2 bases, think of the states up | âã, down | âã, left | âã and right | âã. .... standard communications. .... complete solution for al...

0 downloads 55 Views 1MB Size

arXiv:quant-ph/0101098v2 18 Sep 2001

Quantum cryptography could well be the first application of quantum mechanics at the individual quanta level. The very fast progress in both theory and experiments over the recent years are reviewed, with emphasis on open questions and technological issues.

C

D E

Contents

I

Introduction

2

II

A beautiful idea A The intuition . . . . . . . . . . . . . . . B Classical cryptography . . . . . . . . . 1 Asymmetrical (public-key) cryptosystems . . . . . . . . . . . . . . . 2 Symmetrical (secret-key) cryptosystems . . . . . . . . . . . . . . . . . 3 The one-time-pad as “classical teleportation” . . . . . . . . . . . . . . C The example of the BB84 protocol . . . 1 Principle . . . . . . . . . . . . . . . 2 No cloning theorem . . . . . . . . . 3 Intercept-resend strategy . . . . . . 4 Error correction, privacy amplification and quantum secret growing . . 5 Advantage distillation . . . . . . . . D Other protocols . . . . . . . . . . . . . 1 2-state protocol . . . . . . . . . . . 2 6-state protocol . . . . . . . . . . . 3 EPR protocol . . . . . . . . . . . . 4 Other variations . . . . . . . . . . . E Quantum teleportation as “Quantum one-time-pad” . . . . . . . . . . . . . . F Optical amplification, quantum nondemolition measurements and optimal quantum cloning . . . . . . . . . . . . .

2 2 3

III

Technological challenges A Photon sources . . . . . . . . . . . . . . 1 Faint laser pulses . . . . . . . . . . 2 Photon pairs generated by parametric downconversion . . . . . . . . . 3 Photon guns . . . . . . . . . . . . . B Quantum channels . . . . . . . . . . . . 1 Singlemode fibers . . . . . . . . . . 2 Polarization effects in singlemode fibers . . . . . . . . . . . . . . . . . 3 Chromatic dispersion effects in singlemode fibers . . . . . . . . . . . .

IV

3 4 5 5 5 6 6

V

6 8 8 8 9 9 10

VI

10 10 12 12 12 13 14 14 14 15

VII

16 1

4 Free-space links . . . . . . . . . . . Single-photon detection . . . . . . . . . 1 Photon counting at wavelengths below 1.1 µm . . . . . . . . . . . . . . 2 Photon counting at telecommunication wavelengths . . . . . . . . . . . Quantum random number generators . Quantum repeaters . . . . . . . . . . .

Experimental quantum cryptography with Faint laser pulses A Quantum Bit Error Rate . . . . . . . . B Polarization coding . . . . . . . . . . . C Phase coding . . . . . . . . . . . . . . . 1 The double Mach-Zehnder implementation . . . . . . . . . . . . . . 2 The “Plug-&-Play” systems . . . . D Frequency coding . . . . . . . . . . . . E Free space line-of-sight applications . . F Multi-users implementations . . . . . . Experimental quantum cryptography with photon pairs A Polarization entanglement . . . . . . . B Energy-time entanglement . . . . . . . 1 Phase-coding . . . . . . . . . . . . . 2 Phase-time coding . . . . . . . . . . 3 Quantum secret sharing . . . . . . .

17 18 19 19 20 20 21 22 23 24 25 26 28 29 30 31 32 33 33 34 35

Eavesdropping A Problems and Objectives . . . . . . . . B Idealized versus real implementation . . C Individual, joint and collective attacks D Simple individual attacks: interceptresend, measurement in the intermediate basis . . . . . . . . . . . . . . . . . E Symmetric individual attacks . . . . . . F Connection to Bell inequality . . . . . . G Ultimate security proofs . . . . . . . . H Photon number measurements, lossless channels . . . . . . . . . . . . . . . . . I A realistic beamsplitter attack . . . . . J Multi-photon pulses and passive choice of states . . . . . . . . . . . . . . . . . K Trojan Horse Attacks . . . . . . . . . . L Real security: technology, cost and complexity . . . . . . . . . . . . . . . .

35 35 36 36

Conclusion

44

37 37 40 40 42 43 43 43 44

a way that they can be read independently.

I. INTRODUCTION

Electrodynamics was discovered and formalized in the 19th century. The 20th century was then profoundly affected by its applications. A similar adventure is possibly happening for quantum mechanics, discovered and formalized during the last century. Indeed, although the laser and semiconductors are already common, applications of the most radical predictions of quantum mechanics have been thought of only recently and their full power remains a fresh gold mine for the physicists and engineers of the 21st century. The most peculiar characteristics of quantum mechanics are the existence of indivisible quanta and of entangled systems. Both of these are at the root of Quantum Cryptography (QC) which could very well be the first commercial application of quantum physics at the individual quantum level. In addition to quantum mechanics, the 20th century has been marked by two other major scientific revolutions: the theory of information and relativity. The status of the latter is well recognized. It is less known that the concept of information, nowadays measured in bits, and the formalization of probabilities is quite recent1 , although they have a tremendous impact on our daily life. It is fascinating to realize that QC lies at the intersection of quantum mechanics and information theory and that, moreover, the tension between quantum mechanics and relativity – the famous EPR paradox (Einsteinet al.1935) – is closely connected to the security of QC. Let us add a further point for the young physicists. Contrary to laser and semiconductor physics, which are manifestations of quantum physics at the ensemble level and can thus be described by semi-classical models, QC, and even much more quantum computers, require a full quantum mechanical description (this may offer interesting jobs for physicists well trained in the subtleties of their science). This review article has several objectives. First we present the basic intuition behind QC. Indeed the basic idea is so beautiful and simple that every physicist and every student should be given the pleasure to enjoy it. The general principle is then set in the broader context of modern cryptology (section II B) and made more precise (section II C). Chapter III discusses the main technological challenges. Then, chapters IV and V present the most common implementation of QC using weak laser pulses and photon pairs, respectively. Finally, the important and difficult problems of eavesdropping and of security proofs are discussed in chapter VI, where the emphasis is more on the variety of questions than on technical issues. We tried to write the different parts of this review in such

II. A BEAUTIFUL IDEA

The idea of QC was first proposed only in the 1970’s by Wiesner2 (1983) and by Charles H. Bennett from IBM and Gilles Brassard from Montr´eal University (1984, 1985)3. However, this idea is so simple that actually every first year student since the infancy of quantum mechanics could have discovered it! Nevertheless, it is only nowadays that the matter is mature and information security important enough, and – interestingly – only nowadays that physicists are ready to consider quantum mechanics, not only as a strange theory good for paradoxes, but also as a tool for new engineering. Apparently, information theory, classical cryptography, quantum physics and quantum optics had first to develop into mature sciences. It is certainly not a coincidence that QC and, more generally, quantum information has been developed by a community including many computer scientists and more mathematics oriented young physicists. A broader interest than traditional physics was needed. A. The intuition

Quantum Physics is well-known for being counterintuitive, or even bizarre. We teach students that Quantum Physics establishes a set of negative rules stating things that cannot be done. For example: 1. Every measurement perturbs the system. 2. One cannot determine simultaneously the position and the momentum of a particle with arbitrary high accuracy. 3. One cannot measure the polarization of a photon in the vertical-horizontal basis and simultaneously in the diagonal basis.

2

Stephen Wiesner, then at Columbia University, was the first one to propose ideas closely related to QC, already in the 1970’s. However, his revolutionary paper appeared only a decade later. Since it is difficult to find, let us mention his abstract: The uncertainty principle imposes restrictions on the capacity of certain types of communication channels. This paper will show that in compensation for this “quantum noise”, quantum mechanics allows us novel forms of coding without analogue in communication channels adequately described by classical physics. 3 Artur Ekert (1991) from Oxford University discovered QC independently, though from a different perspective (see paragraph II D 3).

1

The Russian mathematician A.N. Kolmogorow (1956) is credited with being the first to have consistently formulated a mathematical theory of probabilities in the 1940’s.

2

channel to transmit information, but only to transmit a random sequence of bits, i.e. a key. Now, if the key is unperturbed, then Quantum Physics guarantees that no one got any information about this key by eavesdropping (i.e. measuring) the quantum communication channel. In this case, Alice and Bob can safely use this key to encode messages. If, on the contrary, the key turns out to be perturbed, then Alice and Bob simply disregard it; since the key does not contain any information, they did not lose any. Let us make this general idea somewhat more precise, anticipating section II C. In practice, the individual quanta used by Alice and Bob, often called qubits (for quantum bits), are encoded in individual photons. For example, vertical and horizontal polarization code for bit value zero and one, respectively. The second basis, can then be the diagonal one (±45o linear polarization), with +45o for bit 1 and −45o for bit 0, respectively (see Fig. 1). Alternatively, the circular polarization basis could be used as second basis. For photons the quantum communication channel can either be free space (see section IV E) or optical fibers – special fibers or the ones used in standard telecommunication – (section III B). The communication channel is thus not really quantum. What is quantum are the information carriers. But before continuing, we need to see how QC could fit in the existing cryptosystems. For this purpose the next section briefly surveys some of the main aspects of modern cryptology.

4. One cannot draw pictures of individual quantum processes. 5. One cannot duplicate an unknown quantum state. This negative viewpoint on Quantum Physics, due to its contrast to classical physics, has only recently been turned positive and QC is one of the best illustrations of this psychological revolution. Actually, one could caricature Quantum Information Processing as the science of turning Quantum conundrums into potentially useful applications. Let us illustrate this for QC. One of the basic negative statement of Quantum Physics reads: Every measurement perturbs the system

(1)

(except if the quantum state is compatible with the measurement). The positive side of this axiom can be seen when applied to a communication between Alice and Bob (the conventional names of the sender and receiver, respectively), provided the communication is quantum. The latter means that the support of information are quantum systems, like, for example, individual photons. Indeed, then axiom (1) applies also to the eavesdroppers, i.e. to a malicious Eve (the conventional name given to the adversary in cryptology). Hence, Eve cannot get any information about the communication without introducing perturbations which would reveal her presence. To make this intuition more precise, imagine that Alice codes information in individual photons which she sends to Bob. If Bob receives the photons unperturbed, then, by the basic axiom (1), the photons were not measured. No measurement implies that Eve did not get any information about the photons (note that acquiring information is synonymous to carrying out measurements). Consequently, after exchanging the photons, Alice and Bob can check whether someone “was listening”: they simply compare a randomly chosen subset of their data using a public channel. If Bob received the randomly chosen subset unperturbed then the logic goes as follows: N o perturbation ⇒ N o measurement ⇒ N o eavesdropping

B. Classical cryptography

Cryptography is the art of rendering a message unintelligible to any unauthorized party. It is part of the broader field of cryptology, which also includes cryptoanalysis, the art of code breaking (for a historical perspective, see Singh 1999). To achieve this goal, an algorithm (also called a cryptosystem or cipher) is used to combine a message with some additional information – known as the “key” – and produce a cryptogram. This technique is known as “encryption”. For a cryptosystem to be secure, it should be impossible to unlock the cryptogram without the key. In practice, this demand is often softened so that the system is just extremely difficult to crack. The idea is that the message should remain protected at least as long as the information it contains is valuable. Although confidentiality is the traditional application of cryptography, it is used nowadays to achieve broader objectives, such as authentication, digital signatures and non-repudiation (Brassard 1988).

(2)

It is as simple as that! Actually, there are two more points to add. First, in order to ensure that axiom (1) applies, Alice encodes her information in non-orthogonal states (we shall illustrate this in the sections II C and II D). Second, as we have presented it so far, Alice and Bob could discover any eavesdropper, but only after they exchanged their message. It would of course be much better to ensure the privacy in advance, and not afterwards! To achieve this, Alice and Bob complement the above simple idea with a second idea, again a very simple one, and one which is entirely classical. Alice and Bob do not use the quantum

1. Asymmetrical (public-key) cryptosystems

Cryptosytems come in two main classes – depending on whether Alice and Bob use the same key. Asymmetrical

3

ers. Similarly, all public-key cryptosystems rely on unproven assumptions for their security, which could themselves be weakened or suppressed by theoretical or practical advances. So far, no one has proved the existence of any one-way function with a trapdoor. In other words, the existence of secure asymmetric cryptosystems is not proven. This casts an intolerable threat on these cryptosystems. In a society where information and secure communication is of utmost importance, as in ours, one cannot tolerate such a threat. Think, for instance, that an overnight breakthrough in mathematics could make electronic money instantaneously worthless. To limit such economical and social risks, there is no possibility but to turn to symmetrical cryptosystems. QC has a role to play in such alternative systems.

systems involve the use of different keys for encryption and decryption. They are commonly known as public-key cryptosystems. Their principle was first proposed in 1976 by Whitfield Diffie and Martin Hellman, who were then at Stanford University in the US. The first actual implementation was then developed by Ronald Rivest, Adi Shamir,and Leonard Adleman of the Massachusetts Institute of Technology in 19784. It is known as RSA and is still widely used. If Bob wants to be able to receive messages encrypted with a public key cryptosystem, he must first choose a “private” key, which he keeps secret. Then, he computes from this private key a “public” key, which he discloses to any interested party. Alice uses this public key to encrypt her message. She transmits the encrypted message to Bob, who decrypts it with the private key. Public-key cryptosystems are convenient and they have thus become very popular over the last 20 years. The security of the internet, for example, is partially based on such systems. They can be thought of as a mailbox, where anybody can insert a letter. Only the legitimate owner can then recover it, by opening it with his private key. The security of public key cryptosystems is based on computational complexity. The idea is to use mathematical objects called one-way functions. By definition, it is easy to compute the function f (x) given the variable x, but difficult to reverse the calculation and compute x from f (x). In the context of computational complexity, the word “difficult” means that the time to do a task grows exponentially with the number of bits in the input, while “easy” means that it grows polynomially. Intuitively, it is easy to understand that it only takes a few seconds to work out 67 × 71, but it takes much longer to find the prime factors of 4757. However, factoring has a “trapdoor”, which means that it is easy to do the calculation in the difficult direction provided that you have some additional information. For example, if you were told that 67 was one of the prime factors of 4757, the calculation would be relatively simple. The security of RSA is actually based on the factorization of large integers. In spite of its elegance suffers from a major flaw. Whether factoring is “difficult” or not could never be proven. This implies that the existence of a fast algorithm for factorization cannot be ruled out. In addition, the discovery in 1994 by Peter Shor of a polynomial algorithm allowing fast factorization of integers with a quantum computer puts additional doubts on the nonexistence of a polynomial algorithm for classical comput-

2. Symmetrical (secret-key) cryptosystems

Symmetrical ciphers require the use of a single key for both encryption and decryption. These systems can be thought of as a safe, where the message is locked by Alice with a key. Bob in turns uses a copy of this key to unlock the safe. The “one-time pad”, first proposed by Gilbert Vernam of AT&T in 1926, belongs to this category. In this scheme, Alice encrypts her message, a string of bits denoted by the binary number m1 , using a randomly generated key k. She simply adds each bit of the message with the corresponding bit of the key to obtain the scrambled text (s = m1 ⊕ k, where ⊕ denotes the binary addition modulo 2 without carry). It is then sent to Bob, who decrypts the message by subtracting the key (s⊖k = m1 ⊕k ⊖k = m1 ). Because the bits of the scrambled text are as random as those of the key, they do not contain any information. This cryptosystem is thus provably secure in the sense of information theory (Shannon 1949). Actually, this is today the only provably secure cryptosystem! Although perfectly secure, the problem with this system is that it is essential for Alice and Bob to possess a common secret key, which must be at least as long as the message itself. They can only use the key for a single encryption – hence the name “one-time pad”. If they used the key more than once, Eve could record all of the scrambled messages and start to build up a picture of the plain texts and thus also of the key. (If Eve recorded two different messages encrypted with the same key, she could add the scrambled text to obtain the sum of the plain texts: s1 ⊕ s2 = m 1 ⊕ k ⊕ m 2 ⊕ k = m 1 ⊕ m 2 ⊕ k ⊕ k = m 1 ⊕ m 2 , where we used the fact that ⊕ is commutative.) Furthermore, the key has to be transmitted by some trusted means, such as a courier, or through a personal meeting between Alice and Bob. This procedure can be complex and expensive, and may even amount to a loophole in the system.

4 According to the British Government, public key cryptography was originally invented at the Government Communications Headquarters in Cheltenham as early as in 1973. For an historical account, see for example the book by Simon Singh (1999).

4

and conventions5. The interdisciplinary character of QC is the probable reason for its relatively slow start, but it certainly contributes crucially to the vast and fast expansion over the recent years. We shall explain the BB84 protocol using the language of spin 21 , but clearly any 2-level quantum system would do. The protocol uses 4 quantum states that constitute 2 bases, think of the states up | ↑i, down | ↓i, left | ←i and right | →i. The bases are maximally conjugate in the sense that any pair of vectors, one from each basis, has the same overlap, e.g. |h↑ | ←i|2 = 21 . Conventionally, one attributes the binary value 0 to states | ↑i and | →i and the value 1 to the other two states, and calls the states qubits (for quantum bits). In the first step, Alice sends individual spins to Bob in states chosen at random among the 4 basic states (in Fig. 1 the spin states | ↑i,| ↓i, | →i and | ←i are identified with the polarization states “horizontal”, “verical”, “+45o” and “-45o”, respectively). How she “chooses at random” is a delicate problem in practice (see section III D), but in principle she could use her free will. The individual spins could be sent all at once, or one after the other (much more practical); the only restriction being that Alice and Bob can establish a one-to-one correspondence between the transmitted and the received spins. Next, Bob measures the incoming spins in one of the two bases, chosen at random (using a random number generator independent from that of Alice). At this point, whenever they used the same basis, they get perfectly correlated results. However, whenever they used different basis, they get uncorrelated results. Hence, on average, Bob obtains a string of bits with 25% errors, called the raw key. This error rate is so large that standard error correction schemes would fail. But in this protocol, as we shall see, Alice and Bob know which bits are perfectly correlated (the ones for which Alice and Bob used the same basis) and which ones are completely uncorrelated (all the other ones). Hence, a straightforward error correction scheme is possible: For each bit Bob announces publicly in which basis he measured the corresponding qubit (but he does not tell the result he obtained). Alice then only tells whether or not the state in which she encoded that qubit is compatible with the basis announced by Bob. If the state is compatible, they keep the bit, if not they disregard it. In this way about 50% of the bit string is discarded. This shorter key obtained after bases reconciliation is called the sifted key6 . The fact that Alice and Bob use a public channel at some stage of their protocol is very common

Because of the problem of distributing long sequences of key bits, the one-time pad is currently used only for the most critical applications. The symmetrical cryptosystems in use for routine applications such as e-commerce employ rather short keys. In the case of the Data Encryption Standard (also known as DES, promoted by the United States’ National Institute of Standards and Technology), a 56 bits key is combined with the plain text divided in blocks in a rather complicated way, involving permutations and non-linear functions to produce the cipher text blocks (see Stallings 1999 for a didactic presentation). Other cryptosystems (e.g. IDEA or AES) follow similar principles. Like asymmetrical cryptosystems, they offer only computational security. However for a given key length, symmetrical systems are more secure than their asymmetrical counterparts. In practical implementations, asymmetrical algorithms are not so much used for encryption, because of their slowness, but to distribute session keys for symmetrical cryptosystems such as DES. Because the security of those algorithms is not proven (see paragraph II B 1), the security of the whole implementation can be compromised. If they were broken by mathematical advances, QC would constitute the only way to solve the key distribution problem. 3. The one-time-pad as “classical teleportation”

The one-time-pad has an interesting characteristic. Assume that Alice aims at transferring to Bob a faithful copy of a classical system, without giving any information to Eve about this system. For this purpose Alice and Bob have only access to an insecure classical channel. This is possible provided they share an arbitrary long secret key. Indeed, in principle Alice can measure the state of her classical system with arbitrary high precision and then use the one-time-pad to securely communicate this information to Bob who can then, in principle, reconstruct (a copy of) the classical system. This somewhat artificial use of the one-time-pad has an interesting quantum relative, (see section II E). C. The example of the BB84 protocol 1. Principle

The first protocol for QC has been proposed in 1984 by Charles H. Bennett, from IBM New-York, and Gilles Brassard, from the University of Montreal, hence the name BB84 under which this protocol is recognized nowadays. They published their work in a conference in India, totally unknown to physicists. This underlines at once that QC needs the collaboration between different communities, with different jargons and different habits

5 For instance, it is amusing to note that physicists must publish in reputed journals while conference proceedings are of secondary importance. For computer science, on the contrary, the proceedings of the best conferences are considered as the top, while journals are secondary! 6 This terminology has been introduced by Ekert and Huttner in 1994.

5

But the latter state differs from the ideal copy | →, → , f→ i, whatever the states |fψ i are. Consequently, Eve can’t keep a perfect quantum copy, because perfect quantum copy machines can’t exist. The possibility to copy classical information is probably one of the most characteristic features of information in the every day sense. The fact that quantum states, nowadays often called quantum information, can’t be copied is certainly one of the most specific attributes which make this new kind of information so different, hence so attractive. Actually, this “negative rule” has clearly its positive side, since it prevents Eve from perfect eavesdropping, and hence makes QC potentially secure.

in crypto-protocols. This channel does not have to be confidential, but has to be authentic. Hence, any adversary Eve can listen to all the communication on the public channel, but she can’t modify it. In practice Alice and Bob may use the same transmission channel to implement both the quantum and the classical channels. Note that neither Alice nor Bob can decide which key results from the protocol7 . Indeed, it is the conjunction of both of their random choices which produces the key. Let us now consider the security of the above ideal protocol (ideal because so far we did not take into account unavoidable noise due to technical imperfections). Assume that some adversary Eve intercepts a qubit propagating from Alice to Bob. This is very easy, but if Bob does not receive an expected qubit, he will simply inform Alice to disregard it. Hence, in this way Eve only lowers the bit rate (possibly down to zero), but she does not gain any useful information. For real eavesdropping Eve must send a qubit to Bob. Ideally she would like to send this qubit in its original state, keeping a copy for herself.

3. Intercept-resend strategy

We have seen that the eavesdropper needs to send a qubit to Bob, while keeping a necessarily imperfect copy for herself. How imperfect the copy has to be, according to quantum theory, is a delicate problem that we shall address in chapter VI. Here, let us develop a simple eavesdropping strategy, called intercept-resend. This simple and even practical attack consists in Eve measuring each qubit in one of the two basis, precisely as Bob does. Then, she resends to Bob another qubit in the state corresponding to her measurement result. In about half of the cases Eve will be lucky and choose the basis compatible with the state prepared by Alice. In these cases she resends to Bob a qubit in the correct state and Alice and Bob won’t notice her intervention. However, in the other 50% cases, Eve unluckily uses the basis incompatible with the state prepared by Alice. This necessarily happens, since Eve has no information on Alice’s random generator (hence the importance that this generator is truly random). In these cases the qubits sent out by Eve are in states with overlap 21 with the correct states. Alice and Bob discover thus her intervention in about half of these cases, since they get uncorrelated results. Altogether, if Eve uses this intercept-resend strategy, she gets 50% information, while Alice and Bob have about 25% of errors in their sifted key, i.e. after they eliminated the cases in which they used incompatible states, there are still about 25% errors. They can thus easily detect the presence of Eve. If, however, Eve applies this strategy to only a fraction of the communication, 10% let’s say, then the error rate will be only ≈2.5% while Eve’s information would be ≈5%. The next section explains how Alice and Bob can counter such attacks.

2. No cloning theorem

Following Wootters and Zurek (1982) it is easy to prove that perfect copying is impossible in the quantum world (see also Milonni and Hardies 1982, Dieks 1982, and the anticipating intuition by Wigner in 1961). Let ψ denote the original state of the qubit, |bi the blank copy8 and denote |0i ∈ HQCM the initial state of Eve’s “quantum copy machine”, where the Hilbert space HQCM of the quantum cloning machine is arbitrary. The ideal machine would produce: ψ ⊗ |bi ⊗ |0i → ψ ⊗ ψ ⊗ |fψ i

(3)

where |fψ i denotes the final state of Eve’s machine which might depend on ψ. Accordingly, using obvious notations, | ↑, b, 0i → | ↑, ↑, f↑ i and | ↓, b, 0i → | ↓, ↓, f↓ i.

(4) (5)

By linearity of quantum dynamics it follows that 1 | →, b, 0i = √ (| ↑i + | ↓i) ⊗ |b, 0i 2 1 → √ (| ↑, ↑, f↑ i + | ↓, ↓, f↓i). 2

(6) (7)

4. Error correction, privacy amplification and quantum secret growing

7

Alice and Bob can however determine the statistics of the key. 8 |bi corresponds to the stock of white paper in everyday’s photocopy machine. We shall assume that exceptionally this stock is not empty, a purely theoretical assumption, as is well known.

At this point in the BB84 protocol, Alice and Bob share a so-called sifted key. But this key contains errors. The errors are caused as well by technical imperfections,

6

as possibly by Eve’s intervention. Realistic error rates on the sifted key using today’s technology are of a few percent. This contrasts strongly with the 10−9 typical in optical communication. Of course, the few percent errors will be corrected down to the standard 10−9 during the (classical) error correction step of the protocol. In order to avoid confusion, especially among the optical communication specialists, Beat Perny from Swisscom and Paul Townsend, then with BT, proposed to name the error rate on the sifted key QBER, for Quantum Bit Error Rate, to make it clearly distinct from the BER used in standard communications. Such a situation where the legitimate partners share classical information, with high but not 100% correlation and with possibly some correlation to a third party is common to all quantum cryptosystems. Actually, it is also a standard starting point for classical information based cryptosystems where one assumes that somehow Alice, Bob and Eve have random variables α, β and ǫ, respectively, with joint probability distribution P (α, β, ǫ). Consequently, the last step in a QC protocol uses classical algorithms, first to correct the errors, next to lower Eve’s information on the final key, a process called privacy amplification. The first mention of privacy amplification appears in Bennett, Brassard and Robert (1988). It was then extended in collaboration with C. Cr´epeau and U. Maurer from the University of Montreal and the ETH Z¨ urich, respectively (Bennett et al. 1995, see also Bennett et al. 1992a). Interestingly, this work motivated by QC found applications in standard information-based cryptography (Maurer 1993, Maurer and Wolf 1999). Assume that such a joint probability distribution P (α, β, ǫ) exists. Near the end of this section, we comment on this assumption. Alice and Bob have access only to the marginal distribution P (α, β). From this and from the laws of quantum mechanics, they have to deduce constraints on the complete scenario P (α, β, ǫ), in particular they have to bound Eve’s information (see sections VI E and VI G). Given P (α, β, ǫ), necessary and sufficient conditions for a positive secret key rate between Alice and Bob, S(α, β||ǫ), are not yet known. However, a useful lower bound is given by the difference between Alice and Bob’s mutual Shannon information I(α, β) and Eve’s mutual information (Csisz´ar and K¨ orner 1978, and theorem 1 in section VI G):

Without discussing any algorithm in detail, let us give some intuition how Alice and Bob can establish a secret key when condition (8) is satisfied. First, once the sifted key is obtained (i.e. after the bases have been announced), Alice and Bob publicly compare a randomly chosen subset of it. In this way they estimate the error rate (more generally, they estimate their marginal probability distribution P (α, β)). These publicly disclosed bits are then discarded. Next, either condition (8) is not satisfied and they stop the protocol. Or condition (8) is satisfied and they use some standard error correction protocol to get a shorter key without errors. With the simplest error correction protocol, Alice randomly chooses pairs of bits and announces their XOR value (i.e. their sum modulo 2). Bob replies either “accept” if he has the same XOR value for his corresponding bits, or “reject” if not. In the first case, Alice and Bob keep the first bit of the pair and eliminate the second one, while in the second case they eliminate both bits. In reality, more complex and efficient algorithms are used. After error correction, Alice and Bob have identical copies of a key, but Eve may still have some information about it (compatible with condition (8)). Alice and Bob thus need to lower Eve’s information down to an arbitrarily low value using some privacy amplification protocols. These classical protocols typically work as follows. Alice again randomly choses pairs of bits and computes their XOR value. But, contrary to error correction she does not announce this XOR value. She only announces which bits she chose (e.g. bit number 103 and 537). Alice and Bob then replace the two bits by their XOR value. In this way they shorten their key while keeping it error free, but if Eve has only partial information on the two bits, her information on the XOR value is even lower. Consider for example that Eve knows only the value of the first bit, and nothing about the second one. Then she has no information at all on the XOR value. Also, if Eve knows the value of both bits with 60% probability, then the probability that she guesses correctly the value of the XOR is only of 0.62 + 0.42 = 52%. This process would have to be repeated several times; more efficient algorithms use larger blocks (Brassard and Salvail 1993). The error correction and privacy amplification algorithms sketched above are purely classical algorithms. This illustrates that QC is a truly interdisciplinary field. Actually, the above presentation is incomplete. Indeed, in this presentation, we have assumed that Eve has measured her probe before Alice and Bob run the error correction and privacy amplification algorithms, hence that P (α, β, ǫ) exists. In practice this is a very reasonable assumption, but, in principle, Eve could wait until the end of all the protocol, and then optimize her measurements accordingly. Such “delayed choice eavesdropping

S(α, β||ǫ) ≥ max{I(α, β) − I(α, ǫ), I(α, β) − I(β, ǫ)} (8) Intuitively, this result states that secure key distillation (Bennett et al. 1992a) is possible whenever Bob has more information than Eve. The bound (8) is tight if Alice and Bob are restricted to one-way communication, but for two-way communication, secret key agreement might be possible even when (8) is not satisfied (see next paragraph II C 5).

