ńņš. 1 |

Nicolas Gisin, GrĀ“goire Ribordy, Wolfgang Tittel and Hugo Zbinden

e

Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland

(February 1, 2008; submitted to Reviews of Modern Physics)

4 Free-space links . . . . . . . . . . . 17

Quantum cryptography could well be the ļ¬rst application C Single-photon detection . . . . . . . . . 18

of quantum mechanics at the individual quanta level. The

1 Photon counting at wavelengths be-

very fast progress in both theory and experiments over the

low 1.1 Āµm . . . . . . . . . . . . . . 19

recent years are reviewed, with emphasis on open questions

2 Photon counting at telecommunica-

and technological issues.

tion wavelengths . . . . . . . . . . . 19

arXiv:quant-ph/0101098v2 18 Sep 2001

D Quantum random number generators . 20

E Quantum repeaters . . . . . . . . . . . 20

Contents

IV Experimental quantum cryptography

I Introduction 2 with Faint laser pulses 21

A Quantum Bit Error Rate . . . . . . . . 22

II A beautiful idea 2 B Polarization coding . . . . . . . . . . . 23

A The intuition . . . . . . . . . . . . . . . 2 C Phase coding . . . . . . . . . . . . . . . 24

B Classical cryptography . . . . . . . . . 3 1 The double Mach-Zehnder imple-

1 Asymmetrical (public-key) cryp- mentation . . . . . . . . . . . . . . 25

tosystems . . . . . . . . . . . . . . . 3 2 The āPlug-&-Playā systems . . . . 26

2 Symmetrical (secret-key) cryptosys- D Frequency coding . . . . . . . . . . . . 28

tems . . . . . . . . . . . . . . . . . 4 E Free space line-of-sight applications . . 29

3 The one-time-pad as āclassical tele- F Multi-users implementations . . . . . . 30

portationā . . . . . . . . . . . . . . 5

C The example of the BB84 protocol . . . 5 V Experimental quantum cryptography

1 Principle . . . . . . . . . . . . . . . 5 with photon pairs 31

2 No cloning theorem . . . . . . . . . 6 A Polarization entanglement . . . . . . . 32

3 Intercept-resend strategy . . . . . . 6 B Energy-time entanglement . . . . . . . 33

4 Error correction, privacy ampliļ¬ca- 1 Phase-coding . . . . . . . . . . . . . 33

tion and quantum secret growing . . 6 2 Phase-time coding . . . . . . . . . . 34

5 Advantage distillation . . . . . . . . 8 3 Quantum secret sharing . . . . . . . 35

D Other protocols . . . . . . . . . . . . . 8

1 2-state protocol . . . . . . . . . . . 8 VI Eavesdropping 35

2 6-state protocol . . . . . . . . . . . 9 A Problems and Objectives . . . . . . . . 35

3 EPR protocol . . . . . . . . . . . . 9 B Idealized versus real implementation . . 36

4 Other variations . . . . . . . . . . . 10 C Individual, joint and collective attacks 36

E Quantum teleportation as āQuantum D Simple individual attacks: intercept-

one-time-padā . . . . . . . . . . . . . . 10 resend, measurement in the intermedi-

F Optical ampliļ¬cation, quantum non- ate basis . . . . . . . . . . . . . . . . . 37

demolition measurements and optimal E Symmetric individual attacks . . . . . . 37

quantum cloning . . . . . . . . . . . . . 10 F Connection to Bell inequality . . . . . . 40

G Ultimate security proofs . . . . . . . . 40

III Technological challenges 12 H Photon number measurements, lossless

A Photon sources . . . . . . . . . . . . . . 12 channels . . . . . . . . . . . . . . . . . 42

1 Faint laser pulses . . . . . . . . . . 12 I A realistic beamsplitter attack . . . . . 43

2 Photon pairs generated by paramet- J Multi-photon pulses and passive choice

ric downconversion . . . . . . . . . 13 of states . . . . . . . . . . . . . . . . . 43

3 Photon guns . . . . . . . . . . . . . 14 K Trojan Horse Attacks . . . . . . . . . . 43

B Quantum channels . . . . . . . . . . . . 14 L Real security: technology, cost and

1 Singlemode ļ¬bers . . . . . . . . . . 14 complexity . . . . . . . . . . . . . . . . 44

2 Polarization eļ¬ects in singlemode

ļ¬bers . . . . . . . . . . . . . . . . . 15 VII Conclusion 44

3 Chromatic dispersion eļ¬ects in sin-

glemode ļ¬bers . . . . . . . . . . . . 16

1

a way that they can be read independently.

I. INTRODUCTION

Electrodynamics was discovered and formalized in the

II. A BEAUTIFUL IDEA

19th century. The 20th century was then profoundly af-

fected by its applications. A similar adventure is pos-

The idea of QC was ļ¬rst proposed only in the 1970ā™s

sibly happening for quantum mechanics, discovered and

by Wiesner2 (1983) and by Charles H. Bennett from

formalized during the last century. Indeed, although the

IBM and Gilles Brassard from MontrĀ“al University (1984,

e

laser and semiconductors are already common, applica-

3

1985) . However, this idea is so simple that actually ev-

tions of the most radical predictions of quantum mechan-

ery ļ¬rst year student since the infancy of quantum me-

ics have been thought of only recently and their full power

chanics could have discovered it! Nevertheless, it is only

remains a fresh gold mine for the physicists and engineers

of the 21st century. nowadays that the matter is mature and information se-

curity important enough, and ā“ interestingly ā“ only nowa-

The most peculiar characteristics of quantum mechan-

days that physicists are ready to consider quantum me-

ics are the existence of indivisible quanta and of entan-

chanics, not only as a strange theory good for paradoxes,

gled systems. Both of these are at the root of Quantum

but also as a tool for new engineering. Apparently, infor-

Cryptography (QC) which could very well be the ļ¬rst

mation theory, classical cryptography, quantum physics

commercial application of quantum physics at the indi-

and quantum optics had ļ¬rst to develop into mature sci-

vidual quantum level. In addition to quantum mechan-

ics, the 20th century has been marked by two other major ences. It is certainly not a coincidence that QC and, more

generally, quantum information has been developed by a

scientiļ¬c revolutions: the theory of information and rel-

community including many computer scientists and more

ativity. The status of the latter is well recognized. It

mathematics oriented young physicists. A broader inter-

is less known that the concept of information, nowadays

est than traditional physics was needed.

measured in bits, and the formalization of probabilities is

quite recent1 , although they have a tremendous impact

on our daily life. It is fascinating to realize that QC lies at

A. The intuition

the intersection of quantum mechanics and information

theory and that, moreover, the tension between quan-

tum mechanics and relativity ā“ the famous EPR paradox Quantum Physics is well-known for being counter-

(Einsteinet al.1935) ā“ is closely connected to the security intuitive, or even bizarre. We teach students that Quan-

of QC. Let us add a further point for the young physicists. tum Physics establishes a set of negative rules stating

Contrary to laser and semiconductor physics, which are things that cannot be done. For example:

manifestations of quantum physics at the ensemble level

1. Every measurement perturbs the system.

and can thus be described by semi-classical models, QC,

and even much more quantum computers, require a full

2. One cannot determine simultaneously the position

quantum mechanical description (this may oļ¬er interest-

and the momentum of a particle with arbitrary high

ing jobs for physicists well trained in the subtleties of

accuracy.

their science).

This review article has several objectives. First we 3. One cannot measure the polarization of a photon in

present the basic intuition behind QC. Indeed the basic the vertical-horizontal basis and simultaneously in

idea is so beautiful and simple that every physicist and the diagonal basis.

every student should be given the pleasure to enjoy it.

The general principle is then set in the broader context of

modern cryptology (section II B) and made more precise

(section II C). Chapter III discusses the main technologi- 2

Stephen Wiesner, then at Columbia University, was the

cal challenges. Then, chapters IV and V present the most ļ¬rst one to propose ideas closely related to QC, already in

common implementation of QC using weak laser pulses the 1970ā™s. However, his revolutionary paper appeared only a

and photon pairs, respectively. Finally, the important decade later. Since it is diļ¬cult to ļ¬nd, let us mention his ab-

and diļ¬cult problems of eavesdropping and of security stract: The uncertainty principle imposes restrictions on the

proofs are discussed in chapter VI, where the emphasis is capacity of certain types of communication channels. This pa-

more on the variety of questions than on technical issues. per will show that in compensation for this āquantum noiseā,

We tried to write the diļ¬erent parts of this review in such quantum mechanics allows us novel forms of coding without

analogue in communication channels adequately described by

classical physics.

3

Artur Ekert (1991) from Oxford University discovered QC

independently, though from a diļ¬erent perspective (see para-

1

The Russian mathematician A.N. Kolmogorow (1956) is

graph II D 3).

credited with being the ļ¬rst to have consistently formulated

a mathematical theory of probabilities in the 1940ā™s.

2

4. One cannot draw pictures of individual quantum channel to transmit information, but only to transmit a

random sequence of bits, i.e. a key. Now, if the key is

processes.

unperturbed, then Quantum Physics guarantees that no

5. One cannot duplicate an unknown quantum state. one got any information about this key by eavesdropping

(i.e. measuring) the quantum communication channel.

This negative viewpoint on Quantum Physics, due to

In this case, Alice and Bob can safely use this key to

its contrast to classical physics, has only recently been

encode messages. If, on the contrary, the key turns out

turned positive and QC is one of the best illustrations

to be perturbed, then Alice and Bob simply disregard it;

of this psychological revolution. Actually, one could car-

since the key does not contain any information, they did

icature Quantum Information Processing as the science

not lose any.

of turning Quantum conundrums into potentially useful

Let us make this general idea somewhat more pre-

applications.

cise, anticipating section II C. In practice, the individual

Let us illustrate this for QC. One of the basic negative

quanta used by Alice and Bob, often called qubits (for

statement of Quantum Physics reads:

quantum bits), are encoded in individual photons. For

example, vertical and horizontal polarization code for bit

Every measurement perturbs the system (1)

value zero and one, respectively. The second basis, can

then be the diagonal one (Ā±45o linear polarization), with

(except if the quantum state is compatible with the mea-

+45o for bit 1 and ā’45o for bit 0, respectively (see Fig.

surement). The positive side of this axiom can be seen

1). Alternatively, the circular polarization basis could

when applied to a communication between Alice and

be used as second basis. For photons the quantum com-

Bob (the conventional names of the sender and receiver,

munication channel can either be free space (see section

respectively), provided the communication is quantum.

IV E) or optical ļ¬bers ā“ special ļ¬bers or the ones used in

The latter means that the support of information are

standard telecommunication ā“ (section III B). The com-

quantum systems, like, for example, individual photons.

munication channel is thus not really quantum. What is

Indeed, then axiom (1) applies also to the eavesdroppers,

quantum are the information carriers.

i.e. to a malicious Eve (the conventional name given to

But before continuing, we need to see how QC could

the adversary in cryptology). Hence, Eve cannot get any

ļ¬t in the existing cryptosystems. For this purpose the

information about the communication without introduc-

next section brieļ¬‚y surveys some of the main aspects of

ing perturbations which would reveal her presence.

modern cryptology.

