. 1
( 4)



>>

REVIEWS OF MODERN PHYSICS, VOLUME 74, JANUARY 2002

Quantum cryptography
´
Nicolas Gisin, Gregoire Ribordy, Wolfgang Tittel, and Hugo Zbinden
Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland
(Published 8 March 2002)

Quantum cryptography could well be the ¬rst application of quantum mechanics at the
single-quantum level. The rapid progress in both theory and experiment in recent years is reviewed,
with emphasis on open questions and technological issues.


D. Frequency coding 173
CONTENTS
E. Free-space line-of-sight applications 174
F. Multi-user implementations 175
I. Introduction 145 V. Experimental Quantum Cryptography with Photon
II. A Beautiful Idea 146 Pairs 175
A. Polarization entanglement 176
A. The intuition 146
B. Energy-time entanglement 177
B. Classical cryptography 147
1. Phase coding 177
1. Asymmetrical (public-key) cryptosystems 147
2. Phase-time coding 179
2. Symmetrical (secret-key) cryptosystems 148
3. Quantum secret sharing 180
3. The one-time pad as ˜˜classical
VI. Eavesdropping 180
teleportation™™ 148
A. Problems and objectives 180
C. The BB84 protocol 149
B. Idealized versus real implementation 180
1. Principle 149
C. Individual, joint, and collective attacks 181
2. No-cloning theorem 149
D. Simple individual attacks: Intercept-resend and
3. Intercept-resend strategy 150
measurement in the intermediate basis 181
4. Error correction, privacy ampli¬cation, and
E. Symmetric individual attacks 182
quantum secret growing 150 F. Connection to Bell™s inequality 185
5. Advantage distillation 151 G. Ultimate security proofs 185
D. Other protocols 152 H. Photon number measurements and lossless
1. Two-state protocol 152 channels 187
2. Six-state protocol 152 I. A realistic beamsplitter attack 188
3. Einstein-Podolsky-Rosen protocol 152 J. Multiphoton pulses and passive choice of states 188
4. Other variations 153 K. Trojan horse attacks 189
E. Quantum teleportation as a ˜˜quantum one-time L. Real security: Technology, cost, and complexity 189
VII. Conclusions 190
pad™™ 154
Acknowledgments 190
F. Optical ampli¬cation, quantum nondemolition
References 190
measurements, and optimal quantum cloning 154
III. Technological Challenges 155
A. Photon sources 155 I. INTRODUCTION
1. Faint laser pulses 156
2. Photon pairs generated by parametric Electrodynamics was discovered and formalized in the
downconversion 156 19th century. The 20th century was then profoundly af-
3. Photon guns 157 fected by its applications. A similar adventure may be
B. Quantum channels 158
underway for quantum mechanics, discovered and for-
1. Single-mode ¬bers 158
malized during the last century. Indeed, although the la-
2. Polarization effects in single-mode ¬bers 158
ser and semiconductor are already common, applica-
3. Chromatic dispersion effects in single-mode
tions of the most radical predictions of quantum
¬bers 160
mechanics have only recently been conceived, and their
4. Free-space links 160
full potential remains to be explored by the physicists
C. Single-photon detection 161
and engineers of the 21st century.
1. Photon counting at wavelengths below 1.1
The most peculiar characteristics of quantum mechan-
m 163
2. Photon counting at telecommunications ics are the existence of indivisible quanta and of en-
wavelengths 163 tangled systems. Both of these lie at the root of quantum
D. Quantum random-number generators 164
cryptography (QC), which could very well be the ¬rst
E. Quantum repeaters 164
commercial application of quantum physics at the single-
IV. Experimental Quantum Cryptography with Faint
quantum level. In addition to quantum mechanics, the
Laser Pulses 165
20th century has been marked by two other major scien-
A. Quantum bit error rate 166
ti¬c revolutions: information theory and relativity. The
B. Polarization coding 167
status of the latter is well recognized. It is less well
C. Phase coding 168
known that the concept of information, nowadays mea-
1. The double Mach-Zehnder implementation 170
sured in bits, and the formalization of probabilities are
2. ˜˜Plug-and-play™™ systems 171


0034-6861/2002/74(1)/145(51)/$35.00 145 ©2002 The American Physical Society
146 Gisin et al.: Quantum cryptography


quite recent,1 although they have a tremendous impact a tool for new engineering. Apparently, information
on our daily life. It is fascinating to realize that QC lies theory, classical cryptography, quantum physics, and
at the intersection of quantum mechanics and informa- quantum optics ¬rst had to develop into mature sci-
tion theory and that, moreover, the tension between ences. It is certainly not a coincidence that QC and,
quantum mechanics and relativity”the famous more generally, quantum information were developed
Einstein-Rosen-Podolsky (EPR) paradox (Einstein by a community including many computer scientists and
et al., 1935)”is closely connected to the security of QC. more mathematically oriented young physicists: broader
Let us add a further point for young physicists. Unlike interests than traditional physics were needed.
laser and semiconductor physics, which are manifesta-
tions of quantum physics at the ensemble level and can
thus be described by semiclassical models, QC, and to an A. The intuition
even greater extent quantum computers, require a full
Quantum physics is well known for being counterin-
quantum-mechanical description (this may offer an in-
tuitive or even bizarre. We teach students that quantum
teresting challenge for physicists well trained in the
physics establishes a set of negative rules stating things
subtleties of their science).
that cannot be done. For example,
This review article has several objectives. First, we
present the basic intuition behind QC. Indeed, the basic
(1) One cannot take a measurement without perturbing
idea is so beautiful and simple that every physicist and
the system.
student should be given the pleasure of learning it. The
(2) One cannot determine simultaneously the position
general principle is then set in the broader context of
and the momentum of a particle with arbitrarily
modern cryptology (Sec. II.B) and made more precise
high accuracy.
(Sec. II.C). Section III discusses the main technological
(3) One cannot simultaneously measure the polariza-
challenges. Then, Secs. IV and V present the most com-
tion of a photon in the vertical-horizontal basis and
mon implementations of QC: the use of weak laser
simultaneously in the diagonal basis.
pulses and photon pairs, respectively. Finally, the impor-
(4) One cannot draw pictures of individual quantum
tant and dif¬cult problems of eavesdropping and secu-
processes.
rity proofs are discussed in Sec. VI, where the emphasis
(5) One cannot duplicate an unknown quantum state.
is more on the diversity of the issues than on formal
details. We have tried to write the different parts of this This negative viewpoint of quantum physics, due to its
review in such a way that they can be read indepen- contrast with classical physics, has only recently been
dently. turned positive, and QC is one of the best illustrations of
this psychological revolution. Indeed, one could charac-
terize quantum information processing as the science of
II. A BEAUTIFUL IDEA
turning quantum conundrums into potentially useful ap-
The idea of quantum cryptography was ¬rst proposed plications.
in the 1970s by Stephen Wiesner2 (1983) and by Charles Let us illustrate this point for QC. One of the basic
H. Bennett of IBM and Gilles Brassard of The Univer- negative statements of quantum physics reads
sity of Montreal (1984, 1985).3 However, this idea is so
´
One cannot take a measurement without perturbing
simple that any ¬rst-year student since the infancy of
the system (1)
quantum mechanics could actually have discovered it!
Nevertheless, it is only now that the ¬eld is mature (unless the quantum state is compatible with the mea-
enough and information security important enough that surement). The positive side of this axiom can be seen
physicists are ready to consider quantum mechanics, not when applied to a communication between Alice and
only as a strange theory good for paradoxes, but also as Bob (the conventional names of the sender and receiver,
respectively), provided the communication is quantum,
that is, quantum systems, for example, individual pho-
tons, carry the information. When this is the case, axiom
1
The Russian mathematician A. N. Kolmogorov (1956) is
(1) also applies to eavesdroppers, i.e., to a malicious Eve
credited with being the ¬rst to have formulated a consistent
(the conventional name given to the adversary in cryp-
mathematical theory of probabilities in the 1940s.
2
tology). Hence Eve cannot get any information about
S. Wiesner, then at Columbia University, was the ¬rst to pro-
pose ideas closely related to QC in the 1970s. However, his the communication without introducing perturbations
revolutionary paper did not appear until a decade later. Since that would reveal her presence.
it is dif¬cult to ¬nd, we reproduce his abstract here: The un- To make this intuition more precise, imagine that Al-
certainty principle imposes restrictions on the capacity of certain ice codes information in individual photons, which she
types of communication channels. This paper will show that in
sends to Bob. If Bob receives the photons unperturbed,
compensation for this ˜˜quantum noise,™™ quantum mechanics al-
then, according to the basic axiom (1), the photons were
lows us novel forms of coding without analogue in communica-
not measured. No measurement implies that Eve did not
tion channels adequately described by classical physics.
get any information about the photons (note that acquir-
3
Artur Ekert (1991) of Oxford University discovered QC in-
ing information is synonymous with carrying out mea-
dependently, though from a different perspective (see Sec.
surements). Consequently, after exchanging the photons,
II.D.3).


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
147
Gisin et al.: Quantum cryptography


Before continuing, we need to see how QC could ¬t
into existing cryptosystems. For this purpose the next
section brie¬‚y surveys some of the main aspects of mod-
ern cryptology.


