Agile and versatile quantum communication: signatures and secrets

Agile cryptography allows for a resource-efficient swap of a cryptographic core in case the security of an underlying classical cryptographic algorithm becomes compromised. Conversely, versatile cryptography allows the user to switch the cryptographic task without requiring any knowledge of its inner workings. In this paper, we suggest how these related principles can be applied to the field of quantum cryptography by explicitly demonstrating two quantum cryptographic protocols, quantum digital signatures (QDS) and quantum secret sharing (QSS), on the same hardware sender and receiver platform. Crucially, the protocols differ only in their classical post-processing. The system is also suitable for quantum key distribution (QKD) and is highly compatible with deployed telecommunication infrastructures, since it uses standard quadrature phase shift keying (QPSK) encoding and heterodyne detection. For the first time, QDS protocols are modified to allow for postselection at the receiver, enhancing protocol performance. The cryptographic primitives QDS and QSS are inherently multipartite and we prove that they are secure not only when a player internal to the task is dishonest, but also when (external) eavesdropping on the quantum channel is allowed. In our first proof-of-principle demonstration of an agile and versatile quantum communication system, the quantum states were distributed at GHz rates. This allows for a one-bit message to be securely signed using our QDS protocols in less than 0.05 ms over a 2 km fiber link and in less than 0.2~s over a 20 km fiber link. To our knowledge, this also marks the first demonstration of a continuous-variable direct QSS protocol.


I. INTRODUCTION
Throughout history, cryptography has been threatened by advances in mathematics, computational power and side-channel attacks, and may soon be threatened by quantum computers. The breaking of a cryptosystem, i.e. a suite of cryptographic algorithms and hardware needed to implement a particular security service, has usually triggered the development of new algorithms. These would subsequently be tested and hardened for years before they could finally be deployed into real world applications to secure our ever-growing digital infrastructure. The redeployment of cryptographic soft-and hard-ware is a costly endeavor.
In the past decade, crypto-agility has emerged as a prospective solution to this problem [1]. One of the core ideas of crypto-agility is to provide a middleware with a two-way interface between the software application layer and the crypto-core or algorithm of the cryptosystem, Fig. 1 (a), so that whenever a new attack vector emerges, the deployed architecture may stay in place and only the vulnerable crypto-core is replaced. This saves valuable deployment time as well as costs to re-engineer the whole system. The technical challenge is to design the middleware flexible enough to support novel crypto-cores.
We here suggest how crypto-agility-and the related concept of crypto-versatility, in which multiple crypto-graphic tasks are performed on the same system-can be translated to quantum communication. Just as the quantum computer hardware provides qubits and gates to run different quantum algorithms on it, we propose that quantum communication hardware may support a diverse range of quantum communication protocols. By providing an abstraction layer between quantum-enabled hardware and the post-processing stack necessary to realize a quantum communication protocol, quantum versatility can be achieved. For our system this also implies quantum agility.
hardware for all protocols. The employed physical system and the advances made in the security proofs of the protocols allow for an implementation compatible with telecom networks. Along with the agility and versatility aspects, this work marks the first demonstration of our CV QSS scheme and the first demonstration of a CV QDS system with GHz sending rates and record speed to sign a one-bit message. Our demonstration thus provides a step towards a full quantum crypto-agility and versatility, in which several different quantum cryptographic protocols may be implemented on the same hardware deployment with alterations only at the level of classical postprocessing.
Our paper is outlined as follows. In Sec. II, we propose and discuss two alternative approaches toward quantum crypto-agility and versatility, show that existing trends in the QKD and QDS literature may be interpreted in each context, and provide practical indications for when a quantum system may be deemed either agile or versatile. In Sec. III we discuss three cryptographic tasks, QDS, QSS and QKD, and introduce several secure protocols which rely on the same physical setups. These protocols are implemented in Sec. IV and the resulting key rates and figures of merit are displayed in Sec. V. We believe this demonstrates a crucial proof-of-principle step towards full quantum crypto-agility and crypto-versatility. Finally, we discuss our achievements through the lens of agility and versatility in Sec. VI.