To make this intuition more precise, imagine that Alice

codes information in individual photons which she sends

to Bob. If Bob receives the photons unperturbed, then,

B. Classical cryptography

by the basic axiom (1), the photons were not measured.

No measurement implies that Eve did not get any in-

formation about the photons (note that acquiring infor- Cryptography is the art of rendering a message un-

mation is synonymous to carrying out measurements). intelligible to any unauthorized party. It is part of the

Consequently, after exchanging the photons, Alice and broader ļ¬eld of cryptology, which also includes crypto-

Bob can check whether someone āwas listeningā: they analysis, the art of code breaking (for a historical per-

simply compare a randomly chosen subset of their data spective, see Singh 1999). To achieve this goal, an algo-

using a public channel. If Bob received the randomly rithm (also called a cryptosystem or cipher) is used to

chosen subset unperturbed then the logic goes as follows: combine a message with some additional information ā“

known as the ākeyā ā“ and produce a cryptogram. This

technique is known as āencryptionā. For a cryptosystem

N o perturbation ā’ N o measurement to be secure, it should be impossible to unlock the cryp-

ā’ N o eavesdropping (2) togram without the key. In practice, this demand is often

softened so that the system is just extremely diļ¬cult to

It is as simple as that! crack. The idea is that the message should remain pro-

tected at least as long as the information it contains is

Actually, there are two more points to add. First, in valuable. Although conļ¬dentiality is the traditional ap-

order to ensure that axiom (1) applies, Alice encodes her plication of cryptography, it is used nowadays to achieve

information in non-orthogonal states (we shall illustrate broader objectives, such as authentication, digital signa-

this in the sections II C and II D). Second, as we have tures and non-repudiation (Brassard 1988).

presented it so far, Alice and Bob could discover any

eavesdropper, but only after they exchanged their mes-

sage. It would of course be much better to ensure the 1. Asymmetrical (public-key) cryptosystems

privacy in advance, and not afterwards! To achieve this,

Alice and Bob complement the above simple idea with a Cryptosytems come in two main classes ā“ depending on

second idea, again a very simple one, and one which is whether Alice and Bob use the same key. Asymmetrical

entirely classical. Alice and Bob do not use the quantum

3

systems involve the use of diļ¬erent keys for encryption ers.

and decryption. They are commonly known as public-key Similarly, all public-key cryptosystems rely on un-

cryptosystems. Their principle was ļ¬rst proposed in 1976 proven assumptions for their security, which could them-

by Whitļ¬eld Diļ¬e and Martin Hellman, who were then selves be weakened or suppressed by theoretical or prac-

at Stanford University in the US. The ļ¬rst actual im- tical advances. So far, no one has proved the existence of

plementation was then developed by Ronald Rivest, Adi any one-way function with a trapdoor. In other words,

Shamir,and Leonard Adleman of the Massachusetts In- the existence of secure asymmetric cryptosystems is not

stitute of Technology in 19784. It is known as RSA and is proven. This casts an intolerable threat on these cryp-

still widely used. If Bob wants to be able to receive mes- tosystems.

sages encrypted with a public key cryptosystem, he must In a society where information and secure communi-

ļ¬rst choose a āprivateā key, which he keeps secret. Then, cation is of utmost importance, as in ours, one cannot

he computes from this private key a āpublicā key, which tolerate such a threat. Think, for instance, that an

he discloses to any interested party. Alice uses this public overnight breakthrough in mathematics could make elec-

key to encrypt her message. She transmits the encrypted tronic money instantaneously worthless. To limit such

message to Bob, who decrypts it with the private key. economical and social risks, there is no possibility but

Public-key cryptosystems are convenient and they have to turn to symmetrical cryptosystems. QC has a role to

thus become very popular over the last 20 years. The play in such alternative systems.

security of the internet, for example, is partially based

on such systems. They can be thought of as a mailbox,

where anybody can insert a letter. Only the legitimate 2. Symmetrical (secret-key) cryptosystems

owner can then recover it, by opening it with his private

key. Symmetrical ciphers require the use of a single key for

The security of public key cryptosystems is based on both encryption and decryption. These systems can be

computational complexity. The idea is to use mathemat- thought of as a safe, where the message is locked by Al-

ical objects called one-way functions. By deļ¬nition, it ice with a key. Bob in turns uses a copy of this key to

is easy to compute the function f (x) given the variable unlock the safe. The āone-time padā, ļ¬rst proposed by

x, but diļ¬cult to reverse the calculation and compute x Gilbert Vernam of AT&T in 1926, belongs to this cate-

from f (x). In the context of computational complexity, gory. In this scheme, Alice encrypts her message, a string

the word ādiļ¬cultā means that the time to do a task of bits denoted by the binary number m1 , using a ran-

grows exponentially with the number of bits in the in- domly generated key k. She simply adds each bit of the

put, while āeasyā means that it grows polynomially. In- message with the corresponding bit of the key to obtain

tuitively, it is easy to understand that it only takes a few the scrambled text (s = m1 ā• k, where ā• denotes the

seconds to work out 67 Ć— 71, but it takes much longer binary addition modulo 2 without carry). It is then sent

to ļ¬nd the prime factors of 4757. However, factoring has to Bob, who decrypts the message by subtracting the key

a ātrapdoorā, which means that it is easy to do the cal- (sā–k = m1 ā•k ā–k = m1 ). Because the bits of the scram-

culation in the diļ¬cult direction provided that you have bled text are as random as those of the key, they do not

some additional information. For example, if you were contain any information. This cryptosystem is thus prov-

told that 67 was one of the prime factors of 4757, the ably secure in the sense of information theory (Shannon

calculation would be relatively simple. The security of 1949). Actually, this is today the only provably secure

RSA is actually based on the factorization of large inte- cryptosystem!

gers. Although perfectly secure, the problem with this sys-

In spite of its elegance suļ¬ers from a major ļ¬‚aw. tem is that it is essential for Alice and Bob to possess a

Whether factoring is ādiļ¬cultā or not could never be common secret key, which must be at least as long as the

proven. This implies that the existence of a fast algo- message itself. They can only use the key for a single en-

rithm for factorization cannot be ruled out. In addi- cryption ā“ hence the name āone-time padā. If they used

tion, the discovery in 1994 by Peter Shor of a polynomial the key more than once, Eve could record all of the scram-

algorithm allowing fast factorization of integers with a bled messages and start to build up a picture of the plain

quantum computer puts additional doubts on the non- texts and thus also of the key. (If Eve recorded two diļ¬er-

existence of a polynomial algorithm for classical comput- ent messages encrypted with the same key, she could add

the scrambled text to obtain the sum of the plain texts:

s1 ā• s2 = m 1 ā• k ā• m 2 ā• k = m 1 ā• m 2 ā• k ā• k = m 1 ā• m 2 ,

where we used the fact that ā• is commutative.) Fur-

4

thermore, the key has to be transmitted by some trusted

According to the British Government, public key cryptog-

means, such as a courier, or through a personal meeting

raphy was originally invented at the Government Communica-

between Alice and Bob. This procedure can be complex

tions Headquarters in Cheltenham as early as in 1973. For an

historical account, see for example the book by Simon Singh and expensive, and may even amount to a loophole in

(1999). the system.

4

and conventions5. The interdisciplinary character of QC

Because of the problem of distributing long sequences

of key bits, the one-time pad is currently used only for the is the probable reason for its relatively slow start, but

most critical applications. The symmetrical cryptosys- it certainly contributes crucially to the vast and fast ex-

tems in use for routine applications such as e-commerce pansion over the recent years.

employ rather short keys. In the case of the Data En- We shall explain the BB84 protocol using the language

1

cryption Standard (also known as DES, promoted by the of spin 2 , but clearly any 2-level quantum system would

United Statesā™ National Institute of Standards and Tech- do. The protocol uses 4 quantum states that constitute

nology), a 56 bits key is combined with the plain text 2 bases, think of the states up | ā‘ , down | ā“ , left | ā

divided in blocks in a rather complicated way, involving and right | ā’ . The bases are maximally conjugate in

permutations and non-linear functions to produce the ci- the sense that any pair of vectors, one from each basis,

1

has the same overlap, e.g. | ā‘ | ā |2 = 2 . Convention-

pher text blocks (see Stallings 1999 for a didactic pre-

sentation). Other cryptosystems (e.g. IDEA or AES) ally, one attributes the binary value 0 to states | ā‘ and

follow similar principles. Like asymmetrical cryptosys- | ā’ and the value 1 to the other two states, and calls

tems, they oļ¬er only computational security. However the states qubits (for quantum bits). In the ļ¬rst step,

for a given key length, symmetrical systems are more se- Alice sends individual spins to Bob in states chosen at

cure than their asymmetrical counterparts. random among the 4 basic states (in Fig. 1 the spin

In practical implementations, asymmetrical algorithms states | ā‘ ,| ā“ , | ā’ and | ā are identiļ¬ed with the

polarization states āhorizontalā, āvericalā, ā+45oā and

are not so much used for encryption, because of their

ā-45oā, respectively). How she āchooses at randomā is

slowness, but to distribute session keys for symmetrical

cryptosystems such as DES. Because the security of those a delicate problem in practice (see section III D), but in

algorithms is not proven (see paragraph II B 1), the secu- principle she could use her free will. The individual spins

rity of the whole implementation can be compromised. If could be sent all at once, or one after the other (much

they were broken by mathematical advances, QC would more practical); the only restriction being that Alice and

constitute the only way to solve the key distribution Bob can establish a one-to-one correspondence between

problem. the transmitted and the received spins. Next, Bob mea-

sures the incoming spins in one of the two bases, chosen

at random (using a random number generator indepen-

dent from that of Alice). At this point, whenever they

3. The one-time-pad as āclassical teleportationā

used the same basis, they get perfectly correlated results.