B. Classical cryptography

Cryptography is the art of rendering a message unin-
telligible to any unauthorized party. It is part of the
broader ¬eld of cryptology, which also includes cryp-
toanalysis, the art of code breaking (for a historical per-
spective, see Singh, 1999). To achieve this goal, an algo-
FIG. 1. Implementation of the Bennett and Brassard (BB84) rithm (also called a cryptosystem or cipher) is used to
´
protocol. The four states lie on the equator of the Poincare combine a message with some additional information”
sphere. known as the key”and produce a cryptogram. This
technique is known as encryption. For a cryptosystem to
be secure, it should be impossible to unlock the crypto-
Alice and Bob can check whether someone ˜˜was listen-
gram without the key. In practice, this requirement is
ing™™: they simply compare a randomly chosen subset of
often weakened so that the system is just extremely dif-
their data using a public channel. If Bob received this
¬cult to crack. The idea is that the message should re-
subset unperturbed, then the logic goes as follows:
main protected at least as long as the information it con-
No perturbation’No measurement tains is valuable. Although con¬dentiality is the
traditional application of cryptography, it is used nowa-
’No eavesdropping. (2)
days to achieve broader objectives, such as authen-
Actually, there are two more points to add. First, in tication, digital signatures, and nonrepudiation (Bras-
order to ensure that axiom (1) applies, Alice encodes sard, 1988).
her information in nonorthogonal states (we shall illus-
trate this in Secs. II.C and II.D). Second, as we have
1. Asymmetrical (public-key) cryptosystems
presented it so far, Alice and Bob could discover any
eavesdropper, but only after they have exchanged their Cryptosytems come in two main classes”depending
message. It would of course be much better to ensure on whether Alice and Bob use the same key. Asym-
their privacy in advance and not afterwards. To achieve metrical systems involve the use of different keys for
this, Alice and Bob complement the above idea with a encryption and decryption. They are commonly known
second idea, again a very simple one, and one which is as public-key cryptosystems. Their principle was ¬rst
entirely classical. Alice and Bob do not use the quantum proposed in 1976 by Whit¬eld Dif¬e and Martin Hell-
channel to transmit information, but only to transmit a man, who were then at Stanford University. The ¬rst
random sequence of bits, i.e., a key. Now, if the key is actual implementation was then developed by Ronald
unperturbed, then quantum physics guarantees that no Rivest, Adi Shamir, and Leonard Adleman of the Mas-
sachusetts Institute of Technology in 1978.4 It is known
one has gotten any information about this key by eaves-
dropping, i.e., measuring, the quantum communication as RSA and is still widely used. If Bob wants to be able
channel. In this case, Alice and Bob can safely use this to receive messages encrypted with a public-key crypto-
key to encode messages. If, on the other hand, the key system, he must ¬rst choose a private key, which he
turns out to be perturbed, then Alice and Bob simply keeps secret. Then he computes from this private key a
disregard it; since the key does not contain any informa- public key, which he discloses to any interested party.
tion, they have not lost any. Alice uses this public key to encrypt her message. She
Let us make this general idea somewhat more precise, transmits the encrypted message to Bob, who decrypts it
in anticipation of Sec. II.C. In practice, the individual with the private key. Public-key cryptosystems are con-
quanta used by Alice and Bob, often called qubits (for venient and have thus become very popular over the last
quantum bits), are encoded in individual photons; for 20 years. The security of the Internet, for example, is
example, vertical and horizontal polarization code for partially based on such systems. They can be thought of
bit values 0 and 1, respectively. The second basis can as a mailbox in which anybody can insert a letter. Only
then be the diagonal one ( 45° linear polarization), the legitimate owner can then recover it, by opening it
with 45° coding for bit 1 and 45° for bit 0, respec- with his private key.
tively (see Fig. 1). Alternatively, the circular polarization
basis could be used as second basis. For photons the
quantum communication channel can be either free 4
According to the British Government, public-key cryptogra-
space (see Sec. IV.E) or optical ¬bers”special ¬bers or phy was originally invented at the Government Communica-
the ones used in standard telecommunications (Sec. tions Headquarters in Cheltenham as early as 1973. For an
III.B). The communication channel is thus not really historical account, see, for example, the book by Simon Singh
quantum. What is quantum are the information carriers. (1999).


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
148 Gisin et al.: Quantum cryptography


(sk m 1  kk m 1 ). Because the bits of the
The security of public-key cryptosystems is based on
computational complexity. The idea is to use mathemati- scrambled text are as random as those of the key, they
cal objects called one-way functions. By de¬nition, it is do not contain any information. This cryptosystem is
easy to compute the function f(x) given the variable x, thus provably secure according to information theory
(Shannon, 1949). In fact, it is the only provably secure
but dif¬cult to reverse the calculation and deduce x
cryptosystem known today.
from f(x). In the context of computational complexity,
Although perfectly secure, this system has a
the word ˜˜dif¬cult™™ means that the time required to per-
problem”it is essential for Alice and Bob to possess a
form a task grows exponentially with the number of bits
common secret key, which must be at least as long as the
in the input, while ˜˜easy™™ means that it grows polynomi-
message itself. They can only use the key for a single
ally. Intuitively, it is easy to understand that it takes only
encryption”hence the name ˜˜one-time pad.™™ If they
a few seconds to work out 67 71, but it takes much
used the key more than once, Eve could record all of the
longer to ¬nd the prime factors of 4757. However, fac-
scrambled messages and start to build up a picture of the
toring has a ˜˜trapdoor,™™ which means that it is easy to do
plain texts and thus also of the key. (If Eve recorded two
the calculation in the dif¬cult direction provided that
different messages encrypted with the same key, she
you have some additional information. For example, if
could add the scrambled texts to obtain the sum of the
you were told that 67 was one of the prime factors of
plain texts: s 1  s 2 m 1  k  m 2  k m 1  m 2  k  k
4757, the calculation would be relatively simple. The se-
m 1  m 2 , where we use the fact that  is commuta-
curity of RSA is actually based on the factorization of
tive.) Furthermore, the key has to be transmitted by
large integers.
some trusted means, such as a courier, or through a per-
In spite of its elegance, this technique suffers from a
sonal meeting between Alice and Bob. This procedure
major ¬‚aw. It has not been possible yet to prove whether
can be complex and expensive, and may even amount to
factoring is ˜˜dif¬cult™™ or not. This implies that the exis-
a loophole in the system.
tence of a fast algorithm for factorization cannot be
Because of the problem of distributing long sequences
ruled out. In addition, the discovery in 1994 by Peter
of key bits, the one-time pad is currently used only for
Shor of a polynomial algorithm allowing fast factoriza-
the most critical applications. The symmetrical crypto-
tion of integers with a quantum computer casts addi-
systems in use for routine applications such as
tional doubt on the nonexistence of a polynomial algo-
e-commerce employ rather short keys. In the case of the
rithm for classical computers.
Data Encryption Standard (also known as DES, pro-
Similarly, all public-key cryptosystems rely for their
moted by the United States™ National Institute of Stan-
security on unproven assumptions, which could them-
dards and Technology), a 56-bit key is combined with
selves be weakened or suppressed by theoretical or
the plain text divided into blocks in a rather complicated
practical advances. So far, no one has proved the exis-
way, involving permutations and nonlinear functions to
tence of any one-way function with a trapdoor. In other
produce the cipher text blocks (see Stallings, 1999 for a
words, the existence of secure asymmetric cryptosystems
didactic presentation). Other cryptosystems (e.g.,
is not proven. This poses a serious threat to these cryp-
IDEA, The International Data Encryption System, or
tosystems.
AES, the Advanced Encryption Standard) follow similar
In a society like ours, where information and secure
principles. Like asymmetrical cryptosystems, they offer
communication are of the utmost importance, one can-
only computational security. However, for a given key
not tolerate such a threat. For instance, an overnight
length, symmetrical systems are more secure than their
breakthrough in mathematics could make electronic
asymmetrical counterparts.
money instantly worthless. To limit such economic and
In practical implementations, asymmetrical algorithms
social risks, there is no alternative but to turn to sym-
are used not so much for encryption, because of their
metrical cryptosystems. QC has a role to play in such
slowness, but rather for distribution of session keys for
alternative systems.
symmetrical cryptosystems such as DES. Because the se-
curity of those algorithms is not proven (see Sec. II.B.1),
2. Symmetrical (secret-key) cryptosystems the security of the whole implementation can be com-
promised. If these algorithms were broken by math-
Symmetrical ciphers require the use of a single key for
ematical advances, QC would constitute the only way to
both encryption and decryption. These systems can be
solve the key distribution problem.
thought of as a safe in which the message is locked by
Alice with a key. Bob in turns uses a copy of this key to
unlock the safe. The one-time pad, ¬rst proposed by Gil-
3. The one-time pad as ˜˜classical teleportation™™
bert Vernam of AT&T in 1926, belongs to this category.
In this scheme, Alice encrypts her message, a string of The one-time pad has an interesting characteristic.
bits denoted by the binary number m 1 , using a ran- Assume that Alice wants to transfer to Bob a faithful
domly generated key k. She simply adds each bit of the copy of a classical system, without giving any informa-
message to the corresponding bit of the key to obtain tion to Eve about this system. For this purpose Alice
the scrambled text (s m 1  k, where  denotes the bi- and Bob have access only to an insecure classical chan-
nary addition modulo 2 without carry). It is then sent to nel. The operation is possible provided they share an
Bob, who decrypts the message by subtracting the key arbitrarily long secret key. Indeed, in principle, Alice

