Enhancing quantum cryptography with quantum dot single-photon sources

Quantum cryptography harnesses quantum light, in particular single photons, to provide security guarantees that cannot be reached by classical means. For each cryptographic task, the security feature of interest is directly related to the photons’ non-classical properties. Quantum dot-based single-photon sources are remarkable candidates, as they can in principle emit deterministically, with high brightness and low multiphoton contribution. Here, we show that these sources provide additional security benefits, thanks to the tunability of coherence in the emitted photon-number states. We identify the optimal optical pumping scheme for the main quantum-cryptographic primitives, and benchmark their performance with respect to Poisson-distributed sources such as attenuated laser states and down-conversion sources. In particular, we elaborate on the advantage of using phonon-assisted and two-photon excitation rather than resonant excitation for quantum key distribution and other primitives. The presented results will guide future developments in solid-state and quantum information science for photon sources that are tailored to quantum communication tasks.

With the rise of quantum algorithms capable of breaking modern encryption schemes, there follows a global response to search for stronger security levels [1][2][3].While the security of most current schemes relies on the complexity of solving difficult mathematical problems, quantummechanical laws can provide security against adversaries endowed with unlimited computational power for some tasks [4,5].This type of security, known as informationtheoretic security, motivates research towards a quantum internet [6].
Modern communication networks rely on a handful of fundamental building blocks, known as cryptographic primitives [7,8].These can be combined with one another to provide security in various applications such as message encryption, electronic voting, digital signatures, online banking, anonymous messaging, and software licensing, to name a few.In order to reach information-theoretic security through quantum primitives, information is typically encoded onto quantum properties of light, such as photonic path, time-bin, polarization, and photon number [5].In the quantum realm, the uncertainty principle then ensures that any eavesdropper attempting to access quantum-encoded information, while unaware of the preparation basis, will alter the quantum states in a way that is detectable by the honest parties [4,9].
For such quantum primitives, it is expected that quantum dot-based single-photon sources (QDS) can excel by generating photons on-demand, with high brightness and low multiphoton contribution [10,11].In fact, source brightness is crucial in achieving high-speed quantum communication [12,13], while low multiphoton contribution minimizes information leakage to a malicious eavesdropper [14].In contrast to these on-demand singlephoton sources, widely used Poisson-distributed sources (PDS), such as attenuated laser states [5] and spontaneous parametric down-conversion [15], suffer from a stringent trade-off between high brightness and low multiphoton emission.Despite elaborate countermeasures proposed to overcome this trade-off [16,17], the distance and rate of secure quantum communication can be increased using on-demand single-photon sources.
Some pioneering works have already implemented instances of quantum key distribution (QKD) employing QDS [18][19][20][21][22][23][24][25] or other single-photon sources [26,27], comparing their performance to PDS in terms of secret key rate.In these works, brightness and purity are the sole figures of merit used to establish a comparison, while the additional tuning capabilities of QDS and their role in quantum cryptography have not yet been investigated.
In this work, we explore features of QDS to enhance the performance and security of quantum-cryptographic primitives, with an emphasis on telecom wavelengths.We first optimize and compare the brightness and singlephoton purity of three main optical pumping schemes, using realistic intra-cavity simulations of quantum dot dynamics.We then show how photon-number coherence generated from QDS, experimentally demonstrated in [28], can be erased or preserved to boost the performance of practical QKD, and match its fundamental security requirements [17,29].We further explain how the field of mistrustful quantum cryptography [7,8], not yet implemented with QDS, can significantly benefit from this feature.Our findings are designed to bridge the gap between the quantum dot and quantum cryptography communities: we optimize and benchmark QDS optical pumping schemes for four main quantum cryptographic primitives, exploiting the combined advantage of brightness, single-photon purity, and photon-number coherence.The studied primitives include quantum key distribution (standard BB84, decoy and twin-field) [5,16,30,31], unforgeable quantum tokens [32][33][34], quantum strong coin flipping [35][36][37], and quantum bit commitment [38][39][40] under storage assumptions.

