ńņš. 1 |

Quantum cryptography

Ā“

Nicolas Gisin, Gregoire Ribordy, Wolfgang Tittel, and Hugo Zbinden

Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland

(Published 8 March 2002)

Quantum cryptography could well be the ļ¬rst application of quantum mechanics at the

single-quantum level. The rapid progress in both theory and experiment in recent years is reviewed,

with emphasis on open questions and technological issues.

D. Frequency coding 173

CONTENTS

E. Free-space line-of-sight applications 174

F. Multi-user implementations 175

I. Introduction 145 V. Experimental Quantum Cryptography with Photon

II. A Beautiful Idea 146 Pairs 175

A. Polarization entanglement 176

A. The intuition 146

B. Energy-time entanglement 177

B. Classical cryptography 147

1. Phase coding 177

1. Asymmetrical (public-key) cryptosystems 147

2. Phase-time coding 179

2. Symmetrical (secret-key) cryptosystems 148

3. Quantum secret sharing 180

3. The one-time pad as ā˜ā˜classical

VI. Eavesdropping 180

teleportationā™ā™ 148

A. Problems and objectives 180

C. The BB84 protocol 149

B. Idealized versus real implementation 180

1. Principle 149

C. Individual, joint, and collective attacks 181

2. No-cloning theorem 149

D. Simple individual attacks: Intercept-resend and

3. Intercept-resend strategy 150

measurement in the intermediate basis 181

4. Error correction, privacy ampliļ¬cation, and

E. Symmetric individual attacks 182

quantum secret growing 150 F. Connection to Bellā™s inequality 185

5. Advantage distillation 151 G. Ultimate security proofs 185

D. Other protocols 152 H. Photon number measurements and lossless

1. Two-state protocol 152 channels 187

2. Six-state protocol 152 I. A realistic beamsplitter attack 188

3. Einstein-Podolsky-Rosen protocol 152 J. Multiphoton pulses and passive choice of states 188

4. Other variations 153 K. Trojan horse attacks 189

E. Quantum teleportation as a ā˜ā˜quantum one-time L. Real security: Technology, cost, and complexity 189

VII. Conclusions 190

padā™ā™ 154

Acknowledgments 190

F. Optical ampliļ¬cation, quantum nondemolition

References 190

measurements, and optimal quantum cloning 154

III. Technological Challenges 155

A. Photon sources 155 I. INTRODUCTION

1. Faint laser pulses 156

2. Photon pairs generated by parametric Electrodynamics was discovered and formalized in the

downconversion 156 19th century. The 20th century was then profoundly af-

3. Photon guns 157 fected by its applications. A similar adventure may be

B. Quantum channels 158

underway for quantum mechanics, discovered and for-

1. Single-mode ļ¬bers 158

malized during the last century. Indeed, although the la-

2. Polarization effects in single-mode ļ¬bers 158

ser and semiconductor are already common, applica-

3. Chromatic dispersion effects in single-mode

tions of the most radical predictions of quantum

ļ¬bers 160

mechanics have only recently been conceived, and their

4. Free-space links 160

full potential remains to be explored by the physicists

C. Single-photon detection 161

and engineers of the 21st century.

1. Photon counting at wavelengths below 1.1

The most peculiar characteristics of quantum mechan-

m 163

2. Photon counting at telecommunications ics are the existence of indivisible quanta and of en-

wavelengths 163 tangled systems. Both of these lie at the root of quantum

D. Quantum random-number generators 164

cryptography (QC), which could very well be the ļ¬rst

E. Quantum repeaters 164

commercial application of quantum physics at the single-

IV. Experimental Quantum Cryptography with Faint

quantum level. In addition to quantum mechanics, the

Laser Pulses 165

20th century has been marked by two other major scien-

A. Quantum bit error rate 166

tiļ¬c revolutions: information theory and relativity. The

B. Polarization coding 167

status of the latter is well recognized. It is less well

C. Phase coding 168

known that the concept of information, nowadays mea-

1. The double Mach-Zehnder implementation 170

sured in bits, and the formalization of probabilities are

2. ā˜ā˜Plug-and-playā™ā™ systems 171

0034-6861/2002/74(1)/145(51)/$35.00 145 Ā©2002 The American Physical Society

146 Gisin et al.: Quantum cryptography

quite recent,1 although they have a tremendous impact a tool for new engineering. Apparently, information

on our daily life. It is fascinating to realize that QC lies theory, classical cryptography, quantum physics, and

at the intersection of quantum mechanics and informa- quantum optics ļ¬rst had to develop into mature sci-

tion theory and that, moreover, the tension between ences. It is certainly not a coincidence that QC and,

quantum mechanics and relativityā”the famous more generally, quantum information were developed

Einstein-Rosen-Podolsky (EPR) paradox (Einstein by a community including many computer scientists and

et al., 1935)ā”is closely connected to the security of QC. more mathematically oriented young physicists: broader

Let us add a further point for young physicists. Unlike interests than traditional physics were needed.

laser and semiconductor physics, which are manifesta-

tions of quantum physics at the ensemble level and can

thus be described by semiclassical models, QC, and to an A. The intuition

even greater extent quantum computers, require a full

Quantum physics is well known for being counterin-

quantum-mechanical description (this may offer an in-

tuitive or even bizarre. We teach students that quantum

teresting challenge for physicists well trained in the

physics establishes a set of negative rules stating things

subtleties of their science).

that cannot be done. For example,

This review article has several objectives. First, we

present the basic intuition behind QC. Indeed, the basic

(1) One cannot take a measurement without perturbing

idea is so beautiful and simple that every physicist and

the system.

student should be given the pleasure of learning it. The

(2) One cannot determine simultaneously the position

general principle is then set in the broader context of

and the momentum of a particle with arbitrarily

modern cryptology (Sec. II.B) and made more precise

high accuracy.

(Sec. II.C). Section III discusses the main technological

(3) One cannot simultaneously measure the polariza-

challenges. Then, Secs. IV and V present the most com-

tion of a photon in the vertical-horizontal basis and

mon implementations of QC: the use of weak laser

simultaneously in the diagonal basis.

pulses and photon pairs, respectively. Finally, the impor-

(4) One cannot draw pictures of individual quantum

tant and difļ¬cult problems of eavesdropping and secu-

processes.

rity proofs are discussed in Sec. VI, where the emphasis

(5) One cannot duplicate an unknown quantum state.

is more on the diversity of the issues than on formal

details. We have tried to write the different parts of this This negative viewpoint of quantum physics, due to its

review in such a way that they can be read indepen- contrast with classical physics, has only recently been

dently. turned positive, and QC is one of the best illustrations of

this psychological revolution. Indeed, one could charac-

terize quantum information processing as the science of

II. A BEAUTIFUL IDEA

turning quantum conundrums into potentially useful ap-

The idea of quantum cryptography was ļ¬rst proposed plications.

in the 1970s by Stephen Wiesner2 (1983) and by Charles Let us illustrate this point for QC. One of the basic

H. Bennett of IBM and Gilles Brassard of The Univer- negative statements of quantum physics reads

sity of Montreal (1984, 1985).3 However, this idea is so

Ā“

One cannot take a measurement without perturbing

simple that any ļ¬rst-year student since the infancy of

the system (1)

quantum mechanics could actually have discovered it!

Nevertheless, it is only now that the ļ¬eld is mature (unless the quantum state is compatible with the mea-

enough and information security important enough that surement). The positive side of this axiom can be seen

physicists are ready to consider quantum mechanics, not when applied to a communication between Alice and

only as a strange theory good for paradoxes, but also as Bob (the conventional names of the sender and receiver,

respectively), provided the communication is quantum,

that is, quantum systems, for example, individual pho-

tons, carry the information. When this is the case, axiom

1

The Russian mathematician A. N. Kolmogorov (1956) is

(1) also applies to eavesdroppers, i.e., to a malicious Eve

credited with being the ļ¬rst to have formulated a consistent

(the conventional name given to the adversary in cryp-

mathematical theory of probabilities in the 1940s.

2

tology). Hence Eve cannot get any information about

S. Wiesner, then at Columbia University, was the ļ¬rst to pro-

pose ideas closely related to QC in the 1970s. However, his the communication without introducing perturbations

revolutionary paper did not appear until a decade later. Since that would reveal her presence.

it is difļ¬cult to ļ¬nd, we reproduce his abstract here: The un- To make this intuition more precise, imagine that Al-

certainty principle imposes restrictions on the capacity of certain ice codes information in individual photons, which she

types of communication channels. This paper will show that in

sends to Bob. If Bob receives the photons unperturbed,

compensation for this ā˜ā˜quantum noise,ā™ā™ quantum mechanics al-

then, according to the basic axiom (1), the photons were

lows us novel forms of coding without analogue in communica-

not measured. No measurement implies that Eve did not

tion channels adequately described by classical physics.

get any information about the photons (note that acquir-

3

Artur Ekert (1991) of Oxford University discovered QC in-

ing information is synonymous with carrying out mea-

dependently, though from a different perspective (see Sec.

surements). Consequently, after exchanging the photons,

II.D.3).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

147

Gisin et al.: Quantum cryptography

Before continuing, we need to see how QC could ļ¬t

into existing cryptosystems. For this purpose the next

section brieļ¬‚y surveys some of the main aspects of mod-

ern cryptology.