II. QUANTUM CRYPTO-AGILITY AND VERSATILITY
Classical crypto-agility and versatility are described pictorially in Fig. 1(a), in which a potentially vulnerable crypto-core may be readily replaced without affecting the rest of the deployed system, and in which several tasks can be accomplished via the same encryptor-core. The encrypted communication is then sent on the hardware level via a network interface card (NIC). The exact algorithm chosen to accomplish the task can be swapped and patched without knowledge of the end-user. We suggest here two different approaches to consider a quantum crypto system as agile or versatile.
One can think of a first type of agility as classical crypto-agility assisted by QKD. Here a QKD system acts as a black box that delivers fresh shared keys to classical cryptography applications, see Fig. 1(b). The advantage is that the middleware does not have to care about key generation or the QKD protocol itself. The downside is that although the generated key can be used for many different tasks, the QKD system itself may not be repurposed to run any other quantum protocol on it, limiting its versatility and potentially imposing an additional resource overhead.
The second approach, quantum crypto-agility + versatility, is depicted in Fig. 1(c). Compared to the first approach, the QKD system is replaced by a quantum net- work interface card (QNIC). The QNIC is able to perform multiple quantum communication protocols (e.g. QDS, QSS or QKD) on the same hardware platform. It communicates its hardware capabilities through an interface to the protocol layer, where the matching protocol for the user task at hand is chosen. Such a layer stack is illustrated in Fig. 2 and demonstrated later in this Paper. Note that here the choice of a particular quantum cryptographic application is reduced merely to a software and/or firmware update. A quantum crypto-system structured like this carries direct analogy with the classical agile crypto-system of Fig. 1: hardware and agile interface stay the same and only the crypto-core, classical, as in Fig. 1(a), or quantum, as in Fig. 1(c), changes. This second approach to agility can be thought of as a choice of quantum "app" and therefore also allows versatile usage of the quantum hardware. This approach carries an advantage of economic use of resources. QKD requires resource-intensive postprocessing to generate a secure key, and real channel parameters (e. g., noise, losses) may be too restrictive to allow for efficient secret key distillation. Some tasks, however, can be performed directly without first generating a shared secure key via QKD. A good example are QDS protocols, in which a secure signature is created straight from a raw quantum state exchange, consuming fewer resources than an equivalent QKD protocol [2]. Thus, a versatile system capable of performing both QDS and QKD will in general allow for a more efficient use of quantum resources when full QKD is either not possible or not necessary.
To make explicit the ideas discussed above, we propose the terms quantum crypto-agility and quantum cryptoversatility to mean the following (see. Fig. 2): Quantum crypto-agility: As a minimal requirement, a quantum crypto system can be considered agile if it exposes its cryptographic capabilities through a stable and opaque interface to the end user, allowing a compromised implementation to be modified without requiring changes to user software. A given crypto system may be agile up to different degrees, depending on which implementation components can be modified cost-effectively after deployment. It is typically easy to update a system's software, harder to update or replace firmware and quite difficult and costly to replace hardware. The transfer of the crypto-agility idea to the field of quantum cryptography slightly changes its meaning since the security of the quantum crypto-core can be proven informationtheoretically. However, considering practical implementation security and the emergence of novel quantum cryptographic protocols and performance improvements to existing ones, an agile strategy seems prudent. Quantum crypto-versatility: We consider a quantum system to be versatile if it implements different cryptographic tasks (e.g. QKD, QDS, QSS) on the same hardware platform and makes these available to the user through a common interface. In a versatile quantum crypto system, the selection of a quantum protocol to fulfill the requested cryptographic task happens on the middleware level, Fig. 2. Since the inner workings of the specific task is only of concern for the manufacturer but not the user, this also implies agility. The converse may not hold true.
Quantum crypto-agility and versatility may also be relevant topics for ongoing standardization efforts, such as the ETSI QKD ISG 004 and 014 standards [3,4] that define the interface between applications and key providers such as a key management system or QKD systems. Based on these two standards, quantum crypto-agility and versatility could eventually be added as another standard in a lower abstraction layer to form a full stack in the future.
The idea of a layered architecture for QKD-secured communication systems is a natural one, and has been investigated before, e.g. in Refs. [5][6][7][8]. For example, large quantum networks of quantum senders and receivers, classical communication lines and trusted/untrusted central nodes have been considered in Ref. [5], where the study of different network topologies, and of the rela-tionships between existing classical and future quantum networks, is important. Further, quantum analogues to the TCP/IP stack are discussed in Refs. [7,8], and quantum repeater links are also considered, allowing for additional teleportation-based protocols over the network. In contrast to these outlooks, our focus is on the layered stack required for individual nodes in the network, and is complementary to these full-network approaches. Notably, to our knowledge, neither CV nor DV based systems capable of selectively performing several different quantum primitives on the same hardware have been demonstrated so far.
In the remainder of this paper we will thus demonstrate the versatility of two quantum systems by showing that the choice of quantum cryptographic task can be made entirely at the software level. Because of the employed middleware, which provides an innate separation between Hardware and User layers, this also implies that our system is agile.

III. BEYOND QKD: SIGNATURES AND SECRETS
In addition to the usual bipartite QKD, and in order to make our notion of quantum crypto-agility and versatility concrete, we consider the following multipartite tasks: QDS -quantum digital signatures: allows for the secure authentication of a classical message. It has been shown that because of its small overhead, QDS may run over channels for which QKD is insecure [2].
QSS -quantum secret sharing: allows for the secure distribution of a classical secret among a conspiracy of potentially dishonest recipients.
In the spirit of quantum crypto-agility and versatility introduced earlier, Figs. 1 (c), 2, we explicitly propose two communication systems, i.e. configurations of the same underlying hardware, which can each fulfill multiple quantum cryptographic tasks. The two systems may thus both be considered as agile and versatile, and we denote them QDS-b-QSS-b-CV-QPSK and QDS-f -QKDf -CV-QPSK, see Fig. 3. The labels indicate which cryptographic tasks (QDS, QSS or QKD) they support; the underlying quantum states that they use (a continuousvariable CV-QPSK alphabet); and in which direction (f -"forward" or b -"backward") the quantum states are exchanged. Labeling agile and versatile quantum cryptosystems by the hardware components they are based on and the protocols they support might prove useful in later efforts to standardize interfaces and provide some comparability between different implementations.
The agile and versatile approaches can in principle be applied to both discrete-and continuous-variable systems, with the agile middleware, Fig. 2, ensuring that the end-user does not need to care about whether (quasi)single photons or phase-encoded coherent states are used. For the remainder of the paper we focus on the CV platform, noting that the use of the QPSK alphabet and A layer-based description of an agile and versatile quantum cryptosystem, showing how its modular and decoupled components can be swapped out and recombined, similarly to puzzle pieces. Quantum crypto-agility and versatility can both be realized by introducing a middleware (a collection of interface layers) between the user application (yellow) and quantum hardware (purple) layers. This requires that the hardware drivers expose a set of standardized functions to the layers above it. The middleware can then select suitable quantum crypto primitives and hardware-compatible protocols to fulfill a given user request for a given cryptographic task. In this manner, the middleware layers generalize and extend the functions of a key management system (KMS). For some of the acronyms occurring in this figure, please refer to the caption of Fig. 1. CV-I/Q-TX and CV-I/Q-RX denote sender (Tx) and receiver (Rx) hardware modules capable of performing continuous-variable (CV) I/Q modulation and detection.
heterodyne detection renders our system highly compatible with standard telecom infrastructure, potentially paving a way to integrating agile and versatile quantum crypto systems into deployed communication links which run with up to 100 GHz sending rate [9,10]. With this in mind, the protocols presented here sit within the field of continuous-variable (CV) quantum cryptography, which aims towards fast sending rates over metropolitan distances. The four individual protocols each provide asymptotic security against a dishonest player performing a collective beamsplitter or entangling-cloner attack. Descriptions of each protocol and key details in their security proofs are sketched below, while the reader is referred to the appendices for technical details.
The sender (Tx) and and receiver (Rx) modules may be reconfigured to make Alice either the sender ("fconfiguration") or receiver ("b-configuration") of quantum states. Each setup may be immediately considered versatile, since once either the f -or b-configuration is chosen, multiple different cryptographic tasks may be performed. Agility is implied by separation of the User and Hardware layers through a stable and opaque interface (see Fig. 2). Shading and a dashed outline are used to indicate that a single device may be used to emulate two different endpoints as described in Sec. IV.