However, whenever they used diļ¬erent basis, they get

The one-time-pad has an interesting characteristic.

uncorrelated results. Hence, on average, Bob obtains a

Assume that Alice aims at transferring to Bob a faithful

string of bits with 25% errors, called the raw key. This er-

copy of a classical system, without giving any informa-

ror rate is so large that standard error correction schemes

tion to Eve about this system. For this purpose Alice

would fail. But in this protocol, as we shall see, Alice and

and Bob have only access to an insecure classical chan-

Bob know which bits are perfectly correlated (the ones for

nel. This is possible provided they share an arbitrary

which Alice and Bob used the same basis) and which ones

long secret key. Indeed, in principle Alice can measure

are completely uncorrelated (all the other ones). Hence,

the state of her classical system with arbitrary high pre-

a straightforward error correction scheme is possible: For

cision and then use the one-time-pad to securely commu-

each bit Bob announces publicly in which basis he mea-

nicate this information to Bob who can then, in principle,

sured the corresponding qubit (but he does not tell the

reconstruct (a copy of) the classical system. This some-

result he obtained). Alice then only tells whether or not

what artiļ¬cial use of the one-time-pad has an interesting

the state in which she encoded that qubit is compatible

quantum relative, (see section II E).

with the basis announced by Bob. If the state is com-

patible, they keep the bit, if not they disregard it. In

this way about 50% of the bit string is discarded. This

C. The example of the BB84 protocol

shorter key obtained after bases reconciliation is called

the sifted key6 . The fact that Alice and Bob use a public

1. Principle

channel at some stage of their protocol is very common

The ļ¬rst protocol for QC has been proposed in 1984

by Charles H. Bennett, from IBM New-York, and Gilles

Brassard, from the University of Montreal, hence the 5

For instance, it is amusing to note that physicists must

name BB84 under which this protocol is recognized nowa-

publish in reputed journals while conference proceedings are

days. They published their work in a conference in In-

of secondary importance. For computer science, on the con-

dia, totally unknown to physicists. This underlines at

trary, the proceedings of the best conferences are considered

once that QC needs the collaboration between diļ¬erent

as the top, while journals are secondary!

communities, with diļ¬erent jargons and diļ¬erent habits 6

This terminology has been introduced by Ekert and Hut-

tner in 1994.

5

in crypto-protocols. This channel does not have to be But the latter state diļ¬ers from the ideal copy | ā’, ā’

conļ¬dential, but has to be authentic. Hence, any ad- , fā’ , whatever the states |fĻ are.

versary Eve can listen to all the communication on the Consequently, Eve canā™t keep a perfect quantum copy,

public channel, but she canā™t modify it. In practice Al- because perfect quantum copy machines canā™t exist. The

ice and Bob may use the same transmission channel to possibility to copy classical information is probably one

implement both the quantum and the classical channels. of the most characteristic features of information in the

Note that neither Alice nor Bob can decide which key every day sense. The fact that quantum states, nowadays

results from the protocol7 . Indeed, it is the conjunction often called quantum information, canā™t be copied is cer-

of both of their random choices which produces the key. tainly one of the most speciļ¬c attributes which make this

Let us now consider the security of the above ideal new kind of information so diļ¬erent, hence so attractive.

protocol (ideal because so far we did not take into ac- Actually, this ānegative ruleā has clearly its positive side,

count unavoidable noise due to technical imperfections). since it prevents Eve from perfect eavesdropping, and

Assume that some adversary Eve intercepts a qubit prop- hence makes QC potentially secure.

agating from Alice to Bob. This is very easy, but if Bob

does not receive an expected qubit, he will simply inform

Alice to disregard it. Hence, in this way Eve only lowers 3. Intercept-resend strategy

the bit rate (possibly down to zero), but she does not

gain any useful information. For real eavesdropping Eve We have seen that the eavesdropper needs to send a

must send a qubit to Bob. Ideally she would like to send qubit to Bob, while keeping a necessarily imperfect copy

this qubit in its original state, keeping a copy for herself. for herself. How imperfect the copy has to be, accord-

ing to quantum theory, is a delicate problem that we

shall address in chapter VI. Here, let us develop a sim-

2. No cloning theorem ple eavesdropping strategy, called intercept-resend. This

simple and even practical attack consists in Eve measur-

Following Wootters and Zurek (1982) it is easy to prove ing each qubit in one of the two basis, precisely as Bob

that perfect copying is impossible in the quantum world does. Then, she resends to Bob another qubit in the

(see also Milonni and Hardies 1982, Dieks 1982, and the state corresponding to her measurement result. In about

anticipating intuition by Wigner in 1961). Let Ļ denote half of the cases Eve will be lucky and choose the basis

the original state of the qubit, |b the blank copy8 and compatible with the state prepared by Alice. In these

denote |0 ā HQCM the initial state of Eveā™s āquantum cases she resends to Bob a qubit in the correct state and

copy machineā, where the Hilbert space HQCM of the Alice and Bob wonā™t notice her intervention. However, in

quantum cloning machine is arbitrary. The ideal machine the other 50% cases, Eve unluckily uses the basis incom-

would produce: patible with the state prepared by Alice. This necessarily

happens, since Eve has no information on Aliceā™s random

Ļ ā— |b ā— |0 ā’ Ļ ā— Ļ ā— |fĻ (3) generator (hence the importance that this generator is

truly random). In these cases the qubits sent out by Eve

where |fĻ denotes the ļ¬nal state of Eveā™s machine which 1

are in states with overlap 2 with the correct states. Al-

might depend on Ļ. Accordingly, using obvious nota- ice and Bob discover thus her intervention in about half

tions, of these cases, since they get uncorrelated results. Alto-

gether, if Eve uses this intercept-resend strategy, she gets

| ā‘, b, 0 ā’ | ā‘, ā‘, fā‘ (4) 50% information, while Alice and Bob have about 25%

and | ā“, b, 0 ā’ | ā“, ā“, fā“ . (5) of errors in their sifted key, i.e. after they eliminated the

cases in which they used incompatible states, there are

By linearity of quantum dynamics it follows that still about 25% errors. They can thus easily detect the

presence of Eve. If, however, Eve applies this strategy to

1

| ā’, b, 0 = ā (| ā‘ + | ā“ ) ā— |b, 0 only a fraction of the communication, 10% letā™s say, then

(6)

2 the error rate will be only ā2.5% while Eveā™s information

1 would be ā5%. The next section explains how Alice and

ā’ ā (| ā‘, ā‘, fā‘ + | ā“, ā“, fā“ ). (7)

Bob can counter such attacks.

2

4. Error correction, privacy ampliļ¬cation and quantum

7 secret growing

Alice and Bob can however determine the statistics of the

key.

8

|b corresponds to the stock of white paper in everydayā™s At this point in the BB84 protocol, Alice and Bob

photocopy machine. We shall assume that exceptionally this share a so-called sifted key. But this key contains errors.

stock is not empty, a purely theoretical assumption, as is well The errors are caused as well by technical imperfections,

known.

6

as possibly by Eveā™s intervention. Realistic error rates Without discussing any algorithm in detail, let us give

on the sifted key using todayā™s technology are of a few some intuition how Alice and Bob can establish a se-

percent. This contrasts strongly with the 10ā’9 typical in cret key when condition (8) is satisļ¬ed. First, once the

optical communication. Of course, the few percent errors sifted key is obtained (i.e. after the bases have been an-

will be corrected down to the standard 10ā’9 during the nounced), Alice and Bob publicly compare a randomly

(classical) error correction step of the protocol. In order chosen subset of it. In this way they estimate the error

to avoid confusion, especially among the optical commu- rate (more generally, they estimate their marginal prob-

nication specialists, Beat Perny from Swisscom and Paul ability distribution P (Ī±, Ī²)). These publicly disclosed

Townsend, then with BT, proposed to name the error bits are then discarded. Next, either condition (8) is not

rate on the sifted key QBER, for Quantum Bit Error satisļ¬ed and they stop the protocol. Or condition (8)

Rate, to make it clearly distinct from the BER used in is satisļ¬ed and they use some standard error correction

standard communications. protocol to get a shorter key without errors.

Such a situation where the legitimate partners share With the simplest error correction protocol, Alice ran-

classical information, with high but not 100% correla- domly chooses pairs of bits and announces their XOR

tion and with possibly some correlation to a third party value (i.e. their sum modulo 2). Bob replies either āac-

is common to all quantum cryptosystems. Actually, it ceptā if he has the same XOR value for his corresponding

is also a standard starting point for classical information bits, or ārejectā if not. In the ļ¬rst case, Alice and Bob

based cryptosystems where one assumes that somehow keep the ļ¬rst bit of the pair and eliminate the second one,

Alice, Bob and Eve have random variables Ī±, Ī² and Ē«, re- while in the second case they eliminate both bits. In re-

spectively, with joint probability distribution P (Ī±, Ī², Ē«). ality, more complex and eļ¬cient algorithms are used.

Consequently, the last step in a QC protocol uses classi- After error correction, Alice and Bob have identical

cal algorithms, ļ¬rst to correct the errors, next to lower copies of a key, but Eve may still have some information

Eveā™s information on the ļ¬nal key, a process called pri- about it (compatible with condition (8)). Alice and Bob

thus need to lower Eveā™s information down to an arbitrar-

vacy ampliļ¬cation.

The ļ¬rst mention of privacy ampliļ¬cation appears in ily low value using some privacy ampliļ¬cation protocols.

Bennett, Brassard and Robert (1988). It was then ex- These classical protocols typically work as follows. Alice

tended in collaboration with C. CrĀ“peau and U. Maurer

e again randomly choses pairs of bits and computes their

from the University of Montreal and the ETH ZĀØ rich, re-

u XOR value. But, contrary to error correction she does

spectively (Bennett et al. 1995, see also Bennett et al. not announce this XOR value. She only announces which

1992a). Interestingly, this work motivated by QC found bits she chose (e.g. bit number 103 and 537). Alice and

applications in standard information-based cryptography Bob then replace the two bits by their XOR value. In

(Maurer 1993, Maurer and Wolf 1999). this way they shorten their key while keeping it error

Assume that such a joint probability distribution free, but if Eve has only partial information on the two

P (Ī±, Ī², Ē«) exists. Near the end of this section, we com- bits, her information on the XOR value is even lower.

ment on this assumption. Alice and Bob have access only Consider for example that Eve knows only the value of

to the marginal distribution P (Ī±, Ī²). From this and from the ļ¬rst bit, and nothing about the second one. Then

the laws of quantum mechanics, they have to deduce con- she has no information at all on the XOR value. Also, if

straints on the complete scenario P (Ī±, Ī², Ē«), in particular Eve knows the value of both bits with 60% probability,

they have to bound Eveā™s information (see sections VI E then the probability that she guesses correctly the value

of the XOR is only of 0.62 + 0.42 = 52%. This process

and VI G). Given P (Ī±, Ī², Ē«), necessary and suļ¬cient con-

ditions for a positive secret key rate between Alice and would have to be repeated several times; more eļ¬cient

Bob, S(Ī±, Ī²||Ē«), are not yet known. However, a useful algorithms use larger blocks (Brassard and Salvail 1993).

lower bound is given by the diļ¬erence between Alice and The error correction and privacy ampliļ¬cation algo-

Bobā™s mutual Shannon information I(Ī±, Ī²) and Eveā™s mu- rithms sketched above are purely classical algorithms.

tual information (CsiszĀ“r and KĀØrner 1978, and theorem

a o This illustrates that QC is a truly interdisciplinary ļ¬eld.