7

strategies9 ” are discussed in chapter VI. It should now be clear that QC does not provide a complete solution for all cryptographic purposes10 . Actually, quite on the contrary, QC can only be used as a complement to standard symmetrical cryptosystems. Accordingly, a more precise name for QC is Quantum Key Distribution, since this is all QC does. Nevertheless, we prefer to keep the well known terminology which gives its title to this review. Finally, let us emphasize that every key distribution system must incorporate some authentification scheme: the two parties must identify themselves. If not, Alice could actually be communicating directly with Eve! A straightforward possibility is that Alice and Bob initially share a short secret. Then QC provides them with a longer one and, for example, they each keep a small portion for authentification at the next session (Bennett et al. 1992a). From this perspective, QC is a Quantum Secret Growing protocol.

tion to keep, whereas Eve can’t influence this process12 (Maurer 1993, Maurer and Wolf 1999). Recently a second remarkable connection between quantum and classical secret key agreement has been discovered (assuming they use the Ekert protocol described in paragraph II D 3): If Eve follows the strategy which optimizes her Shannon information, under the assumption that she attacks the qubit one at a time (the so-called individual attacks, see section VI E), then Alice and Bob can use advantage distillation if and only if Alice and Bob’s qubits are still entangled (they can thus use quantum privacy amplification (Deutsch et al. 1996)) (Gisin and Wolf 1999). This connection between the concept of entanglement, central to quantum information theory, and the concept of intrinsic classical information, central to classical information based cryptography (Maurer and Wolf 1999), has been shown to be general (Gisin and Wolf 2000). The connection seems even to extend to bound entanglement (Gisin et al. 2000).

5. Advantage distillation

D. Other protocols

QC has triggered and still triggers research in classical information theory. The best known example is probably the development of privacy amplification algorithms (Bennett et al. 1988 and 1995). This in turn triggered the development of new cryptosystems based on weak but classical signals, emitted for instance by satellites (Maurer 1993)11. These new developments required secret key agreement protocols that can be used even when the condition (8) doesn’t apply. Such protocols, called advantage distillation, necessarily use two way communication and are much less efficient than privacy amplification. Usually, they are not considered in the literature on QC. But, conceptually, they are remarkable from at least two points of view. First it is somewhat surprising that secret key agreement is possible even if Alice and Bob start with less mutual (Shannon) information than Eve. However, they can take advantage of the authenticated public channel: Alice and Bob can decide which series of realiza-

1. 2-state protocol

In 1992 Charles H. Bennett noticed that actually 4 states is more than necessary for QC: all what is really needed is 2 nonorthogonal states. Indeed the security relies on the impossibility for any adversary to distinguish unambiguously and without perturbation between the different states that Alice may send to Bob, hence 2 states are necessary and if they are incompatible (i.e. not mutually orthogonal), then 2 states are also sufficient. This is a conceptually important clarification. It also made several of the first experimental demonstrations easier (this is further discussed in section IV D). But in practice it is not a good solution. Indeed, although 2 nonorthogonal states can’t be distinguished unambiguously without perturbation, one can unambiguously distinguish them at the cost of some losses (Ivanovic 1987, Peres 1988). This possibility has even been demonstrated in practice (Huttner et al. 1996, Clarke et al. 2000). Hence, Alice and Bob would have to monitor the attenuation of the

9

Note however that Eve has to choose the interaction between her probe and the qubits before the public discussion phase of the protocol. 10 For a while it was thought that bit commitment (see, e.g., Brassard 1988), a powerful primitive in cryptology, could be realized using quantum principles. However, Dominic Mayers (1996a and 1997) and Lo and Chau (1998) proved it to be impossible (see also Brassard et al. 1998). 11 Note that here the confidentiality is not guaranteed by the laws of physics, but relies on the assumption that Eve’s technology is limited, e.g. her antenna is finite, her detectors have limited efficiencies.

12

The idea is that Alice picks out several instances where she got the same bit and communicates the instances - but not the bit - to Bob. Bob replies yes only if it happens that for all these instances he also has the same bit value. For large error rates this is unlikely, but when it happens there is a large chance that both have the same bit. Eve can’t influence the choice of the instances. All she can do is to use a majority vote for the cases accepted by Bob. The probability that Eve makes an error can be much larger than the probability that Bob makes an error (i.e. that all his instances are wrong), even if Eve’s initial information is larger than Bob’s.

8

keep the data only when they happen to have done their measurements in the compatible basis. If the source is reliable, this protocol is equivalent to the BB84 one: Every thing is as if the qubit propagates backwards in time from Alice to the source, and then forwards to Bob! But better than trusting the source, which could be in Eve’s hand, the Ekert protocol assumes that the 2 qubits are emitted in a maximally entangled state like:

quantum channel (and even this is not entirely safe if Eve could replace the channel by a more transparent one, see section VI H). The two-state protocol can also be implemented using an interference between a macroscopic bright pulse and a dim pulse with less than one photon on average (Bennett, 1992). The presence of the bright pulse makes this protocol specially resistant to eavesdropping, even in settings with high attenuation. Indeed Bob can monitor the bright pulses, to make sure that Eve does not remove any. In this case, Eve cannot eliminate the dim pulse without revealing her presence, because the interference of the bright pulse with vacuum would introduce errors. A practical implementation of this protocol is discussed in section IV D. Huttner et al. extended this reference beam monitoring to the four-states protocol in 1995.

1 φ+ = √ (| ↑, ↑i + | ↓, ↓i). 2

(9)

Then, when Alice and Bob happen to use the same basis, both the x-basis or both the y-basis, i.e. in about half of the cases, their results are identical, providing them with a common key. Note the similarity between the 1qubit BB84 protocol illustrated in Fig. 1 and the 2-qubit Ekert protocol of Fig. 3. The analogy can be even made stronger by noting that for all unitary evolutions U1 and U2 , the following equality hold:

2. 6-state protocol

While two states are enough and four states are standard, a 6-state protocol respects much more the symmetry of the qubit state space, see Fig. 2 (Bruss 1998, Bechmann-Pasquinucci and Gisin 1999). The 6 states constitute 3 bases, hence the probability that Alice and Bob chose the same basis is only of 31 . But the symmetry of this protocol greatly simplifies the security analysis and reduces Eve’s optimal information gain for a given error rate QBER. If Eve measures every photon, the QBER is 33%, compared to 25% in the case of the BB84 protocol.

U1 ⊗ U2 Φ(+) = 11 ⊗ U2 U1t Φ(+)

(10)

where U1t denotes the transpose. In his 1991 paper Artur Ekert suggested to base the security of this 2-qubit protocol on Bell’s inequality, an inequality which demonstrates that some correlation predicted by quantum mechanics can’t be reproduced by any local theory (Bell 1964). For this, Alice and Bob have a third choice of basis (see Fig. 4). In this way the probability that they happen to choose the same basis is reduced from 21 to 29 , but at the same time as they establish a key they collect enough data to test Bell inequality13 . They can thus check that the source really emits the entangled state (9) and not merely product states. The following year Bennett, Brassard and Mermin (1992b) criticized Ekert’s letter, arguing that the violation of Bell inequality is not necessary for the security of QC and emphasizing the close connection between the Ekert and the BB84 schemes. This criticism might be missing an important point. Indeed, although the exact relation between security and Bell inequality is not yet fully known, there are clear results establishing fascinating connections, (see section VI F). In October 1992, an article by Bennett, Brassard and Ekert demonstrated that the founding fathers joined forces to develop the field in a pleasant atmosphere (Bennett et al. 1992c)!

3. EPR protocol

This variation of the BB84 protocol is of special conceptual, historical and practical interest. The idea is due to Artur Ekert (1991) from Oxford University, who, while elaborating on a suggestion of David Deutsch (1985), discovered QC independently of the BB84 paper. Intellectually, it is very satisfactory to see this direct connection to the famous EPR paradox (Einstein, Podolski and Rosen 1935): the initially philosophical debate turned to theoretical physics with Bell’s inequality (1964), then to experimental physics (Freedmann and Clauser 1972, Fry and Thompson 1976, and Aspect, Dalibard and Roger 1982), and is now – thanks to Ekert’s ingenious idea – part of applied physics. The idea consists in replacing the quantum channel carrying qubits from Alice to Bob by a channel carrying 2 qubits from a common source, one qubit to Alice and one to Bob. A first possibility would be that the source emits the two qubits always in the same state chosen randomly among the 4 states of the BB84 protocol. Alice and Bob would then both measure their qubit in one of the two bases, again chosen independently and randomly. The source then announces the bases and Alice and Bob

13

A maximal violation of Bell inequality is necessary to rule out tampering by Eve. In this case, the QBER must necessarily be equal to zero. With a non-maximal violation, as typically obtained in experimental systems, Alice and Bob can distil a secure key using error correction and privacy amplification.

9

tem is destroyed without Alice learning anything about the quantum state, while Bob’s qubit ends in a state isomorphic to the state of the original system (but Bob doesn’t learn anything about the quantum state). If the initial quantum system is a quantum message coded in the form of a sequence of qubits, then this quantum message is faithfully and securely transferred to Bob, without any information leaking to the outside world (i.e. to anyone not sharing the prior entanglement with Alice and Bob). Finally, the quantum message could be formed of a 4 letter quantum alphabet constituted by the 4 states of the BB84 protocol. With futuristic, but not impossible technology, Alice and Bob could have their entangled qubits in appropriate wallets and could establish a totally secure communication at any time, without even having to know where the partner is located (provided they can communicate classically).

4. Other variations

There is a large collection of variations around the BB84 protocol. Let us mention a few, chosen somewhat arbitrarily. First, one can assume that the two bases are not chosen with equal probability (Ardehali et al. 1998). This has the nice consequence that the probability that Alice and Bob choose the same basis is larger than 21 , increasing thus the transmission rate of the sifted key. However, this protocol makes Eve’s job easier as she is more likely to guess correctly the used basis. Consequently, it is not clear whether the final key rate, after error correction and privacy amplification, is higher or not. Another variation consists in using quantum systems of dimension larger than 2 (Bechmann-Pasquinucci and Tittel 2000, Bechmann-Pasquinucci and Peres 2000, Bourennane et al. 2001a). Again, the practical value of this idea has not yet been fully determined. A third variation worth mentioning is due to Goldenberg and Vaidman, from Tel-Aviv University (1995). They suggested to prepare the qubits in a superposition of two spatially separated states, then to send one component of this superposition and to wait until Bob received it before sending the second component. This doesn’t sound of great practical value, but has the nice conceptual feature that the minimal two states do not need to be mutually orthogonal.

F. Optical amplification, quantum nondemolition measurements and optimal quantum cloning

After almost every general talk on QC, two questions arise: what about optical amplifiers? and what about quantum nondemolition measurements? In this section we briefly address these questions. Let us start with the second one, being the easiest. The terminology “quantum nondemolition measurement” is simply a confusing one! There is nothing like a quantum measurement that does not perturb (i.e. modify) the quantum state, except if the state happens to be an eigenstate of the observable. Hence, if for some reason one conjectures that a quantum system is in some state (or in a state among a set of mutually orthogonal ones), this can be in principle tested repeatedly (Braginsky and Khalili 1992). But if the state is only restricted to be in a finite set containing non-orthogonal states, as in QC, then there is no way to perform a measurement without “demolishing” (perturbing) the state. Now, in QC the terminology “nondemolition measurement” is also used with a different meaning: one measures the number of photons in a pulse without affecting the degree of freedom coding the qubit (e.g. the polarization), (see section VI H), or one detects the presence of a photon without destroying it (Nogues et al. 1999). Such measurements are usually called “ideal measurements”, or “projective measurements”, because they produce the least possible perturbation (Piron 1990) and because they can be represented by projectors. It is important to stress that these “ideal measurements” do not invalidate the security of QC. Let us consider now optical amplifiers (a laser medium, but without mirrors, so that amplification takes place in a single pass, see Desurvire 1994). They are widely used in today’s optical communication networks. However, they are of no use for quantum communication. Indeed, as seen in section II C, the copying of quantum information is impossible. Here we illustrate this characteristic

E. Quantum teleportation as “Quantum one-time-pad”

Since its discovery in 1993 by a surprisingly large group of physicists, Quantum teleportation (Bennett et al. 1993) received a lot of attention in the scientific community as well as in the general public. The dream of beaming travellers through the Universe is exciting, but completely out of the realm of any foreseeable technology. However, quantum teleportation can be seen as the fully quantum version of the one-time-pad, see paragraph II B 3, hence as the ultimate form of QC. Similarly to “classical teleportation”, let’s assume that Alice aims at transferring to Bob a faithful copy of a quantum system. If Alice has full knowledge of the quantum state, the problem is not really a quantum one (Alice information is classical). If, on the opposite, Alice does not know the quantum state, she cannot send a copy, since quantum copying is impossible according to quantum physics (see paragraph II C 2). Nor can she send classical instructions, since this would allow the production of many copies. However, if Alice and Bob share arbitrarily many entangled qubits, sometimes called a quantum key, and share a classical communication channel then the quantum teleportation protocol provides them with a mean to transfer the quantum state of the system from Alice to Bob. In the course of running this protocol, Alice’s quantum sys-

10

of quantum information with the example of optical amplifiers: the necessary presence of spontaneous emission whenever there is stimulated emission, prevents perfect copying. Let us clarify this important and often confusing point, following the work of Simon et al. (1999 and 2000; see also Kempe et al. 2000, and De Martini et al. 2000). Let the two basic qubit states |0i and |1i be physically implemented by two optical modes: |0i ≡ |1, 0i and |1i ≡ |0, 1i. |n, miph ⊗ |k, lia denotes thus the state of n photons in mode 1 and m in mode 2, and k, l = 0 (1) the ground (excited) state of 2-level atoms coupled to mode 1 and 2, respectively. Hence spontaneous emission corresponds to |0, 0iph ⊗ |1, 0ia → |1, 0iph ⊗ |0, 0ia , |0, 0iph ⊗ |0, 1ia → |0, 1iph ⊗ |0, 0ia

T r1−ph mode

|1, 0ia

F =

or

(11) (12)

(15)

|1, 0iph ⊗ |0, 1ia

(16)

This corresponds to the first order term in an evolution with a Hamiltonian (in the interaction picture): H = χ(a†1 σ1− + a1 σ1† + a†2 σ2− + a2 σ2† ). After some time the 2-photon component of the evolved states reads: √ 2|2, 0iph ⊗ |0, 0ia or |1, 1iph ⊗ |0, 0ia (17) The correspondence with a pair of spin |2, 0i = | ↑↑i

1 2

goes as follows:

|0, 2i = | ↓↓i

1 |1, 1iph = ψ (+) = √ (| ↑↓i + | ↓↑i) 2

(18)

(19)

Tracing over the amplifier (i.e. the 2-level atom), an (ideal) amplifier achieves the following transformation: P↑ → 2P↑↑ + Pψ(+)

=

2P↑ + 21 11 3

(21)

2+ 3

1 2

=

5 6

(22)

which is precisely the optimal fidelity compatible with quantum mechanics (Buˇzek and Hillery 1996, Bruss et al 1998, Gisin and Massar 1997). In other words, if we start with a single photon in an arbitrary state, and pass it through an amplifier, then due to the effect of spontaneous emission the fidelity of the state exiting the amplifier, in the cases where it consists of exactly two photons, with the initial state will be equal to at most 5/6. Note that if it were possible to make better copies, then, using EPR correlations between spatially separated systems, signaling at arbitrarily fast speed would also be possible (Gisin 1998).

By symmetry, it suffices to consider one possible initial state of the qubit, e.g. 1 photon in the first mode |1, 0iph . The initial state of the photon+atom system is thus a mixture: |1, 0iph ⊗ |1, 0ia

2P↑↑ + Pψ(+) 3

The corresponding fidelity is:

and stimulated emission to √ |1, 0iph ⊗ |1, 0ia → 2|2, 0iph ⊗ |0, 0ia , (13) √ (14) |0, 1iph ⊗ |0, 1ia → 2|0, 2iph ⊗ |0, 0ia √ where the 2 factor takes into account the ratio stimulated/spontaneous emission. Let the initial state of the atom be a mixture of the following two states (each with equal weight 50%): |0, 1ia

(20)

where the P ’s indicate projectors (i.e. pure state density matrices) and the lack of normalization results from the first order expansion used in (11) to (14). Accordingly, after normalization, each photon is in state : 11

the one where absorption is low. However, free space transmission is restricted to line-of sight links and is very weather dependent. In the next sections we successively consider the questions “how to produce single photons?” (section III A), “how to transmit them?” (section III B), “how to detect single photons?” (section III C), and finally “how to exploit the intrinsic randomness of quantum processes to build random generators?” (section III D).

III. TECHNOLOGICAL CHALLENGES

The very first demonstration of QC was a table top experiment performed at the IBM laboratory in the early 1990’s over a distance of 30 cm (Bennett et al. 1992a), marking the start of impressive experimental improvements during the last years. The 30 cm distance is of little practical interest. Either the distance should be even shorter, think of a credit card and the ATM machine (Huttner et al. 1996b), but in this case all of Alice’s components should fit on the credit card. A nice idea, but still impractical with present technology. Or the distance should be much longer, at least in the km range. Most of the research so far uses optical fibers to guide the photons from Alice to Bob and we shall mainly concentrate here on such systems. There is, however, also some very significant research on free space systems, (see section IV E). Once the medium is chosen, there remain the questions of the source and detectors. Since they have to be compatible, the crucial choice is the wavelength. There are two main possibilities. Either one chooses a wavelength around 800 nm where efficient photon counters are commercially available, or one chooses a wavelength compatible with today’s telecommunication optical fibers, i.e. near 1300 nm or 1550 nm. The first choice requires free space transmission or the use of special fibers, hence the installed telecommunication networks can’t be used. The second choice requires the improvement or development of new detectors, not based on silicon semiconductors, which are transparent above 1000 nm wavelength. In case of transmission using optical fibers, it is still unclear which of the two alternatives will turn out to be the best choice. If QC finds niche markets, it is conceivable that special fibers will be installed for that purpose. But it is equally conceivable that new commercial detectors will soon make it much easier to detect single photons at telecommunication wavelengths. Actually, the latter possibility is very likely, as several research groups and industries are already working on it. There is another good reason to bet on this solution: the quality of telecommunication fibers is much higher than that of any special fiber, in particular the attenuation is much lower (this is why the telecommunication industry chose these wavelengths): at 800 nm, the attenuation is about 2 dB/km (i.e. half the photons are lost after 1.5 km), while it is only of the order of 0.35 and 0.20 dB/km at 1300 nm and 1550 nm, respectively (50% loss after about 9 and 15 km) 14 . In case of free space transmission, the choice of wavelength is straightforward since the region where good photon detectors exist – around 800 nm – coincides with

A. Photon sources

Optical quantum cryptography is based on the use of single photon Fock states. Unfortunately, these states are difficult to realize experimentally. Nowadays, practical implementations rely on faint laser pulses or entangled photon pairs, where both the photon as well as the photon-pair number distribution obeys Poisson statistics. Hence, both possibilities suffer from a small probability of generating more than one photon or photon pair at the same time. For large losses in the quantum channel even small fractions of these multi-photons can have important consequences on the security of the key (see section VI H), leading to interest in “photon guns”, see paragraph III A 3). In this section we briefly comment on sources based on faint pulses as well as on entangled photon-pairs, and we compare their advantages and drawbacks. 1. Faint laser pulses

There is a very simple solution to approximate single photon Fock states: coherent states with an ultra-low mean photon number µ. They can easily be realized using only standard semiconductor lasers and calibrated attenuators. The probability to find n photons in such a coherent state follows the Poisson statistics: P (n, µ) =

µn −µ e . n!

(23)

Accordingly, the probability that a non-empty weak coherent pulse contains more than 1 photon, 1 − P (0, µ) − P (1, µ) 1 − P (0, µ) 1 − e−µ (1 + µ) ∼ µ = = 1 − e−µ 2

P (n > 1|n > 0, µ) =

(24)

can be made arbitrarily small. Weak pulses are thus extremely practical and have indeed been used in the vast majority of experiments. However, they have one major drawback. When µ is small, most pulses are empty: P (n = 0) ≈ 1 − µ. In principle, the resulting decrease in bit rate could be compensated for thanks to the achievable GHz modulation rates of telecommunication lasers.

14

The losses in dB (ldb ) can be calculated from the losses in l% ). percent (l% ): ldB = −10 log10 (1 − 100

12

But in practice the problem comes from the detectors’ dark counts (i.e. a click without a photon arriving). Indeed, the detectors must be active for all pulses, including the empty ones. Hence the total dark counts increase with the laser’s modulation rate and the ratio of the detected photons over the dark counts (i.e. the signal to noise ratio) decreases with µ (see section IV A). The problem is especially severe for longer wavelengths where photon detectors based on Indium Gallium Arsenide semiconductors (InGaAs) are needed (see section III C) since the noise of these detectors explodes if they are opened too frequently (in practice with a rate larger than a few MHz). This prevents the use of really low photon numbers, smaller than approximately 1%. Most experiments to date relied on µ = 0.1, meaning that 5% of the nonempty pulses contain more than one photon. However, it is important to stress that, as pointed out by L¨ utkenhaus (2000), there is an optimal µ depending on the transmission losses 15 . After key distillation, the security is just as good with faint laser pulses as with Fock states. The price to pay for using such states lies in a reduction of the bit rate.

The latter is in general rather large and varies from a few nanometers up to some tens of nanometers. For the non degenerate case one typically gets 5-10 nm, whereas in the degenerate case (central frequency of both photons equal) the bandwidth can be as large as 70 nm. This photon pair creation process is very inefficient, typically it needs some 1010 pump photons to create one pair in a given mode17 . The number of photon pairs per mode is thermally distributed within the coherence time of the photons, and follows a poissonian distribution for larger time windows (Walls and Milburn 1995). With a pump power of 1 mW, about 106 pairs per second can be collected in single mode fibers. Accordingly, in a time window of roughly 1ns the conditional probability to find a second pair having detected one is 106 · 10−9 ≈ 0.1%. In case of continuous pumping, this time window is given by the detector resolution. Tolerating, e.g. 1% of these multi-pair events, one can generate 107 pairs per second, using a realistic 10 mW pump. Detecting for example 10 % of the trigger photons, the second detector has to be activated 106 times per second. In comparison, the example of 1% of multi-photon events corresponds in the case of faint laser pulses to a mean photon number of µ = 0.02. In order to get the same number 106 of non-empty pulses per second, a pulse rate of 50 MHz is needed. For a given photon statistics, photon pairs allow thus to work with lower pulse rates (e.g. 50 times lower) and hence reduced detector-induced errors. However, due to limited coupling efficiency into optical fibers, the probability to find the sister photon after detection of the trigger photon in the respective fiber is in practice lower than 1. This means that the effective photon number is not one, but rather µ ≈ 2/3 (Ribordy et al. 2001), still well above µ = 0.02. Photon pairs generated by parametric down conversion offer a further major advantage if they are not merely used as pseudo single-photon source, but if their entanglement is exploited. Entanglement leads to quantum correlations which can be used for key generation, (see paragraph II D 3 and chapter V). In this case, if two photon pairs are emitted within the same time window but their measurement basis is choosen independently, they produce completely uncorrelated results. Hence, depending on the realization, the problem of multiple photon can be avoided, see section VI J. Figure 5 shows one of our sources creating entangled photon pairs at 1310 nm wavelength as used in tests of Bell inequalities over 10 kilometers (Tittel et al. 1998). Although not as simple as faint laser sources, diode pumped photon pair sources emitting in the near infrared can be made compact, robust and rather handy.

2. Photon pairs generated by parametric downconversion

Another way to create pseudo single-photon states is the generation of photon pairs and the use of one photon as a trigger for the other one (Hong and Mandel 1986). In contrast to the sources discussed before, the second detector must be activated only whenever the first one detected a photon, hence when µ = 1, and not whenever a pump pulse has been emitted, therefore circumventing the problem of empty pulses. The photon pairs are generated by spontaneous parametric down conversion in a χ(2) non-linear crystal16 . In this process, the inverse of the well-known frequency doubling, one photon spontaneously splits into two daughter photons – traditionally called signal and idler photon – conserving total energy and momentum. In this context, momentum conservation is called phase matching, and can be achieved despite chromatic dispersion by exploiting the birefringence of the nonlinear crystal. The phase matching allows to choose the wavelength, and determines the bandwidth of the downconverted photons.

15 Contrary to a frequent misconception, there is nothing special about a µ value of 0.1, eventhough it has been selected by most experimentalists. The optimal value – i.e. the value that yields the highest key exchange rate after distillation – depends on the optical losses in the channel and on assumptions about Eve’s technology (see VI H and VI I). 16 For a review see Rarity and Tapster 1988, and for latest developments Tittel et al. 1999, Kwiat et al. 1999, Jennewein et al. 2000b, Tanzilli et al. 2001.

17

Recently we achieved a conversion rate of 10−6 using an optical waveguide in a periodically poled LiNbO3 crystal (Tanzilli et al. 2001).

13

vantage with respect to faint laser pulses with extremely low mean photon numbers µ.

3. Photon guns

The ideal single photon source is a device that when one pulls the trigger, and only then, emits one and only one photon. Hence the name photon gun. Although photon anti-bunching has been demonstrated already years ago (Kimble et al. 1977), a practical and handy device is still awaited. At present, there are essentially three different experimental approaches that come more or less close to this ideal. A first idea is to work with a single two-level quantum system that can obviously not emit two photons at a time. The manipulation of single trapped atoms or ions requires a much too involved technical effort. Single organics dye molecules in solvents (S.C. Kitson et al. 1998) or solids (Brunel et al. 1999, Fleury et al. 2000) are easier to handle but only offer limited stability at room temperature. Promising candidates, however, are nitrogen-vacancy centers in diamond, a substitutional nitrogen atom with a vacancy trapped at an adjacent lattice position (Kurtsiefer et al. 2000, Brouri et al. 2000). It is possible to excite individual nitrogen atoms with a 532 nm laser beam, which will subsequently emit a fluorescence photon around 700 nm (12ns decay time). The fluorescence exhibits strong photon anti-bunching and the samples are stable at room temperature. However, the big remaining experimental challenge is to increase the collection efficiency (currently about 0.1%) in order to obtain mean photon numbers close to 1. To obtain this, an optical cavity or a photonic bandgap structure must suppress the emission in all spatial modes but one. In addition, the spectral bandwith of this type of source is broad (of the order of 100 nm), enhancing the effect of pertubations in a quantum channel. A second approach is to generate photons by single electrons in a mesoscopic p-n junction. The idea is to take profit of the fact that thermal electrons show antibunching (Pauli exclusion principle) in contrast to photons (Imamoglu and Yamamoto, 1994). First experimental results have been presented (Kim et al. 1999), however with extremely low efficiencies, and only at a temperature of 50mK! Finally, another approach is to use the photon emission of electron-hole pairs in a semiconductor quantum dot. The frequency of the emitted photon depends on the number of electron-hole pairs present in the dot. After one creates several such pairs by optical pumping, they will sequentially recombine and hence emit photons at different frequencies. Therefore, by spectral filtering a single-photon pulse can be obtained (G´erard et al. 1999, Santori et al. 2000, and Michler et al. 2000). These dots can be integrated in solid-states microcavities with strong enhancements of the spontaneous emission (G´erard et al. 1998). In summary, today’s photon guns are still too complicated to be used in a QC-prototype. Moreover, due to their low quantum efficiencies they do not offer an ad-

B. Quantum channels

The single photon source and the detectors must be connected by a “quantum channel”. Such a channel is actually nothing specially quantum, except that it is intended to carry information encoded in individual quantum systems. Here “individual” doesn’t mean “nondecomposible”, it is meant in opposition to “ensemble”. The idea is that the information is coded in a physical system only once, contrary to classical communication where many photons carry the same information. Note that the present day limit for fiber-based classical optical communication is already down to a few tens of photons, although in practice one usually uses many more. With the increasing bit rate and the limited mean power – imposed to avoid nonlinear effects in silica fibers – these figures are likely to get closer and closer to the quantum domain. The individual quantum systems are usually 2-level systems, called qubits. During their propagation they must be protected from environmental noise. Here “environment” refers to everything outside the degree of freedom used for the encoding, which is not necessarily outside the physical system. If, for example, the information is encoded in the polarization state, then the optical frequencies of the photon is part of the environment. Hence, coupling between the polarization and the optical frequency has to be mastered18 (e.g. avoid wavelength sensitive polarizers and birefringence). Moreover, the sender of the qubits should avoid any correlation between the polarization and the spectrum of the photons. Another difficulty is that the bases used by Alice to code the qubits and the bases used by Bob for his measurements must be related by a known and stable unitary transformation. Once this unitary transformation is known, Alice and Bob can compensate for it and get the expected correlation between their preparations and measurements. If it changes with time, they need an active feedback to track it, and if the changes are too fast the communication must be interrupted. 1. Singlemode fibers

Light is guided in optical fibers thanks to the refractive index profile n(x, y) across the section of the fibers (traditionally, the z-axis is along the propagation direction). Over the last 25 years, a lot of effort has been

18

Note that, as we will see in chapter V, using entangled photons prevents such information leakage.