A. First agile and versatile system QDS-b-QSS-b-CV-QPSK
The first agile and versatile system we consider relies on the b-configuration, with Bob and Charlie as the senders (Tx) of quantum states, while Alice performs heterodyne detection (Rx), Fig. 3. This QDS-b-QSS-b-CV-QPSK system is capable of performing both QDS and QSS tasks via the protocols QDS-b and QSS-b, which are described below. Our experiment, detailed in Section IV, also marks the first demonstration of CV QDS over insecure quantum channels.

The QDS-b protocol
The very first QDS scheme was proposed in Ref. [11] and required a quantum memory. In the last two decades, discrete-variable (DV) QDS protocols have first lifted this requirement [12][13][14][15] and then also have lifted the need for a trusted quantum channel [2,16], and have brought their hardware requirements closer to those of QKD [17]. Recently, DV QDS implementations based on deployed networks have been demonstrated successfully over metropolitan distances [18][19][20][21][22]. Indeed, in several QDS papers, a nascent form of quantum versatility is mentioned, either explicity [18,20,23] or implicitly [19,21], but so far the comparison has always been that the distribution of quantum states for QDS is analogousor in some cases identical-to that required for QKD. For example, Ref. [18] differs from differential-phase-shift QKD only in post-processing. Similarly, one protocol in Ref. [17] is designed specifically to share sender and receiver with QKD, while another requires first full QKD and then classical communication to sign a message. Despite these recognitions, to our knowledge the full utility of applying the idea of quantum crypto-agility and versatility to a deployed quantum network has not yet been explored, nor have additional cryptographic protocols been studied in this framework.
Unlike those preceding QDS protocols, in which Alice was the sender of quantum states, in QDS-b Bob and Charlie are the senders of quantum states, while Alice is the recipient, Fig. 3 (b). This allows QDS-b to be performed on our first agile and versatile system QDS-b-QSS-b-CV-QPSK.
The protocol QDS-b runs as follows: 1) For each future message m ∈ {0, 1}, which Alice wishes to securely sign, Bob and Charlie both send Alice a sequence, length L, of coherent states chosen randomly from the QPSK alphabet. Bob and Charlie each keep a record of which states they have sent. 2) Alice performs heterodyne detection on each received state, and forms eliminated signatures A m B,C by writing down which two states from QPSK are least compatible with her measurement outcome, that is, which states have the smallest conditional probability of being sent.
3) Bob and Charlie swap a random half of their signature elements in order to guard against dishonest Alice [24]. Bob (Charlie) now possesses signatures X m B , (X m C ), which consists of two halves of length L/2, one of which was generated by Bob (Charlie), and one of which was received during the swapping. 4) Later, Alice sends her message m and the corresponding A m B,C , first to Bob. Bob compares his record of which states were sent, and counts the number of mismatches. A mismatch occurs if Alice claims to have eliminated a state which Bob indeed did send. Provided that there are sufficiently few mismatches, he accepts m as genuine and forwards to Charlie, who likewise accepts or rejects by counting the number of mismatches.
A QDS scheme must be secure against both forging attacks, in which a dishonest Bob will attempt to convince Charlie that a message is genuine; and repudiation attacks, in which a dishonest Alice will attempt to force Bob and Charlie to disagree about the message's validity. Furthermore, noting that a QDS protocol which declares all possible signatures as fake may be considered trivially secure, we require that the protocol should succeed if all parties are honest, that is, it should be robust.
The full security proof of QDS-b may be found in Appendix A. Here we simply note that security against forgery is guaranteed by picking a highly non-orthogonal alphabet of coherent states, i.e. the amplitude of the QPSK alphabet should be sufficiently small.
The main security result for QDS-b is the following expression for the binary entropy h of a forging Bob's probability p e to induce a mismatch with Charlie. The χ denotes Bob's Holevo information about Charlie's distributed state. Then the final signature length L required to sign a 1 bit message with ε f ail probability of failure is implicitly given by [25,26] provided that security parameter p e − p err > 0, where p err is an honest player's mismatch probability, which can be estimated during the protocol. In other words, QDS-b is secure against any attack provided that a dishonest player causes more mismatches than an honest player.
The protocol QDS-b performs well over channels with low loss and low excess noise, but in order to reach feasible signature lengths over realistic channels we will employ the postselection technique [27]. To our knowledge this is the first time this technique has been leveraged in the context of QDS. Alice will discard measurement outcomes for which she has a large probability of mismatch, thereby reducing p err . Since a forger will attack the sender (Tx) of quantum states rather than Alice, the probability p e is unaffected by postselection. The security parameter p e − p err may then be readily altered simply by choice of postselection region. The full postselection calculation is found in Appendix B.
The experimental implementation of the protocol is presented in Sec. IV, and the signature length L required to sign a 1 bit message to ε f ail chance of failure is given in Sec. V.

