Quantum cryptography - d22izw7byeupn1.cloudfront.net · The idea of quantum cryptography was ﬁrst proposed in the 1970s by Stephen Wiesner2 (1983) and by Charles ... ern cryptology

REVIEWS OF MODERN PHYSICS, VOLUME 74, JANUARY 2002

Quantum cryptography

Nicolas Gisin, Gregoire Ribordy, Wolfgang Tittel, and Hugo Zbinden

Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland

(Published 8 March 2002)

Quantum cryptography could well be the first application of quantum mechanics at thesingle-quantum level. The rapid progress in both theory and experiment in recent years is reviewed,with emphasis on open questions and technological issues.

CONTENTS

I. Introduction 145II. A Beautiful Idea 146

A. The intuition 146B. Classical cryptography 147

1. Asymmetrical (public-key) cryptosystems 1472. Symmetrical (secret-key) cryptosystems 1483. The one-time pad as ‘‘classical

teleportation’’ 148C. The BB84 protocol 149

1. Principle 1492. No-cloning theorem 1493. Intercept-resend strategy 1504. Error correction, privacy amplification, and

quantum secret growing 1505. Advantage distillation 151

D. Other protocols 1521. Two-state protocol 1522. Six-state protocol 1523. Einstein-Podolsky-Rosen protocol 1524. Other variations 153

E. Quantum teleportation as a ‘‘quantum one-timepad’’ 154

F. Optical amplification, quantum nondemolitionmeasurements, and optimal quantum cloning 154

III. Technological Challenges 155A. Photon sources 155

1. Faint laser pulses 1562. Photon pairs generated by parametric

downconversion 1563. Photon guns 157

B. Quantum channels 1581. Single-mode fibers 1582. Polarization effects in single-mode fibers 1583. Chromatic dispersion effects in single-mode

fibers 1604. Free-space links 160

C. Single-photon detection 1611. Photon counting at wavelengths below 1.1

mm 1632. Photon counting at telecommunications

wavelengths 163D. Quantum random-number generators 164E. Quantum repeaters 164

IV. Experimental Quantum Cryptography with FaintLaser Pulses 165A. Quantum bit error rate 166B. Polarization coding 167C. Phase coding 168

1. The double Mach-Zehnder implementation 1702. ‘‘Plug-and-play’’ systems 171

0034-6861/2002/74(1)/145(51)/$35.00 145

D. Frequency coding 173E. Free-space line-of-sight applications 174F. Multi-user implementations 175

V. Experimental Quantum Cryptography with PhotonPairs 175

A. Polarization entanglement 176B. Energy-time entanglement 177

1. Phase coding 1772. Phase-time coding 1793. Quantum secret sharing 180

VI. Eavesdropping 180A. Problems and objectives 180B. Idealized versus real implementation 180C. Individual, joint, and collective attacks 181D. Simple individual attacks: Intercept-resend and

measurement in the intermediate basis 181E. Symmetric individual attacks 182F. Connection to Bell’s inequality 185G. Ultimate security proofs 185H. Photon number measurements and lossless

channels 187I. A realistic beamsplitter attack 188J. Multiphoton pulses and passive choice of states 188K. Trojan horse attacks 189L. Real security: Technology, cost, and complexity 189

VII. Conclusions 190Acknowledgments 190References 190

I. INTRODUCTION

Electrodynamics was discovered and formalized in the19th century. The 20th century was then profoundly af-fected by its applications. A similar adventure may beunderway for quantum mechanics, discovered and for-malized during the last century. Indeed, although the la-ser and semiconductor are already common, applica-tions of the most radical predictions of quantummechanics have only recently been conceived, and theirfull potential remains to be explored by the physicistsand engineers of the 21st century.

The most peculiar characteristics of quantum mechan-ics are the existence of indivisible quanta and of en-tangled systems. Both of these lie at the root of quantumcryptography (QC), which could very well be the firstcommercial application of quantum physics at the single-quantum level. In addition to quantum mechanics, the20th century has been marked by two other major scien-tific revolutions: information theory and relativity. Thestatus of the latter is well recognized. It is less wellknown that the concept of information, nowadays mea-sured in bits, and the formalization of probabilities are

©2002 The American Physical Society

146 Gisin et al.: Quantum cryptography

quite recent,1 although they have a tremendous impacton our daily life. It is fascinating to realize that QC liesat the intersection of quantum mechanics and informa-tion theory and that, moreover, the tension betweenquantum mechanics and relativity—the famousEinstein-Rosen-Podolsky (EPR) paradox (Einsteinet al., 1935)—is closely connected to the security of QC.Let us add a further point for young physicists. Unlikelaser and semiconductor physics, which are manifesta-tions of quantum physics at the ensemble level and canthus be described by semiclassical models, QC, and to aneven greater extent quantum computers, require a fullquantum-mechanical description (this may offer an in-teresting challenge for physicists well trained in thesubtleties of their science).

This review article has several objectives. First, wepresent the basic intuition behind QC. Indeed, the basicidea is so beautiful and simple that every physicist andstudent should be given the pleasure of learning it. Thegeneral principle is then set in the broader context ofmodern cryptology (Sec. II.B) and made more precise(Sec. II.C). Section III discusses the main technologicalchallenges. Then, Secs. IV and V present the most com-mon implementations of QC: the use of weak laserpulses and photon pairs, respectively. Finally, the impor-tant and difficult problems of eavesdropping and secu-rity proofs are discussed in Sec. VI, where the emphasisis more on the diversity of the issues than on formaldetails. We have tried to write the different parts of thisreview in such a way that they can be read indepen-dently.

II. A BEAUTIFUL IDEA

The idea of quantum cryptography was first proposedin the 1970s by Stephen Wiesner2 (1983) and by CharlesH. Bennett of IBM and Gilles Brassard of The Univer-sity of Montreal (1984, 1985).3 However, this idea is sosimple that any first-year student since the infancy ofquantum mechanics could actually have discovered it!Nevertheless, it is only now that the field is matureenough and information security important enough thatphysicists are ready to consider quantum mechanics, notonly as a strange theory good for paradoxes, but also as

1The Russian mathematician A. N. Kolmogorov (1956) iscredited with being the first to have formulated a consistentmathematical theory of probabilities in the 1940s.

2S. Wiesner, then at Columbia University, was the first to pro-pose ideas closely related to QC in the 1970s. However, hisrevolutionary paper did not appear until a decade later. Sinceit is difficult to find, we reproduce his abstract here: The un-certainty principle imposes restrictions on the capacity of certaintypes of communication channels. This paper will show that incompensation for this ‘‘quantum noise,’’ quantum mechanics al-lows us novel forms of coding without analogue in communica-tion channels adequately described by classical physics.

3Artur Ekert (1991) of Oxford University discovered QC in-dependently, though from a different perspective (see Sec.II.D.3).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

a tool for new engineering. Apparently, informationtheory, classical cryptography, quantum physics, andquantum optics first had to develop into mature sci-ences. It is certainly not a coincidence that QC and,more generally, quantum information were developedby a community including many computer scientists andmore mathematically oriented young physicists: broaderinterests than traditional physics were needed.

A. The intuition

Quantum physics is well known for being counterin-tuitive or even bizarre. We teach students that quantumphysics establishes a set of negative rules stating thingsthat cannot be done. For example,

(1) One cannot take a measurement without perturbingthe system.

(2) One cannot determine simultaneously the positionand the momentum of a particle with arbitrarilyhigh accuracy.

(3) One cannot simultaneously measure the polariza-tion of a photon in the vertical-horizontal basis andsimultaneously in the diagonal basis.

(4) One cannot draw pictures of individual quantumprocesses.

(5) One cannot duplicate an unknown quantum state.

This negative viewpoint of quantum physics, due to itscontrast with classical physics, has only recently beenturned positive, and QC is one of the best illustrations ofthis psychological revolution. Indeed, one could charac-terize quantum information processing as the science ofturning quantum conundrums into potentially useful ap-plications.

Let us illustrate this point for QC. One of the basicnegative statements of quantum physics reads

One cannot take a measurement without perturbingthe system (1)

(unless the quantum state is compatible with the mea-surement). The positive side of this axiom can be seenwhen applied to a communication between Alice andBob (the conventional names of the sender and receiver,respectively), provided the communication is quantum,that is, quantum systems, for example, individual pho-tons, carry the information. When this is the case, axiom(1) also applies to eavesdroppers, i.e., to a malicious Eve(the conventional name given to the adversary in cryp-tology). Hence Eve cannot get any information aboutthe communication without introducing perturbationsthat would reveal her presence.

To make this intuition more precise, imagine that Al-ice codes information in individual photons, which shesends to Bob. If Bob receives the photons unperturbed,then, according to the basic axiom (1), the photons werenot measured. No measurement implies that Eve did notget any information about the photons (note that acquir-ing information is synonymous with carrying out mea-surements). Consequently, after exchanging the photons,

147Gisin et al.: Quantum cryptography

Alice and Bob can check whether someone ‘‘was listen-ing’’: they simply compare a randomly chosen subset oftheir data using a public channel. If Bob received thissubset unperturbed, then the logic goes as follows:

No perturbation⇒No measurement

⇒No eavesdropping. (2)

Actually, there are two more points to add. First, inorder to ensure that axiom (1) applies, Alice encodesher information in nonorthogonal states (we shall illus-trate this in Secs. II.C and II.D). Second, as we havepresented it so far, Alice and Bob could discover anyeavesdropper, but only after they have exchanged theirmessage. It would of course be much better to ensuretheir privacy in advance and not afterwards. To achievethis, Alice and Bob complement the above idea with asecond idea, again a very simple one, and one which isentirely classical. Alice and Bob do not use the quantumchannel to transmit information, but only to transmit arandom sequence of bits, i.e., a key. Now, if the key isunperturbed, then quantum physics guarantees that noone has gotten any information about this key by eaves-dropping, i.e., measuring, the quantum communicationchannel. In this case, Alice and Bob can safely use thiskey to encode messages. If, on the other hand, the keyturns out to be perturbed, then Alice and Bob simplydisregard it; since the key does not contain any informa-tion, they have not lost any.

Let us make this general idea somewhat more precise,in anticipation of Sec. II.C. In practice, the individualquanta used by Alice and Bob, often called qubits (forquantum bits), are encoded in individual photons; forexample, vertical and horizontal polarization code forbit values 0 and 1, respectively. The second basis canthen be the diagonal one (645° linear polarization),with 145° coding for bit 1 and 245° for bit 0, respec-tively (see Fig. 1). Alternatively, the circular polarizationbasis could be used as second basis. For photons thequantum communication channel can be either freespace (see Sec. IV.E) or optical fibers—special fibers orthe ones used in standard telecommunications (Sec.III.B). The communication channel is thus not reallyquantum. What is quantum are the information carriers.

FIG. 1. Implementation of the Bennett and Brassard (BB84)protocol. The four states lie on the equator of the Poincaresphere.


Before continuing, we need to see how QC could fitinto existing cryptosystems. For this purpose the nextsection briefly surveys some of the main aspects of mod-ern cryptology.

B. Classical cryptography

Cryptography is the art of rendering a message unin-telligible to any unauthorized party. It is part of thebroader field of cryptology, which also includes cryp-toanalysis, the art of code breaking (for a historical per-spective, see Singh, 1999). To achieve this goal, an algo-rithm (also called a cryptosystem or cipher) is used tocombine a message with some additional information—known as the key—and produce a cryptogram. Thistechnique is known as encryption. For a cryptosystem tobe secure, it should be impossible to unlock the crypto-gram without the key. In practice, this requirement isoften weakened so that the system is just extremely dif-ficult to crack. The idea is that the message should re-main protected at least as long as the information it con-tains is valuable. Although confidentiality is thetraditional application of cryptography, it is used nowa-days to achieve broader objectives, such as authen-tication, digital signatures, and nonrepudiation (Bras-sard, 1988).

1. Asymmetrical (public-key) cryptosystems

Cryptosytems come in two main classes—dependingon whether Alice and Bob use the same key. Asym-metrical systems involve the use of different keys forencryption and decryption. They are commonly knownas public-key cryptosystems. Their principle was firstproposed in 1976 by Whitfield Diffie and Martin Hell-man, who were then at Stanford University. The firstactual implementation was then developed by RonaldRivest, Adi Shamir, and Leonard Adleman of the Mas-sachusetts Institute of Technology in 1978.4 It is knownas RSA and is still widely used. If Bob wants to be ableto receive messages encrypted with a public-key crypto-system, he must first choose a private key, which hekeeps secret. Then he computes from this private key apublic key, which he discloses to any interested party.Alice uses this public key to encrypt her message. Shetransmits the encrypted message to Bob, who decrypts itwith the private key. Public-key cryptosystems are con-venient and have thus become very popular over the last20 years. The security of the Internet, for example, ispartially based on such systems. They can be thought ofas a mailbox in which anybody can insert a letter. Onlythe legitimate owner can then recover it, by opening itwith his private key.

4According to the British Government, public-key cryptogra-phy was originally invented at the Government Communica-tions Headquarters in Cheltenham as early as 1973. For anhistorical account, see, for example, the book by Simon Singh(1999).


The security of public-key cryptosystems is based oncomputational complexity. The idea is to use mathemati-cal objects called one-way functions. By definition, it iseasy to compute the function f(x) given the variable x ,but difficult to reverse the calculation and deduce xfrom f(x). In the context of computational complexity,the word ‘‘difficult’’ means that the time required to per-form a task grows exponentially with the number of bitsin the input, while ‘‘easy’’ means that it grows polynomi-ally. Intuitively, it is easy to understand that it takes onlya few seconds to work out 67371, but it takes muchlonger to find the prime factors of 4757. However, fac-toring has a ‘‘trapdoor,’’ which means that it is easy to dothe calculation in the difficult direction provided thatyou have some additional information. For example, ifyou were told that 67 was one of the prime factors of4757, the calculation would be relatively simple. The se-curity of RSA is actually based on the factorization oflarge integers.

In spite of its elegance, this technique suffers from amajor flaw. It has not been possible yet to prove whetherfactoring is ‘‘difficult’’ or not. This implies that the exis-tence of a fast algorithm for factorization cannot beruled out. In addition, the discovery in 1994 by PeterShor of a polynomial algorithm allowing fast factoriza-tion of integers with a quantum computer casts addi-tional doubt on the nonexistence of a polynomial algo-rithm for classical computers.

Similarly, all public-key cryptosystems rely for theirsecurity on unproven assumptions, which could them-selves be weakened or suppressed by theoretical orpractical advances. So far, no one has proved the exis-tence of any one-way function with a trapdoor. In otherwords, the existence of secure asymmetric cryptosystemsis not proven. This poses a serious threat to these cryp-tosystems.

In a society like ours, where information and securecommunication are of the utmost importance, one can-not tolerate such a threat. For instance, an overnightbreakthrough in mathematics could make electronicmoney instantly worthless. To limit such economic andsocial risks, there is no alternative but to turn to sym-metrical cryptosystems. QC has a role to play in suchalternative systems.

2. Symmetrical (secret-key) cryptosystems

Symmetrical ciphers require the use of a single key forboth encryption and decryption. These systems can bethought of as a safe in which the message is locked byAlice with a key. Bob in turns uses a copy of this key tounlock the safe. The one-time pad, first proposed by Gil-bert Vernam of AT&T in 1926, belongs to this category.In this scheme, Alice encrypts her message, a string ofbits denoted by the binary number m1 , using a ran-domly generated key k . She simply adds each bit of themessage to the corresponding bit of the key to obtainthe scrambled text (s5m1 % k , where % denotes the bi-nary addition modulo 2 without carry). It is then sent toBob, who decrypts the message by subtracting the key


(s*k5m1 % k*k5m1). Because the bits of thescrambled text are as random as those of the key, theydo not contain any information. This cryptosystem isthus provably secure according to information theory(Shannon, 1949). In fact, it is the only provably securecryptosystem known today.

Although perfectly secure, this system has aproblem—it is essential for Alice and Bob to possess acommon secret key, which must be at least as long as themessage itself. They can only use the key for a singleencryption—hence the name ‘‘one-time pad.’’ If theyused the key more than once, Eve could record all of thescrambled messages and start to build up a picture of theplain texts and thus also of the key. (If Eve recorded twodifferent messages encrypted with the same key, shecould add the scrambled texts to obtain the sum of theplain texts: s1 % s25m1 % k % m2 % k5m1 % m2 % k % k5m1 % m2 , where we use the fact that % is commuta-tive.) Furthermore, the key has to be transmitted bysome trusted means, such as a courier, or through a per-sonal meeting between Alice and Bob. This procedurecan be complex and expensive, and may even amount toa loophole in the system.

Because of the problem of distributing long sequencesof key bits, the one-time pad is currently used only forthe most critical applications. The symmetrical crypto-systems in use for routine applications such ase-commerce employ rather short keys. In the case of theData Encryption Standard (also known as DES, pro-moted by the United States’ National Institute of Stan-dards and Technology), a 56-bit key is combined withthe plain text divided into blocks in a rather complicatedway, involving permutations and nonlinear functions toproduce the cipher text blocks (see Stallings, 1999 for adidactic presentation). Other cryptosystems (e.g.,IDEA, The International Data Encryption System, orAES, the Advanced Encryption Standard) follow similarprinciples. Like asymmetrical cryptosystems, they offeronly computational security. However, for a given keylength, symmetrical systems are more secure than theirasymmetrical counterparts.

In practical implementations, asymmetrical algorithmsare used not so much for encryption, because of theirslowness, but rather for distribution of session keys forsymmetrical cryptosystems such as DES. Because the se-curity of those algorithms is not proven (see Sec. II.B.1),the security of the whole implementation can be com-promised. If these algorithms were broken by math-ematical advances, QC would constitute the only way tosolve the key distribution problem.

3. The one-time pad as ‘‘classical teleportation’’

The one-time pad has an interesting characteristic.Assume that Alice wants to transfer to Bob a faithfulcopy of a classical system, without giving any informa-tion to Eve about this system. For this purpose Aliceand Bob have access only to an insecure classical chan-nel. The operation is possible provided they share anarbitrarily long secret key. Indeed, in principle, Alice


can measure the state of her classical system with arbi-trarily high precision and then use the one-time pad tosecurely communicate this information to Bob, who canthen, in principle, reconstruct (a copy of) the classicalsystem. This somewhat artificial use of the one-time padhas an interesting quantum relative (see Sec. II.E).

C. The BB84 protocol

1. Principle

The first protocol for QC was proposed in 1984 byCharles H. Bennett, of IBM and Gilles Brassard, of theUniversity of Montreal, hence the name BB84, as thisprotocol is now known. They presented their work at anIEEE conference in India, quite unnoticed by the phys-ics community at the term. This underscores the needfor collaboration in QC between different communities,with different jargons, habits, and conventions.5 The in-terdisciplinary character of QC is the probable reasonfor its relatively slow start, but it certainly has contrib-uted to the rapid expansion of the field in recent years.

We shall explain the BB84 protocol using the lan-guage of spin 1

2, but clearly any two-level quantum sys-tem would do. The protocol uses four quantum statesthat constitute two bases, for example, the states up u↑&,down u↓&, left u←&, and right u→&. The bases are maxi-mally conjugate in the sense that any pair of vectors, onefrom each basis, has the same overlap, e.g., u^↑u←&u2

5 12 . Conventionally, one attributes the binary value 0 to

states u↑& and u→& and the value 1 to the other twostates, and calls the states qubits (for quantum bits). Inthe first step, Alice sends individual spins to Bob instates chosen at random among the four states (in Fig. 1the spin states u↑& , u↓&, u→&, and u←& are identified asthe polarization states ‘‘horizontal,’’ ‘‘vertical,’’ ‘‘145°,’’and ‘‘245°,’’ respectively). How she ‘‘chooses at ran-dom’’ is a delicate problem in practice (see Sec. III.D),but in principle she could use her free will. The indi-vidual spins could be sent all at once or one after theother (much more practical), the only restriction beingthat Alice and Bob be able to establish a one-to-onecorrespondence between the transmitted and the re-ceived spins. Next, Bob measures the incoming spins inone of the two bases, chosen at random (using arandom-number generator independent from that of Al-ice). At this point, whenever they use the same basis,they get perfectly correlated results. However, wheneverthey use different bases, they get uncorrelated results.Hence, on average, Bob obtains a string of bits with a25% error rate; called the raw key. This error rate is sohigh that standard error correction schemes would fail.But in this protocol, as we shall see, Alice and Bob know

5For instance, it is amusing to note that physicists strive topublish in reputable journals, while conference proceedingsare of secondary importance. For computer scientists, in con-trast, appearance in the proceedings of the best conferences isconsidered more important, while journal publication is sec-ondary.


which bits are perfectly correlated (the ones for whichAlice and Bob used the same basis) and which ones arecompletely uncorrelated (all the other ones). Hence astraightforward error correction scheme is possible: Foreach bit Bob announces publicly in which basis he mea-sured the corresponding qubit (but he does not tell theresult he obtained). Alice then reveals only whether ornot the state in which she encoded that qubit is compat-ible with the basis announced by Bob. If the state iscompatible, they keep the bit; if not, they disregard it. Inthis way about 50% of the bit string is discarded. Thisshorter key obtained after basis reconciliation is calledthe sifted key.6 The fact that Alice and Bob use a publicchannel at some stage of their protocol is very commonin cryptoprotocols. This channel does not have to beconfidential, only authentic. Hence any adversary Evecan listen to all the communication on the public chan-nel, but she cannot modify it. In practice Alice and Bobmay use the same transmission channel to implementboth the quantum and the classical channels.

Note that neither Alice nor Bob can decide which keyresults from the protocol.7 Indeed, it is the conjunctionof both of their random choices that produces the key.

Let us now consider the security of the above idealprotocol (ideal because so far we have not taken intoaccount unavoidable noise in practice, due to technicalimperfections). Assume that some adversary Eve inter-cepts a qubit propagating from Alice to Bob. This is veryeasy, but if Bob does not receive an expected qubit, hewill simply tell Alice to disregard it. Hence Eve onlylowers the bit rate (possibly down to zero), but she doesnot gain any useful information. For real eavesdroppingEve must send a qubit to Bob. Ideally she would like tosend this qubit in its original state, keeping a copy forherself.

2. No-cloning theorem

Following Wootters and Zurek (1982) one can easilyprove that perfect copying is impossible in the quantumworld (see also the anticipatory intuition of Wigner in1961, as well as Dieks, 1982 and Milonni and Hardies,1982). Let c denote the original state of the qubit, ub&the blank copy,8 and u0&PHQCM the initial state of Eve’s‘‘quantum copy machine,’’ where the Hilbert spaceHQCM of the quantum cloning machine is arbitrary. Theideal machine would produce

6This terminology was introduced by Ekert and Huttner in1994.

7Alice and Bob can, however, determine the statistics of thekey.

8ub& corresponds to the stock of white paper in an everydayphotocopy machine. We shall assume that the machine is notempty, a purely theoretical assumption, as is well known.


c ^ ub& ^ u0&→c ^ c ^ ufc&, (3)

where ufc& denotes the final state of Eve’s machine,which might depend on c. Accordingly, using obviousnotations,

u↑ ,b ,0&→u↑ ,↑ ,f↑&, (4)

and

u↓ ,b ,0&→u↓ ,↓ ,f↓&. (5)

By linearity of quantum dynamics it follows that

u→ ,b ,0&51

&~ u↑&1u↓&) ^ ub ,0& (6)

→ 1

&~ u↑ ,↑ ,f↑&1u↓ ,↓ ,f↓&). (7)

But the latter state differs from the ideal copy u→ ,→ ,f→&, whatever the states ufc& are.

Consequently, Eve cannot keep a perfect quantumcopy, because perfect quantum copy machines cannotexist. The possibility of copying classical information isprobably one of the most characteristic features of infor-mation in the everyday sense. The fact that quantumstates, nowadays often called quantum information, can-not be copied is certainly one of the most specific at-tributes that make this new kind of information so dif-ferent and hence so attractive. Actually, this negativecapability clearly has its positive side, since it preventsEve from perfect eavesdropping and hence makes QCpotentially secure.

3. Intercept-resend strategy

We have seen that the eavesdropper needs to send aqubit to Bob while keeping a necessarily imperfect copyfor herself. How imperfect the copy has to be, accordingto quantum theory, is a delicate problem that we shalladdress in Sec. VI. Here, let us develop a simple eaves-dropping strategy, called intercept-resend. This simpleand even practical attack consists of Eve’s measuringeach qubit in one of the two bases, precisely as Bobdoes. Then, she resends to Bob another qubit in thestate corresponding to her measurement result. In abouthalf of the cases, Eve will be lucky and choose the basiscompatible with the state prepared by Alice. In thesecases she resends to Bob a qubit in the correct state, andAlice and Bob will not notice her intervention. How-ever, in the other half of the cases, Eve unluckily usesthe basis incompatible with the state prepared by Alice.This necessarily happens, since Eve has no informationabout Alice’s random-number generator (hence the im-portance of this generator’s being truly random). Inthese cases the qubits sent out by Eve are in states withan overlap of 1

2 with the correct states. Alice and Bobthus discover her intervention in about half of these


cases, since they get uncorrelated results. Altogether, ifEve uses this intercept-resend strategy, she gets 50% in-formation, while Alice and Bob have about a 25% errorrate in their sifted key, i.e., after they eliminate the casesin which they used incompatible states, there is stillabout 25% error. They can thus easily detect the pres-ence of Eve. If, however, Eve applies this strategy toonly a fraction of the communication, say 10%, then theerror rate will be only '2.5%, while Eve’s informationwill be '5%. The next section explains how Alice andBob can counter such attacks.

4. Error correction, privacy amplification, and quantumsecret growing

At this point in the BB84 protocol, Alice and Bobshare a so-called sifted key. But this key contains errors.The errors are caused by technical imperfections, as wellas possibly by Eve’s intervention. Realistic error rates inthe sifted key using today’s technology are of the orderof a few percent. This contrasts strongly with the 1029

error rate typical in optical communication. Of course,the few-percent error rate will be corrected down to thestandard 1029 during the (classical) error correction stepof the protocol. In order to avoid confusion, especiallyamong optical communication specialists, Beat Pernyfrom Swisscom and Paul Townsend, then with BritishTelecommunications (BT), proposed naming the errorrate in the sifted key QBER, for quantum bit error rate,to clearly distinguish it from the bit error rate (BER)used in standard communications.

Such a situation, in which legitimate partners shareclassical information with high but not 100% correlationand with possibly some correlation to a third party, iscommon to all quantum cryptosystems. Actually, it isalso a standard starting point for classical information-based cryptosystems in which one assumes that some-how Alice, Bob, and Eve have random variables a, b,and e, respectively, with a joint probability distributionP(a ,b ,e). Consequently, the last step in a QC protocoluses classical algorithms, first to correct the errors, andthen reduce to Eve’s information on the final key, a pro-cess called privacy amplification.

The first mention of privacy amplification appeared inBennett, Brassard, and Robert (1988). It was then ex-tended in collaboration with C. Crepeau from the Uni-versity of Montreal and U. Maurer of ETH, Zurich, re-spectively (Bennett, Brassard, et al. 1995; see alsoBennett, Bessette, et al., 1992). Interestingly, this workmotivated by QC found applications in standardinformation-based cryptography (Maurer, 1993; Maurerand Wolf, 1999).

Assume that a joint probability distribution P(a ,b ,e)exists. Near the end of this section, we shall comment onthis assumption. Alice and Bob have access only to themarginal distribution P(a ,b). From this and from thelaws of quantum mechanics, they have to deduce con-straints on the complete scenario P(a ,b ,e); in particu-lar they have to bound Eve’s information (see Secs. VI.Eand VI.G). Given P(a ,b ,e), necessary and sufficient


conditions for a positive secret-key rate between Aliceand Bob, S(a ,bie), are not yet known. However, a use-ful lower bound is given by the difference between Aliceand Bob’s mutual Shannon information I(a ,b) andEve’s mutual information (Csiszar and Korner, 1978, andTheorem 1 in Sec. VI.G):

S~a ,bie!>max$I~a ,b!2I~a ,e!,I~a ,b!2I~b ,e!%. (8)

Intuitively, this result states that secure-key distillation(Bennett, Bessette, et al., 1992) is possible wheneverBob has more information than Eve.

The bound (8) is tight if Alice and Bob are restrictedto one-way communication, but for two-way communi-cation, secret-key agreement might be possible evenwhen condition (8) is not satisfied (see Sec. II.C.5).

Without discussing any algorithm in detail, let us offersome idea of how Alice and Bob can establish a secretkey when condition (8) is satisfied. First, once the siftedkey is obtained (i.e., after the bases have been an-nounced), Alice and Bob publicly compare a randomlychosen subset of it. In this way they estimate the errorrate [more generally, they estimate their marginal prob-ability distribution P(a ,b)]. These publicly disclosedbits are then discarded. Next, either condition (8) is notsatisfied and they stop the protocol or condition (8) issatisfied and they use some standard error correctionprotocol to get a shorter key without errors.

With the simplest error correction protocol, Alice ran-domly chooses pairs of bits and announces their XORvalue (i.e., their sum modulo 2). Bob replies either ‘‘ac-cept’’ if he has the same XOR value for his correspond-ing bits, or ‘‘reject’’ if not. In the first case, Alice andBob keep the first bit of the pair and discard the secondone, while in the second case they discard both bits. Inreality, more complex and efficient algorithms are used.

After error correction, Alice and Bob have identicalcopies of a key, but Eve may still have some informationabout it [compatible with condition (8)]. Alice and Bobthus need to reduce Eve’s information to an arbitrarilylow value using some privacy amplification protocols.These classical protocols typically work as follows. Aliceagain randomly chooses pairs of bits and computes theirXOR value. But, in contrast to error correction, shedoes not announce this XOR value. She only announceswhich bits she chose (e.g., bits number 103 and 537).Alice and Bob then replace the two bits by their XORvalue. In this way they shorten their key while keeping iterror free, but if Eve has only partial information on thetwo bits, her information on the XOR value is even less.Assume, for example, that Eve knows only the value ofthe first bit and nothing about the second one. Then shehas no information at all about the XOR value. Also, ifEve knows the value of both bits with 60% probability,then the probability that she correctly guesses the XORvalue is only 0.6210.42552%. This process would haveto be repeated several times; more efficient algorithmsuse larger blocks (Brassard and Salvail, 1994).

The error correction and privacy amplification algo-rithms sketched above are purely classical algorithms.This illustrates that QC is a truly interdisciplinary field.


Actually, the above scenario is incomplete. In this pre-sentation, we have assumed that Eve measures herprobe before Alice and Bob run the error correction andprivacy amplification algorithms, hence that P(a ,b ,e)exists. In practice this is a reasonable assumption, but inprinciple Eve could wait until the end of all the proto-cols and then optimize her measurements accordingly.Such ‘‘delayed-choice eavesdropping strategies’’9 arediscussed in Sec. VI.

It should by now be clear that QC does not provide acomplete solution for all cryptographic purposes.10 Ac-tually, quite the contrary, QC can only be used as acomplement to standard symmetrical cryptosystems. Ac-cordingly, a more precise name for QC is quantum keydistribution, since this is all QC does. Nevertheless, weprefer to keep the well-known terminology, which lendsits name to the title of this review.

Finally, let us emphasize that every key distributionsystem must incorporate some authentication scheme:the two parties must identify themselves. If not, Alicecould actually be communicating directly with Eve. Astraightforward approach is for Alice and Bob initiallyto share a short secret. Then QC provides them with alonger one and they each keep a small portion for au-thentication at the next session (Bennett, Bessette, et al.,1992). From this perspective, QC is a quantum secret-growing protocol.