Results
Comparison of pumping schemes.Solid-state singlephoton sources can be excited under different optical pumping schemes, and we aim to provide a fair comparison of their performance for quantum cryptography.Using realistic intra-cavity simulations for GaAs-based QDS, we calculate the emitted photon-number occupations up to three photons for resonant excitation (RE), longitudinal phonon-assisted (LA) excitation and twophoton excitation (TPE).In Fig. 1, we then compare each scheme's brightness and single-photon purity, and estimate the full-width-at-half-maximum excitation pulse length which maximizes both properties (marked with black symbols).
RE schemes are based on resonant excitation of a two-level system [41][42][43].The spectral degeneracy of the excitation laser and the emitted photons usually imposes separation based on polarization filtering, which may cause significant collection losses of around 50% [42,44].Other methods, exploiting dichromatic pumping or trion recombination in asymmetric cavities however, can overcome such limitations [45,46].Since RE exhibits Rabi oscillations of the excitonic state populations, its brightness and single-photon purity are susceptible to pump power fluctuations-thus presenting challenges for quantum network applications [47].As we show in Fig. 1.a., for a fixed RE π-pulse area, single-photon purity decreases with pulse length due to re-excitation processes, while brightness decreases as the emission statistics tend to a Poisson distribution [48,49].
The main limitations of RE may be overcome by using LA excitation schemes.Here, the pump energy is slightly higher than the relevant excitonic transition, and the fast emission of a longitudinal-acoustic (LA) phonon precedes the population of the excited state.Due to this additional incoherent step, Rabi oscillations vanish, and the purity of the emitted single photons becomes less sensitive to small pump power fluctuations [50].Recently, it was shown that LA excitation can reach even smaller multiphoton components than its RE counterpart [51], while still enabling spectral filtering of the pump [52,53].As regards to brightness, Fig. 1.b.displays an increase with pulse length, as was experimentally demonstrated in [52].With longer pulses however, the peak intensity decreases for a fixed pulse area, thus lowering the efficiency of the phonon excitation process.
RE and LA multiphoton contributions can be greatly reduced by addressing the exciton-biexciton cascade through TPE schemes, usually employed to generate spectrally-separated entangled photon pairs.Here, the re-excitation probability scales quadratically with the pulse length, as opposed to linearly in the resonantlydriven RE scheme [49], which can reduce multiphoton emission by several orders of magnitude [54].Moreover, TPE offers the possibility to overcome the collection efficiency limitations of RE: the spectral separation of the generated photons allows for frequency filtering of the pump laser [55], avoiding the polarisation filtering losses.We show in Fig. 1.c.that the brightness is low for short pulse lengths, due to a remaining overlap with the exciton transition, causing the biexciton level to be only partially populated.Although the emitted exciton polarization is random, which would limit the brightness to half the values of Fig. 1.c., recent works have shown the possibility of deterministically preparing the exciton polarization with near-unit brightness by adding a stimulated biexciton excitation after the original two-photon excitation [56][57][58].
Photon-number coherence.We now discuss the presence of coherence in the photon-number basis, a usually disregarded feature of interest, under each excitation scheme.For PDS such as attenuated laser states, this quantity refers to a fixed phase relationship between the various Poisson-distributed number states.For QDS, this will materialize as a coherent superposition of vacuum, single and two-photon states.
In RE, it was experimentally demonstrated in [28] that the coherently-driven Rabi oscillations translate into emitted photon-number coherence: values of coherence purity as high as 96% for π-pulse areas were measured.On the other hand, this coherence can gradually vanish as the pump is detuned from resonance in LA schemes, along with the vanishing of Rabi oscillations [51].Our quantum dot dynamics simulations support these findings: for the optimal pulse lengths of Fig. 1, the normalized off-diagonal density matrix elements of LA between the vacuum and single-photon components are around 10 times smaller than the RE ones.Accordingly, we will assume in this work that states emitted under RE are pure in photon-number basis, while those emitted under LA present vanishing off-diagonal elements.
In TPE, our simulation results display off-diagonal elements around 20 times smaller than the RE ones.Although the biexciton level follows Rabi oscillations under resonant TPE [54,55], loss of coherence arises from a radiative decay between the biexciton to exciton state, which creates a timing jitter similar to the phononinduced jitter in LA schemes.We will therefore also assume that states emitted under TPE present vanishing off-diagonal elements.Note that this assumption is expected to hold for the stimulated schemes discussed in [56][57][58], since the remaining jitter due to the biexciton transition is significantly larger than the jitter responsible for coherence erasure.
Practical sources and security.We now discuss the role of brightness, single-photon purity and photonnumber coherence in quantum primitives involving two parties, exchanging a sequence of classical and quantum (photonic) messages that do not rely on quantum entanglement.Each of these primitives achieves a different functionality within quantum networks, and thus also requires its own security figure of merit.
The main efficiency limitations of PDS may be understood upon inspection of the generated state 2 coefficients follow a Poisson distribution with average photon number µ, and {|n } span the photon-number basis.Increasing the source brightness (i.e., increasing µ) comes at the cost of increasing the multiphoton components n 2, which renders the respective quantum primitive vulnerable to attacks involving photon number splitting on lossy channels [14].Thus, µ is typically kept very low in quantum-cryptographic implementations, in the range µ∼0.005−0.5 [5,32,35,39], which limits the communication rate.On the other hand, single-photon purity in QDS can be increased without an intrinsic penalty on the multiphoton component.Achieving higher QDS brightness is then ultimately a technological challenge, limited by the collection efficiency of the source [11,46], and not a fundamental limitation as in the case of PDS.
In contrast to their PDS counterparts, QDS have not yet been optimized to suit the security requirements of quantum primitives.Most importantly, a main assumption behind the implementation of decoy QKD and other primitives is that the global phase of PDS must be actively scrambled, to effectively destroy the coherence in the number basis [17,29]: Under this assumption, the adversary's cheating strategy is restricted to performing an attack conditioned on the photon-number content of each pulse.Many works rely on this feature to prove the security of quantum primitive implementations [5,16,31,32,35].Achieving phase randomization with active phase modulation or laser gain switching imposes practical limitations of a few GHz on repetition rates [12,64].These limitations, combined with the low values of µ required due to fundamental PDS source statistics, can bring effective communication rates down to a few MHz.Unwanted remnants of coherence in the number basis, furthermore, can be exploited for a large spectrum of attacks, using unambiguous state discrimination for instance [65,66].In contrast, as discussed in this work, QDS can be excited in such a way that this coherence is intrinsically suppressed, thus circumventing the need for active phase scrambling.With demonstrated Purcell-enhanced photon lifetimes of tens of picoseconds [46,67] and source efficiencies now beyond the 50% level [46], QDS have the potential to enable secure communication rates of tens of GHz [13], i.e. around 3 orders of magnitude higher than effective PDS communication rates.This is not only true for QKD but for many quantum primitives as shown in the following sections.
Quantum key distribution.A few decades after the birth of quantum key distribution (QKD) [4], experimentalists started demonstrating that QDS with low collection efficiencies can already outperform PDS in terms of secret key rate [22][23][24][25].We first show that, while this is true for standard QKD implemented without the decoystate countermeasure, beating PDS with decoy states [16] requires much higher QDS collection efficiencies at an equal repetition rate.Our results, based on the optimal performance of pumping schemes in Fig. 1, are displayed in Fig. 2: without decoy states (a), QDS with collection efficiency 1% are enough to outperform PDS after 100 km, while infinite decoy schemes (b) require at least 30%.We should emphasize, however, that this benchmark must be scaled by a repetition rate factor for QDS which could achieve considerably higher repetition rates than phaserandomized PDS.Any state preparation losses, including modulator losses, can be absorbed in the QDS collection efficiency, and the resulting key rate inferred from Fig. 2. Comparisons can also be established using finite (and different) number of decoy intensities for QDS and PDS.
The optimal pumping scheme for QKD then follows from Eq. (1): the states' global phase must be uniformly randomized [17,29], which implies that standard and decoy-state QKD should only be implemented with LA and TPE.Any remaining photon-number coherence will lead to a decrease in the secure key rate, as shown in [29].
Twin-field QKD, on the other hand, requires two states, generated by Alice and Bob, to interfere on an untrusted party's beamsplitter [30,31].This forces Alice and Bob to scramble the global phase of their states in an active manner (using a modulator for instance), such that they can record their original fixed phase encoding.We therefore argue that twin-field schemes must be implemented with RE QDS, in order to provide the two parties with a shared phase reference before the scrambling.We simulate the protocol performance of [31] under these conditions in Fig. 2.c, assuming the implementation of decoy states.We note that performing TF-QKD with a perfect single photon source (RE π-pulse and unit single-photon purity) is impossible, since there is no accessible phase to encode the key information.However, by decreasing FIG. 3. QDS performance for the main quantum primitives.A description of each primitive is provided, along with its main network applications, and our chosen security figure of merit.In each case, we summarize the various QDS pumping scheme performances and the threshold collection efficiencies T required to outperform PDS in a lossless setting.We then display the performance ratio of QDS with 100% collection over the best PDS at zero distance (note that this ratio has to be scaled for QDS achieving higher repetition rates than PDS).We then calculate the loss tolerance, both in terms of distance (in km) assuming single-mode telecom fiber losses of 0.21 dB/km, and in terms of absolute losses (in dB) for QDS reaching T % collection, QDS reaching 100% collection, and randomized-phase PDS.
the pulse area a little below π, in the same manner as [28], it is possible to create a coherent superposition of vacuum and single-photon, thus providing an accessible phase to perform the protocol.
Our results are focused on QKD implemented with discrete degrees of freedom, such as polarization or time-bin.For completeness, we note the existence of QKD protocols optimized for continuous degrees of freedom of PDS, such as phase and amplitude [68].These can actually compete with discrete-variable QKD over metropolitan distances, using simpler technology, but are sensitive to larger attenuations due to heavier post-selection and noise estimation techniques [69,70].
Quantum primitives beyond QKD.Quantum cryptography presents a broad spectrum of other primitives, many of which belong to the branch of mistrustful cryptography [7,8]: unlike in QKD, Alice and Bob are not collaborators, but adversaries wishing to compute a common function.Decoy-state methods are then more challenging to apply (although not impossible for all protocols), since Alice and Bob do not trust each other.
Remarkably, the desired security properties for such primitives can be very sensitive to photon-number coherence.In this instance, substituting PDS by appropriately optimized QDS can yield even more benefits than in QKD.To show this, we extend the practical security analyses of three mistrustful quantum primitives [32,35,38] to the QDS framework, and estimate the QDS collection efficiencies required to outperform PDS for the relevant security figures of merit.Our performance results are summarized in Fig. 3 for all primitives.We display the performance of QDS and PDS for one example primitive in Fig. 4: unforgeable quantum tokens.This primitive allows a central authority to issue tokens, comprised of quantum states, whose unforgeability is intrinsically guaranteed by the no-cloning theorem, thus requiring no hardware assumptions.One famous application is quantum money, which, in its private-key form, can prevent banknote forgery [9], double-spending with credit cards [32,61] and guarantee features such as user privacy [34].
In Fig. 4.a., we compare the noise tolerance of the quantum token scheme from [61] for PDS and QDS as a function of source efficiency.Noise tolerance indicates how much experimental error rate can be tolerated such that the unforgeability property holds, while source efficiency is the probability that a threshold single-photon detector will click in a lossless setting.Naturally, PDS reach a maximal noise tolerance for source efficiencies around 63%, corresponding to µ ≈ 1, before dropping again when the multiphoton contribution becomes too significant.For QDS, we notice a striking difference between schemes with coherence (RE) and those without (LA and TPE): the latters give an overhead of almost 2% on the noise tolerance with respect to RE at high source efficiencies.This difference is crucial in making implementations feasible, since boosting the fidelity of quantum state preparation and quantum storage by a few percent can be extremely challenging.These differences are also reflected in Fig. 4.b., which identifies the collection efficiencies at which QDS can outperform the best PDS performance: while LA and TPE require 44% and 38%, respectively, RE must be pushed to 47% to beat PDS.For information purposes, we also select three state-of-the art experimental QDS, and show how they would perform in such a beyond-QKD protocol with their reported values of brightness and single-photon purity.
Fig. 4.c.finally compares the performance of each source as a function of distance.Once again, the difference between LA/TPE and RE is significant due to the coherence feature.We notice here that the maximal distance for all sources is much shorter than in QKD schemes, since our selected quantum token scheme bears a maximal loss tolerance of 50%: above this limit, an adversary can clone the quantum token without introducing any errors [61].
Our work showcases the importance of engineering optical pumping schemes towards specific primitives.Fig. 3 displays non-trivial requirements for quantum strong coin flipping for instance: unlike with QKD and quantum tokens, QDS perform better at lower collection efficiencies, thus rendering state-of-the art QDS already capable of providing quantum advantage in such mistrustful primitives.Furthermore, the absence of photon number coherence in LA and TPE allow these schemes to reach quantum advantage over significantly longer distances than RE schemes: for the selected protocol from [35], these values read 86 km and 36 km for TPE and LA, respectively, vs. 25 km for RE.