The QSS-b protocol
A secret-sharing scheme allows for Alice to distribute a classical secret between recipients Bob and Charlie. Bob and Charlie should be able to perfectly reconstruct the secret when they behave honestly, while either Bob or Charlie working alone should gain no information.
Although some existing classical secret-sharing schemes are already information-theoretically secure [28], they encounter problems when distributing the shares of the secret across insecure channels, and may fall prey to an eavesdropper with a sufficiently powerful quantum computer. A potential solution is to employ a quantum secret sharing (QSS) protocol which uses quantum resources in order to share the classical secret [29,30]. For example, the scheme put forward in Ref. [29] relies on large multipartite entangled states for distillation of keys between the dealer, Alice, and a degree of freedom shared between recipients. In another protocol [30] security is reached via a "round-robin" distribution stage with each player interacting with the same transmitted quantum state.
Crucially, unlike these approaches which require dedicated hardware setups or distribution of large entangled states, the QSS-b protocol presented here accomplishes the secret-sharing task using only distribution of QPSK coherent states and heterodyne detection, and thus forms an integral part of our first agile system QDS-b-QSS-b-CV-QPSK, Fig. 3. We demonstrate in Sec. V that QSS-b attains a larger key rate than an equivalent informationtheoretically secure classical secret sharing scheme using two continuous-variable QKD setups.
In the QSS-b protocol, the dealer (Alice) is assumed honest, while either one of the Bob or Charlie may be dishonest. Additionally, a dishonest fourth player, Eve, may be present. For now we assume that a dishonest Bob/Charlie will send states only from the QPSK alphabet, though this could be relaxed in future work.
The protocol QSS-b runs as follows: 1) Bob and Charlie send sequences of coherent states to Alice, which are independently and randomly chosen from the QPSK alphabet. Alice performs heterodyne measurement of phase and records her outcomes A B , A C ∈ C. Bob and Charlie keep a record, X B , X C , of which states they have sent.
2) Alice forms a variable X A F (A B , A C ) which is some function F of her measurement results. She then encodes the secret using the X A , and makes the encoded secret publicly available.
3) Later, when Alice wishes to allow Bob and Charlie to reconstruct the secret, she leaks the function F and enough information to perform a reconciliation procedure between her X A and the X A F (X B , X C ) generated by Bob and Charlie. The reconciliation proceeds as in regular QKD. 4) Bob and Charlie, by working together to form and reconcile F (X B , X C ), gain a copy of Alice's key. Thus they are able to decrypt her message.
The protocol should prevent dishonest players from reconstructing the secret unless they collaborate with the honest player. Specifically, they are forced to collaborate by Alice's choice of F which requires information from both players to reach the key. The function F can be arbitrarily chosen and optimized over, though for con-creteness we choose F to be linear, i.e.
for g, h ∈ R; Alice is free to choose a more general F if it is optimal for her setup. The security proof for QSS-b is found in Appendix C. The main security result is a calculation of the key rate κ generated between Alice and a Bob-Charlie collaboration. The key rate corresponds to the number of secure key bits which which may be encrypted per channel use, i.e. after both Bob and Charlie have sent a state. One channel use thus corresponds to distribution of two coherent states.
In the the presence of dishonest Eve and honest Bob/Charlie the key rate κ is given by the following Devetak-Winter bound [29,31] κ ≥ I (X B , X C : relating the mutual information I between Bob/Charlie's classical information X B,C and Alice's information X A , and the Holevo information χ which Eve's quantum system E holds about X A . More general bounds to guard against dishonest Bob/Charlie are given in the Appendix. The QSS-b protocol is implemented in Sec. IV, and the key rate to allow for secure secret-sharing is given in Sec. V.

B. Second agile and versatile system QDS-f -QKD-f -CV-QPSK
In addition to our first agile and versatile system described above, which is capable of readily switching between QDS and QSS tasks, we will demonstrate that cryptographic protocols which already exist in the literature may be viewed through an agility/versatility lens. We therefore turn to consider a second agile and versatile system, denoted QDS-f -QKD-f -CV-QPSK, which is capable of performing either QDS or QKD tasks in a "forward"-configuration, Fig. 3.
A QDS protocol in which Alice sends quantum coherent states was previously considered in Ref. [25]. There, it is Bob and Charlie who form eliminated signatures, and check for mismatches between their eliminated signatures and Alice's declaration of which states she sent. We here denote this protocol QDS-f .
To go beyond [25] we apply the postselection technique to QDS-f , which decreases the number of quantum states L required to sign a message, particularly in the presence of channel noise. Since (in contrast to QDS-b) it is now Bob and Charlie who heterodyne, rather than Alice, both terms p e and p err now change with the choice of postselection region. The effects of postselection on QDS-f , and key steps from the security proof, are detailed in Appendix B.
Finally, we round-off the second agile and versatile system by noting that the discrete-modulation QPSK QKD protocol, analysed e.g. in Ref. [32], may be readily implemented using the same hardware setup as QDS-f without requiring reconfiguration. This protocol, which we here denote QKD-f , may be performed between either Alice-Bob or Alice-Charlie. The full security proof is found in Ref. [32], and we display the estimated maximum rate of secure key generation for our system under QKD-f in Section V.

