The theoretical existence of photon-number-splitting attacks creates a security loophole for most quantum key distribution (QKD) demonstrations that use a highly attenuated laser source. Using ultra-low-noise, highefficiency transition-edge sensor photo-detectors, we have implemented the first version of a decoy state protocol that incorporates finite statistics without the use of Gaussian approximations in a one-way QKD system, enabling the creation of secure keys immune to photon-number-splitting attacks and highly resistant to Trojan horse attacks over 107 km of optical fiber.PACS numbers: 03.67. Dd, 03.67.Hk, 85.25.Oj Quantum key distribution (QKD), which enables users to create a shared key with secrecy guaranteed by the laws of physics [1], is arguably the most advanced application in the growing field of quantum information science. Since the first demonstration in 1992 [2], the field has advanced sufficiently that commercial systems are now available. Most current QKD implementations use "prepare and measure" protocols that involve the sender (Alice) preparing a single photon in a quantum state and sending it to the receiver (Bob), who then measures the photon. Attempts by an eavesdropper (Eve) to obtain information about the state of the single photon will introduce an error rate in the transmission, which alerts the users to Eve's presence.For example, to implement the Bennett-Brassard 1984 (BB84) protocol [3], Alice randomly encodes a single photon with either a 0 or a 1 in one of two conjugate bases and sends the photon to Bob. Bob performs a measurement in one of the two bases, and communicates the time slots for which he obtained detection events. Alice and Bob then create a sifted key by only retaining events where they used the same basis. Ideally, Alice's sifted bits should be perfectly correlated with Bob's if Eve did not attack the transmission, but any real system has error rates due to experimental imperfections. Error correction [4] removes these errors, leaving Alice and Bob with a perfectly correlated key. However, this key is not yet completely secret because, in principle, the errors may have arisen from Eve attacking the system. Therefore, a final step of privacy amplification [5] is used to obtain a shorter, secret key about which Eve has negligible information.The lack of readily available single-photon sources, especially at telecom wavelengths where most fiber-based QKD systems operate, modifies the simple picture outlined above considerably. If the source emits more than one photon, Eve could remove one of the photons and store it until Bob announces his basis choice, at which time she would measure the photon in the correct basis and learn the bit value without introducing any errors. Therefore, in addition to assuming that all errors arise from Eve's interaction with single photons, it is also necessary to assume that Eve can gain full information about any sifted bits that arose from multi-photon events.To determine the number of sifted bits that were encoded in single photo...
