I Introduction
Recent progress in creating quantum algorithms posses a serious threat on the central element of currently used tools for ensuring information security, the key distribution infrastructure. The majority of methods for key distribution is based on the assumption of the computational complexity of several mathematical tasks, such as large number factorization Schneier . However, Shor’s algorithm for a quantum computer allows solving these problems in a polynomial time Shor1997 . Moreover, absence of an efficient classical (nonquantum) algorithm breaking such publickey cryptosystems still remains unproved.
Quantum computers have less of an effect on symmetric cryptographic primitives, such as GOST block cipher if it is assumed that the master key has been distributed secretly, since Shor’s algorithm does not apply, and then exponential speedups are not expected Shor1997 . Nevertheless, Grover’s search algorithm Grover1996 would allow quantum computers a quadratic speedup in brute force search, which means that the key management in terms of the key size and the key refresh time for such primitives needs to be reconsidered.
An ultimate and practical solution for the key distribution problem is the QKD technology. The QKD method uses the possibility to encode information in states of single photons, transmit them through optical channels, and measure on the receiver side Gisin2002 ; Lo2015 ; Lo2016 . By virtue of a number quantummechanical phenomena, this allows one to exclude possibilities for undetectable eavesdropping Gisin2002 . It is important to note that the method for preparation and measurements of quantum states, socalled QKD protocol, should guarantee the absence of undetectable eavesdropping. Presently, decoystate BB84 QKD is a standard technique, which provides security and significant key rates for a large distance between parties Hwang2003 ; Lo2005 ; Wang2005 ; Ma2005 ; Curty2014 ; Lim2014 ; Ma2017 ; Trushechkin2017 .
In this work, we report the experimental demonstration of quantumsecured data transmission in standard communication lines in Moscow. Due to significant losses in the urban fibreoptic communication lines, we use the recently suggested oneway scheme of key distribution with fast polarization encoding Duplinskiy2017 . The setup is based on LiNbO3 phase modulators, single laser source for states generation, and two singlephoton detectors (see Fig. 1). An important improvement in compare with recent experiments on realizing threenode QKD network in Moscow Pozhar2017 is the inclusion of an intensity modulator to the optical scheme as well as updating control units and postprocessing software for the implementation of the decoystate QKD protocol. Quantumgenerated keys then used for continuous key renewal in the hardware devices for establishing quantumsecured VPN Tunnel by Amicon Amicon . The used fiberoptic communication lines are deployed between the Sberbank office on Bol’shaya Andron’yevskaya street (Alice) and the Sberbank office on Vavilova street (Bob): the one is used for QKD and another one for information transmitting.
Ii Experiment
The optical scheme (Fig. 1) realizing decoystate BB84 QKD works as follows Duplinskiy2017 . The laser source (L1) emits polarized optical pulses at 1550 nm. Then halfwave plate transforms the polarization state so that the amplitudes along the crystal axes of Alice’s phase modulator (PM 1) are equal to each other. This allows Alice to encode bits of the secret key in polarization states with the help of the modulator. To weaken the pulse, a variable optical attenuator (VOA) is used. After the quantum channel (QC), the piezodriven polarization controller (PC) compensates SOP (state of polarization ) drifts and rotates it so that the polarization components along the lithium niobate crystal axes switch places, compensating the birefringence of LiNbO3. Bob’s modulator PM 2 is used for basis selection. Finally, a halfwave plate () converts SOP for polarization beam splitter (PBS) to distinguish states with the help of singlephoton detectors (SPD1, SPD2). The decoystate QKD protocol is realized by using intensity modulators. Polarization recalibration is applied once quantum bit error rate (QBER) in decoy pulses rises above the 8% value. Then the gradient descent algorithm is applied for polarization controller to minimize the QBER. As soon as QBER over all types of pulses is under 5.5%, the calibration is over and key generation is restarted.
The parameters of the QKD setup implementation are as follows: number of pulses in train , repetition rate of pulses in train 312,5 MHz, detectors efficiencies are 10% and 6.4% (for SPD1 and SPD2, respectively; see Fig. 1), detectors dead time 5
, dark count probability
, fiber channel losses 14.05 dB in the channel of 25 km length (which corresponds to km of standard fiberoptic communication line with 0.2dB/km losses), and additional losses on Bob’s side 6 dB. The communication line between two server rooms consists of 8 segments (6 segments outside the buildings and 2 inside the buildings). Few connections give us about 4% of reflection. Toward to prevent the detector blinding, we separate clock synchronisation signal and quantum signal not only in wavelength but also on time. The resulting raw key generation rate in our experiments is 2 kbit/s. After realization of the QKD session, we realize the standard sifting procedure, which is needed for dropping the positions with inconsistent bases from the raw quantum keys, by using authenticated communication channel (see below). The resulting keys are called sifted keys. The decoy states statistics Trushechkin2017 is announced on this stage as well.Iii PostProcessing Procedure and Application Level
The sifted keys are the input for a postprocessing procedure Kiktenko2016
. The postprocessing procedure includes a number of stages: information reconciliation, parameter estimation, privacy amplification, and, finally, authentication check. First, sifted keys from the hardware devices go through the information reconciliation stage. We use the recently suggested symmetric blind information reconciliation method
Kiktenko2017 . It uses lowdensity paritycheck (LDPC) codes with frame length . For a coarse tuning of the code rate we employ a pool of LDPC codes consisting of nine codes with the following rates: . For a fine tuning of the code rate, we employ the shortening and puncturing techniques Elkouss2010 ; Elkouss2011 . We note that the total number of shortening and puncturing bits was kept at constant level as follows:(1) 
The subblock length of sifted key processed in a single launch of the symmetric blind reconciliation is as follows:
(2) 
Here, subblocks of sifted keys were processed in parallel launches of the symmetric blind reconciliation method. The resulting length of the sifted key processed in one round of the postprocessing procedure was bits.