IV. EXPERIMENT
An optical sender (Tx) and receiver (Rx) module as shown in Fig. 4 are used to experimentally investigate the performance of the protocols QDS-f , QKD-f , QDSb and QSS-b. Depending on the required configuration, Tx and Rx take on the roles indicated in Fig. 3. Our protocols do not require the quantum state exchange between parties A-B and A-C to be simultaneous. For this demonstration, we thus emulate the deployment of identical Tx/Rx hardware at B and C by instead sequentially linking a single Rx and Tx using a 2 km (−0.65 dB) or 20 km (−4.75 dB) SMF-28 optical fiber channel. Each state exchange between A-B and A-C is performed as an independent sub-experiment.

Sender module (Tx):
A PurePhotonics PPCL-300 external cavity diode laser (ECDL) with a linewidth of 15 kHz tuned to a wavelength of 1550 nm acts as an optical carrier. Using a Fujitsu DP-QPSK 40 Gbps LiN bO 3 -integrated I/Q modulator, driven at a rate of 1 GHz by a Keysight M8195A arbitrary waveform generator (AWG), the sender randomly prepares pulses of coherent states chosen from the QPSK alphabet {|±α 0 , |±iα 0 }. These states are attenuated to a chosen output amplitude α < α 0 with a variable optical attenuator and sent to the receiver.
Receiver module (Rx): The receiver module interferes the incoming signal with a local oscillator in an integrated Kylia COH24-X 90 • hybrid and performs heterodyne detection of the electric field quadratures X and P for each state using two Discovery DSC-R412 balanced optical receivers with an analog 3 dB-bandwidth of 20 GHz. For the purposes of this demonstration, the local oscillator is sourced from the carrier laser and transmitted to the receiver using an additional fiber. The optical receiver outputs are digitized and processed on a Tektronix DPO77002SX digital sampling oscilloscope using a sampling rate of 25 GS/s. Digital signal processing (DSP) is applied to the quadrature time traces, consisting of a high-pass filtering operation to eliminate lowfrequency noise components and a phase recovery step using reference states.
Experiments were performed for different modulation amplitudes α, as indicated in Tab. I. For each state exchange, a total of 1.92 × 10 6 states were sent in frames of 64, with 4 bright phase reference states at the start of each frame. Of those, 1.54 × 10 6 states or 80.2 % remained after the DSP. A phase space diagram of the  Fig. 2) are realized in our demo system as different pieces of software running on a laptop connected to our sender (Tx) and receiver (Rx) hardware. Bottom: The Tx and Rx modules used to perform four distinct quantum protocols, assuming different communication roles A, B or C as shown in Fig. 3. ECDL: external-cavity diode laser, iso: isolator, VOA: variable optical attenuator, IQM: I/Q modulator, pol.c.: polarization controller, AWG: arbitrary waveform generator, LO: local oscillator, 90 • h: 90 • hybrid, OSC: oscilloscope .
quantum state constellation and a section of the measured raw data can be seen in Fig. 5.

V. RESULTS
The agile and versatile system QDS-b-QSS-b-CV-QPSK has been investigated over the 2 km fiber link with averageᾱ = 0.64 and an excess noise in the channel of 2.7 % in the laboratory conditions that represent the first targeted implementation of an agile and versatile quantum communication system. We obtain practical figures of merit for each of the protocols (5.7 ms to sign a 1-bit message for QDS-b and 2κ = 0.3726 key rate for QSS-b), listed in Tab. I. The protocol QSS-b has also been investigated in several 20 km experimental runs for different α and different levels of excess noise with key rate up to 2κ = 0.1058, completing the first demonstration of our practical CV QSS, Fig. 6 FIG. 5. Top: Raw quadrature data traces produced by our quantum communication system running quadrature phase shift keying (QPSK) modulation. Bottom: A resulting phasespace constellation diagram after digital signal processing (DSP) has been applied to the raw data. Shaded circles indicate the means and variances of the coherent states sent and received, including quantum key states (green) and auxiliary phase reference states (red).
The second agile and versatile system QDS-f -QKD-f -CV-QPSK has been investigated over a 2 km laboratory fiber link and in several runs over 20 km for different amplitudes and different levels of excess noise in order to explore performance at larger distances, which are less favorable for CV communication systems. Alongside the agility and versatility aspects, this experiment has demonstrated the fastest to-date QDS system at intracity distances, allowing to sign a 1-bit message in less than 0.05 ms over a 2 km fiber link. It has also allowed for a secure performance of the agile system at 20 km distance with feasible signature lengths, Fig. 7, with signing times close to the recent best DV experiments, Fig. 8.
The maximum calculated secure key rates for QKD-f for this agile and versatile system are displayed in Fig. 7 and Tab. I. The maximum obtainable QKD key rate for the system is κ = 0.1024. We detail and benchmark the different aspects of the experimental performance of the two agile and versatile systems in what follows. The signature lengths at a distance of 2 km remain modest both in the ideal (above) and experimental realizations (Tab. I), and the system is robust to choice of α. Bottom: Maximum calculated QSS key rates under protocol QSS-b with a dishonest Eve performing a beamsplitter attack, and either Bob or Charlie dishonest. The key rate is robust to variations in α, and remains large even for our 20 km channel. Solid (red), dashed (blue), dot-dashed (orange) and dotted (green) lines correspond to the performance deduced by parameters from experimental runs 1, 2, 3 and 4, respectively. Vertical grid lines depict loss levels over experimental channels A and B, corresponding to fiber lengths 2 km (0.65 dB loss) and 20 km (4.75 dB loss).