5. Advantage distillation

QC has motivated and still motivates research in clas-sical information theory. The best-known example isprobably the development of privacy amplification algo-rithms (Bennett et al., 1988, 1995). This in turn led to thedevelopment of new cryptosystems based on weak butclassical signals, emitted for instance by satellites (Mau-rer, 1993).11 These new developments required secret-key agreement protocols that could be used even whencondition (8) did not apply. Such protocols, called ad-vantage distillation, necessarily use two-way communica-tion and are much less efficient than privacy amplifica-tion. Usually, they are not considered in the literature onQC, but conceptually they are remarkable from at leasttwo points of view. First, it is somewhat surprising thatsecret-key agreement is possible even if Alice and Bobstart with less mutual (Shannon) information than Eve.They can take advantage of the authenticated public

9Note, however, that Eve has to choose the interaction be-tween her probe and the qubits before the public discussionphase of the protocol.

10For a while it was thought that bit commitment (see, forexample, Brassard, 1988), a powerful primitive in cryptology,could be realized using quantum principles. However, DominicMayers (1996a, 1997) and Lo and Chau (1998) proved it to beimpossible (see also Brassard et al., 1998).

11Note that here confidentiality is not guaranteed by the lawsof physics, but relies on the assumption that Eve’s technologyis limited, e.g., her antenna is finite, and her detectors havelimited efficiencies.


channel to decide which series of realizations to keep,whereas Eve cannot influence this process12 (Maurer,1993; Maurer and Wolf, 1999).

Recently, a second remarkable feature of advantagedistillation, connecting quantum and classical secret-keyagreement, has been discovered (assuming one uses theEkert protocol described in Sec. II.D.3): If Eve follows astrategy that optimizes her Shannon information, underthe assumption that she attacks the qubits one at a time(the so-called individual attack; see Sec. VI.E), then Al-ice and Bob can use advantage distillation if and only ifAlice and Bob’s qubits are still entangled (they can thususe quantum privacy amplification; Deutsch et al., 1996;Gisin and Wolf, 1999). This connection between the con-cept of entanglement, central to quantum informationtheory, and the concept of intrinsic classical information,central to classical information-based cryptography(Maurer and Wolf, 1999), has been shown to be general(Gisin and Wolf, 2000). The connection seems to extendeven to bound entanglement (Gisin et al., 2000).

D. Other protocols

1. Two-state protocol

In 1992 Bennett noticed that four states are more thanare really necessary for QC: only two nonorthogonalstates are needed. Indeed the security of QC relies onthe inability of an adversary to distinguish unambigu-ously and without perturbation between the differentstates that Alice may send to Bob; hence two states arenecessary, and if they are incompatible (i.e., not mutu-ally orthogonal), then two states are also sufficient (Ben-nett, 1992). This is a conceptually important clarifica-tion. It also made several of the first experimentaldemonstrations easier (as is discussed further in Sec.IV.D). But in practice, it is not a good solution. Indeed,although two nonorthogonal states cannot be distin-guished unambiguously without perturbation, one canunambiguously distinguish between them at the cost ofsome losses (Ivanovic, 1987; Peres, 1988). This possibil-ity has been demonstrated in practice (Huttner, Gautier,et al., 1996; Clarke et al., 2000). Alice and Bob wouldhave to monitor the attenuation of the quantum channel(and even this would not be entirely safe if Eve wereable to replace the channel by a more transparent one;see Sec. VI.H). The two-state protocol can also beimplemented using interference between a macroscopic

12The idea is that Alice picks out several instances in whichshe got the same bit and communicates the instances—but notthe bit—to Bob. Bob replies yes only if it happens that for allthese instances he also has the same bit value. For high errorrates this is unlikely, but when it does happen there is a highprobability that both have the same bit. Eve cannot influencethe choice of the instances. All she can do is use a majorityvote for the cases accepted by Bob. The probability that Evemakes an error can be much higher than the probability thatBob makes an error (i.e., that all his instances are wrong), evenif Eve has more initial information than Bob.


bright pulse and a dim pulse with less than one photonon average (Bennett, 1992). The presence of the brightpulse makes this protocol especially resistant to eaves-dropping, even in settings with high attenuation. Bobcan monitor the bright pulses to make sure that Evedoes not remove any. In this case, Eve cannot eliminatethe dim pulse without revealing her presence, becausethe interference of the bright pulse with vacuum wouldintroduce errors. A practical implementation of this so-called 892 protocol is discussed in Sec. IV.D. Huttneret al. extended this reference-beam monitoring to thefour-state protocol in 1995.

2. Six-state protocol

While two states are enough and four states are stan-dard, a six-state protocol better respects the symmetryof the qubit state space; see Fig. 2 (Bruss, 1998;Bechmann-Pasquinucci and Gisin, 1999). The six statesconstitute three bases, hence the probability that Aliceand Bob choose the same basis is only 1

3, but the sym-metry of this protocol greatly simplifies the securityanalysis and reduces Eve’s optimal information gain fora given error rate QBER. If Eve measures every photon,the QBER is 33%, compared to 25% in the case of theBB84 protocol.

3. Einstein-Podolsky-Rosen protocol

This variation of the BB84 protocol is of special con-ceptual, historical, and practical interest. The idea is dueto Artur Ekert (1991) of Oxford University, who, whileelaborating on a suggestion of David Deutsch (1985),discovered QC independently of the BB84 paper. Intel-lectually, it is very satisfying to see this direct connectionto the famous EPR paradox (Einstein, Podolski, andRosen, 1935): the initially philosophical debate turned totheoretical physics with Bell’s inequality (1964), then toexperimental physics (Freedmann and Clauser, 1972; Fryand Thompson, 1976; Aspect et al., 1982), and is now—thanks to Ekert’s ingenious idea—part of applied phys-ics.

The idea consists in replacing the quantum channelcarrying two qubits from Alice to Bob by a channel car-rying two qubits from a common source, one qubit to

FIG. 2. Poincare sphere with a representation of six states thatcan be used to implement the generalization of the BB84 pro-tocol.


Alice and one to Bob. A first possibility would be thatthe source always emits the two qubits in the same statechosen randomly among the four states of the BB84 pro-tocol. Alice and Bob would then both measure their qu-bit in one of the two bases, again chosen independentlyand randomly. The source then announces the bases,and Alice and Bob keep the data only when they hap-pen to have made their measurements in the compatiblebasis. If the source is reliable, this protocol is equivalentto that of BB84: It is as if the qubit propagates back-wards in time from Alice to the source, and then for-ward to Bob. But better than trusting the source, whichcould be in Eve’s hand, the Ekert protocol assumes thatthe two qubits are emitted in a maximally entangledstate like

f151

&~ u↑ ,↑&1u↓ ,↓&). (9)

Then, when Alice and Bob happen to use the same ba-sis, either the x basis or the y basis, i.e., in about half ofthe cases, their results are identical, providing them witha common key. Note the similarity between the one-qubit BB84 protocol illustrated in Fig. 1 and the two-qubit Ekert protocol of Fig. 3. The analogy can be madeeven stronger by noting that for all unitary evolutionsU1 and U2 , the following equality holds:

U1 ^ U2F(1)51^ U2U1t F(1), (10)

where U1t denotes the transpose.

In his 1991 paper Ekert suggested basing the securityof this two-qubit protocol on Bell’s inequality, an in-equality which demonstrates that some correlations pre-dicted by quantum mechanics cannot be reproduced byany local theory (Bell, 1964). To do this, Alice and Bobcan use a third basis (see Fig. 4). In this way the prob-ability that they might happen to choose the same basisis reduced from 1

2 to 29, but at the same time as they

establish a key, they collect enough data to test Bell’sinequality.13 They can thus check that the source reallyemits the entangled state (9) and not merely productstates. The following year Bennett, Brassard, and Mer-min (1992) criticized Ekert’s letter, arguing that the vio-lation of Bell’s inequality is not necessary for the secu-

13A maximal violation of Bell’s inequality is necessary to ruleout tampering by Eve. In this case, the QBER must necessarilybe equal to zero. With a nonmaximal violation, as typicallyobtained in experimental systems, Alice and Bob can distill asecure key using error correction and privacy amplification.

FIG. 3. Einstein-Podolsky-Rosen (EPR) protocol, with thesource and a Poincare representation of the four possiblestates measured independently by Alice and Bob.


rity of QC and emphasizing the close connectionbetween the Ekert and the BB84 schemes. This criticismmight be missing an important point. Although the exactrelation between security and Bell’s inequality is not yetfully known, there are clear results establishing fascinat-ing connections (see Sec. VI.F). In October 1992, an ar-ticle by Bennett, Brassard, and Ekert demonstrated thatthe founding fathers of QC were able to join forcesto develop the field in a pleasant atmosphere (Bennett,Brassard, and Ekert, 1992).

4. Other variations

There is a large collection of variations on the BB84protocol. Let us mention a few, chosen somewhat arbi-trarily. First, one can assume that the two bases are notchosen with equal probability (Ardehali et al., 1998).This has the nice consequence that the probability thatAlice and Bob choose the same basis is greater than 1

2,thus increasing the transmission rate of the sifted key.However, this protocol makes Eve’s job easier, as she ismore likely to guess correctly the basis that was used.Consequently, it is not clear whether the final key rate,after error correction and privacy amplification, ishigher or not.

Another variation consists in using quantum systemsof dimension greater than 2 (Bechmann-Pasquinucciand Peres, 2000; Bechmann-Pasquinucci and Tittel,2000; Bourennane, Karlsson, and Bjorn, 2001). Again,the practical value of this idea has not yet been fullydetermined.

A third variation worth mentioning is due to Golden-berg and Vaidman of Tel Aviv University (1995). Theysuggested preparing the qubits in a superposition of twospatially separated states, then sending one componentof this superposition and waiting until Bob receives itbefore sending the second component. This does not

FIG. 4. Illustration of protocols exploiting EPR quantum sys-tems. To implement the BB84 quantum cryptographic proto-col, Alice and Bob use the same bases to prepare and measuretheir particles. A representation of their states on the Poincaresphere is shown. A similar setup, but with Bob’s bases rotatedby 45°, can be used to test the violation of Bell’s inequality.Finally, in the Ekert protocol, Alice and Bob may use the vio-lation of Bell’s inequality to test for eavesdropping.


sound of great practical value, but has the nice concep-tual feature that the minimal two states do not need tobe mutually orthogonal.

E. Quantum teleportation as a ‘‘quantum one-time pad’’

Since its discovery in 1993 by a surprisingly largegroup of physicists, quantum teleportation (Bennettet al., 1993) has received much attention from both thescientific community and the general public. The dreamof beaming travelers through the universe is exciting,but completely out of the realm of any foreseeable tech-nology. However, quantum teleportation can be seen asthe fully quantum version of the one-time pad (see Sec.II.B.3), hence as the ultimate form of QC. As in ‘‘classi-cal teleportation,’’ let us assume that Alice aims to trans-fer a faithful copy of a quantum system to Bob. If Alicehas full knowledge of the quantum state, the problem isnot really a quantum one (Alice’s information is classi-cal). If, on the other hand, Alice does not know thequantum state, she cannot send a copy, since quantumcopying is impossible according to quantum physics (seeSec. II.C.2). Nor can she send classical instructions, sincethis would allow the production of many copies. How-ever, if Alice and Bob share arbitrarily many entangledqubits, sometimes called a quantum key, and share aclassical communication channel, then the quantum tele-portation protocol provides them with a means of trans-ferring the quantum state of the system from Alice toBob. In the course of running this protocol, Alice’squantum system is destroyed without Alice’s havinglearned anything about the quantum state, while Bob’squbit ends in a state isomorphic to the state of the origi-nal system (but Bob does not learn anything about thequantum state). If the initial quantum system is a quan-tum message coded in the form of a sequence of qubits,then this quantum message is faithfully and securelytransferred to Bob, without any information leaking tothe outside world (i.e., to anyone not sharing the priorentanglement with Alice and Bob). Finally, the quantummessage could be formed of a four-letter quantum al-phabet consisting of the four states of the BB84 proto-col. With futuristic but not impossible technology, Aliceand Bob could keep their entangled qubits in their re-spective wallets and could enjoy totally secure commu-nication at any time, without even having to know wherethe other is located (provided they can communicateclassically).

F. Optical amplification, quantum nondemolitionmeasurements, and optimal quantum cloning

After almost every general talk on QC, two questionsarise: What about optical amplifiers? and What aboutquantum nondemolition measurements? In this sectionwe briefly address these questions.

Let us start with the second one, as it is the easiest.The term ‘‘quantum nondemolition measurement’’ issimply confusing. There is nothing like a quantum mea-surement that does not perturb (i.e., modify) the quan-


tum state, except if the state happens to be an eigenstateof the observable. Hence, if for some reason one conjec-tures that a quantum system is in some state (or in astate among a set of mutually orthogonal ones), one canin principle test this conjecture repeatedly (Braginskyand Khalili, 1992). However, if the state is only restrictedto be in a finite set containing nonorthogonal states, asin QC, then there is no way to perform a measurementwithout ‘‘demolishing’’ (perturbing) the state. Now, inQC the term ‘‘nondemolition measurement’’ is also usedwith a different meaning: one measures the number ofphotons in a pulse without affecting the degree of free-dom coding the qubit (e.g., the polarization; see Sec.VI.H), or one detects the presence of a photon withoutdestroying it (Nogues et al., 1999). Such measurementsare usually called ideal measurements, or projective mea-surements, because they produce the least possible per-turbation (Piron, 1990) and because they can be repre-sented by projectors. It is important to stress that these‘‘ideal measurements’’ do not invalidate the security ofQC.

Let us now consider optical amplifiers (a laser me-dium, but without mirrors, so that amplification takesplace in a single pass; see Desurvire, 1994). They arewidely used in today’s optical communication networks.However, they are of no use for quantum communica-tion. Indeed, as seen in Sec. II.C, the copying of quan-tum information is impossible. Here we illustrate thischaracteristic of quantum information by the example ofoptical amplifiers: the necessary presence of spontane-ous emission whenever there is stimulated emission pre-vents perfect copying. Let us clarify this important andoften confusing point, following the work of Simon et al.(1999, 2000; see also De Martini et al., 2000 and Kempeet al., 2000). Let the two basic qubit states u0& and u1& bephysically implemented by two optical modes:u0&[u1,0& and u1&[u0,1&. Thus un ,m&ph ^ uk ,l&a denotesthe state of n photons in mode 1 and m photons in mode2, while k ,l50(1) denotes the ground (or excited) stateof two-level atoms coupled to mode 1 or 2, respectively.Hence spontaneous emission corresponds to

u0,0&ph ^ u1,0&a→u1,0&ph ^ u0,0&a , (11)

u0,0&ph ^ u0,1&a→u0,1&ph ^ u0,0&a , (12)

and stimulated emission to

u1,0&ph ^ u1,0&a→&u2,0&ph ^ u0,0&a , (13)

u0,1&ph ^ u0,1&a→&u0,2&ph ^ u0,0&a , (14)

where the factor of & takes into account the ratio ofstimulated to spontaneous emission. Let the initial stateof the atom be a mixture of the following two states,each with equal (50%) weight:

u0,1&a and u1,0&a . (15)

By symmetry, it suffices to consider one possible initialstate of the qubit, e.g., one photon in the first modeu1,0&ph . The initial state of the photon1atom system isthus a mixture:


u1,0&ph ^ u1,0&a or u1,0&ph ^ u0,1&a . (16)

This corresponds to the first-order term in an evolutionwith a Hamiltonian (in the interaction picture): H5x(a1

†s121a1s1

†1a2†s2

21a2s2†). After some time the

two-photon component of the evolved states becomes

&u2,0&ph ^ u0,0&a or u1,1&ph ^ u0,0&a . (17)

The correspondence with a pair of spin 12 goes as fol-

lows:

u2,0&5u↑↑&, u0,2&5u↓↓&, (18)

u1,1&ph5c(1)51

&~ u↑↓&1u↓↑&). (19)

Tracing over the amplifier (i.e., the two-level atom), an(ideal) amplifier achieves the following transformation:

P↑→2P↑↑1Pc(1), (20)

where the P’s indicate projectors (i.e., pure-state densitymatrices) and the lack of normalization results from thefirst-order expansion used in Eqs. (11)–(14). Accord-ingly, after normalization, each photon is in the state

Tr12ph modeS 2P↑↑1Pc(1)

3 D52P↑1 1

2 1

3. (21)

The corresponding fidelity is

F521 1

2

35

56

, (22)

which is precisely the optimal fidelity compatible withquantum mechanics (Buzek and Hillery, 1996; Gisin andMassar, 1997; Bruss et al., 1998). In other words, if westart with a single photon in an arbitrary state and pass itthrough an amplifier, then due to the effect of spontane-ous emission the fidelity of the state exiting the ampli-fier, when it consists of exactly two photons, with theinitial state will be equal to at most 5/6. Note that if itwere possible to make better copies, then signaling atarbitrarily fast speed, using EPR correlations betweenspatially separated systems, would also be possible (Gi-sin, 1998).

III. TECHNOLOGICAL CHALLENGES

The very first demonstration of QC was a table-topexperiment performed at the IBM laboratory in theearly 1990s over a distance of 30 cm (Bennett, Bessette,et al., 1992), marking the start of a series of impressiveexperimental improvements over the past few years.The 30-cm distance is of little practical interest. Eitherthe distance should be even shorter [think of a creditcard and an ATM machine (Huttner, Imoto, and Bar-nett, 1996), in which case all of Alice’s componentsshould fit on the credit card—a nice idea, but still im-practical with present technology] or the distance shouldbe much longer, at least in the kilometer range. Most ofthe research so far uses optical fibers to guide the pho-tons from Alice to Bob, and we shall mainly concentrate


on such systems here. There is also, however, some verysignificant research on free-space systems (see Sec.IV.E).

Once the medium has been chosen, there remain thequestions of the source and detectors. Since they have tobe compatible, the crucial choice is that of the wave-length. There are two main possibilities. Either onechooses a wavelength around 800 nm, for which efficientphoton counters are commercially available, or onechooses a wavelength compatible with today’s telecom-munications optical fibers, i.e., near 1300 or 1550 nm.The first choice requires free-space transmission or theuse of special fibers, hence the installed telecommunica-tions networks cannot be used. The second choice re-quires the improvement or development of new detec-tors, not based on silicon semiconductors, which aretransparent above a wavelength of 1000 nm.

In the case of transmission using optical fibers, it isstill unclear which of the two alternatives will turn out tobe the best choice. If QC finds niche markets, it is con-ceivable that special fibers will be installed for that pur-pose. But it is equally conceivable that new commercialdetectors will soon make it much easier to detect singlephotons at telecommunications wavelengths. Actually,the latter possibility is very likely, as several researchgroups and industries are already working on it. There isanother good reason to bet on this solution: the qualityof telecommunications fibers is much higher than that ofany special fiber; in particular, the attenuation is muchlower (this is why the telecommunications industrychose these wavelengths): at 800 nm, the attenuation isabout 2 dB/km (i.e., half the photons are lost after 1.5km), while it is only of the order of 0.35 and 0.20 dB/kmat 1300 and 1550 nm, respectively (50% loss after about9 and 15 km).14

In the case of free-space transmission, the choice ofwavelength is straightforward, since the region wheregood photon detectors exist—around 800 nm—coincideswith that where absorption is low. However, free-spacetransmission is restricted to line-of-sight links and is veryweather dependent.

In the next sections we successively consider the ques-tions of how to produce single photons (Sec. III.A), howto transmit them (Sec. III.B), how to detect single pho-tons (Sec. III.C), and finally how to exploit the intrinsicrandomness of quantum processes to build random gen-erators (Sec. III.D).

A. Photon sources

Optical quantum cryptography is based on the use ofsingle-photon Fock states. Unfortunately, these statesare difficult to realize experimentally. Nowadays, practi-cal implementations rely on faint laser pulses or en-tangled photon pairs, in which both the photon and thephoton-pair number distribution obey Poisson statistics.

14The losses in dB (ldb) can be calculated from the losses inpercent (l%): ldB5210 log10@12 (l% /100)# .


Hence both possibilities suffer from a small probabilityof generating more than one photon or photon pair atthe same time. For large losses in the quantum channel,even small fractions of these multiphotons can have im-portant consequences on the security of the key (seeSec. VI.H), leading to interest in ‘‘photon guns’’; see Sec.III.A.3). In this section we briefly comment on sourcesbased on faint pulses as well as on entangled photonpairs, and we compare their advantages and drawbacks.

1. Faint laser pulses

There is a very simple solution to approximate single-photon Fock states: coherent states with an ultralowmean photon number m. They can easily be realized us-ing only standard semiconductor lasers and calibratedattenuators. The probability of finding n photons in sucha coherent state follows the Poisson statistics:

P~n ,m!5mn

n!e2m . (23)

Accordingly, the probability that a nonempty weak co-herent pulse contains more than one photon,

P~n.1un.0,m!512P~0,m!2P~1,m!

12P~0,m!

512e2m~11m!

12e2m >m

2, (24)

can be made arbitrarily small. Weak pulses are thus ex-tremely practical and have indeed been used in the vastmajority of experiments. However, they have one majordrawback. When m is small, most pulses are empty:P(n50)'12m . In principle, the resulting decrease inbit rate could be compensated for thanks to the achiev-able gigahertz modulation rates of telecommunicationslasers. But in practice, the problem comes from the de-tectors’ dark counts (i.e., a click without a photon’s ar-riving). Indeed, the detectors must be active for allpulses, including the empty ones. Hence the total darkcounts increase with the laser’s modulation rate, and theratio of detected photons to dark counts (i.e., the signal-to-noise ratio) decreases with m (see Sec. IV.A). Theproblem is especially severe for longer wavelengths, atwhich photon detectors based on indium gallium ar-senide semiconductors (InGaAs) are needed (see Sec.III.C), since the noise of these detectors explodes if theyare opened too frequently (in practice with a rate largerthan a few megahertz). This prevents the use of reallylow photon numbers, smaller than approximately 1%.Most experiments to date have relied on m50.1, mean-ing that 5% of the nonempty pulses contain more thanone photon. However, it is important to stress that, aspointed out by Lutkenhaus (2000), there is an optimal m


depending on the transmission losses.15 After key distil-lation, the security is just as good with faint laser pulsesas with Fock states. The price to pay for using suchstates is a reduction of the bit rate.

2. Photon pairs generated by parametric downconversion

Another way to create pseudo-single-photon states isthe generation of photon pairs and the use of one pho-ton as a trigger for the other one (Hong and Mandel,1986). In contrast to the sources discussed earlier, thesecond detector must be activated only whenever thefirst one has detected a photon, hence when m51, andnot whenever a pump pulse has been emitted, thereforecircumventing the problem of empty pulses.

The photon pairs are generated by spontaneous para-metric downconversion in a x(2) nonlinear crystal.16 Inthis process, the inverse of the well-known frequencydoubling, one photon spontaneously splits into twodaughter photons—traditionally called signal and idlerphotons—conserving total energy and momentum. Inthis context, momentum conservation is called phasematching and can be achieved despite chromatic disper-sion by exploiting the birefringence of the nonlinearcrystal. Phase matching allows one to choose the wave-length and determines the bandwidth of the downcon-verted photons. The latter is in general rather large andvaries from a few nanometers up to some tens of na-nometers. For the nondegenerate case one typically getsa bandwith of 5–10 nm, whereas in the degenerate case(where the central frequency of both photons is equal),the bandwidth can be as large as 70 nm.

This photon-pair creation process is very inefficient;typically it takes some 1010 pump photons to create onepair in a given mode.17 The number of photon pairs permode is thermally distributed within the coherence timeof the photons and follows a Poissonian distribution forlarger time windows (Walls and Milburn, 1995). With apump power of 1 mW, about 106 pairs per second can becollected in single-mode fibers. Accordingly, in a timewindow of roughly 1 ns, the conditional probability offinding a second pair, having already detected one, is10631029'0.1%. In the case of continuous pumping,this time window is given by the detector resolution. Tol-erating, for example, 1% of these multipair events, onecan generate 107 pairs per second using a realistic

15Contrary to a frequent misconception, there is nothing spe-cial about a m value of 0.1, even though it has been selected bymost experimentalists. The optimal value—i.e., the value thatyields the highest key exchange rate after distillation—depends on the optical losses in the channel and on assump-tions about Eve’s technology (see Secs. VI.H and VI.I).

16For a review see Rarity and Tapster (1988), and for morerecent developments see Kwiat et al. (1999), Tittel et al.(1999), Jennewein, Simon, et al. (2000), and Tanzilli et al.(2001).

17Recently we achieved a conversion rate of 1026 using anoptical waveguide in a periodically poled LiNbO3 crystal (Tan-zilli et al., 2001).


10-mW pump. To detect, for example, 10% of the triggerphotons, the second detector has to be activated 106

times per second. In comparison, the example of 1% ofmultiphoton events corresponds in the case of faint laserpulses to a mean photon number of m50.02. In order toget the same number (106) of nonempty pulses per sec-ond, a pulse rate of 50 MHz is needed. For a given pho-ton statistics, photon pairs thus allow one to work withlower pulse rates (e.g., 50 times lower) and hence re-duced detector-induced errors. However, due to limitedcoupling efficiency in optical fibers, the probability offinding the sister photon after detection of the triggerphoton in the respective fiber is in practice less than 1.This means that the effective photon number is not 1 butrather m'2/3 (Ribordy et al., 2001), still well above m50.02.

Photon pairs generated by parametric downconver-sion offer a further major advantage if they are notmerely used as a pseudo-single-photon source, but iftheir entanglement is exploited. Entanglement leads toquantum correlations that can be used for key genera-tion (see Secs. II.D.3 and V). In this case, if two photonpairs are emitted within the same time window but theirmeasurement basis is chosen independently, they pro-duce completely uncorrelated results. Hence, dependingon the realization, the problem of multiple photons canbe avoided; see Sec. VI.J.

Figure 5 shows one of our sources creating entangledphoton pairs at a wavelength of 1310 nm, as used in testsof Bell’s inequalities over 10 kilometers (Tittel et al.,1998). Although not as simple as faint laser sources,diode-pumped photon-pair sources emitting in the nearinfrared can be made compact, robust, and rather handy.

FIG. 5. Photo of our entangled photon-pair source as used inthe first long-distance test of Bell’s inequalities (Tittel et al.,1998). Note that the whole source fits into a box only 40345315 cm3 in size and that neither a special power supply norwater cooling is necessary.


3. Photon guns

The ideal single-photon source is a device that, whenone pulls the trigger, and only then, emits one and onlyone photon. Hence the name photon gun. Althoughphoton antibunching was first demonstrated years ago(Kimble et al., 1977), a practical and handy device is stillawaited. At present, there are essentially three differentexperimental approaches that more or less come close tothis ideal.

A first idea is to work with a single two-level quantumsystem that obviously cannot emit two photons at atime. The manipulation of single trapped atoms or ionsrequires a much too involved technical effort. Single or-ganic dye molecules in solvents (Kitson et al., 1998) orsolids (Brunel et al., 1999; Fleury et al., 2000) are easierto handle but offer only limited stability at room tem-perature. A promising candidate, however, is thenitrogen-vacancy center in diamond, a substitutional ni-trogen atom with a vacancy trapped at an adjacent lat-tice position (Brouri et al., 2000; Kurtsiefer et al., 2000).It is possible to excite individual nitrogen atoms with a532-nm laser beam, which will subsequently emit a fluo-rescence photon around 700 nm (12-ns decay time). Thefluorescence exhibits strong photon antibunching, andthe samples are stable at room temperature. However,the big remaining experimental challenge is to increasethe collection efficiency (currently about 0.1%) in orderto obtain mean photon numbers close to 1. To obtainthis efficiency, an optical cavity or a photonic band-gapstructure must suppress emission in all spatial modes butone. In addition, the spectral bandwidth of this type ofsource is broad (on the order of 100 nm), enhancing theeffect of perturbations in a quantum channel.

A second approach is to generate photons by singleelectrons in a mesoscopic p-n junction. The idea is toprofit from the fact that thermal electrons show anti-bunching (the Pauli exclusion principle) in contrast tophotons (Imamoglu and Yamamoto, 1994). The first ex-perimental results have been presented (Kim et al.,1999), but with extremely low efficiencies and only at atemperature of 50 mK!

Finally, another approach is to use the photon emis-sion of electron-hole pairs in a semiconductor quantumdot. The frequency of the emitted photon depends onthe number of electron-hole pairs present in the dot.After one creates several such pairs by optical pumping,they will sequentially recombine and hence emit pho-tons at different frequencies. Therefore, a single-photonpulse can be obtained by spectral filtering (Gerard et al.,1999; Michler et al., 2000; Santori et al., 2000). Thesedots can be integrated in solid-state microcavities withstrong enhancements of spontaneous emission (Gerardet al., 1998).

In summary, today’s photon guns are still too compli-cated to be used in a QC prototype. Moreover, due totheir low quantum efficiencies, they do not offer an ad-vantage over faint laser pulses with extremely low meanphoton numbers m.


B. Quantum channels

The single-photon source and the detectors must beconnected by a ‘‘quantum channel.’’ Such a channel isnot especially quantum, except that it is intended tocarry information encoded in individual quantum sys-tems. Here ‘‘individual’’ does not mean ‘‘nondecom-posible,’’ but only the opposite of ‘‘ensemble.’’ The ideais that the information is coded in a physical system onlyonce, in contrast to classical communication, in whichmany photons carry the same information. Note that thepresent-day limit for fiber-based classical optical com-munication is already down to a few tens of photons,although in practice one usually uses many more. Withincreasing bit rate and limited mean power—imposed toavoid nonlinear effects in silica fibers—these figures arelikely to get closer and closer to the quantum domain.

Individual quantum systems are usually two-level sys-tems, called qubits. During their propagation they mustbe protected from environmental noise. Here ‘‘environ-ment’’ refers to everything outside the degree of free-dom used for the encoding, which is not necessarily out-side the physical system. If, for example, the informationis encoded in the polarization state, then the optical fre-quencies of the photon are part of the environment.Hence coupling between the polarization and the opticalfrequency has to be mastered18 (e.g., by avoiding wave-length-sensitive polarizers and birefringence). Moreover,the sender of the qubits should avoid any correlationbetween the polarization and the spectrum of the pho-tons.

Another difficulty is that the bases used by Alice tocode the qubits and the bases used by Bob for his mea-surements must be related by a known and stable uni-tary transformation. Once this unitary transformation isknown, Alice and Bob can compensate for it and get theexpected correlation between their preparations andmeasurements. If it changes with time, they need activefeedback to track it, and if the changes are too fast, thecommunication must be interrupted.

1. Single-mode fibers

Light is guided in optical fibers thanks to the refrac-tive index profile n(x ,y) across the section of the fibers(traditionally, the z axis is along the propagation direc-tion). Over the last 25 years, a lot of effort has gone intoreducing transmission losses—initially several dB perkm—and today the attenuation is as low as 2 dB/km at800-nm wavelength, 0.35 dB/km at 1310 nm, and 0.2dB/km at 1550 nm (see Fig. 6). It is amusing to note thatthe dynamical equation describing optical pulse propa-gation (in the usual slowly varying envelope aproxima-tion) is identical to the Schrodinger equation, withV(x ,y)52n(x ,y) (Snyder, 1983). Hence a positivebump in the refractive index corresponds to a potentialwell. The region of the well is called the fiber core. If the

18Note that, as we shall see in Sec. V, using entangled photonsprevents such information leakage.


core is large, many bound modes exist, corresponding tomany guided modes in the fiber. Such fibers are calledmultimode fibers, They usually have cores 50 mm in di-ameter. The modes couple easily, acting on the qubit likea nonisolated environment. Hence multimode fibers arenot appropriate as quantum channels (see, however,Townsend, 1998a, 1998b). If, however, the core is smallenough (diameter of the order of a few wavelengths),then a single spatial mode is guided. Such fibers arecalled single-mode fibers. For telecommunications wave-lengths (i.e., 1.3 and 1.5 mm), their core is typically 8 mmin diameter. Single-mode fibers are very well suited tocarry single quanta. For example, the optical phase atthe output of a fiber is in a stable relation with the phaseat the input, provided the fiber does not become elon-gated. Hence fiber interferometers are very stable, a factexploited in many instruments and sensors (see, for ex-ample, Cancellieri, 1993).

