Practical challenges in quantum key distribution

Quantum key distribution (QKD) promises unconditional security in data communication and is currently being deployed in commercial applications. Nonetheless, before QKD can be widely adopted, it faces a number of important challenges such as secret key rate, distance, size, cost and practical security. Here, we survey those key challenges and the approaches that are currently being taken to address them.

Mbits per second. QKD has leaped out of the lab [17]. In China, the deployment of a 2000 km QKD network between Shanghai and Beijing is underway; in Europe, after the SECOQC network demonstration in 2008 [18], the UK is now creating a quantum network facilitating device and system trials, and the integration of quantum and conventional communications; in Japan, QKD technologies will be put into test to secure transmission of sensitive genome data; and the US has also started installing its own QKD network. Why practical challenges in QKD? In this review, we will focus on practical issues in QKD. We remark that, historically, practical considerations in QKD have led to ground-breaking inventions. For example, the need to counter the photon-number-splitting attack [19] triggered the invention of the decoy-state protocol [20][21][22], which allows efficient distillation of secure keys using weak coherent pulse based QKD systems that once were vulnerable. As another example, the need to counter detector side-channel attacks has led to the discovery of measurement device independent (MDI) QKD [23]. New theory that is due to practical advances in QKD also includes, for instance, the quantum de Finetti theorem [24], while security loopholes in QKD are closely related to loopholes in Bell inequality tests [25] -a key subject in the foundations of quantum mechanics. These issues are therefore of great interest to mathematicians and theoretical physicists.
QKD is clearly of interest to engineers too. For instance, practical QKD is closely linked to the development of new single-photon detection technologies such as superconducting nanowire single-photon detectors (SNSPDs) [26], superconducting transition-edge sensors (TES) [27], frequency up-conversion single photo detectors [28,29], and self-differential InGaAs avalanche photodiodes (APDs) [30], as well as of high performance homodyne detection techniques [31]. It is also the motivation for high-speed quantum random number generators (QRNG) [32] and broadband entangled photon sources [33].
Practical QKD has steered innovation and is a precursor in the field of Quantum Information Processing. Outline of the review. Despite the important theoretical and experimental achievements, a number of key challenges remain for QKD to be widely used for securing everyday interactions. For instance, much effort is being put into increasing the communication rate and range of QKD and making QKD systems low cost, compact and robust. New hardware such as chip-based QKD and new software such as novel protocols are being studied and developed. The security of practical QKD systems is another important challenge. In order to foil quantum hackers, protocols such as MDI-QKD and loss-tolerant QKD [34] have been developed and are currently being experimentally implemented. Yet, a comprehensive theory of the model of a QKD source remains to be constructed. To further extend the reach of QKD, two different approaches -quantum repeaters and ground-to-satellite QKD -are being pursued. In view of the proliferation of mobile computing devices including smart phones, mobile QKD applications have also attracted recent attention.
Furthermore, the standardization of QKD components is currently being pursued in ETSI (European Telecommunications Standards Institute) [35]. In what follows, we will highlight some of the above challenges and the various approaches that are being taken to tackle them.

Main protocols and implementations.
We begin our discussion with a brief overview of the main QKD protocols currently studied and the state-of-theart in their practical implementations. As our main focus here is the current challenges in the field, we refer the reader to a recent review [9] for the necessary background on the rigorous information-theoretic (or, unconditional) security definition of QKD in the composable framework, secure communication schemes including the one-time pad, the standard BB84 QKD protocol, and basic QKD components.
QKD protocols can be in essence divided with respect to the detection technique required to recover the key information encoded in the properties of light (Fig. 1a). In discrete-variable (DV) protocols information is typically encoded in the polarization or phase of weak coherent pulses simulating true single-photon states; hence the corresponding implementations employ single-photon detection techniques. The previously mentioned BB84 and decoy-state protocols are prominent examples in this category. Single-photon detection techniques are also necessary for the so-called distributed-phase-reference protocols, such as the coherent-one-way (COW) [36] and differential-phase-shift (DPS) [37] protocols, where the key information is encoded in photon arrival times or in the phase between adjacent weak coherent pulses. On the other hand, in continuous-variable (CV) QKD protocols information is encoded in the quadratures of the quantized electromagnetic field, such as those of coherent states [38,39], and homodyne or heterodyne detection techniques are used in this case. Such detectors are routinely deployed in classical optical communications, hence the CV approach offers the possibility for implementations based only on mature telecom components. All these protocols are prepare-and-measure in the sense that the transmitter, Alice, sends the encoded pulses to the receiver, Bob, who decodes as required by the specific protocol. On the contrary, in entanglement-based protocols [7], both parties receive parts of an entangled state and perform suitable measurements. More details on all protocols can be found in refs. [8,9,40,41].
