FIG. 21. Typical system for quantum cryptography exploiting

that photon pairs have the advantage of avoiding multi-

photon pairs entangled in polarization: PR, active polarization

photon pulses, but this is not correct. For a given mean

rotator; PBS, polarizing beamsplitter; APD, avalanche photo-

photon number, the probability that a nonempty pulse

diode.

contains more than one photon is essentially the same

for weak pulses as for photon pairs (see Sec. III.A.2).

A second advantage is that using entangled photons Generally speaking, entanglement-based systems are

pair prevents unintended information leakage in unused far more complex than setups based on faint laser

degrees of freedom (Mayers and Yao, 1998). Observing pulses. They will most certainly not be used in the near

a QBER lower than approximately 15%, or equivalently future for the realization of industrial prototypes. In ad-

observing that Bell™s inequality is violated, indeed guar- dition, the current experimental key creation rates ob-

tained with these systems are at least two orders of mag-

antees that the photons are entangled, so that the differ-

nitude smaller than those obtained with faint laser pulse

ent states are not fully distinguishable through other de-

setups (net rate on the order of a few tens of bits per

grees of freedom. A third advantage was indicated

second, in contrast to a few thousand bits per second for

recently by new and elaborate eavesdropping analyses.

a 10-km distance). Nevertheless, they offer interesting

The fact that passive state preparation can be imple-

possibilities in the context of cryptographic optical net-

mented prevents multiphoton splitting attacks (see Sec.

works. The photon-pair source can indeed be operated

VI.J).

by a key provider and situated somewhere in between

The coupling between the optical frequency and the

potential QC customers. In this case, the operator of the

property used to encode the qubit, i.e., decoherence, is

source has no way of getting any information about the

rather easy to master when using faint laser pulses.

key obtained by Alice and Bob.

However, this issue is more serious when using photon

It is interesting to emphasize the close analogy be-

pairs, because of the larger spectral width. For example,

tween one- and two-photon schemes, which was ¬rst

for a spectral width of 5 nm full width at half maximum

noted by Bennett, Brassard, and Mermin (1992). In a

(FWHM)”a typical value, equivalent to a coherence

two-photon scheme, when Alice detects her photon, she

time of 1 ps”and a ¬ber with a typical polarization

effectively prepares Bob™s photon in a given state. In the

mode dispersion of 0.2 ps/ km, transmission over a few

one-photon analog, Alice™s detectors are replaced by

kilometers induces signi¬cant depolarization, as dis-

sources, while the photon-pair source between Alice and

cussed in Sec. III.B.2. In the case of polarization-

Bob is bypassed. The difference between these schemes

entangled photons, this effect gradually destroys their

lies only in practical issues, like the spectral widths of

correlation. Although it is in principle possible to com-

the light. Alternatively, one can look at this analogy

pensate for this effect, the statistical nature of the polar-

ization mode dispersion makes this impractical.44 from a different point of view: in two-photon schemes, it

is as if Alice™s photon propagates backwards in time

Although perfectly ¬ne for free-space QC (see Sec.

from Alice to the source and then forward in time from

IV.E), polarization entanglement is thus not adequate

the source to Bob.

for QC over long optical ¬bers. A similar effect arises

when dealing with energy-time-entangled photons.

A. Polarization entanglement

Here, the chromatic dispersion destroys the strong time

correlations between the photons forming a pair. How-

A ¬rst class of experiments takes advantage of

ever, as discussed in Sec. III.B.3, it is possible to com-

polarization-entangled photon pairs. The setup, depicted

pensate passively for this effect either using additional

in Fig. 21, is similar to the scheme used for polarization

¬bers with opposite dispersion, or exploiting the inher-

coding based on faint pulses. A two-photon source emits

ent energy correlation of photon pairs.

pairs of entangled photons ¬‚ying back to back towards

Alice and Bob. Each photon is analyzed with a polariz-

ing beamsplitter whose orientation with respect to a

43

Photon-pair sources are often, though not always, pumped common reference system can be changed rapidly. The

continuously. In these cases, the time window determined by a results of two experiments were reported in the spring of

trigger detector and electronics de¬nes an effective pulse.

2000 (Jennewein, Simon, et al., 2000; Naik et al., 2000).

44

In the case of weak pulses, we saw that a full round trip

Both used photon pairs at a wavelength of 700 nm,

together with the use of Faraday mirrors circumvents the prob-

which were detected with commercial single-photon de-

lem (see Sec. IV.C.2). However, since the channel loss on the

tectors based on silicon APD™s. To create the photon

way from the source to the Faraday mirror inevitably increases

pairs, both groups took advantage of parametric down-

the fraction of empty pulses, the main advantage of photon

conversion in one or two -BaB2 O4 (BBO) crystals

pairs vanishes in such a con¬guration.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

177

Gisin et al.: Quantum cryptography

FIG. 22. Principle of phase-

coding quantum cryptography

using energy-time-entangled

photon pairs.

pumped by an argon-ion laser. The analyzers consisted In spite of their qualities, it would be dif¬cult to re-

of fast modulators that were used to rotate the polariza- produce these experiments over distances of more than

tion state of the photons, in front of polarizing beam- a few kilometers of optical ¬ber. As mentioned in the

splitters. introduction to this section, polarization is indeed not

The group of Anton Zeilinger, then at the University robust enough to avoid decoherence in optical ¬bers. In

of Innsbruck, demonstrated such a cryptosystem, includ- addition, the polarization state transformation induced

ing error correction, over a distance of 360 m (Jenne- by an installed ¬ber frequently ¬‚uctuates, making an ac-

wein, Simon, et al., 2000). Inspired by a test of Bell™s tive alignment system absolutely necessary. Neverthe-

inequalities performed with the same setup a year ear- less, these experiments are very interesting in the con-

lier (Weihs et al., 1998), they positioned the two-photon text of free-space QC.

source near the center between the two analyzers. Spe-

cial optical ¬bers, designed for guiding only a single

B. Energy-time entanglement

mode at 700 nm, were used to transmit the photons to

the two analyzers. The results of the remote measure- 1. Phase coding

ments were recorded locally, and the processes of key

Another class of experiments takes advantage of

sifting and error correction were implemented at a later

energy-time-entangled photon pairs. The idea originates

stage, long after the distribution of the qubits. Two dif-

from an arrangement proposed by Franson in 1989 to

ferent protocols were implemented: one based on Wig-

test Bell™s inequalities. As we shall see below, it is com-

ner™s inequality (a special form of Bell™s inequalities) and

parable to the double Mach-Zehnder con¬guration dis-

the other based on BB84.

cussed in Sec. IV.C.1. A source emits pairs of energy-

The group of Paul Kwiat, then at Los Alamos Na-

correlated photons, that were created at exactly the

tional Laboratory, demonstrated the Ekert protocol

same (unknown) time (see Fig. 22). This can be achieved

(Naik et al., 2000). This experiment was a table-top re-

by pumping a nonlinear crystal with a pump of long co-

alization in which the source and the analyzers were

herence time. The pairs of downconverted photons are

separated by only a few meters. The quantum channel

then split, and one photon is sent to each party down

consisted of a short free-space distance. In addition to

quantum channels. Both Alice and Bob possess a widely

performing QC, the researchers simulated different

but identically unbalanced Mach-Zehnder interferom-

eavesdropping strategies. As predicted by theory, they

eter, with photon-counting detectors connected to the

observed a rise in the QBER with an increase of the

outputs. Locally, if Alice or Bob change the phase of

information obtained by the eavesdropper. Moreover,

their interferometer, no effect on the count rates is ob-

they have also recently implemented the six-state proto-

served, since the imbalance prevents any single-photon

col described in Sec. II.D.2 and observed the predicted

interference. Looking at the detection time at Bob™s end

QBER increase to 33% (Enzer et al., 2001).

with respect to the arrival time at Alice™s end, three dif-

The main advantage of polarization entanglement is

ferent values are possible for each combination of detec-

that analyzers are simple and ef¬cient. It is therefore

tors. The different possibilities in a time spectrum are

relatively easy to obtain high contrast. Naik and co-

shown in Fig. 22. First, both photons can propagate

workers, for example, measured a polarization extinc-

through the short arms of the interferometers. Second,

tion of 97%, mainly limited by electronic imperfections

one can take the long arm at Alice™s end, while the other

of the fast modulators. This amounts to a QBERopt con-

one takes the short one at Bob™s, or vice versa. Finally,

tribution of only 1.5%. In addition, the constraint on the

both photons can propagate through the long arms.

coherence length of the pump laser is not very stringent

When the path differences of the interferometers are

(note that, if it is shorter than the length of the crystal,

matched to within a fraction of the coherence length of

some dif¬culties can arise, but we will not go into these

the downconverted photons, the short-short and the

here).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

178 Gisin et al.: Quantum cryptography

FIG. 24. Quantum cryptography system exploiting photons en-

FIG. 23. System for quantum cryptography based on phase-

tangled in energy-time and active basis choice. Note the simi-

coding entanglement: APD, avalanche photodiode. The pho-

larity to the faint-laser double Mach-Zehnder implementation

tons choose their bases randomly at Alice and Bob™s couplers.

depicted in Fig. 16.

long-long processes are indistinguishable, provided that

the coherence length of the pump photon is larger than 2001). It was the ¬rst experiment in which an asymmet-

the path-length difference. Conditioning detection ric setup optimized for QC was used instead of a system

only on the central time peak, one observes two- designed for tests of Bell™s inequality, with a source lo-

photon interferences”nonlocal quantum correlations cated midway between Alice and Bob (see Fig. 25). The

(Franson, 1989)45”that depend on the sum of the rela- two-photon source (a KNbO3 crystal pumped by a

tive phases in Alice™s and Bob™s interferometers (see Fig. doubled Nd-YAG laser) provided energy-time-

22). The phases of Alice™s and Bob™s interferometers can, entangled photons at nondegenerate wavelengths”one

for example, be adjusted so that both photons always at around 810 nm, the other centered at 1550 nm. This

emerge from the same output port. It is then possible to choice allowed the use of high-ef¬ciency silicon-based

exchange bits by associating values with the two ports. single-photon counters featuring low noise to detect the