Accordingly, a single-mode fiber with perfect cylindricsymmetry would provide an ideal quantum channel. Butall real fibers have some asymmetries, so that the twopolarization modes are no longer degenerate, but rathereach has its own propagation constant. A similar effectis caused by chromatic dispersion, in which the groupdelay depends on the wavelength. Both dispersion ef-fects are the subject of the next subsections.

2. Polarization effects in single-mode fibers

Polarization effects in single-mode fibers are a com-mon source of problems in all optical communicationschemes, classical as well as quantum ones. In recentyears these effects have been the subject of a major re-search effort in classical optical communication (Gisinet al., 1995). As a result, today’s fibers are much betterthan the fibers of a decade ago. Today, the remainingbirefringence is small enough for the telecommunica-tions industry, but for quantum communication any

FIG. 6. Transmission losses vs wavelength in optical fibers.Electronic transitions in SiO2 lead to absorption at lowerwavelengths, and excitation of vibrational modes leads tolosses at higher wavelengths. Superposed is the absorption dueto Rayleigh backscattering and to transitions in OH groups.Modern telecommunications are based on wavelengths around1.3 mm (the second telecommunications window) and 1.5 mm(the third telecommunications window).


birefringence, even extremely small, will always remaina concern. All fiber-based implementations of QC haveto face this problem. This is clearly true for polarization-based systems, but it is equally a concern for phase-based systems, since interference visibility depends onthe polarization states. Hence, although polarization ef-fects are not the only source of difficulties, we shall de-scribe them in some detail, distinguishing among foureffects: the geometric phase, birefringence, polarizationmode dispersion, and polarization-dependent losses.

The geometric phase as encountered when guidinglight in an optical fiber is a special case of the Berryphase,19 which results when any parameter describing aproperty of the system under concern, here the k vectorcharacterizing the propagation of the light field, under-goes an adiabatic change. Think first of a linear polar-ization state, let us say vertical at the input. Will it stillbe vertical at the output? Vertical with respect to what?Certainly not the gravitational field! One can follow thatlinear polarization by hand along the fiber and see howit may change even along a closed loop. If the loop staysin a plane, the state after a loop coincides with the inputstate, but if the loop explores the three dimensions ofour space, then the final state will differ from the initialone by an angle. Similar reasoning holds for the axes ofelliptical polarization states. The two circular polariza-tion states are the eigenstates. During parallel transportthey acquire opposite phases, called the Berry phases.The presence of a geometrical phase is not fatal forquantum communication. It simply means that initiallyAlice and Bob have to align their systems by defining,for instance, the vertical and diagonal directions (i.e.,performing the unitary transformation mentioned be-fore). If these vary slowly, they can be tracked, thoughthis requires active feedback. However, if the variationsare too fast, the communication might be interrupted.Hence aerial cables that swing in the wind are not ap-propriate (except with self-compensating configurations;see Sec. IV.C.2).

Birefringence is the presence of two different phasevelocities for two orthogonal polarization states. It iscaused by asymmetries in the fiber geometry and in theresidual stress distribution inside and around the core.Some fibers are made birefringent on purpose. Such fi-bers are called polarization-maintaining fibers becausethe birefringence is large enough to effectively uncouplethe two polarization eigenmodes. Note that only thesetwo orthogonal polarization modes are maintained; allother modes, in contrast, evolve very quickly, makingthis kind of fiber completely unsuitable for polarization-

19The Berry phase was introduced by Michael Berry in 1984,and was then observed in optical fiber by Tomita and Chiao(1986) and on the single-photon level by Hariharan et al.(1993). It was studied in connection with photon pairs by Bren-del et al. (1995).


based QC systems.20 The global effect of the birefrin-gence is equivalent to an arbitrary combination of twowaveplates; that is, it corresponds to a unitary transfor-mation. If this transformation is stable, Alice and Bobcan compensate for it. The effect of birefringence is thussimilar to the effect of the geometric phase, though, inaddition to causing a rotation, it may also affect the el-lipticity. Stability of birefringence requires slow thermaland mechanical variations.

Polarization mode dispersion (PMD) is the presenceof two different group velocities for two orthogonal po-larization modes. It is due to a delicate combination oftwo causes. First, birefringence produces locally twogroup velocities. For optical fibers, this local dispersionis in good approximation equal to the phase dispersion,of the order of a few picoseconds per kilometer. Hence,an optical pulse tends to split locally into a fast modeand a slow mode. But because the birefringence is small,the two modes couple easily. Hence any small imperfec-tion along the fiber produces polarization mode cou-pling: some energy of the fast mode couples into theslow mode and vice versa. PMD is thus similar to a ran-dom walk21 and grows only with the square root of thefiber length. It is expressed in ps km21/2, with values aslow as 0.1 ps km21/2 for modern fibers and possibly ashigh as 0.5 or even 1ps km21/2 for older ones.

Typical lengths for polarization mode coupling varyfrom a few meters up to hundreds of meters. The stron-ger the coupling, the weaker the PMD (the two modesdo not have time to move apart between the couplings).In modern fibers, the couplings are even artificially in-creased during the drawing process of the fibers (Hartet al., 1994; Li and Nolan, 1998). Since the couplings areexceedingly sensitive, the only reasonable description isa statistical one, hence PMD is described as a statisticaldistribution of delays dt. For sufficiently long fibers, thestatistics are Maxwellian, and PMD is related to the fi-ber length l , the mean coupling length h , the meanmodal birefringence B , and the rms delay as follows(Gisin et al., 1995): PMD[A^^dt2&&5BhAl /h . Polar-ization mode dispersion could cause depolarization,which would be devastating for quantum communica-tion, similar to any decoherence in quantum informationprocessing. Fortunately, for quantum communication theremedy is easy; it suffices to use a source with a coher-ence time longer than the largest delay dt. Hence, whenlaser pulses are used (with typical spectral widths Dl<1 nm, corresponding to a coherence time >3 ps; seeSec. III.A.1), PMD is no real problem. For photons cre-

20Polarization-maintaining fibers may be of use for phase-based QC systems. However, this requires that the wholesetup—transmission lines as well as interferometers at eachend—be made of polarization-maintaining fibers. While this ispossible in principle, the need to install a completely new fibernetwork makes this solution not very practical.

21In contrast to Brownian motion, which describes particlediffusion in space as time passes, here photons diffuse overtime as they propagate along the fiber.


ated by parametric downconversion, however, PMD canimpose severe limitations, since Dl>10 nm (coherencetime <300 fs) is not unusual.

Polarization-dependent loss is a differential attenua-tion between two orthogonal polarization modes. Thiseffect is negligible in fibers, but can be significant incomponents like phase modulators. In particular, someintegrated optics waveguides actually guide only onemode and thus behave almost like polarizers (e.g., pro-ton exchange waveguides in LiNbO3). Polarization-dependent losses are usually stable, but if connected to afiber with some birefringence, the relation between thepolarization state and the loss may fluctuate, producingrandom outcomes (Elamari et al., 1998). Polarization-dependent loss cannot be described by a unitary opera-tor acting in the polarization state space (but it is ofcourse unitary in a larger space (Huttner, Gautier, et al.,1996). Thus it does not preserve the scalar product. Inparticular, it can turn nonorthogonal states into orthogo-nal ones, which can then be distinguished unambigu-ously (at the cost of some loss; Huttner, Gautier, et al.,1996; Clarke et al., 2000). Note that this attenuationcould be used by Eve, especially to eavesdrop on thetwo-state protocol (Sec. II.D.1).

Let us conclude this section on polarization effects infibers by mentioning that they can be passively compen-sated for, provided one uses a go-and-return configura-tion, with Faraday mirrors, as described in Sec. IV.C.2.

3. Chromatic dispersion effects in single-mode fibers

In addition to polarization effects, chromatic disper-sion can also cause problems for quantum cryptography.For instance, as explained in Secs. IV.C and V.B,schemes implementing phase or phase-and-time codingrely on photons arriving at well-defined times, that is, onphotons well localized in space. However, in dispersivemedia like optical fibers, different group velocities act asa noisy environment on the localization of the photon aswell as on the phase acquired in an interferometer.Hence the broadening of photons featuring nonzerobandwidth, or, in other words, the coupling between fre-quency and position, must be circumvented or con-trolled. This implies working with photons of smallbandwidth, or, as long as the bandwidth is not too large,operating close to the wavelength l0 at which chromaticdispersion is zero, i.e., for standard fibers around 1310nm. Fortunately, fiber losses are relatively small at thiswavelength and amount to '0.35 dB/km. This region iscalled the second telecommunications window.22 Thereare also special fibers, called dispersion-shifted fibers,with a refractive index profile such that the chromatic

22The first one, around 800 nm, is almost no longer used. Itwas motivated by the early existence of sources and detectorsat this wavelength. The third window is around 1550 nm,where the attenuation reaches an absolute minimum (Thomaset al., 2000) and where erbium-doped fibers provide conve-nient amplifiers (Desurvire, 1994).


dispersion goes to zero around 1550 nm, where the at-tenuation is minimal (Neumann, 1988).23

Chromatic dispersion does not constitute a problem inthe case of faint laser pulses, for which the bandwidth issmall. However, it becomes a serious issue when utilizingphoton pairs created by parametric downconversion.For instance, sending photons of 70-nm bandwidth (asused in our long-distance tests of Bell’s inequality; Tittelet al., 1998) down 10 km of optical fibers leads to a tem-poral spread of around 500 ps (assuming photons cen-tered at l0 and a typical dispersion slope of0.086 ps nm22 km21). However, this can be compen-sated for when using energy-time-entangled photons(Franson, 1992; Steinberg et al., 1992a, 1992b, Larchuket al., 1995). In contrast to polarization coding, in whichfrequency and the physical property used to implementthe qubit are not conjugate variables, frequency andtime (thus position) constitute a Fourier pair. The strictenergy anticorrelation of signal and idler photons en-ables one to achieve a dispersion for one photon that isequal in magnitude but opposite in sign to that of thesister photon, thus corresponding to the same delay24

(see Fig. 7). The effect of broadening of the two wavepackets then cancels out, and two simultaneously emit-ted photons stay coincident. However, note that the ar-rival time of the pair varies with respect to its emissiontime. The frequency anticorrelation also provides thebasis for avoiding a decrease in visibility due to differentwave packet broadening in the two arms of an interfer-ometer. Since the choromatic dispersion properties ofoptical fibers do not change with time—in contrast tobirefringence—no active tracking and compensation arerequired. It thus turns out that phase and phase-timecoding are particularly suited to transmission over longdistances in optical fibers: nonlinear effects decoheringthe qubit ‘‘energy’’ are completely negligible, and chro-matic dispersion effects acting on the localization can beavoided or compensated for in many cases.

4. Free-space links

Although today’s telecommunications based on opti-cal fibers are very advanced, such channels may not al-ways be available. Hence there is also some effort indeveloping free-space line-of-sight communication sys-

23Chromatic dispersion in fibers is mainly due to the material,essentially silicon, but also to the refractive index profile. In-deed, longer wavelengths feel regions farther away from thecore where the refractive index is lower. Dispersion-shifted fi-bers have, however, been abandoned by today’s industry, be-cause it has turned out to be simpler to compensate for theglobal chromatic dispersion by adding an extra fiber with highnegative dispersion. The additional loss is then compensatedfor by an erbium-doped fiber amplifier.

24Here we assume a predominantly linear dependence ofchromatic dispersion as a function of the optical frequency, arealistic assumption.


tems, not only for classical data transmission but also forquantum cryptography (see Hughes, Buttler, et al., 2000and Gorman et al., 2000).

Transmission over free space features some advan-tages compared to the use of optical fibers. The atmo-sphere has a high transmission window at a wavelengthof around 770 nm (see Fig. 8), where photons can easilybe detected using commercial, high-efficiency photon-counting modules (see Sec. III.C.1). Furthermore, theatmosphere is only weakly dispersive and essentiallynonbirefringent25 at these wavelengths. It will thus notalter the polarization state of a photon.

However, there are some drawbacks concerning free-space links as well. In contrast to the signal transmittedin a guiding medium where the energy is ‘‘protected’’and remains localized in a small region of space, theenergy transmitted via a free-space link spreads out,leading to higher and varying transmission losses. In ad-dition to loss of energy, ambient daylight, or even moon-light at night, can couple into the receiver, leading to ahigher error rate. However, such errors can be kept to areasonable level by using a combination of spectral fil-tering (interference filters <1 nm), spatial filtering at thereceiver, and timing discrimination using a coincidence

25In contrast to an optical fiber, air is not subject to stress andis hence isotropic.

FIG. 7. Illustration of cancellation of chromatic dispersion ef-fects in the fibers connecting an entangled-particle source andtwo detectors. The figure shows differential group delay curvesfor two slightly different fibers approximately 10 km long. Us-ing frequency-correlated photons with central frequencyv0—determined by the properties of the fibers—the differencein propagation times t22t1 between the signal (at vs1,vs2)and idler (at v i1,v i2) photon is the same for all vs ,v i . Notethat this cancellation scheme is not restricted to signal andidler photons at nearly equal wavelengths. It also applies toasymmetrical setups in which the signal photon (generating thetrigger to indicate the presence of the idler photon) is at ashort wavelength of around 800 nm and travels only a shortdistance. Using a fiber with appropriate zero dispersion wave-length l0 , it is still possible to achieve equal differential groupdelay with respect to the energy-correlated idler photon sentthrough a long fiber at a telecommunications wavelength.


window of typically a few nanoseconds. Finally, it is clearthat the performance of free-space systems depends dra-matically on atmospheric conditions and is possible onlyin clear weather.

Finally, let us briefly comment on the different sourcesleading to coupling losses. A first concern is the trans-mission of the signals through a turbulent medium, lead-ing to arrival-time jitter and beam wander (hence prob-lems with beam pointing). However, as the time scalesfor atmospheric turbulences involved are rather small—around 0.1–0.01 s—the time jitter due to a variation ofthe effective refractive index can be compensated for bysending a reference pulse at a different wavelength ashort time (around 100 ns) before each signal pulse.Since this reference pulse experiences the same atmo-spheric conditions as the subsequent one, the signal willarrive essentially without jitter in the time window de-fined by the arrival of the reference pulse. In addition,the reference pulse can be reflected back to the trans-mitter and used to correct the direction of the laserbeam by means of adaptive optics, hence compensatingfor beam wander and ensuring good beam pointing.

Another issue is beam divergence, hence increase ofspot size at the receiver end caused by diffraction at thetransmitter aperture. Using, for example, 20-cm-diameter optics, one obtains a diffraction-limited spotsize after 300 km of '1 m. This effect can in principle bekept small by taking advantage of larger optics. How-ever, it can also be advantageous to have a spot size thatis large compared to the receiver’s aperture in order toensure constant coupling in case of remaining beamwander. In their 2000 paper, Gilbert and Hamrick pro-vide a comprehensive discussion of free-space channelsin the context of QC.

C. Single-photon detection

With the availability of pseudo-single-photon andphoton-pair sources, the success of quantum cryptogra-

FIG. 8. Transmission losses in free space as calculated usingthe LOWTRAN code for earth-to-space transmission at the el-evation and location of Los Alamos, USA. Note that there is alow-loss window at around 770 nm—a wavelength at whichhigh-efficiency silicon APD’s can be used for single-photon de-tection (see also Fig. 9 and compare to Fig. 6). Figure courtesyof Richard Hughes.


phy essentially depends on the ability to detect singlephotons. In principle, this can be achieved using a vari-ety of techniques, for instance, photomultipliers, ava-lanche photodiodes, multichannel plates, and supercon-ducting Josephson junctions. The ideal detector shouldfulfill the following requirements:

• the quantum detection efficiency should be highover a large spectral range,

• the probability of generating noise, that is, a signalwithout an arriving photon, should be small,

• the time between detection of a photon and genera-tion of an electrical signal should be as constant as pos-sible, i.e., the time jitter should be small, to ensure goodtiming resolution,

• the recovery time (i.e., the dead time) should beshort to allow high data rates.

In addition, it is important to keep the detectors prac-tical. For instance, a detector that needs liquid helium oreven nitrogen cooling would certainly render commer-cial development difficult.

Unfortunately, it turns out that it is impossible to ful-fill all the above criteria at the same time. Today, thebest choice is avalanche photodiodes (APD’s). Threedifferent semiconductor materials are used: either sili-con, germanium, or indium gallium arsenide, dependingon the wavelengths.

APDs are usually operated in the so-called Geigermode. In this mode, the applied voltage exceeds thebreakdown voltage, leading an absorbed photon to trig-ger an electron avalanche consisting of thousands of car-riers. To reset the diode, this macroscopic current mustbe quenched—the emission of charges must be stoppedand the diode recharged (Cova et al., 1996). Three mainpossibilities exist:

• In passive-quenching circuits, a large (50–500 kV)resistor is connected in series with the APD (see, forexample, Brown et al., 1986). This causes a decrease inthe voltage across the APD as soon as an avalanchestarts. When it drops below breakdown voltage, the ava-lanche stops and the diode recharges. The recovery timeof the diode is given by its capacitance and by the valueof the quench resistor. The maximum count rate variesfrom a few hundred kilohertz to a few megahertz.

• In active-quenching circuits, the bias voltage is ac-tively lowered below the breakdown voltage as soon asthe leading edge of the avalanche current is detected(see, for example, Brown et al., 1987). This mode makespossible higher count rates than those in passive quench-ing (up to tens of megahertz), since the dead time can beas short as tens of nanoseconds. However, the fast elec-tronic feedback system makes active-quenching circuitsmuch more complicated than passive ones.

• Finally, in gated-mode operation, the bias voltage iskept below the breakdown voltage and is raised above itonly for a short time, typically a few nanosecods when aphoton is expected to arrive. Maximum count rates simi-lar to those in active-quenching circuits can be obtainedusing less complicated electronics. Gated-mode opera-tion is commonly used in quantum cryptography based


on faint laser pulses, for which the arrival times of thephotons are well known. However, it only applies ifprior timing information is available. For two-photonschemes, it is most often combined with a passive-quenched detector, generating the trigger signal for thegated detector.

In addition to Geiger mode, Brown and Daniels(1989) have investigated the performance of siliconAPD’s operated in sub-Geiger mode. In this mode, thebias voltage is kept slightly smaller than the breakdownvoltage such that the multiplication factor—around100—is sufficient to detect an avalanche, yet, is stillsmall enough to prevent real breakdowns. Unfortu-nately, the single-photon counting performance in thismode is rather poor, and thus efforts have not been con-tinued, the major problem being the need for extremelylow-noise amplifiers.

An avalanche engendered by carriers created in theconduction band of the diode can be set off not only byan impinging photon, but also by unwanted causes.These might be thermal or band-to-band tunneling pro-cesses, or emissions from trapping levels populatedwhile a current transits through the diode. The first twoproduce avalanches not due to photons and are referredto as dark counts. The third process depends on previousavalanches and its effects are called afterpulses. Sincethe number of trapped charges decreases exponentiallywith time, these afterpulses can be limited by applyinglarge dead times. Thus there is a tradeoff between highcount rates and low afterpulses. The time constant of theexponential decrease of afterpulses shortens for highertemperatures of the diode. Unfortunately, operatingAPD’s at higher temperatures leads to a higher fractionof thermal noise, that is, higher dark counts. Thus thereis again a tradeoff to be optimized. Finally, increasingthe bias voltage leads to a higher quantum efficiency anda smaller time jitter, at the cost of an increase in noise.

We thus see that the optimal operating parameters—voltage, temperature, and dead time (i.e., maximumcount rate)—depend on the specific application. More-over, since the relative magnitudes of efficiency, thermalnoise, and afterpulses vary with the type of semiconduc-tor material used, no general solution exists. In the nexttwo sections we briefly discuss the different types ofAPD’s. The first section focuses on silicon APD’s for thedetection of photons at wavelengths below 1 mm; thesecond comments on germanium and on indium galliumarsenide APD’s for photon counting at telecommunica-tions wavelengths. The different behavior of the threetypes is shown in Fig. 9. Although the best figure ofmerit for quantum cryptography is the ratio of dark-count rate R to detection efficiency h, we show here thebetter-known noise equivalent power (NEP), whichshows similar behavior. The noise equivalent power isdefined as the optical power required to measure a unitysignal-to-noise ratio and is given by

NEP5hn

hA2R . (25)


Here, h is Planck’s constant and n is the frequency of theimpinging photons.

1. Photon counting at wavelengths below 1.1 mm

Since the beginning of the 1980s much work has beendone to characterize silicon APD’s for single-photoncounting (Ingerson 1983; Brown et al., 1986, 1987;Brown and Daniels, 1989; Spinelli, 1996), and the perfor-mance of Si APD’s has continuously been improved.Since the first test of Bell’s inequality using Si APD’s byShih and Alley in 1988, they have completely replacedthe photomultipliers used until then in the domain offundamental quantum optics, now known as quantumcommunication. Today, quantum efficiencies of up to76% (Kwiat et al., 1993) and time jitter as low as 28 ps(Cova et al., 1989) have been reported. Commercialsingle-photon counting modules are available (for ex-ample, EG&G SPCM-AQ-151), featuring quantum effi-ciencies of 70% at a wavelength of 700 nm, a time jitterof around 300 ps, and maximum count rates higher than5 MHz. Temperatures of 220 °C—sufficient to keepthermally generated dark counts as low as 50 Hz—caneasily be achieved using Peltier cooling. Single-photoncounters based on silicon APD’s thus offer an almostperfect solution for all applications in which photons ofwavelengths below 1 mm can be used. Apart from fun-damental quantum optics, these applications includequantum cryptography in free space and in optical fi-bers; however, due to high losses, the latter works onlyover short distances.

2. Photon counting at telecommunications wavelengths

When working in the second telecommunications win-dow (1.3 mm), one can take advantage of APD’s madefrom germanium or InGaAs/InP semiconductor materi-als. In the third window (1.55 mm), the only option isInGaAs/InP.

Photon counting with germanium APD’s, althoughknown for 30 years (Haecker et al., 1971), began to beused in quantum communication as the need arose totransmit single photons over long distances using opticalfibers, which necessitated working at telecommunica-tions wavelengths. In 1993, Townsend, Rarity, and Tap-

FIG. 9. Noise equivalent power as a function of wavelength forsilicon, germanium, and InGaAs/InP APD’s.


ster (1993a) implemented a single-photon interferencescheme for quantum cryptography over a distance of 10km, and in 1994, Tapster, Rarity, and Owens demon-strated a violation of Bell’s inequalities over 4 km. Theseexperiments were the first to take advantage of GeAPD’s operated in passively quenched Geiger mode. Ata temperature of 77 K, which can be achieved using ei-ther liquid nitrogen or Stirling engine cooling, typicalquantum efficiencies of about 15% at dark-count ratesof 25 kHz can be achieved (Owens et al., 1994), and timejitter down to 100 ps has been observed (Lacaita et al.,1994) a normal value being 200–300 ps.

Traditionally, germanium APD’s have been imple-mented in the domain of long-distance quantum com-munication. However, this type of diode is currently be-ing replaced by InGaAs APD’s, and it has become moreand more difficult to find germanium APD’s on the mar-ket. Motivated by pioneering research reported in 1985(Levine et al., 1985), the latest research focuses onInGaAs APD’s, which allow single-photon detection inboth telecommunications windows. Starting with workby Zappa et al. (1994), InGaAs APD’s as single-photoncounters have meanwhile been thoroughly characterized(Lacaita et al., 1996; Ribordy et al., 1998; Karlsson et al.,1999; Hiskett et al., 2000; Rarity et al., 2000; Stucki et al.,2001), and the first implementations for quantum cryp-tography have been reported (Ribordy, 1998; Bouren-nane et al., 1999; Bethune and Risk, 2000; Hughes, Mor-gan, and Peterson, 2000; Ribordy et al., 2000). However,if operating Ge APD’s is already more inconvenientthan using silicon APD’s, the practicality of InGaAsAPD’s is even worse, the problem being an extremelyhigh afterpulse fraction. Therefore operation in passive-quenching mode is impossible for applications in whichlow noise is crucial. In gated mode, InGaAs APD’s arebetter for single-photon counting at 1.3 mm than GeAPD’s. For instance, at a temperature of 77 K and adark-count probability of 1025 per 2.6-ns gate, quantumefficiencies of around 30% and 17% have been reportedfor InGaAs and Ge APD’s, respectively (Ribordy et al.,1998), while the time jitter of both devices is compa-rable. If working at a wavelength of 1.55 mm, the tem-perature has to be increased for single-photon detection.At 173 K and a dark-count rate of 1024, a quantumefficiency of 6% can still be observed using InGaAs/InPdevices, while the same figure for germanium APD’s isclose to zero.

To date, no industrial effort has been made to opti-mize APD’s operating at telecommunications wave-lengths for photon counting, and their performance stilllags far behind that one of silicon APD’s.26 However,there is no fundamental reason why photon counting atwavelengths above 1 mm should be more difficult than atwavelengths below 1 mm except that the high-

26The first commercial photon counter at telecommunicationswavelengths came out only this year (the Hamamatsu photo-multiplier R5509-72). However, its efficiency is not yet suffi-cient for use in quantum cryptography.


wavelength photons are less energetic. The real reasonsfor the lack of commercial products are, first, that sili-con, the most common semiconductor material, is notsensitive enough (the band gap is too large), and secondthat the market for photon counting is not yet mature.But, without great risk, one can predict that good com-mercial photon counters will become available in thenear future and that they will have a major impact onquantum cryptography.

D. Quantum random-number generators

The key used in the one-time pad must be secret andused only once. Consequently it must be as long as themessage, and it must be perfectly random. The latterpoint proves to be a delicate and interesting one. Com-puters are deterministic systems that cannot create trulyrandom numbers. However, all secure cryptosystems,both classical and quantum ones, require truly randomnumbers.27 Hence the random numbers must be createdby a random physical process. Moreover, to make surethat the process does not merely appear random whilehaving some hidden deterministic pattern, the processneeds to be completely understood. It is thus of interestto implement a simple process in order to gain confi-dence in the randomness of its proper operation.

A natural solution is to rely on the random choice of asingle photon at a beamsplitter28 (Rarity et al., 1994). Inthis case the randomness is in principle guaranteed bythe laws of quantum mechanics, though one still has tobe very careful not to introduce any experimental arti-fact that could correlate adjacent bits. Different experi-mental realizations have been demonstrated (Jenne-wein, Achleitner, et al., 2000; Stefanov et al., 2000;Hildebrand, 2001), and prototypes are commerciallyavailable (www.gap-optique.unige.ch). One particularproblem is the dead time of the detectors, which mayintroduce a strong anticorrelation between neighboringbits. Similarly, afterpulses may provoke a correlation.These detector-related effects increase with higher pulserates, limiting the bit rate of a quantum number genera-tor to a few megahertz.

In the BB84 protocol Alice has to choose randomlyamong four different states and Bob between two bases.The limited random-number generation rate may forceAlice to produce her numbers in advance and storethem, creating a security risk. On Bob’s side the random-bit creation rate can be lower, since, in principle, thebasis need be changed only after a photon has been de-tected, which normally happens at rates below 1 MHz.However, one must make sure that this does not give aspy an opportunity for a Trojan horse attack (see Sec.VI.K).

27The PIN number that the bank assigns to your ATM cardmust be random. If not, someone else knows it.

28Strictly speaking, the choice is made only once the photonsare detected at one of the outports.


An elegant configuration integrating the random-number generator into the QC system consists in using apassive choice of bases, as discussed in Sec. V (Mulleret al., 1993). However, the problem of detector-inducedcorrelation remains.

E. Quantum repeaters

Today’s fiber-based QC systems are limited to opera-tion over tens of kilometers due to the combination offiber losses and detector noise. The losses by themselvesonly reduce the bit rate (exponentially with distance).With perfect detectors the distance would not be limited.However, because of the dark counts, each time a pho-ton is lost there is a chance that a dark count producesan error. Hence, when the probability of a dark countbecomes comparable to the probability that a photon iscorrectly detected, the signal-to-noise ratio tends to 0[more precisely, the mutual information I(a ,b) tends toa lower bound29]. In this section we briefly explain howthe use of entangled photons and of entanglement swap-ping (Zukowski et al., 1993) could offer ways to extendthe achievable distances in the foreseeable future (someprior knowledge of entanglement swapping is assumed).Let t link denote the transmission coefficient (i.e., theprobability that a photon sent by Alice gets to one ofBob’s detectors), h the detector efficiency, and pdark thedark-count probability per time bin. With a perfectsingle-photon source, the probability Praw of a correctqubit detection is Praw5t linkh , while the probabilityPdet of an error is Pdet5(12t linkh)pdark . Accordingly,the QBER5Pdet /(Praw1Pdet), and the normalized netrate is rnet5(Praw1Pdet)•fct(QBER), where the func-tion fct denotes the fraction of bits remaining after errorcorrection and privacy amplification. For the sake of il-lustration, we simply assume a linear dependence drop-ping to zero for QBER>15% (this simplification doesnot affect the qualitative results of this section; for amore precise calculation, see Lutkenhaus 2000):fct(QBER)512 QBER/15%. The corresponding netrate rnet is displayed in Fig. 10. Note that it drops to zeronear 90 km.

Let us now assume that instead of a perfect single-photon source, Alice and Bob use a perfect two-photonsource set in the middle of their quantum channel. Eachphoton then has a probability At link of reaching a detec-tor. The probability of a correct joined detection is thusPraw5t linkh2, while an error occurs with probabilityPdet 5 (12At linkh)2pdark

2 1 2At linkh(1 2 At linkh)pdark(both photons lost and two dark counts, or one photonlost and one dark count). This can be conveniently re-written as Praw5t linkhn and Pdet5@ t link

1/n h1(12t link

1/n h)pdark#n2t linkhn, valid for any division of the

29The absolute lower bound is 0, but depending on the as-sumed eavesdropping strategy, Eve could take advantage ofthe losses. In the latter case, the lower bound is given by hermutual information I(a ,e).


link into n equal-length sections and n detectors. Notethat the measurements performed at the nodes betweenAlice and Bob transmit (swap) the entanglement to thetwin photons without revealing any information aboutthe qubit (these measurements are called Bell measure-ments and are at the core of entanglement swapping andof quantum teleportation). The corresponding net ratesare displayed in Fig. 10. Clearly, the rates for short dis-tances are smaller when several detectors are used, be-cause of their limited efficiencies (here we assume h510%), but the distance before the net rate drops tozero is extended to longer distances! Intuitively, this canbe understood as follows. Let us assume that a logicalqubit propagates from Alice to Bob (although somephotons propagate in the opposite direction). Then,each two-photon source and each Bell measurement actson this logical qubit as a kind of quantum nondemolitionmeasurement, testing whether the logical qubit is stillthere. In this way, Bob activates his detectors only whenthere is a large chance t link

1/n that the photon gets to hisdetectors.

Note that if in addition to detector noise there is noisedue to decoherence, then the above idea can be ex-tended, using entanglement purification. This is essen-tially the idea behind quantum repeaters (Briegel et al.,1998; Dur et al., 1999).