When it comes to practical demonstrations, performance of point-to-point links is assessed by the distance over which secret keys can be distributed and the rate b d a c FIG. 1. a. Quantum key distribution systems use discrete-variable (DV) single-photon state encoding and single-photon detection techniques or continuous-variable (CV) quadrature field amplitude encoding and homodyne (or heterodyne) detection techniques. b. State-of-the-art experimental setup for the implementation of the decoy-state BB84 QKD protocol [42]. c. Stateof-the-art experimental setup for the implementation of the coherent state CV-QKD protocol [43]. d. Secret key generation rates demonstrated in some representative recent QKD experiments. Note that this figure is not meant to provide an exhaustive list of QKD implementations. Furthermore, protocol performance cannot be directly compared as different security assumptions are considered; for instance, decoy-state BB84 is secure against general coherent attacks while COW and CV-QKD are secure against collective attacks. QKD is a subject of active ongoing research and so further developments are likely to occur in the near future. The loss coefficient of 0.2 dB/km in standard single-mode fibers at telecom wavelengths is assumed in this figure.
of their distribution for a given security level. The security level is determined by the type of attacks considered in the corresponding security proof; demonstrating security against the so-called collective attacks [8] is an important challenge for an implementation, however information-theoretic security is achieved only when security against the most general (or coherent) attacks is proven. Hence, the ultimate goal is to provide this level of security at a speed and a distance that are compatible with practical applications. Some recent implementations have provided high levels of security: several QKD protocols have been demonstrated to provide composable security against collective attacks using reasonable data block sizes and practical setups, including decoy-state BB84 [42], COW [45], and CV-QKD [43,46]. Among those protocols, the security of decoy-state BB84 QKD has been extended to cover coherent attacks, for realistic block sizes and with a minimal sacrifice in the secret key rate [47,48]. Unfortunately, for COW, the best security proof against coherent attacks currently gives a secret key rate that only scales quadratically with the loss [49]. For CV-QKD with coherent states and heterodyne detection, a composable security proof against the most general attacks has recently been provided [50], but the current proof techniques do not allow a positive key rate for realistic block sizes in this case. Extending the security proofs for the latter protocols is therefore a pressing task in the theoretical study of QKD. Figures 1b,c show examples of advanced fiber-optic QKD systems allowing for real-time secret key generation over distances of 50 km with Mbit/s rates. In Fig. 1d we summarize some important experimental achievements from both established and emerging QKD protocols (discussed in the following sections). Although the security assumptions and technological maturity vary in these implementations, these results illustrate the diversity of protocols and experimental solutions that the research community has invented to push the performance of QKD technology. Indeed, tremendous progress has been achieved in recent years, and avenues for further progress will be discussed in the next section. We remark, however, that there are fundamental limitations on what can be ultimately achieved. Over optical fiber networks, the attenuation of light in standard fibers at the telecom wavelength of 1550 nm is 0.2 dB/km (or 0.16 dB/km in newly developed ultra low loss fibers). This unavoidable loss will not allow the range of point-to-point QKD links to exceed a few hundreds of kilometers as with overly excessive channel loss it would take several years to generate just one bit even using perfect light sources and detectors. Furthermore, with a practical lossy channel, the ultimate key rate is upper bounded by the so-called TGW bound [51] (see also [52] for a more recent result). The TGW bound provides a useful benchmark for the performance of all QKD protocol implementations.

Major challenges in performance and cost.