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
149
Gisin et al.: Quantum cryptography


which bits are perfectly correlated (the ones for which
can measure the state of her classical system with arbi-
trarily high precision and then use the one-time pad to Alice and Bob used the same basis) and which ones are
securely communicate this information to Bob, who can completely uncorrelated (all the other ones). Hence a
then, in principle, reconstruct (a copy of) the classical straightforward error correction scheme is possible: For
system. This somewhat arti¬cial use of the one-time pad each bit Bob announces publicly in which basis he mea-
has an interesting quantum relative (see Sec. II.E). sured the corresponding qubit (but he does not tell the
result he obtained). Alice then reveals only whether or
not the state in which she encoded that qubit is compat-
C. The BB84 protocol
ible with the basis announced by Bob. If the state is
1. Principle
compatible, they keep the bit; if not, they disregard it. In
this way about 50% of the bit string is discarded. This
The ¬rst protocol for QC was proposed in 1984 by
shorter key obtained after basis reconciliation is called
Charles H. Bennett, of IBM and Gilles Brassard, of the
the sifted key.6 The fact that Alice and Bob use a public
University of Montreal, hence the name BB84, as this
protocol is now known. They presented their work at an channel at some stage of their protocol is very common
IEEE conference in India, quite unnoticed by the phys- in cryptoprotocols. This channel does not have to be
ics community at the term. This underscores the need con¬dential, only authentic. Hence any adversary Eve
for collaboration in QC between different communities, can listen to all the communication on the public chan-
with different jargons, habits, and conventions.5 The in- nel, but she cannot modify it. In practice Alice and Bob
terdisciplinary character of QC is the probable reason may use the same transmission channel to implement
for its relatively slow start, but it certainly has contrib- both the quantum and the classical channels.
uted to the rapid expansion of the ¬eld in recent years. Note that neither Alice nor Bob can decide which key
We shall explain the BB84 protocol using the lan- results from the protocol.7 Indeed, it is the conjunction
1
guage of spin 2 , but clearly any two-level quantum sys-
of both of their random choices that produces the key.
tem would do. The protocol uses four quantum states
Let us now consider the security of the above ideal
that constitute two bases, for example, the states up ‘ ,
protocol (ideal because so far we have not taken into
down “ , left ← , and right ’ . The bases are maxi-
account unavoidable noise in practice, due to technical
mally conjugate in the sense that any pair of vectors, one
imperfections). Assume that some adversary Eve inter-
from each basis, has the same overlap, e.g., ‘ ← 2
cepts a qubit propagating from Alice to Bob. This is very
1
2 . Conventionally, one attributes the binary value 0 to
easy, but if Bob does not receive an expected qubit, he
states ‘ and ’ and the value 1 to the other two
will simply tell Alice to disregard it. Hence Eve only
states, and calls the states qubits (for quantum bits). In
lowers the bit rate (possibly down to zero), but she does
the ¬rst step, Alice sends individual spins to Bob in
not gain any useful information. For real eavesdropping
states chosen at random among the four states (in Fig. 1
the spin states ‘ , “ , ’ , and ← are identi¬ed as Eve must send a qubit to Bob. Ideally she would like to
send this qubit in its original state, keeping a copy for
the polarization states ˜˜horizontal,™™ ˜˜vertical,™™ ˜˜ 45°,™™
herself.
and ˜˜ 45°,™™ respectively). How she ˜˜chooses at ran-
dom™™ is a delicate problem in practice (see Sec. III.D),
but in principle she could use her free will. The indi-
vidual spins could be sent all at once or one after the
other (much more practical), the only restriction being
2. No-cloning theorem
that Alice and Bob be able to establish a one-to-one
correspondence between the transmitted and the re-
Following Wootters and Zurek (1982) one can easily
ceived spins. Next, Bob measures the incoming spins in
prove that perfect copying is impossible in the quantum
one of the two bases, chosen at random (using a
world (see also the anticipatory intuition of Wigner in
random-number generator independent from that of Al-
1961, as well as Dieks, 1982 and Milonni and Hardies,
ice). At this point, whenever they use the same basis,
1982). Let denote the original state of the qubit, b
they get perfectly correlated results. However, whenever
the blank copy,8 and 0 HQCM the initial state of Eve™s
they use different bases, they get uncorrelated results.
˜˜quantum copy machine,™™ where the Hilbert space
Hence, on average, Bob obtains a string of bits with a
HQCM of the quantum cloning machine is arbitrary. The
25% error rate; called the raw key. This error rate is so
high that standard error correction schemes would fail. ideal machine would produce
But in this protocol, as we shall see, Alice and Bob know

6
This terminology was introduced by Ekert and Huttner in
5
1994.
For instance, it is amusing to note that physicists strive to
7
Alice and Bob can, however, determine the statistics of the
publish in reputable journals, while conference proceedings
key.
are of secondary importance. For computer scientists, in con-
8
trast, appearance in the proceedings of the best conferences is b corresponds to the stock of white paper in an everyday
considered more important, while journal publication is sec- photocopy machine. We shall assume that the machine is not
ondary. empty, a purely theoretical assumption, as is well known.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
150 Gisin et al.: Quantum cryptography


0’ cases, since they get uncorrelated results. Altogether, if
   
b f, (3)
Eve uses this intercept-resend strategy, she gets 50% in-
where f denotes the ¬nal state of Eve™s machine, formation, while Alice and Bob have about a 25% error
which might depend on . Accordingly, using obvious rate in their sifted key, i.e., after they eliminate the cases
notations, in which they used incompatible states, there is still
about 25% error. They can thus easily detect the pres-
‘,b,0 ’ ‘,‘,f ‘ , (4) ence of Eve. If, however, Eve applies this strategy to
only a fraction of the communication, say 10%, then the
and error rate will be only 2.5%, while Eve™s information
will be 5%. The next section explains how Alice and
“,b,0 ’ “,“,f “ . (5) Bob can counter such attacks.
By linearity of quantum dynamics it follows that
4. Error correction, privacy ampli¬cation, and quantum
1 secret growing
’,b,0 ‘ “ )  b,0 (6)
& At this point in the BB84 protocol, Alice and Bob
share a so-called sifted key. But this key contains errors.
The errors are caused by technical imperfections, as well
1
’ ‘,‘,f ‘ “,“,f “ ). (7) as possibly by Eve™s intervention. Realistic error rates in
& the sifted key using today™s technology are of the order
of a few percent. This contrasts strongly with the 10 9
But the latter state differs from the ideal copy ’, error rate typical in optical communication. Of course,
’,f ’ , whatever the states f are. the few-percent error rate will be corrected down to the
Consequently, Eve cannot keep a perfect quantum standard 10 9 during the (classical) error correction step
copy, because perfect quantum copy machines cannot of the protocol. In order to avoid confusion, especially
exist. The possibility of copying classical information is among optical communication specialists, Beat Perny
probably one of the most characteristic features of infor- from Swisscom and Paul Townsend, then with British
mation in the everyday sense. The fact that quantum Telecommunications (BT), proposed naming the error
states, nowadays often called quantum information, can- rate in the sifted key QBER, for quantum bit error rate,
not be copied is certainly one of the most speci¬c at- to clearly distinguish it from the bit error rate (BER)
tributes that make this new kind of information so dif- used in standard communications.
ferent and hence so attractive. Actually, this negative Such a situation, in which legitimate partners share
capability clearly has its positive side, since it prevents classical information with high but not 100% correlation
Eve from perfect eavesdropping and hence makes QC and with possibly some correlation to a third party, is
potentially secure. common to all quantum cryptosystems. Actually, it is
also a standard starting point for classical information-
based cryptosystems in which one assumes that some-
3. Intercept-resend strategy
how Alice, Bob, and Eve have random variables , ,
and , respectively, with a joint probability distribution
We have seen that the eavesdropper needs to send a
P( , , ). Consequently, the last step in a QC protocol
qubit to Bob while keeping a necessarily imperfect copy
uses classical algorithms, ¬rst to correct the errors, and
for herself. How imperfect the copy has to be, according
then reduce to Eve™s information on the ¬nal key, a pro-
to quantum theory, is a delicate problem that we shall
cess called privacy ampli¬cation.
address in Sec. VI. Here, let us develop a simple eaves-
The ¬rst mention of privacy ampli¬cation appeared in
dropping strategy, called intercept-resend. This simple
Bennett, Brassard, and Robert (1988). It was then ex-
and even practical attack consists of Eve™s measuring
´
tended in collaboration with C. Crepeau from the Uni-
each qubit in one of the two bases, precisely as Bob
¨
versity of Montreal and U. Maurer of ETH, Zurich, re-
does. Then, she resends to Bob another qubit in the
spectively (Bennett, Brassard, et al. 1995; see also
state corresponding to her measurement result. In about
Bennett, Bessette, et al., 1992). Interestingly, this work
half of the cases, Eve will be lucky and choose the basis
motivated by QC found applications in standard
compatible with the state prepared by Alice. In these
information-based cryptography (Maurer, 1993; Maurer
cases she resends to Bob a qubit in the correct state, and
and Wolf, 1999).
Alice and Bob will not notice her intervention. How-
Assume that a joint probability distribution P( , , )
ever, in the other half of the cases, Eve unluckily uses
exists. Near the end of this section, we shall comment on
the basis incompatible with the state prepared by Alice.
this assumption. Alice and Bob have access only to the
This necessarily happens, since Eve has no information
marginal distribution P( , ). From this and from the
about Alice™s random-number generator (hence the im-
laws of quantum mechanics, they have to deduce con-
portance of this generator™s being truly random). In
straints on the complete scenario P( , , ); in particu-
these cases the qubits sent out by Eve are in states with
1
lar they have to bound Eve™s information (see Secs. VI.E
an overlap of 2 with the correct states. Alice and Bob
and VI.G). Given P( , , ), necessary and suf¬cient
thus discover her intervention in about half of these