IV. EXPERIMENTAL QUANTUM CRYPTOGRAPHY WITHFAINT LASER PULSES

Experimental quantum key distribution was demon-strated for the first time in 1989 (the results were pub-lished only in 1992 by Bennett, Bessette, et al.). Sincethen, tremendous progress has been made. Today, sev-eral groups have shown that quantum key distribution ispossible, even outside the laboratory. In principle, anytwo-level quantum system could be used to implementQC. In practice, all implementations have relied on pho-tons. The reason is that their interaction with the envi-

FIG. 10. Normalized net key creation rate rnet as a function ofdistance in optical fibers. For n51, Alice uses a perfect single-photon source. For n.1, the link is divided into n equal-lengthsections, and n/2 two-photon sources are distributed betweenAlice and Bob. Parameters: detection efficiency h510%,dark-count probability pdark51024, and fiber attenuation a50.25 dB/km.


ronment, also called decoherence, can be controlled andmoderated. In addition, researchers can benefit from allthe tools developed in the past two decades for opticaltelecommunications. It is unlikely that other carriers willbe employed in the foreseeable future.

Comparing different QC setups is a difficult task,since several criteria must be taken into account. Whatmatters in the end, of course, is the rate of correctedsecret bits (the distilled bit rate Rdist) that can be trans-mitted and the transmission distance. One can alreadynote that with present and near-future technology it willprobably not be possible to achieve rates of the order ofgigahertz, which are now common with conventional op-tical communication systems (in their comprehensivepaper published in 2000, Gilbert and Hamrick discusspractical methods for achieving high-bit-rate QC). Thisimplies that encryption with a key exchanged throughQC will be limited to highly confidential information.While the determination of the transmission distanceand rate of detection (the raw bit rate Rraw) is straight-forward, estimating the net rate is rather difficult. Al-though, in principle, errors in the bit sequence followonly from tampering by a malevolent eavesdropper, thesituation is rather different in reality. Discrepancies be-tween the keys of Alice and Bob also happen because ofexperimental imperfections. The error rate QBER canbe easily determined. Similarly, the error correction pro-cedure is rather simple. Error correction leads to a re-duction of the key rate that depends strongly on theQBER. The real problem is to estimate the informationobtained by Eve, a quantity necessary for privacy ampli-fication. This depends not only on the QBER, but alsoon other factors, such as the photon number statistics ofthe source or the way the choice of the measurementbasis is made. Moreover in a pragmatic approach, onemight also accept restrictions on Eve’s technology, limit-ing her strategies and therefore also the information shecan obtain per error she introduces. Since the efficiencyof privacy amplification rapidly decreases when theQBER increases, the distilled bit rate depends dramati-cally on Eve’s information and hence on the assumptionsmade. One can define as the maximum transmission dis-tance the distance at which the distilled rate reacheszero. This distance can give one an idea of the difficultyof evaluating a QC system from a physical point of view.

Technological aspects must also be taken into account.In this article we do not focus on all the published per-formances (in particular not on the key rates), whichstrongly depend on current technology and the financialresources of the research teams who carried out the ex-periments. Rather, we try to weigh the intrinsic techno-logical difficulties associated with each setup and to an-ticipate certain technological advances. Last but notleast, the cost of realizing a prototype should also beconsidered.

In this section, we first deduce a general formula forthe QBER and consider its impact on the distilled rate.We then review faint-pulse implementations. We classthem according to the property used to encode the qu-bits value and follow a rough chronological order. Fi-


nally, we assess the possibility of adopting the varioussetups for the realization of an industrial prototype. Sys-tems based on entangled photon pairs are presented inthe next section.

A. Quantum bit error rate

The QBER is defined as the ratio of wrong bits to thetotal number of bits received30 and is normally on theorder of a few percent. We can express it as a function ofrates,

QBER5Nwrong

Nright1Nwrong5

Rerror

Rsift1Rerror'

Rerror

Rsift. (26)

Here the sifted key corresponds to the cases in whichAlice and Bob made compatible choices of bases, henceits rate is half that of the raw key.

The raw rate is essentially the product of the pulserate frep , the mean number of photons per pulse m, theprobability t link of a photons arriving at the analyzer,and the probability h of the photon’s being detected:

Rsift512

Rraw512

qfrepmt linkh . (27)

The factor q (q<1, typically 1 or 12) must be introduced

for some phase-coding setups in order to correct fornoninterfering path combinations (see, for example,Secs. IV.C and V.B).

One can identify three different contributions toRerror . The first arises from photons that end up in thewrong detector due to imperfect interference or polar-ization contrast. The rate Ropt is given by the product ofthe sifted-key rate and the probability popt of a photon’sgoing to the wrong detector:

Ropt5Rsiftpopt512

qfrepmt linkpopth . (28)

For a given setup, this contribution can be considered asan intrinsic error rate indicating its suitability for use inQC. We shall discuss it below in the case of each par-ticular system.

The second contribution, Rdet , arises from the detec-tor dark counts (or from remaining environmental straylight in free-space setups). This rate is independent ofthe bit rate.31 Of course, only dark counts falling withinthe short time window when a photon is expected giverise to errors,

Rdet512

12

freppdarkn , (29)

where pdark is the probability of registering a dark countper time window and per detector, and n is the number

30In the following section we consider systems implementingthe BB84 protocol. For other protocols, some of the formulashave to be slightly adapted.

31This is true provided that afterpulses (see Sec. III.C) do notcontribute to the dark counts.


of detectors. The two factors of 12 are related to the fact

that a dark count has a 50% chance of happening whenAlice and Bob have chosen incompatible bases (and isthus eliminated during sifting) and a 50% chance of oc-curring in the correct detector.

Finally, error counts can arise from uncorrelated pho-tons due to imperfect photon sources:

Racc512

12

paccfrept linknh . (30)

This factor appears only in systems based on entangledphotons, where the photons belonging to different pairsbut arriving in the same time window are not necessarilyin the same state. The quantity pacc is the probability offinding a second pair within the time window, knowingthat a first one was created.32

The QBER can now be expressed as follows:

QBER5Ropt1Rdet1Racc

Rsift(31)

5popt1pdarkn

tlinkh2qm1

pacc

2qm(32)

5QBERopt1QBERdet1QBERacc . (33)

We now analyze these three contributions. The first one,QBERopt , is independent of the transmission distance(it is independent of t link). It can be considered as ameasure of the optical quality of the setup, dependingonly on the polarization or interference fringe contrast.The technical effort needed to obtain and, more impor-tantly, to maintain a given QBERopt is an important cri-terion for evaluating different QC setups. Inpolarization-based systems, it is rather simple to achievea polarization contrast of 100:1, corresponding to aQBERopt of 1%. In fiber-based QC, the problem is tomaintain this value in spite of polarization fluctuationsand depolarization in the fiber link. For phase-codingsetups, QBERopt and the interference visibility are re-lated by

QBERopt512V

2. (34)

A visibility of 98% thus translates into an optical errorrate of 1%. Such a value implies the use of well-alignedand stable interferometers. In bulk optics, perfect modeoverlap is difficult to achieve, but the polarization isstable. In single-mode fiber interferometers, on in con-trast, perfect mode overlap is automatically achieved,but the polarization must be controlled, and chromaticdispersion can constitute a problem.

The second contribution, QBERdet , increases withdistance, since the dark-count rate remains constantwhile the bit rate goes down like t link . It depends en-

32Note that a passive choice of measurement basis impliesthat four detectors (or two detectors during two time windows)are activated for every pulse, thus leading to a doubling of Rdetand Racc .


tirely on the ratio of the dark-count rate to the quantumefficiency. At present, good single-photon detectors arenot commercially available for telecommunicationswavelengths. The span of QC is not limited by decoher-ence. As QBERopt is essentially independent of the fiberlength, it is detector noise that limits the transmissiondistance.

Finally, the QBERacc contribution is present only insome two-photon schemes in which multiphoton pulsesare processed in such a way that they do not necessarilyencode the same bit value (see, for example, Secs. V.B.1and V.B.2). Although all systems have some probabilityof multiphoton pulses, in most these contribute only tothe information available to Eve (see Sec. VI.H) and notto the QBER. However, for implementations featuringpassive choice by each photon, the multiphoton pulsesdo not contribute to Eve’s information but only to theerror rate (see Sec. VI.J).

Now, let us calculate the useful bit rate as a functionof the distance. Rsift and QBER are given as a functionof t link in Eqs. (27) and (32), respectively. The fiber linktransmission decreases exponentially with length. Thefraction of bits lost due to error correction and privacyamplification is a function of QBER and depends onEve’s strategy. The number of remaining bits Rnet isgiven by the sifted-key rate multiplied by the differencebetween the Alice-Bob mutual Shannon informationI(a ,b) and Eve’s maximal Shannon informationImax(a,e):

Rnet5Rsift@I~a ,b!2Imax~a ,e!# . (35)

The difference between I(a ,b) and Imax(a,e) is calcu-lated here according to Eqs. (63) and (65) (Sec. VI.E),considering only individual attacks and no multiphotonpulses. We obtain Rnet (the useful bit rate after errorcorrection and privacy amplification) for different wave-lengths as shown in Fig. 11. There is first an exponentialdecrease, then, due to error correction and privacy am-plification, the bit rates fall rapidly down to zero. This is

FIG. 11. Bit rate, after error correction and privacy amplifica-tion, vs fiber length. The chosen parameters are as follows:pulse rates of 10 MHz for faint laser pulses (m50.1) and 1MHz for the case of ideal single photons (1550-nm ‘‘single’’);losses of 2, 0.35, and 0.25 dB/km; detector efficiencies of 50, 20,and 10; dark-count probabilities of 1027, and 1025, and 1025

for 800, 1300, and 1550 nm, respectively. Losses at Bob’s endand QBERopt are neglected.


most evident when comparing the curves 1550 and 1550nm ‘‘single,’’ since the latter features a QBER that is 10times lower. One can see that the maximum range isabout 100 km. In practice it is closer to 50 km, due tononideal error correction and privacy amplification,multiphoton pulses, and other optical losses not consid-ered here. Finally, let us mention that typical key cre-ation rates on the order of a thousand bits per secondover distances of a few tens of kilometers have beendemonstrated experimentally (see, for example,Townsend, 1998b or Ribordy et al., 2000).

B. Polarization coding

Encoding the qubits in the polarization of photons is anatural solution. The first demonstration of QC by Ben-nett and co-workers (Bennett, Bessette, et al., 1992)made use of this choice. They realized a system in whichAlice and Bob exchanged faint light pulses produced bya light-emitting diode and containing less than one pho-ton on average over a distance of 30 cm in air. In spite ofthe small scale of this experiment, it had an importantimpact on the community, as it showed that it was notunreasonable to use single photons instead of classicalpulses for encoding bits.

A typical QC system with the BB84 four-state proto-col using the polarization of photons is shown in Fig. 12.Alice’s system consists of four laser diodes. They emitshort classical photon pulses ('1 ns) polarized at 245°,0°, 145°, and 90°. For a given qubit, a single diode istriggered. The pulses are then attenuated by a set offilters to reduce the average number of photons to wellbelow 1, and sent along the quantum channel to Alice.

It is essential that the pulses remain polarized for Bobto be able to extract the information encoded by Alice.As discussed in Sec. III.B.2, polarization mode disper-sion may depolarize the photons, provided the delay itintroduces between polarization modes is longer thanthe coherence time. This sets a constraint on the type oflasers used by Alice.

Upon reaching Bob, the pulses are extracted from thefiber. They travel through a set of waveplates used torecover the initial polarization states by compensatingfor the transformation induced by the optical fiber (Sec.III.B.2). The pulses then reach a symmetric beamsplit-

FIG. 12. Typical system for quantum cryptography using po-larization coding: LD, laser diode; BS, beamsplitter; F, neutraldensity filter; PBS, polarizing beamsplitter; l/2, half wave-plate; APD, avalanche photodiode.


ter, implementing the basis choice. Transmitted photonsare analyzed in the vertical-horizontal basis with a po-larizing beamsplitter and two photon-counting detec-tors. The polarization state of the reflected photons isfirst rotated with a waveplate by 45° (245°→0°). Thephotons are then analyzed with a second set of polariz-ing beamsplitters and photon-counting detectors. Thisimplements the diagonal basis. For illustration, let usfollow a photon polarized at 145°. We see that its stateof polarization is arbitrarily transformed in the opticalfiber. At Bob’s end, the polarization controller must beset to bring it back to 145°. If it chooses the output ofthe beamsplitter corresponding to the vertical-horizontalbasis, it will experience an equal probability of reflectionor transmission at the polarizing beamsplittter, yielding arandom outcome. On the other hand, if it chooses thediagonal basis, its state will be rotated to 90°. The po-larizing beamsplitter will then reflect it with unit prob-ability, yielding a deterministic outcome.

Instead of having Alice use four lasers and Bob twopolarizing beamsplitters, one can also implement thissystem with active polarization modulators such asPockels cells. For emission, the modulator is randomlyactivated for each pulse to rotate the state of polariza-tion to one of the four states, while, at the receiver, itrandomly rotates half of the incoming pulses by 45°. It isalso possible to realize the whole system with fiber op-tics components.

Antoine Muller and co-workers at the University ofGeneva have used such a system to perform QC experi-ments over optical fibers (1993; see also Breguet et al.,1994). They created a key over a distance of 1100 meterswith photons at 800 nm. In order to increase the trans-mission distance, they repeated the experiment withphotons at 1300 nm (Muller et al., 1995, 1996) and cre-ated a key over a distance of 23 km. An interesting fea-ture of this experiment is that the quantum channel con-necting Alice and Bob consisted of an optical fiber partof an installed cable used by the telecommunicationscompany Swisscom for carrying phone conversations. Itruns between the Swiss cities of Geneva and Nyon, un-der Lake Geneva (Fig. 13). This was the first time QCwas performed outside of a physics laboratory. Theseexperiments had a strong impact on the interest of thewider public in the new field of quantum communica-tion.

These two experiments highlighted the fact that thepolarization transformation induced by a long optical fi-ber was unstable over time. Indeed, when monitoringthe QBER of their system, Muller noticed that, althoughit remained stable and low for some time (on the orderof several minutes), it would suddenly increase after awhile, indicating a modification of the polarization trans-formation in the fiber. This implies that a real fiber-based QC system would require active alignment tocompensate for this evolution. Although not impossible,such a procedure is certainly difficult. James Franson didindeed implement an active-feedback alignment system(Franson and Jacobs, 1995), but did not pursue this lineof research. It is interesting to note that replacing stan-


dard fibers with polarization-maintaining fibers does notsolve the problem. The reason is that, in spite of theirname, these fibers do not maintain polarization, as ex-plained in Sec. III.B.2.

Recently, Townsend has also investigated suchpolarization-encoding systems for QC on short-spanlinks up to 10 kilometers (1998a, 1998b) with photons at800 nm. It is interesting to note that, although he usedstandard telecommunications fibers which could supportmore than one spatial mode at this wavelength, he wasable to ensure single-mode propagation by carefullycontrolling the launching conditions. Because of theproblem discussed above, polarization coding does notseem to be the best choice for QC in optical fibers. Nev-ertheless, this problem is drastically reduced when con-sidering free-space key exchange, as air has essentiallyno birefringence at all (see Sec. IV.E).

C. Phase coding

The idea of encoding the value of qubits in the phaseof photons was first mentioned by Bennett in the paperin which he introduced the two-state protocol (1992). Itis indeed a very natural choice for optics specialists.State preparation and analysis are then performed withinterferometers, which can be realized with single-modeoptical fiber components.

Figure 14 presents an optical fiber version of a Mach-Zehnder interferometer. It is made out of two symmetriccouplers—the equivalent of beamsplitters—connectedto each other, with one phase modulator in each arm.One can inject light into the setup, using a continuousand classical source, and monitor the intensity at theoutput ports. Provided that the coherence length of thelight used is larger than the path mismatch in the inter-ferometers, interference fringes can be recorded. Takinginto account the p/2 phase shift experienced upon re-flection at a beamsplitter, the effect of the phase modu-

FIG. 13. Geneva and Lake Geneva. The Swisscom optical fi-ber cable used for quantum cryptography experiments runsunder the lake between the town of Nyon, about 23 km northof Geneva, and the center of the city.


lators (fA and fB), and the path-length difference(DL), the intensity in the output port labeled ‘‘0’’ isgiven by

I05 I• cos2 S fA2fB1kDL

2 D , (36)

where k is the wave number and I the intensity of thesource. If the phase term is equal to p/21np , where n isan integer, destructive interference is obtained. There-fore the intensity registered in port 0 reaches a mini-mum, and all the light exits from port 1. When the phaseterm is equal to np , the situation is reversed: construc-tive interference is obtained in port 0, while the intensityin port 1 goes to a minimum. With intermediate phasesettings, light can be recorded in both ports. This deviceacts like an optical switch. It is essential to keep the pathdifference stable in order to record stationary interfer-ences.

Although we have discussed the behavior of this inter-ferometer for classical light, it works exactly the samewhen a single photon is injected. The probability of de-tecting the photon in one output port can be varied bychanging the phase. It is the fiber optic version ofYoung’s double-slit experiment, in which the arms of theinterferometer replace the apertures.

This interferometer combined with a single-photonsource and photon-counting detectors can be used forQC. Alice’s setup consists of the source, the first coupler,and the first phase modulator, while Bob takes the sec-ond modulator and coupler, as well as the detectors. Letus consider the implementation of the four-state BB84protocol. On the one hand, Alice can apply one of fourphase shifts (0,p/2,p ,3p/2) to encode a bit value. Sheassociates 0 and p/2 with bit 0, and p and 3p/2 with bit1. On the other hand, Bob performs a basis choice byrandomly applying a phase shift of either 0 or p/2. Heassociates the detector connected to the output port 0with a bit value of 0, and the detector connected to port1 with bit 1. When the difference of their phase is equalto 0 or p, Alice and Bob are using compatible bases andthey obtain deterministic results. In such cases, Alicecan infer from the phase shift she applied the outputport chosen by the photon at Bob’s end and hence thebit value he registered. Bob, on his side, deduces fromthe output port chosen by the photon the phase that

FIG. 14. Conceptual interferometric setup for quantum cryp-tography using an optical fiber Mach-Zehnder interferometer:LD, laser diode; PM, phase modulator; APD, avalanche pho-todiode.


Alice selected. When the phase difference equals p/2 or3p/2, the bases are incompatible and the photon ran-domly chooses which port it takes at Bob’s coupler. Thisscheme is summarized in Table I. We must stress that itis essential with this scheme to keep the path differencestable during a key exchange session. It should notchange by more than a fraction of a wavelength of thephotons. A drift of the length of one arm would indeedchange the phase relation between Alice and Bob andinduce errors in their bit sequence.

It is interesting to note that encoding qubits with two-path interferometers is formally isomorphic to polariza-tion encoding. The two arms correspond to a naturalbasis, and the weights cj of each qubit state c5(c1e2if/2,c2eif/2) are determined by the coupling ratioof the first beamsplitter, while the relative phase f isintroduced in the interferometer. The Poincare sphererepresentation, which applies to all two-level quantumsystems, can also be used to represent phase-codingstates. In this case, the azimuth angle represents therelative phase between the light that has propagatedalong the two arms. The elevation corresponds to thecoupling ratio of the first beamsplitter. States producedby a switch are on the poles, while those resulting fromthe use of a 50/50 beamsplitter lie on the equator. Figure15 illustrates this analogy. Consequently, all polarizationschemes can also be implemented using phase coding.

TABLE I. Implementation of the BB84 four-state protocolwith phase encoding.

Alice BobBit value fA fB fA2fB Bit value

0 0 0 0 00 0 p/2 3p/2 ?1 p 0 p 11 p p/2 p/2 ?0 p/2 0 p/2 ?0 p/2 p/2 0 01 3p/2 0 3p/2 ?1 3p/2 p/2 p 1

FIG. 15. Poincare sphere representation of two-level quantumstates generated by two-path interferometers. The poles corre-spond to the states generated by an interferometer in whichthe first coupler is replaced by a switch. The states generatedwith a symmetrical beamsplitter are on the equator. The azi-muth indicates the phase between the two paths.


Similarly, every coding using two-path interferometerscan be realized using polarization. However, in practiceone choice is often more convenient than the other, de-pending on circumstances like the nature of the quan-tum channel.33

1. The double Mach-Zehnder implementation

Although the scheme presented in the previous sec-tion works perfectly well on an optical table, it is impos-sible to keep the path difference stable when Alice andBob are separated by more than a few meters. As men-tioned above, the relative length of the arms should notchange by more than a fraction of a wavelength. If Aliceand Bob are separated by 1 kilometer, for example, it isclearly impossible to prevent path difference changessmaller than 1 mm caused by environmental variations.In his 1992 letter, Bennett also showed how to circum-vent this problem. He suggested using two unbalancedMach-Zehnder interferometers, one for Alice and onefor Bob, connected in series by a single optical fiber (seeFig. 16). When monitoring counts as a function of thetime since the emission of the photons, Bob obtainsthree peaks (see the inset in Fig. 16). The first one cor-responds to the photons that chose the short path inboth Alice’s and Bob’s interferometers, while the lastone corresponds to photons that chose both the longpaths. Finally, the central peak corresponds to photonsthat chose the short path in Alice’s interferometer andthe long one in Bob’s, and vice versa. If these two pro-cesses are indistinguishable, they produce interference.A timing window can be used to discriminate betweeninterfering and noninterfering events. If the latter aredisregarded, it is then possible for Alice and Bob to ex-change a key.

The advantage of this setup is that both ‘‘halves’’ ofthe photon travel in the same optical fiber. They thusexperience the same optical length in the environmen-

33Note, in addition, that using many-path interferometersopens up the possibility of coding quantum systems of dimen-sions larger than 2, like qutrits, ququarts, etc. (Bechmann-Pasquinucci and Peres, 2000; Bechmann-Pasquinucci and Tit-tel, 2000; Bourennane, Karlsson, and Bjorn, 2001).

FIG. 16. Double Mach-Zehnder implementation of an inter-ferometric system for quantum cryptography: LD, laser diode;PM, phase modulator; APD, avalanche photodiode. The insetrepresents the temporal count distribution recorded as a func-tion of the time passed since the emission of the pulse by Al-ice. Interference is observed in the central peak.


tally sensitive part of the system, provided that thevariations in the fiber are slower than their temporalseparations, determined by the interferometer’s imbal-ance ('5 ns). This condition is much less difficult tofulfill. In order to obtain good fringe visibility, and hencea low error rate, the imbalances of the interferometersmust be equal to within a fraction of the coherence timeof the photons. This implies that the path differencesmust be matched to within a few millimeters, which doesnot constitute a problem. The imbalance must be chosenso that it is possible to distinguish the three temporalpeaks clearly and thus discriminate interfering fromnoninterfering events. It must typically be larger thanthe pulse length and the timing jitter of the photon-counting detectors. In practice, the second condition isthe more stringent one. Assuming a time jitter of theorder of 500 ps, an imbalance of at least 1.5 ns keepsthe overlap between the peaks low.

The main difficulty associated with this QC scheme isthat the imbalances of Alice’s and Bob’s interferometersmust be kept stable to within a fraction of the wave-length of the photons during a key exchange to maintaincorrect phase relations. This implies that the interferom-eters must lie in containers whose temperature is stabi-lized. In addition, for long key exchanges an active sys-tem is necessary to compensate for drift.34 Finally, inorder to ensure the indistinguishability of both interfer-ing processes, one must make sure that in each interfer-ometer the polarization transformation induced by theshort path is the same as that induced by the long path.Both Alice and Bob must then use a polarization con-troller to fulfill this condition. However, the polarizationtransformation is rather stable in short optical fiberswhose temperature is kept stable and which do not ex-perience strains. Thus this adjustment does not need tobe repeated frequently.

Paul Tapster and John Rarity of DERA, the DefenceEvalution and Research Agency (Malvern, England),working with Paul Townsend, were the first to test thissystem over a fiber optic spool of 10 km (Townsendet al., 1993a, 1993b). Townsend later improved the inter-ferometer by replacing Bob’s input coupler with a polar-ization splitter to suppress the lateral noninterferingpeaks (1994). In this case, it is again unfortunately nec-essary to align the polarization state of the photons atBob’s end, in addition to stabilizing the imbalance in theinterferometers. He later thoroughly investigated keyexchange with phase coding and improved the transmis-sion distance (Marand and Townsend, 1995; Townsend,1998b). He also tested the possibility of multiplexing a

34Polarization coding requires the optimization of three pa-rameters (three parameters are necessary for unitary polariza-tion control). In comparison, phase coding requires optimiza-tion of only one parameter. This is possible because thecoupling ratios of the beamsplitters are fixed. Both solutionswould be equivalent if one could limit the polarization evolu-tion to rotations of the elliptic states without changes in theellipticity.


quantum channel using two different wavelengths withconventional data transmission over a single optical fiber(Townsend, 1997a). Richard Hughes and co-workersfrom Los Alamos National Laboratory have also exten-sively tested such an interferometer (1996; Hughes, Mor-gan, and Peterson, 2000) up to distances of 48 km ofinstalled optical fiber.35

2. ‘‘Plug-and-play’’ systems

As discussed in the two previous sections, both polar-ization and phase coding require active compensation ofoptical path fluctuations. A simple approach would be toalternate between adjustment periods—when pulsescontaining large numbers of photons are exchanged be-tween Alice and Bob to adjust the compensating systemcorrecting for slow drifts in phase or polarization—andqubits transmission periods, when the number of pho-tons is reduced to a quantum level.

An approach invented in 1989 by Martinelli, then atCISE Tecnologie Innovative in Milano, allows one toautomatically and passively compensate for all polariza-tion fluctuations in an optical fiber (see also Martinelli,1992). Let us first consider what happens to the polar-ization state of a light pulse traveling through an opticalfiber, before being reflected by a Faraday mirror—a mir-ror with a l/4 Faraday rotator36 in front. We must firstdefine a convenient description of the change in polar-ization of light reflected by a mirror at normal incidence.Let the mirror be in the x-y plane and z be the opticalaxis. Clearly, all linear polarization states are unchangedby a reflection. However, right-handed circular polariza-tion is changed into left-handed and vice versa. Actually,after a reflection the rotation continues in the samesense, but since the propagation direction is reversed,right-handed and left-handed polarizations are swapped.The same holds for elliptic polarization states: the axesof the ellipse are unchanged, but right and left are ex-changed. Accordingly, on a Poincare sphere the polar-ization transformation upon reflection is described by a

35Note that in this experiment, Hughes and co-workers usedan unusually high mean number of photons per pulse. Theyused a mean photon number of approximately 0.6 in the cen-tral interference peak, corresponding to a m'1.2 in the pulsesleaving Alice. The latter value is the relevant one for eaves-dropping analysis, since Eve could use an interferometer—conceivable with present technology—in which the first cou-pler was replaced by an optical switch and that allowed her toexploit all the photons sent by Alice. In light of this high m andoptical losses (22.8 dB), one may argue that this implementa-tion was not secure, even when taking into account only so-called realistic eavesdropping strategies (see Sec. VI.I). Finally,it is possible to estimate the results that other groups wouldhave obtained if they had used a similar value of m. One thenfinds that key distribution distances of the same order couldhave been achieved. This illustrates that the distance is a some-what arbitrary figure of merit for a QC system.

36These commercially available components are extremelycompact and convenient when using telecommunicationswavelengths, which is not true for other wavelengths.


symmetry through the equatorial plane: the north andsouth hemispheres are exchanged @mW →(m1 ,m2 ,2m3)# , or in terms of the qubit state vector,

T : S c1

c2D→S c2*

c1*D . (37)

This is a simple representation, but some attention hasto be paid. This transformation is not unitary. Indeed,the above description switches from a right-handed ref-erence frame XYZ to a left-handed one XYZ , whereZ52Z . There is nothing wrong in doing this, and thisexplains the nonunitary polarization transformation.37

Note that other descriptions are possible, but they re-quire artificially breaking the XY symmetry. The mainreason for choosing this particular transformation is thatthe description of the polarization evolution in the opti-cal fiber before and after the reflection is then straight-forward. Indeed, let U5e2ivBW sW l /2 describe this evolu-tion under the effect of some modal birefringence BW in afiber section of length l (where sW is the vector whosecomponents are the Pauli matrices). Then the evolutionafter reflection is simply described by the inverse opera-tor U215eivBW sW l /2. Now that we have a description ofthe mirror, let us add the Faraday rotator. It produces ap/2 rotation of the Poincare sphere around the north-south axis: F5e2ipsz/4 (see Fig. 17). Because the Fara-day effect is nonreciprocal (remember that it is due to amagnetic field, which can be thought of as produced by aspiraling electric current), the direction of rotationaround the north-south axis is independent of the lightpropagation direction. Accordingly, after reflection onthe mirror, the second passage through the Faraday ro-tator rotates the polarization in the same direction (seeagain Fig. 17) and is described by the same operator F .Consequently, the total effect of a Faraday mirror is to

37Note that this transformation is positive, but not completelypositive. It is thus closely connected to the partial transpositionmap (Peres, 1996). If several photons are entangled, then it iscrucial to describe all of them in frames with the same chirality.Actually that this is necessary is the content of the Peres-Horodecki entanglement witness (Horodecki et al., 1996).

FIG. 17. Evolution of the polarization state of a light pulserepresented on the Poincare sphere over a round-trip propa-gation along an optical fiber terminated by a Faraday mirror.


change any incoming polarization state into its orthogo-nal state: mW →2mW . This is best seen in Fig. 17 but canalso be expressed mathematically:

FTF : S c1

c2D→S c2*

2c1*D . (38)

Finally, the whole optical fiber can be modeled as con-sisting of a discrete number of birefringent elements. Ifthere are N such elements in front of the Faraday mir-ror, the change in polarization during a round trip can beexpressed (recall that the operator FTF only changesthe sign of the corresponding Bloch vector mW 5^cusW uc&)as

U121

¯ UN21FTFUN ¯ U15FTF . (39)

The output polarization state is thus orthogonal to theinput one, regardless of any birefringence in the fibers.This approach can thus correct for time-varying birefrin-gence changes, provided that they are slow compared tothe time required for the light to make a round trip (afew hundred microseconds).

By combining this approach with time multiplexing ina long-path interferometer, it is possible to implement aquantum cryptography system based on phase coding inwhich all optical and mechanical fluctuations are auto-matically and passively compensated for (Muller et al.,1997). We performed the first experiment on such a sys-tem in early 1997 (Zbinden et al., 1997), and a key wasexchanged over a 23-km installed optical fiber cable (thesame one as was used in the polarization coding experi-ments mentioned above). This setup featured a high in-terference contrast (fringe visibility of 99.8%) and excel-lent long-term stability and clearly established the valueof the approach for QC. The fact that no optical adjust-ments were necessary earned it the nickname of ‘‘plug-and-play’’ setup. It is interesting to note that the idea ofcombining time multiplexing with Faraday mirrors wasfirst used to implement an ‘‘optical microphone’’(Breguet and Gisin, 1995).38

However, our first realization still suffered from cer-tain optical inefficiencies, and it has been improved sincethen. Like the setup tested in 1997, the new system isbased on time multiplexing, in which the interferingpulses travel along the same optical path, but now, indifferent time ordering. A schematic is shown in Fig. 18.Briefly, the general idea is that pulses emitted at Bob’send can travel along one of two paths: they can go viathe short arm, be reflected at the Faraday mirror (FM)at Alice’s end, and finally, back at Bob’s, setup travel viathe long arm. Or, they travel first via the long arm atBob’s end, get reflected at Alice’s end, and return via theshort arm of Bob’s setup. These two possibilities thensuperpose on beamsplitter C1 . We shall now explain the

38Note that since then, we have used this interferometer forvarious other applications: a nonlinear index-of-refractionmeasurement in fibers (Vinegoni, Wegmuller, and Gisin, 2000)and an optical switch (Vinegoni, Wegmuller, Huttner, and Gi-sin, 2000).


realization of this scheme in greater detail: A short andbright laser pulse is injected into the system through acirculator. It splits at a coupler. One of the half pulses,labeled P1 , propagates through the short arm of Bob’ssetup directly to a polarizing beamsplitter. The polariza-tion transformation in this arm is set so that it is fullytransmitted. P1 is then sent through the fiber optic link.The second half pulse, labeled P2 , takes the long arm tothe polarizing beamsplitter. The polarization evolution issuch that P2 is reflected. A phase modulator present inthis long arm is left inactive so that it imparts no phaseshift to the outgoing pulse. P2 is also sent through thelink, with a delay on the order of 200 ns. Both halfpulses travel to Alice. P1 goes through a coupler. Thediverted light is detected with a classical detector to pro-vide a timing signal. This detector is also important inpreventing so-called Trojan horse attacks, which are dis-cussed in Sec. VI.K. The nondiverted light then propa-gates through an attenuator and an optical delay line—consisting simply of an optical fiber spool—whose rolewill be explained later. Finally, it passes a phase modu-lator before being reflected by the Faraday mirror. P2follows the same path. Alice briefly activates her modu-lator to apply a phase shift on P1 only, in order to en-code a bit value exactly as in the traditional phase-coding scheme. The attenuator is set so that when thepulses leave Alice, they contain no more than a fractionof a photon. When they reach the polarizing beamsplit-ter after their return trip through the link, the polariza-tion state of the pulses is exactly orthogonal to what itwas when they left, thanks to the effect of the Faradaymirror. P1 is then reflected instead of being transmitted.It takes the long arm to the coupler. When it passes, Bobactivates his modulator to apply a phase shift used toimplement his basis choice. Similarly, P2 is transmittedand takes the short arm. Both pulses reach the couplerat the same time and they interfere. Single-photon de-tectors are then used to record the output port chosenby the photon.