B. Classical cryptography

Cryptography is the art of rendering a message unin-

telligible to any unauthorized party. It is part of the

broader ļ¬eld of cryptology, which also includes cryp-

toanalysis, the art of code breaking (for a historical per-

spective, see Singh, 1999). To achieve this goal, an algo-

FIG. 1. Implementation of the Bennett and Brassard (BB84) rithm (also called a cryptosystem or cipher) is used to

Ā“

protocol. The four states lie on the equator of the Poincare combine a message with some additional informationā”

sphere. known as the keyā”and produce a cryptogram. This

technique is known as encryption. For a cryptosystem to

be secure, it should be impossible to unlock the crypto-

Alice and Bob can check whether someone ā˜ā˜was listen-

gram without the key. In practice, this requirement is

ingā™ā™: they simply compare a randomly chosen subset of

often weakened so that the system is just extremely dif-

their data using a public channel. If Bob received this

ļ¬cult to crack. The idea is that the message should re-

subset unperturbed, then the logic goes as follows:

main protected at least as long as the information it con-

No perturbationā’No measurement tains is valuable. Although conļ¬dentiality is the

traditional application of cryptography, it is used nowa-

ā’No eavesdropping. (2)

days to achieve broader objectives, such as authen-

Actually, there are two more points to add. First, in tication, digital signatures, and nonrepudiation (Bras-

order to ensure that axiom (1) applies, Alice encodes sard, 1988).

her information in nonorthogonal states (we shall illus-

trate this in Secs. II.C and II.D). Second, as we have

1. Asymmetrical (public-key) cryptosystems

presented it so far, Alice and Bob could discover any

eavesdropper, but only after they have exchanged their Cryptosytems come in two main classesā”depending

message. It would of course be much better to ensure on whether Alice and Bob use the same key. Asym-

their privacy in advance and not afterwards. To achieve metrical systems involve the use of different keys for

this, Alice and Bob complement the above idea with a encryption and decryption. They are commonly known

second idea, again a very simple one, and one which is as public-key cryptosystems. Their principle was ļ¬rst

entirely classical. Alice and Bob do not use the quantum proposed in 1976 by Whitļ¬eld Difļ¬e and Martin Hell-

channel to transmit information, but only to transmit a man, who were then at Stanford University. The ļ¬rst

random sequence of bits, i.e., a key. Now, if the key is actual implementation was then developed by Ronald

unperturbed, then quantum physics guarantees that no Rivest, Adi Shamir, and Leonard Adleman of the Mas-

sachusetts Institute of Technology in 1978.4 It is known

one has gotten any information about this key by eaves-

dropping, i.e., measuring, the quantum communication as RSA and is still widely used. If Bob wants to be able

channel. In this case, Alice and Bob can safely use this to receive messages encrypted with a public-key crypto-

key to encode messages. If, on the other hand, the key system, he must ļ¬rst choose a private key, which he

turns out to be perturbed, then Alice and Bob simply keeps secret. Then he computes from this private key a

disregard it; since the key does not contain any informa- public key, which he discloses to any interested party.

tion, they have not lost any. Alice uses this public key to encrypt her message. She

Let us make this general idea somewhat more precise, transmits the encrypted message to Bob, who decrypts it

in anticipation of Sec. II.C. In practice, the individual with the private key. Public-key cryptosystems are con-

quanta used by Alice and Bob, often called qubits (for venient and have thus become very popular over the last

quantum bits), are encoded in individual photons; for 20 years. The security of the Internet, for example, is

example, vertical and horizontal polarization code for partially based on such systems. They can be thought of

bit values 0 and 1, respectively. The second basis can as a mailbox in which anybody can insert a letter. Only

then be the diagonal one ( 45Ā° linear polarization), the legitimate owner can then recover it, by opening it

with 45Ā° coding for bit 1 and 45Ā° for bit 0, respec- with his private key.

tively (see Fig. 1). Alternatively, the circular polarization

basis could be used as second basis. For photons the

quantum communication channel can be either free 4

According to the British Government, public-key cryptogra-

space (see Sec. IV.E) or optical ļ¬bersā”special ļ¬bers or phy was originally invented at the Government Communica-

the ones used in standard telecommunications (Sec. tions Headquarters in Cheltenham as early as 1973. For an

III.B). The communication channel is thus not really historical account, see, for example, the book by Simon Singh

quantum. What is quantum are the information carriers. (1999).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

148 Gisin et al.: Quantum cryptography

(sk m 1 kk m 1 ). Because the bits of the

The security of public-key cryptosystems is based on

computational complexity. The idea is to use mathemati- scrambled text are as random as those of the key, they

cal objects called one-way functions. By deļ¬nition, it is do not contain any information. This cryptosystem is

easy to compute the function f(x) given the variable x, thus provably secure according to information theory

(Shannon, 1949). In fact, it is the only provably secure

but difļ¬cult to reverse the calculation and deduce x

cryptosystem known today.

from f(x). In the context of computational complexity,

Although perfectly secure, this system has a

the word ā˜ā˜difļ¬cultā™ā™ means that the time required to per-

problemā”it is essential for Alice and Bob to possess a

form a task grows exponentially with the number of bits

common secret key, which must be at least as long as the

in the input, while ā˜ā˜easyā™ā™ means that it grows polynomi-

message itself. They can only use the key for a single

ally. Intuitively, it is easy to understand that it takes only

encryptionā”hence the name ā˜ā˜one-time pad.ā™ā™ If they

a few seconds to work out 67 71, but it takes much

used the key more than once, Eve could record all of the

longer to ļ¬nd the prime factors of 4757. However, fac-

scrambled messages and start to build up a picture of the

toring has a ā˜ā˜trapdoor,ā™ā™ which means that it is easy to do

plain texts and thus also of the key. (If Eve recorded two

the calculation in the difļ¬cult direction provided that

different messages encrypted with the same key, she

you have some additional information. For example, if

could add the scrambled texts to obtain the sum of the

you were told that 67 was one of the prime factors of

plain texts: s 1 s 2 m 1 k m 2 k m 1 m 2 k k

4757, the calculation would be relatively simple. The se-

m 1 m 2 , where we use the fact that is commuta-

curity of RSA is actually based on the factorization of

tive.) Furthermore, the key has to be transmitted by

large integers.

some trusted means, such as a courier, or through a per-

In spite of its elegance, this technique suffers from a

sonal meeting between Alice and Bob. This procedure

major ļ¬‚aw. It has not been possible yet to prove whether

can be complex and expensive, and may even amount to

factoring is ā˜ā˜difļ¬cultā™ā™ or not. This implies that the exis-

a loophole in the system.

tence of a fast algorithm for factorization cannot be

Because of the problem of distributing long sequences

ruled out. In addition, the discovery in 1994 by Peter

of key bits, the one-time pad is currently used only for

Shor of a polynomial algorithm allowing fast factoriza-

the most critical applications. The symmetrical crypto-

tion of integers with a quantum computer casts addi-

systems in use for routine applications such as

tional doubt on the nonexistence of a polynomial algo-

e-commerce employ rather short keys. In the case of the

rithm for classical computers.

Data Encryption Standard (also known as DES, pro-

Similarly, all public-key cryptosystems rely for their

moted by the United Statesā™ National Institute of Stan-

security on unproven assumptions, which could them-

dards and Technology), a 56-bit key is combined with

selves be weakened or suppressed by theoretical or

the plain text divided into blocks in a rather complicated

practical advances. So far, no one has proved the exis-

way, involving permutations and nonlinear functions to

tence of any one-way function with a trapdoor. In other

produce the cipher text blocks (see Stallings, 1999 for a

words, the existence of secure asymmetric cryptosystems

didactic presentation). Other cryptosystems (e.g.,

is not proven. This poses a serious threat to these cryp-

IDEA, The International Data Encryption System, or

tosystems.

AES, the Advanced Encryption Standard) follow similar

In a society like ours, where information and secure

principles. Like asymmetrical cryptosystems, they offer

communication are of the utmost importance, one can-

only computational security. However, for a given key

not tolerate such a threat. For instance, an overnight

length, symmetrical systems are more secure than their

breakthrough in mathematics could make electronic

asymmetrical counterparts.

money instantly worthless. To limit such economic and

In practical implementations, asymmetrical algorithms

social risks, there is no alternative but to turn to sym-

are used not so much for encryption, because of their

metrical cryptosystems. QC has a role to play in such

slowness, but rather for distribution of session keys for

alternative systems.

symmetrical cryptosystems such as DES. Because the se-

curity of those algorithms is not proven (see Sec. II.B.1),

2. Symmetrical (secret-key) cryptosystems the security of the whole implementation can be com-

promised. If these algorithms were broken by math-

Symmetrical ciphers require the use of a single key for

ematical advances, QC would constitute the only way to

both encryption and decryption. These systems can be

solve the key distribution problem.

thought of as a safe in which the message is locked by

Alice with a key. Bob in turns uses a copy of this key to

unlock the safe. The one-time pad, ļ¬rst proposed by Gil-

3. The one-time pad as ā˜ā˜classical teleportationā™ā™

bert Vernam of AT&T in 1926, belongs to this category.

