Article

Entanglement-based secure quantum

cryptography over 1,120 kilometres

https://doi.org/10.1038/s41586-020-2401-y Juan Yin1,2,3, Yu-Huai Li1,2,3, Sheng-Kai Liao1,2,3, Meng Yang1,2,3, Yuan Cao1,2,3, Liang Zhang2,3,4,
Ji-Gang Ren1,2,3, Wen-Qi Cai1,2,3, Wei-Yue Liu1,2,3, Shuang-Lin Li1,2,3, Rong Shu2,3,4,
Received: 15 July 2019
Yong-Mei Huang5, Lei Deng6, Li Li1,2,3, Qiang Zhang1,2,3, Nai-Le Liu1,2,3, Yu-Ao Chen1,2,3,
Accepted: 13 May 2020 Chao-Yang Lu1,2,3, Xiang-Bin Wang2, Feihu Xu1,2,3, Jian-Yu Wang2,3,4, Cheng-Zhi Peng1,2,3 ✉,
Artur K. Ekert7,8 & Jian-Wei Pan1,2,3 ✉
Published online: xx xx xxxx

Check for updates

Quantum key distribution (QKD)1–3 is a theoretically secure way of sharing secret keys
between remote users. It has been demonstrated in a laboratory over a coiled optical
fibre up to 404 kilometres long4–7. In the field, point-to-point QKD has been achieved
from a satellite to a ground station up to 1,200 kilometres away8–10. However,
real-world QKD-based cryptography targets physically separated users on the Earth,
for which the maximum distance has been about 100 kilometres11,12. The use of trusted
relays can extend these distances from across a typical metropolitan area13–16 to
intercity17 and even intercontinental distances18. However, relays pose security risks,
which can be avoided by using entanglement-based QKD, which has inherent
source-independent security19,20. Long-distance entanglement distribution can be
realized using quantum repeaters21, but the related technology is still immature for
practical implementations22. The obvious alternative for extending the range of
quantum communication without compromising its security is satellite-based QKD,
but so far satellite-based entanglement distribution has not been efficient23 enough to
support QKD. Here we demonstrate entanglement-based QKD between two ground
stations separated by 1,120 kilometres at a finite secret-key rate of 0.12 bits per second,
without the need for trusted relays. Entangled photon pairs were distributed via two
bidirectional downlinks from the Micius satellite to two ground observatories in
Delingha and Nanshan in China. The development of a high-efficiency telescope and
follow-up optics crucially improved the link efficiency. The generated keys are secure
for realistic devices, because our ground receivers were carefully designed to
guarantee fair sampling and immunity to all known side channels24,25. Our method
not only increases the secure distance on the ground tenfold but also increases the
practical security of QKD to an unprecedented level.

Our experimental arrangement is shown in Fig. 1. The two receiving with a wavelength centred at 405 nm and a linewidth of 160 MHz, and
ground stations are located at Delingha (37°22′ 44.43′′ N, 97°43′ 37.01′′ E; generates down-converted polarization-entangled photon pairs at
altitude 3,153 m) in Qinghai province, and Nanshan (43°28′ 31.66′′ N, 810 nm close to the form of |Ψ ⟩12 = (|H ⟩1|V ⟩2 + |V ⟩1|H ⟩2)/ 2 , where |H⟩
87°10′ 36.07′′ E; altitude 2,028 m) in Xinjiang province, China. The physi- and |V⟩ denote the horizontal and vertical polarization states, respec-
cal distance between Delingha and Nanshan is 1,120 km. To optimize the tively, and the subscripts 1 and 2 denote the two output spatial modes.
receiving efficiencies, both the two ground telescopes are newly built The entangled photon pairs are then collected and guided by two
with a diameter of 1.2 m, specifically designed for the entanglement single-mode fibres to two independent transmitters equipped in the
distribution experiments. All the optical elements, such as mirrors, in satellite. Both transmitters have a near-diffraction-limited far-field
the telescopes maintain polarization. divergence of about 10 μrad. Under a pump power of 30 mW, the source
The satellite is equipped with a compact spaceborne entangled pho- distributes up to 5.9 × 106 entangled photon pairs per second.
ton source with a weight of 23.8 kg. A periodically poled KTiOPO4 crys- The photons are collected by the telescopes on two optical ground
tal inside a Sagnac interferometer is pumped in both the clockwise and stations. For each one, the follow-up optics is installed on one of the
anticlockwise directions simultaneously by a continuous-wave laser rotating arms and rotates along with the telescope. As shown in Fig. 1c,
1
Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei, China. 2Shanghai Branch, CAS
Center for Excellence in Quantum Information and Quantum Physics, University of Science and Technology of China, Shanghai, China. 3Shanghai Research Center for Quantum Science,
Shanghai, China. 4Key Laboratory of Space Active Opto-Electronic Technology, Shanghai Institute of Technical Physics, Chinese Academy of Sciences, Shanghai, China. 5The Institute of Optics
and Electronics, Chinese Academy of Sciences, Chengdu, China. 6Shanghai Engineering Center for Microsatellites, Shanghai, China. 7Mathematical Institute, University of Oxford, Oxford, UK.
8
Centre for Quantum Technologies, National University of Singapore, Singapore, Singapore. ✉e-mail: [email protected]; [email protected]