This, however, is insuf¬cient. A second measurement ba- photons of the lower wavelength. To avoid the high

sis must be implemented to ensure security against transmission losses at this wavelength in optical ¬bers,

eavesdropping attempts. This measurement can be the distance between the source and the corresponding

made, for example, by adding a second interferometer analyzer was very short, of the order of a few meters.

to the systems (see Fig. 23). In this case, when reaching The other photon, at the wavelength where ¬ber losses

an analyzer, a photon chooses randomly to go to one or are minimal, was sent via an optical ¬ber to Bob™s inter-

the other interferometer. The second set of interferom- ferometer and then detected by InGaAs APD™s. The de-

eters can also be adjusted to yield perfect correlations coherence induced by chromatic dispersion was limited

between output ports. The relative phases between their by the use of dispersion-shifted optical ¬bers (see Sec.

arms should, however, be chosen so that when the pho- III.B.3).

tons go to interferometers that are not associated with Implementing the BB84 protocol in the manner dis-

each other, the outcomes are completely uncorrelated. cussed above, with a total of four interferometers, is dif-

Such a system features passive state preparation by ¬cult. Indeed, they must be aligned and their relative

Alice, yielding security against multiphoton splitting at- phase kept accurately stable during the whole key distri-

tacks (see Sec. VI.J). In addition, it also features a pas- bution session. To simplify this problem, we devised

sive basis choice by Bob, which constitutes an elegant birefringent interferometers with polarization multiplex-

solution: neither a random-number generator nor an ac- ing of the two bases. Consequently the constraint on the

tive modulator are necessary. It is nevertheless clear that stability of the interferometers was equivalent to that

QBERdet and QBERacc [de¬ned in Eq. (33)] are encountered in the faint-pulse double Mach-Zehnder

doubled, since the number of activated detectors is twice system. We obtained interference visibilities typically of

as high. This disadvantage is not as important as it ¬rst 92%, yielding in turn a QBERopt contribution of about

appears, since the alternative, a fast modulator, intro- 4%. We demonstrated QC over a transmission distance

duces losses close to 3 dB, also resulting in an increase of 8.5 km in a laboratory setting using a ¬ber on a spool

of these error contributions. The striking similarity be- and generated several megabits of key in hour-long ses-

tween this scheme and the double Mach-Zehnder ar-

rangement discussed in the context of faint laser pulses

in Sec. IV.C.1 is obvious when one compares Figs. 24

and 16.

This scheme was realized in the ¬rst half of 2000 by

our group at the University of Geneva (Ribordy et al.,

45

The imbalance of the interferometers must be large enough

so that the middle peak can easily be distinguished from the

satellite ones. This minimal imbalance is determined by the

FIG. 25. Schematic diagram of the ¬rst system designed and

convolution of the detector™s jitter (tens of picoseconds), the

optimized for long-distance quantum cryptography and ex-

electronic jitter (from tens to hundreds of picoseconds), and

the single-photon coherence time ( 1 ps). ploiting phase coding of entangled photons.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

179

Gisin et al.: Quantum cryptography

pump and A for Alice™s photon.46 However, the charac-

terization of the complete photon pair is still ambiguous,

since, at this point, the path of the photon that has trav-

eled to Bob (short or long in his interferometer) is un-

known to Alice. Figure 26 illustrates all processes lead-

ing to a detection in the different time slots both at

Alice™s and at Bob™s detector. Obviously, this reasoning

holds for any combination of two detectors. In order to

build up the secret key, Alice and Bob now publicly

agree about the events when both detected a photon in

one of the satellite peaks”without revealing in which

one”or both in the central peak”without revealing in

which detector. This procedure corresponds to key sift-

ing. For instance, in the example discussed above, if Bob

tells Alice that he has detected his photon in a satellite

peak, she knows that it must have been the left peak.

FIG. 26. Schematics of quantum cryptography using

This is because the pump photon has traveled via the

entangled-photon phase-time coding.

short arm, hence Bob can detect his photon either in the

left satellite or in the central peak. The same holds for

sions. This is the longest span realized to date for QC Bob, who now knows that Alice™s photon traveled via

with photon pairs. the short arm in her interferometer. Therefore, in the

As already mentioned, it is essential for this scheme to case of joint detection in a satellite peak, Alice and Bob

have a pump laser whose coherence length is longer must have correlated detection times. Assigning a bit

than the path imbalance of the interferometers. In addi- value to each side peak, Alice and Bob can exchange a

tion, its wavelength must remain stable during a key ex- sequence of correlated bits.

change session. These requirements imply that the pump The cases where both ¬nd the photon in the central

laser must be somewhat more elaborate than in the case time slot are used to implement the second basis. They

of polarization entanglement. correspond to the s P , l A l B and l P , s A s B possi-

bilities. If these are indistinguishable, one obtains two-

2. Phase-time coding photon interferences, exactly as in the case discussed in

the previous section on phase coding. Adjusting the

We have mentioned in Sec. IV.C that states generated

phases and keeping them stable, one can use the perfect

by two-path interferometers are two-level quantum sys-

correlations between output ports chosen by the pho-

´

tems. They can also be represented on a Poincare

tons at Alice™s and Bob™s interferometers to establish the

sphere. The four states used for phase coding in the pre-

key bits in this second basis.

vious section would lie equally distributed on the equa-

Phase-time coding has recently been implemented in a

tor of the sphere. The coupling ratio of the beamsplitter

laboratory experiment by our group (Tittel et al., 2000)

is 50%, and a phase difference is introduced between

and was reported at the same time as the two polariza-

the components propagating through either arm. In

tion entanglement-based schemes mentioned above. A

principle, the four-state protocol can be equally well

contrast of approximately 93% was obtained, yielding a

implemented with only two states on the equator and

QBERopt contribution of 3.5%, similar to that obtained

two others on the poles. In this section, we present a

with the phase-coding scheme. This experiment will be

system exploiting such a set of states. Proposed by our

repeated over long distances, since losses in optical ¬-

group in 1999 (Brendel et al., 1999), the scheme follows

bers are low at the downconverted photon wavelength

in principle the Franson con¬guration described in the

(1300 nm).

context of phase coding. However, it is based on a

An advantage of this setup is that coding in the time

pulsed source emitting entangled photons in so-called

basis is particularly stable. In addition, the coherence

energy-time Bell states (Tittel et al., 2000). The emission

length of the pump laser is no longer critical. However, it

time of the photon pair is therefore given by a superpo-

is necessary to use relatively short pulses ( 500 ps)

sition of only two discrete terms, instead of by a wide

powerful enough to induce a signi¬cant downconversion

and continuous range bounded only by the long coher-

probability.

ence length of the pump laser (see Sec. V.B.1).

Phase-time coding, as discussed in this section,

Consider Fig. 26. If Alice registers the arrival times of

can also be realized with faint laser pulses (Bechmann-

the photons with respect to the emission time of the

Pasquinucci and Tittel, 2000). The one-photon con¬gu-

pump pulse t 0 , she ¬nds the photons in one of three

ration has so far never been realized. It would be similar

time slots (note that she has two detectors to take into

to the double Mach-Zehnder setup discussed in Sec.

account). For instance, detection of a photon in the ¬rst

IV.C.1, but with the ¬rst coupler replaced by an active

slot corresponds to the pump photon™s having traveled

via the short arm and the downconverted photon™s hav-

ing traveled via the short arm. To keep it simple, we

46

refer to this process as s P , s A , where P stands for the Note that it does not constitute a product state.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

180 Gisin et al.: Quantum cryptography

analysis of eavesdropping on a quantum channel has yet

switch. For the time basis, Alice would set the switch

to be achieved. In this section we review some of the

either to full transmission or to full re¬‚ection, while for

problems and solutions, without any claim for math-

the energy basis she would set it at 50%. This illustrates

ematical rigor or complete coverage of the huge and

how research on photon pairs can yield advances on

rapidly evolving literature.

faint-pulse systems.

The general objective of eavesdropping analysis is to

¬nd ultimate and practical proofs of security for some

3. Quantum secret sharing

quantum cryptosystems. ˜˜Ultimate proofs™™ guarantee

In addition to QC using phase-time coding, we used security against entire classes of eavesdropping attacks,

the setup depicted in Fig. 26 for the ¬rst proof-of- even if Eve uses not only the best of today™s technology,

principle demonstration of quantum secret sharing”the but any conceivable future technology. These proofs

generalization of quantum key distribution to more than take the form of theorems, with clearly stated assump-

two parties (Tittel et al., 2001). In this new application of tions expressed in mathematical terms. In contrast, prac-

quantum communication, Alice distributes a secret key tical proofs deal with some actual pieces of hardware

to two other users, Bob and Charlie, in such a way that and software. There is thus a tension between ˜˜ulti-

neither Bob nor Charlie alone has any information mate™™ and ˜˜practical™™ proofs. Indeed, the former favor

about the key, but together they have full information. general abstract assumptions, whereas the latter concen-

trate on physical implementations. Nevertheless, it is

As in traditional QC, an eavesdropper trying to get

worth ¬nding such proofs. In addition to the security

some information about the key creates errors in the

issue, they provide illuminating lessons for our general

transmission data and thus reveals her presence. The

understanding of quantum information.

motivation behind quantum secret sharing is to guaran-

In the ideal game Eve has perfect technology: she is

tee that Bob and Charlie cooperate”one of them might

limited only by the laws of quantum mechanics, but not

be dishonest”in order to obtain a given piece of infor-

at all by current technology.47 In particular, Eve cannot

mation. In contrast with previous proposals using three-

clone qubits, as this is incompatible with quantum dy-

™

particle Greenberger-Horne-Zeilinger states (Zukowski

namics (see Sec. II.C.2), but she is free to use any uni-

et al., 1998; Hillery et al., 1999), pairs of entangled pho-

tary interaction between one or several qubits and an

tons in so-called energy-time Bell states were used to

auxiliary system of her choice. Moreover, after the inter-

mimic the necessary quantum correlation of three en-

action, Eve may keep her auxiliary system unperturbed,

tangled qubits, although only two photons exist at the

in complete isolation from the environment, for an arbi-

same time. This is possible because of the symmetry be- trarily long time. Finally, after listening to all the public

tween the preparation device acting on the pump pulse discussion between Alice and Bob, she can perform the

and the devices analyzing the downconverted photons. measurement of her choice on her system, being again

Therefore the emission of a pump pulse can be consid- limited only by the laws of quantum mechanics. One

ered as the detection of a photon with 100% ef¬ciency, assumes further that all errors are due to Eve. It is

and the scheme features a much higher coincidence rate tempting to assume that some errors are due to Alice™s

than that expected with the initially proposed ˜˜triple- and Bob™s instruments, and this probably makes sense in

photon™™ schemes. practice. However, there is the danger of Eve™s replacing

them with higher-quality instruments (see the next sec-

tion).