We implemented the four full-state BB84 protocolwith this setup. The system was tested once again on thesame installed optical fiber cable linking Geneva andNyon (23 km; see Fig. 13) at 1300 nm, and we observeda very low QBERopt'1.4% (Ribordy et al., 1998, 2000).Proprietary electronics and software were developed toallow for fully automated and user-friendly operation ofthe system. Because of the intrinsically bidirectional na-ture of this system, great attention had to be paid toRayleigh backscattering. Light traveling in an optical fi-

FIG. 18. Self-aligned plug-and-play system: LD, laser diode;APD, avalanche photodiode; Ci , fiber coupler; PMj , phasemodulator; PBS, polarizing beamsplitter; DL, optical delayline; FM, Faraday mirror; DA , classical detector.


ber undergoes scattering by inhomogeneities. A smallfraction ('1%) of this light is recaptured by the fiber inthe backward direction. When the repetition rate is highenough, pulses traveling to and from Alice must inter-sect at some point along the line. Their intensity, how-ever, is strongly different. The pulses are more than athousand times brighter before than after reflectionfrom Alice. Backscattered photons can accompany aquantum pulse propagating back to Bob and inducefalse counts. We avoided this problem by making surethat pulses traveling to and from Bob are not present inthe line simultaneously. They are emitted by Bob in theform of trains. Alice stores these trains in her opticaldelay line, which consists of an optical fiber spool. Bobwaits until all the pulses of a train have reached himbefore sending the next one. Although it completelysolves the problem of Rayleigh backscattering-inducederrors, this configuration has the disadvantage of reduc-ing the effective repetition frequency. A storage line halfas long as the transmission line amounts to a reductionof the bit rate by a factor of approximately 3.

Researchers at IBM simultaneously and indepen-dently developed a similar system at 1300 nm (Bethuneand Risk, 2000). However, they avoided the problemsassociated with Rayleigh backscattering by reducing theintensity of the pulses emitted by Bob. Since these couldnot be used for synchronization purposes any longer,they added a wavelength-multiplexed classical channel(1550 nm) in the line to allow Bob and Alice to synchro-nize their systems. They tested their setup on a 10-kmoptical fiber spool. Both of these systems are equivalentand exhibit similar performances. In addition, the groupof Anders Karlsson at the Royal Institute of Technologyin Stockholm verified in 1999 that this technique alsoworks at a wavelength of 1550 nm (Bourennane et al.,1999, 2000). These experiments demonstrate the poten-tial of plug-and-play-like systems for real-world quan-tum key distribution. They certainly constitute a goodcandidate for the realization of prototypes.

Their main disadvantage with respect to the other sys-tems discussed in this section is that they are more sen-sitive to Trojan horse strategies (see Sec. VI.K). Indeed,Eve could send a probe beam and recover it through thestrong reflection by the mirror at the end of Alice’s sys-tem. To prevent such an attack, Alice adds an attenuatorto reduce the amount of light propagating through hersystem. In addition, she must monitor the incoming in-tensity using a classical linear detector. Systems based onthis approach cannot be operated with a true single-photon source and thus will not benefit from theprogress in this field.39

D. Frequency coding

Phase-based systems for QC require phase synchroni-zation and stabilization. Because of the high frequency

39The fact that the pulses make a round trip implies thatlosses are doubled, yielding a reduced counting rate.


of optical waves (approximately 200 THz at 1550 nm),this condition is difficult to fulfill. One solution is to useself-aligned systems like the plug-and-play setups dis-cussed in the previous section. Goedgebuer and his teamfrom the University of Besancon, in France, introducedan alternative solution (Sun et al., 1995; Mazurenkoet al., 1997; Merolla et al., 1999; see also Molotkov,1998). Note that the title of this section is not completelyaccurate, since the value of the qubits is coded not in thefrequency of the light, but in the relative phase betweensidebands of a central optical frequency.

Their system is depicted in Fig. 19. A source emitsshort pulses of classical monochromatic light with angu-lar frequency vS . A first phase modulator PMA modu-lates the phase of this beam with a frequency V!vS anda small modulation depth. Two sidebands are thus gen-erated at frequencies vS6V . The phase modulator isdriven by a radio-frequency oscillator RFOA whosephase FA can be varied. Finally, the beam is attenuatedso that the sidebands contain much less than one photonper pulse, while the central peak remains classical. Afterthe transmission link, the beam experiences a secondphase modulation applied by PMB . This phase modula-tor is driven by a second radio-frequency oscillatorRFOB with the same frequency V and phase FB . Theseoscillators must be synchronized. After passing throughthis device, the beam contains the original central fre-quency vS , the sidebands created by Alice, and thesidebands created by Bob. The sidebands at frequenciesvS6V are mutually coherent and thus yield interfer-ence. Bob can then record the interference pattern inthese sidebands after removal of the central frequencyand the higher-order sidebands with a spectral filter.

To implement the B92 protocol (see Sec. II.D.1), Al-ice randomly chooses the value of the phase FA foreach pulse. She associates a bit value of 0 with phase 0and a bit value of 1 with phase p. Bob also randomlychooses whether to apply a phase FB of 0 or p. One cansee that if uFA2FBu50, the interference is constructiveand Bob’s single-photon detector has a nonzero prob-ability of recording a count. This probability depends onthe number of photons initially present in the sideband,as well as on the losses induced by the channel. On theother hand, if uFA2FBu5p , interference is destructive,and no count will ever be recorded. Consequently, Bobcan infer, every time he records a count, that he appliedthe same phase as Alice. When a given pulse does notyield a detection, the reason can be that the phases ap-

FIG. 19. Implementation of sideband modulation: LD, laserdiode; A, attenuator; PMi , optical phase modulator; F j , elec-tronic phase controller; RFOk , radio frequency oscillator; FP,Fabry-Perot filter; APD, avalanche photodiode.


plied were different and destructive interference tookplace. It can also mean that the phases were actuallyequal, but the pulse was empty or the photon got lost.Bob cannot decide between these two possibilities.From a conceptual point of view, Alice sends one of twononorthogonal states. There is then no way for Bob todistinguish between them deterministically. However, hecan perform a generalized measurement, also known asa positive operator value measurement, which will some-times fail to give an answer, but at all other times givesthe correct one.

Eve could perform the same measurement as Bob.When she obtains an inconclusive result, she could justblock both the sideband and the central frequency sothat she does not have to guess a value and does not riskintroducing an error. To prevent her from doing that,Bob verifies the presence of this central frequency. Nowif Eve tries to conceal her presence by blocking only thesideband, the reference central frequency will still havea certain probability of introducing an error. It is thuspossible to catch Eve in both cases. The monitoring ofthe reference beam is essential in all two-state protocolsto reveal eavesdropping. In addition, it was shown thatthis reference-beam monitoring can be extended to thefour-state protocol (Huttner et al., 1995).

The advantage of this setup is that the interference iscontrolled by the phase of the radio-frequency oscilla-tors. Their frequency is six orders of magnitude smallerthan the optical frequency and thus considerably easierto stabilize and synchronize. It is indeed a relativelysimple task, which can be achieved by electronic means.The Besancon group performed key distribution withsuch a system. The source they used was a distributedBragg reflector (DBR) laser diode at a wavelength of1540 nm and a bandwidth of 1 MHz. It was externallymodulated to obtain 50-ns pulses, thus increasing thebandwidth to about 20 MHz. They used two identicalLiNbO3 phase modulators operating at a frequencyV/2p5300 MHz. Their spectral filter was a Fabry-Perotcavity with a finesse of 55. Its resolution was 36 MHz.They performed key distribution over a 20-km single-mode optical fiber spool, recording a QBERopt contri-bution of approximately 4%. They estimated that 2%could be attributed to the transmission of the centralfrequency by the Fabry-Perot cavity. Note also that thedetector noise was relatively high due to the long pulsedurations. Both these errors could be lowered by in-creasing the separation between the central peak andthe sidebands, allowing reduced pulse widths and henceshorter detection times and lower dark counts. Never-theless, a compromise must be found since, in additionto the technical drawbacks of high-speed modulation,the polarization transformation in an optical fiber de-pends on the wavelength. The remaining 2% of theQBERopt is due to polarization effects in the setup.

This system is another possible candidate. Its mainadvantage is that it could be used with a true single-photon source if it existed. On the other hand, the con-tribution of imperfect interference visibility to the errorrate is significantly higher than that measured with plug-


and-play systems. In addition, if this system is to be trulyindependent of polarization, it is essential to ensure thatthe phase modulators have very low polarization depen-dency. In addition, the stability of the frequency filtermay constitute a practical difficulty.

E. Free-space line-of-sight applications

Since optical fiber channels may not always be avail-able, several groups are trying to develop free-spaceline-of-sight QC systems capable, for example, of dis-tributing a key between building rooftops in an urbansetting.

Of course it may sound difficult to detect single pho-tons amidst background light, but the first experimentshave already demonstrated the feasibility of free-spaceQC. Sending photons through the atmosphere also hasadvantages, since this medium is essentially nonbirefrin-gent (see Sec. III.B.4). It is then possible to use plainpolarization coding. In addition, one can ensure veryhigh channel transmission over long distances by care-fully choosing the wavelength of the photons (see againSec. III.B.4). The atmosphere has, for example, a hightransmission ‘‘window’’ in the vicinity of 770 nm (trans-mission as high as 80% can occur between a groundstation and a satellite), which happens to be compatiblewith commercial silicon APD photon-counting modules(detection efficiency can be as high as 65% with lownoise).

The systems developed for free-space applications areactually very similar to that shown in Fig. 12. The maindifference is that the emitter and receiver are connectedby telescopes pointing at each other, instead of by anoptical fiber. The contribution of background light toerrors can be maintained at a reasonable level by using acombination of timing discrimination (coincidence win-dows of typically a few nanoseconds), spectral filtering(interference filters <1 nm), and spatial filtering (cou-pling into an optical fiber). This can be illustrated by thefollowing simple calculation. Let us suppose thatthe isotropic spectral background radiance is1022 W m22 nm21 sr21 at 800 nm. This corresponds tothe spectral radiance of a clear zenith sky with a sunelevation of 77° (Zissis and Larocca, 1978). The diver-gence u of a Gaussian beam with radius w0 is given byu5l/w0p . The product of beam (telescope) cross sec-tion and solid angle, which is a constant, is thereforepw0

2pu25l2. By multiplying the radiance by l2, oneobtains the spectral power density. With an interferencefilter of 1-nm width, the power incident on the detectoris 6310215 W, corresponding to 23104 photons per sec-ond or 231025 photons per nanosecond. This quantityis approximately two orders of magnitude larger thanthe dark-count probability of Si APD’s, but still compat-ible with the requirements of QC. The performance offree-space QC systems depends dramatically on atmo-spheric conditions and air quality. This is problematic forurban applications where pollution and aerosols degradethe transparency of air.


The first free-space QC experiment over a distanceof more than a few centimeters40 was performed by Ja-cobs and Franson in 1996. They exchanged a key over adistance of 150 m in a hallway illuminated with standardfluorescent lighting and over 75 m outdoors in brightdaylight without excessive QBER. Hughes and his teamwere the first to exchange a key over more than onekilometer under outdoor nighttime conditions (Buttleret al., 1998; Hughes, Buttler, et al., 2000). More recently,they even improved their system to reach a distance of1.6 km under daylight conditions (Buttler et al., 2000).Finally, Rarity and co-workers performed a similar ex-periment, in which they exchanged a key over a distanceof 1.9 km under nighttime conditions (Gorman et al.,2001).

Until quantum repeaters become available and allowus to overcome the distance limitation of fiber-basedQC, free-space systems seem to offer the only possibilityfor QC over distances of more than a few dozen kilome-ters. A QC link could be established between ground-based stations and a low-orbit (300–1200 km) satellite.The idea is for Alice and Bob to each exchange a key(kA and kB , respectively) with the same satellite, usingQC. Then the satellite publicly announces the value K5kA % kB , where % represents the XOR operator or,equivalently, the binary addition modulo 2 without carry.Bob subtracts his key from this value to recover Alice’skey (kA5K*kB).41 The fact that the key is known tothe satellite operator may at first be seen as a disadvan-tage. But this point might actually be conducive to thedevelopment of QC, since governments always like tocontrol communications. Although it has not yet beendemonstrated, Hughes as well as Rarity haveestimated—in view of their free-space experiments—that the difficulty can be overcome. The main difficultywould come from beam pointing—do not forget that thesatellites will move with respect to the ground—andwandering induced by turbulence. In order to minimizethe latter problem, the photons would in practice prob-ably be sent down from the satellite. Atmospheric tur-bulence is concentrated almost entirely in the first kilo-meter above the earth’s surface. Another possibile wayto compensate for beam wander is to use adaptative op-tics. Free-space QC experiments over distances of about2 km constitute a major step towards key exchangewith a satellite. According to Buttler et al. (2000), theoptical depth is indeed similar to the effective atmo-spheric thickness that would be encountered in asurface-to-satellite application.

F. Multi-user implementations

Paul Townsend and colleagues have investigated theapplication of QC over multi-user optical fiber networks

40Remember that Bennett and co-workers performed thefirst demonstration of QC over 30 cm in air (Bennett, Bessette,et al., 1992).

41This scheme could also be used with optical fiber implemen-tation provided that secure nodes existed. In the case of asatellite, one tacitly assumes that it constitutes such a securenode.


(Townsend et al., 1994; Phoenix et al., 1995; Townsend,1997b). They used a passive optical fiber network archi-tecture in which one Alice, the network manager, is con-nected to multiple network users (i.e., many Bobs; seeFig. 20). The goal is for Alice to establish a verifiablysecure and unique key with each Bob. In the classicallimit, the information transmitted by Alice is gatheredby all Bobs. However, because of their quantum behav-ior, the photons are effectively routed at the beamsplit-ter to one, and only one, of the users. Using the doubleMach-Zehnder configuration discussed above, theytested such an arrangement with three Bobs. Neverthe-less, because of the fact that QC requires a direct andlow-attenuation optical channel between Alice and Bob,the ability to implement it over large and complex net-works appears limited.

V. EXPERIMENTAL QUANTUM CRYPTOGRAPHY WITHPHOTON PAIRS

The possibility of using entangled photon pairs forquantum cryptography was first proposed by Ekert in1991. In a subsequent paper, he investigated, with otherresearchers, the feasibility of a practical system (Ekertet al., 1992). Although all tests of Bell’s inequalities (fora review see, for example, Zeilinger, 1999) can be seenas experiments in quantum cryptography, systems spe-cifically designed to meet the special requirements ofQC, like quick changes of basis, have been implementedonly recently.42 In 1999, three groups demonstratedquantum cryptography based on the properties of en-tangled photons. Their results were reported in the sameissue of Phys. Rev. Lett. (Jennewein, Simon, et al., 2000;Naik et al., 2000; Tittel et al., 2000), illustrating the rapidprogress in the still new field of quantum communica-tion.

One advantage of using photon pairs for QC is thefact that one can remove empty pulses, since the detec-

42This definition of quantum cryptography applies to the fa-mous experiment by Aspect and co-workers testing Bell’s in-equalities with time-varying analyzers (Aspect et al., 1982). QChad, however, not yet been invented. It also applies to themore recent experiments closing locality loopholes, like theone performed in Innsbruck using fast polarization modulators(Weihs et al., 1998) or the one performed in Geneva using twoanalyzers on each side (Tittel et al., 1999; Gisin and Zbinden,1999).

FIG. 20. Multi-user implementation of quantum cryptographywith one Alice connected to three Bobs by optical fibers. Thephotons sent by Alice randomly choose to go to one or theother Bob at a coupler.


tion of one photon of a pair reveals the presence of acompanion. In principle, it is thus possible to have aprobability of emitting a nonempty pulse equal to one.43

It is beneficial only because currently available single-photon detectors feature a high dark-count probability.The difficulty of always collecting both photons of a pairsomewhat reduces this advantage. One frequently hearsthat photon pairs have the advantage of avoiding multi-photon pulses, but this is not correct. For a given meanphoton number, the probability that a nonempty pulsecontains more than one photon is essentially the samefor weak pulses as for photon pairs (see Sec. III.A.2).

A second advantage is that using entangled photonspair prevents unintended information leakage in unuseddegrees of freedom (Mayers and Yao, 1998). Observinga QBER lower than approximately 15%, or equivalentlyobserving that Bell’s inequality is violated, indeed guar-antees that the photons are entangled, so that the differ-ent states are not fully distinguishable through other de-grees of freedom. A third advantage was indicatedrecently by new and elaborate eavesdropping analyses.The fact that passive state preparation can be imple-mented prevents multiphoton splitting attacks (see Sec.VI.J).

The coupling between the optical frequency and theproperty used to encode the qubit, i.e., decoherence, israther easy to master when using faint laser pulses.However, this issue is more serious when using photonpairs, because of the larger spectral width. For example,for a spectral width of 5 nm full width at half maximum(FWHM)—a typical value, equivalent to a coherencetime of 1 ps—and a fiber with a typical polarizationmode dispersion of 0.2 ps/Akm, transmission over a fewkilometers induces significant depolarization, as dis-cussed in Sec. III.B.2. In the case of polarization-entangled photons, this effect gradually destroys theircorrelation. Although it is in principle possible to com-pensate for this effect, the statistical nature of the polar-ization mode dispersion makes this impractical.44

Although perfectly fine for free-space QC (see Sec.IV.E), polarization entanglement is thus not adequatefor QC over long optical fibers. A similar effect ariseswhen dealing with energy-time-entangled photons.Here, the chromatic dispersion destroys the strong timecorrelations between the photons forming a pair. How-ever, as discussed in Sec. III.B.3, it is possible to com-pensate passively for this effect either using additionalfibers with opposite dispersion, or exploiting the inher-ent energy correlation of photon pairs.

43Photon-pair sources are often, though not always, pumpedcontinuously. In these cases, the time window determined by atrigger detector and electronics defines an effective pulse.

44In the case of weak pulses, we saw that a full round triptogether with the use of Faraday mirrors circumvents the prob-lem (see Sec. IV.C.2). However, since the channel loss on theway from the source to the Faraday mirror inevitably increasesthe fraction of empty pulses, the main advantage of photonpairs vanishes in such a configuration.


Generally speaking, entanglement-based systems arefar more complex than setups based on faint laserpulses. They will most certainly not be used in the nearfuture for the realization of industrial prototypes. In ad-dition, the current experimental key creation rates ob-tained with these systems are at least two orders of mag-nitude smaller than those obtained with faint laser pulsesetups (net rate on the order of a few tens of bits persecond, in contrast to a few thousand bits per second fora 10-km distance). Nevertheless, they offer interestingpossibilities in the context of cryptographic optical net-works. The photon-pair source can indeed be operatedby a key provider and situated somewhere in betweenpotential QC customers. In this case, the operator of thesource has no way of getting any information about thekey obtained by Alice and Bob.

It is interesting to emphasize the close analogy be-tween one- and two-photon schemes, which was firstnoted by Bennett, Brassard, and Mermin (1992). In atwo-photon scheme, when Alice detects her photon, sheeffectively prepares Bob’s photon in a given state. In theone-photon analog, Alice’s detectors are replaced bysources, while the photon-pair source between Alice andBob is bypassed. The difference between these schemeslies only in practical issues, like the spectral widths ofthe light. Alternatively, one can look at this analogyfrom a different point of view: in two-photon schemes, itis as if Alice’s photon propagates backwards in timefrom Alice to the source and then forward in time fromthe source to Bob.

A. Polarization entanglement

A first class of experiments takes advantage ofpolarization-entangled photon pairs. The setup, depictedin Fig. 21, is similar to the scheme used for polarizationcoding based on faint pulses. A two-photon source emitspairs of entangled photons flying back to back towardsAlice and Bob. Each photon is analyzed with a polariz-ing beamsplitter whose orientation with respect to acommon reference system can be changed rapidly. Theresults of two experiments were reported in the spring of2000 (Jennewein, Simon, et al., 2000; Naik et al., 2000).Both used photon pairs at a wavelength of 700 nm,which were detected with commercial single-photon de-tectors based on silicon APD’s. To create the photonpairs, both groups took advantage of parametric down-conversion in one or two b-BaB2O4 (BBO) crystals

FIG. 21. Typical system for quantum cryptography exploitingphoton pairs entangled in polarization: PR, active polarizationrotator; PBS, polarizing beamsplitter; APD, avalanche photo-diode.


FIG. 22. Principle of phase-coding quantum cryptographyusing energy-time-entangledphoton pairs.

pumped by an argon-ion laser. The analyzers consistedof fast modulators that were used to rotate the polariza-tion state of the photons, in front of polarizing beam-splitters.

The group of Anton Zeilinger, then at the Universityof Innsbruck, demonstrated such a cryptosystem, includ-ing error correction, over a distance of 360 m (Jenne-wein, Simon, et al., 2000). Inspired by a test of Bell’sinequalities performed with the same setup a year ear-lier (Weihs et al., 1998), they positioned the two-photonsource near the center between the two analyzers. Spe-cial optical fibers, designed for guiding only a singlemode at 700 nm, were used to transmit the photons tothe two analyzers. The results of the remote measure-ments were recorded locally, and the processes of keysifting and error correction were implemented at a laterstage, long after the distribution of the qubits. Two dif-ferent protocols were implemented: one based on Wig-ner’s inequality (a special form of Bell’s inequalities) andthe other based on BB84.

The group of Paul Kwiat, then at Los Alamos Na-tional Laboratory, demonstrated the Ekert protocol(Naik et al., 2000). This experiment was a table-top re-alization in which the source and the analyzers wereseparated by only a few meters. The quantum channelconsisted of a short free-space distance. In addition toperforming QC, the researchers simulated differenteavesdropping strategies. As predicted by theory, theyobserved a rise in the QBER with an increase of theinformation obtained by the eavesdropper. Moreover,they have also recently implemented the six-state proto-col described in Sec. II.D.2 and observed the predictedQBER increase to 33% (Enzer et al., 2001).

The main advantage of polarization entanglement isthat analyzers are simple and efficient. It is thereforerelatively easy to obtain high contrast. Naik and co-workers, for example, measured a polarization extinc-tion of 97%, mainly limited by electronic imperfectionsof the fast modulators. This amounts to a QBERopt con-tribution of only 1.5%. In addition, the constraint on thecoherence length of the pump laser is not very stringent(note that, if it is shorter than the length of the crystal,some difficulties can arise, but we will not go into thesehere).


In spite of their qualities, it would be difficult to re-produce these experiments over distances of more thana few kilometers of optical fiber. As mentioned in theintroduction to this section, polarization is indeed notrobust enough to avoid decoherence in optical fibers. Inaddition, the polarization state transformation inducedby an installed fiber frequently fluctuates, making an ac-tive alignment system absolutely necessary. Neverthe-less, these experiments are very interesting in the con-text of free-space QC.

B. Energy-time entanglement

1. Phase coding

Another class of experiments takes advantage ofenergy-time-entangled photon pairs. The idea originatesfrom an arrangement proposed by Franson in 1989 totest Bell’s inequalities. As we shall see below, it is com-parable to the double Mach-Zehnder configuration dis-cussed in Sec. IV.C.1. A source emits pairs of energy-correlated photons, that were created at exactly thesame (unknown) time (see Fig. 22). This can be achievedby pumping a nonlinear crystal with a pump of long co-herence time. The pairs of downconverted photons arethen split, and one photon is sent to each party downquantum channels. Both Alice and Bob possess a widelybut identically unbalanced Mach-Zehnder interferom-eter, with photon-counting detectors connected to theoutputs. Locally, if Alice or Bob change the phase oftheir interferometer, no effect on the count rates is ob-served, since the imbalance prevents any single-photoninterference. Looking at the detection time at Bob’s endwith respect to the arrival time at Alice’s end, three dif-ferent values are possible for each combination of detec-tors. The different possibilities in a time spectrum areshown in Fig. 22. First, both photons can propagatethrough the short arms of the interferometers. Second,one can take the long arm at Alice’s end, while the otherone takes the short one at Bob’s, or vice versa. Finally,both photons can propagate through the long arms.When the path differences of the interferometers arematched to within a fraction of the coherence length ofthe downconverted photons, the short-short and the


long-long processes are indistinguishable, provided thatthe coherence length of the pump photon is larger thanthe path-length difference. Conditioning detectiononly on the central time peak, one observes two-photon interferences—nonlocal quantum correlations(Franson, 1989)45—that depend on the sum of the rela-tive phases in Alice’s and Bob’s interferometers (see Fig.22). The phases of Alice’s and Bob’s interferometers can,for example, be adjusted so that both photons alwaysemerge from the same output port. It is then possible toexchange bits by associating values with the two ports.This, however, is insufficient. A second measurement ba-sis must be implemented to ensure security againsteavesdropping attempts. This measurement can bemade, for example, by adding a second interferometerto the systems (see Fig. 23). In this case, when reachingan analyzer, a photon chooses randomly to go to one orthe other interferometer. The second set of interferom-eters can also be adjusted to yield perfect correlationsbetween output ports. The relative phases between theirarms should, however, be chosen so that when the pho-tons go to interferometers that are not associated witheach other, the outcomes are completely uncorrelated.

Such a system features passive state preparation byAlice, yielding security against multiphoton splitting at-tacks (see Sec. VI.J). In addition, it also features a pas-sive basis choice by Bob, which constitutes an elegantsolution: neither a random-number generator nor an ac-tive modulator are necessary. It is nevertheless clear thatQBERdet and QBERacc [defined in Eq. (33)] aredoubled, since the number of activated detectors is twiceas high. This disadvantage is not as important as it firstappears, since the alternative, a fast modulator, intro-duces losses close to 3 dB, also resulting in an increaseof these error contributions. The striking similarity be-tween this scheme and the double Mach-Zehnder ar-rangement discussed in the context of faint laser pulsesin Sec. IV.C.1 is obvious when one compares Figs. 24and 16.

This scheme was realized in the first half of 2000 byour group at the University of Geneva (Ribordy et al.,

45The imbalance of the interferometers must be large enoughso that the middle peak can easily be distinguished from thesatellite ones. This minimal imbalance is determined by theconvolution of the detector’s jitter (tens of picoseconds), theelectronic jitter (from tens to hundreds of picoseconds), andthe single-photon coherence time (,1 ps).

FIG. 23. System for quantum cryptography based on phase-coding entanglement: APD, avalanche photodiode. The pho-tons choose their bases randomly at Alice and Bob’s couplers.


2001). It was the first experiment in which an asymmet-ric setup optimized for QC was used instead of a systemdesigned for tests of Bell’s inequality, with a source lo-cated midway between Alice and Bob (see Fig. 25). Thetwo-photon source (a KNbO3 crystal pumped by adoubled Nd-YAG laser) provided energy-time-entangled photons at nondegenerate wavelengths—oneat around 810 nm, the other centered at 1550 nm. Thischoice allowed the use of high-efficiency silicon-basedsingle-photon counters featuring low noise to detect thephotons of the lower wavelength. To avoid the hightransmission losses at this wavelength in optical fibers,the distance between the source and the correspondinganalyzer was very short, of the order of a few meters.The other photon, at the wavelength where fiber lossesare minimal, was sent via an optical fiber to Bob’s inter-ferometer and then detected by InGaAs APD’s. The de-coherence induced by chromatic dispersion was limitedby the use of dispersion-shifted optical fibers (see Sec.III.B.3).

Implementing the BB84 protocol in the manner dis-cussed above, with a total of four interferometers, is dif-ficult. Indeed, they must be aligned and their relativephase kept accurately stable during the whole key distri-bution session. To simplify this problem, we devisedbirefringent interferometers with polarization multiplex-ing of the two bases. Consequently the constraint on thestability of the interferometers was equivalent to thatencountered in the faint-pulse double Mach-Zehndersystem. We obtained interference visibilities typically of92%, yielding in turn a QBERopt contribution of about4%. We demonstrated QC over a transmission distanceof 8.5 km in a laboratory setting using a fiber on a spooland generated several megabits of key in hour-long ses-

FIG. 24. Quantum cryptography system exploiting photons en-tangled in energy-time and active basis choice. Note the simi-larity to the faint-laser double Mach-Zehnder implementationdepicted in Fig. 16.

FIG. 25. Schematic diagram of the first system designed andoptimized for long-distance quantum cryptography and ex-ploiting phase coding of entangled photons.


sions. This is the longest span realized to date for QCwith photon pairs.

As already mentioned, it is essential for this scheme tohave a pump laser whose coherence length is longerthan the path imbalance of the interferometers. In addi-tion, its wavelength must remain stable during a key ex-change session. These requirements imply that the pumplaser must be somewhat more elaborate than in the caseof polarization entanglement.

2. Phase-time coding

We have mentioned in Sec. IV.C that states generatedby two-path interferometers are two-level quantum sys-tems. They can also be represented on a Poincaresphere. The four states used for phase coding in the pre-vious section would lie equally distributed on the equa-tor of the sphere. The coupling ratio of the beamsplitteris 50%, and a phase difference is introduced betweenthe components propagating through either arm. Inprinciple, the four-state protocol can be equally wellimplemented with only two states on the equator andtwo others on the poles. In this section, we present asystem exploiting such a set of states. Proposed by ourgroup in 1999 (Brendel et al., 1999), the scheme followsin principle the Franson configuration described in thecontext of phase coding. However, it is based on apulsed source emitting entangled photons in so-calledenergy-time Bell states (Tittel et al., 2000). The emissiontime of the photon pair is therefore given by a superpo-sition of only two discrete terms, instead of by a wideand continuous range bounded only by the long coher-ence length of the pump laser (see Sec. V.B.1).

Consider Fig. 26. If Alice registers the arrival times ofthe photons with respect to the emission time of thepump pulse t0 , she finds the photons in one of threetime slots (note that she has two detectors to take intoaccount). For instance, detection of a photon in the firstslot corresponds to the pump photon’s having traveledvia the short arm and the downconverted photon’s hav-ing traveled via the short arm. To keep it simple, werefer to this process as us&P ,us&A , where P stands for the

FIG. 26. Schematics of quantum cryptography usingentangled-photon phase-time coding.


pump and A for Alice’s photon.46 However, the charac-terization of the complete photon pair is still ambiguous,since, at this point, the path of the photon that has trav-eled to Bob (short or long in his interferometer) is un-known to Alice. Figure 26 illustrates all processes lead-ing to a detection in the different time slots both atAlice’s and at Bob’s detector. Obviously, this reasoningholds for any combination of two detectors. In order tobuild up the secret key, Alice and Bob now publiclyagree about the events when both detected a photon inone of the satellite peaks—without revealing in whichone—or both in the central peak—without revealing inwhich detector. This procedure corresponds to key sift-ing. For instance, in the example discussed above, if Bobtells Alice that he has detected his photon in a satellitepeak, she knows that it must have been the left peak.This is because the pump photon has traveled via theshort arm, hence Bob can detect his photon either in theleft satellite or in the central peak. The same holds forBob, who now knows that Alice’s photon traveled viathe short arm in her interferometer. Therefore, in thecase of joint detection in a satellite peak, Alice and Bobmust have correlated detection times. Assigning a bitvalue to each side peak, Alice and Bob can exchange asequence of correlated bits.

The cases where both find the photon in the centraltime slot are used to implement the second basis. Theycorrespond to the us&P ,ul&Aul&B and ul&P ,us&Aus&B possi-bilities. If these are indistinguishable, one obtains two-photon interferences, exactly as in the case discussed inthe previous section on phase coding. Adjusting thephases and keeping them stable, one can use the perfectcorrelations between output ports chosen by the pho-tons at Alice’s and Bob’s interferometers to establish thekey bits in this second basis.

Phase-time coding has recently been implemented in alaboratory experiment by our group (Tittel et al., 2000)and was reported at the same time as the two polariza-tion entanglement-based schemes mentioned above. Acontrast of approximately 93% was obtained, yielding aQBERopt contribution of 3.5%, similar to that obtainedwith the phase-coding scheme. This experiment will berepeated over long distances, since losses in optical fi-bers are low at the downconverted photon wavelength(1300 nm).

An advantage of this setup is that coding in the timebasis is particularly stable. In addition, the coherencelength of the pump laser is no longer critical. However, itis necessary to use relatively short pulses ('500 ps)powerful enough to induce a significant downconversionprobability.

Phase-time coding, as discussed in this section,can also be realized with faint laser pulses (Bechmann-Pasquinucci and Tittel, 2000). The one-photon configu-ration has so far never been realized. It would be similarto the double Mach-Zehnder setup discussed in Sec.IV.C.1, but with the first coupler replaced by an active

46Note that it does not constitute a product state.


switch. For the time basis, Alice would set the switcheither to full transmission or to full reflection, while forthe energy basis she would set it at 50%. This illustrateshow research on photon pairs can yield advances onfaint-pulse systems.

3. Quantum secret sharing

In addition to QC using phase-time coding, we usedthe setup depicted in Fig. 26 for the first proof-of-principle demonstration of quantum secret sharing—thegeneralization of quantum key distribution to more thantwo parties (Tittel et al., 2001). In this new application ofquantum communication, Alice distributes a secret keyto two other users, Bob and Charlie, in such a way thatneither Bob nor Charlie alone has any informationabout the key, but together they have full information.As in traditional QC, an eavesdropper trying to getsome information about the key creates errors in thetransmission data and thus reveals her presence. Themotivation behind quantum secret sharing is to guaran-tee that Bob and Charlie cooperate—one of them mightbe dishonest—in order to obtain a given piece of infor-mation. In contrast with previous proposals using three-particle Greenberger-Horne-Zeilinger states (Zukowskiet al., 1998; Hillery et al., 1999), pairs of entangled pho-tons in so-called energy-time Bell states were used tomimic the necessary quantum correlation of three en-tangled qubits, although only two photons exist at thesame time. This is possible because of the symmetry be-tween the preparation device acting on the pump pulseand the devices analyzing the downconverted photons.Therefore the emission of a pump pulse can be consid-ered as the detection of a photon with 100% efficiency,and the scheme features a much higher coincidence ratethan that expected with the initially proposed ‘‘triple-photon’’ schemes.

VI. EAVESDROPPING

A. Problems and objectives

After the qubit exchange and basis reconciliation, Al-ice and Bob each have a sifted key. Ideally, these keysare identical. But in real life, there are always some er-rors, and Alice and Bob must apply some classical infor-mation processing protocols, like error correction andprivacy amplification to their data (see Sec. II.C.4). Thefirst protocol is necessary to obtain identical keys andthe second to obtain a secret key. Essentially, the prob-lem of eavesdropping is to find protocols which, giventhat Alice and Bob can only measure the QBER, eitherprovide Alice and Bob with a verifiably secure key orstop the protocol and inform the users that the key dis-tribution has failed. This is a delicate problem at theintersection of quantum physics and information theory.Actually, it comprises several eavesdropping problems,depending on the precise protocol, the degree of ideali-zation one admits, the technological power one assumesEve has, and the assumed fidelity of Alice and Bob’sequipment. Let us immediately stress that a complete


analysis of eavesdropping on a quantum channel has yetto be achieved. In this section we review some of theproblems and solutions, without any claim for math-ematical rigor or complete coverage of the huge andrapidly evolving literature.

The general objective of eavesdropping analysis is tofind ultimate and practical proofs of security for somequantum cryptosystems. ‘‘Ultimate proofs’’ guaranteesecurity against entire classes of eavesdropping attacks,even if Eve uses not only the best of today’s technology,but any conceivable future technology. These proofstake the form of theorems, with clearly stated assump-tions expressed in mathematical terms. In contrast, prac-tical proofs deal with some actual pieces of hardwareand software. There is thus a tension between ‘‘ulti-mate’’ and ‘‘practical’’ proofs. Indeed, the former favorgeneral abstract assumptions, whereas the latter concen-trate on physical implementations. Nevertheless, it isworth finding such proofs. In addition to the securityissue, they provide illuminating lessons for our generalunderstanding of quantum information.

In the ideal game Eve has perfect technology: she islimited only by the laws of quantum mechanics, but notat all by current technology.47 In particular, Eve cannotclone qubits, as this is incompatible with quantum dy-namics (see Sec. II.C.2), but she is free to use any uni-tary interaction between one or several qubits and anauxiliary system of her choice. Moreover, after the inter-action, Eve may keep her auxiliary system unperturbed,in complete isolation from the environment, for an arbi-trarily long time. Finally, after listening to all the publicdiscussion between Alice and Bob, she can perform themeasurement of her choice on her system, being againlimited only by the laws of quantum mechanics. Oneassumes further that all errors are due to Eve. It istempting to assume that some errors are due to Alice’sand Bob’s instruments, and this probably makes sense inpractice. However, there is the danger of Eve’s replacingthem with higher-quality instruments (see the next sec-tion).

In the next section we elaborate on the most relevantdifferences between the above ideal game (ideal espe-cially from Eve’s point of view) and real systems. Next,we return to the idealized situation and present severaleavesdropping strategies, starting from the simplest, inwhich explicit formulas can be written down, and endingwith a general abstract security proof. Finally, we discusspractical eavesdropping attacks and comment on thecomplexity of a real system’s security.

B. Idealized versus real implementation

Alice and Bob use the technology available today.This trivial remark has several implications. First, all

47The question of whether QC would survive the discovery ofthe currently unknown validity limits of quantum mechanics isinteresting. Let us argue that it is likely that quantum mechan-ics will always adequately describe photons at telecommunica-tions and visible wavelengths, just as classical mechanics willalways adequately describe the fall of apples, whatever thefuture of physics may be.


real components are imperfect, so that the qubits are notprepared and detected in the exact basis described bythe theory. Moreover, a real source always has a finiteprobability of producing more than one photon. De-pending on the details of the encoding device, all pho-tons carry the same qubit (see Sec. VI.J). Hence, in prin-ciple, Eve could measure the photon number withoutperturbing the qubit. This scenario is discussed in Sec.VI.H. Recall that, ideally, Alice should emit single-qubitphotons, i.e., each logical qubit should be encoded in asingle degree of freedom of a single photon.

On Bob’s side the efficiency of his detectors is quitelimited and the dark counts (spontaneous counts notproduced by photons) are non-negligible. The limitedefficiency is analogous to the losses in the quantumchannel. The analysis of the dark counts is more deli-cate, and no complete solution is known. Conservatively,Lutkenhaus (2000) assumes in his analysis that all darkcounts provide information to Eve. He also advises that,whenever two detectors fire simultaneously (generallydue to a real photon and a dark count), Bob should notdisregard such events but should choose a value at ran-dom. Note also that the different contributions of darkcounts to the total QBER depend on whether Bob’schoice of basis is implemented using an active or a pas-sive switch (see Sec. IV.A).

Next, one usually assumes that Alice and Bob havethoroughly checked their equipment and that it is func-tioning according to specifications. This assumption isnot unique to quantum cryptography but is critical, asEve could be the actual manufacturer of the equipment.Classical cryptosystems must also be carefully tested,like any commercial apparatus. Testing a cryptosystem istricky, however, because in cryptography the client buysconfidence and security, two qualities difficult to quan-tify. Mayers and Yao (1998) proposed using Bell’s in-equality to test whether the equipment really obeysquantum mechanics, but even this is not entirely satis-factory. Interestingly, one of the most subtle loopholes inall present-day tests of Bell’s inequality, the detectionloophole, can be exploited to produce purely classicalsoftware mimicking all quantum correlations (Gisin andGisin, 1999). This illustrates once again the close con-nection between practical issues in QC and philosophi-cal debates about the foundations of quantum physics.

Finally, one must assume that Alice and Bob are per-fectly isolated from Eve. Without such an assumptionthe entire game would be meaningless: clearly, Eve isnot allowed to look over Alice’s shoulder. However, thiselementary assumption is again nontrivial. What if Eveuses the quantum channel connecting Alice to the out-side world? Ideally, the channel should incorporate anisolator48 to keep Eve from shining light into Alice’s out-put port to examine the interior of her laboratory. Sinceall isolators operate only on a finite bandwidth, thereshould also be a filter, but filters have only a finite effi-

48Optical isolators, based on the Faraday effect, let light passthrough in only one direction.


ciency, and so on. Except for Sec. VI.K, in which thisassumption is discussed, we shall henceforth assume thatAlice and Bob are isolated from Eve.

C. Individual, joint, and collective attacks

In order to simplify the problem, several eavesdrop-ping strategies of limited generality have been defined(Lutkenhaus, 1996; Biham and Mor, 1997a, 1997b) andanalyzed. Of particular interest is the assumption thatEve attaches independent probes to each qubit andmeasures her probes one after the other. This class ofattack is called the individual attack, or incoherent at-tack. This important class is analyzed in Secs. VI.D andVI.E. Two other classes of eavesdropping strategies letEve process several qubits coherently, hence the namecoherent attacks. The most general coherent attacks arecalled joint attacks, while an intermediate class assumesthat Eve attaches one probe per qubit, as in individualattacks, but can measure several probes coherently, as incoherent attacks. This intermediate class is called thecollective attack. It is not known whether this class is lessefficient than the most general class, that of joint attacks.It is also not known whether it is more efficient than thesimpler individual attacks. Actually, it is not even knownwhether joint attacks are more efficient than individualones.

For joint and collective attacks, the usual assumptionis that Eve measures her probe only after Alice and Bobhave completed all public discussion about basis recon-ciliation, error correction, and privacy amplification. Forthe more realistic individual attacks, one assumes thatEve waits only until the basis reconciliation phase of thepublic discussion.49 The motivation for this assumptionis that one hardly sees what Eve could gain by waitinguntil after the public discussion on error correction andprivacy amplification before measuring her probes, sinceshe is going to measure them independently anyway.

Individual attacks have the nice feature that the prob-lem can be entirely translated into a classical one: Alice,Bob, and Eve all have classical information in the formof random variables a, b, and e, respectively, and thelaws of quantum mechanics impose constraints on thejoint probability distribution P(a ,b ,e). Such classicalscenarios have been widely studied by the classical cryp-tology community, and many of their results can thus bedirectly applied.

D. Simple individual attacks: Intercept-resend andmeasurement in the intermediate basis

The simplest attack for Eve consists in intercepting allphotons individually, measuring them in a basis chosenrandomly between the two bases used by Alice, andsending new photons to Bob prepared according to her

49With today’s technology, it might even be fair to assumethat in individual attacks Eve must measure her probe beforethe basis reconciliation.


result. As presented in Sec. II.C.3 and assuming that theBB84 protocol is used, Eve thus gets 0.5 bits of informa-tion per bit in the sifted key, for an induced QBER of25%. Let us illustrate the general formalism with thissimple example. Eve’s mean information gain on Alice’sbit, I(a ,e), equals their relative entropy decrease:

I~a ,e!5Ha priori2Ha posteriori , (40)

i.e., I(a ,b) is the number of bits one can save by writinga when knowing b. Since the a priori probability forAlice’s bit is uniform, Ha priori51. The a posteriori en-tropy has to be averaged over all possible results r thatEve might get:

Ha posteriori5(r

P~r !H~ iur !, (41)

H~ iur !52(i

P~ iur !log2@P~ iur !# , (42)

where the a posteriori probability of bit i , given Eve’sresult r , is given by Bayes’s theorem:

P~ iur !5P~rui !P~ i !

P~r !, (43)

with P(r)5( iP(rui)P(i). In the case of intercept re-send, Eve gets one out of four possible results: rP$↑ ,↓ ,← ,→%. After the basis has been revealed, Alice’sinput assumes one of two values: iP$↑ ,↓% (assuming the↑↓ basis was used, the other case is completely analo-gous). One gets P(i5↑ur5↑)51, P(i5↑ur5→)5 1

2 ,and P(r)5 1

2 . Hence, I(a ,e)512 12 h(1)2 1

2 h( 12 )512 1

2

5 12 [with h(p)5p log2(p)1(12p)log2(12p)].Another strategy for Eve, no more difficult to imple-

ment, consists in measuring the photons in the interme-diate basis (see Fig. 27), also known as the Breidbartbasis (Bennett, Bessette, et al., 1992). In this case theprobability that Eve guesses the correct bit value is p5cos(p/8)25 1

2 1&/4 '0.854, corresponding to aQBER52p(12p)525% and a Shannon informationgain per bit of

I512H~p !'0.399. (44)

FIG. 27. Poincare representation of the BB84 states and theintermediate basis, also known as the Breidbart basis, that canbe used by Eve.


Consequently, this strategy is less advantageous for Evethan the intercept-resend strategy. Note however, thatwith this strategy Eve’s probability of guessing the cor-rect bit value is 85%, compared to only 75% in theintercept-resend case. This is possible because in the lat-ter case, Eve’s information is deterministic in half thecases, while in the former Eve’s information is alwaysprobabilistic (formally, this results from the convexity ofthe entropy function).

E. Symmetric individual attacks

In this section we present in some detail how Evecould get the maximum Shannon information for a fixedQBER, assuming a perfect single-qubit source and re-stricting Eve to attacks on one qubit after the other (i.e.,individual attacks). The motivation is that this idealizedsituation is rather simple to treat and nicely illustratesseveral of the subtleties of the subject. Here we concen-trate on the BB84 four-state protocol; for related resultson the two-state and six-state protocols, see Fuchs andPeres (1996) and Bechmann-Pasquinucci and Gisin(1999), respectively.

The general idea of eavesdropping on a quantumchannel is as follows. When a qubit propagates from Al-ice to Bob, Eve can let a system of her choice, called aprobe, interact with the qubit (see Fig. 28). She canfreely choose the probe and its initial state, but the sys-tem must obey the rules of quantum mechanics (i.e., bedescribed in some Hilbert space). Eve can also choosethe interaction, but it should be independent of the qu-bit state, and she should obey the laws of quantum me-chanics; i.e., her interaction must be described by a uni-tary operator. After the interaction a qubit has to go toBob (in Sec. VI.H we consider lossy channels, so thatBob does not always expect a qubit, a fact that Eve cantake advantage of). It makes no difference whether thisqubit is the original one (possibly in a modified state).Indeed, the question does not even make sense, since aqubit is nothing but a qubit. However, in the formalismit is convenient to use the same Hilbert space for thequbit sent by Alice as for the qubit received by Bob (thisis no loss of generality, since the swap operator—definedby c ^ f→f ^ c for all c,f—is unitary and could be ap-pended to Eve’s interaction).

FIG. 28. Eavesdropping on a quantum channel. Eve extractsinformation from the quantum channel between Alice andBob at the cost of introducing noise into that channel.


Let HEve and C2^ HEve be the Hilbert spaces of Eve’s

probe and of the total qubit1probe system, respectively.If umW & , u0&, and U denote the qubit’s and the probe’sinitial states and the unitary interaction, respectively,then the state of the qubit received by Bob is given bythe density matrix obtained by tracing out Eve’s probe:

rBob~mW !5TrHEve~UumW ,0&^mW ,0uU†!. (45)

The symmetry of the BB84 protocol makes it very natu-ral to assume that Bob’s state is related to Alice’s umW & bya simple shrinking factor50 hP@0,1# (see Fig. 29):

rBob~mW !511hmW sW

2. (46)

Eavesdropping attacks that satisfy the above conditionare called symmetric-attacks.

Since the qubit state space is two dimensional, theunitary operator is entirely determined by its action ontwo states, for example, the u↑& and u↓& states (in thissection we use spin-1

2 notation for the qubits). After theunitary interaction, it is convenient to write the states inthe Schmidt form (Peres, 1997):

Uu↑ ,0&5u↑& ^ f↑1u↓& ^ u↑ , (47)

Uu↓ ,0&5u↓& ^ f↓1u↑& ^ u↓ , (48)

where the four states f↑ , f↓ , u↑ , and u↓ belong to theHilbert space of Eve’s probe HEve and satisfy f↑'u↑ andf↓'u↓ . By symmetry uf↑u25uf↓u2[F and uu↑u25uu↓u2

[D. Unitarity imposes F1D51 and

50Fuchs and Peres were the first to derive the result presentedin this section, using numerical optimization. Almost simulta-neously, it was derived by Robert Griffiths and his studentChi-Sheng Niu under very general conditions, and by NicolasGisin using the symmetry argument presented here. These fiveauthors joined forces to produce a single paper (Fuchs et al.,1997). The result of this section is thus also valid without thissymmetry assumption.

FIG. 29. Poincare representation of BB84 states in the eventof a symmetrical attack. The state received by Bob after theinteraction of Eve’s probe is related to the one sent by Alice bya simple shrinking factor. When the unitary operator U en-tangles the qubit and Eve’s probe, Bob’s state [Eq. (46)] ismixed and is represented by a point inside the Poincaresphere.


^f↑uu↓&1û↑uf↓&50. (49)

The f’s correspond to Eve’s state when Bob receives thequbit undisturbed, while the u’s are Eve’s state when thequbit is disturbed.

Let us emphasize that this is the most general unitaryinteraction satisfying Eq. (46). One finds that the shrink-ing factor is given by h5F2D. Accordingly, if Alicesends u↑& and Bob measures it in the compatible basis,then ^↑urBob(mW )u↑&5F is the probability that Bob getsthe correct result. Hence F is the fidelity and D theQBER.

Note that only four states span Eve’s relevant statespace. Hence Eve’s effective Hilbert space is at mostfour dimensional, no matter how subtle she might be.51

This greatly simplifies the analysis.Symmetry requires that the attack on the other basis

satisfy

Uu→ ,0&5Uu↑ ,0&1u↓ ,0&

&(50)

51

&~ u↑& ^ f↑1u↓& ^ u↑ (51)

1u↓& ^ f↓1u↑& ^ u↓) (52)

5u→& ^ f→1u←& ^ u→ , (53)

where

f→512

~f↑1u↑1f↓1u↓!, (54)

u→512

~f↑2u↑2f↓1u↓!. (55)

Similarly,

f←512

~f↑2u↑1f↓2u↓!, (56)

u←512

~f↑1u↑2f↓2u↓!. (57)

Condition (46) for the $u→&,u←&% basis implies thatu→'f→ and u←'f← . By proper choice of the phases,^f↑uu↓& can be made real. By condition (49), û↑uf↓& isthen also real. Symmetry implies that û→uf←&PRe. Astraightforward computation concludes that all scalarproducts among Eve’s states are real and that the f’sgenerate a subspace orthogonal to the u’s:

^f↑uu↓&5^f↓uu↑&50. (58)

Finally, using uf→u25F, i.e., that the shrinking is thesame for all states, one obtains a relation between theprobe states’ overlap and the fidelity:

51Actually, Niu and Griffiths (1999) showed that two-dimensional probes suffice for Eve to get as much informationas with the strategy presented here, though in their case theattack is not symmetric (one basis is more disturbed than theother).


F511û↑uu↓&

22^f↑uf↓&1û↑uu↓&, (59)

where the hats denote normalized states, e.g., f↑5f↑D21/2.

Consequently the entire class of symmetric individualattacks depends only on two real parameters:52 cos(x)[^f↑uf↓& and cos(y)[û↑uu↓&.

Thanks to symmetry, it suffices to analyze this sce-nario for the case when Alice sends the u↑& state andBob measures in the $↑ ,↓% basis (if not, Alice, Bob, andEve disregard the data). Since Eve knows the basis, sheknows that her probe is in one of the following twomixed states:

rEve~↑ !5FP~f↑!1DP~u↑!, (60)

rEve~↓ !5FP~f↓!1DP~u↓!. (61)

An optimum measurement strategy for Eve to distin-guish between rEve(↑) and rEve(↓) consists in first de-termining whether her state is in the subspace generatedby f↑ and f↓ or the one generated by u↑ and u↓ . This ispossible, since the two subspaces are mutually orthogo-nal. Eve must then distinguish between two pure stateswith an overlap of either cos x or cos y. The first alterna-tive occurs with probability F, the second with probabil-ity D. The optimal measurement distinguishing twostates with overlap cos x is known to provide Eve withthe correct guess with probability @11sin(x)#/2 (Peres,1997). Eve’s maximal Shannon information, attainedwhen she performs the optimal measurements, is thusgiven by

I~a ,e!5F•F12hS 11sin x

2 D G1D•F12hS 11sin y

2 D G , (62)

where h(p)52p log2(p)2(12p)log2(12p). For a givenerror rate D, this information is maximal when x5y .Consequently, for D5 @12cos(x)#/2, one obtains:

Imax~a ,e!512hS 11sin x

2 D . (63)

This provides the explicit and analytic optimum eaves-dropping strategy. For x50 the QBER (i.e., D) and theinformation gain are both zero. For x5p/2 the QBER is12 and the information gain 1. For small QBER’s, theinformation gain grows linearly:

Imax~a ,e!52

ln 2D1O~D!2'2.9D. (64)

52Interestingly, when the symmetry is extended to a thirdmaximally conjugated basis, as is natural in the six-state pro-tocol of Sec. II.D.2, the number of parameters reduces to one.This parameter measures the relative quality of Bob’s andEve’s ‘‘copy’’ of the qubit sent by Alice. When both copies areof equal quality, one recovers the optimal cloning presented inSec. II.F (Bechmann-Pasquinucci and Gisin, 1999).


Once Alice, Bob, and Eve have measured their quan-tum systems, they are left with classical random vari-ables a, b, and e, respectively. Secret-key agreement be-tween Alice and Bob is then possible using only errorcorrection and privacy amplification if and only if theAlice-Bob mutual Shannon information I(a ,b) isgreater than the Alice-Eve or the Bob-Eve mutualinformation,53 I(a ,b).I(a ,e) or I(a ,b).I(b ,e). It isthus interesting to compare Eve’s maximal information[Eq. (64)] with Bob’s Shannon information. The latterdepends only on the error rate D:

I~a ,b!512h~D! (65)

511D log2~D!1~12D!log2~12D!. (66)

Bob’s and Eve’s information are plotted in Fig. 30. Asexpected, for low error rates D, Bob’s information isgreater. But, more errors provide Eve with more infor-

53Note, however, that if this condition is not satisfied, otherprotocols might sometimes be used; see Sec. II.C.5. These pro-tocols are significantly less efficient and are usually not consid-ered as part of ‘‘standard’’ QC. Note also that, in the scenarioanalyzed in this section, I(b ,e)5I(a ,e).

FIG. 30. Eve’s and Bob’s information vs the QBER, here plot-ted for incoherent eavesdropping on the four-state protocol.For QBER’s below QBER0 , Bob has more information thanEve, and secret-key agreement can be achieved using classicalerror correction and privacy amplification, which can, in prin-ciple, be implemented using only one-way communication.The secret-key rate can be as large as the information differ-ences. For QBER’s above QBER0 ([D0), Bob has a disad-vantage with respect to Eve. Nevertheless, Alice and Bob canapply quantum privacy amplification up to the QBER corre-sponding to the intercept-resend eavesdropping strategies (IR4and IR6 for the four-state and six-state protocols, respectively).Alternatively, they can apply a classical protocol called advan-tage distillation, which is effective up to precisely the samemaximal QBER IR4 and IR6 . Both the quantum and the clas-sical protocols require two-way communication. Note that forthe eavesdropping strategy that will be optimal, from EveShannon point of view, on the four-state protocol, QBER0should correspond precisely to the noise threshold abovewhich a Bell’s inequality can no longer be violated.


mation, while decreasing Bob’s information. Hence bothinformation curves cross at a specific error rate D0 :

I~a ,b!5Imax~a ,e!⇔D5D0[121/&

2'15%. (67)

Consequently the security criterion against individual at-tacks for the BB84 protocol is

BB84 secure⇔D,D0[121/&

2. (68)

For QBER’s greater than D0 , no (one-way communi-cation) error correction and privacy amplification proto-col can provide Alice and Bob with a secret key that isimmune to any individual attacks.

Let us mention that there exists a class of more gen-eral classical protocols, called advantage distillation (Sec.II.C.5), which uses two-way communication. These pro-tocols can guarantee secrecy if and only if Eve’s inter-vention does not disentangle Alice and Bob’s qubits (as-suming they use the Ekert version of the BB84 protocol;Gisin and Wolf, 2000). If Eve optimizes her Shannoninformation as discussed in this section, this disentangle-ment limit corresponds to a QBER5121/&'30% (Gi-sin and Wolf, 1999). However, using more brutal strate-gies, Eve can disentangle Alice and Bob’s qubits for aQBER of 25%; see Fig. 30. The latter is thus the abso-lute upper limit, taking into account the most generalsecret-key protocols. In practice, the limit (67) is morerealistic, since advantage distillation algorithms aremuch less efficient than classical privacy amplificationalgorithms.

F. Connection to Bell’s inequality

There is an intriguing connection between the tight-bound [Eq. (68)] and the Clauser-Horne-Shimony-Holt(CHSH) form of Bell’s inequality (Bell, 1964; Clauseret al., 1969; Clauser and Shimony, 1978; Zeilinger, 1999):

S[E~a !1E~a ,b8!1E~a8,b !2E~a8,b8!<2. (69)

Here E(a ,b) is the correlation between Alice and Bob’sdata when measuring sa ^ 1 and 1^ sb , where sa de-notes an observable with eigenvalues 61 parametrizedby the label a . Recall that Bell’s inequalities are neces-sarily satisfied by all local models but are violated byquantum mechanics.54 To establish this connection, as-sume that the same quantum channel is used to testBell’s inequality. It is well known that, for error-freechannels, a maximal violation by a factor & is achiev-able: Smax52&.2. However, if the channel is imperfect,

54Let us stress that the CHSH-Bell’s inequality is the stron-gest possible for two qubits. Indeed, this inequality is violatedif and only if the correlation cannot be reproduced by a localhidden-variable model (Pitowski, 1989).


or equivalently if some perturbing Eve acts on the chan-nel, then the quantum correlation E(a ,buD) is reduced:

E~a ,buD!5F•E~a ,b !2D•E~a ,b ! (70)

5~122D!•E~a ,b !, (71)

where E(a ,b) denotes the correlation for the unper-turbed channel. The achievable amount of violation isthen reduced to Smax(D)5(122D)2& , and for largeperturbations no violation at all can be achieved. Inter-estingly, the critical perturbation D up to which a viola-tion can be observed is precisely the same D0 as the limitderived in the previous section for the security of theBB84 protocol:

Smax~D!.2⇔D,D0[121/&

2. (72)

This is a surprising and appealing connection betweenthe security of QC and tests of quantum nonlocality.One could argue that this connection is quite natural,since, if Bell’s inequality were not violated, then quan-tum mechanics would be incomplete, and no securecommunication could be based on such an incompletetheory. In some sense, Eve’s information is like probabi-listic local hidden variables. However, the connectionbetween Eqs. (68) and (72) has not been generalized toother protocols. A complete picture of these connec-tions is thus not yet available.

Let us emphasize that nonlocality plays no direct rolein QC. Indeed, Alice is generally in Bob’s absolute past.Nevertheless, Bell’s inequality can be violated by space-like separated events as well as by timelike separatedevents. However, the independence assumption neces-sary to derive Bell’s inequality is justified by locality con-siderations only for spacelike separated events.

G. Ultimate security proofs

The security proof of QC with a perfect apparatus anda noise-free channel is straightforward. However, thefact that security can still be proven for an imperfectapparatus and noisy channels is far from obvious.Clearly, something has to be assumed about the appara-tus. In this section we simply make the hypothesis thatthey are perfect. For the channel that is not under Aliceand Bob’s control, however, nothing is assumed. Thequestion is then Up to what QBER can Alice and Bobapply error correction and privacy amplification to theirclassical bits? In the previous sections we found that thethreshold is close to a QBER of 15%, assuming indi-vidual attacks. In principle Eve could manipulate severalqubits coherently. How much help to Eve this possibilityprovides is still unknown, though some bounds areknown. In 1996, Dominic Mayers (1996b) presented the


main ideas on how to prove security.55 In 1998, two ma-jor papers were made public on the Los Alamos archives(Mayers, 1998, and Lo and Chau, 1999). Today, theseproofs are generally considered valid, thanks to thework of—among others—Shor and Preskill (2000), In-amori et al. (2001), and Biham et al. (1999). However, itis worth noting that during the first few years after theinitial disclosure of these proofs, hardly anyone in thecommunity understood them.

Here we shall present the argument in a form quitedifferent from the original proofs. Our presentationaims at being transparent in the sense that it rests on twotheorems. The proofs of the theorems are difficult andwill be omitted. However, their claims are easy to under-stand and rather intuitive. Once one accepts the theo-rems, the security proof is straightforward.

The general idea is that at some point Alice, Bob, andEve perform measurements on their quantum systems.The outcomes provide them with classical random vari-ables a, b, and e, respectively, with P(a ,b ,e) the jointprobability distribution. The first theorem, a standard ofclassical information-based cryptography, states the nec-essary and sufficient condition on P(a ,b ,e) for Aliceand Bob to extract a secret key from P(a ,b ,e) (Csiszarand Korner, 1978). The second theorem is a clever ver-sion of Heisenberg’s uncertainty relation expressed interms of available information (Hall, 1995): it sets abound on the sum of the information about Alice’s keyavailable to Bob and to Eve.

Theorem 1. For a given P(a ,b ,e), Alice and Bob canestablish a secret key (using only error correction andclassical privacy amplification) if and only if I(a ,b)>I(a ,e) or I(a ,b)>I(b ,e), where I(a ,b)5H(a)2H(aub) denotes the mutual information and H is theShannon entropy.

Theorem 2. Let E and B be two observables in anN-dimensional Hilbert space. Let e, b, ue&, and ub& bethe corresponding eigenvalues and eigenvectors, respec-tively, and let c5maxe,b$uêub&u%. Then

I~a ,e!1I~a ,b!<2 log2~Nc !, (73)

where I(a ,e)5H(a)2H(aue) and I(a ,b)5H(a)2H(aub) are the entropy differences corresponding tothe probability distribution of the eigenvalues a prior toand deduced from any measurement by Eve and Bob,respectively.

The first theorem states that Bob must have more in-formation about Alice’s bits than does Eve (see Fig. 31).

55One of the authors (N.G.) vividly remembers the 1996 In-stitute for Scientific Interchange workshop in Torino, Italy,sponsored by Elsag Bailey, where he ended his talk by stress-ing the importance of security proofs. Dominic Mayers stoodup, gave some explanation, and wrote a formula on a transpar-ency, claiming that this was the result of his proof. We think itis fair to say that no one in the audience understood Mayers’explanation. However, N.G. kept the transparency, and it con-tains the basic Eq. (75) (up to a factor of 2, which correspondsto an improvement of Mayer’s result obtained in 2000 by Shorand Preskill, using ideas from Lo and Chau).


Since error correction and privacy amplification can beimplemented using only one-way communication, Theo-rem 1 can be understood intuitively as follows. The ini-tial situation is depicted in Fig. 31(a). During the publicphase of the protocol, because of the one-way commu-nication, Eve receives as much information as Bob. Theinitial information difference d thus remains. After errorcorrection, Bob’s information equals 1, as illustrated inFig. 31(b). After privacy amplification Eve’s informationis zero. In Fig. 31(c) Bob has replaced all bits to bedisregarded by random bits. Hence the key still has itsoriginal length, but his information has decreased. Fi-nally, upon removal of the random bits, the key is short-ened to the initial information difference d ; see Fig.31(d). Bob has full information about this final key,while Eve has none.

The second theorem states that if Eve performs ameasurement providing her with some informationI(a ,e), then, because of the perturbation, Bob’s infor-mation is necessarily limited. Using these two theorems,the argument now runs as follows. Suppose Alice sendsout a large number of qubits and that n are received byBob in the correct basis. The relevant Hilbert space’sdimension is thus N52n. Let us relabel the bases usedfor each of the n qubits such that Alice uses n times thex basis. Hence Bob’s observable is the n-time tensorproduct sx ^¯^ sx . By symmetry, Eve’s optimal infor-mation about the correct bases is precisely the same asher optimal information about the incorrect ones (May-ers, 1998). Hence one can bound her information, as-suming she measures sz ^¯^ sz . Accordingly, c522n/2, and Theorem 2 implies

I~a ,e!1I~a ,b!<2 log2~2n22n/2!5n . (74)

That is, the sum of Eve’s and Bob’s information per qu-bit is less than or equal to 1. This result is quite intuitive:

FIG. 31. Intuitive illustration of Theorem 1. The initial situa-tion is depicted in (a). During the one-way public discussionphase of the protocol, Eve receives as much information asBob; the initial information difference d thus remains. Aftererror correction, Bob’s information equals 1, as illustrated in(b). After privacy amplification Eve’s information is zero. In(c) Bob has replaced with random bits all bits to be disre-garded. Hence the key still has its original length, but his in-formation has decreased. Finally, in (d) removal of the randombits shortens the key to the initial information difference. Bobhas full information on this final key, while Eve has none.


together, Eve and Bob cannot receive more informationthan is sent out by Alice! Next, combining the bound(74) with Theorem 1, one deduces that a secret key isachievable whenever I(a ,b)>n/2. Using I(a ,b)5n@12D log2(D)2(12D)log2(12D)# , one obtains the suffi-cient condition on the error rate D (i.e., the QBER):

D log2~D!1~12D!log2~12D!<12

, (75)

i.e., D<11%.This bound, QBER<11%, is precisely that obtained

in Mayers’s proof (after improvement by Shor andPreskill, 2000). The above proof is, strictly speaking,only valid if the key is much longer than the number ofqubits that Eve attacks coherently, so that the Shannoninformation we used represents averages over many in-dependent realizations of classical random variables. Inother words, assuming that Eve can coherently attack alarge but finite number n0 of qubits, Alice and Bob canuse the above proof to secure keys much longer than n0bits. If one assumes that Eve has unlimited power and isable to attack coherently any number of qubits, then theabove proof does not apply, but Mayers’s proof can stillbe used and provides precisely the same bound.

This 11% bound for coherent attacks is clearly com-patible with the 15% bound found for individual attacks.The 15% bound is also necessary, since an explicit eaves-dropping strategy reaching this bound is presented inSec. VI.E. It is not known what happens in the interme-diate range 11%,QBER,15%, but the following sce-nario is plausible. If Eve is limited to coherent attackson a finite number of qubits, then in the limit of arbi-trarily long keys, she has a negligibly small probabilitythat the bits combined by Alice and Bob during the er-ror correction and privacy amplification protocols origi-nate from qubits attacked coherently. Consequently, the15% bound would still be valid (partial results in favorof this conjecture can be found in Cirac and Gisin, 1997and Bechmann-Pasquinucci and Gisin, 1999). However,if Eve has unlimited power, in particular, if she can co-herently attack an unlimited number of qubits, then the11% bound might be required.

To conclude this section, let us stress that the abovesecurity proof applies equally to the six-state protocol(Sec. II.D.2). It also extends in a straightforwardfashion to protocols using larger alphabets (Bechmann-Pasquinucci and Peres, 2000; Bechmann-Pasquinucciand Tittel, 2000; Bourennane, Karlsson, and Bjorn, 2001;Bourennane, Karlsson, Bjorn, Gisin, and Cerf, 2001).

H. Photon number measurements and lossless channels

In Sec. III.A we saw that all real photon sources havea finite probability of emittting more than one photon. Ifall emitted photons encode the same qubit, Eve can takeadvantage of this. In principle, she can first measure thenumber of photons in each pulse without disturbing the


degree of freedom encoding the qubits.56 Such measure-ments are sometimes called quantum nondemolitionmeasurements, because they do not perturb the qubit; inparticular they do not destroy the photons. This is pos-sible because Eve knows in advance that Alice sends amixture of states with well-defined photon numbers57

(see Sec. II.F). Next, if Eve finds more than one photon,she keeps one and sends the other(s) to Bob. In order toprevent Bob from detecting a lower qubit rate, Eve mustuse a channel with lower losses. Using an ideally losslessquantum channel, Eve can even, under certain condi-tions, keep one photon and increase the probability thatpulses with more than one photon get to Bob! Finally,when Eve finds one photon, she may destroy it withsome probability that she does not affect the total num-ber of qubits received by Bob. Consequently, if the prob-ability that a nonempty pulse has more than one photon(on Alice’s side) is greater than the probability that anonempty pulse is detected by Bob, then Eve can getfull information without introducing any perturbation.This is possible only when the QC protocol is not per-fectly implemented, but it is a realistic situation (Hutt-ner et al., 1995; Yuen, 1997).

Quantum nondemolition atacks have recently re-ceived a lot of attention (Brassard et al., 2000; Lutken-haus, 2000). The debate is not yet settled. We would liketo argue that it might be unrealistic, or even unphysical,to assume that Eve can perform ideal quantum non-demolition attacks. Indeed, she first needs the capacityto perform quantum nondemolition photon-numbermeasurements. Although impossible with today’s tech-nology, this is a reasonable assumption (Nogues et al.,1999). Next, she should be able to keep her photon untilAlice and Bob reveal the basis. In principle, this couldbe achieved using a lossless channel in a loop. We dis-cuss this eventuality below. Another possibility would befor Eve to map her photon to a quantum memory. Thisdoes not exist today but might well exist in the future.Note that the quantum memory should have essentiallyunlimited decoherence time, since Alice and Bob couldeasily wait for minutes before revealing the bases.58 Fi-nally, Eve must access a lossless channel, or at least achannel with lower losses than that used by Alice and

56For polarization coding, this is quite clear, but for phasecoding one may think (incorrectly) that phase and photonnumber are incompatible. However, the phase used for encod-ing is a relative phase between two modes. Whether thesemodes are polarization modes or correspond to different times(determined, for example, by the relative length of interferom-eters), does not matter.

57Recall that a mixture of coherent states ueifa& with arandom phase f, as produced by lasers when no phase refer-ence is available, is equal to a mixture of photon number statesun& with Poisson statistics: *0

2pueifa&êifau (df/2p)5(n>0 (mn/n!) e2mun&^nu, where m5uau2.

58The quantum part of the protocol could run continuously,storing large amounts of raw classical data, but the classicalpart of the protocol, which processes these raw data, couldtake place just seconds before the key is used.


Bob. This might be the trickiest point. Indeed, besidesusing a shorter channel, what can Eve do? Telecommu-nications fibers are already at the physical limits of whatcan be achieved (Thomas et al., 2000). The loss is almostentirely due to Rayleigh scattering, which is unavoid-able: solve the Schrodinger equation in a medium withinhomogeneities and you get scattering. When the inho-mogeneities are due to the molecular stucture of themedium, it is difficult to imagine lossless fibers. The0.18-dB/km attenuation in silica fibers at 1550 nm is alower bound imposed by physics rather thentechnology.59 Note that using air is not a viable solution,since attenuation at telecommunications wavelengths israther high. Vacuum, the only way to avoid Rayleighscattering, also has limitations, due to diffraction, againan unavoidable physical phenomenon. In the end, itseems that Eve has only two possibilities left. Either sheuses teleportation (with extremely high success prob-ability and fidelity) or she converts the photons to an-other wavelength (without perturbing the qubit). Bothof these ‘‘solutions’’ seem unrealistic in the foreseeablefuture.

Consequently, when considering the type of attacksdiscussed in this section, it is essential to distinguish theultimate proofs from the practical ones. Indeed, the as-sumptions about the defects of Alice and Bob’s appara-tuses must be very specific and might thus be of limitedinterest, while for practical considerations these assump-tions must be very general and might thus be excessive.

I. A realistic beamsplitter attack

The attack presented in the previous section takes ad-vantage of pulses containing more than one photon.However, as discussed, it uses unrealistic assumptions. Inthis section, following Dusek et al. (2000) and Lutken-haus (2000), we briefly comment on a realistic attackthat, also exploits multiphoton pulses (for details, seeFelix et al., 2001, where this and other examples are pre-sented). Assume that Eve splits all pulses in two, analyz-ing each half in one of the two bases, using photoncounting devices able to distinguish between pulses with0, 1, and 2 photons (see Fig. 32). In practice this could berealized using many single-photon counters in parallel.This requires nearly perfect detectors, but at least onedoes not need to assume technology completely out oftoday’s realm. Whenever Eve detects two photons in thesame output, she sends a photon in the corresponding

59Photonics crystal fibers have the potential to overcome theRayleigh scattering limit. There are two kinds of such fibers.The first kind guides light by total internal reflection, as inordinary fibers. In these fibers most of the light also propagatesin silica, and thus the loss limit is similar. In the second kind,most of the light propagates in air. Thus the theoretical losslimit is lower. However, today the losses are extremely high, inthe range of hundreds of dB/km. The best reported result thatwe are aware of is 11 dB/km, and it was obtained with the firstkind of fiber (Canning et al., 2000).


state into Bob’s apparatus. Since Eve’s information isclassical, she can overcome all the losses of the quantumchannel. In all other cases, Eve sends nothing to Bob. Inthis way, Eve sends a fraction (3

8) of the pulses contain-ing at least two photons to Bob. She introduces a QBERof 1

6 and gets information I(A ,E)5 2354•QBER. Bob

does not see any reduction in the number of detectedphotons, provided that the transmission coefficient ofthe quantum channel t satisfies

t<38

Prob~n>2un>1 !'3m

16, (76)

where the last expression assumes Poissonian photondistribution. Accordingly, for a fixed QBER, this attackprovides Eve with twice the information she would getfrom using the intercept-resend strategy. To countersuch an attack, Alice should use a mean photon numberm such that Eve can use this attack on only a fraction ofthe pulses. For example, Alice could use pulses weakenough that Eve’s mean information gain is identical towhat she would obtain with the simple intercept-resendstrategy (see Sec. II.C.3). For 10-, 14-, and 20-dB attenu-ation, this corresponds to m50.25, 0.1, and 0.025, respec-tively.

J. Multiphoton pulses and passive choice of states

Multiphoton pulses do not necessarily constitute athreat to key security, but they limit the key creationrate because they imply that more bits must be dis-carded during key distillation. This fact is based on theassumption that all photons in a pulse carry the samequbit, so that Eve does not need to copy the qubit goingto Bob, but merely keeps the copy that Alice inadvert-ently provides. When using weak pulses, it seems un-avoidable that all the photons in a pulse carry the samequbit. However, in two-photon implementations, each

FIG. 32. Realistic beamsplitter attack. Eve stops all pulses.The two photon pulses have a 50% probability of being ana-lyzed by the same analyzer. If this analyzer is compatible withthe state prepared by Alice, then both photons are detectedwith the same outcome; if not, there is a 50% chance that theyare detected with the same outcome. Hence there is a prob-ability of 3

8 that Eve detects both photons with the same out-come. In such a case, and only in such a case, she resends aphoton to Bob. In 2

3 of these cases she introduces no errors,since she has identified the correct state and gets full informa-tion; in the remaining cases she has a 50% probability of in-troducing an error and gains no information. The total QBERis thus 1

6, and Eve’s information gain is 23.


photon on Alice’s side independently chooses a state [inthe experiments of Ribordy et al. (2001) and Tittel et al.(2000), each photon randomly chooses both its basis andits bit value; in the experiments of Naik et al. (2000) andJennewein, Simon, et al. (2000), only the bit value choiceis random]. Hence, when two photon pairs are simulta-neously produced, the two twins carry independent qu-bits by accident. Consequently, Eve cannot take advan-tage of such multiphoton twin pulses. This might be oneof the main advantages of two-photon schemes over themuch simpler weak-pulse schemes. But the multiphotonproblem is then on Bob’s side, which gets a noisy signal,consisting partly of photons not in Alice’s state.

K. Trojan horse attacks

All eavesdropping strategies discussed up to this pointhave consisted of Eve’s attempt to get a maximum infor-mation from the qubits exchanged by Alice and Bob.However, Eve can also pursue a completely differentstrategy: she can herself send signals that enter Aliceand Bob’s offices through the quantum channel. Thiskind of strategy is called a Trojan horse attack. For ex-ample, Eve can send light pulses into the fiber enteringAlice’s or Bob’s apparatus and analyze the backreflectedlight. In this way, it is in principle possible to detectwhich laser just flashed, which detector just fired, or thesettings of phase and polarization modulators. This can-not be prevented by simply using a shutter, since Aliceand Bob must leave the ‘‘door open’’ for the photons toexit and enter, respectively.

In most QC setups the amount of backreflected lightcan be made very small, and sensing the apparatus withlight pulses through the quantum channel is difficult.Nevertheless, this attack is especially threatening in theplug-and-play scheme on Alice’s side (Sec. IV.C.2), sincea mirror is used to send the light pulses back to Bob.Thus, in principle, Eve can send strong light pulses toAlice and sense the applied phase shift. However, byapplying the phase shift only during a short time Dtphase(a few nanoseconds), Alice can oblige Eve to send thespying pulse at the same time as Bob. Remember that inthe plug-and-play scheme, pulses coming from Bob aremacroscopic and an attenuator at Alice’s end reducesthem to below the one-photon level, say, 0.1 photons perpulse. Hence, if Eve wants to get, say, one photon perpulse, she has to send ten times Bob’s pulse energy.Since Alice is detecting Bob’s pulses for triggering herapparatus, she must be able to detect an increase in en-ergy of these pulses in order to reveal the presence of aspying pulse. This is a relatively easy task, provided thatEve’s pulses look the same as Bob’s. However, Eve couldof course use another wavelength or ultrashort pulses(or very long pulses with low intensity, hence the impor-tance of Dtphase); therefore Alice must introduce an op-tical bandpass filter with a transmission spectrum corre-sponding to the sensitivity spectrum of her detector andchoose a Dtphase that fits the bandwidth of her detector.

There is no doubt that Trojan horse attacks can beprevented by technical measures. However, the fact that


this class of attacks exists illustrates that the security ofQC can never be guaranteed by the principles ofquantum mechanics only, but must necessarily rely ontechnical measures that are subject to discussion.60

L. Real security: Technology, cost, and complexity

Despite the elegance and generality of security proofs,the ideal of a QC system whose security relies entirelyon quantum principles is unrealistic. The technologicalimplementation of abstract principles will always bequestionable. It is likely that they will remain the weak-est point in all systems. Moreover, one should rememberthe obvious relation:

Infinite security⇒Infinite cost

⇒Zero practical interest . (77)

On the other hand, however, one should not underes-timate the following two advantages of QC. First, it ismuch easier to forecast progress in technology than inmathematics: the danger that QC will break down over-night is negligible, in contrast to public-key cryptosys-tems. Next, the security of QC depends on the techno-logical level of the adversary at the time of the keyexchange, in contrast to complexity-based systems whosecoded message can be registered and broken thanks tofuture progress. The latter point is relevant for secretswhose value lasts many years.

One often points to low bit rate as one of the currentlimitations of QC. However, it is important to stress thatQC need not be used in conjunction with one-time-padencryption. It can also be used to provide a key for asymmetrical cipher such as AES, whose security isgreatly enhanced by frequent key changes.

To conclude this section, let us briefly elaborate on thedifferences and similarities between technological andmathematical complexity and on their possible connec-tions and implications. Mathematical complexity meansthat the number of steps needed to run complex algo-rithms increases exponentially as the size of the inputgrows linearly. Similarly, one can define the technologi-cal complexity of a quantum computer as an exponen-tially increasing difficulty to process coherently all thequbits necessary to run a (noncomplex) algorithm on alinearly growing number of input data. It might be inter-esting to consider the possibility that the relationshipbetween these two concepts of complexity is deeper. Itcould be that the solution of a problem requires either acomplex classical algorithm or a quantum algorithm thatitself requires a complex quantum computer.61

60Another technological loophole, recently pointed out byKurtsiefer et al. (2001), is the possible information leakagecaused by light emitted by APD’s during their breakdown.

61Penrose (1994) pushes these speculations even further, sug-gesting that spontaneous collapses stop quantum computerswhenever they try to compute beyond a certain complexity.


VII. CONCLUSIONS

Quantum cryptography is a fascinating illustration ofthe dialog between basic and applied physics. It is basedon a beautiful combination of concepts from quantumphysics and information theory and made possible bythe tremendous progress in quantum optics and thetechnology of optical fibers and free-space optical com-munication. Its security principle relies on deep theo-rems in classical information theory and on a profoundunderstanding of Heisenberg’s uncertainty principle, asillustrated by Theorems 1 and 2 in Sec. VI.G (the onlymathematically involved theorems in this review). Let usalso emphasize the important contributions of QC toclassical cryptography: privacy amplification and classi-cal bound information (Secs. II.C.4 and II.C.5) are ex-amples of concepts in classical information whose dis-covery were much inspired by QC. Moreover, thefascinating tension between quantum physics and rela-tivity, as illustrated by Bell’s inequality, is not far away,as discussed in Sec. VI.F. Now, despite significantprogress in recent years, many open questions and tech-nological challenges remain.

One technological challenge at present concerns im-proved detectors compatible with telecommunicationsfibers. Two other issues concern free-space QC andquantum repeaters. The former is currently the only wayto realize QC over thousands of kilometers using thetechnology of the near future (see Sec. IV.E). The ideaof quantum repeaters (Sec. III.E) is to encode the qubitsin such a way that if the error rate is low, then errors canbe detected and corrected entirely in the quantum do-main. The hope is that such techniques could extend therange of quantum communication to essentially unlim-ited distances. Indeed, Hans Briegel, then at the Univer-sity of Innsbruck, and co-workers (1998) showed thatthe number of additional qubits needed for quantum re-peaters can be made smaller than the numbers of qubitsneeded to improve the fidelity of the quantum channel(Dur et al., 1999). One could thus overcome the deco-herence problem. However, the main practical limitationis not decoherence but loss (most photons never get toBob, but those that do get there exhibit high fidelity).

As for open questions, let us emphasize three mainconcerns. First, complete and realistic analyses of thesecurity issues are still missing. Next, figures of merit forcomparing QC schemes based on different quantum sys-tems (with different dimensions, for example) are stillawaited. Finally, the delicate question of how to test theapparatuses has not yet received enough attention. In-deed, a potential customer of quantum cryptographybuys confidence and secrecy, two qualities hard to quan-tify. Interestingly, both of these issues are connected toBell’s inequality (see Secs. VI.F and VI.B). Clearly, thisconnection cannot be phrased in the old context of localhidden variables, but rather in the context of the secu-rity of tomorrow’s communications. Here, as in the en-tire field of quantum information, old concepts are re-newed by looking at them from a fresh perspective: letus exploit quantum weirdness.


QC could well be the first application of quantum me-chanics at the single-quantum level. Experiments havedemonstrated that keys can be exchanged over distancesof a few tens of kilometers at rates on the order of atleast a thousand bits per second. There is no doubt thatthe technology can be mastered and the question is notwhether QC will find commercial applications, butwhen. At present QC is still very limited in distance andin secret bit rate. Moreover, public-key systems domi-nate the market and, being pure software, are tremen-dously easier to manage. Every so often, we hear in thenews that some classical cryptosystem has been broken.This would be impossible with properly implementedQC. But this apparent strength of QC might turn out tobe its weak point: security agencies would be equallyunable to break quantum cryptograms!

ACKNOWLEDGMENTS

This work was supported by the Swiss Fonds Nationalde la Recherche Scientifique (FNRS) and the EuropeanUnion projects European Quantum Cryptography andSingle-Photon Optical Technologies (EQCSPOT) andLong-Distance Photonic Quantum Communication(QUCOMM) financed by the Swiss Office Federal del’Education et de la Science (OFES). The authors wouldalso like to thank Richard Hughes for providing Fig. 8,and acknowledge Charles H. Bennett and Paul G. Kwiatfor their very careful reading of the manuscript and theirhelpful remarks.

REFERENCES

Ardehali, M., H. F. Chau, and H.-K. Lo, 1998, ‘‘Efficient quan-tum key distribution,’’ preprint quant-ph/9803007.

Aspect, A., J. Dalibard, and G. Roger, 1982, ‘‘Experimentaltest of Bell’s inequalities using time-varying analyzers,’’ Phys.Rev. Lett. 49, 1804–1807.

Bechmann-Pasquinucci, H., and N. Gisin, 1999, ‘‘Incoherentand coherent eavesdropping in the 6-state protocol of quan-tum cryptography,’’ Phys. Rev. A 59, 4238–4248.

Bechmann-Pasquinucci, H., and A. Peres, 2000, ‘‘Quantumcryptography with 3-state systems,’’ Phys. Rev. Lett. 85,3313–3316.

Bechmann-Pasquinucci, H., and W. Tittel, 2000, ‘‘Quantumcryptography using larger alphabets,’’ Phys. Rev. A 61,062308.

Bell, J. S., 1964, ‘‘On the problem of hidden variables in quan-tum mechanics,’’ Rev. Mod. Phys. 38, 447–452 [reprinted inBell, J. S., 1987, Speakable and Unspeakable in Quantum Me-chanics (Cambridge University, Cambridge, England)].

Bennett, C. H., 1992, ‘‘Quantum cryptography using any twononorthogonal states,’’ Phys. Rev. Lett. 68, 3121–3124.

Bennett, C. H., F. Bessette, G. Brassard, L. Salvail, and J. Smo-lin, 1992, ‘‘Experimental quantum cryptography,’’ J. Cryptol-ogy 5, 3–28.

Bennett, C. H., and G. Brassard, 1984, in Proceedings of theIEEE International Conference on Computers, Systems andSignal Processing, Bangalore, India, (IEEE, New York), pp.175–179.


Bennett, C. H., and G. Brassard, 1985, ‘‘Quantum public keydistribution system,’’ IBM Tech. Discl. Bull. 28, 3153–3163.

Bennett, C. H., G. Brassard, C. Crepeau, R. Jozsa, A. Peres,and W. K. Wootters, 1993, ‘‘Teleporting an unknown quan-tum state via dual classical and Einstein-Podolsky-Rosenchannels,’’ Phys. Rev. Lett. 70, 1895–1899.

Bennett, C. H., G. Brassard, C. Crepeau, and U. M. Maurer,1995, ‘‘Generalized privacy amplification,’’ IEEE Trans. Inf.Theory 41, 1915–1923.

Bennett, C. H., G. Brassard, and A. Ekert, 1992, ‘‘Quantumcryptography,’’ Sci. Am. 267, 50–57.

Bennett, C. H., G. Brassard, and N. D. Mermin, 1992, ‘‘Quan-tum cryptography without Bell’s theorem,’’ Phys. Rev. Lett.68, 557–559.

Bennett, C. H., G. Brassard, and J.-M. Robert, 1988, ‘‘Privacyamplification by public discussion,’’ SIAM J. Comput. 17,210–229.

Berry, M. V., 1984, ‘‘Quantal phase factors accompanying adia-batic changes,’’ Proc. R. Soc. London, Ser. A 392, 45–57.

Bethune, D., and W. Risk, 2000, ‘‘An autocompensating fiber-optic quantum cryptography system based on polarizationsplitting of light,’’ IEEE J. Quantum Electron. 36, 340–347.

Biham, E., M. Boyer, P. O. Boykin, T. Mor, and V. Roy-chowdhury, 1999, ‘‘A proof of the security of quantum keydistribution,’’ preprint quant-ph/9912053.

Biham, E., and T. Mor, 1997a, ‘‘Security of quantum cryptog-raphy against collective attacks,’’ Phys. Rev. Lett. 78, 2256–1159.

Biham, E., and T. Mor, 1997b, ‘‘Bounds on information and thesecurity of quantum cryptography,’’ Phys. Rev. Lett. 79,4034–4037.

Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Jons-son, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, ‘‘Ex-periments on long wavelength (1550 nm) ‘plug and play’quantum cryptography system,’’ Opt. Express 4, 383–387.

Bourennane, M., A. Karlsson, and G. Bjorn, 2001, ‘‘Quantumkey distribution using multilevel encoding,’’ Phys. Rev. A 64,012306.

Bourennane, M., A. Karlsson, G. Bjorn, N. Gisin, and N. Cerf,2001, ‘‘Quantum key distribution using multilevel encoding:security analysis,’’ preprint quant-ph/0106049.

Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A.Hening, and J. P. Ciscar, 2000, ‘‘Experimental long wave-length quantum cryptography: from single photon transmis-sion to key extraction protocols,’’ J. Mod. Opt. 47, 563–579.

Braginsky, V. B., and F. Y. Khalili, 1992, Quantum Measure-ment (Cambridge University, Cambridge, England).

Brassard, G., 1988, Modern Cryptology: A Tutorial, LectureNotes in Computer Science, Vol. 325 (Springer, New York).

Brassard, G., C. Crepeau, D. Mayers, and L. Salvail, 1998, inProceedings of Randomized Algorithms, Satellite Workshopof the 23rd International Symposium on Mathematical Foun-dations of Computer Science, Brno, Czech Republic, editedby R. Freivalds (Aachen University, Aachen, Germany), pp.13–15.

Brassard, G., N. Lutkenhaus, T. Mor, and B. C. Sanders, 2000,‘‘Limitations on practical quantum cryptography,’’ Phys. Rev.Lett. 85, 1330–1333.

Brassard, G., and L. Salvail, 1994, in Advances in Cryptology—EUROCRYPT ’93 Proceedings, Lecture Notes in ComputerScience, Vol. 765, edited by T. Helleseth (Springer, NewYork), p. 410.


Breguet, J., and N. Gisin, 1995, ‘‘New interferometer using a333 coupler and Faraday mirrors,’’ Opt. Lett. 20, 1447–1449.

Breguet, J., A. Muller, and N. Gisin, 1994, ‘‘Quantum cryptog-raphy with polarized photons in optical fibers: experimentaland practical limits,’’ J. Mod. Opt. 41, 2405–2412.

Brendel, J., W. Dultz, and W. Martienssen, 1995, ‘‘Geometricphase in 2-photon interference experiments,’’ Phys. Rev. A52, 2551–2556.

Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, ‘‘Pulsedenergy-time entangled twin-photon source for quantum com-munication,’’ Phys. Rev. Lett. 82, 2594–2597.

Briegel, H.-J., W. Dur, J. I. Cirac, and P. Zoller, 1998, ‘‘Quan-tum repeaters: the role of imperfect local operations in quan-tum communication,’’ Phys. Rev. Lett. 81, 5932–5935.

Brouri, R., A. Beveratios, J.-P. Poizat, and P. Grangier, 2000,‘‘Photon antibunching in the fluorescence of individual col-ored centers in diamond,’’ Opt. Lett. 25, 1294–1296.

Brown, R. G. W., and M. Daniels, 1989, ‘‘Characterization ofsilicon avalanche photodiodes for photon correlation mea-surements. 3: Sub-Geiger operation,’’ Appl. Opt. 28, 4616–4621.

Brown, R. G. W., R. Jones, J. G. Rarity, and K. D. Ridley,1987, ‘‘Characterization of silicon avalanche photodiodes forphoton correlation measurements. 2: Active quenching,’’Appl. Opt. 26, 2383–2389.

Brown, R. G. W., K. D. Ridley, and J. G. Rarity, 1986, ‘‘Char-acterization of silicon avalanche photodiodes for photon cor-relation measurements. 1: Passive quenching,’’ Appl. Opt. 25,4122–4126.

Brunel, C., B. Lounis, P. Tamarat, and M. Orrit, 1999, ‘‘Trig-gered source of single photons based on controlled singlemolecule fluorescence,’’ Phys. Rev. Lett. 83, 2722–2725.

Bruss, D., 1998, ‘‘Optimal eavesdropping in quantum cryptog-raphy with six states,’’ Phys. Rev. Lett. 81, 3018–3021.

Bruss, D., A. Ekert, and C. Macchiavello, 1998, ‘‘Optimal uni-versal quantum cloning and state estimation,’’ Phys. Rev.Lett. 81, 2598–2601.

Buttler, W. T., R. J. Hughes, P. G. Kwiat, S. K. Lamoreaux, G.G. Luther, G. L. Morgan, J. E. Nordholt, C. G. Peterson, andC. Simmons, 1998, ‘‘Practical free-space quantum key distri-bution over 1 km,’’ Phys. Rev. Lett. 81, 3283–3286.

Buttler, W. T., R. J. Hughes, S. K. Lamoreaux, G. L. Morgan, J.E. Nordholt, and C. G. Peterson, 2000, ‘‘Daylight quantumkey distribution over 1.6 km,’’ Phys. Rev. Lett. 84, 5652–5655.

Buzek, V., and M. Hillery, 1996, ‘‘Quantum copying: beyondthe no-cloning theorem,’’ Phys. Rev. A 54, 1844–1852.

Cancellieri, G., 1993, Ed., Single-Mode Optical Fiber Measure-ment: Characterization and Sensing (Artech House, Boston).

Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kristensen,and K. Lyytikainen, 2000, ‘‘Complex mode coupling withinair-silica structured optical fibers and applications,’’ Opt.Commun. 185, 321–324.

Cirac, J. I., and N. Gisin, 1997, ‘‘Coherent eavesdropping strat-egies for the 4-state quantum cryptography protocol,’’ Phys.Lett. A 229, 1–7.

Clarke, R. B. M., A. Chefles, S. M. Barnett, and E. Riis, 2000,‘‘Experimental demonstration of optimal unambiguous statediscrimination,’’ Phys. Rev. A 63, 040305.

Clauser, J. F., M. A. Horne, A. Shimony, and R. A. Holt, 1969,‘‘Proposed experiment to test local hidden variable theories,’’Phys. Rev. Lett. 23, 880–884.


Clauser, J. F., and A. Shimony, 1978, ‘‘Bell’s theorem: experi-mental tests and implications,’’ Rep. Prog. Phys. 41, 1881–1927.

Cova, S., M. Ghioni, A. Lacaita, C. Samori, and F. Zappa,1996, ‘‘Avalanche photodiodes and quenching circuits forsingle-photon detection,’’ Appl. Opt. 35, 1956–1976.