Nature | www.nature.com | 1
Article
a

Nanshan
PPKTP
b

PI HWP
PBS
DM1 DM2
c
405
DM3 1,1

HWP
LP

Isolator

QWP
532

20
km
FSM BS
Collimator
BE

HWP1
SF IF HWP2

BF PBS2
PBS1
Delingha

Fig. 1 | Overview of the experimental set-up of entanglement based dichroic mirror; LP, long-pass edge filter; PI, piezo steering mirror; HWP,
quantum key distribution. a, An illustration of the Micius satellite and the two half-wave plate; QWP, quarter-wave plate; PPKTP, periodically poled KTiOPO4.
ground stations. Image credit: Fengyun-3C/Visible and Infrared Radiometer, c, The follow-up optic at the optical ground station. The tracking and
with permission (2020). The satellite flies in a Sun-synchronous orbit at an synchronization laser is separated from the signal photon by DM3 and
altitude of 500 km. The physical distance between Nanshan and Delingha detected by the single photon detector (SPD5). The spatial filter (SF),
ground station is 1,120 km. b, The spaceborne entangled-photon source. A free broad-bandwidth filter (BF) and interference filter (IF) are used to filter out the
space isolator is used to minimize back reflection to the 405-nm pump laser. A input light in frequency and spatial domains. BS, beam splitter; BE, beam
pair of off-axis concave mirrors is used to focus the pump laser and collimate expander; FSM, fast steering mirror.
the down-converted photon pairs. PBS, polarization beam splitter; DM,

a beam splitter, a half-wave plate and two polarized beam splitters are (GPS) one-pulse-per-second (1PPS) signal. As the frequency of the syn-
combined to analyse the polarization of the entangled photons ran- chronization laser is relatively stable, a least-squares method is used to
domly in the bases of Z  ∈ {|H⟩, |V⟩} and X ∈ {|+⟩, |−⟩}, where fit the selected pulses, which can eliminate the time jitter of synchro-
∣ ± ⟩ = ( H ⟩± V ⟩)/ 2 . After being transmitted or reflected by the beam nization detectors. The time synchronization accuracy of entangled
splitter and polarized beam splitters, the photons are collected by four photon pairs is 0.77 ns (1σ). We set a narrow coincidence time gate of
multimode fibres with the core diameter of 105 µm and detected by 2.5 ns to reduce the accidentally coincident events.
four single photon detectors (SPDs) respectively. We carefully selected The satellite flies along a Sun-synchronous orbit, and comes into
the four SPDs to ensure that the detector efficiency is better than 53%, both Delingha’s and Nanshan’s view once every night, starting at around
the efficiency consistency is better than 98.5% and the dark counts are 2:00AM Beijing time and lasting for a duration of 285 s (>13° elevation
less than 100 counts per second (see Extended Data Table 1 for details). angle for both ground stations). Figure 2a plots the physical distances
A motorized half-wave plate (HWP1) is used to compensate the relative from the satellite to Delingha and Nanshan during one orbit, together
rotation between the transmitter and the receiver, where the correction with the sum channel length of the two downlinks. As shown in Fig. 2b,
angle offsets are calculated in advance. The entangled photons are the measured overall two-downlink channel attenuation varies from
filtered in both the frequency and spatial domains to satisfy the fair 56 dB to 71 dB. As compared to previous experiment23, this two-photon
sampling assumption and to guarantee practical security. In particular, count rate, and thus the signal-to-noise ratio, is greatly improved. To
an extra field diaphragm, consisting of two lenses with focal length of increase the collection efficiency for downlink entangled photons, we
8 mm and a pinhole of 100 µm, is used as the spatial filter to unify the have upgraded both the main system of the telescope and the follow-up
field of view of different channels, where the field of view is narrowed optics. For the main system, we improved the receiving efficiency by
to 27 µrad. A broad-bandwidth filter and a narrow-bandwidth filter of recoating the main lens (+1.5 dB) and redesigning the high-efficiency
5 nm are used to reject frequency side channels. These frequency filters beam expander (+0.9 dB). For the follow-up optics, we increased the
can also help to reduce the background counts. The output signals of collection efficiency through optical pattern matching, especially
the SPDs are recorded by a time-to-digital converter. shortening the optical path by 20 cm to avoid beam spreading by
To optimize the link efficiency, we develop cascaded multistage 0.65 mm (+0.6 dB).
acquiring, pointing and tracking systems both in the satellite trans- As a result, we have increased the collection efficiency of each
mitters and the optical ground station receivers, achieving a tracking satellite-to-ground link by a factor of about 2 over the previous experi-
accuracy of 2 µrad and 0.4 µrad, respectively. The beacon laser (532 nm, ment23. This was quantified by measuring the single-downlink efficien-
10 kHz) from the satellite is also used as a synchronization laser. It is cies of each ground station for several orbits. The best-orbit data were
sampled, frontier identified and recorded by the same time-to-digital taken on a clear night with no clouds in the sky and no haze near the
converter as well as quantum signals. The distant time-to-digital con- ground, which had the highest atmospheric transmittance (Extended
verters are first roughly synchronized using a global positioning system Data Fig. 1). Under these conditions, the link efficiency is related only

2 | Nature | www.nature.com
 Satellite-to-Nanshan distance Satellite-to-Delingha distance threshold voltage and trigger the alarm (Fig. 3b). For the time-shift
Two-link channel overall length attack27 and the dead-time attack28, our countermeasure is to operate
a
2,800 the detector in free-running mode, in which the detector records all
2,400 the detection events and post-selects the detection windows such
Distance (km)

2,000 that the detection efficiency is guaranteed to be at a nominal level.

1,600 For the side channels in other optical domains (Fig. 1c), we use optical
1,200 filters to filter out the input light and eliminate the mismatch in the
800 frequency and spatial domains. In particular, we use two cascaded
400 broad-bandwidth and narrow-bandwidth filters (Fig. 3a) to eliminate
0 50 100 150 200 250 300 the frequency dependency29 of the transmission/reflection ratio of the
b
75
beam splitter (Extended Data Fig. 6). Spatial filters are added to ensure
Attenuation (dB)