A. Settings for the system runs
We performed the experiment detailed above over two different channels which we denote channel A and channel B, corresponding to 2 km fiber length and 20 km fiber length, respectively. During the experiment, measurement outcomes corresponding to parameters detailed in Tab. I were obtained. Each element of the QPSK alphabet had slightly different sending amplitude in each experiment, and we display the average amplitudeᾱ in QDS signature lengths (L) and signing times (t) required to sign a 1-bit message for security level of ε = 0.01%. The QSS and QKD key rates correspond to the maximum estimated number of bits of secure key which may be generated per use of the quantum channel. In QSS-b, one channel use corresponds to distribution of two quantum states, one from Bob and one from Charlie, and so we display 2κ for fair comparison with QKD.
the table. The excess noise ξ above the shot-noise was calculated for each quadrature x, p and ξ = max{ξ x , ξ p } was taken as a worst-case scenario. We now process our measured data with reference to each of the four quantum protocols and thus demonstrate quantum cryptoversatility, thereby implying agility, for our systems.

B. First agile and versatile system QDS-b-QSS-b-CV-QPSK
In the first agile and versatile system QDS-b-QSS-b-CV-QPSK, the sender module Tx is understood to play the role of either Bob or Charlie, while Rx plays the role of Alice.
a. QDS-b: Signature lengths are calculated using data parameters from Tab. I with the postselection region R (∆ r ) optimized at each channel loss, see Appendix. B. In the ideal case, the probability p err is calculated using Eq. (B3) under the model described in Appendix B, which includes both channel excess noise ξ, ascribed to Eve, and a detector efficiency of 50% which Eve cannot exploit. We allow Eve to perform the entangling cloner attack [25] which is expected to be optimal in the limit α → 0, and close to optimal for the small α's used here, and probability p e may be estimated as in Appendix A once the worst-case α and ξ have been estimated from data. The ideal signature lengths for QDS-b are displayed in Fig. 6.
More realistic signature lengths may be calculated by taking into account in the estimate of p e the actual amplitudes and sending probabilities which Tx sent, rather than an average, and by measuring p err directly from the output of Rx. The p err calculated this way takes into account all sources of detector loss and trusted noise which will increase p err , and thus the measured L will be larger than those in Fig. 6.
Further, in comparisons between commercial implementations, the implicit Bob-Charlie QKD channel for the swapping stage of the QDS protocol should be included in a figure of merit to give a realistic accounting of the resource requirements. We stress however that the aim of our QDS analysis is primarily to give a comparison with recent QDS schemes (see Fig. 8). Therefore, our approach to the classical postprocessing focuses on the QDS distribution stages (following the QDS literature [2,18,26,33,34]) in order to allow for this comparison.
For experimental run 1 over the 2 km channel under entangling-cloner attack, signature length L = 5.7 × 10 6 is required to sign a single bit, Tab. I. However, even at 20 km, QDS-b could still be made secure by choosing a large postselection region with ∆ r 1, but for loss levels more than ∼ 2 dB the signature length required becomes impractically large.
b. QSS-b: For our secret-sharing protocol QSS-b, Fig. 6, the Holevo information is calculated by estimating channel transmission T and excess noise ξ from the data and assuming the dishonest players perform a beamsplitter attack. In our reported results we have optimized over g, h ∈ R which parametrise the function F (X B , X C ) = gX B + hX C .
The mutual information is calculated by calculating the probability p (x|α k ) of measuring x ∈ C at the output when coherent state α k was sent, noting again that the realistic non-identical amplitudes and probabilities of the implemented QPSK alphabet may be readily included. Further details are found in Appendix C.
Maximum QSS key rates are calculated from measured experimental parameters, Tab. I. We see that twice the key rate, 2κ, is greater than the comparable key rate κ for QKD-f (remembering that one channel use is defined differently between QKD and QSS). In other words, QSS-b outperforms pairwise QKD, by consuming fewer quantum resources. Protocol QSS-b is therefore preferable over a classical information-theoretically secure protocol which can be performed over pairwise QKD-encrypted channels.

Bob or Charlie.
a. QDS-f : The performance of protocol QDS-f is displayed in Fig. 7 under a beamsplitter attack. The excess noise and detector efficiency from experiment are included, and p e and p err are calculated via analogous methods to QDS-b, above. We see that in the ideal analysis of Fig. 7, protocol QDS-f allows for very small signature lengths O 10 4 at 2 km, while at 20 km the predicted lengths are still very modest at O 10 6 .
For small channel loss the required L is roughly invari-ant over a broad range of α, which suggests that QDS-f is robust to experimental differences, and is thus easy to implement on an agile and versatile system alongside future alternative cryptographic protocols which may require more restrictive choice of α. For large channel loss however the choice of α becomes increasingly important, but using for example the meanᾱ = 0.55 and ξ = 2.1% from experimental run 3, QDS-f is predicted to remain secure even down to 20 dB loss with still-feasible signature lengths O 10 9 , which would allow a one-bit message to be signed in approximately one second. A more realistic signature length may be calculated by using the p err directly measured from the output of Rx, which includes all noise sources and detector inefficiencies. This results in the signature lengths which are displayed in Tab. I. Crucially, they remain highly feasible over the metropolitan distances where continuousvariable cryptography is expected to be effective. Of particular note is the L = 47, 887 required to securely sign a 1 bit message over 2 km fiber, which to our knowledge makes QDS-f the fastest ever demonstration of a QDS protocol, requiring just 0.047 ms to sign a message at our 1 GHz sending rate, Fig. 8. b . QKD-f : The calculated maximum secure key rates under protocol QKD-f are plotted in Fig. 7 under a beamplitter attack. The performance of the protocol agrees with Ref. [32] and corroborates their results over comparable parameter regimes in amplitude, transmission and noise. The QPSK amplitudes reported in our experiment, however, are close to optimal. Calculated maximum key rates, deduced from experimental parameters, are displayed in Tab. I.
Finally, we want to note that key rates in a concrete implementation will depend on a number of parameters. For example, error correction in CV QKD can be computationally very demanding and will limit the obtainable key rate. An agile and versatile system therefore allows itself to resort to the protocol with the least demand on resources for a given task.