14

sion and polarization dependent losses. The Geometric phase as encountered when guiding light in an optical fiber is a special case of the Berry phase19 which results when any parameter describing a property of the system under concern, here the k-vector characterizing the propagation of the light field, undergoes an adiabatic change. Think first of a linear polarization state, let’s say vertical at the input. Will it still be vertical at the output? Vertical with respect to what? Certainly not the gravitational field! One can follow that linear polarization by hand along the fiber and see how it may change even along a closed loop. If the loop stays in a plane, the state after a loop coincides with the input state. But if the loop explores the 3 dimensions of our space, then the final state will differ from the initial one by an angle. Similar reasoning holds for the axes of elliptical polarization states. The two circular polarization states are the eigenstates: during parallel transport they acquire opposite phases, called the Berry phase. The presence of a geometrical phase is not fatal for quantum communication, it simply means that initially Alice and Bob have to align their systems by defining for instance the vertical and diagonal directions (i.e. performing the unitary transformation mentioned before). If these vary slowly, they can be tracked, though this requires an active feedback. However, if the variations are too fast, the communication might be interrupted. Hence, aerial cables that swing in the wind are not appropriate (except with selfcompensating configurations, see paragraph IV C 2). Birefringence is the presence of two different phase velocities for two orthogonal polarization states. It is caused by asymmetries in the fiber geometry and in the residual stress distribution inside and around the core. Some fibers are made birefringent on purpose. Such fibers are called polarization maintaining (PM) fibers because the birefringence is large enough to effectively uncouple the two polarization eigenmodes. But note that only these two orthogonal polarization modes are maintained; all the other modes, on the contrary, evolve very quickly, making this kind of fiber completely unsuitable for polarization-based QC systems20 . The global effect of the birefringence is equivalent to an arbitrary combination of two waveplates, that is, it corresponds to a unitary transformation. If this transformation is stable,

made to reduce transmission losses – initially several dB per km –, and nowadays, the attenuation is as low as 2dB/km at 800nm wavelength, 0.35 dB/km at 1310 nm, and 0.2 dB/km at 1550 nm (see Fig. 6). It is amusing to note that the dynamical equation describing optical pulse propagation (in the usual slowly varying envelope aproximation) is identical to the Schr¨odinger equation, with V (x, y) = −n(x, y) (Snyder 1983). Hence a positive bump in the refractive index corresponds to a potential well. The region of the well is called the fiber core. If the core is large, many bound modes exist, corresponding to many guided modes in the fiber. Such fibers are called multimode fibers, their core being usually 50 micrometer in diameter. The modes couple easily, acting on the qubit like a non-isolated environment. Hence multimode fibers are not appropriate as quantum channels (see however Townsend 1998a and 1998b). If, however, the core is small enough (diameter of the order of a few wavelengths) then a single spatial mode is guided. Such fibers are called singlemode fibers. For telecommunications wavelength (i.e. 1.3 and 1.5 µm), their core is typically 8 µm in diameter. Singlemode fibers are very well suited to carry single quanta. For example, the optical phase at the output of a fiber is in a stable relation with the phase at the input, provided the fiber doesn’t get elongated. Hence, fiber interferometers are very stable, a fact exploited in many instruments and sensors (see, e.g., Cancellieri 1993). Accordingly, a singlemode fiber with perfect cylindric symmetry would provide an ideal quantum channel. But all real fibers have some asymmetries and then the two polarization modes are no longer degenerate but each has its own propagation constant. A similar effect is caused by chromatic dispersion, where the group delay depends on the wavelength. Both dispersion effects are the subject of the next paragraphs. 2. Polarization effects in singlemode fibers

Polarization effects in singlemode fibers are a common source of problems in all optical communication schemes, as well classical as quantum ones. In recent years this has been a major topic for R&D in classical optical communication (Gisin et al. 1995). As a result, today’s fibers are much better than the fibers a decade ago. Nowadays, the remaining birefringence is small enough for the telecom industry, but for quantum communication, any birefringence, even extremely small, will always remain a concern. All fiber based implementations of QC have to face this problem. This is clearly true for polarization based systems; but it is equally a concern for phase based systems, since the interference visibility depends on the polarization states. Hence, although polarization effects are not the only source of difficulties, we shall describe them in some detail, distinguishing between 4 effects: the geometrical one, birefringence, polarization mode disper-

19

Introduced by Michael Berry in 1984, then observed in optical fiber by Tomita and Chiao (1986), and on the single photon level by Hariharan et al. (1993), studied in connection to photon pairs by Brendel et al. (1995). 20 PM fibers might be of use for phase based QC systems. However, this requires the whole setup – transmission lines as well as interferometers at Alice’s and Bob’s – to be made of PM fibers. While this is principally possible, the need of installing a completely new fiber network makes this solution not very practical.

15

Alice and Bob can compensate for it. The effect of birefringence is thus similar to the geometrical effect, though, in addition to a rotation, it may also affect the ellipticity. Stability of birefringence requires slow thermal and mechanical variations. Polarization Mode Dispersion (PMD) is the presence of two different group velocities for two orthogonal polarization modes. It is due to a delicate combination of two causes. First, birefringence produces locally two group velocities. For optical fibers, this local modal dispersion is in good approximation equal to the phase dispersion, of the order of a few ps/km. Hence, locally an optical pulse tends to split into a fast mode and a slow mode. But because the birefringence is small, the two modes couple easily. Hence any small imperfection along the fiber produces polarization mode coupling: some energy of the fast mode couples into the slow mode and vice-versa. PMD is thus similar to a random walk21 and grows only with the square root of the fiber length. It is expressed in √ps , with values as low as 0.1 √ps for km km ps modern fibers and possibly as high as 0.5 or even 1 √km for older ones. Typical lengths for the polarization mode coupling vary from a few meters up to hundreds of meters. The stronger the coupling, the weaker the PMD (the two modes do not have time to move away between the couplings). In modern fibers, the couplings are even artificially increased during the drawing process of the fibers (Hart et al. 1994, Li and Nolan 1998). Since the couplings are exceedingly sensitive, the only reasonable description is a statistical one, hence PMD is described as a statistical distribution of delays δτ . For long enough fibers, the statistics is Maxwellian and PMD is related to the fiber length ℓ, the mean coupling length h, the mean modal birefringence B and to p the RMS delay as follows p 2 << δτ >> = Bh ℓ/h. (Gisin et al. 1995): PMD≡ PMD could cause depolarization which would be devastating for quantum communication, similar to any decoherence in quantum information processing. But fortunately, for quantum communication the remedy is easy, it suffices to use a source with a coherence time larger than the largest delay δτ . Hence, when laser pulses are used (with typical spectral widths ∆λ ≤ 1 nm, corresponding to a coherence time ≥ 3 ps, see paragraph III A 1), PMD is no real problem. For photons created by parametric down conversion, however, PMD can impose severe limitations since ∆λ ≥ 10 nm (coherence time ≤ 300 fs) is not unusual. Polarization Dependent Losses (PDL) is a differential attenuation between two orthogonal polarization modes. This effect is negligible in fibers, but can be sig-

nificant in components like phase modulators. In particular, some integrated optics waveguides actually guide only one mode and thus behave almost like polarizers (e.g. proton exchange waveguides in LiNbO3 ). PDL is usually stable, but if connected to a fiber with some birefringence, the relation between the polarization state and the PDL may fluctuate, producing random outcomes (Elamari et al. 1998). PDL cannot be described by a unitary operator acting in the polarization state space (but it is of course unitary in a larger space (Huttner et al. 1996a). It does thus not preserve the scalar product. In particular, it can turn non-orthogonal states into orthogonal ones which can then be distinguished unambiguously (at the cost of some loss) (Huttner et al. 1996a, Clarke et al. 2000). Note that this could be used by Eve, specially to eavesdrop on the 2-state protocol (paragraph II D 1). Let us conclude this paragraph on polarization effects in fibers by mentioning that they can be passively compensated, provided one uses a go-&-return configuration, using Faraday mirrors, as described in section IV C 2. 3. Chromatic dispersion effects in singlemode fibers

In addition to polarization effects, chromatic dispersion (CD) can cause problems for quantum cryptography as well. For instance, as explained in sections IV C and V B, schemes implementing phase- or phase-and-timecoding rely on photons arriving at well defined times, that is on photons well localized in space. However, in dispersive media like optical fibers, different group velocities act as a noisy environment on the localization of the photon as well as on the phase acquired in an interferometer. Hence, the broadening of photons featuring non-zero bandwidth, or, in other words, the coupling between frequency and position must be circumvented or controlled. This implies working with photons of small bandwidth, or, as long as the bandwidth is not too large, operating close to the wavelength λ0 where chromatic dispersion is zero, i.e. for standard fibers around 1310 nm. Fortunately, fiber losses are relatively small at this wavelength and amount to ≈0.35 dB/km. This region is called the second telecommunication window22 . There are also special fibers, called dispersion-shifted, with a refractive index profile such that the chromatic dispersion goes to zero around 1550 nm, where the attenuation is minimal (Neumann 1988)23 .

22

The first one, around 800 nm, is almost no longer used. It was motivated by the early existence of sources and detectors at this wavelength. The third window is around 1550 nm where the attenuation reaches an absolute minimum (Thomas et al. 2000) and where erbium doped fibers provide convenient amplifiers (Desurvire 1994). 23 Chromatic dispersion in fibers is mainly due to the material, essentially silicon, but also to the refractive index profile.

21

In contrast to Brownian motion describing particles diffusion in space as time passes, here photons diffuse in time as they propagate along the fiber.

16

CD does not constitute a problem in case of faint laser pulses where the bandwidth is small. However, it becomes a serious issue when utilizing photon pairs created by parametric downconversion. For instance, sending photons of 70 nm bandwidth (as used in our longdistance Bell inequality tests, Tittel et al. 1998) down 10 km of optical fibers leads to a temporal spread of around 500 ps (assuming photons centered at λ0 and a typical dispersion slope of 0.086 nmps 2 km ). However, this can be compensated for when using energy-time entangled photons (Franson 1992, Steinberg et al. 1992a and 1992b, Larchuk et al. 1995). In contrast to polarization coding where frequency and the physical property used to implement the qubit are not conjugate variables, frequency and time (thus position) constitute a Fourier pair. The strict energy anti-correlation of signal and idler photon enables one to achieve a dispersion for one photon which is equal in magnitude but opposite in sign to that of the sister photon, corresponding thus to the same delay24 (see Fig. 7). The effect of broadening of the two wave packets then cancels out and two simultaneously emitted photons stay coincident. However, note that the arrival time of the pair varies with respect to its emission time. The frequency anticorrelation provides also the basis for avoiding decrease of visibility due to different wavepacket broadening in the two arms of an interferometer. And since the CD properties of optical fibers do not change with time – in contrast to birefringence – no on-line tracking and compensation is required. It thus turns out that phase and phase-time coding is particularly suited to transmission over long distances in optical fibers: nonlinear effects decohering the qubit “energy” are completely negligible, and CD effects acting on the localization can be avoided or compensated for in many cases.

Transmission over free space features some advantages compared to the use of optical fibers. The atmosphere has a high transmission window at a wavelength of around 770 nm (see Fig. 8) where photons can easily be detected using commercial, high efficiency photon counting modules (see chapter III C 1). Furthermore, the atmosphere is only weakly dispersive and essentially nonbirefringent25 at these wavelengths. It will thus not alter the polarization state of a photon. However, there are some drawbacks concerning freespace links as well. In contrast to transmitting a signal in a guiding medium where the energy is “protected” and remains localized in a small region in space, the energy transmitted via a free-space link spreads out, leading to higher and varying transmission losses. In addition to loss of energy, ambient daylight, or even light from the moon at night, might couple into the receiver, leading to a higher error rate. However, the latter errors can be maintained at a reasonable level by using a combination of spectral filtering (≤ 1 nm interference filters), spatial filtering at the receiver and timing discrimination using a coincidence window of typically a few ns. Finally, it is clear that the performance of free-space systems depends dramatically on atmospheric conditions and is possible only with clear weather. Finally, let us briefly comment on the different sources leading to coupling losses. A first concern is the transmission of the signals through a turbulent medium, leading to arrival-time jitter and beam wander (hence problems with beam pointing). However, as the time-scales for atmospheric turbulences involved are rather small – around 0.1 to 0.01 s –, the time jitter due to a variation of the effective refractive index can be compensated for by sending a reference pulse at a different wavelength at short time (around 100 ns) before each signal pulse. Since this reference pulse experiences the same atmospheric conditions as the subsequent one, the signal will arrive essentially without jitter in the time-window defined by the arrival of the reference pulse. In addition, the reference pulse can be reflected back to the transmitter and used to correct the direction of the laser beam by means of adaptive optics, hence to compensate for beam wander and to ensure good beam pointing Another issue is the beam divergence, hence increase of spot size at the receiver end caused by diffraction at the transmitter aperture. Using for example 20 cm diameter optics, the diffraction limited spot size after 300 km is of ≈ 1 m. This effect can in principle be kept small taking advantage of larger optics. However, it can also be of advantage to have a spot size large compared to the receiver’s aperture in order to ensure constant coupling in case of remaining beam wander. In their 2000 paper,

4. Free-space links

Although telecommunication based on optical fibers is very advanced nowadays, such channels may not always be available. Hence, there is also some effort in developing free space line-of-sight communication systems not only for classical data transmission but for quantum cryptography as well (see Hughes et al. 2000a and Gorman et al. 2000).

Indeed, longer wavelengths feel regions further away from the core where the refractive index is lower. Dispersion-shifted fibers have, however, been abandoned by today’s industry, because it turned out to be simpler to compensate for the global chromatic dispersion by adding an extra fiber with high negative dispersion. The additional loss is then compensated by an erbium doped fiber amplifier. 24 Assuming a predominantly linear dependence of CD in function of the optical frequency, a realistic assumption.

25

In contrast to an optical fiber, air is not subject to stress, hence isotropic.

17

• In active quenching circuits, the bias voltage is actively lowered below the breakdown voltage as soon as the leading edge of the avalanche current is detected (see e.g. Brown et al. 1987). This mode enables higher count rates compared to passive quenching (up to tens of MHz), since the deadtime can be as short as some tens of ns. However, the fast electronic feedback system renders active quenching circuits much more complicated than passive ones.

Gilbert and Hamrick provide a comprehensive discussion of free-space channels in the context of QC.

C. Single-photon detection

With the availability of pseudo single-photon and photon-pair sources, the success of quantum cryptography is essentially dependent on the possibility to detect single photons. In principle, this can be achieved using a variety of techniques, for instance photo-multipliers, avalanche-photodiodes, multichannel plates, superconducting Josephson junctions. The ideal detector should fulfill the following requirements:

• Finally, in gated mode operation, the bias voltage is kept below the breakdown voltage and is raised above only for a short time when a photon is expected to arrive, typically a few ns. Maximum count-rates similar to active quenching circuits can be obtained using less complicated electronics. Gated mode operation is commonly used in quantum cryptography based on faint laser pulses where the arrival-times of the photons are well known. However, it only applies if prior timing information is available. For 2-photon schemes, it is most often combined with one passive quenched detector, generating the trigger signal for the gated detector.

• it should feature a high quantum detection efficiency over a large spectral range, • the probability of generating noise, that is a signal without a photon arriving, should be small, • to ensure a good timing resolution, the time between detection of a photon and generation of an electrical signal should be as constant as possible, i.e. the time jitter should be small,

Apart from Geiger mode, Brown et al. also investigated the performance of Silicon APDs operated in subGeiger mode (Brown et al. 1989). In this mode, the bias voltage is kept slightly smaller than the breakdown voltage such that the multiplication factor – around 100 – already enables to detect an avalanche, however, is still small enough to prevent real breakdowns. Unfortunately, the single-photon counting performance in this mode is rather bad and initial efforts have not been continued, the major problem being the need for extremely low-noise amplifiers.

• the recovery time (i.e. the deadtime) should be small to allow high data rates. In addition, it is important to keep the detectors handy. For instance, a detector which needs liquid helium or even nitrogen cooling would certainly render a commercial development difficult. Unfortunately, it turns out that it is impossible to meet all mentioned points at the same time. Today, the best choice is avalanche photodiodes (APD). Three different semiconductor materials are used: either Silicon, Germanium or Indium Gallium Arsenide, depending on the wavelengths. APDs are usually operated in so-called Geiger mode. In this mode, the applied voltage exceeds the breakdown voltage, leading an absorbed photon to trigger an electron avalanche consisting of thousands of carriers. To reset the diode, this macroscopic current must be quenched – the emission of charges stopped and the diode recharged (Cova et al. 1996). Three main possibilities exist:

An avalanche engendered by carriers created in the conduction band of the diode can not only be caused by an impinging photon, but also by unwanted causes. These might be thermal or band-to-band tunneling processes, or emissions from trapping levels populated while a current transits through the diode. The first two causes produce avalanches not due to photons and are referred to as darkcounts. The third process depends on previous avalanches and its effect is called afterpulses. Since the number of trapped charges decreases exponentially with time, these afterpulses can be limited by applying large deadtimes. Thus, there is a trade-off between high count rates and low afterpulses. The time-constant of the exponential decrease of afterpulses shortens for higher temperatures of the diode. Unfortunately, operating APDs at higher temperature leads to a higher fraction of thermal noise, that is higher dark counts. There is thus again a tradeoff to be optimized. Finally, increasing the bias voltage leads to a larger quantum efficiency and a smaller time jitter, at the cost of an increase in the noise.

• In passive-quenching circuits, a large (50-500 kΩ) resistor is connected in series with the APD (see e.g. Brown et al. 1986). This causes a decrease of the voltage across the APD as soon as an avalanche starts. When it drops below breakdown voltage, the avalanche stops and the diode recharges. The recovery time of the diode is given by its capacitance and by the value of the quench resistor. The maximum count rate varies from some hundred kHz to a few MHz.

18

We thus see that the optimal operating parameters, voltage, temperature and dead time (i.e. maximum count rate) depend on the very application. Besides, since the relative magnitude of efficiency, thermal noise and after pulses varies with the type of semiconductor material used, no general solution exists. In the two next paragraphs we briefly present the different types of APDs. The first paragraph focuses on Silicon APDs which enable the detection of photons at wavelengths below 1µm, the second one comments on Germanium and on Indium Gallium Arsenide APDs for photon counting at telecommunication wavelength. The different behaviour of the three types is shown in Fig. 9. Although the best figure of merit for quantum cryptography is the ratio of dark count rate R per time unit to detection efficiency η, we depict here the better-known noise equivalent power NEP which shows similar behaviour. The NEP is defined as the optical power required to measure a unity signal-to-noise ratio, and is given by hν √ N EP = 2R. (25) η

from Germanium or InGaAs/InP semiconductor materials. In the third window (1.55 µm), the only option is InGaAs/InP APDs. Photon counting with Germanium APDs, although known for 30 years (Haecker, Groezinger and Pilkuhn 1971), started to be used in the domain of quantum communication with the need of transmitting single photons over long distances using optical fibers, hence with the necessity to work at telecommunications wavelength. In 1993, Townsend, Rarity and Tapster (Townsend et al. 1993a) implemented a single photon interference scheme for quantum cryptography over a distance of 10 km, and in 1994, Tapster, Rarity and Owens (1994) demonstrated a violation of Bell inequalities over 4 km. These experiments where the first ones to take advantage of Ge APDs operated in passively quenched Geiger mode. At a temperature of 77K which can be achieved using either liquid nitrogen or Stirling engine cooling, typical quantum efficiencies of about 15 % at dark count rates of 25 kHz can be found (Owens et al. 1994), and time jitter down to 100 ps have been observed (Lacaita et al. 1994) – a normal value being 200-300 ps. Traditionally, Germanium APDs have been implemented in the domain of long-distance quantum communication. However, this type of diode is currently getting replaced by InGaAs APDs and it is more and more difficult to find Germanium APDs on the market. Motivated by pioneering research reported already in 1985 (Levine, Bethea and Campbell 1985), latest research focusses on InGaAs APDs, allowing single photon detection in both telecommunication windows. Starting with work by Zappa et al. (1994), InGaAs APDs as single photon counters have meanwhile been characterized thoroughly (Lacaita et al. 1996, Ribordy et al. 1998, Hiskett et al. 2000, Karlsson et al. 1999, and Rarity et al. 2000, Stucki et al. 2001), and first implementations for quantum cryptography have been reported (Ribordy 1998, Bourennane et al. 1999, Bethune and Risk 2000, Hughes et al. 2000b, Ribordy et al. 2000). However, if operating Ge APDs is already inconvenient compared to Silicon APDs, the handiness of InGaAs APDs is even worse, the problem being a extremely high afterpulse fraction. Therefore, operation in passive quenching mode is impossible for applications where noise is crucial. In gated mode, InGaAs APDs feature a better performance for single photon counting at 1.3 µm compared to Ge APDs. For instance, at a temperature of 77 K and a dark count probability of 10−5 per 2.6 ns gate, quantum efficiencies of around 30% and of 17% have been reported for InGaAs and Ge APDs, respectively (Ribordy et al. 1998), while the time jitter of both devices is comparable. If working at a wavelength of 1.55 µm, the temperature has to be increased for single photon detection. At 173 K and a dark count rate of now 10−4 , a quantum efficiency of 6% can still be observed using InGaAs/InP devices while the same figure for Germanium APDs is close to zero. To date, no industrial effort has been done to optimize APDs operating at telecommunication wavelength

Here, h is Planck’s constant and ν is the frequency of the impinging photons. 1. Photon counting at wavelengths below 1.1 µm

Since the beginning of the 80’s, a lot of work has been done to characterize Silicon APDs for single photon counting (Ingerson 1983, Brown 1986, Brown 1987, Brown 1989, Spinelli 1996), and the performance of SiAPDs has continuously been improved. Since the first test of Bell inequality using Si-APDs by Shih and Alley in 1988, they have completely replaced the photomultipliers used until then in the domain of fundamental quantum optics, known now as quantum communication. Today, quantum efficiencies of up to 76% (Kwiat et al. 1993) and time jitter down to 28 ps (Cova et al. 1989) have been reported. Commercial single photon counting modules are available (EG&G SPCM-AQ-151), featuring quantum efficiencies of 70 % at a wavelength of 700 nm, a time jitter of around 300 psec and maximum count rates larger than 5 MHz. Temperatures of -20oC – sufficient to keep thermally generated dark counts as low as 50 Hz – can easily be achieved using Peltier cooling. Single photon counters based on Silicon APDs thus offer an almost perfect solution for all applications where photons of a wavelength below 1 µm can be used. Apart from fundamental quantum optics, this includes quantum cryptography in free space and in optical fibers, however, due to high losses, the latter one only over short distances. 2. Photon counting at telecommunication wavelengths

When working in the second telecommunication window (1.3µm), one has to take advantage of APDs made 19

In the BB84 protocol Alice has to choose randomly between four different states and Bob between two bases. The limited random number generation rate may force Alice to produce her numbers in advance and store them, opening a security weakness. On Bob’s side the random bit creation rate can be lower since, in principle, the basis must be changed only after a photon has been detected, which normally happens at rates below 1 MHz. However, one has to make sure that this doesn’t give the spy an opportunity for a Trojan horse attack (see section VI K)! An elegant configuration integrating the random number generator into the QC system consists in using a passive choice of bases, as discussed in chapter V (Muller et al. 1993). However, the problem of detector induced correlation remains.

for photon counting, and their performance is still far behind the one of Silicon APDs26 . However, there is no fundamental reasons why photon counting at wavelengths above 1 µm should be more delicate than below, except that the photons are less energetic. The real reasons for the lack of commercial products are, first, that Silicon, the most common semiconductor, is not sensitive (the band gap is too large), and secondly that the market for photon counting is not yet mature. But, without great risk, one can forecast that good commercial photon counters will become available in the near future, and that this will have a major impact on quantum cryptography. D. Quantum random number generators

E. Quantum repeaters

The key used in the one-time-pad must be secret and used only once. Consequently, it must be as long as the message and must be perfectly random. The later point proves to be a delicate and interesting one. Computers are deterministic systems that cannot create truly random numbers. But all secure cryptosystems, both classical and quantum ones, require truly random numbers27 ! Hence, the random numbers must be created by a random physical process. Moreover, to make sure that the random process is not merely looking random with some hidden deterministic pattern, it is necessary that it is completely understood. It is thus of interest to implement a simple process in order to gain confidence in its proper operation. A natural solution is to rely on the random choice of a single photon at a beamsplitter28 (Rarity et al. 1994). In this case the randomness is in principle guaranteed by the laws of quantum mechanics, though, one still has to be very careful not to introduce any experimental artefact that could correlate adjacent bits. Different experimental realizations have been demonstrated (Hildebrand 2001, Stefanov et al. 2000, Jennewein et al. 2000a) and prototypes are commercially available (www.gapoptique.unige.ch). One particular problem is the deadtime of the detectors, that may introduce a strong anticorrelation between neighboring bits. Similarly, afterpulses may provoke a correlation. These detector-related effects increase with higher pulse rates, limiting the bit rate of quantum number generator to some MHz.

Todays fiber based QC systems are limited to tens of kilometers. This is due to the combination of fiber losses and detectors’ noise. The losses by themselves do only reduce the bit rate (exponentially with the distance), but with perfect detectors the distance would not be limited. However, because of the dark counts, each time a photon is lost there is a chance that a dark count produces an error. Hence, when the probability of a dark count becomes comparable to the probability that a photon is correctly detected, the signal to noise ratio tends to 0 (more precisely the mutual information I(α, β) tends to a lower bound29 ). In this section we briefly explain how the use of entangled photons and of entanglement ˙ swapping (Zukowski et al. 1993) could open ways to extend the achievable distances in a foreseeable future (some prior knowledge of entanglement swapping is assumed). Let us denote tlink the transmission coefficient (i.e. tlink =probability that a photon sent by Alice gets to one of Bob’s detectors), η the detectors’ efficiency and pdark the dark count probability per time bin. With a perfect single photon source, the probability Praw of a correct qubit detection reads: Praw = tlink η, while the probability Pdet of an error is: Pdet = (1 − tlink η)pdark . Pdet Accordingly, the QBER= Praw +Pdet and the normalized net rate reads: ρnet = (Praw + Pdet ) · f ct(QBER) where the function f ct denotes the fraction of bits remaining after error correction and privacy amplification. For the sake of illustration we simply assume a linear dependence dropping to zero for QBER≥ 15% (This simplification does not affect the qualitative results of this section. For a more precise calculation, see L¨ utkenhaus 2000.):

26

The first commercial photon counter at telecommunication wavelengths came out only this year (Hamamatsu photomultiplier R5509-72). However, the efficiency does not yet allow an implementation for quantum cryptography. 27 The pin number that the bank attributes to your credit card must be random. If not, someone knows it! 28 Strictly speaking, the choice is made only once the photons are detected at one of the outports.

29

The absolute lower bound is 0, but dependening on the assumed eavesdropping strategy, Eve could take advantage of the losses. In the latter case, the lower bound is given by her mutual information I(α, ǫ).

20

f ct(QBER) = 1 − QBER 15% . The corresponding net rate ρnet is displayed on Fig. 10. Note that it drops to zero near 90 km. Let us now assume that instead of a perfect singlephoton source, Alice and Bob use a (perfect) 2-photon source set in the middle of their√quantum channel. Each photon has then a probability tlink to get to a detector. The probability of a correct joined detection is thus Praw = tlink√ η 2 , while an error√occurs with √ probability P det = (1 − tlink η)2 p2dark + 2 tlink η(1 − tlink η)pdark (both photon lost and 2 dark counts, or one photon lost and one dark count). This can be conveniently 1/n rewritten as: Praw = tlink η n and Pdet = (tlink η + (1 − 1/n tlink η)pdark )n − tlink η n valid for any division of the link into n equal-length sections and n detectors. Note that the measurements performed at the nodes between Alice and Bob do transmit (swap) the entanglement to the twin photons, without revealing any information about the qubit (these measurements are called Bell-measurements and are the core of entanglement swapping and of quantum teleportation). The corresponding net rates are displayed in Fig. 10. Clearly, the rates for short distances are smaller when several detectors are used, because of their limited efficiencies (here we assume η = 10%). But the distance before the net rate drops to zero is extended to longer distances! Intuitively, this can be understood as follows. Let’s consider that a logical qubit propagates from Alice to Bob (although some photons propagate in the opposite direction). Then, each 2-photon source and each Bell-measurement acts on this logical qubit as a kind of QND measurement: they test whether the logical qubit is still there! In this way, Bob activates his detectors only 1/n when there is a large chance tlink that the photon gets to his detectors. Note that if in addition to the detectors’ noise there is noise due to decoherence, then the above idea can be extended, using entanglement purification. This is essentially the idea of quantum repeaters (Briegel et al. 1998, Dur et al. 1999).

IV. EXPERIMENTAL QUANTUM CRYPTOGRAPHY WITH FAINT LASER PULSES

Experimental quantum key distribution was demonstrated for the first time in 1989 (it was published only in 1992 by Bennett et al. 1992a). Since then, tremendous progress has been made. Today, several groups have shown that quantum key distribution is possible, even outside the laboratory. In principle, any two-level quantum system could be used to implement QC. In practice, all implementations have relied on photons. The reason is that their interaction with the environment, also called decoherence, can be controlled and moderated. In addition, researchers can benefit from all the tools developed in the past two decades for optical telecommunications. It is unlikely that other carriers will be employed in the foreseeable future. Comparing different QC-setups is a difficult task, since several criteria must be taken into account. What matters in the end is of course the rate of corrected secret bits (distilled bit rate, Rdist ) that can be transmitted and the transmission distance. One can already note that with present and near future technology, it will probably not be possible to achieve rates of the order of gigahertz, nowadays common with conventional optical communication systems (in their comprehensive paper published in 2000, Gilbert and Hamrick discuss practical methods to achieve high bit rate QC). This implies that encryption with a key exchanged through QC is to be limited to highly confidential information. While the determination of the transmission distance and rate of detection (the raw bit rate, Rraw ) is straightforward, estimating the net rate is rather difficult. Although in principle errors in the bit sequence follow only from tampering by a malevolent eavesdropper, the situation is rather different in reality. Discrepancies in the keys of Alice and Bob also always happen because of experimental imperfections. The error rate (here called quantum bit error rate, or QBER) can be easily determined. Similarly, the error correction procedure is rather simple. Error correction leads to a first reduction of the key rate that depends strongly on the QBER. The real problem consist in estimating the information obtained by Eve, a quantity necessary for privacy amplification. It does not only depend on the QBER, but also on other factors, like the photon number statistics of the source, or the way the choice of the measurement basis is made. Moreover in a pragmatic approach, one might also accept restrictions on Eve’s technology, limiting her strategies and therefore also the information she can obtain per error she introduces. Since the efficiency of privacy amplification rapidly decreases when the QBER increases, the distilled bit rate depends dramatically on Eve’s information and hence on the assumptions made. One can define as the maximum transmission distance, the distance where the distilled rate reaches zero. This can give an idea of the

21

difficulty to evaluate a QC system from a physical point of view. Technological aspects must also be taken into account. In this article we do not focus on all the published performances (in particular not on the key rates), which strongly depend on present technology and the financial possibilities of the research teams having carried out the experiments. On the contrary, we try to weight the intrinsic technological difficulties associated with each setup and to anticipate certain technological advances. And last but not least the cost of the realization of a prototype should also be considered. In this chapter, we first deduce a general formula for the QBER and consider its impact on the distilled rate. We then review faint pulses implementations. We class them according to the property used to encode the qubits value and follow a rough chronological order. Finally, we assess the possibility to adopt the various set-ups for the realization of an industrial prototype. Systems based on entangled photon pairs are presented in the next chapter.

product of the sifted key rate and the probability popt of a photon going in the wrong detector: Ropt = Rsif t popt =

Rdet =

11 frep pdark n 22

(29)

where pdark is the probability of registering a dark count per time-window and per detector, and n is the number of detectors. The two 12 -factors are related to the fact that a dark count has a 50% chance to happen with Alice and Bob having chosen incompatible bases (thus eliminated during sifting) and a 50% chance to arise in the correct detector. Finally error counts can arise from uncorrelated photons, because of imperfect photon sources:

The QBER is defined as the number of wrong bits to the total number of received bits30 and is normally in the order of a few percent. In the following we will use it expressed as a function of rates:

Racc =

Rerror Rerror Nwrong = ≈ QBER = Nright + Nwrong Rsif t + Rerror Rsif t

11 pacc frep tlink nη 22

(30)

This factor appears only in systems based on entangled photons, where the photons belonging to different pairs but arriving in the same time window are not necessarily in the same state. The quantity pacc is the probability to find a second pair within the time window, knowing that a first one was created32 . The QBER can now be expressed as follows:

(26) where the sifted key corresponds to the cases in which Alice and Bob made compatible choices of bases, hence its rate is half that of the raw key. The raw rate is essentially the product of the pulse rate frep , the mean number of photon per pulse µ, the probability tlink of a photon to arrive at the analyzer and the probability η of the photon being detected: 1 1 Rraw = q frep µ tlink η 2 2

(28)

This contribution can be considered, for a given set-up, as an intrinsic error rate indicating the suitability to use it for QC. We will discuss it below in the case of each particular system. The second contribution, Rdet , arises from the detector dark counts (or from remaining environmental stray light in free space setups). This rate is independent of the bit rate31 . Of course, only dark counts falling in a short time window when a photon is expected give rise to errors.