1 in section VI G): Actually, the above presentation is incomplete. Indeed,

in this presentation, we have assumed that Eve has mea-

S(Ī±, Ī²||Ē«) ā„ max{I(Ī±, Ī²) ā’ I(Ī±, Ē«), I(Ī±, Ī²) ā’ I(Ī², Ē«)} sured her probe before Alice and Bob run the error cor-

rection and privacy ampliļ¬cation algorithms, hence that

(8)

P (Ī±, Ī², Ē«) exists. In practice this is a very reasonable

assumption, but, in principle, Eve could wait until the

Intuitively, this result states that secure key distillation

end of all the protocol, and then optimize her measure-

(Bennett et al. 1992a) is possible whenever Bob has more

ments accordingly. Such ādelayed choice eavesdropping

information than Eve.

The bound (8) is tight if Alice and Bob are restricted

to one-way communication, but for two-way communica-

tion, secret key agreement might be possible even when

(8) is not satisļ¬ed (see next paragraph II C 5).

7

strategies9 ā are discussed in chapter VI. tion to keep, whereas Eve canā™t inļ¬‚uence this process12

It should now be clear that QC does not provide a (Maurer 1993, Maurer and Wolf 1999).

complete solution for all cryptographic purposes10 . Ac- Recently a second remarkable connection between

tually, quite on the contrary, QC can only be used as quantum and classical secret key agreement has been dis-

a complement to standard symmetrical cryptosystems. covered (assuming they use the Ekert protocol described

Accordingly, a more precise name for QC is Quantum in paragraph II D 3): If Eve follows the strategy which op-

Key Distribution, since this is all QC does. Nevertheless, timizes her Shannon information, under the assumption

we prefer to keep the well known terminology which gives that she attacks the qubit one at a time (the so-called

its title to this review. individual attacks, see section VI E), then Alice and Bob

Finally, let us emphasize that every key distribution can use advantage distillation if and only if Alice and

system must incorporate some authentiļ¬cation scheme: Bobā™s qubits are still entangled (they can thus use quan-

the two parties must identify themselves. If not, Alice tum privacy ampliļ¬cation (Deutsch et al. 1996)) (Gisin

could actually be communicating directly with Eve! A and Wolf 1999). This connection between the concept

straightforward possibility is that Alice and Bob initially of entanglement, central to quantum information theory,

share a short secret. Then QC provides them with a and the concept of intrinsic classical information, cen-

longer one and, for example, they each keep a small por- tral to classical information based cryptography (Maurer

tion for authentiļ¬cation at the next session (Bennett et and Wolf 1999), has been shown to be general (Gisin

al. 1992a). From this perspective, QC is a Quantum and Wolf 2000). The connection seems even to extend to

Secret Growing protocol. bound entanglement (Gisin et al. 2000).

5. Advantage distillation D. Other protocols

QC has triggered and still triggers research in classical 1. 2-state protocol

information theory. The best known example is proba-

bly the development of privacy ampliļ¬cation algorithms In 1992 Charles H. Bennett noticed that actually 4

(Bennett et al. 1988 and 1995). This in turn triggered states is more than necessary for QC: all what is really

the development of new cryptosystems based on weak but needed is 2 nonorthogonal states. Indeed the security re-

classical signals, emitted for instance by satellites (Mau- lies on the impossibility for any adversary to distinguish

rer 1993)11. These new developments required secret key unambiguously and without perturbation between the

agreement protocols that can be used even when the con- diļ¬erent states that Alice may send to Bob, hence 2 states

dition (8) doesnā™t apply. Such protocols, called advantage are necessary and if they are incompatible (i.e. not mutu-

distillation, necessarily use two way communication and ally orthogonal), then 2 states are also suļ¬cient. This is

are much less eļ¬cient than privacy ampliļ¬cation. Usu- a conceptually important clariļ¬cation. It also made sev-

ally, they are not considered in the literature on QC. eral of the ļ¬rst experimental demonstrations easier (this

But, conceptually, they are remarkable from at least two is further discussed in section IV D). But in practice it

points of view. First it is somewhat surprising that se- is not a good solution. Indeed, although 2 nonorthogo-

cret key agreement is possible even if Alice and Bob start nal states canā™t be distinguished unambiguously without

with less mutual (Shannon) information than Eve. How- perturbation, one can unambiguously distinguish them

ever, they can take advantage of the authenticated public at the cost of some losses (Ivanovic 1987, Peres 1988).

channel: Alice and Bob can decide which series of realiza- This possibility has even been demonstrated in practice

(Huttner et al. 1996, Clarke et al. 2000). Hence, Alice

and Bob would have to monitor the attenuation of the

9

Note however that Eve has to choose the interaction be-

tween her probe and the qubits before the public discussion

phase of the protocol. 12

The idea is that Alice picks out several instances where she

10

For a while it was thought that bit commitment (see, e.g., got the same bit and communicates the instances - but not

Brassard 1988), a powerful primitive in cryptology, could be the bit - to Bob. Bob replies yes only if it happens that for all

realized using quantum principles. However, Dominic Mayers these instances he also has the same bit value. For large error

(1996a and 1997) and Lo and Chau (1998) proved it to be rates this is unlikely, but when it happens there is a large

impossible (see also Brassard et al. 1998). chance that both have the same bit. Eve canā™t inļ¬‚uence the

11

Note that here the conļ¬dentiality is not guaranteed by choice of the instances. All she can do is to use a majority

the laws of physics, but relies on the assumption that Eveā™s vote for the cases accepted by Bob. The probability that Eve

technology is limited, e.g. her antenna is ļ¬nite, her detectors makes an error can be much larger than the probability that

have limited eļ¬ciencies. Bob makes an error (i.e. that all his instances are wrong),

even if Eveā™s initial information is larger than Bobā™s.

8

quantum channel (and even this is not entirely safe if Eve keep the data only when they happen to have done their

could replace the channel by a more transparent one, see measurements in the compatible basis. If the source is

section VI H). The two-state protocol can also be im- reliable, this protocol is equivalent to the BB84 one: Ev-

plemented using an interference between a macroscopic ery thing is as if the qubit propagates backwards in time

bright pulse and a dim pulse with less than one photon on from Alice to the source, and then forwards to Bob! But

average (Bennett, 1992). The presence of the bright pulse better than trusting the source, which could be in Eveā™s

makes this protocol specially resistant to eavesdropping, hand, the Ekert protocol assumes that the 2 qubits are

even in settings with high attenuation. Indeed Bob can emitted in a maximally entangled state like:

monitor the bright pulses, to make sure that Eve does not

1

remove any. In this case, Eve cannot eliminate the dim Ļ+ = ā (| ā‘, ā‘ + | ā“, ā“ ). (9)

2

pulse without revealing her presence, because the inter-

ference of the bright pulse with vacuum would introduce

Then, when Alice and Bob happen to use the same basis,

errors. A practical implementation of this protocol is

both the x-basis or both the y-basis, i.e. in about half

discussed in section IV D. Huttner et al. extended this

of the cases, their results are identical, providing them

reference beam monitoring to the four-states protocol in

with a common key. Note the similarity between the 1-

1995.

qubit BB84 protocol illustrated in Fig. 1 and the 2-qubit

Ekert protocol of Fig. 3. The analogy can be even made

stronger by noting that for all unitary evolutions U1 and

2. 6-state protocol

U2 , the following equality hold:

While two states are enough and four states are stan- U1 ā— U2 Ī¦(+) = 1 ā— U2 U1 Ī¦(+)

t

1 (10)

dard, a 6-state protocol respects much more the sym-

metry of the qubit state space, see Fig. 2 (Bruss 1998, t

where U1 denotes the transpose.

Bechmann-Pasquinucci and Gisin 1999). The 6 states In his 1991 paper Artur Ekert suggested to base the

constitute 3 bases, hence the probability that Alice and security of this 2-qubit protocol on Bellā™s inequality, an

1

Bob chose the same basis is only of 3 . But the symme- inequality which demonstrates that some correlation pre-

try of this protocol greatly simpliļ¬es the security anal- dicted by quantum mechanics canā™t be reproduced by

ysis and reduces Eveā™s optimal information gain for a any local theory (Bell 1964). For this, Alice and Bob

given error rate QBER. If Eve measures every photon, have a third choice of basis (see Fig. 4). In this way the

the QBER is 33%, compared to 25% in the case of the probability that they happen to choose the same basis

BB84 protocol. is reduced from 2 to 2 , but at the same time as they

1

9

establish a key they collect enough data to test Bell in-

equality13 . They can thus check that the source really

3. EPR protocol emits the entangled state (9) and not merely product

states. The following year Bennett, Brassard and Mer-

This variation of the BB84 protocol is of special con- min (1992b) criticized Ekertā™s letter, arguing that the

ceptual, historical and practical interest. The idea is due violation of Bell inequality is not necessary for the secu-

to Artur Ekert (1991) from Oxford University, who, while rity of QC and emphasizing the close connection between

elaborating on a suggestion of David Deutsch (1985), dis- the Ekert and the BB84 schemes. This criticism might

covered QC independently of the BB84 paper. Intellec- be missing an important point. Indeed, although the ex-

tually, it is very satisfactory to see this direct connec- act relation between security and Bell inequality is not

tion to the famous EPR paradox (Einstein, Podolski and yet fully known, there are clear results establishing fasci-

Rosen 1935): the initially philosophical debate turned to nating connections, (see section VI F). In October 1992,

theoretical physics with Bellā™s inequality (1964), then to an article by Bennett, Brassard and Ekert demonstrated

experimental physics (Freedmann and Clauser 1972, Fry that the founding fathers joined forces to develop the ļ¬eld

and Thompson 1976, and Aspect, Dalibard and Roger in a pleasant atmosphere (Bennett et al. 1992c)!

1982), and is now ā“ thanks to Ekertā™s ingenious idea ā“

part of applied physics.

The idea consists in replacing the quantum channel

carrying qubits from Alice to Bob by a channel carrying

2 qubits from a common source, one qubit to Alice and

one to Bob. A ļ¬rst possibility would be that the source 13

A maximal violation of Bell inequality is necessary to rule

emits the two qubits always in the same state chosen ran- out tampering by Eve. In this case, the QBER must nec-

domly among the 4 states of the BB84 protocol. Alice essarily be equal to zero. With a non-maximal violation, as

and Bob would then both measure their qubit in one of typically obtained in experimental systems, Alice and Bob

the two bases, again chosen independently and randomly. can distil a secure key using error correction and privacy

The source then announces the bases and Alice and Bob ampliļ¬cation.