In the quest for high performance and low-cost QKD systems, both hardware and software solutions are currently being pursued. Hardware development. Key rate. Encryption keys generated by QKD can be used in a symmetric cipher scheme, such as AES (Advanced Encryption Standard), which is quantumresistant, for enhanced security, or they can be combined with the one-time-pad encryption scheme for unconditional security. In both cases, the secure key rate achieved by the underlying QKD layer in a typical application scenario is crucial. Higher secure rates allow for a more frequent update of encryption keys in symmetric ciphers, and for a proportional increase in the one-timepad communication bandwidth as this scheme requires the key to be as long as the message.
Presently, strong disparity exists between the classical and QKD communication rates. Classical optical communications delivering speeds of 100 Gbit/s per wavelength channel are currently being deployed [53], and a field trial featuring 54.2 Tbit/s aggregated data rate has recently been performed [54]. On the other hand, the Mbit/s rates achieved by QKD systems today are sufficient, for instance, for video transmission; however, it is clear that if we want in the longer term to encrypt high volumes of classical network traffic using the one-timepad, major developments on the secure key rate generated by QKD will be required.
The obtained key rate depends crucially on the performance of the detectors used. For QKD systems employing single-photon detection techniques, high efficiency and short dead time of the detectors are essential for reaching a high bit rate. The latest developments on high efficiency detectors [55][56][57] are extremely promis-ing; quantum efficiencies as high as 93% at telecom wavelengths have been reported for SNSPDs [56], and devices based on this technology with short dead time, low dark count, low time jitter and high detection efficiency are commercially available [58] (Figs. 2a,b). These results may allow for as much as a four-fold increase in the secret key rate, which currently stands at 1 Mbit/s over a 50 km fiber (or 10 dB loss) achieved using self-differential InGaAs APDs with an ultrashort dead time [42] (Fig.  2c). Further key rate increase is possible using wavelength or spatial mode multiplexing technologies which have been routinely used for increasing the bandwidth in data communications [53,59,60]. For CV-QKD systems, increasing the bandwidth of the homodyne or heterodyne detectors, while keeping at the same time the electronic noise low, is a necessary step for increasing the key rate beyond the 1 Mbit/s over 25 km that has been achieved [46]. Further progress continues to be pursued, targeting also higher efficiency, which is currently around 60% for fiber-coupled detectors at telecom wavelengths [43]. Furthermore, as shown in Fig. 1c, a practical issue in these systems is that the strong phase reference pulse (or, local oscillator) needs to be transmitted together with the signal at high clock rates; recent proposals that avoid this and use instead a local oscillator generated at Bob's site [61][62][63] are promising and will lead to more practical, high performance implementations. Distance. Extending the communication range of QKD systems is a major driving factor for technological developments in view of future network applications. QKD systems based on single-photon detection champion the point-to-point communication distance (or channel loss). Here, the low noise of single-photon detectors is the key enabling factor; in particular, the attainable range de-pends on the type and operation temperature of the detectors. InGaAs APDs can tolerate losses of 30 dB and 52 dB when cooled to -30 • C and -120 • C [45,65], respectively, while SNSPDs cooled to cryogenic temperatures have been demonstrated to withstand a record loss of 72 dB [66]. This loss is equivalent to 360 km of standard single mode fiber or about 450 km of ultra low loss fiber. Although technologically possible, further extending the point-to-point distance is increasingly unappealing because the channel loss will inevitably reduce the key rate to a level of little practical relevance. This is also true for CV-QKD systems, which are in general more sensitive to losses. Here, it is crucial to keep the excess noisethe noise exceeding the fundamental shot noise of coherent states -low and especially to be able to estimate the noise value precisely, which becomes increasingly difficult with the distance [40,43].