A. Quantum Bit Error Rate

Rsif t =

1 q frep µ tlink popt η 2

Ropt + Rdet + Racc Rsif t pdark · n pacc = popt + + tlink · η · 2 · q · µ 2 · q · µ = QBERopt + QBERdet + QBERacc

QBER =

(27)

The factor q (q≤1, typically 1 or 21 ) must be introduced for some phase-coding setups in order to correct for noninterfering path combinations (see, e.g., sections IV C and V B). One can distinguish three different contributions to Rerror . The first one arises because of photons ending up in the wrong detector, due to unperfect interference or polarization contrast. The rate Ropt is given by the

(31) (32) (33)

We analyze now these three contributions. The first one, QBERopt , is independent on the transmission distance (it is independent of tlink ). It can be considered as a measure of the optical quality of the setup, depending only on the polarisation or interference fringe contrast.

31 This is true provided that afterpulses (see section III C) do not contribute to the dark counts. 32 Note that a passive choice of measurement basis implies that four detectors (or two detectors during two time windows) are activated for every pulse, leading thus to a doubling of Rdet and Racc .

30

In the followin we are considering systems implementing the BB84 protocol. For other protocols some of the formulas have to be slightly adapted.

22

rate after error correction and privacy amplification) for different wavelengths as shown in Fig. 11. There is first an exponential decrease, then, due to error correction and privacy amplification, the bit rates fall rapidly down to zero. This is most evident comparing the curves 1550 nm and 1550 nm “single” since the latter features 10 times less QBER. One can see that the maximum range is about 100 km. In practice it is closer to 50 km, due to non-ideal error correction and privacy amplification, multiphoton pulses and other optical losses not considered here. Finally, let us mention that typical key creation rates of the order of a thousand bits per second over distances of a few tens of kilometers have been demonstrated experimentally (see, for example, Ribordy et al. 2000 or Townsend 1998b).

The technical effort needed to obtain, and more important, to maintain a given QBERopt is an important criterion for evaluating different QC-setups. In polarization based systems, it’s rather simple to achieve a polarisation contrast of 100:1, corresponding to a QBERopt of 1%. In fiber based QC, the problem is to maintain this value in spite of polarisation fluctuations and depolarisation in the fiber link. For phase coding setups, QBERopt and the interference visibility are related by QBERopt =

1−V 2

(34)

A visibility of 98% translates thus into an optical error rate of 1%. Such a value implies the use of well aligned and stable interferometers. In bulk optics perfect mode overlap is difficult to achieve, but the polarization is stable. In single-mode fiber interferometers, on the contrary, perfect mode overlap is automatically achieved, but the polarisation must be controlled and chromatic dispersion can constitute a problem. The second contribution, QBERdet , increases with distance, since the darkcount rate remains constant while the bit rate goes down like tlink . It depends entirely on the ratio of the dark count rate to the quantum efficiency. At present, good single-photon detectors are not commercially available for telecommunication wavelengths. The span of QC is not limited by decoherence. As QBERopt is essentially independent of the fiber length, it is the detector noise that limits the transmission distance. Finally, the QBERacc contribution is present only in some 2-photon schemes in which multi-photon pulses are processed in such a way that they do not necessarily encode the same bit value (see e.g. paragraphs V B 1 and V B 2). Indeed, although in all systems there is a probability for multi-photon pulses, in most these contribute only to the information available to Eve (see section VI H) and not to the QBER. But for implementations featuring passive choice by each photon, the multiphoton pulses do not contribute to Eve’s information but to the error rate (see section VI J). Now, let us calculate the useful bit rate as a function of the distance. Rsif t and QBER are given as a function of tlink in eq. (27) and (32) respectively. The fiber link transmission decreases exponentially with the length. The fraction of bits lost due to error correction and privacy amplification is a function of QBER and depends on Eve’s strategy. The number of remaining bits Rnet is given by the sifted key rate multiplied by the difference of the Alice-Bob mutual Shannon information I(α, β) and Eve’s maximal Shannon information I max (α, ǫ): max (α, ǫ) (35) Rnet = Rsif t I(α, β) − I

B. Polarization coding

Encoding the qubits in the polarization of photons is a natural solution. The first demonstration of QC by Charles Bennett and his coworkers (Bennett et al. 1992a) made use of this choice. They realized a system where Alice and Bob exchanged faint light pulses produced by a LED and containing less than one photon on average over a distance of 30 cm in air. In spite of the small scale of this experiment, it had an important impact on the community in the sense that it showed that it was not unreasonable to use single photons instead of classical pulses for encoding bits. A typical system for QC with the BB84 four states protocol using the polarization of photons is shown in Fig. 12. Alice’s system consists of four laser diodes. They emit short classical photon pulses (≈ 1ns) polarized at −45◦ , 0◦ , +45◦ , and 90◦ . For a given qubit, a single diode is triggered. The pulses are then attenuated by a set of filters to reduce the average number of photons well below 1, and sent along the quantum channel to Alice. It is essential that the pulses remain polarized for Bob to be able to extract the information encoded by Alice. As discussed in paragraph III B 2, polarization mode dispersion may depolarize the photons, provided the delay it introduces between both polarization modes is larger than the coherence time. This sets a constraint on the type of lasers used by Alice. When reaching Bob, the pulses are extracted from the fiber. They travel through a set of waveplates used to recover the initial polarization states by compensating the transformation induced by the optical fiber (paragraph III B 2). The pulses reach then a symmetric beamsplitter, implementing the basis choice. Transmitted photons are analyzed in the vertical-horizontal basis with a polarizing beamsplitter and two photon counting detectors. The polarization state of the reflected photons is first rotated with a waveplate by 45◦ (−45◦ to 0◦ ). The photons are then analyzed with a second set of polarizing beamsplitter and photon counting detectors. This implements

The latter are calculated here according to eq. (64) and (66) (section VI E), considering only individual attacks and no multiphoton pulses. We obtain Rnet (useful bit 23

the diagonal basis. For illustration, let us follow a photon polarized at +45◦ , we see that its state of polarization is arbitrarily transformed in the optical fiber. At Bob’s end, the polarization controller must be set to bring it back to +45◦ . If it chooses the output of the beamsplitter corresponding to the vertical-horizontal basis, it will experience equal reflection and transmission probability at the polarizing beamsplittter, yielding a random outcome. On the other hand, if it chooses the diagonal basis, its state will be rotated to 90◦ . The polarizing beamsplitter will then reflect it with unit probability, yielding a deterministic outcome. Instead of Alice using four lasers and Bob two polarizing beamsplitters, it is also possible to implement this system with active polarization modulators such as Pockels cells. For emission, the modulator is randomly activated for each pulse to rotate the state of polarization to one of the four states, while, at the receiver, it randomly rotates half of the incoming pulses by 45◦ . It is also possible to realize the whole system with fiber optics components. Antoine Muller and his coworkers at the University of Geneva used such a system to perform QC experiments over optical fibers (1993, see also Br´eguet et al. 1994). They created a key over a distance of 1100 meters with photons at 800 nm. In order to increase the transmission distance, they repeated the experiment with photons at 1300nm (Muller et al.1995 and 1996) and created a key over a distance of 23 kilometers. An interesting feature of this experiment is that the quantum channel connecting Alice and Bob consisted in an optical fiber part of an installed cable, used by the telecommunication company Swisscom for carrying phone conversations. It runs between the Swiss cities of Geneva and Nyon, under Lake Geneva (Fig. 13). This was the first time QC was performed outside of a physics laboratory. It had a strong impact on the interest of the wider public for the new field of quantum communication. These two experiments highlighted the fact that the polarization transformation induced by a long optical fiber was unstable over time. Indeed, when monitoring the QBER of their system, Muller noticed that, although it remained stable and low for some time (of the order of several minutes), it would suddenly increase after a while, indicating a modification of the polarization transformation in the fiber. This implies that a real fiber based QC system requires active alignment to compensate for this evolution. Although not impossible, such a procedure is certainly difficult. James Franson did indeed implement an active feedback aligment system ( 1995), but did not pursue along this direction. It is interesting to note that replacing standard fibers with polarization maintaining fibers does not solve the problem. The reason is that, in spite of their name, these fibers do not maintain polarization, as explained in paragraph III B 2. Recently, Paul Townsend of BT Laboratories also investigated such polarization encoding systems for QC on short-span links up to 10 kilometers (1998a and 1998b)

with photons at 800nm. It is interesting to note that, although he used standard telecommunications fibers which can support more than one spatial mode at this wavelength, he was able to ensure single-mode propagation by carefully controlling the launching conditions. Because of the problem discussed above, polarization coding does not seem to be the best choice for QC in optical fibers. Nevertheless, this problem is drastically improved when considering free space key exchange, as the air has essentially no birefringence at all (see section IV E). C. Phase coding

The idea of encoding the value of qubits in the phase of photons was first mentioned by Bennett in the paper where he introduced the two-states protocol (1992). It is indeed a very natural choice for optics specialists. State preparation and analysis are then performed with interferometers, that can be realized with single-mode optical fibers components. Fig. 14 presents an optical fiber version of a MachZehnder interferometer. It is made out of two symmetric couplers – the equivalent of beamsplitters – connected to each other, with one phase modulator in each arm. One can inject light in the set-up using a continuous and classical source, and monitor the intensity at the output ports. Provided that the coherence length of the light used is larger than the path mismatch in the interferometers, interference fringes can be recorded. Taking into account the π/2-phase shift experienced upon reflection at a beamsplitter, the effect of the phase modulators (φA and φB ) and the path length difference (∆L), the intensity in the output port labeled “0” is given by: φA − φB + k∆L 2 I0 = I · cos (36) 2 where k is the wave number and I the intensity of the source. If the phase term is equal to π/2 + nπ where n is an integer, destructive interference is obtained. Therefore the intensity registered in port “0” reaches a minimum and all the light exits in port “1”. When the phase term is equal to nπ, the situation is reversed: constructive interference is obtained in port “0”, while the intensity in port “1” goes to a minimum. With intermediate phase settings, light can be recorded in both ports. This device acts like an optical switch. It is essential to keep the path difference stable in order to record stationary interferences. Although we discussed the behavior of this interferometer for classical light, it works exactly the same when a single photon is injected. The probability to detect the photon in one output port can be varied by changing the phase. It is the fiber optic version of Young’s slits experiment, where the arms of the interferometer replace the apertures. 24

the first beamsplitter. States produced by a switch are on the poles, while those resulting from the use of a 50/50 beamsplitter lie on the equator. Figure 15 illustrates this analogy. Consequently, all polarization schemes can also be implemented using phase coding. Similarly, every coding using 2-path interferometers can be realized using polarization. However, in practice one choice is often more convenient than the other, depending on circumstances like the nature of the quantum channel33 .

This interferometer combined with a single photon source and photon counting detectors can be used for QC. Alice’s set-up consists of the source, the first coupler and the first phase modulator, while Bob takes the second modulator and coupler, as well as the detectors. Let us consider the implementation of the four-states BB84 protocol. On the one hand, Alice can apply one of four phase shifts (0, π/2, π, 3π/2) to encode a bit value. She associates 0 and π/2 to bit 0, and π and 3π/2 to bit 1. On the other hand, Bob performs a basis choice by applying randomly a phase shift of either 0 or π/2, and he associates the detector connected to the output port “0” to a bit value of 0, and the detector connected to the port “1” to 1. When the difference of their phase is equal to 0 or π, Alice and Bob are using compatible bases and they obtain deterministic results. In such cases, Alice can infer from the phase shift she applied, the output port chosen by the photon at Bob’s end and hence the bit value he registered. Bob, on his side, deduces from the output port chosen by the photon, the phase that Alice selected. When the phase difference equals π/2 or 3π/2, the bases are incompatible and the photon chooses randomly which port it takes at Bob’s coupler. This is summarized in Table 1. We must stress that it is essential with this scheme to keep the path difference stable during a key exchange session. It should not change by more than a fraction of a wavelength of the photons. A drift of the length of one arm would indeed change the phase relation between Alice and Bob, and induce errors in their bit sequence. Alice Bit value φA 0 0 0 0 1 π 1 π 0 π/2 0 π/2 1 3π/2 1 3π/2

Bob φB φA − φB Bit 0 0 π/2 3π/2 0 π π/2 π/2 0 π/2 π/2 0 0 3π/2 π/2 π

1. The double Mach-Zehnder implementation

Although the scheme presented in the previous paragraph works perfectly well on an optical table, it is impossible to keep the path difference stable when Alice and Bob are separated by more than a few meters. As mentioned above, the relative length of the arms should not change by more than a fraction of a wavelength. Considering a separation between Alice and Bob of 1 kilometer for example, it is clear that it is not possible to prevent path difference changes smaller than 1µm caused by environmental variations. In his 1992 letter, Bennett also showed how to get round this problem. He suggested to use two unbalanced Mach-Zehnder interferometers connected in series by a single optical fiber (see Fig. 16), both Alice and Bob being equipped with one. When monitoring counts as a function of the time since the emission of the photons, Bob obtains three peaks (see the inset in Fig. 16). The first one corresponds to the cases where the photons chose the short path both in Alice’s and in Bob’s interferometers, while the last one corresponds to photons taking twice the long paths. Finally, the central peak corresponds to photons choosing the short path in Alice’s interferometer and the long one in Bob’s, and to the opposite. If these two processes are indistinguishable, they produce interference. A timing window can be used to discriminate between interfering and non-interfering events. Disregarding the latter, it is then possible for Alice and Bob to exchange a key. The advantage of this set-up is that both “halves” of the photon travel in the same optical fiber. They experience thus the same optical length in the environmentally sensitive part of the system, provided that the variations in the fiber are slower than their temporal separations, determined by the interferometer’s imbalance (≈ 5ns). This condition is much less difficult to fulfill. In order to obtain a good interference visibility, and hence a low error rate, the imbalancements of the interferometers must

value 0 ? 1 ? ? 0 ? 1

Table 1: Implementation of the BB84 four-states protocol with phase encoding. It is interesting to note that encoding qubits with 2paths interferometers is formally isomorphic to polarization encoding. The two arms correspond to a natural basis, and the weights cj of each qubit state ψ = −iφ/2 iφ/2 c1 e , c2 e are determined by the coupling ratio of the first beam splitter while the relative phase φ is introduced in the interferometer. The Poincar´e sphere representation, which applies to all two-levels quantum systems, can also be used to represent phase-coding states. In this case, the azimuth angle represents the relative phase between the light having propagated along the two arms. The elevation corresponds to the coupling ratio of

33

Note, in addition, that using many-path interferometers opens up the possibility to code quantum systems of dimensions larger than 2, like qutrits, ququarts, etc. (BechmannPasquinucci and Tittel 2000, Bechmann-Pasquinucci and Peres 2000, Bourennane et al. 2001a).

25

be equal within a fraction of the coherence time of the photons. This implies that the path differences must be matched within a few millimeters, which does not constitute a problem. Besides, the imbalancement must be chosen so that it is possible to clearly distinguish the three temporal peaks and thus discriminate interfering from non-interfering events. It must then typically be larger than the pulse length and than the timing jitter of the photon counting detectors. In practice, the second condition is the most stringent one. Assuming a time jitter of the order of 500ps, an imbalancement of at least 1.5ns keeps the overlap between the peaks low. The main difficulty associated with this QC scheme is that the imbalancements of Alice’s and Bob’s interferometers must be kept stable within a fraction of the wavelength of the photons during a key exchange to maintain correct phase relations. This implies that the interferometers must lie in containers whose temperature is stabilized. In addition, for long key exchanges an active system is necessary to compensate the drifts34 . Finally, in order to ensure the indistinguishability of both interfering processes, one must make sure that in each interferometer the polarization transformation induced by the short path is the same as the one induced by the long one. Alice as much as Bob must then use a polarization controller to fulfill this condition. However, the polarization transformation in short optical fibers whose temperature is kept stable, and which do not experience strains, is rather stable. This adjustment does thus not need to be repeated frequently. Paul Tapster and John Rarity from DERA working with Paul Townsend were the first ones to test this system over a fiber optic spool of 10 kilometers (1993a and 1993b). Townsend later improved the interferometer by replacing Bob’s input coupler by a polarization splitter to suppress the lateral non-interfering peaks (1994). In this case, it is unfortunately again necessary to align the polarization state of the photons at Bob’s, in addition to the stabilization of the interferometers imbalancement. He later thoroughly investigated key exchange with phase coding and improved the transmission distance (Marand and Townsend 1995, Townsend 1998b). He also tested the possibility to multiplex at two different wavelengths a quantum channel with conventional data transmission over a single optical fiber (Townsend 1997a). Richard Hughes and his co-workers from Los Alamos National Laboratory also extensively tested such an interferome-

ter (1996 and 2000b), up to distances of 48 km of installed optical fiber 35 . 2. The “Plug-&-Play” systems

As discussed in the two previous sections, both polarization and phase coding require active compensation of optical path fluctuations. A simple approach would be to alternate between adjustment periods, where pulses containing large numbers of photons are exchanged between Alice and Bob to adjust the compensating system correcting for slow drifts in phase or polarization, and qubits transmission periods, where the number of photons is reduced to a quantum level. An approach invented in 1989 by Martinelli, then at CISE Tecnologie Innovative in Milano, allows to automatically and passively compensate all polarization fluctuations in an optical fiber (see also Martinelli, 1992). Let us consider first what happens to the state of polarization of a pulse of light travelling through an optical fiber, before being reflected by a Faraday mirror – a mirror with a λ4 Faraday rotator36 – in front, and coming back. We must first define a convenient description of the change in polarization of light reflected by a mirror under perpendicular incidence. Let the mirror be in the x-y plane and z be the optical axis. Clearly, all linear polarization states are unchanged by a reflection. But right-handed circular polarization is changed into left-handed and vice-versa. Actually, after a reflection the rotation continues in the same sense, but since the propagation direction is reversed, right-handed and left-handed are swapped. The same holds for elliptic polarization states: the axes of the ellipse are unchanged,

35

Note that in this experiment Hughes and his coworkers used an unusually high mean number of photons per pulse (They used a mean photon number of approximately 0.6 in the central interference peak, corresponding to a µ ≈ 1.2 in the pulses leaving Alice. The latter value is the relevant one for an eavesdropping analysis, since Eve could use an interferometer – conceivable with present technology – where the first coupler is replaced by an optical switch and which allows her to exploit all the photons sent by Alice.). In the light of this high µ and of the optical losses (22.8 dB), one may argue that this implementation was not secure, even when taking into account only so-called realistic eavesdropping strategies (see VI I). Finally, it is possible to estimate the results that other groups would have obtained if they had used a similar value of µ. One then finds that key distribution distances of the same order could have been achieved. This illustrates that the distance is a somewhat arbitrary figure of merit for a QC system. 36 These components, commercially available, are extremely compact and convenient when using telecommunications wavelengths, which is not true for other wavelengths.

34

Polarization coding requires the optimization of three parameters (three parameters are necessary for unitary polarization control). In comparison, phase coding requires optimization of only one parameter. This is possible because the coupling ratios of the beamsplitters are fixed. Both solutions would be equivalent if one could limit the polarization evolution to rotations of the elliptic states, without changes in the ellipticity.

26

there are N such elements in front of the Faraday mirror, the change in polarization during a round trip can be expressed as (recall that the operator FTF only changes the sign of the corresponding Bloch vector m ~ = hψ|~σ |ψi):

but right and left are exchanged. Accordingly, on the Poincar´e sphere the polarization transformation upon reflection is described by a symmetry through the equatorial plane: the north and south hemispheres are exchanged: m ~ → (m1 , m2 , −m3 ). Or in terms of the qubit state vector: ∗ ψ1 ψ2 T : → (37) ψ2 ψ1∗

−1 U1−1 ...UN F T F UN ...U1 = F T F

(39)

The output polarization state is thus orthogonal to the input one, regardless of any birefringence in the fibers. This approach can thus correct for time varying birefringence changes, provided that they are slow compared to the time required for the light to make a round trip (a few hundreds of microseconds). By combining this approach with time-multiplexing in a long path interferometer, it is possible to implement a quantum cryptography system based on phase coding where all optical and mechanical fluctuations are automatically and passively compensated (Muller et al. 1997). We performed a first experiment in early 1997 (Zbinden et al., 1997), and a key was exchanged over an installed optical fiber cable of 23 km (the same one as in the case of polarization coding mentioned before). This setup features a high interference contrast (fringe visibility of 99.8%) and an excellent long term stability and clearly established the value of the approach for QC. The fact that no optical adjustments are necessary earned it the nickname of “plug & play” set-up. It is interesting to note that the idea of combining time-multiplexing with Faraday mirrors was first used to implement an “optical microphone” (Br´eguet and Gisin, 1995)38 . However, our first realization still suffered from certain optical inefficiencies, and has been improved since then. Similar to the setup tested in 1997, the new system is based on time multiplexing as well, where the interfering pulses travel along the same optical path, however, in different time ordering. A schematic is shown in Fig. 18. Briefly, to understand the general idea, pulses emitted at Bobs can travel either via the short arm at Bob’s, be reflected at the Faraday mirror FM at Alice’s and finally, back at Bobs, travel via the long arm. Or, they travel first via the long arm at Bob’s, get reflected at Alice’s, travel via the short arm at Bob’s and then superpose with the first mentioned possibility on beamsplitter C1 . We now explain the realization of this scheme more in detail: A short and bright laser pulse is injected in the system through a circulator. It splits at a coupler. One of the half pulses, labeled P1 , propagates through the short arm of Bob’s set-up directly to a polarizing beamsplitter. The polarization transformation in this arm is set so that it is fully transmitted. P1 is then sent onto the fiber optic link. The second half pulse, labeled P2 ,

This is a simple representation, but some attention has to be paid. Indeed this transformation is not a unitary one! Actually, the above description switches from a right-handed reference frame XY Z to a left handed one ˜ where Z˜ = −Z. There is nothing wrong in doing XY Z, so and this explains the non-unitary polarization transformation37 . Note that other descriptions are possible, but they require to artificially break the XY symmetry. The main reason for choosing this particular transformation is that the description of the polarization evolution in the optical fiber before and after the reflection is then ~ straightforward. Indeed, let U = e−iωB~σ ℓ/2 describe this evolution under the effect of some modal birefringence ~ in a fiber section of length ℓ (~σ is the vector whose B components are the Pauli matrices). Then, the evolution after reflection is simply described by the inverse opera~ tor U −1 = eiωB~σ ℓ/2 . Now that we have a description for the mirror, let us add the Faraday rotator. It produces a π2 rotation of the Poincar´e sphere around the northsouth axis: F = e−iπσz /4 (see Fig. 17). Because the Faraday effect is non-reciprocal (remember that it is due to a magnetic field which can be thought of as produced by a spiraling electric current), the direction of rotation around the north-south axis is independent of the light propagation direction. Accordingly, after reflection on the mirror, the second passage through the Faraday rotator rotates the polarization in the same direction (see again Fig. 17) and is described by the same operator F . Consequently, the total effect of a Faraday mirror is to change any incoming polarization state into its orthogonal state m ~ → −m. ~ This is best seen on Fig. 17, but can also be expressed mathematically: ∗ ψ1 ψ2 FTF : → (38) ψ2 −ψ1∗ Finally, the whole optical fiber can be modelled as consisting of a discrete number of birefringent elements. If

37 Note that this transformation is positive, but not completely positive. It is thus closely connected to the partial transposition map (Peres 1996). If several photons are entangled, then it is crucial to describe all of them in frames with the same chirality. Actually that this is necessary is the content of the Peres-Horodecki entanglement witness (Horodecki et al. 1996).

38 Note that since then, we have used this interferometer for various other applications: non-linear index of refraction measurement in fibers (Vinegoni et al., 2000a), optical switch (Vinegoni et al., 2000b).

27

effective repetition frequency. A storage line half long as the transmission line amounts to a reduction of the bit rate by a factor of approximately three. Researchers at IBM developed a similar system simultaneously and independently (Bethune and Risk, 2000), also working at 1300 nm. However, they avoided the problems associated with Rayleigh backscattering, by reducing the intensity of the pulses emitted by Bob. As these cannot be used for synchronization purposes any longer, they added a classical channel wavelength multiplexed (1550 nm) in the line, to allow Bob and Alice to synchronize their systems. They tested their set-up on a 10 km long optical fiber spool. Both of these systems are equivalent and exhibit similar performances. In addition, the group of Anders Karlsson at the Royal Institute of Technology in Stockholm verified in 1999 that this technique also works at a wavelength of 1550 nm (Bourennane et al., 1999 and Bourennane et al., 2000). These experiments demonstrate the potential of “plug & play”-like systems for real world quantum key distribution. They certainly constitute a good candidate for the realization of prototypes. Their main disadvantage with respect to the other systems discussed in this section is that they are more sensitive to Trojan horse strategies (see section VI K). Indeed, Eve could send a probe beam and recover it through the strong reflection by the mirror at the end of Alice’s system. To prevent such an attack, Alice adds an attenuator to reduce the amount of light propagating through her system. In addition, she must monitor the incoming intensity using a classical linear detector. Besides, systems based on this approach cannot be operated with a true single-photon source, and will thus not benefit from the progress in this field 39 .

takes the long arm to the polarizing beamsplitter. The polarization evolution is such that it is reflected. A phase modulator present in this long arm is left inactive so that it imparts no phase shift to the outgoing pulse. P2 is also sent onto the link, with a delay of the order of 200 ns. Both half pulses travel to Alice. P1 goes through a coupler. The diverted light is detected with a classical detector to provide a timing signal. This detector is also important in preventing so called Trojan Horse attacks discussed in section VI K. The non-diverted light propagates then through an attenuator and a optical delay line – consisting simply of an optical fiber spool – whose role will be explained later. Finally it passes a phase modulator, before being reflected by Faraday mirror. P2 follows the same path. Alice activates briefly her modulator to apply a phase shift on P1 only, in order to encode a bit value exactly like in the traditional phase coding scheme. The attenuator is set so that when the pulses leave Alice, they do not contain more than a fraction of a photon. When they reach the PBS after their return trip through the link, the polarization state of the pulses is exactly orthogonal to what it was when they left, thanks to the effect of the Faraday mirror. P1 is then reflected instead of being transmitted. It takes the long arm to the coupler. When it passes, Bob activates his modulator to apply a phase shift used to implement his basis choice. Similarly, P2 is transmitted and takes the short arm. Both pulses reach the coupler at the same time and they interfere. Single-photon detectors are then use to record the output port chosen by the photon. We implemented with this set-up the full four states BB84 protocol. The system was tested once again on the same installed optical fiber cable linking Geneva and Nyon (23 km, see Fig. 13) at 1300 nm and observed a very low QBERopt ≈ 1.4% (Ribordy et al. 1998 and 2000). Proprietary electronics and software were developed to allow fully automated and user-friendly operation of the system. Because of the intrinsically bi-directional nature of this system, great attention must be paid to Rayleigh backscattering. The light traveling in an optical fiber undergoes scattering by inhomogeneities. A small fraction (≈1%) of this light is recaptured by the fiber in the backward direction. When the repetition rate is high enough, pulses traveling to Alice and back from her must intersect at some point along the line. Their intensity is however strongly different. The pulses are more than a thousand times brighter before than after reflection from Alice. Backscattered photons can accompany a quantum pulse propagating back to Bob and induce false counts. We avoided this problem by making sure that pulses traveling from and to Bob are not present in the line simultaneously. They are emitted in the form of trains by Bob. Alice stores these trains in her optical delay line, which consists of an optical fiber spool. Bob waits until all the pulses of a train have reached him, before sending the next one. Although it completely solves the problem of Rayleigh backscattering induced errors, this configuration has the disadvantage of reducing the

D. Frequency coding

Phase based systems for QC require phase synchronization and stabilization. Because of the high frequency of optical waves (approximately 200 THz at 1550 nm), this condition is difficult to fulfill. One solution is to use selfaligned systems like the “plug&play” set-ups discussed in the previous section. Prof. Goedgebuer and his team from the University of Besan¸con, in France, introduced an alternative solution (Sun et al. 1995, Mazurenko et al. 1997, M´erolla et al. 1999; see also Molotkov 1998). Note that the title of this section is not completely correct in the sense that the value of the qubits is not coded in the frequency of the light, but in the relative phase between sidebands of a central optical frequency.