9

tem is destroyed without Alice learning anything about

4. Other variations

the quantum state, while Bobā™s qubit ends in a state

isomorphic to the state of the original system (but Bob

There is a large collection of variations around the

doesnā™t learn anything about the quantum state). If the

BB84 protocol. Let us mention a few, chosen somewhat

initial quantum system is a quantum message coded in

arbitrarily. First, one can assume that the two bases

the form of a sequence of qubits, then this quantum mes-

are not chosen with equal probability (Ardehali et al.

sage is faithfully and securely transferred to Bob, without

1998). This has the nice consequence that the proba-

any information leaking to the outside world (i.e. to any-

bility that Alice and Bob choose the same basis is larger

one not sharing the prior entanglement with Alice and

1

than 2 , increasing thus the transmission rate of the sifted

Bob). Finally, the quantum message could be formed of

key. However, this protocol makes Eveā™s job easier as she

a 4 letter quantum alphabet constituted by the 4 states

is more likely to guess correctly the used basis. Conse-

of the BB84 protocol. With futuristic, but not impossi-

quently, it is not clear whether the ļ¬nal key rate, after

ble technology, Alice and Bob could have their entangled

error correction and privacy ampliļ¬cation, is higher or

qubits in appropriate wallets and could establish a totally

not.

secure communication at any time, without even having

Another variation consists in using quantum systems of

to know where the partner is located (provided they can

dimension larger than 2 (Bechmann-Pasquinucci and Tit-

communicate classically).

tel 2000, Bechmann-Pasquinucci and Peres 2000, Bouren-

nane et al. 2001a). Again, the practical value of this idea

has not yet been fully determined.

F. Optical ampliļ¬cation, quantum nondemolition

A third variation worth mentioning is due to Gold-

measurements and optimal quantum cloning

enberg and Vaidman, from Tel-Aviv University (1995).

They suggested to prepare the qubits in a superposition

After almost every general talk on QC, two questions

of two spatially separated states, then to send one compo-

arise: what about optical ampliļ¬ers? and what about

nent of this superposition and to wait until Bob received

quantum nondemolition measurements? In this section

it before sending the second component. This doesnā™t

we brieļ¬‚y address these questions.

sound of great practical value, but has the nice concep-

Let us start with the second one, being the easiest. The

tual feature that the minimal two states do not need to

terminology āquantum nondemolition measurementā is

be mutually orthogonal.

simply a confusing one! There is nothing like a quan-

tum measurement that does not perturb (i.e. modify)

the quantum state, except if the state happens to be an

E. Quantum teleportation as āQuantum

eigenstate of the observable. Hence, if for some reason

one-time-padā

one conjectures that a quantum system is in some state

(or in a state among a set of mutually orthogonal ones),

Since its discovery in 1993 by a surprisingly large

this can be in principle tested repeatedly (Braginsky and

group of physicists, Quantum teleportation (Bennett et

Khalili 1992). But if the state is only restricted to be in

al. 1993) received a lot of attention in the scientiļ¬c com-

a ļ¬nite set containing non-orthogonal states, as in QC,

munity as well as in the general public. The dream of

then there is no way to perform a measurement without

beaming travellers through the Universe is exciting, but

ādemolishingā (perturbing) the state. Now, in QC the

completely out of the realm of any foreseeable technol-

terminology ānondemolition measurementā is also used

ogy. However, quantum teleportation can be seen as the

with a diļ¬erent meaning: one measures the number of

fully quantum version of the one-time-pad, see paragraph

photons in a pulse without aļ¬ecting the degree of free-

II B 3, hence as the ultimate form of QC. Similarly to

dom coding the qubit (e.g. the polarization), (see section

āclassical teleportationā, letā™s assume that Alice aims at

VI H), or one detects the presence of a photon without

transferring to Bob a faithful copy of a quantum system.

destroying it (Nogues et al. 1999). Such measurements

If Alice has full knowledge of the quantum state, the

are usually called āideal measurementsā, or āprojective

problem is not really a quantum one (Alice information

measurementsā, because they produce the least possible

is classical). If, on the opposite, Alice does not know the

perturbation (Piron 1990) and because they can be repre-

quantum state, she cannot send a copy, since quantum

sented by projectors. It is important to stress that these

copying is impossible according to quantum physics (see

āideal measurementsā do not invalidate the security of

paragraph II C 2). Nor can she send classical instructions,

QC.

since this would allow the production of many copies.

Let us consider now optical ampliļ¬ers (a laser medium,

However, if Alice and Bob share arbitrarily many entan-

but without mirrors, so that ampliļ¬cation takes place in

gled qubits, sometimes called a quantum key, and share a

a single pass, see Desurvire 1994). They are widely used

classical communication channel then the quantum tele-

in todayā™s optical communication networks. However,

portation protocol provides them with a mean to transfer

they are of no use for quantum communication. Indeed,

the quantum state of the system from Alice to Bob. In

as seen in section II C, the copying of quantum informa-

the course of running this protocol, Aliceā™s quantum sys-

tion is impossible. Here we illustrate this characteristic

10

1

2Pā‘ā‘ + PĻ(+) 2Pā‘ + 2 1

1

of quantum information with the example of optical am-

T r1ā’ph mode = (21)

pliļ¬ers: the necessary presence of spontaneous emission 3 3

whenever there is stimulated emission, prevents perfect

The corresponding ļ¬delity is:

copying. Let us clarify this important and often confus-

ing point, following the work of Simon et al. (1999 and 1

2+ 5

2000; see also Kempe et al. 2000, and De Martini et al. 2

F= = (22)

3 6

2000). Let the two basic qubit states |0 and |1 be physi-

cally implemented by two optical modes: |0 ā” |1, 0 and

which is precisely the optimal ļ¬delity compatible with

|1 ā” |0, 1 . |n, m ph ā— |k, l a denotes thus the state of

quantum mechanics (BuĖek and Hillery 1996, Bruss et

z

n photons in mode 1 and m in mode 2, and k, l = 0 (1)

al 1998, Gisin and Massar 1997). In other words, if we

the ground (excited) state of 2-level atoms coupled to

start with a single photon in an arbitrary state, and pass

mode 1 and 2, respectively. Hence spontaneous emission

it through an ampliļ¬er, then due to the eļ¬ect of sponta-

corresponds to

neous emission the ļ¬delity of the state exiting the ampli-

ļ¬er, in the cases where it consists of exactly two photons,

|0, 0 ā— |1, 0 ā’ |1, 0 ā— |0, 0 a , (11)

ph a ph

with the initial state will be equal to at most 5/6. Note

|0, 0 ph ā— |0, 1 ā’ |0, 1 ph ā— |0, 0 a (12)

a

that if it were possible to make better copies, then, using

EPR correlations between spatially separated systems,

and stimulated emission to

signaling at arbitrarily fast speed would also be possible

ā

(Gisin 1998).

|1, 0 ph ā— |1, 0 a ā’ 2|2, 0 ph ā— |0, 0 a , (13)

ā

|0, 1 ph ā— |0, 1 a ā’ 2|0, 2 ph ā— |0, 0 a (14)

ā

where the 2 factor takes into account the ratio stimu-

lated/spontaneous emission. Let the initial state of the

atom be a mixture of the following two states (each with

equal weight 50%):

|0, 1 |1, 0 (15)

a a

By symmetry, it suļ¬ces to consider one possible initial

state of the qubit, e.g. 1 photon in the ļ¬rst mode |1, 0 ph .

The initial state of the photon+atom system is thus a

mixture:

|1, 0 ā— |1, 0 or |1, 0 ā— |0, 1 (16)

ph a ph a

This corresponds to the ļ¬rst order term in an evolution

with a Hamiltonian (in the interaction picture): H =

Ļ(aā Ļ1 + a1 Ļ1 + aā Ļ2 + a2 Ļ2 ). After some time the

ā ā

ā’ ā’

1 2

2-photon component of the evolved states reads:

ā

2|2, 0 ph ā— |0, 0 a or |1, 1 ph ā— |0, 0 a (17)

1

The correspondence with a pair of spin goes as follows:

2

|2, 0 = | ā‘ā‘ |0, 2 = | ā“ā“ (18)

1

= Ļ (+) = ā (| ā‘ā“ + | ā“ā‘ )

|1, 1 (19)

ph

2

Tracing over the ampliļ¬er (i.e. the 2-level atom), an

(ideal) ampliļ¬er achieves the following transformation:

Pā‘ ā’ 2Pā‘ā‘ + PĻ(+) (20)

where the P ā™s indicate projectors (i.e. pure state density

matrices) and the lack of normalization results from the

ļ¬rst order expansion used in (11) to (14). Accordingly,

after normalization, each photon is in state :

11

the one where absorption is low. However, free space

III. TECHNOLOGICAL CHALLENGES

transmission is restricted to line-of sight links and is very

weather dependent.

The very ļ¬rst demonstration of QC was a table top ex-

In the next sections we successively consider the ques-

periment performed at the IBM laboratory in the early

tions āhow to produce single photons?ā (section III A),

1990ā™s over a distance of 30 cm (Bennett et al. 1992a),

āhow to transmit them?ā (section III B), āhow to detect

marking the start of impressive experimental improve-

single photons?ā (section III C), and ļ¬nally āhow to ex-

ments during the last years. The 30 cm distance is of

ploit the intrinsic randomness of quantum processes to

little practical interest. Either the distance should be

build random generators?ā (section III D).

even shorter, think of a credit card and the ATM ma-

chine (Huttner et al. 1996b), but in this case all of Al-

iceā™s components should ļ¬t on the credit card. A nice

A. Photon sources

idea, but still impractical with present technology. Or

the distance should be much longer, at least in the km

Optical quantum cryptography is based on the use of

range. Most of the research so far uses optical ļ¬bers to

single photon Fock states. Unfortunately, these states

guide the photons from Alice to Bob and we shall mainly

are diļ¬cult to realize experimentally. Nowadays, practi-

concentrate here on such systems. There is, however, also

cal implementations rely on faint laser pulses or entan-

some very signiļ¬cant research on free space systems, (see

gled photon pairs, where both the photon as well as the

section IV E).

photon-pair number distribution obeys Poisson statistics.

Once the medium is chosen, there remain the questions

Hence, both possibilities suļ¬er from a small probability

of the source and detectors. Since they have to be com-

of generating more than one photon or photon pair at

patible, the crucial choice is the wavelength. There are

the same time. For large losses in the quantum chan-

two main possibilities. Either one chooses a wavelength

nel even small fractions of these multi-photons can have

around 800 nm where eļ¬cient photon counters are com-

important consequences on the security of the key (see

mercially available, or one chooses a wavelength compat-

section VI H), leading to interest in āphoton gunsā, see

ible with todayā™s telecommunication optical ļ¬bers, i.e.

paragraph III A 3). In this section we brieļ¬‚y comment

near 1300 nm or 1550 nm. The ļ¬rst choice requires free

on sources based on faint pulses as well as on entan-

space transmission or the use of special ļ¬bers, hence the

gled photon-pairs, and we compare their advantages and

installed telecommunication networks canā™t be used. The

drawbacks.

second choice requires the improvement or development

of new detectors, not based on silicon semiconductors,

which are transparent above 1000 nm wavelength.