Discussion
We have estimated threshold collection efficiencies for which GaAs-based quantum-dot photon sources can outperform Poisson-distributed-based implementations in four main quantum-cryptographic primitives.The estimations include the combined effect of brightness, singlephoton purity, and photon-number coherence.We have shown in particular that resonant excitation should be used for twin-field QKD, but not for decoy QKD and other quantum primitives due to the unwanted presence of photon-number coherence that violates practical security assumptions.
We believe that these results will provide a benchmark for future achievements in quantum dot cavity structures, especially at telecom wavelengths [13,[71][72][73].Although state-of-the-art dot-cavity simulation frameworks cannot account for all characteristics of quantum dots emitting in the telecom range, current telecom performance [13,74,75] shows good agreement with our 900nm framework: the brightness and purities are not strongly dependent on the emission wavelength.Furthermore, frequency conversion of 900nm photons to telecom photons can currently reach efficiencies up to 57% [76].These extra losses can be absorbed in our collection efficiency quantity.
We wish to encourage future quantum key distribution experiments with optimal pumping schemes, taking into account the security assumptions provided by the quantum cryptography community.Finally, we hope to stimulate experiments that explore the full potential of quantum dot-based single-photon sources for other quantum network primitives like unforgeable tokens [32][33][34], coin flipping [35,36] and bit commitment [38][39][40].We believe our analysis can be extended in future works to multipartite entanglement-based quantum network primitives, such as secret sharing [77] and anonymous messaging [78].

Methods
Quantum dot dynamics.Our GaAs-based quantum dot, driven by a pulsed pump laser, is modelled either as a two-or a three-level system coupled to a singlemode microcavity in the Jaynes-Cummings manner.The interaction of the quantum dot with phonons is treated by the standard pure-dephasing Hamiltonian [79][80][81][82].In this way, we solve for the dynamics of the dot-cavity system by employing a numerically exact path-integral formalism [83][84][85].The detailed intracavity simulations, along with the derivation of the photon number populations, are presented in Appendix A.

Practical security analyses. Appendices B and C
show how the collection efficiencies and state encodings are modelled, both in the presence and absence of photon number coherence, for PDS and QDS, respectively.Appendix D provides some high-level descriptions of the four main quantum primitives, and displays all results justifying our claims.Appendix E briefly introduces mathematical tools required to understand the security analyses, namely semidefinite programs and Choi's theorem on completely positive maps.Appendices F to J provide the practical security analyses of all protocols, and the extensions to account for the presence of coherence in the QDS framework.

Appendix
Section A details the theoretical framework used in our intra-cavity simulations of quantum dot dynamics.The brightness and correlation functions are derived, from which the emitted photon number populations {p n }, used in our security analyses, are inferred.Sections B and C show how the collection efficiencies and state encodings are modelled, both in the presence and absence of photon number coherence, for PDS and QDS, respectively.Section D provides some high-level descriptions of the four main quantum primitives, and displays all results justifying the Main Text claims.Section E briefly introduces mathematical tools required to understand the security analyses, namely semidefinite programs and Choi's theorem on completely positive maps.Sections F to J provide the practical security analyses of all protocols, and the extensions to account for the presence of coherence in the QDS framework.
Note on security analyses: For all quantum primitives, we make the standard quantum-cryptographic assumption that a dishonest party can replace their lossy channel and detectors by ideal ones, as this only increases their power.Although we take into account experimental imperfections such as channel losses and detector dark counts, we perform all analyses in the asymptotic regime.Our results are designed to illustrate the claims of the Main Text for a handful of protocols, and not to provide a full analysis of quantum primitives with finite-size effects.
Appendix A: Quantum dot dynamics and simulations

Model and dynamical equation
We model a quantum-dot-cavity system (QDC) consisting of a laser-driven strongly-confined self-assembled semiconductor quantum dot (QD) coupled to a single-mode microcavity influenced by an environment of longitudinal acoustic phonons (Ph) by the Hamiltonian a. Two-level model QDs can often be described as two-level systems, e.g. when one is dealing with trions in charged QDs or, when a circularly polarized laser excites degenerate excitons with vanishing fine-structure splitting [82].The considered two-level system has an excited state |X at energy ω X and the energy of the ground state |G is chosen to be zero.Assuming that the cavity supports only a single mode with nearly resonant coupling to the two-level system, the Jaynes-Cummings Hamiltonian can be used.Denoting the frequency of the microcavity mode by ω C and the coupling strength by g, the QDC Hamiltonian in a frame co-rotating with the laser frequency ω L reads is the cavity-laser detuning, a (a † ) annihilates (creates) a cavity photon, σ := |G X| is the QD transition operator, and f (t) is the real envelope of the driving laser.The cavity mode is assumed to be in resonance with the ground state-to-exciton transition, i.e. the cavity-exciton detuning ∆ω CX = ω C − ω X is zero.We consider pulsed excitations with a train of Gaussian pulses, each of which has the form with the pulse area A and width τ G , which is connected to the full width at half maximum by T FWHM = 2 √ 2 ln 2 τ G .The QD interacts with an environment of longitudinal acoustic (LA) phonons.This interaction is modeled by the Hamiltonian [1,[79][80][81][82]] where b q (b † q ) annihilates (creates) a phonon of energy ω q in the mode q. γ X q is the coupling constant between the QD exciton and the LA phonons.It fully determines the phonon spectral density J(ω) = q |γ q | 2 δ(ω − ω q ).Assuming harmonic confinement and a linear dispersion ω q = c s |q| with sound velocity c s , it becomes where we have considered deformation potential coupling which is usually the dominant coupling mechanism in the type of QDs considered here [1].ρ D is the density of the material, D e (D h ) the electron (hole) deformation potential, and a e (a h ) the electron (hole) confinement length.We use standard GaAs material parameters listed in [2,84].Assuming identical potentials for electrons and holes, the confinement ratio is fixed by the effective masses as a h = a e /1.15.The electron confinement length a e as the only free parameter thus becomes a measure for the size of the QD.Choosing a e between 3 nm and 5 nm has produced results in good agreement with experiment [3][4][5].Indeed, both the confinement ratio and the electron confinement length can be considered as fitting parameters when modeling specific samples in experiment.Here, we choose a e = 3 nm.Note that the electronic density matrix is affected by phonons only via the phonon spectral density J(ω).For QDs of any shape, it is always possible to obtain a spherical dot model, which generates the identical J(ω) [6].Then, the smallest dimension of the nonspherical QD has the largest influence on the phonon coupling.Furthermore, we account for the radiative decay of the QD exciton to the free field outside the cavity with rate γ and cavity losses with rate κ.Both processes are well approximated by a phenomenological Markovian description using Lindblad superoperators acting on a density matrix ρ where Γ is the decay rate associated with a process described by the operator O. {A, B} + denotes the anti-commutator of operators A and B.
The system dynamics is described by the Liouville-von Neumann equation for the density matrix ρ.