70 identical efficiencies for different detectors (Fig. 3c), thus eliminating

the spatially dependent loopholes30. Consequently, the secret key,
65 generated by our QKD system, is practically secure for realistic devices.
60 To verify the entanglement established between the two distant
optical ground stations, we use the distributed entangled photons
55 for the Bell test with the Clauser–Horne–Shimony–Holt (CHSH)-type
0 50 100 150 200 250 300 inequality31, which is given by
Time (s)
S = |E (φ1, φ2) − E (φ1, φ2′) + E (φ1′, φ2) + E (φ1′, φ2′)| ≤ 2
Fig. 2 | Distances and attenuations from satellite to Nanshan (Delingha).
a, A typical two-downlink trial from satellite to Nanshan, and to Delingha, lasts
about 285 s (>13° elevation angle for both ground stations) in a single pass of where E is the joint correlation with measurement angles of the Delingha
the satellite. The distance from satellite to Nanshan (Delingha) is from 618 km optical ground station and the Nanshan optical ground station, respec-
(853 km) to about 1,500 km, and the total length of the two downlinks varies tively. The angles are randomly selected from (0, π/8), (0, 3π/8), (π/4,
from 1,545 km to 2,730 km. b, The measured satellite-to-ground two-downlink π/8) and (π/4, 3π/8) to close the locality loophole. We run 1,021 trials
channel attenuation. of the Bell test during an effective time of 226 s. The observed result for
parameter S is 2.56 ± 0.07, with a violation of the CHSH–Bell inequality
S < 2 by 8 standard deviations (see Extended Data Table 4 for details).
to the distance between the satellite and the ground (Extended Data The Bell violation provides evidence of high-quality entanglement
Fig. 2). These data were selected to calibrate the improvement of the between the entangled photons observed over 1,120 km apart.
link efficiency, and a 3-dB enhancement in the collection efficiency In our entanglement-based QKD demonstration, we adopted the
was observed for each satellite-to-ground link (Extended Data Fig. 3). BBM92 protocol3, in which the measurements by Alice and Bob are
Overall, the collection efficiency of the two-photon distribution was symmetric, that is, each of them requires two measurement bases, that
improved by a factor of about 4 over the previous experiment23. is, the Z (H/V) basis and the X (+/−) basis. As mentioned above, using
To realize secure QKD against side-channel attacks, we add several filtering and monitoring, we guarantee that the single-photon detec-
single-mode filters to the receiver, which slightly decreases the collec- tions were conducted on a nearly two-dimensional subspace and the
tion efficiency. Even so, the system efficiency (with filters) still improves system detection efficiencies for the four polarization states could be
by a factor of about 2. A comparison of the results of this work and the well characterized to satisfy the fair sampling condition without Eve’s
previous experiment23 is shown in Extended Data Table 2. We observe tampering. Experimentally, we have characterized the system detec-
an average two-photon count rate of 2.2 Hz, with a signal-to-noise tion efficiency of each detection path, where the efficiency mismatch
ratio of 15:1. The sifted key rate for QKD is 1.1 Hz. This enhancement is has an upper bound of 1.47%. This efficiency mismatch is considered
remarkable, because it decreases the quantum bit error rate (QBER) in the privacy amplification (PA) of the post-processing of the secret
from about 8.1% (ref. 23) to about 4.5%, thus enabling the realization of key rate (see Methods). Moreover, we use the post-processing to han-
satellite-based entanglement QKD (Extended Data Fig. 4). dle double clicks, by randomly assigning a classical bit, as well as the
The entanglement-based QKD system was carefully designed to dead-time effect, by removing the sequential detections after a click.
provide practical security against physical side channels21,22. We note These implementations can ensure that the secret keys produced are
that entanglement-based QKD is naturally source-independent16,17, secure against the issues of known side channels.
which guarantees that the system is secure against loopholes in the Following the security analysis for an uncharacterized source19, the
source. All we need is to ensure the security on the detection sides, that asymptotic secret key rate RZ for the post-processed bits in the Z basis
is, the two optical ground stations. In general, the side channels on the is given by:
detection side primarily violate the key assumption of fair sampling.
To guarantee this assumption, we add a series of filters with differ- RZ ≥ QZ [1 − fe H (EZ ) − H (EX )]
ent degrees of freedom, including frequency, spatial and temporal
modes, and implement countermeasures for the correct operation where QZ is the sifted key where Alice and Bob select the Z basis, ƒe is the
of the single-photon detectors. error correction inefficiency, and EZ and EX are the QBER in the Z and X
Specifically, great attention has been paid to detection attacks, bases, respectively. The analysis for the X basis is the same. The total
including: detector-related attack26–28, wavelength-dependent attack29, asymptotic secret key rate is RA = RZ + RX. The detailed security analysis
spatial-mode attack30, and other possible side-channels. We have imple- for the finite key rate RF, which takes into account the finite key size32,33
mented countermeasures to all the above known attacks (see Methods and the detection efficiency mismatch, is shown in Methods.
and Extended Data Table 3). For the side channels targeting the opera- Experimentally, we obtained 6,208 initial coincidences within 3,100 s
tion of detectors, such as blinding attack26, we install additional moni- of data collection. Discarding the events for which the two optical
toring circuits. In particular, we install an additional circuit to monitor ground stations had chosen different bases, we obtained 3,100 bits
the anode of the load resistance in the detection circuit to counter the of sifted key with 140 erroneous bits, which corresponded to an aver-
blinding attack (Extended Data Fig. 5). If there is a bright laser pulse aged QBER of 4.51% ± 0.37%. The QBERs in the H/V and +/− bases (Z
illumination, the output of the monitoring circuit will exceed a secure and X bases) are, respectively, 4.63% ± 0.51% and 4.38% ± 0.54%. For

Nature | www.nature.com | 3
Article
a Broadband Narrowband b Blink pulse Single photon
1.0
2.0

Transmission
0.5
1.5
Secure threshold

Voltage (V)
0.0
400 600 800 1,000 1.0
1.0
Filter
Transmission

0.5 0.5

0.0 0.0
806 808 810 812 814 0.0 0.1 0.2 0.3 0.4
Wavelength (nm) Time (ms)
c
0.0
20 + 20 – 20 H 20 V
0.2
0.4
Y (μrad)

Y (μrad)

Y (μrad)
Y (μrad)

0.6
0 0 0 0 0.8
1.0

–20 –20 –20 –20

–20 0 20 –20 0 20 –20 0 20 –20 0 20
X (μrad) X (μrad) X (μrad) X (μrad)