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
151
Gisin et al.: Quantum cryptography


conditions for a positive secret-key rate between Alice Actually, the above scenario is incomplete. In this pre-
sentation, we have assumed that Eve measures her
and Bob, S( , ), are not yet known. However, a use-
probe before Alice and Bob run the error correction and
ful lower bound is given by the difference between Alice
privacy ampli¬cation algorithms, hence that P( , , )
and Bob™s mutual Shannon information I( , ) and
exists. In practice this is a reasonable assumption, but in
´ ¨
Eve™s mutual information (Csiszar and Korner, 1978, and
principle Eve could wait until the end of all the proto-
Theorem 1 in Sec. VI.G):
cols and then optimize her measurements accordingly.
S , max I , I , ,I , I , . (8) Such ˜˜delayed-choice eavesdropping strategies™™9 are
discussed in Sec. VI.
Intuitively, this result states that secure-key distillation
It should by now be clear that QC does not provide a
(Bennett, Bessette, et al., 1992) is possible whenever
complete solution for all cryptographic purposes.10 Ac-
Bob has more information than Eve.
tually, quite the contrary, QC can only be used as a
The bound (8) is tight if Alice and Bob are restricted
complement to standard symmetrical cryptosystems. Ac-
to one-way communication, but for two-way communi-
cordingly, a more precise name for QC is quantum key
cation, secret-key agreement might be possible even
distribution, since this is all QC does. Nevertheless, we
when condition (8) is not satis¬ed (see Sec. II.C.5).
prefer to keep the well-known terminology, which lends
Without discussing any algorithm in detail, let us offer
its name to the title of this review.
some idea of how Alice and Bob can establish a secret
Finally, let us emphasize that every key distribution
key when condition (8) is satis¬ed. First, once the sifted
system must incorporate some authentication scheme:
key is obtained (i.e., after the bases have been an-
the two parties must identify themselves. If not, Alice
nounced), Alice and Bob publicly compare a randomly
could actually be communicating directly with Eve. A
chosen subset of it. In this way they estimate the error
straightforward approach is for Alice and Bob initially
rate [more generally, they estimate their marginal prob-
to share a short secret. Then QC provides them with a
ability distribution P( , )]. These publicly disclosed
longer one and they each keep a small portion for au-
bits are then discarded. Next, either condition (8) is not
thentication at the next session (Bennett, Bessette, et al.,
satis¬ed and they stop the protocol or condition (8) is
1992). From this perspective, QC is a quantum secret-
satis¬ed and they use some standard error correction
growing protocol.
protocol to get a shorter key without errors.
With the simplest error correction protocol, Alice ran-
domly chooses pairs of bits and announces their XOR 5. Advantage distillation
value (i.e., their sum modulo 2). Bob replies either ˜˜ac-
QC has motivated and still motivates research in clas-
cept™™ if he has the same XOR value for his correspond-
sical information theory. The best-known example is
ing bits, or ˜˜reject™™ if not. In the ¬rst case, Alice and
probably the development of privacy ampli¬cation algo-
Bob keep the ¬rst bit of the pair and discard the second
rithms (Bennett et al., 1988, 1995). This in turn led to the
one, while in the second case they discard both bits. In
development of new cryptosystems based on weak but
reality, more complex and ef¬cient algorithms are used.
classical signals, emitted for instance by satellites (Mau-
After error correction, Alice and Bob have identical
rer, 1993).11 These new developments required secret-
copies of a key, but Eve may still have some information
key agreement protocols that could be used even when
about it [compatible with condition (8)]. Alice and Bob
condition (8) did not apply. Such protocols, called ad-
thus need to reduce Eve™s information to an arbitrarily
vantage distillation, necessarily use two-way communica-
low value using some privacy ampli¬cation protocols.
tion and are much less ef¬cient than privacy ampli¬ca-
These classical protocols typically work as follows. Alice
tion. Usually, they are not considered in the literature on
again randomly chooses pairs of bits and computes their
QC, but conceptually they are remarkable from at least
XOR value. But, in contrast to error correction, she
two points of view. First, it is somewhat surprising that
does not announce this XOR value. She only announces
secret-key agreement is possible even if Alice and Bob
which bits she chose (e.g., bits number 103 and 537).
start with less mutual (Shannon) information than Eve.
Alice and Bob then replace the two bits by their XOR
They can take advantage of the authenticated public
value. In this way they shorten their key while keeping it
error free, but if Eve has only partial information on the
two bits, her information on the XOR value is even less.
9
Assume, for example, that Eve knows only the value of Note, however, that Eve has to choose the interaction be-
tween her probe and the qubits before the public discussion
the ¬rst bit and nothing about the second one. Then she
phase of the protocol.
has no information at all about the XOR value. Also, if 10
For a while it was thought that bit commitment (see, for
Eve knows the value of both bits with 60% probability,
example, Brassard, 1988), a powerful primitive in cryptology,
then the probability that she correctly guesses the XOR
could be realized using quantum principles. However, Dominic
value is only 0.62 0.42 52%. This process would have
Mayers (1996a, 1997) and Lo and Chau (1998) proved it to be
to be repeated several times; more ef¬cient algorithms impossible (see also Brassard et al., 1998).
use larger blocks (Brassard and Salvail, 1994). 11
Note that here con¬dentiality is not guaranteed by the laws
The error correction and privacy ampli¬cation algo- of physics, but relies on the assumption that Eve™s technology
rithms sketched above are purely classical algorithms. is limited, e.g., her antenna is ¬nite, and her detectors have
This illustrates that QC is a truly interdisciplinary ¬eld. limited ef¬ciencies.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
152 Gisin et al.: Quantum cryptography


channel to decide which series of realizations to keep,
whereas Eve cannot in¬‚uence this process12 (Maurer,
1993; Maurer and Wolf, 1999).
Recently, a second remarkable feature of advantage
distillation, connecting quantum and classical secret-key
agreement, has been discovered (assuming one uses the
Ekert protocol described in Sec. II.D.3): If Eve follows a
strategy that optimizes her Shannon information, under
the assumption that she attacks the qubits one at a time
(the so-called individual attack; see Sec. VI.E), then Al-
ice and Bob can use advantage distillation if and only if
Alice and Bob™s qubits are still entangled (they can thus ´
FIG. 2. Poincare sphere with a representation of six states that
use quantum privacy ampli¬cation; Deutsch et al., 1996; can be used to implement the generalization of the BB84 pro-
Gisin and Wolf, 1999). This connection between the con- tocol.
cept of entanglement, central to quantum information
theory, and the concept of intrinsic classical information,
bright pulse and a dim pulse with less than one photon
central to classical information-based cryptography
on average (Bennett, 1992). The presence of the bright
(Maurer and Wolf, 1999), has been shown to be general
pulse makes this protocol especially resistant to eaves-
(Gisin and Wolf, 2000). The connection seems to extend
dropping, even in settings with high attenuation. Bob
even to bound entanglement (Gisin et al., 2000).
can monitor the bright pulses to make sure that Eve
does not remove any. In this case, Eve cannot eliminate
D. Other protocols the dim pulse without revealing her presence, because
the interference of the bright pulse with vacuum would
1. Two-state protocol introduce errors. A practical implementation of this so-
called 892 protocol is discussed in Sec. IV.D. Huttner
In 1992 Bennett noticed that four states are more than
et al. extended this reference-beam monitoring to the
are really necessary for QC: only two nonorthogonal
four-state protocol in 1995.
states are needed. Indeed the security of QC relies on
the inability of an adversary to distinguish unambigu-
ously and without perturbation between the different 2. Six-state protocol
states that Alice may send to Bob; hence two states are
While two states are enough and four states are stan-
necessary, and if they are incompatible (i.e., not mutu-
dard, a six-state protocol better respects the symmetry
ally orthogonal), then two states are also suf¬cient (Ben-
of the qubit state space; see Fig. 2 (Bruss, 1998;
nett, 1992). This is a conceptually important clari¬ca-
Bechmann-Pasquinucci and Gisin, 1999). The six states
tion. It also made several of the ¬rst experimental
constitute three bases, hence the probability that Alice
demonstrations easier (as is discussed further in Sec. 1
and Bob choose the same basis is only 3 , but the sym-
IV.D). But in practice, it is not a good solution. Indeed,
metry of this protocol greatly simpli¬es the security
although two nonorthogonal states cannot be distin-
analysis and reduces Eve™s optimal information gain for
guished unambiguously without perturbation, one can
a given error rate QBER. If Eve measures every photon,
unambiguously distinguish between them at the cost of
the QBER is 33%, compared to 25% in the case of the
some losses (Ivanovic, 1987; Peres, 1988). This possibil-
BB84 protocol.
ity has been demonstrated in practice (Huttner, Gautier,
et al., 1996; Clarke et al., 2000). Alice and Bob would
3. Einstein-Podolsky-Rosen protocol
have to monitor the attenuation of the quantum channel
(and even this would not be entirely safe if Eve were
This variation of the BB84 protocol is of special con-
able to replace the channel by a more transparent one;
ceptual, historical, and practical interest. The idea is due
see Sec. VI.H). The two-state protocol can also be
to Artur Ekert (1991) of Oxford University, who, while
implemented using interference between a macroscopic
elaborating on a suggestion of David Deutsch (1985),
discovered QC independently of the BB84 paper. Intel-
lectually, it is very satisfying to see this direct connection
12
The idea is that Alice picks out several instances in which to the famous EPR paradox (Einstein, Podolski, and
she got the same bit and communicates the instances”but not Rosen, 1935): the initially philosophical debate turned to
the bit”to Bob. Bob replies yes only if it happens that for all theoretical physics with Bell™s inequality (1964), then to
these instances he also has the same bit value. For high error
experimental physics (Freedmann and Clauser, 1972; Fry
rates this is unlikely, but when it does happen there is a high
and Thompson, 1976; Aspect et al., 1982), and is now”
probability that both have the same bit. Eve cannot in¬‚uence
thanks to Ekert™s ingenious idea”part of applied phys-
the choice of the instances. All she can do is use a majority
ics.
vote for the cases accepted by Bob. The probability that Eve
The idea consists in replacing the quantum channel
makes an error can be much higher than the probability that
carrying two qubits from Alice to Bob by a channel car-
Bob makes an error (i.e., that all his instances are wrong), even
rying two qubits from a common source, one qubit to
if Eve has more initial information than Bob.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
153
Gisin et al.: Quantum cryptography