We remark that advances towards high performance QKD systems in terms of key rate and distance are coupled with the security guarantees offered by these systems. For instance, achieving composable security against general attacks requires in practice being able to perform efficient post-processing, including parameter estimation, over large data blocks with stable setups. Particularly for CV-QKD, performing efficient error correction and precise parameter estimation is of utmost importance [40,67]. Cost and robustness. For QKD systems to be used in real world applications, low cost and robustness are indispensable features alongside high performance. Several avenues are currently being pursued. First, QKD systems have been shown to coexist with intense data traffic in the same fiber [68][69][70][71], thus eliminating the need for dark fibers that are not only expensive but also often unavailable. Access network architecture allows simultaneous access by a multitude of QKD users, and importantly they are compatible with full power GPON (Gigabit Passive Optical Network) traffic in the same network [65,72]. Room-temperature single-photon detectors have been shown to be suitable for DV-QKD over up to 100 km fiber, thus removing cooling requirements for the entire QKD system [47,64]; for CV-QKD cooling is unnecessary. All these developments help reduce deployment cost as well as system complexity, footprint and power consumption.
Another important avenue to address the issue of cost and robustness is photonic integration [73]. Chip-scale integration will bring high level of miniaturization, leading to compact and light-weight QKD modules that can be mass-manufactured at low cost. Two main integration platforms are currently being explored, namely silicon (Si) [74] and indium phosphide (InP) [75], while alternative techniques include lithium niobate (LiNbO 3 ) integration and glass waveguide technologies. For QKD protocols employing single-photon detection the main difficulty comes from the receiver side so initial experiments have focused on transmitter integration. A LiNbO 3 integrated polarization controller was used for state preparation in a QKD implementation [76], while several techniques were combined to construct a handheld QKD sender module in ref. [77]. More recently, a QKD transmitter chip that is reconfigurable to accommodate the state preparation for several QKD protocols, including decoy-state BB84, COW and DPS, has been developed on InP [78] (Fig. 3). Chip-scale QKD receivers are also progressing. Lowloss planar-lightwave-circuits (PLCs) based on silicaon-silicon technology have been routinely used to replace fiber-based asymmetric Mach-Zehnder interferometers [78][79][80], a key enabling component for phase-based QKD protocols. Research efforts are currently focused on the integration of single-photon detectors using the aforementioned techniques, which will be essential for developing complete integrated systems. CV-QKD systems are particularly well suited for this objective because they only require the use of standard components. Indeed, Si photonic chips integrating many functionalities of a CV-QKD setup, including active elements such as amplitude and phase modulators and homodyne/heterodyne detectors based on germanium (Ge) photodiodes, have been developed [81].
Development of chip-scale QKD is still at its early stages. Further research in this direction will help bring the QKD technology closer to its wide adoption. New QKD protocols. In parallel to hardware development, much effort has also been devoted to novel QKD protocols aiming to outperform the established ones. Encouragingly, this line of research has led to protocols that may exhibit advantages when certain technical constraints are in place. Below, we discuss two protocols featuring high photon information capacity or noise tolerance. HD-QKD. High dimension (HD) QKD allows retrieval of more than 1 bit from each detected photon, thus offering an advantage in the photon information capacity when the photon rate is restrained [82][83][84]. The choice for encoding is to use the arrival times of time-energy entangled photon pairs [85], whose continuous nature permits encoding of extremely large alphabets. A security proof against collective attacks has been developed [86], which was followed by a laboratory experiment demonstrating a photon information capacity of up to 6.9 bits per coincidence and a key rate of 2.7 Mbit/s over a 20 km fiber [87]. While this development has narrowed the key rate gap between entanglement based and prepare-andmeasure QKD systems, its potential in a field environment will face a challenge to maintain the near unity interference visibility which was key to the obtained information capacity. HD-QKD without entanglement is also possible by exploiting the spatial degree of freedom, but its potential is restricted by the availability of high speed modulators [88,89]. RR-DPS-QKD. The Round-Robin (RR) DPS protocol, which was proposed in 2014 [90], removes the need for monitoring the channel disturbance to establish security, in stark contrast with conventional QKD protocols (see Fig. 4a for the principle). Instead, Eve's information can be tightly set, even to an arbitrarily low level, by just choosing experimental parameters. In theory, a positive key rate is possible for any quantum bit error rate (QBER) lower than 50%. This extraordinary QBER tolerance makes it attractive for deployment when large systematic errors cannot be avoided. Shortly after its introduction the protocol has stimulated a number of experimental demonstrations [91][92][93][94]. The RR-DPS-QKD protocol uses a transmitter identical to that found in a conventional DPS system [37], but requires a receiver that is capable of measuring the differential phase between any two pulses within a pulse group sent by Alice. Two different approaches are adopted. In the first, direct approach, a combination of optical switches and delay lines is used to bring the intended pulses into temporal overlap and then let them interfere [91,93,94] (see for example Fig. 4b).
