. 1
( 3)


Quantum cryptography

Nicolas Gisin, Gr´goire Ribordy, Wolfgang Tittel and Hugo Zbinden
Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland
(February 1, 2008; submitted to Reviews of Modern Physics)

4 Free-space links . . . . . . . . . . . 17
Quantum cryptography could well be the ¬rst application C Single-photon detection . . . . . . . . . 18
of quantum mechanics at the individual quanta level. The
1 Photon counting at wavelengths be-
very fast progress in both theory and experiments over the
low 1.1 µm . . . . . . . . . . . . . . 19
recent years are reviewed, with emphasis on open questions
2 Photon counting at telecommunica-
and technological issues.
tion wavelengths . . . . . . . . . . . 19
arXiv:quant-ph/0101098v2 18 Sep 2001

D Quantum random number generators . 20
E Quantum repeaters . . . . . . . . . . . 20
IV Experimental quantum cryptography
I Introduction 2 with Faint laser pulses 21
A Quantum Bit Error Rate . . . . . . . . 22
II A beautiful idea 2 B Polarization coding . . . . . . . . . . . 23
A The intuition . . . . . . . . . . . . . . . 2 C Phase coding . . . . . . . . . . . . . . . 24
B Classical cryptography . . . . . . . . . 3 1 The double Mach-Zehnder imple-
1 Asymmetrical (public-key) cryp- mentation . . . . . . . . . . . . . . 25
tosystems . . . . . . . . . . . . . . . 3 2 The “Plug-&-Play” systems . . . . 26
2 Symmetrical (secret-key) cryptosys- D Frequency coding . . . . . . . . . . . . 28
tems . . . . . . . . . . . . . . . . . 4 E Free space line-of-sight applications . . 29
3 The one-time-pad as “classical tele- F Multi-users implementations . . . . . . 30
portation” . . . . . . . . . . . . . . 5
C The example of the BB84 protocol . . . 5 V Experimental quantum cryptography
1 Principle . . . . . . . . . . . . . . . 5 with photon pairs 31
2 No cloning theorem . . . . . . . . . 6 A Polarization entanglement . . . . . . . 32
3 Intercept-resend strategy . . . . . . 6 B Energy-time entanglement . . . . . . . 33
4 Error correction, privacy ampli¬ca- 1 Phase-coding . . . . . . . . . . . . . 33
tion and quantum secret growing . . 6 2 Phase-time coding . . . . . . . . . . 34
5 Advantage distillation . . . . . . . . 8 3 Quantum secret sharing . . . . . . . 35
D Other protocols . . . . . . . . . . . . . 8
1 2-state protocol . . . . . . . . . . . 8 VI Eavesdropping 35
2 6-state protocol . . . . . . . . . . . 9 A Problems and Objectives . . . . . . . . 35
3 EPR protocol . . . . . . . . . . . . 9 B Idealized versus real implementation . . 36
4 Other variations . . . . . . . . . . . 10 C Individual, joint and collective attacks 36
E Quantum teleportation as “Quantum D Simple individual attacks: intercept-
one-time-pad” . . . . . . . . . . . . . . 10 resend, measurement in the intermedi-
F Optical ampli¬cation, quantum non- ate basis . . . . . . . . . . . . . . . . . 37
demolition measurements and optimal E Symmetric individual attacks . . . . . . 37
quantum cloning . . . . . . . . . . . . . 10 F Connection to Bell inequality . . . . . . 40
G Ultimate security proofs . . . . . . . . 40
III Technological challenges 12 H Photon number measurements, lossless
A Photon sources . . . . . . . . . . . . . . 12 channels . . . . . . . . . . . . . . . . . 42
1 Faint laser pulses . . . . . . . . . . 12 I A realistic beamsplitter attack . . . . . 43
2 Photon pairs generated by paramet- J Multi-photon pulses and passive choice
ric downconversion . . . . . . . . . 13 of states . . . . . . . . . . . . . . . . . 43
3 Photon guns . . . . . . . . . . . . . 14 K Trojan Horse Attacks . . . . . . . . . . 43
B Quantum channels . . . . . . . . . . . . 14 L Real security: technology, cost and
1 Singlemode ¬bers . . . . . . . . . . 14 complexity . . . . . . . . . . . . . . . . 44
2 Polarization e¬ects in singlemode
¬bers . . . . . . . . . . . . . . . . . 15 VII Conclusion 44
3 Chromatic dispersion e¬ects in sin-
glemode ¬bers . . . . . . . . . . . . 16

a way that they can be read independently.

Electrodynamics was discovered and formalized in the
19th century. The 20th century was then profoundly af-
fected by its applications. A similar adventure is pos-
The idea of QC was ¬rst proposed only in the 1970™s
sibly happening for quantum mechanics, discovered and
by Wiesner2 (1983) and by Charles H. Bennett from
formalized during the last century. Indeed, although the
IBM and Gilles Brassard from Montr´al University (1984,
laser and semiconductors are already common, applica-
1985) . However, this idea is so simple that actually ev-
tions of the most radical predictions of quantum mechan-
ery ¬rst year student since the infancy of quantum me-
ics have been thought of only recently and their full power
chanics could have discovered it! Nevertheless, it is only
remains a fresh gold mine for the physicists and engineers
of the 21st century. nowadays that the matter is mature and information se-
curity important enough, and “ interestingly “ only nowa-
The most peculiar characteristics of quantum mechan-
days that physicists are ready to consider quantum me-
ics are the existence of indivisible quanta and of entan-
chanics, not only as a strange theory good for paradoxes,
gled systems. Both of these are at the root of Quantum
but also as a tool for new engineering. Apparently, infor-
Cryptography (QC) which could very well be the ¬rst
mation theory, classical cryptography, quantum physics
commercial application of quantum physics at the indi-
and quantum optics had ¬rst to develop into mature sci-
vidual quantum level. In addition to quantum mechan-
ics, the 20th century has been marked by two other major ences. It is certainly not a coincidence that QC and, more
generally, quantum information has been developed by a
scienti¬c revolutions: the theory of information and rel-
community including many computer scientists and more
ativity. The status of the latter is well recognized. It
mathematics oriented young physicists. A broader inter-
is less known that the concept of information, nowadays
est than traditional physics was needed.
measured in bits, and the formalization of probabilities is
quite recent1 , although they have a tremendous impact
on our daily life. It is fascinating to realize that QC lies at
A. The intuition
the intersection of quantum mechanics and information
theory and that, moreover, the tension between quan-
tum mechanics and relativity “ the famous EPR paradox Quantum Physics is well-known for being counter-
(Einsteinet al.1935) “ is closely connected to the security intuitive, or even bizarre. We teach students that Quan-
of QC. Let us add a further point for the young physicists. tum Physics establishes a set of negative rules stating
Contrary to laser and semiconductor physics, which are things that cannot be done. For example:
manifestations of quantum physics at the ensemble level
1. Every measurement perturbs the system.
and can thus be described by semi-classical models, QC,
and even much more quantum computers, require a full
2. One cannot determine simultaneously the position
quantum mechanical description (this may o¬er interest-
and the momentum of a particle with arbitrary high
ing jobs for physicists well trained in the subtleties of
their science).
This review article has several objectives. First we 3. One cannot measure the polarization of a photon in
present the basic intuition behind QC. Indeed the basic the vertical-horizontal basis and simultaneously in
idea is so beautiful and simple that every physicist and the diagonal basis.
every student should be given the pleasure to enjoy it.
The general principle is then set in the broader context of
modern cryptology (section II B) and made more precise
(section II C). Chapter III discusses the main technologi- 2
Stephen Wiesner, then at Columbia University, was the
cal challenges. Then, chapters IV and V present the most ¬rst one to propose ideas closely related to QC, already in
common implementation of QC using weak laser pulses the 1970™s. However, his revolutionary paper appeared only a
and photon pairs, respectively. Finally, the important decade later. Since it is di¬cult to ¬nd, let us mention his ab-
and di¬cult problems of eavesdropping and of security stract: The uncertainty principle imposes restrictions on the
proofs are discussed in chapter VI, where the emphasis is capacity of certain types of communication channels. This pa-
more on the variety of questions than on technical issues. per will show that in compensation for this “quantum noise”,
We tried to write the di¬erent parts of this review in such quantum mechanics allows us novel forms of coding without
analogue in communication channels adequately described by
classical physics.
Artur Ekert (1991) from Oxford University discovered QC
independently, though from a di¬erent perspective (see para-
The Russian mathematician A.N. Kolmogorow (1956) is
graph II D 3).
credited with being the ¬rst to have consistently formulated
a mathematical theory of probabilities in the 1940™s.