In this scheme, Alice encrypts her message, a string of The one-time pad has an interesting characteristic.

bits denoted by the binary number m 1 , using a ran- Assume that Alice wants to transfer to Bob a faithful

domly generated key k. She simply adds each bit of the copy of a classical system, without giving any informa-

message to the corresponding bit of the key to obtain tion to Eve about this system. For this purpose Alice

the scrambled text (s m 1 k, where denotes the bi- and Bob have access only to an insecure classical chan-

nary addition modulo 2 without carry). It is then sent to nel. The operation is possible provided they share an

Bob, who decrypts the message by subtracting the key arbitrarily long secret key. Indeed, in principle, Alice

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

149

Gisin et al.: Quantum cryptography

which bits are perfectly correlated (the ones for which

can measure the state of her classical system with arbi-

trarily high precision and then use the one-time pad to Alice and Bob used the same basis) and which ones are

securely communicate this information to Bob, who can completely uncorrelated (all the other ones). Hence a

then, in principle, reconstruct (a copy of) the classical straightforward error correction scheme is possible: For

system. This somewhat artiļ¬cial use of the one-time pad each bit Bob announces publicly in which basis he mea-

has an interesting quantum relative (see Sec. II.E). sured the corresponding qubit (but he does not tell the

result he obtained). Alice then reveals only whether or

not the state in which she encoded that qubit is compat-

C. The BB84 protocol

ible with the basis announced by Bob. If the state is

1. Principle

compatible, they keep the bit; if not, they disregard it. In

this way about 50% of the bit string is discarded. This

The ļ¬rst protocol for QC was proposed in 1984 by

shorter key obtained after basis reconciliation is called

Charles H. Bennett, of IBM and Gilles Brassard, of the

the sifted key.6 The fact that Alice and Bob use a public

University of Montreal, hence the name BB84, as this

protocol is now known. They presented their work at an channel at some stage of their protocol is very common

IEEE conference in India, quite unnoticed by the phys- in cryptoprotocols. This channel does not have to be

ics community at the term. This underscores the need conļ¬dential, only authentic. Hence any adversary Eve

for collaboration in QC between different communities, can listen to all the communication on the public chan-

with different jargons, habits, and conventions.5 The in- nel, but she cannot modify it. In practice Alice and Bob

terdisciplinary character of QC is the probable reason may use the same transmission channel to implement

for its relatively slow start, but it certainly has contrib- both the quantum and the classical channels.

uted to the rapid expansion of the ļ¬eld in recent years. Note that neither Alice nor Bob can decide which key

We shall explain the BB84 protocol using the lan- results from the protocol.7 Indeed, it is the conjunction

1

guage of spin 2 , but clearly any two-level quantum sys-

of both of their random choices that produces the key.

tem would do. The protocol uses four quantum states

Let us now consider the security of the above ideal

that constitute two bases, for example, the states up ā‘ ,

protocol (ideal because so far we have not taken into

down ā“ , left ā , and right ā’ . The bases are maxi-

account unavoidable noise in practice, due to technical

mally conjugate in the sense that any pair of vectors, one

imperfections). Assume that some adversary Eve inter-

from each basis, has the same overlap, e.g., ā‘ ā 2

cepts a qubit propagating from Alice to Bob. This is very

1

2 . Conventionally, one attributes the binary value 0 to

easy, but if Bob does not receive an expected qubit, he

states ā‘ and ā’ and the value 1 to the other two

will simply tell Alice to disregard it. Hence Eve only

states, and calls the states qubits (for quantum bits). In

lowers the bit rate (possibly down to zero), but she does

the ļ¬rst step, Alice sends individual spins to Bob in

not gain any useful information. For real eavesdropping

states chosen at random among the four states (in Fig. 1

the spin states ā‘ , ā“ , ā’ , and ā are identiļ¬ed as Eve must send a qubit to Bob. Ideally she would like to

send this qubit in its original state, keeping a copy for

the polarization states ā˜ā˜horizontal,ā™ā™ ā˜ā˜vertical,ā™ā™ ā˜ā˜ 45Ā°,ā™ā™

herself.

and ā˜ā˜ 45Ā°,ā™ā™ respectively). How she ā˜ā˜chooses at ran-

domā™ā™ is a delicate problem in practice (see Sec. III.D),

but in principle she could use her free will. The indi-

vidual spins could be sent all at once or one after the

other (much more practical), the only restriction being

2. No-cloning theorem

that Alice and Bob be able to establish a one-to-one

correspondence between the transmitted and the re-

Following Wootters and Zurek (1982) one can easily

ceived spins. Next, Bob measures the incoming spins in

prove that perfect copying is impossible in the quantum

one of the two bases, chosen at random (using a

world (see also the anticipatory intuition of Wigner in

random-number generator independent from that of Al-

1961, as well as Dieks, 1982 and Milonni and Hardies,

ice). At this point, whenever they use the same basis,

1982). Let denote the original state of the qubit, b

they get perfectly correlated results. However, whenever

the blank copy,8 and 0 HQCM the initial state of Eveā™s

they use different bases, they get uncorrelated results.

ā˜ā˜quantum copy machine,ā™ā™ where the Hilbert space

Hence, on average, Bob obtains a string of bits with a

HQCM of the quantum cloning machine is arbitrary. The

25% error rate; called the raw key. This error rate is so

high that standard error correction schemes would fail. ideal machine would produce

But in this protocol, as we shall see, Alice and Bob know

6

This terminology was introduced by Ekert and Huttner in

5

1994.

For instance, it is amusing to note that physicists strive to

7

Alice and Bob can, however, determine the statistics of the

publish in reputable journals, while conference proceedings

key.

are of secondary importance. For computer scientists, in con-

8

trast, appearance in the proceedings of the best conferences is b corresponds to the stock of white paper in an everyday

considered more important, while journal publication is sec- photocopy machine. We shall assume that the machine is not

ondary. empty, a purely theoretical assumption, as is well known.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

150 Gisin et al.: Quantum cryptography

0ā’ cases, since they get uncorrelated results. Altogether, if

b f, (3)

Eve uses this intercept-resend strategy, she gets 50% in-

where f denotes the ļ¬nal state of Eveā™s machine, formation, while Alice and Bob have about a 25% error

which might depend on . Accordingly, using obvious rate in their sifted key, i.e., after they eliminate the cases

notations, in which they used incompatible states, there is still

about 25% error. They can thus easily detect the pres-

ā‘,b,0 ā’ ā‘,ā‘,f ā‘ , (4) ence of Eve. If, however, Eve applies this strategy to

only a fraction of the communication, say 10%, then the

and error rate will be only 2.5%, while Eveā™s information

will be 5%. The next section explains how Alice and

ā“,b,0 ā’ ā“,ā“,f ā“ . (5) Bob can counter such attacks.

By linearity of quantum dynamics it follows that

4. Error correction, privacy ampliļ¬cation, and quantum

1 secret growing

ā’,b,0 ā‘ ā“ ) b,0 (6)

& At this point in the BB84 protocol, Alice and Bob

share a so-called sifted key. But this key contains errors.

The errors are caused by technical imperfections, as well

1

ā’ ā‘,ā‘,f ā‘ ā“,ā“,f ā“ ). (7) as possibly by Eveā™s intervention. Realistic error rates in

& the sifted key using todayā™s technology are of the order

of a few percent. This contrasts strongly with the 10 9

But the latter state differs from the ideal copy ā’, error rate typical in optical communication. Of course,

ā’,f ā’ , whatever the states f are. the few-percent error rate will be corrected down to the

Consequently, Eve cannot keep a perfect quantum standard 10 9 during the (classical) error correction step

copy, because perfect quantum copy machines cannot of the protocol. In order to avoid confusion, especially

exist. The possibility of copying classical information is among optical communication specialists, Beat Perny

probably one of the most characteristic features of infor- from Swisscom and Paul Townsend, then with British

mation in the everyday sense. The fact that quantum Telecommunications (BT), proposed naming the error

states, nowadays often called quantum information, can- rate in the sifted key QBER, for quantum bit error rate,

not be copied is certainly one of the most speciļ¬c at- to clearly distinguish it from the bit error rate (BER)

tributes that make this new kind of information so dif- used in standard communications.

ferent and hence so attractive. Actually, this negative Such a situation, in which legitimate partners share

capability clearly has its positive side, since it prevents classical information with high but not 100% correlation

Eve from perfect eavesdropping and hence makes QC and with possibly some correlation to a third party, is

potentially secure. common to all quantum cryptosystems. Actually, it is

also a standard starting point for classical information-

based cryptosystems in which one assumes that some-

3. Intercept-resend strategy

how Alice, Bob, and Eve have random variables , ,

and , respectively, with a joint probability distribution

We have seen that the eavesdropper needs to send a

P( , , ). Consequently, the last step in a QC protocol

qubit to Bob while keeping a necessarily imperfect copy

uses classical algorithms, ļ¬rst to correct the errors, and

for herself. How imperfect the copy has to be, according

then reduce to Eveā™s information on the ļ¬nal key, a pro-

to quantum theory, is a delicate problem that we shall

cess called privacy ampliļ¬cation.

address in Sec. VI. Here, let us develop a simple eaves-

The ļ¬rst mention of privacy ampliļ¬cation appeared in

dropping strategy, called intercept-resend. This simple

Bennett, Brassard, and Robert (1988). It was then ex-

and even practical attack consists of Eveā™s measuring

Ā“

tended in collaboration with C. Crepeau from the Uni-

each qubit in one of the two bases, precisely as Bob

ĀØ

versity of Montreal and U. Maurer of ETH, Zurich, re-

does. Then, she resends to Bob another qubit in the

spectively (Bennett, Brassard, et al. 1995; see also

state corresponding to her measurement result. In about

Bennett, Bessette, et al., 1992). Interestingly, this work

half of the cases, Eve will be lucky and choose the basis

motivated by QC found applications in standard

compatible with the state prepared by Alice. In these

information-based cryptography (Maurer, 1993; Maurer

cases she resends to Bob a qubit in the correct state, and

and Wolf, 1999).