FIG. 3. Einstein-Podolsky-Rosen (EPR) protocol, with the
´
source and a Poincare representation of the four possible
states measured independently by Alice and Bob.


Alice and one to Bob. A ¬rst possibility would be that
the source always emits the two qubits in the same state
chosen randomly among the four states of the BB84 pro-
tocol. Alice and Bob would then both measure their qu-
bit in one of the two bases, again chosen independently FIG. 4. Illustration of protocols exploiting EPR quantum sys-
and randomly. The source then announces the bases, tems. To implement the BB84 quantum cryptographic proto-
and Alice and Bob keep the data only when they hap- col, Alice and Bob use the same bases to prepare and measure
pen to have made their measurements in the compatible ´
their particles. A representation of their states on the Poincare
basis. If the source is reliable, this protocol is equivalent sphere is shown. A similar setup, but with Bob™s bases rotated
to that of BB84: It is as if the qubit propagates back- by 45°, can be used to test the violation of Bell™s inequality.
wards in time from Alice to the source, and then for- Finally, in the Ekert protocol, Alice and Bob may use the vio-
lation of Bell™s inequality to test for eavesdropping.
ward to Bob. But better than trusting the source, which
could be in Eve™s hand, the Ekert protocol assumes that
the two qubits are emitted in a maximally entangled rity of QC and emphasizing the close connection
state like between the Ekert and the BB84 schemes. This criticism
might be missing an important point. Although the exact
1
‘,‘ “,“ ). (9) relation between security and Bell™s inequality is not yet
& fully known, there are clear results establishing fascinat-
ing connections (see Sec. VI.F). In October 1992, an ar-
Then, when Alice and Bob happen to use the same ba-
ticle by Bennett, Brassard, and Ekert demonstrated that
sis, either the x basis or the y basis, i.e., in about half of
the founding fathers of QC were able to join forces
the cases, their results are identical, providing them with
to develop the ¬eld in a pleasant atmosphere (Bennett,
a common key. Note the similarity between the one-
Brassard, and Ekert, 1992).
qubit BB84 protocol illustrated in Fig. 1 and the two-
qubit Ekert protocol of Fig. 3. The analogy can be made
even stronger by noting that for all unitary evolutions
4. Other variations
U 1 and U 2 , the following equality holds:
There is a large collection of variations on the BB84
1 U 2 U t1
() ()
U1  U2 , (10)
protocol. Let us mention a few, chosen somewhat arbi-
where U t1 denotes the transpose. trarily. First, one can assume that the two bases are not
chosen with equal probability (Ardehali et al., 1998).
In his 1991 paper Ekert suggested basing the security
This has the nice consequence that the probability that
of this two-qubit protocol on Bell™s inequality, an in-
1
Alice and Bob choose the same basis is greater than 2 ,
equality which demonstrates that some correlations pre-
thus increasing the transmission rate of the sifted key.
dicted by quantum mechanics cannot be reproduced by
However, this protocol makes Eve™s job easier, as she is
any local theory (Bell, 1964). To do this, Alice and Bob
more likely to guess correctly the basis that was used.
can use a third basis (see Fig. 4). In this way the prob-
Consequently, it is not clear whether the ¬nal key rate,
ability that they might happen to choose the same basis
1 2
after error correction and privacy ampli¬cation, is
is reduced from 2 to 9 , but at the same time as they
higher or not.
establish a key, they collect enough data to test Bell™s
inequality.13 They can thus check that the source really Another variation consists in using quantum systems
of dimension greater than 2 (Bechmann-Pasquinucci
emits the entangled state (9) and not merely product
and Peres, 2000; Bechmann-Pasquinucci and Tittel,
states. The following year Bennett, Brassard, and Mer-
¨
2000; Bourennane, Karlsson, and Bjorn, 2001). Again,
min (1992) criticized Ekert™s letter, arguing that the vio-
the practical value of this idea has not yet been fully
lation of Bell™s inequality is not necessary for the secu-
determined.
A third variation worth mentioning is due to Golden-
berg and Vaidman of Tel Aviv University (1995). They
13
A maximal violation of Bell™s inequality is necessary to rule
suggested preparing the qubits in a superposition of two
out tampering by Eve. In this case, the QBER must necessarily
spatially separated states, then sending one component
be equal to zero. With a nonmaximal violation, as typically
of this superposition and waiting until Bob receives it
obtained in experimental systems, Alice and Bob can distill a
before sending the second component. This does not
secure key using error correction and privacy ampli¬cation.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
154 Gisin et al.: Quantum cryptography


sound of great practical value, but has the nice concep- tum state, except if the state happens to be an eigenstate
tual feature that the minimal two states do not need to of the observable. Hence, if for some reason one conjec-
be mutually orthogonal. tures that a quantum system is in some state (or in a
state among a set of mutually orthogonal ones), one can
in principle test this conjecture repeatedly (Braginsky
E. Quantum teleportation as a ˜˜quantum one-time pad™™
and Khalili, 1992). However, if the state is only restricted
Since its discovery in 1993 by a surprisingly large to be in a ¬nite set containing nonorthogonal states, as
group of physicists, quantum teleportation (Bennett in QC, then there is no way to perform a measurement
et al., 1993) has received much attention from both the without ˜˜demolishing™™ (perturbing) the state. Now, in
scienti¬c community and the general public. The dream QC the term ˜˜nondemolition measurement™™ is also used
of beaming travelers through the universe is exciting, with a different meaning: one measures the number of
but completely out of the realm of any foreseeable tech- photons in a pulse without affecting the degree of free-
nology. However, quantum teleportation can be seen as dom coding the qubit (e.g., the polarization; see Sec.
the fully quantum version of the one-time pad (see Sec. VI.H), or one detects the presence of a photon without
II.B.3), hence as the ultimate form of QC. As in ˜˜classi- destroying it (Nogues et al., 1999). Such measurements
cal teleportation,™™ let us assume that Alice aims to trans-
are usually called ideal measurements, or projective mea-
fer a faithful copy of a quantum system to Bob. If Alice
surements, because they produce the least possible per-
has full knowledge of the quantum state, the problem is
turbation (Piron, 1990) and because they can be repre-
not really a quantum one (Alice™s information is classi-
sented by projectors. It is important to stress that these
cal). If, on the other hand, Alice does not know the
˜˜ideal measurements™™ do not invalidate the security of
quantum state, she cannot send a copy, since quantum
QC.
copying is impossible according to quantum physics (see
Let us now consider optical ampli¬ers (a laser me-
Sec. II.C.2). Nor can she send classical instructions, since
dium, but without mirrors, so that ampli¬cation takes
this would allow the production of many copies. How-
place in a single pass; see Desurvire, 1994). They are
ever, if Alice and Bob share arbitrarily many entangled
widely used in today™s optical communication networks.
qubits, sometimes called a quantum key, and share a
However, they are of no use for quantum communica-
classical communication channel, then the quantum tele-
tion. Indeed, as seen in Sec. II.C, the copying of quan-
portation protocol provides them with a means of trans-
tum information is impossible. Here we illustrate this
ferring the quantum state of the system from Alice to
Bob. In the course of running this protocol, Alice™s characteristic of quantum information by the example of
quantum system is destroyed without Alice™s having optical ampli¬ers: the necessary presence of spontane-
learned anything about the quantum state, while Bob™s ous emission whenever there is stimulated emission pre-
qubit ends in a state isomorphic to the state of the origi- vents perfect copying. Let us clarify this important and
nal system (but Bob does not learn anything about the often confusing point, following the work of Simon et al.
quantum state). If the initial quantum system is a quan- (1999, 2000; see also De Martini et al., 2000 and Kempe
tum message coded in the form of a sequence of qubits, et al., 2000). Let the two basic qubit states 0 and 1 be
then this quantum message is faithfully and securely physically implemented by two optical modes:
transferred to Bob, without any information leaking to 0,1 . Thus n,m ph  k,l a denotes
0 1,0 and 1
the outside world (i.e., to anyone not sharing the prior the state of n photons in mode 1 and m photons in mode
entanglement with Alice and Bob). Finally, the quantum 2, while k,l 0(1) denotes the ground (or excited) state
message could be formed of a four-letter quantum al- of two-level atoms coupled to mode 1 or 2, respectively.
phabet consisting of the four states of the BB84 proto- Hence spontaneous emission corresponds to
col. With futuristic but not impossible technology, Alice
1,0 a ’ 1,0
ph  ph 
0,0 0,0 a , (11)
and Bob could keep their entangled qubits in their re-
0,1 a ’ 0,1
spective wallets and could enjoy totally secure commu- ph  ph 
0,0 0,0 a , (12)
nication at any time, without even having to know where
and stimulated emission to
the other is located (provided they can communicate
1,0 a ’& 2,0
classically). ph  ph 
1,0 0,0 a , (13)
0,1 a ’& 0,2
ph  ph 
0,1 0,0 a , (14)
F. Optical ampli¬cation, quantum nondemolition
where the factor of & takes into account the ratio of
measurements, and optimal quantum cloning
stimulated to spontaneous emission. Let the initial state
After almost every general talk on QC, two questions of the atom be a mixture of the following two states,
arise: What about optical ampli¬ers? and What about each with equal (50%) weight:
quantum nondemolition measurements? In this section
0,1 and 1,0 a . (15)
a
we brie¬‚y address these questions.
By symmetry, it suf¬ces to consider one possible initial
Let us start with the second one, as it is the easiest.
state of the qubit, e.g., one photon in the ¬rst mode
The term ˜˜quantum nondemolition measurement™™ is
1,0 ph . The initial state of the photon atom system is
simply confusing. There is nothing like a quantum mea-
thus a mixture:
surement that does not perturb (i.e., modify) the quan-