b. Three-level model
Considering external driving by lasers with well defined linear polarization and again assuming that there is just a single nearly resonant cavity mode, one of the linearly polarized excitons is decoupled from the dynamics.Therefore, including the biexciton state |B in this situation amounts to the addition of only one further electronic level.The QDC Hamiltonian becomes where the biexciton binding energy E B has been introduced.We assume a value of E B = 4 meV (cf., Table I), which is large for typical QDs, but even if it may be hard to find a naturally grown QD with this value, it can be achieved by applying biaxial stress [7].Having such a rather large value for E B means that essentially all collected photons originate from the exciton-to-ground state transition.σ := |G X| + |X B| now contains both transitions which are optically excited in the QD.The phonon coupling strength of the biexciton state is assumed to be twice the one of the single exciton, i.e.
Finally, the biexciton is assumed to radiatively decay with twice the exciton decay rate γ.Therefore, the dynamical equation becomes We employ a numerically exact iterative real-time path integral method to solve the Liouville-von Neumann equation for the QDC's reduced density matrix ρ := Tr Ph [ρ], where the phonon subspace is traced out.Details of the method are explained in [8,83,84].This path integral formalism is exact up to the time discretization and the memory truncation length.We call a solution numerically exact, when it does not change noticeably when making the discretization finer or the truncation length longer.All relevant system parameters used for the calculations are listed in Tab.I.
In the two-level model, we consider two different excitation conditions: (i) resonant π-pulse and (ii) off-resonant phonon-assisted excitation.In the former, the laser is on resonance with the exciton energy, i.e. ∆ω XL = 0 and the excitation pulse has the area A = π.In the latter, the laser is detuned above the exciton energy by ∆ω XL = −0.9meV and the pulse has an area of A = 10π.
In the three-level model, we only consider the two-photon resonant excitation of the biexciton state, i.e. 2 ∆ω XL − E B = 0.For every T FWHM chosen for the simulation, first, the area A has to be found, for which the occupation of the biexciton state |B is unity after the pulse.This calibration is done for a standalone QD, i.e. g = 0, and without any losses, i.e. γ = κ = 0.

Derivation of photon number populations pn a. Correlation functions
We calculate second-order two-time correlation functions to obtain the multiphoton component of the cavity state.First, we average over the entire pulse sequence to obtain a function of the delay time argument τ only: Then, we integrate the peak-like structure around τ = 0, which corresponds to the amount of multiphoton contribution within a single pulse of the pulse train, and normalize it to the first uncorrelated side peak.This results in the probability P 2 of having two or more photons during one pulse Here, T Pulse is the separation of two subsequent pulse maxima within the excitation pulse train.Coherent states may be expressed as a Poisson-distributed superposition of photon number states: where {|n } denote the photon number states and α is the coherent state amplitude.Using either polarization, time-bin or path encoding, the two-mode coherent states in all protocols may be expressed as: where θ = 0 is a global phase and φ k ∈ {0, π 2 , 2π, 3π 2 } is the relative phase between the two modes, which can take one of four values depending on k ∈ {0, 1, 2, 3}.In quantum cryptography, a potential eavesdropper or adversary must access φ k to unveil the information encoded in the states.
In a similar manner to [61,66], we may only focus on the second mode which contains the relative phase φ k , and thus rewrite these four encoded states as | α k = |e iφ k α √ 2 , with k ∈ {0, 1, 2, 3}.To avoid truncating the infinite-dimensional Fock space in our state expressions, we notice that these four specific states may be expressed in a four-dimensional orthonormal basis {|b i } as: where

Without number coherence
Phase randomization scrambles the global phase reference from Eq. (B2) by allowing θ to take values from [0, 2π] uniformly at random instead of a single value.By considering the state |e iθ α and integrating over all possible values of θ, the adversary sees a classical mixture of Fock states given by [9]: where µ = |α| 2 is the average photon number, and |n are the photon number states.As the coherent superpositions of number states vanish, the quantum-cryptographic security proofs may simply proceed according to the result of quantum non-demolition (QND) photon number measurements.If there is no photon in the state, then there is no information content.If there is 1 photon, then the qubit security proof may be applied.If there are more than 2 photons in the pulse, it is assumed that perfect cheating is possible.One can therefore express the phase randomized states ρ k in a 7-dimensional orthonormal basis {|v , |q 0 , |q 1 , |m 0 , |m 1 , |m 2 , |m 3 }, where |v is the vacuum state, |q 0 and |q 1 span a qubit space, and |m i constitute the four orthogonal outcomes which materialize the four perfectly distinguishable states in the multiphoton subspace.Our four phase-randomized coherent states may then be written as the following density matrices : Appendix C: Collection efficiency and state encoding for quantum dots

Preliminary definitions
Single photons are obtained by the action of the creation operator onto the vacuum.Beam splitters act linearly on creation operators, and leave the vacuum invariant.More precisely, a beam splitter of reflectivity r acting on input modes (k, l) maps the creation operators â † where We similarly define the phase shift operation kl , acting on input modes (k, l), as:

Collection and encoding with number coherence
Following Fig. 5, we model the collection efficiency of the quantum dot as a beamsplitter of reflectivity η, and label the three input spatial modes as 0, 1 and 2. The standard four protocol states are then encoded with a Mach-Zehnder interferometer, consisting of two beamsplitters described by H (r) 01 , with tunable phase φ ∈ {0, π}, corresponding to the Pauli Z eigenstates in a two-dimensional Hilbert space, and φ ∈ { π 2 , 3π 2 }, corresponding to the Pauli X eigenstates in a two-dimensional Hilbert space.A general pure photonic state, with photon number distribution given by {p n } and input into spatial mode 0, then evolves as: (C4) The encoded state then reads: where and {p n } take the values of Eq. (A18) in our work.
To obtain the actual collected state ρ (c) η,φ used in our security analyses (where the (c) superscript denotes coherence in Fock basis for further convenience), we simply trace out over spatial mode 2: (C7)

Collection and encoding without number coherence
Similar calculations lead to the expression for the collected state ρ η,φ , where the superscript (nc) this time accounts for "no coherence" in Fock basis.In essence, we set n = m in Eq. (C7) and obtain the following state: Appendix D: QDS performance for quantum primitives

BB84 quantum key distribution a. Brief introduction
Quantum key distribution (QKD) is one of the most mature quantum-cryptographic primitives implemented so far.In its simplest form, it allows two parties, Alice and Bob, to establish a secret key over a public quantum channel, provided that a public, authenticated classical channel is available.The parties must ensure that the unwanted presence of an eavesdropper, Eve, on the channel is detected with arbitrarily high probability.Once a secret key has successfully been established, Alice and Bob may use it to encrypt a secret message through one-time padding [10].This encryption technique requires a secret key whose length is at least equal to the message length.
In a standard protocol, Alice encodes N bits of the secret key she wishes to share into N qubit states.She randomly picks the encoding basis for each qubit (σ z or σ x ), and stores this classical information.Bit 0 is therefore randomly encoded in either |0 or |+ , while bit 1 is randomly encoded in |1 or |− .The states are sent over a quantum channel to distant Bob, who does not know the encoding basis, and thus randomly measures each qubit in either σ z or σ x .He records each qubit's measurement basis, along with the associated measurement outcomes.Once the quantum communication stage is over, Alice and Bob proceed to a classical reconciliation stage: Bob communicates his sequence of measurement bases (without the measurement outcomes) to Alice.After comparing it with her stored sequence, Alice reports to Bob the elements for which her preparation basis does not match Bob's measurement basis.They both agree to dismiss all bits which correspond to a basis mismatch from the final key.After basis reconciliation, Alice and Bob then compare a pre-agreed random subset of their corrected key to ensure that all bits match.If any of the bits disagree, they may conclude on the presence of Eve and abort the protocol.If all bits agree, the key has then successfully been established, and they may use it to encrypt a secret message.Note that an additional stage, known as privacy amplification, is required in the noisy setting, in order to decrease the amount of information that Eve acquires from Alice and Bob's classical error correction routine [11].

b. Results
In order to compare the performance of all sources for BB84 QKD, we study the protocol with and without the decoy state countermeasure (see Section F for details), assuming one-way classical post-processing [60].Without decoy states, we plot the secure key rate per pulse as a function of source efficiency, collection efficiency, and distance in Fig. 6.We then display the performance of QDS pumping schemes for collection efficiencies ranging from 1% to 100% in Fig. 7, and compare these to the best performance of randomized-phase PDS.We then proceed to similar plots for BB84 QKD with decoy states, in Figs. 8 and 9.In general, the secure key rate as a function of source efficiency reaches a maximum for PDS, after which the multiphoton component becomes too significant.Regarding QDS, the key rate evolves almost linearly with source efficiency, since the vacuum and single photon components dominate at all source efficiencies.