VI. EAVESDROPPING

In the next section we elaborate on the most relevant

differences between the above ideal game (ideal espe-

A. Problems and objectives

cially from Eve™s point of view) and real systems. Next,

we return to the idealized situation and present several

After the qubit exchange and basis reconciliation, Al-

eavesdropping strategies, starting from the simplest, in

ice and Bob each have a sifted key. Ideally, these keys

which explicit formulas can be written down, and ending

are identical. But in real life, there are always some er-

with a general abstract security proof. Finally, we discuss

rors, and Alice and Bob must apply some classical infor-

practical eavesdropping attacks and comment on the

mation processing protocols, like error correction and

complexity of a real system™s security.

privacy ampli¬cation to their data (see Sec. II.C.4). The

¬rst protocol is necessary to obtain identical keys and B. Idealized versus real implementation

the second to obtain a secret key. Essentially, the prob-

lem of eavesdropping is to ¬nd protocols which, given Alice and Bob use the technology available today.

that Alice and Bob can only measure the QBER, either This trivial remark has several implications. First, all

provide Alice and Bob with a veri¬ably secure key or

stop the protocol and inform the users that the key dis-

tribution has failed. This is a delicate problem at the 47

The question of whether QC would survive the discovery of

intersection of quantum physics and information theory.

the currently unknown validity limits of quantum mechanics is

Actually, it comprises several eavesdropping problems, interesting. Let us argue that it is likely that quantum mechan-

depending on the precise protocol, the degree of ideali- ics will always adequately describe photons at telecommunica-

zation one admits, the technological power one assumes tions and visible wavelengths, just as classical mechanics will

Eve has, and the assumed ¬delity of Alice and Bob™s always adequately describe the fall of apples, whatever the

equipment. Let us immediately stress that a complete future of physics may be.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

181

Gisin et al.: Quantum cryptography

real components are imperfect, so that the qubits are not ciency, and so on. Except for Sec. VI.K, in which this

assumption is discussed, we shall henceforth assume that

prepared and detected in the exact basis described by

Alice and Bob are isolated from Eve.

the theory. Moreover, a real source always has a ¬nite

probability of producing more than one photon. De-

pending on the details of the encoding device, all pho- C. Individual, joint, and collective attacks

tons carry the same qubit (see Sec. VI.J). Hence, in prin-

In order to simplify the problem, several eavesdrop-

ciple, Eve could measure the photon number without

ping strategies of limited generality have been de¬ned

perturbing the qubit. This scenario is discussed in Sec.

¨

(Lutkenhaus, 1996; Biham and Mor, 1997a, 1997b) and

VI.H. Recall that, ideally, Alice should emit single-qubit

analyzed. Of particular interest is the assumption that

photons, i.e., each logical qubit should be encoded in a

Eve attaches independent probes to each qubit and

single degree of freedom of a single photon.

measures her probes one after the other. This class of

On Bob™s side the ef¬ciency of his detectors is quite

attack is called the individual attack, or incoherent at-

limited and the dark counts (spontaneous counts not

tack. This important class is analyzed in Secs. VI.D and

produced by photons) are non-negligible. The limited

VI.E. Two other classes of eavesdropping strategies let

ef¬ciency is analogous to the losses in the quantum

Eve process several qubits coherently, hence the name

channel. The analysis of the dark counts is more deli-

coherent attacks. The most general coherent attacks are

cate, and no complete solution is known. Conservatively,

¨ called joint attacks, while an intermediate class assumes

Lutkenhaus (2000) assumes in his analysis that all dark

that Eve attaches one probe per qubit, as in individual

counts provide information to Eve. He also advises that,

attacks, but can measure several probes coherently, as in

whenever two detectors ¬re simultaneously (generally

coherent attacks. This intermediate class is called the

due to a real photon and a dark count), Bob should not

collective attack. It is not known whether this class is less

disregard such events but should choose a value at ran-

ef¬cient than the most general class, that of joint attacks.

dom. Note also that the different contributions of dark

It is also not known whether it is more ef¬cient than the

counts to the total QBER depend on whether Bob™s

simpler individual attacks. Actually, it is not even known

choice of basis is implemented using an active or a pas-

whether joint attacks are more ef¬cient than individual

sive switch (see Sec. IV.A).

ones.

Next, one usually assumes that Alice and Bob have

For joint and collective attacks, the usual assumption

thoroughly checked their equipment and that it is func-

is that Eve measures her probe only after Alice and Bob

tioning according to speci¬cations. This assumption is

have completed all public discussion about basis recon-

not unique to quantum cryptography but is critical, as

ciliation, error correction, and privacy ampli¬cation. For

Eve could be the actual manufacturer of the equipment.

the more realistic individual attacks, one assumes that

Classical cryptosystems must also be carefully tested,

Eve waits only until the basis reconciliation phase of the

like any commercial apparatus. Testing a cryptosystem is

public discussion.49 The motivation for this assumption

tricky, however, because in cryptography the client buys

is that one hardly sees what Eve could gain by waiting

con¬dence and security, two qualities dif¬cult to quan-

until after the public discussion on error correction and

tify. Mayers and Yao (1998) proposed using Bell™s in-

privacy ampli¬cation before measuring her probes, since

equality to test whether the equipment really obeys

she is going to measure them independently anyway.

quantum mechanics, but even this is not entirely satis-

Individual attacks have the nice feature that the prob-

factory. Interestingly, one of the most subtle loopholes in

lem can be entirely translated into a classical one: Alice,

all present-day tests of Bell™s inequality, the detection

Bob, and Eve all have classical information in the form

loophole, can be exploited to produce purely classical

of random variables , , and , respectively, and the

software mimicking all quantum correlations (Gisin and

laws of quantum mechanics impose constraints on the

Gisin, 1999). This illustrates once again the close con-

joint probability distribution P( , , ). Such classical

nection between practical issues in QC and philosophi-

scenarios have been widely studied by the classical cryp-

cal debates about the foundations of quantum physics.

tology community, and many of their results can thus be

Finally, one must assume that Alice and Bob are per-

directly applied.

fectly isolated from Eve. Without such an assumption

the entire game would be meaningless: clearly, Eve is

not allowed to look over Alice™s shoulder. However, this D. Simple individual attacks: Intercept-resend and

elementary assumption is again nontrivial. What if Eve measurement in the intermediate basis

uses the quantum channel connecting Alice to the out-

side world? Ideally, the channel should incorporate an The simplest attack for Eve consists in intercepting all

isolator48 to keep Eve from shining light into Alice™s out- photons individually, measuring them in a basis chosen

put port to examine the interior of her laboratory. Since randomly between the two bases used by Alice, and

all isolators operate only on a ¬nite bandwidth, there sending new photons to Bob prepared according to her

should also be a ¬lter, but ¬lters have only a ¬nite ef¬-

49

With today™s technology, it might even be fair to assume

48

Optical isolators, based on the Faraday effect, let light pass that in individual attacks Eve must measure her probe before

through in only one direction. the basis reconciliation.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

182 Gisin et al.: Quantum cryptography

FIG. 28. Eavesdropping on a quantum channel. Eve extracts

information from the quantum channel between Alice and

Bob at the cost of introducing noise into that channel.

´

FIG. 27. Poincare representation of the BB84 states and the

intermediate basis, also known as the Breidbart basis, that can Consequently, this strategy is less advantageous for Eve

be used by Eve.

than the intercept-resend strategy. Note however, that

with this strategy Eve™s probability of guessing the cor-

rect bit value is 85%, compared to only 75% in the

result. As presented in Sec. II.C.3 and assuming that the

intercept-resend case. This is possible because in the lat-

BB84 protocol is used, Eve thus gets 0.5 bits of informa-

ter case, Eve™s information is deterministic in half the

tion per bit in the sifted key, for an induced QBER of

cases, while in the former Eve™s information is always

25%. Let us illustrate the general formalism with this

probabilistic (formally, this results from the convexity of

simple example. Eve™s mean information gain on Alice™s

the entropy function).

bit, I( , ), equals their relative entropy decrease:

I , H a priori H a posteriori , (40)

E. Symmetric individual attacks

i.e., I( , ) is the number of bits one can save by writing

when knowing . Since the a priori probability for In this section we present in some detail how Eve

Alice™s bit is uniform, H a priori 1. The a posteriori en- could get the maximum Shannon information for a ¬xed

tropy has to be averaged over all possible results r that QBER, assuming a perfect single-qubit source and re-

Eve might get: stricting Eve to attacks on one qubit after the other (i.e.,

individual attacks). The motivation is that this idealized

Ha PrHir, (41) situation is rather simple to treat and nicely illustrates

posteriori

r

several of the subtleties of the subject. Here we concen-

trate on the BB84 four-state protocol; for related results

Hir P i r log2 P i r , (42) on the two-state and six-state protocols, see Fuchs and

i

Peres (1996) and Bechmann-Pasquinucci and Gisin

where the a posteriori probability of bit i, given Eve™s (1999), respectively.

result r, is given by Bayes™s theorem: The general idea of eavesdropping on a quantum

channel is as follows. When a qubit propagates from Al-

PriPi

ice to Bob, Eve can let a system of her choice, called a

Pir , (43)

Pr probe, interact with the qubit (see Fig. 28). She can

freely choose the probe and its initial state, but the sys-

with P(r) i P(r i)P(i). In the case of intercept re-

tem must obey the rules of quantum mechanics (i.e., be

send, Eve gets one out of four possible results: r

‘,“,←,’ . After the basis has been revealed, Alice™s described in some Hilbert space). Eve can also choose

input assumes one of two values: i ‘,“ (assuming the the interaction, but it should be independent of the qu-

‘“ basis was used, the other case is completely analo- bit state, and she should obey the laws of quantum me-

gous). One gets P(i ‘ r ‘) 1, P(i ‘ r ’) 2 , chanics; i.e., her interaction must be described by a uni-

1

tary operator. After the interaction a qubit has to go to

1 1 1 1 1

and P(r) 2 . Hence, I( , ) 1 2 h(1) 2 h( 2 ) 1 2

Bob (in Sec. VI.H we consider lossy channels, so that

1

2 [with h(p) p log2(p) (1 p)log2(1 p)].

Bob does not always expect a qubit, a fact that Eve can

Another strategy for Eve, no more dif¬cult to imple-

take advantage of). It makes no difference whether this

ment, consists in measuring the photons in the interme-

qubit is the original one (possibly in a modi¬ed state).

diate basis (see Fig. 27), also known as the Breidbart

Indeed, the question does not even make sense, since a

basis (Bennett, Bessette, et al., 1992). In this case the

qubit is nothing but a qubit. However, in the formalism

probability that Eve guesses the correct bit value is p

it is convenient to use the same Hilbert space for the

cos( /8) 2 2 &/4 0.854, corresponding to a

1

qubit sent by Alice as for the qubit received by Bob (this

QBER 2p(1 p) 25% and a Shannon information

is no loss of generality, since the swap operator”de¬ned

gain per bit of

by ’ for all , ”is unitary and could be ap-

I 1 Hp 0.399. (44) pended to Eve™s interaction).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

183

Gisin et al.: Quantum cryptography

0. (49)

‘ “ ‘ “

The ™s correspond to Eve™s state when Bob receives the

qubit undisturbed, while the ™s are Eve™s state when the

qubit is disturbed.

Let us emphasize that this is the most general unitary

interaction satisfying Eq. (46). One ¬nds that the shrink-

F D. Accordingly, if Alice

ing factor is given by

sends ‘ and Bob measures it in the compatible basis,

then ‘ Bob (m ) ‘ F is the probability that Bob gets

the correct result. Hence F is the ¬delity and D the

QBER.

Note that only four states span Eve™s relevant state

´

FIG. 29. Poincare representation of BB84 states in the event space. Hence Eve™s effective Hilbert space is at most

four dimensional, no matter how subtle she might be.51

of a symmetrical attack. The state received by Bob after the

interaction of Eve™s probe is related to the one sent by Alice by This greatly simpli¬es the analysis.

a simple shrinking factor. When the unitary operator U en- Symmetry requires that the attack on the other basis

tangles the qubit and Eve™s probe, Bob™s state [Eq. (46)] is satisfy

´

mixed and is represented by a point inside the Poincare

‘,0 “,0

sphere.

U ’,0 U (50)

&

Let HEve and C2 HEve be the Hilbert spaces of Eve™s

1

probe and of the total qubit probe system, respectively. ‘ “

‘ (51)

‘

&

If m , 0 , and U denote the qubit™s and the probe™s

initial states and the unitary interaction, respectively,

“ ‘

“) (52)

“

then the state of the qubit received by Bob is given by

’ ←

the density matrix obtained by tracing out Eve™s probe: ’, (53)

’

TrHEve U m ,0 m ,0 U † .

m (45) where

Bob

1

The symmetry of the BB84 protocol makes it very natu-

, (54)

’ ‘ ‘ “ “

ral to assume that Bob™s state is related to Alice™s m by 2

a simple shrinking factor50 0,1 (see Fig. 29):

1

1 m . (55)

’ ‘ ‘ “ “

2

m . (46)

Bob

2

Similarly,

Eavesdropping attacks that satisfy the above condition

1

are called symmetric-attacks.

, (56)

← ‘ ‘ “ “

Since the qubit state space is two dimensional, the 2

unitary operator is entirely determined by its action on

1

two states, for example, the ‘ and “ states (in this . (57)

← ‘ ‘ “ “

1

2

section we use spin- 2 notation for the qubits). After the

unitary interaction, it is convenient to write the states in Condition (46) for the ’ , ← basis implies that

the Schmidt form (Peres, 1997):

’ and ← ← . By proper choice of the phases,

’

U ‘,0 ‘ “ ‘ “ can be made real. By condition (49), “ is

‘, (47) ‘

‘

then also real. Symmetry implies that ’ ← Re. A

U “,0 “ ‘

“, (48)

“ straightforward computation concludes that all scalar

products among Eve™s states are real and that the ™s

where the four states ‘ , “ , ‘ , and “ belong to the

Hilbert space of Eve™s probe HEve and satisfy ‘ ‘ and generate a subspace orthogonal to the ™s:

F and ‘ 2

2 2 2

“ . By symmetry

“ ‘ “ “ 0. (58)

‘ “ “ ‘

D. Unitarity imposes F D 1 and

F, i.e., that the shrinking is the

2

Finally, using ’

same for all states, one obtains a relation between the

probe states™ overlap and the ¬delity:

50

Fuchs and Peres were the ¬rst to derive the result presented

in this section, using numerical optimization. Almost simulta-

neously, it was derived by Robert Grif¬ths and his student

51

Chi-Sheng Niu under very general conditions, and by Nicolas Actually, Niu and Grif¬ths (1999) showed that two-

Gisin using the symmetry argument presented here. These ¬ve dimensional probes suf¬ce for Eve to get as much information

authors joined forces to produce a single paper (Fuchs et al., as with the strategy presented here, though in their case the

1997). The result of this section is thus also valid without this attack is not symmetric (one basis is more disturbed than the

symmetry assumption. other).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

184 Gisin et al.: Quantum cryptography

ˆ‘ ˆ“

1

F , (59)

ˆ‘ ˆ“ ˆ‘ ˆ“

2

where the hats denote normalized states, e.g., ˆ ‘

‘D

1/2

.

Consequently the entire class of symmetric individual

attacks depends only on two real parameters:52 cos(x)

ˆ ‘ ˆ “ and cos(y) ˆ ‘ ˆ “ .

Thanks to symmetry, it suf¬ces to analyze this sce-

nario for the case when Alice sends the ‘ state and

Bob measures in the ‘,“ basis (if not, Alice, Bob, and

Eve disregard the data). Since Eve knows the basis, she

knows that her probe is in one of the following two

mixed states:

FIG. 30. Eve™s and Bob™s information vs the QBER, here plot-

‘ FP DP , (60)

‘ ‘

Eve ted for incoherent eavesdropping on the four-state protocol.

For QBER™s below QBER0 , Bob has more information than

“ FP DP . (61)

“ “

Eve

Eve, and secret-key agreement can be achieved using classical

An optimum measurement strategy for Eve to distin- error correction and privacy ampli¬cation, which can, in prin-

guish between Eve (‘) and Eve (“) consists in ¬rst de- ciple, be implemented using only one-way communication.

termining whether her state is in the subspace generated The secret-key rate can be as large as the information differ-

by ‘ and “ or the one generated by ‘ and “ . This is ences. For QBER™s above QBER0 ( D0 ), Bob has a disad-

possible, since the two subspaces are mutually orthogo- vantage with respect to Eve. Nevertheless, Alice and Bob can

nal. Eve must then distinguish between two pure states apply quantum privacy ampli¬cation up to the QBER corre-

with an overlap of either cos x or cos y. The ¬rst alterna- sponding to the intercept-resend eavesdropping strategies (IR4

tive occurs with probability F, the second with probabil- and IR6 for the four-state and six-state protocols, respectively).

ity D. The optimal measurement distinguishing two Alternatively, they can apply a classical protocol called advan-

states with overlap cos x is known to provide Eve with tage distillation, which is effective up to precisely the same

the correct guess with probability 1 sin(x) /2 (Peres, maximal QBER IR4 and IR6 . Both the quantum and the clas-

1997). Eve™s maximal Shannon information, attained sical protocols require two-way communication. Note that for

when she performs the optimal measurements, is thus the eavesdropping strategy that will be optimal, from Eve

Shannon point of view, on the four-state protocol, QBER0

given by

should correspond precisely to the noise threshold above

1 sin x which a Bell™s inequality can no longer be violated.

F• 1 h

I ,

2

1 sin y Once Alice, Bob, and Eve have measured their quan-

D• 1 h , (62)

2 tum systems, they are left with classical random vari-

ables , , and , respectively. Secret-key agreement be-

where h(p) p log2(p) (1 p)log2(1 p). For a given

tween Alice and Bob is then possible using only error

error rate D, this information is maximal when x y.

correction and privacy ampli¬cation if and only if the

Consequently, for D 1 cos(x) /2, one obtains:

Alice-Bob mutual Shannon information I( , ) is

1 sin x greater than the Alice-Eve or the Bob-Eve mutual

I max , 1h . (63)

information,53 I( , ) I( , ) or I( , ) I( , ). It is

2

thus interesting to compare Eve™s maximal information

This provides the explicit and analytic optimum eaves-

[Eq. (64)] with Bob™s Shannon information. The latter

dropping strategy. For x 0 the QBER (i.e., D) and the

depends only on the error rate D:

information gain are both zero. For x /2 the QBER is

1

2 and the information gain 1. For small QBER™s, the 1 hD

I , (65)

information gain grows linearly:

1 D log2 D 1 D log2 1 D . (66)

2

D OD

max 2

I , 2.9D. (64) Bob™s and Eve™s information are plotted in Fig. 30. As

ln 2

expected, for low error rates D, Bob™s information is

greater. But, more errors provide Eve with more infor-

52

Interestingly, when the symmetry is extended to a third

maximally conjugated basis, as is natural in the six-state pro-

53

Note, however, that if this condition is not satis¬ed, other

tocol of Sec. II.D.2, the number of parameters reduces to one.

protocols might sometimes be used; see Sec. II.C.5. These pro-

This parameter measures the relative quality of Bob™s and

tocols are signi¬cantly less ef¬cient and are usually not consid-

Eve™s ˜˜copy™™ of the qubit sent by Alice. When both copies are

ered as part of ˜˜standard™™ QC. Note also that, in the scenario

of equal quality, one recovers the optimal cloning presented in

analyzed in this section, I( , ) I( , ).

Sec. II.F (Bechmann-Pasquinucci and Gisin, 1999).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

185

Gisin et al.: Quantum cryptography

mation, while decreasing Bob™s information. Hence both or equivalently if some perturbing Eve acts on the chan-

information curves cross at a speci¬c error rate D0 : nel, then the quantum correlation E(a,b D) is reduced:

1 1/& E a,b D F•E a,b D•E a,b (70)

”D D0

I max

I , , 15%. (67)

2

1 2D •E a,b , (71)

Consequently the security criterion against individual at-

tacks for the BB84 protocol is

where E(a,b) denotes the correlation for the unper-

turbed channel. The achievable amount of violation is

1 1/&

BB84 secure”D D0 then reduced to S max(D) (1 2D)2&, and for large

. (68)

2 perturbations no violation at all can be achieved. Inter-

estingly, the critical perturbation D up to which a viola-

For QBER™s greater than D0 , no (one-way communi- tion can be observed is precisely the same D0 as the limit

cation) error correction and privacy ampli¬cation proto- derived in the previous section for the security of the

col can provide Alice and Bob with a secret key that is BB84 protocol:

immune to any individual attacks.

Let us mention that there exists a class of more gen-

1 1/&

eral classical protocols, called advantage distillation (Sec. S max D 2”D D0 . (72)

2

II.C.5), which uses two-way communication. These pro-

tocols can guarantee secrecy if and only if Eve™s inter-

vention does not disentangle Alice and Bob™s qubits (as- This is a surprising and appealing connection between

suming they use the Ekert version of the BB84 protocol; the security of QC and tests of quantum nonlocality.

Gisin and Wolf, 2000). If Eve optimizes her Shannon One could argue that this connection is quite natural,

information as discussed in this section, this disentangle- since, if Bell™s inequality were not violated, then quan-

ment limit corresponds to a QBER 1 1/& 30% (Gi- tum mechanics would be incomplete, and no secure

sin and Wolf, 1999). However, using more brutal strate- communication could be based on such an incomplete

gies, Eve can disentangle Alice and Bob™s qubits for a theory. In some sense, Eve™s information is like probabi-

QBER of 25%; see Fig. 30. The latter is thus the abso- listic local hidden variables. However, the connection

lute upper limit, taking into account the most general between Eqs. (68) and (72) has not been generalized to

secret-key protocols. In practice, the limit (67) is more other protocols. A complete picture of these connec-

realistic, since advantage distillation algorithms are tions is thus not yet available.

much less ef¬cient than classical privacy ampli¬cation Let us emphasize that nonlocality plays no direct role

algorithms. in QC. Indeed, Alice is generally in Bob™s absolute past.

Nevertheless, Bell™s inequality can be violated by space-

F. Connection to Bell™s inequality like separated events as well as by timelike separated

events. However, the independence assumption neces-

There is an intriguing connection between the tight- sary to derive Bell™s inequality is justi¬ed by locality con-

bound [Eq. (68)] and the Clauser-Horne-Shimony-Holt siderations only for spacelike separated events.

(CHSH) form of Bell™s inequality (Bell, 1964; Clauser

et al., 1969; Clauser and Shimony, 1978; Zeilinger, 1999):

S Ea E a,b E a ,b E a ,b 2. (69)

G. Ultimate security proofs

Here E(a,b) is the correlation between Alice and Bob™s

data when measuring a 1 and 1 b , where a de- The security proof of QC with a perfect apparatus and

notes an observable with eigenvalues 1 parametrized a noise-free channel is straightforward. However, the

by the label a. Recall that Bell™s inequalities are neces- fact that security can still be proven for an imperfect

sarily satis¬ed by all local models but are violated by apparatus and noisy channels is far from obvious.

quantum mechanics.54 To establish this connection, as- Clearly, something has to be assumed about the appara-

sume that the same quantum channel is used to test tus. In this section we simply make the hypothesis that

Bell™s inequality. It is well known that, for error-free they are perfect. For the channel that is not under Alice

channels, a maximal violation by a factor & is achiev- and Bob™s control, however, nothing is assumed. The

question is then Up to what QBER can Alice and Bob

able: S max 2& 2. However, if the channel is imperfect,

apply error correction and privacy ampli¬cation to their

classical bits? In the previous sections we found that the

threshold is close to a QBER of 15%, assuming indi-

vidual attacks. In principle Eve could manipulate several

54

Let us stress that the CHSH-Bell™s inequality is the stron-

qubits coherently. How much help to Eve this possibility

gest possible for two qubits. Indeed, this inequality is violated

provides is still unknown, though some bounds are

if and only if the correlation cannot be reproduced by a local

known. In 1996, Dominic Mayers (1996b) presented the

hidden-variable model (Pitowski, 1989).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

186 Gisin et al.: Quantum cryptography

main ideas on how to prove security.55 In 1998, two ma-

jor papers were made public on the Los Alamos archives

(Mayers, 1998, and Lo and Chau, 1999). Today, these

proofs are generally considered valid, thanks to the

work of”among others”Shor and Preskill (2000), In-

amori et al. (2001), and Biham et al. (1999). However, it

is worth noting that during the ¬rst few years after the

initial disclosure of these proofs, hardly anyone in the

community understood them.

Here we shall present the argument in a form quite

different from the original proofs. Our presentation

aims at being transparent in the sense that it rests on two

theorems. The proofs of the theorems are dif¬cult and FIG. 31. Intuitive illustration of Theorem 1. The initial situa-

will be omitted. However, their claims are easy to under- tion is depicted in (a). During the one-way public discussion

stand and rather intuitive. Once one accepts the theo- phase of the protocol, Eve receives as much information as

rems, the security proof is straightforward. Bob; the initial information difference thus remains. After

The general idea is that at some point Alice, Bob, and error correction, Bob™s information equals 1, as illustrated in

Eve perform measurements on their quantum systems. (b). After privacy ampli¬cation Eve™s information is zero. In

The outcomes provide them with classical random vari- (c) Bob has replaced with random bits all bits to be disre-

garded. Hence the key still has its original length, but his in-

ables , , and , respectively, with P( , , ) the joint

formation has decreased. Finally, in (d) removal of the random

probability distribution. The ¬rst theorem, a standard of

bits shortens the key to the initial information difference. Bob

classical information-based cryptography, states the nec-

has full information on this ¬nal key, while Eve has none.

essary and suf¬cient condition on P( , , ) for Alice

´

and Bob to extract a secret key from P( , , ) (Csiszar

¨

and Korner, 1978). The second theorem is a clever ver- Since error correction and privacy ampli¬cation can be

sion of Heisenberg™s uncertainty relation expressed in implemented using only one-way communication, Theo-

terms of available information (Hall, 1995): it sets a rem 1 can be understood intuitively as follows. The ini-

bound on the sum of the information about Alice™s key tial situation is depicted in Fig. 31(a). During the public

available to Bob and to Eve. phase of the protocol, because of the one-way commu-

Theorem 1. For a given P( , , ), Alice and Bob can nication, Eve receives as much information as Bob. The

establish a secret key (using only error correction and initial information difference thus remains. After error

classical privacy ampli¬cation) if and only if I( , ) correction, Bob™s information equals 1, as illustrated in

I( , ) or I( , ) I( , ), where I( , ) H( ) Fig. 31(b). After privacy ampli¬cation Eve™s information

H( ) denotes the mutual information and H is the is zero. In Fig. 31(c) Bob has replaced all bits to be

Shannon entropy. disregarded by random bits. Hence the key still has its

Theorem 2. Let E and B be two observables in an original length, but his information has decreased. Fi-

N-dimensional Hilbert space. Let , , , and be nally, upon removal of the random bits, the key is short-

the corresponding eigenvalues and eigenvectors, respec- ened to the initial information difference ; see Fig.

tively, and let c max , . Then 31(d). Bob has full information about this ¬nal key,

while Eve has none.

I , I , 2 log2 Nc , (73)

The second theorem states that if Eve performs a

where I( , ) H( ) H( ) and I( , ) H( ) measurement providing her with some information

H( ) are the entropy differences corresponding to I( , ), then, because of the perturbation, Bob™s infor-

the probability distribution of the eigenvalues prior to mation is necessarily limited. Using these two theorems,

and deduced from any measurement by Eve and Bob, the argument now runs as follows. Suppose Alice sends

respectively. out a large number of qubits and that n are received by

The ¬rst theorem states that Bob must have more in- Bob in the correct basis. The relevant Hilbert space™s

formation about Alice™s bits than does Eve (see Fig. 31).

dimension is thus N 2 n . Let us relabel the bases used

for each of the n qubits such that Alice uses n times the

x basis. Hence Bob™s observable is the n-time tensor

55

product x ¯ x . By symmetry, Eve™s optimal infor-

One of the authors (N.G.) vividly remembers the 1996 In-

stitute for Scienti¬c Interchange workshop in Torino, Italy, mation about the correct bases is precisely the same as

sponsored by Elsag Bailey, where he ended his talk by stress- her optimal information about the incorrect ones (May-

ing the importance of security proofs. Dominic Mayers stood

ers, 1998). Hence one can bound her information, as-

up, gave some explanation, and wrote a formula on a transpar-

z ¯ z . Accordingly, c

suming she measures

ency, claiming that this was the result of his proof. We think it n/2

2 , and Theorem 2 implies

is fair to say that no one in the audience understood Mayers™

explanation. However, N.G. kept the transparency, and it con- 2 log2 2 n 2 n/2

I , I , n. (74)

tains the basic Eq. (75) (up to a factor of 2, which corresponds

That is, the sum of Eve™s and Bob™s information per qu-

to an improvement of Mayer™s result obtained in 2000 by Shor

bit is less than or equal to 1. This result is quite intuitive:

and Preskill, using ideas from Lo and Chau).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

187

Gisin et al.: Quantum cryptography

degree of freedom encoding the qubits.56 Such measure-

together, Eve and Bob cannot receive more information

than is sent out by Alice! Next, combining the bound ments are sometimes called quantum nondemolition

(74) with Theorem 1, one deduces that a secret key is measurements, because they do not perturb the qubit; in

particular they do not destroy the photons. This is pos-

achievable whenever I( , ) n/2. Using I( , ) n 1

D log2(D) (1 D)log2(1 D) , one obtains the suf¬- sible because Eve knows in advance that Alice sends a

cient condition on the error rate D (i.e., the QBER): mixture of states with well-de¬ned photon numbers57

(see Sec. II.F). Next, if Eve ¬nds more than one photon,

1

D log2 D 1 D log2 1 D she keeps one and sends the other(s) to Bob. In order to

, (75)

2 prevent Bob from detecting a lower qubit rate, Eve must

use a channel with lower losses. Using an ideally lossless

i.e., D 11%.

quantum channel, Eve can even, under certain condi-

This bound, QBER 11%, is precisely that obtained

tions, keep one photon and increase the probability that

in Mayers™s proof (after improvement by Shor and

pulses with more than one photon get to Bob! Finally,

Preskill, 2000). The above proof is, strictly speaking,

when Eve ¬nds one photon, she may destroy it with

only valid if the key is much longer than the number of

some probability that she does not affect the total num-

qubits that Eve attacks coherently, so that the Shannon

ber of qubits received by Bob. Consequently, if the prob-

information we used represents averages over many in-

ability that a nonempty pulse has more than one photon

dependent realizations of classical random variables. In

(on Alice™s side) is greater than the probability that a

other words, assuming that Eve can coherently attack a

nonempty pulse is detected by Bob, then Eve can get

large but ¬nite number n 0 of qubits, Alice and Bob can

full information without introducing any perturbation.

use the above proof to secure keys much longer than n 0

This is possible only when the QC protocol is not per-

bits. If one assumes that Eve has unlimited power and is

fectly implemented, but it is a realistic situation (Hutt-

able to attack coherently any number of qubits, then the

ner et al., 1995; Yuen, 1997).

above proof does not apply, but Mayers™s proof can still

Quantum nondemolition atacks have recently re-

be used and provides precisely the same bound.

¨

ceived a lot of attention (Brassard et al., 2000; Lutken-

This 11% bound for coherent attacks is clearly com-

haus, 2000). The debate is not yet settled. We would like

patible with the 15% bound found for individual attacks.

to argue that it might be unrealistic, or even unphysical,

The 15% bound is also necessary, since an explicit eaves-

to assume that Eve can perform ideal quantum non-

dropping strategy reaching this bound is presented in

demolition attacks. Indeed, she ¬rst needs the capacity

Sec. VI.E. It is not known what happens in the interme-

to perform quantum nondemolition photon-number

diate range 11% QBER 15%, but the following sce-

measurements. Although impossible with today™s tech-

nario is plausible. If Eve is limited to coherent attacks

nology, this is a reasonable assumption (Nogues et al.,

on a ¬nite number of qubits, then in the limit of arbi-

1999). Next, she should be able to keep her photon until

trarily long keys, she has a negligibly small probability

Alice and Bob reveal the basis. In principle, this could

that the bits combined by Alice and Bob during the er-

be achieved using a lossless channel in a loop. We dis-

ror correction and privacy ampli¬cation protocols origi-

cuss this eventuality below. Another possibility would be

nate from qubits attacked coherently. Consequently, the

for Eve to map her photon to a quantum memory. This

15% bound would still be valid (partial results in favor

does not exist today but might well exist in the future.

of this conjecture can be found in Cirac and Gisin, 1997

Note that the quantum memory should have essentially

and Bechmann-Pasquinucci and Gisin, 1999). However,

unlimited decoherence time, since Alice and Bob could

if Eve has unlimited power, in particular, if she can co-

easily wait for minutes before revealing the bases.58 Fi-

herently attack an unlimited number of qubits, then the

nally, Eve must access a lossless channel, or at least a

11% bound might be required.

channel with lower losses than that used by Alice and

To conclude this section, let us stress that the above

security proof applies equally to the six-state protocol

(Sec. II.D.2). It also extends in a straightforward

56

For polarization coding, this is quite clear, but for phase

fashion to protocols using larger alphabets (Bechmann-

coding one may think (incorrectly) that phase and photon

Pasquinucci and Peres, 2000; Bechmann-Pasquinucci

number are incompatible. However, the phase used for encod-

¨

and Tittel, 2000; Bourennane, Karlsson, and Bjorn, 2001;

ing is a relative phase between two modes. Whether these

¨

Bourennane, Karlsson, Bjorn, Gisin, and Cerf, 2001).

modes are polarization modes or correspond to different times

(determined, for example, by the relative length of interferom-

eters), does not matter.

57

Recall that a mixture of coherent states e i with a

random phase , as produced by lasers when no phase refer-

H. Photon number measurements and lossless channels ence is available, is equal to a mixture of photon number states

2 i

ei

n with Poisson statistics: 0e (d /2 )

In Sec. III.A we saw that all real photon sources have n 2

n 0( /n!) e n n , where .

a ¬nite probability of emittting more than one photon. If 58

The quantum part of the protocol could run continuously,

all emitted photons encode the same qubit, Eve can take storing large amounts of raw classical data, but the classical

advantage of this. In principle, she can ¬rst measure the part of the protocol, which processes these raw data, could

number of photons in each pulse without disturbing the take place just seconds before the key is used.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

188 Gisin et al.: Quantum cryptography

Bob. This might be the trickiest point. Indeed, besides

using a shorter channel, what can Eve do? Telecommu-

nications ¬bers are already at the physical limits of what

can be achieved (Thomas et al., 2000). The loss is almost

entirely due to Rayleigh scattering, which is unavoid-

¨

able: solve the Schrodinger equation in a medium with

inhomogeneities and you get scattering. When the inho-

mogeneities are due to the molecular stucture of the

medium, it is dif¬cult to imagine lossless ¬bers. The

FIG. 32. Realistic beamsplitter attack. Eve stops all pulses.

0.18-dB/km attenuation in silica ¬bers at 1550 nm is a

The two photon pulses have a 50% probability of being ana-

lower bound imposed by physics rather then

lyzed by the same analyzer. If this analyzer is compatible with

technology.59 Note that using air is not a viable solution,

the state prepared by Alice, then both photons are detected

since attenuation at telecommunications wavelengths is

with the same outcome; if not, there is a 50% chance that they

rather high. Vacuum, the only way to avoid Rayleigh are detected with the same outcome. Hence there is a prob-

scattering, also has limitations, due to diffraction, again 3

ability of 8 that Eve detects both photons with the same out-

an unavoidable physical phenomenon. In the end, it come. In such a case, and only in such a case, she resends a

seems that Eve has only two possibilities left. Either she 2

photon to Bob. In 3 of these cases she introduces no errors,

uses teleportation (with extremely high success prob- since she has identi¬ed the correct state and gets full informa-

ability and ¬delity) or she converts the photons to an- tion; in the remaining cases she has a 50% probability of in-

other wavelength (without perturbing the qubit). Both troducing an error and gains no information. The total QBER

1 2

of these ˜˜solutions™™ seem unrealistic in the foreseeable is thus 6, and Eve™s information gain is 3.

future.

Consequently, when considering the type of attacks

state into Bob™s apparatus. Since Eve™s information is

discussed in this section, it is essential to distinguish the

classical, she can overcome all the losses of the quantum

ultimate proofs from the practical ones. Indeed, the as-

channel. In all other cases, Eve sends nothing to Bob. In

sumptions about the defects of Alice and Bob™s appara- 3

this way, Eve sends a fraction ( 8 ) of the pulses contain-

tuses must be very speci¬c and might thus be of limited

ing at least two photons to Bob. She introduces a QBER

interest, while for practical considerations these assump- 1 2

of 6 and gets information I(A,E) 3 4•QBER. Bob

tions must be very general and might thus be excessive.

does not see any reduction in the number of detected

photons, provided that the transmission coef¬cient of

the quantum channel t satis¬es

I. A realistic beamsplitter attack

3 3

t Prob n 2 n 1 , (76)

The attack presented in the previous section takes ad- 8 16

vantage of pulses containing more than one photon.

where the last expression assumes Poissonian photon

However, as discussed, it uses unrealistic assumptions. In

distribution. Accordingly, for a ¬xed QBER, this attack

¨

this section, following Dusek et al. (2000) and Lutken-

provides Eve with twice the information she would get

haus (2000), we brie¬‚y comment on a realistic attack

from using the intercept-resend strategy. To counter

that, also exploits multiphoton pulses (for details, see

such an attack, Alice should use a mean photon number

Felix et al., 2001, where this and other examples are pre-

such that Eve can use this attack on only a fraction of

sented). Assume that Eve splits all pulses in two, analyz-

the pulses. For example, Alice could use pulses weak

ing each half in one of the two bases, using photon

enough that Eve™s mean information gain is identical to

counting devices able to distinguish between pulses with

what she would obtain with the simple intercept-resend

0, 1, and 2 photons (see Fig. 32). In practice this could be

strategy (see Sec. II.C.3). For 10-, 14-, and 20-dB attenu-

realized using many single-photon counters in parallel.

ation, this corresponds to 0.25, 0.1, and 0.025, respec-

This requires nearly perfect detectors, but at least one

tively.

does not need to assume technology completely out of

today™s realm. Whenever Eve detects two photons in the

same output, she sends a photon in the corresponding

J. Multiphoton pulses and passive choice of states

Multiphoton pulses do not necessarily constitute a

59

Photonics crystal ¬bers have the potential to overcome the threat to key security, but they limit the key creation

Rayleigh scattering limit. There are two kinds of such ¬bers. rate because they imply that more bits must be dis-

The ¬rst kind guides light by total internal re¬‚ection, as in carded during key distillation. This fact is based on the

ordinary ¬bers. In these ¬bers most of the light also propagates

assumption that all photons in a pulse carry the same

in silica, and thus the loss limit is similar. In the second kind,

qubit, so that Eve does not need to copy the qubit going

most of the light propagates in air. Thus the theoretical loss

to Bob, but merely keeps the copy that Alice inadvert-

limit is lower. However, today the losses are extremely high, in

ently provides. When using weak pulses, it seems un-

the range of hundreds of dB/km. The best reported result that

avoidable that all the photons in a pulse carry the same

we are aware of is 11 dB/km, and it was obtained with the ¬rst

qubit. However, in two-photon implementations, each

kind of ¬ber (Canning et al., 2000).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

189

Gisin et al.: Quantum cryptography

photon on Alice™s side independently chooses a state [in this class of attacks exists illustrates that the security of

the experiments of Ribordy et al. (2001) and Tittel et al. QC can never be guaranteed by the principles of

(2000), each photon randomly chooses both its basis and quantum mechanics only, but must necessarily rely on

measures that are subject to discussion.60

its bit value; in the experiments of Naik et al. (2000) and technical

Jennewein, Simon, et al. (2000), only the bit value choice

is random]. Hence, when two photon pairs are simulta-

neously produced, the two twins carry independent qu-

bits by accident. Consequently, Eve cannot take advan- L. Real security: Technology, cost, and complexity

tage of such multiphoton twin pulses. This might be one

Despite the elegance and generality of security proofs,

of the main advantages of two-photon schemes over the

the ideal of a QC system whose security relies entirely

much simpler weak-pulse schemes. But the multiphoton

on quantum principles is unrealistic. The technological

problem is then on Bob™s side, which gets a noisy signal,

implementation of abstract principles will always be

consisting partly of photons not in Alice™s state.

questionable. It is likely that they will remain the weak-

est point in all systems. Moreover, one should remember

K. Trojan horse attacks

the obvious relation:

All eavesdropping strategies discussed up to this point In¬nite security’In¬nite cost

have consisted of Eve™s attempt to get a maximum infor-

’Zero practical interest . (77)

mation from the qubits exchanged by Alice and Bob.

However, Eve can also pursue a completely different On the other hand, however, one should not underes-

strategy: she can herself send signals that enter Alice timate the following two advantages of QC. First, it is

and Bob™s of¬ces through the quantum channel. This much easier to forecast progress in technology than in

kind of strategy is called a Trojan horse attack. For ex- mathematics: the danger that QC will break down over-

ample, Eve can send light pulses into the ¬ber entering night is negligible, in contrast to public-key cryptosys-

Alice™s or Bob™s apparatus and analyze the backre¬‚ected tems. Next, the security of QC depends on the techno-

light. In this way, it is in principle possible to detect logical level of the adversary at the time of the key

which laser just ¬‚ashed, which detector just ¬red, or the exchange, in contrast to complexity-based systems whose

settings of phase and polarization modulators. This can- coded message can be registered and broken thanks to

not be prevented by simply using a shutter, since Alice future progress. The latter point is relevant for secrets

and Bob must leave the ˜˜door open™™ for the photons to whose value lasts many years.

exit and enter, respectively. One often points to low bit rate as one of the current

In most QC setups the amount of backre¬‚ected light limitations of QC. However, it is important to stress that

can be made very small, and sensing the apparatus with QC need not be used in conjunction with one-time-pad

light pulses through the quantum channel is dif¬cult. encryption. It can also be used to provide a key for a

Nevertheless, this attack is especially threatening in the symmetrical cipher such as AES, whose security is

plug-and-play scheme on Alice™s side (Sec. IV.C.2), since greatly enhanced by frequent key changes.

a mirror is used to send the light pulses back to Bob. To conclude this section, let us brie¬‚y elaborate on the

Thus, in principle, Eve can send strong light pulses to differences and similarities between technological and

Alice and sense the applied phase shift. However, by mathematical complexity and on their possible connec-

applying the phase shift only during a short time t phase tions and implications. Mathematical complexity means

(a few nanoseconds), Alice can oblige Eve to send the that the number of steps needed to run complex algo-

spying pulse at the same time as Bob. Remember that in rithms increases exponentially as the size of the input

the plug-and-play scheme, pulses coming from Bob are grows linearly. Similarly, one can de¬ne the technologi-

macroscopic and an attenuator at Alice™s end reduces cal complexity of a quantum computer as an exponen-

them to below the one-photon level, say, 0.1 photons per tially increasing dif¬culty to process coherently all the

pulse. Hence, if Eve wants to get, say, one photon per qubits necessary to run a (noncomplex) algorithm on a

pulse, she has to send ten times Bob™s pulse energy. linearly growing number of input data. It might be inter-

Since Alice is detecting Bob™s pulses for triggering her esting to consider the possibility that the relationship

apparatus, she must be able to detect an increase in en- between these two concepts of complexity is deeper. It

ergy of these pulses in order to reveal the presence of a could be that the solution of a problem requires either a

spying pulse. This is a relatively easy task, provided that complex classical algorithm or a quantum algorithm that

itself requires a complex quantum computer.61

Eve™s pulses look the same as Bob™s. However, Eve could

of course use another wavelength or ultrashort pulses

(or very long pulses with low intensity, hence the impor-

tance of t phase ); therefore Alice must introduce an op- 60

Another technological loophole, recently pointed out by

tical bandpass ¬lter with a transmission spectrum corre- Kurtsiefer et al. (2001), is the possible information leakage

sponding to the sensitivity spectrum of her detector and caused by light emitted by APD™s during their breakdown.

choose a t phase that ¬ts the bandwidth of her detector. 61

Penrose (1994) pushes these speculations even further, sug-

There is no doubt that Trojan horse attacks can be gesting that spontaneous collapses stop quantum computers

prevented by technical measures. However, the fact that whenever they try to compute beyond a certain complexity.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

190 Gisin et al.: Quantum cryptography

VII. CONCLUSIONS QC could well be the ¬rst application of quantum me-

chanics at the single-quantum level. Experiments have

Quantum cryptography is a fascinating illustration of demonstrated that keys can be exchanged over distances

the dialog between basic and applied physics. It is based of a few tens of kilometers at rates on the order of at

on a beautiful combination of concepts from quantum least a thousand bits per second. There is no doubt that

physics and information theory and made possible by the technology can be mastered and the question is not

whether QC will ¬nd commercial applications, but

the tremendous progress in quantum optics and the

when. At present QC is still very limited in distance and

technology of optical ¬bers and free-space optical com-

in secret bit rate. Moreover, public-key systems domi-

munication. Its security principle relies on deep theo-

nate the market and, being pure software, are tremen-

rems in classical information theory and on a profound

dously easier to manage. Every so often, we hear in the

understanding of Heisenberg™s uncertainty principle, as

news that some classical cryptosystem has been broken.

illustrated by Theorems 1 and 2 in Sec. VI.G (the only

This would be impossible with properly implemented

mathematically involved theorems in this review). Let us

QC. But this apparent strength of QC might turn out to

also emphasize the important contributions of QC to

be its weak point: security agencies would be equally

classical cryptography: privacy ampli¬cation and classi-

unable to break quantum cryptograms!

cal bound information (Secs. II.C.4 and II.C.5) are ex-

amples of concepts in classical information whose dis-

covery were much inspired by QC. Moreover, the

ACKNOWLEDGMENTS

fascinating tension between quantum physics and rela-

tivity, as illustrated by Bell™s inequality, is not far away, This work was supported by the Swiss Fonds National

as discussed in Sec. VI.F. Now, despite signi¬cant de la Recherche Scienti¬que (FNRS) and the European

progress in recent years, many open questions and tech- Union projects European Quantum Cryptography and

nological challenges remain. Single-Photon Optical Technologies (EQCSPOT) and

One technological challenge at present concerns im- Long-Distance Photonic Quantum Communication

proved detectors compatible with telecommunications ´´

(QUCOMM) ¬nanced by the Swiss Of¬ce Federal de

¬bers. Two other issues concern free-space QC and l™Education et de la Science (OFES). The authors would

quantum repeaters. The former is currently the only way also like to thank Richard Hughes for providing Fig. 8,

to realize QC over thousands of kilometers using the and acknowledge Charles H. Bennett and Paul G. Kwiat

technology of the near future (see Sec. IV.E). The idea for their very careful reading of the manuscript and their

of quantum repeaters (Sec. III.E) is to encode the qubits helpful remarks.

in such a way that if the error rate is low, then errors can

be detected and corrected entirely in the quantum do-

main. The hope is that such techniques could extend the REFERENCES

range of quantum communication to essentially unlim-

ited distances. Indeed, Hans Briegel, then at the Univer- Ardehali, M., H. F. Chau, and H.-K. Lo, 1998, ˜˜Ef¬cient quan-

sity of Innsbruck, and co-workers (1998) showed that tum key distribution,™™ preprint quant-ph/9803007.

the number of additional qubits needed for quantum re- Aspect, A., J. Dalibard, and G. Roger, 1982, ˜˜Experimental

peaters can be made smaller than the numbers of qubits test of Bell™s inequalities using time-varying analyzers,™™ Phys.

needed to improve the ¬delity of the quantum channel Rev. Lett. 49, 1804“1807.

(Dur et al., 1999). One could thus overcome the deco- Bechmann-Pasquinucci, H., and N. Gisin, 1999, ˜˜Incoherent

herence problem. However, the main practical limitation and coherent eavesdropping in the 6-state protocol of quan-

is not decoherence but loss (most photons never get to tum cryptography,™™ Phys. Rev. A 59, 4238“4248.

Bechmann-Pasquinucci, H., and A. Peres, 2000, ˜˜Quantum

Bob, but those that do get there exhibit high ¬delity).

cryptography with 3-state systems,™™ Phys. Rev. Lett. 85,

As for open questions, let us emphasize three main

3313“3316.

concerns. First, complete and realistic analyses of the

Bechmann-Pasquinucci, H., and W. Tittel, 2000, ˜˜Quantum

security issues are still missing. Next, ¬gures of merit for

cryptography using larger alphabets,™™ Phys. Rev. A 61,

comparing QC schemes based on different quantum sys-

062308.

tems (with different dimensions, for example) are still

Bell, J. S., 1964, ˜˜On the problem of hidden variables in quan-

awaited. Finally, the delicate question of how to test the

tum mechanics,™™ Rev. Mod. Phys. 38, 447“452 [reprinted in

apparatuses has not yet received enough attention. In-

Bell, J. S., 1987, Speakable and Unspeakable in Quantum Me-

deed, a potential customer of quantum cryptography

chanics (Cambridge University, Cambridge, England)].

buys con¬dence and secrecy, two qualities hard to quan- Bennett, C. H., 1992, ˜˜Quantum cryptography using any two

tify. Interestingly, both of these issues are connected to nonorthogonal states,™™ Phys. Rev. Lett. 68, 3121“3124.

Bell™s inequality (see Secs. VI.F and VI.B). Clearly, this Bennett, C. H., F. Bessette, G. Brassard, L. Salvail, and J. Smo-

connection cannot be phrased in the old context of local lin, 1992, ˜˜Experimental quantum cryptography,™™ J. Cryptol-

hidden variables, but rather in the context of the secu- ogy 5, 3“28.

rity of tomorrow™s communications. Here, as in the en- Bennett, C. H., and G. Brassard, 1984, in Proceedings of the

tire ¬eld of quantum information, old concepts are re- IEEE International Conference on Computers, Systems and

newed by looking at them from a fresh perspective: let Signal Processing, Bangalore, India, (IEEE, New York), pp.

us exploit quantum weirdness. 175“179.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

191

Gisin et al.: Quantum cryptography

´

Bennett, C. H., and G. Brassard, 1985, ˜˜Quantum public key Breguet, J., and N. Gisin, 1995, ˜˜New interferometer using a

distribution system,™™ IBM Tech. Discl. Bull. 28, 3153“3163. 3 3 coupler and Faraday mirrors,™™ Opt. Lett. 20, 1447“1449.

´ ´

Bennett, C. H., G. Brassard, C. Crepeau, R. Jozsa, A. Peres, Breguet, J., A. Muller, and N. Gisin, 1994, ˜˜Quantum cryptog-

and W. K. Wootters, 1993, ˜˜Teleporting an unknown quan- raphy with polarized photons in optical ¬bers: experimental

tum state via dual classical and Einstein-Podolsky-Rosen and practical limits,™™ J. Mod. Opt. 41, 2405“2412.

channels,™™ Phys. Rev. Lett. 70, 1895“1899. Brendel, J., W. Dultz, and W. Martienssen, 1995, ˜˜Geometric

´

Bennett, C. H., G. Brassard, C. Crepeau, and U. M. Maurer, phase in 2-photon interference experiments,™™ Phys. Rev. A

1995, ˜˜Generalized privacy ampli¬cation,™™ IEEE Trans. Inf. 52, 2551“2556.

Theory 41, 1915“1923. Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, ˜˜Pulsed

Bennett, C. H., G. Brassard, and A. Ekert, 1992, ˜˜Quantum energy-time entangled twin-photon source for quantum com-

cryptography,™™ Sci. Am. 267, 50“57. munication,™™ Phys. Rev. Lett. 82, 2594“2597.

Bennett, C. H., G. Brassard, and N. D. Mermin, 1992, ˜˜Quan- Briegel, H.-J., W. Dur, J. I. Cirac, and P. Zoller, 1998, ˜˜Quan-

tum cryptography without Bell™s theorem,™™ Phys. Rev. Lett. tum repeaters: the role of imperfect local operations in quan-

68, 557“559. tum communication,™™ Phys. Rev. Lett. 81, 5932“5935.

Bennett, C. H., G. Brassard, and J.-M. Robert, 1988, ˜˜Privacy Brouri, R., A. Beveratios, J.-P. Poizat, and P. Grangier, 2000,

ampli¬cation by public discussion,™™ SIAM J. Comput. 17, ˜˜Photon antibunching in the ¬‚uorescence of individual col-

210“229. ored centers in diamond,™™ Opt. Lett. 25, 1294“1296.

Berry, M. V., 1984, ˜˜Quantal phase factors accompanying adia- Brown, R. G. W., and M. Daniels, 1989, ˜˜Characterization of

batic changes,™™ Proc. R. Soc. London, Ser. A 392, 45“57. silicon avalanche photodiodes for photon correlation mea-

Bethune, D., and W. Risk, 2000, ˜˜An autocompensating ¬ber- surements. 3: Sub-Geiger operation,™™ Appl. Opt. 28, 4616“

optic quantum cryptography system based on polarization 4621.

splitting of light,™™ IEEE J. Quantum Electron. 36, 340“347. Brown, R. G. W., R. Jones, J. G. Rarity, and K. D. Ridley,

Biham, E., M. Boyer, P. O. Boykin, T. Mor, and V. Roy- 1987, ˜˜Characterization of silicon avalanche photodiodes for

chowdhury, 1999, ˜˜A proof of the security of quantum key photon correlation measurements. 2: Active quenching,™™

distribution,™™ preprint quant-ph/9912053. Appl. Opt. 26, 2383“2389.

Biham, E., and T. Mor, 1997a, ˜˜Security of quantum cryptog- Brown, R. G. W., K. D. Ridley, and J. G. Rarity, 1986, ˜˜Char-

raphy against collective attacks,™™ Phys. Rev. Lett. 78, 2256“ acterization of silicon avalanche photodiodes for photon cor-

1159. relation measurements. 1: Passive quenching,™™ Appl. Opt. 25,

Biham, E., and T. Mor, 1997b, ˜˜Bounds on information and the 4122“4126.

security of quantum cryptography,™™ Phys. Rev. Lett. 79, Brunel, C., B. Lounis, P. Tamarat, and M. Orrit, 1999, ˜˜Trig-

4034“4037. gered source of single photons based on controlled single

Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Jons- molecule ¬‚uorescence,™™ Phys. Rev. Lett. 83, 2722“2725.

son, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, ˜˜Ex- Bruss, D., 1998, ˜˜Optimal eavesdropping in quantum cryptog-

periments on long wavelength (1550 nm) ˜plug and play™ raphy with six states,™™ Phys. Rev. Lett. 81, 3018“3021.

quantum cryptography system,™™ Opt. Express 4, 383“387. Bruss, D., A. Ekert, and C. Macchiavello, 1998, ˜˜Optimal uni-

¨

Bourennane, M., A. Karlsson, and G. Bjorn, 2001, ˜˜Quantum versal quantum cloning and state estimation,™™ Phys. Rev.

key distribution using multilevel encoding,™™ Phys. Rev. A 64, Lett. 81, 2598“2601.

012306. Buttler, W. T., R. J. Hughes, P. G. Kwiat, S. K. Lamoreaux, G.

¨

Bourennane, M., A. Karlsson, G. Bjorn, N. Gisin, and N. Cerf, G. Luther, G. L. Morgan, J. E. Nordholt, C. G. Peterson, and

2001, ˜˜Quantum key distribution using multilevel encoding: C. Simmons, 1998, ˜˜Practical free-space quantum key distri-

security analysis,™™ preprint quant-ph/0106049. bution over 1 km,™™ Phys. Rev. Lett. 81, 3283“3286.

Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Buttler, W. T., R. J. Hughes, S. K. Lamoreaux, G. L. Morgan, J.

Hening, and J. P. Ciscar, 2000, ˜˜Experimental long wave-

E. Nordholt, and C. G. Peterson, 2000, ˜˜Daylight quantum

length quantum cryptography: from single photon transmis-

key distribution over 1.6 km,™™ Phys. Rev. Lett. 84, 5652“5655.

sion to key extraction protocols,™™ J. Mod. Opt. 47, 563“579.

ˇ

Buzek, V., and M. Hillery, 1996, ˜˜Quantum copying: beyond

Braginsky, V. B., and F. Y. Khalili, 1992, Quantum Measure-

the no-cloning theorem,™™ Phys. Rev. A 54, 1844“1852.

ment (Cambridge University, Cambridge, England).

Cancellieri, G., 1993, Ed., Single-Mode Optical Fiber Measure-

Brassard, G., 1988, Modern Cryptology: A Tutorial, Lecture

ment: Characterization and Sensing (Artech House, Boston).

Notes in Computer Science, Vol. 325 (Springer, New York).

Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kristensen,

´

Brassard, G., C. Crepeau, D. Mayers, and L. Salvail, 1998, in

and K. Lyytikainen, 2000, ˜˜Complex mode coupling within

Proceedings of Randomized Algorithms, Satellite Workshop

air-silica structured optical ¬bers and applications,™™ Opt.

of the 23rd International Symposium on Mathematical Foun-

Commun. 185, 321“324.

dations of Computer Science, Brno, Czech Republic, edited

Cirac, J. I., and N. Gisin, 1997, ˜˜Coherent eavesdropping strat-

by R. Freivalds (Aachen University, Aachen, Germany), pp.

egies for the 4-state quantum cryptography protocol,™™ Phys.

13“15.

¨ Lett. A 229, 1“7.

Brassard, G., N. Lutkenhaus, T. Mor, and B. C. Sanders, 2000,

Clarke, R. B. M., A. Che¬‚es, S. M. Barnett, and E. Riis, 2000,