1. Faint laser pulses

In case of transmission using optical ļ¬bers, it is still

unclear which of the two alternatives will turn out to be

the best choice. If QC ļ¬nds niche markets, it is conceiv- There is a very simple solution to approximate single

able that special ļ¬bers will be installed for that purpose. photon Fock states: coherent states with an ultra-low

But it is equally conceivable that new commercial detec- mean photon number Āµ. They can easily be realized us-

tors will soon make it much easier to detect single pho- ing only standard semiconductor lasers and calibrated

tons at telecommunication wavelengths. Actually, the attenuators. The probability to ļ¬nd n photons in such a

latter possibility is very likely, as several research groups coherent state follows the Poisson statistics:

and industries are already working on it. There is an-

Āµn ā’Āµ

other good reason to bet on this solution: the quality P (n, Āµ) = e. (23)

n!

of telecommunication ļ¬bers is much higher than that of

any special ļ¬ber, in particular the attenuation is much Accordingly, the probability that a non-empty weak co-

lower (this is why the telecommunication industry chose herent pulse contains more than 1 photon,

these wavelengths): at 800 nm, the attenuation is about

2 dB/km (i.e. half the photons are lost after 1.5 km), 1 ā’ P (0, Āµ) ā’ P (1, Āµ)

P (n > 1|n > 0, Āµ) =

while it is only of the order of 0.35 and 0.20 dB/km at 1 ā’ P (0, Āµ)

1300 nm and 1550 nm, respectively (50% loss after about

1 ā’ eā’Āµ (1 + Āµ) ā¼ Āµ

9 and 15 km) 14 . = (24)

=

1 ā’ eā’Āµ 2

In case of free space transmission, the choice of wave-

length is straightforward since the region where good can be made arbitrarily small. Weak pulses are thus ex-

photon detectors exist ā“ around 800 nm ā“ coincides with tremely practical and have indeed been used in the vast

majority of experiments. However, they have one ma-

jor drawback. When Āµ is small, most pulses are empty:

P (n = 0) ā 1 ā’ Āµ. In principle, the resulting decrease in

14

The losses in dB (ldb ) can be calculated from the losses in bit rate could be compensated for thanks to the achiev-

l%

percent (l% ): ldB = ā’10 log10 (1 ā’ 100 ). able GHz modulation rates of telecommunication lasers.

12

But in practice the problem comes from the detectorsā™ The latter is in general rather large and varies from a few

dark counts (i.e. a click without a photon arriving). nanometers up to some tens of nanometers. For the non

Indeed, the detectors must be active for all pulses, in- degenerate case one typically gets 5-10 nm, whereas in

cluding the empty ones. Hence the total dark counts the degenerate case (central frequency of both photons

increase with the laserā™s modulation rate and the ratio equal) the bandwidth can be as large as 70 nm.

of the detected photons over the dark counts (i.e. the This photon pair creation process is very ineļ¬cient,

typically it needs some 1010 pump photons to create one

signal to noise ratio) decreases with Āµ (see section IV A).

pair in a given mode17 . The number of photon pairs per

The problem is especially severe for longer wavelengths

where photon detectors based on Indium Gallium Ar- mode is thermally distributed within the coherence time

senide semiconductors (InGaAs) are needed (see section of the photons, and follows a poissonian distribution for

III C) since the noise of these detectors explodes if they larger time windows (Walls and Milburn 1995). With a

pump power of 1 mW, about 106 pairs per second can

are opened too frequently (in practice with a rate larger

than a few MHz). This prevents the use of really low be collected in single mode ļ¬bers. Accordingly, in a time

photon numbers, smaller than approximately 1%. Most window of roughly 1ns the conditional probability to ļ¬nd

a second pair having detected one is 106 Ā· 10ā’9 ā 0.1%.

experiments to date relied on Āµ = 0.1, meaning that 5%

of the nonempty pulses contain more than one photon. In case of continuous pumping, this time window is given

However, it is important to stress that, as pointed out by the detector resolution. Tolerating, e.g. 1% of these

multi-pair events, one can generate 107 pairs per second,

by LĀØ tkenhaus (2000), there is an optimal Āµ depending

u

on the transmission losses 15 . After key distillation, the using a realistic 10 mW pump. Detecting for example

security is just as good with faint laser pulses as with 10 % of the trigger photons, the second detector has to

be activated 106 times per second. In comparison, the

Fock states. The price to pay for using such states lies in

a reduction of the bit rate. example of 1% of multi-photon events corresponds in the

case of faint laser pulses to a mean photon number of Āµ =

0.02. In order to get the same number 106 of non-empty

pulses per second, a pulse rate of 50 MHz is needed. For a

2. Photon pairs generated by parametric downconversion

given photon statistics, photon pairs allow thus to work

with lower pulse rates (e.g. 50 times lower) and hence

Another way to create pseudo single-photon states is

reduced detector-induced errors. However, due to limited

the generation of photon pairs and the use of one photon

coupling eļ¬ciency into optical ļ¬bers, the probability to

as a trigger for the other one (Hong and Mandel 1986).

ļ¬nd the sister photon after detection of the trigger photon

In contrast to the sources discussed before, the second

in the respective ļ¬ber is in practice lower than 1. This

detector must be activated only whenever the ļ¬rst one

means that the eļ¬ective photon number is not one, but

detected a photon, hence when Āµ = 1, and not whenever

rather Āµ ā 2/3 (Ribordy et al. 2001), still well above

a pump pulse has been emitted, therefore circumventing

Āµ = 0.02.

the problem of empty pulses.

Photon pairs generated by parametric down conversion

The photon pairs are generated by spontaneous para-

oļ¬er a further major advantage if they are not merely

metric down conversion in a Ļ(2) non-linear crystal16 . In

used as pseudo single-photon source, but if their entan-

this process, the inverse of the well-known frequency dou-

glement is exploited. Entanglement leads to quantum

bling, one photon spontaneously splits into two daughter

correlations which can be used for key generation, (see

photons ā“ traditionally called signal and idler photon ā“

paragraph II D 3 and chapter V). In this case, if two pho-

conserving total energy and momentum. In this con-

ton pairs are emitted within the same time window but

text, momentum conservation is called phase matching,

their measurement basis is choosen independently, they

and can be achieved despite chromatic dispersion by ex-

produce completely uncorrelated results. Hence, depend-

ploiting the birefringence of the nonlinear crystal. The

ing on the realization, the problem of multiple photon can

phase matching allows to choose the wavelength, and de-

be avoided, see section VI J.

termines the bandwidth of the downconverted photons.

Figure 5 shows one of our sources creating entangled

photon pairs at 1310 nm wavelength as used in tests of

Bell inequalities over 10 kilometers (Tittel et al. 1998).

Although not as simple as faint laser sources, diode

15

Contrary to a frequent misconception, there is nothing spe-

pumped photon pair sources emitting in the near infrared

cial about a Āµ value of 0.1, eventhough it has been selected

can be made compact, robust and rather handy.

by most experimentalists. The optimal value ā“ i.e. the value

that yields the highest key exchange rate after distillation ā“

depends on the optical losses in the channel and on assump-

tions about Eveā™s technology (see VI H and VI I).

16 17

Recently we achieved a conversion rate of 10ā’6 using an

For a review see Rarity and Tapster 1988, and for latest

developments Tittel et al. 1999, Kwiat et al. 1999, Jennewein optical waveguide in a periodically poled LiNbO3 crystal

et al. 2000b, Tanzilli et al. 2001. (Tanzilli et al. 2001).

13

vantage with respect to faint laser pulses with extremely

3. Photon guns

low mean photon numbers Āµ.

The ideal single photon source is a device that when

one pulls the trigger, and only then, emits one and only

B. Quantum channels

one photon. Hence the name photon gun. Although pho-

ton anti-bunching has been demonstrated already years

The single photon source and the detectors must be

ago (Kimble et al. 1977), a practical and handy device is

connected by a āquantum channelā. Such a channel is

still awaited. At present, there are essentially three dif-

actually nothing specially quantum, except that it is in-

ferent experimental approaches that come more or less

tended to carry information encoded in individual quan-

close to this ideal.

tum systems. Here āindividualā doesnā™t mean ānon-

A ļ¬rst idea is to work with a single two-level quan-

decomposibleā, it is meant in opposition to āensembleā.

tum system that can obviously not emit two photons at

The idea is that the information is coded in a physical

a time. The manipulation of single trapped atoms or

system only once, contrary to classical communication

ions requires a much too involved technical eļ¬ort. Sin-

where many photons carry the same information. Note

gle organics dye molecules in solvents (S.C. Kitson et al.

that the present day limit for ļ¬ber-based classical optical

1998) or solids (Brunel et al. 1999, Fleury et al. 2000)

communication is already down to a few tens of photons,

are easier to handle but only oļ¬er limited stability at

although in practice one usually uses many more. With

room temperature. Promising candidates, however, are

the increasing bit rate and the limited mean power ā“ im-

nitrogen-vacancy centers in diamond, a substitutional ni-

posed to avoid nonlinear eļ¬ects in silica ļ¬bers ā“ these

trogen atom with a vacancy trapped at an adjacent lat-

ļ¬gures are likely to get closer and closer to the quantum

tice position (Kurtsiefer et al. 2000, Brouri et al. 2000).

domain.

It is possible to excite individual nitrogen atoms with a

The individual quantum systems are usually 2-level

532 nm laser beam, which will subsequently emit a ļ¬‚uo-

systems, called qubits. During their propagation they

rescence photon around 700 nm (12ns decay time). The

must be protected from environmental noise. Here āen-

ļ¬‚uorescence exhibits strong photon anti-bunching and

vironmentā refers to everything outside the degree of

the samples are stable at room temperature. However,

freedom used for the encoding, which is not necessar-

the big remaining experimental challenge is to increase

ily outside the physical system. If, for example, the in-

the collection eļ¬ciency (currently about 0.1%) in order

formation is encoded in the polarization state, then the

to obtain mean photon numbers close to 1. To obtain

optical frequencies of the photon is part of the environ-

this, an optical cavity or a photonic bandgap structure

ment. Hence, coupling between the polarization and the

must suppress the emission in all spatial modes but one.

optical frequency has to be mastered18 (e.g. avoid wave-

In addition, the spectral bandwith of this type of source

length sensitive polarizers and birefringence). Moreover,

is broad (of the order of 100 nm), enhancing the eļ¬ect of

the sender of the qubits should avoid any correlation be-

pertubations in a quantum channel.

tween the polarization and the spectrum of the photons.

A second approach is to generate photons by single

Another diļ¬culty is that the bases used by Alice to

electrons in a mesoscopic p-n junction. The idea is to

code the qubits and the bases used by Bob for his mea-

take proļ¬t of the fact that thermal electrons show anti-

surements must be related by a known and stable uni-

bunching (Pauli exclusion principle) in contrast to pho-

tary transformation. Once this unitary transformation

tons (Imamoglu and Yamamoto, 1994). First experimen-

is known, Alice and Bob can compensate for it and get

tal results have been presented (Kim et al. 1999), how-

the expected correlation between their preparations and

ever with extremely low eļ¬ciencies, and only at a tem-

measurements. If it changes with time, they need an ac-

perature of 50mK!

tive feedback to track it, and if the changes are too fast

Finally, another approach is to use the photon emis-

the communication must be interrupted.

sion of electron-hole pairs in a semiconductor quantum

dot. The frequency of the emitted photon depends on the

number of electron-hole pairs present in the dot. After

1. Singlemode ļ¬bers

one creates several such pairs by optical pumping, they

will sequentially recombine and hence emit photons at

diļ¬erent frequencies. Therefore, by spectral ļ¬ltering a Light is guided in optical ļ¬bers thanks to the refrac-

single-photon pulse can be obtained (GĀ“rard et al. 1999,

e tive index proļ¬le n(x, y) across the section of the ļ¬bers

Santori et al. 2000, and Michler et al. 2000). These dots (traditionally, the z-axis is along the propagation direc-

can be integrated in solid-states microcavities with strong tion). Over the last 25 years, a lot of eļ¬ort has been

enhancements of the spontaneous emission (GĀ“rard et al.

e

1998).