Alice and Bob will not notice her intervention. How-

Assume that a joint probability distribution P( , , )

ever, in the other half of the cases, Eve unluckily uses

exists. Near the end of this section, we shall comment on

the basis incompatible with the state prepared by Alice.

this assumption. Alice and Bob have access only to the

This necessarily happens, since Eve has no information

marginal distribution P( , ). From this and from the

about Aliceā™s random-number generator (hence the im-

laws of quantum mechanics, they have to deduce con-

portance of this generatorā™s being truly random). In

straints on the complete scenario P( , , ); in particu-

these cases the qubits sent out by Eve are in states with

1

lar they have to bound Eveā™s information (see Secs. VI.E

an overlap of 2 with the correct states. Alice and Bob

and VI.G). Given P( , , ), necessary and sufļ¬cient

thus discover her intervention in about half of these

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

151

Gisin et al.: Quantum cryptography

conditions for a positive secret-key rate between Alice Actually, the above scenario is incomplete. In this pre-

sentation, we have assumed that Eve measures her

and Bob, S( , ), are not yet known. However, a use-

probe before Alice and Bob run the error correction and

ful lower bound is given by the difference between Alice

privacy ampliļ¬cation algorithms, hence that P( , , )

and Bobā™s mutual Shannon information I( , ) and

exists. In practice this is a reasonable assumption, but in

Ā“ ĀØ

Eveā™s mutual information (Csiszar and Korner, 1978, and

principle Eve could wait until the end of all the proto-

Theorem 1 in Sec. VI.G):

cols and then optimize her measurements accordingly.

S , max I , I , ,I , I , . (8) Such ā˜ā˜delayed-choice eavesdropping strategiesā™ā™9 are

discussed in Sec. VI.

Intuitively, this result states that secure-key distillation

It should by now be clear that QC does not provide a

(Bennett, Bessette, et al., 1992) is possible whenever

complete solution for all cryptographic purposes.10 Ac-

Bob has more information than Eve.

tually, quite the contrary, QC can only be used as a

The bound (8) is tight if Alice and Bob are restricted

complement to standard symmetrical cryptosystems. Ac-

to one-way communication, but for two-way communi-

cordingly, a more precise name for QC is quantum key

cation, secret-key agreement might be possible even

distribution, since this is all QC does. Nevertheless, we

when condition (8) is not satisļ¬ed (see Sec. II.C.5).

prefer to keep the well-known terminology, which lends

Without discussing any algorithm in detail, let us offer

its name to the title of this review.

some idea of how Alice and Bob can establish a secret

Finally, let us emphasize that every key distribution

key when condition (8) is satisļ¬ed. First, once the sifted

system must incorporate some authentication scheme:

key is obtained (i.e., after the bases have been an-

the two parties must identify themselves. If not, Alice

nounced), Alice and Bob publicly compare a randomly

could actually be communicating directly with Eve. A

chosen subset of it. In this way they estimate the error

straightforward approach is for Alice and Bob initially

rate [more generally, they estimate their marginal prob-

to share a short secret. Then QC provides them with a

ability distribution P( , )]. These publicly disclosed

longer one and they each keep a small portion for au-

bits are then discarded. Next, either condition (8) is not

thentication at the next session (Bennett, Bessette, et al.,

satisļ¬ed and they stop the protocol or condition (8) is

1992). From this perspective, QC is a quantum secret-

satisļ¬ed and they use some standard error correction

growing protocol.

protocol to get a shorter key without errors.

With the simplest error correction protocol, Alice ran-

domly chooses pairs of bits and announces their XOR 5. Advantage distillation

value (i.e., their sum modulo 2). Bob replies either ā˜ā˜ac-

QC has motivated and still motivates research in clas-

ceptā™ā™ if he has the same XOR value for his correspond-

sical information theory. The best-known example is

ing bits, or ā˜ā˜rejectā™ā™ if not. In the ļ¬rst case, Alice and

probably the development of privacy ampliļ¬cation algo-

Bob keep the ļ¬rst bit of the pair and discard the second

rithms (Bennett et al., 1988, 1995). This in turn led to the

one, while in the second case they discard both bits. In

development of new cryptosystems based on weak but

reality, more complex and efļ¬cient algorithms are used.

classical signals, emitted for instance by satellites (Mau-

After error correction, Alice and Bob have identical

rer, 1993).11 These new developments required secret-

copies of a key, but Eve may still have some information

key agreement protocols that could be used even when

about it [compatible with condition (8)]. Alice and Bob

condition (8) did not apply. Such protocols, called ad-

thus need to reduce Eveā™s information to an arbitrarily

vantage distillation, necessarily use two-way communica-

low value using some privacy ampliļ¬cation protocols.

tion and are much less efļ¬cient than privacy ampliļ¬ca-

These classical protocols typically work as follows. Alice

tion. Usually, they are not considered in the literature on

again randomly chooses pairs of bits and computes their

QC, but conceptually they are remarkable from at least

XOR value. But, in contrast to error correction, she

two points of view. First, it is somewhat surprising that

does not announce this XOR value. She only announces

secret-key agreement is possible even if Alice and Bob

which bits she chose (e.g., bits number 103 and 537).

start with less mutual (Shannon) information than Eve.

Alice and Bob then replace the two bits by their XOR

They can take advantage of the authenticated public

value. In this way they shorten their key while keeping it

error free, but if Eve has only partial information on the

two bits, her information on the XOR value is even less.

9

Assume, for example, that Eve knows only the value of Note, however, that Eve has to choose the interaction be-

tween her probe and the qubits before the public discussion

the ļ¬rst bit and nothing about the second one. Then she

phase of the protocol.

has no information at all about the XOR value. Also, if 10

For a while it was thought that bit commitment (see, for

Eve knows the value of both bits with 60% probability,

example, Brassard, 1988), a powerful primitive in cryptology,

then the probability that she correctly guesses the XOR

could be realized using quantum principles. However, Dominic

value is only 0.62 0.42 52%. This process would have

Mayers (1996a, 1997) and Lo and Chau (1998) proved it to be

to be repeated several times; more efļ¬cient algorithms impossible (see also Brassard et al., 1998).

use larger blocks (Brassard and Salvail, 1994). 11

Note that here conļ¬dentiality is not guaranteed by the laws

The error correction and privacy ampliļ¬cation algo- of physics, but relies on the assumption that Eveā™s technology

rithms sketched above are purely classical algorithms. is limited, e.g., her antenna is ļ¬nite, and her detectors have

This illustrates that QC is a truly interdisciplinary ļ¬eld. limited efļ¬ciencies.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

152 Gisin et al.: Quantum cryptography

channel to decide which series of realizations to keep,

whereas Eve cannot inļ¬‚uence this process12 (Maurer,

1993; Maurer and Wolf, 1999).

Recently, a second remarkable feature of advantage

distillation, connecting quantum and classical secret-key

agreement, has been discovered (assuming one uses the

Ekert protocol described in Sec. II.D.3): If Eve follows a

strategy that optimizes her Shannon information, under

the assumption that she attacks the qubits one at a time

(the so-called individual attack; see Sec. VI.E), then Al-

ice and Bob can use advantage distillation if and only if

Alice and Bobā™s qubits are still entangled (they can thus Ā“

FIG. 2. Poincare sphere with a representation of six states that

use quantum privacy ampliļ¬cation; Deutsch et al., 1996; can be used to implement the generalization of the BB84 pro-

Gisin and Wolf, 1999). This connection between the con- tocol.

cept of entanglement, central to quantum information

theory, and the concept of intrinsic classical information,

bright pulse and a dim pulse with less than one photon

central to classical information-based cryptography

on average (Bennett, 1992). The presence of the bright

(Maurer and Wolf, 1999), has been shown to be general

pulse makes this protocol especially resistant to eaves-

(Gisin and Wolf, 2000). The connection seems to extend

dropping, even in settings with high attenuation. Bob

even to bound entanglement (Gisin et al., 2000).

can monitor the bright pulses to make sure that Eve

does not remove any. In this case, Eve cannot eliminate

D. Other protocols the dim pulse without revealing her presence, because

the interference of the bright pulse with vacuum would

1. Two-state protocol introduce errors. A practical implementation of this so-

called 892 protocol is discussed in Sec. IV.D. Huttner

In 1992 Bennett noticed that four states are more than

et al. extended this reference-beam monitoring to the

are really necessary for QC: only two nonorthogonal

four-state protocol in 1995.

states are needed. Indeed the security of QC relies on

the inability of an adversary to distinguish unambigu-

ously and without perturbation between the different 2. Six-state protocol

states that Alice may send to Bob; hence two states are

While two states are enough and four states are stan-

necessary, and if they are incompatible (i.e., not mutu-

dard, a six-state protocol better respects the symmetry

ally orthogonal), then two states are also sufļ¬cient (Ben-

of the qubit state space; see Fig. 2 (Bruss, 1998;

nett, 1992). This is a conceptually important clariļ¬ca-

Bechmann-Pasquinucci and Gisin, 1999). The six states

tion. It also made several of the ļ¬rst experimental

constitute three bases, hence the probability that Alice

demonstrations easier (as is discussed further in Sec. 1

and Bob choose the same basis is only 3 , but the sym-

IV.D). But in practice, it is not a good solution. Indeed,

metry of this protocol greatly simpliļ¬es the security

although two nonorthogonal states cannot be distin-

analysis and reduces Eveā™s optimal information gain for

guished unambiguously without perturbation, one can

a given error rate QBER. If Eve measures every photon,

unambiguously distinguish between them at the cost of

the QBER is 33%, compared to 25% in the case of the

some losses (Ivanovic, 1987; Peres, 1988). This possibil-

BB84 protocol.