4. One cannot draw pictures of individual quantum channel to transmit information, but only to transmit a
random sequence of bits, i.e. a key. Now, if the key is
unperturbed, then Quantum Physics guarantees that no
5. One cannot duplicate an unknown quantum state. one got any information about this key by eavesdropping
(i.e. measuring) the quantum communication channel.
This negative viewpoint on Quantum Physics, due to
In this case, Alice and Bob can safely use this key to
its contrast to classical physics, has only recently been
encode messages. If, on the contrary, the key turns out
turned positive and QC is one of the best illustrations
to be perturbed, then Alice and Bob simply disregard it;
of this psychological revolution. Actually, one could car-
since the key does not contain any information, they did
icature Quantum Information Processing as the science
not lose any.
of turning Quantum conundrums into potentially useful
Let us make this general idea somewhat more pre-
cise, anticipating section II C. In practice, the individual
Let us illustrate this for QC. One of the basic negative
quanta used by Alice and Bob, often called qubits (for
statement of Quantum Physics reads:
quantum bits), are encoded in individual photons. For
example, vertical and horizontal polarization code for bit
Every measurement perturbs the system (1)
value zero and one, respectively. The second basis, can
then be the diagonal one (±45o linear polarization), with
(except if the quantum state is compatible with the mea-
+45o for bit 1 and ’45o for bit 0, respectively (see Fig.
surement). The positive side of this axiom can be seen
1). Alternatively, the circular polarization basis could
when applied to a communication between Alice and
be used as second basis. For photons the quantum com-
Bob (the conventional names of the sender and receiver,
munication channel can either be free space (see section
respectively), provided the communication is quantum.
IV E) or optical ¬bers “ special ¬bers or the ones used in
The latter means that the support of information are
standard telecommunication “ (section III B). The com-
quantum systems, like, for example, individual photons.
munication channel is thus not really quantum. What is
Indeed, then axiom (1) applies also to the eavesdroppers,
quantum are the information carriers.
i.e. to a malicious Eve (the conventional name given to
But before continuing, we need to see how QC could
the adversary in cryptology). Hence, Eve cannot get any
¬t in the existing cryptosystems. For this purpose the
information about the communication without introduc-
next section brie¬‚y surveys some of the main aspects of
ing perturbations which would reveal her presence.
modern cryptology.
To make this intuition more precise, imagine that Alice
codes information in individual photons which she sends
to Bob. If Bob receives the photons unperturbed, then,
B. Classical cryptography
by the basic axiom (1), the photons were not measured.
No measurement implies that Eve did not get any in-
formation about the photons (note that acquiring infor- Cryptography is the art of rendering a message un-
mation is synonymous to carrying out measurements). intelligible to any unauthorized party. It is part of the
Consequently, after exchanging the photons, Alice and broader ¬eld of cryptology, which also includes crypto-
Bob can check whether someone “was listening”: they analysis, the art of code breaking (for a historical per-
simply compare a randomly chosen subset of their data spective, see Singh 1999). To achieve this goal, an algo-
using a public channel. If Bob received the randomly rithm (also called a cryptosystem or cipher) is used to
chosen subset unperturbed then the logic goes as follows: combine a message with some additional information “
known as the “key” “ and produce a cryptogram. This
technique is known as “encryption”. For a cryptosystem
N o perturbation ’ N o measurement to be secure, it should be impossible to unlock the cryp-
’ N o eavesdropping (2) togram without the key. In practice, this demand is often
softened so that the system is just extremely di¬cult to
It is as simple as that! crack. The idea is that the message should remain pro-
tected at least as long as the information it contains is
Actually, there are two more points to add. First, in valuable. Although con¬dentiality is the traditional ap-
order to ensure that axiom (1) applies, Alice encodes her plication of cryptography, it is used nowadays to achieve
information in non-orthogonal states (we shall illustrate broader objectives, such as authentication, digital signa-
this in the sections II C and II D). Second, as we have tures and non-repudiation (Brassard 1988).
presented it so far, Alice and Bob could discover any
eavesdropper, but only after they exchanged their mes-
sage. It would of course be much better to ensure the 1. Asymmetrical (public-key) cryptosystems
privacy in advance, and not afterwards! To achieve this,
Alice and Bob complement the above simple idea with a Cryptosytems come in two main classes “ depending on
second idea, again a very simple one, and one which is whether Alice and Bob use the same key. Asymmetrical
entirely classical. Alice and Bob do not use the quantum

systems involve the use of di¬erent keys for encryption ers.
and decryption. They are commonly known as public-key Similarly, all public-key cryptosystems rely on un-
cryptosystems. Their principle was ¬rst proposed in 1976 proven assumptions for their security, which could them-
by Whit¬eld Di¬e and Martin Hellman, who were then selves be weakened or suppressed by theoretical or prac-
at Stanford University in the US. The ¬rst actual im- tical advances. So far, no one has proved the existence of
plementation was then developed by Ronald Rivest, Adi any one-way function with a trapdoor. In other words,
Shamir,and Leonard Adleman of the Massachusetts In- the existence of secure asymmetric cryptosystems is not
stitute of Technology in 19784. It is known as RSA and is proven. This casts an intolerable threat on these cryp-
still widely used. If Bob wants to be able to receive mes- tosystems.
sages encrypted with a public key cryptosystem, he must In a society where information and secure communi-
¬rst choose a “private” key, which he keeps secret. Then, cation is of utmost importance, as in ours, one cannot
he computes from this private key a “public” key, which tolerate such a threat. Think, for instance, that an
he discloses to any interested party. Alice uses this public overnight breakthrough in mathematics could make elec-
key to encrypt her message. She transmits the encrypted tronic money instantaneously worthless. To limit such
message to Bob, who decrypts it with the private key. economical and social risks, there is no possibility but
Public-key cryptosystems are convenient and they have to turn to symmetrical cryptosystems. QC has a role to
thus become very popular over the last 20 years. The play in such alternative systems.
security of the internet, for example, is partially based
on such systems. They can be thought of as a mailbox,
where anybody can insert a letter. Only the legitimate 2. Symmetrical (secret-key) cryptosystems
owner can then recover it, by opening it with his private
key. Symmetrical ciphers require the use of a single key for
The security of public key cryptosystems is based on both encryption and decryption. These systems can be
computational complexity. The idea is to use mathemat- thought of as a safe, where the message is locked by Al-
ical objects called one-way functions. By de¬nition, it ice with a key. Bob in turns uses a copy of this key to
is easy to compute the function f (x) given the variable unlock the safe. The “one-time pad”, ¬rst proposed by
x, but di¬cult to reverse the calculation and compute x Gilbert Vernam of AT&T in 1926, belongs to this cate-
from f (x). In the context of computational complexity, gory. In this scheme, Alice encrypts her message, a string
the word “di¬cult” means that the time to do a task of bits denoted by the binary number m1 , using a ran-
grows exponentially with the number of bits in the in- domly generated key k. She simply adds each bit of the
put, while “easy” means that it grows polynomially. In- message with the corresponding bit of the key to obtain
tuitively, it is easy to understand that it only takes a few the scrambled text (s = m1 • k, where • denotes the
seconds to work out 67 — 71, but it takes much longer binary addition modulo 2 without carry). It is then sent
to ¬nd the prime factors of 4757. However, factoring has to Bob, who decrypts the message by subtracting the key
a “trapdoor”, which means that it is easy to do the cal- (s–k = m1 •k –k = m1 ). Because the bits of the scram-
culation in the di¬cult direction provided that you have bled text are as random as those of the key, they do not
some additional information. For example, if you were contain any information. This cryptosystem is thus prov-
told that 67 was one of the prime factors of 4757, the ably secure in the sense of information theory (Shannon
calculation would be relatively simple. The security of 1949). Actually, this is today the only provably secure
RSA is actually based on the factorization of large inte- cryptosystem!
gers. Although perfectly secure, the problem with this sys-
In spite of its elegance su¬ers from a major ¬‚aw. tem is that it is essential for Alice and Bob to possess a
Whether factoring is “di¬cult” or not could never be common secret key, which must be at least as long as the
proven. This implies that the existence of a fast algo- message itself. They can only use the key for a single en-
rithm for factorization cannot be ruled out. In addi- cryption “ hence the name “one-time pad”. If they used
tion, the discovery in 1994 by Peter Shor of a polynomial the key more than once, Eve could record all of the scram-
algorithm allowing fast factorization of integers with a bled messages and start to build up a picture of the plain
quantum computer puts additional doubts on the non- texts and thus also of the key. (If Eve recorded two di¬er-
existence of a polynomial algorithm for classical comput- ent messages encrypted with the same key, she could add
the scrambled text to obtain the sum of the plain texts:
s1 • s2 = m 1 • k • m 2 • k = m 1 • m 2 • k • k = m 1 • m 2 ,
where we used the fact that • is commutative.) Fur-
thermore, the key has to be transmitted by some trusted
According to the British Government, public key cryptog-
means, such as a courier, or through a personal meeting
raphy was originally invented at the Government Communica-
between Alice and Bob. This procedure can be complex
tions Headquarters in Cheltenham as early as in 1973. For an
historical account, see for example the book by Simon Singh and expensive, and may even amount to a loophole in
(1999). the system.

and conventions5. The interdisciplinary character of QC
Because of the problem of distributing long sequences
of key bits, the one-time pad is currently used only for the is the probable reason for its relatively slow start, but
most critical applications. The symmetrical cryptosys- it certainly contributes crucially to the vast and fast ex-
tems in use for routine applications such as e-commerce pansion over the recent years.
employ rather short keys. In the case of the Data En- We shall explain the BB84 protocol using the language
cryption Standard (also known as DES, promoted by the of spin 2 , but clearly any 2-level quantum system would
United States™ National Institute of Standards and Tech- do. The protocol uses 4 quantum states that constitute
nology), a 56 bits key is combined with the plain text 2 bases, think of the states up | ‘ , down | “ , left | ←
divided in blocks in a rather complicated way, involving and right | ’ . The bases are maximally conjugate in
permutations and non-linear functions to produce the ci- the sense that any pair of vectors, one from each basis,
has the same overlap, e.g. | ‘ | ← |2 = 2 . Convention-
pher text blocks (see Stallings 1999 for a didactic pre-
sentation). Other cryptosystems (e.g. IDEA or AES) ally, one attributes the binary value 0 to states | ‘ and
follow similar principles. Like asymmetrical cryptosys- | ’ and the value 1 to the other two states, and calls
tems, they o¬er only computational security. However the states qubits (for quantum bits). In the ¬rst step,
for a given key length, symmetrical systems are more se- Alice sends individual spins to Bob in states chosen at
cure than their asymmetrical counterparts. random among the 4 basic states (in Fig. 1 the spin
In practical implementations, asymmetrical algorithms states | ‘ ,| “ , | ’ and | ← are identi¬ed with the
polarization states “horizontal”, “verical”, “+45o” and
are not so much used for encryption, because of their
“-45o”, respectively). How she “chooses at random” is
slowness, but to distribute session keys for symmetrical
cryptosystems such as DES. Because the security of those a delicate problem in practice (see section III D), but in
algorithms is not proven (see paragraph II B 1), the secu- principle she could use her free will. The individual spins
rity of the whole implementation can be compromised. If could be sent all at once, or one after the other (much
they were broken by mathematical advances, QC would more practical); the only restriction being that Alice and
constitute the only way to solve the key distribution Bob can establish a one-to-one correspondence between
problem. the transmitted and the received spins. Next, Bob mea-
sures the incoming spins in one of the two bases, chosen
at random (using a random number generator indepen-
dent from that of Alice). At this point, whenever they
3. The one-time-pad as “classical teleportation”
used the same basis, they get perfectly correlated results.
However, whenever they used di¬erent basis, they get
The one-time-pad has an interesting characteristic.
uncorrelated results. Hence, on average, Bob obtains a
Assume that Alice aims at transferring to Bob a faithful
string of bits with 25% errors, called the raw key. This er-
copy of a classical system, without giving any informa-
ror rate is so large that standard error correction schemes
tion to Eve about this system. For this purpose Alice
would fail. But in this protocol, as we shall see, Alice and
and Bob have only access to an insecure classical chan-
Bob know which bits are perfectly correlated (the ones for
nel. This is possible provided they share an arbitrary
which Alice and Bob used the same basis) and which ones
long secret key. Indeed, in principle Alice can measure
are completely uncorrelated (all the other ones). Hence,
the state of her classical system with arbitrary high pre-
a straightforward error correction scheme is possible: For
cision and then use the one-time-pad to securely commu-
each bit Bob announces publicly in which basis he mea-
nicate this information to Bob who can then, in principle,
sured the corresponding qubit (but he does not tell the
reconstruct (a copy of) the classical system. This some-
result he obtained). Alice then only tells whether or not
what arti¬cial use of the one-time-pad has an interesting
the state in which she encoded that qubit is compatible
quantum relative, (see section II E).
with the basis announced by Bob. If the state is com-
patible, they keep the bit, if not they disregard it. In
this way about 50% of the bit string is discarded. This
C. The example of the BB84 protocol
shorter key obtained after bases reconciliation is called
the sifted key6 . The fact that Alice and Bob use a public
1. Principle
channel at some stage of their protocol is very common
The ¬rst protocol for QC has been proposed in 1984
by Charles H. Bennett, from IBM New-York, and Gilles
Brassard, from the University of Montreal, hence the 5
For instance, it is amusing to note that physicists must
name BB84 under which this protocol is recognized nowa-
publish in reputed journals while conference proceedings are
days. They published their work in a conference in In-
of secondary importance. For computer science, on the con-
dia, totally unknown to physicists. This underlines at
trary, the proceedings of the best conferences are considered
once that QC needs the collaboration between di¬erent
as the top, while journals are secondary!
communities, with di¬erent jargons and di¬erent habits 6
This terminology has been introduced by Ekert and Hut-
tner in 1994.

