Quantum Key Distribution
1. INTRODUCTION
1.1 Cryptography:
Cryptography is the art of rendering information exchanged between two parties
unintelligible to any unauthorized person. The purpose of cryptography is to transmit
information in such a way that access to it is restricted entirely to the intended recipient,
even if the transmission itself is received by others. This science is of increasing
importance with the advent of broadcast and network communication, such as electronic
transactions, the Internet, e-mail, and cell phones, where sensitive monetary, business,
political, and personal communications are transmitted over public channels.
Principle of cryptography
The sender combines the plain text with a secret key, using some encryption algorithm, to
obtain the cipher text. This scrambled message is then sent to the recipient who reverses
the process to recover the plain text by combining the cipher text with the secret key
using the decryption algorithm. An eavesdropper cannot deduce the plain message from
the scrambled one without knowing the key.
In classical cryptography the encrypting and decrypting algorithms are publicly
announced; the security of the cryptogram depends entirely on the secrecy of the key, and
the same key is used for both encryption and decryption. To prevent the key being discovered by
accident or systematic search, the key is chosen as a very large number. This means first,
that the key generation process must be appropriate, in the sense that it must not be
possible for a third party to guess or deduce it. Truly random numbers must thus be used
for the key. Second, it must not be possible for a third party to intercept the key during its
exchange between the sender and the recipient. This so-called “key distribution problem”
is very central in cryptography.
Classical cryptography
Cryptographers have tried hard to solve this key distribution problem. The 1970s brought
a clever mathematical discovery in the form of public key cryptography (PKC). PKC
systems exploit the fact that certain mathematical operations are easier to do in one
direction than the other.
• Public key cryptography: Two keys used
– Public key known to everybody. Used for encryption.
– Private key known only to owner. Used for decryption.
Public key cryptography
Public key cryptography works if…
• Private key remains secret
– Never leaves the owner’s computer.
– Typically encrypted and password-protected.
• Difficult to guess private key from knowledge of public key
– Boils down to trying all different key combinations.
– Difficulty of breaking the code rises exponentially with the bit length of the key
– 1024b keys require more time than the life of the universe in order to be broken.
• Reliable public key distributed
– This is the most difficult problem!
The systems avoid the key distribution problem, but unfortunately their security depends
on unproven mathematical assumptions about the intrinsic difficulty of certain
operations. The most popular public key cryptosystem, RSA (Rivest-Shamir-Adleman),
gets its security from the difficulty of factoring large numbers.
RSA Algorithm:
- Pick two large prime numbers p and q and calculate the product N = pq, f = (p – 1)(q – 1)
- Choose a number that is co-prime with f, c
- Find a number d to satisfy cd = 1 mod f, using a method such as Euclid’s algorithm
- Using your plaintext, a, the ciphertext is encoded as b = a^c mod N
- To retrieve the plaintext, a = b^d mod N
- The numbers N and c are made public, so anyone can encrypt information, but
  only someone with d can retrieve the plaintext
Example for RSA:
- Plaintext a = 123
- p = 61 and q = 53
- N = pq = 3233
- f = (p – 1)(q – 1) = 3120
- Pick a coprime of f, c = 17
- Find d such that cd = 1 mod f, d = 2753
- Encode with a^c mod N, in this case 123^17 mod 3233 = 855
- Decode message by evaluating b^d mod N, in this case 855^2753 mod 3233 = 123
This means that if ever mathematicians or computer scientists come up with fast and
clever procedures for factoring large numbers, then the whole privacy and discretion of
widespread cryptosystems could vanish overnight. As public key cryptography
algorithms require complex calculations, they are slow.
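The RSA steps and worked numbers above as runnable Python. This is an added example, not part of the original report; all function names are hypothetical. The last function shows why the scheme rests on factoring: for a toy modulus such as N = 3233, trial division recovers d from the public values alone.

```python
"""Textbook RSA with the report's symbols (p, q, N, f, c, d, a, b).

Toy parameters only: no padding, key sizes far too small for real use.
"""


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def private_exponent(c, f):
    """Find d with c*d = 1 mod f; rejects c that is not co-prime with f."""
    g, x, _ = egcd(c, f)
    if g != 1:
        raise ValueError("c must be co-prime with f")
    return x % f


def make_keys(p, q, c):
    """Return ((N, c), d): the public pair and the private exponent."""
    N = p * q
    f = (p - 1) * (q - 1)
    return (N, c), private_exponent(c, f)


def encrypt(a, public):
    """b = a^c mod N. The plaintext must be smaller than the modulus."""
    N, c = public
    if not 0 <= a < N:
        raise ValueError("plaintext must be in [0, N)")
    return pow(a, c, N)


def decrypt(b, N, d):
    """a = b^d mod N."""
    return pow(b, d, N)


def recover_private_exponent(public):
    """Rebuild d from the public values alone by factoring N.

    Trial division is instant for a 12-bit N and hopeless for a modulus of
    realistic size; that gap is the whole security argument.
    """
    N, c = public
    i = 2
    while i * i <= N:
        if N % i == 0:
            p, q = i, N // i
            return private_exponent(c, (p - 1) * (q - 1))
        i += 1
    raise ValueError("N has no non-trivial factor")


if __name__ == "__main__":
    public, d = make_keys(61, 53, 17)
    b = encrypt(123, public)
    print("public", public, "d", d, "ciphertext", b)
    print("decrypted", decrypt(b, public[0], d))
    print("d recovered by factoring N:", recover_private_exponent(public))
```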
But quantum technology promises to revolutionize secure communication at an even
more fundamental level. While classical cryptography relies on the limitations of various
mathematical techniques or computing technology to restrict eavesdroppers from learning
the contents of encrypted messages, in quantum cryptography the information is
protected by the laws of physics.
1.2 Overview of QKD:
Quantum cryptography is based on the usage of individual particles/waves of light
(photons) and their intrinsic quantum properties to develop an unbreakable cryptosystem,
essentially because it is impossible to measure the quantum state of any system without
disturbing that system. It is theoretically possible that other particles could be used, but
photons offer all the necessary qualities needed, their behavior is comparatively
well-understood, and they are the information carriers in optical fiber cables, the most
promising medium for extremely high-bandwidth communications.
Alice and Bob will represent two people who want to communicate securely and
the malicious Eve will try to listen in on the communication.
Quantum Key Distribution
The quantum channel will only be used to send information from Alice to Bob,
not in the other direction. This is a secure channel (e.g. optical fiber) used to transmit
polarized photons, which will then create the secret key. This secret key is generated in the
form of a random string of bits. These bits will then be used as a secret key in a conventional
cryptography scheme. The public channel could be the Internet.
The Heisenberg uncertainty principle and quantum entanglement can be exploited
in a system of secure communication, often referred to as "quantum cryptography".
Quantum cryptography provides means for two parties to exchange an enciphering key
over a private channel with complete security of communication.
1.3 Principle:
Quantum cryptography solves the key distribution problem by allowing the exchange of a
cryptographic key between two remote parties with absolute security, guaranteed by the
laws of physics. This key can then be used with conventional cryptographic algorithms.
One may thus claim, with some merit, that “quantum key distribution” may be a better
name for quantum cryptography.
It exploits the fact that according to quantum physics, the mere fact of observing a
quantum object perturbs it in an irreparable way. When you read this article for example,
the sheet of paper must be lighted. The impact of the light particles will slightly heat it up
and hence change it. This effect is very small on a piece of paper, which is a macroscopic
object. However, the situation is radically different with a microscopic object. If one
encodes the value of a digital bit on a single quantum object, its interception will
necessarily translate into a perturbation, because the eavesdropper is forced to observe it.
This perturbation causes errors in the sequence of bits exchanged by the sender and
recipient.
Eavesdropping on a quantum channel. Eve extracts information from the quantum
channel between Alice and Bob at the cost of introducing noise into that channel.
By checking for the presence of such errors, the two parties can verify whether
their key was intercepted or not. It is important to stress that since this verification takes
place after the exchange of bits, one finds out a posteriori whether the communication
was eavesdropped or not. That is why this technology is used to exchange key and not
valuable information. Once the key is validated, it can be used to encrypt data.
There are two main types of quantum cryptosystems for key distribution:
• Cryptosystems with encoding based on two non-commuting observables, proposed
  by S. Wiesner (1970), and by C. H. Bennett and G. Brassard (1984)
• Cryptosystems with encoding built upon quantum entanglement and the Bell
  Theorem, proposed by A. K. Ekert (1990).
2 QUANTUM MECHANICS IN QKD
Quantum mechanics is the fundamental physical theory of matter. Quantum
communication involves encoding information in quantum states, or qubits, as opposed to
classical communication's use of bits. Usually, photons are used for these quantum states.
Quantum cryptography exploits certain properties of these quantum states to ensure its
security. There are several different approaches to quantum key distribution, but they can
be divided into two main categories depending on which property they exploit. Of these,
the most relevant for cryptography are Heisenberg's uncertainty principle and quantum
entanglement.
2.1 Uncertainty:
In contrast to classical physics, the act of measurement is an integral part of quantum
mechanics. In general, measuring an unknown quantum state will change that state in
some way. This is known as quantum indeterminacy, and underlies results such as the
Heisenberg uncertainty principle, information-disturbance theorem and no
cloning theorem. This can be exploited in order to detect any eavesdropping on
communication (which necessarily involves measurement) and, more importantly, to
calculate the amount of information that has been intercepted.
Heisenberg's Uncertainty principle:
• It is impossible to measure simultaneously both position and velocity of a
  microscopic particle with any degree of accuracy or certainty.
• The more precisely the position is determined, the less precisely the momentum is
  known in this instant, and vice versa.
• The uncertainty principle is certainly one of the most famous and important
  aspects of quantum mechanics. It has often been regarded as the most distinctive
  feature in which quantum mechanics differs from classical theories of the physical
  world.
• Attempting to measure an elementary particle’s position to the highest degree of
  accuracy, for example, leads to an increasing uncertainty in being able to measure
  the particle’s momentum to an equally high degree of accuracy. Heisenberg’s
  Principle is typically written mathematically in either of two forms:
ΔE Δt ≥ h / 4π
Δx Δp ≥ h / 4π
In essence, the uncertainty in the energy (ΔE) times the uncertainty in the time (Δt) -- or
alternatively, the uncertainty in the position (Δx) multiplied by the uncertainty in the
momentum (Δp) -- is greater than or equal to a constant (h/4π). The constant, h, is called
Planck’s Constant (where h/4π = 0.527 x 10^-34 Joule-second).
Information-disturbance theorem:
• It has been shown that the Information-Disturbance theorem can play an important
  role in the security proof of quantum cryptography.
• The theorem can be regarded as an information-theoretic version of the uncertainty
  principle.
• In this, the restriction on the source is abandoned, and a general
  information-disturbance theorem is obtained. The theorem relates information gain by Eve
  with information gain by Bob.
• The information gain by Eve inevitably makes the outcomes by Bob in the
  conjugate basis not only erroneous but random.
No cloning theorem:
• The no cloning theorem is a result of quantum mechanics which forbids the
  creation of identical copies of an arbitrary unknown quantum state.
• The no cloning theorem prevents us from using classical error correction
  techniques on quantum states. For example, we cannot create backup copies of a
  state in the middle of a quantum computation, and use them to correct subsequent
  errors. Error correction is vital for practical quantum computing, and for some
  time this was thought to be a fatal limitation.
2.2 Entanglement:
The quantum states of two (or more) separate objects can become linked together in such
a way that they must be described by a combined quantum state, not as individual
objects. This is known as entanglement and means that, performing a measurement on
one object will affect the other. If an entangled pair of objects is shared between two
parties, anyone intercepting either object will alter the overall system, allowing the
presence of the third party (and the amount of information they have gained) to be
determined.
Quantum entanglement is a quantum mechanical phenomenon in which the
quantum states of two or more objects have to be described with reference to each other,
even though the individual objects may be spatially separated. This leads to correlations
between observable physical properties of the systems that are stronger than any classical
correlations. As a result, measurements performed on one system may be interpreted as
"influencing" other systems entangled with it. However, no information can be
transmitted through entanglement.
Entanglement obeys the letter if not the spirit of relativity. Although two
entangled systems can interact across large spatial separations, no useful information can
be transmitted in this way, so causality cannot be violated through entanglement. This
occurs for two subtle reasons:
(i) Quantum mechanical measurements yield probabilistic results
(ii) The no cloning theorem forbids the statistical inspection of entangled
quantum states.
Although no information can be transmitted through entanglement alone, it is
possible to transmit information using a set of entangled states used in conjunction with a
classical information channel. This process is known as quantum teleportation. Despite
its name, quantum teleportation cannot be used to transmit information faster than light,
because a classical information channel is involved.
2.3 Fundamentals:
• Light waves are propagated as discrete quanta called photons.
• They are massless and have energy, momentum and angular momentum called
  spin.
• Spin carries the polarization.
• If on its way we put a polarization filter a photon may pass through it or may not.
• We can use a detector to check if a photon has passed through a filter.
Heisenberg Uncertainty Principle:
• Certain pairs of physical properties are related in such a way that measuring one
  property prevents the observer from knowing the value of the other. When
  measuring the polarization of a photon, the choice of what direction to measure
  affects all subsequent measurements.
• If a photon passes through a vertical filter it will have the vertical orientation
  regardless of its initial direction of polarization.
Photon Polarization:
[Figure: a vertical filter followed by a tilted filter at the angle θ]
The probability of a photon appearing after the second filter depends on the angle θ
and becomes 0 at θ = 90 degrees.
The first filter randomizes the measurements of the second filter.
Polarization by a filter:
• A pair of orthogonal filters such as vertical/horizontal is called a basis.
• A pair of bases is conjugate if the measurement in the first basis completely
  randomizes the measurements in the second basis.
• As in the previous example for θ = 45 deg.
Sender-receiver of photons:
• Suppose Alice uses 0-deg/90-deg polarizer sending photons to Bob. But she does
  not reveal which.
• Bob can determine photons by using filter aligned to the same basis.
• But if he uses 45deg/135 deg polarizer to measure the photon he will not be able
  to determine any information about the initial polarization of the photon.
• The result of his measurement will be completely random.
Eavesdropper Eve:
• If Eve uses the filter aligned with Alice’s she can recover the original polarization
  of the photon.
• If she uses the misaligned filter she will receive no information about the photon.
• Also she will influence the original photon and be unable to retransmit it with the
  original polarization.
• Bob will be able to deduce Eve’s presence.
Bit Vs Qubit:
A qubit is the fundamental building block of quantum computers. Qubits are
made up of controlled particles and the means of control (e.g. devices that trap particles
and switch them from one state to another). Each photon carries one qubit of information.
A quantum computer is a device for computation that makes direct use of quantum
mechanical phenomena, such as superposition and entanglement, to perform operations
on data. The basic principle behind quantum computation is that quantum properties can
be used to represent data and perform operations on these data.
A classical computer has a memory made up of bits, where each bit represents either a
one or a zero. A quantum computer maintains a sequence of qubits. A single qubit can
represent a one, a zero, or, crucially, any quantum superposition of these; moreover, a
pair of qubits can be in any quantum superposition of 4 states, and three qubits in any
superposition of 8. In general a quantum computer with n qubits can be in an arbitrary
superposition of up to 2^n different states simultaneously (this compares to a normal
computer that can only be in one of these 2^n states at any one time). A quantum computer
operates by manipulating those qubits with a fixed sequence of quantum logic gates. The
sequence of gates to be applied is called a quantum algorithm.
Consider first a classical computer that operates on a three-bit register. The state of the
computer at any time is a probability distribution over the 2^3 = 8 different three-bit strings
000, 001, ..., 111. If it is a deterministic computer, then it is in exactly one of these states
with probability 1. However, if it is a probabilistic computer, then it may have a chance
of being in a number of different states. We can describe this probabilistic state by eight
nonnegative numbers a,b,c,d,e,f,g,h (where a = probability computer is in state 000, b =
probability computer is in state 001, etc.). There is a restriction that these probabilities
sum to 1.
The state of a three-qubit quantum computer is similarly described by an eight-dimensional
vector (a,b,c,d,e,f,g,h), called a wavefunction. However, instead of adding to
one, the sum of the squares of the coefficient magnitudes, |a|^2 + |b|^2 + ... + |h|^2, must
equal one. Moreover, the coefficients are complex numbers. Since states are represented
by complex wavefunctions, two states being added together will undergo interference.
This is a key difference between quantum computing and probabilistic classical
computing.[6]
Note that although recording a classical state of n bits, a 2^n-dimensional probability
distribution, requires an exponential number of real numbers, practically we can always
think of the system as being exactly one of the n-bit strings—we just don't know which
one. Quantum mechanically, this is not the case, and all 2^n complex coefficients need to
be kept track of to see how the quantum system evolves. For example, a 300-qubit
quantum computer has a state described by 2^300 (approximately 10^90) complex numbers,
more than the number of atoms in the observable universe.
Quantum Random Number Generators:
Classical physics is deterministic. If the state of a system is known, physical laws can be
used to predict its evolution. On the contrary, the outcome of certain phenomena is,
according to quantum physics, fundamentally random. One such phenomenon is the
reflection or transmission of an elementary light “particle” – a photon – on a
semi-transparent mirror. In such a case, the photon is transmitted or reflected by the mirror
with a probability of 50%. It is thus completely impossible for an observer to predict the
outcome. Because of this intrinsic randomness, it is natural to use this phenomenon to
generate strings of random numbers. Quantis is a quantum random number generator
exploiting this principle.
Fiber-optic links:
Randomly generated keys are changed up to 1,000 times/s in MagiQ’s OPN Security
Gateway, which uses a secure fiber-optic link to transmit the changing key sequence up
to 120 km as a stream of polarized photons. The company claims that linking its systems
together can transmit a QKD several hundred kilometers.
Quantum properties other than polarization can encode the value of a bit for the quantum
key. This company introduced the first commercial quantum-cryptography products in
2002: single-photon detectors and random-number generators, two essential components
for quantum-cryptography systems. In 2003, the company partnered with two
electronic-security firms to develop a commercial system.
3 QUANTUM KEY EXCHANGE
Quantum Key Exchange can be further divided into three families of protocols;
discrete variable, continuous variable and distributed phase reference coding. Discrete
variable protocols were the first to be invented, and they remain the most widely
implemented. The other two families are mainly concerned with overcoming practical
limitations of experiments. The two protocols described below both use discrete variable
coding:
• BB84 Protocol
• E91 Protocol
3.1 BB84 Protocol
This protocol, known as BB84 after its inventors and year of publication, was
originally described using photon polarization states to transmit the information.
However, any two pairs of conjugate states can be used for the protocol, and many
optical fiber based implementations described as BB84 use phase encoded states. The
sender (traditionally referred to as Alice) and the receiver (Bob) are connected by a
quantum communication channel which allows quantum states to be transmitted. In the
case of photons this channel is generally either an optical fiber or simply free space. In
addition they communicate via a public classical channel, for example using broadcast
radio or the internet. Neither of these channels need to be secure; the protocol is designed
with the assumption that an eavesdropper (referred to as Eve) can interfere in any way
with both.
The security of the protocol comes from encoding the information in non-orthogonal
states. Quantum indeterminacy means that these states cannot in general be measured
without disturbing the original state as stated in “No cloning theorem”.
BB84 uses two pairs of states, with each pair conjugate to the other pair, and the
two states within a pair orthogonal to each other. Pairs of orthogonal states are referred to
as a basis. The usual polarization state pairs used are either the rectilinear basis of vertical
(0°) and horizontal (90°), the diagonal basis of 45° and 135° or the circular basis of
left- and right-handedness. Any two of these bases are conjugate to each other, and so any two
can be used in the protocol. Below the rectilinear and diagonal bases are used.
[Table with columns: Basis, 0, 1]
First, Alice and Bob have to communicate (one way communication) via quantum
channel, and then they both will establish connection with public channel in quantum
transmission (two way communication).
BB84 protocol works as follows:
a) Via Quantum Channel
i. Alice creates a random bit (0 or 1) and then randomly selects one of her two
   bases (rectilinear or diagonal in this case) to transmit it in. Alice then
   transmits a single photon in the state specified to Bob, using the quantum
   channel. This process is then repeated from the random bit stage, with Alice
   recording the state, basis and time of each photon sent.
ii. After all the photon transmissions have finished, Bob will measure the bits he
    received using the rectilinear or diagonal basis.
b) Via Public Channel
i. Bob announces which kind of measurement he made, with or without the
   presence of Eve.
ii. Alice tells him whether he made the correct measurement.
iii. Alice and Bob agree publicly to discard all incorrect measurements.
iv. Alice and Bob agree publicly to discard all positions where photons were not
    detected.
v. Polarizations of resulting photons are 0 for horizontal & left-circular.
vi. Polarizations of resulting photons are 1 for vertical & right-circular as shown
    below.
vii. Alice and Bob now share a raw key, which is considered not fully secret, as bits
     may have been tampered with by Eve during the transmission.
viii. They both will then continue to communicate over the public channel to find and
      correct the bits that they have by the key distillation process.
Quantum mechanics (particularly quantum indeterminacy) says there is no
possible measurement that will distinguish between the 4 different polarization states, as
they are not all orthogonal. The only measurement possible is between any two
orthogonal states (a basis), so for example measuring in the rectilinear basis will give a
result of horizontal or vertical. If the photon was created as horizontal or vertical (as a
rectilinear eigenstate) then this will measure the correct state, but if it was created as 45°
or 135° (diagonal eigenstates) then the rectilinear measurement will instead return either
horizontal or vertical at random. Furthermore, after this measurement the photon will be
polarized in the state it was measured in (horizontal or vertical), with all information
about its initial polarization lost.
To check for the presence of eavesdropping Alice and Bob now compare a certain
subset of their remaining bit strings. If a third party (usually referred to as Eve, for
'eavesdropper') has gained any information about the photons' polarization, this will have
introduced errors in Bob's measurements. If more than p bits differ they abort the key and
try again, possibly with a different quantum channel, as the security of the key cannot be
guaranteed. p is chosen so that if the number of bits known to Eve is less than this,
privacy amplification can be used to reduce Eve's knowledge of the key to an arbitrarily
small amount, by reducing the length of the key.
BB84 Protocol Implementation:
3.1.1 Software Structure
For the BB84 implementation, the software has been developed in the Java
language. Alice and Bob communicate over the Quantum channel and the public channel,
with or without the presence of Eve. As in the physical implementation of the BB84
protocol, this software works over two channels, the Quantum channel and the public channel.
Alice plays the sender role, Bob the receiver and Eve the eavesdropper. The software
consists of 5 objects: Alice, Bob, Eve, Quantum channel and Public channel.
Alice is the sender who provides (transmits) bits to the Quantum channel. This Quantum
channel acts just like the physical implementation: if there is a tap from an
eavesdropper, the bits will be changed. Assuming that Alice wants to transmit bits to Bob
without any knowledge that Eve exists, Bob then reads the Quantum channel object to
retrieve the bits, whether they have been modified by Eve or come unchanged from Alice.
Alice and Bob then communicate over the public channel to find erroneous bits and correct
them. Bob uses the public channel object to communicate with Alice in the presence of Eve.
On the public channel, however, Eve can only observe the communication; she makes no
modification.
3.1.2 Hardware Setup:
In this implementation, the devices used are:
• 3 workstations
• 1 switch
All devices are set up in the same room. The switch is used to connect all
workstations. The workstations represent Alice, Bob and Eve respectively. Static IP
addresses are used so that all workstations can communicate via the switch, so Eve will
recognize Alice and Bob by their IP addresses. The developed software is installed on each
of the workstations to simulate the protocol.
3.1.3 The Protocol
The software protocol
For this simulation, each object (Alice, Bob, Eve) plays a different role. Only the
appropriate function is executed on each workstation, depending on its role. The
Quantum channel and public channel objects are executed on Alice’s workstation, while the
Eve and Bob objects are executed on separate workstations.
This program works as follows:
1) Alice generates a random sequence of bits (0 & 1) of length k, then sends it on the Quantum
channel object to be ‘read’ by Bob and Eve.
2) If Eve is eavesdropping, Eve is the one who ‘reads’ the Quantum channel object first.
Eve can modify the bits with two kinds of attack: intercept/resend or beam splitting.
3) Then Bob reads the updated version from the Quantum channel object, assuming that Bob
doesn’t know about the tapping by Eve.
4) Bob then measures the bits he ‘read’ from the Quantum channel object with his own
selected bases. Then Bob ‘announces’ the bases he used to Alice via the public channel, which
is located at Alice’s workstation.
5) Sifting of the raw key begins: Alice ‘reads’ Bob’s measurement on the public channel object
and ‘confirms’ to Bob the positions Bob has measured in the right bases (m bits) by announcing
them on the public channel.
6) Next, Alice and Bob estimate the error to detect an eavesdropper. They both calculate and
compare their bit error rate (e). If they find that their error rate is higher than the
maximum bit error rate (e > emax), they suspend the communication and start all
over again. (emax has a predetermined value.)
7) Now both Alice and Bob have a shared key, which is called the ‘raw key’. This key
is not really shared, since Alice’s and Bob’s versions are different. They eliminate the m bits
from the raw key.
8) Both Alice and Bob then perform ‘error correction’ on their raw key to find erroneous
bits in the uncompared parts of the keys, and ‘privacy amplification’ to minimize the number of
bits that an eavesdropper knows in the final key.
9) Finally, they both get the same string of bits, which is the shared secret key.
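Steps 1 to 7 of the program, together with the filter behaviour from section 2.3, as a single-process Python simulation. This is an added example, not the Java software the report describes; the function names, the bit assignment in the diagonal basis, the 50% disclosure fraction and the default e_max of 0.20 are assumptions, and only the intercept/resend attack on a lossless channel is modelled.

```python
import math
import random

RECT, DIAG = "rectilinear", "diagonal"      # the two conjugate bases
# Polarization angle in degrees for each (basis, bit). The rectilinear mapping
# follows the report (horizontal 90 deg = 0, vertical 0 deg = 1); the diagonal
# mapping is an assumption, since the report does not state it.
ANGLE = {(RECT, 0): 90, (RECT, 1): 0, (DIAG, 0): 45, (DIAG, 1): 135}


def measure(angle, basis, rng):
    """Measure a photon polarized at `angle` in `basis`.

    A photon passes a filter tilted by theta from its own polarization with
    probability cos^2(theta): certain at 0 deg, impossible at 90 deg, a coin
    flip at 45 deg (the conjugate basis). Returns (bit, angle afterwards);
    the photon leaves in the state it was measured in.
    """
    theta = math.radians(angle - ANGLE[(basis, 0)])
    p_zero = round(math.cos(theta) ** 2, 12)    # rounding removes float noise
    bit = 0 if rng.random() < p_zero else 1
    return bit, ANGLE[(basis, bit)]


def bb84(n, eve=False, e_max=0.20, sample_fraction=0.5, seed=None):
    """Run one BB84 session over n photons and return the outcome as a dict."""
    rng = random.Random(seed)
    bases = (RECT, DIAG)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice(bases) for _ in range(n)]
    bob_bases = [rng.choice(bases) for _ in range(n)]

    # Quantum channel: Alice sends, Eve may intercept/resend, Bob measures.
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        angle = ANGLE[(a_basis, bit)]
        if eve:
            # Eve guesses a basis and resends whatever state she measured.
            _, angle = measure(angle, rng.choice(bases), rng)
        bob_bits.append(measure(angle, b_basis, rng)[0])

    # Public channel, sifting: keep positions where the bases matched.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]

    # Error estimation: disclose m sifted bits and compare them.
    m = int(len(keep) * sample_fraction)
    disclosed = set(rng.sample(keep, m))
    errors = sum(alice_bits[i] != bob_bits[i] for i in disclosed)
    e = errors / m if m else 0.0
    if e > e_max:
        return {"aborted": True, "error_rate": e, "alice_key": [], "bob_key": []}

    # The disclosed bits are public now, so they are removed from the raw key.
    rest = [i for i in keep if i not in disclosed]
    return {
        "aborted": False,
        "error_rate": e,
        "alice_key": [alice_bits[i] for i in rest],
        "bob_key": [bob_bits[i] for i in rest],
    }


if __name__ == "__main__":
    for tapped in (False, True):
        r = bb84(20000, eve=tapped, seed=1)
        print("eve" if tapped else "no eve", "aborted:", r["aborted"],
              "error rate: %.3f" % r["error_rate"],
              "raw key bits:", len(r["alice_key"]))
```

With Eve guessing the basis wrongly half the time and Bob's result then being random, the error rate on sifted bits settles near 25%, which is what the abort check in step 6 catches.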
3.2 E91 protocol:
The Ekert scheme uses entangled pairs of photons. These can be created by Alice, by
Bob, or by some source separate from both of them, including eavesdropper Eve. The
photons are distributed so that Alice and Bob each end up with one photon from each
pair. Quantum entanglement is a condition of two or more quantum particles like photons
where the various properties are correlated.
The scheme relies on two properties of entanglement. First, the entangled states are
perfectly correlated in the sense that if Alice and Bob both measure whether their
particles have vertical or horizontal polarizations, they will always get the same answer
with 100% probability. The same is true if they both measure any other pair of
complementary (orthogonal) polarizations. However, the particular results are completely
random; it is impossible for Alice to predict if she (and thus Bob) will get vertical
polarization or horizontal polarization.
Second, any attempt at eavesdropping by Eve will destroy these correlations in a way that
Alice and Bob can detect.
Quantum cryptography exploiting photon pairs entangled in polarization
The Ekert scheme uses entangled pairs of photons. These can be made by Alice, by Bob,
or by some source separate from both of them; in any case, they are distributed so that
Alice and Bob each end up with one photon from each pair.
The scheme relies on three properties of entanglement. First, we can make
entangled states which are perfectly anti-correlated, in the sense that if Alice and Bob
both test whether their particles have or
polarizations, they will always get opposite
answers, and the same is true if they both test whether they have
or
, or if they both
carry out the same test for any other pair of complementary (orthogonal) polarizations.
However, their individual results are completely random: it is impossible to predict in
advance if Alice will get
or
.
Second, these states have a property often called quantum non-locality, which has no
analogue in classical physics or everyday experience. If Alice and Bob carry out different
polarization measurements, their answers will not be perfectly anti-correlated, or
perfectly correlated, but they will in general be statistically correlated. That is, Alice can
make a better than random guess at Bob's answer, given her own, and vice versa. And
these correlations are stronger - in other words, Alice's guesses will on average be better than any model based on classical physics or ordinary intuition would predict.
Third, any attempt at eavesdropping by Eve will weaken these correlations, in a way that
Alice and Bob can detect.
4 KEY DISTILLATION
The quantum cryptography protocols will provide Alice and Bob with nearly identical
shared keys, and also with an estimate of the discrepancy between the keys. These
differences can be caused by eavesdropping, but will also be caused by imperfections
in the transmission line and detectors. As it is impossible to distinguish between these
two types of errors, it is assumed all errors are due to eavesdropping in order to
guarantee security. A post processing phase, also known as key distillation, is then
performed as shown in the diagram. It takes place after the sifting of the key and consists
of two steps. Provided the error rate between the keys is lower than a certain
threshold (20%), two steps can be performed to first remove the erroneous bits and
then reduce Eve's knowledge of the key to an arbitrarily small value. These two steps
are known as information reconciliation and privacy amplification.
4.1 Information reconciliation:
It is a form of error correction carried out between Alice and Bob's keys, in order
to ensure both keys are identical. It is conducted over the public channel and as such it is
vital to minimise the information sent about each key, as this can be read by Eve. A
common protocol used for information reconciliation is the cascade protocol. This
operates in several rounds, with both keys divided into blocks in each round and the
parity of those blocks compared. If a difference in parity is found then a binary search is
performed to find and correct the error. If an error is found in a block from a previous
round that had correct parity then another error must be contained in that block; this error
is found and corrected as before. This process is repeated recursively, which is the source
of the cascade name. After all blocks have been compared, Alice and Bob both reorder
their keys in the same random way, and a new round begins. At the end of multiple
rounds Alice and Bob will have identical keys with high probability; however, Eve will
have gained additional information about the key from the parity information exchanged.
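The rounds described above, as an added Python example (not code from the original report): block parities are compared, a binary search fixes one error per mismatching block, and each fix is cascaded back into the blocks of earlier rounds. The first-round block size of about 0.73/QBER, the doubling per round and the seeded shuffle standing in for the publicly agreed reordering are assumptions; the returned leak count is the parity information Eve is assumed to have collected.

```python
import math
import random


def parity(bits, positions):
    """XOR of the bits at the given positions."""
    return sum(bits[i] for i in positions) % 2


def locate_error(alice, bob, block, leak):
    """Binary search inside a block whose parities disagree.

    Every halving discloses one more parity bit on the public channel.
    """
    while len(block) > 1:
        half = block[: len(block) // 2]
        leak[0] += 1
        if parity(alice, half) != parity(bob, half):
            block = half
        else:
            block = block[len(block) // 2:]
    return block[0]


def cascade(alice, bob, qber, passes=4, seed=1):
    """Return (Bob's corrected key, number of parity bits leaked to Eve)."""
    bob = list(bob)
    rng = random.Random(seed)            # stands in for the publicly agreed shuffle
    order = list(range(len(alice)))
    k = max(2, math.ceil(0.73 / qber))   # first-round block size (assumed rule of thumb)
    history, leak = [], [0]
    for p in range(passes):
        if p:                            # later rounds: reorder, double the block size
            rng.shuffle(order)
            k *= 2
        blocks = [order[i:i + k] for i in range(0, len(order), k)]
        history.append(blocks)
        leak[0] += len(blocks)           # one parity per block is announced
        todo = [b for b in blocks if parity(alice, b) != parity(bob, b)]
        while todo:
            block = todo.pop()
            if parity(alice, block) == parity(bob, block):
                continue                 # repaired meanwhile by another correction
            pos = locate_error(alice, bob, block, leak)
            bob[pos] ^= 1
            # Cascade step: every block of every round that holds `pos` just
            # changed parity; the ones that now disagree hide another error.
            for rnd in history:
                todo += [b for b in rnd
                         if pos in b and parity(alice, b) != parity(bob, b)]
    return bob, leak[0]


def hamming(a, b):
    """Number of positions in which two keys differ."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    rng = random.Random(7)               # constructed sample keys, 3% channel errors
    alice = [rng.randint(0, 1) for _ in range(2000)]
    bob = [b ^ (rng.random() < 0.03) for b in alice]
    fixed, leaked = cascade(alice, bob, qber=0.03)
    print(hamming(alice, bob), "errors before,", hamming(alice, fixed), "after,",
          leaked, "parity bits disclosed")
```

Two errors that share a first-round block have matching parity and are invisible until a later shuffle separates them; correcting one then makes the earlier block's parity disagree, which exposes the other.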
Error correction algorithm (Shor’s algorithm):
In 2001 the first working 7-qubit NMR computer, demonstrated at IBM's Almaden
Research Center, carried out the first execution of Shor's algorithm. The number 15 was factored
using $10^{18}$ identical molecules, each containing 7 atoms. Peter Shor, at AT&T's Bell Labs
in New Jersey, discovered a remarkable algorithm. It allowed a quantum computer to
factor large integers quickly. It solved both the factoring problem and the discrete log
problem. Shor's algorithm could theoretically break many of the cryptosystems in use
today. Its invention sparked a tremendous interest in quantum computers, even outside
the physics community.
Shor proposed the first scheme for quantum error correction. This is an approach to
making quantum computers that can compute with large numbers of qubits for long
periods of time. Errors are always introduced by the environment, but quantum error
correction might be able to overcome those errors. This could be a key technology for
building large-scale quantum computers that work. These early proposals had a number
of limitations. They could correct for some errors, but not errors that occur during the
correction process itself. A number of improvements have been suggested, and active
research on this continues. An alternative to quantum error correction has been found.
Instead of actively correcting the errors induced by the interaction with the environment,
special states that are immune to the errors can be used. This approach, known as
decoherence free subspaces, assumes that there is some symmetry in the computer-environment interaction.
Shor’s Algorithm:
- Let $f(x) = b^x \bmod N$, if we can find some r that f(x) = f(x+r), then we can find a
  number d’ such that cd’ = 1 mod r
- The value d’ works like the decoding value we calculated from cd = 1 mod f
- In addition, using different values for b<N, we can determine the prime
  components of N
Shor’s algorithm time computational complexity is:
$T(n) = O[(\ln n)^3]$
Eve can wiretap the public channel, but that won't do her any good. She gets information
on the bases and not on the outcome of the measurement. In case Eve attempts to
measure part of the Quantum Channel she betrays herself by a high Quantum Bit Error
Rate (QBER) and Alice and Bob are warned.
Quantum Bit Error Rate
The Quantum Bit Error Rate (QBER) is the ratio of an error rate to the key rate and
contains information on the existence of an eavesdropper and how much he knows.
QBER =
µ
pf : probability for a wrong 'click' (1-2%)
pd : probability for a wrong photon signal (Si: $10^{-7}$; GaAs: $10^{-5}$)
n : number of detections
q : phase = 1/2 (better for optical fibers); polarization = 1 (better in the air)
Σ: detector efficiency
fr: pulse repeat frequency
tl: transmission rate (for large distances small)
µ : attenuation for light pulses (single photons = 1)
Usually the QBER is around 11%. It means that Eve didn't gain more information on the
key than Bob.
4.2 Privacy Amplification:
It is a method for reducing (and effectively eliminating) Eve's partial information
about Alice and Bob's key. This partial information could have been gained both by
eavesdropping on the quantum channel during key transmission (thus introducing
detectable errors), and on the public channel during information reconciliation (where it
is assumed Eve gains all possible parity information). Privacy amplification uses Alice
and Bob's key to produce a new, shorter key, in such a way that Eve has only negligible
information about the new key. This can be done using a universal hash function, chosen
at random from a publicly known set of such functions, which takes as its input a binary
string of length equal to the key and outputs a binary string of a chosen shorter length.
The amount by which this new key is shortened is calculated, based on how much
information Eve could have gained about the old key (which is known due to the errors
this would introduce), in order to reduce the probability of Eve having any knowledge of
the new key to a very low value.
- The second step is called privacy amplification and consists in compressing the
key by an appropriate factor to reduce the information of the eavesdropper.
If an attacker knows L bits of the length-n string x, a hash function may be used to map
the string x to h(x) of length $n - L - s$ for any s. The attacker’s expected knowledge of h(x) is
less than $2^{-s}/\ln 2$ bits. A rudimentary privacy amplification protocol is described below.
Privacy Amplification Protocol:
Let us consider, as an illustration, a two-bit key shared by the emitter and the receiver and
let us assume that it is 01. Let us further assume that the eavesdropper knows the first bit
of the key but not the second one: 0?. The simplest privacy amplification protocol
consists in calculating the sum, without carry, of the two bits and to use the resulting bit
as the final key. The legitimate users obtain 0 + 1 = 1. The eavesdropper does not know
the second bit. For him, this operation could be either 0 + 0 = 0 or 0 + 1 = 1. He has no
way to decide which one is the correct one. Consequently, he does not have any
knowledge on the final key. There is a cost. This privacy amplification protocol shortens
the key by 50%.
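The two-bit sum above is the smallest instance of hashing with a randomly chosen universal hash function. The added Python example below (not from the original report) goes beyond that case with a Toeplitz matrix over GF(2), one common universal family chosen here as an assumption, and measures Eve's remaining uncertainty by enumerating every key consistent with what she knows; the 12-bit key and Eve's known prefix are constructed sample values.

```python
import itertools
import math
import secrets
from collections import Counter


def toeplitz_hash(key, seed, out_len):
    """Multiply the key by an out_len x len(key) Toeplitz matrix over GF(2).

    `seed` holds the len(key) + out_len - 1 public random bits that fix the
    matrix diagonals; entry (i, j) of the matrix is seed[i - j + len(key) - 1].
    """
    n = len(key)
    if len(seed) != n + out_len - 1:
        raise ValueError("seed must have len(key) + out_len - 1 bits")
    out = []
    for i in range(out_len):
        bit = 0
        for j in range(n):
            bit ^= seed[i - j + n - 1] & key[j]
        out.append(bit)
    return out


def final_length(n, eve_bits, s):
    """Length n - L - s left after removing Eve's L bits and a margin s."""
    return max(0, n - eve_bits - s)


def eve_entropy(known_prefix, n, seed, out_len):
    """Shannon entropy (bits) of the hashed key as seen by Eve.

    Eve knows `known_prefix` exactly and nothing about the remaining bits, so
    every completion is equally likely; out_len bits of entropy means she has
    learned nothing about the final key.
    """
    free = n - len(known_prefix)
    counts = Counter(
        tuple(toeplitz_hash(list(known_prefix) + list(rest), seed, out_len))
        for rest in itertools.product((0, 1), repeat=free)
    )
    total = 2 ** free
    return -sum(c / total * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    # The two-bit case from the text: key 01, Eve knows the first bit,
    # and the 1 x 2 matrix [1 1] adds the two bits without carry.
    print(toeplitz_hash([0, 1], [1, 1], 1), eve_entropy([0], 2, [1, 1], 1))

    # Constructed 12-bit key of which Eve holds 4 bits (quantum channel plus
    # reconciliation parities), hashed down with a safety margin of s = 2.
    n, leaked, s = 12, 4, 2
    m = final_length(n, leaked, s)
    seed = [secrets.randbits(1) for _ in range(n + m - 1)]
    print(m, "bit key, Eve's entropy:", eve_entropy([1, 0, 1, 1], n, seed, m))
```

An entropy equal to the output length means every final key is equally likely from Eve's point of view; a lower value signals an unlucky matrix choice, which is why the bound in the text is stated as an expectation over the choice of hash function.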
The compression factor depends on the error rate. The higher it is, the more
information an eavesdropper might have on the key and the more it must be compressed
to be secure. The figure below schematically shows the impact of the sifting and distillation
steps on the key size. This procedure works up to a maximum error rate. Above this
threshold, the eavesdropper can have too much information on the sequence to allow the
legitimate parties to produce a key. Because of this, it is essential for a quantum
cryptography system to have an intrinsic error rate that is well below this threshold.
Key distillation is then complemented by an authentication step in order to
prevent a “man in the middle” attack, where the eavesdropper would cut the
communication channels and pretend to the emitter that he is the receiver and vice versa.
This is possible thanks to the use of a pre-established secret key in the emitter and the
receiver, which is used to authenticate the communications on the classical channel. This
initial secret key serves only to authenticate the first quantum cryptography session. After
each session, part of the key produced is used to replace the previous authentication key.
5 IMPLEMENTATIONS
The highest bit rate system currently demonstrated exchanges secure keys at 1
Mbit/s (over 20 km of optical fibre) and 10 kbit/s (over 100 km of fibre), achieved by a
collaboration between the University of Cambridge and Toshiba using the BB84 protocol
with decoy pulses.
The longest distance over which quantum key distribution has been demonstrated
using optic fibre is 148.7 km, achieved by Los Alamos/NIST using the BB84 protocol.
Significantly, this distance is long enough for almost all the spans found in today's fibre
networks. The distance record for free space QKD is 144 km between two of the Canary
Islands, achieved by a European collaboration using entangled photons (the Ekert
scheme) in 2006, and using BB84 enhanced with decoy states in 2007. The experiments
suggest transmission to satellites is possible, due to the lower atmospheric density at
higher altitudes. For example although the minimum distance from the International
Space Station to the ESA Space Debris Telescope is about 400 km, the atmospheric
thickness is about an order of magnitude less than in the European experiment, thus
yielding less attenuation compared to this experiment.
The most advanced quantum computers have not gone beyond manipulating more than
16 qubits, meaning that they are a far cry from practical application. However, the
potential remains that quantum computers one day could perform, quickly and easily,
calculations that are incredibly time-consuming on conventional computers. Several key
advancements have been made in quantum computing in the last few years.
Canadian startup company D-Wave demonstrated a 16-qubit quantum computer. The
computer solved a sudoku puzzle and other pattern matching problems. The company
claims it will produce practical systems by 2008. Skeptics believe practical quantum
computers are still decades away, that the system D-Wave has created isn't scalable, and
that many of the claims on D-Wave's Web site are simply impossible (or at least
impossible to know for certain given our understanding of quantum mechanics).
D-Wave's 16-qubit
quantum computer
Some recent advancements in the field of quantum computing:
Qubit Control
Computer scientists control the microscopic particles that act as qubits in quantum
computers by using control devices.
- Ion traps use optical or magnetic fields (or a combination of both) to trap ions.
- Optical traps use light waves to trap and control particles.
- Quantum dots are made of semiconductor material and are used to contain and
  manipulate electrons.
- Semiconductor impurities contain electrons by using "unwanted" atoms found in
  semiconductor material.
- Superconducting circuits allow electrons to flow with almost no resistance at very
  low temperatures.
New Design Enables More Cost-effective Quantum Key Distribution:
Researchers at the National Institute of Standards and Technology (NIST) have
demonstrated a simpler and potentially lower-cost method for distributing strings of
digits, or "keys," for use in quantum cryptography, the most secure method of
transmitting data. The new "quantum key distribution" (QKD) method minimizes the
required number of detectors, by far the most costly components in quantum
cryptography. Although this minimum-detector arrangement cuts transmission rates by
half, the NIST system still works at broadband speeds, allowing, for example, real-time
quantum encryption and decryption of webcam-quality video streams over an
experimental quantum network.
In quantum cryptography, a recipient (named Bob) needs to measure a sequence of
photons, or particles of light that are transmitted by a sender (named Alice). These
photons have information encoded in their polarization, or direction of their electric field.
In the most common polarization-based protocol, known as BB84, Bob uses four
single-photon detectors, costing approximately $5,000-$20,000 each. One pair of detectors
records photons with horizontal and vertical polarization, which could indicate 0 and 1
respectively. The other pair detects photons with "diagonal", or +/- 45 degree,
polarization in which the "northeast" and "northwest" directions alternatively denote 0
and 1.
In the new method, the researchers, led by NIST's Xiao Tang, designed an optical
component to make the diagonally polarized photons rotate by a further 45 degrees and
arrive at the same detector later than, and in a separate "time bin" from, the
horizontal/vertical polarized ones. Therefore, one pair of detectors can be used to record
information from both kinds of polarized photons in succession, reducing the required
number of detectors from four to two.
In another protocol, called B92, the researchers reduced the required number of detectors
from two to one. And in work performed since their new paper, the researchers further
developed their approach so that the popular BB84 method now only requires one
detector instead of four.
Practical Quantum Cryptography:
Polarization-based quantum cryptography is now a mature technology: many
experimental groups have built prototypes, and commercial devices like the one shown
above by Geneva-based company ID Quantique are now available.
6 ATTACKS
6.1 Intercept and resend
The simplest type of possible attack is the intercept-resend attack, where Eve
measures the quantum states (photons) sent by Alice and then sends replacement states to
Bob, prepared in the state she measures. In the BB84 protocol this will produce errors in
the key shared between Alice and Bob. As Eve has no knowledge of the basis a state sent
by Alice is encoded in, she can only guess which basis to measure in, in the same way as
Bob. If she chooses correctly then she will measure the correct photon polarization state
as sent by Alice, and will resend the correct state to Bob.
However if she chooses incorrectly then the state she measures will be random,
and the state sent to Bob will not be the same as the state sent by Alice. If Bob then
measures this state in the same basis Alice sent he will get a random result, as Eve has
sent him a state in the opposite basis, instead of the correct result he would get without
the presence of Eve. An example of this type of attack is shown in the table below.
Alice's random bit: 0 1 1 0 1 0 0 1
Alice's random sending basis:
Photon polarization Alice sends:
Eve's random measuring basis:
Polarization Eve measures and sends:
Bob's random measuring basis:
Photon polarization Bob measures:
PUBLIC DISCUSSION OF BASIS
Shared secret key: 0 0 0 1
Errors in key: ✓ ✘ ✓ ✓
The probability Eve chooses the incorrect basis is 50% (assuming Alice chooses her basis
randomly), and if Bob measures this intercepted photon in the basis Alice sent he will get
a random result, i.e. an incorrect result with probability of 50%. The probability an
intercepted photon generates an error in the key string is then 50% x 50% = 25%. If Alice
and Bob publicly compare n of their key bits (thus discarding them as key bits, as they
are no longer secret) the probability they find disagreement and identify the presence of
Eve is
So to detect an eavesdropper with probability Pd = 0.999999999 Alice and Bob need to
compare n = 72 key bits.
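The 25% figure and the n = 72 check can be reproduced numerically. The added Python simulation below (not from the original report) models BB84 with an eavesdropper who intercepts and resends every photon, using the assumption that a measurement in the wrong basis gives a uniformly random bit; the closed form 1 - (3/4)^n used in `detection_probability` follows from the 25% per-bit error probability derived above.

```python
import random


def measure(rng, bit, prepared_basis, measuring_basis):
    """Measuring in the preparation basis returns the bit; the other basis
    gives a uniformly random outcome."""
    return bit if prepared_basis == measuring_basis else rng.randint(0, 1)


def send_photon(rng, eve_present):
    """One BB84 photon. Returns (bases_match, bob_bit_is_wrong)."""
    bit, alice_basis = rng.randint(0, 1), rng.randint(0, 1)
    state_bit, state_basis = bit, alice_basis
    if eve_present:                       # intercept, then resend what she saw
        eve_basis = rng.randint(0, 1)
        state_bit = measure(rng, state_bit, state_basis, eve_basis)
        state_basis = eve_basis
    bob_basis = rng.randint(0, 1)
    bob_bit = measure(rng, state_bit, state_basis, bob_basis)
    return alice_basis == bob_basis, bob_bit != bit


def sifted_errors(rng, n_sifted, eve_present):
    """Error flags for n_sifted bits that survive the public basis comparison."""
    flags = []
    while len(flags) < n_sifted:
        kept, wrong = send_photon(rng, eve_present)
        if kept:
            flags.append(wrong)
    return flags


def qber(n_sifted, eve_present, seed=0):
    """Observed error rate of the sifted key."""
    flags = sifted_errors(random.Random(seed), n_sifted, eve_present)
    return sum(flags) / len(flags)


def detection_probability(n_compared):
    """Chance that n publicly compared bits contain at least one error when
    every photon was intercepted: each bit is wrong with probability 1/4."""
    return 1 - 0.75 ** n_compared


def simulated_detection_rate(n_compared, trials, seed=0):
    """Fraction of simulated sessions in which the comparison exposes Eve."""
    rng = random.Random(seed)
    caught = sum(any(sifted_errors(rng, n_compared, True)) for _ in range(trials))
    return caught / trials


if __name__ == "__main__":
    print("QBER without Eve:", qber(10000, False))
    print("QBER with intercept-resend:", round(qber(10000, True), 3))
    print("P(detect) for n = 72:", round(detection_probability(72), 9))
    print("simulated, n = 4:", simulated_detection_rate(4, 4000),
          "expected:", round(detection_probability(4), 4))
```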
6.2 Security Proofs
The above is just a simple example of an attack. If Eve is assumed to have unlimited
resources, for example classical and quantum computing power, there are many more
attacks possible. BB84 has been proven secure against any attacks allowed by quantum
mechanics, both for sending information using an ideal photon source which only ever
emits a single photon at a time, and also using practical photon sources which sometimes
emit multiphoton pulses. These proofs are unconditionally secure in the sense that no
conditions are imposed on the resources available to the Eavesdropper, however there are
other conditions required:
1. Eve cannot access Alice and Bob's encoding and decoding devices.
2. The random number generators used by Alice and Bob must be trusted and truly
random (for example a Quantum random number generator).
3. The classical communication channel must be authenticated using an
unconditionally
6.3 Man in the middle attack
Quantum cryptography is vulnerable to a man-in-the-middle attack when used without
authentication to the same extent as any classical protocol, since no principle of quantum
mechanics can distinguish friend from foe. As in the classical case, Alice and Bob cannot
authenticate each other and establish a secure connection without some means of
verifying each other's identities (such as an initial shared secret). If Alice and Bob have
an initial shared secret then they can use an unconditionally secure authentication scheme
(such as Carter-Wegman) along with quantum key distribution to exponentially expand
this key, using a small amount of the new key to authenticate the next session. Several
methods to create this initial shared secret have been proposed, for example using a 3rd
party or chaos theory.
6.4 Photon number splitting attack
In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice
many implementations use laser pulses attenuated to a very low level to send the quantum
states. These laser pulses contain a very small number of photons, for example 0.2
photons per pulse, which are distributed according to a Poissonian distribution. This
means most pulses actually contain no photons (no pulse is sent), some pulses contain 1
photon (which is desired) and a few pulses contain 2 or more photons. If the pulse
contains more than one photon, then Eve can split off the extra photons and transmit the
remaining single photon to Bob. This is the basis of the photon number splitting attack,
where Eve stores these extra photons in a quantum memory until Bob detects the
remaining single photon and Alice reveals the encoding basis. Eve can then measure her
photons in the correct basis and obtain information on the key without introducing
detectable errors.
Even with the possibility of a PNS attack a secure key can still be generated, as shown in
the GLLP security proof; however, a much higher amount of privacy amplification is
needed, reducing the secure key rate significantly (with PNS the rate scales as $t^2$ as
compared to $t$ for a single photon source, where $t$ is the transmittance of the quantum
channel).
There are several solutions to this problem. The most obvious is to use a true single
photon source instead of an attenuated laser. While such sources are still at a
developmental stage, QKD has been carried out successfully with them. However, as
current sources operate at a low efficiency and frequency, key rates and transmission
distances are limited. Another solution is to modify the BB84 protocol, as is done for
example in the SARG04 protocol, in which the secure key rate scales as $t^{3/2}$. The most
promising solution is the decoy state idea, in which Alice randomly sends some of her
laser pulses with a lower average photon number. These decoy states can be used to
detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy.
Using this idea the secure key rate scales as t, the same as for a single photon source. This
idea has been implemented successfully in several QKD experiments, allowing for high
key rates secure against all known attacks.
6.5 Hacking attacks
Hacking attacks target imperfections in the implementation of the protocol instead of the
protocol directly. If the equipment used in quantum cryptography can be tampered with,
it could be made to generate keys that were not secure using a random number generator
attack. Another common class of attacks is the Trojan horse attack which does not require
physical access to the endpoints: rather than attempt to read Alice and Bob's single
photons, Mallory sends a large pulse of light back to Alice in between transmitted
photons. Alice's equipment reflects some of Mallory's light, revealing the state of Alice's
polarizer. This attack is easy to avoid, for example using an optical isolator to prevent
light from entering Alice's system, and all other hacking attacks can similarly be defeated
by modifying the implementation. Apart from Trojan horse there are several other known
attacks including faked state attacks, phase remapping attacks and time-shift attacks. The
time-shift attack has even been successfully demonstrated on a commercial quantum
crypto-system. This demonstration is the first successful demonstration of quantum
hacking against a non-homemade quantum key distribution system.
6.6 Denial of service
Because currently a dedicated fiber optic line (or line of sight in free space) is required
between the two points linked by quantum cryptography, a denial of service attack can be
mounted by simply cutting or blocking the line or, perhaps more surreptitiously, by
attempting to tap it.
7 History
Quantum cryptography was proposed first by Stephen Wiesner, then at Columbia
University in New York, who, in the early 1970s, introduced the concept of quantum
conjugate coding. His seminal paper titled "Conjugate Coding" was rejected by IEEE
Information Theory but was eventually published in 1983 in SIGACT News (15:1 pp. 78-88,
1983). In this paper he showed how to store or transmit two messages by encoding
them in two “conjugate observables”, such as linear and circular polarization of light, so
that either, but not both, may be received and decoded. He illustrated his idea
with a design of unforgeable bank notes. A decade later, building upon this work, Charles
H. Bennett, of the IBM Thomas J. Watson Research Center, and Gilles Brassard, of the
Université de Montréal, proposed a method for secure communication based on
Wiesner’s “conjugate observables”. In 1990, independently and initially unaware of the
earlier work, Artur Ekert, then a Ph.D. student at Wolfson College, University of Oxford,
developed a different approach to quantum cryptography based on peculiar quantum
correlations known as quantum entanglement.
8 Prospects
The current commercial systems are aimed mainly at governments and
corporations with high security requirements. Key distribution by courier is typically
used in such cases, where traditional key distribution schemes are not believed to offer
enough guarantee. This has the advantage of not being intrinsically distance limited, and
despite long travel times the transfer rate can be high due to the availability of large
capacity portable storage devices. The major difference of quantum cryptography is the
ability to detect any interception of the key, whereas with courier the key security cannot
be proven or tested. QKD (Quantum Key Distribution) systems also have the advantage
of being automatic, with greater reliability and lower operating costs than a secure human
courier network.
Factors preventing wide adoption of quantum cryptography outside high security areas
include the cost of equipment, and the lack of a demonstrated threat to existing key
exchange protocols. However, with optic fiber networks already present in many
countries the infrastructure is in place for a more widespread use.
9. Conclusion
Quantum cryptography allows exchanging encryption keys, whose secrecy is future-proof
and guaranteed by the laws of quantum physics. Quantum cryptography is a fascinating
illustration of the dialog between basic and applied physics. It is based on a beautiful
combination of concepts from quantum physics and information theory and made
possible by the tremendous progress in quantum optics and the technology of optical
fibers and free-space optical communication. Its security principle relies on deep
theorems in classical information theory and on a profound understanding of
Heisenberg’s uncertainty principle.
QC could well be the first application of quantum mechanics at the single-quantum
level. Experiments have demonstrated that keys can be exchanged over
distances of a few tens of kilometers at rates on the order of at least a thousand bits per
second. One technological challenge at present concerns improved detectors compatible
with telecommunications fibers. Two other issues concern free-space QC and quantum
repeaters.