Twin-field quantum key distribution a. Brief introduction
Twin-field QKD (TF-QKD) was proposed as a new protocol configuration to overcome the repeaterless rate-distance limit of standard QKD [31].By delegating the measurement setup to a third untrusted party situated halfway between Alice and Bob, the optical fields sent by each party travel only half the communication distance of standard QKD.Since the key bits are extracted from the resulting single-photon interference at Charlie's station, the secure key rate scales with the square root of the channel transmittance instead of scaling linearly.

b. Results
In order to compare the performance of all sources for twin-field QKD, we plot the secure key rate from Eq. (G2) as a function of source efficiency, collection efficiency, and distance in Fig. 10.We then display the performance of QDS pumping schemes for collection efficiencies ranging from 1% to 100% in Fig. 11, and compare these to the best performance of randomized-phase PDS.

Unforgeable quantum tokens a. Brief introduction
This primitive, in its private-key form, allows a central authority to issue tokens comprising of quantum states, whose unforgeability is intrinsically guaranteed by the no-cloning theorem.One famous application is quantum money, which can prevent banknote forgery [9], double-spending with credit cards [32,61], and also guarantee features such as user privacy [34].
In a private-key scheme, the quantum state is encoded according to a secret pre-shared classical key, which is known by the central authority and the verifier(s) only.The key contains a sequence of secret information bits, as well as a sequence of secret basis bits, which indicate the random preparation basis of each information bit (the states used are the standard BB84 states from QKD).This ensures that a dishonest client willing to duplicate the money state will introduce errors in at least one of two states, due to no-cloning.Upon verification, these errors will be detected by the verifier(s), who measure(s) each sub-system of the money state in the correct basis and compares the measurement outcomes with the secret key.There exist different forms of quantum token protocols, from private-key to public-key, with quantum verification [9] or classical verification [61].Some schemes require quantum storage [32,33], while others replace this requirement with no-signalling constraints [? ].Here, we focus on private-key quantum token schemes with quantum verification that assume quantum storage, which can provide information-theoretic security for unforgeability.

b. Results
The exact protocol considered here is described in [61], and we extend its security analysis to the quantum dot framework in Section H.
In order to compare the performance of all sources for unforgeable quantum tokens, we solve problem (H6) from Section H numerically using the MATLAB cvx package with solver SDPT3.In this way, we plot the evolution of the noise tolerance as a function of source efficiency, collection efficiency, and distance in Fig. 12.We then display the performance of all three QDS pumping schemes for collection efficiencies ranging from 1% to 100% in Fig. 13, and compare these to the best performance of randomized-phase PDS.
Naturally, PDS reach a maximal noise tolerance for source efficiencies around 63%, corresponding to µ ≈ 1, before dropping again when the multiphoton contribution becomes too significant.For QDS, we notice a striking difference between schemes with coherence (RE) and those without (LA and TPE): the latters give an overhead of almost 2% on the noise tolerance with respect to RE at high source efficiencies.This difference is crucial in making implementations feasible, since boosting the fidelity of quantum state preparation and quantum storage by a few percent can be extremely challenging.These differences are also reflected in Fig. 12.b., which identifies the collection efficiencies at which QDS can outperform the best PDS performance: while LA and TPE require 44% and 38%, respectively, RE must be pushed to 47% to beat PDS.For information purposes, we also select three state-of-the art experimental QDS, and show how they would perform in such a beyond-QKD protocol with their reported values of brightness and single-photon purity.Fig. 12.c.finally compares the performance of each source as a function of distance.Once again, the difference between LA/TPE and RE is significant due to the coherence feature.We notice here that the maximal distance for all sources is much shorter than in QKD schemes, since our selected quantum token scheme bears a maximal loss tolerance of 50%: above this limit, an adversary can clone the quantum token without introducing any errors [61].

Quantum strong coin flipping a. Brief introduction
Strong coin flipping (SCF) allows two distant parties, Alice and Bob, to generate and agree on a random bit.They do not trust each other and wish to ensure that the bit is truly random.We call the coin flip fair when two honest parties each win with probability 1/2.On the other hand, security for this task must guarantee that none of the two parties can force the other to declare outcome i ∈ {0, 1} with probability higher than P = 1  2 + (i) , where (i) is the protocol bias.In its most general form, SCF does not necessarily involve equal cheating probabilities for both parties, but when it does, the protocol is labelled balanced.We define the following upper bounds on Alice and Bob's probabilities of forcing their opponent to declare outcome i: Alice forces Bob to declare i The bias of a given SCF protocol is then defined as the highest of all four biases: = max A , .

(D2)
Information-theoretic strong coin flipping with arbitrarily small bias cannot be reached with quantum mechanics alone [12,13], but requires additional space-time constraints [14], which can be experimentally challenging.It was shown, however, that even without such constraints, quantum mechanics can provide strong coin flipping protocols that perform better than any classical coin flipping protocol with information-theoretic security (in terms of bias) [15].This led to experimental demonstrations of quantum strong coin flipping, namely [16,35,36].
In quantum coin flipping, the states generated by Alice are usually not encoded in the standard way of Fig. 5 (i.e. they are not an extension of the BB84 states {|+ , |− , |+i , |−i } to infinite Hilbert spaces).Instead, the four coin flipping states must allow for an extra free parameter y, which will be varied to guarantee a fair (resp.balanced) coin flip, i.e. a coin flip in which Alice and Bob have equal honest (resp.dishonest) winning probabilities.
The required states in a two-dimensional qubit space spanned by {|v 0 , |v 1 } are the following: where α ∈ {0, 1} denotes the encoding basis.In order to extend them to the full Hilbert space required in photonic setups, we simply change the two H (1/2) 01 beamsplitter transformations from Fig. 5 to 01 .We then reproduce the workings from Eqs. (C4), (C7) and (C8) with these new coefficients.The resulting coin flipping states are labelled as {σ }, to account for PDS average photon number or QDS collection efficiency η, and phase encoding φ.