in crypto-protocols. This channel does not have to be But the latter state di¬ers from the ideal copy | ’, ’
con¬dential, but has to be authentic. Hence, any ad- , f’ , whatever the states |fψ are.
versary Eve can listen to all the communication on the Consequently, Eve can™t keep a perfect quantum copy,
public channel, but she can™t modify it. In practice Al- because perfect quantum copy machines can™t exist. The
ice and Bob may use the same transmission channel to possibility to copy classical information is probably one
implement both the quantum and the classical channels. of the most characteristic features of information in the
Note that neither Alice nor Bob can decide which key every day sense. The fact that quantum states, nowadays
results from the protocol7 . Indeed, it is the conjunction often called quantum information, can™t be copied is cer-
of both of their random choices which produces the key. tainly one of the most speci¬c attributes which make this
Let us now consider the security of the above ideal new kind of information so di¬erent, hence so attractive.
protocol (ideal because so far we did not take into ac- Actually, this “negative rule” has clearly its positive side,
count unavoidable noise due to technical imperfections). since it prevents Eve from perfect eavesdropping, and
Assume that some adversary Eve intercepts a qubit prop- hence makes QC potentially secure.
agating from Alice to Bob. This is very easy, but if Bob
does not receive an expected qubit, he will simply inform
Alice to disregard it. Hence, in this way Eve only lowers 3. Intercept-resend strategy
the bit rate (possibly down to zero), but she does not
gain any useful information. For real eavesdropping Eve We have seen that the eavesdropper needs to send a
must send a qubit to Bob. Ideally she would like to send qubit to Bob, while keeping a necessarily imperfect copy
this qubit in its original state, keeping a copy for herself. for herself. How imperfect the copy has to be, accord-
ing to quantum theory, is a delicate problem that we
shall address in chapter VI. Here, let us develop a sim-
2. No cloning theorem ple eavesdropping strategy, called intercept-resend. This
simple and even practical attack consists in Eve measur-
Following Wootters and Zurek (1982) it is easy to prove ing each qubit in one of the two basis, precisely as Bob
that perfect copying is impossible in the quantum world does. Then, she resends to Bob another qubit in the
(see also Milonni and Hardies 1982, Dieks 1982, and the state corresponding to her measurement result. In about
anticipating intuition by Wigner in 1961). Let ψ denote half of the cases Eve will be lucky and choose the basis
the original state of the qubit, |b the blank copy8 and compatible with the state prepared by Alice. In these
denote |0 ∈ HQCM the initial state of Eve™s “quantum cases she resends to Bob a qubit in the correct state and
copy machine”, where the Hilbert space HQCM of the Alice and Bob won™t notice her intervention. However, in
quantum cloning machine is arbitrary. The ideal machine the other 50% cases, Eve unluckily uses the basis incom-
would produce: patible with the state prepared by Alice. This necessarily
happens, since Eve has no information on Alice™s random
ψ — |b — |0 ’ ψ — ψ — |fψ (3) generator (hence the importance that this generator is
truly random). In these cases the qubits sent out by Eve
where |fψ denotes the ¬nal state of Eve™s machine which 1
are in states with overlap 2 with the correct states. Al-
might depend on ψ. Accordingly, using obvious nota- ice and Bob discover thus her intervention in about half
tions, of these cases, since they get uncorrelated results. Alto-
gether, if Eve uses this intercept-resend strategy, she gets
| ‘, b, 0 ’ | ‘, ‘, f‘ (4) 50% information, while Alice and Bob have about 25%
and | “, b, 0 ’ | “, “, f“ . (5) of errors in their sifted key, i.e. after they eliminated the
cases in which they used incompatible states, there are
By linearity of quantum dynamics it follows that still about 25% errors. They can thus easily detect the
presence of Eve. If, however, Eve applies this strategy to
| ’, b, 0 = √ (| ‘ + | “ ) — |b, 0 only a fraction of the communication, 10% let™s say, then
2 the error rate will be only ≈2.5% while Eve™s information
1 would be ≈5%. The next section explains how Alice and
’ √ (| ‘, ‘, f‘ + | “, “, f“ ). (7)
Bob can counter such attacks.

4. Error correction, privacy ampli¬cation and quantum
7 secret growing
Alice and Bob can however determine the statistics of the
|b corresponds to the stock of white paper in everyday™s At this point in the BB84 protocol, Alice and Bob
photocopy machine. We shall assume that exceptionally this share a so-called sifted key. But this key contains errors.
stock is not empty, a purely theoretical assumption, as is well The errors are caused as well by technical imperfections,

as possibly by Eve™s intervention. Realistic error rates Without discussing any algorithm in detail, let us give
on the sifted key using today™s technology are of a few some intuition how Alice and Bob can establish a se-
percent. This contrasts strongly with the 10’9 typical in cret key when condition (8) is satis¬ed. First, once the
optical communication. Of course, the few percent errors sifted key is obtained (i.e. after the bases have been an-
will be corrected down to the standard 10’9 during the nounced), Alice and Bob publicly compare a randomly
(classical) error correction step of the protocol. In order chosen subset of it. In this way they estimate the error
to avoid confusion, especially among the optical commu- rate (more generally, they estimate their marginal prob-
nication specialists, Beat Perny from Swisscom and Paul ability distribution P (±, β)). These publicly disclosed
Townsend, then with BT, proposed to name the error bits are then discarded. Next, either condition (8) is not
rate on the sifted key QBER, for Quantum Bit Error satis¬ed and they stop the protocol. Or condition (8)
Rate, to make it clearly distinct from the BER used in is satis¬ed and they use some standard error correction
standard communications. protocol to get a shorter key without errors.
Such a situation where the legitimate partners share With the simplest error correction protocol, Alice ran-
classical information, with high but not 100% correla- domly chooses pairs of bits and announces their XOR
tion and with possibly some correlation to a third party value (i.e. their sum modulo 2). Bob replies either “ac-
is common to all quantum cryptosystems. Actually, it cept” if he has the same XOR value for his corresponding
is also a standard starting point for classical information bits, or “reject” if not. In the ¬rst case, Alice and Bob
based cryptosystems where one assumes that somehow keep the ¬rst bit of the pair and eliminate the second one,
Alice, Bob and Eve have random variables ±, β and «, re- while in the second case they eliminate both bits. In re-
spectively, with joint probability distribution P (±, β, «). ality, more complex and e¬cient algorithms are used.
Consequently, the last step in a QC protocol uses classi- After error correction, Alice and Bob have identical
cal algorithms, ¬rst to correct the errors, next to lower copies of a key, but Eve may still have some information
Eve™s information on the ¬nal key, a process called pri- about it (compatible with condition (8)). Alice and Bob
thus need to lower Eve™s information down to an arbitrar-
vacy ampli¬cation.
The ¬rst mention of privacy ampli¬cation appears in ily low value using some privacy ampli¬cation protocols.
Bennett, Brassard and Robert (1988). It was then ex- These classical protocols typically work as follows. Alice
tended in collaboration with C. Cr´peau and U. Maurer
e again randomly choses pairs of bits and computes their
from the University of Montreal and the ETH Z¨ rich, re-
u XOR value. But, contrary to error correction she does
spectively (Bennett et al. 1995, see also Bennett et al. not announce this XOR value. She only announces which
1992a). Interestingly, this work motivated by QC found bits she chose (e.g. bit number 103 and 537). Alice and
applications in standard information-based cryptography Bob then replace the two bits by their XOR value. In
(Maurer 1993, Maurer and Wolf 1999). this way they shorten their key while keeping it error
Assume that such a joint probability distribution free, but if Eve has only partial information on the two
P (±, β, «) exists. Near the end of this section, we com- bits, her information on the XOR value is even lower.
ment on this assumption. Alice and Bob have access only Consider for example that Eve knows only the value of
to the marginal distribution P (±, β). From this and from the ¬rst bit, and nothing about the second one. Then
the laws of quantum mechanics, they have to deduce con- she has no information at all on the XOR value. Also, if
straints on the complete scenario P (±, β, «), in particular Eve knows the value of both bits with 60% probability,
they have to bound Eve™s information (see sections VI E then the probability that she guesses correctly the value
of the XOR is only of 0.62 + 0.42 = 52%. This process
and VI G). Given P (±, β, «), necessary and su¬cient con-
ditions for a positive secret key rate between Alice and would have to be repeated several times; more e¬cient
Bob, S(±, β||«), are not yet known. However, a useful algorithms use larger blocks (Brassard and Salvail 1993).
lower bound is given by the di¬erence between Alice and The error correction and privacy ampli¬cation algo-
Bob™s mutual Shannon information I(±, β) and Eve™s mu- rithms sketched above are purely classical algorithms.
tual information (Csisz´r and K¨rner 1978, and theorem
a o This illustrates that QC is a truly interdisciplinary ¬eld.
1 in section VI G): Actually, the above presentation is incomplete. Indeed,
in this presentation, we have assumed that Eve has mea-
S(±, β||«) ≥ max{I(±, β) ’ I(±, «), I(±, β) ’ I(β, «)} sured her probe before Alice and Bob run the error cor-
rection and privacy ampli¬cation algorithms, hence that
P (±, β, «) exists. In practice this is a very reasonable
assumption, but, in principle, Eve could wait until the
Intuitively, this result states that secure key distillation
end of all the protocol, and then optimize her measure-
(Bennett et al. 1992a) is possible whenever Bob has more
ments accordingly. Such “delayed choice eavesdropping
information than Eve.
The bound (8) is tight if Alice and Bob are restricted
to one-way communication, but for two-way communica-
tion, secret key agreement might be possible even when
(8) is not satis¬ed (see next paragraph II C 5).