A more ingenious approach is to let a common phase reference interfere with all pulses sent by Alice, and then determine the differential phase between those pulses whose interference with the common reference produces a photon click [92]. This approach avoids many problems associated with the direct one, such as loss and phase instability caused by optical delay lines and switches, but it will require remote optical phase locking for optimal performance. As it currently stands, the best key rate for RR-DPS-QKD is around 10 kbit/s for a 50 km distance in fiber [93] and cannot compete with the more mature decoy-state BB84 protocol. RR-DPS-QKD has the advantage of being robust against encoding errors [95], but it is vulnerable to attacks on detectors, which will be discussed in the next section.

Major challenges in practical security.
While the security of a QKD protocol can be proven rig-orously, its real-life implementation often contains imperfections that may be overlooked in the corresponding security proof. By exploiting such imperfections, various attacks, targeting either the source or the detectors, have been proposed; some of them have even been demonstrated to be effective against commercial systems [96][97][98]. We refer the reader to a recent review [9] for more details on quantum hacking and also countermeasures. To regain security in practical QKD, several solutions, including QKD based on testable assumptions [9], device independent (DI) QKD [99,100] (see also [101]), and MDI-QKD [23], have been proposed. In the following, we discuss some important recent developments in this direction. MDI-QKD. One promising long-term solution to sidechannel attacks is DI-QKD, where the security relies on the violation of a Bell inequality and can be proven without knowing the implementation details. While recent loophole-free Bell experiments [25,102,103] imply that DI-QKD could be implemented, the expected secure key rate is nevertheless impractically low even at short distances. A more practical solution is MDI-QKD, which is inherently immune to all side-channel attacks targeting the measurement device, usually the most vulnerable part in a QKD system. In fact, the measurement device in MDI-QKD can be treated as a "black box" which could even be manufactured and operated by Eve. Building upon [104,105], ref. [23] proposed a practical scheme with weak coherent pulses and decoy states (Fig.  5a), whose security against the most general coherent attacks, taking into account the finite data size effect, has been proved in [106] (see also ref. [101] which studied an entanglement-based representation with general finite-dimensional systems, and ref. [107] which proposed a DI-QKD protocol with local Bell test).
MDI-QKD [23] is a natural building block for multiuser QKD networks, since the most expensive and complicated measurement device can be placed in an untrusted relay and shared among many QKD users [72]. Several groups have demonstrated its feasibility. In particular, discrete-variable (DV) MDI-QKD was demonstrated over 200 km telecom fiber in lab conditions [108] and over 30 km deployed fibers [109]. With highly efficient single-photon detectors, the tolerable channel loss can be as high as 60 dB, which corresponds to 300 km telecom fiber [110]. A real-life fiber based multi-user MDI-QKD network was also implemented recently [111] (Fig. 5c). Moreover, a 1 Mbit/s proof-of-principle MDI-QKD experiment was performed [112], thus illustrating the high key rate potential of DV MDI-QKD. This was also studied in [113] for MDI-QKD employing state-ofthe-art SNSPDs; in Fig. 5b, simulation results of the secret key rate in this case show an achievable key rate of 0.01 bit/pulse over 25 km. With a transmission rate of 1 GHz, this corresponds to a secret key rate of 10 Mbit/s, which is sufficient for many cryptographic ap- plications. As a comparison, we also present in Fig. 5b the previously mentioned fundamental upper bound per optical mode (TGW bound) [51]. We see that the key rate of DV MDI-QKD is only about 2 orders of magnitude away from the TGW bound at a practical distance, hence this protocol is suitable for high speed communications in metropolitan area networks.