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
155
Gisin et al.: Quantum cryptography


on such systems here. There is also, however, some very
ph  ph 
1,0 1,0 or 1,0 0,1 a . (16)
a
signi¬cant research on free-space systems (see Sec.
This corresponds to the ¬rst-order term in an evolution
IV.E).
with a Hamiltonian (in the interaction picture): H
Once the medium has been chosen, there remain the
(a † 1 a 1 † a † 2 a 2 † ). After some time the
1 1 2 2 questions of the source and detectors. Since they have to
two-photon component of the evolved states becomes
be compatible, the crucial choice is that of the wave-
& 2,0 ph  ph 
0,0 or 1,1 0,0 a . (17) length. There are two main possibilities. Either one
a
chooses a wavelength around 800 nm, for which ef¬cient
1
The correspondence with a pair of spin goes as fol-
2
photon counters are commercially available, or one
lows:
chooses a wavelength compatible with today™s telecom-
‘‘ , ““ ,
2,0 0,2 (18) munications optical ¬bers, i.e., near 1300 or 1550 nm.
The ¬rst choice requires free-space transmission or the
1
‘“ “‘ ). use of special ¬bers, hence the installed telecommunica-
()
1,1 (19)
ph
& tions networks cannot be used. The second choice re-
quires the improvement or development of new detec-
Tracing over the ampli¬er (i.e., the two-level atom), an
tors, not based on silicon semiconductors, which are
(ideal) ampli¬er achieves the following transformation:
transparent above a wavelength of 1000 nm.
P ‘ ’2P ‘‘ P (20) In the case of transmission using optical ¬bers, it is
( ),

still unclear which of the two alternatives will turn out to
where the P™s indicate projectors (i.e., pure-state density
be the best choice. If QC ¬nds niche markets, it is con-
matrices) and the lack of normalization results from the
ceivable that special ¬bers will be installed for that pur-
¬rst-order expansion used in Eqs. (11)“(14). Accord-
pose. But it is equally conceivable that new commercial
ingly, after normalization, each photon is in the state
detectors will soon make it much easier to detect single
1
1
photons at telecommunications wavelengths. Actually,
2P ‘
2P ‘‘ P () 2
Tr1 . (21) the latter possibility is very likely, as several research
ph mode
3 3
groups and industries are already working on it. There is
The corresponding ¬delity is another good reason to bet on this solution: the quality
of telecommunications ¬bers is much higher than that of
1
2 5
2
any special ¬ber; in particular, the attenuation is much
F , (22)
3 6 lower (this is why the telecommunications industry
chose these wavelengths): at 800 nm, the attenuation is
which is precisely the optimal ¬delity compatible with
about 2 dB/km (i.e., half the photons are lost after 1.5
ˇ
quantum mechanics (Buzek and Hillery, 1996; Gisin and
km), while it is only of the order of 0.35 and 0.20 dB/km
Massar, 1997; Bruss et al., 1998). In other words, if we
at 1300 and 1550 nm, respectively (50% loss after about
start with a single photon in an arbitrary state and pass it
9 and 15 km).14
through an ampli¬er, then due to the effect of spontane-
In the case of free-space transmission, the choice of
ous emission the ¬delity of the state exiting the ampli-
wavelength is straightforward, since the region where
¬er, when it consists of exactly two photons, with the
good photon detectors exist”around 800 nm”coincides
initial state will be equal to at most 5/6. Note that if it
with that where absorption is low. However, free-space
were possible to make better copies, then signaling at
transmission is restricted to line-of-sight links and is very
arbitrarily fast speed, using EPR correlations between
weather dependent.
spatially separated systems, would also be possible (Gi-
In the next sections we successively consider the ques-
sin, 1998).
tions of how to produce single photons (Sec. III.A), how
to transmit them (Sec. III.B), how to detect single pho-
tons (Sec. III.C), and ¬nally how to exploit the intrinsic
III. TECHNOLOGICAL CHALLENGES
randomness of quantum processes to build random gen-
The very ¬rst demonstration of QC was a table-top erators (Sec. III.D).
experiment performed at the IBM laboratory in the
A. Photon sources
early 1990s over a distance of 30 cm (Bennett, Bessette,
et al., 1992), marking the start of a series of impressive
Optical quantum cryptography is based on the use of
experimental improvements over the past few years.
single-photon Fock states. Unfortunately, these states
The 30-cm distance is of little practical interest. Either
are dif¬cult to realize experimentally. Nowadays, practi-
the distance should be even shorter [think of a credit
cal implementations rely on faint laser pulses or en-
card and an ATM machine (Huttner, Imoto, and Bar-
tangled photon pairs, in which both the photon and the
nett, 1996), in which case all of Alice™s components
photon-pair number distribution obey Poisson statistics.
should ¬t on the credit card”a nice idea, but still im-
practical with present technology] or the distance should
be much longer, at least in the kilometer range. Most of
14
the research so far uses optical ¬bers to guide the pho- The losses in dB (l db ) can be calculated from the losses in
tons from Alice to Bob, and we shall mainly concentrate percent (l % ): l dB 10 log10 1 (l % /100) .


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
156 Gisin et al.: Quantum cryptography