strategies9 ” are discussed in chapter VI. tion to keep, whereas Eve can™t in¬‚uence this process12
It should now be clear that QC does not provide a (Maurer 1993, Maurer and Wolf 1999).
complete solution for all cryptographic purposes10 . Ac- Recently a second remarkable connection between
tually, quite on the contrary, QC can only be used as quantum and classical secret key agreement has been dis-
a complement to standard symmetrical cryptosystems. covered (assuming they use the Ekert protocol described
Accordingly, a more precise name for QC is Quantum in paragraph II D 3): If Eve follows the strategy which op-
Key Distribution, since this is all QC does. Nevertheless, timizes her Shannon information, under the assumption
we prefer to keep the well known terminology which gives that she attacks the qubit one at a time (the so-called
its title to this review. individual attacks, see section VI E), then Alice and Bob
Finally, let us emphasize that every key distribution can use advantage distillation if and only if Alice and
system must incorporate some authenti¬cation scheme: Bob™s qubits are still entangled (they can thus use quan-
the two parties must identify themselves. If not, Alice tum privacy ampli¬cation (Deutsch et al. 1996)) (Gisin
could actually be communicating directly with Eve! A and Wolf 1999). This connection between the concept
straightforward possibility is that Alice and Bob initially of entanglement, central to quantum information theory,
share a short secret. Then QC provides them with a and the concept of intrinsic classical information, cen-
longer one and, for example, they each keep a small por- tral to classical information based cryptography (Maurer
tion for authenti¬cation at the next session (Bennett et and Wolf 1999), has been shown to be general (Gisin
al. 1992a). From this perspective, QC is a Quantum and Wolf 2000). The connection seems even to extend to
Secret Growing protocol. bound entanglement (Gisin et al. 2000).

5. Advantage distillation D. Other protocols

QC has triggered and still triggers research in classical 1. 2-state protocol
information theory. The best known example is proba-
bly the development of privacy ampli¬cation algorithms In 1992 Charles H. Bennett noticed that actually 4
(Bennett et al. 1988 and 1995). This in turn triggered states is more than necessary for QC: all what is really
the development of new cryptosystems based on weak but needed is 2 nonorthogonal states. Indeed the security re-
classical signals, emitted for instance by satellites (Mau- lies on the impossibility for any adversary to distinguish
rer 1993)11. These new developments required secret key unambiguously and without perturbation between the
agreement protocols that can be used even when the con- di¬erent states that Alice may send to Bob, hence 2 states
dition (8) doesn™t apply. Such protocols, called advantage are necessary and if they are incompatible (i.e. not mutu-
distillation, necessarily use two way communication and ally orthogonal), then 2 states are also su¬cient. This is
are much less e¬cient than privacy ampli¬cation. Usu- a conceptually important clari¬cation. It also made sev-
ally, they are not considered in the literature on QC. eral of the ¬rst experimental demonstrations easier (this
But, conceptually, they are remarkable from at least two is further discussed in section IV D). But in practice it
points of view. First it is somewhat surprising that se- is not a good solution. Indeed, although 2 nonorthogo-
cret key agreement is possible even if Alice and Bob start nal states can™t be distinguished unambiguously without
with less mutual (Shannon) information than Eve. How- perturbation, one can unambiguously distinguish them
ever, they can take advantage of the authenticated public at the cost of some losses (Ivanovic 1987, Peres 1988).
channel: Alice and Bob can decide which series of realiza- This possibility has even been demonstrated in practice
(Huttner et al. 1996, Clarke et al. 2000). Hence, Alice
and Bob would have to monitor the attenuation of the
Note however that Eve has to choose the interaction be-
tween her probe and the qubits before the public discussion
phase of the protocol. 12
The idea is that Alice picks out several instances where she
For a while it was thought that bit commitment (see, e.g., got the same bit and communicates the instances - but not
Brassard 1988), a powerful primitive in cryptology, could be the bit - to Bob. Bob replies yes only if it happens that for all
realized using quantum principles. However, Dominic Mayers these instances he also has the same bit value. For large error
(1996a and 1997) and Lo and Chau (1998) proved it to be rates this is unlikely, but when it happens there is a large
impossible (see also Brassard et al. 1998). chance that both have the same bit. Eve can™t in¬‚uence the
Note that here the con¬dentiality is not guaranteed by choice of the instances. All she can do is to use a majority
the laws of physics, but relies on the assumption that Eve™s vote for the cases accepted by Bob. The probability that Eve
technology is limited, e.g. her antenna is ¬nite, her detectors makes an error can be much larger than the probability that
have limited e¬ciencies. Bob makes an error (i.e. that all his instances are wrong),
even if Eve™s initial information is larger than Bob™s.

quantum channel (and even this is not entirely safe if Eve keep the data only when they happen to have done their
could replace the channel by a more transparent one, see measurements in the compatible basis. If the source is
section VI H). The two-state protocol can also be im- reliable, this protocol is equivalent to the BB84 one: Ev-
plemented using an interference between a macroscopic ery thing is as if the qubit propagates backwards in time
bright pulse and a dim pulse with less than one photon on from Alice to the source, and then forwards to Bob! But
average (Bennett, 1992). The presence of the bright pulse better than trusting the source, which could be in Eve™s
makes this protocol specially resistant to eavesdropping, hand, the Ekert protocol assumes that the 2 qubits are
even in settings with high attenuation. Indeed Bob can emitted in a maximally entangled state like:
monitor the bright pulses, to make sure that Eve does not
remove any. In this case, Eve cannot eliminate the dim φ+ = √ (| ‘, ‘ + | “, “ ). (9)
pulse without revealing her presence, because the inter-
ference of the bright pulse with vacuum would introduce
Then, when Alice and Bob happen to use the same basis,
errors. A practical implementation of this protocol is
both the x-basis or both the y-basis, i.e. in about half
discussed in section IV D. Huttner et al. extended this
of the cases, their results are identical, providing them
reference beam monitoring to the four-states protocol in
with a common key. Note the similarity between the 1-
qubit BB84 protocol illustrated in Fig. 1 and the 2-qubit
Ekert protocol of Fig. 3. The analogy can be even made
stronger by noting that for all unitary evolutions U1 and
2. 6-state protocol
U2 , the following equality hold:
While two states are enough and four states are stan- U1 — U2 ¦(+) = 1 — U2 U1 ¦(+)
1 (10)
dard, a 6-state protocol respects much more the sym-
metry of the qubit state space, see Fig. 2 (Bruss 1998, t
where U1 denotes the transpose.
Bechmann-Pasquinucci and Gisin 1999). The 6 states In his 1991 paper Artur Ekert suggested to base the
constitute 3 bases, hence the probability that Alice and security of this 2-qubit protocol on Bell™s inequality, an
Bob chose the same basis is only of 3 . But the symme- inequality which demonstrates that some correlation pre-
try of this protocol greatly simpli¬es the security anal- dicted by quantum mechanics can™t be reproduced by
ysis and reduces Eve™s optimal information gain for a any local theory (Bell 1964). For this, Alice and Bob
given error rate QBER. If Eve measures every photon, have a third choice of basis (see Fig. 4). In this way the
the QBER is 33%, compared to 25% in the case of the probability that they happen to choose the same basis
BB84 protocol. is reduced from 2 to 2 , but at the same time as they
establish a key they collect enough data to test Bell in-
equality13 . They can thus check that the source really
3. EPR protocol emits the entangled state (9) and not merely product
states. The following year Bennett, Brassard and Mer-
This variation of the BB84 protocol is of special con- min (1992b) criticized Ekert™s letter, arguing that the
ceptual, historical and practical interest. The idea is due violation of Bell inequality is not necessary for the secu-
to Artur Ekert (1991) from Oxford University, who, while rity of QC and emphasizing the close connection between
elaborating on a suggestion of David Deutsch (1985), dis- the Ekert and the BB84 schemes. This criticism might
covered QC independently of the BB84 paper. Intellec- be missing an important point. Indeed, although the ex-
tually, it is very satisfactory to see this direct connec- act relation between security and Bell inequality is not
tion to the famous EPR paradox (Einstein, Podolski and yet fully known, there are clear results establishing fasci-
Rosen 1935): the initially philosophical debate turned to nating connections, (see section VI F). In October 1992,
theoretical physics with Bell™s inequality (1964), then to an article by Bennett, Brassard and Ekert demonstrated
experimental physics (Freedmann and Clauser 1972, Fry that the founding fathers joined forces to develop the ¬eld
and Thompson 1976, and Aspect, Dalibard and Roger in a pleasant atmosphere (Bennett et al. 1992c)!
1982), and is now “ thanks to Ekert™s ingenious idea “
part of applied physics.
The idea consists in replacing the quantum channel
carrying qubits from Alice to Bob by a channel carrying
2 qubits from a common source, one qubit to Alice and
one to Bob. A ¬rst possibility would be that the source 13
A maximal violation of Bell inequality is necessary to rule
emits the two qubits always in the same state chosen ran- out tampering by Eve. In this case, the QBER must nec-
domly among the 4 states of the BB84 protocol. Alice essarily be equal to zero. With a non-maximal violation, as
and Bob would then both measure their qubit in one of typically obtained in experimental systems, Alice and Bob
the two bases, again chosen independently and randomly. can distil a secure key using error correction and privacy
The source then announces the bases and Alice and Bob ampli¬cation.