It is important to emphasize that one fundamental assumption in MDI-QKD is that Eve cannot interfere with Alice and Bob's state preparation processes. To prevent Eve from having access to quantum signals entering Alice's or Bob's labs and interfering with the state preparation process, MDI-QKD is commonly implemented using independent laser sources for Alice and Bob. Recently, gigahertz-clocked, phase-randomized pulses from independent gain-switched lasers have been demonstrated to interfere with high visibility, by control of the frequency chirp and/or emission jitter [112,114].
DDI-QKD. One drawback of MDI-QKD is that its key rate scales quadratically with the detector efficiency. This is because in most of existing MDI-QKD protocols (except for [115]), secure keys are distilled from twofold coincidence detection events [116]. Recently, the detector-device-independent (DDI) QKD protocol, designed to bridge the strong security of MDI-QKD with the high efficiency of conventional QKD, was proposed [117][118][119]. In this protocol, the legitimate receiver employs a trusted linear optics network to decode information on photons received from an insecure quantum channel, and then performs a Bell state measurement (BSM) using uncharacterized detectors. One important advan-tage of this approach is that its key rate scales linearly with the detector efficiency. This is achieved by replacing the two-photon BSM scheme in the original MDI-QKD protocol (see Fig. 5a) by a single-photon BSM scheme [120]. However, its ability to completely remove detector side-channel attacks has yet to be proven. Either countermeasures to Trojan horse attacks [121] or some trustworthiness to the BSM device is still required to establish the security of DDI-QKD [122]. In fact, mathematically the standard BB84 QKD protocol based on a four-state modulation scheme can be formulated into a DDI-QKD protocol [123]. This highlights the underlying connection between DDI-QKD and the BB84 protocol. Finally, we remark that the advantage of DDI-QKD compared to MDI-QKD becomes insignificant if high detection efficiency detectors are used in both schemes.
CV MDI-QKD. The MDI-QKD scheme has been extended recently to the CV framework [124] (see also [125,126] for a more restricted security analysis). In the CV framework, both Alice and Bob prepare Gaussianmodulated coherent states and send them to an untrusted third party, Charlie, who measures the correlation between the incoming quantum states. The CV MDI-QKD system requires high efficiency (> 85%) homodyne detectors for a positive key rate [113]. This efficiency requirement has been met in recent proof-of-principle laboratory free-space experiments [124,127]. However, achieving the required efficiencies in a fiber-based optical network setting is more challenging, owing to the detector coupling loss and losses by fiber network interconnects and components [111] (see also [128] for a different per-  [23]. b. Simulation results of MDI-QKD and TGW bound [113]. DV MDI-QKD has a high key rate and is suitable for metropolitan networks. The achievable key rate is about 0.01 bit/pulse at a channel loss of 5 dB (which corresponds to 25 km telecom fiber). The key rate of DV MDI-QKD is only about 2 orders of magnitude away from the TGW bound at a practical distance. The simulation corresponds to the symmetric MDI-QKD case where the channels between Alice and Charlie and Charlie and Bob have the same amount of losses. It assumes high-efficiency SNSPDs with detection efficiency of 93% and dark count probability of 10 −6 (per pulse) [56], and an intrinsic error rate of 0.1% [108]. The efficiency of error correction is assumed to be 1. 16. Note that if the detection efficiency is reduced, for instance, to 50%, this induces a drop of the key rate of about a factor of 4. This means that for the metropolitan applications of DV MDI-QKD, the requirement on detector efficiency is not stringent. c. MDI-QKD metropolitan area network experimental field test with untrusted relays [111]. Figures adapted with permission from: a. ref. [23], c 2012 APS; b. ref. [113], courtesy of Feihu Xu; c. ref. [111], courtesy of Qiang Zhang.