39 The fact that the pulses travel along a round trip implies that losses are doubled, yielding a reduced counting rate.

28

to reveal eavesdropping. In addition, it was shown that this reference beam monitoring can be extended to the four-states protocol (Huttner et al., 1995). The advantage of this set-up is that the interference is controlled by the phase of the radio-frequency oscillators. Their frequency is 6 orders of magnitude smaller than the optical frequency, and thus considerably easier to stabilize and synchronize. It is indeed a relatively simple task that can be achieved by electronic means. The Besan¸con group performed key distribution with such a system. The source they used was a DBR laser diode at a wavelength of 1540 nm and a bandwidth of 1 MHz. It was externally modulated to obtain 50 ns pulses, thus increasing the bandwidth to about 20 MHz. They used two identical LiNbO3 phase modulators operating at a frequency Ω/2π = 300M Hz. Their spectral filter was a Fabry-Perot cavity with a finesse of 55. Its resolution was 36 MHz. They performed key distribution over a 20 km long single-mode optical fiber spool, recording a QBERopt contribution of approximately 4%. They estimated that 2% can be attributed to the transmission of the central frequency by the Fabry-Perot cavity. Note also that the detector noise is relatively large due to the large pulse durations. Both these errors could be lowered by increasing the separation between the central peak and the sidebands, allowing reduced pulse widths, hence shorter detection times and lower darkcounts. Nevertheless, a compromise must be found since, in addition to technical drawbacks of high speed modulation, the polarization transformation in an optical fiber depends on the wavelength. The remaining 2% of the QBERopt is due to polarization effects in the set-up. This system is another possible candidate. It’s main advantage is the fact that it could be used with a true single-photon source, if it existed. On the other hand, the contribution of imperfect interference visibility to the error rate is significantly higher than that measured with “plug&play” systems. In addition, if this system is to be truly independent of polarization, it is essential to ensure that the phase modulators have very low polarization dependency. In addition, the stability of the frequency filter may constitute a practical difficulty.

Their system is depicted in Fig. 19. A source emits short pulses of classical monochromatic light with angular frequency ωS . A first phase modulator P MA modulates the phase of this beam with a frequency Ω ≪ ωS and a small modulation depth. Two sidebands are thus generated at frequencies ωS ± Ω. The phase modulator is driven by a radio-frequency oscillator RF OA whose phase ΦA can be varied. Finally, the beam is attenuated so that the sidebands contain much less than one photon per pulse, while the central peak remains classical. After the transmission link, the beam experiences a second phase modulation applied by P MB . This phase modulator is driven by a second radio-frequency oscillator RF OB with the same frequency Ω and a phase ΦB . These oscillators must be synchronized. After passing through this device, the beam contains the original central frequency ωS , the sidebands created by Alice, and the sidebands created by Bob. The sidebands at frequencies ωS ± Ω are mutually coherent and thus yield interference. Bob can then record the interference pattern in these sidebands, after removal of the central frequency and the higher order sidebands with a spectral filter. To implement the B92 protocol (see paragraph II D 1), Alice randomly chooses the value of the phase ΦA , for each pulse. She associates a bit value of “0” to the phase 0 and the bit “1” to phase π. Bob also chooses randomly whether to apply a phase ΦB of 0 or π. One can see that if |ΦA − ΦB | = 0, the interference is constructive and Bob’s single-photon detector has a non-zero probability of recording a count. This probability depends on the number of photons present initially in the sideband, as well as the losses induced by the channel. On the other hand, if |ΦA − ΦB | = π, interference is destructive and no count will ever be recorded. Consequently, Bob can infer, everytime he records a count, that he applied the same phase as Alice. When a given pulse does not yield a detection, the reason can be that the phases applied were different and destructive interference took place. It can also mean that the phases were actually equal, but the pulse was empty or the photon got lost. Bob cannot decide between these two possibilities. From a conceptual point of view, Alice sends one of two non-orthogonal states. There is then no way for Bob to distinguish between them deterministically. However he can perform a generalized measurement, also known as a positive operator value measurement, which will sometimes fail to give an answer, and at all other times gives the correct one. Eve could perform the same measurement as Bob. When she obtains an inconclusive result, she could just block both the sideband and the central frequency so that she does not have to guess a value and does not risk introducing an error. To prevent her from doing that, Bob verifies the presence of this central frequency. Now if Eve tries to conceal her presence by blocking only the sideband, the reference central frequency will still have a certain probability of introducing an error. It is thus possible to catch Eve in both cases. The monitoring of the reference beam is essential in all two-states protocol

E. Free space line-of-sight applications

Since optical fiber channels may not always be available, several groups are trying to develop free space lineof-sight QC systems, capable for example to distribute a key between buildings rooftops in an urban setting. It may of course sound difficult to detect single photons amidst background light, but the first experiments demonstrated the possibility of free space QC. Besides, sending photons through the atmosphere also has advantages, since this medium is essentially not birefringent (see paragraph III B 4). It is then possible to use plain polarization coding. In addition, one can ensure a very

29

high channel transmission over large distances by choosing carefully the wavelength of the photons (see again paragraph III B 4). The atmosphere has for example a high transmission “window” in the vicinity of 770 nm (transmission as high as 80% between a ground station and a satellite), which happens to be compatible with commercial silicon APD photon counting modules (detection efficiency as high as 65% and low noise). The systems developed for free space applications are actually very similar to the one shown in Fig. 12. The main difference is that the emitter and receiver are connected to telescopes pointing at each other, instead of an optical fiber. The contribution of background light to errors can be maintained at a reasonable level by using a combination of timing discrimination (coincidence windows of typically a few ns), spectral filtering (≤ 1 nm interference filters) and spatial filtering (coupling into an optical fiber). This can be illustrated with the following simple calculation. Let us suppose that the isotropic spectral background radiance is 10−2 W/m2 nm sr at 800 nm. This corresponds to the spectral radiance of a clear zenith sky with a sun elevation of 77◦ (Zissis and Larocca, 1978). The divergence θ of a Gaussian beam with radius w0 is given by θ = λ/w0 π. The product of beam (telescope) cross-section and solid angle, which is a constant, is therefore πw02 πθ2 = λ2 . By multiplying the radiance by λ2 , one obtains the spectral power density. With an interference filter of 1 nm width, the power on the detector is 6 · 10−15 W, corresponding to 2 · 104 photons per second or 2 · 10−5 photons per ns time window. This quantity is approximately two orders of magnitude larger than the dark count probability of Si APD’s, but still compatible with the requirements of QC. Besides the performance of free space QC systems depends dramatically on atmospheric conditions and air quality. This is problematic for urban applications where pollution and aerosols degrade the transparency of air. The first free space QC experiment over a distance of more than a few centimeters 40 was performed by Jacobs and Franson in 1996. They exchanged a key over a distance of 150 m in a hallway illuminated with standard fluorescent lighting and 75 m outdoor in bright daylight without excessive QBER. Hughes and his team were the first to exchange a key over more than one kilometer under outdoor nighttime conditions (Buttler et al. 1998, and Hughes et al. 2000a). More recently, they even improved their system to reach a distance of 1.6 km under daylight conditions (Buttler et al. 2000). Finally Rarity and his coworkers performed a similar experiment where they exchanged a key over a distance of 1.9 km under nighttime conditions (Gorman et al. 2000).

Before quantum repeaters become available and allow to overcome the distance limitation of fiber based QC, free space systems seem to offer the only possibility for QC over distances of more than a few dozens kilometers. A QC link could be established between ground based stations and a low orbit (300 to 1200 km) satellite. The idea is first to exchange a key kA between Alice and a satellite, using QC, next to establish another key kB between Bob and the same satellite. Then the satellite publicly announces the value K = kA ⊕ kB obtained after an XOR of the two keys (⊕ represents here the XOR operator or equivalently the binary addition modulo 2 without carry). Bob subtracts then his key from this value to recover Alice’s key (kA = K ⊖ kB ) 41 . The fact that the key is known to the satellite operator may be at first sight seen as a disadvantage. But this point might on the contrary be a very positive one for the development of QC, since governments always like to keep control of communications! Although this has not yet been demonstrated, Hughes as well as Rarity have estimated - in view of their free space experiments - that the difficulty can be mastered. The main difficulty would come from beam pointing - don’t forget that the satellites will move with respect to the ground - and wandering induced by turbulences. In order to reduce this latter problem the photons would in practice probably be sent down from the satellite. Atmospheric turbulences are indeed almost entirely concentrated on the first kilometer above the earth surface. Another possibility to compensate for beam wander is to use adaptative optics. Free space QC experiments over distances of the order of 2 km constitute major steps towards key exchange with a satellite. According to Buttler et al. (2000), the optical depth is indeed similar to the effective atmospheric thickness that would be encountered in a surface-to-satellite application. F. Multi-users implementations

Paul Townsend and colleagues investigated the application of QC over multi-user optical fiber networks (Phoenix et al 1995, Townsend et al. 1994, Townsend 1997b). They used a passive optical fiber network architecture where one Alice – the network manager – is connected to multiple network users (i.e. many Bobs, see Fig. 20). The goal is for Alice to establish a verifiably secure and unique key with each Bob. In the classical limit, the information transmitted by Alice is gathered by all Bobs. However, because of their quantum behavior,

41

This scheme could also be used with optical fiber implementation provided that secure nodes exist. In the case of a satellite, one tacitly assumes that it constitutes such a secure node.

40

Remember that Bennett and his coworkers performed the first demonstration of QC over 30 cm in air (Bennett et al. 1992a).

30

the photons are effectively routed at the beamsplitter to one, and only one, of the users. Using the double MachZehnder configuration discussed above, they tested such an arrangement with three Bobs. Nevertheless, because of the fact that QC requires a direct and low attenuation optical channel between Alice and Bob, the possibility to implement it over large and complex networks appears limited.

V. EXPERIMENTAL QUANTUM CRYPTOGRAPHY WITH PHOTON PAIRS

The possibility to use entangled photon pairs for quantum cryptography was first proposed by Ekert in 1991. In a subsequent paper, he investigated, with other researchers, the feasibility of a practical system (Ekert et al., 1992). Although all tests of Bell inequalities (for a review, see for example, Zeilinger 1999) can be seen as experiments of quantum cryptography, systems specifically designed to meet the special requirements of QC, like quick change of bases, were first implemented only recently 42 . In 1999, three groups demonstrated quantum cryptography based on the properties of entangled photons. They were reported in the same issue of Phys. Rev. Lett. (Jennewein et al. 2000b, Naik et al. 2000, Tittel et al. 2000), illustrating the fast progress in the still new field of quantum communication. When using photon pairs for QC, one advantage lies in the fact that one can remove empty pulses, since the detection of one photon of a pair reveals the presence of a companion. In principle, it is thus possible to have a probability of emitting a non-empty pulse equal to one43 . It is beneficial only because presently available single-photon detector feature high dark count probability. The difficulty to always collect both photons of a pair somewhat reduces this advantage. One frequently hears that photon-pairs have also the advantage of avoiding multi-photon pulses, but this is not correct. For a given mean photon number, the probability that a non-empty pulse contains more than one photon is essentially the same for weak pulses and for photon pairs (see paragraph III A 2). Second, using entangled photons pairs prevents unintended information leakage in unused degrees of freedom (Mayers and Yao 1998). Observing a QBER smaller than approximately 15%, or equivalently that Bell’s inequality is violated, indeed guarantees that the photons are entangled and so that the different states are not fully distinguishable through other degrees of freedom. A third advantage was indicated recently by new and elaborate eavesdropping analyses. The fact that passive state preparation can be implemented prevents multiphoton splitting attacks (see section VI J).

42

This definition of quantum cryptography applies to the famous experiment by Aspect and his co-workers testing Bell inequalities with time varying analyzers (Aspect et al., 1982). QC had however not yet been invented. It also applies to the more recent experiments closing the locality loopholes, like the one performed in Innsbruck using fast polarization modulators (Weihs et al. 1998) or the one performed in Geneva using two analyzers on each side (Tittel et al. 1999; Gisin and Zbinden 1999). 43 Photon pair sources are often, though not always, pumped continuously. In these cases, the time window determined by a trigger detector and electronics defines an effective pulse.

31

schemes, everything is as if Alice’s photon propagated backwards in time from Alice to the source and then forwards from the source to Bob.

The coupling between the optical frequency and the property used to encode the qubit, i.e. decoherence, is rather easy to master when using faint laser pulses. However, this issue is more serious when using photon pairs, because of the larger spectral width. For example, for a spectral width of 5 nm FWHM – a typical value, equivalent to a coherence √ time of 1 ps – and a fiber with a typical PMD of 0.2 ps/ km, transmission over a few kilometers induces significant depolarization, as discussed in paragraph III B 2. In case of polarization-entangled photons, this gradually destroys their correlation. Although it is in principle possible to compensate this effect, the statistical nature of the PMD makes this impractical44 . Although perfectly fine for free-space QC (see section IV E), polarization entanglement is thus not adequate for QC over long optical fibers. A similar effect arises when dealing with energy-time entangled photons. Here, the chromatic dispersion destroys the strong time-correlations between the photons forming a pair. However, as discussed in paragraph III B 3, it is possible to passively compensate for this effect using either additional fibers with opposite dispersion, or exploiting the inherent energy correlation of photon pairs. Generally speaking, entanglement based systems are far more complex than faint laser pulses set-ups. They will most certainly not be used in the short term for the realization of industrial prototypes. In addition the current experimental key creation rates obtained with these systems are at least two orders of magnitude smaller than those obtained with faint laser pulses set-ups (net rate in the order of a few tens of bits per second rather than a few thousands bits per second for a 10 km distance). Nevertheless, they offer interesting possibilities in the context of cryptographic optical networks The photon pairs source can indeed be operated by a key provider and situated somewhere in between potential QC customers. In this case, the operator of the source has no way to get any information about the key obtained by Alice and Bob. It is interesting to emphasize the close analogy between 1 and 2-photon schemes, which was first noted by Bennett, Brassard and Mermin (1992). Indeed, in a 2-photon scheme, one can always consider that when Alice detects her photon, she effectively prepares Bob’s photon in a given state. In the 1-photon analog, Alice’s detectors are replaced by sources, while the photon pair source between Alice and Bob is bypassed. The difference between these schemes lies only in practical issues, like the spectral widths of the light. Alternatively, one can look at this analogy from a different point of view: in 2-photon

A. Polarization entanglement

A first class of experiments takes advantage of polarization-entangled photon pairs. The setup, depicted in Fig. 21, is similar to the scheme used for polarization coding based on faint pulses. A two-photon source emits pairs of entangled photons flying back to back towards Alice and Bob. Each photon is analyzed with a polarizing beamsplitter whose orientation with respect to a common reference system can be changed rapidly. Two experiments, have been reported in the spring of 2000 (Jennewein et al. 2000b, Naik et al. 2000). Both used photon pairs at a wavelength of 700 nm, which were detected with commercial single photon detectors based on Silicon APD’s. To create the photon pairs, both groups took advantage of parametric downconversion in one or two BBO crystals pumped by an argon-ion laser. The analyzers consisted of fast modulators, used to rotate the polarization state of the photons, in front of polarizing beamsplitters. The group of Anton Zeilinger, then at the University of Innsbruck, demonstrated such a crypto-system, including error correction, over a distance of 360 meters (Jennewein et al. 2000b). Inspired by a test of Bell inequalities performed with the same set-up a year earlier (Weihs et al., 1998), the two-photon source was located near the center between the two analyzers. Special optical fibers, designed for guiding only a single mode at 700 nm, were used to transmit the photons to the two analyzers. The results of the remote measurements were recorded locally and the processes of key sifting and of error correction implemented at a later stage, long after the distribution of the qubits. Two different protocols were implemented: one based on Wigner’s inequality (a special form of Bell inequalities), and the other one following BB84. The group of Paul Kwiat then at Los Alamos National Laboratory, demonstrated the Ekert protocol (Naik et al. 2000). This experiment was a table-top realization with the source and the analyzers only separated by a few meters. The quantum channel consisted of a short free space distance. In addition to performing QC, the researchers simulated different eavesdropping strategies as well. As predicted by the theory, they observed a rise of the QBER with an increase of the information obtained by the eavesdropper. Moreover, they also recently implemented the six-state protocol described in paragraph II D 2, and observed the predicted QBER increase to 33% (Enzer et al. 2001). The main advantage of polarization entanglement is the fact that analyzers are simple and efficient. It is therefore relatively easy to obtain high contrast. Naik and co-workers, for example, measured a polarization

44 In the case of weak pulses we saw that a full round trip together with the use of Faraday mirrors circumvents the problem (see paragraph IV C 2). However, since the channel loss on the way from the source to the Faraday mirror inevitably increases the empty pulses fraction, the main advantage of photon pairs vanishes in such a configuration.

32

extinction of 97%, mainly limited by electronic imperfections of the fast modulators. This amounts to a QBERopt contribution of only 1.5%. In addition, the constraint on the coherence length of the pump laser is not very stringent (note that if it is shorter than the length of the crystal some difficulties can appear, but we will not mention them here). In spite of their qualities, it would be difficult to reproduce these experiments on distances of more than a few kilometers of optical fiber. As mentioned in the introduction to this chapter, polarization is indeed not robust enough to decoherence in optical fibers. In addition, the polarization state transformation induced by an installed fiber frequently fluctuates, making an active alignment system absolutely necessary. Nevertheless, these experiments are very interesting in the context of free space QC.

in Alice’s and Bob’s interferometer – non-local quantum correlation (Franson 1989)45 – see Fig. 22. The phase in the interferometers at Alice’s and Bob’s can, for example, be adjusted so that both photons always emerge from the same output port. It is then possible to exchange bits by associating values to the two ports. This is, however, not sufficient. A second measurement basis must be implemented, to ensure security against eavesdropping attempts. This can be done for example by adding a second interferometer to the systems (see Fig. 23). In the latter case, when reaching an analyzer, a photon chooses randomly to go to one or the other interferometer. The second set of interferometers can be adjusted to also yield perfect correlations between output ports. The relative phase between their arms should however be chosen so that when the photons go to interferometers not associated, the outcomes are completely uncorrelated. Such a system features a passive state preparation by Alice, yielding security against multiphoton splitting attacks (see section VI J). In addition, it also features a passive basis choice by Bob, which constitutes an elegant solution: neither a random number generator, nor an active modulator are necessary. It is nevertheless clear that QBERdet and QBERacc (defined in eq. (33)) are doubled since the number of activated detectors is twice as high. This disadvantage is however not as important as it first appears since the alternative, a fast modulator, introduces losses close to 3dB, also resulting in an increase of these error contributions. The striking similarity between this scheme and the double Mach-Zehnder arrangement discussed in the context of faint laser pulses in section IV C 1 is obvious when comparing Fig. 24 and Fig. 16! This scheme has been realized in the first half of 2000 by our group at Geneva University (Ribordy et al., 2001). It constitutes the first experiment in which an asymmetric setup, optimized for QC was used instead of a system designed for tests of Bell inequality and having a source located in the center between Alice and Bob (see Fig. 25). The two-photon source (a KNbO3 crystal pumped by a doubled Nd-YAG laser) provides energy-time entangled photons at non-degenerate wavelengths – one around 810 nm, the other one centered at 1550 nm. This choice allows to use high efficiency silicon based single photon counters featuring low noise to detect the photons of the lower wavelength. To avoid the high transmission losses at this wavelength in optical fibers, the distance between the source and the corresponding analyzer is very short,

B. Energy-time entanglement 1. Phase-coding

The other class of experiments takes advantage of energy-time entangled photon pairs. The idea originates from an arrangement proposed by Franson in 1989 to test Bell inequalities. As we will see below, it is comparable to the double Mach-Zehnder configuration discussed in section IV C 1. A source emits pairs of energycorrelated photons with both particles created at exactly the same, however uncertain time (see Fig. 22). This can be achieved by pumping a non-linear crystal with a pump of large coherence time. The pairs of downconverted photons are then split, and one photon is sent to each party down quantum channels. Both Alice and Bob possess a widely, but identically unbalanced MachZehnder interferometer, with photon counting detectors connected to the outputs. Locally, if Alice or Bob change the phase of their interferometer, no effect on the count rates is observed, since the imbalancement prevents any single-photon interference. Looking at the detection-time at Bob’s with respect to the arrival time at Alice’s, three different values are possible for each combination of detectors. The different possibilities in a time spectrum are shown in Fig. 22. First, both photons can propagate through the short arms of the interferometers. Next, one can take the long arm at Alice’s, while the other one takes the short one at Bob’s. The opposite is also possible. Finally, both photons can propagate through the long arms. When the path differences of the interferometers are matched within a fraction of the coherence length of the down-converted photons, the short-short and the long-long processes are indistinguishable, provided that the coherence length of the pump photon is larger than the path-length difference. Conditioning detection only on the central time peak, one observes two-photon interferences which depends on the sum of the relative phases

45 The imbalancement of the interferometers must be large enough so that the middle peak can easily be distinguished from the satellite ones. This minimal imbalancement is determined by the convolution of the detector’s jitter (tens of ps), the electronic jitter (from tens to hundreds of ps) and the single-photon coherence time (<1ps).

33

slots (note that she has two detectors to take into account). For instance, detection of a photon in the first slot corresponds to “pump photon having traveled via the short arm and downconverted photon via the short arm”. To keep it short, we refer to this process as | s iP , | s iA , where P stands for the pump- and A for Alice’s photon46 . However, the characterization of the complete photon pair is still ambiguous, since, at this point, the path of the photon having traveled to Bob (short or long in his interferometer) is unknown to Alice. Figure 26 illustrates all processes leading to a detection in the different time slots both at Alice’s and at Bob’s detector. Obviously, this reasoning holds for any combination of two detectors. In order to build up the secret key, Alice and Bob now publicly agree about the events where both detected a photon in one of the satellite peaks – without revealing in which one – or both in the central peak – without revealing the detector. This procedure corresponds to key-sifting. For instance, in the example discussed above, if Bob tells Alice that he also detected his photon in a satellite peak, she knows that it must have been the left peak as well. This is due to the fact that the pump photon has traveled via the short arm – hence Bob can detect his photon either in the left satellite or in the central peak. The same holds for Bob who now knows that Alice’s photon traveled via the short arm in her interferometer. Therefore, in case of joint detection in a satellite peak, Alice and Bob must have correlated detection times. Assigning a bit value to each side peak, Alice and Bob can exchange a sequence of correlated bits. The cases where both find the photon in the central time slot are used to implement the second basis. They correspond to the | s iP , | l iA | l iB and | l iP , | s iA | s iB possibilities. If these are indistinguishable, one obtains two-photon interferences, exactly as in the case discussed in the previous paragraph on phase coding. Adjusting the phases, and maintaining them stable, perfect correlations between output ports chosen by the photons at Alice’s and Bob’s interferometers are used to establish the key bits in this second basis. Phase-time coding has recently been implemented in a laboratory experiment by our group (Tittel et al., 2000) and was reported at the same time as the two polarization entanglement-based schemes mentioned above. A contrast of approximately 93% was obtained, yielding a QBERopt contribution of 3.5%, similar to that obtained with the phase coding scheme. This experiment will be repeated over long distances, since losses in optical fibers are low at the downconverted photons’ wavelength (1300 nm). An advantage of this set-up is that coding in the time basis is particularly stable. In addition, the coherence length of the pump laser is not critical anymore. It is

of the order of a few meters. The other photon, at the wavelength where fiber losses are minimal, is sent via an optical fiber to Bob’s interferometer and is then detected by InGaAs APD’s. The decoherence induced by chromatic dispersion is limited by the use of dispersionshifted optical fiber (see section III B 3). Implementing the BB84 protocols in the way discussed above, with a total of four interferometers, is difficult. They must indeed be aligned and their relative phase kept accurately stable during the whole key distribution session. To simplify this problem, we devised birefringent interferometers with polarization multiplexing of the two bases. Consequently, the constraint on the stability of the interferometers is equivalent to that encountered in the faint pulses double Mach-Zehnder system. We obtained interference visibilities of typically 92%, yielding in turn a QBERopt contribution of about 4%. We demonstrated QC over a transmission distance of 8.5 km in a laboratory setting using a fiber on a spool and generated several Mbits of key in hour long sessions. This is the largest span realized to date for QC with photon pairs. As already mentioned, it is essential for this scheme to have a pump laser whose coherence length is larger than the path imbalancement of the interferometers. In addition, its wavelength must remain stable during a key exchange session. These requirements imply that the pump laser must be somewhat more elaborate than in the case of polarization entanglement. 2. Phase-time coding

We have mentioned in section IV C that states generated by two-paths interferometers are two-levels quantum systems. They can also be represented on a Poincar´e sphere. The four-states used for phase coding in the previous section would lie on the equator of the sphere, equally distributed. The coupling ratio of the beamsplitter is indeed 50%, and they differ only by a phase difference introduced between the components propagating through either arm. In principle, the four-state protocol can be equally well implemented with only two states on the equator and the two other ones on the poles. In this section, we present a system exploiting such a set of states. Proposed by our group in 1999 (Brendel et al., 1999), the scheme follows in principle the Franson configuration described in the context of phase coding. However, it is based on a pulsed source emitting entangled photons in so-called energy-time Bell states (Tittel et al. 2000). The emission time of the photon pair is therefore given by a superposition of only two discrete terms, instead of a wide and continuous range bounded only by the large coherence length of the pump laser (see paragraph V B 1). Consider Fig. 26. If Alice registers the arrival times of the photons with respect to the emission time of the pump pulse t0 , she finds the photons in one of three time

46

34

Note that it does not constitute a product state.

however necessary to use relatively short pulses (≈ 500 ps) powerful enough to induce a significant downconversion probability. Phase-time coding, as discussed in this section, can also be realized with faint laser pulses (BechmannPasquinucci and Tittel, 2000). The 1-photon configuration has though never been realized. It would be similar to the double Mach-Zehnder discussed in paragraph IV C 1, but with the first coupler replaced by an active switch. For the time-basis, Alice would set the switch either to full transmission or to full reflection, while for the energy-basis she would set it at 50%. This illustrates how considerations initiated on photon pairs can yield advances on faint pulses systems.

VI. EAVESDROPPING A. Problems and Objectives

After the qubit exchange and bases reconciliation, Alice and Bob each have a sifted key. Ideally, these are identical. But in real life, there are always some errors and Alice and Bob must apply some classical information processing protocols, like error correction and privacy amplification, to their data (see paragraph II C 4). The first protocol is necessary to obtain identical keys, the second to obtain a secret key. Essentially, the problem of eavesdropping is to find protocols which, given that Alice and Bob can only measure the QBER, either provides Alice and Bob with a provenly secure key, or stops the protocol and informs the users that the key distribution has failed. This is a delicate question, really at the intersection between quantum physics and information theory. Actually, there is not one, but several eavesdropping problems, depending on the precise protocol, on the degree of idealization one admits, on the technological power one assumes Eve has and on the assumed fidelity of Alice and Bob’s equipment. Let us immediately stress that the complete analysis of eavesdropping on quantum channel is by far not yet finished. In this chapter we review some of the problems and solutions, without any claim of mathematical rigor nor complete cover of the huge and fast evolving literature. The general objective of eavesdropping analysis is to find ultimate and practical proofs of security for some quantum cryptosystems. Ultimate means that the security is guaranteed against entire classes of eavesdropping attacks, even if Eve uses not only the best of today’s technology, but any conceivable technology of tomorrow. They take the form of theorems, with clearly stated assumptions expressed in mathematical terms. In contrast, practical proofs deal with some actual pieces of hardware and software. There is thus a tension between “ultimate” and “practical” proofs. Indeed the first ones favor general abstract assumptions, whereas the second ones concentrate on physical implementations of the general concepts. Nevertheless, it is worth aiming at finding such proofs. In addition to the security issue, they provide illuminating lessons for our general understanding of quantum information. In the ideal game Eve has perfect technology: she is only limited by the laws of quantum mechanics, but not at all by today’s technology 47 . In particular, Eve can-

3. Quantum secret sharing

In addition to QC using phase-time coding, we used the setup depicted in Fig. 26 for the first proof-of-principle demonstration of quantum secret sharing – the generalization of quantum key distribution to more than two parties (Tittel et al., 2001). In this new application of quantum communication, Alice distributes a secret key to two other users, Bob and Charlie, in a way that neither Bob nor Charlie alone have any information about the key, but that together they have full information. Like with traditional QC, an eavesdropper trying to get some information about the key creates errors in the transmission data and thus reveals her presence. The motivation behind quantum secret sharing is to guarantee that Bob and Charlie cooperate – one of them might be dishonest – in order to obtain a given piece of information. In contrast with previous proposals using three-particle GHZ ˙ states (Zukowski et al.,1998, and Hillery et al., 1999), pairs of entangled photons in so-called energy-time Bell states were used to mimic the necessary quantum correlation of three entangled qubits, albeit only two photons exist at the same time. This is possible because of the symmetry between the preparation device acting on the pump pulse and the devices analyzing the downconverted photons. Therefore, the emission of a pump pulse can be considered as the detection of a photon with 100% efficiency, and the scheme features a much higher coincidence rate than that expected with the initially proposed “triple-photon” schemes.

47

The question whether QC would survive the discovery of the currently unknown validity limits of quantum mechanics is interesting. Let us argue that it is likely that quantum mechanics will always adequately describe photons at telecom and vsible wavelengths, like classical mechanics always adequately describes the fall of apples, whatever the future of

35

not clone the qubits, as this is incompatible with quantum dynamics (see paragraph II C 2), but Eve is free to use any unitary interaction between one or several qubits and an auxiliary system of her choice. Moreover, after the interaction, Eve may keep her auxiliary system unperturbed, in particular in complete isolation from the environment, for an arbitrarily long time. Finally, after listening to all the public discussion between Alice and Bob, she can perform the measurement of her choice on her system, being again limited only by the laws of quantum mechanics. Moreover, one assumes that all errors are due to Eve. It is tempting to assume that some errors are due to Alice’s and Bob’s instruments and this probably makes sense in practice. But there is the danger that Eve replaces them with higher quality instruments (see next section)! In the next section we elaborate on the most relevant differences between the above ideal game (ideal especially from Eve’s point of view!) and real systems. Next, we return to the idealized situation and present several eavesdropping strategies, starting from the simplest ones, where explicit formulas can be written down and ending with a general abstract security proof. Finally, we discus practical eavesdropping attacks and comment on the complexity of real system’s security.

choose a value at random. Note also that the different contributions of dark count to the total QBER depend on whether Bob’s choice of basis is implemented using an active or a passive switch (see section IV A). Next, one usually assumes that Alice and Bob have thoroughly checked their equipments and that it is functioning according to the specifications. This is not particular to quantum cryptography, but is quite a delicate question, as Eve could be the actual manufacturer of the equipment! Classical crypto-systems must also be carefully tested, like any commercial apparatuses. Testing a crypto-system is however delicate, because in cryptography the client buys confidence and security, two qualities difficult to quantify. D. Mayers and A. Yao (1998) proposed to use Bell inequality to test that the equipments really obey quantum mechanics, but even this is not entirely satisfactory. Indeed and interestingly, one of the most subtle loopholes in all present day tests of Bell inequality, the detection loophole, can be exploited to produce a purely classical software mimicking all quantum correlation (Gisin and Gisin 1999). This illustrates once again how close practical issues in QC are to philosophical debates about the foundations of quantum physics! Finally, one has to assume that Alice and Bob are perfectly isolated from Eve. Without such an assumption the entire game would be meaningless: clearly, Eve is not allowed to look over Alice’s shoulder! But this elementary assumption is again a nontrivial one. What if Eve uses the quantum channel connecting Alice to the outside world? Ideally, the channel should incorporate an isolator 48 to keep Eve from shining light into Alice’s output port to examine the interior of her laboratory. But all isolators operate only on a finite bandwidth, hence there should also be a filter. But filters have only a finite efficiency. And so on. Except for section VI K where this assumption is discussed, we henceforth assume that Alice and Bob are isolated from Eve.