tem is destroyed without Alice learning anything about
4. Other variations
the quantum state, while Bob™s qubit ends in a state
isomorphic to the state of the original system (but Bob
There is a large collection of variations around the
doesn™t learn anything about the quantum state). If the
BB84 protocol. Let us mention a few, chosen somewhat
initial quantum system is a quantum message coded in
arbitrarily. First, one can assume that the two bases
the form of a sequence of qubits, then this quantum mes-
are not chosen with equal probability (Ardehali et al.
sage is faithfully and securely transferred to Bob, without
1998). This has the nice consequence that the proba-
any information leaking to the outside world (i.e. to any-
bility that Alice and Bob choose the same basis is larger
one not sharing the prior entanglement with Alice and
than 2 , increasing thus the transmission rate of the sifted
Bob). Finally, the quantum message could be formed of
key. However, this protocol makes Eve™s job easier as she
a 4 letter quantum alphabet constituted by the 4 states
is more likely to guess correctly the used basis. Conse-
of the BB84 protocol. With futuristic, but not impossi-
quently, it is not clear whether the ¬nal key rate, after
ble technology, Alice and Bob could have their entangled
error correction and privacy ampli¬cation, is higher or
qubits in appropriate wallets and could establish a totally
secure communication at any time, without even having
Another variation consists in using quantum systems of
to know where the partner is located (provided they can
dimension larger than 2 (Bechmann-Pasquinucci and Tit-
communicate classically).
tel 2000, Bechmann-Pasquinucci and Peres 2000, Bouren-
nane et al. 2001a). Again, the practical value of this idea
has not yet been fully determined.
F. Optical ampli¬cation, quantum nondemolition
A third variation worth mentioning is due to Gold-
measurements and optimal quantum cloning
enberg and Vaidman, from Tel-Aviv University (1995).
They suggested to prepare the qubits in a superposition
After almost every general talk on QC, two questions
of two spatially separated states, then to send one compo-
arise: what about optical ampli¬ers? and what about
nent of this superposition and to wait until Bob received
quantum nondemolition measurements? In this section
it before sending the second component. This doesn™t
we brie¬‚y address these questions.
sound of great practical value, but has the nice concep-
Let us start with the second one, being the easiest. The
tual feature that the minimal two states do not need to
terminology “quantum nondemolition measurement” is
be mutually orthogonal.
simply a confusing one! There is nothing like a quan-
tum measurement that does not perturb (i.e. modify)
the quantum state, except if the state happens to be an
E. Quantum teleportation as “Quantum
eigenstate of the observable. Hence, if for some reason
one conjectures that a quantum system is in some state
(or in a state among a set of mutually orthogonal ones),
Since its discovery in 1993 by a surprisingly large
this can be in principle tested repeatedly (Braginsky and
group of physicists, Quantum teleportation (Bennett et
Khalili 1992). But if the state is only restricted to be in
al. 1993) received a lot of attention in the scienti¬c com-
a ¬nite set containing non-orthogonal states, as in QC,
munity as well as in the general public. The dream of
then there is no way to perform a measurement without
beaming travellers through the Universe is exciting, but
“demolishing” (perturbing) the state. Now, in QC the
completely out of the realm of any foreseeable technol-
terminology “nondemolition measurement” is also used
ogy. However, quantum teleportation can be seen as the
with a di¬erent meaning: one measures the number of
fully quantum version of the one-time-pad, see paragraph
photons in a pulse without a¬ecting the degree of free-
II B 3, hence as the ultimate form of QC. Similarly to
dom coding the qubit (e.g. the polarization), (see section
“classical teleportation”, let™s assume that Alice aims at
VI H), or one detects the presence of a photon without
transferring to Bob a faithful copy of a quantum system.
destroying it (Nogues et al. 1999). Such measurements
If Alice has full knowledge of the quantum state, the
are usually called “ideal measurements”, or “projective
problem is not really a quantum one (Alice information
measurements”, because they produce the least possible
is classical). If, on the opposite, Alice does not know the
perturbation (Piron 1990) and because they can be repre-
quantum state, she cannot send a copy, since quantum
sented by projectors. It is important to stress that these
copying is impossible according to quantum physics (see
“ideal measurements” do not invalidate the security of
paragraph II C 2). Nor can she send classical instructions,
since this would allow the production of many copies.
Let us consider now optical ampli¬ers (a laser medium,
However, if Alice and Bob share arbitrarily many entan-
but without mirrors, so that ampli¬cation takes place in
gled qubits, sometimes called a quantum key, and share a
a single pass, see Desurvire 1994). They are widely used
classical communication channel then the quantum tele-
in today™s optical communication networks. However,
portation protocol provides them with a mean to transfer
they are of no use for quantum communication. Indeed,
the quantum state of the system from Alice to Bob. In
as seen in section II C, the copying of quantum informa-
the course of running this protocol, Alice™s quantum sys-
tion is impossible. Here we illustrate this characteristic

2P‘‘ + Pψ(+) 2P‘ + 2 1
of quantum information with the example of optical am-
T r1’ph mode = (21)
pli¬ers: the necessary presence of spontaneous emission 3 3
whenever there is stimulated emission, prevents perfect
The corresponding ¬delity is:
copying. Let us clarify this important and often confus-
ing point, following the work of Simon et al. (1999 and 1
2+ 5
2000; see also Kempe et al. 2000, and De Martini et al. 2
F= = (22)
3 6
2000). Let the two basic qubit states |0 and |1 be physi-
cally implemented by two optical modes: |0 ≡ |1, 0 and
which is precisely the optimal ¬delity compatible with
|1 ≡ |0, 1 . |n, m ph — |k, l a denotes thus the state of
quantum mechanics (Buˇek and Hillery 1996, Bruss et
n photons in mode 1 and m in mode 2, and k, l = 0 (1)
al 1998, Gisin and Massar 1997). In other words, if we
the ground (excited) state of 2-level atoms coupled to
start with a single photon in an arbitrary state, and pass
mode 1 and 2, respectively. Hence spontaneous emission
it through an ampli¬er, then due to the e¬ect of sponta-
corresponds to
neous emission the ¬delity of the state exiting the ampli-
¬er, in the cases where it consists of exactly two photons,
|0, 0 — |1, 0 ’ |1, 0 — |0, 0 a , (11)
ph a ph
with the initial state will be equal to at most 5/6. Note
|0, 0 ph — |0, 1 ’ |0, 1 ph — |0, 0 a (12)
that if it were possible to make better copies, then, using
EPR correlations between spatially separated systems,
and stimulated emission to
signaling at arbitrarily fast speed would also be possible

(Gisin 1998).
|1, 0 ph — |1, 0 a ’ 2|2, 0 ph — |0, 0 a , (13)

|0, 1 ph — |0, 1 a ’ 2|0, 2 ph — |0, 0 a (14)

where the 2 factor takes into account the ratio stimu-
lated/spontaneous emission. Let the initial state of the
atom be a mixture of the following two states (each with
equal weight 50%):

|0, 1 |1, 0 (15)
a a

By symmetry, it su¬ces to consider one possible initial
state of the qubit, e.g. 1 photon in the ¬rst mode |1, 0 ph .
The initial state of the photon+atom system is thus a

|1, 0 — |1, 0 or |1, 0 — |0, 1 (16)
ph a ph a

This corresponds to the ¬rst order term in an evolution
with a Hamiltonian (in the interaction picture): H =
χ(a† σ1 + a1 σ1 + a† σ2 + a2 σ2 ). After some time the
† †
’ ’
1 2
2-photon component of the evolved states reads:

2|2, 0 ph — |0, 0 a or |1, 1 ph — |0, 0 a (17)
The correspondence with a pair of spin goes as follows:

|2, 0 = | ‘‘ |0, 2 = | ““ (18)

= ψ (+) = √ (| ‘“ + | “‘ )
|1, 1 (19)
Tracing over the ampli¬er (i.e. the 2-level atom), an
(ideal) ampli¬er achieves the following transformation:

P‘ ’ 2P‘‘ + Pψ(+) (20)

where the P ™s indicate projectors (i.e. pure state density
matrices) and the lack of normalization results from the
¬rst order expansion used in (11) to (14). Accordingly,
after normalization, each photon is in state :

the one where absorption is low. However, free space
transmission is restricted to line-of sight links and is very
weather dependent.
The very ¬rst demonstration of QC was a table top ex-
In the next sections we successively consider the ques-
periment performed at the IBM laboratory in the early
tions “how to produce single photons?” (section III A),
1990™s over a distance of 30 cm (Bennett et al. 1992a),
“how to transmit them?” (section III B), “how to detect
marking the start of impressive experimental improve-
single photons?” (section III C), and ¬nally “how to ex-
ments during the last years. The 30 cm distance is of
ploit the intrinsic randomness of quantum processes to
little practical interest. Either the distance should be
build random generators?” (section III D).
even shorter, think of a credit card and the ATM ma-
chine (Huttner et al. 1996b), but in this case all of Al-
ice™s components should ¬t on the credit card. A nice
A. Photon sources
idea, but still impractical with present technology. Or
the distance should be much longer, at least in the km
Optical quantum cryptography is based on the use of
range. Most of the research so far uses optical ¬bers to
single photon Fock states. Unfortunately, these states
guide the photons from Alice to Bob and we shall mainly
are di¬cult to realize experimentally. Nowadays, practi-
concentrate here on such systems. There is, however, also
cal implementations rely on faint laser pulses or entan-
some very signi¬cant research on free space systems, (see
gled photon pairs, where both the photon as well as the
section IV E).
photon-pair number distribution obeys Poisson statistics.
Once the medium is chosen, there remain the questions
Hence, both possibilities su¬er from a small probability
of the source and detectors. Since they have to be com-
of generating more than one photon or photon pair at
patible, the crucial choice is the wavelength. There are
the same time. For large losses in the quantum chan-
two main possibilities. Either one chooses a wavelength
nel even small fractions of these multi-photons can have
around 800 nm where e¬cient photon counters are com-
important consequences on the security of the key (see
mercially available, or one chooses a wavelength compat-
section VI H), leading to interest in “photon guns”, see
ible with today™s telecommunication optical ¬bers, i.e.
paragraph III A 3). In this section we brie¬‚y comment
near 1300 nm or 1550 nm. The ¬rst choice requires free
on sources based on faint pulses as well as on entan-
space transmission or the use of special ¬bers, hence the
gled photon-pairs, and we compare their advantages and
installed telecommunication networks can™t be used. The
second choice requires the improvement or development
of new detectors, not based on silicon semiconductors,
which are transparent above 1000 nm wavelength.
1. Faint laser pulses
In case of transmission using optical ¬bers, it is still
unclear which of the two alternatives will turn out to be
the best choice. If QC ¬nds niche markets, it is conceiv- There is a very simple solution to approximate single
able that special ¬bers will be installed for that purpose. photon Fock states: coherent states with an ultra-low
But it is equally conceivable that new commercial detec- mean photon number µ. They can easily be realized us-
tors will soon make it much easier to detect single pho- ing only standard semiconductor lasers and calibrated
tons at telecommunication wavelengths. Actually, the attenuators. The probability to ¬nd n photons in such a
latter possibility is very likely, as several research groups coherent state follows the Poisson statistics:
and industries are already working on it. There is an-
µn ’µ
other good reason to bet on this solution: the quality P (n, µ) = e. (23)
of telecommunication ¬bers is much higher than that of
any special ¬ber, in particular the attenuation is much Accordingly, the probability that a non-empty weak co-
lower (this is why the telecommunication industry chose herent pulse contains more than 1 photon,
these wavelengths): at 800 nm, the attenuation is about
2 dB/km (i.e. half the photons are lost after 1.5 km), 1 ’ P (0, µ) ’ P (1, µ)
P (n > 1|n > 0, µ) =
while it is only of the order of 0.35 and 0.20 dB/km at 1 ’ P (0, µ)
1300 nm and 1550 nm, respectively (50% loss after about
1 ’ e’µ (1 + µ) ∼ µ
9 and 15 km) 14 . = (24)
1 ’ e’µ 2
In case of free space transmission, the choice of wave-
length is straightforward since the region where good can be made arbitrarily small. Weak pulses are thus ex-
photon detectors exist “ around 800 nm “ coincides with tremely practical and have indeed been used in the vast
majority of experiments. However, they have one ma-
jor drawback. When µ is small, most pulses are empty:
P (n = 0) ≈ 1 ’ µ. In principle, the resulting decrease in
The losses in dB (ldb ) can be calculated from the losses in bit rate could be compensated for thanks to the achiev-
percent (l% ): ldB = ’10 log10 (1 ’ 100 ). able GHz modulation rates of telecommunication lasers.