In summary, todayā™s photon guns are still too compli-

cated to be used in a QC-prototype. Moreover, due to 18

Note that, as we will see in chapter V, using entangled

their low quantum eļ¬ciencies they do not oļ¬er an ad- photons prevents such information leakage.

14

made to reduce transmission losses ā“ initially several dB sion and polarization dependent losses.

per km ā“, and nowadays, the attenuation is as low as The Geometric phase as encountered when guiding

2dB/km at 800nm wavelength, 0.35 dB/km at 1310 nm, light in an optical ļ¬ber is a special case of the Berry

phase19 which results when any parameter describing a

and 0.2 dB/km at 1550 nm (see Fig. 6). It is amusing

to note that the dynamical equation describing optical property of the system under concern, here the k-vector

pulse propagation (in the usual slowly varying envelope characterizing the propagation of the light ļ¬eld, under-

aproximation) is identical to the SchrĀØdinger equation,

o goes an adiabatic change. Think ļ¬rst of a linear polar-

with V (x, y) = ā’n(x, y) (Snyder 1983). Hence a positive ization state, letā™s say vertical at the input. Will it still

bump in the refractive index corresponds to a potential be vertical at the output? Vertical with respect to what?

well. The region of the well is called the ļ¬ber core. If Certainly not the gravitational ļ¬eld! One can follow that

the core is large, many bound modes exist, correspond- linear polarization by hand along the ļ¬ber and see how

ing to many guided modes in the ļ¬ber. Such ļ¬bers are it may change even along a closed loop. If the loop stays

called multimode ļ¬bers, their core being usually 50 mi- in a plane, the state after a loop coincides with the input

crometer in diameter. The modes couple easily, acting state. But if the loop explores the 3 dimensions of our

on the qubit like a non-isolated environment. Hence mul- space, then the ļ¬nal state will diļ¬er from the initial one

timode ļ¬bers are not appropriate as quantum channels by an angle. Similar reasoning holds for the axes of el-

(see however Townsend 1998a and 1998b). If, however, liptical polarization states. The two circular polarization

the core is small enough (diameter of the order of a few states are the eigenstates: during parallel transport they

wavelengths) then a single spatial mode is guided. Such acquire opposite phases, called the Berry phase. The

ļ¬bers are called singlemode ļ¬bers. For telecommunica- presence of a geometrical phase is not fatal for quantum

tions wavelength (i.e. 1.3 and 1.5 Āµm), their core is typ- communication, it simply means that initially Alice and

ically 8 Āµm in diameter. Singlemode ļ¬bers are very well Bob have to align their systems by deļ¬ning for instance

suited to carry single quanta. For example, the optical the vertical and diagonal directions (i.e. performing the

phase at the output of a ļ¬ber is in a stable relation with unitary transformation mentioned before). If these vary

the phase at the input, provided the ļ¬ber doesnā™t get slowly, they can be tracked, though this requires an ac-

elongated. Hence, ļ¬ber interferometers are very stable, a tive feedback. However, if the variations are too fast,

fact exploited in many instruments and sensors (see, e.g., the communication might be interrupted. Hence, aerial

Cancellieri 1993). cables that swing in the wind are not appropriate (ex-

Accordingly, a singlemode ļ¬ber with perfect cylindric cept with selfcompensating conļ¬gurations, see paragraph

symmetry would provide an ideal quantum channel. But IV C 2).

all real ļ¬bers have some asymmetries and then the two Birefringence is the presence of two diļ¬erent phase

polarization modes are no longer degenerate but each has velocities for two orthogonal polarization states. It is

its own propagation constant. A similar eļ¬ect is caused caused by asymmetries in the ļ¬ber geometry and in the

by chromatic dispersion, where the group delay depends residual stress distribution inside and around the core.

on the wavelength. Both dispersion eļ¬ects are the sub- Some ļ¬bers are made birefringent on purpose. Such

ject of the next paragraphs. ļ¬bers are called polarization maintaining (PM) ļ¬bers be-

cause the birefringence is large enough to eļ¬ectively un-

couple the two polarization eigenmodes. But note that

only these two orthogonal polarization modes are main-

2. Polarization eļ¬ects in singlemode ļ¬bers

tained; all the other modes, on the contrary, evolve very

quickly, making this kind of ļ¬ber completely unsuitable

Polarization eļ¬ects in singlemode ļ¬bers are a common

for polarization-based QC systems20 . The global eļ¬ect

source of problems in all optical communication schemes,

of the birefringence is equivalent to an arbitrary com-

as well classical as quantum ones. In recent years this has

bination of two waveplates, that is, it corresponds to a

been a major topic for R&D in classical optical commu-

unitary transformation. If this transformation is stable,

nication (Gisin et al. 1995). As a result, todayā™s ļ¬bers

are much better than the ļ¬bers a decade ago. Nowa-

days, the remaining birefringence is small enough for the

telecom industry, but for quantum communication, any

19

birefringence, even extremely small, will always remain Introduced by Michael Berry in 1984, then observed in

a concern. All ļ¬ber based implementations of QC have optical ļ¬ber by Tomita and Chiao (1986), and on the single

to face this problem. This is clearly true for polarization photon level by Hariharan et al. (1993), studied in connection

to photon pairs by Brendel et al. (1995).

based systems; but it is equally a concern for phase based

20

PM ļ¬bers might be of use for phase based QC systems.

systems, since the interference visibility depends on the

However, this requires the whole setup ā“ transmission lines

polarization states. Hence, although polarization eļ¬ects

as well as interferometers at Aliceā™s and Bobā™s ā“ to be made

are not the only source of diļ¬culties, we shall describe

of PM ļ¬bers. While this is principally possible, the need of

them in some detail, distinguishing between 4 eļ¬ects: the

installing a completely new ļ¬ber network makes this solution

geometrical one, birefringence, polarization mode disper-

not very practical.

15

Alice and Bob can compensate for it. The eļ¬ect of bire- niļ¬cant in components like phase modulators. In par-

fringence is thus similar to the geometrical eļ¬ect, though, ticular, some integrated optics waveguides actually guide

in addition to a rotation, it may also aļ¬ect the elliptic- only one mode and thus behave almost like polarizers

ity. Stability of birefringence requires slow thermal and (e.g. proton exchange waveguides in LiNbO3 ). PDL

mechanical variations. is usually stable, but if connected to a ļ¬ber with some

Polarization Mode Dispersion (PMD) is the pres- birefringence, the relation between the polarization state

ence of two diļ¬erent group velocities for two orthogonal and the PDL may ļ¬‚uctuate, producing random outcomes

polarization modes. It is due to a delicate combination (Elamari et al. 1998). PDL cannot be described by a uni-

of two causes. First, birefringence produces locally two tary operator acting in the polarization state space (but

group velocities. For optical ļ¬bers, this local modal dis- it is of course unitary in a larger space (Huttner et al.

persion is in good approximation equal to the phase dis- 1996a). It does thus not preserve the scalar product. In

persion, of the order of a few ps/km. Hence, locally an particular, it can turn non-orthogonal states into orthog-

optical pulse tends to split into a fast mode and a slow onal ones which can then be distinguished unambiguously

mode. But because the birefringence is small, the two (at the cost of some loss) (Huttner et al. 1996a, Clarke et

modes couple easily. Hence any small imperfection along al. 2000). Note that this could be used by Eve, specially

the ļ¬ber produces polarization mode coupling: some en- to eavesdrop on the 2-state protocol (paragraph II D 1).

ergy of the fast mode couples into the slow mode and Let us conclude this paragraph on polarization eļ¬ects

vice-versa. PMD is thus similar to a random walk21 and in ļ¬bers by mentioning that they can be passively com-

grows only with the square root of the ļ¬ber length. It pensated, provided one uses a go-&-return conļ¬guration,

is expressed in āps , with values as low as 0.1 āps for using Faraday mirrors, as described in section IV C 2.

km km

modern ļ¬bers and possibly as high as 0.5 or even 1 āps km

for older ones.

3. Chromatic dispersion eļ¬ects in singlemode ļ¬bers

Typical lengths for the polarization mode coupling

vary from a few meters up to hundreds of meters. The

In addition to polarization eļ¬ects, chromatic disper-

stronger the coupling, the weaker the PMD (the two

sion (CD) can cause problems for quantum cryptography

modes do not have time to move away between the cou-

as well. For instance, as explained in sections IV C and

plings). In modern ļ¬bers, the couplings are even artiļ¬-

V B, schemes implementing phase- or phase-and-time-

cially increased during the drawing process of the ļ¬bers

coding rely on photons arriving at well deļ¬ned times,

(Hart et al. 1994, Li and Nolan 1998). Since the cou-

that is on photons well localized in space. However, in

plings are exceedingly sensitive, the only reasonable de-

dispersive media like optical ļ¬bers, diļ¬erent group ve-

scription is a statistical one, hence PMD is described as

locities act as a noisy environment on the localization of

a statistical distribution of delays Ī“Ļ„ . For long enough

the photon as well as on the phase acquired in an inter-

ļ¬bers, the statistics is Maxwellian and PMD is related to

ferometer. Hence, the broadening of photons featuring

the ļ¬ber length ā„“, the mean coupling length h, the mean

non-zero bandwidth, or, in other words, the coupling be-

modal birefringence B and to the RMS delay as follows

tween frequency and position must be circumvented or

2

(Gisin et al. 1995): PMDā” << Ī“Ļ„ >> = Bh ā„“/h.

controlled. This implies working with photons of small

PMD could cause depolarization which would be devas-

bandwidth, or, as long as the bandwidth is not too large,

tating for quantum communication, similar to any deco-

operating close to the wavelength Ī»0 where chromatic

herence in quantum information processing. But fortu-

dispersion is zero, i.e. for standard ļ¬bers around 1310

nately, for quantum communication the remedy is easy, it

nm. Fortunately, ļ¬ber losses are relatively small at this

suļ¬ces to use a source with a coherence time larger than

wavelength and amount to ā0.35 dB/km. This region

the largest delay Ī“Ļ„ . Hence, when laser pulses are used

is called the second telecommunication window22 . There

(with typical spectral widths āĪ» ā¤ 1 nm, corresponding

are also special ļ¬bers, called dispersion-shifted, with a

to a coherence time ā„ 3 ps, see paragraph III A 1), PMD

refractive index proļ¬le such that the chromatic disper-

is no real problem. For photons created by parametric

sion goes to zero around 1550 nm, where the attenuation

down conversion, however, PMD can impose severe lim-

is minimal (Neumann 1988)23 .

itations since āĪ» ā„ 10 nm (coherence time ā¤ 300 fs) is

not unusual.