depending on the transmission losses.15 After key distil-
Hence both possibilities suffer from a small probability
lation, the security is just as good with faint laser pulses
of generating more than one photon or photon pair at
as with Fock states. The price to pay for using such
the same time. For large losses in the quantum channel,
states is a reduction of the bit rate.
even small fractions of these multiphotons can have im-
portant consequences on the security of the key (see
Sec. VI.H), leading to interest in ˜˜photon guns™™; see Sec. 2. Photon pairs generated by parametric downconversion
III.A.3). In this section we brie¬‚y comment on sources
Another way to create pseudo-single-photon states is
based on faint pulses as well as on entangled photon
the generation of photon pairs and the use of one pho-
pairs, and we compare their advantages and drawbacks.
ton as a trigger for the other one (Hong and Mandel,
1986). In contrast to the sources discussed earlier, the
second detector must be activated only whenever the
¬rst one has detected a photon, hence when 1, and
1. Faint laser pulses not whenever a pump pulse has been emitted, therefore
circumventing the problem of empty pulses.
There is a very simple solution to approximate single-
The photon pairs are generated by spontaneous para-
photon Fock states: coherent states with an ultralow
metric downconversion in a (2) nonlinear crystal.16 In
mean photon number . They can easily be realized us-
this process, the inverse of the well-known frequency
ing only standard semiconductor lasers and calibrated doubling, one photon spontaneously splits into two
attenuators. The probability of ¬nding n photons in such daughter photons”traditionally called signal and idler
a coherent state follows the Poisson statistics: photons”conserving total energy and momentum. In
this context, momentum conservation is called phase
n
matching and can be achieved despite chromatic disper-
P n, e . (23)
n! sion by exploiting the birefringence of the nonlinear
crystal. Phase matching allows one to choose the wave-
Accordingly, the probability that a nonempty weak co- length and determines the bandwidth of the downcon-
verted photons. The latter is in general rather large and
herent pulse contains more than one photon,
varies from a few nanometers up to some tens of na-
nometers. For the nondegenerate case one typically gets
1 P 0, P 1,
P n 1 n 0, a bandwith of 5“10 nm, whereas in the degenerate case
1 P 0,
(where the central frequency of both photons is equal),
the bandwidth can be as large as 70 nm.
1e 1
This photon-pair creation process is very inef¬cient;
, (24)
1e 2 typically it takes some 1010 pump photons to create one
pair in a given mode.17 The number of photon pairs per
can be made arbitrarily small. Weak pulses are thus ex- mode is thermally distributed within the coherence time
tremely practical and have indeed been used in the vast of the photons and follows a Poissonian distribution for
majority of experiments. However, they have one major larger time windows (Walls and Milburn, 1995). With a
pump power of 1 mW, about 106 pairs per second can be
drawback. When is small, most pulses are empty:
P(n 0) 1 . In principle, the resulting decrease in collected in single-mode ¬bers. Accordingly, in a time
window of roughly 1 ns, the conditional probability of
bit rate could be compensated for thanks to the achiev-
¬nding a second pair, having already detected one, is
able gigahertz modulation rates of telecommunications
106 10 9 0.1%. In the case of continuous pumping,
lasers. But in practice, the problem comes from the de-
this time window is given by the detector resolution. Tol-
tectors™ dark counts (i.e., a click without a photon™s ar-
erating, for example, 1% of these multipair events, one
riving). Indeed, the detectors must be active for all
can generate 107 pairs per second using a realistic
pulses, including the empty ones. Hence the total dark
counts increase with the laser™s modulation rate, and the
ratio of detected photons to dark counts (i.e., the signal-
15
to-noise ratio) decreases with (see Sec. IV.A). The Contrary to a frequent misconception, there is nothing spe-
cial about a value of 0.1, even though it has been selected by
problem is especially severe for longer wavelengths, at
most experimentalists. The optimal value”i.e., the value that
which photon detectors based on indium gallium ar-
yields the highest key exchange rate after distillation”
senide semiconductors (InGaAs) are needed (see Sec.
depends on the optical losses in the channel and on assump-
III.C), since the noise of these detectors explodes if they
tions about Eve™s technology (see Secs. VI.H and VI.I).
are opened too frequently (in practice with a rate larger 16
For a review see Rarity and Tapster (1988), and for more
than a few megahertz). This prevents the use of really recent developments see Kwiat et al. (1999), Tittel et al.
low photon numbers, smaller than approximately 1%. (1999), Jennewein, Simon, et al. (2000), and Tanzilli et al.
Most experiments to date have relied on 0.1, mean- (2001).
ing that 5% of the nonempty pulses contain more than 17
Recently we achieved a conversion rate of 10 6 using an
one photon. However, it is important to stress that, as optical waveguide in a periodically poled LiNbO3 crystal (Tan-
¨
pointed out by Lutkenhaus (2000), there is an optimal zilli et al., 2001).


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
157
Gisin et al.: Quantum cryptography


3. Photon guns

The ideal single-photon source is a device that, when
one pulls the trigger, and only then, emits one and only
one photon. Hence the name photon gun. Although
photon antibunching was ¬rst demonstrated years ago
(Kimble et al., 1977), a practical and handy device is still
awaited. At present, there are essentially three different
experimental approaches that more or less come close to
this ideal.
A ¬rst idea is to work with a single two-level quantum
system that obviously cannot emit two photons at a
time. The manipulation of single trapped atoms or ions
requires a much too involved technical effort. Single or-
ganic dye molecules in solvents (Kitson et al., 1998) or
solids (Brunel et al., 1999; Fleury et al., 2000) are easier
to handle but offer only limited stability at room tem-
perature. A promising candidate, however, is the
nitrogen-vacancy center in diamond, a substitutional ni-
trogen atom with a vacancy trapped at an adjacent lat-
FIG. 5. Photo of our entangled photon-pair source as used in
tice position (Brouri et al., 2000; Kurtsiefer et al., 2000).
the ¬rst long-distance test of Bell™s inequalities (Tittel et al.,
1998). Note that the whole source ¬ts into a box only 40 45 It is possible to excite individual nitrogen atoms with a
15 cm3 in size and that neither a special power supply nor 532-nm laser beam, which will subsequently emit a ¬‚uo-
water cooling is necessary. rescence photon around 700 nm (12-ns decay time). The
¬‚uorescence exhibits strong photon antibunching, and
the samples are stable at room temperature. However,
10-mW pump. To detect, for example, 10% of the trigger
the big remaining experimental challenge is to increase
photons, the second detector has to be activated 106
the collection ef¬ciency (currently about 0.1%) in order
times per second. In comparison, the example of 1% of
to obtain mean photon numbers close to 1. To obtain
multiphoton events corresponds in the case of faint laser
this ef¬ciency, an optical cavity or a photonic band-gap
pulses to a mean photon number of 0.02. In order to
structure must suppress emission in all spatial modes but
6
get the same number (10 ) of nonempty pulses per sec-
one. In addition, the spectral bandwidth of this type of
ond, a pulse rate of 50 MHz is needed. For a given pho-
source is broad (on the order of 100 nm), enhancing the
ton statistics, photon pairs thus allow one to work with
effect of perturbations in a quantum channel.
lower pulse rates (e.g., 50 times lower) and hence re-
A second approach is to generate photons by single
duced detector-induced errors. However, due to limited
electrons in a mesoscopic p-n junction. The idea is to
coupling ef¬ciency in optical ¬bers, the probability of
pro¬t from the fact that thermal electrons show anti-
¬nding the sister photon after detection of the trigger
bunching (the Pauli exclusion principle) in contrast to
photon in the respective ¬ber is in practice less than 1.
photons (Imamoglu and Yamamoto, 1994). The ¬rst ex-
This means that the effective photon number is not 1 but
perimental results have been presented (Kim et al.,
rather 2/3 (Ribordy et al., 2001), still well above
1999), but with extremely low ef¬ciencies and only at a
0.02.
temperature of 50 mK!
Photon pairs generated by parametric downconver-
Finally, another approach is to use the photon emis-
sion offer a further major advantage if they are not
sion of electron-hole pairs in a semiconductor quantum
merely used as a pseudo-single-photon source, but if
dot. The frequency of the emitted photon depends on
their entanglement is exploited. Entanglement leads to
the number of electron-hole pairs present in the dot.
quantum correlations that can be used for key genera-
After one creates several such pairs by optical pumping,
tion (see Secs. II.D.3 and V). In this case, if two photon
they will sequentially recombine and hence emit pho-
pairs are emitted within the same time window but their tons at different frequencies. Therefore, a single-photon
measurement basis is chosen independently, they pro- ´
pulse can be obtained by spectral ¬ltering (Gerard et al.,
duce completely uncorrelated results. Hence, depending 1999; Michler et al., 2000; Santori et al., 2000). These
on the realization, the problem of multiple photons can dots can be integrated in solid-state microcavities with
be avoided; see Sec. VI.J. ´
strong enhancements of spontaneous emission (Gerard
Figure 5 shows one of our sources creating entangled et al., 1998).
photon pairs at a wavelength of 1310 nm, as used in tests In summary, today™s photon guns are still too compli-
of Bell™s inequalities over 10 kilometers (Tittel et al., cated to be used in a QC prototype. Moreover, due to
1998). Although not as simple as faint laser sources, their low quantum ef¬ciencies, they do not offer an ad-
diode-pumped photon-pair sources emitting in the near vantage over faint laser pulses with extremely low mean
photon numbers .
infrared can be made compact, robust, and rather handy.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
158 Gisin et al.: Quantum cryptography