But in practice the problem comes from the detectors™ The latter is in general rather large and varies from a few
dark counts (i.e. a click without a photon arriving). nanometers up to some tens of nanometers. For the non
Indeed, the detectors must be active for all pulses, in- degenerate case one typically gets 5-10 nm, whereas in
cluding the empty ones. Hence the total dark counts the degenerate case (central frequency of both photons
increase with the laser™s modulation rate and the ratio equal) the bandwidth can be as large as 70 nm.
of the detected photons over the dark counts (i.e. the This photon pair creation process is very ine¬cient,
typically it needs some 1010 pump photons to create one
signal to noise ratio) decreases with µ (see section IV A).
pair in a given mode17 . The number of photon pairs per
The problem is especially severe for longer wavelengths
where photon detectors based on Indium Gallium Ar- mode is thermally distributed within the coherence time
senide semiconductors (InGaAs) are needed (see section of the photons, and follows a poissonian distribution for
III C) since the noise of these detectors explodes if they larger time windows (Walls and Milburn 1995). With a
pump power of 1 mW, about 106 pairs per second can
are opened too frequently (in practice with a rate larger
than a few MHz). This prevents the use of really low be collected in single mode ¬bers. Accordingly, in a time
photon numbers, smaller than approximately 1%. Most window of roughly 1ns the conditional probability to ¬nd
a second pair having detected one is 106 · 10’9 ≈ 0.1%.
experiments to date relied on µ = 0.1, meaning that 5%
of the nonempty pulses contain more than one photon. In case of continuous pumping, this time window is given
However, it is important to stress that, as pointed out by the detector resolution. Tolerating, e.g. 1% of these
multi-pair events, one can generate 107 pairs per second,
by L¨ tkenhaus (2000), there is an optimal µ depending
on the transmission losses 15 . After key distillation, the using a realistic 10 mW pump. Detecting for example
security is just as good with faint laser pulses as with 10 % of the trigger photons, the second detector has to
be activated 106 times per second. In comparison, the
Fock states. The price to pay for using such states lies in
a reduction of the bit rate. example of 1% of multi-photon events corresponds in the
case of faint laser pulses to a mean photon number of µ =
0.02. In order to get the same number 106 of non-empty
pulses per second, a pulse rate of 50 MHz is needed. For a
2. Photon pairs generated by parametric downconversion
given photon statistics, photon pairs allow thus to work
with lower pulse rates (e.g. 50 times lower) and hence
Another way to create pseudo single-photon states is
reduced detector-induced errors. However, due to limited
the generation of photon pairs and the use of one photon
coupling e¬ciency into optical ¬bers, the probability to
as a trigger for the other one (Hong and Mandel 1986).
¬nd the sister photon after detection of the trigger photon
In contrast to the sources discussed before, the second
in the respective ¬ber is in practice lower than 1. This
detector must be activated only whenever the ¬rst one
means that the e¬ective photon number is not one, but
detected a photon, hence when µ = 1, and not whenever
rather µ ≈ 2/3 (Ribordy et al. 2001), still well above
a pump pulse has been emitted, therefore circumventing
µ = 0.02.
the problem of empty pulses.
Photon pairs generated by parametric down conversion
The photon pairs are generated by spontaneous para-
o¬er a further major advantage if they are not merely
metric down conversion in a χ(2) non-linear crystal16 . In
used as pseudo single-photon source, but if their entan-
this process, the inverse of the well-known frequency dou-
glement is exploited. Entanglement leads to quantum
bling, one photon spontaneously splits into two daughter
correlations which can be used for key generation, (see
photons “ traditionally called signal and idler photon “
paragraph II D 3 and chapter V). In this case, if two pho-
conserving total energy and momentum. In this con-
ton pairs are emitted within the same time window but
text, momentum conservation is called phase matching,
their measurement basis is choosen independently, they
and can be achieved despite chromatic dispersion by ex-
produce completely uncorrelated results. Hence, depend-
ploiting the birefringence of the nonlinear crystal. The
ing on the realization, the problem of multiple photon can
phase matching allows to choose the wavelength, and de-
be avoided, see section VI J.
termines the bandwidth of the downconverted photons.
Figure 5 shows one of our sources creating entangled
photon pairs at 1310 nm wavelength as used in tests of
Bell inequalities over 10 kilometers (Tittel et al. 1998).
Although not as simple as faint laser sources, diode
Contrary to a frequent misconception, there is nothing spe-
pumped photon pair sources emitting in the near infrared
cial about a µ value of 0.1, eventhough it has been selected
can be made compact, robust and rather handy.
by most experimentalists. The optimal value “ i.e. the value
that yields the highest key exchange rate after distillation “
depends on the optical losses in the channel and on assump-
tions about Eve™s technology (see VI H and VI I).
16 17
Recently we achieved a conversion rate of 10’6 using an
For a review see Rarity and Tapster 1988, and for latest
developments Tittel et al. 1999, Kwiat et al. 1999, Jennewein optical waveguide in a periodically poled LiNbO3 crystal
et al. 2000b, Tanzilli et al. 2001. (Tanzilli et al. 2001).

vantage with respect to faint laser pulses with extremely
3. Photon guns
low mean photon numbers µ.
The ideal single photon source is a device that when
one pulls the trigger, and only then, emits one and only
B. Quantum channels
one photon. Hence the name photon gun. Although pho-
ton anti-bunching has been demonstrated already years
The single photon source and the detectors must be
ago (Kimble et al. 1977), a practical and handy device is
connected by a “quantum channel”. Such a channel is
still awaited. At present, there are essentially three dif-
actually nothing specially quantum, except that it is in-
ferent experimental approaches that come more or less
tended to carry information encoded in individual quan-
close to this ideal.
tum systems. Here “individual” doesn™t mean “non-
A ¬rst idea is to work with a single two-level quan-
decomposible”, it is meant in opposition to “ensemble”.
tum system that can obviously not emit two photons at
The idea is that the information is coded in a physical
a time. The manipulation of single trapped atoms or
system only once, contrary to classical communication
ions requires a much too involved technical e¬ort. Sin-
where many photons carry the same information. Note
gle organics dye molecules in solvents (S.C. Kitson et al.
that the present day limit for ¬ber-based classical optical
1998) or solids (Brunel et al. 1999, Fleury et al. 2000)
communication is already down to a few tens of photons,
are easier to handle but only o¬er limited stability at
although in practice one usually uses many more. With
room temperature. Promising candidates, however, are
the increasing bit rate and the limited mean power “ im-
nitrogen-vacancy centers in diamond, a substitutional ni-
posed to avoid nonlinear e¬ects in silica ¬bers “ these
trogen atom with a vacancy trapped at an adjacent lat-
¬gures are likely to get closer and closer to the quantum
tice position (Kurtsiefer et al. 2000, Brouri et al. 2000).
It is possible to excite individual nitrogen atoms with a
The individual quantum systems are usually 2-level
532 nm laser beam, which will subsequently emit a ¬‚uo-
systems, called qubits. During their propagation they
rescence photon around 700 nm (12ns decay time). The
must be protected from environmental noise. Here “en-
¬‚uorescence exhibits strong photon anti-bunching and
vironment” refers to everything outside the degree of
the samples are stable at room temperature. However,
freedom used for the encoding, which is not necessar-
the big remaining experimental challenge is to increase
ily outside the physical system. If, for example, the in-
the collection e¬ciency (currently about 0.1%) in order
formation is encoded in the polarization state, then the
to obtain mean photon numbers close to 1. To obtain
optical frequencies of the photon is part of the environ-
this, an optical cavity or a photonic bandgap structure
ment. Hence, coupling between the polarization and the
must suppress the emission in all spatial modes but one.
optical frequency has to be mastered18 (e.g. avoid wave-
In addition, the spectral bandwith of this type of source
length sensitive polarizers and birefringence). Moreover,
is broad (of the order of 100 nm), enhancing the e¬ect of
the sender of the qubits should avoid any correlation be-
pertubations in a quantum channel.
tween the polarization and the spectrum of the photons.
A second approach is to generate photons by single
Another di¬culty is that the bases used by Alice to
electrons in a mesoscopic p-n junction. The idea is to
code the qubits and the bases used by Bob for his mea-
take pro¬t of the fact that thermal electrons show anti-
surements must be related by a known and stable uni-
bunching (Pauli exclusion principle) in contrast to pho-
tary transformation. Once this unitary transformation
tons (Imamoglu and Yamamoto, 1994). First experimen-
is known, Alice and Bob can compensate for it and get
tal results have been presented (Kim et al. 1999), how-
the expected correlation between their preparations and
ever with extremely low e¬ciencies, and only at a tem-
measurements. If it changes with time, they need an ac-
perature of 50mK!
tive feedback to track it, and if the changes are too fast
Finally, another approach is to use the photon emis-
the communication must be interrupted.
sion of electron-hole pairs in a semiconductor quantum
dot. The frequency of the emitted photon depends on the
number of electron-hole pairs present in the dot. After
1. Singlemode ¬bers
one creates several such pairs by optical pumping, they
will sequentially recombine and hence emit photons at
di¬erent frequencies. Therefore, by spectral ¬ltering a Light is guided in optical ¬bers thanks to the refrac-
single-photon pulse can be obtained (G´rard et al. 1999,
e tive index pro¬le n(x, y) across the section of the ¬bers
Santori et al. 2000, and Michler et al. 2000). These dots (traditionally, the z-axis is along the propagation direc-
can be integrated in solid-states microcavities with strong tion). Over the last 25 years, a lot of e¬ort has been
enhancements of the spontaneous emission (G´rard et al.
In summary, today™s photon guns are still too compli-
cated to be used in a QC-prototype. Moreover, due to 18
Note that, as we will see in chapter V, using entangled
their low quantum e¬ciencies they do not o¬er an ad- photons prevents such information leakage.