After performing the information reconciliation stage, there is still a certain probability that uncorrected errors remain. In order to detect possible remaining errors, we use the subsequent verification protocol with the use of universal hash functions Kiktenko2017_2 . The probability of the presence of errors after successful verification of the block of bits is bounded by the value of with the use of a hashtag of 50 bit length. Due to the low level of frame error rate of the employed LDPC codes, we obtain the length of verified keys to be almost always equal to the length of the processed sifted keys .
The next stage in the post processing is the parameter estimation stage. On this stage, the parties obtain the actual level of the QBER for their key blocks via direct comparison of the keys before and after the information reconciliation. If the value of QBER appeared to be higher than the critical value needed for efficient privacy amplification (11% for the decoystate BB84 protocol), the parties receive a warning message about possible eavesdropping. Otherwise, the verified key blocks go to the privacy amplification stage, and estimated QBER is used in next rounds of the information reconciliation stage. In our experiments, QBER was on the level of 4.8%6%, so we were able successfully implement the privacy amplification procedure.
The aim of the privacy amplification stage is to reduce potential information of an adversary about the verified blocks to a negligible quantity Gisin2002 . Such a reduction can be achieved by a contraction of the input verified key into a shorter key. The length of the secret key is computed as follows:
(3) 
where is length of the verified key, is an estimation of the portion of the sifted key bits generated from single photons pulses,
is binary entropy function, is an estimation of the QBER for single photon pulses, is total number of bits disclosed in information reconciliation and verification stages, and is the failure probability of privacy amplification stages ( in our setup).
The estimates of and were obtained using the decoystates method. We employed three types of pulses with different intensities (signal), (decoy), and (vacuum). The corresponding probabilities of generating each type of pulses were as follows: , . We note that the sifted key was generated using signal pulses only Trushechkin2017 . The length of the secret key can be then calculated as a function of the following form:
(4) 
where and are the numbers of sent and detected states of intensity . The detailed description of the function can be found in Ref. Trushechkin2017 .
After the calculation of the length of the secret key, the privacy amplification can be realized. On this step, the block of the secret key is computed as a result of application of the 2universal hash function to the verified key Kiktenko2016 . In our setup the Toeplitz hashing is used.
At the final state, the parties need to check the authenticity of their communications over the classical channel by an exchange of hash values of the whole incoming traffic. For this purpose, we employ the informationtheoretically secure Toeplitz hashing together with one timepad encryption
Kiktenko2016 . The length of the hash value is bit, which bounds the probability of successful man in the middle attack at the level of(5) 
If the authenticity is verified, the parties reserve bits of their secret quantum keys for the next postprocessing round and obtain
(6) 
bits of the final key that can be used in cryptographic purposes. We then obtain the length of the secret key to be of depending on QBER (see Fig. 3). The final security level of the obtained key is given by
(7) 
As a result, after the postprocessing procedure, from kbit/s of sifted keys, we obtain about kbit/s of secret keys. This value can be improved significantly by fine tuning of the parameters of the decoystate QKD protocol, stabilization of the hardware, and improving characteristics of the fiberoptic communication line.
After post processing, quantumgenerated keys are used for continuous key renegotiation in the hardware devices for establishing quantumsecured VPN Tunnel. The VPN Tunnel performs L3level encryption using the Russian symmetric block cipher algorithm (GOST 2814789) with a 256 bit key size. In our experimental tests, hardware device establishing the VPN Tunnel was connected to the QKD setup via the Ethernet channel. Using the special APIprotocol the VPN Tunnel device requests a new quantum key every 400 seconds, which adds to the master keys of the device. In the case of successful obtaining symmetric quantumgenerated keys on the both sides, then encryption of transmitted data is performed using both session and quantum keys, i.e. a hybrid scheme. Data transfer rate in the hybrid encryption scheme is about 1 Gbit/s. Up to our knowledge, this is a first in Russia experimental demonstration of quantumsecured data transmission in urban fibreoptic communication lines, while previously announced results were about implementations of QKD protocols only Balygin2017 ; Glem2017 .