ity has been demonstrated in practice (Huttner, Gautier,

et al., 1996; Clarke et al., 2000). Alice and Bob would

3. Einstein-Podolsky-Rosen protocol

have to monitor the attenuation of the quantum channel

(and even this would not be entirely safe if Eve were

This variation of the BB84 protocol is of special con-

able to replace the channel by a more transparent one;

ceptual, historical, and practical interest. The idea is due

see Sec. VI.H). The two-state protocol can also be

to Artur Ekert (1991) of Oxford University, who, while

implemented using interference between a macroscopic

elaborating on a suggestion of David Deutsch (1985),

discovered QC independently of the BB84 paper. Intel-

lectually, it is very satisfying to see this direct connection

12

The idea is that Alice picks out several instances in which to the famous EPR paradox (Einstein, Podolski, and

she got the same bit and communicates the instancesā”but not Rosen, 1935): the initially philosophical debate turned to

the bitā”to Bob. Bob replies yes only if it happens that for all theoretical physics with Bellā™s inequality (1964), then to

these instances he also has the same bit value. For high error

experimental physics (Freedmann and Clauser, 1972; Fry

rates this is unlikely, but when it does happen there is a high

and Thompson, 1976; Aspect et al., 1982), and is nowā”

probability that both have the same bit. Eve cannot inļ¬‚uence

thanks to Ekertā™s ingenious ideaā”part of applied phys-

the choice of the instances. All she can do is use a majority

ics.

vote for the cases accepted by Bob. The probability that Eve

The idea consists in replacing the quantum channel

makes an error can be much higher than the probability that

carrying two qubits from Alice to Bob by a channel car-

Bob makes an error (i.e., that all his instances are wrong), even

rying two qubits from a common source, one qubit to

if Eve has more initial information than Bob.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

153

Gisin et al.: Quantum cryptography

FIG. 3. Einstein-Podolsky-Rosen (EPR) protocol, with the

Ā“

source and a Poincare representation of the four possible

states measured independently by Alice and Bob.

Alice and one to Bob. A ļ¬rst possibility would be that

the source always emits the two qubits in the same state

chosen randomly among the four states of the BB84 pro-

tocol. Alice and Bob would then both measure their qu-

bit in one of the two bases, again chosen independently FIG. 4. Illustration of protocols exploiting EPR quantum sys-

and randomly. The source then announces the bases, tems. To implement the BB84 quantum cryptographic proto-

and Alice and Bob keep the data only when they hap- col, Alice and Bob use the same bases to prepare and measure

pen to have made their measurements in the compatible Ā“

their particles. A representation of their states on the Poincare

basis. If the source is reliable, this protocol is equivalent sphere is shown. A similar setup, but with Bobā™s bases rotated

to that of BB84: It is as if the qubit propagates back- by 45Ā°, can be used to test the violation of Bellā™s inequality.

wards in time from Alice to the source, and then for- Finally, in the Ekert protocol, Alice and Bob may use the vio-

lation of Bellā™s inequality to test for eavesdropping.

ward to Bob. But better than trusting the source, which

could be in Eveā™s hand, the Ekert protocol assumes that

the two qubits are emitted in a maximally entangled rity of QC and emphasizing the close connection

state like between the Ekert and the BB84 schemes. This criticism

might be missing an important point. Although the exact

1

ā‘,ā‘ ā“,ā“ ). (9) relation between security and Bellā™s inequality is not yet

& fully known, there are clear results establishing fascinat-

ing connections (see Sec. VI.F). In October 1992, an ar-

Then, when Alice and Bob happen to use the same ba-

ticle by Bennett, Brassard, and Ekert demonstrated that

sis, either the x basis or the y basis, i.e., in about half of

the founding fathers of QC were able to join forces

the cases, their results are identical, providing them with

to develop the ļ¬eld in a pleasant atmosphere (Bennett,

a common key. Note the similarity between the one-

Brassard, and Ekert, 1992).

qubit BB84 protocol illustrated in Fig. 1 and the two-

qubit Ekert protocol of Fig. 3. The analogy can be made

even stronger by noting that for all unitary evolutions

4. Other variations

U 1 and U 2 , the following equality holds:

There is a large collection of variations on the BB84

1 U 2 U t1

() ()

U1 U2 , (10)

protocol. Let us mention a few, chosen somewhat arbi-

where U t1 denotes the transpose. trarily. First, one can assume that the two bases are not

chosen with equal probability (Ardehali et al., 1998).

In his 1991 paper Ekert suggested basing the security

This has the nice consequence that the probability that

of this two-qubit protocol on Bellā™s inequality, an in-

1

Alice and Bob choose the same basis is greater than 2 ,

equality which demonstrates that some correlations pre-

thus increasing the transmission rate of the sifted key.

dicted by quantum mechanics cannot be reproduced by

However, this protocol makes Eveā™s job easier, as she is

any local theory (Bell, 1964). To do this, Alice and Bob

more likely to guess correctly the basis that was used.

can use a third basis (see Fig. 4). In this way the prob-

Consequently, it is not clear whether the ļ¬nal key rate,

ability that they might happen to choose the same basis

1 2

after error correction and privacy ampliļ¬cation, is

is reduced from 2 to 9 , but at the same time as they

higher or not.

establish a key, they collect enough data to test Bellā™s

inequality.13 They can thus check that the source really Another variation consists in using quantum systems

of dimension greater than 2 (Bechmann-Pasquinucci

emits the entangled state (9) and not merely product

and Peres, 2000; Bechmann-Pasquinucci and Tittel,

states. The following year Bennett, Brassard, and Mer-

ĀØ

2000; Bourennane, Karlsson, and Bjorn, 2001). Again,

min (1992) criticized Ekertā™s letter, arguing that the vio-

the practical value of this idea has not yet been fully

lation of Bellā™s inequality is not necessary for the secu-

determined.

A third variation worth mentioning is due to Golden-

berg and Vaidman of Tel Aviv University (1995). They

13

A maximal violation of Bellā™s inequality is necessary to rule

suggested preparing the qubits in a superposition of two

out tampering by Eve. In this case, the QBER must necessarily

spatially separated states, then sending one component

be equal to zero. With a nonmaximal violation, as typically

of this superposition and waiting until Bob receives it

obtained in experimental systems, Alice and Bob can distill a

before sending the second component. This does not

secure key using error correction and privacy ampliļ¬cation.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

154 Gisin et al.: Quantum cryptography

sound of great practical value, but has the nice concep- tum state, except if the state happens to be an eigenstate

tual feature that the minimal two states do not need to of the observable. Hence, if for some reason one conjec-

be mutually orthogonal. tures that a quantum system is in some state (or in a

state among a set of mutually orthogonal ones), one can

in principle test this conjecture repeatedly (Braginsky

E. Quantum teleportation as a ā˜ā˜quantum one-time padā™ā™

and Khalili, 1992). However, if the state is only restricted

Since its discovery in 1993 by a surprisingly large to be in a ļ¬nite set containing nonorthogonal states, as

group of physicists, quantum teleportation (Bennett in QC, then there is no way to perform a measurement

et al., 1993) has received much attention from both the without ā˜ā˜demolishingā™ā™ (perturbing) the state. Now, in

scientiļ¬c community and the general public. The dream QC the term ā˜ā˜nondemolition measurementā™ā™ is also used

of beaming travelers through the universe is exciting, with a different meaning: one measures the number of

but completely out of the realm of any foreseeable tech- photons in a pulse without affecting the degree of free-

nology. However, quantum teleportation can be seen as dom coding the qubit (e.g., the polarization; see Sec.

the fully quantum version of the one-time pad (see Sec. VI.H), or one detects the presence of a photon without

II.B.3), hence as the ultimate form of QC. As in ā˜ā˜classi- destroying it (Nogues et al., 1999). Such measurements

cal teleportation,ā™ā™ let us assume that Alice aims to trans-

are usually called ideal measurements, or projective mea-

fer a faithful copy of a quantum system to Bob. If Alice

surements, because they produce the least possible per-

has full knowledge of the quantum state, the problem is

turbation (Piron, 1990) and because they can be repre-

not really a quantum one (Aliceā™s information is classi-

sented by projectors. It is important to stress that these

cal). If, on the other hand, Alice does not know the

ā˜ā˜ideal measurementsā™ā™ do not invalidate the security of

quantum state, she cannot send a copy, since quantum

QC.

copying is impossible according to quantum physics (see

Let us now consider optical ampliļ¬ers (a laser me-

Sec. II.C.2). Nor can she send classical instructions, since

dium, but without mirrors, so that ampliļ¬cation takes

this would allow the production of many copies. How-

place in a single pass; see Desurvire, 1994). They are

ever, if Alice and Bob share arbitrarily many entangled

widely used in todayā™s optical communication networks.

qubits, sometimes called a quantum key, and share a

However, they are of no use for quantum communica-

classical communication channel, then the quantum tele-

tion. Indeed, as seen in Sec. II.C, the copying of quan-

portation protocol provides them with a means of trans-

tum information is impossible. Here we illustrate this

ferring the quantum state of the system from Alice to

Bob. In the course of running this protocol, Aliceā™s characteristic of quantum information by the example of

quantum system is destroyed without Aliceā™s having optical ampliļ¬ers: the necessary presence of spontane-

learned anything about the quantum state, while Bobā™s ous emission whenever there is stimulated emission pre-

qubit ends in a state isomorphic to the state of the origi- vents perfect copying. Let us clarify this important and

nal system (but Bob does not learn anything about the often confusing point, following the work of Simon et al.