VI. CONCLUSION
Agile and versatile quantum cryptography allows the introduction of a layer abstraction between the quantum optical hardware and the protocol layer based on firmware and software. This allows future quantum cryptography systems to be optimized towards agility and versatility and to explore how this concept can be applied to already existing ones. To underpin this concept, we have experimentally demonstrated versatility by showing that the same quantum sender and receiver can be utilized independent of the protocol run on top of it. Because the agile middleware is opaque to the user layer, by design, the inner workings of the task are inaccessible to the user. This implies agility. The proposed layer abstraction could potentially be further developed through standardization groups [3,4]. 8. Time required to sign a one-bit message, and the corresponding channel lengths, for several recent QDS protocols. At the short distances (∼ 2 km) favoured by the continuous-variable platform, our QDS-f and QDS-b allow for signing times of less than 0.05 ms and 6 ms, respectively, improving previous results in CV (a) and discrete-variable systems (b). At at 20 km QDS-f has signing time comparable to recent DV QDS systems (c)-(e). Protocols depicted: Red triangles -current paper. (a) Free-space CV QDS [26]. (b) Unambiguous-state-elimination-based QDS [33]. (c) Differential-phase-shift-based QDS [18]. (d) GHz BB84 QDS [21]. (e) Early QDS-QKD "agile" system with measurementdevice-independent capabilities [23].
For the demonstrations we have utilized a continuousvariable quantum communication system that is almost exclusively built from commercial-off-the-shelf (COTS) telecom components. This makes it inherently compati-ble with telecom networks and allows C-band operation and high sending rates, since telecom components for coherent communication are optimized for GHz sending rates, even ranging up to 100 GHz as the state of the art. This setup has been operated at a sending rate of 1 GHz, however there is no known fundamental limit to these rates. The current limitation is the electronic noise of the coherent detection unit, which can be further optimized in future works.
The continuous-variable protocols investigated were quantum digital signatures (QDS), quantum secret sharing (QSS) and quantum key distribution (QKD). We have shown for the first time that postselection can be utilized for QDS, and have proven its enhanced robustness to noise and to channel loss. Postselection on QDS measurement outcomes decreases the required signature lengths and thus allows us to demonstrate the shortest signing time for realistic distances of 2 km and signing times comparable to recent discrete-variable QDS protocols over 20 km. Furthermore the security of the QDS protocols has been proven for forward and backward sending configurations, enabling them to be used in both of the agile and versatile systems presented in this paper.
Recall that a QDS protocol must be secure against repudiation and forgery, and it should be robust and succeed if all players are honest. We will prove the security of our protocol against each of these, and finally derive Eq. (2), which implicitly defines the main figure of merit of a QDS protocol, the signature length L required to sign a 1 bit message.
During a repudiation attack, Alice will try to cause Bob and Charlie to disagree about whether her message is genuine. Security against repudiation follows along similar lines to [25,26,33], and we reproduce key details below for completeness.
We assume that Alice is free to manipulate her declared A m B,C , and she has full control over the mismatch rates p B (p C ) with respect to states which she originally sent to Bob or Charlie, and the p B,C may even be chosen to be zero.
After swapping, step three of the protocol, Bob and Charlie both possess two half-signatures, each of length L/2, consisting either of states which they held originally or which they received during swapping. Alice succeeds in her repudiation attack if Bob accepts both of his halves as genuine, and Charlie rejects at least one of his halves as fake. Therefore the probability of successful repudiation is given by where A (B) denotes the event that Bob accepts on his first (second) half, and C (D) denotes the event that Charlie rejects on his first (second) half. Now, using probability inequalities P (X ∩ Y ) ≤ min {P (X) , P (Y )} and P (X ∪ Y ) ≤ P (X) + P (Y ) and Hoeffding's inequalities [35], we Therefore we arrive at provided that s B < s C , and where in the second inequality we have taken p = (s B + s C ) /2 in order to maximize ε rep . A QDS protocol is robust if it succeeds when all parties are honest. Even in this case there is a probability p err of mismatch, owing to the non-orthogonality of the QPSK alphabet. Since s B < s C , an honest message is more likely to be rejected by Bob than Charlie, so we bound this probability. The message will be rejected if Bob detects more than s B L/2 mismatches on either half of his eliminated signature. Using Hoeffding's inequalities this occurs with probability provided that s B > p err , i.e. Bob's mismatch threshold is greater than the honest mismatch rate. In a forging attack, an eavesdropper will aim to minimize their mismatch probability with respect to either of the X m B,C generated by Bob and Charlie. Since Bob already knows half of X m C (the information which Bob himself forwarded), and since s B < s C , the most dangerous forger is a dishonest Bob. He is therefore assumed to eavesdrop on Charlie's distribution of quantum states, and tries to gain information about the L/2 signature elements which Charlie generated himself.
Using Hoeffding's inequalities as in Ref. [25] we see that a forging attack succeeds with probability when p e > s C , and therefore all that is required is to bound p e , which we now do. Consider the j th signature element. Charlie holds some c j denoting which state from the QPSK alphabet he sent. Bob will declare an eliminated signature element, CV platform, relying on phase measurement of coherent states, has only recently been proven secure against general coherent attacks in the finite-size regime [38], and even then only for a Gaussian modulation of the coherent states. This choice of modulation is theoretically necessary-to simplify and bound the attack of the eavesdropper-but it is experimentally unrealistic. To our knowledge there is no full security proof for QPSK QKD which offers security against the general coherent attacks in the finite-size regime. Binary [39] and ternary [40] modulations have been asymptotically secured against collective attacks, but the bounds are not tight and the techniques are not expected to be generalizable to larger alphabets. Recent QKD works [41,42] have made advances towards full security with the QPSK alphabet by providing security against coherent attacks in the asymptotic limit. The first, Ref. [41], provides security by relying on a small-amplitude assumption to ensure that the QPSK alphabet is close to a Gaussian modulation. They also make the assumption of Gaussian optimality; neither of these techniques are applicable to CV QDS. The second work, Ref. [42], removes these assumptions and applies convex optimization methods to provide security, by building upon cutting-edge reformulations of the Devetak-Winter key rate bound and related semi-definite programming optimizations. Similar work should in the future be a key focus of the CV QDS community. We simply note here that should there become available a tight lower-bound for the eavesdropper's smooth min-entropy under the QPSK alphabet, we can readily insert it into our present QDS analysis with only minor modification to our proof.