b. Results
We focus here on the quantum protocol from [35], and additionally study the effect of photon number coherence on the protocol bias in the security proof (see Section I for details).
We show in Fig. 14 how the cheating probability evolves as a function of source and collection efficiencies in a balanced protocol (i.e., a protocol in which Alice and Bob have equal cheating probabilities).For the purpose of this example, we fix the number of states to N = 1000, and calculate the subsequent honest abort probability: where Z is the probability that Honest Bob does not register any click after the N states have been sent, and e is the quantum error rate.Using the results derived in [15,77], we deduce the best achievable classical bound, thus identifying where QDS and PDS allow for quantum advantage in terms of cheating probability.For balanced, strong coin flipping protocols, the optimal classical bound reads: As can be seen from Fig. 14, the cheating probability for RE is under-estimated, since we have only considered a specific discrimination attack in our security proof (Section I).The bounds for no coherence (LA/TPE), on the other hand, are over-estimated, since we have used the framework from [35], which does not provide tight bounds on the cheating probability.The combination of both features does not allow us to directly conclude that LA performs better than RE.However, for comparable brightness and purity, we know that it should perform better than RE, since the optimal attacks in quantum strong coin flipping protocols involve some form of discrimination, which is always more successful in the presence of photon-number coherence.
Note that we have not plotted the curves for fixed-phase PDS.For LA, TPE, and RE QDs, the dimension of the Hilbert space is upper-bounded (since p n = 0 for n >= 3).For randomized-phase PDS, the required dimension is also upper-bounded, since perfect cheating is assumed for higher photon number terms.On the other hand, deriving the bounds for fixed-phase PDS would imply solving the semidefinite program from Eq. (I4) in an infinite-dimensional Hilbert space.
In Fig. 15, we show how the cheating probability evolves as a function of distance for various collection efficiencies and a fixed honest abort probability of P ab = 2.5%.Since, for PDS, a given abort probability can be achieved by varying either the number of states N or the average photon number per pulse µ, we choose N to be equal to the number of states required for the best performing quantum dot scheme (TPE).Essentially, the number of states N dictates the time duration of the protocol (for a fixed repetition rate), so the plots compare QDS to PDS performance for a fixed protocol duration, and fixed abort probability.
Here, we note the striking feature that QDS perform better at lower collection efficiencies, due to lower multiphoton component.This is in contrast with QKD, in which the main figure of merit is key rate, and the trade-off between brightness and single-photon purity is more crucial.
Interestingly, we have not considered the weak coin flipping protocol from [37] in our work, since the information there is not encoded onto the phase between various photon number terms (as is the case in our polarization, time-bin or path-encoded primitives), but rather onto the photon number itself.This means that having a phase reference between the photon number terms should not leak any information to an adversary, since it does not reveal whether the state was a vacuum state or a 1-photon Fock state.It therefore should not matter whether one uses RE, LA or TPE pumping schemes.Just like its strong coin flipping counterpart, the quantum version of bit commitment cannot provide perfect information-theoretic security for both parties without additional spacetime constraints [17,18].However, it is  II.RE photonic states were assumed to be maximally pure in number basis, expressed as √ pn |n , while LA states were expressed as diagonal states ∞ n=0 pn |n n|.As discussed in Section I, note that the upper bounds on the cheating probability for LA and XX are general and may be over-estimated, while the upper bound for RE considers a specific attack only (i.e., the cheating probability may in fact be higher).
possible to circumvent this no-go theorem for two-party computations [17,18] by placing restrictions on Dishonest Bob's storage capabilities.
We focus on the quantum protocol from [38], secure under a bounded storage assumption.During the commit phase, Honest Alice generates N BB84 states similarly to the QKD and quantum token protocols from Sections D 1 and D 3, and Honest Bob performs random X or Z measurements on each state.Both parties wait a pre-agreed amount of time ∆t, during which it is assumed that a Dishonest Bob may only store and retrieve S of the N quantum states sent by Alice.After waiting ∆t, Honest Alice sends her preparation basis for each of the N states to Honest Bob, who

b. Results
In Figs 16 and 17, we plot the security condition from Eq. (J2) presented in Section J. Similarly to [38], we assume that Alice sends N = 10 8 states, and that Dishonest Bob's storage size is S = 972.Once again, the security condition as a function of source efficiency reaches a maximum for PDS, after which the multiphoton component becomes too significant.Regarding QDS, the condition evolves almost linearly with source efficiency, since the vacuum and single photon components dominate at all source efficiencies.If it exists, the operator X which maximizes Tr F † X given these constraints is the primal optimal solution, and the corresponding value of Tr F † X is the primal optimal value.
Semidefinite programs present an elegant dual structure, which associates a dual minimization problem to each primal maximization problem.Effectively, the new variable(s) of the dual problem may be understood as the Lagrange multipliers associated with the constraints of the primal problem (one for each constraint).
The dual problem associated with (E1) reads: Similarly to the primal problem, the operator Y which minimizes Tr C † Y given these constraints, if it exists, is the dual optimal solution, and the corresponding value of Tr C † Y is the dual optimal value.The Lagrange multiplier method allows to find the local extremum of a constrained function.The optimal value s p of the primal problem therefore upper bounds the optimal value s d of the dual problem, while the optimal value of the dual lower bounds that of the primal.This property is known as weak duality, and may be simply expressed as: In many quantum-cryptographic applications however, we wish to ensure that the upper bound derived in the primal problem is tight, i.e. that the local maximum is in fact a global maximum for the objective function.The dual problem will help to prove this when there exists strong duality: In the majority of QKD implementations so far, highly attenuated laser states are used instead of single photons [5].
New techniques, such as the insertion of decoy states into the protocol, have been developed to provide significant secure key rates despite the presence of multiphoton noise [16,59].We note that the derivation of the secure key rate in this setting assumes that the states sent by Alice bear no coherence in Fock basis, in order to satisfy the photon number channel assumption [16,22].This implies that the global phase of each state must be actively randomized, where the random phases are chosen from a given set of m phases S m ∈ [0, 2π).In this work, we assume m → ∞, but note that security proofs with discrete phase randomization also exist [29].
We briefly recall the workings from [16,22,59] for practical BB84 QKD without and with infinite decoy states, respectively.Let us define the yield Y k of a k-photon state, which gives the conditional probability of a detection on Bob's detector given that Alice generates a k-photon state: where η d is Bob's detection efficiency, η t is the channel transmission, and Y 0 is the dark count probability.We may then define the gain Q k of a k-photon state as the probability that Alice sends a k-photon state and Bob gets a detection: where P µ (k) are the Poisson distributed coefficients from Eq. (B6) with average photon number µ. From [22], the secure key rate R after privacy amplification and error correction may be lower-bounded as: where Q µ and E µ are the gain and quantum bit error rate (QBER) of the signal state, respectively, e 1 is the QBER generated by single-photon states only, f is the error correcting code inefficiency assuming one-way classical post-processing, and is the binary entropy function for 0 < x 1.The first term states that only single-photon states contribute positively to the secure key rate, since multi-photon pulses leak information on lossy channels [14].The second term materializes the cost of error correction.
In practical BB84 QKD without decoy states, Alice and Bob cannot estimate Q 1 and e 1 from their eavesdropped channel, as an eavesdropper may influence the photon number statistics observed by Alice and Bob.In order to nevertheless estimate the secure key rate from Eq. (F3), Alice and Bob must make a pessimistic (yet secure) assumption, namely that all losses and error come from single-photon states [16,22]: We may then estimate the required single-photon parameters as: where . The parameter e d characterizes the detection error probability, which depends on the optical alignment of the entire system.In practice, this pessimistic assumption places a limit on the secure communication distance between Alice and Bob: since single-photon states are the only signals that contribute positively to the secret key rate from (F3), assuming that all channel losses come from these effectively reduces the key rate.
Decoy state QKD [16], on the other hand, fixes this issue by proposing that Alice varies the average photon number µ of her signal.Some pulses are then used as decoy states to estimate the channel statistics, while the others are used as true signal states for the protocol.In the limit of infinite decoy states, since the eavesdropper cannot differentiate between the two, the estimation of Q 1 and e 1 can be performed much more accurately, as:

With quantum dot sources
For QDS with collection efficiency η, we simply replace the P µ (k) photon number coefficients in Eqs.(F2), (F5) and (F6) by the following P η (k) coefficients:  The decoy method presented in Section F can also be applied in TF-QKD, which implies that Alice and Bob must both randomize their pulses' global phase.However, a global phase reference must be shared between the two parties at some stage of the protocol, without leaking any information to Charlie.In [31], the proposed method is for Alice and Bob to agree on a fixed number of global phase slices m, equally splitting the interval [0, 2π), from which they uniformly sample a global phase for each state.After Charlie's announcement of the measurement outcomes, they reveal which phase slice was chosen, and sift the raw key in such a way that they keep only the elements for which their chosen phase slices match.This method can potentially leak information to eavesdroppers, and variants that offer alternative methods have been proposed [23,24].
In this setting, the secret key rate for TF-QKD resembles that derived in Eq. (F3) for standard decoy QKD, with a few amendments.First, the channel transmittance η t presented in Eq. (F1) must be corrected to √ η t , since each optical pulse travels only half the distance between Alice and Bob.This gives the following expression for the yield: Then, an extra factor, dependent on the number m of chosen phase slices and the duty cycle d of quantum vs. classical signals, must be added to correct the key rate.This factor reads d/m.Finally, the intrinsic error rate e s generated by the finite phase slicing must be taken into account on top of the overall setup alignment error e d .For illustration purposes, we here assume that the setup alignment error e d = 2%, and, for d = 1 and m = 16, that the error due to phase slicing is e s = 1.275% [31].Following the workings from [31] with optimal µ = 0.765, this provides the following modified expression for the TF key rate : where

With quantum dot sources
For QDS with collection efficiency η, we simply replace the P µ (k) photon number coefficients in Eq. (G3) by the following P η (k) coefficients: where {p n } are the photon number populations from Eq. (A18).