quantum state). If the initial quantum system is a quan- (1999, 2000; see also De Martini et al., 2000 and Kempe

tum message coded in the form of a sequence of qubits, et al., 2000). Let the two basic qubit states 0 and 1 be

then this quantum message is faithfully and securely physically implemented by two optical modes:

transferred to Bob, without any information leaking to 0,1 . Thus n,m ph k,l a denotes

0 1,0 and 1

the outside world (i.e., to anyone not sharing the prior the state of n photons in mode 1 and m photons in mode

entanglement with Alice and Bob). Finally, the quantum 2, while k,l 0(1) denotes the ground (or excited) state

message could be formed of a four-letter quantum al- of two-level atoms coupled to mode 1 or 2, respectively.

phabet consisting of the four states of the BB84 proto- Hence spontaneous emission corresponds to

col. With futuristic but not impossible technology, Alice

1,0 a ā’ 1,0

ph ph

0,0 0,0 a , (11)

and Bob could keep their entangled qubits in their re-

0,1 a ā’ 0,1

spective wallets and could enjoy totally secure commu- ph ph

0,0 0,0 a , (12)

nication at any time, without even having to know where

and stimulated emission to

the other is located (provided they can communicate

1,0 a ā’& 2,0

classically). ph ph

1,0 0,0 a , (13)

0,1 a ā’& 0,2

ph ph

0,1 0,0 a , (14)

F. Optical ampliļ¬cation, quantum nondemolition

where the factor of & takes into account the ratio of

measurements, and optimal quantum cloning

stimulated to spontaneous emission. Let the initial state

After almost every general talk on QC, two questions of the atom be a mixture of the following two states,

arise: What about optical ampliļ¬ers? and What about each with equal (50%) weight:

quantum nondemolition measurements? In this section

0,1 and 1,0 a . (15)

a

we brieļ¬‚y address these questions.

By symmetry, it sufļ¬ces to consider one possible initial

Let us start with the second one, as it is the easiest.

state of the qubit, e.g., one photon in the ļ¬rst mode

The term ā˜ā˜quantum nondemolition measurementā™ā™ is

1,0 ph . The initial state of the photon atom system is

simply confusing. There is nothing like a quantum mea-

thus a mixture:

surement that does not perturb (i.e., modify) the quan-

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

155

Gisin et al.: Quantum cryptography

on such systems here. There is also, however, some very

ph ph

1,0 1,0 or 1,0 0,1 a . (16)

a

signiļ¬cant research on free-space systems (see Sec.

This corresponds to the ļ¬rst-order term in an evolution

IV.E).

with a Hamiltonian (in the interaction picture): H

Once the medium has been chosen, there remain the

(a ā 1 a 1 ā a ā 2 a 2 ā ). After some time the

1 1 2 2 questions of the source and detectors. Since they have to

two-photon component of the evolved states becomes

be compatible, the crucial choice is that of the wave-

& 2,0 ph ph

0,0 or 1,1 0,0 a . (17) length. There are two main possibilities. Either one

a

chooses a wavelength around 800 nm, for which efļ¬cient

1

The correspondence with a pair of spin goes as fol-

2

photon counters are commercially available, or one

lows:

chooses a wavelength compatible with todayā™s telecom-

ā‘ā‘ , ā“ā“ ,

2,0 0,2 (18) munications optical ļ¬bers, i.e., near 1300 or 1550 nm.

The ļ¬rst choice requires free-space transmission or the

1

ā‘ā“ ā“ā‘ ). use of special ļ¬bers, hence the installed telecommunica-

()

1,1 (19)

ph

& tions networks cannot be used. The second choice re-

quires the improvement or development of new detec-

Tracing over the ampliļ¬er (i.e., the two-level atom), an

tors, not based on silicon semiconductors, which are

(ideal) ampliļ¬er achieves the following transformation:

transparent above a wavelength of 1000 nm.

P ā‘ ā’2P ā‘ā‘ P (20) In the case of transmission using optical ļ¬bers, it is

( ),

still unclear which of the two alternatives will turn out to

where the Pā™s indicate projectors (i.e., pure-state density

be the best choice. If QC ļ¬nds niche markets, it is con-

matrices) and the lack of normalization results from the

ceivable that special ļ¬bers will be installed for that pur-

ļ¬rst-order expansion used in Eqs. (11)ā“(14). Accord-

pose. But it is equally conceivable that new commercial

ingly, after normalization, each photon is in the state

detectors will soon make it much easier to detect single

1

1

photons at telecommunications wavelengths. Actually,

2P ā‘

2P ā‘ā‘ P () 2

Tr1 . (21) the latter possibility is very likely, as several research

ph mode

3 3

groups and industries are already working on it. There is

The corresponding ļ¬delity is another good reason to bet on this solution: the quality

of telecommunications ļ¬bers is much higher than that of

1

2 5

2

any special ļ¬ber; in particular, the attenuation is much

F , (22)

3 6 lower (this is why the telecommunications industry

chose these wavelengths): at 800 nm, the attenuation is

which is precisely the optimal ļ¬delity compatible with

about 2 dB/km (i.e., half the photons are lost after 1.5

Ė

quantum mechanics (Buzek and Hillery, 1996; Gisin and

km), while it is only of the order of 0.35 and 0.20 dB/km

Massar, 1997; Bruss et al., 1998). In other words, if we

at 1300 and 1550 nm, respectively (50% loss after about

start with a single photon in an arbitrary state and pass it

9 and 15 km).14

through an ampliļ¬er, then due to the effect of spontane-

In the case of free-space transmission, the choice of

ous emission the ļ¬delity of the state exiting the ampli-

wavelength is straightforward, since the region where

ļ¬er, when it consists of exactly two photons, with the

good photon detectors existā”around 800 nmā”coincides

initial state will be equal to at most 5/6. Note that if it

with that where absorption is low. However, free-space

were possible to make better copies, then signaling at

transmission is restricted to line-of-sight links and is very

arbitrarily fast speed, using EPR correlations between

weather dependent.

spatially separated systems, would also be possible (Gi-

In the next sections we successively consider the ques-

sin, 1998).

tions of how to produce single photons (Sec. III.A), how

to transmit them (Sec. III.B), how to detect single pho-

tons (Sec. III.C), and ļ¬nally how to exploit the intrinsic

III. TECHNOLOGICAL CHALLENGES

randomness of quantum processes to build random gen-

The very ļ¬rst demonstration of QC was a table-top erators (Sec. III.D).

experiment performed at the IBM laboratory in the

A. Photon sources

early 1990s over a distance of 30 cm (Bennett, Bessette,

et al., 1992), marking the start of a series of impressive

Optical quantum cryptography is based on the use of

experimental improvements over the past few years.

single-photon Fock states. Unfortunately, these states

The 30-cm distance is of little practical interest. Either

are difļ¬cult to realize experimentally. Nowadays, practi-

the distance should be even shorter [think of a credit

cal implementations rely on faint laser pulses or en-

card and an ATM machine (Huttner, Imoto, and Bar-

tangled photon pairs, in which both the photon and the

nett, 1996), in which case all of Aliceā™s components

photon-pair number distribution obey Poisson statistics.

should ļ¬t on the credit cardā”a nice idea, but still im-

practical with present technology] or the distance should

be much longer, at least in the kilometer range. Most of

14

the research so far uses optical ļ¬bers to guide the pho- The losses in dB (l db ) can be calculated from the losses in

tons from Alice to Bob, and we shall mainly concentrate percent (l % ): l dB 10 log10 1 (l % /100) .

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

156 Gisin et al.: Quantum cryptography

depending on the transmission losses.15 After key distil-

Hence both possibilities suffer from a small probability

lation, the security is just as good with faint laser pulses

of generating more than one photon or photon pair at

as with Fock states. The price to pay for using such

the same time. For large losses in the quantum channel,

states is a reduction of the bit rate.

even small fractions of these multiphotons can have im-

portant consequences on the security of the key (see

Sec. VI.H), leading to interest in ā˜ā˜photon gunsā™ā™; see Sec. 2. Photon pairs generated by parametric downconversion

III.A.3). In this section we brieļ¬‚y comment on sources

Another way to create pseudo-single-photon states is

based on faint pulses as well as on entangled photon

the generation of photon pairs and the use of one pho-

pairs, and we compare their advantages and drawbacks.

ton as a trigger for the other one (Hong and Mandel,

1986). In contrast to the sources discussed earlier, the

second detector must be activated only whenever the

ļ¬rst one has detected a photon, hence when 1, and

1. Faint laser pulses not whenever a pump pulse has been emitted, therefore

circumventing the problem of empty pulses.