B. Quantum channels

The single-photon source and the detectors must be
connected by a ˜˜quantum channel.™™ Such a channel is
not especially quantum, except that it is intended to
carry information encoded in individual quantum sys-
tems. Here ˜˜individual™™ does not mean ˜˜nondecom-
posible,™™ but only the opposite of ˜˜ensemble.™™ The idea
is that the information is coded in a physical system only
once, in contrast to classical communication, in which
many photons carry the same information. Note that the
present-day limit for ¬ber-based classical optical com-
munication is already down to a few tens of photons,
although in practice one usually uses many more. With FIG. 6. Transmission losses vs wavelength in optical ¬bers.
increasing bit rate and limited mean power”imposed to Electronic transitions in SiO2 lead to absorption at lower
avoid nonlinear effects in silica ¬bers”these ¬gures are wavelengths, and excitation of vibrational modes leads to
losses at higher wavelengths. Superposed is the absorption due
likely to get closer and closer to the quantum domain.
to Rayleigh backscattering and to transitions in OH groups.
Individual quantum systems are usually two-level sys-
Modern telecommunications are based on wavelengths around
tems, called qubits. During their propagation they must
1.3 m (the second telecommunications window) and 1.5 m
be protected from environmental noise. Here ˜˜environ-
(the third telecommunications window).
ment™™ refers to everything outside the degree of free-
dom used for the encoding, which is not necessarily out-
side the physical system. If, for example, the information core is large, many bound modes exist, corresponding to
is encoded in the polarization state, then the optical fre- many guided modes in the ¬ber. Such ¬bers are called
quencies of the photon are part of the environment. multimode ¬bers, They usually have cores 50 m in di-
Hence coupling between the polarization and the optical ameter. The modes couple easily, acting on the qubit like
frequency has to be mastered18 (e.g., by avoiding wave- a nonisolated environment. Hence multimode ¬bers are
length-sensitive polarizers and birefringence). Moreover, not appropriate as quantum channels (see, however,
the sender of the qubits should avoid any correlation Townsend, 1998a, 1998b). If, however, the core is small
between the polarization and the spectrum of the pho- enough (diameter of the order of a few wavelengths),
tons. then a single spatial mode is guided. Such ¬bers are
Another dif¬culty is that the bases used by Alice to called single-mode ¬bers. For telecommunications wave-
code the qubits and the bases used by Bob for his mea- lengths (i.e., 1.3 and 1.5 m), their core is typically 8 m
surements must be related by a known and stable uni- in diameter. Single-mode ¬bers are very well suited to
tary transformation. Once this unitary transformation is carry single quanta. For example, the optical phase at
known, Alice and Bob can compensate for it and get the the output of a ¬ber is in a stable relation with the phase
expected correlation between their preparations and at the input, provided the ¬ber does not become elon-
measurements. If it changes with time, they need active gated. Hence ¬ber interferometers are very stable, a fact
feedback to track it, and if the changes are too fast, the exploited in many instruments and sensors (see, for ex-
communication must be interrupted. ample, Cancellieri, 1993).
Accordingly, a single-mode ¬ber with perfect cylindric
1. Single-mode ¬bers
symmetry would provide an ideal quantum channel. But
all real ¬bers have some asymmetries, so that the two
Light is guided in optical ¬bers thanks to the refrac-
polarization modes are no longer degenerate, but rather
tive index pro¬le n(x,y) across the section of the ¬bers
each has its own propagation constant. A similar effect
(traditionally, the z axis is along the propagation direc-
is caused by chromatic dispersion, in which the group
tion). Over the last 25 years, a lot of effort has gone into
delay depends on the wavelength. Both dispersion ef-
reducing transmission losses”initially several dB per
fects are the subject of the next subsections.
km”and today the attenuation is as low as 2 dB/km at
800-nm wavelength, 0.35 dB/km at 1310 nm, and 0.2
dB/km at 1550 nm (see Fig. 6). It is amusing to note that
2. Polarization effects in single-mode ¬bers
the dynamical equation describing optical pulse propa-
gation (in the usual slowly varying envelope aproxima- Polarization effects in single-mode ¬bers are a com-
¨
tion) is identical to the Schrodinger equation, with mon source of problems in all optical communication
V(x,y) n(x,y) (Snyder, 1983). Hence a positive schemes, classical as well as quantum ones. In recent
bump in the refractive index corresponds to a potential years these effects have been the subject of a major re-
well. The region of the well is called the ¬ber core. If the search effort in classical optical communication (Gisin
et al., 1995). As a result, today™s ¬bers are much better
than the ¬bers of a decade ago. Today, the remaining
18 birefringence is small enough for the telecommunica-
Note that, as we shall see in Sec. V, using entangled photons
tions industry, but for quantum communication any
prevents such information leakage.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
159
Gisin et al.: Quantum cryptography


based QC systems.20 The global effect of the birefrin-
birefringence, even extremely small, will always remain
a concern. All ¬ber-based implementations of QC have gence is equivalent to an arbitrary combination of two
to face this problem. This is clearly true for polarization- waveplates; that is, it corresponds to a unitary transfor-
based systems, but it is equally a concern for phase- mation. If this transformation is stable, Alice and Bob
based systems, since interference visibility depends on can compensate for it. The effect of birefringence is thus
the polarization states. Hence, although polarization ef- similar to the effect of the geometric phase, though, in
fects are not the only source of dif¬culties, we shall de- addition to causing a rotation, it may also affect the el-
scribe them in some detail, distinguishing among four lipticity. Stability of birefringence requires slow thermal
effects: the geometric phase, birefringence, polarization and mechanical variations.
mode dispersion, and polarization-dependent losses. Polarization mode dispersion (PMD) is the presence
The geometric phase as encountered when guiding of two different group velocities for two orthogonal po-
light in an optical ¬ber is a special case of the Berry larization modes. It is due to a delicate combination of
phase,19 which results when any parameter describing a two causes. First, birefringence produces locally two
group velocities. For optical ¬bers, this local dispersion
property of the system under concern, here the k vector
is in good approximation equal to the phase dispersion,
characterizing the propagation of the light ¬eld, under-
of the order of a few picoseconds per kilometer. Hence,
goes an adiabatic change. Think ¬rst of a linear polar-
an optical pulse tends to split locally into a fast mode
ization state, let us say vertical at the input. Will it still
and a slow mode. But because the birefringence is small,
be vertical at the output? Vertical with respect to what?
the two modes couple easily. Hence any small imperfec-
Certainly not the gravitational ¬eld! One can follow that
tion along the ¬ber produces polarization mode cou-
linear polarization by hand along the ¬ber and see how
pling: some energy of the fast mode couples into the
it may change even along a closed loop. If the loop stays
slow mode and vice versa. PMD is thus similar to a ran-
in a plane, the state after a loop coincides with the input
dom walk21 and grows only with the square root of the
state, but if the loop explores the three dimensions of
¬ber length. It is expressed in ps km 1/2, with values as
our space, then the ¬nal state will differ from the initial
low as 0.1 ps km 1/2 for modern ¬bers and possibly as
one by an angle. Similar reasoning holds for the axes of
high as 0.5 or even 1ps km 1/2 for older ones.
elliptical polarization states. The two circular polariza-
Typical lengths for polarization mode coupling vary
tion states are the eigenstates. During parallel transport
from a few meters up to hundreds of meters. The stron-
they acquire opposite phases, called the Berry phases.
ger the coupling, the weaker the PMD (the two modes
The presence of a geometrical phase is not fatal for
do not have time to move apart between the couplings).
quantum communication. It simply means that initially
In modern ¬bers, the couplings are even arti¬cially in-
Alice and Bob have to align their systems by de¬ning, creased during the drawing process of the ¬bers (Hart
for instance, the vertical and diagonal directions (i.e., et al., 1994; Li and Nolan, 1998). Since the couplings are
performing the unitary transformation mentioned be- exceedingly sensitive, the only reasonable description is
fore). If these vary slowly, they can be tracked, though a statistical one, hence PMD is described as a statistical
this requires active feedback. However, if the variations distribution of delays . For suf¬ciently long ¬bers, the
are too fast, the communication might be interrupted. statistics are Maxwellian, and PMD is related to the ¬-
Hence aerial cables that swing in the wind are not ap- ber length l , the mean coupling length h, the mean
propriate (except with self-compensating con¬gurations; modal birefringence B, and the rms delay as follows
2
see Sec. IV.C.2). (Gisin et al., 1995): PMD Bh l /h. Polar-
Birefringence is the presence of two different phase ization mode dispersion could cause depolarization,
velocities for two orthogonal polarization states. It is which would be devastating for quantum communica-
caused by asymmetries in the ¬ber geometry and in the tion, similar to any decoherence in quantum information
processing. Fortunately, for quantum communication the
residual stress distribution inside and around the core.
remedy is easy; it suf¬ces to use a source with a coher-
Some ¬bers are made birefringent on purpose. Such ¬-
ence time longer than the largest delay . Hence, when
bers are called polarization-maintaining ¬bers because
laser pulses are used (with typical spectral widths
the birefringence is large enough to effectively uncouple
1 nm, corresponding to a coherence time 3 ps; see
the two polarization eigenmodes. Note that only these
Sec. III.A.1), PMD is no real problem. For photons cre-
two orthogonal polarization modes are maintained; all
other modes, in contrast, evolve very quickly, making
this kind of ¬ber completely unsuitable for polarization-
20
Polarization-maintaining ¬bers may be of use for phase-
based QC systems. However, this requires that the whole
setup”transmission lines as well as interferometers at each
end”be made of polarization-maintaining ¬bers. While this is
19
The Berry phase was introduced by Michael Berry in 1984, possible in principle, the need to install a completely new ¬ber
and was then observed in optical ¬ber by Tomita and Chiao network makes this solution not very practical.
21
(1986) and on the single-photon level by Hariharan et al. In contrast to Brownian motion, which describes particle
(1993). It was studied in connection with photon pairs by Bren- diffusion in space as time passes, here photons diffuse over
del et al. (1995). time as they propagate along the ¬ber.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
160 Gisin et al.: Quantum cryptography


ated by parametric downconversion, however, PMD can dispersion goes to zero around 1550 nm, where the at-
tenuation is minimal (Neumann, 1988).23
impose severe limitations, since 10 nm (coherence
Chromatic dispersion does not constitute a problem in
time 300 fs) is not unusual.
the case of faint laser pulses, for which the bandwidth is

. 1
( 4)



>>