Appendix H: Security of unforgeable quantum tokens (or money)
We start with a brief introduction to the semidefinite programming techniques required for this security analysis, followed by Choi's theorem on completely positive maps, before deriving the unforgeability regions of the protocol.

Unforgeability analysis for quantum tokens
The exact protocol considered here is described in [61], and we extend its security analysis to the quantum dot framework.A successful forging attack is one in which two copies of the quantum token state are simultaneously accepted at two spatially separated verification points.Let Λ be the optimal adversarial map which produces two copies (living in H 1 ⊗ H 2 ) of the following original quantum token state living in H ini : Here, the set {σ (η,φ) k } contains either the fixed-phase coherent states from Eq. (B3), the randomized phase coherent states from Eq. (B5), the quantum dot states exhibiting number coherence from Eq. (C7), or the quantum dot states without number coherence from Eq. (C8).The superscripts (η, φ) serve as a reminder that these states depend on the PDS average photon number or QDS collection efficiency η, and encoding phase φ.
This proof makes use of the existence of a squashing model for the measurement setup [25].Essentially, this model allows to express the infinite-dimensional measurement operators in a 3-dimensional space spanned by {|0 , |1 , |∅ }, by imposing a condition on the terminal's postprocessing, consisting of assigning a random measurement outcome |0 or |1 to any double click, and declaring a |∅ flag when no detection is registered.The probability that a verifier declares an incorrect measurement outcome for token 1 is given by: while that for token 2 reads: k is its orthogonal qubit state.The factor 1/4 indicates that each σ k is equally likely to occur, while 1/2 accounts for the verifier's random measurement basis choice.Using Eq. (E6), we may rewrite these expressions as V 1 = Tr (E 1 (µ)J(Λ)) and V 2 = Tr (E 2 (µ)J(Λ)), where E 1 (µ) and E 2 (µ) are the error operators: Following a similar method, the probability that verifier 1 (resp.2) registers a no-detection event for token 1 (resp.2) reads Tr (L 1 (µ)J(Λ)) (resp.Tr (L 2 (µ)J(Λ))), where L 1 (µ) and L 2 (µ) are the loss operators, which contain the projection onto the state |∅ : We now search for the optimal cloning map Λ that minimizes the noise that the adversary must introduce for both tokens given a fixed combined channel and detection losses l.We cast this problem in the following SDP for a card with a single state, min Tr (E 1 (µ)J(Λ)) s.t.Tr H1⊗H2 (J(Λ)) = 1 Hini Tr (E 1 (µ)J(Λ)) Tr (E 2 (µ)J(Λ)) Tr (L 1 (µ)J(Λ)) l Tr (L 2 (µ)J(Λ)) l J(Λ) 0 (H6) The first constraint imposes that Λ is trace-preserving, the second imposes that the error rate measured for token 1 is at least equal to the one measured for token 2, the third and fourth impose that the losses measured for tokens 1 and 2 do not exceed the expected honest losses, and the fifth imposes that Λ is completely positive.Using similar techniques to [61], it can be shown that this lower bound is in fact optimal, and that the adversary does not succeed better by performing a general attack on the full tensor product of the N states contained in the token.

Appendix I: Security of quantum strong coin flipping
We focus here on the quantum protocol from [35], and additionally study the effect of photon number coherence on the protocol bias in the security proof.

FIG. 1 .FIG. 2 .
FIG. 1. Simulation of emission properties under different pumping schemes.Simulated brightness and single-photon purity for individual pumping schemes calculated from our numerical model (see Methods) for (a) resonant excitation (RE) between ground |G and exciton |X states , (b) longitudinal phonon-assisted excitation (LA) (c) two-photon excitation (TPE) between ground |G and biexciton |XX states.Insets show a schematic representation of each pumping scheme (the upper grey area in the LA sketch represents the vibrational quasi-continuum of the exciton state).Optimal FWHM pulse lengths are marked with black disks and circles, chosen pulse areas for maximum population inversion are π RE for RE and π TPE for TPE, while we choose 10π RE for LA.Simulation parameters are: dot-cavity coupling g = 50 µeV, radiative decay rate γ = 0.66 µeV, cavity loss rate κ = 379 µeV (yielding a Purcell factor of P = 10), initial system temperature T = 4.2K, electron confinement length 3 nm, and material properties typical for GaAs.Throughout the paper, we assume that photonic states are maximally pure in the photon-number basis for RE, i.e. expressed as ∞ n=0 √ pn |n , while they are expressed as diagonal states for LA and TPE, i.e. as ∞ n=0 pn |n n|.

FIG. 4 .
FIG. 4. Source comparison for unforgeable quantum tokens (quantum verification protocol from [61]).(a)Numerical noise tolerance as a function of source efficiency for RE, LA and TPE QDS, along with fixed-phase (FP) and randomized-phase (RP) PDS.Source efficiency is defined as 1 − e −µ for PDS and 1 − ∞ n=0 pn(1 − η) n for QDS, where η is the QDS collection efficiency.Photon-number populations {pn} emitted under different QDS excitation schemes were obtained from the brightness and single-photon purity results of Fig.1, assuming the optimal pulse lengths marked in black.RE photonic states are assumed to be maximally pure in number basis, expressed as∞ n=0√ pn |n , while LA states were expressed as M.B., M.V, J.C.L. and P.W. acknowledge support from the European Commission through UNIQORN (no.820474), the AFOSR via Q-TRUST (FA9550-21-1-0355), the Austrian Science Fund (FWF) through BeyondC (F7113) and Reseach Group (FG5), and from the Austrian Federal Ministry for Digital and Economic Affairs, the National Foundation for Research, Technology and Development and the Christian Doppler Research Association.M.C., T.S. and V.M.A. are grateful for funding by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under project No. 419036043.C.N., are the usual σ x and σ y eigenstates in the qubit space spanned by |q i , and the Poisson distribution coefficients are given by

FIG. 5 .
FIG.5.Collection efficiency modeling and state encoding.The collection efficiency of the quantum dot is modelled as a beamsplitter of reflection η, with two input spatial modes as 0 and 1.The quantum information is then encoded with a Mach-Zehnder interferometer, with tunable phase φ ∈ {0, π} for Z eigenstates and φ ∈ { π 2 , 3π 2 } for X eigenstates.

FIG. 6 .
FIG. 6. Source comparison for BB84 QKD without decoy states.(a) Simulated secret key rates from Eq. (F3) as a function of source efficiency for LA and TPE QDS, along with randomized-phase (RP) PDS.Source efficiency is defined as 1 − e −µ for PDS and 1 − ∞ n=0 pn(1 − η) n for QDS, where η is the QDS collection efficiency.Chosen pulse lengths, pulse areas, and photon number populations {pn} are displayed in Table II.(b) Simulated secret key rates as a function of QDS collection efficiency, compared to the best performance of RP PDS sources (dashed line).(c) Simulated secret key rates as a function of distance, assuming single mode telecom fiber losses of 0.21 dB/km.The QDS collection efficiencies were chosen as the intersection points from Fig (b).Parameters for all plots are: alignment error rate e d = 2%, dark count probability Y0 = 10 −9 , detection efficiency η d = 100%, and error-correcting code inefficiency f = 1.2.

FIG. 7 .
FIG. 7. Collection efficiency comparison for BB84 QKD without decoy states.Simulated secret key rates from Eq. (F3) as a function of distance for (a) RE QDS (b) LA QDS (c) TPE QDS, with collection efficiencies ranging from η = 1% (bottom curves) to η = 100% (top curves), in steps of 10%.The optimal performance of randomized-phase (RP) PDS is also plotted in dashed lines, in order to identify which QDS collection efficiencies are required to overcome PDS for each pumping.Single mode telecom fiber losses of 0.21 dB/km are assumed.Parameters for all plots are: alignment error rate e d = 2%, dark count probability Y0 = 10 −9 , detection efficiency η d = 100%, and error-correcting code inefficiency f = 1.2.