spective). When high efficiency detectors are in place, CV MDI-QKD would require an asymmetric configuration, where Charlie needs to be located close to one of the users. Even in this case, the expected key rate of the state-of-the-art CV MDI-QKD system drops to zero when the channel loss is above 6 dB (corresponding to 30 km standard telecom fiber) [113,124]. Therefore, for long distance (> 30 km) applications, DV MDI-QKD is currently the only option available for MDI-QKD. A reliable phase reference between Alice and Bob also needs to be established in CV MDI-QKD, and may be possible to realize using recently proposed techniques for standard CV-QKD [61][62][63]. Despite these challenges, CV MDI-QKD has the potential for very high key rates, within one order of magnitude from the TGW bound, at relatively short communication distances. QKD with imperfect sources. Given that the secu-rity loopholes associated with the measurement device can be closed by MDI-QKD, an important remaining question is how to justify the assumption of trustable quantum state preparation, including single-mode operation, perfect global phase randomization, no side channels, etc. On one hand, the imperfections in quantum state preparation need to be carefully quantified and taken into account in the security proof; on the other hand, practical countermeasures are required to prevent Trojan horse attacks [121] on the source. To address imperfections in quantum state preparation in QKD, a loss-tolerant protocol was proposed in ref. [34], which makes QKD tolerable to channel loss in the presence of source flaws (see also studies in [129,130]). Based on the assumption that the single-photon components of the states prepared by Alice remain inside a two-dimensional Hilbert space, it was shown that Eve cannot enhance state preparation flaws by exploiting the channel loss and Eve's information can be bounded by the rejected data analysis [131]. The intuition for the security of loss-tolerant QKD protocol can be understood in the following manner. By assuming that the state prepared by Alice is a qubit, it becomes impossible for Eve to perform an unambiguous state discrimination (USD) attack [132]. Indeed, in order for Eve to perform a USD attack, the states prepared by Alice must be linearly independent; but by having three or more states in a twodimensional space, in general the set of states prepared by Alice is linearly dependent, thus making USD impossible.
The above loss-tolerant protocol has been further developed and demonstrated experimentally in ref. [133], where the authors implemented decoy-state QKD with imperfect state preparation and employed tight finite-key security bounds with composable security against coherent attacks. The work in [34] has also been extended to the finite-key regime in [134], where a wide range of imperfections in the laser source, such as the intensity fluctuations, have been taken into account. In [135], a rigorous security proof of QKD systems using discrete-phaserandomized coherent states was given, thus removing the requirement for perfect phase randomization. With respect to this, we note that gain-switched laser diodes are presently the de facto QKD light source, capable of naturally providing phase-randomized coherent pulses at a clock rate of up to 2.5 GHz [136].
Progress has also been made on enhancing the security of QKD by carefully examining source imperfections in implementations. Refs. [137,138], studied the risk of Trojan horse attacks due to back reflections from commonly used optical components in QKD. Similar research was also conducted for CV-QKD [139]. In [140], by using laser-induced damage threshold of single-mode optical fiber to bound the photon numbers in Eve's Trojan horse pulses, the authors provided quantitative security bounds and a purely passive solution against a general Trojan horse attack.
All the above advances strongly suggest the feasibility of long distance secure quantum communication with imperfect sources. A promising research direction is to apply the above techniques for QKD with imperfect sources to MDI-QKD leading to practical side-channel-free QKD. To achieve this goal, it is necessary to establish a comprehensive list of assumptions on the sources, and verify them one by one. In a recent experimental demonstration [141], the loss-tolerant protocol is applied to a MDI-QKD setting. Such an experiment thus addresses source and detector flaws at the same time.
We end our discussion on practical security by noting that in both classical and quantum cryptography, it is also important to carefully address the risks of sidechannel attacks on the electronics and post-processing layers. Various side-channel attacks discovered in clas-sical cryptography, such as the timing attack [142], the power-monitoring attack [143], and acoustic cryptanalysis [144], can also pose threats to quantum cryptography. Closing these side channels requires substantial future efforts.

Network QKD.
So far, our discussion has been largely limited to point-topoint QKD links. While these links are useful for some applications, QKD network structures must be considered in order to enable access by a greater many users and also to extend the reach and geographical coverage. Additionally, the incorporation of mobile QKD nodes for key transports will add to network connection flexibility and allow even greater geographical coverage. In the following, we discuss approaches for building a QKD network and possibilities for future mobile QKD deployment. Building QKD networks. An important issue in a network setting is the topology that allows for multiple users to access the network. A star topology is suitable for this purpose for relatively short distance (up to 400 km). Imagine a star network where there is at most one intermediate node between any two users, allowing for secure quantum communication among all users without the need for the relay to be trusted. In fact, this approach has already been demonstrated based on the MDI-QKD protocol [111]. The long-term vision is for each user to use a simple and cheap transmitter and outsource all the complicated devices for network control and measurement to an untrusted network operator. Since only one set of measurement devices will be needed for such a network that is shared by many users, the cost per user could be kept relatively low. The network provider would then be in a favorable position to deploy state-of-the-art technologies including high detection efficiency SNSPDs to enhance the performance of the network and to perform all network management tasks. The important advantage is that the network operator can be completely untrusted without compromising security. Experimental demonstrations of network MDI-QKD, either in optical fibers [111] or in free space, are a major step towards such QKD networks with untrusted relays.