There is a very simple solution to approximate single-

The photon pairs are generated by spontaneous para-

photon Fock states: coherent states with an ultralow

metric downconversion in a (2) nonlinear crystal.16 In

mean photon number . They can easily be realized us-

this process, the inverse of the well-known frequency

ing only standard semiconductor lasers and calibrated doubling, one photon spontaneously splits into two

attenuators. The probability of ļ¬nding n photons in such daughter photonsā”traditionally called signal and idler

a coherent state follows the Poisson statistics: photonsā”conserving total energy and momentum. In

this context, momentum conservation is called phase

n

matching and can be achieved despite chromatic disper-

P n, e . (23)

n! sion by exploiting the birefringence of the nonlinear

crystal. Phase matching allows one to choose the wave-

Accordingly, the probability that a nonempty weak co- length and determines the bandwidth of the downcon-

verted photons. The latter is in general rather large and

herent pulse contains more than one photon,

varies from a few nanometers up to some tens of na-

nometers. For the nondegenerate case one typically gets

1 P 0, P 1,

P n 1 n 0, a bandwith of 5ā“10 nm, whereas in the degenerate case

1 P 0,

(where the central frequency of both photons is equal),

the bandwidth can be as large as 70 nm.

1e 1

This photon-pair creation process is very inefļ¬cient;

, (24)

1e 2 typically it takes some 1010 pump photons to create one

pair in a given mode.17 The number of photon pairs per

can be made arbitrarily small. Weak pulses are thus ex- mode is thermally distributed within the coherence time

tremely practical and have indeed been used in the vast of the photons and follows a Poissonian distribution for

majority of experiments. However, they have one major larger time windows (Walls and Milburn, 1995). With a

pump power of 1 mW, about 106 pairs per second can be

drawback. When is small, most pulses are empty:

P(n 0) 1 . In principle, the resulting decrease in collected in single-mode ļ¬bers. Accordingly, in a time

window of roughly 1 ns, the conditional probability of

bit rate could be compensated for thanks to the achiev-

ļ¬nding a second pair, having already detected one, is

able gigahertz modulation rates of telecommunications

106 10 9 0.1%. In the case of continuous pumping,

lasers. But in practice, the problem comes from the de-

this time window is given by the detector resolution. Tol-

tectorsā™ dark counts (i.e., a click without a photonā™s ar-

erating, for example, 1% of these multipair events, one

riving). Indeed, the detectors must be active for all

can generate 107 pairs per second using a realistic

pulses, including the empty ones. Hence the total dark

counts increase with the laserā™s modulation rate, and the

ratio of detected photons to dark counts (i.e., the signal-

15

to-noise ratio) decreases with (see Sec. IV.A). The Contrary to a frequent misconception, there is nothing spe-

cial about a value of 0.1, even though it has been selected by

problem is especially severe for longer wavelengths, at

most experimentalists. The optimal valueā”i.e., the value that

which photon detectors based on indium gallium ar-

yields the highest key exchange rate after distillationā”

senide semiconductors (InGaAs) are needed (see Sec.

depends on the optical losses in the channel and on assump-

III.C), since the noise of these detectors explodes if they

tions about Eveā™s technology (see Secs. VI.H and VI.I).

are opened too frequently (in practice with a rate larger 16

For a review see Rarity and Tapster (1988), and for more

than a few megahertz). This prevents the use of really recent developments see Kwiat et al. (1999), Tittel et al.

low photon numbers, smaller than approximately 1%. (1999), Jennewein, Simon, et al. (2000), and Tanzilli et al.

Most experiments to date have relied on 0.1, mean- (2001).

ing that 5% of the nonempty pulses contain more than 17

Recently we achieved a conversion rate of 10 6 using an

one photon. However, it is important to stress that, as optical waveguide in a periodically poled LiNbO3 crystal (Tan-

ĀØ

pointed out by Lutkenhaus (2000), there is an optimal zilli et al., 2001).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

157

Gisin et al.: Quantum cryptography

3. Photon guns

The ideal single-photon source is a device that, when

one pulls the trigger, and only then, emits one and only

one photon. Hence the name photon gun. Although

photon antibunching was ļ¬rst demonstrated years ago

(Kimble et al., 1977), a practical and handy device is still

awaited. At present, there are essentially three different

experimental approaches that more or less come close to

this ideal.

A ļ¬rst idea is to work with a single two-level quantum

system that obviously cannot emit two photons at a

time. The manipulation of single trapped atoms or ions

requires a much too involved technical effort. Single or-

ganic dye molecules in solvents (Kitson et al., 1998) or

solids (Brunel et al., 1999; Fleury et al., 2000) are easier

to handle but offer only limited stability at room tem-

perature. A promising candidate, however, is the

nitrogen-vacancy center in diamond, a substitutional ni-

trogen atom with a vacancy trapped at an adjacent lat-

FIG. 5. Photo of our entangled photon-pair source as used in

tice position (Brouri et al., 2000; Kurtsiefer et al., 2000).

the ļ¬rst long-distance test of Bellā™s inequalities (Tittel et al.,

1998). Note that the whole source ļ¬ts into a box only 40 45 It is possible to excite individual nitrogen atoms with a

15 cm3 in size and that neither a special power supply nor 532-nm laser beam, which will subsequently emit a ļ¬‚uo-

water cooling is necessary. rescence photon around 700 nm (12-ns decay time). The

ļ¬‚uorescence exhibits strong photon antibunching, and

the samples are stable at room temperature. However,

10-mW pump. To detect, for example, 10% of the trigger

the big remaining experimental challenge is to increase

photons, the second detector has to be activated 106

the collection efļ¬ciency (currently about 0.1%) in order

times per second. In comparison, the example of 1% of

to obtain mean photon numbers close to 1. To obtain

multiphoton events corresponds in the case of faint laser

this efļ¬ciency, an optical cavity or a photonic band-gap

pulses to a mean photon number of 0.02. In order to

structure must suppress emission in all spatial modes but

6

get the same number (10 ) of nonempty pulses per sec-

one. In addition, the spectral bandwidth of this type of

ond, a pulse rate of 50 MHz is needed. For a given pho-

source is broad (on the order of 100 nm), enhancing the

ton statistics, photon pairs thus allow one to work with

effect of perturbations in a quantum channel.

lower pulse rates (e.g., 50 times lower) and hence re-

A second approach is to generate photons by single

duced detector-induced errors. However, due to limited

electrons in a mesoscopic p-n junction. The idea is to

coupling efļ¬ciency in optical ļ¬bers, the probability of

proļ¬t from the fact that thermal electrons show anti-

ļ¬nding the sister photon after detection of the trigger

bunching (the Pauli exclusion principle) in contrast to

photon in the respective ļ¬ber is in practice less than 1.

photons (Imamoglu and Yamamoto, 1994). The ļ¬rst ex-

This means that the effective photon number is not 1 but

perimental results have been presented (Kim et al.,

rather 2/3 (Ribordy et al., 2001), still well above

1999), but with extremely low efļ¬ciencies and only at a

0.02.

temperature of 50 mK!

Photon pairs generated by parametric downconver-

Finally, another approach is to use the photon emis-

sion offer a further major advantage if they are not

sion of electron-hole pairs in a semiconductor quantum

merely used as a pseudo-single-photon source, but if

dot. The frequency of the emitted photon depends on

their entanglement is exploited. Entanglement leads to

the number of electron-hole pairs present in the dot.

quantum correlations that can be used for key genera-

After one creates several such pairs by optical pumping,

tion (see Secs. II.D.3 and V). In this case, if two photon

they will sequentially recombine and hence emit pho-

pairs are emitted within the same time window but their tons at different frequencies. Therefore, a single-photon

measurement basis is chosen independently, they pro- Ā“

pulse can be obtained by spectral ļ¬ltering (Gerard et al.,

duce completely uncorrelated results. Hence, depending 1999; Michler et al., 2000; Santori et al., 2000). These

on the realization, the problem of multiple photons can dots can be integrated in solid-state microcavities with

be avoided; see Sec. VI.J. Ā“

strong enhancements of spontaneous emission (Gerard

Figure 5 shows one of our sources creating entangled et al., 1998).

photon pairs at a wavelength of 1310 nm, as used in tests In summary, todayā™s photon guns are still too compli-

of Bellā™s inequalities over 10 kilometers (Tittel et al., cated to be used in a QC prototype. Moreover, due to

1998). Although not as simple as faint laser sources, their low quantum efļ¬ciencies, they do not offer an ad-

diode-pumped photon-pair sources emitting in the near vantage over faint laser pulses with extremely low mean

photon numbers .

infrared can be made compact, robust, and rather handy.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

158 Gisin et al.: Quantum cryptography

B. Quantum channels

The single-photon source and the detectors must be

connected by a ā˜ā˜quantum channel.ā™ā™ Such a channel is

not especially quantum, except that it is intended to

carry information encoded in individual quantum sys-

tems. Here ā˜ā˜individualā™ā™ does not mean ā˜ā˜nondecom-

posible,ā™ā™ but only the opposite of ā˜ā˜ensemble.ā™ā™ The idea

is that the information is coded in a physical system only

once, in contrast to classical communication, in which

many photons carry the same information. Note that the

present-day limit for ļ¬ber-based classical optical com-

munication is already down to a few tens of photons,

although in practice one usually uses many more. With FIG. 6. Transmission losses vs wavelength in optical ļ¬bers.

increasing bit rate and limited mean powerā”imposed to Electronic transitions in SiO2 lead to absorption at lower

avoid nonlinear effects in silica ļ¬bersā”these ļ¬gures are wavelengths, and excitation of vibrational modes leads to

losses at higher wavelengths. Superposed is the absorption due

likely to get closer and closer to the quantum domain.

to Rayleigh backscattering and to transitions in OH groups.