Fig. 3 | Monitoring and filtering against side channels. a, The transmission of 2 V, which is clearly above the security threshold, thus triggering the security
broad-bandwidth and narrow-bandwidth wavelength filters. b, The output of alarm. c, The system detection efficiency of the four polarizations in the spatial
monitoring circuit with/without blinding attack. Without blinding attack, the domain. With the spatial filter, the four efficiencies are identical. The colour
outputs are random avalanching single-photon-detection signals (black dots). scale shows the measured efficiencies normalized to the maximum efficiency.
With blinding attack (starting from 0.20 ms), the output signals are at around

the sifted bits, we performed an error correction with Hamming code

and achieved an error correction inefficiency of ƒe = 1.19. After the error Online content
correction and the PA, we obtained a secure key rate of RA = 0.43 bits Any methods, additional references, Nature Research reporting sum-
per second in the asymptotic limit of the infinitely long key. With a maries, source data, extended data, supplementary information,
failure probability ε = 10−10, the finite key rate is RF = 0.12 bits per second acknowledgements, peer review information; details of author con-
(see Table 1 for a summary). In total, we obtained a 372-bit secret key. tributions and competing interests; and statements of data and code
Compared to directly transmitting the entangled photons over a dis- availability are available at https://doi.org/10.1038/s41586-020-2401-y.
tance of 1,120 km using commercial ultralow-loss optical fibres (with a
loss of 0.16 dB km−1), we estimate that the effective link efficiency, and 1. Bennett, C. H. & Brassard, G. Quantum cryptography: public key distribution and coin
thus the secret key rate, of the satellite-based method is eleven orders tossing. In Proc. Int. Conf. on Computers, Systems and Signal Processing 175–179 (1984).
2. Ekert, A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661
of magnitude higher. The secure distance substantially outperforms (1991).
previous entanglement-based QKD experiments12,34. 3. Bennett, C. H., Brassard, G. & Mermin, N. D. Quantum cryptography without Bell’s
In summary, we have demonstrated entanglement-based QKD theorem. Phys. Rev. Lett. 68, 557 (1992).
4. Peng, C.-Z. et al. Experimental long-distance decoy-state quantum key distribution based
between two ground stations separated by 1,120 km. We increase the on polarization encoding. Phys. Rev. Lett. 98, 010505 (2007).
link efficiency of the two-photon distribution by a factor of about 4 5. Rosenberg, D. et al. Long-distance decoy-state quantum key distribution in optical fiber.
compared to the previous work23 and obtain a finite-key secret key Phys. Rev. Lett. 98, 010503 (2007).
6. Yin, H.-L. et al. Measurement-device-independent quantum key distribution over a 404
rate of 0.12 bits per second. The brightness of our spaceborne entan- km optical fiber. Phys. Rev. Lett. 117, 190501 (2016).
gled photon source can be increased by about two orders of magni- 7. Boaron, A. et al. Secure quantum key distribution over 421 km of optical fiber. Phys. Rev.
tude in our latest research35, which could readily increase the average Lett. 121, 190502 (2018).
8. Liao, S.-K. et al. Satellite-to-ground quantum key distribution. Nature 549, 43 (2017).
final key to tens of bits per second or tens of kilobits per orbit. The 9. Liao, S.-K. et al. Space-to-ground quantum key distribution using a small-sized payload on
entanglement-based quantum communication could be combined Tiangong-2 Space Lab. Chin. Phys. Lett. 34, 090302 (2017).
with quantum repeaters21 for general quantum communication pro- 10. Yin, J. et al. Satellite-to-ground entanglement-based quantum key distribution. Phys. Rev.
Lett. 119, 200501 (2017).
tocols and distributed quantum computing36. Hence, our work paves 11. Schmitt-Manderbach, T. et al. Experimental demonstration of free-space decoy-state
the way towards entanglement-based global quantum networks. quantum key distribution over 144 km. Phys. Rev. Lett. 98, 010504 (2007).
Overall, the results increase the secure distance of practical QKD on 12. Ursin, R. et al. Entanglement-based quantum communication over 144 km. Nat. Phys. 3,
481 (2007).
the ground from 100 km to more than 1,000 km without the need for 13. Elliott, C. et al. Current status of the DARPA quantum network. In Quantum Information
trusted relays, thus representing an important step towards a truly and Computation III Vol. 5815, 138–150 (International Society for Optics and Photonics,
robust and unbreakable cryptographic method for remote users over 2005).
14. Peev, M. et al. The SECOQC quantum key distribution network in Vienna. New J. Phys. 11,
arbitrarily long distances. 075001 (2009).
15. Chen, T.-Y. et al. Field test of a practical secure communication network with decoy-state
quantum cryptography. Opt. Express 17, 6540 (2009).
Table 1 | Experimental results of entanglement-based QKD 16. Sasaki, M. et al. Field test of quantum key distribution in the Tokyo QKD network. Opt.
Express 19, 10387–10409 (2011).
over 1,120 km 17. Qiu, J. et al. Quantum communications leap out of the lab. Nature 508, 441 (2014).
18. Liao, S.-K. et al. Satellite-relayed intercontinental quantum network. Phys. Rev. Lett. 120,
Parameter Q EZ EX RA RF 030501 (2018).
19. Koashi, M. & Preskill, J. Secure quantum key distribution with an uncharacterized source.
Value 1.00 bps 4.63% ± 0.51% 4.38% ± 0.54% 0.43 bps 0.12 bps
Phys. Rev. Lett. 90, 057902 (2003).

