
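the swap operator – defined by $\psi \otimes \phi \to \phi \otimes \psi$ for all $\psi, \phi$ – is unitary and could be appended to Eve's interaction).

Let $H_{Eve}$ and $\mathbb{C}^2 \otimes H_{Eve}$ be the Hilbert spaces of Eve's probe and of the total qubit+probe system, respectively. If $|\vec{m}\rangle$, $|0\rangle$ and $U$ denote the qubit and the probe's initial states and the unitary interaction, respectively, then the state of the qubit received by Bob is given by the density matrix obtained by tracing out Eve's probe:

$$\rho_{Bob}(\vec{m}) = \mathrm{Tr}_{H_{Eve}}\left(U |\vec{m}, 0\rangle\langle \vec{m}, 0| U^\dagger\right). \qquad (45)$$

The symmetry of the BB84 protocol makes it very natural to assume that Bob's state is related to Alice's $|\vec{m}\rangle$ by a simple shrinking factor[50] $\eta \in [0, 1]$ (see Fig. 29):

$$\rho_{Bob}(\vec{m}) = \frac{1 + \eta\,\vec{m}\cdot\vec{\sigma}}{2}. \qquad (46)$$

Eavesdroppings that satisfy the above condition are called symmetric attacks.

Since the qubit state space is 2-dimensional, the unitary operator is entirely determined by its action on two states, for example the $|\uparrow\rangle$ and $|\downarrow\rangle$ states (in this section we use spin 1/2 notations for the qubits). It is convenient to write the states after the unitary interaction in the Schmidt form (Peres 1997):

$$U|\uparrow, 0\rangle = |\uparrow\rangle \otimes \phi_\uparrow + |\downarrow\rangle \otimes \theta_\uparrow \qquad (47)$$

Note that only 4 states span Eve's relevant state space. Hence, Eve's effective Hilbert space is at most of dimension 4, no matter how subtle she might be[51]! This greatly simplifies the analysis.

The symmetry imposes that the attack on the other basis satisfies:

$$\begin{aligned}
U|\rightarrow, 0\rangle &= U\,\frac{|\uparrow, 0\rangle + |\downarrow, 0\rangle}{\sqrt{2}} && (50)\\
&= \frac{1}{\sqrt{2}}\big(|\uparrow\rangle \otimes \phi_\uparrow + |\downarrow\rangle \otimes \theta_\uparrow && (51)\\
&\qquad + |\downarrow\rangle \otimes \phi_\downarrow + |\uparrow\rangle \otimes \theta_\downarrow\big) && (52)\\
&= |\rightarrow\rangle \otimes \phi_\rightarrow + |\leftarrow\rangle \otimes \theta_\rightarrow && (53)
\end{aligned}$$

$$\phi_\rightarrow = \tfrac{1}{2}\left(\phi_\uparrow + \theta_\uparrow + \phi_\downarrow + \theta_\downarrow\right) \qquad (54)$$

$$\theta_\rightarrow = \tfrac{1}{2}\left(\phi_\uparrow - \theta_\uparrow - \phi_\downarrow + \theta_\downarrow\right) \qquad (55)$$

Similarly,

$$\phi_\leftarrow = \tfrac{1}{2}\left(\phi_\uparrow - \theta_\uparrow + \phi_\downarrow - \theta_\downarrow\right) \qquad (56)$$

$$\theta_\leftarrow = \tfrac{1}{2}\left(\phi_\uparrow + \theta_\uparrow - \phi_\downarrow - \theta_\downarrow\right) \qquad (57)$$

Condition (46) for the $\{|\rightarrow\rangle, |\leftarrow\rangle\}$ basis implies: $\theta_\rightarrow \perp \phi_\rightarrow$ and $\theta_\leftarrow \perp \phi_\leftarrow$. By proper choice of the phases, $\langle\phi_\uparrow|\theta_\downarrow\rangle$ can be made real. By condition (49) $\langle\theta_\uparrow|\phi_\downarrow\rangle$ is then also real. Symmetry implies then $\langle\theta_\rightarrow|\phi_\leftarrow\rangle \in \Re$.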
[50] Chris Fuchs and Asher Peres were the first ones to derive the result presented in this section, using numerical optimization. Almost simultaneously Robert Griffiths and his student Chi-Sheng Niu derived it under very general conditions and Nicolas Gisin using the symmetry argument used here. These 5 authors joined efforts in a common paper (Fuchs et al. 1997). The result of this section is thus also valid without this symmetry assumption.

[51] Actually, Niu and Griffiths (1999) showed that 2-dimensional probes suffice for Eve to get as much information as with the strategy presented here, though in their case the attack is not symmetric (one basis is more disturbed than the

A straightforward computation concludes that all scalar products among Eve's states are real and that the $\phi$'s generate a subspace orthogonal to the $\theta$'s:

$$\langle\phi_\uparrow|\theta_\downarrow\rangle = \langle\phi_\downarrow|\theta_\uparrow\rangle = 0. \qquad (58)$$

Finally, using $|\phi_\rightarrow|^2 = F$, i.e. that the shrinking is the same for all states, one obtains a relation between the probe states' overlaps and the fidelity:

$$F = \frac{1 + \langle\hat\theta_\uparrow|\hat\theta_\downarrow\rangle}{2 - \langle\hat\phi_\uparrow|\hat\phi_\downarrow\rangle + \langle\hat\theta_\uparrow|\hat\theta_\downarrow\rangle} \qquad (59)$$

where the hats denote normalized states, e.g. $\hat\phi_\uparrow = \phi_\uparrow/\sqrt{D}$. Consequently, the entire class of symmetric individual attacks depends only on 2 real parameters[52]: $\cos(x) \equiv \langle\hat\phi_\uparrow|\hat\phi_\downarrow\rangle$ and $\cos(y) \equiv \langle\hat\theta_\uparrow|\hat\theta_\downarrow\rangle$!

Thanks to the symmetry, it suffices to analyze this scenario for the case that Alice sends the $|\uparrow\rangle$ state and Bob measures in the $\{\uparrow, \downarrow\}$ basis (if not, Alice, Bob and Eve disregard the data). Since Eve knows the basis, she knows that her probe is in one of the following two mixed states:

$$\rho_{Eve}(\uparrow) = F\,P(\phi_\uparrow) + D\,P(\theta_\uparrow) \qquad (60)$$

$$\rho_{Eve}(\downarrow) = F\,P(\phi_\downarrow) + D\,P(\theta_\downarrow). \qquad (61)$$

An optimum measurement strategy for Eve to distinguish between $\rho_{Eve}(\uparrow)$ and $\rho_{Eve}(\downarrow)$ consists in first distinguishing whether her state is in the subspace generated by $\phi_\uparrow$ and $\phi_\downarrow$ or the one generated by $\theta_\uparrow$ and $\theta_\downarrow$. This is possible, since the two subspaces are mutually orthogonal. Eve has then to distinguish between two pure states, either with overlap $\cos(x)$, or with overlap $\cos(y)$. The first alternative happens with probability $F$, the second one with probability $D$. The optimal measurement distinguishing two states with overlap $\cos(x)$ is known to provide Eve with the correct guess with probability $\frac{1+\sin(x)}{2}$ (Peres 1997). Eve's maximal Shannon information, attained when she does the optimal measurements, is thus given by:

$$\begin{aligned}
I(\alpha, \epsilon) &= F \cdot \left(1 - h\!\left(\frac{1 + \sin(x)}{2}\right)\right) && (62)\\
&\quad + D \cdot \left(1 - h\!\left(\frac{1 + \sin(y)}{2}\right)\right) && (63)
\end{aligned}$$

where $h(p) = -p \log_2(p) - (1-p) \log_2(1-p)$. For a given error rate $D$, this information is maximal when $x = y$. Consequently, for $D = \frac{1-\cos(x)}{2}$, one has:

$$I^{max}(\alpha, \epsilon) = 1 - h\!\left(\frac{1 + \sin(x)}{2}\right). \qquad (64)$$

This provides the explicit and analytic optimum eavesdropping strategy. For $x = 0$ the QBER (i.e. $D$) and the information gain are zero. For $x = \pi/2$ the QBER is $\frac{1}{2}$ and the information gain 1. For small QBERs, the information gain grows linearly:

$$I^{max}(\alpha, \epsilon) = D + O(D)^2 \approx 2.9\,D \qquad (65)$$

Once Alice, Bob and Eve have measured their quantum systems, they are left with classical random variables $\alpha$, $\beta$ and $\epsilon$, respectively. Secret key agreement between Alice and Bob is then possible using only error correction and privacy amplification if and only if the Alice-Bob mutual Shannon information $I(\alpha, \beta)$ is larger than the Alice-Eve or the Bob-Eve mutual information[53], $I(\alpha, \beta) > I(\alpha, \epsilon)$ or $I(\alpha, \beta) > I(\beta, \epsilon)$. It is thus interesting to compare Eve's maximal information (64) with Bob's Shannon information. The latter depends only on the error rate $D$:

$$\begin{aligned}
I(\alpha, \beta) &= 1 - h(D) && (66)\\
&= 1 + D \log_2(D) + (1 - D) \log_2(1 - D) && (67)
\end{aligned}$$

Bob's and Eve's information are plotted on Fig. 30. As expected, for low error rates $D$, Bob's information is larger. But, more errors provide Eve with more information, while Bob's information gets lower. Hence, both information curves cross at a specific error rate $D_0$:

$$I(\alpha, \beta) = I^{max}(\alpha, \epsilon) \iff D = D_0 \equiv \frac{1 - 1/\sqrt{2}}{2} \approx 15\% \qquad (68)$$

Consequently, the security criterion against individual attacks for the BB84 protocol reads:

$$\text{BB84 secure} \iff D < D_0 \equiv \frac{1 - 1/\sqrt{2}}{2} \qquad (69)$$

For QBERs larger than $D_0$ no (one-way communication) error correction and privacy amplification protocol can provide Alice and Bob with a secret key immune against any individual attacks.
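The comparison behind eqs. (59)–(69), worked numerically as an added example (not code from the review): it fixes the QBER D, uses eq. (59) to scan the second overlap angle y and check that Eve's information (62)–(63) peaks at x = y, then bisects I(α,β) = I^max(α,ε) to recover D0. The function names, the grid size and the bisection bracket are choices made for this example.

```python
import math


def h(p):
    """Binary entropy in bits; h(0) = h(1) = 0 by continuity."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def bob_information(D):
    """Eq. (66): Alice-Bob mutual information per sifted bit at QBER D."""
    return 1.0 - h(D)


def x_from_y(D, y):
    """Eq. (59) with F = 1 - D, solved for x once the overlap angle y is chosen."""
    cos_x = (1.0 - 2.0 * D - D * math.cos(y)) / (1.0 - D)
    return math.acos(max(-1.0, min(1.0, cos_x)))


def eve_information(D, y):
    """Eqs. (62)-(63): Eve's information for QBER D and overlap angle y."""
    x = x_from_y(D, y)
    F = 1.0 - D
    return (F * (1.0 - h((1.0 + math.sin(x)) / 2.0))
            + D * (1.0 - h((1.0 + math.sin(y)) / 2.0)))


def eve_max_information(D):
    """Eq. (64): the symmetric optimum x = y, where cos(x) = 1 - 2D."""
    x = math.acos(1.0 - 2.0 * D)
    return 1.0 - h((1.0 + math.sin(x)) / 2.0)


def best_y_on_grid(D, steps=2000):
    """Scan y over [0, pi/2]; return (y, information) at the grid maximum."""
    grid = (i * (math.pi / 2.0) / steps for i in range(steps + 1))
    return max(((y, eve_information(D, y)) for y in grid), key=lambda t: t[1])


def small_qber_slope(D=1e-4):
    """I_max / D for small D; the leading coefficient is 2/ln 2, about 2.9 (eq. 65)."""
    return eve_max_information(D) / D


def crossing_qber(lo=0.01, hi=0.40, tol=1e-12):
    """Bisect I(alpha,beta) - I_max(alpha,eps) = 0 to find the threshold D0 of eq. (68)."""
    def gap(D):
        return bob_information(D) - eve_max_information(D)

    if not (gap(lo) > 0.0 > gap(hi)):
        raise ValueError("bracket must have Bob ahead at lo and Eve ahead at hi")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if gap(mid) > 0.0:
            lo = mid  # Bob still has more information: threshold lies above mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    D = 0.10
    y_best, info_best = best_y_on_grid(D)
    print(f"D = {D}: grid optimum y = {y_best:.4f}, symmetric x = {math.acos(1 - 2 * D):.4f}")
    print(f"Eve (grid) = {info_best:.4f}, Eve (eq. 64) = {eve_max_information(D):.4f}, "
          f"Bob = {bob_information(D):.4f}")
    print(f"small-QBER slope = {small_qber_slope():.3f}")
    print(f"D0 (bisection) = {crossing_qber():.6f}, closed form = {(1 - 1 / math.sqrt(2)) / 2:.6f}")
```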
[52] Interestingly, when the symmetry is extended to a third maximally conjugated basis, as natural in the 6-state protocol of paragraph II D 2, then the number of parameters reduces to one. This parameter measures the relative quality of Bob's and Eve's "copy" of the qubit sent by Alice. When both copies are of equal quality, one recovers the optimal cloning presented in section II F (Bechmann-Pasquinucci and Gisin

[53] Note, however, that if this condition is not satisfied, other protocols might sometimes be used, see paragraph II C 5. These protocols are significantly less efficient and are usually not considered as part of "standard" QC. Note also that in the scenario analysed in this section $I(\beta, \epsilon) = I(\alpha, \epsilon)$.


Let us mention that more general classical protocols, called advantage distillation (paragraph II C 5), using two-way communication, exist. These can guarantee secrecy if and only if Eve's intervention does not disentangle Alice and Bob's qubits (assuming they use the Ekert version of the BB84 protocol) (Gisin and Wolf 2000). If Eve optimizes her Shannon information, as discussed in this section, this disentanglement-limit corresponds to a QBER $= 1 - 1/\sqrt{2} \approx 30\%$ (Gisin and Wolf 1999). But, using more brutal strategies, Eve can disentangle Alice and Bob already for a QBER of 25%, see Fig. 30. The latter is thus the absolute upper limit, taking into account the most general secret-key protocols. In practice, the limit (68) is more realistic, since advantage distillation algorithms are much less efficient than the classical privacy amplification ones.

F. Connection to Bell inequality

There is an intriguing connection between the above tight bound (69) and the CHSH form of Bell inequality (Bell 1964, Clauser et al. 1969, Clauser and Shimony 1978, Zeilinger 1999):

$$S \equiv E(a, b) + E(a, b') + E(a', b) - E(a', b') \le 2 \qquad (70)$$

where $E(a, b)$ is the correlation between Alice and Bob's data when measuring $\sigma_a \otimes \mathbb{1}$ and $\mathbb{1} \otimes \sigma_b$, where $\sigma_a$ denotes an observable with eigenvalues $\pm 1$ parameterized by the label $a$. Recall that Bell inequalities are necessarily satisfied by all local models, but are violated by quantum mechanics[54]. To establish this connection, assume that the same quantum channel is used to test Bell inequality. It is well-known that for error free channels, a maximal violation by a factor $\sqrt{2}$ is achievable: $S_{max} = 2\sqrt{2} > 2$. However, if the channel is imperfect, or equivalently if some perturbator Eve acts on the channel, then the quantum correlation $E(a, b|D)$ is reduced,

$$\begin{aligned}
E(a, b|D) &= F \cdot E(a, b) - D \cdot E(a, b) && (71)\\
&= (1 - 2D) \cdot E(a, b) && (72)
\end{aligned}$$

where $E(a, b)$ denotes the correlation for the unperturbed channel. The achievable amount of violation is then reduced to $S_{max}(D) = (1 - 2D)\,2\sqrt{2}$ and for large perturbations no violation at all can be achieved. Interestingly, the critical perturbation $D$ up to which a violation can be observed is precisely the same $D_0$ as the limit derived in the previous section for the security of the BB84 protocol:

$$S_{max}(D) > 2 \iff D < D_0 \equiv \frac{1 - 1/\sqrt{2}}{2}. \qquad (73)$$

This is a surprising and appealing connection between the security of QC and tests of quantum nonlocality. One could argue that this connection is quite natural, since, if Bell inequality were not violated, then quantum mechanics would be incomplete and no secure communication could be based on such an incomplete theory. In some sense, Eve's information is like probabilistic local hidden variables. However, the connection between (69) and (73) has not been generalized to other protocols. A complete picture of these connections is thus not yet

Let us emphasize that nonlocality plays no direct role in QC. Indeed, generally, Alice is in the absolute past of Bob. Nevertheless, Bell inequality can be violated as well by space like separated events as by time like separated events. However, the independence assumption necessary to derive Bell inequality is justified by locality considerations only for space-like separated events.

G. Ultimate security proofs

The security proof of QC with perfect apparatuses and a noise-free channel is straightforward. However, the fact that security can still be proven for imperfect apparatuses and noisy channels is far from obvious. Clearly, something has to be assumed about the apparatuses. In this section we simply make the hypothesis that they are perfect. For the channel which is not under Alice and Bob's control, however, nothing is assumed. The question is then: up to which QBER can Alice and Bob apply error correction and privacy amplification to their classical bits? In the previous sections we found that the threshold is close to a QBER of 15%, assuming individual attacks. But in principle Eve could manipulate several qubits coherently. How much help to Eve this possibility provides is still unknown, though some bounds are known. Already in 1996, Dominic Mayers (1996b) presented the main ideas on how to prove security[55]. In 1998, two major papers were made public on the Los Alamos archives (Mayers 1998, and Lo and Chau 1999). Nowadays, these proofs are generally considered as valid, thanks – among

[54] Let us stress that the CHSH-Bell inequality is the strongest possible for two qubits. Indeed, this inequality is violated if and only if the correlation can't be reproduced by a local hidden variable model (Pitowski 1989).

[55] I (NG) vividly remember the 1996 ISI workshop in Torino, sponsored by Elsag-Bailey, where I ended my talk stressing the importance of security proofs. Dominic Mayers stood up, gave some explanation, and wrote a formula on a transparency, claiming that this was the result of his proof. I think it is fair to say that no one in the audience understood Mayers' explanation. But I kept the transparency and it contains the basic eq. (76) (up to a factor 2, which corresponds to an improvement of Mayers' result obtained in 2000 by Shor and Preskill, using also ideas from Lo and Chau)!

others – to the works of P. Shor and J. Preskill (2000), H. Inamori et al. (2001) and of E. Biham et al. (1999). But it is worth noting that during the first years after the first disclosure of these proofs, essentially nobody in the community understood them!

Here we shall present the argument in a form quite different from the original proofs. Our presentation aims at being transparent in the sense that it rests on two theorems. The proofs of the theorems are hard and will be omitted. However, their claims are easy to understand and rather intuitive. Once one accepts the theorems, the security proof is rather straightforward.

The general idea is that at some point Alice, Bob and Eve perform measurements on their quantum systems. The outcomes provide them with classical random variables $\alpha$, $\beta$ and $\epsilon$, respectively, with $P(\alpha, \beta, \epsilon)$ the joint probability distribution. The first theorem, a standard of classical information based cryptography, states necessary and sufficient condition on $P(\alpha, \beta, \epsilon)$ for the possibility that Alice and Bob extract a secret key from $P(\alpha, \beta, \epsilon)$ (Csiszár and Körner 1978). The second theorem is a clever version of Heisenberg's uncertainty relation expressed in terms of available information (Hall 1995): it sets a bound on the sum of the information available to Bob and to Eve on Alice's key.

Theorem 1. For a given $P(\alpha, \beta, \epsilon)$, Alice and Bob can establish a secret key (using only error correction and classical privacy amplification) if and only if $I(\alpha, \beta) \ge I(\alpha, \epsilon)$ or $I(\alpha, \beta) \ge I(\beta, \epsilon)$, where $I(\alpha, \beta) = H(\alpha) - H(\alpha|\beta)$ denotes the mutual information, with $H$ the Shannon entropy.

Theorem 2. Let $E$ and $B$ be two observables in an $N$ dimensional Hilbert space. Denote $\epsilon$, $\beta$, $|\epsilon\rangle$ and $|\beta\rangle$ the corresponding eigenvalues and eigenvectors, respectively, and let $c = \max_{\epsilon,\beta}\{|\langle\epsilon|\beta\rangle|\}$. Then

$$I(\alpha, \epsilon) + I(\alpha, \beta) \le 2 \log_2(N c), \qquad (74)$$

where $I(\alpha, \epsilon) = H(\alpha) - H(\alpha|\epsilon)$ and $I(\alpha, \beta) = H(\alpha) - H(\alpha|\beta)$ are the entropy differences corresponding to the probability distribution of the eigenvalues $\alpha$ prior to and deduced from any measurement by Eve and Bob, respectively.

The first theorem states that Bob must have more information on Alice's bits than Eve (see Fig. 31). Since error correction and privacy amplification can be implemented using only 1-way communication, theorem 1 can be understood intuitively as follows. The initial situation is depicted in a). During the public phase of the protocol, because of the 1-way communication, Eve receives as much information as Bob, the initial information difference $\delta$ thus remains. After error correction, Bob's information equals 1, as illustrated on b). After privacy amplification Eve's information is zero. In c) Bob has replaced all bits to be disregarded by random bits. Hence the key has still the original length, but his information has decreased. Finally, removing the random bits, the key is shortened to the initial information difference, see d). Bob has full information on this final key, while Eve has none.

The second theorem states that if Eve performs a measurement providing her with some information $I(\alpha, \epsilon)$, then, because of the perturbation, Bob's information is necessarily limited. Using these two theorems, the argument now runs as follows. Suppose Alice sends out a large number of qubits and that $n$ were received by Bob in the correct basis. The relevant Hilbert space's dimension is thus $N = 2^n$. Let us re-label the bases used for each of the $n$ qubits such that Alice used $n$ times the x-basis. Hence, Bob's observable is the $n$-time tensor product $\sigma_x \otimes \dots \otimes \sigma_x$. By symmetry, Eve's optimal information on the correct bases is precisely the same as her optimal information on the incorrect ones (Mayers 1998). Hence one can bound her information assuming she measures $\sigma_z \otimes \dots \otimes \sigma_z$. Accordingly, $c = 2^{-n/2}$ and theorem 2 implies:

$$I(\alpha, \epsilon) + I(\alpha, \beta) \le 2 \log_2(2^n\, 2^{-n/2}) = n \qquad (75)$$

That is, the sum of Eve's and Bob's information per qubit is smaller or equal to 1. This is quite an intuitive result: together, Eve and Bob cannot get more information than sent out by Alice! Next, combining the bound (75) with theorem 1, one deduces that a secret key is achievable whenever $I(\alpha, \beta) \ge n/2$. Using $I(\alpha, \beta) = n\,(1 - D \log_2(D) - (1 - D) \log_2(1 - D))$ one obtains the sufficient condition on the error rate $D$ (i.e. the QBER):

$$D \log_2(D) + (1 - D) \log_2(1 - D) \le \frac{1}{2} \qquad (76)$$

i.e. $D \le 11\%$.

This bound, QBER ≤ 11%, is precisely that obtained in Mayers' proof (after improvement by P. Shor and J. Preskill (2000)). The above proof is, strictly speaking, only valid if the key is much longer than the number of qubits that Eve attacks coherently, so that the Shannon informations we used represent averages over many independent realisations of classical random variables. In other words, assuming that Eve can attack coherently a large but finite number $n_0$ of qubits, Alice and Bob can use the above proof to secure keys much longer than $n_0$ bits. If one assumes that Eve has an unlimited power, able to attack coherently any number of qubits, then the above proof does not apply, but Mayers' proof can still be used and provides precisely the same bound.

This 11% bound for coherent attacks is clearly compatible with the 15% bound found for individual attacks. The 15% bound is also a necessary one, since an explicit eavesdropping strategy reaching this bound is presented in section VI E. It is not known what happens in the intermediate range 11% < QBER < 15%, but the following is plausible. If Eve is limited to coherent attacks on a finite number of qubits, then in the limit of arbitrarily long keys, she has a negligibly small probability that the bits combined by Alice and Bob during the error

correction and privacy amplification protocols originate from qubits attacked coherently. Consequently, the 15% bound would still be valid (partial results in favor of this conjecture can be found in Cirac and Gisin 1997, and in Bechmann-Pasquinucci and Gisin 1999). However, if Eve has unlimited power, in particular, if she can coherently attack an unlimited number of qubits, then the 11% bound might be required.

To conclude this section, let us stress that the above security proof equally applies to the 6-state protocol (paragraph II D 2). It also extends straightforwardly to protocols using larger alphabets (Bechmann-Pasquinucci and Tittel 2000, Bechmann-Pasquinucci and Peres 2000, Bourennane et al. 2001a, Bourennane et al. 2001b).

H. Photon number measurements, lossless channels

In section III A we saw that all real photon sources have a finite probability to emit more than 1 photon. If all emitted photons encode the same qubit, Eve can take advantage of this. In principle, she can first measure the number of photons in each pulse, without disturbing the degree of freedom encoding the qubits[56]. Such measurements are sometimes called Quantum Non Demolition (QND) measurements, because they do not perturb the qubit, in particular they do not destroy the photons. This is possible because Eve knows in advance that Alice sends a mixture of states with well defined photon numbers[57], (see section II F). Next, if Eve finds more than one photon, she keeps one and sends the other(s) to Bob. In order to prevent that Bob detects a lower qubit rate, Eve must use a channel with lower losses. Using an ideally lossless quantum channel, Eve can even, under certain conditions, keep one photon and increase the probability that pulses with more than one photon get to Bob! Thirdly, when Eve finds one photon, she may destroy it with a certain probability, such that she does not affect the total number of qubits received by Bob. Consequently, if the probability that a non-empty pulse has more than one photon (on Alice's side) is larger than the probability that a non-empty pulse is detected by Bob, then Eve can get full information without introducing any perturbation! This is possible only when the QC protocol is not perfectly implemented, but this is a realistic situation (Huttner et al. 1995, Yuen 1997).

The QND attacks have recently received a lot of attention (Lütkenhaus 2000, Brassard et al. 2000). The debate is not yet settled. We would like to argue that it might be unrealistic, or even unphysical, to assume that Eve can perform ideal QND attacks. Indeed, first she needs the capacity to perform QND photon number measurements. Although impossible with today's technology, this is a reasonable assumption (Nogues et al. 1999). Next, she should be able to keep her photon until Alice and Bob reveal the basis. In principle this could be achieved using a lossless channel in a loop. We discuss this eventuality below. Another possibility would be that Eve maps her photon to a quantum memory. This does not exist today, but might well exist in the future. Note that the quantum memory should have essentially unlimited time, since Alice and Bob could easily wait for minutes before revealing the bases[58]. Finally, Eve must access a lossless channel, or at least a channel with losses lower than that used by Alice and Bob. This might be the most tricky point. Indeed, besides using a shorter channel, what can Eve do? The telecom fibers are already at the physical limits of what can be achieved (Thomas et al. 2000). The loss is almost entirely due to the Rayleigh scattering which is unavoidable: solve the Schrödinger equation in a medium with inhomogeneities and you get scattering. And when the inhomogeneities are due to the molecular structure of the medium, it is difficult to imagine lossless fibers! The 0.18 dB/km attenuation in silica fibers at 1550 nm is a lower bound which is based on physics, not on technology[59]. Note that using the air is not a viable solution, since the attenuation at the telecom wavelengths is rather high. Vacuum, the only way to avoid Rayleigh scattering, has also limitations, due to diffraction, again an unavoidable physical phenomenon. In the end, it seems that Eve has only two possibilities left. Either she uses teleportation (with extremely high success probability and fidelity) or

[56] For polarization coding, this is quite clear. But for phase coding one may think (incorrectly) that phase and photon number are incompatible! However, the phase used for encoding is a relative phase between two modes. Whether these modes are polarization modes or correspond to different times (determined e.g. by the relative length of interferometers), does not matter.

[57] Recall that a mixture of coherent states $|e^{i\phi}\alpha\rangle$ with a random phase $\phi$, as produced by lasers when no phase reference is available, is equal to a mixture of photon number states $|n\rangle$ with Poisson statistics: $\int_0^{2\pi} |e^{i\phi}\alpha\rangle\langle e^{i\phi}\alpha|\, d\phi = \sum_{n \ge 0} \frac{\mu^n}{n!} e^{-\mu} |n\rangle\langle n|$, where $\mu = |\alpha|^2$.

[58] The quantum part of the protocol could run continuously, storing large amounts of raw classical data. But the classical part of the protocol, processing these raw data, could take place just seconds before the key is used.

[59] Photonics crystal fibers have the potential to overcome the Rayleigh scattering limit. Actually, there are two kinds of such fibers. The first kind guides light by total internal reflection, like in ordinary fibers. In these most of the light also propagates in silica, and thus the loss limit is similar. In the second kind, most of the light propagates in air, thus the theoretical loss limit is lower. However, today the losses are extremely high, in the range of hundreds of dB/km. The best reported result that we are aware of is 11 dB/km and it was obtained with a fiber of the first kind (Canning et al. 2000).

she converts the photons to another wavelength (without perturbing the qubit). Both of these "solutions" are seemingly unrealistic in any foreseeable future.

Consequently, when considering the type of attacks discussed in this section, it is essential to distinguish the ultimate proofs from the practical ones discussed in the first part of this chapter. Indeed, the assumptions about the defects of Alice and Bob's apparatuses must be very specific and might thus be of limited interest. While for practical considerations, these assumptions must be very general and might thus be excessive.

I. A realistic beamsplitter attack

The attack presented in the previous section takes advantage of the pulses containing more than one photon. However, as discussed, it uses unrealistic assumptions. In this section, following N. Lütkenhaus (2000) and M. Dusek et al (2000), we briefly comment on a realistic attack, also exploiting the multiphoton pulses (for details, see Felix et al. 2001, where this and other examples are presented). Assume that Eve splits all pulses in two, analysing each half in one of the two bases, using photon counting devices able to distinguish pulses with 0, 1 and 2 photons (see Fig. 32). In practice this could be realized using many single photon counters in parallel. This requires nearly perfect detectors, but at least one does not need to assume technology completely out of today's realm. Whenever Eve detects two photons in the same output, she sends a photon in the corresponding state into Bob's apparatus. Since Eve's information is classical, she can overcome all the losses of the quantum channel. In all other cases, Eve sends nothing to Bob. In this way, Eve sends a fraction 3/8 of the pulses containing at least 2 photons to Bob. On these, she introduces a QBER = 1/6 and gets an information $I(A, E) = 2/3 = 4 \cdot \mathrm{QBER}$. Bob doesn't see any reduction in the number of detected photons, provided the transmission coefficient of the quantum channel $t$ satisfies:

$$t \le \frac{3}{8}\,\mathrm{Prob}(n \ge 2 \mid n \ge 1) \approx \frac{3\mu}{16} \qquad (77)$$

where the last expression assumes Poissonian photon distribution. Accordingly, for a fixed QBER, this attack provides Eve with twice the information she would get using the intercept resend strategy. To counter such an attack, Alice should use a mean photon number $\mu$ such that Eve can only use this attack on a fraction of the pulses. For example, Alice could use pulses weak enough that Eve's mean information gain is identical to the one she would obtain with the simple intercept resend strategy (see paragraph II C 3). For 10, 14 and 20 dB attenuation, this corresponds to $\mu$ = 0.25, 0.1 and 0.025,

J. Multi-photon pulses and passive choice of states

Multi-photon pulses do not necessarily constitute a threat for the key security, but limit the key creation rate because they imply that more bits must be discarded during key distillation. This fact is based on the assumption that all photons in a pulse carry the same qubit, so that Eve does not need to copy the qubit going to Bob, but merely keeps the copy that Alice inadvertently provides. When using weak pulses, it seems unavoidable that all the photons in a pulse carry the same qubit. However, in 2-photon implementations, each photon on Alice's side chooses independently a state (in the experiments of Ribordy et al. 2001 and Tittel et al. 2000, each photon chooses randomly both its basis and its bit value; in the experiments of Naik et al. 2000 and Jennewein et al. 2000b, the bit value choice only is random). Hence, when two photon pairs are simultaneously produced, by accident, the two twins carry independent qubits. Consequently, Eve can't take advantage of such multi-photon twin-pulses. This might be one of the main advantages of the 2-photon schemes compared to the much simpler weak-pulse schemes. But the multi-photon problem is then on Bob's side who gets a noisy signal, consisting partly in photons not in Alice's state!

K. Trojan Horse Attacks

All eavesdropping strategies discussed up to now consisted of Eve's attempt to get a maximum information out of the qubits exchanged by Alice and Bob. But Eve can also follow a completely different strategy: she can herself send signals that enter Alice and Bob's offices through the quantum channel. Strategies of this kind are called Trojan horse attacks. For example, Eve can send light pulses into the fiber entering Alice's or Bob's apparatuses and analyze the backreflected light. In this way, it is in principle possible to detect which laser just flashed, or which detector just fired, or the settings of phase and polarization modulators. This cannot be simply prevented by using a shutter, since Alice and Bob must leave the "door open" for the photons to go out and in, respectively.

In most QC-setups the amount of backreflected light can be made very small and sensing the apparatuses with light pulses through the quantum channel is difficult. Nevertheless, this attack is especially threatening in the plug-&-play scheme on Alice's side (section IV C 2), since a mirror is used to send the light pulses back to Bob. So in principle, Eve can send strong light pulses to Alice and sense the applied phase shift. However, by applying the phase shift only during a short time $\Delta t_{phase}$ (a few nanoseconds), Alice can oblige Eve to send the spying pulse at the same time as Bob. Remember that in the plug-&-play scheme pulses coming from Bob are macroscopic and an attenuator at Alice reduces them to the

below one photon level, say 0.1 photons per pulse. Hence, if Eve wants to get, say 1 photon per pulse, she has to send 10 times Bob's pulse energy. Since Alice is detecting Bob's pulses for triggering her apparatus, she must be able to detect an increase of energy of these pulses in order to reveal the presence of a spying pulse. This is a relatively easy task, provided that Eve's pulses look the same as Bob's. But, Eve could of course use another wavelength or ultrashort pulses (or very long pulses with low intensity, hence the importance of $\Delta t_{phase}$), therefore Alice must introduce an optical bandpass filter with a transmission spectrum corresponding to the sensitivity spectrum of her detector, and choose a $\Delta t_{phase}$ that fits to the bandwidth of her detector.

There is no doubt that Trojan horse attacks can be prevented by technical measures. However, the fact that this class of attacks exists illustrates that the security of QC can never be guaranteed only by the principles of quantum mechanics, but necessarily relies also on technical measures that are subject to discussions[60].

L. Real security: technology, cost and complexity

Despite the elegance and generality of security proofs, the dream of a QC system whose security relies entirely on quantum principles is unrealistic. The technological implementation of the abstract principles will always be questionable. It is likely that they will remain the weakest point in all systems. Moreover, one should remember the obvious equation:

$$\text{Infinite security} \Rightarrow \text{Infinite cost} \Rightarrow \text{Zero practical interest} \qquad (78)$$

On the other hand, however, one should not underestimate the following two advantages of QC. First, it is much easier to forecast progress in technology than in mathematics: the danger that QC breaks down overnight is negligible, contrary to public-key cryptosystems. Next, the security of QC depends on the technological level of the adversary at the time of the key exchange, contrary to complexity based systems whose coded message can be registered and broken thanks to future progress. The latter point is relevant for secrets whose value lasts many years.

One often points at the low bit rate as one of the current limitations of QC. However, it is important to stress that QC need not necessarily be used in conjunction with one-time pad encryption. It can also be used to provide a key for a symmetrical cipher – such as AES – whose

To conclude this chapter, let us briefly elaborate on the differences and similarities between technological and mathematical complexity and on their possible connections and implications. Mathematical complexity means that the number of steps needed to run complex algorithms explodes exponentially when the size of the input data grows linearly. Similarly, one can define technological complexity of a quantum computer by an exploding difficulty to process coherently all the qubits necessary to run a (non-complex) algorithm on a linearly growing number of input data. It might be interesting to consider the possibility that the relation between these two concepts of complexity is deeper. It could be that the solution of a problem requires either a complex classical algorithm or a quantum one which itself requires a complex quantum computer[61].

VII. CONCLUSION

Quantum cryptography is a fascinating illustration of the dialog between basic and applied physics. It is based on a beautiful combination of concepts from quantum physics and information theory and made possible thanks to the tremendous progress in quantum optics and in the technology of optical fibers and of free space optical communication. Its security principle relies on deep theorems in classical information theory and on a profound understanding of the Heisenberg's uncertainty principle, as illustrated by theorems 1 and 2 in section VI G (the only mathematically involved theorems in this review!). Let us also emphasize the important contributions of QC to classical cryptography: privacy amplification and classical bound information (paragraphs II C 4 and II C 5) are examples of concepts in classical information whose discovery was much inspired by QC. Moreover, the fascinating tension between quantum physics and relativity, as illustrated by Bell's inequality, is not far away, as discussed in section VI F. Now, despite the huge progress over the recent years, many open questions and technological challenges remain.

One technological challenge at present concerns improved detectors compatible with telecom fibers. Two other issues concern free space QC and quantum repeaters. The first is presently the only way to realize QC over thousands of kilometers using near future technology (see section IV E). The idea of quantum repeaters (section III E) is to encode the qubits in such a way that if the error rate is low, then errors can be detected and corrected entirely in the quantum domain. The hope is that
security is greatly enhanced by frequent key changes.

Penrose (1994) pushes these speculations even further,
suggesting that spontaneous collapses stop quantum com-
Another technological loophole, recently pointed out by puters whenever they try to compute beyond a certain
Kurtsiefer et al., is the possible information leakage caused complexity.
by light emitted by APDs during their breakdown (2001).

such techniques could extend the range of quantum communication to essentially unlimited distances. Indeed, Hans Briegel, then at Innsbruck University (1998), and coworkers, showed that the number of additional qubits needed for quantum repeaters can be made smaller than the number of qubits needed to improve the fidelity of the quantum channel (Dur et al. 1999). One could thus overcome the decoherence problem. However, the main practical limitation is not decoherence but loss (most photons never get to Bob, but those which get there exhibit high fidelity).

On the open questions side, let us emphasize three main concerns. First, complete and realistic analyses of the security issues are still missing. Next, figures of merit to compare QC schemes based on different quantum systems (with different dimensions for example) are still awaited. Finally, the delicate question of how to test the apparatuses has not yet received enough attention. Indeed, a potential customer of quantum cryptography buys confidence and secrecy, two qualities hard to quantify. Interestingly, both of these issues have a connection with Bell inequality (see sections VI F and VI B). But, clearly, this connection cannot be phrased in the old context of local hidden variables, but rather in the context of the security of tomorrow's communications. Here, as in the whole field of quantum information, old concepts are renewed by looking at them from a fresh perspective: let's exploit the quantum weirdness!

QC could well be the first application of quantum mechanics at the single quanta level. Experiments have demonstrated that keys can be exchanged over distances of a few tens of kilometers at rates at least of the order of a thousand bits per second. There is no doubt that the technology can be mastered and the question is not whether QC will find commercial applications, but when. Indeed, presently QC is still very limited in distance and in secret-bit rate. Moreover, public key systems occupy the market and, being pure software, are tremendously easier to manage. Every so often, the news is that some classical ciphersystem has been broken. This would be impossible with properly implemented QC. But this apparent strength of QC might turn out to be its weak point: the security agencies would equally be unable to break quantum cryptograms!

ACKNOWLEDGMENTS

Work supported by the Swiss FNRS and the European projects EQCSPOT and QUCOMM financed by the Swiss OFES. The authors would also like to thank Richard Hughes for providing Fig. 8, and acknowledge both referees, Charles H. Bennett and Paul G. Kwiat, for their very careful reading of the manuscript and their helpful remarks.

REFERENCES

Ardehali, M., H. F. Chau and H.-K. Lo, 1998, “Efficient Quantum Key Distribution”, quant-ph/9803007.
Aspect, A., J. Dalibard, and G. Roger, 1982, “Experimental Test of Bell's Inequalities Using Time-Varying Analyzers”, Phys. Rev. Lett. 49, 1804-1807.
Bechmann-Pasquinucci, H., and N. Gisin, 1999, “Incoherent and Coherent Eavesdropping in the 6-state Protocol of Quantum Cryptography”, Phys. Rev. A 59, 4238-4248.
Bechmann-Pasquinucci, H., and A. Peres, 2000, “Quantum cryptography with 3-state systems”, Phys. Rev. Lett. 85,
Bechmann-Pasquinucci, H., and W. Tittel, 2000, “Quantum cryptography using larger alphabets”, Phys. Rev. A 61,
Bell, J.S., 1964, “On the problem of hidden variables in quantum mechanics”, Review of Modern Phys. 38, 447-452; reprinted in “Speakable and unspeakable in quantum mechanics”, Cambridge University Press, New-York 1987.
Bennett, Ch.H., 1992, “Quantum cryptography using any two nonorthogonal states”, Phys. Rev. Lett. 68, 3121-3124.
Bennett, Ch.H. and G. Brassard, 1984, “Quantum cryptography: public key distribution and coin tossing”, Int. conf. Computers, Systems & Signal Processing, Bangalore, India, December 10-12, 175-179.
Bennett, Ch.H. and G. Brassard, 1985, “Quantum public key distribution system”, IBM Technical Disclosure Bulletin, 28, 3153-3163.
Bennett, Ch.H., G. Brassard and J.-M. Robert, 1988, “Privacy amplification by public discussion”, SIAM J. Comp. 17, 210-229.
Bennett, Ch.H., F. Bessette, G. Brassard, L. Salvail, and J. Smolin, 1992a, “Experimental Quantum Cryptography”, J. Cryptology 5, 3-28.
Bennett, Ch.H., G. Brassard and Mermin N.D., 1992b, “Quantum cryptography without Bell's theorem”, Phys. Rev. Lett. 68, 557-559.
Bennett, Ch.H., G. Brassard and A. Ekert, 1992c, “Quantum cryptography”, Scientific Am. 267, 26-33 (int. ed.).
Bennett, Ch.H., G. Brassard, C. Crépeau, R. Jozsa, A. Peres and W.K. Wootters, 1993, “Teleporting an unknown quantum state via dual classical and Einstein-Podolsky-Rosen channels”, Phys. Rev. Lett. 70, 1895-1899.
Bennett, Ch.H., G. Brassard, C. Crépeau, and U.M. Maurer, 1995, “Generalized privacy amplification”, IEEE Trans. Information th., 41, 1915-1923.
Berry, M.V., 1984, “Quantal phase factors accompanying adiabatic changes”, Proc. Roy. Soc. Lond. A 392, 45-57.
Bethune, D., and W. Risk, 2000, “An Autocompensating Fiber-Optic Quantum Cryptography System Based on Polarization Splitting of Light”, IEEE J. Quantum Electron., 36,
Biham, E. and T. Mor, 1997a, “Security of quantum cryptography against collective attacks”, Phys. Rev. Lett. 78,
Biham, E. and T. Mor, 1997b, “Bounds on Information and the Security of Quantum Cryptography”, Phys. Rev. Lett. 79, 4034-4037.

Biham, E., M. Boyer, P.O. Boykin, T. Mor and V. Roychowdhury, 1999, “A proof of the security of quantum key distribution”, quant-ph/9912053.
Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Jonsson, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, “Experiments on long wavelength (1550nm) ‘plug and play’ quantum cryptography systems”, Opt. Express 4, 383-387.
Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Hening, and J.P. Ciscar, 2000, “Experimental long wavelength quantum cryptography: from single photon transmission to key extraction protocols”, J. Mod. Optics 47, 563-579.
Bourennane, M., A. Karlsson and G. Björn, 2001a, “Quantum Key Distribution using multilevel encoding”, Phys. Rev A 64, 012306.
Bourennane, M., A. Karlsson, G. Björn, N. Gisin and N. Cerf, 2001b, “Quantum Key distribution using multilevel encoding : security analysis”, quant-ph/0106049.
Braginsky, V.B. and F.Ya. Khalili, 1992, “Quantum Measurements”, Cambridge University Press.
Brassard, G., 1988, “Modern cryptology”, Springer-Verlag, Lecture Notes in Computer Science, vol. 325.
Brassard, G. and L. Salvail, 1993, “Secret-key reconciliation by public discussion”, in Advances in Cryptology, Eurocrypt '93 Proceedings.
Brassard, G., C. Crépeau, D. Mayers and L. Salvail, 1998, “The Security of quantum bit commitment schemes”, Proceedings of Randomized Algorithms, Satellite Workshop of 23rd International Symposium on Mathematical Foundations of Computer Science, Brno, Czech Republic, 13-15.
Brassard, G., N. Lütkenhaus, T. Mor, and B.C. Sanders, 2000, “Limitations on Practical Quantum Cryptography”, Phys. Rev. Lett. 85, 1330-1333.
Breguet, J., A. Muller and N. Gisin, 1994, “Quantum cryptography with polarized photons in optical fibers: experimental and practical limits”, J. Modern optics 41, 2405-2412.
Breguet, J. and N. Gisin, 1995, “New interferometer using a 3x3 coupler and Faraday mirrors”, Optics Lett. 20, 1447-1449.
Brendel, J., W. Dultz and W. Martienssen, 1995, “Geometric phase in 2-photon interference experiments”, Phys. rev. A 52, 2551-2556.
Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, “Pulsed Energy-Time Entangled Twin-Photon Source for Quantum Communication”, Phys. Rev. Lett. 82 (12), 2594-2597.
Briegel, H.-J., Dur W., J.I. Cirac, and P. Zoller, 1998, “Quantum Repeaters: The Role of Imperfect Local Operations in Quantum Communication”, Phys. Rev. Lett. 81, 5932-5935.
Brouri, R., A. Beveratios, J.-P. Poizat, P. Grangier, 2000, “Photon antibunching in the fluorescence of individual colored centers in diamond”, Opt. Lett. 25, 1294-1296.
Brown, R.G.W. and M. Daniels, 1989, “Characterization of silicon avalanche photodiodes for photon correlation measurements. 3: Sub-Geiger operation”, Applied Optics 28, 4616-4621.
Brown, R.G.W., K. D. Ridley, and J. G. Rarity, 1986, “Characterization of silicon avalanche photodiodes for photon correlation measurements. 1: Passive quenching”, Applied Optics 25, 4122-4126.
Brown, R.G.W., R. Jones, J. G. Rarity, and Kevin D. Ridley, 1987, “Characterization of silicon avalanche photodiodes for photon correlation measurements. 2: Active quenching”, Applied Optics 26, 2383-2389.
Brunel, Ch., B. Lounis, Ph. Tamarat, and M. Orrit, 1999, “Triggered Source of Single Photons based on Controlled Single Molecule Fluorescence”, Phys. Rev. Lett. 83, 2722-2725.
Bruss, D., 1998, “Optimal eavesdropping in quantum cryptography with six states”, Phys. Rev. Lett. 81, 3018-3021.
Bruss, D., A. Ekert and C. Macchiavello, 1998, “Optimal universal quantum cloning and state estimation”, Phys. Rev. Lett. 81, 2598-2601.
Buttler, W.T., R.J. Hughes, P.G. Kwiat, S. K. Lamoreaux, G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson, and C. Simmons, 1998, “Practical free-space quantum key distribution over 1 km”, Phys. Rev. Lett. 81, 3283-3286.
Buttler, W.T., R.J. Hughes, S.K. Lamoreaux, G.L. Morgan, J.E. Nordholt, and C.G. Peterson, 2000, “Daylight Quantum key distribution over 1.6 km”, Phys. Rev. Lett, 84, pp. 5652-5655.
Bužek, V. and M. Hillery, 1996, “Quantum copying: Beyond the no-cloning theorem”, Phys. Rev. A 54, 1844-1852.
Cancellieri, G., 1993, “Single-mode optical fiber measurement: characterization and sensing”, Artech House, Boston & London.
Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kristensen and K. Lyytikainen, 2000, “Complex mode coupling within air-silica structured optical fibers and applications”, Optics Commun. 185, 321-324.
Cirac, J.I., and N. Gisin, 1997, “Coherent eavesdropping strategies for the 4-state quantum cryptography protocol”, Phys. Lett. A 229, 1-7.
Clarke, M., R.B., A. Chefles, S.M. Barnett and E. Riis, 2000, “Experimental Demonstration of Optimal Unambiguous State Discrimination”, Phys. Rev. A 63, 040305.
Clauser, J.F., M.A. Horne, A. Shimony and R.A. Holt, 1969, “Proposed experiment to test local hidden variable theories”, Phys. Rev. Lett. 23, 880-884.
Clauser, J.F. and A. Shimony, 1978, “Bell's theorem: experimental tests and implications”, Rep. Prog. Phys. 41, 1881-1927.
Cova, S., A. Lacaita, M. Ghioni, and G. Ripamonti, 1989, “High-accuracy picosecond characterization of gain-switched laser diodes”, Optics Letters 14, 1341-1343.
Cova, S., M. Ghioni, A. Lacaita, C. Samori, and F. Zappa, 1996, “Avalanche photodiodes and quenching circuits for single-photon detection”, Applied Optics 35(129), 1956-1976.
Csiszár, I. and Körner, J., 1978, “Broadcast channels with confidential messages”, IEEE Transactions on Information Theory, Vol. IT-24, 339-348.
De Martini, F., V. Mussi and F. Bovino, 2000, “Schroedinger cat states and optimum universal Quantum cloning by entangled parametric amplification”, Optics Commun. 179, 581-589.
Desurvire, E., 1994, “The golden age of optical fiber amplifiers”, Phys. Today, Jan. 94, 20-27.
Deutsch, D., 1985, “Quantum theory, the Church-Turing principle and the universal quantum computer”, Proc. Royal Soc. London, Ser. A 400, 97-105.

Deutsch, D., A. Ekert, R. Jozsa, C. Macchiavello, S. Popescu, and A. Sanpera, 1996, “Quantum privacy amplification and the security of quantum cryptography over noisy channels”, Phys. Rev. Lett. 77, 2818-2821; Erratum-ibid. 80, (1998), 2022.
Dieks, D., 1982, “Communication by EPR devices”, Phys. Lett. A 92, 271-272.
Diffie, W. and Hellman M.E., 1976, “New directions in cryptography”, IEEE Trans. on Information Theory IT-22, pp 644-654.
Dur, W., H.-J. Briegel, J.I. Cirac, and P. Zoller, 1999, “Quantum repeaters based on entanglement purification”, Phys. Rev. A 59, 169-181 (see also ibid 60, 725-725).
Dusek, M., M. Jahma, and N. Lütkenhaus, 2000, “Unambiguous state discrimination in quantum cryptography with weak coherent states”, Phys. Rev. A 62, 022306.
Einstein, A., B. Podolsky, and N. Rosen, 1935, “Can quantum-mechanical description of physical reality be considered complete?”, Phys. Rev. 47, 777-780.
Ekert, A.K., 1991, “Quantum cryptography based on Bell's theorem”, Phys. Rev. Lett. 67, 661-663.
Ekert, A.K., J.G. Rarity, P.R. Tapster, and G.M. Palma, 1992, “Practical quantum cryptography based on two-photon interferometry”, Phys. Rev. Lett. 69, 1293-1296.
Ekert, A.K., B. Huttner, 1994, “Eavesdropping Techniques in Quantum Cryptosystems”, J. Modern Optics 41, 2455-2466.
Ekert, A.K., 2000, “Coded secrets cracked open”, Physics World 13, 39-40.
Elamari, A., H. Zbinden, B. Perny and Ch. Zimmer, 1998, “Statistical prediction and experimental verification of concatenations of fibre optic components with polarization dependent loss”, J. Lightwave Techn. 16, 332-339.
Enzer, D., P. Hadley, R. Hughes, G. Peterson, and P. Kwiat, 2001, private communication.
Felix, S., A. Stefanov, H. Zbinden and N. Gisin, 2001, “Faint laser quantum key distribution: Eavesdropping exploiting multiphoton pulses”, quant-ph/0102062.
Fleury, L., J.-M. Segura, G. Zumofen, B. Hecht, and U.P. Wild, 2000, “Nonclassical Photon Statistics in Single-Molecule Fluorescence at Room Temperature”, Phys. Rev. Lett. 84, 1148-1151.
Franson J.D., 1989, “Bell Inequality for Position and Time”, Phys. Rev. Lett. 62, 2205-2208.
Franson, J.D., 1992, “Nonlocal cancellation of dispersion”, Phys. Rev. A 45, 3126-3132.
Franson, J.D., and B.C. Jacobs, 1995, “Operational system for Quantum cryptography”, Elect. Lett. 31, 232-234.
Freedmann, S.J. and J.F. Clauser, 1972, “Experimental test of local hidden variable theories”, Phys. rev. Lett. 28, 938-941.
Fry, E.S. and R.C. Thompson, 1976, “Experimental test of local hidden variable theories”, Phys. rev. Lett. 37, 465-468.
Fuchs, C.A., and A. Peres, 1996, “Quantum State Disturbance vs. Information Gain: Uncertainty Relations for Quantum Information”, Phys. Rev. A 53, 2038-2045.
Fuchs, C.A., N. Gisin, R.B. Griffiths, C.-S. Niu, and A. Peres, 1997, “Optimal Eavesdropping in Quantum Cryptography. I”, Phys. Rev. A 56, 1163-172.
Gérard, J.-M., B. Sermage, B. Gayral, B. Legrand, E. Costard, and V. Thierry-Mieg, 1998, “Enhanced Spontaneous Emission by Quantum Boxes in a Monolithic Optical Microcavity”, Phys. Rev. Lett., 81, 1110-1113.
Gérard, J.-M., and B. Gayral, 1999, “Strong Purcell Effect for InAs Quantum Boxes in Three-Dimensional Solid-State Microcavities”, J. Lightwave Technology 17, 2089-2095.
Gilbert, G., and M. Hamrick, 2000, “Practical Quantum Cryptography: A Comprehensive Analysis (Part One)”, MITRE Technical Report (MITRE, McLean USA), quant-ph/0009027.
Gisin, N., 1998, “Quantum cloning without signaling”, Phys. Lett. A 242, 1-3.
Gisin, N. et al., 1995, “Definition of Polarization Mode Dispersion and First Results of the COST 241 Round-Robin Measurements, with the members of the COST 241 group”, JEOS Pure & Applied Optics 4, 511-522.
Gisin, N. and S. Massar, 1997, “Optimal quantum cloning machines”, Phys. Rev. Lett. 79, 2153-2156.
Gisin, B. and N. Gisin, 1999, “A local hidden variable model of quantum correlation exploiting the detection loophole”, Phys. Lett. A 260, 323-327.
Gisin, N., and S. Wolf, 1999, “Quantum cryptography on noisy channels: quantum versus classical key-agreement protocols”, Phys. Rev. Lett. 83, 4200-4203.
Gisin, N., and H. Zbinden, 1999, “Bell inequality and the locality loophole: Active versus passive switches”, Phys. Lett. A 264, 103-107.
Gisin, N., and S. Wolf, 2000a, “Linking Classical and Quantum Key Agreement: Is There ‘Bound Information’?”, Advances in cryptology - Proceedings of Crypto 2000, Lecture Notes in Computer Science, Vol. 1880, 482-500.
Gisin, N., R. Renner and S. Wolf, 2000b, “Bound information : the classical analog to bound quantum entanglement”, Proceedings of the Third European Congress of Mathematics, Barcelona, July 2000.
Goldenberg, L., and L. Vaidman, 1995, “Quantum Cryptography Based on Orthogonal States”, Phys. Rev. Lett. 75, 1239-1243.
Gorman, P.M., P.R. Tapster and J.G. Rarity, 2000, “Secure Free-space Key Exchange Over a 1.2 km Range Using Quantum Cryptography” (DERA Malvern, United Kingdom).
Haecker, W., O. Groezinger, and M.H. Pilkuhn, 1971, “Infrared photon counting by Ge avalanche diodes”, Appl. Phys. Lett. 19, 113-115.
Hall, M.J.W., 1995, “Information exclusion principle for complementary observables”, Phys. Rev. Lett. 74, 3307-3310.
Hariharan, P., M. Roy, P.A. Robinson and O'Byrne J.W., 1993, “The geometric phase observation at the single photon level”, J. Modern optics 40, 871-877.
Hart, A.C., R.G. Huff and K.L. Walker, 1994, “Method of making a fiber having low polarization mode dispersion due to a permanent spin”, U.S. Patent 5,298,047.
Hildebrand, E., 2001, Ph. D. thesis (Johann-Wolfgang Goethe-Universität, Frankfurt).
Hillery, M., V. Buzek, and A. Berthiaume, 1999, “Quantum secret sharing”, Phys. Rev. A 59, 1829-1834.
Hiskett, P. A., G. S. Buller, A. Y. Loudon, J. M. Smith, I. Gontijo, A. C. Walker, P. D. Townsend, and M. J. Robertson,
2000, “Performance and Design of InGaAs/InP Photodiodes for Single-Photon Counting at 1.55 µm”, Appl. Opt. 39, 6818-6829.
Hong, C.K. and L. Mandel, 1985, “Theory of parametric frequency down conversion of light”, Phys. Rev. A 31, 2409-2418.
Hong, C.K. and L. Mandel, 1986, “Experimental realization of a localized one-photon state”, Phys. Rev. Lett. 56, 58-60.
Horodecki, M., R. Horodecki and P. Horodecki, 1996, “Separability of Mixed States: Necessary and Sufficient Conditions”, Phys. Lett. A 223, 1-8.
Hughes, R., G.G. Luther, G.L. Morgan and C. Simmons, 1996, “Quantum Cryptography over Underground Optical Fibers”, Lecture Notes in Computer Science 1109, 329-342.
Hughes, R., W. Buttler, P. Kwiat, S. Lamoreaux, G. Morgan, J. Nordhold, G. Peterson, 2000a, “Free-space quantum key distribution in daylight”, J. Modern Opt. 47, 549-562.
Hughes, R., G. Morgan, C. Peterson, 2000b, “Quantum key distribution over a 48km optical fibre network”, J. Modern Opt. 47, 533-547.
Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, “Quantum Cryptography with Coherent States”, Phys. rev. A 51, 1863-1869.
Huttner, B., J.D. Gautier, A. Muller, H. Zbinden, and N. Gisin, 1996a, “Unambiguous quantum measurement of non-orthogonal states”, Phys. Rev. A 54, 3783-3789.
Huttner, B., N. Imoto, and S.M. Barnett, 1996b, “Short distance applications of Quantum cryptography”, J. Nonlinear Opt. Phys. & Materials, 5, 823-832.
Imamoglu, A., and Y. Yamamoto, 1994, “Turnstile Device for Heralded Single Photons : Coulomb Blockade of Electron and Hole Tunneling in Quantum Confined p-i-n Heterojunctions”, Phys. Rev. Lett. 72, 210-213.
Inamori, H., L. Rallan, and V. Vedral, 2000, “Security of EPR-based Quantum Cryptography against Incoherent Symmetric Attacks”, quant-ph/0103058.
Ingerson, T.E., R.J. Kearney, and R.L. Coulter, 1983, “Photon counting with photodiodes”, Applied Optics 22, 2013-2018.
Ivanovic, I.D., 1987, “How to differentiate between non-orthogonal states”, Phys. Lett. A 123, 257-259.
Jacobs, B., and J. Franson, 1996, “Quantum cryptography in free space”, Optics Letters 21, 1854-1856.
Jennewein, T., U. Achleitner, G. Weihs, H. Weinfurter and A. Zeilinger, 2000a, “A fast and compact quantum random number generator”, Rev. Sci. Inst. 71, 1675-1680 and quant-ph/9912118.
Jennewein, T., C. Simon, G. Weihs, H. Weinfurter, and A. Zeilinger, 2000b, “Quantum Cryptography with Entangled Photons”, Phys. Rev. Lett. 84, 4729-4732.
Karlsson, A., M. Bourennane, G. Ribordy, H. Zbinden, J. Brendel, J. Rarity, and P. Tapster, 1999, “A single-photon counter for long-haul telecom”, IEEE Circuits & Devices 15, 34-40.
Kempe, J., Simon Ch., G. Weihs and A. Zeilinger, 2000, “Optimal photon cloning”, Phys. Rev. A 62, 032302.
Kim, J., O. Benson, H. Kan, and Y. Yamamoto, 1999, “A single-photon turnstile device”, Nature, 397, 500-503.
Kimble, H. J., M. Dagenais, and L. Mandel, 1977, “Photon antibunching in resonance fluorescence”, Phys. Rev. Lett. 39, 691-694.
Kitson, S.C., P. Jonsson, J.G. Rarity, and P.R. Tapster, 1998, “Intensity fluctuation spectroscopy of small numbers of dye molecules in a microcavity”, Phys. Rev. A 58, 620-6627.
Kolmogorow, A.N., 1956, “Foundations of the theory of probabilities”, Chelsea Pub., New-York.
Kurtsiefer, Ch., S. Mayer, P. Zarda, and H. Weinfurter, 2000, “Stable Solid-State Source of Single Photons”, Phys. Rev. Lett., 85, 290-293.
Kurtsiefer, Ch., P. Zarda, S. Mayer, and H. Weinfurter, 2001, “The breakdown flash of Silicon Avalanche Photodiodes - backdoor for eavesdropper attacks?”, quant-ph/0104103.
Kwiat, P.G., A.M. Steinberg, R.Y. Chiao, P.H. Eberhard, M.D. Petroff, 1993, “High-efficiency single-photon detectors”, Phys. Rev. A, 48, R867-R870.
Kwiat, P.G., E. Waks, A.G. White, I. Appelbaum, and P.H. Eberhard, 1999, “Ultrabright source of polarization-entangled photons”, Phys. Rev. A, 60, R773-776.
Lacaita, A., P.A. Francese, F. Zappa, and S. Cova, 1994, “Single-photon detection beyond 1 µm: performance of commercially available germanium photodiodes”, Applied Optics 33, 6902-6918.
Lacaita, A., F. Zappa, S. Cova, and P. Lovati, 1996, “Single-photon detection beyond 1 µm: performance of commercially available InGaAs/InP detectors”, Appl. Optics 35(16), 2986-2996.
Larchuk, T.S., M.V. Teich and B.E.A. Saleh, 1995, “Nonlocal cancellation of dispersive broadening in Mach-Zehnder interferometers”, Phys. Rev. A 52, 4145-4154.
Levine, B.F., C.G. Bethea, and J.C. Campbell, 1985, “Room-temperature 1.3-µm optical time domain reflectometer using a photon counting InGaAs/InP avalanche detector”, Appl. Phys. Lett. 45(4), 333-335.
Li, M.J., and D.A. Nolan, 1998, “Fiber spin-profile designs for producing fibers with low PMD”, Optics Lett. 23, 1659-1661.
Lo, H.-K., and H.F. Chau, 1998, “Why Quantum Bit Commitment And Ideal Quantum Coin Tossing Are Impossible”, Physica D 120, 177-187.
Lo, H.-K. and H.F. Chau, 1999, “Unconditional security of quantum key distribution over arbitrary long distances”, Science 283, 2050-2056; also quant-ph/9803006.
Lütkenhaus, N., 1996, “Security against eavesdropping in Quantum cryptography”, Phys. Rev. A, 54, 97-111.
Lütkenhaus, N., 2000, “Security against individual attacks for realistic quantum key distribution”, Phys. Rev. A, 61, 052304.
Marand, C., and P.D. Townsend, 1995, “Quantum key distribution over distances as long as 30 km”, Optics Letters 20, 1695-1697.
Martinelli, M., 1992, “Time reversal for the polarization state in optical systems”, J. Modern Opt. 39, 451-455.
Martinelli, M., 1989, “A universal compensator for polarization changes induced by birefringence on a retracing beam”, Opt. Commun. 72, 341-344.
Maurer, U.M., 1993, “Secret key agreement by public discussion from common information”, IEEE Transactions on Information Theory 39, 733-742.

Maurer, U.M., and S. Wolf, 1999, “Unconditionally secure key agreement and intrinsic information”, IEEE Transactions on Information Theory, 45, 499-514.
Mayers, D., 1996a, “The Trouble with Quantum Bit Commitment”, quant-ph/9603015.
Mayers, D., 1996b, “Quantum key distribution and string oblivious transfer in noisy channels”, Advances in Cryptology - Proceedings of Crypto '96, Springer-Verlag, 343-357.
Mayers, D., 1997, “Unconditionally secure Q bit commitment is impossible”, Phys. Rev. Lett. 78, 3414-3417.
Mayers, D., 1998, “Unconditional security in quantum cryptography”, Journal for the Association of Computing Machinery (to be published); also in quant-ph/9802025.
Mayers, D., and A. Yao, 1998, “Quantum Cryptography with Imperfect Apparatus”, Proceedings of the 39th IEEE Conference on Foundations of Computer Science.
Mazurenko, Y., R. Giust, and J.P. Goedgebuer, 1997, “Spectral coding for secure optical communications using refractive index dispersion”, Optics Commun. 133, 87-92.
Mérolla, J-M., Y. Mazurenko, J.P. Goedgebuer, and W.T. Rhodes, 1999, “Single-photon interference in sidebands of phase-modulated light for Quantum cryptography”, Phys. Rev. Lett, 82, 1656-1659.
Michler, P., A. Kiraz, C. Becher, W. V. Schoenfeld, P. M. Petroff, L. Zhang, E. Hu, and A. Imamoglu, 2000, “A quantum dot single photon turnstile device”, Science (in press).
Milonni, P.W. and Hardies, M.L., 1982, “Photons cannot always be replicated”, Phys. Lett. A 92, 321-322.
Molotkov, S.N., 1998, “Quantum crypto using photon frequency states (example of a possible realization)”, J. Exp. & Theor. Physics 87, 288-293.
Muller, A., J. Breguet and N. Gisin, 1993, “Experimental demonstration of quantum cryptography using polarized photons in optical fiber over more than 1 km”, Europhysics Lett. 23, 383-388.
Muller, A., H. Zbinden and N. Gisin, 1995, “Underwater quantum coding”, Nature 378, 449-449.
Muller, A., H. Zbinden and N. Gisin, 1996, “Quantum cryptography over 23 km in installed under-lake telecom fibre”, Europhysics Lett. 33, 335-339.
Muller, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin, 1997, “‘Plug and play’ systems for quantum cryptography”, Applied Phys. Lett. 70, 793-795.
Naik, D., C. Peterson, A. White, A. Berglund, and P. Kwiat, 2000, “Entangled State Quantum Cryptography: Eavesdropping on the Ekert Protocol”, Phys. Rev. Lett. 84, 4733-4736.
Neumann, E.-G., 1988, “Single-mode fibers: fundamentals”, Springer series in Optical Sciences, vol. 57.
Niu, C. S. and R. B. Griffiths, 1999, “Two-qubit copying machine for economical quantum eavesdropping”, Phys. Rev. A 60, 2764-2776.
Nogues, G., A. Rauschenbeutel, S. Osnaghi, M. Brune, J.M. Raimond and S. Haroche, 1999, “Seeing a single photon without destroying it”, Nature 400, 239-242.
Owens, P.C.M., J.G. Rarity, P.R. Tapster, D. Knight, and P.D. Townsend, 1994, “Photon counting with passively quenched germanium avalanche”, Applied Optics 33, 6895-6901.
Penrose, R., 1994, “Shadows of the mind”, Oxford University Press.
Peres, A., 1988, “How to differentiate between two non-orthogonal states”, Phys. Lett. A 128, 19.
Peres, A., 1996, “Separability criteria for density matrices”, Phys. Rev. Lett. 76, 1413-1415.
Peres, A., 1997, Quantum Theory: Concepts and Methods, Kluwer, Dordrecht.
Phoenix, S.J.D., S.M. Barnett, P.D. Townsend, and K.J. Blow, 1995, “Multi-user Quantum cryptography on optical networks”, J. Modern optics, 6, 1155-1163.
Piron, C., 1990, “Mécanique quantique”, Presses Polytechniques et Universitaires Romandes, Lausanne, Switzerland, pp 66-67.
Pitowsky, I., 1989, “Quantum probability, quantum logic”, Lecture Notes in Physics 321, Heidelberg, Springer.
Rarity, J. G. and P.R. Tapster, 1988, “Nonclassical effects in parametric downconversion”, in “Photons & Quantum Fluctuations”, eds Pike & Walther, Adam Hilger.
Rarity, J. G., P.C.M. Owens and P.R. Tapster, 1994, “Quantum random-number generation and key sharing”, Journal of Modern Optics 41, 2435-2444.
Rarity, J. G., T. E. Wall, K. D. Ridley, P. C. M. Owens, and P. R. Tapster, 2000, “Single-Photon Counting for the 1300-1600-nm Range by Use of Peltier-Cooled and Passively Quenched InGaAs Avalanche Photodiodes”, Appl. Opt. 39, 6746-6753.
Ribordy, G., J. Brendel, J.D. Gautier, N. Gisin, and H. Zbinden, 2001, “Long distance entanglement based quantum key distribution”, Phys. Rev. A 63, 012309.
Ribordy, G., J.-D. Gautier, N. Gisin, O. Guinnard, H. Zbinden, 2000, “Fast and user-friendly quantum key distribution”, J. Modern Opt., 47, 517-531.
Ribordy, G., J.D. Gautier, H. Zbinden and N. Gisin, 1998, “Performance of InGaAsInP avalanche photodiodes as gated-mode photon counters”, Applied Optics 37, 2272-2277.
Rivest, R.L., Shamir A. and Adleman L.M., 1978, “A Method of Obtaining Digital Signatures and Public-Key Cryptosystems”, Communications of the ACM 21, 120-126.
Santori, C., M. Pelton, G. Solomon, Y. Dale, and Y. Yamamoto, 2000, “Triggered single photons from a quantum dot” (Stanford University, Palo Alto, California).
Shannon, C.E., 1949, “Communication theory of secrecy systems”, Bell System Technical Journal 28, 656-715.
Shih, Y.H. and C.O. Alley, 1988, “New type of Einstein-Podolsky-Rosen-Bohm Experiment Using Pairs of Light Quanta Produced by Optical Parametric Down Conversion”, Phys. Rev. Lett. 61, 2921-2924.
Shor, P.W., 1994, “Algorithms for quantum computation: discrete logarithms and factoring”, Proceedings of the 35th Symposium on Foundations of Computer Science, Los Alamitos, edited by Shafi Goldwasser (IEEE Computer Society Press), 124-134.
Shor, P.W., and J. Preskill, 2000, “Simple proof of security of the BB84 Quantum key distribution protocol”, Phys. Rev. Lett. 85, 441-444.
Simon, C., G. Weihs, and A. Zeilinger, 1999, “Quantum Cloning and Signaling”, Acta Phys. Slov. 49, 755-760.
Simon, C., G. Weihs, A. Zeilinger, 2000, “Optimal Quantum Cloning via Stimulated Emission”, Phys. Rev. Lett. 84,
2993-2996.
Singh, S., 1999, “The code book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography” (Fourth Estate, London), see Ekert 2000 for a review.
Snyder, A.W., 1983, “Optical waveguide theory”, Chapman & Hall, London.
Spinelli, A., L.M. Davis, H. Dauted, 1996, “Actively quenched single-photon avalanche diode for high repetition rate time-gated photon counting”, Rev. Sci. Instrum 67, 55-61.
Stallings, W., 1999, “Cryptography and network security: principles and practices”, (Prentice Hall, Upper Saddle River, New Jersey, United States).
Stefanov, A., O. Guinnard, L. Guinnard, H. Zbinden and N. Gisin, 2000, “Optical Quantum Random Number Generator”, J. Modern Optics 47, 595-598.
Steinberg, A.M., P. Kwiat and R.Y. Chiao, 1992a, “Dispersion cancellation and high-resolution time measurements in a fourth-order optical interferometer”, Phys. Rev. A 45, 6659-6665.
Steinberg, A.M., P. Kwiat and R.Y. Chiao, 1992b, “Dispersion Cancellation in a Measurement of the Single-Photon Propagation Velocity in Glass”, Phys. Rev. Lett. 68, 2421-2424.
Stucki, D., G. Ribordy, A. Stefanov, H. Zbinden, J. Rarity and T. Wall, 2001, “Photon counting for quantum key distribution with Peltier cooled InGaAs/InP APD's”, preprint, University of Geneva, Geneva.
over installed fibre using WDM”, Elect. Lett. 33, 188-190.
Townsend, P., 1997b, “Quantum cryptography on multiuser optical fiber networks”, Nature 385, 47-49.
Townsend, P., 1998a, “Experimental Investigation of the Performance Limits for First Telecommunications-Window Quantum Cryptography Systems”, IEEE Photonics Tech. Lett. 10, 1048-1050.
Townsend, P., 1998b, “Quantum Cryptography on Optical Fiber Networks”, Opt. Fiber Tech. 4, 345-370.
Townsend, P., J.G. Rarity, and P.R. Tapster, 1993a, “Single photon interference in a 10 km long optical fiber interferometer”, Electron. Lett. 29, 634-639.
Townsend, P., J. Rarity, and P. Tapster, 1993b, “Enhanced single photon fringe visibility in a 10km-long prototype quantum cryptography channel”, Electron. Lett. 29, 1291-1293.
Townsend, P.D., S.J.D. Phoenix, K.J. Blow, and S.M. Barnett, 1994, “Design of QC systems for passive optical networks”, Elect. Lett, 30, pp. 1875-1876.
Vernam, G., 1926, “Cipher printing telegraph systems for secret wire and radio telegraphic communications”, J. Am. Institute of Electrical Engineers Vol. XLV, 109-115.
Vinegoni, C., M. Wegmuller and N. Gisin, 2000a, “Determination of nonlinear coefficient n2/Aeff using self-aligned interferometer and Faraday mirror”, Electron. Lett. 36, 886-888.
Vinegoni, C., M. Wegmuller, B. Huttner and N. Gisin, 2000b, “Measurement of nonlinear polarization rotation in a highly birefringent optical fiber using a Faraday mirror”, J. of Optics A 2, 314-318.
Sun, P.C., Y. Mazurenko, and Y. Fainman, 1995, “Long- Walls, D.F. and G.J. Milburn, 1995, “Quantum optics”,
distance frequency-division interferometer for communication Springer-verlag.
and quantum cryptography”, Opt. Lett. 20, 1062-1063. Weihs, G., T. Jennewein, C. Simon, H. Weinfurter, and A.
Tanzilli, S., H. De Riedmatten, W. Tittel, H. Zbinden, P. Zeilinger, 1998, ”Violation of Bell™s Inequality under Strict
Baldi, M. De Micheli, D.B. Ostrowsky, and N. Gisin, 2001, Einstein Locality Conditions”, Phys. Rev. Lett. 81, 5039-
“Highly e¬cient photon-pair source using a Periodically Poled 5043.
Lithium Niobate waveguide”, Electr. Lett. 37, 26-28. Wiesner, S., 1983, “Conjugate coding”, Sigact news, 15:1,
Tapster, P.R., J.G. Rarity, and P.C.M. Owens, 1994, “Vio- 78-88.
lation of Bell™s Inequality over 4 km of Optical Fiber”, Phys. Wigner, E.P., 1961, “The probability of the existence of a
Rev. Lett. 73, 1923-1926. self-reproducing unit”, in “The logic of personal knowledge”
Thomas, G.A., B.I. Shraiman, P.F. Glodis and M.J. Essays presented to Michael Polanyi in his Seventieth birth-
Stephen, 2000, “Towards the clarity limit in optical ¬ber”, day, 11 March 1961 Routledge & Kegan Paul, London, pp
Nature 404, 262-264. 231-238.
Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 1998, Wooters, W. K. and Zurek, W.H., 1982, “A single quanta
“Violation of Bell inequalities by photons more than 10 km cannot be cloned”, Nature 299, 802-803.
apart”, Phys. Rev. Lett. 81, 3563-3566. Yuen, H.P., 1997, “Quantum ampli¬ers, Quantum duplica-
Tittel, W., J. Brendel, H. Zbinden and N. Gisin, 1999, tors and Quantum cryptography”, Quantum & Semiclassical
“Long-distance Bell-type tests using energy-time entangled optics, 8, p. 939.
photons”, Phys. Rev. A 59, 4150-4163. Zappa, F., A. Lacaita, S. Cova, and P. Webb, 1994,
Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, “Nanosecond single-photon timing with InGaAs/InP photo-
2000, “Quantum Cryptography Using Entangled Photons in diodes”, Opt. Lett. 19, 846-848.
Energy-Time Bell States”, Phys. Rev. Lett. 84, 4737-4740 Zbinden, H., J.-D. Gautier, N. Gisin, B. Huttner, A.
Tittel, W., H. Zbinden, and N. Gisin, 2001, “Experimental Muller, and W. Tittel, 1997, “Interferometry with Faraday
demonstration of quantum secret sharing”, Phys. Rev. A 63, mirrors for quantum cryptography”, Electron. Lett. 33, 586-
042301. 588.
Tomita, A. and R. Y. Chiao, 1986, “Observation of Berry™s Zeilinger, A., 1999, “Experiment and the foundations of
topological phase by use of an optical ¬ber”, Phys. Rev. Lett. quantum physics”, Rev. Mod. Phys. 71, S288-S297.
57, 937-940. Zissis, G., and A. Larocca, 1978, “Optical Radiators and
Townsend, P., 1994, “Secure key distribution system based Sources”, Handbook of Optics, edited by W. G. Driscoll
on Quantum cryptography”, Elect. Lett. 30, 809-811. (McGraw-Hill, New York), Sec. 3.

Townsend, P., 1997a, “Simultaneous Quantum crypto- Zukowski, M., A. Zeilinger, M.A. Horne and A. Ekert, 1993,
graphic key distribution and conventional data transmission “ ˜Event-ready-detectors™ Bell experiment via entanglement

swapping”, Phys. Rev. Lett. 71, 4287-4290. FIGURES

Zukowski, M., A. Zeilinger, M. Horne, and H. Weinfurter,
1998, “Quest for GHZ states”, Acta Phys. Pol. A 93, 187-

FIG. 1. Implementation of the BB84 protocol. The four states lie on the equator of the Poincaré sphere.

FIG. 2. Poincaré sphere with a representation of six states that can be used to implement the generalization of the BB84

FIG. 3. EPR protocol, with the source and a Poincaré representation of the four possible states measured independently by Alice and Bob.

FIG. 4. Illustration of protocols exploiting EPR quantum systems. To implement the BB84 quantum cryptographic protocol, Alice and Bob use the same bases to prepare and measure their particles. A representation of their states on the Poincaré sphere is shown. A similar setup, but with Bob's bases rotated by 45°, can be used to test the violation of Bell inequality. Finally, in the Ekert protocol, Alice and Bob may use the violation of Bell inequality to test for eavesdropping.

FIG. 5. Photo of our entangled photon-pair source as used in the first long-distance test of Bell inequalities (Tittel et al. 1998). Note that the whole source fits in a box of only 40 × 45 × 15 cm³ size, and that neither special power supply nor water cooling is necessary.

FIG. 6. Transmission losses versus wavelength in optical fibers. Electronic transitions in SiO2 lead to absorption at lower wavelengths, excitation of vibrational modes to losses at higher wavelength. Superposed is the absorption due to Rayleigh backscattering and to transitions in OH groups. Modern telecommunication is based on wavelength around 1.3 µm (second telecommunication window) and around 1.5 µm (third telecommunication window).
(Plot axes: attenuation [dB/km] versus wavelength [µm]; curve labels: OH absorption, UV absorption.)

FIG. 7. Illustration of cancellation of chromatic dispersion effects in the fibers connecting an entangled-particle source and two detectors. The figure shows differential group delay (DGD) curves for two slightly different, approximately 10 km long fibers. Using frequency correlated photons with central frequency ω0, determined by the properties of the fibers, the difference of the propagation times t2 − t1 between signal (at ωs1, ωs2) and idler photon (at ωi1, ωi2) is the same for all ωs, ωi. Note that this cancellation scheme is not restricted to signal and idler photons at nearly equal wavelengths. It applies also to asymmetrical setups where the signal photon (generating the trigger to indicate the presence of the idler photon) is at a short wavelength of around 800 nm and travels only a short distance. Using a fiber with appropriate zero dispersion wavelength λ0, it is still possible to achieve equal DGD with respect to the energy-correlated idler photon at telecommunication wavelength, sent through a long fiber.
(Plot axes: group delay [ps] versus frequency [10¹⁴ Hz] and wavelength [nm]; markers: idler, ω0, ωs1, ωi1.)

FIG. 8. Transmission losses in free space as calculated using the LOWTRAN code for earth to space transmission at the elevation and location of Los Alamos, USA. Note that there is a low loss window at around 770 nm, a wavelength where high efficiency Silicon APD's can be used for single photon detection (see also Fig. 9 and compare to Fig. 6).

FIG. 9. Noise equivalent power as a function of wavelength for Silicon, Germanium, and InGaAs/InP APD's.
(Plot axes: NEP [W/Hz^1/2] versus wavelength [nm]; curve labels: 150 K, 77 K, Si APD.)

FIG. 10. Normalized net key creation rate ρnet as a function of the distance in optical fibers. For n = 1, Alice uses a perfect single photon source. For n > 1, the link is divided into n equal length sections and n/2 2-photon sources are distributed between Alice and Bob. Parameters: detection efficiency η = 10%, dark count probability pdark = 10⁻⁴, fiber attenuation α = 0.25 dB/km.
(Plot axes: 10 Log (ρnet) versus distance [km].)

FIG. 11. Bit rate after error correction and privacy amplification vs. fiber length. The chosen parameters are: pulse rates 10 MHz for faint laser pulses (µ = 0.1) and 1 MHz for the case of ideal single photons (1550 nm “single”); losses 2, 0.35 and 0.25 dB/km, detector efficiencies 50%, 20% and 10%, and dark count probabilities 10⁻⁷, 10⁻⁵, 10⁻⁵ for 800 nm, 1300 nm and 1550 nm respectively. Losses at Bob and QBERopt are
(Plot axes: Rnet [bit/s] versus distance [km]; curves: 800 nm, 1300 nm, 1550 nm, 1550 nm “single”.)

FIG. 12. Typical system for quantum cryptography using polarization coding (LD: laser diode, BS: beamsplitter, F: neutral density filter, PBS: polarizing beam splitter, λ/2: half waveplate, APD: avalanche photodiode).

FIG. 13. Geneva and Lake Geneva. The Swisscom optical fiber cable used for quantum cryptography experiments runs under the lake between the town of Nyon, about 23 km north of Geneva, and the centre of the city.

FIG. 14. Conceptual interferometric set-up for quantum cryptography using an optical fiber Mach-Zehnder interferometer (LD: laser diode, PM: phase modulator, APD: avalanche

FIG. 15. Poincaré sphere representation of two-levels quantum states generated by two-paths interferometers. The states generated by an interferometer where the first coupler is replaced by a switch correspond to the poles. Those generated with a symmetrical beamsplitter are on the equator. The azimuth indicates the phase between the two paths.

FIG. 16. Double Mach-Zehnder implementation of an interferometric system for quantum cryptography (LD: laser diode, PM: phase modulator, APD: avalanche photodiode). The inset represents the temporal count distribution recorded as a function of the time passed since the emission of the pulse by Alice. Interference is observed in the central peak.

FIG. 17. Evolution of the polarization state of a light pulse represented on the Poincaré sphere over a round trip propagation along an optical fiber terminated by a Faraday mirror.

FIG. 18. Self-aligned “Plug & Play” system (LD: laser diode, APD: avalanche photodiode, Ci: fiber coupler, PMj: phase modulator, PBS: polarizing beamsplitter, DL: optical delay line, FM: Faraday mirror, DA: classical detector).

FIG. 19. Implementation of sideband modulation (LD: laser diode, A: attenuator, PMi: optical phase modulator, Φj: electronic phase controller, RFOk: radio frequency oscillator, FP: Fabry-Perot filter, APD: avalanche photodiode).

FIG. 20. Multi-users implementation of quantum cryptography with one Alice connected to three Bobs by optical fibers. The photons sent by Alice randomly choose to go to one or the other Bob at a coupler.

FIG. 21. Typical system for quantum cryptography exploiting photon pairs entangled in polarization (PR: active polarization rotator, PBS: polarizing beamsplitter, APD: avalanche photodiode).

FIG. 22. Principle of phase coding quantum cryptography using energy-time entangled photon pairs.

FIG. 23. System for phase-coding entanglement based quantum cryptography (APD: avalanche photodiode). The photons choose their bases randomly at Alice and Bob's couplers.

FIG. 24. Quantum cryptography system exploiting photons entangled in energy-time and active basis choice. Note the similarity with the faint laser double Mach-Zehnder implementation depicted in Fig. 16.

FIG. 25. Schematic diagram of the first system designed and optimized for long distance quantum cryptography and exploiting phase coding of entangled photons.

FIG. 26. Schematics of quantum cryptography using entangled photons phase-time coding.

FIG. 27. Poincaré representation of the BB84 states and the intermediate basis, also known as the Breidbart basis, that can be used by Eve.

FIG. 28. Eavesdropping on a quantum channel. Eve extracts information out of the quantum channel between Alice and Bob at the cost of introducing noise into that channel.

FIG. 29. Poincaré representation of the BB84 states in the event of a symmetrical attack. The state received by Bob after the interaction of Eve's probe is related to the one sent by Alice by a simple shrinking factor. When the unitary operator U entangles the qubit and Eve's probe, Bob's state (eq. 46) is mixed and is represented by a point inside the Poincaré

FIG. 30. Eve and Bob information versus the QBER, here plotted for incoherent eavesdropping on the 4-state protocol. For QBERs below QBER0, Bob has more information than Eve and secret-key agreement can be achieved using classical error correction and privacy amplification. These can, in principle, be implemented using only 1-way communication. The secret-key rate can be as large as the information differences. For QBERs above QBER0 (≡ D0), Bob has a disadvantage with respect to Eve. Nevertheless, Alice and Bob can apply quantum privacy amplification up to the QBER corresponding to the intercept-resend eavesdropping strategies, IR4 and IR6 for the 4-state and 6-state protocols, respectively. Alternatively, they can apply a classical protocol called advantage distillation which is effective precisely up to the same maximal QBER IR4 and IR6. Both the quantum and the classical protocols require then 2-way communication. Note that for the eavesdropping strategy optimal from Eve's Shannon point of view on the 4-state protocol, QBER0 corresponds precisely to the noise threshold above which a Bell inequality can no longer be violated.
(Plot axes: information [bit] versus quantum bit error rate (QBER); curves: Bob's information, Eve's information, secret-key rate.)

FIG. 31. Intuitive illustration of theorem 1. The initial situation is depicted in a). During the 1-way public discussion phase of the protocol Eve receives as much information as Bob, the initial information difference δ thus remains. After error correction, Bob's information equals 1, as illustrated on b). After privacy amplification Eve's information is zero. In c) Bob has replaced all bits to be disregarded by random bits. Hence the key still has the original length, but his information has decreased. Finally, removing the random bits, the key is shortened to the initial information difference, see d). Bob has full information on this final key, while Eve has none.

FIG. 32. Realistic beamsplitter attack. Eve stops all pulses. The two photon pulses have a 50% probability to be analyzed by the same analyzer. If this analyzer is compatible with the state prepared by Alice, then both photons are detected at the same outcome; if not there is a 50% chance that they are detected at the same outcome. Hence, there is a probability of 3/8 that Eve detects both photons at the same outcome. In such a case, and only in such a case, she resends a photon to Bob. In 2/3 of these cases she introduces no errors since she identified the correct state and gets full information; in the remaining cases she has a probability 1/2 to introduce an error and gains no information. The total QBER is thus 1/6 and Eve's information gain 2/3.
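
The counting argument in the FIG. 32 caption can be checked by exact enumeration, which shows the QBER signature Alice and Bob would observe under this attack. The Python below is an added example, not code from the paper; it assumes ideal two-photon pulses, lossless detectors and a Bob who measures in Alice's basis (sifted key), and all function names are illustrative.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)

def measure(state_basis, state_bit, meas_basis):
    """Outcome distribution for a BB84 state measured in meas_basis."""
    if state_basis == meas_basis:
        return {state_bit: Fraction(1)}   # compatible analyzer: deterministic
    return {0: HALF, 1: HALF}             # conjugate basis: fair coin

def beamsplitter_attack():
    """Enumerate Alice's basis/bit and the analyzer each photon reaches."""
    p_resend = Fraction(0)    # both photons in one analyzer, same outcome
    p_correct = Fraction(0)   # ... and that analyzer matched Alice's basis
    p_error = Fraction(0)     # ... and Bob ends up with the wrong bit
    for a_basis, a_bit, e1, e2 in product((0, 1), repeat=4):
        if e1 != e2:
            continue          # photons split across analyzers: nothing resent
        branch = HALF ** 4    # uniform basis, bit and two passive routings
        for outcome, p_one in measure(a_basis, a_bit, e1).items():
            p = branch * p_one * p_one    # both photons give `outcome`
            p_resend += p
            if e1 == a_basis:
                p_correct += p
            # Eve resends the state she saw; Bob measures in Alice's basis.
            for bob_bit, p_bob in measure(e1, outcome, a_basis).items():
                if bob_bit != a_bit:
                    p_error += p * p_bob
    return {
        "p_resend": p_resend,                       # caption: 3/8
        "correct_fraction": p_correct / p_resend,   # caption: 2/3
        "qber": p_error / p_resend,                 # caption: 1/6
    }

if __name__ == "__main__":
    for name, value in beamsplitter_attack().items():
        print(name, value)
```
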