made to reduce transmission losses “ initially several dB sion and polarization dependent losses.
per km “, and nowadays, the attenuation is as low as The Geometric phase as encountered when guiding
2dB/km at 800nm wavelength, 0.35 dB/km at 1310 nm, light in an optical ¬ber is a special case of the Berry
phase19 which results when any parameter describing a
and 0.2 dB/km at 1550 nm (see Fig. 6). It is amusing
to note that the dynamical equation describing optical property of the system under concern, here the k-vector
pulse propagation (in the usual slowly varying envelope characterizing the propagation of the light ¬eld, under-
aproximation) is identical to the Schr¨dinger equation,
o goes an adiabatic change. Think ¬rst of a linear polar-
with V (x, y) = ’n(x, y) (Snyder 1983). Hence a positive ization state, let™s say vertical at the input. Will it still
bump in the refractive index corresponds to a potential be vertical at the output? Vertical with respect to what?
well. The region of the well is called the ¬ber core. If Certainly not the gravitational ¬eld! One can follow that
the core is large, many bound modes exist, correspond- linear polarization by hand along the ¬ber and see how
ing to many guided modes in the ¬ber. Such ¬bers are it may change even along a closed loop. If the loop stays
called multimode ¬bers, their core being usually 50 mi- in a plane, the state after a loop coincides with the input
crometer in diameter. The modes couple easily, acting state. But if the loop explores the 3 dimensions of our
on the qubit like a non-isolated environment. Hence mul- space, then the ¬nal state will di¬er from the initial one
timode ¬bers are not appropriate as quantum channels by an angle. Similar reasoning holds for the axes of el-
(see however Townsend 1998a and 1998b). If, however, liptical polarization states. The two circular polarization
the core is small enough (diameter of the order of a few states are the eigenstates: during parallel transport they
wavelengths) then a single spatial mode is guided. Such acquire opposite phases, called the Berry phase. The
¬bers are called singlemode ¬bers. For telecommunica- presence of a geometrical phase is not fatal for quantum
tions wavelength (i.e. 1.3 and 1.5 µm), their core is typ- communication, it simply means that initially Alice and
ically 8 µm in diameter. Singlemode ¬bers are very well Bob have to align their systems by de¬ning for instance
suited to carry single quanta. For example, the optical the vertical and diagonal directions (i.e. performing the
phase at the output of a ¬ber is in a stable relation with unitary transformation mentioned before). If these vary
the phase at the input, provided the ¬ber doesn™t get slowly, they can be tracked, though this requires an ac-
elongated. Hence, ¬ber interferometers are very stable, a tive feedback. However, if the variations are too fast,
fact exploited in many instruments and sensors (see, e.g., the communication might be interrupted. Hence, aerial
Cancellieri 1993). cables that swing in the wind are not appropriate (ex-
Accordingly, a singlemode ¬ber with perfect cylindric cept with selfcompensating con¬gurations, see paragraph
symmetry would provide an ideal quantum channel. But IV C 2).
all real ¬bers have some asymmetries and then the two Birefringence is the presence of two di¬erent phase
polarization modes are no longer degenerate but each has velocities for two orthogonal polarization states. It is
its own propagation constant. A similar e¬ect is caused caused by asymmetries in the ¬ber geometry and in the
by chromatic dispersion, where the group delay depends residual stress distribution inside and around the core.
on the wavelength. Both dispersion e¬ects are the sub- Some ¬bers are made birefringent on purpose. Such
ject of the next paragraphs. ¬bers are called polarization maintaining (PM) ¬bers be-
cause the birefringence is large enough to e¬ectively un-
couple the two polarization eigenmodes. But note that
only these two orthogonal polarization modes are main-
2. Polarization e¬ects in singlemode ¬bers
tained; all the other modes, on the contrary, evolve very
quickly, making this kind of ¬ber completely unsuitable
Polarization e¬ects in singlemode ¬bers are a common
for polarization-based QC systems20 . The global e¬ect
source of problems in all optical communication schemes,
of the birefringence is equivalent to an arbitrary com-
as well classical as quantum ones. In recent years this has
bination of two waveplates, that is, it corresponds to a
been a major topic for R&D in classical optical commu-
unitary transformation. If this transformation is stable,
nication (Gisin et al. 1995). As a result, today™s ¬bers
are much better than the ¬bers a decade ago. Nowa-
days, the remaining birefringence is small enough for the
telecom industry, but for quantum communication, any
birefringence, even extremely small, will always remain Introduced by Michael Berry in 1984, then observed in
a concern. All ¬ber based implementations of QC have optical ¬ber by Tomita and Chiao (1986), and on the single
to face this problem. This is clearly true for polarization photon level by Hariharan et al. (1993), studied in connection
to photon pairs by Brendel et al. (1995).
based systems; but it is equally a concern for phase based
PM ¬bers might be of use for phase based QC systems.
systems, since the interference visibility depends on the
However, this requires the whole setup “ transmission lines
polarization states. Hence, although polarization e¬ects
as well as interferometers at Alice™s and Bob™s “ to be made
are not the only source of di¬culties, we shall describe
of PM ¬bers. While this is principally possible, the need of
them in some detail, distinguishing between 4 e¬ects: the
installing a completely new ¬ber network makes this solution
geometrical one, birefringence, polarization mode disper-
not very practical.

Alice and Bob can compensate for it. The e¬ect of bire- ni¬cant in components like phase modulators. In par-
fringence is thus similar to the geometrical e¬ect, though, ticular, some integrated optics waveguides actually guide
in addition to a rotation, it may also a¬ect the elliptic- only one mode and thus behave almost like polarizers
ity. Stability of birefringence requires slow thermal and (e.g. proton exchange waveguides in LiNbO3 ). PDL
mechanical variations. is usually stable, but if connected to a ¬ber with some
Polarization Mode Dispersion (PMD) is the pres- birefringence, the relation between the polarization state
ence of two di¬erent group velocities for two orthogonal and the PDL may ¬‚uctuate, producing random outcomes
polarization modes. It is due to a delicate combination (Elamari et al. 1998). PDL cannot be described by a uni-
of two causes. First, birefringence produces locally two tary operator acting in the polarization state space (but
group velocities. For optical ¬bers, this local modal dis- it is of course unitary in a larger space (Huttner et al.
persion is in good approximation equal to the phase dis- 1996a). It does thus not preserve the scalar product. In
persion, of the order of a few ps/km. Hence, locally an particular, it can turn non-orthogonal states into orthog-
optical pulse tends to split into a fast mode and a slow onal ones which can then be distinguished unambiguously
mode. But because the birefringence is small, the two (at the cost of some loss) (Huttner et al. 1996a, Clarke et
modes couple easily. Hence any small imperfection along al. 2000). Note that this could be used by Eve, specially
the ¬ber produces polarization mode coupling: some en- to eavesdrop on the 2-state protocol (paragraph II D 1).
ergy of the fast mode couples into the slow mode and Let us conclude this paragraph on polarization e¬ects
vice-versa. PMD is thus similar to a random walk21 and in ¬bers by mentioning that they can be passively com-
grows only with the square root of the ¬ber length. It pensated, provided one uses a go-&-return con¬guration,
is expressed in √ps , with values as low as 0.1 √ps for using Faraday mirrors, as described in section IV C 2.
km km
modern ¬bers and possibly as high as 0.5 or even 1 √ps km
for older ones.
3. Chromatic dispersion e¬ects in singlemode ¬bers
Typical lengths for the polarization mode coupling
vary from a few meters up to hundreds of meters. The
In addition to polarization e¬ects, chromatic disper-
stronger the coupling, the weaker the PMD (the two
sion (CD) can cause problems for quantum cryptography
modes do not have time to move away between the cou-
as well. For instance, as explained in sections IV C and
plings). In modern ¬bers, the couplings are even arti¬-
V B, schemes implementing phase- or phase-and-time-
cially increased during the drawing process of the ¬bers
coding rely on photons arriving at well de¬ned times,
(Hart et al. 1994, Li and Nolan 1998). Since the cou-
that is on photons well localized in space. However, in
plings are exceedingly sensitive, the only reasonable de-
dispersive media like optical ¬bers, di¬erent group ve-
scription is a statistical one, hence PMD is described as
locities act as a noisy environment on the localization of
a statistical distribution of delays δ„ . For long enough
the photon as well as on the phase acquired in an inter-
¬bers, the statistics is Maxwellian and PMD is related to
ferometer. Hence, the broadening of photons featuring
the ¬ber length „“, the mean coupling length h, the mean
non-zero bandwidth, or, in other words, the coupling be-
modal birefringence B and to the RMS delay as follows
tween frequency and position must be circumvented or
(Gisin et al. 1995): PMD≡ << δ„ >> = Bh „“/h.
controlled. This implies working with photons of small
PMD could cause depolarization which would be devas-
bandwidth, or, as long as the bandwidth is not too large,
tating for quantum communication, similar to any deco-
operating close to the wavelength »0 where chromatic
herence in quantum information processing. But fortu-
dispersion is zero, i.e. for standard ¬bers around 1310
nately, for quantum communication the remedy is easy, it
nm. Fortunately, ¬ber losses are relatively small at this
su¬ces to use a source with a coherence time larger than
wavelength and amount to ≈0.35 dB/km. This region
the largest delay δ„ . Hence, when laser pulses are used
is called the second telecommunication window22 . There
(with typical spectral widths ∆» ¤ 1 nm, corresponding
are also special ¬bers, called dispersion-shifted, with a
to a coherence time ≥ 3 ps, see paragraph III A 1), PMD
refractive index pro¬le such that the chromatic disper-
is no real problem. For photons created by parametric
sion goes to zero around 1550 nm, where the attenuation
down conversion, however, PMD can impose severe lim-
is minimal (Neumann 1988)23 .
itations since ∆» ≥ 10 nm (coherence time ¤ 300 fs) is
not unusual.
Polarization Dependent Losses (PDL) is a di¬er-
ential attenuation between two orthogonal polarization 22
The ¬rst one, around 800 nm, is almost no longer used. It
modes. This e¬ect is negligible in ¬bers, but can be sig-
was motivated by the early existence of sources and detectors
at this wavelength. The third window is around 1550 nm
where the attenuation reaches an absolute minimum (Thomas
et al. 2000) and where erbium doped ¬bers provide convenient
In contrast to Brownian motion describing particles di¬u- ampli¬ers (Desurvire 1994).
sion in space as time passes, here photons di¬use in time as 23
Chromatic dispersion in ¬bers is mainly due to the mate-
they propagate along the ¬ber. rial, essentially silicon, but also to the refractive index pro¬le.