Cova, S., A. Lacaita, M. Ghioni, and G. Ripamonti, 1989,‘‘High-accuracy picosecond characterization of gain-switchedlaser diodes,’’ Opt. Lett. 14, 1341–1343.

Csiszar, I., and J. Korner, 1978, ‘‘Broadcast channels with con-fidential messages,’’ IEEE Trans. Inf. Theory IT-24, 339–348.

De Martini, F., V. Mussi, and F. Bovino, 2000, ‘‘Schroedingercat states and optimum universal quantum cloning by en-tangled parametric amplification,’’ Opt. Commun. 179, 581–589.

Desurvire, E., 1994, ‘‘The golden age of optical fiber amplifi-ers,’’ Phys. Today 47 (1), 20–27.

Deutsch, D., 1985, ‘‘Quantum theory, the Church-Turing prin-ciple and the universal quantum computer,’’ Proc. R. Soc.London, Ser. A 400, 97–105.

Deutsch, D., A. Ekert, R. Jozsa, C. Macchiavello, S. Popescu,and A. Sanpera, 1996, ‘‘Quantum privacy amplification andthe security of quantum cryptography over noisy channels,’’Phys. Rev. Lett. 77, 2818–2821; 80, 2022(E) (1996).

Dieks, D., 1982, ‘‘Communication by EPR devices,’’ Phys.Lett. 92A, 271–272.

Diffie, W., and M. E. Hellman, 1976, ‘‘New directions in cryp-tography,’’ IEEE Trans. Inf. Theory IT-22, 644–654.

Dur, W., H.-J. Briegel, J. I. Cirac, and P. Zoller, 1999, ‘‘Quan-tum repeaters based on entanglement purification,’’ Phys.Rev. A 59, 169–181; 60, 725(E).

Dusek, M., M. Jahma, and N. Lutkenhaus, 2000, ‘‘Unambigu-ous state discrimination in quantum cryptography with weakcoherent states,’’ Phys. Rev. A 62, 022306.

Einstein, A., B. Podolsky, and N. Rosen, 1935, ‘‘Can quantum-mechanical description of physical reality be considered com-plete?,’’ Phys. Rev. 47, 777–780.

Ekert, A. K., 1991, ‘‘Quantum cryptography based on Bell’stheorem,’’ Phys. Rev. Lett. 67, 661–663.

Ekert, A. K., 2000, ‘‘Coded secrets cracked open,’’ Phys. World13 (2), 39–40.

Ekert, A. K., and B. Huttner, 1994, ‘‘Eavesdropping tech-niques in quantum cryptosystems,’’ J. Mod. Opt. 41, 2455–2466.

Ekert, A. K., J. G. Rarity, P. R. Tapster, and G. M. Palma,1992, ‘‘Practical quantum cryptography based on two-photoninterferometry,’’ Phys. Rev. Lett. 69, 1293–1296.

Elamari, A., H. Zbinden, B. Perny, and C. Zimmer, 1998, ‘‘Sta-tistical prediction and experimental verification of concatena-tions of fiber optic components with polarization dependentloss,’’ J. Lightwave Technol. 16, 332–339.

Enzer, D., P. Hadley, R. Hughes, G. Peterson, and P. Kwiat,2001, private communication.

Felix, S., A. Stefanov, H. Zbinden, and N. Gisin, 2001, ‘‘Faintlaser quantum key distribution: Eavesdropping exploitingmultiphoton pulses,’’ J. Mod. Opt. 48, 2009–2021.

Fleury, L., J.-M. Segura, G. Zumofen, B. Hecht, and U. P.Wild, 2000, ‘‘Nonclassical photon statistics in single-moleculefluorescence at room temperature,’’ Phys. Rev. Lett. 84,1148–1151.

Franson, J. D., 1989, ‘‘Bell inequality for position and time,’’Phys. Rev. Lett. 62, 2205–2208.


Franson, J. D., 1992, ‘‘Nonlocal cancellation of dispersion,’’Phys. Rev. A 45, 3126–3132.

Franson, J. D., and B. C. Jacobs, 1995, ‘‘Operational system forquantum cryptography,’’ Electron. Lett. 31, 232–234.

Freedmann, S. J., and J. F. Clauser, 1972, ‘‘Experimental test oflocal hidden variable theories,’’ Phys. Rev. Lett. 28, 938–941.

Fry, E. S., and R. C. Thompson, 1976, ‘‘Experimental test oflocal hidden variable theories,’’ Phys. Rev. Lett. 37, 465–468.

Fuchs, C. A., N. Gisin, R. B. Griffiths, C.-S. Niu, and A. Peres,1997, ‘‘Optimal eavesdropping in quantum cryptography. I:Information bound and optimal strategy,’’ Phys. Rev. A 56,1163–1172.

Fuchs, C. A., and A. Peres, 1996, ‘‘Quantum state disturbancevs. information gain: uncertainty relations for quantum infor-mation,’’ Phys. Rev. A 53, 2038–2045.

Gerard, J.-M., and B. Gayral, 1999, ‘‘Strong Purcell effect forInAs quantum boxes in three-dimensional solid-state micro-cavities,’’ J. Lightwave Technol. 17, 2089–2095.

Gerard, J.-M., B. Sermage, B. Gayral, B. Legrand, E. Costard,and V. Thierry-Mieg, 1998, ‘‘Enhanced spontaneous emissionby quantum boxes in a monolithic optical microcavity,’’ Phys.Rev. Lett. 81, 1110–1113.

Gilbert, G., and M. Hamrick, 2000, ‘‘Practical quantum cryp-tography: a comprehensive analysis (part one),’’ internal re-port (MITRE, McLean, USA), preprint quant-ph/0009027.

Gisin, B., and N. Gisin, 1999, ‘‘A local hidden variable modelof quantum correlation exploiting the detection loophole,’’Phys. Lett. A 260, 323–327.

Gisin, N., 1998, ‘‘Quantum cloning without signaling,’’ Phys.Lett. A 242, 1–3.

Gisin, N., et al., 1995, ‘‘Definition of polarization mode disper-sion and first results of the COST 241 round-robin measure-ments,’’ Pure Appl. Opt. 4, 511–522.

Gisin, N., and S. Massar, 1997, ‘‘Optimal quantum cloning ma-chines,’’ Phys. Rev. Lett. 79, 2153–2156.

Gisin, N., R. Renner, and S. Wolf, 2000, Proceedings of theThird European Congress of Mathematics, Barcelona(Birkhauser, Basel) (in press).

Gisin, N., and S. Wolf, 1999, ‘‘Quantum cryptography on noisychannels: quantum versus classical key-agreement protocols,’’Phys. Rev. Lett. 83, 4200–4203.

Gisin, N., and S. Wolf, 2000, Advances in Cryptology—Proceedings of Crypto 2000, Lecture Notes in Computer Sci-ence, Vol. 1880, edited by M. Bellare (Springer, New York),pp. 482–500.

Gisin, N., and H. Zbinden, 1999, ‘‘Bell inequality and the lo-cality loophole: active versus passive switches,’’ Phys. Lett. A264, 103–107.

Goldenberg, L., and L. Vaidman, 1995, ‘‘Quantum cryptogra-phy based on orthogonal states,’’ Phys. Rev. Lett. 75, 1239–1243.

Gorman, P. M., P. R. Tapster, and J. G. Rarity, 2001, ‘‘Securefree-space key exchange to 1.9 km and beyond,’’ J. Mod. Opt.48, 1887–1901.

Haecker, W., O. Groezinger, and M. H. Pilkuhn, 1971, ‘‘Infra-red photon counting by Ge avalanche diodes,’’ Appl. Phys.Lett. 19, 113–115.

Hall, M. J. W., 1995, ‘‘Information exclusion principle forcomplementary observables,’’ Phys. Rev. Lett. 74, 3307–3310.

Hariharan, P., M. Roy, P. A. Robinson, and J. W. O’Byrne,1993, ‘‘The geometric phase observation at the single photonlevel,’’ J. Mod. Opt. 40, 871–877.


Hart, A. C., R. G. Huff, and K. L. Walker, 1994, ‘‘Method ofmaking a fiber having low polarization mode dispersion dueto a permanent spin,’’ U.S. Patent No. 5,298,047.

Hildebrand, E., 2001, Ph.D. thesis (Johann Wolfgang Goethe-Universitat, Frankfurt am Main).

Hillery, M., V. Buzek, and A. Berthiaume, 1999, ‘‘Quantumsecret sharing,’’ Phys. Rev. A 59, 1829–1834.

Hiskett, P. A., G. S. Buller, A. Y. Loudon, J. M. Smith, I. Gon-tijo, A. C. Walker, P. D. Townsend, and M. J. Robertson,2000, ‘‘Performance and design of InGaAs/InP photodiodesfor single-photon counting at 1.55 mm,’’ Appl. Opt. 39, 6818–6829.

Hong, C. K., and L. Mandel, 1985, ‘‘Theory of parametric fre-quency down conversion of light,’’ Phys. Rev. A 31, 2409–2418.

Hong, C. K., and L. Mandel, 1986, ‘‘Experimental realizationof a localized one-photon state,’’ Phys. Rev. Lett. 56, 58–60.

Horodecki, M., R. Horodecki, and P. Horodecki, 1996, ‘‘Sepa-rability of mixed states: necessary and sufficient conditions,’’Phys. Lett. A 223, 1–8.

Hughes, R., W. Buttler, P. Kwiat, S. Lamoreaux, G. Morgan, J.Nordhold, and G. Peterson, 2000, ‘‘Free-space quantum keydistribution in daylight,’’ J. Mod. Opt. 47, 549–562.

Hughes, R., G. G. Luther, G. L. Morgan, and C. Simmons,1996, in Advances in Cryptology—CRYPTO ’96 Proceedings,Lecture Notes in Computer Science, Vol. 1109, edited by N.Koblitz (Springer, New York), pp. 329–342.

Hughes, R., G. Morgan, and C. Peterson, 2000, ‘‘Quantum keydistribution over a 48-km optical fiber network,’’ J. Mod. Opt.47, 533–547.

Huttner, B., J. D. Gautier, A. Muller, H. Zbinden, and N. Gi-sin, 1996, ‘‘Unambiguous quantum measurement of non-orthogonal states,’’ Phys. Rev. A 54, 3783–3789.

Huttner, B., N. Imoto, and S. M. Barnett, 1996, ‘‘Short distanceapplications of quantum cryptography,’’ J. Nonlinear Opt.Phys. Mater. 5, 823–832.

Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, ‘‘Quantumcryptography with coherent states,’’ Phys. Rev. A 51, 1863–1869.

Imamoglu, A., and Y. Yamamoto, 1994, ‘‘Turnstile device forheralded single photons: Coulomb blockade of electron andhole tunneling in quantum confined p-i-n heterojunctions,’’Phys. Rev. Lett. 72, 210–213.

Inamori, H., L. Rallan, and V. Vedral, 2000, ‘‘Security of EPR-based quantum cryptography against incoherent symmetricattacks,’’ preprint quant-ph/0103058.

Ingerson, T. E., R. J. Kearney, and R. L. Coulter, 1983, ‘‘Pho-ton counting with photodiodes,’’ Appl. Opt. 22, 2013–2018.

Ivanovic, I. D., 1987, ‘‘How to differentiate between non-orthogonal states,’’ Phys. Lett. A 123, 257–259.

Jacobs, B., and J. Franson, 1996, ‘‘Quantum cryptography infree space,’’ Opt. Lett. 21, 1854–1856.

Jennewein, T., U. Achleitner, G. Weihs, H. Weinfurter, and A.Zeilinger, 2000, ‘‘A fast and compact quantum random num-ber generator,’’ Rev. Sci. Instrum. 71, 1675–1680.

Jennewein, T., C. Simon, G. Weihs, H. Weinfurter, and A.Zeilinger, 2000, ‘‘Quantum cryptography with entangled pho-tons,’’ Phys. Rev. Lett. 84, 4729–4732.

Karlsson, A., M. Bourennane, G. Ribordy, H. Zbinden, J.Brendel, J. Rarity, and P. Tapster, 1999, ‘‘A single-photoncounter for long-haul telecom,’’ IEEE Circuits Devices Mag.15, 34–40.


Kempe, J., C. Simon, G. Weihs, and A. Zeilinger, 2000, ‘‘Op-timal photon cloning,’’ Phys. Rev. A 62, 032302.

Kim, J., O. Benson, H. Kan, and Y. Yamamoto, 1999, ‘‘Asingle-photon turnstile device,’’ Nature (London) 397, 500–503.

Kimble, H. J., M. Dagenais, and L. Mandel, 1977, ‘‘Photonantibunching in resonance fluorescence,’’ Phys. Rev. Lett. 39,691–694.

Kitson, S. C., P. Jonsson, J. G. Rarity, and P. R. Tapster, 1998,‘‘Intensity fluctuation spectroscopy of small numbers of dyemolecules in a microcavity,’’ Phys. Rev. A 58, 620–627.

Kolmogorov, A. N., 1956, Foundations of the Theory of Prob-ability (Chelsea, New York).

Kurtsiefer, C., S. Mayer, P. Zarda, and H. Weinfurter, 2000,‘‘Stable solid-state source of single photons,’’ Phys. Rev. Lett.85, 290–293.

Kurtsiefer, C., P. Zarda, S. Mayer, and H. Weinfurter, 2001,‘‘The breakdown flash of Silicon Avalanche Photodiodes—backdoor for eavesdropper attacks?,’’ J. Mod. Opt. 48, 2039–2047.

Kwiat, P. G., A. M. Steinberg, R. Y. Chiao, P. H. Eberhard, andM. D. Petroff, 1993, ‘‘High-efficiency single-photon detec-tors,’’ Phys. Rev. A 48, R867–870.

Kwiat, P. G., E. Waks, A. G. White, I. Appelbaum, and P. H.Eberhard, 1999, ‘‘Ultrabright source of polarization-entangled photons,’’ Phys. Rev. A 60, R773–776.

Lacaita, A., P. A. Francese, F. Zappa, and S. Cova, 1994,‘‘Single-photon detection beyond 1 mm: performance of com-mercially available germanium photodiodes,’’ Appl. Opt. 33,6902–6918.

Lacaita, A., F. Zappa, S. Cova, and P. Lovati, 1996, ‘‘Single-photon detection beyond 1 mm: performance of commerciallyavailable InGaAs/InP detectors,’’ Appl. Opt. 35, 2986–2996.

Larchuk, T. S., M. V. Teich, and B. E. A. Saleh, 1995, ‘‘Nonlo-cal cancellation of dispersive broadening in Mach-Zehnderinterferometers,’’ Phys. Rev. A 52, 4145–4154.

Levine, B. F., C. G. Bethea, and J. C. Campbell, 1985, ‘‘Room-temperature 1.3-mm optical time domain reflectometer usinga photon counting InGaAs/InP avalanche detector,’’ Appl.Phys. Lett. 45, 333–335.

Li, M. J., and D. A. Nolan, 1998, ‘‘Fiber spin-profile designs forproducing fibers with low PMD,’’ Opt. Lett. 23, 1659–1661.

Lo, H.-K., and H. F. Chau, 1998, ‘‘Why quantum bit commit-ment and ideal quantum coin tossing are impossible,’’ PhysicaD 120, 177–187.

Lo, H.-K., and H. F. Chau, 1999, ‘‘Unconditional security ofquantum key distribution over arbitrary long distances,’’ Sci-ence 283, 2050–2056.

Lutkenhaus, N., 1996, ‘‘Security against eavesdropping inquantum cryptography,’’ Phys. Rev. A 54, 97–111.

Lutkenhaus, N., 2000, ‘‘Security against individual attacks forrealistic quantum key distribution,’’ Phys. Rev. A 61, 052304.

Marand, C., and P. D. Townsend, 1995, ‘‘Quantum key distri-bution over distances as long as 30 km,’’ Opt. Lett. 20, 1695–1697.

Martinelli, M., 1989, ‘‘A universal compensator for polariza-tion changes induced by birefringence on a retracing beam,’’Opt. Commun. 72, 341–344.

Martinelli, M., 1992, ‘‘Time reversal for the polarization statein optical systems,’’ J. Mod. Opt. 39, 451–455.

Maurer, U. M., 1993, ‘‘Secret key agreement by public discus-sion from common information,’’ IEEE Trans. Inf. Theory 39,733–742.


Maurer, U. M., and S. Wolf, 1999, ‘‘Unconditionally secure keyagreement and intrinsic information,’’ IEEE Trans. Inf.Theory 45, 499–514.

Mayers, D., 1996a, ‘‘The trouble with quantum bit commit-ment,’’ quant-ph/9603015.

Mayers, D., 1996b, Advances in Cryptology—Proceedings ofCrypto’96, Lecture Notes in Computer Science, Vol. 1109,edited by N. Koblitz (Springer, New York), pp. 343–357.

Mayers, D., 1997, ‘‘Unconditionally secure Q bit commitmentis impossible,’’ Phys. Rev. Lett. 78, 3414–3417.

Mayers, D., 1998, ‘‘Unconditional security in quantum cryptog-raphy,’’ J. Assn. Comput. Mac. (in press).

Mayers, D., and A. Yao, 1998, Proceedings of the 39th AnnualSymposium on Foundations of Computer Science (IEEEComputer Society, Los Alamitos, California), p. 503.

Mazurenko, Y., R. Giust, and J. P. Goedgebuer, 1997, ‘‘Spectralcoding for secure optical communications using refractive in-dex dispersion,’’ Opt. Commun. 133, 87–92.

Merolla, J-M., Y. Mazurenko, J. P. Goedgebuer, and W. T.Rhodes, 1999, ‘‘Single-photon interference in sidebands ofphase-modulated light for quantum cryptography,’’ Phys.Rev. Lett. 82, 1656–1659.

Michler, P., A. Kiraz, C. Becher, W. V. Schoenfeld, P. M.Petroff, L. Zhang, E. Hu, and A. Imamoglu, 2000, ‘‘A quan-tum dot single photon turnstile device,’’ Science 290, 2282–2285.

Milonni, P. W., and M. L. Hardies, 1982, ‘‘Photons cannot al-ways be replicated,’’ Phys. Lett. A 92, 321–322.

Molotkov, S. N., 1998, ‘‘Quantum cryptography based on pho-ton ‘frequency’ states: example of a possible realization,’’ Sov.Phys. JETP 87, 288–293.

Muller, A., J. Breguet, and N. Gisin, 1993, ‘‘Experimental dem-onstration of quantum cryptography using polarized photonsin optical fiber over more than 1 km,’’ Europhys. Lett. 23,383–388.

Muller, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden, andN. Gisin, 1997, ‘‘ ‘Plug and play’ systems for quantum cryp-tography,’’ Appl. Phys. Lett. 70, 793–795.

Muller, A., H. Zbinden, and N. Gisin, 1995, ‘‘Underwaterquantum coding,’’ Nature (London) 378, 449–449.

Muller, A., H. Zbinden, and N. Gisin, 1996, ‘‘Quantum cryp-tography over 23 km in installed under-lake telecom fibre,’’Europhys. Lett. 33, 335–339.

Naik, D., C. Peterson, A. White, A. Berglund, and P. Kwiat,2000, ‘‘Entangled state quantum cryptography: eavesdrop-ping on the Ekert protocol,’’ Phys. Rev. Lett. 84, 4733–4736.

Neumann, E.-G., 1988, Single-Mode Fibers: Fundamentals,Springer Series in Optical Sciences, Vol. 57 (Springer, Berlin).

Niu, C. S., and R. B. Griffiths, 1999, ‘‘Two-qubit copying ma-chine for economical quantum eavesdropping,’’ Phys. Rev. A60, 2764–2776.

Nogues, G., A. Rauschenbeutel, S. Osnaghi, M. Brune, J. M.Raimond, and S. Haroche, 1999, ‘‘Seeing a single photonwithout destroying it,’’ Nature (London) 400, 239–242.

Owens, P. C. M., J. G. Rarity, P. R. Tapster, D. Knight, and P.D. Townsend, 1994, ‘‘Photon counting with passivelyquenched germanium avalanche,’’ Appl. Opt. 33, 6895–6901.

Penrose, R., 1994, Shadows of the Mind (Oxford University,Oxford, England).

Peres, A., 1988, ‘‘How to differentiate between two non-orthogonal states,’’ Phys. Lett. A 128, 19.

Peres, A., 1996, ‘‘Separability criteria for density matrices,’’Phys. Rev. Lett. 76, 1413–1415.


Peres, A., 1997, Quantum Theory: Concepts and Methods (Klu-wer Academic, Dordrecht, The Netherlands).

Phoenix, S. J. D., S. M. Barnett, P. D. Townsend, and K. J.Blow, 1995, ‘‘Multi-user quantum cryptography on opticalnetworks,’’ J. Mod. Opt. 6, 1155–1163.

Piron, C., 1990, Mecanique quantique, bases et applications(Presses Polytechniques et Universitaires Romandes, Lau-sanne, Switzerland).

Pitowsky, I., 1989, Ed. Quantum Probability—Quantum Logic,Lecture Notes in Physics, Vol. 321 (Springer, Berlin).

Rarity, J. G., P. C. M. Owens, and P. R. Tapster, 1994, ‘‘Quan-tum random-number generation and key sharing,’’ J. Mod.Opt. 41, 2435–2444.

Rarity, J. G., and P. R. Tapster, 1988, in Photons and QuantumFluctuations, edited by E. R. Pike and H. Walther (Hilger,Bristol, England), pp. 122–150.

Rarity, J. G., T. E. Wall, K. D. Ridley, P. C. M. Owens, and P.R. Tapster, 2000, ‘‘Single-photon counting for the 1300–1600-nm range by use of Peltier-cooled and passivelyquenched InGaAs avalanche photodiodes,’’ Appl. Opt. 39,6746–6753.

Ribordy, G., J. Brendel, J. D. Gautier, N. Gisin, and H. Zbin-den, 2001, ‘‘Long distance entanglement based quantum keydistribution,’’ Phys. Rev. A 63, 012309.

Ribordy, G., J.-D. Gautier, N. Gisin, O. Guinnard, and H.Zbinden, 2000, ‘‘Fast and user-friendly quantum key distribu-tion,’’ J. Mod. Opt. 47, 517–531.

Ribordy, G., J. D. Gautier, H. Zbinden, and N. Gisin, 1998,‘‘Performance of InGaAsInP avalanche photodiodes asgated-mode photon counters,’’ Appl. Opt. 37, 2272–2277.

Rivest, R. L., A. Shamir, and L. M. Adleman, 1978, ‘‘A methodof obtaining digital signatures and public-key cryptosystems,’’Commun. ACM 21, 120–126.

Santori, C., M. Pelton, G. Solomon, Y. Dale, and Y. Yama-moto, 2000, ‘‘Triggered single photons from a quantum dot,’’Phys. Rev. Lett. 86, 1502–1505.

Shannon, C. E., 1949, ‘‘Communication theory of secrecy sys-tems,’’ Bell Syst. Tech. J. 28, 656–715.

Shih, Y. H., and C. O. Alley, 1988, ‘‘New type of Einstein-Podolsky-Rosen-Bohm experiment using pairs of light quantaproduced by optical parametric down conversion,’’ Phys. Rev.Lett. 61, 2921–2924.

Shor, P. W., 1994, Proceedings of the 35th Symposium on Foun-dations of Computer Science, edited by S. Goldwasser (IEEEComputer Society, Los Alamitos, California), pp. 124–134.

Shor, P. W., and J. Preskill, 2000, ‘‘Simple proof of security ofthe BB84 quantum key distribution protocol,’’ Phys. Rev.Lett. 85, 441–444.

Simon, C., G. Weihs, and A. Zeilinger, 1999, ‘‘Quantum clon-ing and signaling,’’ Acta Phys. Slov. 49, 755–760.

Simon, C., G. Weihs, and A. Zeilinger, 2000, ‘‘Optimum quan-tum cloning via stimulated emission,’’ Phys. Rev. Lett. 84,2993–2996.

Singh, S., 1999, The Code Book: The Science of Secrecy fromAncient Egypt to Quantum Cryptography (Fourth Estate,London).

Snyder, A. W., and J. D. Love, 1983, Optical Waveguide Theory(Chapman & Hall, London).

Spinelli, A., L. M. Davis, and H. Dauted, 1996, ‘‘Activelyquenched single-photon avalanche diode for high repetitionrate time-gated photon counting,’’ Rev. Sci. Instrum. 67,55–61.


Stallings, W., 1999, Cryptography and Network Security: Prin-ciples and Practices (Prentice Hall, Upper Saddle River, NewJersey).

Stefanov, A., O. Guinnard, L. Guinnard, H. Zbinden, and N.Gisin, 2000, ‘‘Optical quantum random number generator,’’ J.Mod. Opt. 47, 595–598.

Steinberg, A. M., P. Kwiat, and R. Y. Chiao, 1992a, ‘‘Disper-sion cancellation and high-resolution time measurements in afourth-order optical interferometer,’’ Phys. Rev. A 45, 6659–6665.

Steinberg, A. M., P. Kwiat, and R. Y. Chiao, 1992b, ‘‘Disper-sion cancellation in a measurement of the single-photonpropagation velocity in glass,’’ Phys. Rev. Lett. 68, 2421–2424.

Stucki, D., G. Ribordy, A. Stefanov, H. Zbinden, J. Rarity, andT. Wall, 2001, ‘‘Photon counting for quantum key distributionwith Peltier-cooled InGaAs/InP APD’s,’’ J. Mod. Opt. 48,1967–1981.

Sun, P. C., Y. Mazurenko, and Y. Fainman, 1995, ‘‘Long-distance frequency-division interferometer for communica-tion and quantum cryptography,’’ Opt. Lett. 20, 1062–1063.

Tanzilli, S., H. De Riedmatten, W. Tittel, H. Zbinden, P. Baldi,M. De Micheli, D. B. Ostrowsky, and N. Gisin, 2001, ‘‘Highlyefficient photon-pair source using a periodically poled lithiumniobate waveguide,’’ Electron. Lett. 37, 26–28.

Tapster, P. R., J. G. Rarity, and P. C. M. Owens, 1994, ‘‘Viola-tion of Bell’s inequality over 4 km of optical fiber,’’ Phys. Rev.Lett. 73, 1923–1926.

Thomas, G. A., B. I. Shraiman, P. F. Glodis, and M. J. Stephen,2000, ‘‘Towards the clarity limit in optical fiber,’’ Nature(London) 404, 262–264.

Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 1998, ‘‘Viola-tion of Bell inequalities by photons more than 10 km apart,’’Phys. Rev. Lett. 81, 3563–3566.

Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 1999, ‘‘Long-distance Bell-type tests using energy-time entangled pho-tons,’’ Phys. Rev. A 59, 4150–4163.

Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 2000, ‘‘Quan-tum cryptography using entangled photons in energy-timebell states,’’ Phys. Rev. Lett. 84, 4737–4740.

Tittel, W., H. Zbinden, and N. Gisin, 2001, ‘‘Experimentaldemonstration of quantum secret sharing,’’ Phys. Rev. A 63,042301.

Tomita, A., and R. Y. Chiao, 1986, ‘‘Observation of Berry’stopological phase by use of an optical fiber,’’ Phys. Rev. Lett.57, 937–940.

Townsend, P., 1994, ‘‘Secure key distribution system based onquantum cryptography,’’ Electron. Lett. 30, 809–811.

Townsend, P., 1997a, ‘‘Simultaneous quantum cryptographickey distribution and conventional data transmission over in-stalled fibre using WDM,’’ Electron. Lett. 33, 188–190.

Townsend, P., 1997b, ‘‘Quantum cryptography on multiuser op-tical fiber networks,’’ Nature (London) 385, 47–49.

Townsend, P., 1998a, ‘‘Experimental investigation of the per-formance limits for first telecommunications-window quan-tum cryptography systems,’’ IEEE Photonics Technol. Lett.10, 1048–1050.


Townsend, P., 1998b, ‘‘Quantum cryptography on optical fibernetworks,’’ Opt. Fiber Technol.: Mater., Devices Syst. 4, 345–370.

Townsend, P. D., S. J. D. Phoenix, K. J. Blow, and S. M. Bar-nett, 1994, ‘‘Design of QC systems for passive optical net-works,’’ Electron. Lett. 30, 1875–1876.

Townsend, P., J. G. Rarity, and P. R. Tapster, 1993a, ‘‘Singlephoton interference in a 10 km long optical fiber interferom-eter,’’ Electron. Lett. 29, 634–639.

Townsend, P., J. Rarity, and P. Tapster, 1993b, ‘‘Enhancedsingle photon fringe visibility in a 10 km-long prototypequantum cryptography channel,’’ Electron. Lett. 29, 1291–1293.

Vernam, G., 1926, ‘‘Cipher printing telegraph systems for se-cret wire and radio telegraphic communications,’’ J. Am. Inst.Electr. Eng. 45, 109–115.

Vinegoni, C., M. Wegmuller, and N. Gisin, 2000, ‘‘Determina-tion of nonlinear coefficient n2/Aeff using a self-aligned inter-ferometer and a Faraday mirror,’’ Electron. Lett. 36, 886–888.

Vinegoni, C., M. Wegmuller, B. Huttner, and N. Gisin, 2000,‘‘Measurement of nonlinear polarization rotation in a highlybirefringent optical fiber using a Faraday mirror,’’ J. Opt. A,Pure Appl. Opt. 2, 314–318.

Walls, D. F., and G. J. Milburn, 1995, Eds., Quantum Optics(Springer, Berlin).

Weihs, G., T. Jennewein, C. Simon, H. Weinfurter, and A.Zeilinger, 1998, ‘‘Violation of Bell’s inequality under strictEinstein locality conditions,’’ Phys. Rev. Lett. 81, 5039–5043.

Wiesner, S., 1983, ‘‘Conjugate coding,’’ SIGACT News 15, 78–88.

Wigner, E. P., 1961, The Logic of Personal Knowledge: EssaysPresented to Michael Polanyi on his Seventieth Birthday, 11March 1961 (Routledge & Kegan Paul, London), pp. 231–238.

Wootters, W. K., and W. H. Zurek, 1982, ‘‘A single quantumcannot be cloned,’’ Nature (London) 299, 802–803.

Yuen, H. P., 1997, ‘‘Quantum amplifiers, quantum duplicatorsand quantum cryptography,’’ Quantum Semiclassic. Opt. 8,939.

Zappa, F., A. Lacaita, S. Cova, and P. Webb, 1994, ‘‘Nanosec-ond single-photon timing with InGaAs/InP photodiodes,’’Opt. Lett. 19, 846–848.

Zbinden, H., J.-D. Gautier, N. Gisin, B. Huttner, A. Muller,and W. Tittel, 1997, ‘‘Interferometry with Faraday mirrors forquantum cryptography,’’ Electron. Lett. 33, 586–588.

Zeilinger, A., 1999, ‘‘Experiment and the foundations of quan-tum physics,’’ Rev. Mod. Phys. 71, S288–S297.

Zissis, G., and A. Larocca, 1978, in Handbook of Optics, ed-ited by W. G. Driscoll (McGraw-Hill, New York), Sec. 3.

Zukowski, M., A. Zeilinger, M. A. Horne, and A. Ekert, 1993,‘‘ ‘Event-ready-detectors’ Bell experiment via entanglementswapping,’’ Phys. Rev. Lett. 71, 4287–4290.

Zukowski, M., A. Zeilinger, M. Horne, and H. Weinfurter,1998, ‘‘Quest for GHZ states,’’ Acta Phys. Pol. A 93,187–195.

Documents

Quantum cryptography - d22izw7byeupn1.cloudfront.net · The idea of quantum cryptography was ﬁrst proposed in the 1970s by Stephen Wiesner2 (1983) and by Charles ... ern cryptology