrix C and note that C min is the minimum cost associated with the matrix C. Finding minimum costs involves finding optimal measurements, which is in general a difficult problem. However, we are able to bound C min following the method in [13]. To do this, we find the matrices C h , C ′ and C l , with is the difference between C and C h . It represents the difference between an honest strategy and a dishonest strategy. The minimum cost for this matrix is the minimum additional cost suffered from acting dishonestly. It is difficult to find the minimum cost for this matrix, so instead we can bound it below by reducing all non-zero elements to the the smallest non-zero element, to get the matrix The matrix C l corresponds to a lower bound on the additional probability Bob has of causing a mismatch if he is dishonest, when compared to the honest case. For this reason we define the constant, non-zero element, as guad, the guaranteed advantage an honest strategy has over a dishonest strategy. Since C h i j + C l i j ≤ C i j , the minimum cost of C h + C l must be less than the minimum cost of C. The matrix C l is of error-type, so its minimum cost is proportional to p min (α), the minimum error probability, and can be achieved using a minimum-error measurement [19]. Since the optimal measurement is known, in this case, to be the SRM, we can calculate p min (α) for all values of α from: Defining the gap, g = p min × guad, we know p h + g ≤ C min . For the particular case of |α| 2 = 0.4, p min = 0.317 and we get p h + g = 8.61 × 10 −5 + (0.317 × 1.02 × 10 −3 ) = 4.10 × 10 −4 ≤ C min . This is our lower bound on C min and in what follows we conservatively assume C min = p h + g. As long as we choose s v < C min , we can use [31] to obtain Note that for simplicity we have only considered the case of Bob attempting to forge. We should also consider the possibility of Charlie trying to forge. In this case, we would replace the cost matrix (2) with the corresponding experimentally generated cost matrix for Charlie. The analysis then follows exactly as above and we would arrive at another value of C min , valid for when Charlie is the forger. For the protocol to be secure against both Bob and Charlie attempting to forge, we would choose C min = min{C Bob min ,C Charlie min }. For our implementation, C Bob min < C Charlie min and so C min remains as above.

D. Robustness
Suppose all parties are honest. Bob aborts if either the (1/2)L states received from Alice result in mismatch rate greater than s a or the measurement results for the (1/2)L states received from Charlie give mismatch rate greater than s a . We suppose that the channel from Alice to Bob has an error rate of p B h and the channel from Alice to Charlie has an error rate of p C h . Then we have If we set p h = max(p B h , p C h ) then the probability of an honest abort is bounded by

E. Signature Length
Using the above analysis, we can calculate the length of the signature needed to securely sign a single-bit message. Following [13], we assume that there is no reason in general to favour one type of security over another, so we pick parameters s a and s v so as to make the probabilities of honest abort, forgery and repudiation all equal. If all these probabilities are all below 0.01%, we say that the protocol is secure to a level of 0.01%. By setting the probabilities of repudiation, forging, and honest abort all become approximately equal. More explicitly, considering the terms in the exponent of equations (1), (3), (4), we see they are equal when where the pre-factors of 2 have been taken inside the exponential. As L increases, the choice of s a and s v satisfying (6) tends to those given in (5).
Determining the value of the coherent state amplitude, α, that leads to the smallest possible signature length is, in general, a difficult problem. Higher values of |α| 2 lead to lower loss and a smaller bit error rate, but come at the cost of making the states {|α , |iα , | − α , | − iα } more distinguishable for a potential forger. Thus we need to strike a balance between correctly transmitting the states, and giving power to a forger. In the previous QDS experiment [13], the magnitude of α was varied in increments of 1 between 1 and 10. In order to minimise the signature length, the magnitude of α is chosen so as to maximise the gap, g, defined above. It was found that |α| 2 = 1 gave the largest gap for the range considered, and extrapolation of subsequent experimental data suggested that |α| 2 ≈ 0.5 would be optimal. In fact, we found in this experiment that the optimal value was around |α| 2 = 0.4, for which the corresponding p min value is 0.317.
We now have everything in place to calculate the signature length, L, needed to securely sign a message for |α| 2 = 0.4. Over a distance of 500m, experimental data gives the honest cost as p h = max(p B h , p C h ) = 1.26 × 10 −4 . Note that this differs from the value used in the analysis above because in fact Charlie's cost matrix gave a higher honest cost than Bob's. We also find C min = min{C Bob min ,C Charlie min } = 4.10 × 10 −4 , as above. This gives the gap, g = C min − p h = 2.84 × 10 −4 , from which we can find the parameters s a , s v using (5). Putting it all together, we find that a signature length of L = 1.96 × 10 9 is required to sign a message to a security level of 0.01%.
Although this is a significant improvement over the last QDS experiment [13], there are a number of ways to further improve the efficiency of the protocol. The simplest would be to increase the clock rate and therefore the transmission rate. This would not decrease the signature length, but would decrease the time needed to transmit a given signature length. The pulse rate used in this QDS system was 100MHz, and there is scope to increase this to >1 GHz as is typically found in modern QKD systems [22,[32][33][34]. Despite the clock rate increasing by a factor of 10, the increased effects of inter-and intra-symbol interference mean that the corresponding decrease in the signature time will not be as great as a a factor of 10. The exact improvement strongly depends on the characteristics of the employed coherent source, single-photon detectors and timing electronics.
Another possible improvement would be to switch to an operational wavelength of 1550nm as in [32], rather than the 850 nm used in this experiment. At 1550nm, we would expect to see losses of about 0.22 dB per kilometer, a significant improvement over the 2.2 dB per kilometer in the current setup. This switch in wavelengths would enable a new QDS experiment to be carried out over 10's of kilometers with similar performance to our QDS system at short distances. A wavelength of 850 nm was selected for these experiments as it provides a good compromise between the detection efficiency response of the mature low-noise, lowing timing-jitter, high efficiency thick junction silicon single-photon avalanche diodes at room temperature and the attenuation profile of fused silica optical fibres.
As the system used in these experiments is similar in layout to that used in a number of QKD experiments, we can make an approximate comparison of the performance of our QDS system with that of a state-of-the-art QKD system [32] by examining the quantum bit error rate (QBER). Reducing the QBER would decrease the size of the diagonal elements in the cost matrix (2). This would lead to a larger gap, g, and therefore a smaller signature. There is perhaps less scope for improvement in this respect since the current setup achieved a QBER of around 4% over the range of distances investigated, which is comparable to the QKD system in [32] where the QBER at 50 km was 3.85%. The differing achievable transmission distances between the work presented here and reference [32] being due to the increased loss of the fused silica optical fibres for light with a wavelength of 850 nm.