4 | Nature | www.nature.com
20. Ma, X., Fung, C.-H. F. & Lo, H.-K. Quantum key distribution with entangled photon 30. Sajeed, S. et al. Security loophole in free-space quantum key distribution due to
sources. Phys. Rev. A 76, 012307 (2007). spatial-mode detector-efficiency mismatch. Phys. Rev. A 91, 062301 (2015).
21. Briegel, H.-J., Dur, W., Cirac, J. I. & Zoller, P. Quantum repeaters: the role of imperfect 31. Clauser, J. F., Horne, M. A., Shimony, A. & Holt, R. A. Proposed experiment to test local
local operations in quantum communication. Phys. Rev. Lett. 81, 5932–5935 (1998). hidden-variable theories. Phys. Rev. Lett. 23, 880 (1969).
22. Yang, S.-J., Wang, X.-J., Bao, X.-H. & Pan, J.-W. An efficient quantum light–matter interface 32. Koashi, M. Simple security proof of quantum key distribution based on complementarity.
with sub-second lifetime. Nat. Photon. 10, 381 (2016). New J. Phys. 11, 045018 (2009).
23. Yin, J. et al. Satellite-based entanglement distribution over 1200 kilometers. Science 356, 33. Tomamichel, M., Lim, C. C. W., Gisin, N. & Renner, R. Tight finite-key analysis for quantum
1140 (2017). cryptography. Nat. Commun. 3, 634 (2012).
24. Lo, H.-K., Curty, M. & Tamaki, K. Secure quantum key distribution. Nat. Photon. 8, 595 (2014). 34. Peng, C.-Z. et al. Experimental free-space distribution of entangled photon pairs over 13
25. Xu, F., Ma, X., Zhang, Q., Lo, H.-K. & Pan, J.-W. Secure quantum key distribution with km: towards satellite-based global quantum communication. Phys. Rev. Lett. 94, 150501
realistic devices. Rev. Mod. Phys. 92, 025002 (2020). (2005).
26. Lydersen, L. et al. Hacking commercial quantum cryptography systems by tailored bright 35. Cao, Y. et al. Bell test over extremely high-loss channels: towards distributing entangled
illumination. Nat. Photon. 4, 686 (2010). photon pairs between earth and the moon. Phys. Rev. Lett. 120, 140405 (2018).
27. Zhao, Y., Fung, C.-H., Qi, B., Chen, C. & Lo, H.-K. Quantum hacking: experimental 36. Ladd, T. D. et al. Quantum computers. Nature 464, 45–53 (2010).
demonstration of time-shift attack against practical quantum-key-distribution systems.
Phys. Rev. A 78, 042333 (2008).
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in
28. Weier, H. et al. Quantum eavesdropping without interception: an attack exploiting the
published maps and institutional affiliations.
dead time of single-photon detectors. New J. Phys. 13, 073024 (2011).
29. Li, H.-W. et al. Attacking a practical quantum-key-distribution system with wavelength-
dependent beam-splitter and multiwavelength sources. Phys. Rev. A 84, 062308 (2011). © The Author(s), under exclusive licence to Springer Nature Limited 2020

Nature | www.nature.com | 5
Article
Methods several nanoseconds to tens of microseconds. If Bob has a detection
event during a time period when one detector is in the dead-time period,
Implementation against device imperfections while the other one is active, Eve could easily infer which detector has
In practice, the imperfections of realistic QKD implementations may a click. Our detector works in the free-running mode, and all detec-
introduce deviations (or side channels) from the idealized models tion events are collected. The countermeasure is that we monitor the
used in the security analysis. Eve might exploit these imperfections status of the detectors and use only those detection events for which
and launch quantum attacks24. Our entanglement-based QKD imple- all detectors are active to generate keys.
mentation is designed and characterized to provide practical security
against both known quantum attacks and potential future loopholes. Beam-splitter attack. In a polarization-based QKD system, Bob typi-
The entanglement-based QKD is naturally source-independent2,19. All cally exploits an 1 × 2 beam splitter to passively choose the measurement
we need is to consider the side channels properly at the detection stage. basis. In the standard case, a photon will randomly pass through the
Here, we design a detection system, choosing apparatus under strict beam splitter, thus randomly selecting a rectilinear basis or a diagonal
criteria for satisfying the underlying security assumptions, and per- basis. However, in practice, the splitting ratio of the beam splitter is
forming careful characterizations to test those assumptions. We note wavelength-dependent, that is, the centre wavelength has a coupling
that our implementation is based on trusted and characterized devices, ratio of 50:50, whereas the coupling ratio varies for other wavelengths.
that is, in a device-dependent scenario. The implementations are mostly Consequently, Eve can control the measurement basis by sending
common techniques, but we can maintain immunity to all known Bob photons with different wavelength29. To avoid this attack, we use
detection attacks, including: detector efficiency-mismatch attack37, broad-bandwidth and narrow-bandwidth wavelength filters to filter
time-shift attack27,38, detector-blinding attack26,39, detector-damage the input light on Bob’s station. The characterizations of these two
attack40, detector dead-time attack28, wavelength-dependent attack29, filters are shown in Fig. 3a. The beam splitter ratio within the filtered
spatial-mode attack30, and other possible side channels24. In Extended bandwidth is characterized in Extended Data Fig. 6.
Data Table 3, we list the reported attacks against the detection, as well
as our countermeasures to avert them. In the following, we will give a Spatial-mode attack. In a free-space QKD system, the detector has
more detailed description. different sensitivities for different spatial-mode photons, especially
when the detector is coupled with a multi-mode fibre. Eve could exploit
Efficiency-mismatch attack. In practice, it is difficult to manufacture the spatial-mode efficiency mismatch and perform the spatial-mode
two SPDs with the same responses for different degrees of freedom. attack30. To counter this attack, we place a spatial filter in front of the
That is, practical SPDs present efficiency mismatch. With the efficiency beam splitter to make the efficiencies of different detection paths
mismatch, Eve can partially control which detector clicks by subtly uniform. With the spatial filter, the characterization of the detection
sending desired signals to Bob37. For example, most of QKD systems efficiency in spatial domain is shown in Fig. 3c.
use two gated avalanche photodiode detectors, which produce a In general, the practical security of implementation is essentially
time-dependent efficiency mismatch. Eve can perform a time-shift guaranteed by the fair-sampling assumption. The countermeasures to
attack27,38, by shifting the arrival time of each signal, so that Bob’s de- the abovementioned attacks comprise the use of active components
tection results are biased depending on the time shift. Our strategy to to guarantee the fair-sampling assumption. In the frequency mode,
counter the time-shift attack is that our detector works in free-running broad-band and narrow-band frequency filters are employed to filter-
mode. We record all the detection events and post-select the detection ing the input light. In the temporal mode, free-running detectors are
windows such that the detection efficiency is guaranteed to be at a applied to post-select the time windows of detection events. In the
nominal level. For efficiency mismatch in other degrees of freedom37, spatial mode, spatial filters are placed before the collimating lens of
we use optical filters to filter out the input light and eliminate the mis- measurement devices. In polarization mode, we use the polarization
match in the frequency and spatial modes. encoding for QKD, thus monitoring the QBER to ensure the security.
In future, we may also combine our entanglement-based QKD system
Detector-blinding attack. In the detector-blinding attack26, Eve uses a with the measurement-device-independent QKD protocol41 to make
continuous bright laser illumination to force SPDs to work in the linear detection immune to all detector attacks.
mode. The SPDs are then no longer sensitive to single photons, and
are converted into classical intensity detectors. Eve can control which Security analysis
detector clicks by sending Bob properly tailored classical pulses. In the The main goal of our security analysis is to calculate the practi-
laser damage attack40, Eve can use a strong damaging laser illumina- cal security rate by considering the issues of the finite-key size and
tion to change the properties of the SPDs completely. To counter the device imperfections. We remark that our security analysis is for
detector-blinding attack and the laser-damage attack, as illustrated entanglement-based QKD with trusted and characterized devices, that
in Extended Data Fig. 5, we install an additional circuit to monitor the is, in a device-dependent scenario42. We start with a security proof for an
anode of the load resistance in the detection circuit. We test the attack ideal QKD protocol by following the Shor–Preskill security proof43. We
during the experiment by sending a bright laser pulse illumination. then extend the security analysis to the practical case of the finite-key
These results are shown in Fig. 3b. In normal operation (without blind- effect by using the approach of uncertainty relation for smooth entro-
ing pulses), the output voltage of the monitoring circuit is below 1.2 V, pies33. Finally, we extend the analysis to address the security issues of
corresponding to standard avalanching signals. At time t ≈ 0.2 ms, Eve device imperfections by using the Gottesman–Lo–Lütkenhaus–Preskill
performs the blinding attack using 12 µW and a 2-µs-long laser pulse (GLLP) framework44.
at a repetition rate of 100 kHz. The output of the monitoring circuit Ideal QKD refers to the case where an infinite number of signals are
clearly exceeds 1.2 V, because a large current caused by the bright laser generated and the devices to run the QKD protocol are as perfect as
illumination passes through the load resistance. Consequently, we described by theoretical models. The security proof for ideal QKD was
could set a secure threshold on the voltage of monitoring circuit: if established in the early 2000s by Mayers45, Lo and Chau46 and Shor
the voltage is higher than the threshold, it exposes the blinding attack. and Preskill43.
Shor and Preskill employed the idea of the Calderbank–Shor–Ste-
Detector dead-time attack. The basic principle of this attack is the ane quantum error correcting code to provide a simple framework
dead-time effect of a SPD28. After a detection event, a detector does not for security proof. In an entanglement-based QKD such as the BBM92
respond to the incoming photons during a time window ranging from protocol3, when Alice and Bob both measure quantum signals in the Z
basis, an error may occur when the outcomes are different. We can call By using the approach of the uncertainty relation for smooth entro-
it a bit error. The phase error can be defined as the hypothetical error pies33, the Z-basis secret key length lZ is given by
if those quantum signals were measured in the basis complementary