Appendix B: Postselection in CV QDS
In the QKD context it has been known for some time that postselection will improve key rates in the presence of excess noise, and is even a requirement for distilling a key for T < 1/2 in the direct-reconciliation regime [27]. We are thus motivated to apply postselection to our QDS protocols in order to allow a message to be securely signed over a larger range of channel parameters.
To apply the postselection technique, recipients in the protocol will disregard unfavourable measurement outcomes, i.e. those for which a dishonest player is deemed to have too much knowledge, or for which the probability of honest mismatch is too high. We thus define a region R of phase-space, and only allow honest players to accept measurement outcomes x / ∈ R. The region R is then varied to increase the range of channel parameters for which the QDS protocols are secure, and to minimize signature length L.
To be concrete, in this work we take R parameterized by ∆ r , ∆ θ in polar coordinates in phase-space. This is the same postselection region considered in the recent QKD work Ref. [42], but if desired, more general regions may be readily considered. A protocol using no postselection technique may be retained by setting ∆ r → 0 and ∆ θ → 0.
We will now consider how this application of postselection affects security of QDS-b and QDS-f .

QDS-b
The crucial quantity which controls the security of a QDS protocol is g sec := p e − p err , which intuitively describes how much worse a dishonest player should fare than an honest player. The protocol is secure provided that g sec > 0.
In QDS-b, p e does not depend on Alice's heterodyne measurement, since a dishonest player will attack the sender (Tx) of the quantum states, and so p e is unaffected by postselection. We thus calculate the transformation of p err .
Although in an actual run of the protocol the honest mismatch rate p err should be estimated from a publicly disclosed subset of A m B,C and X m B,C , it is illustrative to consider how p err may be calculated theoretically. When Charlie sends state |α k through a lossy channel, transmittivity T, then Alice receives outcome x ∈ C with probability Thus, the probability of eliminating the state |α , when no postselection is used, is dθ p re iθ |α Postselecting on the region R, the mismatch probability becomes with f (r, θ) = p re iθ |α and N the probability that the outcome x ∈ C is accepted, i.e. it falls within C\R. Probability N is calculated analogously to Eq. (B3). For QDS-b the probability p e does not depend on Alice's heterodyne measurement, since a dishonest player will attack the sender (Tx) of the quantum states. The dishonest player's a posteriori state depends not on a recipient's heterodyne outcome, but only on the chosen distributed alphabet state, Appendix A. The postselection technique alters the probability distribution of heterodyne measurement outcomes which are used in the protocol; coherent state sending probabilities remain uniform and unaffected. Therefore, for QDS-b, the dishonest mismatch probability p e is unaffected by the choice of postselection region. This will no longer be the case for QDS-f , and we discuss this in detail in the next section.
Our analysis of the effects of postselection follows identically when excess noise is included, simply substituting in the requisite formulas from [25,32]. Finally, we note that when postselection is used the signature length L calculated from Eq. (2) should be rescaled in order to remain a useful figure of merit. While the normally calculated L counts how many signature elements are required to sign the message, many of the states which were sent during the protocol will be rejected. Including the rejected states in our accounting, the figure of merit is rescaled as L →L := L/N . These L andL may now be directly compared between protocols, and so in Sec. V we make no distinction between L andL.

QDS-f
Postselection affects probability p err in the same way as it does under protocol QDS-b. For our protocol QDSf , a dishonest player's declaration depends on an honest player's heterodyne outcome: so the dishonest mismatch probability p e must now also vary with R. We recall that the key security result for QDS-f , taking dishonest Bob as the forger, is [25] h (p e ) ≥ 1 − χ (B4) with χ the Holevo information between Bob's quantum system and Charlie's eliminated signature element. For the j th signature element in QDS-f this takes the form The a posteriori state ρ is the quantum state held by Bob when Charlie's eliminated signature element is x j 1 , x j 2 , and ρ j B is Bob's a priori state which is mixed over all eliminated signature elements.
Under the beamsplitter or entangling-cloner attacks considered in this work, the conditional state ρ j B|c held by Bob after Charlie measures c ∈ C may be readily calculated as in [25]. Then, since Charlie's eliminated signature element is entirely determined by the quadrant in which c lies, the state ρ where N is the required normalization factor, and where in the second line we have explicitly shown the calculation for a particular eliminated signature element.
Then we see that when postselection over region R (∆ r , ∆ θ ) is used, Eq. (B6) should be modified with N the same normalization factor as in Eq. (B3). The a priori state is likewise found by mixing Eq. (B7) over all quadrants, and thus p e may be calculated. The figure of merit for QDS-f under postselection is nowL, as in the preceding section, though since this may be directly compared with L in the absence of postselection we make no distinction in the main body of the paper. All results presented have the optimal choice of R (∆ r ), noting that variations in ∆ θ provide only small changes to signature lengths in both QDS-b and QDS-f , and so in the main body of the paper we set ∆ θ = 0 in order to focus on the much larger effects of the radial variations.