B. Idealized versus real implementation

Alice and Bob use technology available today. This trivial remark has several implications. First, all real components are imperfect, so that the qubits are prepared and detected not exactly in the basis described by the theory. Moreover, a real source always has a finite probability to produce more than one photon. Depending on the details of the encoding device, all photons carry the same qubit (see section VI J). Hence, in principle, Eve could measure the photon number, without perturbing the qubit. This is discussed in section VI H. Recall that ideally, Alice should emit single qubit-photons, i.e. each logical qubit should be encoded in a single degree of freedom of a single photon. On Bob’s side the situation is, first, that the efficiency of his detectors is quite limited and, next, that the dark counts (spontaneous counts not produced by photons) are non negligible. The limited efficiency is analogous to the losses in the quantum channel. The analysis of the dark counts is more delicate and no complete solution is known. Conservatively, L¨ utkenhaus (2000) assumes in his analysis that all dark counts provide information to Eve. He also advises that whenever two detectors fire simultaneously (generally due to a real photon and a dark count), Bob should not disregard such events but

C. Individual, joint and collective attacks

In order to simplify the problem, several eavesdropping strategies of restricted generalities have been defined (L¨ utkenhaus 1996, Biham and Mor 1997a and 1997b) and analyzed. Of particular interest is the assumption that Eve attaches independent probes to each qubit and measures her probes one after the other. This class of attacks is called individual attacks, also known as incoherent attacks. This important class is analyzed in sections VI D and VI E. Two other classes of eavesdropping strategies let Eve process several qubits coherently, hence the name of coherent attacks. The most general coherent at-

48 Optical isolators, based on the Faraday effect, let light pass through only in one direction.

physics might be.

36

tacks are called joint attacks, while an intermediate class assumes that Eve attaches one probe per qubit, like in individual attacks, but can measure several probes coherently, like in coherent attacks. This intermediate class is called collective attacks. It is not known whether this class is less efficient than the most general joint one. It is also not known whether it is more efficient than the simpler individual attacks. Actually, it is not even known whether joint attacks are more efficient than individual ones! For joint and collective attacks, the usual assumption is that Eve measures her probe only after Alice and Bob have completed all their public discussion about bases reconciliation, error correction and privacy amplification. But for the more realistic individual attacks, one assumes that Eve waits only until the bases reconciliation phase of the public discussion49 . The motivation for this is that one hardly sees what Eve could gain waiting for the public discussion on error correction and privacy amplification before measuring her probes, since she is anyway going to measure them independently. Individual attacks have the nice feature that the problem can be entirely translated into a classical one: Alice, Bob and Eve all have classical information in the form of random variables α, β an ǫ, respectively, and the laws of quantum mechanics imposes constraints on the joint probability distribution P (α, β, ǫ). Such classical scenarios have been widely studied by the classical cryptology community and many results can thus be directly applied.

has to be averaged over all possible results r that Eve might get: X Ha posteriori = P (r)H(i|r) (41) r

H(i|r) = −

P (i|r) =

− Ha

posteriori

(42)

P (r|i)P (i) P (r)

(43)

P with P (r) = i P (r|i)P (i). In the case of interceptresend, Eve gets one out of 4 possible results: r ∈ {↑, ↓ , ←, →}. After the basis has been revealed, Alice’s input assumes one out of 2 values: i ∈ {↑, ↓} (assuming the ↑↓ basis was used, the other case is completely analogous). One gets P (i =↑ |r =↑) = 1, P (i =↑ |r =→) = 21 and P (r) = 12 . Hence, I(α, ǫ) = 1− 21 h(1)− 21 h( 21 ) = 1− 21 = 21 (with h(p) = p log2 (p) + (1 − p) log2 (1 − p)). Another strategy for Eve, not more difficult to implement, consists in measuring the photons in the intermediate basis (see Fig. 27), also known as the Breidbart basis (Bennett et al. 1992a). In this way the probability that Eve guesses the correct bit value is √ p = cos(π/8)2 = 12 + 42 ≈ 0.854, corresponding to a QBER=2p(1 − p) = 25% and Shannon information gain per bit of I = 1 − H(p) ≈ 0.399.

(44)

Consequently, this strategy is less advantageous for Eve than the intercept-resend one. Note however, that with this strategy Eve’s probability to guess the correct bit value is 85.%, compared to only 75% in the interceptresend case. This is possible because in the latter case Eve’s information is deterministic in half the cases, while in the first one Eve’s information is always probabilistic (formally this results from the convexity of the entropy function).

The simplest attack for Eve consists in intercepting all photons individually, to measure them in a basis chosen randomly among the two bases used by Alice and to send new photons to Bob prepared according to her result. As presented in paragraph II C 3 and assuming that the BB84 protocol is used, Eve gets thus 0.5 bit of information per bit in the sifted key, for an induced QBER of 25%. Let us illustrate the general formalism on this simple example. Eve’s mean information gain on Alice’s bit, I(α, ǫ), equals their relative entropy decrease: priori

P (i|r) log(P (i|r))

i

where the a posteriori probability of bit i given Eve’s result r is given by Bayes’s theorem:

D. Simple individual attacks: intercept-resend, measurement in the intermediate basis

I(α, ǫ) = Ha

X

E. Symmetric individual attacks

(40) In this section we present in some details how Eve could get a maximum Shannon information for a fixed QBER, assuming a perfect single qubit source and restricting Eve to attacks on one qubit after the other (i.e. individual attacks). The motivation is that this idealized situation is rather easy to treat and nicely illustrates several of the subtleties of the subject. Here we concentrate on the BB84 4-state protocol, for related results on the 2-state and the 6-state protocols see Fuchs and Peres (1996) and Bechmann-Pasquinucci and Gisin (1999), respectively.

i.e. I(α, β) is the number of bits one can save writing α when knowing β. Since the a priori probability for Alice’s bit is uniform, Ha priori = 1. The a posteriori entropy

49

With today’s technology, it might even be fair to assume, in individual attacks, that Eve must measure her probe before the basis reconciliation.

37

U | ↓, 0i = | ↓i ⊗ φ↓ + | ↑i ⊗ θ↓

The general idea of eavesdropping on a quantum channel goes as follows. When a qubit propagates from Alice to Bob, Eve can let a system of her choice, called a probe, interact with the qubit (see Fig. 28). She can freely choose the probe and its initial state, but it has to be a system satisfying the quantum rules (i.e. described in some Hilbert space). Eve can also choose the interaction, but it should be independent of the qubit state and she should follow the laws of quantum mechanics, i.e. her interaction is described by a unitary operator. After the interaction a qubit has to go to Bob (in section VI H we consider lossy channels, so that Bob does not always expect a qubit, a fact that Eve can take advantage of). It makes no difference whether this qubit is the original one (possibly in a modified state) or not. Actually the question does not even make sense since a qubit is nothing but a qubit! But in the formalism it is convenient to use the same Hilbert space for the qubit sent by Alice and that received by Bob (this is no loss of generality, since the swap operator – defined by ψ ⊗ φ → φ ⊗ ψ for all ψ,φ – is unitary and could be appended to Eve’s interaction). Let HEve and C2 ⊗HEve be the Hilbert spaces of Eve’s probe and of the total qubit+probe system, respectively. If |mi, ~ |0i and U denote the qubit and the probe’s initial states and the unitary interaction, respectively, then the state of the qubit received by Bob is given by the density matrix obtained by tracing out Eve’s probe: ~ 0ihm, ~ 0|U † ). ρBob (m) ~ = T rHEve (U |m,

where the 4 states φ↑ , φ↓ , θ↑ and θ↓ belong to Eve’s probe Hilbert space HEve and satisfy φ↑ ⊥ θ↑ and φ↓ ⊥ θ↓ . By symmetry |φ↑ |2 = |φ↓ |2 ≡ F and |θ↑ |2 = |θ↓ |2 ≡ D. Unitarity imposes F + D = 1 and hφ↑ |θ↓ i + hθ↑ |φ↓ i = 0.

11 + η m~ ~σ

2

.

| ↑, 0i + | ↓, 0i √ 2 1 = √ (| ↑i ⊗ φ↑ + | ↓i ⊗ θ↑ 2 + | ↓i ⊗ φ↓ + | ↑i ⊗ θ↓ ) = | →i ⊗ φ→ + | ←i ⊗ θ→

U | →, 0i = U

(45)

(50) (51) (52) (53)

where

(46)

Eavesdroppings that satisfy the above condition are called symmetric attacks. Since the qubit state space is 2-dimensional, the unitary operator is entirely determined by its action on two states, for example the | ↑i and | ↓i states (in this section we use spin 21 notations for the qubits). It is convenient to write the states after the unitary interaction in the Schmidt form (Peres 1997): U | ↑, 0i = | ↑i ⊗ φ↑ + | ↓i ⊗ θ↑

(49)

The φ’s correspond to Eve’s state when Bob gets the qubit undisturbed, while the θ’s are Eve’s state when the qubit is disturbed. Let us emphasize that this is the most general unitary interaction satisfying (46). One finds that the shrinking factor is given by: η = F − D. Accordingly, if Alice sends | ↑i and Bob measures in the compatible basis, then h↑ |ρBob (m)| ~ ↑i = F is the probability that Bob gets the correct result. Hence F is the fidelity and D the QBER. Note that only 4 states span Eve’s relevant state space. Hence, Eve’s effective Hilbert space is at most of dimension 4, no matter how subtle she might be51 ! This greatly simplifies the analysis. The symmetry imposes that the attack on the other basis satisfies:

The symmetry of the BB84 protocol makes it very natural to assume that Bob’s state is related to Alice’s |mi ~ by a simple shrinking factor50 η ∈ [0, 1] (see Fig. 29): ρBob (m) ~ =

(48)

1 (φ↑ + θ↑ + φ↓ + θ↓ ) 2 1 = (φ↑ − θ↑ − φ↓ + θ↓ ) 2

φ→ =

(54)

θ→

(55)

Similarly,

(47)

1 (φ↑ − θ↑ + φ↓ − θ↓ ) 2 1 = (φ↑ + θ↑ − φ↓ − θ↓ ) 2

φ← =

(56)

θ←

(57)

Condition (46) for the {| →i, | ←i} basis implies: θ→ ⊥ φ→ and θ← ⊥ φ← . By proper choice of the phases, hφ↑ |θ↓ i can be made real. By condition (49) hθ↑ |φ↓ i is then also real. Symmetry implies then hθ→ |φ← i ∈ ℜ.

50

Chris Fuchs and Asher Peres were the first ones to derive the result presented in this section, using numerical optimization. Almost simultaneously Robert Griffiths and his student Chi-Sheng Niu derived it under very general conditions and Nicolas Gisin using the symmetry argument used here. These 5 authors joined efforts in a common paper (Fuchs et al. 1997). The result of this section is thus also valid without this symmetry assumption.

51

Actually, Niu and Griffiths (1999) showed that 2dimensional probes suffice for Eve to get as much information as with the strategy presented here, though in their case the attack is not symmetric (one basis is more disturbed than the other).

38

where h(p) = −p log2 (p) − (1−) log2 (1 − p). For a given error rate D, this information is maximal when x = y. Consequently, for D = 1−cos(x) , one has: 2

A straightforward computation concludes that all scalar products among Eve’s states are real and that the φ’s generate a subspace orthogonal to the θ’s: hφ↑ |θ↓ i = hφ↓ |θ↑ i = 0.

(58)

I max (α, ǫ) = 1 − h(

Finally, using |φ→ |2 = F , i.e. that the shrinking is the same for all states, one obtains a relation between the probe states’ overlaps and the fidelity: F=

1 + hθˆ↑ |θˆ↓ i 2 − hφˆ↑ |φˆ↓ i + hθˆ↑ |θˆ↓ i

(64)

This provides the explicit and analytic optimum eavesdropping strategy. For x = 0 the QBER (i.e. D) and the information gain are zero. For x = π/2 the QBER is 21 and the information gain 1. For small QBERs, the information gain grows linearly:

(59) φ

↑ where the hats denote normalized states, e.g. φˆ↑ = √D . Consequently, the entire class of symmetric individual attacks depends only on 2 real parameters52 : cos(x) ≡ hφˆ↑ |φˆ↓ i and cos(y) ≡ hθˆ↑ |θˆ↓ i! Thanks to the symmetry, it suffices to analyze this scenario for the case that Alice sends the | ↑i state and Bob measures in the {↑, ↓} basis (if not, Alice, Bob and Eve disregard the data). Since Eve knows the basis, she knows that her probe is in one of the following two mixed states:

ρEve (↑) = F P (φ↑ ) + DP (θ↑ ) ρEve (↓) = F P (φ↓ ) + DP (θ↓ ).

1 + sin(x) ). 2

I max (α, ǫ) =

2 D + O(D)2 ≈ 2.9 D ln(2)

(65)

Once Alice, Bob and Eve have measured their quantum systems, they are left with classical random variables α, β and ǫ, respectively. Secret key agreement between Alice and Bob is then possible using only error correction and privacy amplification if and only if the Alice-Bob mutual Shannon information I(α, β) is larger than the Alice-Eve or the Bob-Eve mutual information53 , I(α, β) > I(α, ǫ) or I(α, β) > I(β, ǫ). It is thus interesting to compare Eve’s maximal information (64) with Bob’s Shannon information. The latter depends only on the error rate D:

(60) (61)

I(α, β) = 1 − h(D) = 1 + D log2 (D) + (1 − D) log2 (1 − D)

An optimum measurement strategy for Eve to distinguish between ρEve (↑) and ρEve (↓) consists in first distinguishing whether her state is in the subspace generated by φ↑ and φ↓ or the one generated by θ↑ and θ↓ . This is possible, since the two subspaces are mutually orthogonal. Eve has then to distinguish between two pure states, either with overlap cos(x), or with overlap cos(y). The first alternative happens with probability F , the second one with probability D. The optimal measurement distinguishing two states with overlap cos(x) is known to provide Eve with the correct guess with probability 1+sin(x) 2 (Peres 1997). Eve’s maximal Shannon information, attained when she does the optimal measurements, is thus given by: 1 + sin(x) I(α, ǫ) = F · 1 − h( ) (62) 2 1 + sin(y) ) (63) + D · 1 − h( 2

(66) (67)

Bob’s and Eve’s information are plotted on Fig. 30. As expected, for low error rates D, Bob’s information is larger. But, more errors provide Eve with more information, while Bob’s information gets lower. Hence, both information curves cross at a specific error rate D0 : √ 1 − 1/ 2 max ≈ 15% I(α, β) = I (α, ǫ) ⇐⇒ D = D0 ≡ 2 (68) Consequently, the security criteria against individual attacks for the BB84 protocol reads: √ 1 − 1/ 2 (69) BB84 secure ⇐⇒ D < D0 ≡ 2 For QBERs larger than D0 no (one-way communication) error correction and privacy amplification protocol can provide Alice and Bob with a secret key immune against any individual attacks.

52

Interestingly, when the symmetry is extended to a third maximally conjugated basis, as natural in the 6-state protocol of paragraph II D 2, then the number of parameters reduces to one. This parameter measures the relative quality of Bob’s and Eve’s “copy” of the qubit send by Alice. When both copies are of equal quality, one recovers the optimal cloning presented in section II F (Bechmann-Pasquinucci and Gisin 1999).

53 Note, however, that if this condition is not satisfied, other protocols might sometimes be used, see paragraph II C 5. These protocols are significantly less efficient and are usually not considered as part of “standard” QC. Note also that in the scenario analysed in this section I(β, ǫ) = I(α, ǫ).

39

Let us mention that more general classical protocols, called advantage distillation (paragraph II C 5), using two way communication, exist. These can guarantee secrecy if and only if Eve’s intervention does not disentangle Alice and Bob’s qubits (assuming they use the Ekert version of the BB84 protocol) (Gisin and Wolf 2000). If Eve optimizes her Shannon information, as discussed in this section, this√disentanglement-limit corresponds to a QBER= 1 − 1/ 2 ≈ 30% (Gisin and Wolf 1999). But, using more brutal strategies, Eve can disentangled Alice and Bob already for a QBER of 25%, see Fig. 30. The latter is thus the absolute upper limit, taking into account the most general secret-key protocols. In practice, the limit (68) is more realistic, since advantage distillation algorithms are much less efficient than the classical privacy amplification ones.

Smax (D) > 2 ⇐⇒ D < D0 ≡

There is an intriguing connection between the above tight bound (69) and the CHSH form of Bell inequality (Bell 1964, Clauser et al. 1969, Clauser and Shimony 1978, Zeilinger 1999):

G. Ultimate security proofs

The security proof of QC with perfect apparatuses and a noise-free channel is straightforward. However, the fact that security can still be proven for imperfect apparatuses and noisy channels is far from obvious. Clearly, something has to be assumed about the apparatuses. In this section we simply make the hypothesis that they are perfect. For the channel which is not under Alice and Bob’s control, however, nothing is assumed. The question is then: up to which QBER can Alice and Bob apply error correction and privacy amplification to their classical bits? In the previous sections we found that the threshold is close to a QBER of 15%, assuming individual attacks. But in principle Eve could manipulate several qubits coherently. How much help to Eve this possibility provides is still unknown, though some bounds are known. Already in 1996, Dominic Mayers (1996b) presented the main ideas on how to prove security55 . In 1998, two major papers were made public on the Los Alamos archives (Mayers 1998, and Lo and Chau 1999). Nowadays, these proofs are generally considered as valid, thanks – among

(70)

where E(a, b) is the correlation between Alice and Bob’s data when measuring σa ⊗ 11 and 11 ⊗σb , where σa denotes an observable with eigenvalues ±1 parameterized by the label a. Recall that Bell inequalities are necessarily satisfied by all local models, but are violated by quantum mechanics54 . To establish this connection, assume that the same quantum channel is used to test Bell inequality. It is well-known that√for error free channels, a maximal √ violation by a factor 2 is achievable: Smax = 2 2 > 2. However, if the channel is imperfect, or equivalently if some perturbator Eve acts on the channel, then the quantum correlation E(a, b|D) is reduced, E(a, b|D) = F · E(a, b) − D · E(a, b) = (1 − 2D) · E(a, b)

(73)

This is a surprising and appealing connection between the security of QC and tests of quantum nonlocality. One could argue that this connection is quite natural, since, if Bell inequality were not violated, then quantum mechanics would be incomplete and no secure communication could be based on such an incomplete theory. In some sense, Eve’s information is like probabilistic local hidden variables. However, the connection between (69) and (73) has not been generalized to other protocols. A complete picture of these connections is thus not yet available. Let us emphasize that nonlocality plays no direct role in QC. Indeed, generally, Alice is in the absolute past of Bob. Nevertheless, Bell inequality can be violated as well by space like separated events as by time like separated events. However, the independence assumption necessary to derive Bell inequality is justified by locality considerations only for space-like separated events.

F. Connection to Bell inequality

S ≡ E(a, b) + E(a, b′ ) + E(a′ , b) − E(a′ , b′ ) ≤ 2

√ 1 − 1/ 2 . 2

(71) (72)

where E(a, b) denote the correlation for the unperturbed channel. The achievable amount √ of violation is then reduced to Smax (D) = (1 − 2D)2 2 and for large perturbations no violation at all can be achieved. Interestingly, the critical perturbation D up to which a violation can be observed is precisely the same D0 as the limit derived in the previous section for the security of the BB84 protocol:

55 I (NG) vividly remember the 1996 ISI workshop in Torino, sponsored by Elsag-Bailey, were I ended my talk stressing the importance of security proofs. Dominic Mayers stood up, gave some explanation, and wrote a formula on a transparency, claiming that this was the result of his proof. I think it is fair to say that no one in the audience understood Mayers’ explanation. But I kept the transparency and it contains the basic eq. (76) (up to a factor 2, which corresponds to an improvement of Mayers result obtained in 2000 by Shor and Preskill, using also ideas from Lo and Chau)!

54

Let us stress that the CHSH-Bell inequality is the strongest possible for two qubits. Indeed, this inequality is violated if and only if the correlation can’t be reproduced by a local hidden variable model (Pitowski 1989).

40

d). Bob has full information on this final key, while Eve has none. The second theorem states that if Eve performs a measurement providing her with some information I(α, ǫ), then, because of the perturbation, Bob’s information is necessarily limited. Using these two theorems, the argument now runs as follows. Suppose Alice sends out a large number of qubits and that n where received by Bob in the correct basis. The relevant Hilbert space’s dimension is thus N = 2n . Let us re-label the bases used for each of the n qubits such that Alice used n times the x-basis. Hence, Bob’s observable is the n-time tensor product σx ⊗ ... ⊗ σx . By symmetry, Eve’s optimal information on the correct bases is precisely the same as her optimal information on the incorrect ones (Mayers 1998). Hence one can bound her information assuming she measures σz ⊗ ... ⊗ σz . Accordingly, c = 2−n/2 and theorem 2 implies:

others – to the works of P. Shor and J. Preskill (2000), H. Inamori et al. (2001) and of E. Biham et al. (1999). But it is worth noting that during the first years after the first disclosure of these proofs, essentially nobody in the community understood them! Here we shall present the argument in a form quite different from the original proofs. Our presentation aims at being transparent in the sense that it rests on two theorems. The proofs of the theorems are hard and will be omitted. However, their claims are easy to understand and rather intuitive. Once one accepts the theorems, the security proof is rather straightforward. The general idea is that at some point Alice, Bob and Eve perform measurements on their quantum systems. The outcomes provide them with classical random variables α, β and ǫ, respectively, with P (α, β, ǫ) the joint probability distribution. The first theorem, a standard of classical information based cryptography, states necessary and sufficient condition on P (α, β, ǫ) for the possibility that Alice and Bob extract a secret key from P (α, β, ǫ) (Csisz´ar and K¨ orner 1978). The second theorem is a clever version of Heisenberg’s uncertainty relation expressed in terms of available information (Hall 1995): it sets a bound on the sum of the information available to Bob and to Eve on Alice’s key. Theorem 1. For a given P (α, β, ǫ), Alice and Bob can establish a secret key (using only error correction and classical privacy amplification) if and only if I(α, β) ≥ I(α, ǫ) or I(α, β) ≥ I(β, ǫ), where I(α, β) = H(α) − H(α|β) denotes the mutual information, with H the Shannon entropy. Theorem 2. Let E and B be two observables in an N dimensional Hilbert space. Denote ǫ, β, |ǫi and |βi the corresponding eigenvalues and eigenvectors, respectively, and let c = maxǫ,β {|hǫ|βi|}. Then I(α, ǫ) + I(α, β) ≤ 2 log2 (N c),

I(α, ǫ) + I(α, β) ≤ 2 log2 (2n 2−n/2 ) = n

(75)

That is, the sum of Eve’s and Bob’s information per qubit is smaller or equal to 1. This is quite an intuitive result: together, Eve and Bob cannot get more information than sent out by Alice! Next, combining the bound (75) with theorem 1, one deduces that a secret key is achievable whenever I(α, β) ≥ n/2. Using I(α, β) = n (1 − D log2 (D) − (1 − D) log2 (1 − D)) one obtains the sufficient condition on the error rate D (i.e. the QBER): D log2 (D) + (1 − D) log2 (1 − D) ≤

1 2

(76)

i.e. D ≤ 11%. This bound, QBER≤11%, is precisely that obtained in Mayers proof (after improvement by P. Shor and J. Preskill (2000)). The above proof is, strickly speaking, only valid if the key is much longer than the number of qubits that Eve attacks coherently, so that the Shannon informations we used represent averages over many independent realisations of classical random variables. In other words, assuming that Eve can attack coherently a large but finite number n0 of qubits, Alice and Bob can use the above proof to secure keys much longer than n0 bits. If one assumes that Eve has an unlimited power, able to attack coherently any number of qubits, then the above proof does not apply, but Mayer’s proof can still be used and provides precisely the same bound. This 11% bound for coherent attacks is clearly compatible with the 15% bound found for individual attacks. The 15% bound is also a necessary one, since an explicit eavesdropping strategy reaching this bound is presented in section VI E. It is not known what happens in the intermediate range 11% < QBER < 15%, but the following is plausible. If Eve is limited to coherent attacks on a finite number of qubits, then in the limit of arbitrarily long keys, she has a negligibly small probability that the bits combined by Alice and Bob during the error

(74)

where I(α, ǫ) = H(α) − H(α|ǫ) and I(α, β) = H(α) − H(α|β) are the entropy differences corresponding to the probability distribution of the eigenvalues α prior to and deduced from any measurement by Eve and Bob, respectively. The first theorem states that Bob must have more information on Alice’s bits than Eve (see Fig. 31). Since error correction and privacy amplification can be implemented using only 1-way communication, theorem 1 can be understood intuitively as follows. The initial situation is depicted in a). During the public phase of the protocol, because of the 1-way communication, Eve receives as much information as Bob, the initial information difference δ thus remains. After error correction, Bob’s information equals 1, as illustrated on b). After privacy amplification Eve’s information is zero. In c) Bob has replaced all bits to be disregarded by random bits. Hence the key has still the original length, but his information has decreased. Finally, removing the random bits, the key is shortened to the initial information difference, see 41

correction and privacy amplification protocols originate from qubits attacked coherently. Consequently, the 15% bound would still be valid (partial results in favor of this conjecture can be found in Cirac and Gisin 1997, and in Bechmann-Pasquinucci and Gisin 1999). However, if Eve has unlimited power, in particular, if she can coherently attack an unlimited number of qubits, then the 11% bound might be required. To conclude this section, let us stress that the above security proof equally applies to the 6-state protocol (paragraph II D 2). It also extends straightforwardly to protocols using larger alphabets (Bechmann-Pasquinucci and Tittel 2000, Bechmann-Pasquinucci and Peres 2000, Bourennane et al. 2001a, Bourennane et al. 2001b).

by Bob, then Eve can get full information without introducing any perturbation! This is possible only when the QC protocol is not perfectly implemented, but this is a realistic situation (Huttner et al. 1995, Yuen 1997). The QND atacks have recently received a lot of attention (L¨ utkenhaus 2000, Brassard et al. 2000). The debate is not yet settled. We would like to argue that it might be unrealistic, or even unphysical, to assume that Eve can perform ideal QND attacks. Indeed, first she needs the capacity to perform QND photon number measurements. Although impossible with today’s technology, this is a reasonable assumption (Nogues et al. 1999). Next, she should be able to keep her photon until Alice and Bob reveal the basis. In principle this could be achieved using a lossless channel in a loop. We discuss this eventuality below. Another possibility would be that Eve maps her photon to a quantum memory. This does not exist today, but might well exist in the future. Note that the quantum memory should have essentially unlimited time, since Alice and Bob could easily wait for minutes before revealing the bases58 . Finally, Eve must access a lossless channel, or at least a channel with losses lower than that used by Alice and Bob. This might be the most tricky point. Indeed, besides using a shorter channel, what can Eve do? The telecom fibers are already at the physical limits of what can be achieved (Thomas et al. 2000). The loss is almost entirely due to the Rayleigh scattering which is unavoidable: solve the Schr¨odinger equation in a medium with inhomogeneities and you get scattering. And when the inhomogeneities are due to the molecular stucture of the medium, it is difficult to imagine lossless fibers! The 0.18 dB/km attenuation in silica fibers at 1550 nm is a lower bound which is based on physics, not on technology59 . Note that using the air is not a viable solution, since the attenuation at the telecom wavelengths is rather high. Vacuum, the only way to avoid Rayleigh scattering, has also limitations, due to diffraction, again an unavoidable physical phenomenon. In the end, it seems that Eve has only two possibilities left. Either she uses teleportation (with extremely high success probability and fidelity) or

H. Photon number measurements, lossless channels

In section III A we saw that all real photon sources have a finite probability to emit more than 1 photon. If all emitted photons encode the same qubit, Eve can take advantage of this. In principle, she can first measure the number of photons in each pulse, without disturbing the degree of freedom encoding the qubits56 . Such measurements are sometimes called Quantum Non Demolition (QND) measurements, because they do not perturb the qubit, in particular they do not destroy the photons. This is possible because Eve knows in advance that Alice sends a mixture of states with well defined photon numbers57 , (see section II F). Next, if Eve finds more than one photon, she keeps one and sends the other(s) to Bob. In order to prevent that Bob detects a lower qubit rate, Eve must use a channel with lower losses. Using an ideally lossless quantum channel, Eve can even, under certain conditions, keep one photon and increase the probability that pulses with more than one photon get to Bob! Thirdly, when Eve finds one photon, she may destroy it with a certain probability, such that she does not affect the total number of qubits received by Bob. Consequently, if the probability that a non-empty pulse has more than one photon (on Alice’s side) is larger than the probability that a non-empty pulse is detected

58 The quantum part of the protocol could run continuously, storing large ammount of raw classical data. But the classical part of the protocol, processing these raw data, could take place just seconds before the key is used. 59 Photonics crystal fibers have the potential to overcome the Rayleigh scaterring limit. Actually, there are two kinds of such fibers. The first kind guides light by total internal reflection, like in ordinary fibers. In these most of the light also propagates in silica, and thus the loss limit is similar. In the second kind, most of the light propagates in air, thus the theoretical loss limit is lower. However, today the losses are extremely high, in the range of hundreds of dB/km. The best reported result that we are aware of is 11 dB/km and it was obtained with a fiber of the first kind (Canning et al. 2000).