Iv Conclusions
QKD technology provides the ultimate in quantumsafe security, guaranteeing provably secure key exchange for encryption and other security devices on pointtopoint backbone, networks, and distributed ledgers, such as blockchains Kiktenko2017_3 . We emphasize that the realized hybrid approach, where quantumgenerated keys are used for continuous key renewal in already existing information security solutions, offers the method for longterm data protection in the postquantum era. Furthermore, we expect that using a highquality fiberoptic communication line (e.g. with 0.2 dB/km loss coefficient) and improving all stabilization issues in hardware and software results in an increase of the key generation rate up to 100 kbit/s, which is enough for transmitting audio information in the onetime pad regime.
Acknowledgments. We express our gratitude to Mr. S. V. Lebed’, the head of Cybersecurity Division of the Sberbank and Mr. S. K. Kuznetsov, the Deputy Chairman of the Sberbank Board, as well as the colleagues from Amicon for their help in realizing this experimental work. The work was supported by the Russian Science Foundation under Grant No. 177120146.
References
 (1) B. Schneier, Applied cryptography (John Wiley & Sons, Inc., New York, 1996).
 (2) P.W. Shor, SIAM J. Comput. 26, 1484 (1997).

(3)
L.K. Grover,
in
Proceedings of 28th Annual ACM Symposium on the Theory of Computing (New York, USA, 1996)
, p. 212.  (4) N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002).
 (5) H.K. Lo, M. Curty, and K. Tamaki, Nat. Photonics 8, 595 (2014).
 (6) E. Diamanti, H.K. Lo, and Z. Yuan, npj Quant. Inf. 2, 16025 (2016).
 (7) W.Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003).
 (8) H.K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 230504 (2005).
 (9) X.B. Wang, Phys. Rev. Lett. 94, 230503 (2005).
 (10) X. Ma, B. Qi, Y. Zhao, and H.K. Lo, Phys. Rev. A 72, 012326 (2005).
 (11) M. Curty, F. Xu, W. Cui, C.C.W. Lim, K. Tamaki, and H.K. Lo, Nat. Commun. 5, 3732 (2014).
 (12) C.C.W. Lim, M. Curty, N. Walenta, F. Xu, and H. Zbinden, Phys. Rev. A 89, 022307 (2014).
 (13) Z. Zhang, Q. Zhao, M. Razavi, and X. Ma, Phys. Rev. A 95, 012333 (2017).
 (14) A.S. Trushechkin, E.O. Kiktenko, and A.K. Fedorov, Phys. Rev. A 96, 022316 (2017).
 (15) A. Duplinskiy, V. Ustimchik, A. Kanapin, V. Kurochkin, and Y. Kurochkin, Opt. Express 25, 28886 (2017).
 (16) E.O. Kiktenko, N.O. Pozhar, A.V. Duplinskiy, A.A. Kanapin, A.S. Sokolov, S.S. Vorobey, A.V. Miller, V.E. Ustimchik, M.N. Anufriev, A.S. Trushechkin, R.R. Yunusov, V.L. Kurochkin, Y.V. Kurochkin, and A.K. Fedorov, Quantum Electron. 47, 798 (2017).
 (17) Website: Amicon FSPUIP.
 (18) E.O. Kiktenko, A.S. Trushechkin, Y.V. Kurochkin, and A.K. Fedorov, J. Phys. Conf. Ser. 741, 012081 (2016).
 (19) E.O. Kiktenko, A.S. Trushechkin, C.C.W. Lim, Y.V. Kurochkin, and A.K. Fedorov, Phys. Rev. Applied 8, 044017 (2017).
 (20) D. Elkouss, J. MartínezMateo, and V. Martin, Secure rateadaptive reconciliation, in Proceedings of the IEEE International Symposium on Information Theory and its Applications (ISITA), Taichung, Taiwan (IEEE, 2010), p. 179.
 (21) D. Elkouss, J. MartínezMateo, and V. Martin, Information reconciliation for quantum key distribution, Quant. Inf. Comp. 11, 226 (2011).
 (22) A.S. Trushechkin, E.O. Kiktenko, and A.K. Fedorov, arXiv:1705.06664 (2017).
 (23) K.A. Balygin, V. I. Zaitsev, A.N. Klimov, A.I. Klimov, S.P. Kulik, and S.N. Molotkov, JETP Lett. 105, 606 (2017).
 (24) A.V. Gleim, V.V. Chistyakov, O.I. Bannik, V.I. Egorov, N.V. Buldakov, A.B. Vasilev, A.A. Gaidash, A.V. Kozubov, S.V. Smirnov, S.M. Kynev, S.E. Khoruzhnikov, S.A. Kozlov, and V.N. Vasil’ev, J. Opt. Tech. 84, 362 (2017).
 (25) E.O. Kiktenko, N.O. Pozhar, M.N. Anufriev, A.S. Trushechkin, R.R. Yunusov, Y.V. Kurochkin, A.I. Lvovsky, and A.K. Fedorov, arXiv:1705.09258 (2017).