to the Z basis. In the Shor–Preskill security proof, the bit error correc-
tion is classical error correction and the phase error correction is PA.

lZ = nZ − nZ H EX +
(nZ + 1)log ( )  − f n H(E ) − log
1
εsec 2
e Z Z 2 .
The crucial part is to perform the PA, in which one needs to estimate  2nX (nX + nZ )  εcorε sec
the phase error rate. For the key bits measured in the Z basis, the phase  
error rate can be estimated by measuring the key bits in the X basis. The
Z-basis security rate for ideal QKD is given by Similarly, the X-basis finite-key secret key length lX can be calculated,
and the total key length is l = lZ + lX.
RZ ≥ QZ [1 − H (EZ ) − H (EX )]
Security proof for imperfect devices
where QZ is the sifted key rate per signal in which both Alice and Bob In practice, owing to device imperfections, there exist deviations
select the Z basis, EZ and EX are the QBER in the Z and X bases, and between realistic QKD systems and the ideal QKD protocol24. To achieve
H(χ) = −χlog2χ – (1 − χ)log2(1 − χ). Similarly, secret keys can also be practical security in a QKD system, Alice and Bob need to character-
generated in the X basis, and the analysis for the rate RX is the same. ize these imperfections carefully and take them into account in the
The total ideal key rate is RA = RZ + RX. Note that an entangled source practical security analysis. Notably, a general framework for security
is basis-independent (or uncharacterized), and the security proof for analysis with realistic devices was established in ref. 44. In this frame-
QKD with an uncharacterized source is given in ref. 19. work, Alice and Bob need to characterize their devices to see how much
We remark that in order for a successful estimation of PA, one needs deviation there is from the ideal ones assumed in the security proofs.
to make sure the sampling in the complementary basis is fair, which in One can employ typical distance measures, like fidelity and trace
practical realizations raises two major issues: the finite-key effect (that distance, to quantify the deviation, and then consider this deviation
is, statistical fluctuations) and device imperfections (that is, violating in PA.
the fair sampling), discussed below. Our entanglement-based QKD is source-independent, which ensures
that the imperfections in the source can be ignored. All we need is
Finite-key analysis to carefully characterize the imperfections in the detection side. In
We first define the security in the finite-key scenario with the compos- general, the (known and to be known) side channels on the detection
able security definition framework47,48. A secure key should satisfy two side26–30,38–40 primarily violate the key assumption of fair sampling.
requirements. First, the key bit strings possessed by Alice and Bob We perform implementations by following the squashing model44
need to be identical, that is, to be correct. Second, from the view of to guarantee the fair sampling assumption. In a squashing model,
anyone other than Alice and Bob, say Eve, the key bit string should be an arbitrary quantum state (from the channel) is first projected to
uniformly distributed, that is, should be secret. Practical issues, such a two-dimensional subspace before the Z and X measurements. So,
as the finite data size and non-ideal error correction, mean that Alice we implement a series of single-mode filters in different degrees of
and Bob cannot generate an ideal key via QKD. In reality, it is reason- freedom, including the frequency, spatial and temporal modes. None-
able to allow the key to have small failure probabilities, εcor and εsec, for theless, practical filters normally have finite bandwidth, which will
correctness and secrecy. We say that the QKD protocol is ε-secure with cause small deviations for detection efficiencies, that is, a detection
ε ≥ εcor + εsec, if it is εcor-correct and εsec-secret48. Specifically, we define ka efficiency mismatch52,53. Our security proof for imperfect devices
and kb to be the key bit strings obtained by Alice and Bob. A QKD proto- will primarily consider the deviation of the detection efficiency,
col is defined to be εcor-correct if the probability satisfies Pr(ka = kb) ≤ εcor. and analyse this imperfection into the PA by following the GLLP
A QKD protocol is defined in trace distance to be εsec-secret, if framework44.
[(1 – Pabort)/2]||ρAE − UA ⊗ ρE|| ≤ εsec, where ρAE is the classical quantum state We assume the lower bound of detection efficiency is η0, so the detec-
describing the joint state of ka and Eve’s system ρE, UA is the uniform tion efficiency of the ith detector can be written as η0(1 + δi), where
mixture of all possible values of ka, and Pabort is the probability that the δi quantifies the deviation of efficiency. Suppose that if we can add
protocol aborts. attenuation with transmittance 1/(1 + δi) just before the ith detector,
There are two main approaches to analyse the finite-key security then we would obtain equal efficiency for all detectors. In doing so,
of QKD: one is based on smooth min/max entropy33,48 and the other the number of Z-bits (or X-bits) will be reduced by a fraction, upper
one is based on complementarity32. Recently, these two approaches bounded by Δ = 1 – 1/(1 + δ)2. In our experiment, we quantify that δi is
have been proved to be unified49. The estimation of the phase error upper bounded by δi ≤ 1.47% (see Extended Data Table 1). This deviation
rate is the most important part of the Shor–Preskill security analy- can be considered in PA, that is, the estimation of phase error rate as EX′/
sis. Owing to statistical fluctuations in the finite-key case, the phase (1 − Δ) (ref. 44). Overall, after considering the finite-key size effect and
error rate used for evaluating the amount of PA cannot be measured the efficiency deviation, the secret key length LZ is given by:
accurately. Instead, Alice and Bob can bound the phase error rate via
certain complementary measurements32,33. Specifically, for the Z-basis   1 
(nZ + 1)log