56

For polarization coding, this is quite clear. But for phase coding one may think (incorrectly) that phase and photon number are incompatible! However, the phase used for encoding is a relative phase between two modes. Whether these modes are polarization modes or correspond to different times (determined e.g. by the relative length of interferometers), does not matter. 57 Recall that a mixture of coherent states |eiφ αi with a random phase φ, as produced by lasers when no phase reference in available, is equal to a mixture R 2π of photon number states |ni with Poisson statistics: 0 |eiφ αiheiφ α| dφ = 2π P µn −µ 2 e |nihn|, where µ = |α| . n≥0 n!

42

she converts the photons to another wavelength (without perturbing the qubit). Both of these “solutions” are seemingly unrealistic in any foreseeable future. Consequently, when considering the type of attacks discussed in this section, it is essential to distinguish the ultimate proofs from the practical ones discussed in the first part of this chapter. Indeed, the assumptions about the defects of Alice and Bob’s apparatuses must be very specific and might thus be of limited interest. While for practical considerations, these assumptions must be very general and might thus be excessive.

J. Multi-photon pulses and passive choice of states

Multi-photon pulses do not necessarily constitute a threat for the key security, but limit the key creation rate because they imply that more bits must be discarded during key distillation. This fact is based on the assumption that all photons in a pulse carry the same qubit, so that Eve does not need to copy the qubit going to Bob, but merely keeps the copy that Alice inadvertently provides. When using weak pulses, it seems unavoidable that all the photons in a pulse carry the same qubit. However, in 2-photon implementations, each photon on Alice’s side chooses independently a state (in the experiments of Ribordy et al. 2001 and Tittel et al. 2000, each photon chooses randomly both its basis and its bit value; in the experiments of Naik et al. 2000 and Jennewein et al. 2000b, the bit value choice only is random). Hence, when two photon pairs are simultaneously produced, by accident, the two twins carry independent qubits. Consequently, Eve can’t take advantage of such multi-photon twin-pulses. This might be one of the main advantages of the 2-photon schemes compared to the much simpler weak-pulse schemes. But the multi-photon problem is then on Bob’s side who gets a noisy signal, consisting partly in photons not in Alice’s state!

I. A realistic beamsplitter attack

The attack presented in the previous section takes advantage of the pulses containing more than one photon. However, as discussed, it uses unrealistic assumptions. In this section, following N. L¨ utkenhaus (2000) and M. Dusek et al (2000), we briefly comment on a realistic attack, also exploiting the multiphoton pulses (for details, see Felix et al. 2001, where this and another examples are presented). Assume that Eve splits all pulses in two, analysing each half in one of the two bases, using photon counting devices able to distinguish pulses with 0, 1 and 2 photons (see Fig. 32). In practice this could be realized using many single photon counters in parallel. This requires nearly perfect detectors, but at least one does not need to assume technology completely out of today’s realm. Whenever Eve detects two photons in the same output, she sends a photon in the corresponding state into Bob’s apparatus. Since Eve’s information is classical, she can overcome all the losses of the quantum channel. In all other cases, Eve sends nothing to Bob. In this way, Eve sends a fraction 3/8 of the pulses containing at least 2 photons to Bob. On these, she introduces a QBER=1/6 and gets an information I(A, E) = 2/3 = 4 · QBER. Bob doesn’t see any reduction in the number of detected photons, provided the transmission coefficient of the quantum channel t satisfies: t≤

3µ 3 P rob(n ≥ 2|n ≥ 1) ≈ 8 16

K. Trojan Horse Attacks

All eavesdropping strategies discussed up to now consisted of Eve’s attempt to get a maximum information out of the qubits exchanged by Alice and Bob. But Eve can also follow a completely different strategy: she can herself send signals that enter Alice and Bob’s offices through the quantum channel. This kind of strategies are called Trojan horse attacks. For example, Eve can send light pulses into the fiber entering Alice or Bob apparatuses and analyze the backreflected light. In this way, it is in principle possible to detect which laser just flashed, or which detector just fired, or the settings of phase and polarization modulators. This cannot be simply prevented by using a shutter, since Alice and Bob must leave the “door open” for the photons to go out and in, respectively. In most QC-setups the amount of backreflected light can be made very small and sensing the apparatuses with light pulses through the quantum channel is difficult. Nevertheless, this attack is especially threatening in the plug-&-play scheme on Alice’s side (section IV C 2), since a mirror is used to send the light pulses back to Bob. So in principle, Eve can send strong light pulses to Alice and sense the applied phase shift. However, by applying the phase shift only during a short time ∆tphase (a few nanoseconds), Alice can oblige Eve to send the spying pulse at the same time as Bob. Remember that in the plug-&-play scheme pulse coming from Bob are macroscopic and an attenuator at Alice reduces them to the

(77)

where the last expression assumes Poissonian photon distribution. Accordingly, for a fixed QBER, this attacks provides Eve with twice the information she would get using the intercept resend strategy. To counter such an attack, Alice should use a mean photon number µ such that Eve can only use this attack on a fraction of the pulses. For example, Alice could use pulses weak enough that Eve’s mean information gain is identical to the one she would obtain with the simple intercept resend strategy (see paragraph II C 3). For 10, 14 and 20 dB attenuation, this corresponds to µ = 0.25, 0.1 and 0.025, respectively.

43

below one photon level, say 0.1 photons per pulse. Hence, if Eve wants to get, say 1 photon per pulse, she has to send 10 times Bob’s pulse energy. Since Alice is detecting Bob’s pulses for triggering her apparatus, she must be able to detect an increase of energy of these pulses in order to reveal the presence of a spying pulse. This is a relatively easy task, provided that Eve’s pulses look the same as Bob’s. But, Eve could of course use another wavelength or ultrashort pulses (or very long pulses with low intensity, hence the importance of ∆tphase ), therefore Alice must introduce an optical bandpass filter with a transmission spectrum corresponding to the sensitivity spectrum of her detector, and choose a ∆tphase that fits to the bandwidth of her detector. There is no doubt that Trojan horse attacks can be prevented by technical measures. However, the fact that this class of attacks exist illustrates that the security of QC can never be guaranteed only by the principles of quantum mechanics, but necessarily relies also on technical measures that are subject to discussions 60 .

To conclude this chapter, let us briefly elaborate on the differences and similarities between technological and mathematical complexity and on their possible connections and implications. Mathematical complexity means that the number of steps needed to run complex algorithms explodes exponentially when the size of the input data grows linearly. Similarly, one can define technological complexity of a quantum computer by an exploding difficulty to process coherently all the qubits necessary to run a (non-complex) algorithm on a linearly growing number of input data. It might be interesting to consider the possibility that the relation between these two concepts of complexity is deeper. It could be that the solution of a problem requires either a complex classical algorithm or a quantum one which itself requires a complex quantum computer61 . VII. CONCLUSION

Quantum cryptography is a fascinating illustration of the dialog between basic and applied physics. It is based on a beautiful combinations of concepts from quantum physics and information theory and made possible thanks to the tremendous progress in quantum optics and in the technology of optical fibers and of free space optical communication. Its security principle relies on deep theorems in classical information theory and on a profound understanding of the Heisenberg’s uncertainty principle, as illustrated by theorems 1 and 2 in section VI G (the only mathematically involved theorems in this review!). Let us also emphasize the important contributions of QC to classical cryptography: privacy amplification and classical bound information (paragraphs II C 4 and II C 5) are examples of concepts in classical information whose discovery were much inspired by QC. Moreover, the fascinating tension between quantum physics and relativity, as illustrated by Bell’s inequality, is not far away, as discussed in section VI F. Now, despite the huge progress over the recent years, many open questions and technological challenges remain. One technological challenge at present concerns improved detectors compatible with telecom fibers. Two other issues concern free space QC and quantum repeaters. The first is presently the only way to realize QC over thousands of kilometers using near future technology (see section IV E). The idea of quantum repeaters (section III E) is to encode the qubits in such a way that if the error rate is low, then errors can be detected and corrected entirely in the quantum domain. The hope is that

L. Real security: technology, cost and complexity

Despite the elegant and generality of security proofs, the dream of a QC system whose security relies entirely on quantum principles is unrealistic. The technological implementation of the abstract principles will always be questionable. It is likely that they will remain the weakest point in all systems. Moreover, one should remember the obvious equation: Inf inite security ⇒ Inf inite cost (78) ⇒ Zero practical interest On the other hand, however, one should not underestimate the following two advantages of QC. First, it is much easier to forecast progress in technology than in mathematics: the danger that QC breaks down overnight is negligible, contrary to public-key cryptosystems. Next, the security of QC depends on the technological level of the adversary at the time of the key exchange, contrary to complexity based systems whose coded message can be registered and broken thanks to future progress. The latter point is relevant for secrets whose value last many years. One often points at the low bit rate as one of the current limitations of QC. However, it is important to stress that QC must not necessarily be used in conjunction with one-time pad encryption. It can also be used to provide a key for a symmetrical cipher – such as AES – whose security is greatly enhanced by frequent key changes.

61

Penrose (1994) pushes these speculations even further, suggesting that spontaneous collapses stop quantum computers whenever they try to compute beyond a certain complexity.

60

Another technological loophole, recently pointed out by Kurtsiefer et al., is the possible information leakage caused by light emitted by APDs during their breakdown (2001).

44

such techniques could extend the range of quantum communication to essentially unlimited distances. Indeed, Hans Briegel, then at Innsbruck University (1998), and coworkers, showed that the number of additional qubits needed for quantum repeaters can be made smaller than the numbers of qubits needed to improved the fidelity of the quantum channel (Dur et al. 1999). One could thus overcome the decoherence problem. However, the main practical limitation is not decoherence but loss (most photons never get to Bob, but those which get there, exhibit high fidelity). On the open questions side, let us emphasize three main concerns. First, complete and realistic analyses of the security issues are still missing. Next, figures of merit to compare QC schemes based on different quantum systems (with different dimensions for example) are still awaited. Finally, the delicate question of how to test the apparatuses did not yet receive enough attention. Indeed, a potential customer of quantum cryptography buys confidence and secrecy, two qualities hard to quantify. Interestingly, both of these issues have a connection with Bell inequality (see sections VI F and VI B). But, clearly, this connection can not be phrased in the old context of local hidden variables, but rather in the context of the security of tomorrows communications. Here, like in all the field of quantum information, old concepts are renewed by looking at them from a fresh perspective: let’s exploit the quantum weirdness! QC could well be the first application of quantum mechanics at the single quanta level. Experiments have demonstrated that keys can be exchanged over distances of a few tens of kilometers at rates at least of the order of a thousand bits per second. There is no doubt that the technology can be mastered and the question is not whether QC will find commercial applications, but when. Indeed, presently QC is still very limited in distance and in secret-bit rate. Moreover, public key systems occupy the market and, being pure software, are tremendously easier to manage. Every so often, the news is that some classical ciphersystem has been broken. This would be impossible with properly implemented QC. But this apparent strength of QC might turn out to be its weak point: the security agencies would equally be unable to break quantum cryptograms!

REFERENCES Ardehali, M., H. F. Chau and H.-K. Lo, 1998, “Efficient Quantum Key Distribution”, quant-ph/9803007. Aspect, A., J. Dalibard, and G. Roger, 1982, “Experimental Test of Bell’s Inequalities Using Time-Varying Analyzers”, Phys. Rev. Lett. 49, 1804-1807. Bechmann-Pasquinucci, H., and N. Gisin, 1999, “Incoherent and Coherent Eavesdropping in the 6-state Protocol of Quantum Cryptography”, Phys. Rev. A 59, 4238-4248. Bechmann-Pasquinucci, H., and A. Peres, 2000, “Quantum cryptography with 3-state systems”, Phys. Rev. Lett. 85, 3313-3316. Bechmann-Pasquinucci, H., and W. Tittel, 2000, “Quantum cryptography using larger alphabets”, Phys. Rev. A 61, 062308-1. Bell, J.S., 1964, “On the problem of hidden variables in quantummechanics”, Review of Modern Phys. 38, 447-452; reprinted in “Speakable and unspeakable in quantum mechanics”, Cambridge University Press, New-York 1987. Bennett, Ch.H., 1992, “Quantum cryptography using any two nonorthogonal states”, Phys. Rev. Lett. 68, 3121-3124. Bennett, Ch.H. and G. Brassard, 1984, “Quantum cryptography: public key distribution and coin tossing”, Int. conf. Computers, Systems & Signal Processing, Bangalore, India, December 10-12, 175-179. Bennett, Ch.H. and G. Brassard, 1985, “Quantum public key distribution system”, IBM Technical Disclosure Bulletin, 28, 3153-3163. Bennett, Ch.H., G. Brassard and J.-M. Robert, 1988, “Privacy amplification by public discussion” SIAM J. Comp. 17, 210-229. Bennett, Ch.H., F. Bessette, G. Brassard, L. Salvail, and J. Smolin, 1992a, “Experimental Quantum Cryptography”, J. Cryptology 5, 3-28. Bennett, Ch.H., G. Brassard and Mermin N.D., 1992b, “Quantum cryptography without Bell’s theorem”, Phys. Rev. Lett. 68, 557-559. Bennett, Ch.H., G. Brassard and A. Ekert, 1992c, “Quantum cryptography”, Scientific Am. 267, 26-33 (int. ed.). Bennett, Ch.H., G. Brassard, C. Cr´epeau, R. Jozsa, A. Peres and W.K. Wootters, 1993, “Teleporting an unknown quantum state via dual classical and Einstein-Podolsky-Rosen channels”, Phys. Rev. Lett. 70, 1895-1899. Bennett, Ch.H., G. Brassard, C. Cr´epeau, and U.M. Maurer, 1995, “Generalized privacy amplification”, IEEE Trans. Information th., 41, 1915-1923. Berry, M.V., 1984, “Quantal phase factors accompanying adiabatic changes”, Proc. Roy. Soc. Lond. A 392, 45-57. Bethune, D., and W. Risk, 2000, “An Autocompensating Fiber-Optic Quantum Cryptography System Based on Polarization Splitting of Light”, IEEE J. Quantum Electron., 36, 340-347. Biham, E. and T. Mor, 1997a, “Security of quantum cryptograophy against collective attacks”, Phys. Rev. Lett. 78, 2256-1159. Biham, E. and T. Mor, 1997b, “Bounds on Information and the Security of Quantum Cryptography”, Phys. Rev. Lett. 79, 4034-4037.

ACKNOWLEDGMENTS Work supported by the Swiss FNRS and the European projects EQCSPOT and QUCOMM financed by the Swiss OFES. The authors would also like to thank Richard Hughes for providing Fig. 8, and acknowledge both referees, Charles H. Bennett and Paul G. Kwiat, for their very careful reading of the manuscript and their helpful remarks.

45

Brown, R.G.W., R. Jones, J. G. Rarity, and Kevin D. Ridley, 1987, “Characterization of silicon avalanche photodiodes for photon correlation measurements. 2: Active quenching”, Applied Optics 26, 2383-2389. Brunel, Ch., B. Lounis, Ph. Tamarat, and M. Orrit, 1999, “Triggered Source of Single Photons based on Controlled Single Molecule Fluorescence”, Phys. Rev. Lett. 83, 2722-2725. Bruss, D., 1998, “Optimal eavesdropping in quantum cryptography with six states”, Phys. Rev. Lett. 81, 3018-3021. Bruss, D., A. Ekert and C. Macchiavello, 1998, “Optimal universal quantum cloning and state estimation”, Phys. Rev. Lett. 81, 2598-2601. Buttler, W.T., R.J. Hughes, P.G. Kwiat, S. K. Lamoreaux, G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson, and C. Simmons, 1998, “Practical free-space quantum key distribution over 1 km”, Phys. Rev. Lett. 81, 3283-3286. Buttler, W.T., R.J. Hughes, S.K. Lamoreaux, G.L. Morgan, J.E. Nordholt, and C.G. Peterson, 2000, “Daylight Quantum key distribution over 1.6 km”, Phys. Rev. Lett, 84, pp. 5652-5655. Buˇzek, V. and M. Hillery, 1996, “Quantum copying: Beyond the no-cloning theorem”, Phys. Rev. A 54, 1844-1852. Cancellieri, G., 1993, “Single-mode optical fiber measurement: characterization and sensing”, Artech House, Boston & London. Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kristensen and K. Lyytikainen, 2000, “Complex mode coupling within air-silica structured optical fibers and applications”, Optics Commun. 185, 321-324 Cirac, J.I., and N. Gisin, 1997, “Coherent eavesdropping strategies for the 4- state quantum cryptography protocol”, Phys. Lett. A 229, 1-7. Clarke, M., R.B., A. Chefles, S.M. Barnett and E. Riis, 2000, “Experimental Demonstration of Optimal Unambiguous State Discrimination”, Phys. Rev. A 63, 040305. Clauser, J.F., M.A. Horne, A. Shimony and R.A. Holt, 1969, “Proposed experiment to test local hidden variable theories”, Phys. Rev. Lett. 23, 880-884. Clauser, J.F. and A. Shimony, 1978, “Bell’s theorem: experimental tests and implications”, Rep. Prog. Phys. 41, 1881-1927. Cova, S., A. Lacaita, M. Ghioni, and G. Ripamonti, 1989, “High-accuracy picosecond characterization of gain-switched laser diodes”, Optics Letters 14, 1341-1343. Cova, S., M. Ghioni, A. Lacaita, C. Samori, and F. Zappa, 1996, “Avalanche photodiodes and quenching circuits for single-photon detection”, Applied Optics 35(129), 1956-1976. Csisz´ ar, I. and K¨ orner, J., 1978, “Broadcast channels with confidential messages”, IEEE Transactions on Information Theory, Vol. IT-24, 339-348. De Martini, F., V. Mussi and F. Bovino, 2000, “Schroedinger cat states and optimum universal Quantum cloning by entangled parametric amplification”, Optics Commun. 179, 581-589. Desurvire, E., 1994, “The golden age of optical fiber amplifiers”, Phys. Today, Jan. 94, 20-27. Deutsch, D., “Quantum theory, the Church-Turing principle and the universal quantum computer”, 1985, Proc. Royal Soc. London, Ser. A 400, 97-105.

Biham, E., M. Boyer, P.O. Boykin, T. Mor and V. Roychowdhury, 1999, “A proof of the security of quantum key distribution”, quant-ph/9912053. Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Jonsson, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, “Experiments on long wavelength (1550nm) ’plug and play’ quantum cryptography systems’, Opt. Express 4,383-387 Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Hening, and J.P. Ciscar, 2000, “Experimental long wavelength quantum cryptography: from single photon transmission to key extraction protocols”, J. Mod. Optics 47, 563-579. Bourennane, M., A. Karlsson and G. Bj¨ orn, 2001a, “Quantum Key Distribution using multilevel encoding”, Phys. Rev A 64, 012306. Bourennane, M., A. Karlsson, G. Bj¨ orn, N. Gisin and N. Cerf, 2001b, “Quantum Key distribution using multilevel encoding : security analysis”, quant-ph/0106049. Braginsky, V.B. and F.Ya. Khalili, 1992, “Quantum Measurements”, Cambridge University Press. Brassard, G., 1988, “Modern cryptology”, Springer-Verlag, Lecture Notes in Computer Science, vol. 325. Brassard, G. and L. Salvail, 1993, “Secrete-key reconciliation by public discussion” In Advances in Cryptology, Eurocrypt ’93 Proceedings. Brassard, G., C. Cr´epeau, D. Mayers and L. Salvail, 1998, “The Security of quantum bit commitment schemes”, Proceedings of Randomized Algorithms, Satellite Workshop of 23rd International Symposium on Mathematical Foundations of Computer Science, Brno, Czech Republic, 13-15. Brassard, G., N. L¨ utkenhaus, T. Mor, and B.C. Sanders, 2000, “Limitations on Practical Quantum Cryptography”, Phys. Rev. Lett. 85, 1330-1333. Breguet, J., A. Muller and N. Gisin, 1994, “Quantum cryptography with polarized photons in optical fibers: experimental and practical limits”, J. Modern optics 41, 2405-2412. Breguet, J. and N. Gisin, 1995, “New interferometer using a 3x3 coupler and Faraday mirrors”, Optics Lett. 20, 14471449. Brendel, J., W. Dultz and W. Martienssen, 1995, “Geometric phase in 2-photon interference experiments”, Phys. rev. A 52, 2551-2556. Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, “Pulsed Energy-Time Entangled Twin-Photon Source for Quantum Communication”, Phys. Rev. Lett. 82 (12), 25942597. Briegel, H.-J., Dur W., J.I. Cirac, and P. Zoller, 1998, “Quantum Repeaters: The Role of Imperfect Local Operations in Quantum Communication”, Phys. Rev. Lett. 81, 5932-5935. Brouri, R., A. Beveratios, J.-P. Poizat, P. Grangier, 2000, “Photon antibunching in the fluorescence of individual colored centers in diamond”, Opt. Lett. 25, 1294-1296. Brown, R.G.W. and M. Daniels, 1989, “Characterization of silicon avalanche photodiodes for photon correlation measurements. 3: Sub-Geiger operation”, Applied Optics 28, 4616-4621. Brown, R.G.W., K. D. Ridley, and J. G. Rarity, 1986, “Characterization of silicon avalanche photodiodes for photon correlation measurements. 1: Passive quenching”, Applied Optics 25, 4122-4126.

46

G´erard, J.-M., B. Sermage, B. Gayral, B. Legrand, E. Costard, and V. Thierry-Mieg, 1998, “Enhanced Spontaneous Emission by Quantum Boxes in a Monolithic Optical Microcavity”, Phys. Rev. Lett., 81, 1110-1113. G´erard, J.-M., and B. Gayral, 1999, “Strong Purcell Effect for InAs Qantum Boxes in Three-Dimensional Solid-State Microcavities”, J. Lightwave Technology 17, 2089-2095. Gilbert, G., and M. Hamrick, 2000, “Practical Quantum Cryptography: A Comprehensive Analysis (Part One)”, MITRE Technical Report (MITRE, McLean USA), quantph/0009027. Gisin, N., 1998, “Quantum cloning without signaling”, Phys. Lett. A 242, 1-3. Gisin, N. et al., 1995, “Definition of Polarization Mode Dispersion and First Results of the COST 241 Round-Robin Measurements, with the members of the COST 241 group”, JEOS Pure & Applied Optics 4, 511-522. Gisin, N. and S. Massar, 1997, “Optimal quantum cloning machines”, Phys. Rev. Lett. 79, 2153-2156. Gisin, B. and N. Gisin, 1999, “A local hidden variable model of quantum correlation exploiting the detection loophole”, Phys. Lett. A 260, 323-327. Gisin, N., and S. Wolf, 1999, “Quantum cryptography on noisy channels: quantum versus classical key-agreement protocols”, Phys. Rev. Lett. 83, 4200-4203. Gisin, N., and H. Zbinden, 1999, “Bell inequality and the locality loophole: Active versus passive switches”, Phys. Lett. A 264, 103-107. Gisin, N., and S. Wolf, 2000a, “Linking Classical and Quantum Key Agreement: Is There “Bound Information”?, Advances in cryptology - Proceedings of Crypto 2000, Lecture Notes in Computer Science, Vol. 1880, 482-500. Gisin, N., R. Renner and S. Wolf, 2000b, “Bound information : the classical analog to bound quantum entanglement, Proceedingsof the Third European Congress of Mathematics, Barcelona, July 2000. Goldenberg, L., and L. Vaidman, 1995, “Quantum Cryptography Based on Orthogonal States”, Phys. Rev. Lett. 75, 1239-1243. Gorman, P.M., P.R. Tapster and J.G. Rarity, 2000, “Secure Free-space Key Exchange Over a 1.2 km Range Using Quantum Cryptography” (DERA Malvern, United Kingdom). Haecker, W., O. Groezinger, and M.H. Pilkuhn, 1971, “Infrared photon counting by Ge avalanche diodes”, Appl. Phys. Lett. 19, 113-115. Hall, M.J.W., 1995, “Information excusion principle for complementary observables”, Phys. Rev. Lett. 74, 33073310. Hariharan, P., M. Roy, P.A. Robinson and O’Byrne J.W., 1993, “The geometric phase observation at the single photon level”, J. Modern optics 40, 871-877. Hart, A.C., R.G. Huff and K.L. Walker, 1994, “Method of making a fiber having low polarization mode dispersion due to a permanent spin”, U.S. Patent 5,298,047. Hildebrand, E., 2001, Ph. D. thesis (Johann-Wolfgang Goethe-Universit¨ at, Frankfurt). Hillery, M., V. Buzek, and A. Berthiaume, 1999, “Quantum secret sharing”, Phys. Rev. A 59, 1829-1834. Hiskett, P. A., G. S. Buller, A. Y. Loudon, J. M. Smith, I. Gontijo, A. C. Walker, P. D. Townsend, and M. J. Robertson,

Deutsch, D., A. Ekert, R. Jozsa, C. Macchiavello, S. Popescu, and A. Sanpera, 1996, “Quantum privacy amplification and the security of quantum cryptography over noisy channels”, Phys. Rev. Lett. 77, 2818-2821; Erratum-ibid. 80, (1998), 2022. Dieks, D., 1982, “Communication by EPR devices”, Phys. Lett. A 92, 271-272. Diffie, W. and Hellman M.E., 1976, “New directions in cryptography”, IEEE Trans. on Information Theory IT-22, pp 644-654. Dur, W., H.-J. Briegel, J.I. Cirac, and P. Zoller, 1999, “Quantum repeaters based on entanglement purification”, Phys. Rev. A 59, 169-181 (see also ibid 60, 725-725). Dusek, M., M. Jahma, and N. L¨ utkenhaus, 2000, “Unambiguous state discrimination in quantum cryptography with weak coherent states”, Phys. Rev. A 62, 022306. Einstein, A., B. Podolsky, and N. Rosen, 1935, “Can quantum-mechanical description of physical reality be considered complete?”, Phys. Rev. 47, 777-780. Ekert, A.K., 1991, “Quantum cryptography based on Bell’s theorem”, Phys. Rev. Lett. 67, 661-663. Ekert, A.K., J.G. Rarity, P.R. Tapster, and G.M. Palma, 1992, “Practical quantum cryptography based on two-photon interferometry”, Phys. Rev. Lett. 69, 1293-1296. Ekert, A.K., B. Huttner, 1994, “Eavesdropping Techniques in Quantum Cryptosystems”, J. Modern Optics 41, 24552466. Ekert, A.K., 2000, “Coded secrets cracked open”, Physics World 13, 39-40. Elamari, A., H. Zbinden, B. Perny and Ch. Zimmer, 1998, “Statistical prediction and experimental verification of concatenations of fibre optic components with polarization dependent loss”, J. Lightwave Techn. 16, 332-339. Enzer, D., P. Hadley, R. Hughes, G. Peterson, and P. Kwiat, 2001, private communication. Felix, S., A. Stefanov, H. Zbinden and N. Gisin, 2001, “Faint laser quantum key distribution: Eavesdropping exploiting multiphoton pulses”, quant-ph/0102062. Fleury, L., J.-M. Segura, G. Zumofen, B. Hecht, and U.P. Wild, 2000, “Nonclassical Photon Statistics in SingleMolecule Fluorescence at Room Temperature”, Phys. Rev. Lett. 84, 1148-1151. Franson J.D., 1989, “Bell Inequality for Position and Time”, Phys. Rev. Lett. 62, 2205-2208. Franson, J.D., 1992, “Nonlocal cancellation of dispersion”, Phys. Rev. A 45, 3126-3132. Franson, J.D., and B.C. Jacobs, 1995, “Operational system for Quantum cryptography”, Elect. Lett. 31, 232-234. Freedmann, S.J. and J.F. Clauser, 1972, “Experimental test of local hidden variable theories”, Phys. rev. Lett. 28, 938-941. Fry, E.S. and R.C. Thompson, 1976, “Experimental test of local hidden variable theories”, Phys. rev. Lett. 37, 465-468. Fuchs, C.A., and A. Peres, 1996, “Quantum State Disturbance vs. Information Gain: Uncertainty Relations for Quantum Information”, Phys. Rev. A 53, 2038-2045. Fuchs, C.A., N. Gisin, R.B. Griffiths, C.-S. Niu, and A. Peres, 1997, “Optimal Eavesdropping in Quantum Cryptography. I”, Phys. Rev. A 56, 1163-172.

47

Kimble, H. J., M. Dagenais, and L. Mandel, 1977, “Photon antibunching in resonance fluorescence”, Phys. Rev. Lett. 39, 691-694. Kitson, S.C., P. Jonsson, J.G. Rarity, and P.R. Tapster, 1998, “Intensity fluctuation spectroscopy of small numbers of dye molecules in a microcavity”, Phys. Rev. A 58, 620-6627. Kolmogorow, A.N., 1956, “Foundations of the theory of probabilities”, Chelsa Pub., New-York. Kurtsiefer, Ch., S. Mayer, P. Zarda, and H. Weinfurter, 2000, “Stable Solid-State Source of Single Photons”, Phys. Rev. Lett., 85, 290-293. Kurtsiefer, Ch., P. Zarda, S. Mayer, and H. Weinfurter, 2001, “The breakdown flash of Silicon Avalanche Photodiodes – backdoor for eavesdropper attacks?”, quant-ph/0104103. Kwiat, P.G., A.M. Steinberg, R.Y. Chiao, P.H. Eberhard, M.D. Petroff, 1993, “High-efficiency single-photon detectors”, Phys. Rev.A, 48, R867-R870. Kwiat, P.G., E. Waks, A.G. White, I. Appelbaum, and P.H. Eberhard, 1999, “Ultrabright source of polarization-entangled photons”, Phys. Rev. A, 60, R773-776. Lacaita, A., P.A. Francese, F. Zappa, and S. Cova, 1994, “Single-photon detection beyond 1 µm: performance of comercially available germanium photodiodes”, Applied Optics 33, 6902-6918. Lacaita, A., F. Zappa, S. Cova, and P. Lovati, 1996, “Single-photon detection beyond 1 µm: performance of commercially available InGaAs/InP detectors. Appl. Optics 35(16), 2986-2996. Larchuk, T.S., M.V. Teich and B.E.A. Saleh, 1995, “Nonlocal cancellation of dispersive broadening in Mach-Zehnder interferometers”, Phys. Rev. A 52, 4145-4154. Levine, B.F., C.G. Bethea, and J.C. Campbell, 1985, “Room-temperature 1.3-µm optical time domain reflectometer using a photon counting InGaAs/InP avalanche detector”, Appl. Phys. Lettt. 45(4), 333-335. Li, M.J., and D.A. Nolan, 1998, “Fiber spin-profile designs for producing fibers with low PMD”, Optics Lett. 23, 16591661. Lo, H.-K., and H.F. Chau, 1998, “Why Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible”, Physica D 120, 177-187. Lo, H.-K. and H.F. Chau, 1999, “Unconditional security of quantum key distribution over arbitrary long distances” Science 283, 2050-2056; also quant-ph/9803006. L¨ utkenhaus, N., 1996, “Security against eavesdropping in Quantum cryptography”, Phys. Rev. A, 54, 97-111. L¨ utkenhaus, N., 2000, “Security against individual attacks for realistic quantum key distribution”, Phys. Rev. A, 61, 052304. Marand, C., and P.D. Townsend, 1995, “Quantum key distribution over distances as long as 30 km”, Optics Letters 20, 1695-1697. Martinelli, M., 1992, “Time reversal for the polarization state in optical systems”, J. Modern Opt. 39, 451-455. Martinelli, M., 1989, “A universal compensator for polarization changes induced by birefringence on a retracing beam”, Opt. Commun. 72, 341-344. Maurer, U.M., 1993, “Secret key agreement by public discussion from common information”, IEEE Transacions on Information Theory 39, 733-742.