Polarization Dependent Losses (PDL) is a diļ¬er-

ential attenuation between two orthogonal polarization 22

The ļ¬rst one, around 800 nm, is almost no longer used. It

modes. This eļ¬ect is negligible in ļ¬bers, but can be sig-

was motivated by the early existence of sources and detectors

at this wavelength. The third window is around 1550 nm

where the attenuation reaches an absolute minimum (Thomas

et al. 2000) and where erbium doped ļ¬bers provide convenient

21

In contrast to Brownian motion describing particles diļ¬u- ampliļ¬ers (Desurvire 1994).

sion in space as time passes, here photons diļ¬use in time as 23

Chromatic dispersion in ļ¬bers is mainly due to the mate-

they propagate along the ļ¬ber. rial, essentially silicon, but also to the refractive index proļ¬le.

16

CD does not constitute a problem in case of faint laser Transmission over free space features some advan-

pulses where the bandwidth is small. However, it be- tages compared to the use of optical ļ¬bers. The atmo-

comes a serious issue when utilizing photon pairs cre- sphere has a high transmission window at a wavelength

ated by parametric downconversion. For instance, send- of around 770 nm (see Fig. 8) where photons can eas-

ing photons of 70 nm bandwidth (as used in our long- ily be detected using commercial, high eļ¬ciency photon

distance Bell inequality tests, Tittel et al. 1998) down counting modules (see chapter III C 1). Furthermore, the

10 km of optical ļ¬bers leads to a temporal spread of atmosphere is only weakly dispersive and essentially non-

birefringent25 at these wavelengths. It will thus not alter

around 500 ps (assuming photons centered at Ī»0 and a

ps

typical dispersion slope of 0.086 nm2 km ). However, this the polarization state of a photon.

can be compensated for when using energy-time entan- However, there are some drawbacks concerning free-

gled photons (Franson 1992, Steinberg et al. 1992a and space links as well. In contrast to transmitting a signal

1992b, Larchuk et al. 1995). In contrast to polariza- in a guiding medium where the energy is āprotectedā and

tion coding where frequency and the physical property remains localized in a small region in space, the energy

used to implement the qubit are not conjugate variables, transmitted via a free-space link spreads out, leading to

frequency and time (thus position) constitute a Fourier higher and varying transmission losses. In addition to

pair. The strict energy anti-correlation of signal and idler loss of energy, ambient daylight, or even light from the

photon enables one to achieve a dispersion for one pho- moon at night, might couple into the receiver, leading

ton which is equal in magnitude but opposite in sign to to a higher error rate. However, the latter errors can be

that of the sister photon, corresponding thus to the same maintained at a reasonable level by using a combination

delay24 (see Fig. 7). The eļ¬ect of broadening of the two of spectral ļ¬ltering (ā¤ 1 nm interference ļ¬lters), spatial

wave packets then cancels out and two simultaneously ļ¬ltering at the receiver and timing discrimination using

emitted photons stay coincident. However, note that the a coincidence window of typically a few ns. Finally, it

arrival time of the pair varies with respect to its emission is clear that the performance of free-space systems de-

time. The frequency anticorrelation provides also the pends dramatically on atmospheric conditions and is

basis for avoiding decrease of visibility due to diļ¬erent possible only with clear weather.

wavepacket broadening in the two arms of an interferom- Finally, let us brieļ¬‚y comment on the diļ¬erent sources

eter. And since the CD properties of optical ļ¬bers do leading to coupling losses. A ļ¬rst concern is the trans-

not change with time ā“ in contrast to birefringence ā“ no mission of the signals through a turbulent medium, lead-

on-line tracking and compensation is required. It thus ing to arrival-time jitter and beam wander (hence prob-

turns out that phase and phase-time coding is particu- lems with beam pointing). However, as the time-scales for

larly suited to transmission over long distances in optical atmospheric turbulences involved are rather small ā“

ļ¬bers: nonlinear eļ¬ects decohering the qubit āenergyā around 0.1 to 0.01 s ā“, the time jitter due to a varia-

are completely negligible, and CD eļ¬ects acting on the tion of the eļ¬ective refractive index can be compensated

localization can be avoided or compensated for in many for by sending a reference pulse at a diļ¬erent wavelength

cases. at short time (around 100 ns) before each signal pulse.

Since this reference pulse experiences the same atmo-

spheric conditions as the subsequent one, the signal will

4. Free-space links arrive essentially without jitter in the time-window de-

ļ¬ned by the arrival of the reference pulse. In addition,

the reference pulse can be reļ¬‚ected back to the transmit-

Although telecommunication based on optical ļ¬bers is

ter and used to correct the direction of the laser beam by

very advanced nowadays, such channels may not always

means of adaptive optics, hence to compensate for beam

be available. Hence, there is also some eļ¬ort in devel-

wander and to ensure good beam pointing

oping free space line-of-sight communication systems -

Another issue is the beam divergence, hence increase of

not only for classical data transmission but for quantum

spot size at the receiver end caused by diļ¬raction at the

cryptography as well (see Hughes et al. 2000a and Gor-

transmitter aperture. Using for example 20 cm diameter

man et al. 2000).

optics, the diļ¬raction limited spot size after 300 km is

of ā 1 m. This eļ¬ect can in principle be kept small

taking advantage of larger optics. However, it can also

be of advantage to have a spot size large compared to the

Indeed, longer wavelengths feel regions further away from the

receiverā™s aperture in order to ensure constant coupling

core where the refractive index is lower. Dispersion-shifted

in case of remaining beam wander. In their 2000 paper,

ļ¬bers have, however, been abandoned by todayā™s industry, be-

cause it turned out to be simpler to compensate for the global

chromatic dispersion by adding an extra ļ¬ber with high neg-

ative dispersion. The additional loss is then compensated by

25

an erbium doped ļ¬ber ampliļ¬er. In contrast to an optical ļ¬ber, air is not subject to stress,

24

Assuming a predominantly linear dependence of CD in hence isotropic.

function of the optical frequency, a realistic assumption.

17

Gilbert and Hamrick provide a comprehensive discussion ā¢ In active quenching circuits, the bias voltage is

of free-space channels in the context of QC. actively lowered below the breakdown voltage as

soon as the leading edge of the avalanche current

is detected (see e.g. Brown et al. 1987). This

mode enables higher count rates compared to pas-

C. Single-photon detection

sive quenching (up to tens of MHz), since the dead-

time can be as short as some tens of ns. How-

With the availability of pseudo single-photon and

ever, the fast electronic feedback system renders

photon-pair sources, the success of quantum cryptogra-

active quenching circuits much more complicated

phy is essentially dependent on the possibility to detect

than passive ones.

single photons. In principle, this can be achieved using

a variety of techniques, for instance photo-multipliers,

ā¢ Finally, in gated mode operation, the bias volt-

avalanche-photodiodes, multichannel plates, supercon-

age is kept below the breakdown voltage and is

ducting Josephson junctions. The ideal detector should

raised above only for a short time when a photon

fulļ¬ll the following requirements:

is expected to arrive, typically a few ns. Maxi-

mum count-rates similar to active quenching cir-

cuits can be obtained using less complicated elec-

ā¢ it should feature a high quantum detection eļ¬- tronics. Gated mode operation is commonly used in

ciency over a large spectral range, quantum cryptography based on faint laser pulses

where the arrival-times of the photons are well

ā¢ the probability of generating noise, that is a signal

known. However, it only applies if prior timing

without a photon arriving, should be small,

information is available. For 2-photon schemes, it

ā¢ to ensure a good timing resolution, the time be- is most often combined with one passive quenched

tween detection of a photon and generation of an detector, generating the trigger signal for the gated

electrical signal should be as constant as possible, detector.

i.e. the time jitter should be small,

Apart from Geiger mode, Brown et al. also investi-

ā¢ the recovery time (i.e. the deadtime) should be gated the performance of Silicon APDs operated in sub-

small to allow high data rates. Geiger mode (Brown et al. 1989). In this mode, the bias

voltage is kept slightly smaller than the breakdown volt-

In addition, it is important to keep the detectors age such that the multiplication factor ā“ around 100 ā“

handy. For instance, a detector which needs liquid he- already enables to detect an avalanche, however, is still

lium or even nitrogen cooling would certainly render a small enough to prevent real breakdowns. Unfortunately,

commercial development diļ¬cult. the single-photon counting performance in this mode is

Unfortunately, it turns out that it is impossible to meet rather bad and initial eļ¬orts have not been continued,

all mentioned points at the same time. Today, the best the major problem being the need for extremely low-noise

choice is avalanche photodiodes (APD). Three diļ¬erent ampliļ¬ers.

semiconductor materials are used: either Silicon, Ger-

manium or Indium Gallium Arsenide, depending on the

An avalanche engendered by carriers created in the

wavelengths.

conduction band of the diode can not only be caused

APDs are usually operated in so-called Geiger mode.

by an impinging photon, but also by unwanted causes.

In this mode, the applied voltage exceeds the breakdown

These might be thermal or band-to-band tunneling pro-

voltage, leading an absorbed photon to trigger an elec-

cesses, or emissions from trapping levels populated while

tron avalanche consisting of thousands of carriers. To re-

a current transits through the diode. The ļ¬rst two causes

set the diode, this macroscopic current must be quenched

produce avalanches not due to photons and are referred

ā“ the emission of charges stopped and the diode recharged

to as darkcounts. The third process depends on previous

(Cova et al. 1996). Three main possibilities exist:

avalanches and its eļ¬ect is called afterpulses. Since the

number of trapped charges decreases exponentially with

ā¢ In passive-quenching circuits, a large (50-500 kā„¦)

time, these afterpulses can be limited by applying large

resistor is connected in series with the APD (see

deadtimes. Thus, there is a trade-oļ¬ between high count

e.g. Brown et al. 1986). This causes a decrease of

rates and low afterpulses. The time-constant of the ex-

the voltage across the APD as soon as an avalanche

ponential decrease of afterpulses shortens for higher tem-

starts. When it drops below breakdown voltage,

peratures of the diode. Unfortunately, operating APDs

the avalanche stops and the diode recharges. The

at higher temperature leads to a higher fraction of ther-

recovery time of the diode is given by its capaci-

mal noise, that is higher dark counts. There is thus again

tance and by the value of the quench resistor. The

a tradeoļ¬ to be optimized. Finally, increasing the bias

maximum count rate varies from some hundred kHz

voltage leads to a larger quantum eļ¬ciency and a smaller

to a few MHz.

time jitter, at the cost of an increase in the noise.

ńņš. 1 |