Individual quantum systems are usually two-level sys-

Modern telecommunications are based on wavelengths around

tems, called qubits. During their propagation they must

1.3 m (the second telecommunications window) and 1.5 m

be protected from environmental noise. Here ā˜ā˜environ-

(the third telecommunications window).

mentā™ā™ refers to everything outside the degree of free-

dom used for the encoding, which is not necessarily out-

side the physical system. If, for example, the information core is large, many bound modes exist, corresponding to

is encoded in the polarization state, then the optical fre- many guided modes in the ļ¬ber. Such ļ¬bers are called

quencies of the photon are part of the environment. multimode ļ¬bers, They usually have cores 50 m in di-

Hence coupling between the polarization and the optical ameter. The modes couple easily, acting on the qubit like

frequency has to be mastered18 (e.g., by avoiding wave- a nonisolated environment. Hence multimode ļ¬bers are

length-sensitive polarizers and birefringence). Moreover, not appropriate as quantum channels (see, however,

the sender of the qubits should avoid any correlation Townsend, 1998a, 1998b). If, however, the core is small

between the polarization and the spectrum of the pho- enough (diameter of the order of a few wavelengths),

tons. then a single spatial mode is guided. Such ļ¬bers are

Another difļ¬culty is that the bases used by Alice to called single-mode ļ¬bers. For telecommunications wave-

code the qubits and the bases used by Bob for his mea- lengths (i.e., 1.3 and 1.5 m), their core is typically 8 m

surements must be related by a known and stable uni- in diameter. Single-mode ļ¬bers are very well suited to

tary transformation. Once this unitary transformation is carry single quanta. For example, the optical phase at

known, Alice and Bob can compensate for it and get the the output of a ļ¬ber is in a stable relation with the phase

expected correlation between their preparations and at the input, provided the ļ¬ber does not become elon-

measurements. If it changes with time, they need active gated. Hence ļ¬ber interferometers are very stable, a fact

feedback to track it, and if the changes are too fast, the exploited in many instruments and sensors (see, for ex-

communication must be interrupted. ample, Cancellieri, 1993).

Accordingly, a single-mode ļ¬ber with perfect cylindric

1. Single-mode ļ¬bers

symmetry would provide an ideal quantum channel. But

all real ļ¬bers have some asymmetries, so that the two

Light is guided in optical ļ¬bers thanks to the refrac-

polarization modes are no longer degenerate, but rather

tive index proļ¬le n(x,y) across the section of the ļ¬bers

each has its own propagation constant. A similar effect

(traditionally, the z axis is along the propagation direc-

is caused by chromatic dispersion, in which the group

tion). Over the last 25 years, a lot of effort has gone into

delay depends on the wavelength. Both dispersion ef-

reducing transmission lossesā”initially several dB per

fects are the subject of the next subsections.

kmā”and today the attenuation is as low as 2 dB/km at

800-nm wavelength, 0.35 dB/km at 1310 nm, and 0.2

dB/km at 1550 nm (see Fig. 6). It is amusing to note that

2. Polarization effects in single-mode ļ¬bers

the dynamical equation describing optical pulse propa-

gation (in the usual slowly varying envelope aproxima- Polarization effects in single-mode ļ¬bers are a com-

ĀØ

tion) is identical to the Schrodinger equation, with mon source of problems in all optical communication

V(x,y) n(x,y) (Snyder, 1983). Hence a positive schemes, classical as well as quantum ones. In recent

bump in the refractive index corresponds to a potential years these effects have been the subject of a major re-

well. The region of the well is called the ļ¬ber core. If the search effort in classical optical communication (Gisin

et al., 1995). As a result, todayā™s ļ¬bers are much better

than the ļ¬bers of a decade ago. Today, the remaining

18 birefringence is small enough for the telecommunica-

Note that, as we shall see in Sec. V, using entangled photons

tions industry, but for quantum communication any

prevents such information leakage.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

159

Gisin et al.: Quantum cryptography

based QC systems.20 The global effect of the birefrin-

birefringence, even extremely small, will always remain

a concern. All ļ¬ber-based implementations of QC have gence is equivalent to an arbitrary combination of two

to face this problem. This is clearly true for polarization- waveplates; that is, it corresponds to a unitary transfor-

based systems, but it is equally a concern for phase- mation. If this transformation is stable, Alice and Bob

based systems, since interference visibility depends on can compensate for it. The effect of birefringence is thus

the polarization states. Hence, although polarization ef- similar to the effect of the geometric phase, though, in

fects are not the only source of difļ¬culties, we shall de- addition to causing a rotation, it may also affect the el-

scribe them in some detail, distinguishing among four lipticity. Stability of birefringence requires slow thermal

effects: the geometric phase, birefringence, polarization and mechanical variations.

mode dispersion, and polarization-dependent losses. Polarization mode dispersion (PMD) is the presence

The geometric phase as encountered when guiding of two different group velocities for two orthogonal po-

light in an optical ļ¬ber is a special case of the Berry larization modes. It is due to a delicate combination of

phase,19 which results when any parameter describing a two causes. First, birefringence produces locally two

group velocities. For optical ļ¬bers, this local dispersion

property of the system under concern, here the k vector

is in good approximation equal to the phase dispersion,

characterizing the propagation of the light ļ¬eld, under-

of the order of a few picoseconds per kilometer. Hence,

goes an adiabatic change. Think ļ¬rst of a linear polar-

an optical pulse tends to split locally into a fast mode

ization state, let us say vertical at the input. Will it still

and a slow mode. But because the birefringence is small,

be vertical at the output? Vertical with respect to what?

the two modes couple easily. Hence any small imperfec-

Certainly not the gravitational ļ¬eld! One can follow that

tion along the ļ¬ber produces polarization mode cou-

linear polarization by hand along the ļ¬ber and see how

pling: some energy of the fast mode couples into the

it may change even along a closed loop. If the loop stays

slow mode and vice versa. PMD is thus similar to a ran-

in a plane, the state after a loop coincides with the input

dom walk21 and grows only with the square root of the

state, but if the loop explores the three dimensions of

ļ¬ber length. It is expressed in ps km 1/2, with values as

our space, then the ļ¬nal state will differ from the initial

low as 0.1 ps km 1/2 for modern ļ¬bers and possibly as

one by an angle. Similar reasoning holds for the axes of

high as 0.5 or even 1ps km 1/2 for older ones.

elliptical polarization states. The two circular polariza-

Typical lengths for polarization mode coupling vary

tion states are the eigenstates. During parallel transport

from a few meters up to hundreds of meters. The stron-

they acquire opposite phases, called the Berry phases.

ger the coupling, the weaker the PMD (the two modes

The presence of a geometrical phase is not fatal for

do not have time to move apart between the couplings).

quantum communication. It simply means that initially

In modern ļ¬bers, the couplings are even artiļ¬cially in-

Alice and Bob have to align their systems by deļ¬ning, creased during the drawing process of the ļ¬bers (Hart

for instance, the vertical and diagonal directions (i.e., et al., 1994; Li and Nolan, 1998). Since the couplings are

performing the unitary transformation mentioned be- exceedingly sensitive, the only reasonable description is

fore). If these vary slowly, they can be tracked, though a statistical one, hence PMD is described as a statistical

this requires active feedback. However, if the variations distribution of delays . For sufļ¬ciently long ļ¬bers, the

are too fast, the communication might be interrupted. statistics are Maxwellian, and PMD is related to the ļ¬-

Hence aerial cables that swing in the wind are not ap- ber length l , the mean coupling length h, the mean

propriate (except with self-compensating conļ¬gurations; modal birefringence B, and the rms delay as follows

2

see Sec. IV.C.2). (Gisin et al., 1995): PMD Bh l /h. Polar-

Birefringence is the presence of two different phase ization mode dispersion could cause depolarization,

velocities for two orthogonal polarization states. It is which would be devastating for quantum communica-

caused by asymmetries in the ļ¬ber geometry and in the tion, similar to any decoherence in quantum information

processing. Fortunately, for quantum communication the

residual stress distribution inside and around the core.

remedy is easy; it sufļ¬ces to use a source with a coher-

Some ļ¬bers are made birefringent on purpose. Such ļ¬-

ence time longer than the largest delay . Hence, when

bers are called polarization-maintaining ļ¬bers because

laser pulses are used (with typical spectral widths

the birefringence is large enough to effectively uncouple

1 nm, corresponding to a coherence time 3 ps; see

the two polarization eigenmodes. Note that only these

Sec. III.A.1), PMD is no real problem. For photons cre-

two orthogonal polarization modes are maintained; all

other modes, in contrast, evolve very quickly, making

this kind of ļ¬ber completely unsuitable for polarization-

20

Polarization-maintaining ļ¬bers may be of use for phase-

based QC systems. However, this requires that the whole

setupā”transmission lines as well as interferometers at each

endā”be made of polarization-maintaining ļ¬bers. While this is

19

The Berry phase was introduced by Michael Berry in 1984, possible in principle, the need to install a completely new ļ¬ber

and was then observed in optical ļ¬ber by Tomita and Chiao network makes this solution not very practical.

21

(1986) and on the single-photon level by Hariharan et al. In contrast to Brownian motion, which describes particle

(1993). It was studied in connection with photon pairs by Bren- diffusion in space as time passes, here photons diffuse over

del et al. (1995). time as they propagate along the ļ¬ber.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

160 Gisin et al.: Quantum cryptography

ated by parametric downconversion, however, PMD can dispersion goes to zero around 1550 nm, where the at-

tenuation is minimal (Neumann, 1988).23

impose severe limitations, since 10 nm (coherence

Chromatic dispersion does not constitute a problem in

time 300 fs) is not unusual.

the case of faint laser pulses, for which the bandwidth is

ńņš. 1 |