FIG. 8 .
FIG. 8. Source comparison for BB84 QKD with decoy states.(a) Simulated secret key rates from Eq. (F3) as a function of source efficiency for LA and TPE QDS, along with randomized-phase (RP) PDS.Source efficiency is defined as 1 − e −µ for PDS and 1 − ∞ n=0 pn(1 − η) n for QDS, where η is the QDS collection efficiency.Chosen pulse lengths, pulse areas, and photon number populations {pn} are displayed in Table II.(b) Simulated secret key rates as a function of QDS collection efficiency, compared to the best performance of RP PDS sources (dashed line).(c) Simulated secret key rates as a function of distance, assuming single mode telecom fiber losses of 0.21 dB/km.The QDS collection efficiencies were chosen as the intersection points from Fig (b).Parameters for all plots are: alignment error rate e d = 2%, dark count probability Y0 = 10 −9 , detection efficiency η d = 100%, and error-correcting code inefficiency f = 1.2.

FIG. 9 .
FIG. 9. Collection efficiency comparison for BB84 QKD with decoy states.Simulated secret key rates from Eq. (F3) as a function of distance for (a) RE QDS (b) LA QDS (c) TPE QDS, with collection efficiencies ranging from η = 1% (bottom curves) to η = 100% (top curves), in steps of 10%.The optimal performance of randomized-phase (RP) PDS is also plotted in dashed lines, in order to identify which QDS collection efficiencies are required to overcome PDS for each pumping.Single mode telecom fiber losses of 0.21 dB/km are assumed.Parameters for all plots are: alignment error rate e d = 2%, dark count probability Y0 = 10 −9 , detection efficiency η d = 100%, and error-correcting code inefficiency f = 1.2.

FIG. 10 .
FIG. 10.Source comparison for twin-field QKD.(a) Simulated secret key rates from Eq. (G2) as a function of source efficiency for RE QDS, along with randomized-phase (RP) PDS.Source efficiency is defined as 1 − e −µ for PDS and 1 − ∞ n=0 pn(1 − η) n for QDS, where η is the QDS collection efficiency.Chosen pulse lengths, pulse areas, and photon number populations {pn} are displayed in Table II.(b) Simulated secret key rates as a function of QDS collection efficiency, compared to the best performance of RP PDS sources (dashed line).(c) Simulated secret key rates as a function of distance, assuming single mode telecom fiber losses of 0.21 dB/km.The QDS collection efficiencies were chosen as the intersection points from Fig (b).Parameters for all plots are: alignment error rate e d = 2%, dark count probability Y0 = 10 −9 , detection efficiency η d = 100%, and error-correcting code inefficiency f = 1.2.

FIG. 11 .
FIG. 11.Collection efficiency comparison for twin-field QKD.Simulated secret key rates from Eq. (G2) as a function of distance for (a) RE QDS (b) LA QDS (c) TPE QDS, with collection efficiencies ranging from η = 1% (bottom curves) to η = 100% (top curves), in steps of 10%.The optimal performance of randomized-phase (RP) PDS is also plotted in dashed lines, in order to identify which QDS collection efficiencies are required to overcome PDS for each pumping.Single mode telecom fiber losses of 0.21 dB/km are assumed.Parameters for all plots are: alignment error rate e d = 2%, dark count probability Y0 = 10 −9 , detection efficiency η d = 100%, and error-correcting code inefficiency f = 1.2.

FIG. 12 .
FIG. 12. Source comparison for unforgeable quantum tokens.(a) Numerical optimal noise tolerance from Eq. (H6) as a function of source efficiency for RE, LA and TPE QDS, along with fixed-phase (FP) and randomized-phase (RP) PDS.Source efficiency is defined as 1 − e −µ for PDS and 1 − ∞ n=0 pn(1 − η) n for QDS, where η is the QDS collection efficiency.Chosen pulse lengths, pulse areas, and photon number populations {pn} are displayed in TableII.RE photonic states were assumed to be maximally pure in number basis, expressed as ∞ n=0 √ pn |n , while LA states were expressed as diagonal states

5 .
Quantum bit commitment a. Brief introduction A bit commitment protocol consists of two phases: the commit phase and the open phase.In the commit phase, Honest Alice chooses a bit b ∈ {0, 1} and provides Honest Bob with some form of evidence that she has committed to this choice.In the open phase, which happens some time after the commit phase, Honest Alice reveals b to Honest Bob.The desired security features are the following: • Dishonest Alice cannot change b after the commit phase, • Dishonest Bob cannot access b before the open phase.

FIG. 13 .
FIG.13.Collection efficiency comparison for unforgeable quantum tokens.Numerical optimal noise tolerance from Eq. (H6) as a function of distance for (a) RE QDS (b) LA QDS (c) TPE QDS, with collection efficiencies ranging from η = 10% (bottom curves) to η = 100% (top curves), in steps of 10%.The optimal performance of randomized-phase (RP) PDS is also plotted in dashed lines, in order to identify which QDS collection efficiencies are required to overcome PDS for each pumping.Single mode telecom fiber losses of 0.21 dB/km are assumed.

FIG. 15 .
FIG. 15.Collection efficiency comparison for quantum strong coin flipping.Cheating probability as a function of distance for a balanced protocol using (a) RE, (b) LA, and (c) TPE QDS.The honest abort probability P ab = 2.5% (of which 1.5% come from the error rate), and the number of states N are varied for each point to achieve P ab .The best achievable classical bound from Eq. (D5) is plotted in gray dashed lines.Collection efficiencies ranging from η = 10% to η = 100% are plotted from right to left, in steps of 10%.Single mode telecom fiber losses of 0.21dB/km are assumed.

FIG. 16 .
FIG. 16.Source comparison for quantum bit commitment under the bounded storage assumption.(a) Security condition from Eq. (J2) as a function of source efficiency for LA and TPE QDS, along with randomized-phase (RP) PDS.Source efficiency is defined as 1 − e −µ for PDS and 1 − ∞ n=0 pn(1 − η) n for QDS, where η is the QDS collection efficiency.Chosen pulse lengths, pulse areas, and photon number populations {pn} are displayed in Table II.(b) Security condition from Eq. (J2) as a function of QDS collection efficiency, compared to the best performance of RP PDS sources (dashed line).(c)Security condition from Eq. (J2) as a function of distance, assuming single mode telecom fiber losses of 0.21 dB/km.The QDS collection efficiencies were chosen as the intersection points from Fig (b).The error rate is e = 2%, detection efficiency η d = 100%, and the chosen parameters for Eq.(J2) are = 2 × 10 −5 , β = 0.007 and γ = 0.008.

FIG. 17 .
FIG. 17. Collection efficiency comparison for quantum bit commitment under the bounded storage assumption.Security condition from Eq. (J2) as a function of distance for (a) RE QDS (b) LA QDS (c) TPE QDS, with collection efficiencies ranging from η = 1% (bottom curves) to η = 100% (top curves), in steps of 10%.The optimal performance of randomized-phase (RP) PDS is also plotted in dashed lines, in order to identify which QDS collection efficiencies are required to overcome PDS for each pumping.Single mode telecom fiber losses of 0.21 dB/km are assumed.The error rate is e = 2%, detection efficiency η d = 100%, and the chosen parameters for Eq.(J2) are = 2 × 10 −5 , β = 0.007 and γ = 0.008.

TABLE I .
Phyiscal parameters used in the simulations.

) 2. Choi's theorem on completely positive maps
Let us consider a tensor product of two d-dimensionalHilbert spaces H = H d 1 ⊗ H d 2 , and then define the maximally entangled state |Φ + Φ + | on H as Choi's theorem then states that Λ is completely positive if and only if J(Λ) is positive semidefinite.We also have that Λ is a trace-preserving map if and only if Tr H d Appendix F: