. 3
( 4)


somewhat reduces this advantage. One frequently hears
FIG. 21. Typical system for quantum cryptography exploiting
that photon pairs have the advantage of avoiding multi-
photon pairs entangled in polarization: PR, active polarization
photon pulses, but this is not correct. For a given mean
rotator; PBS, polarizing beamsplitter; APD, avalanche photo-
photon number, the probability that a nonempty pulse
contains more than one photon is essentially the same
for weak pulses as for photon pairs (see Sec. III.A.2).
A second advantage is that using entangled photons Generally speaking, entanglement-based systems are
pair prevents unintended information leakage in unused far more complex than setups based on faint laser
degrees of freedom (Mayers and Yao, 1998). Observing pulses. They will most certainly not be used in the near
a QBER lower than approximately 15%, or equivalently future for the realization of industrial prototypes. In ad-
observing that Bell™s inequality is violated, indeed guar- dition, the current experimental key creation rates ob-
tained with these systems are at least two orders of mag-
antees that the photons are entangled, so that the differ-
nitude smaller than those obtained with faint laser pulse
ent states are not fully distinguishable through other de-
setups (net rate on the order of a few tens of bits per
grees of freedom. A third advantage was indicated
second, in contrast to a few thousand bits per second for
recently by new and elaborate eavesdropping analyses.
a 10-km distance). Nevertheless, they offer interesting
The fact that passive state preparation can be imple-
possibilities in the context of cryptographic optical net-
mented prevents multiphoton splitting attacks (see Sec.
works. The photon-pair source can indeed be operated
by a key provider and situated somewhere in between
The coupling between the optical frequency and the
potential QC customers. In this case, the operator of the
property used to encode the qubit, i.e., decoherence, is
source has no way of getting any information about the
rather easy to master when using faint laser pulses.
key obtained by Alice and Bob.
However, this issue is more serious when using photon
It is interesting to emphasize the close analogy be-
pairs, because of the larger spectral width. For example,
tween one- and two-photon schemes, which was ¬rst
for a spectral width of 5 nm full width at half maximum
noted by Bennett, Brassard, and Mermin (1992). In a
(FWHM)”a typical value, equivalent to a coherence
two-photon scheme, when Alice detects her photon, she
time of 1 ps”and a ¬ber with a typical polarization
effectively prepares Bob™s photon in a given state. In the
mode dispersion of 0.2 ps/ km, transmission over a few
one-photon analog, Alice™s detectors are replaced by
kilometers induces signi¬cant depolarization, as dis-
sources, while the photon-pair source between Alice and
cussed in Sec. III.B.2. In the case of polarization-
Bob is bypassed. The difference between these schemes
entangled photons, this effect gradually destroys their
lies only in practical issues, like the spectral widths of
correlation. Although it is in principle possible to com-
the light. Alternatively, one can look at this analogy
pensate for this effect, the statistical nature of the polar-
ization mode dispersion makes this impractical.44 from a different point of view: in two-photon schemes, it
is as if Alice™s photon propagates backwards in time
Although perfectly ¬ne for free-space QC (see Sec.
from Alice to the source and then forward in time from
IV.E), polarization entanglement is thus not adequate
the source to Bob.
for QC over long optical ¬bers. A similar effect arises
when dealing with energy-time-entangled photons.
A. Polarization entanglement
Here, the chromatic dispersion destroys the strong time
correlations between the photons forming a pair. How-
A ¬rst class of experiments takes advantage of
ever, as discussed in Sec. III.B.3, it is possible to com-
polarization-entangled photon pairs. The setup, depicted
pensate passively for this effect either using additional
in Fig. 21, is similar to the scheme used for polarization
¬bers with opposite dispersion, or exploiting the inher-
coding based on faint pulses. A two-photon source emits
ent energy correlation of photon pairs.
pairs of entangled photons ¬‚ying back to back towards
Alice and Bob. Each photon is analyzed with a polariz-
ing beamsplitter whose orientation with respect to a
Photon-pair sources are often, though not always, pumped common reference system can be changed rapidly. The
continuously. In these cases, the time window determined by a results of two experiments were reported in the spring of
trigger detector and electronics de¬nes an effective pulse.
2000 (Jennewein, Simon, et al., 2000; Naik et al., 2000).
In the case of weak pulses, we saw that a full round trip
Both used photon pairs at a wavelength of 700 nm,
together with the use of Faraday mirrors circumvents the prob-
which were detected with commercial single-photon de-
lem (see Sec. IV.C.2). However, since the channel loss on the
tectors based on silicon APD™s. To create the photon
way from the source to the Faraday mirror inevitably increases
pairs, both groups took advantage of parametric down-
the fraction of empty pulses, the main advantage of photon
conversion in one or two -BaB2 O4 (BBO) crystals
pairs vanishes in such a con¬guration.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

FIG. 22. Principle of phase-
coding quantum cryptography
using energy-time-entangled
photon pairs.

pumped by an argon-ion laser. The analyzers consisted In spite of their qualities, it would be dif¬cult to re-
of fast modulators that were used to rotate the polariza- produce these experiments over distances of more than
tion state of the photons, in front of polarizing beam- a few kilometers of optical ¬ber. As mentioned in the
splitters. introduction to this section, polarization is indeed not
The group of Anton Zeilinger, then at the University robust enough to avoid decoherence in optical ¬bers. In
of Innsbruck, demonstrated such a cryptosystem, includ- addition, the polarization state transformation induced
ing error correction, over a distance of 360 m (Jenne- by an installed ¬ber frequently ¬‚uctuates, making an ac-
wein, Simon, et al., 2000). Inspired by a test of Bell™s tive alignment system absolutely necessary. Neverthe-
inequalities performed with the same setup a year ear- less, these experiments are very interesting in the con-
lier (Weihs et al., 1998), they positioned the two-photon text of free-space QC.
source near the center between the two analyzers. Spe-
cial optical ¬bers, designed for guiding only a single
B. Energy-time entanglement
mode at 700 nm, were used to transmit the photons to
the two analyzers. The results of the remote measure- 1. Phase coding
ments were recorded locally, and the processes of key
Another class of experiments takes advantage of
sifting and error correction were implemented at a later
energy-time-entangled photon pairs. The idea originates
stage, long after the distribution of the qubits. Two dif-
from an arrangement proposed by Franson in 1989 to
ferent protocols were implemented: one based on Wig-
test Bell™s inequalities. As we shall see below, it is com-
ner™s inequality (a special form of Bell™s inequalities) and
parable to the double Mach-Zehnder con¬guration dis-
the other based on BB84.
cussed in Sec. IV.C.1. A source emits pairs of energy-
The group of Paul Kwiat, then at Los Alamos Na-
correlated photons, that were created at exactly the
tional Laboratory, demonstrated the Ekert protocol
same (unknown) time (see Fig. 22). This can be achieved
(Naik et al., 2000). This experiment was a table-top re-
by pumping a nonlinear crystal with a pump of long co-
alization in which the source and the analyzers were
herence time. The pairs of downconverted photons are
separated by only a few meters. The quantum channel
then split, and one photon is sent to each party down
consisted of a short free-space distance. In addition to
quantum channels. Both Alice and Bob possess a widely
performing QC, the researchers simulated different
but identically unbalanced Mach-Zehnder interferom-
eavesdropping strategies. As predicted by theory, they
eter, with photon-counting detectors connected to the
observed a rise in the QBER with an increase of the
outputs. Locally, if Alice or Bob change the phase of
information obtained by the eavesdropper. Moreover,
their interferometer, no effect on the count rates is ob-
they have also recently implemented the six-state proto-
served, since the imbalance prevents any single-photon
col described in Sec. II.D.2 and observed the predicted
interference. Looking at the detection time at Bob™s end
QBER increase to 33% (Enzer et al., 2001).
with respect to the arrival time at Alice™s end, three dif-
The main advantage of polarization entanglement is
ferent values are possible for each combination of detec-
that analyzers are simple and ef¬cient. It is therefore
tors. The different possibilities in a time spectrum are
relatively easy to obtain high contrast. Naik and co-
shown in Fig. 22. First, both photons can propagate
workers, for example, measured a polarization extinc-
through the short arms of the interferometers. Second,
tion of 97%, mainly limited by electronic imperfections
one can take the long arm at Alice™s end, while the other
of the fast modulators. This amounts to a QBERopt con-
one takes the short one at Bob™s, or vice versa. Finally,
tribution of only 1.5%. In addition, the constraint on the
both photons can propagate through the long arms.
coherence length of the pump laser is not very stringent
When the path differences of the interferometers are
(note that, if it is shorter than the length of the crystal,
matched to within a fraction of the coherence length of
some dif¬culties can arise, but we will not go into these
the downconverted photons, the short-short and the

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
178 Gisin et al.: Quantum cryptography

FIG. 24. Quantum cryptography system exploiting photons en-
FIG. 23. System for quantum cryptography based on phase-
tangled in energy-time and active basis choice. Note the simi-
coding entanglement: APD, avalanche photodiode. The pho-
larity to the faint-laser double Mach-Zehnder implementation
tons choose their bases randomly at Alice and Bob™s couplers.
depicted in Fig. 16.
long-long processes are indistinguishable, provided that
the coherence length of the pump photon is larger than 2001). It was the ¬rst experiment in which an asymmet-
the path-length difference. Conditioning detection ric setup optimized for QC was used instead of a system
only on the central time peak, one observes two- designed for tests of Bell™s inequality, with a source lo-
photon interferences”nonlocal quantum correlations cated midway between Alice and Bob (see Fig. 25). The
(Franson, 1989)45”that depend on the sum of the rela- two-photon source (a KNbO3 crystal pumped by a
tive phases in Alice™s and Bob™s interferometers (see Fig. doubled Nd-YAG laser) provided energy-time-
22). The phases of Alice™s and Bob™s interferometers can, entangled photons at nondegenerate wavelengths”one
for example, be adjusted so that both photons always at around 810 nm, the other centered at 1550 nm. This
emerge from the same output port. It is then possible to choice allowed the use of high-ef¬ciency silicon-based
exchange bits by associating values with the two ports. single-photon counters featuring low noise to detect the
This, however, is insuf¬cient. A second measurement ba- photons of the lower wavelength. To avoid the high
sis must be implemented to ensure security against transmission losses at this wavelength in optical ¬bers,
eavesdropping attempts. This measurement can be the distance between the source and the corresponding
made, for example, by adding a second interferometer analyzer was very short, of the order of a few meters.
to the systems (see Fig. 23). In this case, when reaching The other photon, at the wavelength where ¬ber losses
an analyzer, a photon chooses randomly to go to one or are minimal, was sent via an optical ¬ber to Bob™s inter-
the other interferometer. The second set of interferom- ferometer and then detected by InGaAs APD™s. The de-
eters can also be adjusted to yield perfect correlations coherence induced by chromatic dispersion was limited
between output ports. The relative phases between their by the use of dispersion-shifted optical ¬bers (see Sec.
arms should, however, be chosen so that when the pho- III.B.3).
tons go to interferometers that are not associated with Implementing the BB84 protocol in the manner dis-
each other, the outcomes are completely uncorrelated. cussed above, with a total of four interferometers, is dif-
Such a system features passive state preparation by ¬cult. Indeed, they must be aligned and their relative
Alice, yielding security against multiphoton splitting at- phase kept accurately stable during the whole key distri-
tacks (see Sec. VI.J). In addition, it also features a pas- bution session. To simplify this problem, we devised
sive basis choice by Bob, which constitutes an elegant birefringent interferometers with polarization multiplex-
solution: neither a random-number generator nor an ac- ing of the two bases. Consequently the constraint on the
tive modulator are necessary. It is nevertheless clear that stability of the interferometers was equivalent to that
QBERdet and QBERacc [de¬ned in Eq. (33)] are encountered in the faint-pulse double Mach-Zehnder
doubled, since the number of activated detectors is twice system. We obtained interference visibilities typically of
as high. This disadvantage is not as important as it ¬rst 92%, yielding in turn a QBERopt contribution of about
appears, since the alternative, a fast modulator, intro- 4%. We demonstrated QC over a transmission distance
duces losses close to 3 dB, also resulting in an increase of 8.5 km in a laboratory setting using a ¬ber on a spool
of these error contributions. The striking similarity be- and generated several megabits of key in hour-long ses-
tween this scheme and the double Mach-Zehnder ar-
rangement discussed in the context of faint laser pulses
in Sec. IV.C.1 is obvious when one compares Figs. 24
and 16.
This scheme was realized in the ¬rst half of 2000 by
our group at the University of Geneva (Ribordy et al.,

The imbalance of the interferometers must be large enough
so that the middle peak can easily be distinguished from the
satellite ones. This minimal imbalance is determined by the
FIG. 25. Schematic diagram of the ¬rst system designed and
convolution of the detector™s jitter (tens of picoseconds), the
optimized for long-distance quantum cryptography and ex-
electronic jitter (from tens to hundreds of picoseconds), and
the single-photon coherence time ( 1 ps). ploiting phase coding of entangled photons.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

pump and A for Alice™s photon.46 However, the charac-
terization of the complete photon pair is still ambiguous,
since, at this point, the path of the photon that has trav-
eled to Bob (short or long in his interferometer) is un-
known to Alice. Figure 26 illustrates all processes lead-
ing to a detection in the different time slots both at
Alice™s and at Bob™s detector. Obviously, this reasoning
holds for any combination of two detectors. In order to
build up the secret key, Alice and Bob now publicly
agree about the events when both detected a photon in
one of the satellite peaks”without revealing in which
one”or both in the central peak”without revealing in
which detector. This procedure corresponds to key sift-
ing. For instance, in the example discussed above, if Bob
tells Alice that he has detected his photon in a satellite
peak, she knows that it must have been the left peak.
FIG. 26. Schematics of quantum cryptography using
This is because the pump photon has traveled via the
entangled-photon phase-time coding.
short arm, hence Bob can detect his photon either in the
left satellite or in the central peak. The same holds for
sions. This is the longest span realized to date for QC Bob, who now knows that Alice™s photon traveled via
with photon pairs. the short arm in her interferometer. Therefore, in the
As already mentioned, it is essential for this scheme to case of joint detection in a satellite peak, Alice and Bob
have a pump laser whose coherence length is longer must have correlated detection times. Assigning a bit
than the path imbalance of the interferometers. In addi- value to each side peak, Alice and Bob can exchange a
tion, its wavelength must remain stable during a key ex- sequence of correlated bits.
change session. These requirements imply that the pump The cases where both ¬nd the photon in the central
laser must be somewhat more elaborate than in the case time slot are used to implement the second basis. They
of polarization entanglement. correspond to the s P , l A l B and l P , s A s B possi-
bilities. If these are indistinguishable, one obtains two-
2. Phase-time coding photon interferences, exactly as in the case discussed in
the previous section on phase coding. Adjusting the
We have mentioned in Sec. IV.C that states generated
phases and keeping them stable, one can use the perfect
by two-path interferometers are two-level quantum sys-
correlations between output ports chosen by the pho-
tems. They can also be represented on a Poincare
tons at Alice™s and Bob™s interferometers to establish the
sphere. The four states used for phase coding in the pre-
key bits in this second basis.
vious section would lie equally distributed on the equa-
Phase-time coding has recently been implemented in a
tor of the sphere. The coupling ratio of the beamsplitter
laboratory experiment by our group (Tittel et al., 2000)
is 50%, and a phase difference is introduced between
and was reported at the same time as the two polariza-
the components propagating through either arm. In
tion entanglement-based schemes mentioned above. A
principle, the four-state protocol can be equally well
contrast of approximately 93% was obtained, yielding a
implemented with only two states on the equator and
QBERopt contribution of 3.5%, similar to that obtained
two others on the poles. In this section, we present a
with the phase-coding scheme. This experiment will be
system exploiting such a set of states. Proposed by our
repeated over long distances, since losses in optical ¬-
group in 1999 (Brendel et al., 1999), the scheme follows
bers are low at the downconverted photon wavelength
in principle the Franson con¬guration described in the
(1300 nm).
context of phase coding. However, it is based on a
An advantage of this setup is that coding in the time
pulsed source emitting entangled photons in so-called
basis is particularly stable. In addition, the coherence
energy-time Bell states (Tittel et al., 2000). The emission
length of the pump laser is no longer critical. However, it
time of the photon pair is therefore given by a superpo-
is necessary to use relatively short pulses ( 500 ps)
sition of only two discrete terms, instead of by a wide
powerful enough to induce a signi¬cant downconversion
and continuous range bounded only by the long coher-
ence length of the pump laser (see Sec. V.B.1).
Phase-time coding, as discussed in this section,
Consider Fig. 26. If Alice registers the arrival times of
can also be realized with faint laser pulses (Bechmann-
the photons with respect to the emission time of the
Pasquinucci and Tittel, 2000). The one-photon con¬gu-
pump pulse t 0 , she ¬nds the photons in one of three
ration has so far never been realized. It would be similar
time slots (note that she has two detectors to take into
to the double Mach-Zehnder setup discussed in Sec.
account). For instance, detection of a photon in the ¬rst
IV.C.1, but with the ¬rst coupler replaced by an active
slot corresponds to the pump photon™s having traveled
via the short arm and the downconverted photon™s hav-
ing traveled via the short arm. To keep it simple, we
refer to this process as s P , s A , where P stands for the Note that it does not constitute a product state.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
180 Gisin et al.: Quantum cryptography

analysis of eavesdropping on a quantum channel has yet
switch. For the time basis, Alice would set the switch
to be achieved. In this section we review some of the
either to full transmission or to full re¬‚ection, while for
problems and solutions, without any claim for math-
the energy basis she would set it at 50%. This illustrates
ematical rigor or complete coverage of the huge and
how research on photon pairs can yield advances on
rapidly evolving literature.
faint-pulse systems.
The general objective of eavesdropping analysis is to
¬nd ultimate and practical proofs of security for some
3. Quantum secret sharing
quantum cryptosystems. ˜˜Ultimate proofs™™ guarantee
In addition to QC using phase-time coding, we used security against entire classes of eavesdropping attacks,
the setup depicted in Fig. 26 for the ¬rst proof-of- even if Eve uses not only the best of today™s technology,
principle demonstration of quantum secret sharing”the but any conceivable future technology. These proofs
generalization of quantum key distribution to more than take the form of theorems, with clearly stated assump-
two parties (Tittel et al., 2001). In this new application of tions expressed in mathematical terms. In contrast, prac-
quantum communication, Alice distributes a secret key tical proofs deal with some actual pieces of hardware
to two other users, Bob and Charlie, in such a way that and software. There is thus a tension between ˜˜ulti-
neither Bob nor Charlie alone has any information mate™™ and ˜˜practical™™ proofs. Indeed, the former favor
about the key, but together they have full information. general abstract assumptions, whereas the latter concen-
trate on physical implementations. Nevertheless, it is
As in traditional QC, an eavesdropper trying to get
worth ¬nding such proofs. In addition to the security
some information about the key creates errors in the
issue, they provide illuminating lessons for our general
transmission data and thus reveals her presence. The
understanding of quantum information.
motivation behind quantum secret sharing is to guaran-
In the ideal game Eve has perfect technology: she is
tee that Bob and Charlie cooperate”one of them might
limited only by the laws of quantum mechanics, but not
be dishonest”in order to obtain a given piece of infor-
at all by current technology.47 In particular, Eve cannot
mation. In contrast with previous proposals using three-
clone qubits, as this is incompatible with quantum dy-

particle Greenberger-Horne-Zeilinger states (Zukowski
namics (see Sec. II.C.2), but she is free to use any uni-
et al., 1998; Hillery et al., 1999), pairs of entangled pho-
tary interaction between one or several qubits and an
tons in so-called energy-time Bell states were used to
auxiliary system of her choice. Moreover, after the inter-
mimic the necessary quantum correlation of three en-
action, Eve may keep her auxiliary system unperturbed,
tangled qubits, although only two photons exist at the
in complete isolation from the environment, for an arbi-
same time. This is possible because of the symmetry be- trarily long time. Finally, after listening to all the public
tween the preparation device acting on the pump pulse discussion between Alice and Bob, she can perform the
and the devices analyzing the downconverted photons. measurement of her choice on her system, being again
Therefore the emission of a pump pulse can be consid- limited only by the laws of quantum mechanics. One
ered as the detection of a photon with 100% ef¬ciency, assumes further that all errors are due to Eve. It is
and the scheme features a much higher coincidence rate tempting to assume that some errors are due to Alice™s
than that expected with the initially proposed ˜˜triple- and Bob™s instruments, and this probably makes sense in
photon™™ schemes. practice. However, there is the danger of Eve™s replacing
them with higher-quality instruments (see the next sec-
In the next section we elaborate on the most relevant
differences between the above ideal game (ideal espe-
A. Problems and objectives
cially from Eve™s point of view) and real systems. Next,
we return to the idealized situation and present several
After the qubit exchange and basis reconciliation, Al-
eavesdropping strategies, starting from the simplest, in
ice and Bob each have a sifted key. Ideally, these keys
which explicit formulas can be written down, and ending
are identical. But in real life, there are always some er-
with a general abstract security proof. Finally, we discuss
rors, and Alice and Bob must apply some classical infor-
practical eavesdropping attacks and comment on the
mation processing protocols, like error correction and
complexity of a real system™s security.
privacy ampli¬cation to their data (see Sec. II.C.4). The
¬rst protocol is necessary to obtain identical keys and B. Idealized versus real implementation
the second to obtain a secret key. Essentially, the prob-
lem of eavesdropping is to ¬nd protocols which, given Alice and Bob use the technology available today.
that Alice and Bob can only measure the QBER, either This trivial remark has several implications. First, all
provide Alice and Bob with a veri¬ably secure key or
stop the protocol and inform the users that the key dis-
tribution has failed. This is a delicate problem at the 47
The question of whether QC would survive the discovery of
intersection of quantum physics and information theory.
the currently unknown validity limits of quantum mechanics is
Actually, it comprises several eavesdropping problems, interesting. Let us argue that it is likely that quantum mechan-
depending on the precise protocol, the degree of ideali- ics will always adequately describe photons at telecommunica-
zation one admits, the technological power one assumes tions and visible wavelengths, just as classical mechanics will
Eve has, and the assumed ¬delity of Alice and Bob™s always adequately describe the fall of apples, whatever the
equipment. Let us immediately stress that a complete future of physics may be.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

real components are imperfect, so that the qubits are not ciency, and so on. Except for Sec. VI.K, in which this
assumption is discussed, we shall henceforth assume that
prepared and detected in the exact basis described by
Alice and Bob are isolated from Eve.
the theory. Moreover, a real source always has a ¬nite
probability of producing more than one photon. De-
pending on the details of the encoding device, all pho- C. Individual, joint, and collective attacks
tons carry the same qubit (see Sec. VI.J). Hence, in prin-
In order to simplify the problem, several eavesdrop-
ciple, Eve could measure the photon number without
ping strategies of limited generality have been de¬ned
perturbing the qubit. This scenario is discussed in Sec.
(Lutkenhaus, 1996; Biham and Mor, 1997a, 1997b) and
VI.H. Recall that, ideally, Alice should emit single-qubit
analyzed. Of particular interest is the assumption that
photons, i.e., each logical qubit should be encoded in a
Eve attaches independent probes to each qubit and
single degree of freedom of a single photon.
measures her probes one after the other. This class of
On Bob™s side the ef¬ciency of his detectors is quite
attack is called the individual attack, or incoherent at-
limited and the dark counts (spontaneous counts not
tack. This important class is analyzed in Secs. VI.D and
produced by photons) are non-negligible. The limited
VI.E. Two other classes of eavesdropping strategies let
ef¬ciency is analogous to the losses in the quantum
Eve process several qubits coherently, hence the name
channel. The analysis of the dark counts is more deli-
coherent attacks. The most general coherent attacks are
cate, and no complete solution is known. Conservatively,
¨ called joint attacks, while an intermediate class assumes
Lutkenhaus (2000) assumes in his analysis that all dark
that Eve attaches one probe per qubit, as in individual
counts provide information to Eve. He also advises that,
attacks, but can measure several probes coherently, as in
whenever two detectors ¬re simultaneously (generally
coherent attacks. This intermediate class is called the
due to a real photon and a dark count), Bob should not
collective attack. It is not known whether this class is less
disregard such events but should choose a value at ran-
ef¬cient than the most general class, that of joint attacks.
dom. Note also that the different contributions of dark
It is also not known whether it is more ef¬cient than the
counts to the total QBER depend on whether Bob™s
simpler individual attacks. Actually, it is not even known
choice of basis is implemented using an active or a pas-
whether joint attacks are more ef¬cient than individual
sive switch (see Sec. IV.A).
Next, one usually assumes that Alice and Bob have
For joint and collective attacks, the usual assumption
thoroughly checked their equipment and that it is func-
is that Eve measures her probe only after Alice and Bob
tioning according to speci¬cations. This assumption is
have completed all public discussion about basis recon-
not unique to quantum cryptography but is critical, as
ciliation, error correction, and privacy ampli¬cation. For
Eve could be the actual manufacturer of the equipment.
the more realistic individual attacks, one assumes that
Classical cryptosystems must also be carefully tested,
Eve waits only until the basis reconciliation phase of the
like any commercial apparatus. Testing a cryptosystem is
public discussion.49 The motivation for this assumption
tricky, however, because in cryptography the client buys
is that one hardly sees what Eve could gain by waiting
con¬dence and security, two qualities dif¬cult to quan-
until after the public discussion on error correction and
tify. Mayers and Yao (1998) proposed using Bell™s in-
privacy ampli¬cation before measuring her probes, since
equality to test whether the equipment really obeys
she is going to measure them independently anyway.
quantum mechanics, but even this is not entirely satis-
Individual attacks have the nice feature that the prob-
factory. Interestingly, one of the most subtle loopholes in
lem can be entirely translated into a classical one: Alice,
all present-day tests of Bell™s inequality, the detection
Bob, and Eve all have classical information in the form
loophole, can be exploited to produce purely classical
of random variables , , and , respectively, and the
software mimicking all quantum correlations (Gisin and
laws of quantum mechanics impose constraints on the
Gisin, 1999). This illustrates once again the close con-
joint probability distribution P( , , ). Such classical
nection between practical issues in QC and philosophi-
scenarios have been widely studied by the classical cryp-
cal debates about the foundations of quantum physics.
tology community, and many of their results can thus be
Finally, one must assume that Alice and Bob are per-
directly applied.
fectly isolated from Eve. Without such an assumption
the entire game would be meaningless: clearly, Eve is
not allowed to look over Alice™s shoulder. However, this D. Simple individual attacks: Intercept-resend and
elementary assumption is again nontrivial. What if Eve measurement in the intermediate basis
uses the quantum channel connecting Alice to the out-
side world? Ideally, the channel should incorporate an The simplest attack for Eve consists in intercepting all
isolator48 to keep Eve from shining light into Alice™s out- photons individually, measuring them in a basis chosen
put port to examine the interior of her laboratory. Since randomly between the two bases used by Alice, and
all isolators operate only on a ¬nite bandwidth, there sending new photons to Bob prepared according to her
should also be a ¬lter, but ¬lters have only a ¬nite ef¬-

With today™s technology, it might even be fair to assume
Optical isolators, based on the Faraday effect, let light pass that in individual attacks Eve must measure her probe before
through in only one direction. the basis reconciliation.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
182 Gisin et al.: Quantum cryptography

FIG. 28. Eavesdropping on a quantum channel. Eve extracts
information from the quantum channel between Alice and
Bob at the cost of introducing noise into that channel.
FIG. 27. Poincare representation of the BB84 states and the
intermediate basis, also known as the Breidbart basis, that can Consequently, this strategy is less advantageous for Eve
be used by Eve.
than the intercept-resend strategy. Note however, that
with this strategy Eve™s probability of guessing the cor-
rect bit value is 85%, compared to only 75% in the
result. As presented in Sec. II.C.3 and assuming that the
intercept-resend case. This is possible because in the lat-
BB84 protocol is used, Eve thus gets 0.5 bits of informa-
ter case, Eve™s information is deterministic in half the
tion per bit in the sifted key, for an induced QBER of
cases, while in the former Eve™s information is always
25%. Let us illustrate the general formalism with this
probabilistic (formally, this results from the convexity of
simple example. Eve™s mean information gain on Alice™s
the entropy function).
bit, I( , ), equals their relative entropy decrease:
I , H a priori H a posteriori , (40)
E. Symmetric individual attacks
i.e., I( , ) is the number of bits one can save by writing
when knowing . Since the a priori probability for In this section we present in some detail how Eve
Alice™s bit is uniform, H a priori 1. The a posteriori en- could get the maximum Shannon information for a ¬xed
tropy has to be averaged over all possible results r that QBER, assuming a perfect single-qubit source and re-
Eve might get: stricting Eve to attacks on one qubit after the other (i.e.,
individual attacks). The motivation is that this idealized
Ha PrHir, (41) situation is rather simple to treat and nicely illustrates
several of the subtleties of the subject. Here we concen-
trate on the BB84 four-state protocol; for related results
Hir P i r log2 P i r , (42) on the two-state and six-state protocols, see Fuchs and
Peres (1996) and Bechmann-Pasquinucci and Gisin
where the a posteriori probability of bit i, given Eve™s (1999), respectively.
result r, is given by Bayes™s theorem: The general idea of eavesdropping on a quantum
channel is as follows. When a qubit propagates from Al-
ice to Bob, Eve can let a system of her choice, called a
Pir , (43)
Pr probe, interact with the qubit (see Fig. 28). She can
freely choose the probe and its initial state, but the sys-
with P(r) i P(r i)P(i). In the case of intercept re-
tem must obey the rules of quantum mechanics (i.e., be
send, Eve gets one out of four possible results: r
‘,“,←,’ . After the basis has been revealed, Alice™s described in some Hilbert space). Eve can also choose
input assumes one of two values: i ‘,“ (assuming the the interaction, but it should be independent of the qu-
‘“ basis was used, the other case is completely analo- bit state, and she should obey the laws of quantum me-
gous). One gets P(i ‘ r ‘) 1, P(i ‘ r ’) 2 , chanics; i.e., her interaction must be described by a uni-

tary operator. After the interaction a qubit has to go to
1 1 1 1 1
and P(r) 2 . Hence, I( , ) 1 2 h(1) 2 h( 2 ) 1 2
Bob (in Sec. VI.H we consider lossy channels, so that
2 [with h(p) p log2(p) (1 p)log2(1 p)].
Bob does not always expect a qubit, a fact that Eve can
Another strategy for Eve, no more dif¬cult to imple-
take advantage of). It makes no difference whether this
ment, consists in measuring the photons in the interme-
qubit is the original one (possibly in a modi¬ed state).
diate basis (see Fig. 27), also known as the Breidbart
Indeed, the question does not even make sense, since a
basis (Bennett, Bessette, et al., 1992). In this case the
qubit is nothing but a qubit. However, in the formalism
probability that Eve guesses the correct bit value is p
it is convenient to use the same Hilbert space for the
cos( /8) 2 2 &/4 0.854, corresponding to a
qubit sent by Alice as for the qubit received by Bob (this
QBER 2p(1 p) 25% and a Shannon information
is no loss of generality, since the swap operator”de¬ned
gain per bit of
by  ’  for all , ”is unitary and could be ap-
I 1 Hp 0.399. (44) pended to Eve™s interaction).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

0. (49)
‘ “ ‘ “

The ™s correspond to Eve™s state when Bob receives the
qubit undisturbed, while the ™s are Eve™s state when the
qubit is disturbed.
Let us emphasize that this is the most general unitary
interaction satisfying Eq. (46). One ¬nds that the shrink-
F D. Accordingly, if Alice
ing factor is given by
sends ‘ and Bob measures it in the compatible basis,
then ‘ Bob (m ) ‘ F is the probability that Bob gets
the correct result. Hence F is the ¬delity and D the
Note that only four states span Eve™s relevant state
FIG. 29. Poincare representation of BB84 states in the event space. Hence Eve™s effective Hilbert space is at most
four dimensional, no matter how subtle she might be.51
of a symmetrical attack. The state received by Bob after the
interaction of Eve™s probe is related to the one sent by Alice by This greatly simpli¬es the analysis.
a simple shrinking factor. When the unitary operator U en- Symmetry requires that the attack on the other basis
tangles the qubit and Eve™s probe, Bob™s state [Eq. (46)] is satisfy
mixed and is represented by a point inside the Poincare
‘,0 “,0
U ’,0 U (50)
Let HEve and C2  HEve be the Hilbert spaces of Eve™s
probe and of the total qubit probe system, respectively. ‘ “
 ‘ (51)

If m , 0 , and U denote the qubit™s and the probe™s
initial states and the unitary interaction, respectively,
“ ‘
  “) (52)

then the state of the qubit received by Bob is given by
’ ←
the density matrix obtained by tracing out Eve™s probe:   ’, (53)

TrHEve U m ,0 m ,0 U † .
m (45) where

The symmetry of the BB84 protocol makes it very natu-
, (54)
’ ‘ ‘ “ “
ral to assume that Bob™s state is related to Alice™s m by 2
a simple shrinking factor50 0,1 (see Fig. 29):
1 m . (55)
’ ‘ ‘ “ “
m . (46)
Eavesdropping attacks that satisfy the above condition
are called symmetric-attacks.
, (56)
← ‘ ‘ “ “
Since the qubit state space is two dimensional, the 2
unitary operator is entirely determined by its action on
two states, for example, the ‘ and “ states (in this . (57)
← ‘ ‘ “ “
section we use spin- 2 notation for the qubits). After the
unitary interaction, it is convenient to write the states in Condition (46) for the ’ , ← basis implies that
the Schmidt form (Peres, 1997):
’ and ← ← . By proper choice of the phases,

U ‘,0 ‘ “ ‘ “ can be made real. By condition (49), “ is
  ‘, (47) ‘

then also real. Symmetry implies that ’ ← Re. A
U “,0 “ ‘
  “, (48)
“ straightforward computation concludes that all scalar
products among Eve™s states are real and that the ™s
where the four states ‘ , “ , ‘ , and “ belong to the
Hilbert space of Eve™s probe HEve and satisfy ‘ ‘ and generate a subspace orthogonal to the ™s:
F and ‘ 2
2 2 2
“ . By symmetry
“ ‘ “ “ 0. (58)
‘ “ “ ‘
D. Unitarity imposes F D 1 and
F, i.e., that the shrinking is the
Finally, using ’
same for all states, one obtains a relation between the
probe states™ overlap and the ¬delity:
Fuchs and Peres were the ¬rst to derive the result presented
in this section, using numerical optimization. Almost simulta-
neously, it was derived by Robert Grif¬ths and his student
Chi-Sheng Niu under very general conditions, and by Nicolas Actually, Niu and Grif¬ths (1999) showed that two-
Gisin using the symmetry argument presented here. These ¬ve dimensional probes suf¬ce for Eve to get as much information
authors joined forces to produce a single paper (Fuchs et al., as with the strategy presented here, though in their case the
1997). The result of this section is thus also valid without this attack is not symmetric (one basis is more disturbed than the
symmetry assumption. other).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
184 Gisin et al.: Quantum cryptography

ˆ‘ ˆ“
F , (59)
ˆ‘ ˆ“ ˆ‘ ˆ“
where the hats denote normalized states, e.g., ˆ ‘
Consequently the entire class of symmetric individual
attacks depends only on two real parameters:52 cos(x)
ˆ ‘ ˆ “ and cos(y) ˆ ‘ ˆ “ .
Thanks to symmetry, it suf¬ces to analyze this sce-
nario for the case when Alice sends the ‘ state and
Bob measures in the ‘,“ basis (if not, Alice, Bob, and
Eve disregard the data). Since Eve knows the basis, she
knows that her probe is in one of the following two
mixed states:
FIG. 30. Eve™s and Bob™s information vs the QBER, here plot-
‘ FP DP , (60)
‘ ‘
Eve ted for incoherent eavesdropping on the four-state protocol.
For QBER™s below QBER0 , Bob has more information than
“ FP DP . (61)
“ “
Eve, and secret-key agreement can be achieved using classical
An optimum measurement strategy for Eve to distin- error correction and privacy ampli¬cation, which can, in prin-
guish between Eve (‘) and Eve (“) consists in ¬rst de- ciple, be implemented using only one-way communication.
termining whether her state is in the subspace generated The secret-key rate can be as large as the information differ-
by ‘ and “ or the one generated by ‘ and “ . This is ences. For QBER™s above QBER0 ( D0 ), Bob has a disad-
possible, since the two subspaces are mutually orthogo- vantage with respect to Eve. Nevertheless, Alice and Bob can
nal. Eve must then distinguish between two pure states apply quantum privacy ampli¬cation up to the QBER corre-
with an overlap of either cos x or cos y. The ¬rst alterna- sponding to the intercept-resend eavesdropping strategies (IR4
tive occurs with probability F, the second with probabil- and IR6 for the four-state and six-state protocols, respectively).
ity D. The optimal measurement distinguishing two Alternatively, they can apply a classical protocol called advan-
states with overlap cos x is known to provide Eve with tage distillation, which is effective up to precisely the same
the correct guess with probability 1 sin(x) /2 (Peres, maximal QBER IR4 and IR6 . Both the quantum and the clas-
1997). Eve™s maximal Shannon information, attained sical protocols require two-way communication. Note that for
when she performs the optimal measurements, is thus the eavesdropping strategy that will be optimal, from Eve
Shannon point of view, on the four-state protocol, QBER0
given by
should correspond precisely to the noise threshold above
1 sin x which a Bell™s inequality can no longer be violated.
F• 1 h
I ,
1 sin y Once Alice, Bob, and Eve have measured their quan-
D• 1 h , (62)
2 tum systems, they are left with classical random vari-
ables , , and , respectively. Secret-key agreement be-
where h(p) p log2(p) (1 p)log2(1 p). For a given
tween Alice and Bob is then possible using only error
error rate D, this information is maximal when x y.
correction and privacy ampli¬cation if and only if the
Consequently, for D 1 cos(x) /2, one obtains:
Alice-Bob mutual Shannon information I( , ) is
1 sin x greater than the Alice-Eve or the Bob-Eve mutual
I max , 1h . (63)
information,53 I( , ) I( , ) or I( , ) I( , ). It is
thus interesting to compare Eve™s maximal information
This provides the explicit and analytic optimum eaves-
[Eq. (64)] with Bob™s Shannon information. The latter
dropping strategy. For x 0 the QBER (i.e., D) and the
depends only on the error rate D:
information gain are both zero. For x /2 the QBER is
2 and the information gain 1. For small QBER™s, the 1 hD
I , (65)
information gain grows linearly:
1 D log2 D 1 D log2 1 D . (66)
max 2
I , 2.9D. (64) Bob™s and Eve™s information are plotted in Fig. 30. As
ln 2
expected, for low error rates D, Bob™s information is
greater. But, more errors provide Eve with more infor-
Interestingly, when the symmetry is extended to a third
maximally conjugated basis, as is natural in the six-state pro-
Note, however, that if this condition is not satis¬ed, other
tocol of Sec. II.D.2, the number of parameters reduces to one.
protocols might sometimes be used; see Sec. II.C.5. These pro-
This parameter measures the relative quality of Bob™s and
tocols are signi¬cantly less ef¬cient and are usually not consid-
Eve™s ˜˜copy™™ of the qubit sent by Alice. When both copies are
ered as part of ˜˜standard™™ QC. Note also that, in the scenario
of equal quality, one recovers the optimal cloning presented in
analyzed in this section, I( , ) I( , ).
Sec. II.F (Bechmann-Pasquinucci and Gisin, 1999).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

mation, while decreasing Bob™s information. Hence both or equivalently if some perturbing Eve acts on the chan-
information curves cross at a speci¬c error rate D0 : nel, then the quantum correlation E(a,b D) is reduced:

1 1/& E a,b D F•E a,b D•E a,b (70)
”D D0
I max
I , , 15%. (67)
1 2D •E a,b , (71)
Consequently the security criterion against individual at-
tacks for the BB84 protocol is
where E(a,b) denotes the correlation for the unper-
turbed channel. The achievable amount of violation is
1 1/&
BB84 secure”D D0 then reduced to S max(D) (1 2D)2&, and for large
. (68)
2 perturbations no violation at all can be achieved. Inter-
estingly, the critical perturbation D up to which a viola-
For QBER™s greater than D0 , no (one-way communi- tion can be observed is precisely the same D0 as the limit
cation) error correction and privacy ampli¬cation proto- derived in the previous section for the security of the
col can provide Alice and Bob with a secret key that is BB84 protocol:
immune to any individual attacks.
Let us mention that there exists a class of more gen-
1 1/&
eral classical protocols, called advantage distillation (Sec. S max D 2”D D0 . (72)
II.C.5), which uses two-way communication. These pro-
tocols can guarantee secrecy if and only if Eve™s inter-
vention does not disentangle Alice and Bob™s qubits (as- This is a surprising and appealing connection between
suming they use the Ekert version of the BB84 protocol; the security of QC and tests of quantum nonlocality.
Gisin and Wolf, 2000). If Eve optimizes her Shannon One could argue that this connection is quite natural,
information as discussed in this section, this disentangle- since, if Bell™s inequality were not violated, then quan-
ment limit corresponds to a QBER 1 1/& 30% (Gi- tum mechanics would be incomplete, and no secure
sin and Wolf, 1999). However, using more brutal strate- communication could be based on such an incomplete
gies, Eve can disentangle Alice and Bob™s qubits for a theory. In some sense, Eve™s information is like probabi-
QBER of 25%; see Fig. 30. The latter is thus the abso- listic local hidden variables. However, the connection
lute upper limit, taking into account the most general between Eqs. (68) and (72) has not been generalized to
secret-key protocols. In practice, the limit (67) is more other protocols. A complete picture of these connec-
realistic, since advantage distillation algorithms are tions is thus not yet available.
much less ef¬cient than classical privacy ampli¬cation Let us emphasize that nonlocality plays no direct role
algorithms. in QC. Indeed, Alice is generally in Bob™s absolute past.
Nevertheless, Bell™s inequality can be violated by space-
F. Connection to Bell™s inequality like separated events as well as by timelike separated
events. However, the independence assumption neces-
There is an intriguing connection between the tight- sary to derive Bell™s inequality is justi¬ed by locality con-
bound [Eq. (68)] and the Clauser-Horne-Shimony-Holt siderations only for spacelike separated events.
(CHSH) form of Bell™s inequality (Bell, 1964; Clauser
et al., 1969; Clauser and Shimony, 1978; Zeilinger, 1999):

S Ea E a,b E a ,b E a ,b 2. (69)
G. Ultimate security proofs
Here E(a,b) is the correlation between Alice and Bob™s
data when measuring a  1 and 1 b , where a de- The security proof of QC with a perfect apparatus and
notes an observable with eigenvalues 1 parametrized a noise-free channel is straightforward. However, the
by the label a. Recall that Bell™s inequalities are neces- fact that security can still be proven for an imperfect
sarily satis¬ed by all local models but are violated by apparatus and noisy channels is far from obvious.
quantum mechanics.54 To establish this connection, as- Clearly, something has to be assumed about the appara-
sume that the same quantum channel is used to test tus. In this section we simply make the hypothesis that
Bell™s inequality. It is well known that, for error-free they are perfect. For the channel that is not under Alice
channels, a maximal violation by a factor & is achiev- and Bob™s control, however, nothing is assumed. The
question is then Up to what QBER can Alice and Bob
able: S max 2& 2. However, if the channel is imperfect,
apply error correction and privacy ampli¬cation to their
classical bits? In the previous sections we found that the
threshold is close to a QBER of 15%, assuming indi-
vidual attacks. In principle Eve could manipulate several
Let us stress that the CHSH-Bell™s inequality is the stron-
qubits coherently. How much help to Eve this possibility
gest possible for two qubits. Indeed, this inequality is violated
provides is still unknown, though some bounds are
if and only if the correlation cannot be reproduced by a local
known. In 1996, Dominic Mayers (1996b) presented the
hidden-variable model (Pitowski, 1989).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
186 Gisin et al.: Quantum cryptography

main ideas on how to prove security.55 In 1998, two ma-
jor papers were made public on the Los Alamos archives
(Mayers, 1998, and Lo and Chau, 1999). Today, these
proofs are generally considered valid, thanks to the
work of”among others”Shor and Preskill (2000), In-
amori et al. (2001), and Biham et al. (1999). However, it
is worth noting that during the ¬rst few years after the
initial disclosure of these proofs, hardly anyone in the
community understood them.
Here we shall present the argument in a form quite
different from the original proofs. Our presentation
aims at being transparent in the sense that it rests on two
theorems. The proofs of the theorems are dif¬cult and FIG. 31. Intuitive illustration of Theorem 1. The initial situa-
will be omitted. However, their claims are easy to under- tion is depicted in (a). During the one-way public discussion
stand and rather intuitive. Once one accepts the theo- phase of the protocol, Eve receives as much information as
rems, the security proof is straightforward. Bob; the initial information difference thus remains. After
The general idea is that at some point Alice, Bob, and error correction, Bob™s information equals 1, as illustrated in
Eve perform measurements on their quantum systems. (b). After privacy ampli¬cation Eve™s information is zero. In
The outcomes provide them with classical random vari- (c) Bob has replaced with random bits all bits to be disre-
garded. Hence the key still has its original length, but his in-
ables , , and , respectively, with P( , , ) the joint
formation has decreased. Finally, in (d) removal of the random
probability distribution. The ¬rst theorem, a standard of
bits shortens the key to the initial information difference. Bob
classical information-based cryptography, states the nec-
has full information on this ¬nal key, while Eve has none.
essary and suf¬cient condition on P( , , ) for Alice
and Bob to extract a secret key from P( , , ) (Csiszar
and Korner, 1978). The second theorem is a clever ver- Since error correction and privacy ampli¬cation can be
sion of Heisenberg™s uncertainty relation expressed in implemented using only one-way communication, Theo-
terms of available information (Hall, 1995): it sets a rem 1 can be understood intuitively as follows. The ini-
bound on the sum of the information about Alice™s key tial situation is depicted in Fig. 31(a). During the public
available to Bob and to Eve. phase of the protocol, because of the one-way commu-
Theorem 1. For a given P( , , ), Alice and Bob can nication, Eve receives as much information as Bob. The
establish a secret key (using only error correction and initial information difference thus remains. After error
classical privacy ampli¬cation) if and only if I( , ) correction, Bob™s information equals 1, as illustrated in
I( , ) or I( , ) I( , ), where I( , ) H( ) Fig. 31(b). After privacy ampli¬cation Eve™s information
H( ) denotes the mutual information and H is the is zero. In Fig. 31(c) Bob has replaced all bits to be
Shannon entropy. disregarded by random bits. Hence the key still has its
Theorem 2. Let E and B be two observables in an original length, but his information has decreased. Fi-
N-dimensional Hilbert space. Let , , , and be nally, upon removal of the random bits, the key is short-
the corresponding eigenvalues and eigenvectors, respec- ened to the initial information difference ; see Fig.
tively, and let c max , . Then 31(d). Bob has full information about this ¬nal key,
while Eve has none.
I , I , 2 log2 Nc , (73)
The second theorem states that if Eve performs a
where I( , ) H( ) H( ) and I( , ) H( ) measurement providing her with some information
H( ) are the entropy differences corresponding to I( , ), then, because of the perturbation, Bob™s infor-
the probability distribution of the eigenvalues prior to mation is necessarily limited. Using these two theorems,
and deduced from any measurement by Eve and Bob, the argument now runs as follows. Suppose Alice sends
respectively. out a large number of qubits and that n are received by
The ¬rst theorem states that Bob must have more in- Bob in the correct basis. The relevant Hilbert space™s
formation about Alice™s bits than does Eve (see Fig. 31).
dimension is thus N 2 n . Let us relabel the bases used
for each of the n qubits such that Alice uses n times the
x basis. Hence Bob™s observable is the n-time tensor
product x  ¯  x . By symmetry, Eve™s optimal infor-
One of the authors (N.G.) vividly remembers the 1996 In-
stitute for Scienti¬c Interchange workshop in Torino, Italy, mation about the correct bases is precisely the same as
sponsored by Elsag Bailey, where he ended his talk by stress- her optimal information about the incorrect ones (May-
ing the importance of security proofs. Dominic Mayers stood
ers, 1998). Hence one can bound her information, as-
up, gave some explanation, and wrote a formula on a transpar-
z  ¯  z . Accordingly, c
suming she measures
ency, claiming that this was the result of his proof. We think it n/2
2 , and Theorem 2 implies
is fair to say that no one in the audience understood Mayers™
explanation. However, N.G. kept the transparency, and it con- 2 log2 2 n 2 n/2
I , I , n. (74)
tains the basic Eq. (75) (up to a factor of 2, which corresponds
That is, the sum of Eve™s and Bob™s information per qu-
to an improvement of Mayer™s result obtained in 2000 by Shor
bit is less than or equal to 1. This result is quite intuitive:
and Preskill, using ideas from Lo and Chau).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

degree of freedom encoding the qubits.56 Such measure-
together, Eve and Bob cannot receive more information
than is sent out by Alice! Next, combining the bound ments are sometimes called quantum nondemolition
(74) with Theorem 1, one deduces that a secret key is measurements, because they do not perturb the qubit; in
particular they do not destroy the photons. This is pos-
achievable whenever I( , ) n/2. Using I( , ) n 1
D log2(D) (1 D)log2(1 D) , one obtains the suf¬- sible because Eve knows in advance that Alice sends a
cient condition on the error rate D (i.e., the QBER): mixture of states with well-de¬ned photon numbers57
(see Sec. II.F). Next, if Eve ¬nds more than one photon,
D log2 D 1 D log2 1 D she keeps one and sends the other(s) to Bob. In order to
, (75)
2 prevent Bob from detecting a lower qubit rate, Eve must
use a channel with lower losses. Using an ideally lossless
i.e., D 11%.
quantum channel, Eve can even, under certain condi-
This bound, QBER 11%, is precisely that obtained
tions, keep one photon and increase the probability that
in Mayers™s proof (after improvement by Shor and
pulses with more than one photon get to Bob! Finally,
Preskill, 2000). The above proof is, strictly speaking,
when Eve ¬nds one photon, she may destroy it with
only valid if the key is much longer than the number of
some probability that she does not affect the total num-
qubits that Eve attacks coherently, so that the Shannon
ber of qubits received by Bob. Consequently, if the prob-
information we used represents averages over many in-
ability that a nonempty pulse has more than one photon
dependent realizations of classical random variables. In
(on Alice™s side) is greater than the probability that a
other words, assuming that Eve can coherently attack a
nonempty pulse is detected by Bob, then Eve can get
large but ¬nite number n 0 of qubits, Alice and Bob can
full information without introducing any perturbation.
use the above proof to secure keys much longer than n 0
This is possible only when the QC protocol is not per-
bits. If one assumes that Eve has unlimited power and is
fectly implemented, but it is a realistic situation (Hutt-
able to attack coherently any number of qubits, then the
ner et al., 1995; Yuen, 1997).
above proof does not apply, but Mayers™s proof can still
Quantum nondemolition atacks have recently re-
be used and provides precisely the same bound.
ceived a lot of attention (Brassard et al., 2000; Lutken-
This 11% bound for coherent attacks is clearly com-
haus, 2000). The debate is not yet settled. We would like
patible with the 15% bound found for individual attacks.
to argue that it might be unrealistic, or even unphysical,
The 15% bound is also necessary, since an explicit eaves-
to assume that Eve can perform ideal quantum non-
dropping strategy reaching this bound is presented in
demolition attacks. Indeed, she ¬rst needs the capacity
Sec. VI.E. It is not known what happens in the interme-
to perform quantum nondemolition photon-number
diate range 11% QBER 15%, but the following sce-
measurements. Although impossible with today™s tech-
nario is plausible. If Eve is limited to coherent attacks
nology, this is a reasonable assumption (Nogues et al.,
on a ¬nite number of qubits, then in the limit of arbi-
1999). Next, she should be able to keep her photon until
trarily long keys, she has a negligibly small probability
Alice and Bob reveal the basis. In principle, this could
that the bits combined by Alice and Bob during the er-
be achieved using a lossless channel in a loop. We dis-
ror correction and privacy ampli¬cation protocols origi-
cuss this eventuality below. Another possibility would be
nate from qubits attacked coherently. Consequently, the
for Eve to map her photon to a quantum memory. This
15% bound would still be valid (partial results in favor
does not exist today but might well exist in the future.
of this conjecture can be found in Cirac and Gisin, 1997
Note that the quantum memory should have essentially
and Bechmann-Pasquinucci and Gisin, 1999). However,
unlimited decoherence time, since Alice and Bob could
if Eve has unlimited power, in particular, if she can co-
easily wait for minutes before revealing the bases.58 Fi-
herently attack an unlimited number of qubits, then the
nally, Eve must access a lossless channel, or at least a
11% bound might be required.
channel with lower losses than that used by Alice and
To conclude this section, let us stress that the above
security proof applies equally to the six-state protocol
(Sec. II.D.2). It also extends in a straightforward
For polarization coding, this is quite clear, but for phase
fashion to protocols using larger alphabets (Bechmann-
coding one may think (incorrectly) that phase and photon
Pasquinucci and Peres, 2000; Bechmann-Pasquinucci
number are incompatible. However, the phase used for encod-
and Tittel, 2000; Bourennane, Karlsson, and Bjorn, 2001;
ing is a relative phase between two modes. Whether these
Bourennane, Karlsson, Bjorn, Gisin, and Cerf, 2001).
modes are polarization modes or correspond to different times
(determined, for example, by the relative length of interferom-
eters), does not matter.
Recall that a mixture of coherent states e i with a
random phase , as produced by lasers when no phase refer-
H. Photon number measurements and lossless channels ence is available, is equal to a mixture of photon number states
2 i
n with Poisson statistics: 0e (d /2 )
In Sec. III.A we saw that all real photon sources have n 2
n 0( /n!) e n n , where .
a ¬nite probability of emittting more than one photon. If 58
The quantum part of the protocol could run continuously,
all emitted photons encode the same qubit, Eve can take storing large amounts of raw classical data, but the classical
advantage of this. In principle, she can ¬rst measure the part of the protocol, which processes these raw data, could
number of photons in each pulse without disturbing the take place just seconds before the key is used.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
188 Gisin et al.: Quantum cryptography

Bob. This might be the trickiest point. Indeed, besides
using a shorter channel, what can Eve do? Telecommu-
nications ¬bers are already at the physical limits of what
can be achieved (Thomas et al., 2000). The loss is almost
entirely due to Rayleigh scattering, which is unavoid-
able: solve the Schrodinger equation in a medium with
inhomogeneities and you get scattering. When the inho-
mogeneities are due to the molecular stucture of the
medium, it is dif¬cult to imagine lossless ¬bers. The
FIG. 32. Realistic beamsplitter attack. Eve stops all pulses.
0.18-dB/km attenuation in silica ¬bers at 1550 nm is a
The two photon pulses have a 50% probability of being ana-
lower bound imposed by physics rather then
lyzed by the same analyzer. If this analyzer is compatible with
technology.59 Note that using air is not a viable solution,
the state prepared by Alice, then both photons are detected
since attenuation at telecommunications wavelengths is
with the same outcome; if not, there is a 50% chance that they
rather high. Vacuum, the only way to avoid Rayleigh are detected with the same outcome. Hence there is a prob-
scattering, also has limitations, due to diffraction, again 3
ability of 8 that Eve detects both photons with the same out-
an unavoidable physical phenomenon. In the end, it come. In such a case, and only in such a case, she resends a
seems that Eve has only two possibilities left. Either she 2
photon to Bob. In 3 of these cases she introduces no errors,
uses teleportation (with extremely high success prob- since she has identi¬ed the correct state and gets full informa-
ability and ¬delity) or she converts the photons to an- tion; in the remaining cases she has a 50% probability of in-
other wavelength (without perturbing the qubit). Both troducing an error and gains no information. The total QBER
1 2
of these ˜˜solutions™™ seem unrealistic in the foreseeable is thus 6, and Eve™s information gain is 3.
Consequently, when considering the type of attacks
state into Bob™s apparatus. Since Eve™s information is
discussed in this section, it is essential to distinguish the
classical, she can overcome all the losses of the quantum
ultimate proofs from the practical ones. Indeed, the as-
channel. In all other cases, Eve sends nothing to Bob. In
sumptions about the defects of Alice and Bob™s appara- 3
this way, Eve sends a fraction ( 8 ) of the pulses contain-
tuses must be very speci¬c and might thus be of limited
ing at least two photons to Bob. She introduces a QBER
interest, while for practical considerations these assump- 1 2
of 6 and gets information I(A,E) 3 4•QBER. Bob
tions must be very general and might thus be excessive.
does not see any reduction in the number of detected
photons, provided that the transmission coef¬cient of
the quantum channel t satis¬es
I. A realistic beamsplitter attack
3 3
t Prob n 2 n 1 , (76)
The attack presented in the previous section takes ad- 8 16
vantage of pulses containing more than one photon.
where the last expression assumes Poissonian photon
However, as discussed, it uses unrealistic assumptions. In
distribution. Accordingly, for a ¬xed QBER, this attack
this section, following Dusek et al. (2000) and Lutken-
provides Eve with twice the information she would get
haus (2000), we brie¬‚y comment on a realistic attack
from using the intercept-resend strategy. To counter
that, also exploits multiphoton pulses (for details, see
such an attack, Alice should use a mean photon number
Felix et al., 2001, where this and other examples are pre-
such that Eve can use this attack on only a fraction of
sented). Assume that Eve splits all pulses in two, analyz-
the pulses. For example, Alice could use pulses weak
ing each half in one of the two bases, using photon
enough that Eve™s mean information gain is identical to
counting devices able to distinguish between pulses with
what she would obtain with the simple intercept-resend
0, 1, and 2 photons (see Fig. 32). In practice this could be
strategy (see Sec. II.C.3). For 10-, 14-, and 20-dB attenu-
realized using many single-photon counters in parallel.
ation, this corresponds to 0.25, 0.1, and 0.025, respec-
This requires nearly perfect detectors, but at least one
does not need to assume technology completely out of
today™s realm. Whenever Eve detects two photons in the
same output, she sends a photon in the corresponding
J. Multiphoton pulses and passive choice of states

Multiphoton pulses do not necessarily constitute a
Photonics crystal ¬bers have the potential to overcome the threat to key security, but they limit the key creation
Rayleigh scattering limit. There are two kinds of such ¬bers. rate because they imply that more bits must be dis-
The ¬rst kind guides light by total internal re¬‚ection, as in carded during key distillation. This fact is based on the
ordinary ¬bers. In these ¬bers most of the light also propagates
assumption that all photons in a pulse carry the same
in silica, and thus the loss limit is similar. In the second kind,
qubit, so that Eve does not need to copy the qubit going
most of the light propagates in air. Thus the theoretical loss
to Bob, but merely keeps the copy that Alice inadvert-
limit is lower. However, today the losses are extremely high, in
ently provides. When using weak pulses, it seems un-
the range of hundreds of dB/km. The best reported result that
avoidable that all the photons in a pulse carry the same
we are aware of is 11 dB/km, and it was obtained with the ¬rst
qubit. However, in two-photon implementations, each
kind of ¬ber (Canning et al., 2000).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

photon on Alice™s side independently chooses a state [in this class of attacks exists illustrates that the security of
the experiments of Ribordy et al. (2001) and Tittel et al. QC can never be guaranteed by the principles of
(2000), each photon randomly chooses both its basis and quantum mechanics only, but must necessarily rely on
measures that are subject to discussion.60
its bit value; in the experiments of Naik et al. (2000) and technical
Jennewein, Simon, et al. (2000), only the bit value choice
is random]. Hence, when two photon pairs are simulta-
neously produced, the two twins carry independent qu-
bits by accident. Consequently, Eve cannot take advan- L. Real security: Technology, cost, and complexity
tage of such multiphoton twin pulses. This might be one
Despite the elegance and generality of security proofs,
of the main advantages of two-photon schemes over the
the ideal of a QC system whose security relies entirely
much simpler weak-pulse schemes. But the multiphoton
on quantum principles is unrealistic. The technological
problem is then on Bob™s side, which gets a noisy signal,
implementation of abstract principles will always be
consisting partly of photons not in Alice™s state.
questionable. It is likely that they will remain the weak-
est point in all systems. Moreover, one should remember
K. Trojan horse attacks
the obvious relation:
All eavesdropping strategies discussed up to this point In¬nite security’In¬nite cost
have consisted of Eve™s attempt to get a maximum infor-
’Zero practical interest . (77)
mation from the qubits exchanged by Alice and Bob.
However, Eve can also pursue a completely different On the other hand, however, one should not underes-
strategy: she can herself send signals that enter Alice timate the following two advantages of QC. First, it is
and Bob™s of¬ces through the quantum channel. This much easier to forecast progress in technology than in
kind of strategy is called a Trojan horse attack. For ex- mathematics: the danger that QC will break down over-
ample, Eve can send light pulses into the ¬ber entering night is negligible, in contrast to public-key cryptosys-
Alice™s or Bob™s apparatus and analyze the backre¬‚ected tems. Next, the security of QC depends on the techno-
light. In this way, it is in principle possible to detect logical level of the adversary at the time of the key
which laser just ¬‚ashed, which detector just ¬red, or the exchange, in contrast to complexity-based systems whose
settings of phase and polarization modulators. This can- coded message can be registered and broken thanks to
not be prevented by simply using a shutter, since Alice future progress. The latter point is relevant for secrets
and Bob must leave the ˜˜door open™™ for the photons to whose value lasts many years.
exit and enter, respectively. One often points to low bit rate as one of the current
In most QC setups the amount of backre¬‚ected light limitations of QC. However, it is important to stress that
can be made very small, and sensing the apparatus with QC need not be used in conjunction with one-time-pad
light pulses through the quantum channel is dif¬cult. encryption. It can also be used to provide a key for a
Nevertheless, this attack is especially threatening in the symmetrical cipher such as AES, whose security is
plug-and-play scheme on Alice™s side (Sec. IV.C.2), since greatly enhanced by frequent key changes.
a mirror is used to send the light pulses back to Bob. To conclude this section, let us brie¬‚y elaborate on the
Thus, in principle, Eve can send strong light pulses to differences and similarities between technological and
Alice and sense the applied phase shift. However, by mathematical complexity and on their possible connec-
applying the phase shift only during a short time t phase tions and implications. Mathematical complexity means
(a few nanoseconds), Alice can oblige Eve to send the that the number of steps needed to run complex algo-
spying pulse at the same time as Bob. Remember that in rithms increases exponentially as the size of the input
the plug-and-play scheme, pulses coming from Bob are grows linearly. Similarly, one can de¬ne the technologi-
macroscopic and an attenuator at Alice™s end reduces cal complexity of a quantum computer as an exponen-
them to below the one-photon level, say, 0.1 photons per tially increasing dif¬culty to process coherently all the
pulse. Hence, if Eve wants to get, say, one photon per qubits necessary to run a (noncomplex) algorithm on a
pulse, she has to send ten times Bob™s pulse energy. linearly growing number of input data. It might be inter-
Since Alice is detecting Bob™s pulses for triggering her esting to consider the possibility that the relationship
apparatus, she must be able to detect an increase in en- between these two concepts of complexity is deeper. It
ergy of these pulses in order to reveal the presence of a could be that the solution of a problem requires either a
spying pulse. This is a relatively easy task, provided that complex classical algorithm or a quantum algorithm that
itself requires a complex quantum computer.61
Eve™s pulses look the same as Bob™s. However, Eve could
of course use another wavelength or ultrashort pulses
(or very long pulses with low intensity, hence the impor-
tance of t phase ); therefore Alice must introduce an op- 60
Another technological loophole, recently pointed out by
tical bandpass ¬lter with a transmission spectrum corre- Kurtsiefer et al. (2001), is the possible information leakage
sponding to the sensitivity spectrum of her detector and caused by light emitted by APD™s during their breakdown.
choose a t phase that ¬ts the bandwidth of her detector. 61
Penrose (1994) pushes these speculations even further, sug-
There is no doubt that Trojan horse attacks can be gesting that spontaneous collapses stop quantum computers
prevented by technical measures. However, the fact that whenever they try to compute beyond a certain complexity.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
190 Gisin et al.: Quantum cryptography

VII. CONCLUSIONS QC could well be the ¬rst application of quantum me-
chanics at the single-quantum level. Experiments have
Quantum cryptography is a fascinating illustration of demonstrated that keys can be exchanged over distances
the dialog between basic and applied physics. It is based of a few tens of kilometers at rates on the order of at
on a beautiful combination of concepts from quantum least a thousand bits per second. There is no doubt that
physics and information theory and made possible by the technology can be mastered and the question is not
whether QC will ¬nd commercial applications, but
the tremendous progress in quantum optics and the
when. At present QC is still very limited in distance and
technology of optical ¬bers and free-space optical com-
in secret bit rate. Moreover, public-key systems domi-
munication. Its security principle relies on deep theo-
nate the market and, being pure software, are tremen-
rems in classical information theory and on a profound
dously easier to manage. Every so often, we hear in the
understanding of Heisenberg™s uncertainty principle, as
news that some classical cryptosystem has been broken.
illustrated by Theorems 1 and 2 in Sec. VI.G (the only
This would be impossible with properly implemented
mathematically involved theorems in this review). Let us
QC. But this apparent strength of QC might turn out to
also emphasize the important contributions of QC to
be its weak point: security agencies would be equally
classical cryptography: privacy ampli¬cation and classi-
unable to break quantum cryptograms!
cal bound information (Secs. II.C.4 and II.C.5) are ex-
amples of concepts in classical information whose dis-
covery were much inspired by QC. Moreover, the
fascinating tension between quantum physics and rela-
tivity, as illustrated by Bell™s inequality, is not far away, This work was supported by the Swiss Fonds National
as discussed in Sec. VI.F. Now, despite signi¬cant de la Recherche Scienti¬que (FNRS) and the European
progress in recent years, many open questions and tech- Union projects European Quantum Cryptography and
nological challenges remain. Single-Photon Optical Technologies (EQCSPOT) and
One technological challenge at present concerns im- Long-Distance Photonic Quantum Communication
proved detectors compatible with telecommunications ´´
(QUCOMM) ¬nanced by the Swiss Of¬ce Federal de
¬bers. Two other issues concern free-space QC and l™Education et de la Science (OFES). The authors would
quantum repeaters. The former is currently the only way also like to thank Richard Hughes for providing Fig. 8,
to realize QC over thousands of kilometers using the and acknowledge Charles H. Bennett and Paul G. Kwiat
technology of the near future (see Sec. IV.E). The idea for their very careful reading of the manuscript and their
of quantum repeaters (Sec. III.E) is to encode the qubits helpful remarks.
in such a way that if the error rate is low, then errors can
be detected and corrected entirely in the quantum do-
main. The hope is that such techniques could extend the REFERENCES
range of quantum communication to essentially unlim-
ited distances. Indeed, Hans Briegel, then at the Univer- Ardehali, M., H. F. Chau, and H.-K. Lo, 1998, ˜˜Ef¬cient quan-
sity of Innsbruck, and co-workers (1998) showed that tum key distribution,™™ preprint quant-ph/9803007.
the number of additional qubits needed for quantum re- Aspect, A., J. Dalibard, and G. Roger, 1982, ˜˜Experimental
peaters can be made smaller than the numbers of qubits test of Bell™s inequalities using time-varying analyzers,™™ Phys.
needed to improve the ¬delity of the quantum channel Rev. Lett. 49, 1804“1807.
(Dur et al., 1999). One could thus overcome the deco- Bechmann-Pasquinucci, H., and N. Gisin, 1999, ˜˜Incoherent
herence problem. However, the main practical limitation and coherent eavesdropping in the 6-state protocol of quan-
is not decoherence but loss (most photons never get to tum cryptography,™™ Phys. Rev. A 59, 4238“4248.
Bechmann-Pasquinucci, H., and A. Peres, 2000, ˜˜Quantum
Bob, but those that do get there exhibit high ¬delity).
cryptography with 3-state systems,™™ Phys. Rev. Lett. 85,
As for open questions, let us emphasize three main
concerns. First, complete and realistic analyses of the
Bechmann-Pasquinucci, H., and W. Tittel, 2000, ˜˜Quantum
security issues are still missing. Next, ¬gures of merit for
cryptography using larger alphabets,™™ Phys. Rev. A 61,
comparing QC schemes based on different quantum sys-
tems (with different dimensions, for example) are still
Bell, J. S., 1964, ˜˜On the problem of hidden variables in quan-
awaited. Finally, the delicate question of how to test the
tum mechanics,™™ Rev. Mod. Phys. 38, 447“452 [reprinted in
apparatuses has not yet received enough attention. In-
Bell, J. S., 1987, Speakable and Unspeakable in Quantum Me-
deed, a potential customer of quantum cryptography
chanics (Cambridge University, Cambridge, England)].
buys con¬dence and secrecy, two qualities hard to quan- Bennett, C. H., 1992, ˜˜Quantum cryptography using any two
tify. Interestingly, both of these issues are connected to nonorthogonal states,™™ Phys. Rev. Lett. 68, 3121“3124.
Bell™s inequality (see Secs. VI.F and VI.B). Clearly, this Bennett, C. H., F. Bessette, G. Brassard, L. Salvail, and J. Smo-
connection cannot be phrased in the old context of local lin, 1992, ˜˜Experimental quantum cryptography,™™ J. Cryptol-
hidden variables, but rather in the context of the secu- ogy 5, 3“28.
rity of tomorrow™s communications. Here, as in the en- Bennett, C. H., and G. Brassard, 1984, in Proceedings of the
tire ¬eld of quantum information, old concepts are re- IEEE International Conference on Computers, Systems and
newed by looking at them from a fresh perspective: let Signal Processing, Bangalore, India, (IEEE, New York), pp.
us exploit quantum weirdness. 175“179.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
Gisin et al.: Quantum cryptography

Bennett, C. H., and G. Brassard, 1985, ˜˜Quantum public key Breguet, J., and N. Gisin, 1995, ˜˜New interferometer using a
distribution system,™™ IBM Tech. Discl. Bull. 28, 3153“3163. 3 3 coupler and Faraday mirrors,™™ Opt. Lett. 20, 1447“1449.
´ ´
Bennett, C. H., G. Brassard, C. Crepeau, R. Jozsa, A. Peres, Breguet, J., A. Muller, and N. Gisin, 1994, ˜˜Quantum cryptog-
and W. K. Wootters, 1993, ˜˜Teleporting an unknown quan- raphy with polarized photons in optical ¬bers: experimental
tum state via dual classical and Einstein-Podolsky-Rosen and practical limits,™™ J. Mod. Opt. 41, 2405“2412.
channels,™™ Phys. Rev. Lett. 70, 1895“1899. Brendel, J., W. Dultz, and W. Martienssen, 1995, ˜˜Geometric
Bennett, C. H., G. Brassard, C. Crepeau, and U. M. Maurer, phase in 2-photon interference experiments,™™ Phys. Rev. A
1995, ˜˜Generalized privacy ampli¬cation,™™ IEEE Trans. Inf. 52, 2551“2556.
Theory 41, 1915“1923. Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, ˜˜Pulsed
Bennett, C. H., G. Brassard, and A. Ekert, 1992, ˜˜Quantum energy-time entangled twin-photon source for quantum com-
cryptography,™™ Sci. Am. 267, 50“57. munication,™™ Phys. Rev. Lett. 82, 2594“2597.
Bennett, C. H., G. Brassard, and N. D. Mermin, 1992, ˜˜Quan- Briegel, H.-J., W. Dur, J. I. Cirac, and P. Zoller, 1998, ˜˜Quan-
tum cryptography without Bell™s theorem,™™ Phys. Rev. Lett. tum repeaters: the role of imperfect local operations in quan-
68, 557“559. tum communication,™™ Phys. Rev. Lett. 81, 5932“5935.
Bennett, C. H., G. Brassard, and J.-M. Robert, 1988, ˜˜Privacy Brouri, R., A. Beveratios, J.-P. Poizat, and P. Grangier, 2000,
ampli¬cation by public discussion,™™ SIAM J. Comput. 17, ˜˜Photon antibunching in the ¬‚uorescence of individual col-
210“229. ored centers in diamond,™™ Opt. Lett. 25, 1294“1296.
Berry, M. V., 1984, ˜˜Quantal phase factors accompanying adia- Brown, R. G. W., and M. Daniels, 1989, ˜˜Characterization of
batic changes,™™ Proc. R. Soc. London, Ser. A 392, 45“57. silicon avalanche photodiodes for photon correlation mea-
Bethune, D., and W. Risk, 2000, ˜˜An autocompensating ¬ber- surements. 3: Sub-Geiger operation,™™ Appl. Opt. 28, 4616“
optic quantum cryptography system based on polarization 4621.
splitting of light,™™ IEEE J. Quantum Electron. 36, 340“347. Brown, R. G. W., R. Jones, J. G. Rarity, and K. D. Ridley,
Biham, E., M. Boyer, P. O. Boykin, T. Mor, and V. Roy- 1987, ˜˜Characterization of silicon avalanche photodiodes for
chowdhury, 1999, ˜˜A proof of the security of quantum key photon correlation measurements. 2: Active quenching,™™
distribution,™™ preprint quant-ph/9912053. Appl. Opt. 26, 2383“2389.
Biham, E., and T. Mor, 1997a, ˜˜Security of quantum cryptog- Brown, R. G. W., K. D. Ridley, and J. G. Rarity, 1986, ˜˜Char-
raphy against collective attacks,™™ Phys. Rev. Lett. 78, 2256“ acterization of silicon avalanche photodiodes for photon cor-
1159. relation measurements. 1: Passive quenching,™™ Appl. Opt. 25,
Biham, E., and T. Mor, 1997b, ˜˜Bounds on information and the 4122“4126.
security of quantum cryptography,™™ Phys. Rev. Lett. 79, Brunel, C., B. Lounis, P. Tamarat, and M. Orrit, 1999, ˜˜Trig-
4034“4037. gered source of single photons based on controlled single
Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Jons- molecule ¬‚uorescence,™™ Phys. Rev. Lett. 83, 2722“2725.
son, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, ˜˜Ex- Bruss, D., 1998, ˜˜Optimal eavesdropping in quantum cryptog-
periments on long wavelength (1550 nm) ˜plug and play™ raphy with six states,™™ Phys. Rev. Lett. 81, 3018“3021.
quantum cryptography system,™™ Opt. Express 4, 383“387. Bruss, D., A. Ekert, and C. Macchiavello, 1998, ˜˜Optimal uni-
Bourennane, M., A. Karlsson, and G. Bjorn, 2001, ˜˜Quantum versal quantum cloning and state estimation,™™ Phys. Rev.
key distribution using multilevel encoding,™™ Phys. Rev. A 64, Lett. 81, 2598“2601.
012306. Buttler, W. T., R. J. Hughes, P. G. Kwiat, S. K. Lamoreaux, G.
Bourennane, M., A. Karlsson, G. Bjorn, N. Gisin, and N. Cerf, G. Luther, G. L. Morgan, J. E. Nordholt, C. G. Peterson, and
2001, ˜˜Quantum key distribution using multilevel encoding: C. Simmons, 1998, ˜˜Practical free-space quantum key distri-
security analysis,™™ preprint quant-ph/0106049. bution over 1 km,™™ Phys. Rev. Lett. 81, 3283“3286.
Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Buttler, W. T., R. J. Hughes, S. K. Lamoreaux, G. L. Morgan, J.
Hening, and J. P. Ciscar, 2000, ˜˜Experimental long wave-
E. Nordholt, and C. G. Peterson, 2000, ˜˜Daylight quantum
length quantum cryptography: from single photon transmis-
key distribution over 1.6 km,™™ Phys. Rev. Lett. 84, 5652“5655.
sion to key extraction protocols,™™ J. Mod. Opt. 47, 563“579.
Buzek, V., and M. Hillery, 1996, ˜˜Quantum copying: beyond
Braginsky, V. B., and F. Y. Khalili, 1992, Quantum Measure-
the no-cloning theorem,™™ Phys. Rev. A 54, 1844“1852.
ment (Cambridge University, Cambridge, England).
Cancellieri, G., 1993, Ed., Single-Mode Optical Fiber Measure-
Brassard, G., 1988, Modern Cryptology: A Tutorial, Lecture
ment: Characterization and Sensing (Artech House, Boston).
Notes in Computer Science, Vol. 325 (Springer, New York).
Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kristensen,
Brassard, G., C. Crepeau, D. Mayers, and L. Salvail, 1998, in
and K. Lyytikainen, 2000, ˜˜Complex mode coupling within
Proceedings of Randomized Algorithms, Satellite Workshop
air-silica structured optical ¬bers and applications,™™ Opt.
of the 23rd International Symposium on Mathematical Foun-
Commun. 185, 321“324.
dations of Computer Science, Brno, Czech Republic, edited
Cirac, J. I., and N. Gisin, 1997, ˜˜Coherent eavesdropping strat-
by R. Freivalds (Aachen University, Aachen, Germany), pp.
egies for the 4-state quantum cryptography protocol,™™ Phys.
¨ Lett. A 229, 1“7.
Brassard, G., N. Lutkenhaus, T. Mor, and B. C. Sanders, 2000,
Clarke, R. B. M., A. Che¬‚es, S. M. Barnett, and E. Riis, 2000,


. 3
( 4)