E +  εsec  
security key in entanglement-based QKD, Alice and Bob can bound the  X 2nX (nX + nZ )  2
underlying phase error rate EX′ by sampling the qubits in the X basis. LZ = nZ − nZ H   − fe nZ H (EZ ) − nZ Δ − log ε ε 2 .
1−Δ
This is a typical random sampling problem. We can use the Serfling   cor sec
 
inequality50 to estimate the probability that the average error on the  
sample deviates from the average error on the total string51. We obtain
the upper bound for EX′ as The analysis of the secret key length LX for the key bits in the X basis is
the same. The total finite-key length is L = LZ + LX.
(nX + 1)log(1/εsec)
EX ′ ≤ EX +
2nX (nX + nZ )
Data availability
where nZ and nX are the number of coincident counts in the Z and X The data that support the findings of this study are available from the
bases. corresponding authors on reasonable request.
Article
37. Makarov, V., Anisimov, A. & Skaar, J. Effects of detector efficiency mismatch on security of 53. Marøy, Ø., Lydersen, L. & Skaar, J. Security of quantum key distribution with arbitrary
quantum cryptosystems. Phys. Rev. A 74, 022313 (2006). individual imperfections. Phys. Rev. A 82, 032337 (2010).
38. Qi, B., Fung, C.-H.F., Lo, H.-K. & Ma, X. Time-shift attack in practical quantum
cryptosystems. Quantum Inf. Comput. 7, 73 (2007).
39. Gerhardt, I. et al. Experimentally faking the violation of Bell’s inequalities. Phys. Rev. Lett. Acknowledgements We acknowledge discussions with X. Ma and C. Jiang. We thank
107, 170404 (2011). colleagues at the National Space Science Center, China Xi’an Satellite Control Center, National
40. Bugge, A. N. et al. Laser damage helps the eavesdropper in quantum cryptography. Phys. Astronomical Observatories, Xinjiang Astronomical Observatory, Purple Mountain
Rev. Lett. 112, 070503 (2014). Observatory, and Qinghai Station for their management and coordination. We thank G.-B. Li,
41. Lo, H.-K., Curty, M. & Qi, B. Measurement-device-independent quantum key distribution. L.-L. Ma, Z. Wang, Y. Jiang, H.-B. Li, S.-J. Xu, Y.-Y. Yin, W.-C. Sun and Y. Wang for their long-term
Phys. Rev. Lett. 108, 130503 (2012). assistance in observation. This work was supported by the National Key R&D Program of China
42. Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81, (grant number 2017YFA0303900), the Shanghai Municipal Science and Technology Major
1301–1350 (2009). Project (grant number 2019SHZDZX01), the Anhui Initiative in Quantum Information
43. Shor, P. & Preskill, J. Simple proof of security of the BB84 quantum key distribution Technologies, Science and Technological Fund of Anhui Province for Outstanding Youth (grant
protocol. Phys. Rev. Lett. 85, 441 (2000). number 1808085J18) and the National Natural Science Foundation of China (grant numbers
44. Gottesman, D., Lo, H.-K., Lütkenhaus, N. & Preskill, J. Security of quantum key distribution U1738201, 61625503, 11822409, 11674309, 11654005 and 61771443).
with imperfect devices. Quantum Inf. Comput. 4, 325 (2004).
45. Mayers, D. J. Unconditional security in quantum cryptography. J. Assoc. Comput. Mach. Author contributions C.-Z.P., A.K.E. and J.-W.P. conceived the research. J.Y., C.-Z.P. and J.-W.P.
48, 351–406 (2001). designed the experiments. J.Y., Y.-H.L., S.-K.L., M.Y., Y.C., J.-G.R., S.-L.L., C.-Z.P. and J.-W.P.
46. Lo, H. K. & Chau, H. F. Unconditional security of quantum key distribution over arbitrarily developed the follow-up optics and monitoring circuit. J.Y., Y.-M.H., C.-Z.P. and J.-W.P.
long distances. Science 283, 2050 (1999). developed the efficiency telescopes. J.Y., S.-K.L., Y.C., L.Z., W.-Q.C., R.S., L.D., J.-Y.W., C.-Z.P. and
47. Ben-Or, M., Horodecki, M., Leung, D. W., Mayers, D. & Oppenheim, J. In Proc. 2nd Int. Conf. J.-W.P. designed and developed the satellite and payloads. J.Y., L.Z., W.-Q.C., W.-Y.L. and C.-Z.P.
on Theory of Cryptography (TCC'05) 386–406 (Springer, 2005). developed the software. F.X., X.-B.W., A.K.E. and J.-W.P. performed the security proof and
48. Renner, R. Security of quantum key distribution. PhD thesis, ETH Zurich (2005); preprint at analysis. L.L., Q.Z., N.-L.L., Y.-A.C., X.-B.W., F.X., C.-Z.P., A.K.E. and J.-W.P. contributed to the
https://arxiv.org/abs/quant-ph/0512258. theoretical study and implementation against device imperfections. F.X., C.-Y.L., C.-Z.P. and
49. Tsurumaru, T. Leftover hashing from quantum error correction: unifying the two J.-W.P. analysed the data and wrote the manuscript, with input from J.Y., Y.-H.L., M.Y., Y.C. and
approaches to the security proof of quantum key distribution. Preprint at https://arxiv.org/ A.K.E. All authors contributed to the data collection, discussed the results and reviewed the
abs/1809.05479 (2018). manuscript. J.-W.P. supervised the whole project.
50. Serfling, R. J. Probability inequalities for the sum in sampling without replacement. Ann.
Stat. 2, 39–48 (1974). Competing interests The authors declare no competing interests.
51. Curty, M. et al. Finite-key analysis for measurement-device-independent quantum key
distribution. Nat. Commun. 5, 3732 (2014). Additional information
52. Fung, C.-H. F., Tamaki, K., Qi, B., Lo, H.-K. & Ma, X. Security proof of quantum key Correspondence and requests for materials should be addressed to J.-W.P. or C.-Z.P.
distribution with detection efficiency mismatch. Quantum Inf. Comput. 9, 131–165 (2009). Reprints and permissions information is available at http://www.nature.com/reprints.
 a b