2000, “Performance and Design of InGaAs/InP Photodiodes for Single-Photon Counting at 1.55 µm”, Appl. Opt. 39, 6818-6829. Hong, C.K. and L. Mandel, 1985, “Theory of parametric frequency down conversion of light”, Phys. Rev. A 31, 24092418. Hong, C.K. and L. Mandel, 1986, “Experimental realization of a localized one-photon state”, Phys. Rev. Lett. 56, 58-60. Horodecki, M., R. Horodecki and P. Horodecki, 1996, “Separability of Mixed States: Necessary and Sufficient Conditions”, Phys. Lett. A 223, 1-8. Hughes, R., G.G. Luther, G.L. Morgan and C. Simmons, 1996, “Quantum Cryptography over Underground Optical Fibers”, Lecture Notes in Computer Science 1109, 329-342. Hughes, R., W. Buttler, P. Kwiat, S. Lamoreaux, G. Morgan, J. Nordhold, G. Peterson, 2000a, “Free-space quantum key distribution in daylight”, J. Modern Opt. 47, 549-562. Hughes, R., G. Morgan, C. Peterson, 2000b, “Quantum key distribution over a 48km optical fibre network”, J. Modern Opt. 47, 533-547. Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, “Quantum Cryptography with Coherent States”, Phys. rev. A 51, 1863-1869. Huttner, B., J.D. Gautier, A. Muller H. Zbinden, and N. Gisin, 1996a, “Unambiguous quantum measurement of nonorthogonal states”, Phys. Rev. A 54, 3783-3789. Huttner, B., N. Imoto, and S.M. Barnett, 1996b, “Short distance applications of Quantum cryptography”, J. Nonlinear Opt. Phys. & Materials, 5, 823-832. Imamoglu, A., and Y. Yamamoto, 1994, “Turnstile Device for Heralded Single Photons : Coulomb Blockade of Electron and Hole Tunneling in Quantum Confined p-i-n Heterojunctions”, Phys. Rev. Lett. 72, 210-213. Inamori, H., L. Rallan, and V. Vedral, 2000, “Security of EPR-based Quantum Cryptography against Incoherent Symmetric Attacks”, quant-ph/0103058. Ingerson, T.E., R.J. Kearney, and R.L. Coulter, 1983, “Photon counting with photodiodes”, Applied Optics 22, 2013-2018. Ivanovic, I.D., 1987, “How to differentiate between nonorthogonal states”, Phys. Lett. A 123, 257-259. Jacobs, B., and J. Franson, 1996, “Quantum cryptography in free space”, Optics Letters 21, 1854-1856. Jennewein, T., U. Achleitner, G. Weihs, H. Weinfurter and A. Zeilinger, 2000a “A fast and compact quantum random number generator”, Rev. Sci. Inst. 71, 1675-1680 and quantph/9912118. Jennewein, T., C. Simon, G. Weihs, H. Weinfurter, and A. Zeilinger, 2000b “Quantum Cryptography with Entangled Photons”, Phys. Rev. Lett. 84, 4729-4732 Karlsson, A., M. Bourennane, G. Ribordy, H. Zbinden, J. Brendel, J. Rarity, and P. Tapster, 1999, “A single-photon counter for long-haul telecom”, IEEE Circuits & Devices 15, 34-40. Kempe, J., Simon Ch., G. Weihs and A. Zeilinger, 2000, “Optimal photon cloning”, Phys. Rev. A 62, 032302. Kim, J., O. Benson, H. Kan, and Y. Yamamoto, 1999, “A single-photon turnstile device”, Nature, 397, 500-503.

48

Penrose, R., 1994, “Shadows of the mind”, Oxford University Press. Peres, A., 1988, “How to differentiate between two nonorthogonal states”, Phys. Lett. A 128, 19. Peres, A., 1996, “Separability criteria for density matrices”, Phys. Rev. Lett. 76, 1413-1415. Peres, A., 1997, Quantum Theory: Concepts and Methods, Kluwer, Dordrecht. Phoenix, S.J.D., S.M. Barnett, P.D. Townsend, and K.J. Blow, 1995, “Multi-user Quantum cryptography on optical networks”, J. Modern optics, 6, 1155-1163. Piron, C., 1990, “M´ecanique quantique”, Presses Polytechniques et Universitaires Romandes, Lausanne, Switzerland, pp 66-67. Pitowsky, I., 1989, “Quantum probability, quantum logic”, Lecture Notes in Physics 321, Heidelberg, Springer. Rarity, J. G. and P.R. Tapster, 1988, “Nonclassical effects in parametric downconversion”, in “Photons & Quantum Fluctuations”, eds Pike & Walther, Adam Hilger. Rarity, J. G., P.C.M. Owens and P.R. Tapster, 1994, “Quantum random-number generation and key sharing”, Journal of Modern Optics 41, 2435-2444. Rarity, J. G., T. E. Wall, K. D. Ridley, P. C. M. Owens, and P. R. Tapster, 2000, “Single-Photon Counting for the 1300-1600-nm Range by Use of Peltier-Cooled and Passively Quenched InGaAs Avalanche Photodiodes”, Appl. Opt. 39, 6746-6753. Ribordy, G., J. Brendel, J.D. Gautier, N. Gisin, and H. Zbinden, 2001, “Long distance entanglement based quantum key distribution”, Phys. Rev. A 63, 012309. Ribordy, G., J.-D. Gautier, N. Gisin, O. Guinnard, H. Zbinden, 2000, “Fast and user-friendly quantum key distribution”, J. Modern Opt., 47, 517-531 Ribordy, G., J.D. Gautier, H. Zbinden and N. Gisin, 1998, “Performance of InGaAsInP avalanche photodiodes as gatedmode photon counters”, Applied Optics 37, 2272-2277. Rivest, R.L., Shamir A. and Adleman L.M., 1978, “A Method of Obtaining Digital Signatures and Public-Key Cryptosystems” Communications of the ACM 21, 120-126. Santori, C., M. Pelton, G. Solomon, Y. Dale, and Y. Yamamoto, 2000, “Triggered single photons from a quantum dot” (Stanford University, Palo Alto, California). Shannon, C.E., 1949, “Communication theory of secrecy systems”, Bell System Technical Journal 28, 656-715. Shih, Y.H. and C.O. Alley, 1988, “New type of EinsteinPodolsky-Rosen-Bohm Experiment Using Pairs of Light Quanta Produced by Optical Parametric Down Conversion”, Phys. Rev. Lett. 61, 2921-2924. Shor, P.W., 1994, “Algoritms for quantum computation: discrete logarithms and factoring”, Proceedings of the 35th Symposium on Foundations of Computer Science, Los Alamitos, edited by Shafi Goldwasser (IEEE Computer Society Press), 124-134. Shor, P.W., and J. Preskill, 2000, “Simple proof of security of the BB84 Quantum key distribution protocol”, Phys. Rev. Lett. 85, 441-444. Simon, C., G. Weihs, and A. Zeilinger, 1999, “Quantum Cloning and Signaling”, Acta Phys. Slov. 49, 755-760. Simon, C., G. Weihs, A. Zeilinger, 2000, “Optimal Quantum Cloning via Stimulated Emission”, Phys. Rev. Lett. 84,

Maurer, U.M., and S. Wolf, 1999, “Unconditionnally secure key agreement and intrinsic information”, IEEE Transactions on Information Theory, 45, 499-514. Mayers, D., 1996a, “The Trouble with Quantum Bit Commitment”, quant-ph/9603015. Mayers, D., 1996b, “Quantum key distribution and string oblivious transfer in noisy channels”, Advances in Cryptology — Proceedings of Crypto ’96, Springer - Verlag, 343-357. Mayers, D., 1997, “Unconditionally secure Q bit commitment is impossible”, Phys. Rev. Lett. 78, 3414-3417. Mayers, D., 1998, “Unconditional security in quantum cryptography”, Journal for the Association of Computing Machinery (to be published); also in quant-ph/9802025. Mayers, D., and A. Yao, 1998, “Quantum Cryptography with Imperfect Apparatus”, Proceedings of the 39th IEEE Conference on Foundations of Computer Science. Mazurenko, Y., R. Giust, and J.P. Goedgebuer, 1997, “Spectral coding for secure optical communications using refractive index dispersion”, Optics Commun. 133, 87-92. M´erolla, J-M., Y. Mazurenko, J.P. Goedgebuer, and W.T. Rhodes, 1999, “Single- photon interference in sidebands of phase-modulated light for Quantum cryptography”, Phys. Rev. Lett, 82, 1656-1659. Michler, P., A. Kiraz, C. Becher, W. V. Schoenfeld, P. M. Petroff, L. Zhang, E. Hu, and A. Imamoglu, 2000, “A quantum dot single photon turnstile device”, Science (in press). Milonni, P.W. and Hardies, M.L., 1982, “Photons cannot always be replicated”, Phys. Lett. A 92, 321-322. Molotkov, S.N., 1998, “Quantum crypto using photon frequency states (example of a possible relaization)”, J. Exp. & Theor. Physics 87, 288-293. Muller, A., J. Breguet and N. Gisin, 1993, “Experimental demonstration of quantum cryptography using polarized photons in optical fiber over more than 1 km”, Europhysics Lett. 23, 383-388. Muller, A., H. Zbinden and N. Gisin, 1995, “Underwater quantum coding”, Nature 378, 449-449. Muller, A., H. Zbinden and N. Gisin, 1996, “Quantum cryptography over 23 km in installed under-lake telecom fibre”, Europhysics Lett. 33, 335-339 Muller, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin, 1997, “ ‘Plug and play’ systems for quantum cryptography”, Applied Phys. Lett. 70, 793-795. Naik, D., C. Peterson, A. White, A. Berglund, and P. Kwiat, 2000, “Entangled State Quantum Cryptography: Eavesdropping on the Ekert Protocol”, Phys. Rev. Lett. 84, 4733-4736 Neumann, E.-G., 1988, “Single-mode fibers: fundamentals”, Springer series in Optical Sciences, vol. 57. Niu, C. S. and R. B. Griffiths, 1999, “Two-qubit copying machine for economical quantum eavesdropping” Phys. Rev. A 60, 2764-2776. Nogues, G., A. Rauschenbeutel, S. Osnaghi, M. Brune, J.M. Raimond and S. Haroche, 1999, “Seeing a single photon without destroying it”, Nature 400, 239-242. Owens, P.C.M., J.G. Rarity, P.R. Tapster, D. Knight, and P.D. Townsend, 1994, “Photon counting with passively quenched germanium avalanche”, Applied Optics 33, 68956901.

49

over installed fibre using WDM”, Elect. Lett. 33, 188-190. Townsend, P., 1997b, “Quantum cryptography on multiuser optical fiber networks”, Nature 385, 47-49. Townsend, P., 1998a, “Experimental Investigation of the Performance Limits for First Telecommunications-Window Quantum Cryptography Systems”, IEEE Photonics Tech. Lett. 10, 1048-1050. Townsend, P., 1998b, “Quantum Cryptography on Optical Fiber Networks”, Opt. Fiber Tech. 4, 345-370. Townsend, P., J.G. Rarity, and P.R. Tapster, 1993a, “Single photon interference in a 10 km long optical fiber interferometer”, Electron. Lett. 29, 634-639. Townsend, P., J. Rarity, and P. Tapster, 1993b, “Enhanced single photon fringe visibility in a 10km-long prototype quantum cryptography channel”, Electron. Lett. 29, 1291-1293. Townsend, P.D., S.J.D. Phoenix, K.J. Blow, and S.M. Barnett, 1994, “Design of QC systems for passive optical networks”, Elect. Lett, 30, pp. 1875-1876. Vernam, G., 1926, “Cipher printing telegraph systems for secret wire and radio telegraphic communications”, J. Am. Institute of Electrical Engineers Vol. XLV, 109-115. Vinegoni, C., M. Wegmuller and N. Gisin, 2000a, “Determination of nonlinear coefficient n2/Aeff using self-aligned interferometer and Faraday mirror”, Electron. Lett. 36, 886-888. Vinegoni, C., M. Wegmuller, B. Huttner and N. Gisin, 2000b, “Measurement of nonlinear polarization rotation in a highly birefringent optical fiber using a Faraday mirror”, J. of Optics A 2, 314-318. Walls, D.F. and G.J. Milburn, 1995, “Quantum optics”, Springer-verlag. Weihs, G., T. Jennewein, C. Simon, H. Weinfurter, and A. Zeilinger, 1998, ”Violation of Bell’s Inequality under Strict Einstein Locality Conditions”, Phys. Rev. Lett. 81, 50395043. Wiesner, S., 1983, “Conjugate coding”, Sigact news, 15:1, 78-88. Wigner, E.P., 1961, “The probability of the existence of a self-reproducing unit”, in “The logic of personal knowledge” Essays presented to Michael Polanyi in his Seventieth birthday, 11 March 1961 Routledge & Kegan Paul, London, pp 231-238. Wooters, W. K. and Zurek, W.H., 1982, “A single quanta cannot be cloned”, Nature 299, 802-803. Yuen, H.P., 1997, “Quantum amplifiers, Quantum duplicators and Quantum cryptography”, Quantum & Semiclassical optics, 8, p. 939. Zappa, F., A. Lacaita, S. Cova, and P. Webb, 1994, “Nanosecond single-photon timing with InGaAs/InP photodiodes”, Opt. Lett. 19, 846-848. Zbinden, H., J.-D. Gautier, N. Gisin, B. Huttner, A. Muller, and W. Tittel, 1997, “Interferometry with Faraday mirrors for quantum cryptography”, Electron. Lett. 33, 586588. Zeilinger, A., 1999, “Experiment and the foundations of quantum physics”, Rev. Mod. Phys. 71, S288-S297. Zissis, G., and A. Larocca, 1978, “Optical Radiators and Sources”, Handbook of Optics, edited by W. G. Driscoll (McGraw-Hill, New York), Sec. 3. ˙ Zukowski, M., A. Zeilinger, M.A. Horne and A. Ekert, 1993, “ ‘Event-ready-detectors’ Bell experiment via entanglement

2993-2996. Singh, S., 1999, “The code book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography” (Fourh Estate, London), see Ekert 2000 for a review. Snyder, A.W., 1983, “Optical waveguide theory”, Chapman & Hall, London. Spinelli, A., L.M. Davis, H. Dauted, 1996, “Actively quenched single-photon avalanche diode for high repetition rate time-gated photon counting”, Rev. Sci. Instrum 67, 55-61. Stallings, W., 1999, “Cryptography and network security: principles and practices”, (Prentice Hall, Upper Saddle River, New Jersey, United States). Stefanov, A., O. Guinnard, L. Guinnard, H. Zbinden and N. Gisin, 2000, “Optical Quantum Random Number Generator”, J. Modern Optics 47, 595-598. Steinberg, A.M., P. Kwiat and R.Y. Chiao, 1992a, “Dispersion cancellation and high-resolution time measurements in a fourth-order optical interferometer”, Phys. Rev. A 45, 6659-6665. Steinberg, A.M., P. Kwiat and R.Y. Chiao, 1992b, “Dispersion Cancellation in a Measurement of the Single-Photon Propagation Velocity in Glass”, Phys. Rev. Lett. 68, 24212424. Stucki, D., G. Ribordy, A. Stefanov, H. Zbinden, J. Rarity and T. Wall, 2001, “Photon counting for quantum key distribution with Peltier cooled InGaAs/InP APD’s”, preprint, University of Geneva, Geneva. Sun, P.C., Y. Mazurenko, and Y. Fainman, 1995, “Longdistance frequency-division interferometer for communication and quantum cryptography”, Opt. Lett. 20, 1062-1063. Tanzilli, S., H. De Riedmatten, W. Tittel, H. Zbinden, P. Baldi, M. De Micheli, D.B. Ostrowsky, and N. Gisin, 2001, “Highly efficient photon-pair source using a Periodically Poled Lithium Niobate waveguide”, Electr. Lett. 37, 26-28. Tapster, P.R., J.G. Rarity, and P.C.M. Owens, 1994, “Violation of Bell’s Inequality over 4 km of Optical Fiber”, Phys. Rev. Lett. 73, 1923-1926. Thomas, G.A., B.I. Shraiman, P.F. Glodis and M.J. Stephen, 2000, “Towards the clarity limit in optical fiber”, Nature 404, 262-264. Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 1998, “Violation of Bell inequalities by photons more than 10 km apart”, Phys. Rev. Lett. 81, 3563-3566. Tittel, W., J. Brendel, H. Zbinden and N. Gisin, 1999, “Long-distance Bell-type tests using energy-time entangled photons”, Phys. Rev. A 59, 4150-4163. Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 2000, “Quantum Cryptography Using Entangled Photons in Energy-Time Bell States”, Phys. Rev. Lett. 84, 4737-4740 Tittel, W., H. Zbinden, and N. Gisin, 2001, “Experimental demonstration of quantum secret sharing”, Phys. Rev. A 63, 042301. Tomita, A. and R. Y. Chiao, 1986, “Observation of Berry’s topological phase by use of an optical fiber”, Phys. Rev. Lett. 57, 937-940. Townsend, P., 1994, “Secure key distribution system based on Quantum cryptography”, Elect. Lett. 30, 809-811. Townsend, P., 1997a, “Simultaneous Quantum cryptographic key distribution and conventional data transmission

50

swapping”, Phys. Rev. Lett. 71, 4287-4290. ˙ Zukowski, M., A. Zeilinger, M. Horne, and H. Weinfurter, 1998, “Quest for GHZ states”, Acta Phys. Pol. A 93, 187195.

FIGURES

FIG. 1. Implementation of the BB84 protocol. The four states lie on the equator of the Poincar´e sphere.

FIG. 2. Poincar´e sphere with a representation of six states that can be used to implement the generalization of the BB84 protocol.

FIG. 3. EPR protocol, with the source and a Poincar´e representation of the four possible states measured independently by Alice and Bob.

51

Attenuation [dB/km]

3

1 OH absorption

Rayleigh backscattering

0.3 infrared absorption

UV absorption

0.1 0.6

1.0

0.8

1.2

1.4

1.6

1.8

Wavelength [mm]

FIG. 6. Transmission losses versus wavelength in optical fibers. Electronic transitions in SiO2 lead to absorption at lower wavelengths, excitation of vibrational modes to losses at higher wavelength. Superposed is the absorption due to Rayleigh backscattering and to transitions in OH groups. Modern telecommunication is based on wavelength around 1.3 µm (second telecommunication window) and around 1.5 µm (third telecommunication window).

FIG. 4. Illustration of protocols exploiting EPR quantum systems. To implement the BB84 quantum cryptographic protocol, Alice and Bob use the same bases to prepare and measure their particles. A representation of their states on the Poincar´e sphere is shown. A similar setup, but with Bob’s bases rotated by 45◦ , can be used to test the violation of Bell inequality. Finally, in the Ekert protocol, Alice and Bob may use the violation of Bell inequality to test for eavesdropping.

wavelength [nm] 1280 500

1295 signal idler

group delay [ps]

400 300

1325

1310

1340

ω0 ωS2

ωi2

t2

200 100 ωS1

0 2.34

2.315

ωi1

2.29

2.265 14

frequency [10

t1

2.24

Hz]

FIG. 7. Illustration of cancellation of chromatic dispersion effects in the fibers connecting an entangled-particle source and two detectors. The figure shows differential group delay (DGD) curves for two slightly different, approximately 10 km long fibers. Using frequency correlated photons with central frequency ω0 – determined by the properties of the fibers –, the difference of the propagation times t2 − t1 between signal (at ωs 1, ωs 2) and idler photon (at ωi 1, ωi 2) is the same for all ωs , ωi . Note that this cancellation scheme is not restricted to signal and idler photons at nearly equal wavelengths. It applies also to asymmetrical setups where the signal photon (generating the trigger to indicate the presence of the idler photon) is at a short wavelength of around 800 nm and travels only a short distance. Using a fiber with appropriate zero dispersion wavelength λ0 , it is still possible to achieve equal DGD with respect to the energy-correlated idler photon at telecommunication wavelength, sent through a long fiber.

FIG. 5. Photo of our entangled photon-pair source as used in the first long-distance test of Bell inequalities (Tittel et al. 1998). Note that the whole source fits in a box of only 40 × 45 × 15cm3 size, and that neither special power supply nor water cooling is necessary.

52

FIG. 10. Normalized net key creation rate ρnet as a function of the distance in optical fibers. For n = 1, Alice uses a perfect single photon source. For n > 1, the link is divided into n equal length sections and n/2 2-photon sources are distributed between Alice and Bob. Parameters: detection efficiency η = 10%, dark count probability pdark = 10−4 , fiber attenuation α = 0.25 dB/km.

1'000'000

Rnet [bit/s]

100'000

FIG. 8. Transmission losses in free space as calculated using the LOWTRAN code for earth to space transmission at the elevation and location of Los Alamos, USA. Note that there is a low loss window at around 770 nm – a wavelength where high efficiency Silicon APD’s can be used for single photon detection (see also Fig. 9 and compare to Fig. 6).

1550 nm "single"

1'000 100 800 nm

1300 nm

10

1550 nm

1 0

20

40 60 80 Distance [km]

100

120

FIG. 11. Bit rate after error correction and privacy amplification vs. fiber length. The chosen parameters are: pulse rates 10 Mhz for faint laser pulses (µ = 0.1) and 1 MHz for the case of ideal single photons (1550 nm “single”); losses 2, 0.35 and 0.25 dB/km, detector efficiencies 50%, 20% and 10%, and dark count probabilities 10−7 , 10−5 , 10−5 for 800nm, 1300nm and 1550 nm respectively. Losses at Bob and QBERopt are neglected.

1E-13 InGaAs APD 150 K

NEP [W/Hz1/2]

10'000

1E-14 1E-15 Ge APD 77 K

1E-16

Si APD

1E-17 400

600

800

1000

1200

1400

1600

1800

Wavelength [nm]

FIG. 9. Noise equivalent power as a function of wavelength for Silicon, Germanium, and InGaAs/InP APD’s.

FIG. 12. Typical system for quantum cryptography using polarization coding (LD: laser diode, BS: beamsplitter, F: neutral density filter, PBS: polarizing beam splitter, λ/2: half waveplate, APD: avalanche photodiode).

0.0 -10.0 n=1

10 Log (ρ ρnet)

-20.0 -30.0 -40.0

n=2

-50.0

n=4

-60.0 -70.0 -80.0 -90.0 0

25

50

75

100

125

150

175

200

Distance [km]

53

FIG. 15. Poincar´e sphere representation of two-levels quantum states generated by two-paths interferometers. The states generated by an interferometer where the first coupler is replaced by a switch correspond to the poles. Those generated with a symetrical beamsplitter are on the equator. The azimuth indicates the phase between the two paths.

FIG. 13. Geneva and Lake Geneva. The Swisscom optical fiber cable used for quantum cryptography experiments runs under the lake between the town of Nyon, about 23 km north of Geneva, and the centre of the city.

FIG. 16. Double Mach-Zehnder implementation of an interferometric system for quantum cryptography (LD: laser diode, PM: phase modulator, APD: avalanche photodiode). The inset represents the temporal count distribution recorded as a function of the time passed since the emission of the pulse by Alice. Interference is observed in the central peak.

FIG. 14. Conceptual interferometric set-up for quantum cryptography using an optical fiber Mach-Zehnder interferometer (LD: laser diode, PM: phase modulator, APD: avalanche photodiode). FIG. 17. Evolution of the polarization state of a light pulse represented on the Poincar´e sphere over a round trip propagation along an optical fiber terminated by a Faraday mirror.

FIG. 18. Self-aligned “Plug & Play” system (LD: laser diode, APD: avalanche photodiode, Ci : fiber coupler, PMj : phase modulator, PBS: polarizing beamsplitter, DL: optical delay line, FM: Faraday mirror, DA : classical detector).

54

FIG. 23. System for phase-coding entanglement based quantum cryptography (APD: avalanche photodiode). The photons choose their bases randomly at Alice and Bob’s couplers.

FIG. 19. Implementation of sideband modulation (LD: laser diode, A: attenuator, PMi : optical phase modulator, Φj : electronic phase controller, RFOk : radio frequency oscillator, FP: Fabry-Perot filter, APD: avalanche photodiode).

FIG. 24. Quantum cryptography system exploiting photons entangled in energy-time and active basis choice. Note the similarity with the faint laser double Mach-Zehnder implementation depicted in Fig. 16. FIG. 20. Multi-users implementation of quantum cryptography with one Alice connected to three Bobs by optical fibers. The photons sent by Alice randomly choose to go to one or the other Bob at a coupler.

FIG. 25. Schematic diagram of the first system designed and optimized for long distance quantum cryptography and exploiting phase coding of entangled photons.

Laser

FIG. 21. Typical system for quantum cryptography exploiting photon pairs entangled in polarization (PR: active polarization rotator, PBS: polarizing beamsplitter, APD: avalanche photodiode).

Alice

Bob

α

single count rate

single count rate

s P, l A ; l P, s

β

source

α

s P, s

β

α

coincidence count rate

long/long+ short/short

60 short/long

long/short

40 20

anticorrelation

0 -3

-2

-1

0

1

2

s P , l B; l P , s s P, s

A

tA - t0

beam-splitter perfect correlation

80

l P, l

A

t0

B

l P, l

B

B

φ

stop

start

A

α+β

3

FIG. 22. Principle of phase coding quantum cryptography using energy-time entangled photons pairs.

tB - t 0 .

β

+

+

−

−

Alice

time difference [ns]

nonlinear crystal

Bob

FIG. 26. Schematics of quantum cryptography using entangled photons phase-time coding.

55

1.0 one w ay com m uni-cation suffices secret-key rate

Inform ation [bit]

0.8

0.6

0.4

tw o w ay com m unication is necessary E ve's inform ation

error correction and

quantum privacy am pl. or

classical privacy am pl.

0.2

classical advantage distillation

B ell-C H S H B ell-C H S H ineq.

B ob's inform ation

0.0 0.0

FIG. 27. Poincar´e representation of the BB84 states and the intermediate basis, also known as the Breidbart basis, that can be used by Eve.

Alice

A

Eve

perturbation

0.2

IR 4

0.3

IR 6

0.4

0.5

Q uantum bit error rate (Q B E R )

FIG. 30. Eve and Bob information versus the QBER, here plotted for incoherent eavesdropping on the 4-state protocol. For QBERs below QBER0 , Bob has more information than Eve and secret-key agreement can be achieved using classical error correction and privacy amplification. These can, in principle, be implemented using only 1-way communication. The secret-key rate can be as large as the information differences. For QBERs above QBER0 (≡ D0 ), Bob has a disadvantage with respect to Eve. Nevertheless, Alice and Bob can apply quantum privacy amplification up to the QBER corresponding to the intercept-resend eavesdropping strategies, IR4 and IR6 for the 4-state and 6-state protocols, respectively. Alternatively, they can apply a classical protocol called advantage distillation which is effective precisely up to the same maximal QBER IR4 and IR6 . Both the quantum and the classical protocols require then 2-way communication. Note that for the eavesdropping strategy optimal from Eve’ Shannon point of view on the 4-state protocol, QBER0 correspond precisely to the noise threshold above which a Bell inequality can no longer be violated.

Bob

B

U

0.1

QBER0

ineq. is violated is not violated

information

FIG. 28. Eavesdropping on a quantum channel. Eve extracts information out of the quantum channel between Alice and Bob at the cost of introducing noise into that channel.

FIG. 29. Poincar´e representation of the BB84 states in the event of a symmetrical attack. The state received by Bob after the interaction of Eve’s probe is related to the one sent by Alice by a simple shrinking factor. When the unitary operator U entangles the qubit and Eve’s probe, Bob’s state (eq. 46) is mixed and is represented by a point inside the Poincar´e sphere.

56

FIG. 31. Intuitive illustration of theorem 1. The initial situation is depicted in a). During the 1-way public discussion phase of the protocol Eve receives as much information as Bob, the initial information difference δ thus remains. After error correction, Bob’s information equals 1, as illustrated on b). After privacy amplification Eve’s information is zero. In c) Bob has replaced all bits to be disregarded by random bits. Hence the key has still the original length, but his information has decreased. Finally, removing the random bits, the key is shortened to the initial information difference, see d). Bob has full information on this final key, while Eve has none.

FIG. 32. Realistic beamsplitter attack. Eve stops all pulses. The two photon pulses have a 50% probability to be analyzed by the same analyzer. If this analyzer is compatible with the state prepared by Alice, then both photon are detected at the same outcome; if not there is a 50% chance that they are detected at the same outcome. Hence, there is a probability of 3/8 that Eve detects both photons at the same outcome. In such a case, and only in such a case, she resends a photon to Bob. In 2/3 of these cases she introduces no errors since she identified the correct state and gets full information; in the remaining cases she has a probability 1/2 to introduce an error and gains no information. The total QBER is thus 1/6 and Eve’s information gain 2/3.

57