Nonetheless, MDI-QKD is limited in distance, hence in order to address the great challenge of extending the distance of secure QKD, three further approaches are possible. The first and the simplest approach is to use trusted relays. This is already feasible with current technology and indeed has been used as the standard in existing QKD networks [18,145]. By setting up trusted nodes, for instance, every 50 km, to relay secrets, it is possible to achieve secure communication over arbitrarily long distances. The QKD network currently under development between Shanghai and Beijing is based on this approach.
The second approach is quantum repeaters, which remove the need for the users to trust the relay nodes. Quantum repeaters are beyond current technology, but have been a subject of intense research efforts in recent years. The long-term vision here is to construct a global quantum internet as described, for example, in ref. [16]. Research efforts on quantum repeaters have focused on matter quantum memories and their interface with photonic flying qubits [146,147]. However, new recent approaches manage to reduce the need for a quantum memory [148] or to completely remove it by using all-photonic quantum repeaters [149].
Finally, the third approach is ground-to-satellite QKD. By using one or a few trusted satellites as relay stations, it is possible to extend the distance of secure QKD to the global scale. To this end, several free-space studies, including experiments with low earth orbit (LEO) satellites, have been conducted [150][151][152][153][154][155][156]. China, the EU and Canada are all currently exploring experimental ground-to-satellite QKD in ambitious long-term projects involving LEO satellites. Mobile QKD. The studies in free-space QKD may also open the door to mobile QKD networks, which can be useful in many applications, such as ship-to-ship communication, airport traffic control, communication between autonomous vehicles, etc. In such a network, the mobility of QKD platforms requires the network to be highly reconfigurable -the QKD users should be able to automatically determine the optimal QKD route in real time based on their locations. Fast beam tracking systems are indispensable. Furthermore, due to the strong ambient light, an effective filtering scheme is required to selectively detect quantum signals. A recent study shows that CV-QKD based on coherent detection could be robust against ambient noise photons due to the intrinsic filtering function of the local oscillator [157]. We also note that preliminary studies suggest that QKD at microwave wavelengths, which are widely used in wireless communications, might be feasible over short distances [158,159]. Driven by various potential applications, we expect that mobile QKD will become an active research topic in the coming years.

Conclusion.
In this review, we have discussed important challenges in practical QKD. These range from extending security proofs to the most general attacks allowed by quantum mechanics to developing photonic chips as well as sidechannel-free systems and global-scale QKD networks. Addressing these challenges using some of the approaches that we have presented will open the way to the use of QKD technology for securing everyday interactions.
As the lead application of the field of Quantum Information Processing, advances in QKD will have important implications in many other applications too. For example, a great range of quantum communication protocols beyond QKD have been studied in recent years and their development has directly benefited from research in QKD. These include, for instance, quantum bit commitment [160][161][162], quantum secret sharing [163][164][165], quantum coin flipping [166,167], quantum fingerprinting [168,169], quantum digital signatures [170,171], blind quantum computing [172,173], and position-based quantum cryptography [174][175][176]. It is known that some of those protocols, such as quantum bit commitment and position-based quantum cryptography, cannot be perfectly achieved with unconditional security. However, other security models exist, such as, for instance, those based on relativistic constraints or on noisy storage assumptions [177], where by assuming that it is impossible for an eavesdropper to store quantum information for a long time, one can retrieve security for such protocols.
Determining the exact power and limitations of quantum communication is the subject of intense research efforts worldwide. The formidable developments that can be expected in the next few years will mark important milestones towards the quantum internet of the future.