Extended Data Fig. 1 | Satellite-to-Delingha link efficiencies under b, The data in current work was taken in different orbits during the period of 6
different weather conditions. a, The data in previous work 23 was taken in September 2018 to 22 October 2018. Here the change of link efficiencies on
different orbits during the period of 7 December 2016 to 22 December 2016. different days was caused by the weather conditions.
Article

Extended Data Fig. 2 | Multiple orbits of satellite-to-Delingha link efficiencies under good weather conditions. Stable and high collection efficiencies were
observed during the period of October 2018 to April 2019.
 a b

Extended Data Fig. 3 | The comparison of satellite-to-Delingha link current work shows a 3-dB enhancement in the collection efficiency over that
efficiency under the best-orbit condition. a, After improving the link of ref. 23. The lines are linear fits to the data. b, Some representative values.
efficiency with high-efficiency telescopes and follow-up optics, on average, the
Article
0
10

Secret rate R (bits/s)

-1
10
This Work
R=0.12 bit/s

-2
10
Ref. 23
R=0 bit/s

0 0.01 0.02 0.03 0.04 0.05 0.06 0.07 0.08 0.09

QBER

Extended Data Fig. 4 | The finite-key secret key rate R versus the QBER. For 4.5% and a secret key rate of 0.12 bits per second are demonstrated over
the 3,100 s of data collected in our experiment, a QBER of below about 6.0% is 1,120 km. If one ignores the important finite-key effect, the QBER in ref. 23 is
required to produce a positive key. The previous work 23 demonstrated a QBER slightly lower than the well known asymptotic limit of 11% (ref. 43).
of 8.1%, which is not sufficient to generate a secret key. In this work, a QBER of
Extended Data Fig. 5 | Schematics of the detection and blinding-attack monitor is shown in the dot-dash diagram. A resistor-capacitor filter and a
monitoring circuit. The biased voltage (HV) is applied to an avalanche voltage follower are used to smooth and minimize the impact on the signals.
photodiode through a passive quenching resistance (Rq = 500 kΩ) and a The outputs of an analogue to digital converter (ADC), at a sampling rate of
sampling resistance (R s = 10 kΩ). The avalanche signals are read out as click or 250 kHz, are registered by computer data acquisition (PC-DAQ). R1, resistor;
no-click events through a signal-discrimination circuit. The blinding signal C1, capacitor; OA, operational amplifier.
Article

Extended Data Fig. 6 | The transmission of the beam splitter within the selected bandwidth of wavelength.
Extended Data Table 1 | Parameters of the system detection efficiencies

Serial number Current (A) Dark counts (cps) Efficiency (%)

B5213 0.956 55 53.31
B4973 0.9 207 53.64
B4976 1.064 60 53.16
B5214 0.984 55 53.16
B4972 0.966 32 53.78
B4974 0.929 55 53
B4977 1.067 64 53.16
B4978 0.965 26 53.16

cps, counts per second.

Article
Extended Data Table 2 | Comparison of the results between this work and the earlier experiment23

S, Bell parameter.
Extended Data Table 3 | Typical quantum attacks and our countermeasures

Attack Brief Description Countermeasure

27, 37, 38
Detector efficiency mismatch Eve exploits efficiency mismatch to control detectors Free-running detectors
26, 39
Detector blinding Eve manipulates the detectors by sending bright light Monitoring electronics
40
Detector damage Eve sends ultra-strong light to damage the detectors Monitoring electronics
28
Detector dead-time Eve controls the detector by exploiting dead time Free-running detectors
29
Beam-splitter Beam-splitter ratio is wavelength-dependent Frequency filter
30
Spatial-mode Detectors have efficiency mismatch in spatial domain Spatial filter

Data are from refs. 26–30,37–40.

Article
Extended Data Table 4 | Measured correlation coefficients required for the CHSH inequality

E, joint polarization correlation; φ1 and φ2, measurement angles of Delingha and Nanshan ground stations, respectively.