CD does not constitute a problem in case of faint laser Transmission over free space features some advan-
pulses where the bandwidth is small. However, it be- tages compared to the use of optical ¬bers. The atmo-
comes a serious issue when utilizing photon pairs cre- sphere has a high transmission window at a wavelength
ated by parametric downconversion. For instance, send- of around 770 nm (see Fig. 8) where photons can eas-
ing photons of 70 nm bandwidth (as used in our long- ily be detected using commercial, high e¬ciency photon
distance Bell inequality tests, Tittel et al. 1998) down counting modules (see chapter III C 1). Furthermore, the
10 km of optical ¬bers leads to a temporal spread of atmosphere is only weakly dispersive and essentially non-
birefringent25 at these wavelengths. It will thus not alter
around 500 ps (assuming photons centered at »0 and a
typical dispersion slope of 0.086 nm2 km ). However, this the polarization state of a photon.
can be compensated for when using energy-time entan- However, there are some drawbacks concerning free-
gled photons (Franson 1992, Steinberg et al. 1992a and space links as well. In contrast to transmitting a signal
1992b, Larchuk et al. 1995). In contrast to polariza- in a guiding medium where the energy is “protected” and
tion coding where frequency and the physical property remains localized in a small region in space, the energy
used to implement the qubit are not conjugate variables, transmitted via a free-space link spreads out, leading to
frequency and time (thus position) constitute a Fourier higher and varying transmission losses. In addition to
pair. The strict energy anti-correlation of signal and idler loss of energy, ambient daylight, or even light from the
photon enables one to achieve a dispersion for one pho- moon at night, might couple into the receiver, leading
ton which is equal in magnitude but opposite in sign to to a higher error rate. However, the latter errors can be
that of the sister photon, corresponding thus to the same maintained at a reasonable level by using a combination
delay24 (see Fig. 7). The e¬ect of broadening of the two of spectral ¬ltering (¤ 1 nm interference ¬lters), spatial
wave packets then cancels out and two simultaneously ¬ltering at the receiver and timing discrimination using
emitted photons stay coincident. However, note that the a coincidence window of typically a few ns. Finally, it
arrival time of the pair varies with respect to its emission is clear that the performance of free-space systems de-
time. The frequency anticorrelation provides also the pends dramatically on atmospheric conditions and is
basis for avoiding decrease of visibility due to di¬erent possible only with clear weather.
wavepacket broadening in the two arms of an interferom- Finally, let us brie¬‚y comment on the di¬erent sources
eter. And since the CD properties of optical ¬bers do leading to coupling losses. A ¬rst concern is the trans-
not change with time “ in contrast to birefringence “ no mission of the signals through a turbulent medium, lead-
on-line tracking and compensation is required. It thus ing to arrival-time jitter and beam wander (hence prob-
turns out that phase and phase-time coding is particu- lems with beam pointing). However, as the time-scales for
larly suited to transmission over long distances in optical atmospheric turbulences involved are rather small “
¬bers: nonlinear e¬ects decohering the qubit “energy” around 0.1 to 0.01 s “, the time jitter due to a varia-
are completely negligible, and CD e¬ects acting on the tion of the e¬ective refractive index can be compensated
localization can be avoided or compensated for in many for by sending a reference pulse at a di¬erent wavelength
cases. at short time (around 100 ns) before each signal pulse.
Since this reference pulse experiences the same atmo-
spheric conditions as the subsequent one, the signal will
4. Free-space links arrive essentially without jitter in the time-window de-
¬ned by the arrival of the reference pulse. In addition,
the reference pulse can be re¬‚ected back to the transmit-
Although telecommunication based on optical ¬bers is
ter and used to correct the direction of the laser beam by
very advanced nowadays, such channels may not always
means of adaptive optics, hence to compensate for beam
be available. Hence, there is also some e¬ort in devel-
wander and to ensure good beam pointing
oping free space line-of-sight communication systems -
Another issue is the beam divergence, hence increase of
not only for classical data transmission but for quantum
spot size at the receiver end caused by di¬raction at the
cryptography as well (see Hughes et al. 2000a and Gor-
transmitter aperture. Using for example 20 cm diameter
man et al. 2000).
optics, the di¬raction limited spot size after 300 km is
of ≈ 1 m. This e¬ect can in principle be kept small
taking advantage of larger optics. However, it can also
be of advantage to have a spot size large compared to the
Indeed, longer wavelengths feel regions further away from the
receiver™s aperture in order to ensure constant coupling
core where the refractive index is lower. Dispersion-shifted
in case of remaining beam wander. In their 2000 paper,
¬bers have, however, been abandoned by today™s industry, be-
cause it turned out to be simpler to compensate for the global
chromatic dispersion by adding an extra ¬ber with high neg-
ative dispersion. The additional loss is then compensated by
an erbium doped ¬ber ampli¬er. In contrast to an optical ¬ber, air is not subject to stress,
Assuming a predominantly linear dependence of CD in hence isotropic.
function of the optical frequency, a realistic assumption.

Gilbert and Hamrick provide a comprehensive discussion • In active quenching circuits, the bias voltage is
of free-space channels in the context of QC. actively lowered below the breakdown voltage as
soon as the leading edge of the avalanche current
is detected (see e.g. Brown et al. 1987). This
mode enables higher count rates compared to pas-
C. Single-photon detection
sive quenching (up to tens of MHz), since the dead-
time can be as short as some tens of ns. How-
With the availability of pseudo single-photon and
ever, the fast electronic feedback system renders
photon-pair sources, the success of quantum cryptogra-
active quenching circuits much more complicated
phy is essentially dependent on the possibility to detect
than passive ones.
single photons. In principle, this can be achieved using
a variety of techniques, for instance photo-multipliers,
• Finally, in gated mode operation, the bias volt-
avalanche-photodiodes, multichannel plates, supercon-
age is kept below the breakdown voltage and is
ducting Josephson junctions. The ideal detector should
raised above only for a short time when a photon
ful¬ll the following requirements:
is expected to arrive, typically a few ns. Maxi-
mum count-rates similar to active quenching cir-
cuits can be obtained using less complicated elec-
• it should feature a high quantum detection e¬- tronics. Gated mode operation is commonly used in
ciency over a large spectral range, quantum cryptography based on faint laser pulses
where the arrival-times of the photons are well
• the probability of generating noise, that is a signal
known. However, it only applies if prior timing
without a photon arriving, should be small,
information is available. For 2-photon schemes, it
• to ensure a good timing resolution, the time be- is most often combined with one passive quenched
tween detection of a photon and generation of an detector, generating the trigger signal for the gated
electrical signal should be as constant as possible, detector.
i.e. the time jitter should be small,
Apart from Geiger mode, Brown et al. also investi-
• the recovery time (i.e. the deadtime) should be gated the performance of Silicon APDs operated in sub-
small to allow high data rates. Geiger mode (Brown et al. 1989). In this mode, the bias
voltage is kept slightly smaller than the breakdown volt-
In addition, it is important to keep the detectors age such that the multiplication factor “ around 100 “
handy. For instance, a detector which needs liquid he- already enables to detect an avalanche, however, is still
lium or even nitrogen cooling would certainly render a small enough to prevent real breakdowns. Unfortunately,
commercial development di¬cult. the single-photon counting performance in this mode is
Unfortunately, it turns out that it is impossible to meet rather bad and initial e¬orts have not been continued,
all mentioned points at the same time. Today, the best the major problem being the need for extremely low-noise
choice is avalanche photodiodes (APD). Three di¬erent ampli¬ers.
semiconductor materials are used: either Silicon, Ger-
manium or Indium Gallium Arsenide, depending on the
An avalanche engendered by carriers created in the
conduction band of the diode can not only be caused
APDs are usually operated in so-called Geiger mode.
by an impinging photon, but also by unwanted causes.
In this mode, the applied voltage exceeds the breakdown
These might be thermal or band-to-band tunneling pro-
voltage, leading an absorbed photon to trigger an elec-
cesses, or emissions from trapping levels populated while
tron avalanche consisting of thousands of carriers. To re-
a current transits through the diode. The ¬rst two causes
set the diode, this macroscopic current must be quenched
produce avalanches not due to photons and are referred
“ the emission of charges stopped and the diode recharged
to as darkcounts. The third process depends on previous
(Cova et al. 1996). Three main possibilities exist:
avalanches and its e¬ect is called afterpulses. Since the
number of trapped charges decreases exponentially with
• In passive-quenching circuits, a large (50-500 k„¦)
time, these afterpulses can be limited by applying large
resistor is connected in series with the APD (see
deadtimes. Thus, there is a trade-o¬ between high count
e.g. Brown et al. 1986). This causes a decrease of
rates and low afterpulses. The time-constant of the ex-
the voltage across the APD as soon as an avalanche
ponential decrease of afterpulses shortens for higher tem-
starts. When it drops below breakdown voltage,
peratures of the diode. Unfortunately, operating APDs
the avalanche stops and the diode recharges. The
at higher temperature leads to a higher fraction of ther-
recovery time of the diode is given by its capaci-
mal noise, that is higher dark counts. There is thus again
tance and by the value of the quench resistor. The
a tradeo¬ to be optimized. Finally, increasing the bias
maximum count rate varies from some hundred kHz
voltage leads to a larger quantum e¬ciency and a smaller
to a few MHz.
time jitter, at the cost of an increase in the noise.

. 1
( 3)