III. EXPERIMENTAL METHODS
The experimental system shown in Figure 1 of the main paper, shares many similarities with common phase-basisset QKD experiments [21][22][23][24][25]35]. The main components are similar to our previous unambiguous state elimination (USE) QDS system, with the multiport removed [13]. The sender Alice and receivers Bob and Charlie are all constructed from 4.4 µm core diameter "panda-eye" polarization maintaining fiber [36] that can support two orthogonal linear polarization modes. Alice generates 850.17nm wavelength coherent-state pulses at a repetition rate of 100 MHz by means of an electrically gain-switched vertical cavity surface-emitting laser (VCSEL) and a motorised optical attenuator [13]. A Lithium Niobate (LiNbO 3 ) phase modulator is used to encode the phases on weak pulses; a strong reference pulse is delayed by half a period from the encoded states. The uncertainty in the phase encoding is ±1.6 × 10 −6 rad, primarily induced by amplitude jitter in the electrical driving signal. The signal and reference pulses have orthogonal linear polarizations and are efficiently recombined using a polarisation beam combiner (PBC) [37] before transmission through the 9 µm core diameter optical fiber quantum channel. The quantum channel is composed of reels of Corning SMF-28e optical fiber [38] that were retained within the same laboratory as Alice, Bob and Charlie. Short lengths of 4.4 µm core diameter fiber [39] are spliced onto the input and output of the quantum channel to eliminate higher order spatial modes [40].
Mechanical and thermal stresses induced on the quantum channel will result in a time-evolving birefringence in the quantum channel that serves to reduce the linearity of the polarizations as they propagate. Bob and Charlie employ paddle-type static polarisation controller (SPC) to apply an opposing birefringence over a short (≈1 m) length of 4.4 µm core diameter fiber, returning the states to linear prior to the measurement step. This correction is applied manually once before a set of measurements are recorded and is monitored during operation, with realignment when necessary. Future revisions of this system will employ automatic correction of polarization evolution by means of monitoring a fraction of the delayed bright reference pulse.
A polarization beam-splitter in each receiver ensures that the weak signal pulse traverses the long path with the 5 ns delay while the bright reference pulse traverses the short path. The polarization and intensity of the reference pulse are altered to match the signal pulse before the two pulses are recombined on a final 50:50 beam combiner (BC) where they interfere. USE [18] is used to eliminate some possible phases for the signal states [13]. Commercially available free-running Geiger-mode (photon-triggering) [41] silicon single-photon avalanche diodes (Si-SPADs) [42] are employed as detectors, because they have reasonable detection efficiency (≈40%) for photons with a wavelength of 850 nm, a low dark count rate (≈300Hz) and a low afterpulsing probability (≈0.5%) when compared to semiconductor detectors used at the telecommunications wavelengths [43,44]. Although superconducting detectors have exhibited detection efficiencies of 93% [45] such devices typically must be cooled to temperatures around 4 K with cryogens or large closed cycle coolers [46] during operation while semiconductor technologies usually operate at near room temperature with Peltier coolers [42,44]. There have been recent advances in semiconductor single-photon detector technologies for wavelengths around 1550 nm [44] and it is likely that future QDS experiments over Corning SMF-28e optical fiber [38] will employ these technologies to further enhance the transmission range. Detector trigger events are time-stamped with time interval resolution of 1 ps using commercially available electronics [47]. Technical limitations of interfacing and computer control meant that the maximum event rate that could be recorded by the receivers was approximately 4 MHz. The time-stamping electronics require a 10 MHz reference signal that is provided by common rubidium clock that is shared between Alice and the receivers.
The air-gaps in each receiver consist of an immobile launching collimating lens and a collection lens attached to a linear piezo-electric-actuator with a total travel of ≈1.5 µm in steps of ≈15 nm. The receivers adjust the relative lengths of their measurement setup to ensure optimum interferometric visibility (typically 93%). The receivers' demodulation systems had a mean attenuation of 6.96 dB.
Analysis of the raw time-stamp information is carried out by custom software written in MATLAB [48]. The time-stamps are filtered to discard those that occur outside of a window of ±2 ns centred on the expected arrival time of a pulse a process that retains 80% on average of the raw counts. The non-gated counts are from background noise, dark counts and non-interfering pulses. The custom software examines the detector firing patterns to perform USE. The measurement records are then retained to allow for subsequent forwarding of measurement results from Bob to Charlie and vice versa. This step needs to be done in secret from Alice, and could thus be accomplished using a standard QKD link between Bob and Charlie; this was however not implemented in the current setup.