arXiv:0802.4155v3 [quant-ph] 30 Sep 2009
The Security of Practical Quantum Key Distribution
Valerio Scarani (1,2), Helle Bechmann-Pasquinucci (3,4), Nicolas J. Cerf (5), Miloslav Dušek (6), Norbert Lütkenhaus (7,8), Momtchil Peev (9)
(1) Centre for Quantum Technologies and Department of Physics, National University of Singapore, Singapore
(2) Group of Applied Physics, University of Geneva, Geneva, Switzerland
(3) University of Pavia, Dipartimento di Fisica “A. Volta”, Pavia, Italy
(4) UCCI.IT, Rovagnate (LC), Italy
(5) Quantum Information and Communication, Ecole Polytechnique, Université Libre de Bruxelles, Brussels, Belgium
(6) Department of Optics, Faculty of Science, Palacký University, Olomouc, Czech Republic
(7) Institute for Quantum Computing & Department for Physics and Astronomy, University of Waterloo, Waterloo, Canada
(8) Max Planck Research Group, Institute for Optics, Information and Photonics, University of Erlangen-Nuremberg, Erlangen, Germany
(9) Quantum Technologies, Smart Systems Division, Austrian Research Centers GmbH ARC, Vienna, Austria
(Dated: September 30, 2009)
Quantum key distribution (QKD) is the first quantum information task to reach the level of mature technology, already fit for commercialization. It aims at the creation of a secret key between authorized partners connected by a quantum channel and a classical authenticated channel. The security of the key can in principle be guaranteed without putting any restriction on the eavesdropper’s power.
The first two sections provide a concise up-to-date review of QKD, biased toward the practical side. The rest of the paper presents the essential theoretical tools that have been developed to assess the security of the main experimental platforms (discrete variables, continuous variables and distributed-phase-reference protocols).
Contents
I. Introduction
A. Cryptography
B. Basics of Quantum Key Distribution (QKD)
1. Generic setting
2. The origin of security
3. The choice of light
4. The BB84 protocol
5. An example of eavesdropping
6. Beyond the example: the field of QKD
C. Scope of this review
1. Focus
2. Outline
II. The Elements of Practical QKD
A. Milestones
1. Foundations: 1984-1995
2. The theory-experiment gap opens: 1993-2000
3. Closing the gap: 2000 to present
B. Generic QKD Protocol
1. Classical and quantum channels
2. Quantum information processing
3. Classical information processing
4. Secret fraction and secret key rate
C. Notions of Security
1. Unconditional security, and its conditions
2. Definition of security
3. Security proofs
D. Explicit Protocols
1. Three families
2. Discrete-variable Protocols
3. Continuous-variable Protocols
4. Distributed-phase-reference Protocols
E. Sources
1. Lasers
2. Sub-Poissonian Sources
3. Sources of Entangled Photons
F. Physical Channels
1. Fiber Links
2. Free Space Links
G. Detectors
1. Photon Counters
2. Homodyne Detection
H. Synchronization and alignment
1. Generalities
2. Phase coding: two configurations
III. Secret Key Rate
A. Raw key rate
B. Secret fraction
1. Classical information post-processing
2. Individual, Collective and Coherent Attacks
3. Quantum side channels and zero-error attacks
4. Hacking on Practical QKD
5. A crutch: the “uncalibrated-device scenario”
IV. Discrete-variable protocols
A. Generic Assumptions and Tools
1. Photon-number statistics
2. Qubits and Modes
3. Secret key rate
B. BB84 coding: lower bounds
1. Prepare-and-Measure: Generalities
2. P&M without decoy states
3. P&M with decoy states
4. P&M: analytical estimates
5. Entanglement-Based
C. BB84 coding: upper bounds incorporating the calibration of the devices
1. Statistical parameters
2. Upper bounds
D. Bounds for the SARG04 coding
V. Continuous-variable protocols
A. Status of security proofs
B. Bounds for Gaussian protocols
1. Generalities
2. Modeling the noise
3. Information Alice-Bob
4. Individual attacks
5. Collective attacks
6. Collective attacks and post-selection
VI. Distributed-phase-reference protocols
A. Status of security proofs
B. Bounds for DPS and COW
1. Collective beam-splitting attack
2. More sophisticated attacks
VII. Comparison of experimental platforms
A. Generalities
1. Model for the source and channel
2. Choice of the parameters
B. Comparisons based on K
1. All platforms on a plot
2. Upper bound incorporating the calibration of the devices
C. Comparison based on the “cost of a linear network”
VIII. Perspectives
A. Perspectives within QKD
1. Finite-key analysis
2. Open issues in unconditional security
3. Black-box security proofs
4. Toward longer distances: satellites and repeaters
5. QKD in networks
B. QKD versus other solutions
Note added in proof
Acknowledgements
A. Unconditional security bounds for BB84 and six-states, single-qubit signals
B. Elementary estimates for quantum repeaters
1. Quantum memories
2. Model of quantum repeater
a. Definition of the model
b. Detection rates
References
I. INTRODUCTION
A. Cryptography
Cryptography is a field of applications that provide privacy, authentication and confidentiality to users. An important subfield is that of secure communication, aiming at allowing confidential communication between different parties such that no unauthorized party has access to the content of the messages. This field has a long history of successes and failures, as many methods to encode messages emerged over the centuries, always to be broken some time later.
History need not repeat forever, though. In 1917, Vernam invented the so-called One-Time Pad encryption, which uses a symmetric, random secret key shared between sender and receiver (Vernam, 1926). This scheme cannot be broken in principle, provided the parties do not reuse their key. Three decades later, Shannon proved that the Vernam scheme is optimal: there is no encryption method that requires less key (Shannon, 1949). This means that the key is being used up in the process. To employ this scheme, therefore, the communicating parties must have a secure method to share a key as long as the text to be encrypted. Because of this limitation, which becomes severe when huge amounts of information have to be securely transmitted, most cryptographic applications nowadays are based on other schemes, whose security cannot be proved in principle, but is rather based on our experience that some problems are hard to solve. In other words, these schemes can be broken, but with a substantial amount of computational power. One can therefore set a security parameter to a value, such that the amount of required computational power lies beyond the amount deemed to be available to an adversary; the value can be adjusted in time, along with technological advances.
The picture has changed in the last two decades, thanks to unexpected inputs from quantum physics. In the early 1980s, Bennett and Brassard proposed a solution to the key distribution problem based on quantum physics (Bennett and Brassard, 1984); this idea, independently re-discovered by Ekert a few years later (Ekert, 1991), was the beginning of quantum key distribution (QKD) which was to become the most promising task of quantum cryptography¹. Since then, QKD devices have constantly increased their key generation rate and have started approaching the maturity needed for implementation in realistic settings.
In an intriguing independent development, ten years after the advent of QKD, Peter Shor discovered that large numbers can in principle be factorized efficiently if one can perform coherent manipulations on many quantum systems (Shor, 1994, 1997). Factorizing large numbers is an example of a mathematical task considered classically hard to solve and for this reason related to a class of cryptographic schemes which are currently widely used. Though quantum computers are not realized yet, the mere fact that they could be built brought into awareness that the security of some cryptographic schemes may be threatened².
This review focuses therefore on the cryptographic task of key distribution, and in particular on its realization using quantum physics. Note that a secret key serves many useful purposes in cryptography other than message encryption: it can be used, for example, to authenticate messages, that is, to prove that a message has been indeed sent by the claimed sender.
¹ Quantum cryptography is often identified with QKD, but actually comprises all possible tasks related to secrecy that are implemented with the help of quantum physics. The first appearance of a link between secrecy and quantum physics was Wiesner’s idea of quantum money, which dates back to the early 1970s although it was published a decade later (Wiesner, 1983). To our knowledge, there is nothing else before Bennett’s and Brassard’s first QKD protocol. In 1999, two new tasks were invented and both were given the same name, quantum secret sharing. In one case, the protocol is a multi-partite generalization of key distribution (Hillery, Bužek and Berthiaume, 1999; Karlsson, Koashi and Imoto, 1999); in the other case it refers to the sharing of secret quantum information, i.e. the goal is for the authorized partners to share quantum information (instead of a list of classical random variables) known only to them (Cleve, Gottesman and Lo, 1999; Crépeau, Gottesman and Smith, 2005). Other examples of cryptographic tasks are bit commitment or oblivious transfer; for these tasks, contrary to the case of QKD and secret sharing, quantum physics cannot guarantee unconditional security (Lo and Chau, 1997; Lo, 1997; Mayers, 1997) and therefore their interest seems limited — though new paradigms like “bounded-storage models” may change this perception in the future (Damgaard et al., 2005, 2007; Wehner, Schaffner and Terhal, 2008).
B. Basics of Quantum Key Distribution (QKD)
In this paragraph, we introduce the basic elements of quantum key distribution (QKD), for the sake of those readers who would not be familiar with the field. Alternative presentations of this material are available in many sources, ranging from books with rather general scope (Ekert et al., 2001; Le Bellac, 2006; Lo, 1998; Scarani, 2006) to other review articles specific to the topic (Dušek, Lütkenhaus and Hendrych, 2006; Gisin, Ribordy, Tittel and Zbinden, 2002; Lo and Zhao, 2008).
1. Generic setting
FIG. 1 (Color online) The setting of QKD: Alice and Bob
are connected by a quantum channel, on which Eve can tap
without any restriction other than the laws of physics; and by
an authenticated classical channel, which Eve can only listen
to.
The generic settings of QKD are schematically represented in Fig. 1. The two authorized partners, those that want to establish a secret key at a distance, are traditionally called Alice and Bob. They need to be connected by two channels: a quantum channel, allowing them to share quantum signals; and a classical channel, on which they can send classical messages back and forth.
² This issue will be discussed in more detail in Sec. VIII.B.
The classical channel needs to be authenticated: this means that Alice and Bob identify themselves; a third person can listen to the conversation but cannot participate in it. The quantum channel, however, is open to any possible manipulation from a third person. Specifically, the task of Alice and Bob is to guarantee security against an adversarial eavesdropper, usually called Eve³, tapping on the quantum channel and listening to the exchanges on the classical channel.
By “security” we mean that “a non-secret key is never used”: either the authorized partners can indeed create a secret key (a common list of secret bits known only to themselves), or they abort the protocol⁴. Therefore, after the transmission of a sequence of symbols, Alice and Bob must estimate how much information about their lists of bits has leaked out to Eve. Such an estimate is obviously impossible in classical communication: if someone is tapping on a telephone line, or when Eve listens to the exchanges on the classical channel for that matter, the communication goes on unmodified. This is where quantum physics comes into the game: in a quantum channel, leakage of information is quantitatively related to a degradation of the communication. The next paragraph delves a bit deeper into the physical reasons for this statement.
2. The origin of security
The origin of security of QKD can be traced back to some fundamental principles of quantum physics. One can argue for instance that any action, by which Eve extracts some information out of quantum states, is a generalized form of measurement; and a well-known tenet of quantum physics says that measurement in general modifies the state of the measured system. Alternatively, one may think that Eve’s goal is to have a perfect copy of the state that Alice sends to Bob; this is however forbidden by the no-cloning theorem (Wootters and Zurek, 1982), which states that one cannot duplicate an unknown quantum state while keeping the original intact. Both these arguments appear already in the seminal paper (Bennett and Brassard, 1984); they lead to the same formalization. A third physical argument can be invoked, which is usually considered rather as a fact than as a principle, but a very deep one: quantum correlations obtained by separated measurements on members of entangled pairs violate Bell’s inequalities and cannot therefore have been created by pre-established agreement. In other words, the outcomes of the measurements did not exist before the measurements; but then, in particular, Eve could not know them (Ekert, 1991). This argument supposes that QKD is implemented with entangled states.
The fact that security can be based on general principles of physics suggests the possibility of unconditional security, i.e. the possibility of guaranteeing security without imposing any restriction on the power of the eavesdropper (more on this notion in Sec. II.C.1). Indeed, at the moment of writing, unconditional security has been proved for several QKD protocols.
³ The name, obtained from assonance with the English term “eavesdropping”, is remarkably suited for someone whose task is to mess things up!
⁴ No physical principle can prevent an adversary from cutting the channels, thus blocking all transfer of information between Alice and Bob. Stepping back then, one can imagine the following eavesdropping strategy (suggested to one of us by A. Beveratos): Eve systematically cuts all QKD channels, until Alice and Bob, who after all want to communicate, opt for less secure methods — and then Eve gets the information. There is obviously a point of humor in this idea but, given that Eve has no hope if QKD is used correctly, this strategy may be the most effective indeed.
3. The choice of light
In general, quantum information processing can be implemented with any system, and one indeed finds proposals to implement quantum computing with ions, atoms, light, spins... Abstractly, this is the case also for QKD: one could imagine performing a QKD experiment with electrons, ions, molecules; however, light is the only practical choice. Indeed, the task of key distribution makes sense only if Alice and Bob are separated by a macroscopic distance: if they are in the same room, they have much easier ways of generating a common secret key.
Now, as is well known, light does not interact easily with matter; therefore quantum states of light can be transmitted to distant locations basically without decoherence, in the sense that little perturbations are expected in the definition of the optical mode. The problem with light is scattering, i.e. losses: quite often, the photons just don’t arrive. The way losses affect QKD varies with the protocol and the implementation; we shall deal with these issues in detail later, but it’s useful to give here a rapid overview. First and quite obviously, losses impose bounds on the secret key rate (that cannot scale with the distance better than the transmittivity of the line) and on the achievable distance (when losses are so large that the signal is lost in spurious events, the “dark counts”). Second: losses may leak information to the eavesdropper, according to the nature of the quantum signal: for coherent pulses it is certainly the case, for single photons it is not, the case for entangled beams is more subtle. A third basic difference is determined by the detection scheme. Indeed, implementations that use photon counters rely on post-selection: if a photon does not arrive, the detector does not click and the event is simply discarded⁵. On the contrary, implementations that use homodyne detection always give a signal, therefore losses translate as additional noise.
In summary, QKD is always implemented with light and there is no reason to believe that things will change in the future. As a consequence, the quantum channel is any medium that propagates light with reasonable losses: typically, either an optical fiber, or just free space provided Alice and Bob have a line of sight.
⁵ Note that this is possible because the task is to distribute a random key. In the days of booming of quantum information, some authors considered the possibility of sending directly the message on the quantum channel (Beige et al., 2002; Boström and Felbinger, 2002). This task has been called “Quantum Secure Direct Communication” and has generated some interest. However, it was soon recognized (even by some of the original authors) that the idea suffers from two major defects with respect to standard QKD: (i) It is obviously not robust against losses: you cannot afford losing a significant amount of the message. (ii) It allows no analog of privacy amplification: if an eavesdropper obtains information, it is information on the message itself and cannot of course be erased.
4. The BB84 protocol
All the points and concepts introduced above will be dealt with in more depth and detail in the main sections of this review. Let us first practice the generic ideas on a very concrete example: the first QKD protocol, published by Bennett and Brassard in 1984 and called therefore BB84 (Bennett and Brassard, 1984).
Suppose Alice holds a source of single photons. The spectral properties of the photons are sharply defined, so the only degree of freedom left is polarization. Alice and Bob align their polarizers and agree to use either the Horizontal/Vertical (+) basis, or the complementary basis of linear polarizations i.e. +45/-45 (×). Specifically, the coding of bits is
$$
\begin{array}{l}
|H\rangle \ \text{codes for}\ 0_+ \\
|V\rangle \ \text{codes for}\ 1_+ \\
|{+45}\rangle \ \text{codes for}\ 0_\times \\
|{-45}\rangle \ \text{codes for}\ 1_\times
\end{array}
\qquad (1)
$$
We see that both bit values 0 and 1 are coded in two possible ways, more precisely in non-orthogonal states, because
$$
|{\pm 45}\rangle = \frac{1}{\sqrt{2}} \left( |H\rangle \pm |V\rangle \right). \qquad (2)
$$
Given this coding, the BB84 protocol goes as follows:
1. Alice prepares a photon in one of the four states above and sends it to Bob on the quantum channel. Bob measures it in either the + or the × basis. This step is repeated N times. Both Alice and Bob have now a list of N pairs (bit,basis).
2. Alice and Bob communicate over the classical channel and compare the “basis” value of each item and discard those instances in which they have used different bases. This step is called sifting. At its end, Alice and Bob have a list of approximately N/2 bits, with the promise that for each of them Alice’s coding matched Bob’s measurement. This list is called raw key.
3. Alice and Bob now reveal a random sample of the bits of their raw keys and estimate the error rate in the quantum channel, thus in turn Eve’s information. In the absence of errors, the raw key is identical for Alice and Bob and Eve has no information: in this case, the raw key is already the secret key. If there are errors however, Alice and Bob have to correct them and to erase the information that Eve could have obtained⁶. Both tasks can be performed by communication on the classical channel, so this part of the protocol is called classical post-processing. At the end of this processing, Alice and Bob share either a truly secret key or nothing at all (if Eve’s information was too large).
5. An example of eavesdropping
A particularly simple eavesdropping strategy is the one called intercept-resend. To obtain information, Eve does the same as Bob: she intercepts the photon coming from Alice and measures it either in the + or in the × basis. But Bob is waiting for some signal to arrive. Let’s then suppose that Eve resends the same photon to Bob (Eve is limited only by the laws of physics, therefore in particular she can perform a quantum non-demolition measurement). If Eve has measured in the basis of Alice’s preparation, the photon is intact: on such instances, Eve has got full information on Alice’s bit without introducing any errors. However, when Eve has chosen the wrong basis, her result is uncorrelated with Alice’s bit; moreover, she has modified the state so that, even if Bob uses the same basis as Alice, half of the times he will get the wrong result.
On average over long keys then, this particular attack gives Eve full information on half of the bits of the raw key ($I_E = 0.5$) at the price of introducing an error rate $Q = 0.25$. Can a secure key be extracted under such conditions? One has to know how to quantify the length of the final key that can be extracted. For this particular case, under some assumptions on the classical post-processing it holds (Csiszár and Körner, 1978)
$$
r = \max\{ I(A:B) - I_E,\ 0 \}, \qquad (3)
$$
where $I(A:B) = H(A) + H(B) - H(AB)$ is the mutual information between Alice’s and Bob’s raw keys ($H$ is Shannon entropy). Assuming that both bit values are equally probable, i.e. $H(A) = H(B) = 1$, one has $I(A:B) = 1 - h(Q)$ where $h$ is binary entropy. Having these elements, one can plug in the values obtained for the intercept-resend attack and find that $I(A:B) < I_E$: Eve has more information on Alice’s string than Bob, therefore no secret key can be extracted⁷.
⁶ Historical note: the procedure that erases the information of the eavesdropper was not discussed in (Bennett and Brassard, 1984) and appears for the first time a few years later (Bennett, Brassard and Robert, 1988).
Another simple exercise consists in supposing that Eve performs the intercept-resend attack only on a fraction $p$ of the photons sent by Alice, and leaves the others untouched. Then obviously $Q = p/4$ and $I_E = p/2 = 2Q$; this leads to conclude that, if $Q \gtrsim 17\%$, a secure key cannot be extracted from the BB84 protocol — at least, if the classical post-processing is done according to the assumptions of (Csiszár and Körner, 1978).
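The intercept-resend figures of this section can be checked with a short simulation; the following is an added example, not code from the paper. It assumes ideal single photons, a lossless channel and perfect detectors, and the function names (`run_bb84`, `secret_fraction`, `critical_qber`) are illustrative.

```python
"""BB84 with an intercept-resend eavesdropper (added example, ideal devices assumed)."""
import math
import random


def h(q):
    """Binary entropy h(q) in bits."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal polarization measurement of a single photon.

    Same basis as the preparation: the encoded bit is recovered.
    Complementary basis: the outcome is a fair coin (non-orthogonal states, Eq. 2).
    """
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_signals, p_intercept, seed=0):
    """Send n_signals photons; Eve intercepts and resends a fraction p_intercept.

    Returns (raw_key_length, Q, I_E). Q is the error rate between Alice's and
    Bob's raw keys after sifting. I_E is the fraction of raw-key bits that Eve
    measured in Alice's basis, i.e. bits she knows once the bases are announced.
    """
    rng = random.Random(seed)
    raw_len = errors = eve_known = 0
    for _ in range(n_signals):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)  # basis 0 is +, 1 is x
        b_basis = rng.randrange(2)
        bit, basis = a_bit, a_basis          # state travelling on the channel
        eve_matched = False
        if rng.random() < p_intercept:
            e_basis = rng.randrange(2)
            e_bit = measure(bit, basis, e_basis, rng)
            bit, basis = e_bit, e_basis      # Eve resends what she measured
            eve_matched = e_basis == a_basis
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis != a_basis:
            continue                         # sifting: discard mismatched bases
        raw_len += 1
        errors += b_bit != a_bit
        eve_known += eve_matched
    if raw_len == 0:
        raise ValueError("no signal survived sifting; increase n_signals")
    return raw_len, errors / raw_len, eve_known / raw_len


def secret_fraction(q, i_e):
    """Eq. (3): r = max{I(A:B) - I_E, 0}, with I(A:B) = 1 - h(Q)."""
    return max(1.0 - h(q) - i_e, 0.0)


def critical_qber(tol=1e-9):
    """Bisection for the Q where 1 - h(Q) = 2Q (partial intercept-resend, I_E = 2Q)."""
    lo, hi = 0.0, 0.25                       # r > 0 at Q = 0, r = 0 at Q = 0.25
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if 1.0 - h(mid) - 2.0 * mid > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    for p in (0.0, 0.25, 0.5, 0.68, 1.0):
        n, q, i_e = run_bb84(200_000, p, seed=1)
        print(f"p={p:.2f} raw={n} Q={q:.3f} (p/4={p / 4:.3f}) "
              f"I_E={i_e:.3f} (p/2={p / 2:.3f}) r={secret_fraction(q, i_e):.3f}")
    print(f"critical Q = {critical_qber():.4f}")
```

The simulated Q and I_E track p/4 and p/2, and the bisection returns the error rate near 17% above which Eq. (3) gives no key.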
6. Beyond the example: the field of QKD
The basic example that we have just presented calls for a number of important questions:
• The adversary is clearly not restricted to perform the intercept-resend attack. What is the maximal amount of information Eve can possibly obtain, if she is allowed to do anything that is compatible with the laws of physics? This is the question about the possibility of proving unconditional security.
• The BB84 protocol is just a particular protocol. What about other forms of coding and/or of processing the data?
• The protocol supposed that the quantum signal is a qubit — explicitly, a bimodal single photon, i.e. an elementary excitation of the light field in only two modes (polarization in the explicit example). How close can an implementation come to this? And after all, should any implementation of QKD actually aim at coming close to this?
• In a real device, information may leak out in channels that are neglected in a theoretical description. What are the potential threats in an implementation?
The whole field of QKD has developed along the answer to these and similar questions.
⁷ This conclusion is valid for all protocols: no secret key can be extracted if the observed statistics are compatible with Eve performing the intercept-resend attack (Curty, Lewenstein and Lütkenhaus, 2004). The reason is that this attack “breaks” the quantum channel into two pieces, in which case the correlations between Alice and Bob can always be obtained with classical signals; and no secrecy can be distributed with classical communication.
C. Scope of this review
1. Focus
The label “quantum cryptography” applies nowadays to a very wide range of interests, going from abstract mathematical considerations to strictly technological issues.
This review focuses somewhere in the middle of this range, in the realm where theoretical and experimental physics meet, that we call practical QKD. There, theorists cannot pursue pure formal elegance and are compelled to complicate their models in order to take real effects into account; and experimentalists must have a serious grasp on theoretical issues in order to choose the right formulas and make the correct claims about the security of their devices. Specifically, we want to address the following two concerns:
1. On the one hand, the theoretical tools have reached a rather satisfactory level of development; but from outside the restricted group of experts, it has become almost impossible to follow this development, due also to the fact that quite a few strong security claims made in the past had to be revisited in the light of better understanding. As theorists involved in the development of security proofs, we want to provide an updated review of the status of such proofs.
2. On the other hand, several competing experimental platforms exist nowadays. It is desirable to have a synthetic view of those, highlighting the interest and possible shortcomings of each choice. Also, we want to raise the awareness of the complexity of any comparison: “physical” figures of merit like the secret key rate or the maximal achievable distance are in competition with “practical” figures of merit like stability and cost.
Throughout the review, we shall also make reference to some strictly mathematical or strictly technological advances, but without any claim of exhaustiveness.
2. Outline
The review is structured as follows. Section II introduces all the basic elements of practical QKD. Section III is devoted to the rate at which a secret key is produced: this is the fundamental parameter of QKD, and depends both on the speed and efficiency of the devices, and on the intrinsic security of the protocol against eavesdropping. The next three sections provide a detailed analysis, with a consistent set of explicit formulas, for the three main families of protocols: those based on discrete-variable coding (Section IV), those based on continuous-variable coding (Section V) and the more recent distributed-phase-reference coding (Section VI). In Section VII, we put everything together and sketch some directions for comparison of different experimental platforms. Finally, in Section VIII, we discuss future perspectives for QKD, both as a field in itself and in the broader context of key distribution.
II. THE ELEMENTS OF PRACTICAL QKD
A. Milestones
1. Foundations: 1984-1995
QKD unfolded with the presentation of the first complete protocol (Bennett and Brassard, 1984), which was based on earlier ideas by Wiesner (Wiesner, 1983). In the BB84 protocol, bits are coded in two complementary bases of a two level system (qubit); this qubit is sent by Alice to Bob, who measures it. The no-cloning theorem is explicitly mentioned as the reason for security. This work was published in conference proceedings and was largely unknown to the community of physicists. It was not until 1991, when Artur Ekert, independently from the earlier developments, published a paper on quantum key distribution, that the field gained a rapid popularity (Ekert, 1991). Ekert’s argument for security had a different flavor: an eavesdropper introduces “elements of reality” into the correlations shared by Alice and Bob; so, if they observe correlations that violate a Bell inequality, the communication cannot have been completely broken by Eve. Shortly afterwards, Bennett, Brassard and Mermin argued⁸ that entanglement-based protocols, such as E91, are equivalent to prepare&measure protocols, such as the BB84 protocol (Bennett, Brassard and Mermin, 1992). The same year 1992 witnessed two additional milestones: the invention of the B92 protocol (Bennett, 1992) and the very first in-principle experimental demonstration (Bennett et al., 1992). One can reasonably conclude the foundational period of QKD with the definition of privacy amplification, the classical post-processing needed to erase Eve’s information from the raw key (Bennett et al., 1995).
⁸ The argument is correct under some assumptions; only around the year 2006 was it fully realized that Ekert’s view is qualitatively different and allows one to reduce the set of assumptions about Alice’s and Bob’s devices; see VIII.A.3. This is also why the Ekert protocol was not implemented as such in an experiment until very recently (Ling et al., 2008).
2. The theory-experiment gap opens: 1993-2000
After these foundational works, the interest and feasibility of QKD became apparent to many. Improved experimental demonstrations took place, first in the lab with a growing distance of optical fiber next to the optical table (Bréguet, Muller and Gisin, 1994; Franson and Ilves, 1994; Townsend, Rarity and Tapster, 1993), then in installed optical fibers (Muller, Zbinden and Gisin, 1995), thereby demonstrating that QKD can be made sufficiently robust for a real-world implementation. In this development, an obvious milestone is the invention of the so-called Plug&Play setups by the Geneva group (Muller et al., 1997; Ribordy et al., 1998). By the year 2000, QKD over large distances was demonstrated also with entangled photons (Jennewein et al., 2000; Naik et al., 2000; Tittel et al., 2000).
Theorists became very active too. New protocols were proposed. For instance, the elegant six-state protocol, first mentioned back in 1984 as a possible extension of BB84 (Bennett et al., 1984), was rediscovered and studied in greater detail (Bechmann-Pasquinucci and Gisin, 1999; Bruß, 1998). But by far a more complex task was at stake: the derivation of rigorous security proofs that would replace the intuitive arguments and the first, obviously sub-optimal estimates. The first such proof was given by Mayers, who included even advanced features such as the analysis of finite key effects (Mayers, 1996, 2001). However, this proof is not very intuitive, and other proofs emerged, starting with the basic principle of entanglement distillation ideas (Deutsch et al., 1996) which were put into a rigorous framework by Lo and Chau (Lo and Chau, 1999). These entanglement-based proofs would require the ability to perform quantum logic operations on signals. At present, we do not have the experimental capability to do so. Therefore the result by Shor and Preskill (Shor and Preskill, 2000) provided a step forward, as it combined the property of Mayers’ result of using only classical error correction and privacy amplification with a very intuitive way of proving the security of the BB84 protocol. That result uses the ideas of quantum error correction methods, and reduces the corresponding quantum protocol to an actual classically-assisted prepare-and-measure protocol.
As of the year 2000 therefore, both experimental and theoretical QKD had made very significant advances. However, almost inevitably, a gap had opened between the two: security proofs had been derived only for very idealized schemes; setups had been made practical without paying attention to all the security issues.
3. Closing the gap: 2000 to present
The awareness of the gap was triggered by the
discovery of photon-number-splitting (PNS) at-
tacks (Brassard et al., 2000), which had actually
been anticipated years before (Bennett, 1992;
Dušek, Haderka and Hendrych, 1999; Huttner et al.,
1995) but had passed rather unnoticed. The focus is on
the source: the theoretical protocols supposed single-
photon sources, but experiments were rather using atten-
uated laser pulses, with average photon numbers below
one. In these pulses, photons are distributed according to
the Poissonian statistics: in particular, there are some-
times two or more photons, and this opens an important
loophole. Security proofs could be adapted to deal
with this case (Gottesman, Lo, Lütkenhaus and Preskill,
2004; Inamori, Lütkenhaus and Mayers, 2001-2007;
Lütkenhaus, 2000): the extractable secret key rate was
found to scale much worse with the distance than for
single-photon sources ($t^2$ compared to $t$, where $t$ is the
transmittivity of the quantum channel).
It took a few years to realize that methods can
be devised to reduce the power of PNS attacks while
keeping the very convenient laser sources. One im-
provement can be made by a mere change of software
by modifying the announcements of the BB84 protocol
(Scarani, Acín, Ribordy and Gisin, 2004): in this
SARG04 protocol, the key rate scales as $t^{3/2}$ (Koashi,
2005; Kraus, Gisin and Renner, 2005). Another significant
improvement can be made by an easy change of
hardware: by varying the quantum state along the pro-
tocol (decoy states), one can perform a more complete
test of the quantum channel (Hwang, 2003). When the
decoy state idea is applied to laser sources, the key rate
scales as t (Lo, Ma and Chen, 2005; Wang, 2005).
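The scaling laws quoted above can be reproduced with a simplified, error-free counting model; this is an added Python example, not code or formulas taken from the paper. Its assumptions: ideal detectors, a worst case in which every multi-photon pulse is detected by Bob and fully known to Eve, and a decoy-state case in which only verified single-photon events are counted. The function names are illustrative, and the $t^{3/2}$ behaviour of SARG04 is not modelled.

```python
import math

def p_multi(mu):
    """P(n >= 2) for a Poissonian pulse with mean photon number mu."""
    return -math.expm1(-mu) - mu * math.exp(-mu)

def p_detect(mu, t):
    """P(at least one photon reaches Bob) for channel transmittivity t.
    After loss the photon number is Poissonian with mean mu * t."""
    return -math.expm1(-mu * t)

def secure_gain_plain(mu, t):
    """Attenuated laser, no decoys (assumed worst case): all multi-photon
    pulses count as compromised, so only p_detect - p_multi can be secret."""
    return max(0.0, p_detect(mu, t) - p_multi(mu))

def secure_gain_decoy(mu, t):
    """Decoy states let the parties verify the single-photon yield, so the
    usable events are pulses with exactly one photon that also arrives."""
    return mu * math.exp(-mu) * t

# Log-spaced candidate intensities from 1e-6 up to about 3 photons per pulse.
MU_GRID = [10 ** (-6 + 6.5 * i / 4000) for i in range(4001)]

def optimise(gain, t):
    """Return (best mean photon number, resulting gain per pulse)."""
    best_mu = max(MU_GRID, key=lambda mu: gain(mu, t))
    return best_mu, gain(best_mu, t)

def scaling_exponent(gain, t_hi=1e-2, t_lo=1e-3):
    """Slope of log(optimised gain) versus log(t) between two transmittivities."""
    g_hi = optimise(gain, t_hi)[1]
    g_lo = optimise(gain, t_lo)[1]
    return math.log(g_hi / g_lo) / math.log(t_hi / t_lo)

if __name__ == "__main__":
    for t in (1e-1, 1e-2, 1e-3):
        mu_p, g_p = optimise(secure_gain_plain, t)
        mu_d, g_d = optimise(secure_gain_decoy, t)
        print(f"t={t:.0e}  no decoy: mu*={mu_p:.2e} gain={g_p:.2e}   "
              f"decoy: mu*={mu_d:.2f} gain={g_d:.2e}")
    print("exponent without decoys:", round(scaling_exponent(secure_gain_plain), 3))
    print("exponent with decoys:   ", round(scaling_exponent(secure_gain_decoy), 3))
```

Without decoys the optimal intensity must shrink in proportion to $t$, which is what turns a detection rate proportional to $t$ into a secret rate proportional to $t^2$; with decoys the optimal intensity stays of order one.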
Parallel to this development, the field of practical
QKD [9] has grown in breadth and maturity. New families
of protocols have been proposed, notably continuous-variable
protocols (Cerf, Lévy and Van Assche, 2001;
Gottesman and Preskill, 2001; Grosshans and Grangier,
2002a; Hillery, 2000; Ralph, 1999; Silberhorn et al., 2002)
and the more recent distributed-phase-reference protocols
(Inoue, Waks and Yamamoto, 2002; Stucki et al., 2005).
Critical thinking on existing setups has led to the awareness
that security against Eve tapping on the quantum
channel is not all: one should also protect the devices
against more commonplace hacking attacks and verify
that information does not leak out in side-channels
(Makarov and Hjelme, 2005). Recently, QKD
has also reached the commercial market: at least three
companies [10] are offering working QKD devices. New
questions can now be addressed: in which applications
QKD can help (Alléaume et al., 2007), how to implement
a network of QKD systems [11], how to certify QKD devices
for commercial markets (including the verification
that these devices indeed fulfill the specifications of the
corresponding security proofs), etc.
9 The whole field of QKD witnessed many other remarkable devel-
opments, especially in theoretical studies, which are not included
in this paragraph but are mentioned in due place in the paper.
10 idQuantique, Geneva (Switzerland), www.idquantique.com;
MagiQ Technologies, Inc., New York., www.magiqtech.com; and
Smartquantum, Lannion (France), www.smartquantum.com.
11 This is the aim of the European Network SECOQC,
www.secoqc.net.
B. Generic QKD Protocol
1. Classical and quantum channels
As introduced in Sec. I.B, Alice and Bob need to be
connected by two channels. On the quantum channel,
Alice can send quantum signals to Bob. Eve can interact
with these signals, but if she does, the signals are changed
because of the laws of quantum physics – the essence of
QKD lies precisely here.
On the classical channel, Alice and Bob can send clas-
sical messages forth and back. Eve can listen without
penalty to all communication that takes place on this
channel. However, in contrast to the quantum chan-
nel, the classical channel is required to be authenticated,
so that Eve cannot change the messages that are being
sent on this channel. Failure to authenticate the classical
channel can lead to the situation where Eve impersonates
one of the parties to the other, thus entirely compromising
the security. Unconditionally secure authentication [12]
of the classical channel requires Alice and Bob to pre-
share an initial secret key or at least partially secret but
identical random strings (Renner and Wolf, 2003). QKD
therefore does not create a secret key out of nothing:
rather, it will expand a short secret key into a long one,
so strictly speaking it is a way of key-growing. This re-
mark calls for two comments. First, key growing cannot
be achieved by use of classical means alone, whence QKD
offers a real advantage. Second, it is important to show
that the secret key emerging from QKD is composable,
that is, it can be used like a perfect random secret key in
any task (more in Sec. II.C.2), because one has to use a
part of it as authentication key for the next round.
2. Quantum information processing
The first step of a QKD protocol is the exchange and
measurement of signals on the quantum channel. Alice’s
role is encoding: the protocol must specify which
quantum state $|\Psi(S_n)\rangle$ codes for the sequence of $n$
symbols $S_n = \{s_1, ..., s_n\}$. In most protocols, but not
in all, the state $|\Psi(S_n)\rangle$ has the tensor product form
$|\psi(s_1)\rangle \otimes ... \otimes |\psi(s_n)\rangle$. In all cases, it is crucial that the
protocol uses a set of non-orthogonal states [13], otherwise
12 Authentication schemes that do not rely on pre-shared secrecy
exist, but are not unconditionally secure. Since we aim at un-
conditional security for QKD, the same level of security must
in principle be guaranteed in all the auxiliary protocols. How-
ever, breaking the authentication code after one round of QKD
does not threaten security of the key that has been produced;
one may therefore consider authentication schemes that guarantee
security only for a limited time, e.g. based on complexity
assumptions.
13 There is only one exception (Goldenberg and Vaidman, 1995)
when Alice uses just two orthogonal states. Alice prepares a
qubit in one of the two orthogonal superpositions of two spatially
Eve could decode the sequence without introducing errors
by measuring in the appropriate basis (in other words, a
set of orthogonal states can be perfectly cloned). Bob’s
role is twofold: his measurements of course allow him to
decode the signal, but also to estimate the loss of quantum
coherence and therefore Eve’s information. For this to be
possible, non-compatible measurements must be used.
We have described the quantum coding of QKD protocols
with the language of Prepare-and-Measure (P&M)
schemes: Alice chooses actively the sequence $S_n$ she
wants to send, prepares the state $|\Psi(S_n)\rangle$ and sends it to
Bob, who performs some measurement. Any such scheme
can be immediately translated into an entanglement-based
(EB) scheme: Alice prepares the entangled state
$$|\Phi^n\rangle_{AB} = \frac{1}{\sqrt{d_n}} \sum_{S_n} |S_n\rangle_A \otimes |\Psi(S_n)\rangle_B \qquad (4)$$
where $d_n$ is the number of possible $S_n$ sequences and the
$|S_n\rangle_A$ form an orthogonal basis. By measuring in this
basis, Alice learns one $S_n$ and prepares the corresponding
$|\Psi(S_n)\rangle$ on the sub-system that is sent to Bob: from
Bob’s point of view, nothing changes. This formal translation
obviously does not mean that both realizations are
equally practical or even feasible with present-day technology.
However, it implies that the security proof for the
EB protocol translates immediately to the corresponding
P&M protocol and vice versa.
A frequently quoted statement concerning the role of
entanglement in QKD says that “entanglement is a necessary
condition to extract a secret key” (Acín and Gisin,
2005; Curty, Lewenstein and Lütkenhaus, 2004). Two
important comments have to be made to understand it
correctly. First of all, this is not a statement about implementations,
but about the quantum channel: it says that
no key can be extracted from an entanglement-breaking
channel [14]. In particular, the statement does not say that
entanglement-based implementations are the only secure
ones.
Second: as formulated above, the statement has been
derived under the assumption that Eve holds a purification
of $\rho_{AB}$, where $A$ and $B$ are the degrees of freedom
that Alice and Bob are going to measure. One may ask
a more general question, namely, how to characterize all
the private states, i.e. the states out of which secrecy can
be extracted (Horodecki et al., 2005, 2008a,b). It was realized
that, in the most general situation, Alice and Bob
separated states, then – at a random time instant – she sends one
component of this superposition to Bob. Only later she sends the
second component. Precise time synchronization between Alice
and Bob is crucial. See also Peres’ criticism (Peres, 1996), the
authors’ reply (Goldenberg and Vaidman, 1996) and a related
discussion (Koashi and Imoto, 1997). Unconditional security has
not been proved for this protocol.
14 As the name indicates, a channel $\rho \to \rho' = C(\rho)$ is called
entanglement-breaking if $(\mathbb{1} \otimes C)|\Psi\rangle_{AB}$ is separable for any input
$|\Psi\rangle_{AB}$. A typical example of such a channel is the one obtained
by performing a measurement on half of the entangled pair.
may control some additional degrees of freedom $A'$ and
$B'$; thus, Eve is not given a purification of $\rho_{AB}$, but of
$\rho_{AA'BB'}$. In such a situation, it turns out that $\rho_{AB}$ can
even be separable; as for $\rho_{AA'BB'}$, it must be entangled,
but may even be bound entangled. The reason is quite
clear: $A'$ and $B'$ shield the meaningful degrees of freedom
from Eve’s knowledge. We do not consider this most
general approach in what follows [15], because at the moment
of writing no practical QKD scheme with shielding
systems has been proposed.
3. Classical information processing
Once a large number N of signals have been exchanged
and measured on the quantum channel, Alice and Bob
start processing their data by exchanging communica-
tion on the classical channel. In all protocols, Alice and
Bob estimate the statistics of their data; in particular,
they can extract the meaningful parameters of the quan-
tum channel: error rate in decoding, loss of quantum co-
herence, transmission rate, detection rates... This step,
called parameter estimation, may be preceded in some
protocols by a sifting phase, in which Alice and Bob
agree to discard some symbols (typically, because Bob
learns that he has not applied the suitable decoding on
those items). After parameter estimation and possibly
sifting, both Alice and Bob hold a list of n ≤ N sym-
bols, called raw keys. These raw keys are only partially
correlated and only partially secret. Using some classi-
cal information post-processing (see III.B.1), they can be
transformed into a fully secure key K of length ℓ ≤ n.
The length ℓ of the final secret key depends of course on
Eve’s information on the raw keys.
4. Secret fraction and secret key rate
In the asymptotic case $N \to \infty$ of infinitely long keys,
the meaningful quantity is the secret fraction [16]
$$r = \lim_{N\to\infty} \ell/n . \qquad (5)$$
The secret fraction is clearly the heart of QKD: this is
the quantity for which the security proofs (II.C.3) must
provide an explicit expression. However, a more prosaic
parameter must also be taken into account
in practical QKD: namely, the raw-key rate $R$, i.e. the
length of the raw key that can be produced per unit time.
This rate depends partly on the protocol: for instance, it
contains the sifting factor, i.e. the fraction of exchanged
15 In (Smith, Renes and Smolin, 2008), the formalism of private
states is used to study pre-processing, see III.B.1.
16 Often, especially in theoretical studies, this quantity is called
“secret key rate”. In this paper, we reserve this term for (6),
which is more meaningful for practical QKD.
symbols that is discarded in a possible sifting phase. But,
surely enough, its largest dependence is on the details of
the setup: repetition rate of the source, losses in the
channel, efficiency and dead time of the detectors, possi-
ble duty cycle, etc. In conclusion, in order to assess the
performances of practical QKD systems, it is natural to
define the secret key rate as the product
K = R r . (6)
The whole Section III will be devoted to a detailed dis-
cussion of this quantity.
As mentioned, these definitions hold in the asymptotic
regime of infinitely long keys. When finite-key corrections
are taken into account, a reduction of the secret fraction
is expected, mainly for two reasons. On the one hand,
parameter estimation is made on a finite number of sam-
ples, and consequently one has to consider the worst pos-
sible values compatible with statistical fluctuations. On
the other hand, the yield of the classical post-processing
contains terms that vanish only in the asymptotic limit;
intuitively, these corrections take care of the fact that security
is never absolute: the probability that Eve knows an
$n$-bit key is at least $2^{-n}$, which is strictly positive. In this
review, we restrict our attention to the asymptotic case,
not because finite-key corrections are negligible (quite
the opposite seems to be true [17]) but because their estimate
is still the object of on-going research (see VIII.A.1
for the state-of-the-art).
C. Notions of Security
1. Unconditional security, and its conditions
The appeal of QKD comes mainly from the fact that,
in principle, it can achieve unconditional security. This
technical term means that security can be proved with-
out imposing any restriction on the computational re-
sources or the manipulation techniques that are available
to the eavesdropper acting on the signal. The possibil-
ity of achieving unconditional security in QKD is deeply
rooted in quantum physics. To learn something about
the key, Eve must interact with the quantum system;
now, if the coding uses randomly chosen non-orthogonal
states, Eve’s intervention necessarily modifies the state
on average, and this modification can be observed by the
parties. As we discussed in Sec. I.B, there are many
equivalent formulations of this basic principle. However
formulated, it must be stressed that this criterion can
be made quantitative: the observed perturbations in the
quantum channel allow computing a bound on the infor-
mation that Eve might have obtained.
17 For instance, in the only experiment analyzed with finite-key
formalism to date (Hasegawa et al., 2007), the authors extracted
$r \approx 2\%$, whereas, for the observed error rate, the asymptotic
bound would have yielded $r \gtrsim 40\%$!
Like many other technical terms, the wording “uncon-
ditional security” has to be used in its precise meaning
given above, and not as a synonym of “absolute secu-
rity” — something that does not exist. As a matter of
fact, unconditional security of QKD holds under some
conditions. First of all, there are some compulsory re-
quirements:
1. Eve cannot intrude into Alice’s and Bob’s devices to
access either the emerging key or their choices of
settings (we shall see in Sec. III.B.4 how complex
it is to check this point thoroughly).
2. Alice and Bob must trust the random number gen-
erators that select the state to be sent or the mea-
surement to be performed.
3. The classical channel is authenticated with
unconditionally secure protocols, which ex-
ist (Carter and Wegman, 1979; Stinson, 1995;
Wegman and Carter, 1981).
4. Eve is limited by the laws of physics. This requirement
can be sharpened: in particular, one can ask
whether security can be based on a restricted set
of laws [18]. In this review, as in the whole field of
practical QKD, we assume that Eve has to obey
the whole of quantum physics.
We shall take these requirements, the failure of which
would obviously compromise any security, as granted.
Even so, many other issues have to be settled, before
unconditional security is claimed for a given protocol:
for instance, the theoretical description of the quantum
states must match the signals that are really exchanged;
the implementations must be proved free of unwanted in-
formation leakage through side-channels or back-doors,
against which no theoretical protection can be invoked.
2. Definition of security
The security of a key K can be parametrized by its
deviation ε from a perfect key, which is defined as a list
18 As we have seen (I.B.2), intuition suggests that the security of
QKD can be traced back to a few specific principles or laws
like “no-cloning” or “non-locality without signaling”. One may
ask whether this intuition may be made fully rigorous. Con-
cretely, since any theory that does not allow signaling and is
non-local exhibits a no-cloning theorem (Barnum et al., 2006;
Masanes, Acín and Gisin, 2006), and since non-locality itself
can be checked, one may hope to derive security only from
the physical law of no-signaling. In this framework, as of to-
day, unconditional security has been proved only in the case
of strictly error-free channels and for a key of vanishing length
(Barrett, Hardy and Kent, 2005). Only limited security has been
proved in more realistic cases (Acín, Gisin and Masanes, 2006;
Scarani et al., 2006). Recently, Masanes showed that uncondi-
tional composable security can be proved if no-signaling is as-
sumed not only between Alice and Bob, but also among the
systems that are measured by each partner (Masanes, 2009).
of perfectly correlated symbols shared between Alice and
Bob, on which Eve has no information (in particular, all
the possible lists must be equally probable a priori). A
definition of security is a choice of the quantity that is re-
quired to be bounded by ε; a key that deviates by ε from
a perfect key is called ε-secure. The main property that a
definition of security must fulfill is composability, meaning
that the security of the key is guaranteed whatever
its application may be; more precisely: if an ε-secure
key is used in an ε′-secure task [19], composability ensures
that the whole procedure is at least (ε + ε′)-secure.
A composable definition of security is the one based on
the trace-norm (Ben-Or et al., 2005; Renner and König,
2005): $\frac{1}{2} \| \rho_{KE} - \tau_K \otimes \rho_E \|_1 \leq \varepsilon$, where $\rho_{KE}$ is the actual
state containing some correlations between the final key
and Eve, $\tau_K$ is the completely mixed state on the set $K$
of possible final keys and $\rho_E$ is any state of Eve. In this
definition, the parameter ε has a clear interpretation as
the maximum failure probability of the process of key extraction.
As the dates of the references show, the issue of
composability was raised rather late in the development
of QKD. Most, if not all, of the early security studies
had adopted a definition of security that is not composable,
but the asymptotic bounds that were derived can
be “redeemed” using a composable definition [20].
3. Security proofs
Once the security criterion is defined, one can derive a
full security proof, leading to an explicit (and hopefully
computable) expression for the length of the extractable
19 For instance, the One-Time Pad is a 0-secure task; while any
implementation of channel authentication, for which a part of
the key is used (II.B.1), must allow for a non-zero ε′.
20 The early proofs defined security by analogy with the classical
definition: Eve, who holds a quantum state $\rho_E$, performs
the measurement $M$ which maximizes her mutual information
with the key $K$. This defines the so-called accessible information
$I_{acc}(K : \rho_E) = \max_{E=M(\rho_E)} I(K : E)$, and the security
criterion reads $I_{acc}(K : \rho_E) \leq \varepsilon$. As for the history of claims,
it is quite intricate. Accessible information was first claimed to
provide composable security (Ben-Or et al., 2005). The proof is
correct, but composability follows from the use of two-universal
hashing in the privacy amplification step (see III.B.1), rather
than from the properties of accessible information itself. Indeed,
shortly afterwards, an explicit counterexample showed that accessible
information is in general not composable for any reasonable
choice of the security parameter ε (König et al., 2007). The reason
why accessible information is not composable can be explained
qualitatively: this criterion supposes that Eve performs
a measurement to guess the key at the end of the key exchange.
But Eve may prefer not to measure her systems until the key
is actually used in a further protocol: for instance, if a plaintext
attack can reveal some information, Eve would certainly do better
to adapt her measurement to this additional knowledge. The
counterexample also implies that the classical results on privacy
amplification by two-universal hashing (Bennett et al., 1995) do
not apply and have to be replaced by a quantum version of the
statement (Renner and König, 2005).
secret key rate. Several techniques have been used:
• The very first proofs by Mayers were somehow
based on the uncertainty principle (Mayers, 1996,
2001). This approach has been revived recently by
Koashi (Koashi, 2006, 2007).
• Most of the subsequent security proofs have
been based on the correspondence between
entanglement distillation and classical post-
processing, generalizing the techniques of
Shor and Preskill (Shor and Preskill, 2000).
For instance, the most developed security
proofs for imperfect devices follow this pattern
(Gottesman, Lo, Lütkenhaus and Preskill,
2004).
• The most recent techniques use rather
information-theoretical notions (Ben-Or, 2002;
Kraus, Gisin and Renner, 2005; Renner, 2005;
Renner, Gisin and Kraus, 2005).
A detailed description of how a security proof is built
goes beyond the scope of this review. The core lies in
how to relate the security requirement
$\frac{1}{2} \| \rho_{KE} - \tau_K \otimes \rho_E \|_1 \leq \varepsilon$
to a statement about the length ℓ of the secret
key that can be extracted. This step is achieved using
inequalities that can be seen as a generalization of the
Chernoff bound. In other words, one must use or prove
an inequality of the form
$$\mathrm{Prob}\left[ \| \rho_{KE} - \tau_K \otimes \rho_E \|_1 > 2\varepsilon \right] \lesssim e^{\ell - F(\rho_{KE},\varepsilon)} \qquad (7)$$
where we omitted constant factors. From such an inequality,
one immediately reads that the security requirement
will fail with exponentially small probability provided
$\ell \lesssim F(\rho_{KE}, \varepsilon)$. Explicit security bounds will be
provided below (Sec. III.B) for the asymptotic limit of
infinitely long keys; note that in this limit one can take
ε → 0, whence no explicit dependence on ε is manifest in
those expressions.
D. Explicit Protocols
1. Three families
The number of explicit QKD protocols is virtually in-
finite: after all, Bennett has proved that security can be
obtained when coding a bit in just two non-orthogonal
quantum states (Bennett, 1992). But as a matter of
fact, this possible variety has crystallized into three main
families: discrete-variable coding (II.D.2), continuous-
variable coding (II.D.3), and more recently distributed-
phase-reference coding (II.D.4). The crucial difference
is the detection scheme: discrete-variable coding and
distributed-phase-reference coding use photon counting
and post-select the events in which a detection has ef-
fectively taken place, while continuous-variable coding
is defined by the use of homodyne detection (detection
techniques are reviewed in Sec. II.G).
Discrete-variable coding is the original one. Its main
advantage is that protocols can be designed in such a way
that, in the absence of errors, Alice and Bob would share
immediately a perfect secret key. They are still the most
implemented QKD protocols. Any discrete quantum degree
of freedom can be chosen in principle, but the most
frequent ones are polarization for free-space implementations
and phase-coding in fiber-based implementations [21].
The case for continuous-variable coding stems from the
observation that photon counters normally feature low
quantum efficiencies, high dark count rates, and rather
long dead times, whereas these inconveniences can be overcome
by using homodyne detection. The price to pay is
that the protocol provides Alice and Bob with correlated
but rather noisy realizations of a continuous random variable,
because losses translate into noise (see I.B.3): as a
consequence, a significant amount of error correction
must be used. In short, the issue is whether it is
better to build up slowly a noiseless raw key, or rapidly a
noisy one. As for distributed-phase-reference coding, its
origin lies in the effort of some experimental groups to-
ward a more and more practical implementation. From
the point of view of detection, these protocols produce
a discrete-valued result; but the nature of the quantum
signals is very different from the case of discrete-variable
coding, and this motivates a separate treatment.
Despite the differences originating from the use of a
different detection device, there is a strong conceptual
unity underlying discrete- and continuous-variable QKD.
To take just one example, in both cases the ability to
distribute a quantum key is closely related to the abil-
ity to distribute entanglement, regardless of the detec-
tion scheme used and even if no actual entanglement is
present. These similarities are not very surprising since
it has long been known that the quantum features of
light may be revealed either via photon counting (e.g.,
antibunching or anticorrelation experiments) or via ho-
modyne detection (e.g., squeezing experiments). Being a
technique that exploits these quantum features of light,
QKD has thus no reason to be restricted to the photon-
counting regime. Surprisingly, just like antibunching (or
a single-photon source) is not even needed in photon-
counting based QKD, we shall see that squeezing is not
needed in homodyne-detection based QKD. The only
quantum feature that happens to be needed is the non-
orthogonality of light states.
21 Other degrees of freedom have been explored, for instance coding
in sidebands of phase-modulated light (Mérolla et al., 1999)
and time-coding (Boucher and Debuisschert, 2005). Energy-time
entanglement also gives rise to a peculiar form of coding
(Tittel et al., 2000).
2. Discrete-variable Protocols
a. BB84-BBM. The best known discrete-variable proto-
col is of course BB84 (Bennett and Brassard, 1984), that
we introduced in Sec. I.B. The corresponding EB pro-
tocol is known as BBM (Bennett, Brassard and Mermin,
1992); the E91 protocol (Ekert, 1991) is equivalent to it
when implemented with qubits. Alice prepares a single
particle in one of the four states:
$$\begin{array}{ll} |{+}x\rangle,\ |{-}x\rangle, & \text{eigenstates of } \sigma_x \\ |{+}y\rangle,\ |{-}y\rangle, & \text{eigenstates of } \sigma_y \end{array} \qquad (8)$$
where the σ’s are Pauli operators. The states with “+”
code for the bit value 0, the states with “−” for the bit
value 1. Bob measures either $\sigma_x$ or $\sigma_y$. In the absence of
errors, measurement in the correct basis reveals the bit-value
encoded by Alice. The protocol includes a sifting
phase: Alice reveals the basis, X or Y, of each of her
signals; Bob accepts the values for which he has used the
same basis and discards the others [22].
Unconditional security of BB84-BBM has
been proved with many different techniques
(Kraus, Gisin and Renner, 2005; Lo and Chau, 1999;
Mayers, 1996, 2001; Shor and Preskill, 2000). The same
coding can be implemented with other sources, leading
to a family of BB84-like protocols. We review them at
length in Sec. IV.B.
b. SARG04. The SARG04 protocol
(Acín, Gisin and Scarani, 2004;
Scarani, Acín, Ribordy and Gisin, 2004) uses the
same four states (8) and the same measurements on
Bob’s side as BB84, but the bit is coded in the basis
rather than in the state (basis X codes for 0 and basis
Y codes for 1). Bob has to choose his bases with probability
$\frac{1}{2}$. The creation of the raw key is slightly more
complicated than in BB84. Suppose for definiteness
that Alice sends $|{+}x\rangle$: in the absence of errors, if Bob
measures X he gets $s_b = +$; if he measures Y, he may
get either $s_b = +$ or $s_b = -$ with equal probability. In the sifting
phase, Bob reveals $s_b$; Alice tells him to accept if she
had prepared a state with $s_a \neq s_b$, in which case Bob
accepts the bit corresponding to the basis he has not
used. The reason is clear in the example above: in the
22 In the original version of BB84, both bases are used with the
same probability, so that the sifting factor is $p_{sift} = \frac{1}{2}$, i.e. only
half of the detected bits will be kept in the raw key. But the
protocol can be made asymmetric without changing the security
(Lo, Chau and Ardehali, 1998-2005): Alice and Bob can agree
on using one basis with probability $1 - \epsilon$ where $\epsilon$ can be taken
as small as one wants, so as to have $p_{sift} \approx 1$ (recall that we
are considering only asymptotic bounds; in the finite key regime,
the optimal value of $\epsilon$ can be computed (Scarani and Renner,
2008)).
absence of errors, $s_b = -$ singles out the wrong basis [23].
SARG04 was invented for implementations with at-
tenuated laser sources, because it is more robust than
BB84 against the PNS attacks. Unconditional security
has been proved; we shall review the main results in Sec.
IV.D.
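The BB84 and SARG04 sifting rules described above, side by side, as an added Python simulation (not code from the paper). It assumes a lossless, error-free channel with no eavesdropper, and takes the SARG04 acceptance condition to be $s_a \neq s_b$, which is what the walk-through with $|{+}x\rangle$ requires; all function names are illustrative.

```python
import random

BASES = ("X", "Y")   # eigenbases of sigma_x and sigma_y, as in Eq. (8)
SIGNS = (+1, -1)     # the "+" and "-" eigenstates

def bob_measures(state, bob_basis, rng):
    """Ideal measurement: same basis returns Alice's sign, the other basis
    returns + or - with equal probability."""
    basis, sign = state
    return sign if bob_basis == basis else rng.choice(SIGNS)

def bb84_round(state, bob_basis, s_b):
    """BB84: the bit is the sign. Alice reveals her basis; the item is kept
    only if Bob used the same one. Returns (alice_bit, bob_bit) or None."""
    basis, sign = state
    if bob_basis != basis:
        return None
    return (0 if sign == +1 else 1, 0 if s_b == +1 else 1)

def sarg04_round(state, bob_basis, s_b):
    """SARG04: the bit is the basis (X -> 0, Y -> 1). Bob reveals s_b; Alice
    accepts if s_a != s_b; Bob then takes the basis he did NOT use."""
    basis, sign = state
    if s_b == sign:
        return None
    unused = "Y" if bob_basis == "X" else "X"
    return (BASES.index(basis), BASES.index(unused))

def simulate(sift_round, n, seed):
    """Run n signals through one sifting rule and compare the raw keys."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n):
        state = (rng.choice(BASES), rng.choice(SIGNS))   # Alice's preparation
        bob_basis = rng.choice(BASES)                    # chosen with prob. 1/2
        s_b = bob_measures(state, bob_basis, rng)
        kept = sift_round(state, bob_basis, s_b)
        if kept is not None:
            alice_key.append(kept[0])
            bob_key.append(kept[1])
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    return {"sift_fraction": len(alice_key) / n, "errors": errors,
            "alice_key": alice_key, "bob_key": bob_key}

if __name__ == "__main__":
    for name, rule in (("BB84", bb84_round), ("SARG04", sarg04_round)):
        result = simulate(rule, 20000, seed=2004)
        print(f"{name:7s} sift fraction = {result['sift_fraction']:.3f}, "
              f"errors in raw key = {result['errors']}")
```

In this ideal setting both raw keys are error-free, and the kept fraction is close to 1/2 for BB84 and close to 1/4 for SARG04, since a SARG04 item survives only when Bob picks the other basis and also obtains the opposite sign.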
c. Other discrete-variable protocols. A large number of
other discrete-variable protocols have been proposed; all
of them have features that make them less interesting
for practical QKD than BB84 or SARG04.
The six-state protocol
(Bechmann-Pasquinucci and Gisin, 1999; Bennett et al.,
1984; Bruß, 1998) follows the same structure as BB84,
to which it adds the third mutually unbiased basis
Z defined by the Pauli matrix σz. Its unconditional
security has been proved quite early (Lo, 2001). The
interest of this protocol lies in the fact that the channel
estimation becomes “tomographically complete”, that
is, the measured parameters completely characterize the
channel. As a consequence, more noise can be tolerated
with respect to BB84 or SARG04. However, noise is
quite low in optical setups, while losses are a greater
concern (see II.F). In this respect, the six-state protocol performs
worse, because it requires additional lossy optical components.
Similar considerations apply to the six-state
version of the SARG04 coding (Tamaki and Lo, 2006)
and to the Singapore protocol (Englert et al., 2004).
The coding of BB84 and six-state has been
generalized to larger dimensional quantum sys-
tems (Bechmann-Pasquinucci and Peres, 2000;
Bechmann-Pasquinucci and Tittel, 2000). For any
d, protocols that use either two or d + 1 mutually
unbiased bases have been defined (Cerf et al., 2002).
Unconditional security was not studied; for restricted at-
tacks, the robustness to noise increases with d. Time-bin
coding allows producing d-dimensional quantum states
of light in a rather natural way (De Riedmatten et al.,
2004; Thew et al., 2004). However, the production and
detection of these states requires d-arm interferometers
with couplers or switches, that must moreover be kept
stable. Thus again, the possible advantages are overcome
by the practical issues of losses and stability.
Finally, we have to mention the B92 protocol (Bennett,
1992), which uses only two non-orthogonal states, each
one coding for one bit-value. In terms of encoding,
this is obviously the most economic possibility.
23 In an alternative version of the sifting, Alice reveals that the
state she sent belongs to one of the two sets $\{|s_a x\rangle, |s_a y\rangle\}$, and
Bob accepts if he has detected a state $s_b \neq s_a$. This is a simplified
version with respect to the original proposal, where Alice
could declare any of the four sets of two non-orthogonal states.
The fact that the two versions are equivalent in terms of security
was not clear when the first rigorous bounds were derived
(Branciard et al., 2005), but was verified later.
Unfortunately, B92 is a rather sensitive protocol: as noticed
already in the original paper, this protocol is secure
only if some other signal (e.g. a strong reference
pulse) is present along with the two states that code the
bit. Unconditional security has been proved for single-photon
implementations (Tamaki, Koashi and Imoto,
2003; Tamaki and Lütkenhaus, 2004) and for some implementations
with a strong reference pulse (Koashi,
2004; Tamaki et al., 2006). Incidentally, SARG04 may
be seen as a modified B92, in which a second set of
non-orthogonal states is added; actually, an almost
forgotten protocol served as a link between the two
(Huttner et al., 1995).
3. Continuous-variable Protocols
Discrete-variable coding can be implemented with sev-
eral sources, but requires photon-counting techniques.
An alternative approach to QKD has been suggested, in
which the photon counters are replaced by standard tele-
com PIN photodiodes, which are faster (GHz instead of
MHz) and more efficient (typically 80% instead of 10%).
The corresponding schemes are then based on homodyne
detection (II.G.2) and involve measuring data that are
real amplitudes instead of discrete events; hence these
schemes are named continuous-variable (CV) QKD.
The first proposals suggesting the use of homodyne de-
tection in QKD are due to (Hillery, 2000; Ralph, 1999;
Reid, 2000). In particular, a squeezed-state version of
BB84 was proposed in (Hillery, 2000), where Alice’s basis
choice consists of selecting whether the state of light sent
to Bob is squeezed in either quadrature q = x or q = p.
Next, this q-squeezed state is displaced in q either by +c
or −c depending on a random bit chosen by Alice, where
c is an appropriately chosen constant. Bob’s random ba-
sis choice defines whether it is the x or p quadrature that
is measured. The sifting simply consists in keeping only
the instances where Alice and Bob’s chosen quadratures
coincide. In this case, the value measured by Bob is dis-
tributed according to a Gaussian distribution centered
on the value (+c or −c) sent by Alice. In some sense,
this protocol can be viewed as “hybrid” because Alice’s
data are binary while Bob’s data are real (Gaussian dis-
tributed).
These early proposals and their direct generalization
are called CV protocols with discrete modulation; at the
same time, another class of CV protocols was proposed
that rather use a continuous modulation, in particular a
Gaussian modulation. Although CV protocols are much
more recent than discrete-variable protocols, their security
proofs have been progressing steadily over the last
years, and are now close to reaching a comparable status:
see a thorough discussion in Sec. V.A.
a. Gaussian protocols. The first proposed Gaussian QKD
protocol was based on squeezed states of light, which are
modulated with a Gaussian distribution in the x or p
quadrature by Alice, and are measured via homodyne detection
by Bob (Cerf, Lévy and Van Assche, 2001). This
protocol can be viewed as the proper continuous-variable
counterpart of BB84 in the sense that the average state
sent by Alice is the same regardless of the chosen basis (it
is a thermal state, replacing the maximally-mixed qubit
state in BB84). The security of this protocol can be
analyzed using the connection with continuous-variable
cloning (Cerf, Ipe and Rottenberg, 2000); using a con-
nection with quantum error-correcting codes, uncondi-
tional security was proved when the squeezing exceeds
2.51 dB (Gottesman and Preskill, 2001). The main draw-
back of this protocol is the need for a source of squeezed
light.
A second Gaussian QKD protocol was therefore devised, in which Alice generates coherent states of light, which are then Gaussian modulated both in x and p, while Bob still performs homodyne detection (Grosshans and Grangier, 2002a). A first proof-of-principle experiment, supplemented with the technique of reverse reconciliation [24], was run with bulk optical elements on an optics table (Grosshans, Van Assche et al., 2003). Subsequent experiments have used optical fibers and telecom wavelengths. The scheme was thus implemented over distances up to 14 km using a Plug&Play configuration (Legré, Zbinden and Gisin, 2006), then up to 25 km by time-multiplexing the local oscillator pulses with the signal pulses in the same optical fiber and using an improved classical post-processing (Lodewyck et al., 2005; Lodewyck, Bloch et al., 2007). Another fiber-based implementation over 5 km has been reported (Qi, Huang et al., 2007).
Note that, in these two first protocols, Bob randomly
chooses to homodyne one quadrature, either x or p. In
the squeezed-state protocol, this implies the need for sifting.
Bob indeed needs to reject the instances where he
measured a quadrature other than the one modulated
by Alice, which results in a decrease of the key rate by a
factor of 2 (this factor may actually be reduced arbitrar-
ily close to 1 by making an asymmetric choice between x
and p, provided that the key length is sufficiently large)
(Lo, Chau and Ardehali, 1998-2005). In the coherent-
state protocol, Alice simply forgets the quadrature that
is not measured by Bob, so that all pulses do carry useful
information that is exploited to establish the final secret
key.
The fact that Alice, in this second protocol, discards half of her data may look like a loss of efficiency since some information is transmitted and then lost. A third Gaussian QKD protocol was therefore proposed (Weedbrook et al., 2004), in which Alice still transmits doubly-modulated coherent states drawn from a bivariate Gaussian distribution, but Bob performs heterodyne instead of homodyne measurements [25], that is, he measures both x and p quadratures simultaneously. At first sight, this seems to imply that the rate is doubled since Bob then acquires a pair of quadratures (x, p). Actually, since heterodyne measurement introduces one additional unit of vacuum noise on the measured quadratures, the two quadratures received by Bob are noisier than the single quadrature in the homodyne-based protocol. The net effect, however, is often an increase of the key rate when the two quadratures are measured simultaneously. In addition, a technological advantage of this heterodyne-based coherent-state protocol is that there is no need to choose a random quadrature at Bob’s side (that is, no active basis choice is needed). The experiment has been realized (Lance et al., 2005).

[24] In all Gaussian QKD protocols, reversing the one-way reconciliation procedure (i.e., using Bob’s measured data instead of Alice’s sent data as the raw key) is beneficial in terms of attainable range, provided that the noise is not too large. We will come back to this point in Section V.
Finally, a fourth Gaussian QKD protocol was introduced
recently (García-Patrón, 2007), which completes
this family of Gaussian QKD protocols. Here,
Alice sends again squeezed states, as in the protocol
of (Cerf, Lévy and Van Assche, 2001), but Bob performs
heterodyne measurements, as in the protocol of
(Weedbrook et al., 2004). This protocol is associated
with the highest rate and range among all Gaussian QKD
protocols, but requires a source of squeezed light.
As seen in the discussion about BB84 and SARG04 above, the classical processing turns out to be an essential element of the protocol for CV QKD as well. As will be discussed later (V.A), the performance of CV-QKD protocols depends crucially on the exact protocol that extracts the secret key from the experimental data. Two important tools here are reverse reconciliation (Grosshans and Grangier, 2002a) and post-selection (Silberhorn et al., 2002). As shown in (Heid and Lütkenhaus, 2007), the combination of both will lead to the optimal key rate.
b. Discrete-modulation protocols. On the side of practical implementation, it is desirable to keep the number of signals as low as possible, and also to minimize the number of parameters in the detection process that need to be monitored. The deep reason behind this is that in practical implementations one has at some stage to consider finite size effects in the statistics and also in the security proof. For a continuous family of signals, it will be intuitively harder to get hold of these finite size effects and to include statistical fluctuations of observations into a full security proof.
For this reason, it becomes interesting to have a look at QKD systems that combine a finite number of signals with the continuous variable detection schemes: discrete-modulation protocols have been devised following this proposal, some based on coherent states instead of squeezed states (Silberhorn et al., 2002). The signals consist here of a weak coherent state together with a strong phase reference. The signal is imprinted onto the weak coherent state by setting the relative optical phase between weak coherent state and reference pulse either to 0 or π. Schematically, the strong phase reference could be represented by two local oscillators, e.g. phase-locked lasers at the sending and receiving station. This type of signal has been used already in the original B92 protocol (Bennett, 1992). The receiver then uses the local oscillator in the homodyne or heterodyne measurement. The security of this protocol is still based on the fact that the weak signal pulses represent non-orthogonal signal states.

[25] This possibility was also suggested for postselection-based protocols in (Lorenz, Korolkova and Leuchs, 2004), and the experiment has been performed (Lorenz et al., 2006).
On the receiver side, homodyne detection is performed
by choosing at random one of the two relevant quadrature
measurements (one quadrature serves the purpose
of measuring the bit values, the other one
serves to monitor the channel to limit possible
eavesdropping attacks). Alternatively, a heterodyne
measurement can, in a way, monitor both quadratures.
Consider for definiteness a simple detection scheme, in
which bit-values are assigned by the sign of the detec-
tion signal, + or −, with respect to the half-planes in
the quantum optical phase space in which the two sig-
nals reside. As a result, both sender and receiver have
binary data at hand. As in the case of Gaussian modu-
lation, they can now perform post-selection of data, and
use error-correction and privacy amplification to extract
secret keys from these data.
4. Distributed-phase-reference Protocols
Both discrete- and continuous-variable protocols have
been invented by theorists. Some experimental groups, in
their developments toward practical QKD systems, have
conceived new protocols, which do not fit in the cate-
gories above. In these, like in discrete-variable protocols,
the raw keys are made of realizations of a discrete variable
(a bit) and are already perfectly correlated in the absence
of errors. However, the quantum channel is monitored us-
ing the properties of coherent states — more specifically,
by observing the phase coherence of subsequent pulses;
whence the name distributed-phase-reference protocols.
The first such protocol has been called Differential-Phase-Shift (DPS) (Inoue, Waks and Yamamoto, 2002, 2003). Alice produces a sequence of coherent states of same intensity

$$|\Psi(S_n)\rangle = \ldots\, |e^{i\varphi_{k-1}}\sqrt{\mu}\rangle\, |e^{i\varphi_k}\sqrt{\mu}\rangle\, |e^{i\varphi_{k+1}}\sqrt{\mu}\rangle\, \ldots \qquad (9)$$

where each phase can be set at $\varphi = 0$ or $\varphi = \pi$ (Fig. 2). The bits are coded in the difference between two successive phases: $b_k = 0$ if $e^{i\varphi_k} = e^{i\varphi_{k+1}}$ and $b_k = 1$ otherwise. This can be unambiguously discriminated using an unbalanced interferometer. The complexity in the analysis of this protocol lies in the fact that $|\Psi(S_n)\rangle \neq |\psi(b_1)\rangle \otimes \ldots \otimes |\psi(b_n)\rangle$: the k-th pulse contributes to both the k-th and the (k + 1)-st bit. The DPS protocol has been already the object of several experimental demonstrations (Diamanti et al., 2006; Takesue et al., 2005, 2007).

FIG. 2 The two distributed-phase reference protocols: differential phase shift (DPS, top) and coherent one-way (COW, bottom). Legend: PM: phase modulator; IM: intensity modulator. See text for description.
In the protocol called Coherent-One-Way (COW) (Gisin et al., 2004; Stucki et al., 2005), each bit is coded in a sequence of one non-empty and one empty pulse:

$$|0\rangle_k = |\sqrt{\mu}\rangle_{2k-1}\, |0\rangle_{2k}, \qquad |1\rangle_k = |0\rangle_{2k-1}\, |\sqrt{\mu}\rangle_{2k}. \qquad (10)$$

These two states can be unambiguously discriminated in an optimal way by just measuring the time of arrival (Fig. 2). For the channel estimation, one checks the coherence between two successive non-empty pulses; these can be produced on purpose as a “decoy sequence” $|\sqrt{\mu}\rangle_{2k-1} |\sqrt{\mu}\rangle_{2k}$, or can happen as $|\sqrt{\mu}\rangle_{2k} |\sqrt{\mu}\rangle_{2k+1}$ across a bit separation, when a sequence $|1\rangle_k |0\rangle_{k+1}$ is coded. This last check, important to detect PNS attacks, implies that the phase between any two successive pulses must be controlled; therefore, as it happened for DPS, the whole sequence must be considered as a single signal. A prototype of a full QKD system based on COW has been reported recently (Stucki et al., 2008).
Both DPS and COW are P&M schemes, tailored for
laser sources. It has not yet been possible to derive a
bound for unconditional security, because the existing
techniques apply only when $|\Psi(S_n)\rangle$ can be decomposed
in independent signals. We shall review the status of
partial security proofs in Sec. VI.
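The encodings of Eqs. (9) and (10) can be traced in a short noiseless simulation, added here as an illustration (it is not code from the paper). It shows that disturbing one DPS pulse changes two adjacent bits, and lists the COW pulse pairs available for the coherence check. The function names, the default intensity µ = 0.1 and the sample sequences are constructed for this example.

```python
import cmath
import math

def dps_encode(bits, first_phase=0.0):
    """Phases (0 or pi) of the n+1 pulses whose successive differences carry `bits`."""
    phases = [first_phase]
    for b in bits:
        phases.append((phases[-1] + math.pi * b) % (2 * math.pi))
    return phases

def dps_outputs(phases, mu):
    """Mean photon numbers (I0, I1) at the two ports of an ideal, lossless
    one-pulse-delay interferometer, for every pair of successive pulses."""
    out = []
    for a, b in zip(phases, phases[1:]):
        amp_a = math.sqrt(mu) * cmath.exp(1j * a)
        amp_b = math.sqrt(mu) * cmath.exp(1j * b)
        # Each pulse is halved at the input coupler; the two halves that
        # overlap in time are recombined at the output coupler.
        out.append((abs((amp_a + amp_b) / 2) ** 2, abs((amp_a - amp_b) / 2) ** 2))
    return out

def dps_decode(phases, mu=0.1):
    """Bit 0 when the light leaves through port D0 (equal phases), else 1."""
    return [0 if i0 > i1 else 1 for i0, i1 in dps_outputs(phases, mu)]

def flip_pulse(phases, j):
    """Add pi to the phase of pulse j only (a disturbance of a single pulse)."""
    changed = list(phases)
    changed[j] = (changed[j] + math.pi) % (2 * math.pi)
    return changed

# COW symbols as (pulse 2k-1, pulse 2k); 1 = non-empty pulse, "d" = decoy sequence.
COW_SYMBOLS = {0: (1, 0), 1: (0, 1), "d": (1, 1)}

def cow_encode(symbols):
    pulses = []
    for s in symbols:
        pulses.extend(COW_SYMBOLS[s])
    return pulses

def cow_decode(pulses):
    """Time-of-arrival decoding of a sequence produced by cow_encode."""
    lookup = {v: k for k, v in COW_SYMBOLS.items()}
    return [lookup[(pulses[i], pulses[i + 1])] for i in range(0, len(pulses), 2)]

def cow_coherence_checks(pulses):
    """Positions j (1-based) where pulses j and j+1 are both non-empty:
    inside a decoy sequence (j odd) or across a bit separation (j even)."""
    checks = []
    for j in range(1, len(pulses)):
        if pulses[j - 1] and pulses[j]:
            checks.append((j, "decoy" if j % 2 == 1 else "boundary"))
    return checks

if __name__ == "__main__":
    bits = [0, 1, 1, 0, 1]                      # constructed sample key bits
    phases = dps_encode(bits)
    print("DPS decoded:         ", dps_decode(phases))
    print("after flipping pulse 2:", dps_decode(flip_pulse(phases, 2)))
    pulses = cow_encode([1, 0, "d", 0, 1])      # constructed sample sequence
    print("COW pulses:", pulses)
    print("coherence checks:", cow_coherence_checks(pulses))
```

Because every pulse takes part in two interference slots (DPS) or in a possible cross-boundary pair (COW), neither sequence factorizes into independent per-bit signals.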
E. Sources
1. Lasers
Lasers are the most practical and versatile light sources
available today. For this reason, they are chosen by the
vast majority of groups working in the field. Of course,
all implementations in which the source is a laser are
P&M schemes. For the purposes of this review, we don’t
have to delve deep into laser physics. The output of a
laser in a given mode is described by a coherent state of
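the field

$$|\sqrt{\mu}\, e^{i\theta}\rangle \equiv |\alpha\rangle = e^{-\mu/2} \sum_{n=0}^{\infty} \frac{\alpha^n}{\sqrt{n!}}\, |n\rangle \qquad (11)$$

where $\mu = |\alpha^2|$ is the average photon number (also called intensity). The phase factor $e^{i\theta}$ is accessible if a reference for the phase is available; if not, the emitted state is rather described by the mixture

$$\rho = \int_0^{2\pi} \frac{d\theta}{2\pi}\, |\alpha\rangle\langle\alpha| = \sum_n P(n|\mu)\, |n\rangle\langle n| \qquad (12)$$

with

$$P(n|\mu) = e^{-\mu}\, \frac{\mu^n}{n!}. \qquad (13)$$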
Since two equivalent decompositions of the same density
matrix cannot be distinguished, one may say as well that,
in the absence of a phase reference, the laser produces a
Poissonian mixture of number states.
The randomization of θ generalizes to multimode co-
herent states (Mølmer, 1997; van Enk and Fuchs, 2002).
Consider the two-mode coherent state $|\sqrt{\mu}\, e^{i(\theta+\varphi)}\rangle\, |\sqrt{\mu'}\, e^{i\theta}\rangle$ that may describe, for instance, a weak pulse and a reference beam. The phase $\varphi$ is the relative phase between the two modes and is well-defined, but the common phase $\theta$ is random. One can then carry out the same integral as before; the resulting ρ is the Poissonian mixture with average photon number $\mu + \mu'$ and the number states generated in the mode described by the creation operator $A^\dagger = \left(e^{i\varphi}\sqrt{\mu}\, a_1^\dagger + \sqrt{\mu'}\, a_2^\dagger\right)/\sqrt{\mu + \mu'}$.
Let us turn now to QKD. The existence of a reference for the phase is essential in both continuous-variable and distributed-phase-reference protocols: after all, these protocols have been designed having specifically in mind the laser as a source. On the contrary, when attenuated lasers are used to approximate qubits in discrete protocols, the phase reference does not play any role. In these implementations, ρ given in (12) is generically [26] an accurate description of the quantum signal outside Alice’s lab. Since ρ commutes with the measurement of the number of photons, this opens the possibility of the photon-number-splitting (PNS) attacks (Bennett, 1992; Brassard et al., 2000; Lütkenhaus, 2000), a major concern in practical QKD that will be addressed in Sec. III.B.3.

[26] One must be careful though: the fact that the phase reference is not used in the protocol does not necessarily mean that such a reference is physically not available. In particular, such reference is available for some sources, e.g. when a mode-locked laser is used to produce pulses. In such cases, even though Alice and Bob don’t use the phase coherence in the protocol, the signal is no longer correctly described by (12), and Eve can in principle take advantage of the existing coherence to obtain more information (Lo and Preskill, 2007). Therefore it is necessary to implement active randomization (Gisin et al., 2006; Zhao, Qi and Lo, 2007).

2. Sub-Poissonian Sources
Sub-Poissonian sources (sometimes called “single-photon sources”) come closer to a single-photon source than an attenuated laser, in the sense that the probability of emitting two photons is smaller. The quantum signal in each mode is taken to be a photon-number diagonal mixture with a very small contribution of the multi-photon terms. The quality of a sub-Poissonian source is usually measured through the second order correlation function

$$g_2(\tau) = \frac{\langle : I(t)\, I(t+\tau) : \rangle}{\langle I(t) \rangle^2} \qquad (14)$$

where $I(t)$ is the signal intensity emitted by the source and $: - :$ denotes normal ordering of the creation and annihilation operators. In particular, $g_2(0) \approx 2p(2)/p(1)^2$, while $p(n)$ is the probability that the source emits n photons. For Poissonian sources, $g_2(0) = 1$; the smaller $g_2(0)$, the closer the source is to an ideal single-photon source. It has been noticed that the knowledge of the efficiency and of $g_2$ is enough to characterize the performance of such a source in an implementation of BB84 (Waks, Santori and Yamamoto, 2002).
Sub-Poissonian sources have been, and still are, the object of intensive research; recent reviews cover the most meaningful developments (Lounis and Orrit, 2005; Shields, 2007). In the context of QKD, the discovery of PNS attacks triggered a lot of interest in sub-Poissonian sources, because they would reach much higher secret fractions. QKD experiments have been performed with such sources (Alléaume et al., 2004; Beveratos et al., 2002; Waks et al., 2002), also in fibers (Intallura et al., 2007) thanks to the development of sources at telecom wavelengths (Saint-Girons et al., 2006; Ward et al., 2005; Zinoni et al., 2006). At the moment of writing, this interest has significantly dropped, as it was shown that the same rate can be achieved with lasers by using decoy states, see IV.B.3 and IV.B.4. But the tide may turn again in the near future, for applications in QKD with quantum repeaters (Sangouard et al., 2007).
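The following numerical check of Eqs. (11)-(14) is an added example, not code from the paper. It averages $|\alpha\rangle\langle\alpha|$ over equally spaced phases in a truncated Fock basis and compares the result with the Poissonian mixture (13), then evaluates the multi-photon fraction and $g_2(0)$. The truncation dimension, the number of phase steps, µ = 0.1 and the sub-Poissonian sample distribution are constructed values.

```python
import cmath
import math

def poisson(n, mu):
    """P(n|mu) of Eq. (13)."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def coherent_amplitudes(mu, theta, dim):
    """Fock amplitudes <n|alpha> of Eq. (11), truncated to n < dim."""
    alpha = math.sqrt(mu) * cmath.exp(1j * theta)
    return [math.exp(-mu / 2) * alpha ** n / math.sqrt(math.factorial(n))
            for n in range(dim)]

def phase_averaged_rho(mu, dim, steps):
    """|alpha><alpha| averaged over `steps` equally spaced values of theta.
    For steps >= dim this reproduces the integral of Eq. (12) exactly on the
    truncated basis; steps = 1 is a source with a fixed, known phase."""
    rho = [[0j] * dim for _ in range(dim)]
    for s in range(steps):
        c = coherent_amplitudes(mu, 2 * math.pi * s / steps, dim)
        for m in range(dim):
            for n in range(dim):
                rho[m][n] += c[m] * c[n].conjugate() / steps
    return rho

def max_offdiagonal(rho):
    """Largest coherence |rho_mn|, m != n, between different photon numbers."""
    return max(abs(rho[m][n]) for m in range(len(rho))
               for n in range(len(rho)) if m != n)

def multiphoton_fraction(mu):
    """Share of the non-empty pulses that contain two or more photons."""
    p0, p1 = poisson(0, mu), poisson(1, mu)
    return (1 - p0 - p1) / (1 - p0)

def g2_zero(p):
    """g2(0) = <n(n-1)> / <n>^2 for a photon-number distribution p[n]."""
    mean = sum(n * pn for n, pn in enumerate(p))
    return sum(n * (n - 1) * pn for n, pn in enumerate(p)) / mean ** 2

def g2_zero_low_intensity(p):
    """The approximation g2(0) ~ 2 p(2) / p(1)^2 quoted in the text."""
    return 2 * p[2] / p[1] ** 2

if __name__ == "__main__":
    mu, dim = 0.1, 6
    randomized = phase_averaged_rho(mu, dim, steps=16)
    fixed = phase_averaged_rho(mu, dim, steps=1)
    print("coherence, randomized phase:", max_offdiagonal(randomized))
    print("coherence, fixed phase:     ", max_offdiagonal(fixed))
    print("multi-photon share of non-empty pulses:", multiphoton_fraction(mu))
    laser = [poisson(n, mu) for n in range(30)]
    print("laser g2(0):", g2_zero(laser), "approx:", g2_zero_low_intensity(laser))
    sub_poissonian = [0.50, 0.49, 0.01]          # constructed distribution
    print("sub-Poissonian g2(0):", g2_zero(sub_poissonian))
```

With a fixed phase the coherences between photon-number states remain, which is the situation in which (12) no longer describes the signal.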
3. Sources of Entangled Photons
Entangled photon pairs suitable for entanglement-based protocols or for heralded sub-Poissonian sources are mostly generated by spontaneous parametric down conversion (SPDC) (Mandel and Wolf, 1995). In this process some photons from a pump laser beam are converted, due to the non-linear interaction in an optical crystal [27], into pairs of photons with lower energies. The total energy and momentum are conserved. In QKD devices, cw-pumped sources are predominantly used.
In the approximation of two output modes, the state behind the crystal can be described as follows

$$|\psi\rangle_{PDC} = \sqrt{1-\lambda^2}\, \sum_{n=0}^{\infty} \lambda^n\, |n_A, n_B\rangle, \qquad (15)$$

where $\lambda = \tanh \xi$ with $\xi$ proportional to the pump amplitude, and where $|n_A, n_B\rangle$ denotes the state with n photons in the mode destined to Alice and n photons in the other mode destined to Bob. This is the so-called two-mode squeezed vacuum.
The photons are entangled in time and in frequen-
cies (energies); one can also prepare pairs of pho-
tons correlated in other degrees of freedom: polariza-
tion (Kwiat et al., 1995, 1999), time bins (Brendel et al.,
1999; Tittel et al., 2000), momenta (directions), or or-
bital angular momenta (Mair et al., 2001).
[27] Crystals like KNbO3, LiIO3, LiNbO3, β-BaB2O4, etc. Very promising are periodically-poled nonlinear materials (Tanzilli et al., 2001). Besides the spontaneous parametric down conversion, new sources of entangled photons based on quantum dots are tested in laboratories (Young et al., 2006). But these sources are still at an early stage of development. Their main drawback is the need of cryogenic environment.

The state (15) can be directly utilized in continuous-variable protocols. In the case of discrete-variable protocols, one would prefer only a single pair of photons per signal; however, SPDC always produces multi-pair components, whose presence must be taken into account. Let us describe this in the four-mode approximation, which is sufficient for the description of fs-pulse pumped SPDC (Li et al., 2005). An ideal two-photon maximally entangled state reads $|\Psi_2\rangle = \frac{1}{\sqrt{2}} \left(|1,0\rangle_A |1,0\rangle_B + |0,1\rangle_A |0,1\rangle_B\right)$ where each photon can be in two different modes (orthogonal polarizations, different time-bins...). This state can be approximately achieved if $\lambda \ll 1$, i.e. if the mean pair number per pulse $\mu = 2\lambda^2/(1-\lambda^2) \ll 1$. But there are multi-pair components: in fact, again in the case of a four-mode approximation, the generated state reads

$$|\Psi\rangle \approx \sqrt{p(0)}\, |0\rangle + \sqrt{p(1)}\, |\Psi_2\rangle + \sqrt{p(2)}\, |\Psi_4\rangle \qquad (16)$$

where $p(1) \approx \mu$ and $p(2) \approx \frac{3}{4}\mu^2$, $|0\rangle$ is the vacuum state, and the four-photon state is $|\Psi_4\rangle = \frac{1}{\sqrt{3}} \left(|0,2\rangle|0,2\rangle + |2,0\rangle|2,0\rangle + |1,1\rangle|1,1\rangle\right)$. We recall that this description is good for short pump pulses; when a cw-pumped source is used (or the pulse-pumped source with the pulse duration much larger than the coherence time τ of the down-converted photons) the four-mode approximation is not applicable and a continuum of frequency modes must be taken into account. The multiple excitations created during the coherence time τ are coherent and partially correlated: in this case, the four-photon state is a fully entangled state that cannot be written as “two pairs” (see $|\Psi_4\rangle$ above) [28]. However, τ is usually much shorter than the typical time ∆t that one can discriminate, this time being defined as the time resolution of the detectors for cw-pumped sources [29] or as the duration of a pulse for pulsed sources. This implies that, when two photons arrive “at the same time”, they may actually arise from two incoherent processes, and in this case the observed statistics corresponds to that of two independent pairs. This physics has been the object of several studies (De Riedmatten et al., 2004b; Eisenberg et al., 2004; Ou, Rhee and Wang, 1999; Scarani et al., 2005; Tapster and Rarity, 1998; Tsujino et al., 2004).
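The values of $p(1)$ and $p(2)$ quoted with Eq. (16) can be checked with a short derivation, added here and not part of the original text. It assumes that the four-mode state is the product of two independent copies of the two-mode squeezed vacuum (15), one for each of the two modes available to the photons, with the same $\lambda$. The probability of finding $n_1$ pairs in the first copy and $n_2$ in the second is then

$$P(n_1, n_2) = (1-\lambda^2)^2\, \lambda^{2(n_1+n_2)},$$

and, since a total of $n = n_1 + n_2$ pairs can be distributed in $n+1$ ways,

$$p(n) = (n+1)\,(1-\lambda^2)^2\, \lambda^{2n}, \qquad \sum_{n=0}^{\infty} n\, p(n) = \frac{2\lambda^2}{1-\lambda^2} = \mu .$$

Hence

$$p(1) = 2\lambda^2 (1-\lambda^2)^2 = \mu\,(1-\lambda^2)^3 \approx \mu, \qquad p(2) = 3\lambda^4 (1-\lambda^2)^2 = \tfrac{3}{4}\mu^2 (1-\lambda^2)^4 \approx \tfrac{3}{4}\mu^2$$

for $\lambda \ll 1$. The three equally weighted configurations $(n_1, n_2) = (0,2), (2,0), (1,1)$ that make up $p(2)$ are the three terms of $|\Psi_4\rangle$, which accounts for its normalization $1/\sqrt{3}$.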
What concerns us here is the advantage that Eve may
obtain, and in particular the efficiency of PNS attacks. If
the source is used in a P&M scheme as heralded single-
photon source, then the PNS attack is effective as usual,
because all the photons that travel to Bob have been
actively prepared in the same state (Lütkenhaus, 2000);
ideas inspired from decoy states can be used to detect it
(Adachi et al., 2007; Mauerer and Silberhorn, 2007). In
an EB scheme, the PNS attack is effective on the frac-
tion ζ ≈ τ/∆t of coherent four-photon states; besides,
all multi-pair contributions inevitably produce errors in
the correlations Alice-Bob. We shall come back to these
points in Sec. IV.B.5.
F. Physical Channels
As far as the security is concerned, the quantum chan-
nel must be characterized only a posteriori, because Eve
has full freedom of acting on it. However, the knowledge
of the a priori expected behavior is obviously important
at the moment of designing a setup. We review here the
physics of the two main quantum channels used for light,
namely optical fibers and free space beams.
An important parameter of the quantum channel is the amount of losses. Surely enough, a key can be built by post-selecting only those photons that have actually been detected. But, since quantum signals cannot be amplified, the raw key rate decreases with the distance as the transmission t of the channel; in addition, at some point the detection rate reaches the level of the dark counts of the detectors, and this effectively limits the maximal achievable distance. Finally, in general the lost photons are correlated to the signal and thus must be counted as information that leaked to Eve.

[28] Though a nuisance in qubit-based protocols, the existence of such four photon components can lead to new opportunities for QKD, as pointed out independently in (Brassard, Mor and Sanders, 2000) and (Durkin et al., 2002).

[29] However, a recent entanglement-swapping experiment combined fast detectors and narrow filters to achieve ∆t < τ in cw-pumped SPDC (Halder et al., 2007).
Concerning the interaction of photons with the envi-
ronment in the channel, the effect of decoherence depends
strongly on the quantum degree of freedom that is used;
therefore, although weak in principle, it cannot be fully
neglected and may become critical in some implementa-
tions.
1. Fiber Links
The physics of optical fibers has been explored in depth
because of its importance for communication (Agrawal,
1997). When we quote a value, we refer to the specifi-
cations of the standard fiber Corning SMF-28 (see e.g.
www.ee.byu.edu/photonics/connectors.parts/smf28.pdf);
obviously, the actual values must be measured in any
experiment.
The losses are due to random scattering processes and depend therefore exponentially on the length ℓ:

$$t = 10^{-\alpha \ell/10}. \qquad (17)$$

The value of α is strongly dependent on the wavelength and is minimal in the two “telecom windows” around 1330 nm (α ≃ 0.34 dB/km) and 1550 nm (α ≃ 0.2 dB/km).
The decoherence channels and their importance vary
with the coding of the information. Two main effects
modify the state of light in optical fibers. The first
effect is chromatic dispersion: different wavelengths
travel at slightly different velocities, thus leading to
an incoherent temporal spread of a light pulse. This
may become problematic as soon as subsequent pulses
start to overlap. However, chromatic dispersion is a
fixed quantity for a given fiber, and can be compen-
sated (Fasel, Gisin, Ribordy and Zbinden, 2004). The
second effect is polarization mode dispersion (PMD)
(Galtarossa and Menyuk, 2005; Gisin and Pellaux,
1992). This is a birefringent effect, which defines a fast
and a slow polarization mode orthogonal to one another,
so that any pulse tends to split into two components.
This induces a depolarization of the pulse. Moreover,
the direction of the birefringence may vary in time due
to environmental factors: as such, it cannot be compen-
sated statically. Birefringence effects induce decoherence
in polarization coding, and may be problematic for all
implementations that require a control on polarization.
The importance of such effects depends on the fibers and
on the sources; recent implementations can be made
stable, even though they use a rather broadband source
(Hübel et al., 2007).
2. Free Space Links
A free space QKD link can be used in several
very different scenarios, from short distance line-
of-sight links with small telescopes mounted on
rooftops in urban areas, to ground-space or even
space-space links, involving the use of astronomi-
cal telescopes (see also VIII.A.4). Free-space QKD
has been demonstrated in both the prepare-and-
measure (Buttler et al., 1998; Hughes et al., 2002;
Kurtsiefer et al., 2002; Rarity, Gorman and Tapster,
2001) and the entanglement-based configu-
rations (Erven et al., 2008; Ling et al., 2008;
Marcikic, Lamas-Linares and Kurtsiefer, 2006;
Ursin et al., 2007).
The decoherence of polarization or of any other de-
gree of freedom is practically negligible. The losses can
roughly be divided into geometric and atmospheric. The
geometric losses are related with the apertures of receiv-
ing telescopes and with the effective aperture of the send-
ing telescope (the one perceived by the receiving tele-
scope, which is influenced by alignment, moving build-
ings, atmospheric turbulence etc.). The atmospheric
losses are due to scattering and to scintillation. Concerning scattering, within the 700-10,000 nm wavelength range there are several ’atmospheric transmission windows’, e.g. 780-850 nm and 1520-1600 nm, which have an attenuation α < 0.1 dB/km in clear weather. Obviously, the weather conditions influence heavily such losses; numerical values are available, see e.g. (Bloom et al., 2003; Kim and Korevaar, 2001). A simple model of the losses for a line-of-sight free space channel of length ℓ is therefore given by $t \approx \left[\frac{d_r}{d_s + D\ell}\right]^2 10^{-\alpha \ell/10}$, where the first term is an estimate of the geometric losses ($d_s$ and $d_r$ are the apertures of the sending and receiving telescopes, D is the divergence of the beam) and the second describes scattering (α is the atmospheric attenuation). We note that this formula does not account for scintillation, which is often the most critical factor in practice.
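The two loss models of this section can be turned into a link budget, added here as an illustration (it is not code from the paper). It finds, by bisection, the length at which the signal click probability falls to the dark-count level, the limit described at the beginning of Sec. F. The mean photon number µ = 0.1, the telescope figures and the per-window dark-count probability of the free-space case are constructed values, the cap of the geometric factor at 1 is an addition to the text's formula, and the fiber detector values follow the InGaAs row of Table I.

```python
import math

def fiber_transmission(alpha_db_km, length_km):
    """Eq. (17): t = 10^(-alpha * l / 10)."""
    return 10 ** (-alpha_db_km * length_km / 10)

def free_space_transmission(d_r, d_s, divergence, alpha_db_km, length_km):
    """Line-of-sight model of the text: geometric factor times scattering.
    Apertures in metres, divergence in radians, length in km. The geometric
    factor is capped at 1 (an addition to the text's formula) so that a
    receiver larger than the beam cannot collect more light than was sent."""
    geometric = (d_r / (d_s + divergence * length_km * 1000.0)) ** 2
    return min(1.0, geometric) * 10 ** (-alpha_db_km * length_km / 10)

def signal_click_probability(mu, t, eta):
    """Click probability for a Poissonian pulse of mean photon number mu after
    a channel of transmission t and a detector of efficiency eta."""
    return -math.expm1(-mu * t * eta)

def dark_count_limited_distance(transmission, mu, eta, p_dark, max_km=2000.0):
    """Largest length (km) at which the signal click probability is still at
    least the dark-count probability per detection window.
    `transmission` maps a length in km to t and must not increase with length."""
    def above(length_km):
        return signal_click_probability(mu, transmission(length_km), eta) >= p_dark
    if not above(0.0):
        return 0.0            # dark counts dominate even without a channel
    if above(max_km):
        return max_km         # crossover lies beyond the search range
    lo, hi = 0.0, max_km
    for _ in range(80):       # bisection on the monotonic click probability
        mid = (lo + hi) / 2
        if above(mid):
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    mu = 0.1                                  # assumed mean photon number
    for alpha in (0.2, 0.34):                 # dB/km at 1550 nm and 1330 nm
        d = dark_count_limited_distance(
            lambda l: fiber_transmission(alpha, l), mu, eta=0.10, p_dark=1e-5)
        print(f"fiber, alpha = {alpha} dB/km: crossover at {d:.1f} km")
    # Constructed free-space link: 10 cm sender, 30 cm receiver, 20 microrad.
    d = dark_count_limited_distance(
        lambda l: free_space_transmission(0.3, 0.1, 2e-5, 0.1, l),
        mu, eta=0.50, p_dark=1e-7)
    print(f"free space (no scintillation): crossover at {d:.1f} km")
```

The crossover is an upper limit on the usable length: a secret key requires the error rate caused by dark counts to be well below the signal rate, and the free-space figure ignores scintillation.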
G. Detectors
1. Photon Counters
Discrete-variable protocols use photon-counters as de-
tectors. The main quantities characterizing photon-
counters are the quantum efficiency η that represents the
probability of a detector click when the detector is hit by
a photon, and the dark-count rate pd characterizing the
noise of the detector – dark counts are events when a
detector sends an impulse even if no photon has entered
it. An important parameter is also the dead time of the
detector, i.e. the time it takes to reset the detector af-
ter a click. These three quantities are not independent.
Most often, the overall repetition rate at which the de-
tector can be operated is determined by the dead time.
For each of the detectors discussed below, the meaningful
parameters are listed in Table I.
The most commonly used photon counters in discrete-
variable systems are avalanche photodiodes (APD).
Specifically, for wavelengths in the interval of approximately
400–1000 nm, Si APDs can be used; for wavelengths
from about 950 nm to 1650 nm, including telecom
wavelengths, InGaAs/InP diodes are most often
applied. A whole savoir-faire on the use of APDs
has originated in the field of QKD (Cova et al., 2004;
Gisin, Ribordy, Tittel and Zbinden, 2002). Because they
can be operated with thermo-electric cooling, these de-
tectors are an obvious choice for practical QKD, and in
particular for commercial devices (Ribordy et al., 2004;
Trifonov et al., 2004). Two recent developments are
worth mentioning. First: instead of direct use of In-
GaAs APDs, one can detect signals at telecom wave-
lengths (1310 nm and 1550 nm) by applying parametric
frequency up-conversion and then using efficient silicon
APDs (Diamanti et al., 2005; Thew et al., 2006). Com-
pared with InGaAs APDs, these up-conversion detectors
have lower quantum efficiency but could in principle be
operated in continuous mode, thus leading to GHz repetition
rates; however, to present knowledge, they suffer
from an intrinsic noise source that leads to high dark
count rates. Second: more recently, an improvement
of the repetition rate and count rate by several orders
of magnitude has been obtained by using a circuit that
compares the output of the APD with that in the pre-
ceding clock cycle; such devices have been named self-
differencing APDs (Yuan et al., 2007).
Single-photon detectors other than APDs have been
and are being developed. For instance, Visi-
ble Light Photon Counters are semiconductor detec-
tors that can also distinguish the number of im-
pinging photons (Kim et al., 1999; Waks et al., 2003;
Waks, Diamanti and Yamamoto, 2006). Other photon-
counters are based on superconductors, for instance Su-
perconducting Single Photon Detectors (Verevkin et al.,
2002, 2004) and Transition Edge Sensors (Miller et al.,
2003; Rosenberg et al., 2005); both types have been al-
ready used in QKD experiments (Hadfield et al., 2006;
Hiskett et al., 2006; Rosenberg et al., 2007, 2009). Each
type has its own strong and weak features; in particular,
all of them must be operated at cryogenic temperatures.
2. Homodyne Detection
Continuous-variable QKD is based on the measure-
ment of quadrature components of light. This can con-
veniently be done by means of optical homodyne detec-
tion. This detection scheme uses two beams of the same
frequency: the signal and the so-called local oscillator
(much stronger and therefore often treated as classical).
The beams are superimposed at a balanced beam split-
ter. The intensity of light in each of the output modes
is measured with proportional detectors, and the differ-
ence between the resulting photocurrents is recorded. If
19
Name λ η pd Rep. Count Jitter T n
[nm] [MHz] [MHz] [ps] [K]
APDs:
Si 600 50% 100Hz cw 15 50-200 250 N
InGaAs 1550 10% 10−5
/g 10 0.1 500 220 N
Self-Diff. 1250 100 60
Others:
VLPC 650 58-85% 20kHz cw 0.015 N.A. 6 Y
SSPD 1550 0.9% 100Hz cw N.A. 68 2.9 N
TES 1550 65% 10Hz cw 0.001 9×104
0.1 Y
TABLE I Overview of typical parameters of single-photon de-
tectors: detected wavelength λ, quantum efficiency η, fraction
of dark counts pd (g: gate), repetition rate (cw: continuous
wave), maximum count rate, jitter, temperature of operation
T; the last column refers to the possibility of distinguishing
the photon numbers. For acronyms and references, refer to
the main text.
the amplitude and the phase of the local oscillator are
stable, the differential current carries information about
a quadrature component of the input signal — what
quadrature component is actually measured depends on
the phase difference between the signal and local oscil-
lator. To keep this phase difference constant, the signal
and local oscillator are usually derived from the same
light source: the local oscillator beam needs to be trans-
mitted along with the signal from Alice to Bob; in prac-
tice, they are actually sent through the same channel,
so that they experience the same phase noise and the
relative phase remains unaltered — note however that
this practical change may render the scheme completely
insecure, unless additional measurements are performed
to verify the character of both the weak and the strong
signal (Häseler, Moroder and Lütkenhaus, 2008).
The intensities are measured by PIN diodes, which
provide high detection efficiency (typically 80%) and
relatively low noise. Therefore homodyne detection
could in principle operate at GHz repetition rates
(Camatel and Ferrero, 2006) in contrast to photon coun-
ters based on APDs, whose detection rate is limited by
the detector dead-time.
The use of such a high-rate homodyne detection tech-
nique unfortunately comes with a price. Because of
the uncertainty principle, the measurement of comple-
mentary quadratures is intrinsically noisy. The vacuum
noise (or intrinsic noise) is the noise obtained when
there is vacuum in the signal port (only the local os-
cillator is present). Now, the unavoidable transmission
losses in the optical line, which simply cause “missing
clicks” in photon-counting based schemes, result in a de-
crease of the signal-to-noise ratio in homodyne-detection
based schemes. The vacuum noise is responsible for
a rather significant added noise in continuous-variable
QKD, which needs to be corrected during the classical
post-processing stage: an additional computing effort in
continuous-variable QKD.
In addition to the vacuum noise, an excess noise is gen-
erated mainly by detectors themselves and by the subse-
quent electronics. In real systems, it is possible to reduce
the excess noise even 20 dB below the shot noise; but this
ratio depends on the width of the spectral window, and
narrow spectral windows bound the modulation frequen-
cies (i.e. the repetition rates).
H. Synchronization and alignment
1. Generalities
The problem of the synchronization of two distant
clocks, in itself, is a technical matter that has been solved
efficiently in several different ways; basically, either one
sends out a synchronization signal at regular intervals
during the whole protocol, or one relies on an initial syn-
chronization of two sufficiently stable clocks. In the con-
text of QKD, one has to consider possible hacking attacks
that would exploit this channel (more in Sec. III.B.4).
The physical meaning of alignment depends on the
coding. For coding in polarization, it obviously means
that Alice and Bob agree on the polarization directions.
For phase coding, it refers rather to the stabilization of in-
terferometers. Both procedures are most often performed
by sending a servoing signal at a different frequency than
the quantum signal, taking advantage of the bandwidth
of the optical channel. Alternatively, self-stabilized se-
tups have been proposed: this is the so-called Plug&Play
configuration, that we shall describe in the next para-
graph in the context of phase-coding.
Before that, we have to mention that quantum me-
chanics allows also for a coding that does not require any
alignment by exploiting the so-called “decoherence-free
subspaces” (Boileau et al., 2004; Zanardi and Rasetti,
1997). However, though demonstrated in some
proof-of-principle experiments (Bourennane et al., 2004;
Chen et al., 2006), such coding is highly impractical, as
it requires the preparation and measurement of com-
plex multi-photon states; moreover, it is very sensitive
to losses [30].
30 The simplest example is the singlet state of two qubits: when
both qubits are sent into the quantum channel, the state is robust
against any misalignment $U$ since $U \otimes U|\Psi^-\rangle = |\Psi^-\rangle$. With
four physical qubits, there are two orthogonal states such that
$U \otimes U \otimes U \otimes U|\psi_{0,1}\rangle = |\psi_{0,1}\rangle$; therefore, one can form an
effective logical qubit $|0\rangle \equiv |\psi_0\rangle$ and $|1\rangle \equiv |\psi_1\rangle$ that is insensitive
to misalignments. The states $|\psi_{0,1}\rangle$ are not easy to prepare and
to detect. As a matter of fact, the available experiments did
not produce those states: they produced a quite complex pho-
tonic state, that gives the required statistics conditioned on the
observation of a specific detection pattern. In turn, this implies
that all four photons must be transmitted and detected, therefore
losses lead to a very fast decrease of the detection rate.
2. Phase coding: two configurations
FIG. 3 Comparison of the one-way and two-way configura-
tions for phase coding. The one-way configuration is called
double Mach-Zehnder (top). Alice splits each laser pulse
into two pulses with relative phase α; if Bob’s phase is such
that α − β = 0 modulo π, the outcome is deterministic
in the absence of errors. In the two-way configuration, or
Plug&Play (bottom), the source of light is on Bob’s side. In
detail: an intense laser pulse is sent through a circulator (C)
into Bob’s interferometer. The phase modulator is passive at
this stage, but a polarization rotation (R) is implemented so
that all the light finally couples in the fiber. On Alice’s side,
part of the light is deflected to a proportional detector (PD)
that is used to monitor Trojan Horse attacks. The remaining
light goes to a Faraday mirror (FM) that sends each polar-
ization on the orthogonal one. On the way back, the pulses
are attenuated down to the suitable level, then the coding is
done as above. The role of the delay line (DL) is explained in
the text.
We consider P&M schemes with phase coding. This
coding has been the preferential choice in fiber imple-
mentations and has given rise to two possible configu-
rations (Fig. 3). In the configuration called one-way,
the laser is on Alice’s side; it is typically realized with
a double Mach-Zehnder interferometer (Bennett, 1992;
Townsend, Rarity and Tapster, 1993). The other possi-
ble configuration has been called Plug&Play configura-
tion (Muller et al., 1997; Ribordy et al., 1998). As the
name suggests, the goal of the Plug&Play configuration
is to achieve self-alignment of the system. Contrary to
the one-way configuration, the Plug&Play configuration
puts the source of light on Bob’s side: a strong laser
pulse travels on the quantum channel from Bob to Alice.
Alice attenuates this light to the suitable weak intensity
(surely less than one photon per pulse on average; more
details below and in Sec. IV.B.4), codes the information
and sends the remaining light back to Bob, who
detects. The coded signal goes as usual from Alice to
Bob; but the same photons have first traveled through
the line going from Bob to Alice. This way, interferome-
ters become self-stabilized because the light passes twice
through them; if the reflection on Alice’s side is done
with a Faraday mirror, polarization effects in the channel
are compensated as well. These two configurations have
shaped the beginning of practical QKD; we refer to a pre-
vious review (Gisin, Ribordy, Tittel and Zbinden, 2002)
for a thorough discussion.
It is useful here to address some problems that are
specific for the Plug&Play configuration, since they il-
lustrate the subtleties of practical QKD. The system has
an intrinsic duty cycle, which limits the rate at long dis-
tances: Bob must wait a go-and-return cycle before send-
ing other strong signals, otherwise the weak signal coded
by Alice will be overwhelmed by the backscattered photons
of the new strong ones [31]. The nuisance has been
reduced by having Bob send, not just one pulse, but a
train of pulses; on Alice’s side, a sufficiently long delay
line must be added: all the pulses must have passed the
phase modulator before the first one comes back and is
coded. Still, this duty cycle is a serious bottleneck com-
pared to one-way configurations.
Also, two specific security concerns arise for the
Plug&Play configuration. First concern: in full general-
ity, there is no reason to assume that Eve interacts only
with the signal going from Alice to Bob: she might as
well modify the signal going from Bob to Alice. A sim-
ple argument suggests that this is not helpful for Eve:
Alice attenuates the light strongly and should actively
randomize the global phase; then, whatever the state
of the incoming light, the outgoing coded light consists
of weak signals with almost exact Poissonian statistics
(Gisin et al., 2006). Indeed, the rigorous analysis shows
that unconditional security can be proved if the global
phase is actively randomized, and that the resulting secret
fractions are only slightly lower than those achievable
with the one-way configuration (Zhao, Qi and Lo, 2008).
Second concern: since Alice’s box must allow two-way
transit of light, Trojan Horse attacks (see III.B.4) must
be monitored actively, whereas in one-way setups they
can be avoided by passive optical isolators. In practice,
this may decrease the limiting distance [32].
31 As a matter of fact, the back-scattering and the corresponding
duty cycle could be avoided, but at the price of attenuating the
pulses already at Bob’s side. In turn, this implies that (i) a
different channel should be used for synchronization, and (ii) the
maximal operating distance is reduced in practice, especially if
one takes Trojan Horse attacks into account, see below. Such a
setup has been demonstrated (Bethune and Risk, 2000).
32 The argument goes as follows: upon receiving Bob’s pulse, Alice
attenuates it down to the desired intensity µ. Now, it turns out
that a simple error by a factor of 2, i.e. sending out 2µ instead
of µ, would spoil all security (see IV.B.4). This implies that the
intensity of the input pulse must be monitored to a precision far
better than this factor 2. This precision may be hard to achieve
at long distances, when Bob’s pulse has already been significantly
attenuated by transmission.
It is not obvious what the future perspectives of the
Plug&Play configuration will be: recently, stabilized one-
way configurations have been demonstrated, which can
also reach optical visibilities larger than 99% and have
a less constraining duty cycle (Gobby, Yuan and Shields,
2004). Still, the Plug&Play configuration is an impor-
tant milestone of practical QKD: in particular, the first
commercial QKD systems are based on it [33].
III. SECRET KEY RATE
We have seen in Sec. II.B.4 that the secret key rate
K is the product of two terms (6), the raw key rate R
and the secret fraction r. This section is devoted to a
detailed study of these two factors. Clearly, the latter is
by far the more complex one, and most security studies
are devoted only to it; however the raw key rate is crucial
as well in practice and its proper description involves
some subtleties as well. We will therefore start from this
description.
A. Raw key rate
The raw key rate reads
$$R = \nu_S \, \mathrm{Prob}(\text{Bob accepts}) \qquad (18)$$
The second factor depends both on the protocol and on
the hardware (losses, detectors) and will be studied for
each specific case. The factor $\nu_S$ is the repetition rate.
In the case of pulsed sources $\nu_S$ is the repetition rate of
the source of pulses. Of course, $\nu_S \le \nu_S^{\max}$, the maximal
repetition rate allowed by the source itself; but two other
limitations may become important in limiting cases, so
that the correct expression reads
$$\nu_S^{\text{pulse}} = \min\left( \nu_S^{\max},\ \frac{1}{\tau_d\, \mu\, t\, t_B\, \eta},\ \frac{1}{T_{dc}} \right). \qquad (19)$$
We explain now what the two last terms mean.
The first limitation is due to the dead-time of the detectors
$\tau_d$. In fact, it is useless to send more light than
can actually be detected (worse, an excess of light may
even give an advantage to Eve). One can require that
at most one photon is detected in an interval of time $\tau_d$;
the detection probability is $\mathrm{Prob}(\text{Bob detects}) \approx \mu\, t\, t_B\, \eta$
with $\mu = \langle n \rangle \lesssim 1$ the average number of photons produced
by the source, $t$ the transmittivity of the quantum
channel, $t_B$ the losses in Bob’s device and $\eta$ the efficiency
of the detector. Therefore, $\nu_S \lesssim (\tau_d\, \mu\, t\, t_B\, \eta)^{-1}$. It is clear
that this limitation plays a role only at short distances:
33 The configuration has been used also for continuous-variable coding
(Legré, Zbinden and Gisin, 2006), for a distributed-phase-reference
protocol (Zhou et al., 2003) and for non-cryptographic
quantum information tasks (Brainis et al., 2003).
as soon as there are enough losses in the channel, fewer
photons will arrive at Bob than can actually be detected.
The second limitation is associated to the existence of
a duty cycle: two pulses cannot be sent at a time interval
smaller than a time $T_{dc}$ determined by the setup. The
expression for $T_{dc}$ depends on the details of the setup. In
Plug&Play configurations for instance, one cannot send
the next train of bright pulses before the weak signal of
the earlier train has come back (II.H.2): the effect be-
comes important at long distance. Another example of a
duty cycle is the one introduced by a stabilization scheme
for one-way configurations, in which each coded signal is
preceded by a strong reference signal (Yuan and Shields,
2005). Note finally that in any implementation with
time-bin coding, the advanced component of the next
signal must not overlap with the delayed component of
the previous one.
In the case of heralded photon sources or
entanglement-based schemes working in a continuous-
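wave (cw) regime it is reasonable to define $\nu_S$ as an
average rate of Alice’s detections, thus [34]
$$\nu_S^{\text{cw}} = \min\left( \eta_A t_A \mu',\ \frac{1}{\tau_d^A},\ \frac{1}{\tau_d\, t\, t_B\, \eta},\ \frac{1}{\Delta t} \right). \qquad (20)$$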
Here $\eta_A t_A \mu'$ is the trigger rate, with which Alice announces
the pair creations to Bob, with $\mu'$ being the
pair-generation rate of the source, $t_A$ is the overall transmittance
of Alice’s part of the apparatus, and $\eta_A$ is the
efficiency of Alice’s detectors. Of course, in practice this
rate is limited by the dead time of Alice’s detectors $\tau_d^A$.
The whole repetition rate is limited by Bob’s detector
dead time $\tau_d$ and by the width of coincidence window $\Delta t$
(usually $\Delta t \ll \tau_d$).
B. Secret fraction
1. Classical information post-processing
To extract a short secret key from the raw key, clas-
sical post-processing is required. This is the object of
this paragraph; for more details see e.g. (Renner, 2005;
Van Assche, 2006). The security bounds for the secret
fraction crucially depend on how this step is performed.
a. One-way post-processing. These are the most studied
and best known procedures. One of the partners, the one
who is chosen to hold the reference raw key, sends classi-
cal information through the public channel to the other
one, who acts according to the established procedure on
34 The source is assumed to be safe at Alice’s side. It is supposed
that Alice’s detectors are still “open” (not gated). Dark counts
and multi-pair contributions were neglected in the estimation of
$\nu_S^{\text{cw}}$.
his data but never gives feedback. If the sender in this
procedure is the same as the sender of the quantum states
(Alice with our convention), one speaks of direct recon-
ciliation; in the other case, of reverse reconciliation. The
optimal one-way post-processing has been characterized
and consists of two steps.
The first step is error correction (EC), also called in-
formation reconciliation, at the end of which the lists of
symbols of Alice and Bob have become shorter but per-
fectly correlated. As proved by Shannon, the fraction of
perfectly correlated symbols that can be extracted from
a list of partially correlated symbols is bounded by the
mutual information I(A : B) = H(A) + H(B) − H(AB)
where H is the entropy of the probability distribution.
In the context of one-way procedures with a sender S
and a receiver R, it is natural to write I(A : B) in the
apparently asymmetric form H(S) − H(S|R). This for-
mula has an intuitive interpretation, if one remembers
that the entropy is a measure of uncertainty: the sender
must reveal an amount of information at least as large
as the uncertainty the receiver has on the reference raw
key.
The second step is privacy amplification (PA). This
procedure is aimed at destroying Eve’s knowledge on the
reference raw key. Of course, Alice and Bob will have
chosen as a reference raw key the one on which Eve has
the smallest information: here is where the choice between
direct and reverse reconciliation becomes meaningful [35].
The fraction to be further removed can therefore
be written $\min(I_{EA}, I_{EB})$, where $I_{E\cdot}$ is Eve’s information
on the raw key of Alice or Bob, that will be defined
more precisely in the next paragraph III.B.2. PA was
first mentioned in (Bennett, Brassard and Robert, 1988),
then established in (Bennett et al., 1995). This reference
has been considered as valid for one decade but, after
the notion of universally composable security was intro-
duced (see II.C.2), it had to be replaced by a generalized
version (Renner and König, 2005). At the moment of
writing, the only PA procedure that works in a provable
way is the one based on two-universal hash functions [36].
35 Note that, I(A : B) being symmetric, there is no difference be-
tween direct and reverse reconciliation at the level of EC, as
expected from the nature of the task.
36 A set $F$ of functions $f : X \to Z$ is called two-universal if
$\Pr[f(x) = f(x')] \le \frac{1}{|Z|}$ for $x \ne x'$ and $f$ chosen at random
with uniform probability. It is instructive to see why this definition
is meaningful for privacy amplification. After EC, Alice
and Bob share the same list of bits x; Eve has an estimate x′ of
this list. For PA, Alice chooses f from the two-universal set and
announces it publicly to Bob. Both Alice and Bob end up with
the shorter key z = f(x); but the probability that Eve’s estimate
z′ = f(x′) coincides with z is roughly 1/|Z|: Eve might as well
choose randomly out of the set Z of possible final keys.
Two-universal hash-functions, e.g. in the form of matrix multi-
plication, can be implemented efficiently (Carter and Wegman,
1979; Wegman and Carter, 1981). The size of the matrices is
proportional to the length N of the raw key. Against a classi-
cal adversary, other extractors exist whose size grows only like
Also, for composability, the protocol must be symmetric
under permutations: in particular, the pairs for the pa-
rameter estimation must be chosen at random, and the
hash function has to be symmetric (as it usually is).
In summary, the expression for the secret fraction ex-
tractable using one-way classical post-processing reads
$$r = I(A:B) - \min(I_{EA}, I_{EB}). \qquad (21)$$
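Added example (not part of the original paper): the privacy amplification step and the two-universal property of footnote 36, illustrated with a binary Toeplitz matrix, one matrix-multiplication family of two-universal hash functions chosen here as an assumption. Function names and the sample bit strings are constructed for this illustration; the exhaustive count over all seeds checks the 1/|Z| collision bound exactly for a small case.

```python
"""Privacy amplification with a binary Toeplitz matrix (added illustration)."""
import itertools
import secrets


def toeplitz_seed(n_in, n_out):
    """Draw the public random bits defining an n_out x n_in Toeplitz matrix."""
    return [secrets.randbits(1) for _ in range(n_in + n_out - 1)]


def toeplitz_hash(seed, bits, n_out):
    """Return z = T x over GF(2), with T[i][j] = seed[i - j + n_in - 1]."""
    n_in = len(bits)
    if len(seed) != n_in + n_out - 1:
        raise ValueError("seed must hold n_in + n_out - 1 bits")
    z = []
    for i in range(n_out):
        acc = 0
        for j, bit in enumerate(bits):
            acc ^= seed[i - j + n_in - 1] & bit
        z.append(acc)
    return z


def collision_count(x, x_prime, n_out):
    """Count, over every possible seed, how often two inputs hash alike.

    For x != x_prime a two-universal family allows at most
    (number of seeds) / |Z| collisions, with |Z| = 2**n_out.
    """
    n_in = len(x)
    hits = 0
    for seed in itertools.product((0, 1), repeat=n_in + n_out - 1):
        if toeplitz_hash(seed, x, n_out) == toeplitz_hash(seed, x_prime, n_out):
            hits += 1
    return hits


if __name__ == "__main__":
    # Constructed data: the error-corrected string shared by Alice and Bob,
    # and Eve's estimate, wrong in a single position.
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    x_eve = list(x)
    x_eve[5] ^= 1
    n_out = 8

    seed = toeplitz_seed(len(x), n_out)      # announced publicly by Alice
    key_alice = toeplitz_hash(seed, x, n_out)
    key_bob = toeplitz_hash(seed, x, n_out)  # Bob holds the same x after EC
    key_eve = toeplitz_hash(seed, x_eve, n_out)
    print("Alice and Bob agree:", key_alice == key_bob)
    print("Eve's hashed guess matches:", key_eve == key_alice)

    # Exhaustive check of the collision bound on a small instance.
    small_x, small_xp = [1, 0, 1, 1, 0, 0], [1, 0, 1, 0, 0, 0]
    n_seeds = 2 ** (len(small_x) + 3 - 1)
    print("collisions:", collision_count(small_x, small_xp, 3),
          "of", n_seeds, "seeds; bound:", n_seeds // 2 ** 3)
```
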
b. Remarks on practical EC. As mentioned above, the
performance of EC codes is bounded by Shannon’s mu-
tual information. Practical EC codes however do not
reach up to the Shannon bound. For a priori theoretical
estimates, it is fair to increase the number of bits to be
removed by 10-20%; more precise estimates are available
(Lütkenhaus, 1999) but ultimately the performance must
be evaluated on each code. We shall take this correction
explicitly into account in Sections IV-VII.
In addition, most of the efficient EC codes that are ac-
tually implemented, e.g. Cascade (Brassard and Salvail,
1994), use two-way communication. To fit these two-way
EC codes in the framework of one-way post-processing,
one can give the position of the errors to Eve and treat all
communication as one-way communication (Lütkenhaus,
1999). Alternatively, one can use encryption of the EC
data, as suggested in (Lütkenhaus, 1999) and formally
proved in (Lo, 2003).
Note finally that it is not necessary to estimate the
error rate with a small sample of the data: instead, the
parties learn naturally the precise number of errors dur-
ing the EC procedure.
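Added example (not from the paper): Eq. (21) evaluated for single-photon BB84 under the standard assumption that I(A:B) = 1 - h(Q) and that Eve's information is h(Q), with the practical EC overhead of 10-20% entering as a hypothetical factor `ec_overhead` on the bits disclosed during EC. It shows how that overhead lowers the tolerable QBER below the 11% quoted for ideal one-way post-processing; the raw key length and QBER in the demo are constructed values.

```python
"""Secret fraction and key budget with imperfect error correction."""
import math


def h2(p):
    """Binary entropy h(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def secret_fraction(qber, ec_overhead=1.0):
    """Eq. (21) for single-photon BB84 with one-way post-processing.

    Assumptions: EC discloses ec_overhead * h(Q) bits per raw bit
    (ec_overhead = 1 is the Shannon limit), PA removes h(Q).
    """
    return 1.0 - ec_overhead * h2(qber) - h2(qber)


def critical_qber(ec_overhead=1.0, tol=1e-10):
    """Largest QBER with a positive secret fraction, found by bisection."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if secret_fraction(mid, ec_overhead) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


def key_budget(n_raw, qber, ec_overhead=1.0):
    """Split n_raw raw bits into EC disclosure, PA removal and final key."""
    ec_bits = math.ceil(ec_overhead * h2(qber) * n_raw)
    pa_bits = math.ceil(h2(qber) * n_raw)
    return {
        "ec_disclosed": ec_bits,
        "pa_removed": pa_bits,
        "final_key": max(0, n_raw - ec_bits - pa_bits),
    }


if __name__ == "__main__":
    for f in (1.0, 1.1, 1.2):
        print(f"EC overhead {f:.1f}: critical QBER = {critical_qber(f):.4f}")
    # Constructed operating point: 10^6 raw bits at 3% QBER.
    print(key_budget(10 ** 6, 0.03, ec_overhead=1.2))
    # Above the critical QBER no key survives privacy amplification.
    print(key_budget(10 ** 6, 0.12, ec_overhead=1.2))
```
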
c. Other forms of post-processing. Bounds can be improved
by two-way post-processing: this refers to any possible
procedure in which both partners are allowed to
send information. Since its first appearance in QKD
(Chau, 2002; Gisin and Wolf, 1999; Gottesman and Lo,
2003), this possibility has been the object of several studies [37].
Contrary to the one-way case, the optimal procedure
is still not known, basically because of the complexity
of taking feedback into account.
More recently, a further trick to improve bounds was
found, called pre-processing: before post-processing, the
sender (for one-way) or both partners (for two-way) can
add locally some randomness to their data. Of course,
log N; but at the moment of writing, it is not known whether
a similar construction exists in the case where the adversary is
quantum (König and Renner, 2007).
37 We note that some of the security claims in the first pa-
per dealing with advantage distillation (Gisin and Wolf, 1999)
were imprecise. These works have also had an intriguing off-
spring, the conjecture of the existence of “bound information”
(Gisin and Wolf, 2000), later proved for three-partite distributions
(Acín, Cirac and Masanes, 2004).
this decreases the correlations between them, but it de-
creases Eve’s information as well, and remarkably the
overall effect may be positive (Kraus, Gisin and Renner,
2005; Renner, Gisin and Kraus, 2005).
Both pre-processing and two-way post-processing are
easy to implement and allow extracting a secret key
in a parameter region where one-way post-processing
would fail; in particular, the critical tolerable error rate
is pushed much higher [38]. To our knowledge though,
they have been implemented only once in real systems
(Ma et al., 2006). The reason is that, in terms of se-
cret key rate, an improvement can be appreciated only
when the dark counts become dominant [39], a regime
in which few systems tend to operate — see however
(Rosenberg et al., 2009; Tanaka et al., 2008; Yuan et al.,
2008). Therefore, in what follows, we shall present only
bounds for one-way classical post-processing without pre-
processing.
2. Individual, Collective and Coherent Attacks
As stressed from the beginning (II.C.1), one aims ul-
timately at proving unconditional security, i.e. security
bounds in the case where Eve’s attack on the quantum
channel is not restricted. Such a lower bound for security
has been elusive for many years (II.A); it has nowadays
been proved for many protocols, but is still missing for
others. In order to provide an ordered view of the past,
as well as to keep ideas that may also be useful in the
future, we discuss now several levels of security.
a. Individual (or incoherent) attacks. This family de-
scribes the most constrained attacks that have been stud-
ied. They are characterized by the following properties:
(I1) Eve attacks each of the systems flying from Alice to
Bob independently from all the others, and using the
38 The order of magnitude of the improvements is roughly the same
for all examples that have been studied. Consider e.g. BB84
in a single-photon implementation, and security against the
most general attacks: the critical QBER for one-way post-
processing without pre-processing is 11% (Shor and Preskill,
2000); bitwise pre-processing brings this value up to 12.4%
(Kraus, Gisin and Renner, 2005), more complex pre-processing
up to 12.9% (Smith, Renes and Smolin, 2008); two-way post-
processing can increase it significantly further, at least up to
20.0%, but at the expense of a drastically reduced key rate
(Bae and Acín, 2007; Chau, 2002; Gottesman and Lo, 2003). In
weak coherent pulses implementations, pre-processing increases
the critical distance of BB84 and of SARG04 by a few kilometers,
both for security against individual (Branciard et al., 2005) and
most general attacks (Kraus, Branciard and Renner, 2007).
39 Recall that optical error is routinely kept far below 5%; therefore,
the total error rate exceeds ∼ 10% when the error is largely due
to the dark counts.
same strategy [40]. This property is easily formalized
in the EB scheme: the state of n symbols for Alice
and Bob has the form $\rho^n_{AB} = (\rho_{AB})^{\otimes n}$.
(I2) Eve must measure her ancillae before the classical
post-processing. This means that, at the beginning
of the classical post-processing, Alice, Bob and Eve
share a product probability distribution of classical
symbols.
In this case, the security bound for one-way post-
processing is the Csiszár-Körner bound, given by (21)
with
$$I_{AE} = \max_{\text{Eve}} I(A:E) \quad \text{(individual attacks)} \qquad (22)$$
and of course similarly for $I_{BE}$ (Csiszár and Körner,
1978). Here, $I(A:E)$ is the mutual information
between the classical symbols; the notation
$\max_{\text{Eve}}$ recalls that one must maximize this mutual
information over Eve’s strategies. There is actu-
ally an ambiguity in the literature, about the mo-
ment where Eve is forced to perform her measure-
ment: namely, whether she is forced to measure im-
mediately after the interaction (Bechmann-Pasquinucci,
2006; Curty and Lütkenhaus, 2005; Lütkenhaus, 1996)
or whether she can keep the signals in a quantum
memory until the end of the sifting and error cor-
rection phase (Bechmann-Pasquinucci and Gisin, 1999;
Brassard et al., 2000; Bruß, 1998; Cerf et al., 2002;
Fuchs et al., 1997; Herbauts et al., 2008; Lütkenhaus,
1999; Slutsky et al., 1998). The first case is associated
to the hardware assumption that Eve is restricted not to
have a quantum memory [41]. The second case is associated
to the hardware assumption that Eve cannot perform
arbitrary coherent measurements and can be useful
as a step on the way to unconditional security proofs.
However, we stress that the bound for collective attacks
can nowadays be calculated more easily and gives more
powerful results [42].
40 We note here that this “same strategy” may be probabilistic
(with probability p1, Eve does something; with probability p2,
something else; etc), provided the probabilities are fixed during
the whole key exchange. Strange as it may seem from the stand-
point of practical QKD, an attack, in which Eve would simply
stop attacking for a while, belongs to the family of the most
general attacks!
41 Generalizing (Wang, 2001), it is conjectured that individual at-
tacks should be optimal under the weaker assumption of a quan-
tum memory that would be bounded, either in capacity or in
lifetime; but only rougher bounds have been derived so far
(Damgaard et al., 2005, 2007; König and Terhal, 2008).
42 At the moment of writing, there is still something that is known
only for individual attacks, and this is Eve’s full strategy; the optimal
procedures have been found both for the scenario without quantum
memory (Lütkenhaus, 1996) and with it (Herbauts et al.,
2008; Lütkenhaus, 1999). On the contrary, the bound for collective
and coherent attacks is computed by optimizing the Holevo
An important sub-family of individual attacks are the
intercept-resend (IR) attacks. As the name indicates, Eve
intercepts the quantum signal flying from Alice to Bob,
performs a measurement on it, and conditioned on the re-
sult she obtains she prepares a new quantum signal that
she sends to Bob. If performed identically on all items,
this is an individual attack. Moreover, it obviously real-
izes an entanglement-breaking channel between Alice and
Bob, thus providing an easily computed upper bound on
the security of a protocol (Bechmann-Pasquinucci, 2006;
Curty and Lütkenhaus, 2005).
b. Collective attacks. This notion was first proposed by
Biham, Mor and coworkers, who proved the security of
BB84 against them and conjectured that the same bound
would hold for the most general attacks (Biham and Mor,
1997; Biham et al., 2002). Collective attacks are defined
as follows:
(C1) The same as (I1).
(C2) Eve can keep her ancillae in a quantum memory
until the end of the classical post-processing, and
more generally until any later time convenient to
her (for instance: if the key is used to encode a
message, part of which is vulnerable to plaintext
attack, Eve may delay her measurement until she
obtains the information coming from this attack).
She can then perform the best measurement com-
patible with what she knows. In general, this will
be a collective measurement.
Only (C1) is an assumption on Eve’s power. The
generic bound for the secret key fraction achievable us-
ing one-way post-processing (Devetak-Winter bound) is
given by (21) with
$$I_{AE} = \max_{\text{Eve}} \chi(A:E) \quad \text{(collective attacks)} \qquad (23)$$
and $I_{BE}$ defined in the analogous way (Devetak and Winter,
2005). Here, $\chi(A:E)$ is the so-called Holevo quantity
(Holevo, 1973)
$$\chi(A:E) = S(\rho_E) - \sum_a p(a)\, S(\rho_{E|a}) \qquad (24)$$
where $S$ is von Neumann entropy, $a$ is a symbol of
Alice’s classical alphabet distributed with probability
$p(a)$, $\rho_{E|a}$ is the corresponding state of Eve’s ancilla and
$\rho_E = \sum_a p(a)\rho_{E|a}$ is Eve’s partial state. The Holevo
quantity bounds the capacity of a channel, in which a
bound over all possible interactions between the signal and Eve’s
ancillae (see below): one implicitly assumes that suitable mea-
surements and data processing exist, which will allow Eve to ex-
tract that amount of information. It would be surely interesting
to exhibit explicit procedures also for more general attacks.
classical value (here a) is encoded into a family of quantum
states (here, the $\rho_{E|a}$): in this sense, it is the natural
generalization of the mutual information.
As mentioned, it is actually easier to compute (23)
than (22). The reason lies in the optimization of Eve’s
strategy. In fact, the Holevo quantity depends only on
Eve’s states $\rho_{E|a}$, that is, on the unitary operation with
which she couples her ancilla to the system flying to Bob.
In contrast to that, the mutual information depends both
on Eve’s states and on the best measurement that Eve
can perform to discriminate them, which can be con-
structed only for very specific examples of the set of states
(Helstrom, 1976).
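Added example (not from the paper): Eq. (24) computed for a constructed qubit ensemble, next to the mutual information of Eq. (22), which additionally requires a search over Eve's measurement. The two states, their priors, the function names and the restriction to projective measurements in the x-z plane of the Bloch sphere are assumptions of this illustration.

```python
"""Holevo quantity versus measurement-dependent mutual information."""
import math


def h2(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def density(psi):
    """Density matrix |psi><psi| of a qubit given by two amplitudes."""
    a, b = complex(psi[0]), complex(psi[1])
    norm = abs(a) ** 2 + abs(b) ** 2
    return [[a * a.conjugate() / norm, a * b.conjugate() / norm],
            [b * a.conjugate() / norm, b * b.conjugate() / norm]]


def mixture(probs, rhos):
    """rho_E = sum_a p(a) rho_{E|a}."""
    return [[sum(p * r[i][j] for p, r in zip(probs, rhos)) for j in range(2)]
            for i in range(2)]


def entropy(rho):
    """Von Neumann entropy of a 2x2 density matrix (eigenvalues l, 1 - l)."""
    tr = (rho[0][0] + rho[1][1]).real
    det = (rho[0][0] * rho[1][1] - rho[0][1] * rho[1][0]).real
    gap = math.sqrt(max(0.0, tr * tr - 4.0 * det))
    return h2(min(1.0, max(0.0, (tr + gap) / 2.0)))


def holevo(probs, rhos):
    """chi(A:E) of Eq. (24); no measurement has to be specified."""
    return entropy(mixture(probs, rhos)) - sum(
        p * entropy(r) for p, r in zip(probs, rhos))


def mutual_information(probs, rhos, theta):
    """I(A:E) if Eve projects along the Bloch direction (sin t, 0, cos t)."""
    nx, nz = math.sin(theta), math.cos(theta)
    p_plus_given_a = []
    for r in rhos:
        x = 2.0 * r[0][1].real            # Bloch x component
        z = (r[0][0] - r[1][1]).real      # Bloch z component
        q = (1.0 + nx * x + nz * z) / 2.0
        p_plus_given_a.append(min(1.0, max(0.0, q)))
    p_plus = sum(p * q for p, q in zip(probs, p_plus_given_a))
    return h2(p_plus) - sum(p * h2(q) for p, q in zip(probs, p_plus_given_a))


def best_projective_information(probs, rhos, steps=720):
    """Grid search over measurement directions: the extra optimization
    that the mutual information needs and the Holevo quantity does not."""
    return max(mutual_information(probs, rhos, k * math.pi / steps)
               for k in range(steps))


# Constructed ensemble: Eve's ancilla is |0> or |+> with equal probability.
PROBS = [0.5, 0.5]
STATES = [density((1, 0)), density((1, 1))]

if __name__ == "__main__":
    print("Holevo quantity chi(A:E):", round(holevo(PROBS, STATES), 4))
    print("best projective I(A:E): ",
          round(best_projective_information(PROBS, STATES), 4))
```
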
c. General (or coherent) attacks. Eve’s most general strat-
egy includes so many possible variations (she may entan-
gle several systems flying from Alice to Bob, she may
modify her attack according to the result of an inter-
mediate measurement...) that it cannot be efficiently
parametrized. A brute force optimization is therefore
impossible. Nevertheless, as mentioned several times al-
ready, bounds for unconditional security have been found
in many cases. In all these cases, it turns out the bound is
the same as for collective attacks. This remarkable result
calls for several comments.
First remark: this result has an intuitive justification.
If the state $|\Psi(S_n)\rangle$ that codes the sequence $S_n$ has the
tensor product form $|\psi(s_1)\rangle \otimes \dots \otimes |\psi(s_n)\rangle$, then the states
flying from Alice to Bob are uncorrelated in the quantum
channel; therefore Eve does not seem to have any advantage
in introducing artificial correlations at this point [43].
However, correlations do appear later, during the clas-
sical post-processing of the raw key; such that in fact,
the final key is determined by the relations between the
symbols of the raw key, rather than by those symbols
themselves. Thus, Eve must not try and guess the value
of each symbol of the raw key, but rather some relation
between them — and this is typically a situation in which
entanglement is powerful. This vision also clarifies why
unconditional security is still elusive for those protocols,
for which $|\Psi(S_n)\rangle$ is not of the tensor product form (see
VI.A).
Second remark: for BB84, six-state and other pro-
tocols, assuming the squashing property of detec-
tors (see IV.A.2), this result is a consequence of
the internal symmetries (Kraus, Gisin and Renner, 2005;
Renner, Gisin and Kraus, 2005). The explicit calcula-
tions are given in Appendix A. In a more general frame-
work, the same conclusion can be reached by invoking
the exponential De Finetti theorem (Renner, 2005, 2007).
This theorem says that, after some suitable symmetrization,
the statistics of the raw key are never significantly
different from those that would be obtained under constraint
(I1). This is a very powerful result, but again
does not solve all the issues: for instance, because the actual
exponential bound depends on the dimension of the
Hilbert space of the quantum signals, it cannot be applied
to continuous-variable QKD (see however the Note
added in proof at the end of this paper). Also recall that
we consider only the asymptotic bound: the finite-key
bounds obtained by invoking the De Finetti theorem are
over-pessimistic (Scarani and Renner, 2008).

[43] Of course, one is not saying that Eve does fulfill (I1): Eve can
do whatever she wants; but there exists an attack that fulfills (I1)
and that performs as well as the best possible attack.

3. Quantum side channels and zero-error attacks
The possibility of zero-error attacks seems to be at
odds with the fundamental tenet of QKD, namely that
Eve must introduce modifications in the state as soon
as she obtains some information. However, there is no
contradiction: for instance, in the presence of losses the
quantum signal is also changed between the source and
the receiver. Even if in most protocols (see discussion in
Sec. I.B.3) losses do not lead to errors in the raw key,
some information about the value of the coded symbol
may have leaked to Eve.
Losses are the most universal example of leakage of in-
formation in a quantum side-channel, i.e. in some degree
of freedom other than the one which is monitored. We
stress that the existence of side-channels does not com-
promise the security, provided the corresponding attacks
are taken into account in the privacy amplification.
The beam-splitting (BS) attack translates the fact that
all the light that is lost in the channel must be given to
Eve: specifically, Eve could be simulating the losses by
putting a beam-splitter just outside Alice’s laboratory,
and then forwarding the remaining photons to Bob on a
lossless line. The BS attack does not modify the optical
mode that Bob receives: it is therefore always possible
for lossy channels and does not introduce any error [44].
For an explicit computation of BS attacks, see VI.B.
When the signal can consist of more than one pho-
ton, Eve can count the number of photons in each sig-
nal and act differently according to the result n of this
measurement. Such attacks are called photon-number
splitting (PNS) attacks (Bennett, 1992; Brassard et al.,
2000; Dušek, Haderka and Hendrych, 1999; Lütkenhaus,
2000) and can be much more powerful than the BS
attack. They were discovered as zero-error attacks
against BB84 implemented with weak laser pulses; in
the typical parameter regime of QKD, even the Poissonian
photon number distribution can be preserved
(Lütkenhaus and Jahma, 2002), so that the PNS attack
cannot be detected even in principle as long as one known
signal intensity is used. To use different intensities in order
to detect PNS attacks is the idea behind the decoy
states method (Hwang, 2003; Lo, Ma and Chen, 2005;
Wang, 2005). Also the distributed-phase-reference protocols
detect the PNS attacks (Inoue and Honjo, 2005;
Stucki et al., 2005).

[44] For some sources, this attack simply does not give Eve any
information: for a perfect single-photon source, if the photon goes
to Eve, nothing goes to Bob, and vice versa.

Finally, we mention the possibility of attacks based
on unambiguous state discrimination (USD) followed
by resend of a signal (Dušek, Jahma and Lütkenhaus,
2000). These can be part of a PNS attack
(Scarani, Acín, Ribordy and Gisin, 2004) or define an
attack of its own (Branciard et al., 2007; Curty et al.,
2007); they are clearly zero-error attacks and modify the
photon-number statistics in general.
Of course, a quantum side-channel may hide in any im-
perfect component of the device (e.g., a polarizer which
would also distort the wave function according to the
chosen polarization). The list of the possibilities is unbounded,
whence the need for careful testing [45].
4. Hacking on Practical QKD
In practical QKD, the security concerns are not limited
to the computation of security bounds for Eve’s action on
the quantum channel. Any specific implementation must
be checked against hacking attacks and classical leakage
of information.
Hacking attacks are related to the weaknesses of an
implementation. A first common feature of hacking at-
tacks is that they are feasible, or almost feasible, with
present-day technology. The best-known example is the
family of Trojan Horse Attacks, in which Eve probes
the settings of Alice’s and/or Bob’s devices by send-
ing some light into them and collecting the reflected
signal (Vakhitov, Makarov and Hjelme, 2001). Actually,
the first kind of hacking attack that was considered is
a form of Trojan Horse that would come for free: it
was in fact noticed that some photon counters (silicon-
based avalanche photo-diodes) emit some light at various
wavelengths when they detect a photon (Kurtsiefer et al.,
2001). If this light carries some information about which
detector has fired, it must be prevented from propagating out,
where Eve could detect it. On these two examples, one
sees also the second common feature of all hacking attacks,
namely, that once they have been noticed, they
can be countered by adding some component. In all setups
where light goes only one way (out of Alice’s lab
and into Bob’s lab), the solution against Trojan Horse
attacks consists in simply putting an optical isolator; in
implementations where light must go both ways (typically,
the Plug & Play setups), the solution is provided
by an additional monitoring detector (Gisin et al., 2006).

[45] Some very specific protocols and the corresponding security
proofs can be made robust against such imperfections
(Acín et al., 2007).

Apart from Trojan Horses, other hacking attacks
have been invented to exploit potential weaknesses
of specific implementations, e.g. faked state at-
tacks (Makarov and Hjelme, 2005; Makarov et al., 2006;
Makarov and Skaar, 2008), phase-remapping attacks
(Fung et al., 2007), time-shift attacks (Qi, Fung et al.,
2007; Zhao et al., 2008). It has also been noticed that
a too precise timing disclosed in the Alice-Bob synchro-
nization protocol may disclose information about which
detector actually fired (Lamas-Linares and Kurtsiefer,
2007).
5. A crutch: the “uncalibrated-device scenario”
As stressed, all the errors and losses in the quantum
channel must be attributed to Eve’s intervention. But
in a real experiment, there are errors and losses also in-
side the devices of the authorized partners. In particu-
lar, the detectors have finite efficiency (losses) and dark
counts (errors); these values are known to the authorized
partners, through calibration of their devices. A security
proof should take this fact into account.
The task of integrating this knowledge into security
proofs, however, has proved harder than one might think.
In general, the naive approach, consisting in taking an
attack and removing the device imperfections from the
parameters used in privacy amplification, gives only an
upper bound, even at the level of individual attacks [46]. In
particular, unconditional security proofs, whenever available,
have been provided only under the assumption that
all the losses and all the errors are attributed to Eve and
must therefore be taken into account in privacy amplification.
We refer to this assumption as the uncalibrated-device
scenario, because it all happens as if Alice and
Bob would have no means of distinguishing the losses and
errors of their devices from those originating in the channel [47].
These issues have been raised in a non-uniform
way in the literature. Most of the discussions have taken
place for discrete-variable protocols; the security studies
of distributed-phase-reference protocols are in a too
early stage, but will surely have to address the question.
The case of CV QKD may prove different because of the
difference in the detection process (homodyne detection
instead of photon counting).

[46] Consider a PNS attack (III.B.3) on BB84 implemented with weak
coherent pulses, and focus on the pulses for which Eve has found
n = 2 photons. The obvious PNS attack consists in Eve keeping
one photon in a quantum memory and sending the other one to
Bob, because in this case she obtains full information and
introduces no error. But there is no information on non-detected
photons: in particular, if Eve cannot control the losses in Bob’s
apparatus $t_B$ and the detector efficiency $\eta$, her information rate
on such events will be $I_{2\to 1+1} = t_B\eta$. Now, consider another
strategy: Eve applies a quantum cloner 2 → 3, keeps one photon
and sends the other two to Bob. Since no perfect cloning
is possible, this introduces an error $\varepsilon_2$ on Bob’s side and Eve’s
information on each detected bit is $I(\varepsilon_2) < 1$. But Eve’s information
rate is $I_{2\to 2+1} = [1 - (1 - t_B\eta)^2]\, I(\varepsilon_2) \approx 2 t_B\eta\, I(\varepsilon_2)$ and can
therefore become larger than $I_{2\to 1+1}$. The full analysis must be
done carefully, taking into account the observed total error rate;
in the family of individual attacks, the cloning strategy performs
indeed better than the “obvious” one for typical values of $t_B\eta$
(Curty and Lütkenhaus, 2004; Niederberger, Scarani and Gisin,
2005). Note that there is no claim of optimality in this example:
another attack may be found that performs still better.

At the moment of writing, the uncalibrated-device sce-
nario is still a necessary condition to derive lower bounds.
In the following sections, we shall work with this scenario.
In IV.C and VII.B.2, we shall compare the best available
lower bounds with the upper bounds obtained with a
naive approach to calibrated devices: we shall show (for
the first time explicitly, to our knowledge) that in some
cases the two bounds coincide for every practical pur-
pose. In VIII.A.2, we summarize the status of this open
problem.
IV. DISCRETE-VARIABLE PROTOCOLS
A. Generic Assumptions and Tools
As argued in Sec. III.B.5, in order to present lower
bounds as they are available today, we work systemati-
cally in the uncalibrated-device scenario; paragraph IV.C
will present how to derive an upper bound for calibrated
devices.
1. Photon-number statistics
We suppose that each signal is represented by a diagonal
state in the photon-number basis, or in other words,
that there is no phase reference available and no coherence
between successive signals [48]. Thus, Alice’s source
can be described as sending out a pulse that contains n
photons with probability $p_A(n)$; Eve can learn n without
modifying the state, so this step is indeed part of the
optimal collective attack (Eve may always choose not to
take advantage of this information).
The statistical parameters that describe a key exchange
are basically detection rates and error rates [49].
Here are the main notations:
• $R$: total detection rate;
• $R_n$: detection rate for the events when Alice sent
n photons ($\sum_n R_n = R$);
• $Y_n = R_n/R$, a convenient notation ($\sum_n Y_n = 1$);
• $R_n^w$: wrong counts among the $R_n$;
• $\varepsilon_n = R_n^w/R_n$, the error rate on the n-photon signals;
• $Q = \sum_n Y_n \varepsilon_n$, the total error rate (QBER).
Concerning photon statistics on Bob’s side, it is important
to notice the following. If the channel introduces
random losses, the photons that enter Bob’s device are
distributed according to
$p_B^t(k) = \sum_{n\ge k} p_A(n)\, C_n^k\, t^k (1-t)^{n-k}$,
where $C_n^k = \frac{n!}{k!\,(n-k)!}$ is the binomial factor; one
could compute $R_n$ from this value and the details of
the protocol. However, Eve can adapt her strategy to
the value of n, so the photon-number statistics $p_B(k)$
on Bob’s side may be completely different from $p_B^t(k)$
(Lütkenhaus and Jahma, 2002).

[47] The name “uncalibrated-device scenario” is proposed here for the
first time. In the literature, the assumption used to be named
“untrusted-device scenario”; but this name is clearly inadequate
(see II.C.1 for the elements that must be always trusted in a
QKD setup, and VIII.A.3 for those that may not be trusted in some
very specific protocols).
[48] In some cases like Plug&Play implementations, the randomization
of the phase should in principle be ensured actively
(Gisin et al., 2006; Zhao, Qi and Lo, 2008).
[49] We assume that these parameters are independent of Bob’s
measurements, either because they are really measured to be the
same for all bases (a reasonable case in practice), or because, after
the sifting procedure, Alice and Bob forget from which measurement
each bit was derived and work with average values.

2. Qubits and Modes
Many, though not all, security proofs can be obtained
by finding qubit protocols in the optical implementations
that work with optical modes.
a. Sources: Tagging. On the source side, this can be
done by ‘tagging’, by assuming that all multi-photon signals
(with respect to the total signal) become fully
known to an eavesdropper. This leaves us effectively
with qubits, using the single photons and the coding
degree of freedom, for example polarization or relative
phase between two modes. This method has been
used in (Inamori, Lütkenhaus and Mayers, 2001-2007;
Lütkenhaus, 2000), but the term tagging has been introduced
only in (Gottesman, Lo, Lütkenhaus and Preskill,
2004). Note that security proofs can be done without
this assumption, e.g. in the case of the SARG protocol.
b. Detectors: Squashing. Detectors act on optical modes,
and typically threshold detectors are used that cannot resolve
the incoming photon number. Some security proofs
(Koashi, 2006; Mayers, 1996, 2001) can directly deal with
this situation. In other security proofs one has to
search through all possible photon numbers of arriving
signals to prove that it is Eve’s optimal strategy to send
preferentially single photons to Bob (Lütkenhaus, 1999).
It was there realized that double clicks in detection devices,
resulting from multi-photon signals or dark counts,
cannot be simply ignored, as a security loophole would
open up [50]. As a countermeasure, (Lütkenhaus, 1999,
2000) introduced the random assignment of double clicks
to the values corresponding to single-click events.
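
The loophole of footnote 50 and the random-assignment countermeasure, worked through by exact enumeration. This is an added example, not code from the paper; it assumes an idealized bright pulse that gives a single click when Bob measures in Eve’s basis and a double click with certainty otherwise (the text says “almost always”), and the function name and policy labels are illustrative.

```python
from fractions import Fraction
from itertools import product


def intercept_resend_bright(policy):
    """Exact sifted-key statistics for the bright-pulse intercept/resend
    scenario of footnote 50 under a given double-click policy.

    policy: "discard" -> Bob drops double clicks
            "random"  -> Bob assigns a double click to 0 or 1 with prob. 1/2
    Returns (kept_fraction_of_sifted, QBER, P[Bob's bit == Eve's bit]).
    Assumption (idealization): wrong-basis bright pulses always double-click.
    """
    if policy not in ("discard", "random"):
        raise ValueError("policy must be 'discard' or 'random'")
    half = Fraction(1, 2)
    sifted = kept = errors = eve_match = Fraction(0)

    # Uniform choices: Alice's bit and basis, Eve's basis, Bob's basis.
    for a_bit, a_basis, e_basis, b_basis in product((0, 1), repeat=4):
        if b_basis != a_basis:
            continue                       # removed by sifting
        w = Fraction(1, 16)
        sifted += w

        # Eve's measurement is deterministic in Alice's basis, random otherwise.
        if e_basis == a_basis:
            e_outcomes = [(a_bit, Fraction(1))]
        else:
            e_outcomes = [(0, half), (1, half)]

        for e_bit, p_e in e_outcomes:
            if b_basis == e_basis:
                b_outcomes = [(e_bit, Fraction(1))]    # single click
            elif policy == "discard":
                b_outcomes = []                         # double click dropped
            else:
                b_outcomes = [(0, half), (1, half)]     # double click randomized
            for b_bit, p_b in b_outcomes:
                p = w * p_e * p_b
                kept += p
                errors += p * (b_bit != a_bit)
                eve_match += p * (b_bit == e_bit)

    return kept / sifted, errors / kept, eve_match / kept


if __name__ == "__main__":
    for policy in ("discard", "random"):
        kept, qber, match = intercept_resend_bright(policy)
        print(f"{policy:8s} kept={kept} QBER={qber} Eve-Bob agreement={match}")
```

Discarding double clicks leaves a key with zero QBER that Eve knows completely; random assignment keeps every sifted event and restores the 25% QBER that makes the intercept/resend strategy visible in parameter estimation.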
The concept of squashing, originally introduced
in a continuous variable context
(Gottesman and Preskill, 2001), has been coined in
(Gottesman, Lo, Lütkenhaus and Preskill, 2004), where
it is assumed that the detection device can be described
by a two-step process: in a first step, the optical signal
is mapped (squashed) into a single photon (qubit),
and then the ideal measurement in the qubit description
is performed. Only recently, it has been shown
that a squashing model actually exists for the BB84
protocol (Beaudry, Moroder and Lütkenhaus, 2008;
Tsurumaru and Tamaki, 2008) with the given assignment
of double clicks to random single detector clicks.
Actually, in (Beaudry, Moroder and Lütkenhaus, 2008),
a framework has been developed to find squashing maps
for different detector set-ups, including the implementation
of passive basis choice in the BB84 protocols via
a beamsplitter. Note that the existence of a squashing
model should not be taken for granted, as for example
the six-state protocol does not admit a squashing model.
However, a six-state protocol measurement with a
passive basis choice via a linear optics array admits a
squashing model for suitable assignment of multi-clicks
(Beaudry et al., 2008b).
Note again that it is not necessary to find a squashing
model to prove security, but it is certainly an elegant
short cut, as now the combination of tagging in the
source and squashing in the detector allows one to reduce the
security analysis of QKD to qubit protocols. For the remainder
of this review, however, we adopt the squashing
model view.
3. Secret key rate
The bound for the secret fraction is (21). In the case
of the protocols under study, $H(A) = H(B) = 1$ and
$H(A|B) = H(B|A) = h(Q)$, where $h$ is binary entropy
and $Q$ is the QBER. Therefore $I(A:B) = 1 - h(Q)$.
However, we want to provide formulas that take imperfect
error correction into account. Therefore we shall use
$$K = R\,[1 - \mathrm{leak}_{EC}(Q) - I_E] \tag{25}$$
with $\mathrm{leak}_{EC}(Q) \ge h(Q)$ and $I_E = \min(I_{AE}, I_{BE})$. Let
us study this last term. Eve gains information only on the
non-empty pulses, and provided Bob detects the photon
she has forwarded. Since, due to the squashing model,
the exponential De Finetti theorem applies to discrete-variable
protocols (see discussion in Sec. III.B.2), and
since the optimal collective attack includes the measurement
of the number of photons, the generic structure for
Eve’s information reads [51]
$$I_E = \max_{\mathrm{Eve}} \sum_n Y_n\, I_{E,n} \tag{26}$$
where, as usual, the maximum is to be taken on all Eve’s
attacks compatible with the measured parameters.

[50] A simple attack exploiting this loophole goes as follows: Eve
performs an intercept/resend attack and resends a pulse containing
a large number of photons in the detected polarization. If Bob
measures in the same basis as Eve, he will receive a single detector
click, about which Eve has full information. If Bob measures
in a different basis, he will receive almost always double clicks,
which he would discard. Therefore Eve has perfect information
about all signals retained by Eve, allowing her to break the QKD
scheme.

B. BB84 coding: lower bounds
In the BB84 coding, the probability that Bob accepts
an item depends only on the fact that he has used the
same basis as Alice, which happens with probability $p_{\mathrm{sift}}$.
Therefore, writing $\tilde\nu_S = \nu_S\, p_{\mathrm{sift}}$, we have
$$R_n = \tilde\nu_S\, p_A(n)\, f_n \tag{27}$$
where $f_n$ is the probability that Eve forwards some signal
to Bob for n-photon pulses. Eve’s attack must be
optimized over the possible $\{f_n\}_{n\ge 0}$ compatible with
$\sum_n R_n = R$. Now we consider different implementations
of this coding.
1. Prepare-and-Measure: Generalities
In P&M BB84, $I_{AE} = I_{BE}$. On the events when Alice
sends no photons (n = 0) but Bob has a detection,
the intuitive result $I_{E,0} = 0$ (Lo, 2005) has indeed been
proved (Koashi, 2006b). On the single-photon pulses,
Eve can gain information only at the expense of introducing
an error $\varepsilon_1$; the maximal information that she can
obtain this way is $I_{E,1} = h(\varepsilon_1)$ where $h$ is binary entropy
(Shor and Preskill, 2000). A possible demonstration of
this well-known result is given in Appendix A. For multi-photon
pulses, the best attack is the PNS attack in which
Eve forwards one photon to Bob and keeps the others: i.e.
for n ≥ 2, $\varepsilon_n = 0$ and $I_{E,n} = 1$ (Fung, Tamaki and Lo,
2006; Gottesman, Lo, Lütkenhaus and Preskill, 2004;
Kraus, Branciard and Renner, 2007). Therefore (26) becomes
$$I_E = \max_{\mathrm{Eve}} \left[ Y_1 h(\varepsilon_1) + 1 - Y_0 - Y_1 \right]
= 1 - \min_{\mathrm{Eve}} \left\{ Y_0 + Y_1 [1 - h(\varepsilon_1)] \right\}. \tag{28}$$

[51] More explicitly, this formula should read $I_E = \min(I_{AE}, I_{BE})$
with $I_{AE} = \max_{\mathrm{Eve}} \sum_n Y_n\, I_{AE,n}$ and similarly for $I_{BE}$.
In the development of QKD, this formula was derived first
for BB84 (Gottesman, Lo, Lütkenhaus and Preskill, 2004), then
for SARG04 (Fung, Tamaki and Lo, 2006), then generalized
to all discrete-variable protocols (Kraus, Branciard and Renner,
2007).

2. P&M without decoy states
In P&M schemes without decoy states, the only measured
parameters are $R$ and $Q$. We have to assume
$\varepsilon_{n\ge 2} = 0$; therefore we obtain $\varepsilon_1 = Q/Y_1$. From this and
(28), we see [52] that Eve’s optimal attack compatible with
the measured parameters is the one which minimizes $Y_1$,
a situation which is obviously achieved by setting $f_0 = 0$
and $f_{n\ge 2} = 1$. One finds then
$$Y_1 = 1 - (\tilde\nu_S/R)\, p_A(n \ge 2). \tag{29}$$
As a conclusion, for BB84 in a P&M scheme without
decoy states, the quantity to be subtracted in PA is
$$I_E = 1 - Y_1 [1 - h(Q/Y_1)]; \tag{30}$$
the corresponding achievable secret key rate (25) is
$$K = R\, [Y_1 (1 - h(Q/Y_1)) - \mathrm{leak}_{EC}(Q)] \tag{31}$$
where $Y_1$ is given in (29). As expected, $K$ contains only
quantities that are known either from calibration or from
the parameter estimation of the protocol ($R$, $Q$).
3. P&M with decoy states
The idea of decoy states is simple and deep. Alice
changes the nature of the quantum signal at random
during the protocol; at the end of the exchange of quan-
tum signals, she will reveal which state she sent in each
run. This way, Eve cannot adapt her attack to Al-
ice’s state, but in the post-processing Alice and Bob
can estimate their parameters conditioned to that knowl-
edge. The first proposal using one- and two-photon sig-
nals (Hwang, 2003) was rapidly modified to the more
realistic implementation in which Alice modulates the
intensity of the laser (Lo, Ma and Chen, 2005; Wang,
2005). As we mentioned, several experiments have al-
ready been performed (Ma et al., 2006; Peng et al., 2007;
Rosenberg et al., 2007; Yuan, Sharpe and Shields, 2007;
Zhao et al., 2006), more recently even including finite-
key effects (Hasegawa et al., 2007).
Let ξ be some tunable parameter(s) in the source, the
typical example being ξ = µ the intensity (mean photon-number)
of a laser. Alice changes the value of ξ randomly
from one pulse to the other; at the end of the exchange of
quantum signals, Alice reveals the list of values of ξ ∈ X,
and the data are sorted in order to estimate the parameters
separately for each value. With this simple method,
Alice and Bob measure 2|X| parameters, namely the $R^\xi$
and the $Q^\xi$.

[52] First proved in (Inamori, Lütkenhaus and Mayers, 2001-2007) in
the context of unconditional security.

The set X is publicly known as part of the protocol; but
if |X| > 1, Eve cannot adapt her strategy to the actual
value of ξ in each pulse, because she does not know it.
Therefore, $f_n$ and $\varepsilon_n$ are independent of ξ; in particular,
$R_n^\xi = \tilde\nu_S\, p_A(n|\xi)\, f_n$. The measured parameters
$$R^\xi = \sum_{n\ge 0} R_n^\xi \quad\text{and}\quad Q^\xi = \sum_{n\ge 0} \frac{R_n^\xi}{R^\xi}\, \varepsilon_n \tag{32}$$
define a linear system with 2|X| equations for the $f_n$ and
the $\varepsilon_n$. The optimization in (28) must then be performed
using the lower bounds for $Y_1^\xi$ and the upper bound for
$\varepsilon_1$ as obtained from the measured quantities $\{R^\xi, Q^\xi\}_{\xi\in X}$
(Tsurumaru, Soujaeff, Takeuchi, 2008). In practice, the
meaningful contributions are typically the n = 0, 1, 2
terms, and a decoy-state protocol with |X| = 3 comes
very close to an exact determination (Hayashi, 2007b). For
simplicity, here we suppose that all the $f_n$ and $\varepsilon_n$ have
been determined exactly [53]. Also, we consider a protocol
in which the classical post-processing that extracts a key
is done separately on the data that correspond to different
ξ. For each ξ, the quantity to be subtracted in PA is [54]
$$I_E^\xi = 1 - Y_0^\xi - Y_1^\xi\, [1 - h(\varepsilon_1)] \tag{33}$$
with $Y_{0,1}^\xi = R_{0,1}^\xi / R^\xi$ and the corresponding achievable
secret key rate is
$$K^\xi = R^\xi \left[ Y_0^\xi + Y_1^\xi\, (1 - h(\varepsilon_1)) - \mathrm{leak}_{EC}(Q^\xi) \right]. \tag{34}$$
The total secret key rate is $K = \sum'_\xi K^\xi$, where the sum
is taken on all the values of ξ such that $K^\xi \ge 0$. If
the classical post-processing were done on the whole raw
key, the total secret key rate would read
$K = R\,[1 - \mathrm{leak}_{EC}(Q)] - \sum_\xi R^\xi I_E^\xi$. The two expressions coincide if
there exists a ξ which is used almost always.
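
An added example (not from the paper) of how the rates in Eq. (32) expose a PNS attack that a single intensity cannot see. It goes beyond the text in using the standard vacuum-plus-weak-decoy lower bound on $f_1$, which follows from Eq. (32) for a Poissonian source with intensities µ > ν > 0; the transmission T, the intensities and the attack model are constructed values.

```python
import math


def poisson(n, mu):
    """p_A(n|mu) for a phase-randomized laser of mean photon number mu."""
    return math.exp(-mu) * mu**n / math.factorial(n)


def gain(mu, f, n_max=40):
    """R^mu / nu_S = sum_n p_A(n|mu) f_n, the rate part of Eq. (32)."""
    return sum(poisson(n, mu) * f(n) for n in range(n_max + 1))


def lossy_channel(T):
    """No eavesdropper: each photon is detected independently with prob. T."""
    return lambda n: 1.0 - (1.0 - T) ** n


def pns_attack(mu_signal, T):
    """Constructed PNS strategy tuned so that the gain at mu_signal equals
    that of the lossy channel: f_0 = 0, multi-photon pulses are forwarded
    first, single photons only if more detections are still needed."""
    target = gain(mu_signal, lossy_channel(T))
    p1 = poisson(1, mu_signal)
    p_multi = 1.0 - poisson(0, mu_signal) - p1
    if p_multi >= target:
        f1, f_multi = 0.0, target / p_multi
    else:
        f1, f_multi = (target - p_multi) / p1, 1.0
    return lambda n: 0.0 if n == 0 else (f1 if n == 1 else f_multi)


def f1_lower_bound(R_mu, R_nu, R_vac, mu, nu):
    """Lower bound on f_1 from the gains at signal mu, decoy nu and vacuum.

    With R meaning R^xi / nu_S, Eq. (32) for a Poissonian source gives
      R_nu e^nu - (nu/mu)^2 R_mu e^mu
        = f_0 (1 - nu^2/mu^2) + f_1 (nu - nu^2/mu)
          + sum_{n>=3} f_n (nu^n - nu^2 mu^(n-2)) / n!
    and the last sum is <= 0 because nu < mu and f_n >= 0.
    """
    if not 0.0 < nu < mu:
        raise ValueError("need 0 < nu < mu")
    bound = mu / (mu * nu - nu**2) * (
        R_nu * math.exp(nu)
        - R_mu * math.exp(mu) * nu**2 / mu**2
        - (1.0 - nu**2 / mu**2) * R_vac
    )
    return max(0.0, bound)


def analyse(f, mu=0.5, nu=0.1):
    """What Alice and Bob can certify from the gains at {mu, nu, vacuum}."""
    R_mu, R_nu, R_vac = gain(mu, f), gain(nu, f), gain(0.0, f)
    f1_low = f1_lower_bound(R_mu, R_nu, R_vac, mu, nu)
    p_multi = 1.0 - poisson(0, mu) - poisson(1, mu)
    return {
        "R_mu": R_mu,
        "R_nu": R_nu,
        "f1_low": f1_low,
        # certified single-photon fraction Y_1^mu = p_A(1|mu) f_1 / R^mu
        "Y1_decoy": poisson(1, mu) * f1_low / R_mu,
        # worst case without decoys, Eq. (29)
        "Y1_no_decoy": max(0.0, 1.0 - p_multi / R_mu),
    }


if __name__ == "__main__":
    T = 0.01  # constructed total transmission t * t_B * eta
    for name, f in (("lossy channel", lossy_channel(T)),
                    ("PNS attack", pns_attack(0.5, T))):
        print(name, analyse(f))
```

With these constructed values both channels give the same gain at µ, so Eq. (29) certifies no single-photon fraction in either case; the decoy bound certifies $Y_1^\mu$ of about 0.59 on the lossy channel and 0 under the attack.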
4. P&M: analytical estimates
Alice and Bob can optimize $K$ by playing with the parameters
of the source, typically the intensity. A rigorous
optimization can be done only numerically. In this paragraph,
we re-derive some often-quoted results for P&M
implementations of BB84. For this a priori estimate, one
has to assume that some “typical” values for the $R_n$ and
the $Q_n$ will indeed be observed. As stressed above, security
must be based on the actually measured values:
what follows provides only guidelines to start working
with the correct orders of magnitude. Here, we chose to
work in a regime in which the rate of detection of true
photons is much larger than the dark count rate. For
simplicity, we also assume optimal error correction, so
that $\mathrm{leak}_{EC}(Q) = h(Q)$.

[53] As a side remark: one might find $\varepsilon_{n\ge 2} > 0$, but this does not
modify the discussion in Sec. IV.B.1 about the optimal attack.
Indeed, Eve might have performed the attack that gives $\varepsilon_{n\ge 2} = 0$,
then added some errors “for free”.
[54] Note the presence of $Y_0^\xi$ in the next two equations.

The reference case is the case of single-photon sources,
for which the meaningful scheme is P&M without decoy
states. For this source, $p_A(1) = 1$ therefore $Y_1 = 1$; the
expected detection rate is $R = \tilde\nu_S\, t\, t_B\eta$, and Eq. (31)
yields immediately
$$K \approx \tilde\nu_S\, t\, t_B\eta\, [1 - 2h(Q)] \quad \text{(single photon)}. \tag{35}$$
As expected, $K$ scales linearly with the losses in the line
and the efficiency of the detector.
The most widespread sources in P&M schemes are attenuated
lasers. The estimate can be made by considering
only the single-photon and the two-photon emissions:
$p_A(1) = \mu e^{-\mu}$, $p_A(2) = \mu^2 e^{-\mu}/2$. The expected
detection rate is $R = \tilde\nu_S\, \mu\, t\, t_B\eta$. The important feature,
which is absent in the study of single-photon sources, is
the existence of an optimal value for the intensity µ, a
compromise between a large $R$ and a small $p_A(2)$. We
focus first on implementations without decoy states. We
can set $p_A(1) \approx \mu$ and $p_A(2) \approx \mu^2/2$, but still, the optimal
value of µ cannot be estimated exactly in general,
because $Y_1 = 1 - \frac{\mu}{2\, t\, t_B\eta}$ depends on µ and appears
in a non-algebraic function. Let us then consider
first the limiting case $Q = 0$: Eq. (31) becomes
$K/\tilde\nu_S \approx \mu\, t\, t_B\eta - \mu^2/2$, whose maximal value is $\frac{1}{2}(t\, t_B\eta)^2$
obtained for $\mu_0 = t\, t_B\eta$ (Lütkenhaus, 2000). To obtain
estimates for the $Q > 0$ case, we can make the approximation
of using $\mu_0$ to compute $Y_1$, i.e. to set $Y_1 = \frac{1}{2}$.
Then, the optimization of Eq. (31) is also immediate:
writing $F(Q) = 1 - h(2Q) - h(Q)$, the highest achievable
secret key rate is
$$\frac{K}{\tilde\nu_S\, t\, t_B\eta} \approx \frac{1}{2}\, \mu_{opt}\, F(Q) \quad \text{(laser, no decoy)} \tag{36}$$
obtained for the optimal mean photon number
$$\mu_{opt} \approx t\, t_B\eta\, \frac{F(Q)}{1 - h(2Q)}. \tag{37}$$
Let us now perform the estimate for an implementation
using decoy states. The decoy consists in varying
the intensity of the laser from one pulse to the other,
so that the general parameter ξ is in fact µ. We suppose
that a given value µ is used almost always (and
this one we want to optimize), while sufficiently many
decoy values are used in order to provide a full parameter
estimation. The expected values are $R^\mu = \tilde\nu_S\, \mu\, t\, t_B\eta$,
$R_1^\mu = \tilde\nu_S\, \mu e^{-\mu}\, t\, t_B\eta$ and $\varepsilon_1 = Q$. Inserted into Eq. (34),
one obtains $K \approx \tilde\nu_S\, \mu\, t\, t_B\eta\, [e^{-\mu}(1 - h(Q)) - h(Q)]$; using
$e^{-\mu} \approx 1 - \mu$, this expression reaches the maximal value
$$\frac{K}{\tilde\nu_S\, t\, t_B\eta} \approx \frac{1}{2}\, \mu_{opt}\, [1 - 2h(Q)] \quad \text{(laser, decoy)} \tag{38}$$
for the optimal mean photon number
$$\mu_{opt} \approx \frac{1}{2} \left[ 1 - \frac{h(Q)}{1 - h(Q)} \right]. \tag{39}$$
Let us summarize. Without decoy states, $\mu_{opt} \sim t$ and
consequently $K \propto t^2$: the larger the losses, the more
attenuated must the laser be. The reason is PNS attacks:
Alice must ensure that Eve cannot reproduce the
detection rate at Bob’s by using only photons that come
from 2-photon pulses (on which she has full information).
With decoy states, one can determine the fraction of
detections that involve photons coming from 2-photon
pulses; if this fraction is as low as expected, one can exclude
a PNS attack by Eve — as a benefit, the linear
scaling $K \propto t$ is recovered. This is the same scaling obtained
with single-photon sources, with the obvious benefit
that lasers are much more versatile and well-developed
than strongly sub-Poissonian sources. Another interesting
remark is that, both with and without decoy states,
$\mu_{opt} \approx \frac{1}{2}\mu_{crit}$, where the critical value $\mu_{crit}$ is defined as
the one for which $K \approx 0$. In other words, an intensity
double the optimal one is already enough to spoil all
security. In implementations without decoy states, where
µ decreases with t, this calibration may be critical at long
distances.
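
The estimates (36)-(39) checked against a numerical maximization of Eqs. (31) and (34), as an added example that is not part of the paper. It assumes a Poissonian source, no dark counts, optimal error correction and the expected rate $R = \tilde\nu_S\, \mu\, T$ with $T = t\, t_B\eta$; the function names are illustrative.

```python
import math


def h(x):
    """Binary entropy in bits. Assumption: clamped to 1 for x >= 1/2,
    where no key can be extracted."""
    if x <= 0.0:
        return 0.0
    if x >= 0.5:
        return 1.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def rate_no_decoy(mu, T, Q):
    """K / nu_S from Eqs. (29) and (31), with R = nu_S * mu * T."""
    p_multi = 1.0 - math.exp(-mu) * (1.0 + mu)     # p_A(n >= 2), Poissonian
    Y1 = 1.0 - p_multi / (mu * T)                   # Eq. (29)
    if Y1 <= 0.0:
        return 0.0   # multi-photon pulses alone can explain every detection
    return max(0.0, mu * T * (Y1 * (1.0 - h(Q / Y1)) - h(Q)))


def rate_decoy(mu, T, Q, linearized=False):
    """K / nu_S from Eq. (34) with Y_0 = 0, Y_1 = exp(-mu), eps_1 = Q.
    linearized=True uses exp(-mu) ~ 1 - mu, the step behind Eqs. (38)-(39)."""
    Y1 = (1.0 - mu) if linearized else math.exp(-mu)
    return max(0.0, mu * T * (Y1 * (1.0 - h(Q)) - h(Q)))


def optimum(rate, T, Q, lo=1e-6, hi=3.0, points=6000, **kwargs):
    """Log-spaced grid search for the intensity that maximizes rate(mu, T, Q).
    Returns (mu_opt, K_opt / nu_S)."""
    best_mu, best_K = lo, 0.0
    for i in range(points):
        mu = lo * (hi / lo) ** (i / (points - 1))
        K = rate(mu, T, Q, **kwargs)
        if K > best_K:
            best_mu, best_K = mu, K
    return best_mu, best_K


def mu_opt_no_decoy_estimate(T, Q):
    """Eq. (37)."""
    return T * (1.0 - h(2 * Q) - h(Q)) / (1.0 - h(2 * Q))


def mu_opt_decoy_estimate(Q):
    """Eq. (39)."""
    return 0.5 * (1.0 - h(Q) / (1.0 - h(Q)))


if __name__ == "__main__":
    Q = 0.02                       # constructed QBER
    for T in (1e-2, 1e-3):         # constructed total transmissions
        mu_nd, K_nd = optimum(rate_no_decoy, T, Q)
        mu_d, K_d = optimum(rate_decoy, T, Q)
        mu_lin, _ = optimum(rate_decoy, T, Q, linearized=True)
        print(f"T={T:g}")
        print(f"  no decoy: mu_opt={mu_nd:.5f} (Eq. 37: "
              f"{mu_opt_no_decoy_estimate(T, Q):.5f}), K/nu_S={K_nd:.3e}")
        print(f"  decoy:    mu_opt={mu_d:.3f}, linearized {mu_lin:.3f} "
              f"(Eq. 39: {mu_opt_decoy_estimate(Q):.3f}), K/nu_S={K_d:.3e}")
```

Reducing T by a factor 10 lowers the no-decoy rate by about 100 and the decoy rate by 10, which is the $t^2$ versus $t$ scaling of the summary. With decoys the optimum of the exact exponential lies noticeably above the value of Eq. (39), a reminder that the linearization is only a guideline.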
5. Entanglement-Based
If Alice holds the down-conversion source, as is the
case in almost all the EB QKD experiments performed
to date [55], an EB scheme is equivalent to a P&M one (see
II.B.2) so the corresponding security proofs could be applied.
The only specific difference to address concerns
the events in which more than one pair is produced inside
a coincidence window. As described in Sec. II.E.3,
two kinds of such contributions exist and Eve is able to
distinguish between them:
• A fraction of the multi-pair events contain partial
correlations in the degrees of freedom used for symbol
encoding; thus, Eve can get information on the
key bit by some form of PNS attacks. This situation
is similar to the multi-photon case in P&M
schemes, although here it is difficult to determine
exactly the amount of information that leaks out.
To be on the safe side we will suppose that Eve can
obtain full information without introducing any errors.
• The other, usually much larger fraction of multi-pair
events consists of independent uncorrelated
pairs. In this case Eve cannot obtain any information
on Bob’s symbol using the PNS attack. She
can only apply a “standard” single-particle attack.
We suppose that Eve can somehow find out which
one of multiple pairs was selected by Alice’s detector,
so we treat all such multi-pair contributions as
if they were single pairs.
Therefore Eq. (28) is replaced by
$$I_E \le Y'_m + Y'_1\, h\!\left( \frac{Q}{Y'_1} \right), \tag{40}$$
where $Y'_1$ is the fraction of single-pair plus uncorrelated
multi-pair events and $Y'_m$ is the fraction of multi-pair
events which are (partially) correlated in the degree of
freedom the information is encoded in. Explicitly,
$$Y'_m = p_A(n \ge 2)\, \frac{\tilde\nu_S}{R}\, \zeta \tag{41}$$
with ζ being the ratio of the number of partially correlated
multi-pair contributions to all multi-pair contributions
(see Sec. II.E.3). In total $Y'_m + Y'_1 = 1$. Finally, the
achievable secret-key rate reads
$$K = R\, [Y'_1 (1 - h(Q/Y'_1)) - \mathrm{leak}_{EC}(Q)]. \tag{42}$$

[55] We are aware of a single case, in which the source was in the
middle (Erven et al., 2008). As we shall discuss below in this
paragraph, security proofs have been provided also for this situation.

Recall that these formulas apply to implementations, in
which the source is safe on Alice’s side. Notice also that
two different sorts of multi-pair contributions are considered
and for each of them a different eavesdropping strategy
is assumed. However, in reality there is a smooth
transition between correlated and uncorrelated pairs. All
multi-pair events which exhibit non-negligible correla-
tions must be counted as correlated.
Recently security has been demonstrated also for EB
systems, in which the source is under Eve’s control
(Ma, Fung and Lo, 2007). The authors describe the conditions,
under which the whole object “Eve’s state preparation
and Alice’s measurement” behaves like an uncharacterized
source in the sense of Koashi and Preskill
(Koashi and Preskill, 2003). Alice has a box where she
can dial a basis and gets an information bit from her box
indicating which signal (0 or 1) was sent. Whatever state
Eve prepares, when she gives one part into Alice’s box
and Alice chooses a measurement, then the average density
matrix outside this box is independent of this choice
(assuming that the no-click event probability is basis
independent) [56]. On Alice’s side no Hilbert space argument
is needed, but on Bob’s side the squashing property of the
detection is required (see IV.A.2). The formula for the
achievable secret-key rate then reads
$$K = R\, [1 - h(Q) - \mathrm{leak}_{EC}(Q)]. \tag{43}$$
Formally, this is the same as obtained in a P&M scheme
using single photons [Eq. (31) with $Y_1 = 1$]. As such,
it is a remarkable result: it states that, under the assumptions
listed above, all the deviations from a perfect
two-photon source — in particular, the presence of multi-photon
components — are taken care of by measuring the
error rate $Q$ (Koashi and Preskill, 2003). Besides, it has
been found that the EB QKD can tolerate higher losses
if the source is placed in the middle between Alice and
Bob rather than if it is in Alice’s side (Ma, Fung and Lo,
2007; Waks, Zeevi and Yamamoto, 2002).

[56] This is clearly true for an active basis choice. In case of the
passive basis selection some additional assumptions on the detection
may be necessary.

Finally, we note that very recently another proof of the
security of entanglement-based systems with real detec-
tors was proposed, that does not rely on the squashing
property but rather on the measurement of the double-
click rate (Koashi et al., 2008).
C. BB84 coding: upper bounds incorporating the
calibration of the devices
As explained in Sec. III.B.5, the bounds for uncon-
ditional security are always found for the uncalibrated-
device scenario, which is over-pessimistic. It is instruc-
tive to present some upper bounds that take the calibra-
tion of the devices into account: the comparison between
these and the lower bounds will determine the “realm of
hope”, i.e. the range in which improvements on K may
yet be found. Clearly, the contribution leakEC(Q) of er-
ror correction is independent of the scenario: one has to
correct for all the errors, whatever their origin. The dif-
ference appears in the quantity to be removed in privacy
amplification.
1. Statistical parameters
In order to single out the parameters of the devices,
one has first to recast the general notations (IV.A.1) in
a more elaborated form. The detection rates must be
explicitly written as
$$R_n = R_{n,p} + R_{n,d} \tag{44}$$
where $R_{n,p}$ is the contribution of detections and $R_{n,d}$ is
the contribution of dark counts. Since Eve can act only
on the first part, it is convenient to redefine $Y_n = R_{n,p}/R$,
so that $\sum_n Y_n \equiv Y < 1$. The errors on the line $\varepsilon_n$ are
introduced only on the photon contribution, while the
dark counts always give an error rate of $\frac{1}{2}$; therefore the
total error is
$$Q = Y \varepsilon + \delta \tag{45}$$
where $\varepsilon = \sum_{n \geq 1} \frac{Y_n}{Y}\, \varepsilon_n$ and $\delta = \frac{1-Y}{2}$.
Note that the content of this paragraph is not specific
to BB84; but all that follows is.
2. Upper bounds
To derive an upper bound, we use a simple recipe,
which consists in following closely the calculations of the
previous subsection IV.B and just making the necessary
modifications, although this is known to be sub-optimal
and no squashing model is known in this situation to jus-
tify the assumption. In particular, Eve is still supposed
to forward to Bob at most one photon, although this is
known to be sub-optimal. Therefore
$$R_{n,p} = \tilde{\nu}_S\, p_A(n)\, f_n\, t_B \eta \tag{46}$$
$$R_{n,d} = \tilde{\nu}_S\, p_A(n)\, (1 - f_n\, t_B \eta)\, 2 p_d \tag{47}$$
where $p_d$ is the dark count rate. Note the presence of
$t_B \eta$ in these formulas: the detector efficiency has not
been incorporated into $f_n$. Extracting $f_n t_B \eta$ from these
equations, one finds
$$Y = \left(1 - 2 p_d \tilde{\nu}_S / R\right) / (1 - 2 p_d) \tag{48}$$
which means that the ratio between detections and dark
counts depends only on the total detection rate $R$. Also,
for our simple recipe, it is immediate that the modification
of the general expression (28) reads
$$I_E = \max_{\mathrm{Eve}} \left[ Y_1 h(\varepsilon_1) + (Y - Y_1) \right] = Y - \min_{\mathrm{Eve}} Y_1 [1 - h(\varepsilon_1)] . \tag{49}$$
We restrict now to the P&M schemes. In the implementation
with decoy states, the $Y_n$ and the $\varepsilon_n$ are known,
so the only difference with the uncalibrated-device formula
(34) is the role of dark counts:
$$K^{\xi} = R^{\xi} \left[ Y_1^{\xi} \left(1 - h(\varepsilon_1)\right) + 2\delta^{\xi} - \mathrm{leak}_{EC}(Q^{\xi}) \right] \tag{50}$$
where $Y_0$ is replaced by the very slightly larger term [57]
$2\delta^{\xi} = 1 - Y^{\xi}$. Things are different for the implementation
without decoy states, because now $Y_1$ and $\varepsilon_1$ are not directly
measured, only $R$ and $Q$ are. Since we are supposing
that the optimal strategy is still such that $\varepsilon_{n \geq 2} = 0$
and $f_{n \geq 2} = 1$, we have
$$Y_1 = Y - t_B \eta\, \frac{\tilde{\nu}_S}{R}\, p_A(n \geq 2) \quad \text{and} \quad \varepsilon_1 = \frac{Q - \delta}{Y_1} . \tag{51}$$
[57] In the notation of this paragraph, the previous $Y_0$ would read
$R_0/R = R_{0,d}/R$; while $2\delta = \sum_{n \geq 0} R_{n,d}/R$. Note that, strictly
speaking, $R_0 = R_{0,d}$ is an assumption: a priori, one can imagine
that Eve creates some photons to send to Bob also when Alice is
sending no photons — but we don’t consider here such a highly
artificial situation.
Note that $Y_1$ can be significantly larger than in the
uncalibrated-device scenario, eq. (29): in fact, although
$Y$ is slightly smaller than one, the term to be subtracted
is multiplied by $t_B \eta$. This difference is specifically due
to the fact that Eve is not supposed to influence the efficiency
of the detector. Finally, one obtains
$$K = R \left[ Y_1 \left(1 - h(\varepsilon_1)\right) + 2\delta - \mathrm{leak}_{EC}(Q) \right] \tag{52}$$
with the expressions (51) and with $2\delta = 1 - Y$.
D. Bounds for the SARG04 coding
We sketch here the analysis of SARG04 because it contains
a certain number of instructive differences with respect
to BB84. Here we note $\tilde{\nu}_S = \nu_S/2$ because Bob
must always choose the bases with probability $\frac{1}{2}$, even
if Alice would almost always use the same set of states.
The raw key rates are different from those of BB84. For
definiteness, suppose that Alice sends $|{+x}\rangle$, so the bit is
accepted if Bob finds “−”. If Bob measures $X$, he accepts
the bit only if he obtains “−”, but this can only
be due to an error. We write $R_n^w = \tilde{\nu}_S\, p_A(n)\, f_n\, \tilde{\varepsilon}_n$ where
the relation of $\tilde{\varepsilon}_n$ to the induced error rate $\varepsilon_n$ will be
computed just below. If Bob measures $Y$, he gets “−” in
half of the cases [58] and the bit value is correct. So
$$R_n = \tilde{\nu}_S\, p_A(n)\, f_n \left( \frac{1}{2} + \tilde{\varepsilon}_n \right) . \tag{53}$$
We see that the detection rate increases in the presence
of errors, contrary to BB84 where the detection rate is
determined only by $p_{\mathrm{sift}}$. The error rate is
$$\varepsilon_n = \frac{\tilde{\varepsilon}_n}{\frac{1}{2} + \tilde{\varepsilon}_n} : \tag{54}$$
for a given perturbation $\tilde{\varepsilon}_n$ in the quantum channel, the
error introduced in SARG04 is roughly twice the error
$\varepsilon_n = \tilde{\varepsilon}_n$ which would be introduced in BB84.
[58] As such, this statement contains an assumption on Eve’s attack,
namely $\mathrm{Tr}[\sigma_y \rho(\pm x)] = 0$ where $\rho(\pm x)$ is the state received by
Bob after Eve’s intervention, when Alice has sent $|{\pm x}\rangle$. But
the result holds in general for the average detection rate, if Alice
prepares all four states with equal probability.
The protocol can be analyzed following the same pattern
as the one presented for BB84. Here we just review
the main results:
• SARG04 was invented as a method to reduce the
effect of PNS attacks, taking advantage of the fact
that Eve cannot extract full information from the
2-photon pulses (Acín, Gisin and Scarani, 2004;
Scarani, Acín, Ribordy and Gisin, 2004). This initial
intuition has been confirmed by all subsequent,
more rigorous studies. In particular, it was proved
that a fraction of fully secure secret key can be extracted
from the 2-photon pulses (Tamaki and Lo,
2006), and that in implementations using weak coherent
lasers and without decoy states, for small
error rate SARG04 performs indeed better than
BB84 and shows a scaling $\sim t^{3/2}$ as a function of
the distance (Branciard et al., 2005; Koashi, 2005;
Kraus, Branciard and Renner, 2007).
• In the literature one finds the claim that, when
implemented with decoy states, SARG04 performs
worse than BB84 (Fung, Tamaki and Lo, 2006;
Kraus, Branciard and Renner, 2007). This must
be properly understood: decoy states are a method
to gain additional knowledge on Eve’s attack. If
this method does not reveal any PNS attack (as
it will be the case in most experiments, because
losses appear random and therefore Eve is acting
as a beam-splitter), indeed the BB84 rate is better
than the one of SARG04. However, if one would
find that Eve is actually performing a PNS attack,
SARG04 would of course be more robust, consis-
tently with what we wrote in the previous item.
• An interesting case arises if one considers im-
plementations with single-photon sources. The
first unconditional security bound yielded that
SARG04 tolerates a smaller QBER than BB84
(Tamaki and Lo, 2006). But this bound was improved
shortly later: the optimal $I_{E,1}$, which is
not known analytically but can easily be computed
numerically, goes to zero for $\varepsilon_1 \approx 11.67\%$
(Kraus, Branciard and Renner, 2007). This improved
value is slightly better than the corresponding
value for BB84, $\varepsilon_1 \approx 11.0\%$: it seems therefore
that SARG04 would perform better than BB84 also
in a single-photon implementation. The picture is
however different if one relates the error rate to the
parameters of the channel, typically the visibility
of interference fringes: this parameter is related to
the ones introduced here through $\tilde{\varepsilon}_1 = \frac{1-V}{2}$. For
BB84, $\tilde{\varepsilon}_1 = \varepsilon_1$ and consequently the critical visibility
is $V \approx 78\%$; while for SARG04, because of (54),
the critical visibility is worse, namely $V \approx 87\%$.
V. CONTINUOUS-VARIABLE PROTOCOLS
A. Status of security proofs
In the case of Gaussian modulation, security
has been proved against collective
attacks (García-Patrón and Cerf, 2006;
Navascués, Grosshans and Acín, 2006). We shall
present this bound below (V.B) and use it for the
comparison with the other platforms (VII). There is
some hope that the same bound would hold also for the
most general attack, as it is the case for discrete-variable
systems: in particular, we note that the “intuitive”
reason behind that equivalence (III.B.2) would apply
also to CV protocols. Unfortunately, the exponential de
Finetti bound (Renner, 2007) does not help because it
explicitly depends on the dimension of the quantum
signals. On this issue, see the Note added in proof at the end
of this paper.
In the case of discrete modulation, the security status
is even less advanced. Technically, the difficulty lies in
the fact that the raw key is made of discrete variables
for Alice, while Bob has a string of real numbers. A
full analysis has been possible only in the case where the
quantum channel does not add excess noise to the signal,
so that the observed conditional variances still describe
minimum uncertainty states. In this case, the eavesdrop-
per’s attack is always describable as a generalized beam-
splitting attack, simulating the observed loss. The corre-
sponding key rates depend on the classical communica-
tion protocols chosen (with or without post-selection of
data, in reverse or direct reconciliation); the best known
protocol involves a combination of post-selection and re-
verse reconciliation, especially when the error correction
algorithms work away from the asymptotic Shannon efficiency
(Heid and Lütkenhaus, 2006). In the presence of
excess noise, the formula for the key rate is the object of
ongoing research; it has at least been possible to derive
entanglement witnesses (Rigas, Gühne and Lütkenhaus,
2006). Entanglement verification has been performed
and has shown that excess noise in typical installations
does not wipe out the quantum correlation within the
experimentally accessible domain (Lorenz et al., 2006).
Finally, in all works on CV QKD with no exception,
it has been assumed that Eve does not act on the local
oscillator [59] — of course, she is allowed to have access
to it in order to measure quadratures. Since the local
oscillator travels through Eve’s domain, this assumption
opens a security loophole [60]. Note that a similar situation
burdened until very recently the security of Plug&Play
configurations, for which finally unconditional security
could be proved (see II.H.2); it is not clear however that
the same approach will work here, since the strong pulses
have very different roles in the two schemes. In any case,
the open issue just discussed, together with the fact that
the existing exponential de Finetti theorem does not apply
to infinite-dimensional systems, are the main reasons
unconditional security proofs are not available yet
for CV QKD.
[59] This amounts to viewing the local oscillator as an authenticated
channel, building on the closeness to classical signals. In an alternative
set-up, this problem can be circumvented by Bob measuring
the phase of the local oscillator, followed by the recreation
within Bob’s detector of a local oscillator with the measured
phase (Koashi, 2004).
[60] For the setups as they have been implemented, all observed correlations
are compatible with an intercept/resend attack involving
both the signal and the local oscillator. Security against
this specific attack can be easily recovered by simple modifications
of the setups, for example the independent measurement
of the intensity of the phase reference pulse and the signal pulse
(Häseler, Moroder and Lütkenhaus, 2008).
As mentioned earlier (II.D.3), continuous variable
protocols show interesting features also on the classical
part. In contrast to typical discrete variable protocols,
where losses simply reduce the number of detected
signals, continuous variable protocols will always detect
a result, so that loss corresponds now to increased noise
in the signal. Two main methods have been formu-
lated to deal with this situation at the protocol level:
reverse reconciliation (Grosshans and Grangier, 2002a)
and post-selection (Silberhorn et al., 2002). The first
method can be realized using one-way EC schemes, but
turns out to be sensitive to the efficiency of those very
schemes. Its main advantage is that its security can be
rigorously assessed versus general collective attacks (and
has been conjectured to hold even for coherent attacks).
In contrast, the second method can use both one-way and
two-way EC schemes, and is fairly stable even if those
schemes do not perform at the Shannon limit. However,
its security can be analyzed only by making assumptions
on Eve’s interception (see below). The status of its
security is not clear even for general individual attacks.
Note that for close-to-perfect EC, reverse reconciliation
outperforms post-selection. While progress is being
made in the efficiency of EC schemes, it turns out that
a combination of post-selection and reverse reconcilia-
tion provides a practical solution to obtain reasonable
rates with current technology, both for discrete-
modulation (Heid and L¨utkenhaus, 2006) and for
Gaussian-modulation protocols (Heid and L¨utkenhaus,
2007).
B. Bounds for Gaussian protocols
1. Generalities
As announced, we provide an explicit security
bound for coherent-state homodyne-detection protocol
of (Grosshans and Grangier, 2002a). Like all Gaus-
sian protocols, this prepare-and-measure protocol can be
shown to be equivalent to an entanglement-based scheme
(Grosshans, Cerf et al., 2003). In such a scheme, Alice
prepares an EPR state — more precisely, the two-mode
squeezed vacuum state (15). By applying an heterodyne
measurement on mode A, she prepares in the second
mode of the EPR pair a coherent state, whose displace-
ment vector is Gaussian distributed in x and p. Then,
Bob applies a homodyne measurement on mode B, mea-
suring quadrature x or p. It can be shown that reverse
reconciliation is always favorable for Alice and Bob, so
we have to compute Eq. (21) with IEB on the right hand
side.
It has been proved that Eve’s optimal
attack is Gaussian for both individual
(García-Patrón, 2007; Grosshans and Cerf, 2004;
Lodewyck, Debuisschert et al., 2007) and collective
attacks (García-Patrón and Cerf, 2006;
Navascués, Grosshans and Acín, 2006). We can therefore
assume that Eve effects a Gaussian channel, so
that the quantum state $\rho_{AB}$ just before Alice and
Bob’s measurements can be assumed to be a Gaussian
two-mode state with zero mean value and covariance
matrix $\gamma_{AB}$.
The Gaussian channel is characterized by two parameters:
the transmittance, which here, since we work in the
uncalibrated-device scenario, is $t\eta$ with $\eta$ the efficiency
of the detectors; and the noise $\delta$ referred to the input of
the channel [61]. Since the two-mode squeezed state (15)
is also symmetric and has no correlations between $x$ and
$p$, the resulting covariance matrix of modes $A$ and $B$ can
be written in a block-diagonal form,
$$\gamma_{AB} = \begin{pmatrix} \gamma^{x}_{AB} & 0 \\ 0 & \gamma^{p}_{AB} \end{pmatrix} \tag{55}$$
with
$$\gamma^{x(p)}_{AB} = \begin{pmatrix} v & \pm\sqrt{t\eta\,(v^2-1)} \\ \pm\sqrt{t\eta\,(v^2-1)} & t\eta\,(v+\delta) \end{pmatrix} \tag{56}$$
where the signs $+$ and $-$ correspond to $\gamma^{x}_{AB}$ and $\gamma^{p}_{AB}$,
respectively. Here, $v$ is the variance of both quadratures
of Alice’s output thermal state expressed in shot-noise
units, that is, $v = v_A + 1$, $v_A$ being the variance of Alice’s
Gaussian modulation.
For what follows, it is convenient to define $v_{X|Y}$, the
conditional variance that quantifies the remaining uncertainty
on $X$ after the measurement of $Y$:
$$v_{X|Y} = \langle x^2 \rangle - \langle xy \rangle^2 / \langle y^2 \rangle , \tag{57}$$
expressed in shot-noise units.
2. Modeling the noise
The noise $\delta$ is the total noise of the channel Alice-Bob.
It can be modeled as the sum of three terms:
$$\delta = \frac{1-t}{t} + \frac{\delta_h}{t} + \epsilon . \tag{58}$$
The first term $(1-t)/t$ stands for the loss-induced vacuum
noise (referred to the input); this term is at the origin
of the higher sensitivity to losses of continuous-variable
QKD. The second term stands for the noise added by the
imperfection of the homodyne detection. This is modeled
by assuming that the signal reaching Bob’s station is attenuated
by a factor $\eta$ (detection efficiency) and mixed
with some thermal noise $v_{el}$ (electronic noise of the detector),
giving [62]
$$\delta_h = \frac{1 + v_{el}}{\eta} - 1 . \tag{59}$$
The third term $\epsilon$ is the excess noise (referred to the input)
that is not due to line losses nor detector imperfections.
For a perfect detector, it can be viewed as the
continuous-variable counterpart of the QBER in discrete-variable
QKD; it is zero for a lossy but noiseless line.
[61] The observed noise in channels such as optical fibers is typically
symmetric and uncorrelated in both quadratures $x$ and $p$ (there
is no preferred phase), so we restrict to this case here.
3. Information Alice-Bob
In the EB version of the coherent-state protocol considered
here (Grosshans and Grangier, 2002a), Alice performs
heterodyne detection, so her uncertainty on Bob’s
quadratures is expressed as
$$v_{B|A_M} = t\eta\,(\delta + 1) . \tag{60}$$
The mutual information between Alice and Bob is therefore
given by
$$I(A:B) = \frac{1}{2} \log_2 \frac{v_B}{v_{B|A_M}} = \frac{1}{2} \log_2 \frac{\delta + v}{\delta + 1} . \tag{61}$$
As mentioned above, the main bottleneck of continuous-
variable QKD schemes comes from the heavy post-
processing that is needed in order to correct the errors
due to the vacuum noise that is induced by the line losses.
In practice, the amount of information left after error
correction will be a fraction β of I(A : B). This value
has an important effect on the achievable secret key rate
and the limiting distance (as we shall discuss below, for
β = 1 a secure key can in principle be extracted for ar-
bitrarily large distances). This provides a strong incen-
tive for developing better reconciliation algorithms. The
first technique that was proposed to perform continuous-
variable error correction relied on a so-called “sliced
reconciliation” method (Van Assche, Cardinal and Cerf,
2004), and gave an efficiency β ≈ 80%. These al-
gorithms have been improved by using turbo-codes
(Nguyen, Van Assche and Cerf, 2004) and low-density
parity codes (LDPC) (Bloch et al., 2005), which both
allow to work with noisy data, hence longer distances.
More recently, multi-dimensional reconciliation algo-
rithms have been introduced, which allow to deal with
even noisier data while keeping similar or higher recon-
ciliation efficiencies (Leverrier et al., 2008).
[62] Replacing the expression for $\delta_h$ into (58), one obtains
$\delta = (1 - t\eta + v_{el})/(t\eta) + \epsilon$, which depends only on $t\eta$ as it should in the
uncalibrated-device scenario.
4. Individual attacks
To become familiar with the security analysis, we first
present individual attacks. In order to address the secu-
rity of the protocol, we assume as usual that Eve holds
the purification of $\rho_{AB}$. Then, by measuring their systems,
Alice and Eve project Bob’s share of the joint pure
state $|\Psi_{ABE}\rangle$ onto another pure state (we may assume
without loss of generality that Eve’s projection results
from a rank-one POVM). Applying the Heisenberg uncertainty
relation on the pure state held by Bob conditionally
on Alice and Eve’s measurements, we have
$$v_{X_B|E}\, v_{P_B|A} \geq 1, \qquad v_{P_B|E}\, v_{X_B|A} \geq 1, \tag{62}$$
where $X_B$ and $P_B$ are the canonically conjugate quadratures
of Bob’s mode. Equation (62) can be written as a
single uncertainty relation
$$v_{B|E}\, v_{B|A} \geq 1 \tag{63}$$
where B stands for any quadrature of Bob’s mode. This
inequality can be used to put a lower bound on the un-
certainty of Eve’s estimate of the key in reverse reconcil-
iation, that is, when the key is made out of Bob’s data
while Alice and Eve compete to estimate it.
Now, $v_{B|A}$ is not necessarily given by (60): Eve’s attack
cannot depend on how the mixed state sent by Alice
(i.e., the thermal state) has been prepared, since all
possible ensembles are indistinguishable. An acceptable
possibility is Alice performing homodyne measurement,
or, equivalently, preparing squeezed states just as in the
protocol of (Cerf, Lévy and Van Assche, 2001); in which
case we obtain
$$v_{B|A} = t\eta\,(\delta + 1/v) . \tag{64}$$
It can be shown that this is the lowest possible value of
$v_{B|A}$, hence from (63)
$$v_{B|E} \geq \frac{1}{t\eta\,(\delta + 1/v)} . \tag{65}$$
This gives a bound for $I(B:E)$, so the extractable secret
key rate under the assumption of individual attacks
becomes
$$r = I(A:B) - I(E:B) = \frac{1}{2}\log_2 \frac{v_{B|E}}{v_{B|A_M}} \geq \frac{1}{2}\log_2 \frac{1}{(t\eta)^2\,(\delta+1/v)\,(\delta+1)} \tag{66}$$
as shown in (Grosshans, Van Assche et al., 2003). Note
that the scheme that implements the optimal attack (saturating
this bound) is the entanglement cloner defined in
(Grosshans and Grangier, 2002b). Using Eq. (58), it appears
that in the case of high losses ($t\eta \to 0$) and large
modulation ($v \to \infty$), the secret key rate $r$ remains nonzero
provided that the excess noise satisfies $\epsilon < 1/2$. This
is a remarkable result, due to reverse reconciliation: for
direct reconciliation, obviously there can be no security
when Eve has as much light as Bob, i.e. for $t\eta \leq \frac{1}{2}$.
A similar reasoning can be followed to derive the se-
curity of all Gaussian QKD protocols against individual
attacks (García-Patrón, 2007). The only special case concerns
the coherent-state heterodyne-detection protocol,
whose security study against individual attacks is more
involved (Lodewyck and Grangier, 2007; Sudjana et al.,
2007).
5. Collective attacks
The security of the coherent-state homodyne-detection
scheme against the class of collective attacks has
been fully studied. The corresponding rates were
first provided assuming that Eve’s collective attack
is Gaussian (Grosshans, 2005; Navascués and Acín,
2005). Later on, it was proved that this choice
is actually optimal (García-Patrón and Cerf, 2006;
Navascués, Grosshans and Acín, 2006). This implies
that it remains sufficient to assess the security against
Gaussian collective attacks, which are completely characterized
by the covariance matrix $\gamma_{AB}$ estimated by Alice
and Bob. A long but straightforward calculation shows
that
$$\chi(B:E) = g(\tilde{\lambda}_1) + g(\tilde{\lambda}_2) - g(\tilde{\lambda}_3) \tag{67}$$
where $g(x) = (x+1)\log_2(x+1) - x \log_2 x$ is the entropy
of a thermal state with a mean photon number of $x$ and
$\tilde{\lambda}_k = \frac{\lambda_k - 1}{2}$, where
$$\lambda^2_{1,2} = \frac{1}{2}\left(A \pm \sqrt{A^2 - 4B}\right) , \qquad \lambda_3^2 = v\, \frac{1 + v\delta}{v + \delta} \tag{68}$$
with $A = v^2(1 - 2t\eta) + 2t\eta + [t\eta(v+\delta)]^2$ and $B = [t\eta(v\delta+1)]^2$.
In conclusion, the secret key rate achievable against
collective attacks is obtained by inserting expressions
(61) and (67) into
$$K = R\,[\beta\, I(A:B) - \chi(B:E)] . \tag{69}$$
Finally, we note that the optimality of Gaussian attacks
is actually valid also for protocols that use heterodyne
detection; a bound for security against Gaussian collec-
tive attacks in these protocols has been provided recently
(Pirandola, Braunstein and Lloyd, 2008).
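The bounds of Eqs. (61), (66) and (67)-(69) can be evaluated numerically to see how the reconciliation efficiency β limits the tolerable loss. The following is an added example, not code from the paper: rates are per signal (R = 1), all function names are hypothetical, and the 0.1 dB loss grid and 40 dB scan limit are assumptions.

```python
"""Secret-key rates for the coherent-state homodyne protocol with reverse
reconciliation, following Eqs. (58)-(61), (65)-(66) and (67)-(69).
Rates are in bits per signal (K/R); the sample parameters are constructed."""
from math import log2, sqrt


def total_noise(t, eta=1.0, v_el=0.0, eps=0.0):
    """Total noise delta referred to the channel input, Eqs. (58)-(59)."""
    delta_h = (1.0 + v_el) / eta - 1.0
    return (1.0 - t) / t + delta_h / t + eps


def mutual_info_ab(v, delta):
    """I(A:B) of Eq. (61); v = v_A + 1 in shot-noise units."""
    return 0.5 * log2((delta + v) / (delta + 1.0))


def info_eve_individual(v, T, delta):
    """Largest I(B:E) allowed by Eq. (65): (1/2) log2(v_B / v_{B|E}),
    with v_B = T (v + delta) and v_{B|E} = 1 / (T (delta + 1/v))."""
    return 0.5 * log2(T * T * (v + delta) * (delta + 1.0 / v))


def g(x):
    """Entropy of a thermal state with mean photon number x."""
    if x <= 0.0:  # also absorbs rounding that lands just below zero
        return 0.0
    return (x + 1.0) * log2(x + 1.0) - x * log2(x)


def holevo_be(v, T, delta):
    """chi(B:E) of Eqs. (67)-(68) for overall transmittance T = t * eta."""
    A = v * v * (1.0 - 2.0 * T) + 2.0 * T + (T * (v + delta)) ** 2
    B = (T * (v * delta + 1.0)) ** 2
    root = sqrt(max(A * A - 4.0 * B, 0.0))
    lam1 = sqrt((A + root) / 2.0)
    lam2 = sqrt((A - root) / 2.0)
    lam3 = sqrt(v * (1.0 + v * delta) / (v + delta))
    return g((lam1 - 1.0) / 2.0) + g((lam2 - 1.0) / 2.0) - g((lam3 - 1.0) / 2.0)


def key_rate(v_mod, t, eta=1.0, v_el=0.0, eps=0.0, beta=1.0,
             attack="collective"):
    """beta * I(A:B) minus Eve's information; a negative value means no key.
    v_mod is Alice's modulation variance v_A, so v = v_mod + 1."""
    v = v_mod + 1.0
    T = t * eta
    delta = total_noise(t, eta, v_el, eps)
    if attack == "collective":
        eve = holevo_be(v, T, delta)
    elif attack == "individual":
        eve = info_eve_individual(v, T, delta)
    else:
        raise ValueError("attack must be 'collective' or 'individual'")
    return beta * mutual_info_ab(v, delta) - eve


def max_tolerable_loss_db(v_mod, beta, eps=0.0, step=0.1, limit=40.0):
    """Largest line loss (dB, on a grid) that still gives a positive rate
    against collective attacks; returns `limit` if the rate never vanishes."""
    last_ok = None
    for k in range(int(round(limit / step)) + 1):
        loss = k * step
        if key_rate(v_mod, 10 ** (-loss / 10.0), eps=eps, beta=beta) <= 0.0:
            return last_ok
        last_ok = loss
    return limit


if __name__ == "__main__":
    for beta in (1.0, 0.95, 0.9, 0.8):
        print("beta =", beta, "-> tolerable loss (dB):",
              max_tolerable_loss_db(10.0, beta))
```

For a lossy but noiseless line the rate stays positive over the whole scan when β = 1, while β = 0.8 cuts the key off at a finite loss.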
6. Collective attacks and post-selection
In the case where all observed data are Gaussian, in-
cluding the observed noise, we can again provide a se-
curity proof which also allows to include post-selection
of data in the procedure. The starting point of this se-
curity proof is the protocol with Gaussian distribution
of the amplitude together with the heterodyne detection
by Bob. In this case, in a collective attack scenario, we
can assume a product structure of the subsequent sig-
nals, and the density matrix ρAB of the joint state of
Alice and Bob is completely determined due to the to-
mographic structure of the source replacement picture
and the measurement. In this scenario, we can therefore
determine the quantum states in the hand of the eavesdropper
as Eve holds the system $E$ of the purification
$|\Psi\rangle_{ABE}$ of $\rho_{AB}$.
Let us consider the situation where all observed data
in this scenario are Gaussian distributions, which is the
typical observation made in experiments. Note that this
is an assumption that can be verified in each run of the
QKD protocol! In principle, one can now just use the
standard formula for the key rate in the collective sce-
nario, Eq. (69). However, we would like to introduce a
post-selection procedure (Silberhorn et al., 2002) to im-
prove the stability of the protocol against imperfections
in the error correction protocol.
To facilitate the introduction of post-selection, we add
further public announcements to the CV QKD protocol:
Alice makes an announcement ‘a’ consisting of the
imaginary component $\alpha_y$ and the modulus of the real
component $|\alpha_x|$ of the complex amplitude $\alpha$ of her signals.
That leaves two possible signal states open. Similarly,
Bob makes an announcement ‘b’ which contains
again the complex component $\beta_y$ and the modulus $|\beta_x|$
of the complex measurement result $\beta$ of his heterodyne
measurement. That leaves, again, two possible measurements
from Eve’s point of view. For any announcement
combination $(a, b)$ we have therefore an effective binary
channel between Alice and Bob. As the purification of
the total state $\rho_{AB}$ is known, we can calculate for each
effective binary channel a key rate
$$\Delta I(a,b) = \max\left\{ 1 - f(e^{a,b})\, h[e^{a,b}] - \chi^{a,b},\; 0 \right\} . \tag{70}$$
This expression contains the post-selection idea in the
way that whenever $1 - h[e^{a,b}] - \chi^{a,b}$ is negative, the data
are discarded, leading to a zero contribution of the corresponding
effective binary channel to the overall key rate.
The expressions for $\chi^{a,b}$ have been calculated analytically
in (Heid and Lütkenhaus, 2007), which is possible since
the conditional states of Eve, as calculated from the
purification of $\rho_{AB}$, are now at most of rank four. Several
scenarios have been considered there, but the one that is
of highest interest is the combination of post-selection
with reverse reconciliation. The explicit expressions are
omitted here, as they do not give additional insight. The
evaluation of the overall key rate
$$K = R \int da\, db\; \Delta I(a,b) \tag{71}$$
is then done numerically.
VI. DISTRIBUTED-PHASE-REFERENCE PROTOCOLS
A. Status of security proofs
As we said in Sec. II.D.4, distributed-phase-reference
protocols were invented by experimentalists, looking for
practical solutions. Only later it was noticed that these
protocols, in addition to being practical, may even yield better
rates than the traditional discrete-variable protocols,
i.e. rates comparable to those of decoy-states implemen-
tations. The reason is that the PNS attacks are no longer
zero-error attacks both for DPS (Inoue and Honjo, 2005)
and for COW (Gisin et al., 2004; Stucki et al., 2005). In
fact, the number of photons in a given pulse and the
phase coherence between pulses are incompatible phys-
ical quantities. At the moment of writing, no lower
bound is known for the unconditional security of DPS or
COW, but several restricted attacks have been studied
(Branciard et al., 2007; Branciard, Gisin and Scarani,
2008; Curty et al., 2007; Curty, Tamaki and Moroder,
2008; Gomez-Sousa and Curty, 2009; Tsurumaru, 2007;
Waks, Takesue and Yamamoto, 2006). In these stud-
ies, it has also been noticed that DPS and especially
COW can be modified in a way that does not make
them more complicated, but may make them more robust
(Branciard, Gisin and Scarani, 2008). Since this point
has not been fully developed though, we restrict our at-
tention to the original version of these protocols.
B. Bounds for DPS and COW
1. Collective beam-splitting attack
We present the calculation of the simplest zero-error
collective attack, namely the beam-splitting attack
(Branciard, Gisin and Scarani, 2008). For both DPS
and COW, Alice prepares a sequence of coherent states
$\bigotimes_k |\alpha(k)\rangle$: each $\alpha(k)$ is chosen in $\{+\alpha, -\alpha\}$ for DPS, in
$\{+\alpha, 0\}$ for COW. Eve simulates the losses with a beam-splitter,
keeps a fraction of the signal and sends the remaining
fraction $\tau = t\, t_B \eta$ to Bob on a lossless line —
note that, although this security study does not provide
a lower bound, we work in the uncalibrated-device scenario
for the sake of comparison with the other protocols.
Bob receives the state $\bigotimes_k |\alpha(k)\sqrt{\tau}\rangle$: in particular, Bob’s
optical mode is not modified, i.e. BSA introduces no error [63].
Eve’s state is $\bigotimes_k |\alpha(k)\sqrt{1-\tau}\rangle$; let us introduce
the notations $\alpha_E = \alpha\sqrt{1-\tau}$ and
$$\gamma = e^{-|\alpha_E|^2} = e^{-\mu(1-\tau)} . \tag{72}$$
[63] Apart from BSA, other attacks exist that do not introduce errors:
for instance, photon-number-splitting attacks over the whole key,
preserving the coherence (these are hard to parametrize and have
never been studied in detail). For COW, there exist also attacks
based on unambiguous state discrimination (Branciard et al.,
2007).
When Bob announces a detection involving pulses $k-1$
and $k$, Eve tries to learn the value of his bit by looking
at her systems. Assuming that each bit value is equally
probable, Eve’s information is given by
$I_{\mathrm{Eve}} = S(\rho_E) - \frac{1}{2} S(\rho_{E|0}) - \frac{1}{2} S(\rho_{E|1})$ with $\rho_E = \frac{1}{2}\rho_{E|0} + \frac{1}{2}\rho_{E|1}$.
The information available to Eve differs for the two
protocols, because of the different coding of the bits.
In DPS, the bit is 0 when $\alpha(k-1) = \alpha(k)$ and is 1
when $\alpha(k-1) = -\alpha(k)$. So, writing $P_\psi$ the projector
on $|\psi\rangle$, the state of two consecutive pulses reads
$\rho_{E|0} = \frac{1}{2} P_{+\alpha_E,+\alpha_E} + \frac{1}{2} P_{-\alpha_E,-\alpha_E}$ and
$\rho_{E|1} = \frac{1}{2} P_{+\alpha_E,-\alpha_E} + \frac{1}{2} P_{-\alpha_E,+\alpha_E}$;
therefore, noticing that $|\langle +\alpha_E | -\alpha_E \rangle| = \gamma^2$,
we obtain
$$I^{DPS}_{E,BS}(\mu) = 2h[(1-\gamma^2)/2] - h[(1-\gamma^4)/2] \tag{73}$$
where $h$ is the binary entropy function, and
$$K(\mu) = \nu_S \left(1 - e^{-\mu t\, t_B \eta}\right) \left[1 - I^{DPS}_{E,BS}(\mu)\right] . \tag{74}$$
In COW, the bit is 0 when $\alpha(k-1) = \sqrt{\mu}$, $\alpha(k) = 0$
and is 1 when $\alpha(k-1) = 0$, $\alpha(k) = \sqrt{\mu}$; so, with similar
notations as above, $\rho_{E|0} = P_{+\alpha_E,0}$ and $\rho_{E|1} = P_{0,+\alpha_E}$;
therefore, noticing that $|\langle +\alpha_E | 0 \rangle| = \gamma$, we obtain
$$I^{COW}_{E,BS}(\mu) = h[(1-\gamma)/2] . \tag{75}$$
The secret key rate is given by
$$K(\mu) = \tilde{\nu}_S \left(1 - e^{-\mu t\, t_B \eta}\right) \left[1 - I^{COW}_{E,BS}(\mu)\right] \tag{76}$$
where $\tilde{\nu}_S = \nu_S \frac{1-f}{2}$ because the fraction $f$ of decoy sequences
does not contribute to the raw key, and half of
the remaining pulses are empty.
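Eqs. (72)-(76) can be evaluated directly to compare DPS and COW under the beam-splitting attack and to see how the rate depends on the pulse intensity μ. The following is an added example, not code from the paper: the transmittance τ = t t_B η is passed in directly, the function names are hypothetical, and choosing μ by a grid scan is an assumption of this sketch.

```python
"""Key rates of DPS and COW under the collective beam-splitting attack,
Eqs. (72)-(76). tau stands for the total transmittance t * t_B * eta."""
from math import exp, log2


def h(p):
    """Binary entropy function."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1.0 - p) * log2(1.0 - p)


def eve_info_bsa(mu, tau, protocol):
    """Eve's information per detected bit, Eq. (73) for DPS, Eq. (75) for COW."""
    gamma = exp(-mu * (1.0 - tau))  # Eq. (72)
    if protocol == "DPS":
        return (2.0 * h((1.0 - gamma ** 2) / 2.0)
                - h((1.0 - gamma ** 4) / 2.0))
    if protocol == "COW":
        return h((1.0 - gamma) / 2.0)
    raise ValueError("protocol must be 'DPS' or 'COW'")


def key_rate_bsa(mu, tau, protocol, nu_s=1.0, f=0.0):
    """Eq. (74) for DPS, Eq. (76) for COW. nu_s is the source repetition rate;
    f is the COW decoy fraction (it does not enter the DPS formula)."""
    prefactor = nu_s if protocol == "DPS" else nu_s * (1.0 - f) / 2.0
    detection = 1.0 - exp(-mu * tau)
    return prefactor * detection * (1.0 - eve_info_bsa(mu, tau, protocol))


def optimise_mu(tau, protocol, nu_s=1.0, f=0.0, step=1e-3, mu_max=3.0):
    """Grid scan over mu; returns (best mu, best rate)."""
    best_mu, best_k = 0.0, 0.0
    for i in range(1, int(round(mu_max / step)) + 1):
        mu = i * step
        k = key_rate_bsa(mu, tau, protocol, nu_s, f)
        if k > best_k:
            best_mu, best_k = mu, k
    return best_mu, best_k


if __name__ == "__main__":
    # Constructed sample transmittances, not measured values.
    for tau in (1e-1, 1e-2, 1e-3):
        for protocol in ("DPS", "COW"):
            mu, k = optimise_mu(tau, protocol, f=0.1)
            print(f"tau={tau:g} {protocol}: mu_opt={mu:.3f} K/nu_S={k:.3e}")
```

Under this zero-error attack the optimal μ is nearly independent of τ, and the optimised rate falls linearly with the transmittance.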
2. More sophisticated attacks
For the purpose of comparison with other protocols
later in this review, it is useful to move away from the
strictly zero-error attacks. As mentioned above, several
examples of more sophisticated attacks have indeed been
found. Instead of looking for the exact optimum among
those attacks, we prefer to keep the discussion simple,
bearing in mind that all available bounds are to be re-
placed one day by unconditional security proofs.
We consider attacks in which Eve interacts coherently
with pairs of pulses (Branciard, Gisin and Scarani,
2008). Upper bounds have been provided in the limit
$\mu t \ll 1$ of not-too-short distances. Even within this
family, a simple formula is available only for COW. For
COW, there is no a priori relation between the error on
the key $\varepsilon$ and the visibility $V$ observed on the interferometer.
If $e^{-\mu} \leq \xi \equiv 2\sqrt{V(1-V)}$, one finds $I^{COW}_E(\mu) = 1$:
$\mu$ is too large and no security is possible. If on the contrary
$e^{-\mu} > \xi$, the best attack in the family yields
$$I^{COW}_E(\mu) = \varepsilon + (1-\varepsilon)\, h\!\left( \frac{1 + F_V(\mu)}{2} \right) \tag{77}$$
with $F_V(\mu) = (2V-1)e^{-\mu} - \xi\sqrt{1 - e^{-2\mu}}$. Therefore
$$K(\mu) = R \left[ 1 - I^{COW}_E(\mu) - \mathrm{leak}_{EC}(Q) \right] \tag{78}$$
where the value of $R$ is constrained by the definition of
the attack to be $\tilde{\nu}_S[\mu t\, t_B \eta + 2p_d]$.
As for DPS, numerical estimates show that its robustness
under the same family of attacks is very similar to
(slightly better than) that of COW. Therefore,
we shall use (78) as an estimate of the performances of
distributed-phase-reference protocols in the presence of
errors; again, for the sake of comparison with the other
protocols, we have adopted the uncalibrated-device scenario
here [64].
VII. COMPARISON OF EXPERIMENTAL PLATFORMS
A. Generalities
After having presented the various forms that practical QKD can take, it is legitimate to try to draw some comparison. With unlimited financial means and manpower, the best platform would obviously be the one that maximizes the secret key rate K for the desired distance. A choice in the real world will obviously put other parameters in the balance, like simplicity, stability, cost... Some partial comparisons are available in the literature; but, to our knowledge, this is the first systematic attempt at comparing all the most meaningful platforms of practical QKD. Of course, any attempt at putting all platforms on an equal footing contains elements of arbitrariness, which we shall discuss. Also, we are bound by the state of the art, concerning both the performance of the devices and the development of the security proofs, as largely discussed in the previous sections. We have chosen to compare the best available bounds, which however do not correspond to the same degree of security: for the implementations of the BB84 coding, we have bounds for unconditional security; for continuous variable systems, we have security against collective attacks; for the new protocols like COW and DPS, we have security only against specific families of attacks. Also, one must be reminded that all security proofs hold under some assumptions: these have been discussed in Sections IV, V and VI; it is crucial to check if they apply correctly to any given implementation.
64 For the family of attacks under study, the rate scales linearly
with the losses, therefore the difference between calibrated and
uncalibrated devices is only due to the dark counts. We have to
warn that the attacks based on unambiguous state discrimina-
tion, which have been studied explicitly for calibrated devices
(Branciard et al., 2007), are expected to become significantly
more critical in the uncalibrated-device scenario. However, this
more complex family of attacks can be further restricted by a
careful statistical analysis of the data: we can therefore leave it
out of our analysis, which is anyway very partial.
As stressed many times, the security of a given QKD realization must be assessed using measured values. Here, we have to present some a priori estimates: they necessarily involve choices, which have some degree of arbitrariness. The first step is to provide a model for the channel: the one that we give (VII.A.1) corresponds well to what is observed in all experiments and is therefore rather universally accepted as an a priori model. At the risk of being redundant, we stress that the actual realization of this specific channel is not a condition for security: Eve might realize a completely different channel, and the general formulas for security apply to any case (footnote 65). Once the model of the channel is accepted, one still has to choose the numerical values for all the parameters.
1. Model for the source and channel
We assume that the detection rates are those that are
expected in the absence of Eve, given the source and
the distance between Alice and Bob. As for the error
rates, we consider a depolarizing channel with visibility
V . For an a priori choice, the modeling of the channel
just sketched is rather universally accepted. In detail, it
gives the following:
Discrete-variable protocols, P&M. We consider implementations of the BB84 coding. The rate is estimated by $R = \tilde\nu_S[P + P_d]$ with $P = \sum_{n\ge 1} p_A(n)\,[1 - (1 - t\,t_B\eta)^n]$ and $P_d = 2p_d \sum_{n\ge 0} p_A(n)\,(1 - t\,t_B\eta)^n$. The error rate in the channel is $\varepsilon = (1 - V)/2$, so the expected error rate is $Q = [\varepsilon P + P_d/2]/(R/\tilde\nu_S)$. For weak coherent pulses without decoy states, $p_A(1) = e^{-\mu}\mu$, $p_A(n \ge 2) = 1 - e^{-\mu}(1 + \mu)$, and we optimize K, given by (31), over µ. For weak coherent pulses with decoy states, we consider an implementation in which one value of µ is used almost always, while sufficiently many others are used, so that all the parameters are exactly evaluated. The statistics of the source are as above; $Y_0$ is estimated by $\tilde\nu_S\,2p_d\,p_A(0)/R$, $Y_1$ by $\tilde\nu_S\,p_A(1)\,t\,t_B\eta/R$, and we optimize K given by (34) over µ. For perfect single-photon sources, $p_A(1) = 1$ and $p_A(n \ge 2) = 0$; we just compute (31), as there is nothing to optimize.
Discrete-variable protocols, EB. Again, we consider implementations of the BB84 coding. Since most of the experiments have been performed using cw-pumped sources, we shall restrict to this case (footnote 66). For such sources, the probability of having multiple pairs is ζ = 0 with good precision, therefore the bounds (42) and (43) for K are identical. K will be optimized over µ′, the mean pair-generation rate of the source. Note that $\nu_S^{cw}$ given by Eq. (20) depends on µ′; given this, one has $p_A(1) \approx 1$ and $p_A(2) \approx \mu'\Delta t$ if $\mu'\Delta t \ll 1$: indeed, neglecting dark counts, whenever any of Alice’s detectors fires there is at least one photon going to Bob; and the probability that another pair appears during the coincidence window ∆t is approximately $\mu'\Delta t$. The total expected error is $Q = [(\varepsilon + \varepsilon')P + P_d/2]/(R/\tilde\nu_S)$, where $\varepsilon = (1 - V)/2$ as above and $\varepsilon' \approx \mu'\Delta t/2$ is the error rate due to double-pair events.

Continuous-variable protocols. We consider the protocol that uses coherent states with Gaussian modulation, and compute the best available bound (69), which gives security against collective attacks. The reference beam is supposed to be so intense that there is always a signal arriving at the homodyne detection, so $R = \tilde\nu_S$. The error is modeled by (58). Now, just as for discrete variable protocols one can optimize K over the mean number of photons (or of pairs) µ for each distance, here one can optimize K over the variance v of the modulation. Note that this optimization outputs rather demanding values, so that only recently it has become possible to implement them in practice, thanks to the latest developments in error correction codes (Leverrier et al., 2008).

Distributed-phase-reference protocols. As mentioned, apart from the errorless case, a simple formula exists only for COW, which moreover is valid only at not too short distances. We use this bound to represent distributed-phase reference protocols in this comparison, keeping in mind that DPS performs slightly better, but that anyway only upper bounds are available. Specifically, we have $R \approx \tilde\nu_S[\mu t\,t_B\eta + 2p_d]$; we then optimize K(µ) given by (78) over µ, and keep the value only if $\mu_{opt}\,t \le 0.1$. The expected error rate is formally the same as for P&M BB84; recall however that here the bit-error ε is not related to the visibility of the channel and must be chosen independently.

65 The attacks we studied against DPS and COW, Section VI, do suppose a model of the channel. This is a signature of the incompleteness of such studies. Security can be guaranteed by adding that, if the channel deviates from the expected one, the protocol is aborted. A full assessment of the channel, of course, requires additional tests: the fact that data can be reproduced by a channel model does not imply that the channel model is correct (for instance, in weak coherent pulses implementations of BB84 without decoy states, the observed parameters are compatible both with a BS and a PNS attack).

66 Pulsed sources can be treated in a similar way. For short pulse schemes, one would have $p_A(1) \approx \mu$ and $p_A(2) \approx \frac{3}{4}\mu^2$ if µ ≪ 1; for long-pulse pumping, the statistics of pairs is approximately Poissonian: $p_A(1) \approx \mu$ and $p_A(2) \approx \mu^2/2$ if µ ≪ 1 and most of the multi-pair events are uncorrelated. In both cases, the intrinsic error rate due to double-pair events is ε′ ≈ µ/2 (Eisenberg et al., 2004; Scarani et al., 2005). Note that the parameter ζ may be different from 0 in the case of short pulse schemes.

2. Choice of the parameters
We shall use two sets of parameters (Table II): set #1 corresponds to today’s state-of-the-art, while set #2 reflects a more optimistic but not unrealistic development. Moreover, we make the following choices:
Platform     Parameter                                  Set #1    Set #2
-----------  -----------------------------------------  --------  --------
BB84, COW    µ          mean intensity                  (opt.)    (opt.)
             V          visibility: P&M                 0.99      0.99
             V          visibility: EB                  0.96      0.99
             tB         transmission in Bob’s device    1         1
             η          det. efficiency                 0.1       0.2
             pd         dark counts                     10^−5     10^−6
             ε (COW)    bit error                       0.03      0.01
             ζ (EB)     coherent 4 photons              0         0
             leak       EC code                         1.2       1
CV           v = vA + 1 variance                        (opt.)    (opt.)
             ε          optical noise                   0.005     0.001
             η          det. efficiency                 0.6       0.85
             vel        electronic noise                0.01      0
             β          EC code                         0.9       0.9

TABLE II Parameters used for the a priori plots in this Section. See main text for notations and comments. The caption (opt.) means that the parameter will be varied as a function of the distance in order to optimize K.
• Unless specified otherwise (see VII.B.2), the plots
use the formulas for the uncalibrated-device sce-
nario. The reason for this choice is the same as dis-
cussed in Sec. III.B.5: unconditional security has
been proved only in this over-pessimistic scenario.
• Since we are using formulas that are valid only in
the asymptotic regime of infinitely long keys, we re-
move the nuisance of sifting by allowing an asym-
metric choice of bases or of quadratures. Specif-
ically, this leads to ˜νS = νS for both BB84 and
continuous-variables. Similarly, for COW we can
set f = 0, whence ˜νS = νS/2.
• For definiteness, we consider fiber-based implemen-
tations; in particular, the relation between distance
and transmission will be (17) with α = 0.2dB/km;
and the parameters for photon counters are given at
telecom wavelengths (Table II). The reader must
keep in mind that in free space implementations,
where one can work with other frequencies, the
rates and the achievable distance may be larger.
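The channel model of VII.A.1 for P&M BB84 with weak coherent pulses, evaluated with the Table II values, as an added example (not code from the paper). It assumes a Poissonian photon-number distribution for p_A(n) and a fixed µ = 0.1 in place of the per-distance optimization; the function names and the 5% error level used in the demo are constructed for illustration.

```python
import math

# Table II values as printed on the page (P&M visibility, t_B = 1).
PARAMETER_SETS = {
    "set1": {"visibility": 0.99, "eta": 0.1, "p_dark": 1e-5, "t_bob": 1.0},
    "set2": {"visibility": 0.99, "eta": 0.2, "p_dark": 1e-6, "t_bob": 1.0},
}
ALPHA_DB_PER_KM = 0.2  # fibre attenuation chosen in the text


def transmission(distance_km, alpha=ALPHA_DB_PER_KM):
    """Channel transmittivity t = 10^(-alpha * l / 10)."""
    return 10.0 ** (-alpha * distance_km / 10.0)


def poisson(n, mu):
    """p_A(n) for a weak coherent pulse (assumption: Poissonian statistics)."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def bb84_wcp_rates(distance_km, mu, visibility, eta, p_dark, t_bob=1.0, n_max=30):
    """Return (R / nu_S, Q) from the sums given in the text, truncated at n_max."""
    x = transmission(distance_km) * t_bob * eta  # t * t_B * eta
    # P: at least one of the n photons in the pulse is detected
    p_click = sum(poisson(n, mu) * (1.0 - (1.0 - x) ** n) for n in range(1, n_max + 1))
    # P_d: no photon detected, one of the two detectors gives a dark count
    p_dc = 2.0 * p_dark * sum(poisson(n, mu) * (1.0 - x) ** n for n in range(n_max + 1))
    rate = p_click + p_dc
    eps = (1.0 - visibility) / 2.0
    # Dark counts are uncorrelated with the signal, so half of them are errors
    qber = (eps * p_click + p_dc / 2.0) / rate
    return rate, qber


def distance_where_qber_reaches(q_limit, mu, params, hi_km=1000.0, tol_km=1e-3):
    """Smallest distance at which Q >= q_limit (bisection; Q grows with distance).

    Returns None when the level is not reached within hi_km.
    """
    def q(d):
        return bb84_wcp_rates(d, mu, **params)[1]

    if q(0.0) >= q_limit:
        return 0.0
    if q(hi_km) < q_limit:
        return None
    lo, hi = 0.0, hi_km
    while hi - lo > tol_km:
        mid = (lo + hi) / 2.0
        if q(mid) >= q_limit:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    mu = 0.1  # constructed value, not optimized
    for name, params in PARAMETER_SETS.items():
        for d in (0, 50, 100, 150):
            rate, qber = bb84_wcp_rates(d, mu, **params)
            print(f"{name} {d:4d} km  R/nu_S = {rate:.3e}  Q = {qber:.4f}")
        reach = distance_where_qber_reaches(0.05, mu, params)
        print(f"{name}: Q reaches 5% at about {reach:.1f} km")
```

At short distance Q stays close to ε = (1 − V)/2; once the signal click probability falls to the order of p_d, Q climbs toward 1/2, which is why the lower dark-count figure of set #2 moves the crossover out by tens of kilometres.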
B. Comparisons based on K
1. All platforms on a plot
As a first case study, we compare all the platforms by
plotting K/νS as a function of the transmittivity t of
the channel. The result is shown in Fig. 4. As
promised, we have to stress the elements of arbitrariness
in this comparison (in addition to the choices discussed
above). First of all, we recall that the curves do not
correspond to the same degree of security (see VII.A).
Second, we have considered “steady-state” key rates, be-
cause we have neglected the time needed for the classical
post-processing; this supposes that the setup is stable
enough to run in that regime (and it is fair to say that
many of the existing platforms have not reached such a
stage of stability yet). Third, the real performance is of
course K: in particular, if some implementations have
bottlenecks at the level of νS (see III.A), the order of the
curves may change significantly.
[Figure 4, two panels: K/νS (logarithmic axis) versus t [dB], from 0 to 40 dB; curves labelled decoy, COW, WCP, EB, 1-ph and CV.]
FIG. 4 (Color online). K/νS as a function of the transmit-
tivity t, for all the platforms. Legend: 1-ph: perfect single-
photon source, unconditional; WCP: weak coherent pulses
without decoy states, unconditional; decoy: weak coherent
pulses with decoy states, unconditional; EB: entanglement-
based, unconditional; CV: continuous-variables with Gaus-
sian modulation, security against collective attacks; COW:
Coherent-One-Way, security against the restricted family of
attacks described in Sec. VI.B.2. Parameters from Table II:
set #1 upper graph, set #2 lower graph.
2. Upper bound incorporating the calibration of the devices
As a second case study, we show the difference between
the lower bounds derived in the uncalibrated-device sce-
nario, and some upper bounds that incorporate the cali-
bration of the devices.
We focus first on BB84 implemented with weak coher-
ent pulses; the upper bounds under study have been
derived in Sec. IV.C. The plots in Fig. 5 show how
much one can hope to improve the unconditional security
bounds from their present status. As expected, the plot
confirms that basically no improvement is expected for
implementations with decoy states, because there only
the treatment of dark counts is different; while the bound
for implementations without decoy states may still be the
object of significant improvement.
[Figure 5: K/νS (logarithmic axis) versus t [dB], from 0 to 30 dB; curves labelled WCP and decoy.]
FIG. 5 (Color online). K/νS as a function of the transmission
t for the P&M implementations of BB84 with weak coherent
pulses: comparison between the lower bound (solid lines, same
as in Fig. 4, upper graph) and the upper bound for calibrated
devices (dashed lines). Legend as in Fig. 4. Parameters from
Table II, set #1.
We turn now to CV QKD with Gaussian modulation.
Bounds for the security against collective attacks as-
suming calibrated devices are given in Eqs (5)-(12) of
(Lodewyck, Bloch et al., 2007). The plots are shown in
Fig. 6. One sees that the difference between the two
scenarios is significant for set #1 of parameters, but is
negligible for the more optimistic set #2. This is interest-
ing, given that the efficiency η of the detectors is “only”
85% in set #2.
[Figure 6: K/νS (logarithmic axis) versus t [dB], from 0 to 40 dB; curves labelled set #1 and set #2.]
FIG. 6 (Color online). K/νS as a function of the transmission t for CV QKD with Gaussian modulation, security against collective attacks, comparison between the lower bound (solid lines, same as in Fig. 4) and the upper bound for calibrated devices (dashed lines) for both sets of parameters from Table II. Compared to Fig. 4, the color of the lines of set #1 was changed for clarity.

C. Comparison based on the “cost of a linear network”
We consider a linear chain of QKD devices, aimed at achieving a secret key rate $K_{target}$ over a distance L. Many devices can be put in parallel, and trusted repeater stations are built at the connecting points. Each individual QKD device is characterized by the point-to-point rate K(ℓ) it can achieve as a function of the distance ℓ, and by its cost $C_1$. We need $N = \frac{L}{\ell}\,\frac{K_{target}}{K(\ell)}$ devices to achieve the goal, so the cost of the network is (footnote 67)

$$C_{tot}[\ell] = C_1\,\frac{L}{\ell}\,\frac{K_{target}}{K(\ell)} . \qquad (79)$$
The best platform is the one that minimizes this cost,
i.e., the one that maximizes F(ℓ) = ℓK(ℓ). This quantity,
normalized to νS, is plotted in Fig. 7 as a function of the
distance for both sets of parameters defined in Table II.
Of course, this comparison presents the same elements of
arbitrariness as the previous one.
The optimal distances are quite short, and this can be understood from a simple analytical argument. Indeed, typical behaviors are $K(\ell) \propto t$ (single-photon sources, attenuated lasers with decoy states, strong reference pulses) and $K(\ell) \propto t^2$ (weak coherent pulses without decoy states). Using $t = 10^{-\alpha\ell/10}$, it is easy to find $\ell_{opt}$ which maximizes F(ℓ):

$$K(\ell) \propto t^k \;\longrightarrow\; \ell_{opt} = 10/(k\alpha \ln 10) . \qquad (80)$$

In particular, for α ≈ 0.2 dB/km, one has $\ell_{opt}$ ≈ 20 km for k = 1 and $\ell_{opt}$ ≈ 10 km for k = 2.
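Eqs. (79) and (80) checked numerically, as an added example that is not part of the paper: F(ℓ) = ℓK(ℓ) is maximized by golden-section search and compared with the closed form, and the network cost is evaluated for different segment lengths. The prefactor k0, the function names and the sample values of L and K_target are assumptions made for the illustration.

```python
import math

ALPHA_DB_PER_KM = 0.2  # fibre attenuation used in the text


def transmission(length_km, alpha=ALPHA_DB_PER_KM):
    """t = 10^(-alpha * l / 10)."""
    return 10.0 ** (-alpha * length_km / 10.0)


def key_rate(length_km, k, k0=1.0, alpha=ALPHA_DB_PER_KM):
    """Toy scaling K(l) = k0 * t^k; k0 is a hypothetical zero-distance rate."""
    return k0 * transmission(length_km, alpha) ** k


def figure_of_merit(length_km, k, alpha=ALPHA_DB_PER_KM):
    """F(l) = l * K(l), the quantity the best platform maximizes."""
    return length_km * key_rate(length_km, k, alpha=alpha)


def closed_form_l_opt(k, alpha=ALPHA_DB_PER_KM):
    """Eq. (80): l_opt = 10 / (k * alpha * ln 10)."""
    return 10.0 / (k * alpha * math.log(10.0))


def numeric_l_opt(k, alpha=ALPHA_DB_PER_KM, lo=0.01, hi=500.0, tol=1e-7):
    """Golden-section search for the maximum of F(l), which is unimodal."""
    inv_phi = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = lo, hi
    c = b - inv_phi * (b - a)
    d = a + inv_phi * (b - a)
    while b - a > tol:
        if figure_of_merit(c, k, alpha) > figure_of_merit(d, k, alpha):
            b, d = d, c  # maximum lies in [a, d]
            c = b - inv_phi * (b - a)
        else:
            a, c = c, d  # maximum lies in [c, b]
            d = a + inv_phi * (b - a)
    return (a + b) / 2.0


def network_cost(total_km, k_target, segment_km, k, c1=1.0, k0=1.0,
                 alpha=ALPHA_DB_PER_KM):
    """Eq. (79): C_tot = C1 * (L / l) * (K_target / K(l)), repeater cost neglected."""
    n_devices = (total_km / segment_km) * (k_target / key_rate(segment_km, k, k0, alpha))
    return c1 * n_devices


if __name__ == "__main__":
    total_km, k_target = 1000.0, 0.01  # constructed sample values (K in units of k0)
    for k in (1, 2):
        best = closed_form_l_opt(k)
        print(f"k = {k}: closed form {best:.2f} km, numeric {numeric_l_opt(k):.2f} km")
        for seg in (5.0, best, 50.0, 100.0):
            cost = network_cost(total_km, k_target, seg, k)
            print(f"   segment {seg:6.2f} km -> C_tot / C1 = {cost:10.3f}")
```

At the optimum the per-segment transmittivity satisfies t^k = 1/e, so each link runs far below the maximal reach of the device; stretching the segments to 100 km for k = 1 costs about eight times more devices than the optimal spacing.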
In conclusion, our toy model suggests that, in a network environment, one might not be interested in pushing the maximal distance of the devices; in particular, detector saturation (which we neglected in the plots above) may become the dominant problem instead of dark counts.

67 In this first toy model, we neglect the cost of the trusted repeater stations; see (Alléaume et al., 2008) for a more elaborated model.
[Figure 7, two panels: F/νS (logarithmic axis) versus distance [km], from 0 to 200 km; curves labelled EB, COW, WCP, CV, 1-ph and decoy.]
FIG. 7 (Color online). F/νS as a function of the distance ℓ
for all the platforms. Legend as in Fig. 4. Parameters from
Table II: set #1 upper graph, set #2 lower graph.
VIII. PERSPECTIVES
A. Perspectives within QKD
1. Finite-key analysis
As stressed, all the security bounds presented in this review are valid only in the asymptotic limit of infinitely long keys. Proofs of security for finite-length keys are obviously a crucial tool for practical QKD. The estimate of finite-key effects, unfortunately, has received very limited attention so far. The pioneering works (Inamori, Lütkenhaus and Mayers, 2001-2007; Mayers, 1996), as well as some subsequent ones (Hayashi, 2006; Watanabe et al., 2004), have used non-composable definitions of security (see II.C.2). This is a problem because the security of a finite key is never perfect, so one needs to know how it composes with other tasks. Others studied a new formalism but failed to prove unconditional security (Meyer et al., 2006). The most recent works comply with the requirements (Hayashi, 2007a; Scarani and Renner, 2008); finite statistics have been incorporated in the analysis of an experiment (Hasegawa et al., 2007). Without going into details, all these works estimate that no key can be extracted if fewer than $N \approx 10^5$ signals are exchanged.
2. Open issues in unconditional security
We have said above that, for CV QKD and distributed-
phase reference protocols, no unconditional security
proof is available yet. However, there is an important
difference between these cases. In the existing CV QKD
protocols, the information is coded in independent sig-
nals; as such, it is believed that unconditional security
proofs can be built as generalizations of the existing ones
(see also Note added in proof below). On the contrary,
the impossibility of identifying signals with qubits in
distributed-phase reference protocols will require a com-
pletely different approach, which nobody has been able
to devise at the moment of writing.
As explained in Sec. III.B.5, all unconditional security proofs have been derived under the over-conservative assumption of uncalibrated devices. Ideally, such an assumption should be removed: one should work out unconditional security proofs taking into account the knowledge about the detectors; this would lead to better rates. A possible solution consists in including the calibration of the devices in the protocol itself; the price to pay seems to be a complication of the setup (Qi et al., 2007). The idea is somehow similar to the one used in decoy states.

We also discussed how calibrated-device proofs may ultimately provide significant improvement only for some protocols (see VII.B.2). The difference between protocols can be understood from the fact that typically $K \sim t^{\alpha}$ where t is the transmittance and α ≥ 1. When α = 1, then the only advantage of calibrating the devices can come from the dark count contribution. If on the contrary α > 1 (weak coherent pulses without decoy states: α = 2 for BB84, α = 3/2 for SARG04), then the difference is much larger, because it matters whether $t_B\eta$ is included in the losses or not. The urgency of this rather ungrateful (footnote 68) task is therefore relative to the choice of a protocol.

68 Here is an example of the complications that might appear. When taking the calibration into account, it is often assumed that the dark counts do not enter in Eve’s information. Actually, things are more subtle. On the one hand, most of the dark counts will actually decrease Eve’s information, because she does not know if a detection is due to the physical signal (on which she has gained some information) or is a completely random event. On the other hand, if a detection happens shortly after a previous one, Eve may guess that the second event is in fact a dark count triggered by an afterpulse, and therefore learn some correlations between the two results. Admittedly, these are fine-tuning corrections, and have never been fully discussed in the literature; but if one wants to prove unconditional security, also these marginal issues must be properly addressed.

3. Black-box security proofs
The development of commercial QKD systems makes it natural to ask whether the “quantumness” of such devices can be proved in a black-box approach. Of course, the compulsory requirements (II.C.1) must hold. For instance, the random number generator cannot be within the black box, because it must be trusted; one must also make sure that no output port is diffusing the keys on the internet; and so on. Remarkably though, all the quantum part can in principle be kept in a black-box. The idea is basically the one that triggered Ekert’s discovery (Ekert, 1991), although Ekert himself did not push it that far: the fact that Alice and Bob observe correlations that violate a Bell inequality is enough to guarantee entanglement, independent of the nature of the quantum signals and even of the measurements that are performed on them. This has been called “device-independent security”; a quantitative bound was computed for collective attacks on a modification of Ekert’s protocol, while the goal of proving unconditional security is still unattained (Acín et al., 2007). Device-independent security can be proved only for entanglement-based schemes: for this definition of security, the equivalence EB-P&M presented in Sec. II.B.2 does not hold. As long as the detection loophole is open, these security proofs cannot be applied to any system; but by re-introducing some knowledge of the devices, they might provide a good tool for disposing of all quantum side-channels (III.B.4).

4. Toward longer distances: satellites and repeaters
The attempt at achieving efficient QKD over long distances is triggering the most ambitious experimental developments. Basically two solutions are being envisaged. The first is to use the techniques of free space quantum communication to realize ground-to-satellite links (Aspelmeyer et al., 2003; Buttler et al., 1998; Rarity et al., 2002). The main challenges are technical: to adapt the existing optical tracking techniques to the needs of quantum communication, and to build devices that can operate in a satellite without need of maintenance.

The second solution is quantum repeaters (Briegel et al., 1998; Dür et al., 1999). The basic idea is the following: the link A-B is cut in segments A-C1, C1-C2, ..., Cn-B. On each segment independently, the two partners exchange pairs of entangled photons, which may of course be lost; but whenever both partners receive the photon, they store it in a quantum memory. As soon as there is an entangled pair on each link, the intermediate stations perform a Bell measurement, thus ultimately swapping all the entanglement into A-B. Actually, variations of this basic scheme may be more practical (Duan et al., 2001). Whatever the exact implementation, the advantage is clear: one does not have to ensure that all the links are active simultaneously; but the advantage can only be achieved if quantum memories are available. The experimental research in quantum memories has accelerated over the last years, but the applications in practical QKD are still far away because the requirements are challenging (see Appendix B).
Teleportation-based links have also been studied in the absence of quantum memories (quantum relays). They are rather inefficient, but make it possible to reduce the nuisance of the dark counts and therefore increase the limiting distance (Collins, Gisin and de Riedmatten, 2005; Jacobs, Pittman and Franson, 2002); however, it seems simpler and more cost-effective to solve the same problem by using cryogenic detectors (see II.G).
5. QKD in networks
QKD is a point-to-point link between two users. But only a tiny fraction of all communication is done in dedicated point-to-point links; most communication takes place in networks, where many users are interconnected. Note that one-to-many connectivity between QKD devices can be obtained with optical switching (Elliott, 2002; Elliott et al., 2005; Townsend et al., 1994).

In all models of QKD networks, the nodes are operated by authorized partners, while Eve can eavesdrop on all the links. If the network is built with quantum repeaters or quantum relays, no secret information is available to the nodes: indeed, the role of these nodes is to perform entanglement swapping, so that Alice and Bob end up with a maximally entangled (therefore fully private) state. Since quantum repeaters are still a challenge, trusted-relay QKD networks have been considered. In this case, the nodes learn secret information during the protocol. In the simplest model, a QKD key is created between two consecutive nodes and a message is encrypted and decrypted hop-by-hop. This model has been adopted by BBN Technologies and by the SECOQC QKD networks (Alléaume et al., 2007; Dianati and Alléaume, 2006; Dianati et al., 2008; Elliott, 2002; Elliott et al., 2005). Alternatively, the trusted relays can perform an intercept-resend chain at the level of the quantum signal (Bechmann-Pasquinucci and Pasquinucci, 2005).
B. QKD versus other solutions
Information-theoretically (unconditionally) secure key distribution (key agreement) is a cryptographic task that, as is well known, cannot be solved by public communication alone, i.e. without employing additional resources or relying on additional assumptions. Besides QKD, the additional resource in this case being the quantum channel, a number of alternative schemes to this end have been put forward (Ahlswede and Csiszár, 1993; Csiszár and Körner, 1978; Maurer, 1993; Wyner, 1975), to which one can also count the traditional trusted courier approach (Alléaume et al., 2007). While the latter is still used in certain high security environments, QKD is the sole automatic, practically feasible and efficient information-theoretically secure key agreement technology, whereby in the point-to-point setting, limitations of distance and related key rate apply. These limitations can be lifted by using QKD networks, see VIII.A.
With this in mind, we address below typical secure communication solutions in order to relate this subsequently to the assets offered by QKD. Secure communication in general requires encrypted (and authentic) transmission of communication data. In current standard cryptographic practice both the encryption schemes and the key agreement protocols used (whenever needed) are not unconditionally secure. While there is really a very broad range of possible alternatives and combinations, the most typical pattern for confidential communication is the following: public key exchange protocols are used to ensure agreement of two identical keys; the encryption itself is done using symmetric-key algorithms. In particular, most often some realization of the Diffie-Hellman algorithm (Diffie and Hellman, 1976) is used in the key agreement phase. The symmetric-encryption algorithms most widely used today belong to the block-cipher class and are typically 3DES (Coppersmith et al., 1996) or AES (Daemen and Rijmen, 2001).
The security of the Diffie-Hellman algorithm is based
on the assumption that the so called Diffie-Hellman prob-
lem is hard to solve, the complexity of this problem being
ultimately related to the hardness of the discrete loga-
rithm problem (see (Maurer and Wolf, 1999, 2000) for
a detailed discussion). It is widely believed, although
it was never proven, that the discrete logarithm prob-
lem is classically hard to solve. This is not true in the
quantum case, since a quantum computer, if available,
can execute a corresponding efficient algorithm by Pe-
ter Shor (Shor, 1994, 1997), which is based on the same
fundamental approach as is the Shor factoring algorithm,
already mentioned in Sec. I.A.
It should be further noted that, similar to QKD,
the Diffie-Hellman protocol can trivially be broken, if
the authenticity of the communication channel is not
ensured. There are many means to guarantee commu-
nication authenticity with different degrees of security
but in any case additional resources are needed. In cur-
rent common practice public key infrastructures are em-
ployed, which in turn rely on public-key cryptographic
primitives (digital signatures), i.e. rely on similar as-
sumptions as for the Diffie-Hellman protocol itself, and
on trust in external certifying entities.
Turning now to encryption it should be underlined that the security of a block-cipher algorithm is based on the assumption that it has no structural weaknesses, i.e. that only a brute force attack amounting to a thorough search of the key space (utilizing pairs of cipher texts and corresponding known or even chosen plain texts) can actually reveal the secret key. The cost of such an attack on a classical computer is O(N) operations, where N is the dimension of the key space. The speed-up of a quantum computer in this case is moderate, the total number of operations to be performed being $O(\sqrt{N})$ (Grover, 1996, 1997). The assumption on the lack of structural weaknesses itself is not related to any particular class of mathematical problems and in the end relies merely on the fact that such a weakness is not (yet) known. Cryptographic practice suggests that for a block-cipher algorithm such weaknesses are in fact discovered at the latest a few decades after its introduction (footnote 69).
Before turning to a direct comparison of the described
class of secure communication schemes with QKD-based
solutions, it should be explained why public-key based
generation combined with symmetric-key encryption is
actually the most proliferated solution. The reason is
that currently AES or 3DES encryption, in contrast to
direct public-key (asymmetric) encryption, can ensure a
high encryption speed and appears optimal in this re-
spect. Typically high speed is achieved by designing ded-
icated hardware devices, which can perform encryption
at very high rate and ensure a secure throughput of up
to 10Gb per second. Such devices are offered by an in-
creasing number of producers (see e.g. ATMedia GmbH,
www.atmedia.de) and it is beyond the scope of the cur-
rent article to address these in any detail. We would like
however to underline an important side-aspect. In gen-
eral, security of encryption in the described scenario is
increased by changing the key often, the rate of change
being proportional to the dimension of the key space. In
practice, however, even in the high speed case, the key
is changed at a rate lower than once per minute (often
once per day or even more seldom). The reason for this
is twofold: on the one hand public key agreement algo-
rithms are generally slow and on the other, and more
importantly, current design of the mentioned dedicated
encryption devices is not compatible with a rapid key
change.
The question now is how QKD compares with the standard practice as outlined above. It is often argued that QKD is too slow for practical uses and that the limited distance due to the losses is a limitation to the system as such. In order to allow for a correct comparison one has to define the relevant secure communication scenarios. There are two basic possibilities: (i) QKD is used in conjunction with One-Time Pad, (ii) QKD is used together with some high speed encryptor (we note in passing that the second scenario appears to be a main target for the few QKD producers).

69 Vincent Rijmen, private communication.
The rate as a function of distance has been discussed in
detail in the preceding sections. Here we shall consider an
average modern QKD device operating in the range of 1
to 10kbps over 25 km; the maximal distance of operation
at above 100 bps being around 100 km.
Case (i) obviously offers information-theoretic security of communication if the classical channel, both in the key generation and the encryption phase, is additionally authenticated with the same degree of security. As the overhead to this end is negligible, the QKD generation rates as presented above are also the rates for secure communication. Obviously this is not sufficient for broad-band data transmission but quite adequate for communicating very highly sensitive data. Another advantage of this combination is the fact that keys can be stored for later use.
The security of the case (ii) is equivalent to the security
of the high speed encryption, which we addressed above,
while all threats related to the key generation phase are
eliminated. At 25 km the QKD speed would allow key
refreshment (e.g. in the case of AES with 256 bit key
length) of several times per second. This is remarkable
for two reasons: first, this is on or rather beyond the
key-exchange capacity of current high speed encryptors;
second, it compares also to the performances of high level
classical link encryptors, which refresh AES keys a few
times per second using Diffie-Hellman elliptic curve cryp-
tography for key generation.
So in the second scenario QKD outperforms the standard solution at 25 km distance both in terms of speed and security.
Regarding the distance, an interesting point is that classical high-end encryptors use direct dark fibers, not for reasons related to security but for achieving maximal speed, which also gives them a limitation in distance. However, classical key generation performed in software is naturally not bounded by the distance. In this sense standard public-key based key agreement appears superior. This is however a QKD limitation which is typical for the point-to-point regime. As mentioned above, it is lifted in QKD networks.
Note added in proof
While this paper was being finalized, three groups have
independently claimed to have solved one of the pend-
ing issues toward unconditional security proofs of CV
QKD (see Sec. V.A): namely, the fact that the security
bound for collective and for general attacks should coin-
cide asymptotically. On the one hand, a new exponential
de Finetti theorem has been presented, which would ap-
ply to infinite-dimensional systems under some assump-
tions that are fulfilled in CV QKD (Renner and Cirac,
2009; ?). A different argument reaches the same con-
clusion without any need for a de Finetti-type theorem
altogether (Leverrier, Karpov, Grangier and Cerf, 2008).
Acknowledgements
This paper has been written within the European Project SECOQC. The following members of the QIT sub-project have significantly contributed to the report that formed the starting point of the present review: Stefano Bettelli, Kamil Brádler, Cyril Branciard, Nicolas Gisin, Matthias Heid, Louis Salvail.
During the preparation of this review, we had further fruitful exchanges with the above-mentioned colleagues, as well as with: Romain Alléaume, Lucie Bartůšková, Alexios Beveratos, Hugues De Riedmatten, Eleni Diamanti, Artur Ekert, Philippe Grangier, Frédéric Grosshans, Hannes Huebel, Michal Horodecki, Masato Koashi, Christian Kurtsiefer, Antia Lamas-Linares, Anthony Leverrier, Hoi-Kwong Lo, Chiara Macchiavello, Michele Mosca, Miguel Navascués, Andrea Pasquinucci, Renato Renner, Andrew Shields, Christoph Simon, Kiyoshi Tamaki, Akihisa Tomita, Yasuhiro Tokura, Zhiliang Yuan, Hugo Zbinden.
APPENDIX A: Unconditional security bounds for BB84
and six-states, single-qubit signals
In this Appendix, we present a derivation of the unconditional security bounds for the BB84 (Shor and Preskill, 2000) and the six-state protocol (Lo, 2001) for the case where each quantum signal is a single qubit, or more generally when the quantum channel is a qubit channel followed by a qubit detection [70].
As usual, the proof is done in the EB scheme, the application to the P&M case following immediately as discussed in Sec. II.B.2. Alice produces the state $|\Phi^+\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle + |11\rangle\right)$, she keeps the first qubit and sends the other one to Bob. This state is such that $\langle\sigma_z \otimes \sigma_z\rangle = \langle\sigma_x \otimes \sigma_x\rangle = +1$ (perfectly correlated outcomes) and $\langle\sigma_y \otimes \sigma_y\rangle = -1$ (perfectly anti-correlated outcomes); to have perfect correlation in all three bases, Bob flips his result when he measures $\sigma_y$. We suppose an asymmetric implementation of the protocols: the key is extracted only from the measurements in the Z basis, which is used almost always; the other measurements are used to estimate Eve’s knowledge on the Z basis, and will be used on a negligible sample (recall that we work in the asymptotic regime of infinitely long keys).
[70] For real optical channels, we assume therefore the tagging method for real sources and the squashing model for the detection, see IV.A.2.
Now we follow the techniques of (Kraus, Gisin and Renner, 2005; Renner, Gisin and Kraus, 2005). Without loss of generality, the symmetries of the BB84 and the six-state protocols [71] imply that one can compute the bound by restricting to collective attacks, and even further, to those collective attacks such that the final state of Alice and Bob is Bell-diagonal:
$$\rho_{AB} = \lambda_1 |\Phi^+\rangle\langle\Phi^+| + \lambda_2 |\Phi^-\rangle\langle\Phi^-| + \lambda_3 |\Psi^+\rangle\langle\Psi^+| + \lambda_4 |\Psi^-\rangle\langle\Psi^-| \qquad \text{(A1)}$$
with $\sum_i \lambda_i = 1$. Since $|\Phi^\pm\rangle$ give perfect correlations in the Z basis, while $|\Psi^\pm\rangle$ give perfect anti-correlations, the QBER $\varepsilon_z$ is given by
$$\varepsilon_z = \lambda_3 + \lambda_4 . \qquad \text{(A2)}$$
The error rates in the other bases are
$$\varepsilon_x = \lambda_2 + \lambda_4 , \qquad \varepsilon_y = \lambda_2 + \lambda_3 . \qquad \text{(A3)}$$
Eve’s information is given by the Holevo bound (24) $I_E = S(\rho_E) - \frac{1}{2} S(\rho_{E|0}) - \frac{1}{2} S(\rho_{E|1})$ since both values of the bit are equiprobable in this attack. Since Eve has a purification of $\rho_{AB}$, $S(\rho_E) = S(\rho_{AB}) = H(\{\lambda_1, \lambda_2, \lambda_3, \lambda_4\}) \equiv H(\lambda)$ where H is Shannon entropy. The computation of $\rho_{E|b}$ is made in two steps. First, one writes down explicitly the purification [72] $|\Psi\rangle_{ABE} = \sum_i \sqrt{\lambda_i}\, |\Phi_i\rangle_{AB} |e_i\rangle_E$, where we used an obvious change of notation for the Bell states, and where $\langle e_i|e_j\rangle = \delta_{ij}$. Then, one traces out Bob and projects Alice on $|+z\rangle$ for b = 0, on $|-z\rangle$ for b = 1. All calculations done, the result is $S(\rho_{E|0}) = S(\rho_{E|1}) = h(\varepsilon_z)$. So we have obtained
$$I_E(\lambda) = H(\lambda) - h(\varepsilon_z) . \qquad \text{(A4)}$$
Now we have to particularize to the two protocols under study.
Let’s start with the six-state protocol. In this case, both $\varepsilon_x$ and $\varepsilon_y$ are measured, so all the four λ’s are directly determined. After easy algebra, one finds
$$I_E(\varepsilon) = \varepsilon_z\, h\!\left[\frac{1 + (\varepsilon_x - \varepsilon_y)/\varepsilon_z}{2}\right] + (1 - \varepsilon_z)\, h\!\left[\frac{1 - (\varepsilon_x + \varepsilon_y + \varepsilon_z)/2}{1 - \varepsilon_z}\right] . \qquad \text{(A5)}$$
Under the usual assumption of a depolarizing channel, $\varepsilon_x = \varepsilon_y = \varepsilon_z = Q$, this becomes
$$I_E(Q) = Q + (1 - Q)\, h\!\left[\frac{1 - 3Q/2}{1 - Q}\right] . \qquad \text{(A6)}$$
The corresponding secret fraction (one-way post-processing, no pre-processing and perfect error correction) is $r = 1 - h(Q) - I_E(Q)$, which goes to 0 for Q ≈ 12.61%.
[71] Actually, a lower bound can be computed in the same way for a very general class of protocols; but it may not be tight, as explicitly found in the case of SARG04 (Branciard et al., 2005; Kraus, Branciard and Renner, 2007).
[72] All purifications are equivalent under a local unitary operation on Eve’s system, so Eve’s information does not change with the choice of the purification.
The calculation is slightly more complicated for BB84, because there only $\varepsilon_x$ is measured; therefore, there is still a free parameter, which must be chosen so as to maximize Eve’s information. The simplest way of performing this calculation consists in writing $\lambda_1 = (1 - \varepsilon_z)(1 - u)$, $\lambda_2 = (1 - \varepsilon_z)u$, $\lambda_3 = \varepsilon_z(1 - v)$, $\lambda_4 = \varepsilon_z v$, where $u, v \in [0, 1]$ are subject to the additional constraint
$$(1 - \varepsilon_z)u + \varepsilon_z v = \varepsilon_x . \qquad \text{(A7)}$$
Under this parametrization, $H(\lambda) = h(\varepsilon_z) + (1 - \varepsilon_z)h(u) + \varepsilon_z h(v)$ and consequently
$$I_E(\lambda) = (1 - \varepsilon_z)h(u) + \varepsilon_z h(v) \qquad \text{(A8)}$$
to be maximized under the constraint (A7). This can be done easily by inserting v = v(u) and taking the derivative with respect to u. The result is that the optimal choice is $u = v = \varepsilon_x$ so that
$$I_E(\varepsilon) = h(\varepsilon_x) . \qquad \text{(A9)}$$
The usual case is $\varepsilon_x = \varepsilon_z = Q$, which however here does not correspond to the depolarizing channel: the relations above imply $\varepsilon_y = 2Q(1 - Q)$, which corresponds to the application of the so-called “phase-covariant cloning machine” (Bruß et al., 2000; Griffiths and Niu, 1997). The corresponding secret fraction (again for one-way post-processing, no pre-processing and perfect error correction) is $r = 1 - h(Q) - I_E(Q)$, which goes to 0 for Q ≈ 11%.
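The following Python example is added here and is not code from the paper. It evaluates the Appendix A bounds numerically: it recovers the Bell-diagonal weights from measured error rates, computes Eve's information from (A4), maximizes (A8) under the constraint (A7) for BB84, and bisects r(Q) = 0 to locate the QBER at which the secret fraction vanishes. Function names, the ternary search and the bisection bracket are choices made for this illustration.

```python
import math

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def shannon(probs):
    """Shannon entropy H({p_i}) in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)

def lambdas_from_error_rates(ex, ey, ez):
    """Invert (A2)-(A3) plus normalization: three error rates fix all lambdas."""
    l2 = (ex + ey - ez) / 2
    l3 = (ey + ez - ex) / 2
    l4 = (ex + ez - ey) / 2
    lam = (1 - l2 - l3 - l4, l2, l3, l4)
    if min(lam) < -1e-12:
        raise ValueError("error rates incompatible with a Bell-diagonal state")
    return lam

def eve_info(lam):
    """Eq. (A4): I_E = H(lambda) - h(eps_z), with eps_z = lambda_3 + lambda_4."""
    return shannon(lam) - h(lam[2] + lam[3])

def eve_info_six_state_closed_form(ex, ey, ez):
    """Eq. (A5), valid for 0 < eps_z < 1."""
    return (ez * h((1 + (ex - ey) / ez) / 2)
            + (1 - ez) * h((1 - (ex + ey + ez) / 2) / (1 - ez)))

def bb84_worst_case(ex, ez, iterations=200):
    """Maximize (A8) over u with v fixed by (A7); returns (I_E, lambdas).

    (A8) is concave in u once v = v(u) is inserted, so a ternary search
    over the interval where both u and v lie in [0, 1] finds the maximum.
    """
    if not 0.0 < ez < 1.0:
        raise ValueError("this illustration needs 0 < eps_z < 1")

    def v_of(u):
        return (ex - (1 - ez) * u) / ez

    def info(u):
        return (1 - ez) * h(u) + ez * h(v_of(u))

    lo = max(0.0, (ex - ez) / (1 - ez))   # keeps v <= 1
    hi = min(1.0, ex / (1 - ez))          # keeps v >= 0
    for _ in range(iterations):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if info(m1) < info(m2):
            lo = m1
        else:
            hi = m2
    u = (lo + hi) / 2
    v = v_of(u)
    lam = ((1 - ez) * (1 - u), (1 - ez) * u, ez * (1 - v), ez * v)
    return info(u), lam

def secret_fraction(protocol, q):
    """r = 1 - h(Q) - I_E(Q) with all measured error rates equal to Q."""
    if protocol == "six-state":
        i_e = eve_info(lambdas_from_error_rates(q, q, q))
    elif protocol == "bb84":
        i_e, _ = bb84_worst_case(q, q)
    else:
        raise ValueError("protocol must be 'bb84' or 'six-state'")
    return 1 - h(q) - i_e

def threshold_qber(protocol, lo=1e-6, hi=0.2, tol=1e-9):
    """Bisection for r(Q) = 0; r is positive at lo and negative at hi."""
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if secret_fraction(protocol, mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    for name in ("bb84", "six-state"):
        print(f"{name}: r(Q) vanishes at Q = {threshold_qber(name):.4%}")
    i_e, lam = bb84_worst_case(0.05, 0.05)
    print("BB84, Q = 5%: I_E =", round(i_e, 6), " implied eps_y =", round(lam[1] + lam[2], 6))
```

For BB84 the optimizer's weights can be inspected to confirm that the worst case has ε_y = 2Q(1 − Q) rather than the depolarizing value ε_y = Q.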
APPENDIX B: Elementary estimates for quantum
repeaters
1. Quantum memories
A quantum memory is a device that can store an
incoming quantum state (typically, of light) and re-
emit it on demand without loss of coherence. A
full review of the research in quantum memories is
clearly beyond our scope. Experiments are being pur-
sued using several techniques, like atomic ensembles
(Chou et al., 2007; Julsgaard et al., 2004), NV centers
(Childress et al., 2006), doped crystals (Alexander et al.,
2006; Staudt et al., 2007).
Two characteristics of quantum memories are especially relevant for quantum repeaters. A memory is called multimode if it can store several light modes and one can select which mode to re-emit; multimode memories are being realized (Simon et al., 2007). A memory is called heralded if its status (loaded or not loaded) can be learned without perturbation; there is no proposal to date on how to realize such a memory, and repeater schemes have been found that work without heralded memories (Duan et al., 2001).
FIG. 8 Three configurations for quantum repeaters: direct link, two-link repeater and four-link repeater.
2. Model of quantum repeater
Here we present a rapid comparison of the direct link
with the two-link repeater and discuss the advantages and
problems that arise in more complex repeaters. We con-
sider the architecture sketched in Fig. 8, corresponding
to the original idea (Briegel et al., 1998).
a. Definition of the model
Our elementary model is described as follows:
• Source: perfect two-photon source with repetition rate $\nu_S$;
• Quantum channel: the total distance between Alice and Bob is ℓ. The channel is noiseless; its losses are characterized by α, and we denote by $t = 10^{-\alpha\ell/10}$ the total transmittivity.
• Detectors of Alice and Bob: efficiency η; neglected dark counts, dead-time and other nuisances.
• Quantum memories: multimode memories that can store N modes. We write $p_M$ the probability that a photon is absorbed, then re-emitted on demand (contains all the losses due to coupling with other elements). The memory has a typical time $T_M$, that we shall consider as a life-time [73].
• Bell measurement: linear optics, i.e. probability of success 1/2. Fidelity F, depolarized noise (i.e. a detection comes from the desired Bell state with probability F, from any of the others with equal probability (1 − F)/3). The detectors have efficiency $\eta_M$ and no dark counts.
b. Detection rates
For the direct link, the key rate is just the detection rate in our simplified model:
$$K_1 = R_1 = \nu_S\, t\, \eta^2 . \qquad \text{(B1)}$$
In the two-link repeater, the central station (Christoph) holds the two sources and the memories. Consider one of the links, say with Alice. The source produces groups of N pairs, each pair in a different mode; one photon per pair is kept in the memory, the other is sent to Alice. Alice announces whether she has detected at least one photon: if she has, Christoph notes which one; if she has not, Christoph releases the memory and starts the protocol again. The same is happening on the other link, the one with Bob, independently. As soon as both partners have announced a detection, Christoph releases the corresponding photons, performs the Bell measurement and communicates the result to Alice and Bob, who post-select their results accordingly [74]. Note that the memories need not be heralded in this scheme.
Here is the quantitative analysis of the two-link repeater. Any elementary run takes the time for the photon to go from the source to the detector, then for the communication to reach back Christoph, i.e. ℓ/c. In each run, the probability of a detection is $1 - (1 - \sqrt{t}\,\eta)^N \approx N\sqrt{t}\,\eta$. Then, on average, the Bell measurement will be performed after a time [75] $\tau \approx \frac{3}{2}\,\frac{\ell/c}{N\sqrt{t}\,\eta}$. Consequently,
$$R_2 = \begin{cases} \tau^{-1}\, \frac{1}{2}\, p_M^2\, \eta_M^2 & \text{if } \tau < T_M \\ 0 & \text{otherwise} \end{cases} \qquad \text{(B2)}$$
where we have supposed that the memory time $T_M$ defines a sharp cut, which is another simplification. This is the expected result: $R_2$ scales with $\sqrt{t}\,\eta$ and not with $t\eta^2$, because each link can be activated independently. Finally, in our model, the error rate is uncorrelated with the other parameters and only due to the fidelity of the Bell measurement; so
$$K_2 = R_2\, [1 - 2h(\varepsilon)] \qquad \text{(B3)}$$
with $\varepsilon = \frac{2}{3}(1 - F)$ because one of the “wrong” Bell states gives nevertheless the correct bit correlations. In particular, the fidelity of a Bell measurement must exceed 83.5% to have $K_2 > 0$.
[73] That is, photons may be lost but do not decohere in the memory. Note that this can be the case even if the atoms, which form the memory, do undergo some decoherence (Staudt et al., 2007).
[74] Recall that there is no time-ordering in quantum correlations: so, this procedure gives exactly the same statistics as the “usual” entanglement swapping, in which the Bell measurement is made beforehand.
[75] In fact, let $x = 1 - (1 - \sqrt{t}\,\eta)^N$: the probability that Alice’s (Bob’s) detector is activated by the m-th group of N pairs is $p_1(m) = x(1 - x)^{m-1}$. Therefore, the probability that both links are activated exactly by the n-th repetition is $p(n) = 2p_1(n)\,p_1(<n) + p_1(n)^2 = x(1 - x)^{n-1}\left[2 - (2 - x)(1 - x)^{n-1}\right]$ with $p_1(<n) = \sum_{m=1}^{n-1} p_1(m)$. Finally, the number of repetitions needed to establish the link is $\langle n \rangle = \sum_n n\, p(n) = \frac{1}{x}\,\frac{3 - 2x}{2 - x}$.
FIG. 9 Comparison of K1 (straight line) and K2. For all curves: νS = 10 GHz, η = 0.5, ηM = 0.9, pM = 0.9, α = 0.2 dB/km (fibers), TM = 10 s. Line (a): best case, N = 1000, F = 0.95; line (b): N = 1000, fidelity reduced to F = 0.9; line (c): supported modes reduced to N = 100, F = 0.95. (Horizontal axis: distance [km].)
Some plots of K1 and K2 as a function of the distance are shown in Fig. 9. The chosen values are already optimistic extrapolations of what could be achieved in a not too distant future. We notice that quantum repeaters overcome the direct link for ℓ ≳ 500 km in fibers; with η = 0.5 and N = 1000, this requires TM ≈ 10 s. Also, the number of modes supported by the memory is a more critical parameter than the fidelity of the Bell measurement. This analysis provides a rough idea of the performances to be reached in order for quantum repeaters to be useful.
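An added Python example (not from the paper) that evaluates K1 and K2 of (B1)-(B3) with the Fig. 9 parameters and finds the distance at which the two-link repeater overtakes the direct link. It goes slightly beyond the text by using the exact mean number of rounds from footnote 75 instead of the small-x approximation for τ, and it assumes c = 2×10^5 km/s for the signal speed in fiber, a value the text does not specify; function names are illustrative.

```python
import math

C_FIBER_KM_PER_S = 2.0e5   # ASSUMPTION: signal speed in fiber; the text leaves c unspecified
NU_S = 1e10                # source repetition rate in Hz (Fig. 9)
FIG9_COMMON = dict(eta=0.5, eta_m=0.9, p_m=0.9, alpha=0.2, t_m=10.0)
FIG9_LINES = {
    "a": dict(n_modes=1000, fidelity=0.95),
    "b": dict(n_modes=1000, fidelity=0.90),
    "c": dict(n_modes=100, fidelity=0.95),
}

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def transmittivity(length_km, alpha):
    """t = 10^(-alpha * l / 10) for losses alpha in dB/km."""
    return 10 ** (-alpha * length_km / 10)

def direct_link_key_rate(length_km, nu_s, eta, alpha):
    """Eq. (B1): K1 = nu_S * t * eta^2."""
    return nu_s * transmittivity(length_km, alpha) * eta ** 2

def mean_rounds(x):
    """Closed form of footnote 75: <n> = (1/x) (3 - 2x) / (2 - x)."""
    return (3 - 2 * x) / (x * (2 - x))

def mean_rounds_by_summation(x, tol=1e-15):
    """Sum n * p(n) term by term, with p(n) as given in footnote 75."""
    total, n, survive = 0.0, 1, 1.0        # survive = (1 - x)^(n - 1)
    while survive > tol:
        total += n * x * survive * (2 - (2 - x) * survive)
        survive *= 1 - x
        n += 1
    return total

def two_link_key_rate(length_km, *, eta, eta_m, p_m, alpha, t_m,
                      n_modes, fidelity, c=C_FIBER_KM_PER_S):
    """Eqs. (B2)-(B3), with tau = <n> * l / c from footnote 75."""
    a = math.sqrt(transmittivity(length_km, alpha)) * eta
    # x = 1 - (1 - a)^N, computed stably when a is tiny
    x = -math.expm1(n_modes * math.log1p(-a))
    tau = mean_rounds(x) * length_km / c
    if tau >= t_m:                          # sharp memory cut-off of (B2)
        return 0.0
    r2 = 0.5 * p_m ** 2 * eta_m ** 2 / tau
    eps = 2 * (1 - fidelity) / 3
    # A negative bracket in (B3) means no key, so the rate is clamped at zero.
    return r2 * max(0.0, 1 - 2 * h(eps))

def crossover_km(line, max_km=1000):
    """First integer distance (km) where K2 > K1 for a Fig. 9 line, else None."""
    params = {**FIG9_COMMON, **FIG9_LINES[line]}
    for length in range(1, max_km + 1):
        k1 = direct_link_key_rate(length, NU_S, params["eta"], params["alpha"])
        if two_link_key_rate(length, **params) > k1:
            return length
    return None

if __name__ == "__main__":
    for line in FIG9_LINES:
        print(f"line ({line}): repeater overtakes direct link at", crossover_km(line), "km")
```

Under the stated assumption on c, a line whose memory cut-off τ ≥ TM is reached before K2 exceeds K1 returns None, which is how the sensitivity to the number of modes N shows up.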
For the next step, the four-link repeater, we content ourselves with a few remarks. The four-link repeater allows in principle to reach the scaling $R_4 \propto t^{1/4}$. The requirements for a practical implementation, however, become more stringent: the four memories must be released before $T_M$; there are three Bell measurements, so ε < 11% requires F ≳ 95%; also, $p_{M'} \approx p_M\, t^{1/4}$. Moreover, it is easy to realize that the basic scheme (Fig. 8) requires heralded memories, although other schemes do not (Duan et al., 2001).
References
Acín, A., J.I. Cirac, and L. Masanes, 2004, Phys. Rev. Lett. 92, 107903.
Acín, A., N. Gisin, and V. Scarani, 2004, Phys. Rev. A 69, 012309.
Acín, A., and N. Gisin, 2005, Phys. Rev. Lett. 94, 020501.
Acín, A., N. Gisin, and L. Masanes, 2006, Phys. Rev. Lett. 97, 120405.
Acín, A., N. Brunner, N. Gisin, S. Massar, S. Pironio, V. Scarani, 2007, Phys. Rev. Lett. 98, 230501.
Adachi, Y., T. Yamamoto, M. Koashi, and N. Imoto, 2007, Phys. Rev. Lett. 99, 180503.
Agrawal, G.P., 1997, Fiber-Optic Communication Systems (John Wiley and Sons).
Ahlswede, R., and I. Csiszár, 1993, IEEE Trans. Inf. Theory 39, 1121.
Alexander, A.L., J.J. Longdell, M.J. Sellars, and N.B. Manson, 2006, Phys. Rev. Lett. 96, 043602.
Alléaume, R., F. Treussart, G. Messin, Y. Dumeige, J.-F. Roch, A. Beveratos, R. Brouri-Tualle, J.-P. Poizat, and P. Grangier, 2004, New J. Phys. 6, 92.
Alléaume, R., J. Bouda, C. Branciard, T. Debuisschert, M. Dianati, N. Gisin, M. Godfrey, P. Grangier, T. Länger, A. Leverrier, N. Lütkenhaus, P. Painchault, M. Peev, A. Poppe, T. Pornin, J. Rarity, R. Renner, G. Ribordy, M. Riguidel, L. Salvail, A. Shields, H. Weinfurter, and A. Zeilinger, 2007, eprint quant-ph/0701168 (SECOQC White Paper on Quantum Key Distribution and Cryptography).
Alléaume, R., F. Roueff, E. Diamanti, N. Lütkenhaus, 2009, eprint arXiv:0903.0839.
Aspelmeyer, M., T. Jennewein, M. Pfennigbauer, W. Leeb, and A. Zeilinger, 2003, IEEE J. of Selected Topics in Quantum Electronics 9, 1541.
Bae, J., and A. Acín, 2007, Phys. Rev. A 75, 012334.
Barnum, H., J. Barrett, M. Leifer, and A. Wilce, 2006, eprint quant-ph/0611295.
Barrett, J., L. Hardy, and A. Kent, 2005, Phys. Rev. Lett. 95, 010503.
Beaudry, N.J., T. Moroder, and N. Lütkenhaus, 2008, Phys. Rev. Lett. 101, 093601.
Beaudry, N.J., T. Moroder, and N. Lütkenhaus, 2008, in preparation.
Bechmann-Pasquinucci, H. and N. Gisin, 1999, Phys. Rev. A 59, 4238.
Bechmann-Pasquinucci, H. and A. Peres, 2000, Phys. Rev. Lett. 85, 3313.
Bechmann-Pasquinucci, H. and W. Tittel, 2000, Phys. Rev. A 61, 062308.
Bechmann-Pasquinucci, H. and A. Pasquinucci, 2005, eprint quant-ph/0505089.
Bechmann-Pasquinucci, H., 2006, Phys. Rev. A 73, 044305.
Beige, A., B.-G. Englert, C. Kurtsiefer, and H. Weinfurter, 2002, Acta Phys. Pol. A 101, 357.
Bennett, C.H. and G. Brassard, 1984, in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York), p. 175.
Bennett, C.H., G. Brassard, S. Breidbart, and S. Wiesner, 1984, IBM Technical Disclosure Bulletin 26, 4363.
Bennett, C.H., G. Brassard, and J.-M. Robert, 1988, SIAM J. Comp. 17, 210.
Bennett, C.H., G. Brassard, and N.D. Mermin, 1992, Phys. Rev. Lett. 68, 557.
Bennett, C.H., 1992, Phys. Rev. Lett. 68, 3121.
Bennett, C. H., F. Bessette, L. Salvail, G. Brassard, and J. Smolin, 1992, J. Cryptology 5, 3.
Bennett, C. H., G. Brassard, C. Crépeau, and U. Maurer, 1995, IEEE Trans. Info. Theory 41, 1915.
Ben-Or, M., 2002, Security of BB84 QKD Protocol, Slides available at
Ben-Or, M., M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, 2005, in: Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, Lecture Notes in Computer Science Vol. 3378 (Springer Verlag, Berlin), p. 387.
Bethune, D., and W. Risk, 2000, IEEE J. Quantum Electron. 36, 340.
Beveratos, A., R. Brouri, T. Gacoin, A. Villing, J.P. Poizat, and P. Grangier, 2002, Phys. Rev. Lett. 89, 187901.
Biham, E., and T. Mor, 1997, Phys. Rev. Lett. 78, 2256.
Biham, E., M. Boyer, G. Brassard, J. van de Graaf, and T. Mor, 2005, Algorithmica 34, 372.
Bloch, M., A. Thangaraj, S.W. McLaughlin, and J.-M. Merolla, 2005, eprint cs.IT/0509041.
Bloom, S., E. Korevaar, J. Schuster, and H. Willebrand, 2003, J. Opt. Netw. 2, 178.
Boileau, J.C., D. Gottesman, R. Laflamme, D. Poulin, R.W. Spekkens, 2004, Phys. Rev. Lett. 92, 017901.
Boström, K., and T. Felbinger, 2002, Phys. Rev. Lett. 89, 187902.
Boucher, W., and T. Debuisschert, 2005, Phys. Rev. A 72, 062325.
Bourennane, M., M. Eibl, S. Gaertner, C. Kurtsiefer, A. Cabello, and H. Weinfurter, 2004, Phys. Rev. Lett. 92, 107901.
Brainis, E., L.-P. Lamoureux, N.J. Cerf, P. Emplit, M. Haelterman, and S. Massar, 2003, Phys. Rev. Lett. 90, 157902.
Branciard, C., N. Gisin, B. Kraus, and V. Scarani, 2005, Phys. Rev. A 72, 032301.
Branciard, C., N. Gisin, N. Lütkenhaus, and V. Scarani, 2007, Quant. Inf. Comput. 7, 639.
Branciard, C., N. Gisin, and V. Scarani, 2008, New J. Phys. 10, 013031.
Brassard, G., and L. Salvail, 1994, in: Advances in Cryptology - EUROCRYPT ’93, Lecture Notes in Computer Science Vol. 765 (Springer Verlag, Berlin), pp. 410-423.
Brassard, G., N. Lütkenhaus, T. Mor, and B.C. Sanders, 2000, Phys. Rev. Lett. 85, 1330.
Brassard, G., T. Mor, and B.C. Sanders, 2000, in: P. Kumar, G.M. D’Ariano and O. Hirota (eds), Quantum Communication, Computing and Measurement 2 (Kluwer Academic/Plenum Publishers, New York), pp. 381-386.
Bréguet, J., A. Muller, and N. Gisin, 1994, J. Mod. Opt. 41, 2405.
Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, Phys. Rev. Lett. 82, 2594.
Briegel, H.-J., W. Dür, J.I. Cirac, and P. Zoller, 1998, Phys. Rev. Lett. 81, 5932.
Bruß, D., 1998, Phys. Rev. Lett. 81, 3018.
Bruß, D., M. Cinchetti, G. M. D’Ariano and C. Macchiavello, 2000, Phys. Rev. A 62, 012302.
Buttler, W.T., R.J. Hughes, P.G. Kwiat, S.K. Lamoreaux, G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson, and C. M. Simmons, 1998, Phys. Rev. Lett. 81, 3283.
Camatel, S., and V. Ferrero, 2006, IEEE Photonics Technology Letters 18, 142.
Carter, J. L., and M. N. Wegman, 1979, J. Comp. Syst. Sci. 18, 143.
Cerf, N.J., A. Ipe, and X. Rottenberg, 2000, Phys. Rev. Lett. 85, 1754.
Cerf, N.J., M. Lévy, and G. Van Assche, 2001, Phys. Rev. A 63, 052311.
Cerf, N.J., M. Bourennane, A. Karlsson and N. Gisin, 2002, Phys. Rev. Lett. 88, 127902.
Chen, T.-Y., J. Zhang, J.-C. Boileau, X.-M. Jin, B. Yang, Q. Zhang, T. Yang, R. Laflamme, and J.-W. Pan, 2006, Phys. Rev. Lett. 96, 150504.
Childress, L., J.M. Taylor, A.S. Sorensen, and M.D. Lukin, 2006, Phys. Rev. Lett. 96, 070504.
Chau, H. F., 2002, Phys. Rev. A 66, 060302(R).
Chou, C.-W., J. Laurat, H. Deng, K.S. Choi, H. de Riedmatten, D. Felinto, H.J. Kimble, 2007, Science 316, 1316.
Cleve, R., D. Gottesman, and H.-K. Lo, 1999, Phys. Rev. Lett. 83, 648.
Collins D., N. Gisin and H. de Riedmatten, 2005, J. Mod. Opt. 52, 735.
Coppersmith, D., D.B. Johnson, and S.M. Matyas, 1996, IBM J. Res. Dev. 40, 253.
Cova, S., M. Ghioni, A. Lotito, I. Rech, and F. Zappa, 2004, J. Mod. Opt. 51, 1267.
Crépeau, C., D. Gottesman, and A. Smith, 2005, in: Advances in Cryptology - EUROCRYPT 2005, Lecture Notes in Computer Science Vol. 3494 (Springer Verlag, Berlin), pp. 285-301.
Csiszár, I. and J. Körner, 1978, IEEE Trans. Inf. Theory 24, 339.
Curty, M., M. Lewenstein, and N. Lütkenhaus, 2004, Phys. Rev. Lett. 92, 217903.
Curty, M., and N. Lütkenhaus, 2004, Phys. Rev. A 69, 042321.
Curty, M., and N. Lütkenhaus, 2005, Phys. Rev. A 71, 062301.
Curty, M., L. Zhang, H.-K. Lo, and N. Lütkenhaus, 2007, Quant. Inf. Comput. 7, 665.
Curty, M., K. Tamaki, and T. Moroder, 2005, Phys. Rev. A 77, 052321.
Daemen, J., and V. Rijmen, 2001, Dr. Dobb’s J. 26, 137.
Damgaard, I.B., S. Fehr, L. Salvail, C. Schaffner, 2005, in: Proceedings of the 46th IEEE Symposium on Foundations of Computer Science - FOCS 2005, p. 449.
Damgaard, I.B., S. Fehr, R. Renner, L. Salvail, C. Schaffner, 2007, in: CRYPTO 2007, Lecture Notes in Computer Science Vol. 4622 (Springer Verlag, Berlin).
De Riedmatten, H., I. Marcikic, V. Scarani, W. Tittel, H. Zbinden, N. Gisin, 2004, Phys. Rev. A 69, 050304(R).
De Riedmatten, H., V. Scarani, I. Marcikic, A. Acín, W. Tittel, H. Zbinden, N. Gisin, 2004, J. Mod. Opt. 51, 1637.
Devetak, I. and A. Winter, 2005, Proc. R. Soc. Lond. A 461, 207.
Deutsch, D., A.K. Ekert, R. Jozsa, C. Macchiavello, S. Popescu, and A. Sanpera, 1996, Phys. Rev. Lett. 77, 2818.
Diamanti, E., H. Takesue, T. Honjo, K. Inoue, and Y. Yamamoto, 2005, Phys. Rev. A 72, 052311.
Diamanti, E., H. Takesue, C. Langrock, M.M. Fejer, and Y. Yamamoto, 2006, Optics Express 14, 13073.
Dianati, M., and R. Alléaume, 2006, eprint quant-ph/0610202.
Dianati, M., R. Alléaume, M. Gagnaire, and X. Shen, 2008, Security and Communication Networks 1, 57.
Diffie, W., and M.E. Hellman, 1976, IEEE Trans. Info. Theory IT-22, 644.
Duan, L.M., M.D. Lukin, J.I. Cirac, and P. Zoller, 2001, Nature 414, 413.
Dür, W., H.-J. Briegel, J.I. Cirac, and P. Zoller, 1999, Phys. Rev. A 59, 169.
Durkin, G.A., C. Simon, and D. Bouwmeester, 2002, Phys. Rev. A 88, 187902.
Dušek, M., O. Haderka, and M. Hendrych, 1999, Opt. Commun. 169, 103.
Dušek, M., M. Jahma, and N. Lütkenhaus, 2000, Phys. Rev. A 62, 022306.
Dušek, M., N. Lütkenhaus, and M. Hendrych, 2006, Progress in Optics 49, Edt. E. Wolf (Elsevier), 381.
Eisenberg, H.S., G. Khoury, G.A. Durkin, C. Simon, and D. Bouwmeester, 2004, Phys. Rev. Lett. 93, 193901.
Ekert, A.K., 1991, Phys. Rev. Lett. 67, 661.
Ekert, A.K., N. Gisin, B. Huttner, H. Inamori, H. Weinfurter, 2001, Quantum cryptography, in: D. Bouwmeester, A.K. Ekert, A. Zeilinger (eds), The physics of quantum information (Springer Verlag, London).
Elliott, C., 2002, New J. Phys. 4, 46.
Elliott, C., A. Colvin, D. Pearson, O. Pikalo, J. Schlafer, and H. Yeh, 2005, eprint quant-ph/0503058.
Englert, B.-G., D. Kaszlikowski, H.K. Ng, W.K. Chua, J. Rehácek, and J. Anders, 2004, eprint quant-ph/0412075.
Erven, C., C. Couteau, R. Laflamme, and G. Weihs, 2008, eprint arXiv:0807.2289.
Fasel, S., N. Gisin, G. Ribordy, and H. Zbinden, 2004, Eur. Phys. J. D 30, 143.
Franson, J. D., and H. Ilves, 1994, J. Mod. Opt. 41, 2391.
Fuchs, C.A., N. Gisin, R. B. Griffiths, C.-S. Niu and A. Peres, 1997, Phys. Rev. A 56, 1163.
Fung, C.-H. F., K. Tamaki, and H.-K. Lo, 2006, Phys. Rev. A 73, 012337.
Fung, C.-H. F., B. Qi, K. Tamaki, and H.-K. Lo, 2007, Phys. Rev. A 75, 032314.
Galtarossa, A., and Menyuk, C.R. (eds), 2005, Polarization Mode Dispersion (Springer Verlag, Berlin).
García-Patrón, R., and N.J. Cerf, 2006, Phys. Rev. Lett. 97, 190503.
García-Patrón, R., 2007, Ph.D. thesis (Université Libre de Bruxelles).
Gisin, N., and J.P. Pellaux, 1992, Optics Commun. 89, 316.
Gisin, N., and S. Wolf, 1999, Phys. Rev. Lett. 83, 4200.
Gisin, N., and S. Wolf, 2000, in: Proceedings of CRYPTO 2000, Lecture Notes in Computer Science Vol. 1880 (Springer Verlag, Berlin), p. 482.
Gisin, N., G. Ribordy, W. Tittel and H. Zbinden, 2002, Rev. Mod. Phys. 74, 145.
Gisin, N., G. Ribordy, H. Zbinden, D. Stucki, N. Brunner, and V. Scarani, 2004, eprint quant-ph/0411022.
Gisin, N., S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, 2006, Phys. Rev. A 73, 022320.
Gobby, C., Z.L. Yuan, and A.J. Shields, 2004, Appl. Phys. Lett. 84, 3762.
Goldenberg, L., and L. Vaidman, 1995, Phys. Rev. Lett. 75, 1239.
Goldenberg, L., and L. Vaidman, 1996, Phys. Rev. Lett. 77, 3265.
Gomez-Sousa, H., and M. Curty, 2009, Quant. Inf. Comput. 9, 62.
Gottesman, D., and J. Preskill, 2001, Phys. Rev. A 63, 022309.
Gottesman, D., and H.-K. Lo, 2003, IEEE Transactions on Information Theory 49, 457.
Gottesman, D., H.-K. Lo, N. Lütkenhaus, and J. Preskill, 2004, Quant. Inf. Comput. 4, 325.
Griffiths, R.B. and C.-S. Niu, 1997, Phys. Rev. A 56, 1173.
Grosshans, F., and P. Grangier, 2002, Phys. Rev. Lett. 88, 057902.
Grosshans, F., and P. Grangier, in: Proc. 6th Int. Conf. on Quantum Communications, Measurement, and Computing (QCMC’02) (Rinton Press); eprint quant-ph/0204127.
Grosshans, F., G. Van Assche, J. Wenger, R. Tualle-Brouri, N. J. Cerf, and P. Grangier, 2003, Nature 421, 238.
Grosshans, F., N.J. Cerf, J. Wenger, R. Tualle-Brouri, and P. Grangier, 2003, Quantum Inf. Comput. 3, 535.
Grosshans, F., and N. J. Cerf, 2004, Phys. Rev. Lett. 92, 047905.
Grosshans, F., 2005, Phys. Rev. Lett. 94, 020504.
Grover, L.K., 1996, in Proc. 28th Annual ACM Symp. on the Theory of Computing, STOC’96 (ACM, New York), p. 212.
Grover, L.K., 1997, Phys. Rev. Lett. 79, 325.
Hadfield, R.H., J.L. Habif, J. Schlafer, R.E. Schwall, S.W. Nam, 2006, Appl. Phys. Lett. 89, 241129.
Halder, M., A. Beveratos, N. Gisin, V. Scarani, C. Simon, and H. Zbinden, 2007, Nature Physics 3, 692.
Häseler, H., T. Moroder, and N. Lütkenhaus, 2008, Phys. Rev. A 77, 032303.
Hasegawa, J., M. Hayashi, T. Hiroshima, A. Tanaka, and A. Tomita, 2007, eprint arXiv:0705.3081.
Hayashi, M., 2006, Phys. Rev. A 74, 022307.
Hayashi, M., 2007, Phys. Rev. A 76, 012329.
Hayashi, M., 2007, New J. Phys. 9, 284.
Heid, M., and N. Lütkenhaus, 2006, Phys. Rev. A 73, 052316.
Heid, M., and N. Lütkenhaus, 2007, Phys. Rev. A 76, 022313.
Helstrom, C.W., 1976, Quantum Detection and Estimation Theory (Academic Press, New York).
Herbauts, I.M., S. Bettelli, H. Hübel, and M. Peev, 2008, Eur. Phys. J. D 46, 395.
Hillery, M., V. Bužek, and A. Berthiaume, 1999, Phys. Rev. A 59, 1829.
Hillery, M., 2000, Phys. Rev. A 61, 022309.
Hiskett, P.A., D. Rosenberg, C.G. Peterson, R.J. Hughes, S.W. Nam, A.E. Lita, A.J. Miller, and J.E. Nordholt, 2006, New J. Phys. 8, 193.
Holevo, A.S., 1973, Probl. Inf. Trans. 9, 177.
Horodecki, K., M. Horodecki, P. Horodecki, and J. Oppenheim, 2005, Phys. Rev. Lett. 94, 160502.
Horodecki, K., M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim, 2008, IEEE Trans. Info. Theory 54, 2604.
Horodecki, K., M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim, 2008, Phys. Rev. Lett. 100, 110502.
Hübel, H., M.R. Vanner, T. Lederer, B. Blauensteiner, T. Lorünser, A. Poppe, A. Zeilinger, 2007, Optics Express 15, 7853.
Hughes, R.J., J.E. Nordholt, D. Derkacs, and C.G. Peterson, 2002, New J. Phys. 4, 43.
Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, Phys. Rev. A 51, 1863.
Hwang, W.-Y., 2003, Phys. Rev. Lett. 91, 057901.
A. Karlsson, M. Koashi, and N. Imoto, 1999, Phys. Rev. A 59, 162.
Inamori, H., N. Lütkenhaus, D. Mayers, 2007, Eur. J. Phys. D 41, 599, eprint quant-ph/0107017.
Inoue, K., E. Waks, and Y. Yamamoto, 2002, Phys. Rev. Lett. 89, 037902.
Inoue, K., E. Waks, and Y. Yamamoto, 2003, Phys. Rev. A 68, 022317.
Inoue, K., and T. Honjo, 2005, Phys. Rev. A 71, 042305.
Intallura, P.M., M.B. Ward, O.Z. Karimov, Z.L. Yuan, P. See, A.J. Shields, P. Atkinson, and D.A. Ritchie, 2007, Appl. Phys. Lett. 91, 161103.
Jacobs, B.C., T.B. Pittman, and J.D. Franson, 2002, Phys. Rev. A 66, 052307.
Jennewein, T., C. Simon, G. Weihs, H. Weinfurter, A. Zeilinger, 2000, Phys. Rev. Lett. 84, 4729.
Julsgaard, B., J. Sherson, J.I. Cirac, J. Fiurasek, E.S. Polzik, 2004, Nature 432, 482.
Kim, J., S. Takeuchi, Y. Yamamoto, and H. Hogue, 1999, Appl. Phys. Lett. 74, 902.
Kim, I.I., and E. Korevaar, 2001, http://www.freespaceoptic.com/WhitePapers/SPIE2001b.pdf.
Koashi, M., and N. Imoto, 1997, Phys. Rev. Lett. 79, 2383.
Koashi, M., and J. Preskill, 2003, Phys. Rev. Lett. 90, 057902.
Koashi, M., 2004, Phys. Rev. Lett. 93, 120501.
Koashi, M., 2005, eprint quant-ph/0507154.
Koashi, M., 2006, J. of Phys. Conference Series 36, 98.
Koashi, M., 2006, eprint quant-ph/0609180.
Koashi, M., 2007, eprint arXiv:0704.3661.
Koashi, M., Y. Adachi, T. Yamamoto, and N. Imoto, 2008, eprint arXiv:0804.0891.
König, R., R. Renner, A. Bariska, and U. Maurer, 2007, Phys. Rev. Lett. 98, 140502.
König, R., and B. Terhal, 2008, IEEE Trans. Inf. Theo. 54, 749.
König, R., and R. Renner, 2007, eprint arXiv:0712.4291.
Kraus, B., N. Gisin and R. Renner, 2005, Phys. Rev. Lett. 95, 080501.
Kraus, B., C. Branciard and R. Renner, 2007, Phys. Rev. A 75, 012316.
Kurtsiefer, C., P. Zarda, S. Mayer, and H. Weinfurter, 2001, J. Mod. Opt. 48, 2039.
Kurtsiefer, C., P. Zarda, M. Halder, H. Weinfurter, P.M. Gorman, P.R. Tapster, and J.G. Rarity, 2002, Nature 419, 450.
Kwiat, P.G., K. Mattle, H. Weinfurter, A. Zeilinger, A. V. Sergienko, and Y. Shih, 1995, Phys. Rev. Lett. 75, 4337.
Kwiat, P.G., E. Waks, A.G. White, I. Appelbaum, and P.H. Eberhard, 1999, Phys. Rev. A 60, R773.
Lamas-Linares, A., and C. Kurtsiefer, 2007, Opt. Express 15, 9388.
Lance, A.M., T. Symul, V. Sharma, C. Weedbrook, T.C. Ralph, P.K. Lam, 2005, Phys. Rev. Lett. 95, 180503.
Laurent, S., S. Varoutsis, L. Le Gratiet, A. Lemaître, I. Sagnes, F. Raineri, J. A. Levenson, I. Robert-Philip, and I. Abram, 2005, Appl. Phys. Lett. 87, 163107.
Le Bellac, M., 2006, A Short Introduction to Quantum Information and Quantum Computation (Cambridge University Press, Cambridge).
Legré, M., H. Zbinden, and N. Gisin, 2006, Quant. Inf. Comput. 6, 326.
Leverrier, A., R. Alléaume, J. Boutros, G. Zémor, P. Grangier, 2008, Phys. Rev. A 77, 042325.
Leverrier, A., E. Karpov, P. Grangier, and N.J. Cerf, 2008, eprint arXiv:0809.2252.
Li, Y., H. Mikami, H. Wang, and T. Kobayashi, 2005, Phys. Rev. A 72, 063801.
Ling, A., M.P. Peloso, I. Marcikic, V. Scarani, A. Lamas-
Linares, C. Kurtsiefer, 2008, Phys. Rev. A 78, 020301(R).
Lo, H.-K., and H.F. Chau, 1997, Phys. Rev. Lett. 78, 3410.
Lo, H.-K., 1997, Phys. Rev. A 56, 1154.
Lo, H.-K., 1998, Quantum cryptology, in: H.-K. Lo, S.Popescu
and T.Spiller (eds), Introduction to quantum computation
and information (World Scientific, Singapore).
Lo, H.-K., and H.F. Chau, 1999, Science 283, 2050.
Lo, H.-K., 2001, Quant. Inf. Comput. 1, 81.
Lo, H.-K., H. F. Chau, and M. Ardehali, 2005, J. Cryptology
18, 133, eprint quant-ph/9803007.
Lo, H.-K., 2003, New J. Phys. 5, 36.
Lo, H.-K., 2005, Quant. Inf. Comput. 5, 413.
Lo, H.-K., X. Ma, and K. Chen, 2005, Phys. Rev. Lett. 94,
230504.
Lo, H.-K., and J. Preskill, 2007, Quant. Inf. Comput. 8, 431.
Lo, H.-K., and Y. Zhao, 2008, eprint arXiv:0803.2507.
Lodewyck, J., T. Debuisschert, R. Tualle-Brouri, and P.
Grangier, 2005, Phys. Rev. A 72, 050303(R).
Lodewyck, J., M. Bloch, R. Garcia-Patron, S. Fossier, E. Kar-
pov, E. Diamanti, T. Debuisschert, N.J. Cerf, R. Tualle-
Brouri, S.W. McLaughlin, and P. Grangier, 2007, Phys.
Rev. A 76, 042305.
Lodewyck, J., T. Debuisschert, R. Garc´ıa-Patr´on, R. Tualle-
Brouri, N.J. Cerf, and P. Grangier, 2007, Phys. Rev. Lett.
98, 030503.
Lodewyck, J., and P. Grangier, 2007, Phys. Rev. A 76,
022332.
Lorenz, S., N. Korolkova, and G. Leuchs, 2004, Appl. Phys.
B 79, 273.
Lorenz, S., J. Rigas, M. Heid, U.L. Andersen, N. L¨utkenhaus,
and G. Leuchs, 2006, Phys. Rev. A 74, 042326.
Lounis, B., and M. Orrit, 2005, Rep. Prog. Phys. 68, 1129.
L¨utkenhaus, N., 1996, Phys. Rev. A 54, 97.
L¨utkenhaus, N., 1999, Phys. Rev. A 59, 3301.
L¨utkenhaus, N., 2000, Phys. Rev. A 61, 052304.
L¨utkenhaus, N., and M. Jahma, 2002, New J. Phys. 4, 44.
Ma, X., C.-H. F. Fung, F. Dupuis, K. Chen, K.Tamaki, and
H.-K. Lo, 2006, Phys. Rev. A 74, 032330.
Ma, X., C.-H. F. Fung, and H.-K. Lo, 2007, Phys. Rev. A 76,
012307.
Mair, A., A. Vaziri, G. Weihs, and A. Zeilinger, 2001, Nature
412, 3123.
Makarov, V., and D. R. Hjelme, 2005, J. Mod. Opt. 52, 691.
Makarov, V., A. Anisimov, and J. Skaar, 2006, Phys. Rev. A
74, 022313.
Makarov, V., and J. Skaar, 2008, Quant. Inf. Comput. 8, 622.
Mandel, L., and E. Wolf, 1995, Optical Coherence and Quantum
Optics (Cambridge University Press, Cambridge).
Marcikic, I., A. Lamas-Linares, and C. Kurtsiefer, 2006, Appl.
Phys. Lett. 89, 101122.
Masanes, L., A. Acín, and N. Gisin, 2006, Phys. Rev. A 73,
012112.
Masanes, L., 2009, Phys. Rev. Lett. 102, 140501.
Mauerer, W., and C. Silberhorn, 2007, Phys. Rev. A 75,
050305(R).
Maurer, U.M., 1993, IEEE Trans. Info. Theory 39, 733.
Maurer, U.M., and S. Wolf, 1999, SIAM J. Comput. 28, 1689.
Maurer, U.M., and S. Wolf, 2000, Des. Codes Cryptography
19, 147.
Mayers, D., 1996, in: Advances in Cryptology — Proceedings
of Crypto ’96 (Springer Verlag, Berlin), p. 343.
Mayers, D., 1997, Phys. Rev. Lett. 78, 3414.
Mayers, D., 2001, JACM 48, 351.
Mérolla, J.-M., Y. Mazurenko, J.-P. Goedgebuer, and W.T.
Rhodes, 1999, Phys. Rev. Lett. 82, 1656.
Meyer, T., H. Kampermann, M. Kleinmann, and D. Bruss,
2006, Phys. Rev. A 74, 042340.
Miller, A. J., S. W. Nam, J. M. Martinis, and A. V. Sergienko,
2003, Appl. Phys. Lett. 83, 791.
Mølmer, K., 1997, Phys. Rev. A 55, 3195.
Muller, A., H. Zbinden, and N. Gisin, 1995, Nature 378, 449.
Muller, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden,
and N. Gisin, 1997, Appl. Phys. Lett. 70, 793.
Naik, D.S., C.G. Peterson, A.G. White, A.J. Berglund, P.G.
Kwiat, 2000, Phys. Rev. Lett. 84, 4733.
Navascués, M., and A. Acín, 2005, Phys. Rev. Lett. 94,
020505.
Navascués, M., F. Grosshans, and A. Acín, 2006, Phys. Rev.
Lett. 97, 190502.
Nguyen, K.-C., G. Van Assche, and N.J. Cerf, in: Proc. Int.
Symposium on Information Theory and its Applications
(ISITA, Parma, 2004); eprint cs.IT/0406001.
Niederberger, A., V. Scarani and N. Gisin, 2005, Phys. Rev.
A 71, 042316.
Ou, Z.Y., J.-K. Rhee, and L.J. Wang, 1999, Phys. Rev. A 60,
593.
Peng, C.-Z., J. Zhang, D. Yang, W.-B. Gao, H.-X. Ma, H.
Yin, H.-P. Zeng, T. Yang, X.-B. Wand, and J.-W. Pan,
2007, Phys. Rev. Lett. 98, 010505.
Peres, A., 1996, Phys. Rev. Lett. 77, 3264.
Pirandola, S., S.L. Braunstein, S. Lloyd, 2008, Phys. Rev.
Lett. 101, 200504.
Qi, B., Y. Zhao, X. Ma, H.-K. Lo, and L. Qian, 2007, Phys.
Rev. A 75, 052304.
Qi, B., C.H. F. Fung, H.-K. Lo, and X. Ma, 2007, Quant. Inf.
Comput. 7, 73.
Qi, B., L.-L. Huang, L. Qian, and H.-K. Lo, 2007, Phys. Rev.
A 76, 052323.
Ralph, T.C., 1999, Phys. Rev. A 61, 010303(R).
Rarity, J.G., P.M. Gorman, and P.R. Tapster, 2001, Electron.
Lett. 37, 512.
Rarity, J.G., P.R. Tapster, P.M. Gorman, and P. Knight,
2002, New J. Phys. 4, 82.
Reid, M.D., 2000, Phys. Rev. A 62, 062308.
Renner, R., and S. Wolf, 2005, in: Advances in cryptology:
CRYPTO 2003, Lecture Notes in Computer Science Vol.
2729 (Springer Verlag, Berlin), p. 78.
Renner, R., 2005, Ph.D. thesis (ETH Zürich), eprint
quant-ph/0512258.
Renner, R., N. Gisin and B. Kraus, 2005, Phys. Rev. A 72,
012332.
Renner, R., and R. König, 2005, in: Theory of Cryptography:
Second Theory of Cryptography Conference, TCC 2005,
Lecture Notes in Computer Science Vol. 3378 (Springer
Verlag, Berlin), p. 407.
Renner, R., 2007, Nature Physics 3, 645.
Renner, R., and J.I. Cirac, 2009, Phys. Rev. Lett. 102,
110504.
Ribordy, G., J.D. Gautier, N. Gisin, O. Guinnard, and H.
Zbinden, 1998, Electron. Lett. 34, 2116.
Ribordy, G., N. Gisin, O. Guinnard, D. Stucki, M. Wegmüller,
and H. Zbinden, 2004, J. Mod. Opt. 51, 1381.
Rigas, J., O. Gühne, and N. Lütkenhaus, 2006, Phys. Rev. A
73, 012341.
Rosenberg, D., A. E. Lita, A. J. Miller, and S. W. Nam, 2005,
Phys. Rev. A 71, 061803(R).
Rosenberg, D., J.W. Harrington, P.R. Rice, P.A. Hiskett,
C.G. Peterson, R.J. Hughes, A.E. Lita, S.W. Nam, and
J.E. Nordholt, 2007, Phys. Rev. Lett. 98, 010503.
Rosenberg, D., C.G. Peterson, J.W. Harrington, P.R. Rice, N.
Dallmann, K.T. Tyagi, K.P. McCabe, S.W. Nam, B. Baek,
R.H. Hadfield, R.J. Hughes, and J.E. Nordholt, 2009, New
J. Phys. 11, 045009.
Saint-Girons, G., N. Chauvin, A. Michon, G. Patriarche, G.
Beaudoin, B Bremond, C. Bru-Chevalier, and I. Sagnes,
2006, Appl. Phys. Lett. 88, 133101.
Sangouard, N., C. Simon, J. Minar, H. Zbinden, H. De Riedmatten,
and N. Gisin, 2007, Phys. Rev. A 76, 050301(R).
Scarani, V., A. Acín, G. Ribordy, and N. Gisin, 2004, Phys.
Rev. Lett. 92, 057901.
Scarani, V., H. De Riedmatten, I. Marcikic, H. Zbinden and
N. Gisin, 2005, Eur. Phys. J. D 32, 129.
Scarani, V., 2006, Quantum Physics – A First Encounter
(Oxford University Press, Oxford).
Scarani, V., N. Gisin, N. Brunner, L. Masanes, S. Pino, and
A. Acín, 2006, Phys. Rev. A 74, 042339.
Scarani, V., and R. Renner, 2008, Phys. Rev. Lett. 100,
200501.
Shannon, C.E., 1949, Bell Syst. Tech. J. 28, 656.
Shields, A.J., 2007, Nature Photonics 1, 215.
Shor, P.W., 1994, in Proceedings of the 35th Annual Symposium
on the Foundations of Computer Science, Santa Fe
(IEEE Computer Society, Los Alamitos), p. 124.
Shor, P.W., 1997, SIAM J. Sci. Statist. Comput. 26, 1484,
eprint quant-ph/9508027.
Shor, P.W. and J. Preskill, 2000, Phys. Rev. Lett. 85, 441.
Silberhorn, C., T. C. Ralph, N. Lütkenhaus, and G. Leuchs,
2002, Phys. Rev. Lett. 89, 167901.
Simon, C., H. De Riedmatten, M. Afzelius, N. Sangouard, H.
Zbinden, and N. Gisin, 2007, Phys. Rev. Lett. 98, 190503.
Slutsky, B.A., R. Rao, P.-C. Sun, and Y. Fainman, 1998,
Phys. Rev. A 57, 2383.
Smith, G., J. M. Renes, and J. A. Smolin, 2008, Phys. Rev.
Lett. 100, 170502.
Staudt, M.U., S.R. Hastings-Simon, M. Nilsson, M. Afzelius,
V. Scarani, R. Ricken, H. Suche, W. Sohler, W. Tittel, and
N. Gisin, 2007, Phys. Rev. Lett. 98, 113601.
Stinson, D.R., 1995, Cryptography, Theory and Practice
(CRC Press, Boca Raton).
Stucki, D., N. Brunner, N. Gisin, V. Scarani, and H. Zbinden,
2005, Appl. Phys. Lett. 87, 194108.
Stucki, D., C. Barreiro, S. Fasel, J.-D. Gautier, O. Gay, N.
Gisin, R. Thew, Y. Thoma, P. Trinkler, F. Vannel, and H.
Zbinden, 2008, eprint arXiv:0809.5264.
Sudjana, J., L. Magnin, R. Garcia-Patron, and N. J. Cerf,
2007, Phys. Rev. A 76, 052301.
Takesue, H., E. Diamanti, T. Honjo, C. Langrock, M.M. Fejer,
K. Inoue, and Y. Yamamoto, 2005, New J. Phys. 7, 232.
Takesue, H., S.W. Nam, Q. Zhang, R.H. Hadfield, T. Honjo,
K. Tamaki, and Y. Yamamoto, 2007, Nature Photonics 1,
343.
Tamaki, K., M. Koashi, and N. Imoto, 2003, Phys. Rev. Lett.
90, 167904.
Tamaki, K., and N. Lütkenhaus, 2004, Phys. Rev. A 69,
032316.
Tamaki, K., and H.-K. Lo, 2006, Phys. Rev. A 73, 010302(R).
Tamaki, K., N. Lütkenhaus, M. Koashi, and J. Batuwantudawe,
2006, eprint quant-ph/0607082.
Tanaka, A., M. Fujiwara, S.W. Nam, Y. Nambu, S. Takahashi,
W. Maeda, K. Yoshino, S. Miki, B. Baek, Z. Wang,
A. Tajima, M. Sasaki, and A. Tomita, 2008, eprint
arXiv:0805.2193.
Tanzilli, S., H. De Riedmatten, W. Tittel, H. Zbinden, P.
Baldi, M. De Micheli, D. B. Ostrowsky, and N. Gisin, 2001,
Electr. Lett. 37, 26.
Tapster, P.R., and J.G. Rarity, 1998, J. Mod. Opt. 45, 595.
Thew, R., A. Acín, H. Zbinden, and N. Gisin, 2004, Quant.
Inf. Comput. 4, 93.
Thew, R., S. Tanzilli, L. Krainer, S. C. Zeller, A. Rochas,
I. Rech, S. Cova, H. Zbinden, and N. Gisin, 2006, New J.
Phys. 8, 32.
Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 2000, Phys.
Rev. Lett. 84, 4737.
Townsend, P.D., J. G. Rarity, and P. R. Tapster, 1993, Electronics
Letters 29, 1291.
Townsend, P.D., S.J.D. Phoenix, K.J. Blow, and S.M. Barnett,
1994, Electronics Letters 30, 1875.
Trifonov, A., D. Subacius, A. Berzanskis, and A. Zavriyev,
2004, J. Mod. Opt. 51, 1399.
Tsujino, K., H.F. Hofmann, S. Takeuchi, and K. Sasaki, 2004,
Phys. Rev. Lett. 92, 153602.
Tsurumaru, T., 2007, Phys. Rev. A 75, 062319.
Tsurumaru, T., A. Soujaeff, and S. Takeuchi, 2008, Phys.
Rev. A 77, 022319.
Tsurumaru, T., and K. Tamaki, 2008, Phys. Rev. A 78,
032302.
Ursin, R., F. Tiefenbacher, T. Schmitt-Manderbach, H.
Weier, T. Scheidl, M. Lindenthal, B. Blauensteiner, T. Jennewein,
J. Perdigues, P. Trojek, B. Oemer, M. Fuerst, M.
Meyenburg, J. Rarity, Z. Sodnik, C. Barbieri, H. Weinfurter
and A. Zeilinger, 2007, Nature Physics 3, 481.
Vakhitov, A., V. Makarov, and D.R. Hjelme, 2001, J. Mod.
Opt. 48, 2023.
Van Assche, G., J. Cardinal, and N.J. Cerf, 2004, IEEE Trans.
Inf. Theory 50, 394.
Van Assche, G., 2006, Quantum Cryptography and Secret-Key
Distillation (Cambridge University Press, Cambridge).
van Enk, S.J., and C.A. Fuchs, 2002, Quant. Inf. Comput. 2,
151.
Verevkin, A., J. Zhang, R. Sobolewski, A. Lipatov, O.
Okunev, G. Chulkova, A. Korneev, K. Smirnov, G. N.
Goltsman, and A. Semenov, 2002, Appl. Phys. Lett. 80,
4687.
Verevkin, A., A. Pearlmany, W. Slyszyz, J. Zhangy, M. Currie,
A. Korneev, G. Chulkova, O. Okunev, P. Kouminov, K.
Smirnov, B. Voronov, G. N. Goltsman, and R. Sobolewskiy,
2004, J. Mod. Opt. 51, 1447.
Vernam, G.S., 1926, J. AIEE 45, 109.
Waks, E., K. Inoue, C. Santori, D. Fattal, J. Vuckovic, G.
Solomon, and Y. Yamamoto, 2002, Nature 420, 762.
Waks, E., A. Zeevi, and Y. Yamamoto, 2002, Phys. Rev. A
65, 052310.
Waks, E., C. Santori, and Y. Yamamoto, 2002, Phys. Rev. A
66, 042315.
Waks, E., K. Inoue, W.D. Oliver, E. Diamanti, and Y. Yamamoto,
2003, IEEE J. of Selected Topics in Quantum
Electronics 9, 1502.
Waks, E., H. Takesue, and Y. Yamamoto, 2006, Phys. Rev.
A 73, 012344.
Waks, E., E. Diamanti, and Y. Yamamoto, 2006, New J. Phys.
8, 4.
Wang, X.-B., 2001, eprint quant-ph/0110089.
Wang, X.-B., 2005, Phys. Rev. Lett. 94, 230503.
Ward, M.B., O.Z. Karimov, D.C. Unitt, Z.L. Yuan, P. See,
D.G. Gevaux, A.J. Shields, P. Atkinson, and D.A. Ritchie,
2005, Appl. Phys. Lett. 86, 201111.
Watanabe, S., R. Matsumoto, and T. Uyematsu, 2004, eprint
quant-ph/0412070.
Weedbrook, C., A.M. Lance, W.P. Bowen, T. Symul, T.C.
Ralph, and P.K. Lam, 2004, Phys. Rev. Lett. 93, 170504.
Wehner, S., C. Schaffner, and B. Terhal, 2008, Phys. Rev.
Lett. 100, 220502.
Wegman, M. N., and J. L. Carter, 1981, J. Comp. Syst. Sci.
22, 265.
Wiesner, S., 1983, Sigact News 15, 78.
Wootters, W.K. and W.H. Zurek, 1982, Nature 299, 802.
Wyner, A.D., 1975, Bell Syst. Tech. J. 54, 1355.
Young, R. J., R. M. Stevenson, P. Atkinson, K. Cooper,
D. A. Ritchie, and A. J. Shields, 2006, New J. Phys. 8, 29.
Yuan, Z.L., and A.J. Shields, 2005, Opt. Express 13, 660.
Yuan, Z.L., A.W. Sharpe, and A.J. Shields, 2007, Appl. Phys.
Lett. 90, 011118.
Yuan, Z.L., B.E. Kardynal, A.W. Sharpe, and A.J. Shields,
2007, Appl. Phys. Lett. 91, 011114.
Yuan, Z.L., A.R. Dixon, J.F. Dynes, A.W. Sharpe, and A.J.
Shields, 2008, Appl. Phys. Lett. 92, 201104.
Zanardi, P., and M. Rasetti, 1997, Phys. Rev. Lett. 79, 3306.
Zhao, Y., B. Qi, X. Ma, H.-K. Lo, and L. Qian, 2006, Phys.
Rev. Lett. 96, 070502.
Zhao, Y., B. Qi, and H.-K. Lo, 2007, Appl. Phys. Lett. 90,
044106.
Zhao, Y., C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, 2008,
Phys. Rev. A 78, 042333.
Zhao, Y., B. Qi, and H.-K. Lo, 2008, Phys. Rev. A 77, 052327.
Zhou, C., G. Wu, X. Chen, and H. Zeng, 2003, Appl. Phys.
Lett. 83, 1692.
Zinoni, C., B. Alloing, C. Monat, V. Zwiller, L.H. Li, A. Fiore,
L. Lunghi, A. Gerardino, H. de Riedmatten, H. Zbinden,
and N. Gisin, 2006, Appl. Phys. Lett. 88, 131102.
 A Teoria Algorítmica da Aleatoriedade A Teoria Algorítmica da Aleatoriedade
A Teoria Algorítmica da Aleatoriedade
XequeMateShannon
 
Quantum Computation and Information
Quantum Computation and InformationQuantum Computation and Information
Quantum Computation and Information
XequeMateShannon
 
Quantum Cryptography: from Theory to Practice
 Quantum Cryptography: from Theory to Practice Quantum Cryptography: from Theory to Practice
Quantum Cryptography: from Theory to Practice
XequeMateShannon
 
Experimental realisation of Shor's quantum factoring algorithm using qubit r...
 Experimental realisation of Shor's quantum factoring algorithm using qubit r... Experimental realisation of Shor's quantum factoring algorithm using qubit r...
Experimental realisation of Shor's quantum factoring algorithm using qubit r...
XequeMateShannon
 
A smooth exit from eternal inflation?
A smooth exit from eternal inflation?A smooth exit from eternal inflation?
A smooth exit from eternal inflation?
XequeMateShannon
 
The different faces of mass action in virus assembly
The different faces of mass action in virus assemblyThe different faces of mass action in virus assembly
The different faces of mass action in virus assembly
XequeMateShannon
 
A Digital Signature Based on a Conventional Encryption Function
A Digital Signature Based on a Conventional Encryption FunctionA Digital Signature Based on a Conventional Encryption Function
A Digital Signature Based on a Conventional Encryption Function
XequeMateShannon
 
Quantum algorithm for solving linear systems of equations
 Quantum algorithm for solving linear systems of equations Quantum algorithm for solving linear systems of equations
Quantum algorithm for solving linear systems of equations
XequeMateShannon
 
Shor's discrete logarithm quantum algorithm for elliptic curves
 Shor's discrete logarithm quantum algorithm for elliptic curves Shor's discrete logarithm quantum algorithm for elliptic curves
Shor's discrete logarithm quantum algorithm for elliptic curves
XequeMateShannon
 
Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA
 Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA
Countermeasures Against High-Order Fault-Injection Attacks on CRT-RSA
XequeMateShannon
 
The complexity of promise problems with applications to public-key cryptography
The complexity of promise problems with applications to public-key cryptographyThe complexity of promise problems with applications to public-key cryptography
The complexity of promise problems with applications to public-key cryptography
XequeMateShannon
 
Ad

Recently uploaded (20)

Structure formation with primordial black holes: collisional dynamics, binari...
Structure formation with primordial black holes: collisional dynamics, binari...Structure formation with primordial black holes: collisional dynamics, binari...
Structure formation with primordial black holes: collisional dynamics, binari...
Sérgio Sacani
 
Parallel resonance circuits of science.pdf
Parallel resonance circuits of science.pdfParallel resonance circuits of science.pdf
Parallel resonance circuits of science.pdf
rk5867336912
 
RAPID DIAGNOSTIC TEST (RDT) overviewppt.pptx
RAPID DIAGNOSTIC TEST (RDT)  overviewppt.pptxRAPID DIAGNOSTIC TEST (RDT)  overviewppt.pptx
RAPID DIAGNOSTIC TEST (RDT) overviewppt.pptx
nietakam
 
UNIT chromatography instrumental6 .pptx
UNIT chromatography  instrumental6 .pptxUNIT chromatography  instrumental6 .pptx
UNIT chromatography instrumental6 .pptx
myselfit143
 
Class-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,Phosphoros
Class-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,PhosphorosClass-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,Phosphoros
Class-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,Phosphoros
govindapathak8
 
VERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptx
VERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptxVERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptx
VERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptx
hipachi8
 
amino compounds.pptx class 12_Govinda Pathak
amino compounds.pptx class 12_Govinda Pathakamino compounds.pptx class 12_Govinda Pathak
amino compounds.pptx class 12_Govinda Pathak
GovindaPathak6
 
SuperconductingMagneticEnergyStorage.pptx
SuperconductingMagneticEnergyStorage.pptxSuperconductingMagneticEnergyStorage.pptx
SuperconductingMagneticEnergyStorage.pptx
BurkanAlpKale
 
Metallurgical process class 11_Govinda Pathak
Metallurgical process class 11_Govinda PathakMetallurgical process class 11_Govinda Pathak
Metallurgical process class 11_Govinda Pathak
GovindaPathak6
 
Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...
Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...
Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...
Ali Raei
 
2025 Insilicogen Company Korean Brochure
2025 Insilicogen Company Korean Brochure2025 Insilicogen Company Korean Brochure
2025 Insilicogen Company Korean Brochure
Insilico Gen
 
Chapter 4_Part 2_Infection and Immunity.ppt
Chapter 4_Part 2_Infection and Immunity.pptChapter 4_Part 2_Infection and Immunity.ppt
Chapter 4_Part 2_Infection and Immunity.ppt
JessaBalanggoyPagula
 
Preparation of Permanent mounts of Parasitic Protozoans.pptx
Preparation of Permanent mounts of Parasitic Protozoans.pptxPreparation of Permanent mounts of Parasitic Protozoans.pptx
Preparation of Permanent mounts of Parasitic Protozoans.pptx
Dr Showkat Ahmad Wani
 
06-Molecular basis of transformation.pptx
06-Molecular basis of transformation.pptx06-Molecular basis of transformation.pptx
06-Molecular basis of transformation.pptx
LanaQadumii
 
Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...
Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...
Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...
Sérgio Sacani
 
Presentatation_SM_muscle_structpes_funtionre_ty.pptx
Presentatation_SM_muscle_structpes_funtionre_ty.pptxPresentatation_SM_muscle_structpes_funtionre_ty.pptx
Presentatation_SM_muscle_structpes_funtionre_ty.pptx
muralinath2
 
On the Lunar Origin of Near-Earth Asteroid 2024 PT5
On the Lunar Origin of Near-Earth Asteroid 2024 PT5On the Lunar Origin of Near-Earth Asteroid 2024 PT5
On the Lunar Origin of Near-Earth Asteroid 2024 PT5
Sérgio Sacani
 
APES 6.5 Presentation Fossil Fuels .pdf
APES 6.5 Presentation Fossil Fuels   .pdfAPES 6.5 Presentation Fossil Fuels   .pdf
APES 6.5 Presentation Fossil Fuels .pdf
patelereftu
 
Effect of nutrition in Entomophagous Insectson
Effect of nutrition in Entomophagous InsectsonEffect of nutrition in Entomophagous Insectson
Effect of nutrition in Entomophagous Insectson
JabaskumarKshetri
 
Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...
Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...
Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...
Yasasi Abeysinghe
 
Structure formation with primordial black holes: collisional dynamics, binari...
Structure formation with primordial black holes: collisional dynamics, binari...Structure formation with primordial black holes: collisional dynamics, binari...
Structure formation with primordial black holes: collisional dynamics, binari...
Sérgio Sacani
 
Parallel resonance circuits of science.pdf
Parallel resonance circuits of science.pdfParallel resonance circuits of science.pdf
Parallel resonance circuits of science.pdf
rk5867336912
 
RAPID DIAGNOSTIC TEST (RDT) overviewppt.pptx
RAPID DIAGNOSTIC TEST (RDT)  overviewppt.pptxRAPID DIAGNOSTIC TEST (RDT)  overviewppt.pptx
RAPID DIAGNOSTIC TEST (RDT) overviewppt.pptx
nietakam
 
UNIT chromatography instrumental6 .pptx
UNIT chromatography  instrumental6 .pptxUNIT chromatography  instrumental6 .pptx
UNIT chromatography instrumental6 .pptx
myselfit143
 
Class-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,Phosphoros
Class-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,PhosphorosClass-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,Phosphoros
Class-11-notes- Inorganic Chemistry Hydrogen, Oxygen,Ozone,Carbon,Phosphoros
govindapathak8
 
VERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptx
VERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptxVERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptx
VERMICOMPOSTING A STEP TOWARDS SUSTAINABILITY.pptx
hipachi8
 
amino compounds.pptx class 12_Govinda Pathak
amino compounds.pptx class 12_Govinda Pathakamino compounds.pptx class 12_Govinda Pathak
amino compounds.pptx class 12_Govinda Pathak
GovindaPathak6
 
SuperconductingMagneticEnergyStorage.pptx
SuperconductingMagneticEnergyStorage.pptxSuperconductingMagneticEnergyStorage.pptx
SuperconductingMagneticEnergyStorage.pptx
BurkanAlpKale
 
Metallurgical process class 11_Govinda Pathak
Metallurgical process class 11_Govinda PathakMetallurgical process class 11_Govinda Pathak
Metallurgical process class 11_Govinda Pathak
GovindaPathak6
 
Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...
Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...
Turkey Diseases and Disorders Volume 2 Infectious and Nutritional Diseases, D...
Ali Raei
 
2025 Insilicogen Company Korean Brochure
2025 Insilicogen Company Korean Brochure2025 Insilicogen Company Korean Brochure
2025 Insilicogen Company Korean Brochure
Insilico Gen
 
Chapter 4_Part 2_Infection and Immunity.ppt
Chapter 4_Part 2_Infection and Immunity.pptChapter 4_Part 2_Infection and Immunity.ppt
Chapter 4_Part 2_Infection and Immunity.ppt
JessaBalanggoyPagula
 
Preparation of Permanent mounts of Parasitic Protozoans.pptx
Preparation of Permanent mounts of Parasitic Protozoans.pptxPreparation of Permanent mounts of Parasitic Protozoans.pptx
Preparation of Permanent mounts of Parasitic Protozoans.pptx
Dr Showkat Ahmad Wani
 
06-Molecular basis of transformation.pptx
06-Molecular basis of transformation.pptx06-Molecular basis of transformation.pptx
06-Molecular basis of transformation.pptx
LanaQadumii
 
Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...
Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...
Direct Evidence for r-process Nucleosynthesis in Delayed MeV Emission from th...
Sérgio Sacani
 
Presentatation_SM_muscle_structpes_funtionre_ty.pptx
Presentatation_SM_muscle_structpes_funtionre_ty.pptxPresentatation_SM_muscle_structpes_funtionre_ty.pptx
Presentatation_SM_muscle_structpes_funtionre_ty.pptx
muralinath2
 
On the Lunar Origin of Near-Earth Asteroid 2024 PT5
On the Lunar Origin of Near-Earth Asteroid 2024 PT5On the Lunar Origin of Near-Earth Asteroid 2024 PT5
On the Lunar Origin of Near-Earth Asteroid 2024 PT5
Sérgio Sacani
 
APES 6.5 Presentation Fossil Fuels .pdf
APES 6.5 Presentation Fossil Fuels   .pdfAPES 6.5 Presentation Fossil Fuels   .pdf
APES 6.5 Presentation Fossil Fuels .pdf
patelereftu
 
Effect of nutrition in Entomophagous Insectson
Effect of nutrition in Entomophagous InsectsonEffect of nutrition in Entomophagous Insectson
Effect of nutrition in Entomophagous Insectson
JabaskumarKshetri
 
Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...
Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...
Examining Visual Attention in Gaze-Driven VR Learning: An Eye-Tracking Study ...
Yasasi Abeysinghe
 

The Security of Practical Quantum Key Distribution

arXiv:0802.4155v3 [quant-ph] 30 Sep 2009

Valerio Scarani (1,2), Helle Bechmann-Pasquinucci (3,4), Nicolas J. Cerf (5), Miloslav Dušek (6), Norbert Lütkenhaus (7,8), Momtchil Peev (9)

(1) Centre for Quantum Technologies and Department of Physics, National University of Singapore, Singapore
(2) Group of Applied Physics, University of Geneva, Geneva, Switzerland
(3) University of Pavia, Dipartimento di Fisica “A. Volta”, Pavia, Italy
(4) UCCI.IT, Rovagnate (LC), Italy
(5) Quantum Information and Communication, Ecole Polytechnique, Université Libre de Bruxelles, Brussels, Belgium
(6) Department of Optics, Faculty of Science, Palacký University, Olomouc, Czech Republic
(7) Institute for Quantum Computing & Department for Physics and Astronomy, University of Waterloo, Waterloo, Canada
(8) Max Planck Research Group, Institute for Optics, Information and Photonics, University of Erlangen-Nuremberg, Erlangen, Germany
(9) Quantum Technologies, Smart Systems Division, Austrian Research Centers GmbH ARC, Vienna, Austria

(Dated: September 30, 2009)

Quantum key distribution (QKD) is the first quantum information task to reach the level of mature technology, already fit for commercialization. It aims at the creation of a secret key between authorized partners connected by a quantum channel and a classical authenticated channel. The security of the key can in principle be guaranteed without putting any restriction on the eavesdropper’s power.

The first two sections provide a concise up-to-date review of QKD, biased toward the practical side. The rest of the paper presents the essential theoretical tools that have been developed to assess the security of the main experimental platforms (discrete variables, continuous variables and distributed-phase-reference protocols).

Contents

I. Introduction
   A. Cryptography
   B. Basics of Quantum Key Distribution (QKD)
      1. Generic setting
      2. The origin of security
      3. The choice of light
      4. The BB84 protocol
      5. An example of eavesdropping
      6. Beyond the example: the field of QKD
   C. Scope of this review
      1. Focus
      2. Outline
II. The Elements of Practical QKD
   A. Milestones
      1. Foundations: 1984-1995
      2. The theory-experiment gap opens: 1993-2000
      3. Closing the gap: 2000 to present
   B. Generic QKD Protocol
      1. Classical and quantum channels
      2. Quantum information processing
      3. Classical information processing
      4. Secret fraction and secret key rate
   C. Notions of Security
      1. Unconditional security, and its conditions
      2. Definition of security
      3. Security proofs
   D. Explicit Protocols
      1. Three families
      2. Discrete-variable Protocols
      3. Continuous-variable Protocols
      4. Distributed-phase-reference Protocols
   E. Sources
      1. Lasers
      2. Sub-Poissonian Sources
      3. Sources of Entangled Photons
   F. Physical Channels
      1. Fiber Links
      2. Free Space Links
   G. Detectors
      1. Photon Counters
      2. Homodyne Detection
   H. Synchronization and alignment
      1. Generalities
      2. Phase coding: two configurations
III. Secret Key Rate
   A. Raw key rate
   B. Secret fraction
      1. Classical information post-processing
      2. Individual, Collective and Coherent Attacks
      3. Quantum side channels and zero-error attacks
      4. Hacking on Practical QKD
      5. A crutch: the “uncalibrated-device scenario”
IV. Discrete-variable protocols
   A. Generic Assumptions and Tools
      1. Photon-number statistics
      2. Qubits and Modes
      3. Secret key rate
   B. BB84 coding: lower bounds
      1. Prepare-and-Measure: Generalities
      2. P&M without decoy states
      3. P&M with decoy states
      4. P&M: analytical estimates
      5. Entanglement-Based
   C. BB84 coding: upper bounds incorporating the calibration of the devices
      1. Statistical parameters
      2. Upper bounds
   D. Bounds for the SARG04 coding
V. Continuous-variable protocols
   A. Status of security proofs
   B. Bounds for Gaussian protocols
      1. Generalities
      2. Modeling the noise
      3. Information Alice-Bob
      4. Individual attacks
      5. Collective attacks
      6. Collective attacks and post-selection
VI. Distributed-phase-reference protocols
   A. Status of security proofs
   B. Bounds for DPS and COW
      1. Collective beam-splitting attack
      2. More sophisticated attacks
VII. Comparison of experimental platforms
   A. Generalities
      1. Model for the source and channel
      2. Choice of the parameters
   B. Comparisons based on K
      1. All platforms on a plot
      2. Upper bound incorporating the calibration of the devices
   C. Comparison based on the “cost of a linear network”
VIII. Perspectives
   A. Perspectives within QKD
      1. Finite-key analysis
      2. Open issues in unconditional security
      3. Black-box security proofs
      4. Toward longer distances: satellites and repeaters
      5. QKD in networks
   B. QKD versus other solutions
Note added in proof
Acknowledgements
A. Unconditional security bounds for BB84 and six-states, single-qubit signals
B. Elementary estimates for quantum repeaters
   1. Quantum memories
   2. Model of quantum repeater
      a. Definition of the model
      b. Detection rates
References

I. INTRODUCTION

A. Cryptography

Cryptography is a field of applications that provide privacy, authentication and confidentiality to users. An important subfield is that of secure communication, aiming at allowing confidential communication between different parties such that no unauthorized party has access to the content of the messages. This field has a long history of successes and failures, as many methods to encode messages emerged along the centuries, always to be broken some time later.

History needs not repeat forever, though. In 1917, Vernam invented the so-called One-Time Pad encryption, which uses a symmetric, random secret key shared between sender and receiver (Vernam, 1926).
This scheme cannot be broken in principle, provided the parties do not reuse their key. Three decades later, Shannon proved that the Vernam scheme is optimal: there is no encryption method that requires less key (Shannon, 1949). This means that the key is being used up in the process. To employ this scheme, therefore, the communicating parties must have a secure method to share a key as long as the text to be encrypted. Because of this limitation, which becomes severe in case huge amounts of information have to be securely transmitted, most cryptographic applications nowadays are based on other schemes, whose security cannot be proved in principle, but is rather based on our experience that some problems are hard to solve. In other words, these schemes can be broken, but with a substantial amount of computational power. One can therefore set a security parameter to a value, such that the amount of required computational power lies beyond the amount deemed to be available to an adversary; the value can be adjusted in time, along with technological advances.

The picture has changed in the last two decades, thanks to unexpected inputs from quantum physics. In the early 1980s, Bennett and Brassard proposed a solution to the key distribution problem based on quantum physics (Bennett and Brassard, 1984); this idea, independently re-discovered by Ekert a few years later (Ekert, 1991), was the beginning of quantum key distribution (QKD) which was to become the most promising task of quantum cryptography[1]. Since then, QKD devices have constantly increased their key generation rate and have started approaching maturity, needed for implementation in realistic settings.

[1] Quantum cryptography is often identified with QKD, but actually comprises all possible tasks related to secrecy that are implemented with the help of quantum physics. The first appearance of a link between secrecy and quantum physics was Wiesner’s idea of quantum money, which dates back to the early 1970s although was published a decade later (Wiesner, 1983). To our knowledge, there is nothing else before Bennett’s and Brassard’s first QKD protocol. In 1999, two new tasks were invented and both were given the same name, quantum secret sharing. In one case, the protocol is a multi-partite generalization of key distribution (Hillery, Bužek and Berthiaume, 1999; Karlsson, Koashi and Imoto, 1999); in the other case it refers to the sharing of secret quantum information, i.e. the goal is for the authorized partners to share quantum information (instead of a list of classical random variables) known only to them (Cleve, Gottesman and Lo, 1999; Crépeau, Gottesman and Smith, 2005). Other examples of cryptographic tasks are bit commitment or oblivious transfer; for these tasks, contrary to the case of QKD and secret sharing, quantum physics cannot guarantee unconditional security (Lo and Chau, 1997; Lo, 1997; Mayers, 1997) and therefore their interest seems limited — though new paradigms like “bounded-storage models” may change this perception in the future (Damgaard et al., 2005, 2007; Wehner, Schaffner and Terhal, 2008).

In an intriguing independent development, ten years after the advent of QKD, Peter Shor discovered that large numbers can in principle be factorized efficiently if one can perform coherent manipulations on many quantum systems (Shor, 1994, 1997). Factorizing large numbers is an example of a mathematical task considered classically hard to solve and for this reason related to a class of cryptographic schemes which are currently widely used. Though quantum computers are not realized yet, the mere fact that they could be built brought into awareness that the security of some cryptographic schemes may be threatened[2].

This review focuses therefore on the cryptographic task of key distribution, and in particular on its realization using quantum physics. Note that a secret key serves many useful purposes in cryptography other than message encryption: it can be used, for example, to authenticate messages, that is, to prove that a message has been indeed sent by the claimed sender.

B. Basics of Quantum Key Distribution (QKD)

In this paragraph, we introduce the basic elements of quantum key distribution (QKD), for the sake of those readers who would not be familiar with the field. Alternative presentations of this material are available in many sources, ranging from books with rather general scope (Ekert et al., 2001; Le Bellac, 2006; Lo, 1998; Scarani, 2006) to other review articles specific to the topic (Dušek, Lütkenhaus and Hendrych, 2006; Gisin, Ribordy, Tittel and Zbinden, 2002; Lo and Zhao, 2008).

1. Generic setting

FIG. 1 (Color online) The setting of QKD: Alice and Bob are connected by a quantum channel, on which Eve can tap without any restriction other than the laws of physics; and by an authenticated classical channel, which Eve can only listen to.

The generic settings of QKD are schematically represented in Fig. 1. The two authorized partners, those that want to establish a secret key at a distance, are traditionally called Alice and Bob.
They need to be connected by two channels: a quantum channel, allowing them to share quantum signals; and a classical channel, on which they can send classical messages forth and back. The classical channel needs to be authenticated: this means that Alice and Bob identify themselves; a third person can listen to the conversation but cannot participate in it. The quantum channel, however, is open to any possible manipulation from a third person. Specifically, the task of Alice and Bob is to guarantee security against an adversarial eavesdropper, usually called Eve[3], tapping on the quantum channel and listening to the exchanges on the classical channel.

[2] This issue will be discussed in more detail in Sec. VIII.B.

By “security” we mean that “a non-secret key is never used”: either the authorized partners can indeed create a secret key (a common list of secret bits known only to themselves), or they abort the protocol[4]. Therefore, after the transmission of a sequence of symbols, Alice and Bob must estimate how much information about their lists of bits has leaked out to Eve. Such an estimate is obviously impossible in classical communication: if someone is tapping on a telephone line, or when Eve listens to the exchanges on the classical channel for that matters, the communication goes on unmodified. This is where quantum physics comes into the game: in a quantum channel, leakage of information is quantitatively related to a degradation of the communication. The next paragraph delves a bit deeper into the physical reasons for this statement.

2. The origin of security

The origin of security of QKD can be traced back to some fundamental principles of quantum physics. One can argue for instance that any action, by which Eve extracts some information out of quantum states, is a generalized form of measurement; and a well-known tenet of quantum physics says that measurement in general modifies the state of the measured system.
Alternatively, one may think that Eve’s goal is to have a perfect copy of the state that Alice sends to Bob; this is however forbidden by the no-cloning theorem (Wootters and Zurek, 1982), which states that one cannot duplicate an unknown quantum state while keeping the original intact. Both these arguments appear already in the seminal paper (Bennett and Brassard, 1984); they lead to the same formalization. A third physical argument can be invoked, which is usually considered rather as a fact than as a principle, but a very deep one: quantum correlations obtained by separated measurements on members of entangled pairs violate Bell’s inequalities and cannot therefore have been created by pre-established agreement. In other words, the outcomes of the measurements did not exist before the measurements; but then, in particular, Eve could not know them (Ekert, 1991). This argument supposes that QKD is implemented with entangled states.

The fact that security can be based on general principles of physics suggests the possibility of unconditional security, i.e. the possibility of guaranteeing security without imposing any restriction on the power of the eavesdropper (more on this notion in Sec. II.C.1). Indeed, at the moment of writing, unconditional security has been proved for several QKD protocols.

[3] The name, obtained from assonance with the English term “eavesdropping”, is remarkably suited for someone whose task is to mess things up!

[4] No physical principle can prevent an adversary to cut the channels, thus blocking all transfer of information between Alice and Bob. Stepping back then, one can imagine the following eavesdropping strategy (suggested to one of us by A. Beveratos): Eve systematically cuts all QKD channels, until Alice and Bob, who after all want to communicate, opt for less secure methods — and then Eve gets the information. There is obviously a point of humor in this idea but, given that Eve has no hope if QKD is used correctly, this strategy may be the most effective indeed.

3. The choice of light

In general, quantum information processing can be implemented with any system, and one indeed finds proposal to implement quantum computing with ions, atoms, light, spins... Abstractly, this is the case also for QKD: one could imagine to perform a QKD experiment with electrons, ions, molecules; however, light is the only practical choice. Indeed, the task of key distribution makes sense only if Alice and Bob are separated by a macroscopic distance: if they are in the same room, they have much easier ways of generating a common secret key.

Now, as well known, light does not interact easily with matter; therefore quantum states of light can be transmitted to distant locations basically without decoherence, in the sense that little perturbations are expected in the definition of the optical mode. The problem with light is scattering, i.e. losses: quite often, the photons just don’t arrive. The way losses affect QKD varies with the protocol and the implementation; we shall deal with these issues in detail later, but it’s useful to give here a rapid overview.
First and quite obviously, losses impose bounds on the secret key rate (that cannot scale with the distance better than the transmittivity of the line) and on the achievable distance (when losses are so large that the signal is lost in spurious events, the “dark counts”). Second: losses may leak information to the eavesdropper, according to the nature of the quantum signal: for coherent pulses it is certainly the case, for single photons it is not, the case for entangled beams is more subtle. A third basic difference is determined by the detection scheme. Indeed, implementations that use photon counters rely on post-selection: if a photon does not arrive, the detector does not click and the event is simply discarded [5]. On the contrary, implementations that use homodyne detection always give a signal, therefore losses translate as additional noise.

[5] Note that this is possible because the task is to distribute a random key. In the days of booming of quantum information, some authors considered the possibility of sending directly the message on the quantum channel (Beige et al., 2002; Boström and Felbinger, 2002). This task has been called “Quantum Secure Direct Communication” and has generated some interest. However, it was soon recognized (even by some of the original authors) that the idea suffers from two major defects with respect to standard QKD: (i) It is obviously not robust against losses: you cannot afford losing a significant amount of the message. (ii) It allows no analog of privacy amplification: if an eavesdropper obtains information, it is information on the message itself and cannot of course be erased.

In summary, QKD is always implemented with light and there is no reason to believe that things will change in the future. As a consequence, the quantum channel is any medium that propagates light with reasonable losses: typically, either an optical fiber, or just free space provided Alice and Bob have a line of sight.

4. The BB84 protocol

All the points and concepts introduced above will be dealt with in more depth and detail in the main sections of this review. Let us first practice the generic ideas on a very concrete example: the first QKD protocol, published by Bennett and Brassard in 1984 and called therefore BB84 (Bennett and Brassard, 1984).

Suppose Alice holds a source of single photons. The spectral properties of the photons are sharply defined, so the only degree of freedom left is polarization. Alice and Bob align their polarizers and agree to use either the Horizontal/Vertical ($+$) basis, or the complementary basis of linear polarizations, i.e. +45/-45 ($\times$). Specifically, the coding of bits is

$$
\begin{aligned}
|H\rangle &\ \text{codes for}\ 0_+ \\
|V\rangle &\ \text{codes for}\ 1_+ \\
|{+45}\rangle &\ \text{codes for}\ 0_\times \\
|{-45}\rangle &\ \text{codes for}\ 1_\times .
\end{aligned}
\tag{1}
$$

We see that both bit values 0 and 1 are coded in two possible ways, more precisely in non-orthogonal states, because

$$
|{\pm 45}\rangle = \frac{1}{\sqrt{2}} \left( |H\rangle \pm |V\rangle \right) . \tag{2}
$$

Given this coding, the BB84 protocol goes as follows:

1. Alice prepares a photon in one of the four states above and sends it to Bob on the quantum channel. Bob measures it in either the $+$ or the $\times$ basis. This step is repeated $N$ times. Both Alice and Bob now have a list of $N$ pairs (bit, basis).

2. Alice and Bob communicate over the classical channel and compare the “basis” value of each item and discard those instances in which they have used different bases. This step is called sifting. At its end, Alice and Bob have a list of approximately $N/2$ bits, with the promise that for each of them Alice’s coding matched Bob’s measurement. This list is called raw key.

3. Alice and Bob now reveal a random sample of the bits of their raw keys and estimate the error rate in the quantum channel, thus in turn Eve’s information. In the absence of errors, the raw key is identical for Alice and Bob and Eve has no information: in this case, the raw key is already the secret key. If there are errors however, Alice and Bob have to correct them and to erase the information that Eve could have obtained [6]. Both tasks can be performed by communication on the classical channel, so this part of the protocol is called classical post-processing. At the end of this processing, Alice and Bob share either a truly secret key or nothing at all (if Eve’s information was too large).

5. An example of eavesdropping

A particularly simple eavesdropping strategy is the one called intercept-resend. To obtain information, Eve does the same as Bob: she intercepts the photon coming from Alice and measures it either in the $+$ or in the $\times$ basis. But Bob is waiting for some signal to arrive. Let’s then suppose that Eve resends the same photon to Bob (Eve is limited only by the laws of physics, therefore in particular she can perform a quantum non-demolition measurement). If Eve has measured in the basis of Alice’s preparation, the photon is intact: on such instances, Eve has got full information on Alice’s bit without introducing any errors. However, when Eve has chosen the wrong basis, her result is uncorrelated with Alice’s bit; moreover, she has modified the state so that, even if Bob uses the same basis as Alice, half of the times he will get the wrong result. On average over long keys then, this particular attack gives Eve full information on half of the bits of the raw key ($I_E = 0.5$) at the price of introducing an error rate $Q = 0.25$.
Can a secure key be extracted under such conditions? One has to know how to quantify the length of the final key that can be extracted. For this particular case, under some assumptions on the classical post-processing it holds (Csiszár and Körner, 1978)

$$
r = \max\{ I(A:B) - I_E ,\ 0 \} , \tag{3}
$$

where $I(A:B) = H(A) + H(B) - H(AB)$ is the mutual information between Alice’s and Bob’s raw keys ($H$ is Shannon entropy). Assuming that both bit values are equally probable, i.e. $H(A) = H(B) = 1$, one has $I(A:B) = 1 - h(Q)$ where $h$ is binary entropy. Having these elements, one can plug in the values obtained for the intercept-resend attack and find that $I(A:B) < I_E$: Eve has more information on Alice’s string than Bob, therefore no secret key can be extracted [7].

Another simple exercise consists in supposing that Eve performs the intercept-resend attack only on a fraction $p$ of the photons sent by Alice, and leaves the others untouched. Then obviously $Q = p/4$ and $I_E = p/2 = 2Q$; this leads to conclude that, if $Q \gtrsim 17\%$, a secure key cannot be extracted from the BB84 protocol, at least if the classical post-processing is done according to the assumptions of (Csiszár and Körner, 1978).

[6] Historical note: the procedure that erases the information of the eavesdropper was not discussed in (Bennett and Brassard, 1984) and appears for the first time a few years later (Bennett, Brassard and Robert, 1988).

[7] This conclusion is valid for all protocols: no secret key can be extracted if the observed statistics are compatible with Eve performing the intercept-resend attack (Curty, Lewenstein and Lütkenhaus, 2004). The reason is that this attack “breaks” the quantum channel into two pieces, in which case the correlations between Alice and Bob can always be obtained with classical signals; and no secrecy can be distributed with classical communication.

6. Beyond the example: the field of QKD

The basic example that we have just presented calls for a number of important questions:

• The adversary is clearly not restricted to perform the intercept-resend attack. What is the maximal amount of information Eve can possibly obtain, if she is allowed to do anything that is compatible with the laws of physics? This is the question about the possibility of proving unconditional security.

• The BB84 protocol is just a particular protocol. What about other forms of coding and/or of processing the data?

• The protocol supposed that the quantum signal is a qubit: explicitly, a bimodal single photon, i.e. an elementary excitation of the light field in only two modes (polarization in the explicit example). How close can an implementation come to this? And after all, should any implementation of QKD actually aim at coming close to this?

• In a real device, information may leak out in channels that are neglected in a theoretical description. What are the potential threats in an implementation?

The whole field of QKD has developed along the answer to these and similar questions.
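The intercept-resend exercise of Sec. I.B.5 can be checked numerically. The Python simulation below is an added example, not code from the paper: it runs the BB84 steps with Eve intercepting a fraction p of the photons, measures Q and I_E on the sifted key, evaluates Eq. (3), and solves 1 − h(Q) = 2Q for the error-rate threshold. The function names, the seeds, and the use of the whole sifted key (rather than a revealed sample) to estimate Q are assumptions of this example.

```python
import math
import random

BASES = "+x"  # '+' = H/V basis, 'x' = +45/-45 basis


def h2(q):
    """Binary entropy h(q) in bits, with h(0) = h(1) = 0."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def secret_fraction(qber, eve_info):
    """Eq. (3) with I(A:B) = 1 - h(Q): r = max{1 - h(Q) - I_E, 0}."""
    return max(1.0 - h2(qber) - eve_info, 0.0)


def measure(state_basis, state_bit, meas_basis, rng):
    """Ideal polarization measurement: the preparation basis returns the
    encoded bit, the complementary basis a uniformly random outcome."""
    return state_bit if meas_basis == state_basis else rng.randrange(2)


def run_bb84(n_signals, p_intercept, seed=0):
    """Simulate BB84 with intercept-resend on a fraction p of the photons.

    Returns the sifted-key length, the error rate Q between Alice and Bob,
    Eve's information per sifted bit (fraction of sifted bits she measured
    in Alice's basis) and the secret fraction r of Eq. (3).
    Simplification of this example: Q is computed on the whole sifted key
    rather than on a revealed random sample.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    sifted = errors = eve_known = 0
    for _ in range(n_signals):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
        basis, bit = a_basis, a_bit          # state travelling on the channel
        eve_right_basis = False
        if rng.random() < p_intercept:
            e_basis = rng.choice(BASES)
            e_bit = measure(basis, bit, e_basis, rng)
            eve_right_basis = e_basis == a_basis
            basis, bit = e_basis, e_bit      # Eve resends what she measured
        b_basis = rng.choice(BASES)
        b_bit = measure(basis, bit, b_basis, rng)
        if b_basis != a_basis:
            continue                         # sifting: bases differ, discard
        sifted += 1
        errors += b_bit != a_bit
        eve_known += eve_right_basis
    if sifted == 0:
        raise ValueError("no sifted bits; increase n_signals")
    qber = errors / sifted
    eve_info = eve_known / sifted
    return {"sifted": sifted, "qber": qber, "eve_info": eve_info,
            "r": secret_fraction(qber, eve_info)}


def qber_threshold(tol=1e-9):
    """Largest Q with 1 - h(Q) - 2Q >= 0, i.e. with I_E = 2Q as in the
    partial intercept-resend attack; found by bisection on [0, 0.25]."""
    lo, hi = 0.0, 0.25
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if 1.0 - h2(mid) - 2.0 * mid > 0.0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    for p in (0.0, 0.4, 0.68, 1.0):
        res = run_bb84(200_000, p, seed=1)
        print(f"p={p:.2f}  Q={res['qber']:.3f} (p/4={p/4:.3f})  "
              f"I_E={res['eve_info']:.3f} (p/2={p/2:.3f})  r={res['r']:.3f}")
    print(f"threshold Q* = {qber_threshold():.4f}")
```

The measured Q and I_E track p/4 and p/2 up to sampling fluctuations, which is why Alice and Bob's error estimate in step 3 of the protocol bounds what this particular eavesdropper can have learned.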
C. Scope of this review

1. Focus

The label “quantum cryptography” applies nowadays to a very wide range of interests, going from abstract mathematical considerations to strictly technological issues. This review focuses somewhere in the middle of this range, in the realm where theoretical and experimental physics meet, that we call practical QKD. There, theorists cannot pursue pure formal elegance and are compelled to complicate their models in order to take real effects into account; and experimentalists must have a serious grasp on theoretical issues in order to choose the right formulas and make the correct claims about the security of their devices. Specifically, we want to address the following two concerns:

1. On the one hand, the theoretical tools have reached a rather satisfactory level of development; but from outside the restricted group of experts, it has become almost impossible to follow this development, due also to the fact that quite a few strong security claims made in the past had to be revisited in the light of better understanding. As theorists involved in the development of security proofs, we want to provide an updated review of the status of such proofs.

2. On the other hand, several competing experimental platforms exist nowadays. It is desirable to have a synthetic view of those, highlighting the interest and possible shortcomings of each choice. Also, we want to raise the awareness of the complexity of any comparison: “physical” figures of merit like the secret key rate or the maximal achievable distance are in competition with “practical” figures of merit like stability and cost.

Along the review, we shall make reference also to some strictly mathematical or strictly technological progresses, but without any claim of exhaustiveness.

2. Outline

The review is structured as follows. Section II introduces all the basic elements of practical QKD.
Section III is devoted to the rate at which a secret key is produced: this is the fundamental parameter of QKD, and depends both on the speed and efficiency of the devices, and on the intrinsic security of the protocol against eavesdropping. The next three sections provide a detailed analysis, with a consistent set of explicit formulas, for the three main families of protocols: those based on discrete-variable coding (Section IV), those based on continuous-variable coding (Section V) and the more recent distributed-phase-reference coding (Section VI). In Section VII, we put everything together and sketch some directions for comparison of different experimental platforms. Finally, in Section VIII, we discuss future perspectives for QKD, both as a field in itself and in the broader context of key distribution.

II. THE ELEMENTS OF PRACTICAL QKD

A. Milestones

1. Foundations: 1984-1995

QKD unfolded with the presentation of the first complete protocol (Bennett and Brassard, 1984), which was based on earlier ideas by Wiesner (Wiesner, 1983). In the BB84 protocol, bits are coded in two complementary bases of a two level system (qubit); this qubit is sent by Alice to Bob, who measures it. The no-cloning theorem is explicitly mentioned as the reason for security. This work was published in conference proceedings and was largely unknown to the community of physicists. It was not until 1991, when Artur Ekert, independently from the earlier developments, published a paper on quantum key distributions, that the field gained a rapid popularity (Ekert, 1991). Ekert’s argument for security had a different flavor: an eavesdropper introduces “elements of reality” into the correlations shared by Alice and Bob; so, if they observe correlations that violate a Bell inequality, the communication cannot have been completely broken by Eve.
Shortly afterwards, Bennett, Brassard and Mermin argued [8] that entanglement-based protocols, such as E91, are equivalent to prepare&measure protocols, such as the BB84 protocol (Bennett, Brassard and Mermin, 1992). The same year 1992 witnessed two additional milestones: the invention of the B92 protocol (Bennett, 1992) and the very first in-principle experimental demonstration (Bennett et al., 1992). One can reasonably conclude the foundational period of QKD with the definition of privacy amplification, the classical post-processing needed to erase Eve’s information from the raw key (Bennett et al., 1995).

[8] The argument is correct under some assumptions; only around the year 2006 it was fully realized that Ekert’s view is qualitatively different and allows one to reduce the set of assumptions about Alice’s and Bob’s devices; see VIII.A.3. This is also why the Ekert protocol was not implemented as such in an experiment until very recently (Ling et al., 2008).

2. The theory-experiment gap opens: 1993-2000

After these foundational works, the interest and feasibility of QKD became apparent to many. Improved experimental demonstrations took place, first in the lab with a growing distance of optical fiber next to the optical table (Bréguet, Muller and Gisin, 1994; Franson and Ilves, 1994; Townsend, Rarity and Tapster, 1993), then in installed optical fibers (Muller, Zbinden and Gisin, 1995), thereby demonstrating that QKD can be made sufficiently robust for a real-world implementation. In this development, an obvious milestone is the invention of the so-called Plug&Play setups by the Geneva group (Muller et al., 1997; Ribordy et al., 1998). By the year 2000, QKD over large distances was demonstrated also with entangled photons (Jennewein et al., 2000; Naik et al., 2000; Tittel et al., 2000).

Theorists became very active too. New protocols were proposed. For instance, the elegant six-state protocol, first mentioned back in 1984 as a possible extension of BB84 (Bennett et al., 1984), was rediscovered and studied in greater detail (Bechmann-Pasquinucci and Gisin, 1999; Bruß, 1998). But by far a more complex task was at stake: the derivation of rigorous security proofs that would replace the intuitive arguments and the first, obviously sub-optimal estimates. The first such proof has been given by Mayers, who included even advanced features such as the analysis of finite key effects (Mayers, 1996, 2001). However, this proof is not very intuitive, and other proofs emerged, starting with the basic principle of entanglement distillation ideas (Deutsch et al., 1996) which were put into a rigorous framework by Lo and Chau (Lo and Chau, 1999). These entanglement-based proofs would require the ability to perform quantum logic operations on signals. At present, we do not have the experimental capability to do so. Therefore the result by Shor and Preskill (Shor and Preskill, 2000) provided a step forward, as it combined the property of Mayers’ result of using only classical error correction and privacy amplification with a very intuitive way of proving the security of the BB84 protocol.
That result uses the ideas of quantum error correction methods, and reduces the corresponding quantum protocol to an actual classically-assisted prepare-and-measure protocol.

As of the year 2000 therefore, both experimental and theoretical QKD had made very significant advances. However, almost inevitably, a gap had opened between the two: security proofs had been derived only for very idealized schemes; setups had been made practical without paying attention to all the security issues.

3. Closing the gap: 2000 to present

The awareness of the gap was triggered by the discovery of photon-number-splitting (PNS) attacks (Brassard et al., 2000), which had actually been anticipated years before (Bennett, 1992; Dušek, Haderka and Hendrych, 1999; Huttner et al., 1995) but had passed rather unnoticed. The focus is on the source: the theoretical protocols supposed single-photon sources, but experiments were rather using attenuated laser pulses, with average photon numbers below one. In these pulses, photons are distributed according to the Poissonian statistics: in particular, there are sometimes two or more photons, and this opens an important loophole. Security proofs could be adapted to deal with the case (Gottesman, Lo, Lütkenhaus and Preskill, 2004; Inamori, Lütkenhaus and Mayers, 2001-2007; Lütkenhaus, 2000): the extractable secret key rate was found to scale much worse with the distance than for single-photon sources ($t^2$ compared to $t$, where $t$ is the transmittivity of the quantum channel).

It took a few years to realize that methods can be devised to reduce the power of PNS attacks while keeping the very convenient laser sources. One improvement can be made by a mere change of software by modifying the announcements of the BB84 protocol (Scarani, Acín, Ribordy and Gisin, 2004): in this SARG04 protocol, the key rate scales as $t^{3/2}$ (Koashi, 2005; Kraus, Gisin and Renner, 2005).
Another significant improvement can be made by an easy change of hardware: by varying the quantum state along the protocol (decoy states), one can perform a more complete test of the quantum channel (Hwang, 2003). When the decoy state idea is applied to laser sources, the key rate scales as $t$ (Lo, Ma and Chen, 2005; Wang, 2005).

Parallel to this development, the field of practical QKD [9] has grown in breadth and maturity. New families of protocols have been proposed, notably continuous-variable protocols (Cerf, Lévy and Van Assche, 2001; Gottesman and Preskill, 2001; Grosshans and Grangier, 2002a; Hillery, 2000; Ralph, 1999; Silberhorn et al., 2002) and the more recent distributed-phase-reference protocols (Inoue, Waks and Yamamoto, 2002; Stucki et al., 2005). Critical thinking on existing setups has led to the awareness that the security against Eve tapping on the quantum channel is not all: one should also protect the devices against more commonplace hacking attacks and verify that information does not leak out in side-channels (Makarov and Hjelme, 2005). Recently, QKD has also reached the commercial market: at least three companies [10] are offering working QKD devices. New questions can now be addressed: in which applications QKD can help (Alléaume et al., 2007), how to implement a network of QKD systems [11], how to certify QKD devices for commercial markets (including the verification that these devices indeed fulfill the specifications of the corresponding security proofs) etc.

[9] The whole field of QKD witnessed many other remarkable developments, especially in theoretical studies, which are not included in this paragraph but are mentioned in due place in the paper.

[10] idQuantique, Geneva (Switzerland), www.idquantique.com; MagiQ Technologies, Inc., New York, www.magiqtech.com; and Smartquantum, Lannion (France), www.smartquantum.com.

[11] This is the aim of the European Network SECOQC, www.secoqc.net.
B. Generic QKD Protocol

1. Classical and quantum channels

As introduced in Sec. I.B, Alice and Bob need to be connected by two channels. On the quantum channel, Alice can send quantum signals to Bob. Eve can interact with these signals, but if she does, the signals are changed because of the laws of quantum physics – the essence of QKD lies precisely here.

On the classical channel, Alice and Bob can send classical messages back and forth. Eve can listen without penalty to all communication that takes place on this channel. However, in contrast to the quantum channel, the classical channel is required to be authenticated, so that Eve cannot change the messages that are being sent on this channel. Failure to authenticate the classical channel can lead to the situation where Eve impersonates one of the parties to the other, thus entirely compromising the security. Unconditionally secure authentication [12] of the classical channel requires Alice and Bob to pre-share an initial secret key or at least partially secret but identical random strings (Renner and Wolf, 2003). QKD therefore does not create a secret key out of nothing: rather, it will expand a short secret key into a long one, so strictly speaking it is a way of key-growing. This remark calls for two comments. First, key growing cannot be achieved by use of classical means alone, whence QKD offers a real advantage. Second, it is important to show that the secret key emerging from QKD is composable, that is, it can be used like a perfect random secret key in any task (more in Sec. II.C.2), because one has to use a part of it as authentication key for the next round.

2. Quantum information processing

The first step of a QKD protocol is the exchange and measurement of signals on the quantum channel. Alice’s role is encoding: the protocol must specify which quantum state $|\Psi(S_n)\rangle$ codes for the sequence of $n$ symbols $S_n = \{s_1, ..., s_n\}$.
In most protocols, but not in all, the state $|\Psi(S_n)\rangle$ has the tensor product form $|\psi(s_1)\rangle \otimes ... \otimes |\psi(s_n)\rangle$. In all cases, it is crucial that the protocol uses a set of non-orthogonal states [13], otherwise Eve could decode the sequence without introducing errors by measuring in the appropriate basis (in other words, a set of orthogonal states can be perfectly cloned). Bob’s role is twofold: his measurements of course allow him to decode the signal, but also to estimate the loss of quantum coherence and therefore Eve’s information. For this to be possible, non-compatible measurements must be used.

[12] Authentication schemes that do not rely on pre-shared secrecy exist, but are not unconditionally secure. Since we aim at unconditional security for QKD, the same level of security must in principle be guaranteed in all the auxiliary protocols. However, breaking the authentication code after one round of QKD does not threaten security of the key that has been produced; one may therefore consider authentication schemes that guarantee security only for a limited time, e.g. based on complexity assumptions.

[13] There is only one exception (Goldenberg and Vaidman, 1995) when Alice uses just two orthogonal states. Alice prepares a qubit in one of the two orthogonal superpositions of two spatially separated states, then, at a random time instant, she sends one component of this superposition to Bob. Only later she sends the second component. Precise time synchronization between Alice and Bob is crucial. See also Peres’ criticism (Peres, 1996), the authors’ reply (Goldenberg and Vaidman, 1996) and a related discussion (Koashi and Imoto, 1997). Unconditional security has not been proved for this protocol.

We have described the quantum coding of QKD protocols with the language of Prepare-and-Measure (P&M) schemes: Alice chooses actively the sequence $S_n$ she wants to send, prepares the state $|\Psi(S_n)\rangle$ and sends it to Bob, who performs some measurement. Any such scheme can be immediately translated into an entanglement-based (EB) scheme: Alice prepares the entangled state

$$
|\Phi^n\rangle_{AB} = \frac{1}{\sqrt{d_n}} \sum_{S_n} |S_n\rangle_A \otimes |\Psi(S_n)\rangle_B \tag{4}
$$

where $d_n$ is the number of possible $S_n$ sequences and the $|S_n\rangle_A$ form an orthogonal basis. By measuring in this basis, Alice learns one $S_n$ and prepares the corresponding $|\Psi(S_n)\rangle$ on the sub-system that is sent to Bob: from Bob’s point of view, nothing changes. This formal translation obviously does not mean that both realizations are equally practical or even feasible with present-day technology. However, it implies that the security proof for the EB protocol translates immediately to the corresponding P&M protocol and vice versa.

A frequently quoted statement concerning the role of entanglement in QKD says that “entanglement is a necessary condition to extract a secret key” (Acín and Gisin, 2005; Curty, Lewenstein and Lütkenhaus, 2004). Two important comments have to be made to understand it correctly. First of all, this is not a statement about implementations, but about the quantum channel: it says that no key can be extracted from an entanglement-breaking channel [14]. In particular, the statement does not say that entanglement-based implementations are the only secure ones.

[14] As the name indicates, a channel $\rho \to \rho' = C(\rho)$ is called entanglement-breaking if $(\mathbb{1} \otimes C)|\Psi\rangle_{AB}$ is separable for any input $|\Psi\rangle_{AB}$. A typical example of such a channel is the one obtained by performing a measurement on half of the entangled pair.

Second: as formulated above, the statement has been derived under the assumption that Eve holds a purification of $\rho_{AB}$, where $A$ and $B$ are the degrees of freedom that Alice and Bob are going to measure. One may ask a more general question, namely, how to characterize all the private states, i.e. the states out of which secrecy can be extracted (Horodecki et al., 2005, 2008a,b). It was realized that, in the most general situation, Alice and Bob may control some additional degrees of freedom $A'$ and $B'$; thus, Eve is not given a purification of $\rho_{AB}$, but of $\rho_{AA'BB'}$. In such a situation, it turns out that $\rho_{AB}$ can even be separable; as for $\rho_{AA'BB'}$, it must be entangled, but may even be bound entangled. The reason is quite clear: $A'$ and $B'$ shield the meaningful degrees of freedom from Eve’s knowledge. We do not consider this most general approach in what follows [15], because at the moment of writing no practical QKD scheme with shielding systems has been proposed.

3. Classical information processing

Once a large number $N$ of signals have been exchanged and measured on the quantum channel, Alice and Bob start processing their data by exchanging communication on the classical channel. In all protocols, Alice and Bob estimate the statistics of their data; in particular, they can extract the meaningful parameters of the quantum channel: error rate in decoding, loss of quantum coherence, transmission rate, detection rates... This step, called parameter estimation, may be preceded in some protocols by a sifting phase, in which Alice and Bob agree to discard some symbols (typically, because Bob learns that he has not applied the suitable decoding on those items). After parameter estimation and possibly sifting, both Alice and Bob hold a list of $n \le N$ symbols, called raw keys. These raw keys are only partially correlated and only partially secret. Using some classical information post-processing (see III.B.1), they can be transformed into a fully secure key $K$ of length $\ell \le n$. The length $\ell$ of the final secret key depends of course on Eve’s information on the raw keys.

4. Secret fraction and secret key rate

In the asymptotic case $N \to \infty$ of infinitely long keys, the meaningful quantity is the secret fraction [16]

$$
r = \lim_{N \to \infty} \ell / n . \tag{5}
$$

The secret fraction is clearly the heart of QKD: this is the quantity for which the security proofs (II.C.3) must provide an explicit expression.
However, a more prosaic parameter must also be taken into account in practical QKD: namely, the raw-key rate $R$, i.e. the length of the raw key that can be produced per unit time. This rate depends partly on the protocol: for instance, it contains the sifting factor, i.e. the fraction of exchanged symbols that is discarded in a possible sifting phase. But, surely enough, its largest dependence is on the details of the setup: repetition rate of the source, losses in the channel, efficiency and dead time of the detectors, possible duty cycle, etc. In conclusion, in order to assess the performances of practical QKD systems, it is natural to define the secret key rate as the product

$$
K = R\, r . \tag{6}
$$

The whole Section III will be devoted to a detailed discussion of this quantity.

[15] In (Smith, Renes and Smolin, 2008), the formalism of private states is used to study pre-processing, see III.B.1.

[16] Often, especially in theoretical studies, this quantity is called “secret key rate”. In this paper, we reserve this term to (6), which is more meaningful for practical QKD.

As mentioned, these definitions hold in the asymptotic regime of infinitely long keys. When finite-key corrections are taken into account, a reduction of the secret fraction is expected, mainly for two reasons. On the one hand, parameter estimation is made on a finite number of samples, and consequently one has to consider the worst possible values compatible with statistical fluctuations. On the other hand, the yield of the classical post-processing contains terms that vanish only in the asymptotic limit; intuitively, these corrections take care of the fact that security is never absolute: the probability that Eve knows an $n$-bit key is at least $2^{-n}$, which is strictly positive.
In this review, we restrict our attention to the asymptotic case, not because finite-key corrections are negligible (quite the opposite seems to be true [17]) but because their estimate is still the object of on-going research (see VIII.A.1 for the state-of-the-art).

[17] For instance, in the only experiment analyzed with finite-key formalism to date (Hasegawa et al., 2007), the authors extracted $r \approx 2\%$, whereas, for the observed error rate, the asymptotic bound would have yielded $r \gtrsim 40\%$!

C. Notions of Security

1. Unconditional security, and its conditions

The appeal of QKD comes mainly from the fact that, in principle, it can achieve unconditional security. This technical term means that security can be proved without imposing any restriction on the computational resources or the manipulation techniques that are available to the eavesdropper acting on the signal. The possibility of achieving unconditional security in QKD is deeply rooted in quantum physics. To learn something about the key, Eve must interact with the quantum system; now, if the coding uses randomly chosen non-orthogonal states, Eve’s intervention necessarily modifies the state on average, and this modification can be observed by the parties. As we discussed in Sec. I.B, there are many equivalent formulations of this basic principle. However formulated, it must be stressed that this criterion can be made quantitative: the observed perturbations in the quantum channel allow computing a bound on the information that Eve might have obtained.
Like many other technical terms, the wording “unconditional security” has to be used in its precise meaning given above, and not as a synonym of “absolute security”, something that does not exist. As a matter of fact, unconditional security of QKD holds under some conditions. First of all, there are some compulsory requirements:

1. Eve cannot intrude into Alice’s and Bob’s devices to access either the emerging key or their choices of settings (we shall see in Sec. III.B.4 how complex it is to check this point thoroughly).

2. Alice and Bob must trust the random number generators that select the state to be sent or the measurement to be performed.

3. The classical channel is authenticated with unconditionally secure protocols, which exist (Carter and Wegman, 1979; Stinson, 1995; Wegman and Carter, 1981).

4. Eve is limited by the laws of physics. This requirement can be sharpened: in particular, one can ask whether security can be based on a restricted set of laws [18]. In this review, as in the whole field of practical QKD, we assume that Eve has to obey the whole of quantum physics.

[18] As we have seen (I.B.2), intuition suggests that the security of QKD can be traced back to a few specific principles or laws like “no-cloning” or “non-locality without signaling”. One may ask whether this intuition may be made fully rigorous. Concretely, since any theory that does not allow signaling and is non-local exhibits a no-cloning theorem (Barnum et al., 2006; Masanes, Acín and Gisin, 2006), and since non-locality itself can be checked, one may hope to derive security only from the physical law of no-signaling. In this framework, as of today, unconditional security has been proved only in the case of strictly error-free channels and for a key of vanishing length (Barrett, Hardy and Kent, 2005). Only limited security has been proved in more realistic cases (Acín, Gisin and Masanes, 2006; Scarani et al., 2006). Recently, Masanes showed that unconditional composable security can be proved if no-signaling is assumed not only between Alice and Bob, but also among the systems that are measured by each partner (Masanes, 2009).

We shall take these requirements, the failure of which would obviously compromise any security, as granted. Even so, many other issues have to be settled, before unconditional security is claimed for a given protocol: for instance, the theoretical description of the quantum states must match the signals that are really exchanged; the implementations must be proved free of unwanted information leakage through side-channels or back-doors, against which no theoretical protection can be invoked.

2. Definition of security

The security of a key $K$ can be parametrized by its deviation $\varepsilon$ from a perfect key, which is defined as a list of perfectly correlated symbols shared between Alice and Bob, on which Eve has no information (in particular, all the possible lists must be equally probable a priori). A definition of security is a choice of the quantity that is required to be bounded by $\varepsilon$; a key that deviates by $\varepsilon$ from a perfect key is called $\varepsilon$-secure. The main property that a definition of security must fulfill is composability, meaning that the security of the key is guaranteed whatever its application may be; more precisely: if an $\varepsilon$-secure key is used in an $\varepsilon'$-secure task [19], composability ensures that the whole procedure is at least $(\varepsilon + \varepsilon')$-secure.

A composable definition of security is the one based on the trace-norm (Ben-Or et al., 2005; Renner and König, 2005):

$$
\frac{1}{2} \left\| \rho_{KE} - \tau_K \otimes \rho_E \right\|_1 \le \varepsilon ,
$$

where $\rho_{KE}$ is the actual state containing some correlations between the final key and Eve, $\tau_K$ is the completely mixed state on the set $\mathcal{K}$ of possible final keys and $\rho_E$ is any state of Eve. In this definition, the parameter $\varepsilon$ has a clear interpretation as the maximum failure probability of the process of key extraction.
As the dates of the references show, the issue of composability was raised rather late in the development of QKD. Most, if not all, of the early security studies had adopted a definition of security that is not composable, but the asymptotic bounds that were derived can be “redeemed” using a composable definition [20].

3. Security proofs

Once the security criterion is defined, one can derive a full security proof, leading to an explicit (and hopefully computable) expression for the length of the extractable secret key rate.

[19] For instance, the One-Time Pad is a 0-secure task; while any implementation of channel authentication, for which a part of the key is used (II.B.1), must allow for a non-zero $\varepsilon'$.

[20] The early proofs defined security by analogy with the classical definition: Eve, who holds a quantum state $\rho_E$, performs the measurement $M$ which maximizes her mutual information with the key $K$. This defines the so-called accessible information $I_{\mathrm{acc}}(K : \rho_E) = \max_{E = M(\rho_E)} I(K : E)$, and the security criterion reads $I_{\mathrm{acc}}(K : \rho_E) \le \varepsilon$. As for the history of claims, it is quite intricate. Accessible information was first claimed to provide composable security (Ben-Or et al., 2005). The proof is correct, but composability follows from the use of two-universal hashing in the privacy amplification step (see III.B.1), rather than from the properties of accessible information itself. Indeed, shortly after, an explicit counterexample showed that accessible information is in general not composable for any reasonable choice of the security parameter $\varepsilon$ (König et al., 2007). The reason why accessible information is not composable can be explained qualitatively: this criterion supposes that Eve performs a measurement to guess the key at the end of the key exchange. But Eve may prefer not to measure her systems until the key is actually used in a further protocol: for instance, if a plaintext attack can reveal some information, Eve would certainly do better to adapt her measurement to this additional knowledge. The counterexample also implies that the classical results on privacy amplification by two-universal hashing (Bennett et al., 1995) do not apply and have to be replaced by a quantum version of the statement (Renner and König, 2005).

  • 11. Several techniques have been used:

    • The very first proofs by Mayers were somehow based on the uncertainty principle (Mayers, 1996, 2001). This approach has been revived recently by Koashi (Koashi, 2006, 2007).
    • Most of the subsequent security proofs have been based on the correspondence between entanglement distillation and classical post-processing, generalizing the techniques of Shor and Preskill (Shor and Preskill, 2000). For instance, the most developed security proofs for imperfect devices follow this pattern (Gottesman, Lo, Lütkenhaus and Preskill, 2004).
    • The most recent techniques use rather information-theoretical notions (Ben-Or, 2002; Kraus, Gisin and Renner, 2005; Renner, 2005; Renner, Gisin and Kraus, 2005).

A detailed description on how a security proof is built goes beyond the scope of this review. The core lies in how to relate the security requirement $\frac{1}{2}\|\rho_{KE} - \tau_K \otimes \rho_E\|_1 \le \varepsilon$ to a statement about the length $\ell$ of the secret key that can be extracted. This step is achieved using inequalities that can be seen as a generalization of the Chernoff bound. In other words, one must use or prove an inequality of the form

$$\mathrm{Prob}\left[\,\|\rho_{KE} - \tau_K \otimes \rho_E\|_1 > 2\varepsilon\,\right] \lesssim e^{\ell - F(\rho_{KE},\,\varepsilon)} \tag{7}$$

where we omitted constant factors. From such an inequality, one immediately reads that the security requirement will fail with exponentially small probability provided $\ell \lesssim F(\rho_{KE}, \varepsilon)$. Explicit security bounds will be provided below (Sec. III.B) for the asymptotic limit of infinitely long keys — note that in this limit one can take $\varepsilon \to 0$, whence no explicit dependence on $\varepsilon$ is manifest in those expressions.

D. Explicit Protocols

1. Three families

The number of explicit QKD protocols is virtually infinite: after all, Bennett has proved that security can be obtained when coding a bit in just two non-orthogonal quantum states (Bennett, 1992).
But as a matter of fact, this possible variety has crystallized into three main families: discrete-variable coding (II.D.2), continuous-variable coding (II.D.3), and more recently distributed-phase-reference coding (II.D.4). The crucial difference is the detection scheme: discrete-variable coding and distributed-phase-reference coding use photon counting and post-select the events in which a detection has effectively taken place, while continuous-variable coding is defined by the use of homodyne detection (detection techniques are reviewed in Sec. II.G).

Discrete-variable coding is the original one. Its main advantage is that protocols can be designed in such a way that, in the absence of errors, Alice and Bob would share immediately a perfect secret key. They are still the most implemented QKD protocols. Any discrete quantum degree of freedom can be chosen in principle, but the most frequent ones are polarization for free-space implementations and phase-coding in fiber-based implementations [21].

The case for continuous-variable coding stems from the observation that photon counters normally feature low quantum efficiencies, high dark count rates, and rather long dead times; while these inconveniences can be overcome by using homodyne detection. The price to pay is that the protocol provides Alice and Bob with correlated but rather noisy realization of a continuous random variable, because losses translate into noise (see I.B.3): as a consequence, a significant amount of error correction procedures must be used. In short, the issue is, whether it is better to build up slowly a noiseless raw key, or rapidly a noisy one.

As for distributed-phase-reference coding, its origin lies in the effort of some experimental groups toward a more and more practical implementation.
From the point of view of detection, these protocols produce a discrete-valued result; but the nature of the quantum signals is very different from the case of discrete-variable coding, and this motivates a separate treatment.

Despite the differences originating from the use of a different detection device, there is a strong conceptual unity underlying discrete- and continuous-variable QKD. To take just one example, in both cases the ability to distribute a quantum key is closely related to the ability to distribute entanglement, regardless of the detection scheme used and even if no actual entanglement is present. These similarities are not very surprising since it has long been known that the quantum features of light may be revealed either via photon counting (e.g., antibunching or anticorrelation experiments) or via homodyne detection (e.g., squeezing experiments). Being a technique that exploits these quantum features of light, QKD has thus no reason to be restricted to the photon-counting regime. Surprisingly, just like antibunching (or a single-photon source) is not even needed in photon-counting based QKD, we shall see that squeezing is not needed in homodyne-detection based QKD. The only quantum feature that happens to be needed is the non-orthogonality of light states.

[21] Other degrees of freedom have been explored, for instance coding in sidebands of phase-modulated light (Mérolla et al., 1999) and time-coding (Boucher and Debuisschert, 2005). Energy-time entanglement gives also rise to a peculiar form of coding (Tittel et al., 2000).
  • 12. 2. Discrete-variable Protocols

a. BB84-BBM. The best known discrete-variable protocol is of course BB84 (Bennett and Brassard, 1984), that we introduced in Sec. I.B. The corresponding EB protocol is known as BBM (Bennett, Brassard and Mermin, 1992); the E91 protocol (Ekert, 1991) is equivalent to it when implemented with qubits. Alice prepares a single particle in one of the four states:

$$\begin{aligned}
|{+x}\rangle,\ |{-x}\rangle &\quad \text{eigenstates of } \sigma_x \\
|{+y}\rangle,\ |{-y}\rangle &\quad \text{eigenstates of } \sigma_y
\end{aligned} \tag{8}$$

where the $\sigma$’s are Pauli operators. The states with “+” code for the bit value 0, the states with “−” for the bit value 1. Bob measures either $\sigma_x$ or $\sigma_y$. In the absence of errors, measurement in the correct basis reveals the bit-value encoded by Alice. The protocol includes a sifting phase: Alice reveals the basis, $X$ or $Y$, of each of her signals; Bob accepts the values for which he has used the same basis and discards the others [22].

Unconditional security of BB84-BBM has been proved with many different techniques (Kraus, Gisin and Renner, 2005; Lo and Chau, 1999; Mayers, 1996, 2001; Shor and Preskill, 2000). The same coding can be implemented with other sources, leading to a family of BB84-like protocols. We review them at length in Sec. IV.B.

b. SARG04. The SARG04 protocol (Acín, Gisin and Scarani, 2004; Scarani, Acín, Ribordy and Gisin, 2004) uses the same four states (8) and the same measurements on Bob’s side as BB84, but the bit is coded in the basis rather than in the state (basis $X$ codes for 0 and basis $Y$ codes for 1). Bob has to choose his bases with probability $\frac{1}{2}$. The creation of the raw key is slightly more complicated than in BB84. Suppose for definiteness that Alice sends $|{+x}\rangle$: in the absence of errors, if Bob measures $X$ he gets $s_b = +$; if he measures $Y$, he may get both $s_b = +/-$ with equal probability.
In the sifting phase, Bob reveals $s_b$; Alice tells him to accept if she had prepared a state with $s_a \neq s_b$, in which case Bob accepts the bit corresponding to the basis he has not used. The reason is clear in the example above: in the absence of errors, $s_b = -$ singles out the wrong basis [23].

SARG04 was invented for implementations with attenuated laser sources, because it is more robust than BB84 against the PNS attacks. Unconditional security has been proved; we shall review the main results in Sec. IV.D.

[22] In the original version of BB84, both bases are used with the same probability, so that the sifting factor is $p_{\mathrm{sift}} = \frac{1}{2}$, i.e. only half of the detected bits will be kept in the raw key. But the protocol can be made asymmetric without changing the security (Lo, Chau and Ardehali, 1998-2005): Alice and Bob can agree on using one basis with probability $1 - \epsilon$ where $\epsilon$ can be taken as small as one wants, so as to have $p_{\mathrm{sift}} \approx 1$ (recall that we are considering only asymptotic bounds; in the finite key regime, the optimal value of $\epsilon$ can be computed (Scarani and Renner, 2008)).

c. Other discrete-variable protocols. A large number of other discrete-variable protocols have been proposed; all of them have features that make them less interesting for practical QKD than BB84 or SARG04.

The six-state protocol (Bechmann-Pasquinucci and Gisin, 1999; Bennett et al., 1984; Bruß, 1998) follows the same structure as BB84, to which it adds the third mutually unbiased basis $Z$ defined by the Pauli matrix $\sigma_z$. Its unconditional security has been proved quite early (Lo, 2001). The interest of this protocol lies in the fact that the channel estimation becomes “tomographically complete”, that is, the measured parameters completely characterize the channel. As a consequence, more noise can be tolerated with respect to BB84 or SARG04. However, noise is quite low in optical setups, while losses are a greater concern (see II.F).
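The BB84 and SARG04 sifting rules described above can be checked by enumerating every combination of Alice's state, Bob's basis and Bob's outcome with its Born-rule probability. This is an added example, not code from the paper; the function names and the optional `visibility` noise parameter (a depolarizing channel) are assumptions of the example and go beyond the error-free case treated in the text.

```python
"""Exact sifting statistics for BB84 and SARG04 with the four states of Eq. (8)."""
import math

S = 1 / math.sqrt(2)
# Eigenstates of sigma_x and sigma_y, keyed by (basis, sign).
STATES = {
    ("X", +1): (S, S),
    ("X", -1): (S, -S),
    ("Y", +1): (S, 1j * S),
    ("Y", -1): (S, -1j * S),
}
BIT_OF_SIGN = {+1: 0, -1: 1}       # BB84: "+" codes 0, "-" codes 1
BIT_OF_BASIS = {"X": 0, "Y": 1}    # SARG04: basis X codes 0, basis Y codes 1


def outcome_prob(sent, measured, visibility=1.0):
    """Probability that Bob projects onto `measured` when Alice sent `sent`.

    visibility < 1 mixes in white noise (assumed depolarizing channel).
    """
    a, b = STATES[sent], STATES[measured]
    overlap = abs(b[0].conjugate() * a[0] + b[1].conjugate() * a[1]) ** 2
    return visibility * overlap + (1 - visibility) / 2


def events(visibility=1.0):
    """Yield (probability, alice_basis, s_a, bob_basis, s_b) for all 16 cases."""
    for a_basis, s_a in STATES:
        for b_basis in ("X", "Y"):
            for s_b in (+1, -1):
                # Alice picks 1 of 4 states, Bob 1 of 2 bases, uniformly.
                p = 0.25 * 0.5 * outcome_prob(
                    (a_basis, s_a), (b_basis, s_b), visibility)
                yield p, a_basis, s_a, b_basis, s_b


def bb84(visibility=1.0):
    """Return (sifting factor, error rate of the sifted key) for BB84."""
    kept = wrong = 0.0
    for p, a_basis, s_a, b_basis, s_b in events(visibility):
        if a_basis == b_basis:          # Alice reveals the basis
            kept += p
            if BIT_OF_SIGN[s_a] != BIT_OF_SIGN[s_b]:
                wrong += p
    return kept, wrong / kept


def sarg04(visibility=1.0):
    """Return (sifting factor, error rate of the sifted key) for SARG04."""
    kept = wrong = 0.0
    for p, a_basis, s_a, b_basis, s_b in events(visibility):
        if s_a != s_b:                  # Bob reveals s_b, Alice accepts
            kept += p
            unused = "Y" if b_basis == "X" else "X"
            if BIT_OF_BASIS[unused] != BIT_OF_BASIS[a_basis]:
                wrong += p
    return kept, wrong / kept


if __name__ == "__main__":
    for v in (1.0, 0.9):
        print(f"V={v}: BB84 {bb84(v)}  SARG04 {sarg04(v)}")
```

Without noise both sifted keys are error-free, but SARG04 keeps a quarter of the signals where symmetric BB84 keeps half; with the assumed noise model the same disturbance produces a larger error rate in the SARG04 sifted key.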
In this respect, the six-state protocol performs worse, because it requires additional lossy optical components. Similar considerations apply to the six-state version of the SARG04 coding (Tamaki and Lo, 2006) and to the Singapore protocol (Englert et al., 2004).

The coding of BB84 and six-state has been generalized to larger dimensional quantum systems (Bechmann-Pasquinucci and Peres, 2000; Bechmann-Pasquinucci and Tittel, 2000). For any $d$, protocols that use either two or $d + 1$ mutually unbiased bases have been defined (Cerf et al., 2002). Unconditional security was not studied; for restricted attacks, the robustness to noise increases with $d$. Time-bin coding allows producing $d$-dimensional quantum states of light in a rather natural way (De Riedmatten et al., 2004; Thew et al., 2004). However, the production and detection of these states requires $d$-arm interferometers with couplers or switches, that must moreover be kept stable. Thus again, the possible advantages are overcome by the practical issues of losses and stability.

Finally, we have to mention the B92 protocol (Bennett, 1992), which uses only two non-orthogonal states, each one coding for one bit-value. In terms of encoding, this is obviously the most economic possibility.

[23] In an alternative version of the sifting, Alice reveals that the state she sent belongs to one of the two sets $\{|s_a x\rangle, |s_a y\rangle\}$, and Bob accepts if he has detected a state $s_b \neq s_a$. This is a simplified version with respect to the original proposal, where Alice could declare any of the four sets of two non-orthogonal states. The fact that the two versions are equivalent in terms of security was not clear when the first rigorous bounds were derived (Branciard et al., 2005), but was verified later.

  • 13. Unfortunately, B92 is a rather sensitive protocol: as noticed already in the original paper, this protocol is secure only if some other signal (e.g. a strong reference pulse) is present along with the two states that code the bit. Unconditional security has been proved for single-photon implementations (Tamaki, Koashi and Imoto, 2003; Tamaki and Lütkenhaus, 2004) and for some implementations with a strong reference pulse (Koashi, 2004; Tamaki et al., 2006). Incidentally, SARG04 may be seen as a modified B92, in which a second set of non-orthogonal states is added — actually, an almost forgotten protocol served as a link between the two (Huttner et al., 1995).

3. Continuous-variable Protocols

Discrete-variable coding can be implemented with several sources, but requires photon-counting techniques. An alternative approach to QKD has been suggested, in which the photon counters are replaced by standard telecom PIN photodiodes, which are faster (GHz instead of MHz) and more efficient (typically 80% instead of 10%). The corresponding schemes are then based on homodyne detection (II.G.2) and involve measuring data that are real amplitudes instead of discrete events; hence these schemes are named continuous-variable (CV) QKD.

The first proposals suggesting the use of homodyne detection in QKD are due to (Hillery, 2000; Ralph, 1999; Reid, 2000). In particular, a squeezed-state version of BB84 was proposed in (Hillery, 2000), where Alice’s basis choice consists of selecting whether the state of light sent to Bob is squeezed in either quadrature $q = x$ or $q = p$. Next, this $q$-squeezed state is displaced in $q$ either by $+c$ or $-c$ depending on a random bit chosen by Alice, where $c$ is an appropriately chosen constant. Bob’s random basis choice defines whether it is the $x$ or $p$ quadrature that is measured. The sifting simply consists in keeping only the instances where Alice and Bob’s chosen quadratures coincide.
In this case, the value measured by Bob is distributed according to a Gaussian distribution centered on the value ($+c$ or $-c$) sent by Alice. In some sense, this protocol can be viewed as “hybrid” because Alice’s data are binary while Bob’s data are real (Gaussian distributed).

These early proposals and their direct generalization are called CV protocols with discrete modulation; at the same time, another class of CV protocols was proposed that rather use a continuous modulation, in particular a Gaussian modulation. Although CV protocols are much more recent than discrete-variable protocols, their security proofs have been progressing steadily over the last years, and are now close to reaching a comparable status: see a thorough discussion in Sec. V.A.

a. Gaussian protocols. The first proposed Gaussian QKD protocol was based on squeezed states of light, which are modulated with a Gaussian distribution in the $x$ or $p$ quadrature by Alice, and are measured via homodyne detection by Bob (Cerf, Lévy and Van Assche, 2001). This protocol can be viewed as the proper continuous-variable counterpart of BB84 in the sense that the average state sent by Alice is the same regardless of the chosen basis (it is a thermal state, replacing the maximally-mixed qubit state in BB84). The security of this protocol can be analyzed using the connection with continuous-variable cloning (Cerf, Ipe and Rottenberg, 2000); using a connection with quantum error-correcting codes, unconditional security was proved when the squeezing exceeds 2.51 dB (Gottesman and Preskill, 2001). The main drawback of this protocol is the need for a source of squeezed light.

A second Gaussian QKD protocol was therefore devised, in which Alice generates coherent states of light, which are then Gaussian modulated both in $x$ and $p$, while Bob still performs homodyne detection (Grosshans and Grangier, 2002a).
A first proof-of-principle experiment, supplemented with the technique of reverse reconciliation [24], was run with bulk optical elements on an optics table (Grosshans, Van Assche et al., 2003). Subsequent experiments have used optical fibers and telecom wavelengths. The scheme was thus implemented over distances up to 14 km using a Plug&Play configuration (Legré, Zbinden and Gisin, 2006), then up to 25 km by time-multiplexing the local oscillator pulses with the signal pulses in the same optical fiber and using an improved classical post-processing (Lodewyck et al., 2005; Lodewyck, Bloch et al., 2007). Another fiber-based implementation over 5 km has been reported (Qi, Huang et al., 2007).

Note that, in these two first protocols, Bob randomly chooses to homodyne one quadrature, either $x$ or $p$. In the squeezed-state protocol, this implies the need for sifting. Bob indeed needs to reject the instances where he measured the other quadrature than the one modulated by Alice, which results in a decrease of the key rate by a factor of 2 (this factor may actually be reduced arbitrarily close to 1 by making an asymmetric choice between $x$ and $p$, provided that the key length is sufficiently large) (Lo, Chau and Ardehali, 1998-2005). In the coherent-state protocol, Alice simply forgets the quadrature that is not measured by Bob, so that all pulses do carry useful information that is exploited to establish the final secret key.

The fact that Alice, in this second protocol, discards half of her data may look like a loss of efficiency since some information is transmitted and then lost.

[24] In all Gaussian QKD protocols, reversing the one-way reconciliation procedure (i.e., using Bob’s measured data instead of Alice’s sent data as the raw key) is beneficial in terms of attainable range, provided that the noise is not too large. We will come back to this point in Section V.

  • 14. A third Gaussian QKD protocol was therefore proposed (Weedbrook et al., 2004), in which Alice still transmits doubly-modulated coherent states drawn from a bivariate Gaussian distribution, but Bob performs heterodyne instead of homodyne measurements [25], that is, he measures both $x$ and $p$ quadratures simultaneously. At first sight, this seems to imply that the rate is doubled since Bob then acquires a pair of quadratures $(x, p)$. Actually, since heterodyne measurement effects one additional unit of vacuum noise on the measured quadratures, the two quadratures received by Bob are noisier than the single quadrature in the homodyne-based protocol. The net effect, however, is often an increase of the key rate when the two quadratures are measured simultaneously. In addition, a technological advantage of this heterodyne-based coherent-state protocol is that there is no need to choose a random quadrature at Bob’s side (that is, no active basis choice is needed). The experiment has been realized (Lance et al., 2005).

Finally, a fourth Gaussian QKD protocol was introduced recently (García-Patrón, 2007), which completes this family of Gaussian QKD protocols. Here, Alice sends again squeezed states, as in the protocol of (Cerf, Lévy and Van Assche, 2001), but Bob performs heterodyne measurements, as in the protocol of (Weedbrook et al., 2004). This protocol is associated with the highest rate and range among all Gaussian QKD protocols, but requires a source of squeezed light.

As seen in the discussion about BB84 and SARG04 above, it turns out also for the CV QKD protocols that the classical processing is an essential element of the protocol. As will be discussed later (V.A), the performance of CV-QKD protocols depends crucially on the exact protocol that extracts the secret key from the experimental data. Two important tools here are reverse reconciliation (Grosshans and Grangier, 2002a) and post-selection (Silberhorn et al., 2002).
As shown in (Heid and Lütkenhaus, 2007), the combination of both will lead to the optimal key rate.

b. Discrete-modulation protocols. On the side of practical implementation, it is desirable to keep the number of signals as low as possible, and also to minimize the number of parameters in the detection process that need to be monitored. The deep reason behind this is that in practical implementation at some stage one has to consider finite size effects in the statistics and also in the security proof stage. For a continuous family of signals, it will be intuitively harder to get hold of these finite size effects and to include statistical fluctuations of observations into a full security proof.

For this reason, it becomes interesting to have a look at QKD systems that combine a finite number of signals with the continuous variable detection schemes: discrete-modulation protocols have been devised following this proposal, some based on coherent states instead of squeezed states (Silberhorn et al., 2002). The signals consist here of a weak coherent state together with a strong phase reference. The signal is imprinted onto the weak coherent state by setting the relative optical phase between weak coherent state and reference pulse either to $0$ or $\pi$. Schematically, the strong phase reference could be represented by two local oscillators, e.g. phase-locked lasers at the sending and receiving station. This type of signal has been used already in the original B92 protocol (Bennett, 1992). The receiver then uses the local oscillator in the homodyne or heterodyne measurement. The security of this protocol is still based on the fact that the weak signal pulses represent non-orthogonal signal states.

[25] This possibility was also suggested for postselection-based protocols in (Lorenz, Korolkova and Leuchs, 2004), and the experiment has been performed (Lorenz et al., 2006).
On the receiver side, homodyne detection is performed by choosing at random one of the two relevant quadrature measurements (one quadrature serves the purpose of being able to measure the bit values, the other one serves the purpose to monitor the channel to limit possible eavesdropping attacks). Alternatively, a heterodyne measurement can, in a way, monitor both quadratures. Consider for definiteness a simple detection scheme, in which bit-values are assigned by the sign of the detection signal, $+$ or $-$, with respect to the half-planes in the quantum optical phase space in which the two signals reside. As a result, both sender and receiver have binary data at hand. As in the case of Gaussian modulation, they can now perform post-selection of data, and use error-correction and privacy amplification to extract secret keys from these data.

4. Distributed-phase-reference Protocols

Both discrete- and continuous-variable protocols have been invented by theorists. Some experimental groups, in their developments toward practical QKD systems, have conceived new protocols, which do not fit in the categories above. In these, like in discrete-variable protocols, the raw keys are made of realizations of a discrete variable (a bit) and are already perfectly correlated in the absence of errors. However, the quantum channel is monitored using the properties of coherent states — more specifically, by observing the phase coherence of subsequent pulses; whence the name distributed-phase-reference protocols.

The first such protocol has been called Differential-Phase-Shift (DPS) (Inoue, Waks and Yamamoto, 2002, 2003). Alice produces a sequence of coherent states of same intensity

$$|\Psi(S_n)\rangle = \ldots\, |e^{i\varphi_{k-1}}\sqrt{\mu}\rangle\, |e^{i\varphi_k}\sqrt{\mu}\rangle\, |e^{i\varphi_{k+1}}\sqrt{\mu}\rangle \ldots \tag{9}$$

where each phase can be set at $\varphi = 0$ or $\varphi = \pi$ (Fig. 2). The bits are coded in the difference between two successive phases: $b_k = 0$ if $e^{i\varphi_k} = e^{i\varphi_{k+1}}$ and $b_k = 1$ otherwise.

  • 15. FIG. 2 The two distributed-phase-reference protocols: differential phase shift (DPS, top) and coherent one-way (COW, bottom). Legend: PM: phase modulator; IM: intensity modulator. See text for description.

This can be unambiguously discriminated using an unbalanced interferometer. The complexity in the analysis of this protocol lies in the fact that $|\Psi(S_n)\rangle \neq |\psi(b_1)\rangle \otimes \ldots \otimes |\psi(b_n)\rangle$: the $k$-th pulse contributes to both the $k$-th and the $(k+1)$-st bit. The DPS protocol has been already the object of several experimental demonstrations (Diamanti et al., 2006; Takesue et al., 2005, 2007).

In the protocol called Coherent-One-Way (COW) (Gisin et al., 2004; Stucki et al., 2005), each bit is coded in a sequence of one non-empty and one empty pulse:

$$|0_k\rangle = |\sqrt{\mu}\rangle_{2k-1}\,|0\rangle_{2k}, \qquad |1_k\rangle = |0\rangle_{2k-1}\,|\sqrt{\mu}\rangle_{2k}. \tag{10}$$

These two states can be unambiguously discriminated in an optimal way by just measuring the time of arrival (Fig. 2). For the channel estimation, one checks the coherence between two successive non-empty pulses; these can be produced on purpose as a “decoy sequence” $|\sqrt{\mu}\rangle_{2k-1}|\sqrt{\mu}\rangle_{2k}$, or can happen as $|\sqrt{\mu}\rangle_{2k}|\sqrt{\mu}\rangle_{2k+1}$ across a bit separation, when a sequence $|1_k\rangle|0_{k+1}\rangle$ is coded. This last check, important to detect PNS attacks, implies that the phase between any two successive pulses must be controlled; therefore, as it happened for DPS, the whole sequence must be considered as a single signal. A prototype of a full QKD system based on COW has been reported recently (Stucki et al., 2008).

Both DPS and COW are P&M schemes, tailored for laser sources. It has not yet been possible to derive a bound for unconditional security, because the existing techniques apply only when $|\Psi(S_n)\rangle$ can be decomposed in independent signals. We shall review the status of partial security proofs in Sec. VI.

E. Sources

1. Lasers

Lasers are the most practical and versatile light sources available today. For this reason, they are chosen by the vast majority of groups working in the field. Of course, all implementations in which the source is a laser are P&M schemes. For the purposes of this review, we don’t have to delve deep into laser physics. The output of a laser in a given mode is described by a coherent state of the field

$$|\sqrt{\mu}\,e^{i\theta}\rangle \equiv |\alpha\rangle = e^{-\mu/2} \sum_{n=0}^{\infty} \frac{\alpha^n}{\sqrt{n!}}\,|n\rangle \tag{11}$$

where $\mu = |\alpha|^2$ is the average photon number (also called intensity). The phase factor $e^{i\theta}$ is accessible if a reference for the phase is available; if not, the emitted state is rather described by the mixture

$$\rho = \int_0^{2\pi} \frac{d\theta}{2\pi}\, |\alpha\rangle\langle\alpha| = \sum_n P(n|\mu)\, |n\rangle\langle n| \tag{12}$$

with

$$P(n|\mu) = e^{-\mu}\, \frac{\mu^n}{n!}. \tag{13}$$

Since two equivalent decompositions of the same density matrix cannot be distinguished, one may say as well that, in the absence of a phase reference, the laser produces a Poissonian mixture of number states.

The randomization of $\theta$ generalizes to multimode coherent states (Mølmer, 1997; van Enk and Fuchs, 2002). Consider for instance the two-mode coherent state $|\sqrt{\mu}\,e^{i(\theta+\varphi)}\rangle\,|\sqrt{\mu'}\,e^{i\theta}\rangle$ that may describe for instance a weak pulse and a reference beam. The phase $\varphi$ is the relative phase between the two modes and is well-defined, but the common phase $\theta$ is random. One can then carry out the same integral as before; the resulting $\rho$ is the Poissonian mixture with average photon number $\mu + \mu'$ and the number states generated in the mode described by the creation operator $A^\dagger = \left(e^{i\varphi}\sqrt{\mu}\,a_1^\dagger + \sqrt{\mu'}\,a_2^\dagger\right)/\sqrt{\mu + \mu'}$.

Let us turn now to QKD. The existence of a reference for the phase is essential in both continuous-variable and distributed-phase-reference protocols: after all, these protocols have been designed having specifically in mind the laser as a source. On the contrary, when attenuated lasers are used to approximate qubits in discrete protocols, the phase reference does not play any role.
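The step from Eq. (11) to Eqs. (12)–(13) can be checked numerically by averaging $|\alpha\rangle\langle\alpha|$ over the phase in a truncated Fock basis. This is an added example, not code from the paper; the truncation dimension, the number of phase samples and the function names are assumptions of the example.

```python
"""Phase randomization of a coherent state: Eq. (11) -> Eqs. (12), (13)."""
import cmath
import math


def coherent_amplitudes(mu, theta, dim):
    """Fock amplitudes <n|alpha> of Eq. (11) for n < dim."""
    alpha = math.sqrt(mu) * cmath.exp(1j * theta)
    return [math.exp(-mu / 2) * alpha ** n / math.sqrt(math.factorial(n))
            for n in range(dim)]


def phase_averaged_state(mu, dim, n_phases=64):
    """Density matrix obtained by averaging |alpha><alpha| over theta.

    The integral of Eq. (12) is replaced by a sum over n_phases equally
    spaced phases, which is exact for the truncated matrix as soon as
    n_phases >= dim. n_phases=1 gives the state with a fixed phase
    (theta = 0), i.e. the case where a phase reference is available.
    """
    rho = [[0j] * dim for _ in range(dim)]
    for j in range(n_phases):
        amp = coherent_amplitudes(mu, 2 * math.pi * j / n_phases, dim)
        for m in range(dim):
            for n in range(dim):
                rho[m][n] += amp[m] * amp[n].conjugate() / n_phases
    return rho


def poisson(n, mu):
    """Photon-number distribution P(n|mu) of Eq. (13)."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def max_coherence(rho):
    """Largest off-diagonal element (in modulus) of a density matrix."""
    dim = len(rho)
    return max(abs(rho[m][n])
               for m in range(dim) for n in range(dim) if m != n)


def multi_photon_fraction(mu):
    """Share of non-empty pulses that contain two or more photons."""
    p0, p1 = poisson(0, mu), poisson(1, mu)
    return (1 - p0 - p1) / (1 - p0)


if __name__ == "__main__":
    mu, dim = 0.5, 6
    mixed = phase_averaged_state(mu, dim)
    fixed = phase_averaged_state(mu, dim, n_phases=1)
    print("coherence, random phase:", max_coherence(mixed))
    print("coherence, fixed phase :", max_coherence(fixed))
    for n in range(dim):
        print(n, round(mixed[n][n].real, 6), round(poisson(n, mu), 6))
    print("multi-photon share at mu=0.1:", multi_photon_fraction(0.1))
```

The off-diagonal terms vanish only after the phase average, and even at $\mu = 0.1$ about 5% of the non-empty pulses carry more than one photon, which is the quantity that matters for the PNS attacks mentioned earlier.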
In these implementations, $\rho$ given in (12) is generically [26] an accurate description of the quantum signal outside Alice’s lab.

[26] One must be careful though: the fact that the phase reference is not used in the protocol does not necessarily mean that such a reference is physically not available. In particular, such reference is available for some source, e.g. when a mode-locked laser is used to produce pulses. In such cases, even though Alice and Bob don’t use the phase coherence in the protocol, the signal is no longer correctly described by (12), and Eve can in principle take advantage of the existing coherence to obtain more information (Lo and Preskill, 2007). Therefore it is necessary to implement active randomization (Gisin et al., 2006; Zhao, Qi and Lo, 2007).

  • 16. Since $\rho$ commutes with the measurement of the number of photons, this opens the possibility of the photon-number-splitting (PNS) attacks (Bennett, 1992; Brassard et al., 2000; Lütkenhaus, 2000), a major concern in practical QKD that will be addressed in Sec. III.B.3.

2. Sub-Poissonian Sources

Sub-Poissonian sources (sometimes called “single-photon sources”) come closer to a single-photon source than an attenuated laser, in the sense that the probability of emitting two photons is smaller. The quantum signal in each mode is taken to be a photon-number diagonal mixture with a very small contribution of the multi-photon terms. The quality of a sub-Poissonian source is usually measured through the second order correlation function

$$g_2(\tau) = \frac{\langle : I(t)\,I(t+\tau) : \rangle}{\langle I(t) \rangle^2} \tag{14}$$

where $I(t)$ is the signal intensity emitted by the source and $:\,-\,:$ denotes normal ordering of the creation and annihilation operators. In particular, $g_2(0) \approx 2p(2)/p(1)^2$, where $p(n)$ is the probability that the source emits $n$ photons. For Poissonian sources, $g_2(0) = 1$; the smaller $g_2(0)$, the closer the source is to an ideal single-photon source. It has been noticed that the knowledge of the efficiency and of $g_2$ is enough to characterize the performance of such a source in an implementation of BB84 (Waks, Santori and Yamamoto, 2002).

Sub-Poissonian sources have been, and still are, the object of intensive research; recent reviews cover the most meaningful developments (Lounis and Orrit, 2005; Shields, 2007). In the context of QKD, the discovery of PNS attacks triggered a lot of interest in sub-Poissonian sources, because they would reach much higher secret fractions. QKD experiments have been performed with such sources (Alléaume et al., 2004; Beveratos et al., 2002; Waks et al., 2002), also in fibers (Intallura et al., 2007) thanks to the development of sources at telecom wavelengths (Saint-Girons et al., 2006; Ward et al., 2005; Zinoni et al., 2006). At the moment of writing, this interest has significantly dropped, as it was shown that the same rate can be achieved with lasers by using decoy states, see IV.B.3 and IV.B.4. But the tide may turn again in the near future, for applications in QKD with quantum repeaters (Sangouard et al., 2007).

3. Sources of Entangled Photons

Entangled photon pairs suitable for entanglement-based protocols or for heralded sub-Poissonian sources are mostly generated by spontaneous parametric down conversion (SPDC) (Mandel and Wolf, 1995). In this process some photons from a pump laser beam are converted due to the non-linear interaction in an optical crystal [27] into pairs of photons with lower energies. The total energy and momentum are conserved. In QKD devices, cw-pumped sources are predominantly used.

In the approximation of two output modes, the state behind the crystal can be described as follows

$$|\psi\rangle_{PDC} = \sqrt{1 - \lambda^2}\, \sum_{n=0}^{\infty} \lambda^n\, |n_A, n_B\rangle, \tag{15}$$

where $\lambda = \tanh \xi$ with $\xi$ proportional to the pump amplitude, and where $|n_A, n_B\rangle$ denotes the state with $n$ photons in the mode destined to Alice and $n$ photons in the other mode aimed at Bob. This is the so called two-mode squeezed vacuum.

The photons are entangled in time and in frequencies (energies); one can also prepare pairs of photons correlated in other degrees of freedom: polarization (Kwiat et al., 1995, 1999), time bins (Brendel et al., 1999; Tittel et al., 2000), momenta (directions), or orbital angular momenta (Mair et al., 2001).

The state (15) can be directly utilized in continuous-variable protocols.
In the case of discrete-variable protocols, one would prefer only a single pair of photons per signal; however, SPDC always produces multi-pair components, whose presence must be taken into account. Let us describe this in the four-mode approximation, which is sufficient for the description of fs-pulse pumped SPDC (Li et al., 2005). An ideal two-photon maximally entangled state reads $|\Psi_2\rangle = \frac{1}{\sqrt{2}} \left( |1,0\rangle_A |1,0\rangle_B + |0,1\rangle_A |0,1\rangle_B \right)$ where each photon can be in two different modes (orthogonal polarizations, different time-bins...). This state can be approximately achieved if $\lambda \ll 1$, i.e. if the mean pair number per pulse $\mu = 2\lambda^2/(1 - \lambda^2) \ll 1$. But there are multi-pair components: in fact, again in the case of a four-mode approximation, the generated state reads

$$|\Psi\rangle \approx \sqrt{p(0)}\, |0\rangle + \sqrt{p(1)}\, |\Psi_2\rangle + \sqrt{p(2)}\, |\Psi_4\rangle \tag{16}$$

where $p(1) \approx \mu$ and $p(2) \approx \frac{3}{4}\mu^2$, $|0\rangle$ is the vacuum state, and the four-photon state is $|\Psi_4\rangle = \frac{1}{\sqrt{3}} \left( |0,2\rangle |0,2\rangle + |2,0\rangle |2,0\rangle + |1,1\rangle |1,1\rangle \right)$. We recall that this description is good for short pump pulses; when a cw-pumped source is used (or a pulse-pumped source with a pulse duration much larger than the coherence time τ of the down-converted photons) the four-mode approximation is not applicable and a continuum of frequency modes must be taken into account. The multiple excitations created during the coherence time τ are coherent and partially correlated: in this case, the four-photon state is a fully entangled state that cannot be written as “two pairs” (see $|\Psi_4\rangle$ above)²⁸. However, τ is usually much shorter than the typical time ∆t that one can discriminate, this time being defined as the time resolution of the detectors for cw-pumped sources²⁹ or as the duration of a pulse for pulsed sources. This implies that, when two photons arrive “at the same time”, they may actually arise from two incoherent processes, and in this case the observed statistics corresponds to that of two independent pairs. This physics has been the object of several studies (De Riedmatten et al., 2004b; Eisenberg et al., 2004; Ou, Rhee and Wang, 1999; Scarani et al., 2005; Tapster and Rarity, 1998; Tsujino et al., 2004).

What concerns us here is the advantage that Eve may obtain, and in particular the efficiency of PNS attacks. If the source is used in a P&M scheme as heralded single-photon source, then the PNS attack is effective as usual, because all the photons that travel to Bob have been actively prepared in the same state (Lütkenhaus, 2000); ideas inspired from decoy states can be used to detect it (Adachi et al., 2007; Mauerer and Silberhorn, 2007). In an EB scheme, the PNS attack is effective on the fraction $\zeta \approx \tau/\Delta t$ of coherent four-photon states; besides, all multi-pair contributions inevitably produce errors in the correlations Alice-Bob. We shall come back to these points in Sec. IV.B.5.

²⁷ Crystals like KNbO3, LiIO3, LiNbO3, β-BaB2O4, etc. Very promising are periodically-poled nonlinear materials (Tanzilli et al., 2001). Besides the spontaneous parametric down conversion, new sources of entangled photons based on quantum dots are tested in laboratories (Young et al., 2006). But these sources are still at an early stage of development. Their main drawback is the need of cryogenic environment.

²⁸ Though a nuisance in qubit-based protocols, the existence of such four photon components can lead to new opportunities for QKD, as pointed out independently in (Brassard, Mor and Sanders, 2000) and (Durkin et al., 2002).

²⁹ However, a recent entanglement-swapping experiment combined fast detectors and narrow filters to achieve ∆t < τ in cw-pumped SPDC (Halder et al., 2007).

F. Physical Channels

As far as the security is concerned, the quantum channel must be characterized only a posteriori, because Eve has full freedom of acting on it. However, the knowledge of the a priori expected behavior is obviously important at the moment of designing a setup. We review here the physics of the two main quantum channels used for light, namely optical fibers and free space beams.

An important parameter of the quantum channel is the amount of losses. Surely enough, a key can be built by post-selecting only those photons that have actually been detected. But, since quantum signals cannot be amplified, the raw key rate decreases with the distance as the transmission t of the channel; in addition, at some point the detection rate reaches the level of the dark counts of the detectors, and this effectively limits the maximal achievable distance. Finally, in general the lost photons are correlated to the signal and thus must be counted as information that leaked to Eve.

Concerning the interaction of photons with the environment in the channel, the effect of decoherence depends strongly on the quantum degree of freedom that is used; therefore, although weak in principle, it cannot be fully neglected and may become critical in some implementations.

1. Fiber Links

The physics of optical fibers has been explored in depth because of its importance for communication (Agrawal, 1997). When we quote a value, we refer to the specifications of the standard fiber Corning SMF-28 (see e.g. www.ee.byu.edu/photonics/connectors.parts/smf28.pdf); obviously, the actual values must be measured in any experiment.

The losses are due to random scattering processes and depend therefore exponentially on the length ℓ:

$$t = 10^{-\alpha \ell / 10} . \tag{17}$$

The value of α is strongly dependent on the wavelength and is minimal in the two “telecom windows” around 1330 nm (α ≃ 0.34 dB/km) and 1550 nm (α ≃ 0.2 dB/km).

The decoherence channels and their importance vary with the coding of the information. Two main effects modify the state of light in optical fibers. The first effect is chromatic dispersion: different wavelengths travel at slightly different velocities, thus leading to an incoherent temporal spread of a light pulse. This may become problematic as soon as subsequent pulses start to overlap. However, chromatic dispersion is a fixed quantity for a given fiber, and can be compensated (Fasel, Gisin, Ribordy and Zbinden, 2004). The second effect is polarization mode dispersion (PMD) (Galtarossa and Menyuk, 2005; Gisin and Pellaux, 1992). This is a birefringent effect, which defines a fast and a slow polarization mode orthogonal to one another, so that any pulse tends to split into two components. This induces a depolarization of the pulse. Moreover, the direction of the birefringence may vary in time due to environmental factors: as such, it cannot be compensated statically. Birefringence effects induce decoherence in polarization coding, and may be problematic for all implementations that require a control on polarization. The importance of such effects depends on the fibers and on the sources; recent implementations can be made stable, even though they use a rather broadband source (Hübel et al., 2007).
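An added worked example (not from the paper) of the loss budget described above: it evaluates Eq. (17) in the two telecom windows and finds, by bisection, the fiber length at which dark counts account for half of Bob's clicks. The source intensity µ = 0.1, the 50% threshold and all function names are assumptions of this example; η = 10% and pd = 10⁻⁵ per gate are the InGaAs APD figures from the paper's Table I.

```python
import math

# Fiber attenuation in the two telecom windows quoted in the text (dB/km).
ALPHA_DB_PER_KM = {1330: 0.34, 1550: 0.2}


def fiber_transmission(alpha_db_km, length_km):
    """Eq. (17): t = 10^(-alpha * l / 10)."""
    return 10.0 ** (-alpha_db_km * length_km / 10.0)


def signal_click_prob(mu, t, eta, t_bob=1.0):
    """Click probability per gate for a Poissonian pulse of mean photon number mu.

    For small arguments this reduces to the estimate mu * t * t_B * eta.
    """
    return -math.expm1(-mu * t * t_bob * eta)


def dark_fraction(length_km, alpha_db_km, mu, eta, p_dark, t_bob=1.0):
    """Share of Bob's clicks caused by a dark count with no signal detection."""
    t = fiber_transmission(alpha_db_km, length_km)
    p_sig = signal_click_prob(mu, t, eta, t_bob)
    dark_only = (1.0 - p_sig) * p_dark
    return dark_only / (p_sig + dark_only)


def reach_km(alpha_db_km, mu, eta, p_dark, max_dark_fraction=0.5, t_bob=1.0):
    """Fiber length at which dark counts reach the given share of all clicks."""
    lo, hi = 0.0, 1000.0  # dark_fraction grows monotonically with length
    for _ in range(80):
        mid = (lo + hi) / 2.0
        if dark_fraction(mid, alpha_db_km, mu, eta, p_dark, t_bob) < max_dark_fraction:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    MU = 0.1        # assumed mean photon number per pulse
    ETA = 0.10      # InGaAs APD quantum efficiency (Table I)
    P_DARK = 1e-5   # InGaAs APD dark counts per gate (Table I)
    for wavelength, alpha in ALPHA_DB_PER_KM.items():
        print(f"{wavelength} nm, alpha = {alpha} dB/km")
        for length in (25, 50, 100, 150):
            t = fiber_transmission(alpha, length)
            share = dark_fraction(length, alpha, MU, ETA, P_DARK)
            print(f"  {length:4d} km  t = {t:.2e}  dark-count share = {share:.3f}")
        print(f"  dark counts equal signal at {reach_km(alpha, MU, ETA, P_DARK):.1f} km")
```
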
2. Free Space Links

A free space QKD link can be used in several very different scenarios, from short distance line-of-sight links with small telescopes mounted on rooftops in urban areas, to ground-space or even space-space links, involving the use of astronomical telescopes (see also VIII.A.4). Free-space QKD has been demonstrated in both the prepare-and-measure (Buttler et al., 1998; Hughes et al., 2002; Kurtsiefer et al., 2002; Rarity, Gorman and Tapster, 2001) and the entanglement-based configurations (Erven et al., 2008; Ling et al., 2008; Marcikic, Lamas-Linares and Kurtsiefer, 2006; Ursin et al., 2007).

The decoherence of polarization or of any other degree of freedom is practically negligible. The losses can roughly be divided into geometric and atmospheric. The geometric losses are related with the apertures of receiving telescopes and with the effective aperture of the sending telescope (the one perceived by the receiving telescope, which is influenced by alignment, moving buildings, atmospheric turbulence etc.). The atmospheric losses are due to scattering and to scintillation. Concerning scattering, within the 700–10,000 nm wavelength range there are several “atmospheric transmission windows”, e.g. 780–850 nm and 1520–1600 nm, which have an attenuation α < 0.1 dB/km in clear weather. Obviously, the weather conditions influence heavily such losses; numerical values are available, see e.g. (Bloom et al., 2003; Kim and Korevaar, 2001). A simple model of the losses for a line-of-sight free space channel of length ℓ is therefore given by

$$t \approx \left( \frac{d_r}{d_s + D\,\ell} \right)^2 10^{-\alpha \ell / 10} ,$$

where the first term is an estimate of the geometric losses ($d_s$ and $d_r$ are the apertures of the sending and receiving telescopes, D is the divergence of the beam) and the second describes scattering (α is the atmospheric attenuation). We note that this formula does not account for scintillation, which is often the most critical factor in practice.

G. Detectors

1. Photon Counters

Discrete-variable protocols use photon-counters as detectors. The main quantities characterizing photon-counters are the quantum efficiency η, which represents the probability of a detector click when the detector is hit by a photon, and the dark-count rate $p_d$ characterizing the noise of the detector (dark counts are events when a detector sends an impulse even if no photon has entered it). An important parameter is also the dead time of the detector, i.e. the time it takes to reset the detector after a click. These three quantities are not independent. Most often, the overall repetition rate at which the detector can be operated is determined by the dead time. For each of the detectors discussed below, the meaningful parameters are listed in Table I.

The most commonly used photon counters in discrete-variable systems are avalanche photodiodes (APD). Specifically, for wavelengths in the interval of approximately 400–1000 nm Si APDs can be used; for wavelengths from about 950 nm to 1650 nm, including telecom wavelengths, InGaAs/InP diodes are most often applied. A whole savoir-faire on the use of APDs has originated in the field of QKD (Cova et al., 2004; Gisin, Ribordy, Tittel and Zbinden, 2002). Because they can be operated with thermo-electric cooling, these detectors are an obvious choice for practical QKD, and in particular for commercial devices (Ribordy et al., 2004; Trifonov et al., 2004). Two recent developments are worth mentioning. First: instead of direct use of InGaAs APDs, one can detect signals at telecom wavelengths (1310 nm and 1550 nm) by applying parametric frequency up-conversion and then using efficient silicon APDs (Diamanti et al., 2005; Thew et al., 2006).
Compared with InGaAs APDs, these up-conversion detectors have lower quantum efficiency but could in principle be operated in continuous mode, thus leading to GHz repetition rates; however, as of today’s knowledge, they suffer from an intrinsic noise source that leads to high dark count rates. Second: more recently, an improvement of the repetition rate and count rate by several orders of magnitude has been obtained by using a circuit that compares the output of the APD with that in the preceding clock cycle; such devices have been named self-differencing APDs (Yuan et al., 2007).

Single-photon detectors other than APDs have been and are being developed. For instance, Visible Light Photon Counters are semiconductor detectors that can also distinguish the number of impinging photons (Kim et al., 1999; Waks et al., 2003; Waks, Diamanti and Yamamoto, 2006). Other photon-counters are based on superconductors, for instance Superconducting Single Photon Detectors (Verevkin et al., 2002, 2004) and Transition Edge Sensors (Miller et al., 2003; Rosenberg et al., 2005); both types have been already used in QKD experiments (Hadfield et al., 2006; Hiskett et al., 2006; Rosenberg et al., 2007, 2009). Each type has its own strong and weak features; in particular, all of them must be operated at cryogenic temperatures.

| Name       | λ [nm] | η      | pd      | Rep. [MHz] | Count [MHz] | Jitter [ps] | T [K] | n |
|------------|--------|--------|---------|------------|-------------|-------------|-------|---|
| APDs:      |        |        |         |            |             |             |       |   |
| Si         | 600    | 50%    | 100 Hz  | cw         | 15          | 50-200      | 250   | N |
| InGaAs     | 1550   | 10%    | 10⁻⁵/g  | 10         | 0.1         | 500         | 220   | N |
| Self-Diff. |        |        |         | 1250       | 100         | 60          |       |   |
| Others:    |        |        |         |            |             |             |       |   |
| VLPC       | 650    | 58-85% | 20 kHz  | cw         | 0.015       | N.A.        | 6     | Y |
| SSPD       | 1550   | 0.9%   | 100 Hz  | cw         | N.A.        | 68          | 2.9   | N |
| TES        | 1550   | 65%    | 10 Hz   | cw         | 0.001       | 9×10⁴       | 0.1   | Y |

TABLE I Overview of typical parameters of single-photon detectors: detected wavelength λ, quantum efficiency η, fraction of dark counts pd (g: gate), repetition rate (cw: continuous wave), maximum count rate, jitter, temperature of operation T; the last column refers to the possibility of distinguishing the photon numbers. For acronyms and references, refer to the main text.

2. Homodyne Detection

Continuous-variable QKD is based on the measurement of quadrature components of light. This can conveniently be done by means of optical homodyne detection. This detection scheme uses two beams of the same frequency: the signal and the so-called local oscillator (much stronger and therefore often treated as classical). The beams are superimposed at a balanced beam splitter. The intensity of light in each of the output modes is measured with proportional detectors, and the difference between the resulting photocurrents is recorded. If the amplitude and the phase of the local oscillator are stable, the differential current carries information about a quadrature component of the input signal; which quadrature component is actually measured depends on the phase difference between the signal and local oscillator.

To keep this phase difference constant, the signal and local oscillator are usually derived from the same light source: the local oscillator beam needs to be transmitted along with the signal from Alice to Bob; in practice, they are actually sent through the same channel, so that they experience the same phase noise and the relative phase remains unaltered. Note however that this practical change may render the scheme completely insecure, unless additional measurements are performed to verify the character of both the weak and the strong signal (Häseler, Moroder and Lütkenhaus, 2008).

The intensities are measured by PIN diodes, which provide high detection efficiency (typically 80%) and relatively low noise. Therefore homodyne detection could in principle operate at GHz repetition rates (Camatel and Ferrero, 2006) in contrast to photon counters based on APDs, whose detection rate is limited by the detector dead-time.

The use of such a high-rate homodyne detection technique unfortunately comes with a price.
Because of the uncertainty principle, the measurement of complementary quadratures is intrinsically noisy. The vacuum noise (or intrinsic noise) is the noise obtained when there is vacuum in the signal port (only the local oscillator is present). Now, the unavoidable transmission losses in the optical line, which simply cause “missing clicks” in photon-counting based schemes, result in a decrease of the signal-to-noise ratio in homodyne-detection based schemes. The vacuum noise is responsible for a rather significant added noise in continuous-variable QKD, which needs to be corrected during the classical post-processing stage: an additional computing effort in continuous-variable QKD.

In addition to the vacuum noise, an excess noise is generated mainly by detectors themselves and by the subsequent electronics. In real systems, it is possible to reduce the excess noise even 20 dB below the shot noise; but this ratio depends on the width of the spectral window, and narrow spectral windows bound the modulation frequencies (i.e. the repetition rates).

H. Synchronization and alignment

1. Generalities

The problem of the synchronization of two distant clocks, in itself, is a technical matter that has been solved efficiently in several different ways; basically, either one sends out a synchronization signal at regular intervals during the whole protocol, or one relies on an initial synchronization of two sufficiently stable clocks. In the context of QKD, one has to consider possible hacking attacks that would exploit this channel (more in Sec. III.B.4).

The physical meaning of alignment depends on the coding. For coding in polarization, it obviously means that Alice and Bob agree on the polarization directions. For phase coding, it refers rather to the stabilization of interferometers.
Both procedures are most often performed by sending a servoing signal at a different frequency than the quantum signal, taking advantage of the bandwidth of the optical channel. Alternatively, self-stabilized setups have been proposed: this is the so-called Plug&Play configuration, that we shall describe in the next paragraph in the context of phase-coding.

Before that, we have to mention that quantum mechanics allows also for a coding that does not require any alignment by exploiting the so-called “decoherence-free subspaces” (Boileau et al., 2004; Zanardi and Rasetti, 1997). However, though demonstrated in some proof-of-principle experiments (Bourennane et al., 2004; Chen et al., 2006), such coding is highly impractical, as it requires the preparation and measurement of complex multi-photon states; moreover, it is very sensitive to losses³⁰.

³⁰ The simplest example is the singlet state of two qubits: when both qubits are sent into the quantum channel, the state is robust against any misalignment U since $U \otimes U |\Psi^-\rangle = |\Psi^-\rangle$. With four physical qubits, there are two orthogonal states such that $U \otimes U \otimes U \otimes U |\psi_{0,1}\rangle = |\psi_{0,1}\rangle$; therefore, one can form an effective logical qubit $|0\rangle \equiv |\psi_0\rangle$ and $|1\rangle \equiv |\psi_1\rangle$ that is insensitive to misalignments. The states $|\psi_{0,1}\rangle$ are not easy to prepare and to detect. As a matter of fact, the available experiments did not produce those states: they produced a quite complex photonic state, that gives the required statistics conditioned on the observation of a specific detection pattern. In turn, this implies that all four photons must be transmitted and detected, therefore losses lead to a very fast decrease of the detection rate.
2. Phase coding: two configurations

FIG. 3 Comparison of the one-way and two-way configurations for phase coding. The one-way configuration is called double Mach-Zehnder (top). Alice splits each laser pulse into two pulses with relative phase α; if Bob’s phase is such that α − β = 0 modulo π, the outcome is deterministic in the absence of errors. In the two-way configuration, or Plug&Play (bottom), the source of light is on Bob’s side. In detail: an intense laser pulse is sent through a circulator (C) into Bob’s interferometer. The phase modulator is passive at this stage, but a polarization rotation (R) is implemented so that all the light finally couples in the fiber. On Alice’s side, part of the light is deflected to a proportional detector (PD) that is used to monitor Trojan Horse attacks. The remaining light goes to a Faraday mirror (FM) that sends each polarization on the orthogonal one. On the way back, the pulses are attenuated down to the suitable level, then the coding is done as above. The role of the delay line (DL) is explained in the text.

We consider P&M schemes with phase coding. This coding has been the preferential choice in fiber implementations and has given rise to two possible configurations (Fig. 3). In the configuration called one-way, the laser is on Alice’s side; it is typically realized with a double Mach-Zehnder interferometer (Bennett, 1992; Townsend, Rarity and Tapster, 1993). The other possible configuration has been called Plug&Play configuration (Muller et al., 1997; Ribordy et al., 1998). As the name suggests, the goal of the Plug&Play configuration is to achieve self-alignment of the system. Contrary to the one-way configuration, the Plug&Play configuration puts the source of light on Bob’s side: a strong laser pulse travels on the quantum channel from Bob to Alice.
Alice attenuates this light to the suitable weak intensity (surely less than one photon per pulse on average, more details below and in Sec. IV.B.4), codes the information and sends the remaining light back to Bob, who detects. The coded signal goes as usual from Alice to Bob; but the same photons have first traveled through the line going from Bob to Alice. This way, interferometers become self-stabilized because the light passes twice through them; if the reflection on Alice’s side is done with a Faraday mirror, polarization effects in the channel are compensated as well. These two configurations have shaped the beginning of practical QKD; we refer to a previous review (Gisin, Ribordy, Tittel and Zbinden, 2002) for a thorough discussion.

It is useful here to address some problems that are specific for the Plug&Play configuration, since they illustrate the subtleties of practical QKD. The system has an intrinsic duty cycle, which limits the rate at long distances: Bob must wait a go-and-return cycle before sending other strong signals, otherwise the weak signal coded by Alice will be overwhelmed by the backscattered photons of the new strong ones³¹. The nuisance has been reduced by having Bob send, not just one pulse, but a train of pulses; on Alice’s side, a sufficiently long delay line must be added: all the pulses must have passed the phase modulator before the first one comes back and is coded. Still, this duty cycle is a serious bottleneck compared to one-way configurations.

Also, two specific security concerns arise for the Plug&Play configuration. First concern: in full generality, there is no reason to assume that Eve interacts only with the signal going from Alice to Bob: she might as well modify the signal going from Bob to Alice.
A simple argument suggests that this is not helpful for Eve: Alice attenuates the light strongly and should actively randomize the global phase; then, whatever the state of the incoming light, the outgoing coded light consists of weak signals with almost exact Poissonian statistics (Gisin et al., 2006). Indeed, the rigorous analysis shows that unconditional security can be proved if the global phase is actively randomized, and that the resulting secret fractions are only slightly lower than those achievable with the one-way configuration (Zhao, Qi and Lo, 2008). Second concern: since Alice’s box must allow two-way transit of light, Trojan Horse attacks (see III.B.4) must be monitored actively, whereas in one-way setups they can be avoided by passive optical isolators. In practice, this may decrease the limiting distance³².

³¹ As a matter of fact, the back-scattering and the corresponding duty cycle could be avoided, but at the price of attenuating the pulses already at Bob’s side. In turn, this implies that (i) a different channel should be used for synchronization, and (ii) the maximal operating distance is reduced in practice, especially if one takes Trojan Horse attacks into account, see below. Such a setup has been demonstrated (Bethune and Risk, 2000).

³² The argument goes as follows: upon receiving Bob’s pulse, Alice attenuates it down to the desired intensity µ. Now, it turns out that a simple error by a factor of 2, i.e. sending out 2µ instead of µ, would spoil all security (see IV.B.4). This implies that the intensity of the input pulse must be monitored to a precision far better than this factor 2. This precision may be hard to achieve at long distances, when Bob’s pulse has already been significantly attenuated by transmission.
It is not obvious what the future perspectives of the Plug&Play configuration will be: recently, stabilized one-way configurations have been demonstrated, which can also reach optical visibilities larger than 99% and have a less constraining duty cycle (Gobby, Yuan and Shields, 2004). Still, the Plug&Play configuration is an important milestone of practical QKD: in particular, the first commercial QKD systems are based on it³³.

III. SECRET KEY RATE

We have seen in Sec. II.B.4 that the secret key rate K is the product of two terms (6), the raw key rate R and the secret fraction r. This section is devoted to a detailed study of these two factors. Clearly, the latter is by far the more complex one, and most security studies are devoted only to it; however the raw key rate is crucial as well in practice and its proper description involves some subtleties as well. We will therefore start from this description.

A. Raw key rate

The raw key rate reads

$$R = \nu_S \, \mathrm{Prob(Bob\ accepts)} \tag{18}$$

The second factor depends both on the protocol and on the hardware (losses, detectors) and will be studied for each specific case. The factor $\nu_S$ is the repetition rate.

In the case of pulsed sources $\nu_S$ is the repetition rate of the source of pulses. Of course, $\nu_S \le \nu_S^{\max}$, the maximal repetition rate allowed by the source itself; but two other limitations may become important in limiting cases, so that the correct expression reads

$$\nu_S^{\rm pulse} = \min\left( \nu_S^{\max},\ \frac{1}{\tau_d\, \mu\, t\, t_B \eta},\ \frac{1}{T_{dc}} \right) . \tag{19}$$

We explain now what the two last terms mean.

The first limitation is due to the dead-time of the detectors $\tau_d$. In fact, it is useless to send more light than can actually be detected (worse, an excess of light may even give an advantage to Eve).
One can require that at most one photon is detected in an interval of time $\tau_d$; the detection probability is Prob(Bob detects) ≈ $\mu\, t\, t_B \eta$ with $\mu = \langle n \rangle \lesssim 1$ the average number of photons produced by the source, t the transmittivity of the quantum channel, $t_B$ the losses in Bob’s device and η the efficiency of the detector. Therefore, $\nu_S \lesssim (\tau_d\, \mu\, t\, t_B \eta)^{-1}$. It is clear that this limitation plays a role only at short distances: as soon as there are enough losses in the channel, fewer photons will arrive at Bob than can actually be detected.

The second limitation is associated to the existence of a duty cycle: two pulses cannot be sent at a time interval smaller than a time $T_{dc}$ determined by the setup. The expression for $T_{dc}$ depends on the details of the setup. In Plug&Play configurations for instance, one cannot send the next train of bright pulses before the weak signal of the earlier train has come back (II.H.2): the effect becomes important at long distance. Another example of a duty cycle is the one introduced by a stabilization scheme for one-way configurations, in which each coded signal is preceded by a strong reference signal (Yuan and Shields, 2005). Note finally that in any implementation with time-bin coding, the advanced component of the next signal must not overlap with the delayed component of the previous one.

In the case of heralded photon sources or entanglement-based schemes working in a continuous-wave (cw) regime it is reasonable to define $\nu_S$ as an average rate of Alice’s detections, thus³⁴

$$\nu_S^{\rm cw} = \min\left( \eta_A t_A \mu',\ \frac{1}{\tau_d^A},\ \frac{1}{\tau_d\, t\, t_B \eta},\ \frac{1}{\Delta t} \right) . \tag{20}$$

Here $\eta_A t_A \mu'$ is the trigger rate, with which Alice announces the pair creations to Bob, with $\mu'$ being the pair-generation rate of the source, $t_A$ is the overall transmittance of Alice’s part of the apparatus, and $\eta_A$ is the efficiency of Alice’s detectors. Of course, in practice this rate is limited by the dead time of Alice’s detectors $\tau_d^A$. The whole repetition rate is limited by Bob’s detector dead time $\tau_d$ and by the width of coincidence window ∆t (usually $\Delta t \ll \tau_d$).

³³ The configuration has been used also for continuous-variable coding (Legré, Zbinden and Gisin, 2006), for a distributed-phase-reference protocol (Zhou et al., 2003) and for non-cryptographic quantum information tasks (Brainis et al., 2003).

³⁴ The source is assumed to be safe at Alice’s side. It is supposed that Alice’s detectors are still “open” (not gated). Dark counts and multi-pair contributions were neglected in the estimation of $\nu_S^{\rm cw}$.

B. Secret fraction

1. Classical information post-processing

To extract a short secret key from the raw key, classical post-processing is required. This is the object of this paragraph, for more details see e.g. (Renner, 2005; Van Assche, 2006). The security bounds for the secret fraction crucially depend on how this step is performed.

a. One-way post-processing. These are the most studied and best known procedures. One of the partners, the one who is chosen to hold the reference raw key, sends classical information through the public channel to the other one, who acts according to the established procedure on his data but never gives a feedback. If the sender in this procedure is the same as the sender of the quantum states (Alice with our convention), one speaks of direct reconciliation; in the other case, of reverse reconciliation. The optimal one-way post-processing has been characterized and consists of two steps.

The first step is error correction (EC), also called information reconciliation, at the end of which the lists of symbols of Alice and Bob have become shorter but perfectly correlated. As proved by Shannon, the fraction of perfectly correlated symbols that can be extracted from a list of partially correlated symbols is bounded by the mutual information $I(A:B) = H(A) + H(B) - H(AB)$ where H is the entropy of the probability distribution. In the context of one-way procedures with a sender S and a receiver R, it is natural to write $I(A:B)$ in the apparently asymmetric form $H(S) - H(S|R)$. This formula has an intuitive interpretation, if one remembers that the entropy is a measure of uncertainty: the sender must reveal an amount of information at least as large as the uncertainty the receiver has on the reference raw key.

The second step is privacy amplification (PA). This procedure is aimed at destroying Eve’s knowledge on the reference raw key. Of course, Alice and Bob will have chosen as a reference raw key the one on which Eve has the smallest information: here is where the choice between direct and reverse reconciliation becomes meaningful³⁵. The fraction to be further removed can therefore be written $\min(I_{EA}, I_{EB})$, where $I_{E\cdot}$ is Eve’s information on the raw key of Alice or Bob, that will be defined more precisely in the next paragraph III.B.2. PA was first mentioned in (Bennett, Brassard and Robert, 1988), then established in (Bennett et al., 1995).
This reference has been considered as valid for one decade but, after the notion of universally composable security was introduced (see II.C.2), it had to be replaced by a generalized version (Renner and König, 2005). At the moment of writing, the only PA procedure that works in a provable way is the one based on two-universal hash functions³⁶. Also, for composability, the protocol must be symmetric under permutations: in particular, the pairs for the parameter estimation must be chosen at random, and the hash function has to be symmetric (as it is usually).

In summary, the expression for the secret fraction extractable using one-way classical post-processing reads

$$r = I(A:B) - \min(I_{EA}, I_{EB}) . \tag{21}$$

b. Remarks on practical EC. As mentioned above, the performance of EC codes is bounded by Shannon’s mutual information. Practical EC codes however do not reach up to the Shannon bound. For a priori theoretical estimates, it is fair to increase the number of bits to be removed by 10-20%; more precise estimates are available (Lütkenhaus, 1999) but ultimately the performance must be evaluated on each code. We shall take this correction explicitly into account in Sections IV-VII.

In addition, most of the efficient EC codes that are actually implemented, e.g. Cascade (Brassard and Salvail, 1994), use two-way communication. To fit these two-way EC codes in the framework of one-way post-processing, one can give the position of the errors to Eve and treat all communication as one-way communication (Lütkenhaus, 1999). Alternatively, one can use encryption of the EC data, as suggested in (Lütkenhaus, 1999) and formally proved in (Lo, 2003).

Note finally that it is not necessary to estimate the error rate with a small sample of the data: instead, the parties learn naturally the precise number of errors during the EC procedure.

c. Other forms of post-processing. Bounds can be improved by two-way post-processing, which refers to any possible procedure in which both partners are allowed to send information. Since its first appearance in QKD (Chau, 2002; Gisin and Wolf, 1999; Gottesman and Lo, 2003), this possibility has been the object of several studies³⁷. Contrary to the one-way case, the optimal procedure is still not known, basically because of the complexity of taking feedback into account.

More recently, a further trick to improve bounds was found, called pre-processing: before post-processing, the sender (for one-way) or both partners (for two-way) can add locally some randomness to their data. Of course,

³⁵ Note that, $I(A:B)$ being symmetric, there is no difference between direct and reverse reconciliation at the level of EC, as expected from the nature of the task.

³⁶ A set $\mathcal{F}$ of functions $f : X \to Z$ is called two-universal if $\Pr[f(x) = f(x')] \le \frac{1}{|Z|}$ for $x \neq x'$ and f chosen at random with uniform probability. It is instructive to see why this definition is meaningful for privacy amplification. After EC, Alice and Bob share the same list of bits x; Eve has an estimate x′ of this list. For PA, Alice chooses f from the two-universal set and announces it publicly to Bob. Both Alice and Bob end up with the shorter key z = f(x); but the probability that Eve’s estimate z′ = f(x′) coincides with z is roughly 1/|Z|: Eve might as well choose randomly out of the set Z of possible final keys. Two-universal hash-functions, e.g. in the form of matrix multiplication, can be implemented efficiently (Carter and Wegman, 1979; Wegman and Carter, 1981). The size of the matrices is proportional to the length N of the raw key. Against a classical adversary, other extractors exist whose size grows only like log N; but at the moment of writing, it is not known whether a similar construction exists in the case where the adversary is quantum (König and Renner, 2007).
37 We note that some of the security claims in the first pa- per dealing with advantage distillation (Gisin and Wolf, 1999) were imprecise. These works have also had an intriguing off- spring, the conjecture of the existence of “bound information” (Gisin and Wolf, 2000), later proved for three-partite distribu- tions (Ac´ın, Cirac and Masanes, 2004).
this decreases the correlations between them, but it decreases Eve's information as well, and remarkably the overall effect may be positive (Kraus, Gisin and Renner, 2005; Renner, Gisin and Kraus, 2005).

Both pre-processing and two-way post-processing are easy to implement and allow extracting a secret key in a parameter region where one-way post-processing would fail; in particular, the critical tolerable error rate is pushed much higher [38]. To our knowledge though, they have been implemented only once in real systems (Ma et al., 2006). The reason is that, in terms of secret key rate, an improvement can be appreciated only when the dark counts become dominant [39], a regime in which few systems tend to operate — see however (Rosenberg et al., 2009; Tanaka et al., 2008; Yuan et al., 2008). Therefore, in what follows, we shall present only bounds for one-way classical post-processing without pre-processing.

[38] The order of magnitude of the improvements is roughly the same for all examples that have been studied. Consider e.g. BB84 in a single-photon implementation, and security against the most general attacks: the critical QBER for one-way post-processing without pre-processing is 11% (Shor and Preskill, 2000); bitwise pre-processing brings this value up to 12.4% (Kraus, Gisin and Renner, 2005), more complex pre-processing up to 12.9% (Smith, Renes and Smolin, 2008); two-way post-processing can increase it significantly further, at least up to 20.0%, but at the expense of a drastically reduced key rate (Bae and Acín, 2007; Chau, 2002; Gottesman and Lo, 2003). In weak coherent pulses implementations, pre-processing increases the critical distance of BB84 and of SARG04 by a few kilometers, both for security against individual (Branciard et al., 2005) and most general attacks (Kraus, Branciard and Renner, 2007).

[39] Recall that optical error is routinely kept far below 5%; therefore, the total error rate exceeds ∼10% when the error is largely due to the dark counts.

2. Individual, Collective and Coherent Attacks

As stressed from the beginning (II.C.1), one aims ultimately at proving unconditional security, i.e. security bounds in the case where Eve's attack on the quantum channel is not restricted. Such a lower bound for security has been elusive for many years (II.A); it has nowadays been proved for many protocols, but is still missing for others. In order to provide an ordered view of the past, as well as to keep ideas that may also be useful in the future, we discuss now several levels of security.

a. Individual (or incoherent) attacks. This family describes the most constrained attacks that have been studied. They are characterized by the following properties:

(I1) Eve attacks each of the systems flying from Alice to Bob independently from all the others, and using the same strategy [40]. This property is easily formalized in the EB scheme: the state of $n$ symbols for Alice and Bob has the form $\rho^n_{AB} = (\rho_{AB})^{\otimes n}$.

(I2) Eve must measure her ancillae before the classical post-processing. This means that, at the beginning of the classical post-processing, Alice, Bob and Eve share a product probability distribution of classical symbols.

In this case, the security bound for one-way post-processing is the Csiszár-Körner bound, given by (21) with

$$I_{AE} = \max_{\text{Eve}} I(A:E) \quad \text{(individual attacks)} \tag{22}$$

and of course similarly for $I_{BE}$ (Csiszár and Körner, 1978). Here, $I(A:E)$ is the mutual information between the classical symbols; the notation $\max_{\text{Eve}}$ recalls that one must maximize this mutual information over Eve's strategies. There is actually an ambiguity in the literature, about the moment where Eve is forced to perform her measurement: namely, whether she is forced to measure immediately after the interaction (Bechmann-Pasquinucci, 2006; Curty and Lütkenhaus, 2005; Lütkenhaus, 1996) or whether she can keep the signals in a quantum memory until the end of the sifting and error correction phase (Bechmann-Pasquinucci and Gisin, 1999; Brassard et al., 2000; Bruß, 1998; Cerf et al., 2002; Fuchs et al., 1997; Herbauts et al., 2008; Lütkenhaus, 1999; Slutsky et al., 1998). The first case is associated to the hardware assumption that Eve is restricted not to have a quantum memory [41]. The second case is associated to the hardware assumption that Eve cannot perform arbitrary coherent measurements and can be useful as a step on the way to unconditional security proofs. However, we stress that the bound for collective attacks can nowadays be calculated more easily and gives more powerful results [42].

[40] We note here that this "same strategy" may be probabilistic (with probability $p_1$, Eve does something; with probability $p_2$, something else; etc), provided the probabilities are fixed during the whole key exchange. Strange as it may seem from the standpoint of practical QKD, an attack, in which Eve would simply stop attacking for a while, belongs to the family of the most general attacks!

[41] Generalizing (Wang, 2001), it is conjectured that individual attacks should be optimal under the weaker assumption of a quantum memory that would be bounded, either in capacity or in lifetime; but only rougher bounds have been derived so far (Damgaard et al., 2005, 2007; König and Terhal, 2008).

[42] At the moment of writing, there is still something that is known only for individual attacks, and this is Eve's full strategy; the optimal procedures have been found both for the scenario without quantum memory (Lütkenhaus, 1996) and with it (Herbauts et al., 2008; Lütkenhaus, 1999). On the contrary, the bound for collective and coherent attacks is computed by optimizing the Holevo bound over all possible interactions between the signal and Eve's ancillae (see below): one implicitly assumes that suitable measurements and data processing exist, which will allow Eve to extract that amount of information. It would be surely interesting to exhibit explicit procedures also for more general attacks.

An important sub-family of individual attacks are the intercept-resend (IR) attacks. As the name indicates, Eve intercepts the quantum signal flying from Alice to Bob, performs a measurement on it, and conditioned on the result she obtains she prepares a new quantum signal that she sends to Bob. If performed identically on all items, this is an individual attack. Moreover, it obviously realizes an entanglement-breaking channel between Alice and Bob, thus providing an easily computed upper bound on the security of a protocol (Bechmann-Pasquinucci, 2006; Curty and Lütkenhaus, 2005).

b. Collective attacks. This notion was first proposed by Biham, Mor and coworkers, who proved the security of BB84 against them and conjectured that the same bound would hold for the most general attacks (Biham and Mor, 1997; Biham et al., 2002). Collective attacks are defined as follows:

(C1) The same as (I1).

(C2) Eve can keep her ancillae in a quantum memory until the end of the classical post-processing, and more generally until any later time convenient to her (for instance: if the key is used to encode a message, part of which is vulnerable to plaintext attack, Eve may delay her measurement until she obtains the information coming from this attack). She can then perform the best measurement compatible with what she knows. In general, this will be a collective measurement.

Only (C1) is an assumption on Eve's power. The generic bound for the secret key fraction achievable using one-way post-processing (Devetak-Winter bound) is given by (21) with

$$I_{AE} = \max_{\text{Eve}} \chi(A:E) \quad \text{(collective attacks)} \tag{23}$$

and $I_{BE}$ defined in the analogous way (Devetak and Winter, 2005). Here, $\chi(A:E)$ is the so-called Holevo quantity (Holevo, 1973)

$$\chi(A:E) = S(\rho_E) - \sum_a p(a)\, S(\rho_{E|a}) \tag{24}$$

where $S$ is von Neumann entropy, $a$ is a symbol of Alice's classical alphabet distributed with probability $p(a)$, $\rho_{E|a}$ is the corresponding state of Eve's ancilla and $\rho_E = \sum_a p(a)\, \rho_{E|a}$ is Eve's partial state. The Holevo quantity bounds the capacity of a channel, in which a classical value (here $a$) is encoded into a family of quantum states (here, the $\rho_{E|a}$): in this sense, it is the natural generalization of the mutual information.

As mentioned, it is actually easier to compute (23) than (22). The reason lies in the optimization of Eve's strategy. In fact, the Holevo quantity depends only on Eve's states $\rho_{E|a}$, that is, on the unitary operation with which she couples her ancilla to the system flying to Bob. In contrast to that, the mutual information depends both on Eve's states and on the best measurement that Eve can perform to discriminate them, which can be constructed only for very specific examples of the set of states (Helstrom, 1976).

c. General (or coherent) attacks. Eve's most general strategy includes so many possible variations (she may entangle several systems flying from Alice to Bob, she may modify her attack according to the result of an intermediate measurement...) that it cannot be efficiently parametrized. A brute force optimization is therefore impossible. Nevertheless, as mentioned several times already, bounds for unconditional security have been found in many cases. In all these cases, it turns out the bound is the same as for collective attacks. This remarkable result calls for several comments.

First remark: this result has an intuitive justification. If the state $|\Psi(S_n)\rangle$ that codes the sequence $S_n$ has the tensor product form $|\psi(s_1)\rangle \otimes \cdots \otimes |\psi(s_n)\rangle$, then the states flying from Alice to Bob are uncorrelated in the quantum channel; therefore Eve does not seem to have any advantage in introducing artificial correlations at this point [43]. However, correlations do appear later, during the classical post-processing of the raw key; such that in fact, the final key is determined by the relations between the symbols of the raw key, rather than by those symbols themselves. Thus, Eve must not try and guess the value of each symbol of the raw key, but rather some relation between them — and this is typically a situation in which entanglement is powerful. This vision also clarifies why unconditional security is still elusive for those protocols, for which $|\Psi(S_n)\rangle$ is not of the tensor product form (see VI.A).

[43] Of course, one is not saying that Eve does fulfill (I1): Eve can do whatever she wants; but there exists an attack that fulfills (I1) and that performs as well as the best possible attack.

Second remark: for BB84, six-state and other protocols, assuming the squashing property of detectors (see IV.A.2), this result is a consequence of the internal symmetries (Kraus, Gisin and Renner, 2005; Renner, Gisin and Kraus, 2005). The explicit calculations are given in Appendix A. In a more general framework, the same conclusion can be reached by invoking the exponential De Finetti theorem (Renner, 2005, 2007). This theorem says that, after some suitable symmetrization, the statistics of the raw key are never significantly different from those that would be obtained under constraint (I1). This is a very powerful result, but again does not solve all the issues: for instance, because the actual exponential bound depends on the dimension of the Hilbert space of the quantum signals, it cannot be applied to continuous-variable QKD (see however the Note added in proof at the end of this paper). Also recall that we consider only the asymptotic bound: the finite-key bounds obtained by invoking the De Finetti theorem are over-pessimistic (Scarani and Renner, 2008).

3. Quantum side channels and zero-error attacks

The possibility of zero-error attacks seems to be at odds with the fundamental tenet of QKD, namely that Eve must introduce modifications in the state as soon as she obtains some information. However, there is no contradiction: for instance, in the presence of losses the quantum signal is also changed between the source and the receiver. Even if in most protocols (see discussion in Sec. I.B.3) losses do not lead to errors in the raw key, some information about the value of the coded symbol may have leaked to Eve.

Losses are the most universal example of leakage of information in a quantum side-channel, i.e. in some degree of freedom other than the one which is monitored. We stress that the existence of side-channels does not compromise the security, provided the corresponding attacks are taken into account in the privacy amplification.

The beam-splitting (BS) attack translates the fact that all the light that is lost in the channel must be given to Eve: specifically, Eve could be simulating the losses by putting a beam-splitter just outside Alice's laboratory, and then forwarding the remaining photons to Bob on a lossless line. The BS attack does not modify the optical mode that Bob receives: it is therefore always possible for lossy channels and does not introduce any error [44].
For an explicit computation of BS attacks, see VI.B.

[44] For some sources, this attack simply does not give Eve any information: for a perfect single-photon source, if the photon goes to Eve, nothing goes to Bob, and vice versa.

When the signal can consist of more than one photon, Eve can count the number of photons in each signal and act differently according to the result $n$ of this measurement. Such attacks are called photon-number splitting (PNS) attacks (Bennett, 1992; Brassard et al., 2000; Dušek, Haderka and Hendrych, 1999; Lütkenhaus, 2000) and can be much more powerful than the BS attack. They were discovered as zero-error attacks against BB84 implemented with weak laser pulses; in the typical parameter regime of QKD, even the Poissonian photon number distribution can be preserved (Lütkenhaus and Jahma, 2002), so that the PNS attack cannot be detected even in principle as long as one known signal intensity is used. To use different intensities in order to detect PNS attacks is the idea behind the decoy states method (Hwang, 2003; Lo, Ma and Chen, 2005; Wang, 2005). Also the distributed-phase-reference protocols detect the PNS attacks (Inoue and Honjo, 2005; Stucki et al., 2005).

Finally, we mention the possibility of attacks based on unambiguous state discrimination (USD) followed by resend of a signal (Dušek, Jahma and Lütkenhaus, 2000). These can be part of a PNS attack (Scarani, Acín, Ribordy and Gisin, 2004) or define an attack of its own (Branciard et al., 2007; Curty et al., 2007); they are clearly zero-error attacks and modify the photon-number statistics in general.

Of course, a quantum side-channel may hide in any imperfect component of the device (e.g., a polarizer which would also distort the wave function according to the chosen polarization). The list of the possibilities is unbounded, whence the need for careful testing [45].

[45] Some very specific protocols and the corresponding security proofs can be made robust against such imperfections (Acín et al., 2007).

4. Hacking on Practical QKD

In practical QKD, the security concerns are not limited to the computation of security bounds for Eve's action on the quantum channel. Any specific implementation must be checked against hacking attacks and classical leakage of information.

Hacking attacks are related to the weaknesses of an implementation. A first common feature of hacking attacks is that they are feasible, or almost feasible, with present-day technology. The best-known example is the family of Trojan Horse Attacks, in which Eve probes the settings of Alice's and/or Bob's devices by sending some light into them and collecting the reflected signal (Vakhitov, Makarov and Hjelme, 2001). Actually, the first kind of hacking attack that was considered is a form of Trojan Horse that would come for free: it was in fact noticed that some photon counters (silicon-based avalanche photo-diodes) emit some light at various wavelengths when they detect a photon (Kurtsiefer et al., 2001). If this light carries some information about which detector has fired, it must be prevented from propagating out, where Eve could detect it. On these two examples, one sees also the second common feature of all hacking attacks, namely, that once they have been noticed, they can be countered by adding some component. In all setups where light goes only one way (out of Alice's lab and into Bob's lab), the solution against Trojan Horse attacks consists in simply putting an optical isolator; in implementations where light must go both ways (typically, the Plug & Play setups), the solution is provided by an additional monitoring detector (Gisin et al., 2006).

Apart from Trojan Horses, other hacking attacks have been invented to exploit potential weaknesses of specific implementations, e.g. faked state attacks (Makarov and Hjelme, 2005; Makarov et al., 2006; Makarov and Skaar, 2008), phase-remapping attacks (Fung et al., 2007), time-shift attacks (Qi, Fung et al., 2007; Zhao et al., 2008). It has also been noticed that a too precise timing disclosed in the Alice-Bob synchronization protocol may disclose information about which detector actually fired (Lamas-Linares and Kurtsiefer, 2007).

5. A crutch: the "uncalibrated-device scenario"

As stressed, all the errors and losses in the quantum channel must be attributed to Eve's intervention. But in a real experiment, there are errors and losses also inside the devices of the authorized partners. In particular, the detectors have finite efficiency (losses) and dark counts (errors); these values are known to the authorized partners, through calibration of their devices. A security proof should take this fact into account.

The task of integrating this knowledge into security proofs, however, has proved harder than one might think. In general, the naive approach, consisting in taking an attack and removing the device imperfections from the parameters used in privacy amplification, gives only an upper bound, even at the level of individual attacks [46]. In particular, unconditional security proofs, whenever available, have been provided only under the assumption that all the losses and all the errors are attributed to Eve and must therefore be taken into account in privacy amplification. We refer to this assumption as the uncalibrated-device scenario, because everything happens as if Alice and Bob had no means of distinguishing the losses and errors of their devices from those originating in the channel [47].

[46] Consider a PNS attack (III.B.3) on BB84 implemented with weak coherent pulses, and focus on the pulses for which Eve has found $n = 2$ photons. The obvious PNS attack consists in Eve keeping one photon in a quantum memory and sending the other one to Bob, because in this case she obtains full information and introduces no error. But there is no information on non-detected photons: in particular, if Eve cannot control the losses in Bob's apparatus $t_B$ and the detector efficiency $\eta$, her information rate on such events will be $I_{2\to 1+1} = t_B\eta$. Now, consider another strategy: Eve applies a quantum cloner $2 \to 3$, keeps one photon and sends the other two to Bob. Since no perfect cloning is possible, this introduces an error $\varepsilon_2$ on Bob's side and Eve's information on each detected bit is $I(\varepsilon_2) < 1$. But Eve's information rate is $I_{2\to 2+1} = [1 - (1 - t_B\eta)^2]\, I(\varepsilon_2) \approx 2 t_B \eta\, I(\varepsilon_2)$ and can therefore become larger than $I_{2\to 1+1}$. The full analysis must be done carefully, taking into account the observed total error rate; in the family of individual attacks, the cloning strategy performs indeed better than the "obvious" one for typical values of $t_B\eta$ (Curty and Lütkenhaus, 2004; Niederberger, Scarani and Gisin, 2005). Note that there is no claim of optimality in this example: another attack may be found that performs still better.

These issues have been raised in a non-uniform way in the literature. Most of the discussions have taken place for discrete-variable protocols; the security studies of distributed-phase-reference protocols are in a too early stage, but will surely have to address the question. The case of CV QKD may prove different because of the difference in the detection process (homodyne detection instead of photon counting).
[47] The name "uncalibrated-device scenario" is proposed here for the first time. In the literature, the assumption used to be named "untrusted-device scenario"; but this name is clearly inadequate (see II.C.1 for the elements that must be always trusted in a QKD setup, and VIII.A.3 for those that may not be trusted in some very specific protocols).

At the moment of writing, the uncalibrated-device scenario is still a necessary condition to derive lower bounds. In the following sections, we shall work with this scenario. In IV.C and VII.B.2, we shall compare the best available lower bounds with the upper bounds obtained with a naive approach to calibrated devices: we shall show (for the first time explicitly, to our knowledge) that in some cases the two bounds coincide for every practical purpose. In VIII.A.2, we summarize the status of this open problem.

IV. DISCRETE-VARIABLE PROTOCOLS

A. Generic Assumptions and Tools

As argued in Sec. III.B.5, in order to present lower bounds as they are available today, we work systematically in the uncalibrated-device scenario; paragraph IV.C will present how to derive an upper bound for calibrated devices.

1. Photon-number statistics

We suppose that each signal is represented by a diagonal state in the photon-number basis, or in other words, that there is no phase reference available and no coherence between successive signals [48]. Thus, Alice's source can be described as sending out a pulse that contains $n$ photons with probability $p_A(n)$; Eve can learn $n$ without modifying the state, so this step is indeed part of the optimal collective attack (Eve may always choose not to take advantage of this information).

[48] In some cases like Plug&Play implementations, the randomization of the phase should in principle be ensured actively (Gisin et al., 2006; Zhao, Qi and Lo, 2008).

The statistical parameters that describe a key exchange are basically detection rates and error rates [49]. Here are the main notations:

• $R$: total detection rate;
• $R_n$: detection rate for the events when Alice sent $n$ photons ($\sum_n R_n = R$);
• $Y_n = R_n/R$: a convenient notation ($\sum_n Y_n = 1$);
• $R^w_n$: wrong counts among the $R_n$;
• $\varepsilon_n = R^w_n/R_n$: the error rate on the $n$-photon signals;
• $Q = \sum_n Y_n \varepsilon_n$: the total error rate (QBER).

[49] We assume that these parameters are independent of Bob's measurements, either because they are really measured to be the same for all bases (a reasonable case in practice), or because, after the sifting procedure, Alice and Bob forget from which measurement each bit was derived and work with average values.

Concerning photon statistics on Bob's side, it is important to notice the following. If the channel introduces random losses, the photons that enter Bob's device are distributed according to $p^t_B(k) = \sum_{n \ge k} p_A(n)\, C^k_n\, t^k (1-t)^{n-k}$ where $C^k_n = \frac{n!}{k!\,(n-k)!}$ is the binomial factor; one could compute $R_n$ from this value and the details of the protocol. However, Eve can adapt her strategy to the value of $n$, so the photon-number statistics $p_B(k)$ on Bob's side may be completely different from $p^t_B(k)$ (Lütkenhaus and Jahma, 2002).

2. Qubits and Modes

Many, though not all, security proofs can be obtained by finding qubit protocols in the optical implementations that work with optical modes.

a. Sources: Tagging. On the source side, this can be done by 'tagging', by assuming that all multi-photon signals (with respect to the total signal) become fully known to an eavesdropper. This leaves us effectively with qubits, using the single photons and the coding degree of freedom, for example polarization or relative phase between two modes. This method has been used in (Inamori, Lütkenhaus and Mayers, 2001-2007; Lütkenhaus, 2000), but the term tagging has been introduced only in (Gottesman, Lo, Lütkenhaus and Preskill, 2004). Note that security proofs can be done without this assumption, e.g. in the case of the SARG protocol.

b. Detectors: Squashing. Detectors act on optical modes, and typically threshold detectors are used that cannot resolve the incoming photon number. Some security proofs (Koashi, 2006; Mayers, 1996, 2001) can directly deal with this situation. In other security proofs one has to search through all possible photon numbers of arriving signals to prove that it is Eve's optimal strategy to send preferentially single photons to Bob (Lütkenhaus, 1999). It was there realized that double clicks in detection devices, resulting from multi-photon signals or dark counts, cannot be simply ignored, as a security loophole would open up [50]. As a countermeasure, (Lütkenhaus, 1999, 2000) introduced the random assignment of double clicks to the values corresponding to single-click events. The concept of squashing, originally introduced in a continuous variable context (Gottesman and Preskill, 2001), has been coined in (Gottesman, Lo, Lütkenhaus and Preskill, 2004), where it is assumed that the detection device can be described by a two-step process: in a first step, the optical signal is mapped (squashed) into a single photon (qubit), and then the ideal measurement in the qubit description is performed. Only recently, it has been shown that a squashing model actually exists for the BB84 protocol (Beaudry, Moroder and Lütkenhaus, 2008; Tsurumaru and Tamaki, 2008) with the given assignment of double clicks to random single detector clicks. Actually, in (Beaudry, Moroder and Lütkenhaus, 2008), a framework has been developed to find squashing maps for different detector set-ups, including the implementation of passive basis choice in the BB84 protocols via a beamsplitter. Note that the existence of a squashing model should not be taken for granted, as for example the six-state protocol does not admit a squashing model. However, a six-state protocol measurement with a passive basis choice via a linear optics array admits a squashing model for suitable assignment of multi-clicks (Beaudry et al., 2008b).
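The effect of the two double-click policies discussed above can be checked by exact enumeration. The following is an added example, not code from the paper: it models the bright-pulse intercept/resend scenario of the paper's footnote 50 under the simplifying assumptions that Eve probes every pulse and that a bright pulse measured in the wrong basis always produces a double click; the function names and the use of the 11% critical QBER as an abort threshold are choices made for this illustration.

```python
from fractions import Fraction
from itertools import product

BASES = ("Z", "X")
HALF = Fraction(1, 2)

def sifted_statistics(double_click_policy):
    """Exact statistics of Bob's sifted key under the assumed model.

    double_click_policy: "discard" (drop double clicks) or
                         "random"  (assign a uniformly random bit).
    Returns (kept fraction of sifted events, QBER,
             probability that Eve's bit equals Bob's recorded bit).
    """
    if double_click_policy not in ("discard", "random"):
        raise ValueError("unknown policy")
    sifted = kept = errors = eve_match = Fraction(0)
    for a_basis, a_bit, e_basis, b_basis in product(BASES, (0, 1), BASES, BASES):
        p = Fraction(1, 16)              # uniform choices of all parties
        if a_basis != b_basis:
            continue                      # removed by sifting
        sifted += p
        # Eve's measurement: deterministic in Alice's basis, random otherwise.
        if e_basis == a_basis:
            eve_outcomes = [(a_bit, Fraction(1))]
        else:
            eve_outcomes = [(0, HALF), (1, HALF)]
        for e_bit, pe in eve_outcomes:
            if b_basis == e_basis:
                bob_outcomes = [(e_bit, Fraction(1))]   # single click
            elif double_click_policy == "discard":
                bob_outcomes = []                        # event dropped
            else:
                bob_outcomes = [(0, HALF), (1, HALF)]    # random assignment
            for b_bit, pb in bob_outcomes:
                w = p * pe * pb
                kept += w
                errors += w * (b_bit != a_bit)
                eve_match += w * (b_bit == e_bit)
    return kept / sifted, errors / kept, eve_match / kept

def passes_qber_check(qber, threshold=Fraction(11, 100)):
    """Parameter-estimation check against the one-way critical QBER of 11%."""
    return qber < threshold

if __name__ == "__main__":
    for policy in ("discard", "random"):
        kept, qber, match = sifted_statistics(policy)
        print(f"{policy:8s} kept={kept} QBER={qber} "
              f"P[Eve=Bob]={match} accepted={passes_qber_check(qber)}")
```

With double clicks discarded the retained key is error-free and fully correlated with Eve's record, so the QBER check passes; with random assignment the same channel shows a QBER of 1/4 and the run is rejected.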
Note again that it is not necessary to find a squash- ing model to prove security, but it is certainly an ele- gant short cut, as now the combination of tagging in the source and squashing in the detector allows to reduce the security analysis of QKD to qubit protocols. For the re- mainder of this review, however, we adopt the squashing model view. 3. Secret key rate The bound for the secret fraction is (21). In the case of the protocols under study, H(A) = H(B) = 1 and H(A|B) = H(B|A) = h(Q), where h is binary entropy and Q is the QBER. Therefore I(A : B) = 1 − h(Q). However, we want to provide formulas that take imper- 50 A simple attack exploiting this loophole goes as follows: Eve per- forms an intercept/resend attack and resend a pulse containing a large number of photons in the detected polarization. If Bob measures in the same basis as Eve, he will receive a single detec- tor click, about which Eve has full information. If Bob measures in a different basis, he will receive almost always double clicks, which he would discard. Therefore Eve has perfect information about all signals retained by Eve, allowing her to break the QKD scheme.
  • 28. 28 fect error correction into account. Therefore we shall use K = R [1 − leakEC(Q) − IE] (25) with leakEC(Q) ≥ h(Q) and IE = min (IAE, IBE). Let us study this last term. Eve gains information only on the non-empty pulses, and provided Bob detects the photon she has forwarded. Since, due to the squashing model, the exponential De Finetti theorem applies to discrete- variable protocols (see discussion in Sec. III.B.2), and since the optimal collective attack includes the measure- ment of the number of photons, the generic structure for the Eve’s information reads51 IE = max Eve n Yn IE,n (26) where, as usual, the maximum is to be taken on all Eve’s attacks compatible with the measured parameters. B. BB84 coding: lower bounds In the BB84 coding, the probability that Bob accepts an item depends only on the fact that he has used the same basis as Alice, which happens with probability psift. Therefore, writing ˜νS = νS psift, we have Rn = ˜νS pA(n) fn (27) where fn is the probability that Eve forwards some sig- nal to Bob for n-photon pulses. Eve’s attack must be optimized over the possible {fn}n≥0 compatible with n Rn = R. Now we consider different implementations of this coding. 1. Prepare-and-Measure: Generalities In P&M BB84, IAE = IBE. On the events when Al- ice sends no photons (n = 0) but Bob has a detection, the intuitive result IE,0 = 0 (Lo, 2005) has indeed been proved (Koashi, 2006b). On the single-photon pulses, Eve can gain information only at the expense of intro- ducing an error ε1; the maximal information that she can obtain this way is IE,1 = h(ε1) where h is binary entropy (Shor and Preskill, 2000). A possible demonstration of this well-known result is given in Appendix A. For multi- photon pulses, the best attack is the PNS attack in which Eve forwards one photon to Bob and keeps the others: i.e. 
for n ≥ 2, εn = 0 and IE,n = 1 (Fung, Tamaki and Lo, 51 More explicitly, this formula should read IE = min (IAE, IBE) with IAE = maxEve n Yn IAE,n and similarly for IBE. In the development of QKD, this formula was derived first for BB84 (Gottesman, Lo, L¨utkenhaus and Preskill, 2004), then for SARG04 (Fung, Tamaki and Lo, 2006), then generalized to all discrete-variable protocols (Kraus, Branciard and Renner, 2007). 2006; Gottesman, Lo, L¨utkenhaus and Preskill, 2004; Kraus, Branciard and Renner, 2007). Therefore (26) be- comes IE = max Eve Y1h(ε1) + 1 − Y0 − Y1 = 1 − min Eve {Y0 + Y1[1 − h(ε1)]} . (28) 2. P&M without decoy states In P&M schemes without decoy states, the only mea- sured parameters are R and Q. We have to assume εn≥2 = 0; therefore we obtain ε1 = Q/Y1. From this and (28), we see52 that Eve’s optimal attack compatible with the measured parameters is the one which minimizes Y1, a situation which is obviously achieved by setting f0 = 0 and fn≥2 = 1. One finds then Y1 = 1 − (˜νS/R) pA(n ≥ 2) . (29) As a conclusion, for BB84 in a P&M scheme without decoy states, the quantity to be subtracted in PA is IE = 1 − Y1[1 − h(Q/Y1)] ; (30) the corresponding achievable secret key rate (25) is K = R [Y1 (1 − h(Q/Y1)) − leakEC(Q)] (31) where Y1 is given in (29). As expected, K contains only quantities that are known either from calibration or from the parameter estimation of the protocol (R, Q). 3. P&M with decoy states The idea of decoy states is simple and deep. Alice changes the nature of the quantum signal at random during the protocol; at the end of the exchange of quan- tum signals, she will reveal which state she sent in each run. This way, Eve cannot adapt her attack to Al- ice’s state, but in the post-processing Alice and Bob can estimate their parameters conditioned to that knowl- edge. 
The first proposal using one- and two-photon signals (Hwang, 2003) was rapidly modified to the more realistic implementation in which Alice modulates the intensity of the laser (Lo, Ma and Chen, 2005; Wang, 2005). As we mentioned, several experiments have already been performed (Ma et al., 2006; Peng et al., 2007; Rosenberg et al., 2007; Yuan, Sharpe and Shields, 2007; Zhao et al., 2006), more recently even including finite-key effects (Hasegawa et al., 2007).

$^{52}$ First proved in (Inamori, Lütkenhaus and Mayers, 2001-2007) in the context of unconditional security.

Let $\xi$ be some tunable parameter(s) in the source, the typical example being $\xi = \mu$ the intensity (mean photon-number) of a laser. Alice changes the value of $\xi$ randomly
from one pulse to the other; at the end of the exchange of quantum signals, Alice reveals the list of values of $\xi \in X$, and the data are sorted in order to estimate the parameters separately for each value. With this simple method, Alice and Bob measure $2|X|$ parameters, namely the $R^\xi$ and the $Q^\xi$. The set $X$ is publicly known as part of the protocol; but if $|X| > 1$, Eve cannot adapt her strategy to the actual value of $\xi$ in each pulse, because she does not know it. Therefore, $f_n$ and $\varepsilon_n$ are independent of $\xi$; in particular, $R_n^\xi = \tilde{\nu}_S\, p_A(n|\xi)\, f_n$. The measured parameters

$$R^\xi = \sum_{n \geq 0} R_n^\xi \quad \text{and} \quad Q^\xi = \sum_{n \geq 0} \frac{R_n^\xi}{R^\xi}\, \varepsilon_n \tag{32}$$

define a linear system with $2|X|$ equations for the $f_n$ and the $\varepsilon_n$. The optimization in (28) must then be performed using the lower bounds for $Y_1^\xi$ and the upper bound for $\varepsilon_1$ as obtained from the measured quantities $\{R^\xi, Q^\xi\}_{\xi \in X}$ (Tsurumaru, Soujaeff, Takeuchi, 2008). In practice, the meaningful contributions are typically the $n = 0, 1, 2$ terms, and a decoy-state protocol with $|X| = 3$ comes very close to an exact determination (Hayashi, 2007b).

For simplicity, here we suppose that all the $f_n$ and $\varepsilon_n$ have been determined exactly$^{53}$. Also, we consider a protocol in which the classical post-processing that extracts a key is done separately on the data that correspond to different $\xi$. For each $\xi$, the quantity to be subtracted in PA is$^{54}$

$$I_E^\xi = 1 - Y_0^\xi - Y_1^\xi [1 - h(\varepsilon_1)] \tag{33}$$

with $Y_{0,1}^\xi = R_{0,1}^\xi / R^\xi$ and the corresponding achievable secret key rate is

$$K^\xi = R^\xi \left[ Y_0^\xi + Y_1^\xi (1 - h(\varepsilon_1)) - \mathrm{leak}_{EC}(Q^\xi) \right]. \tag{34}$$

The total secret key rate is $K = \sum'_\xi K^\xi$, where the sum is taken on all the values of $\xi$ such that $K^\xi \geq 0$. If the classical post-processing were done on the whole raw key, the total secret key rate would read $K = R[1 - \mathrm{leak}_{EC}(Q)] - \sum_\xi R^\xi I_E^\xi$. The two expressions coincide if there exists a $\xi$ which is used almost always.

4. P&M: analytical estimates

Alice and Bob can optimize $K$ by playing with the parameters of the source, typically the intensity.
A rigorous optimization can be done only numerically. In this paragraph, we re-derive some often-quoted results for P&M implementations of BB84. For this a priori estimate, one has to assume that some "typical" values for the $R_n$ and the $Q_n$ will indeed be observed. As stressed above, security must be based on the actually measured values: what follows provides only guidelines to start working with the correct orders of magnitude. Here, we chose to work in a regime in which the rate of detection of true photons is much larger than the dark count rate. For simplicity, we also assume optimal error correction, so that $\mathrm{leak}_{EC}(Q) = h(Q)$.

$^{53}$ As a side remark: one might find $\varepsilon_{n \geq 2} > 0$, but this does not modify the discussion in Sec. IV.B.1 about the optimal attack. Indeed, Eve might have performed the attack that gives $\varepsilon_{n \geq 2} = 0$, then added some errors "for free".

$^{54}$ Note the presence of $Y_0^\xi$ in the next two equations.

The reference case is the case of single-photon sources, for which the meaningful scheme is P&M without decoy states. For this source, $p_A(1) = 1$ therefore $Y_1 = 1$; the expected detection rate is $R = \tilde{\nu}_S\, t\, t_B \eta$, and Eq. (31) yields immediately

$$K \approx \tilde{\nu}_S\, t\, t_B \eta\, [1 - 2h(Q)] \quad \text{(single photon)}. \tag{35}$$

As expected, $K$ scales linearly with the losses in the line and the efficiency of the detector.

The most widespread sources in P&M schemes are attenuated lasers. The estimate can be made by considering only the single-photon and the two-photon emissions: $p_A(1) = \mu e^{-\mu}$, $p_A(2) = \mu^2 e^{-\mu}/2$. The expected detection rate is $R = \tilde{\nu}_S\, \mu\, t\, t_B \eta$. The important feature, which is absent in the study of single-photon sources, is the existence of an optimal value for the intensity $\mu$, a compromise between a large $R$ and a small $p_A(2)$.

We focus first on implementations without decoy states. We can set $p_A(1) \approx \mu$ and $p_A(2) \approx \mu^2/2$, but still, the optimal value of $\mu$ cannot be estimated exactly in general, because $Y_1 = 1 - \frac{\mu}{2\, t\, t_B \eta}$ depends on $\mu$ and appears in a non-algebraic function.
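The numerical optimization referred to above, as an added Python sketch (not code from the paper): it maximizes Eq. (31), with $Y_1$ from Eq. (29) and the exact Poissonian $p_A(n \geq 2)$, over $\mu$ on a grid, and compares the result with the decoy-state expression obtained from Eq. (34) later in this subsection. The error rate Q = 0.02 and the transmissions T (standing for $t\, t_B \eta$) are constructed sample values; dark counts are neglected and $\mathrm{leak}_{EC}(Q) = h(Q)$, as in the text's estimate.

```python
import math


def h(x):
    """Binary entropy in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def k_no_decoy(mu, T, Q):
    """Eq. (31) per sifted pulse (K / nu_S~), with Y1 from Eq. (29).

    T is the total transmission t * t_B * eta and Q the measured error rate.
    Poissonian source, dark counts neglected, leak_EC(Q) = h(Q).
    """
    R = mu * T                                         # expected detection rate
    p_multi = -math.expm1(-mu) - mu * math.exp(-mu)    # exact p_A(n >= 2)
    Y1 = 1.0 - p_multi / R                             # Eq. (29): f_0 = 0, f_{n>=2} = 1
    if Y1 <= 0.0:
        return 0.0   # multi-photon pulses alone account for every detection
    eps1 = min(Q / Y1, 0.5)                            # all errors charged to n = 1
    return R * (Y1 * (1.0 - h(eps1)) - h(Q))


def k_decoy(mu, T, Q):
    """Decoy-state estimate: Eq. (34) with Y0 = 0, Y1 = exp(-mu), eps1 = Q."""
    return mu * T * (math.exp(-mu) * (1.0 - h(Q)) - h(Q))


def optimise(rate, T, Q, mu_max, steps=20000):
    """Grid search on 0 < mu <= mu_max.

    Returns (mu_opt, K_max, mu_crit); mu_crit is the first grid point above
    mu_opt where the rate is no longer positive (None if not reached).
    """
    grid = [mu_max * (i + 1) / steps for i in range(steps)]
    values = [rate(mu, T, Q) for mu in grid]
    best = max(range(steps), key=values.__getitem__)
    mu_crit = next((grid[i] for i in range(best + 1, steps) if values[i] <= 0.0), None)
    return grid[best], values[best], mu_crit


def estimate_no_decoy(T, Q):
    """Closed-form estimate of Eqs. (36)-(37): (mu_opt, K_max / nu_S~)."""
    F = 1.0 - h(2.0 * Q) - h(Q)
    mu = T * F / (1.0 - h(2.0 * Q))
    return mu, 0.5 * mu * F * T


if __name__ == "__main__":
    Q = 0.02                              # constructed sample error rate
    for T in (1e-1, 1e-2, 1e-3):          # constructed sample transmissions
        mu_n, k_n, crit_n = optimise(k_no_decoy, T, Q, mu_max=3.0 * T)
        mu_d, k_d, _ = optimise(k_decoy, T, Q, mu_max=3.0)
        mu_e, k_e = estimate_no_decoy(T, Q)
        print(f"T = {T:.0e}")
        print(f"  no decoy, grid search : mu_opt = {mu_n:.3e}  K = {k_n:.3e}"
              f"  mu_crit/mu_opt = {crit_n / mu_n:.2f}")
        print(f"  no decoy, Eqs (36,37) : mu_opt = {mu_e:.3e}  K = {k_e:.3e}")
        print(f"  decoy,    grid search : mu_opt = {mu_d:.3f}      K = {k_d:.3e}")
```

With these inputs the no-decoy optimum drops by a factor of about 100 for each factor 10 in T, while the decoy-state rate drops by a factor 10.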
Let us then consider first the limiting case $Q = 0$: Eq. (31) becomes $K/\tilde{\nu}_S \approx \mu\, t\, t_B \eta - \mu^2/2$, whose maximal value is $\frac{1}{2}(t\, t_B \eta)^2$ obtained for $\mu_0 = t\, t_B \eta$ (Lütkenhaus, 2000). To obtain estimates for the $Q > 0$ case, we can make the approximation of using $\mu_0$ to compute $Y_1$, i.e. to set $Y_1 = \frac{1}{2}$. Then, the optimization of Eq. (31) is also immediate: writing $F(Q) = 1 - h(2Q) - h(Q)$, the highest achievable secret key rate is

$$\frac{K}{\tilde{\nu}_S\, t\, t_B \eta} \approx \frac{1}{2}\, \mu_{\mathrm{opt}}\, F(Q) \quad \text{(laser, no decoy)} \tag{36}$$

obtained for the optimal mean photon number

$$\mu_{\mathrm{opt}} \approx t\, t_B \eta\, \frac{F(Q)}{1 - h(2Q)}. \tag{37}$$

Let us now perform the estimate for an implementation using decoy states. The decoy consists in varying the intensity of the laser from one pulse to the other, so that the general parameter $\xi$ is in fact $\mu$. We suppose that a given value $\mu$ is used almost always (and this one we want to optimize), while sufficiently many decoy values are used in order to provide a full parameter estimation. The expected values are $R^\mu = \tilde{\nu}_S\, \mu\, t\, t_B \eta$, $R_1^\mu = \tilde{\nu}_S\, \mu e^{-\mu}\, t\, t_B \eta$ and $\varepsilon_1 = Q$. Inserted into Eq. (34),
one obtains $K \approx \tilde{\nu}_S\, \mu\, t\, t_B \eta\, [e^{-\mu}(1 - h(Q)) - h(Q)]$; using $e^{-\mu} \approx 1 - \mu$, this expression reaches the maximal value

$$\frac{K}{\tilde{\nu}_S\, t\, t_B \eta} \approx \frac{1}{2}\, \mu_{\mathrm{opt}}\, [1 - 2h(Q)] \quad \text{(laser, decoy)} \tag{38}$$

for the optimal mean photon number

$$\mu_{\mathrm{opt}} \approx \frac{1}{2} \left[ 1 - \frac{h(Q)}{1 - h(Q)} \right]. \tag{39}$$

Let us summarize. Without decoy states, $\mu_{\mathrm{opt}} \sim t$ and consequently $K \propto t^2$: the larger the losses, the more attenuated must the laser be. The reason is PNS attacks: Alice must ensure that Eve cannot reproduce the detection rate at Bob's by using only photons that come from 2-photon pulses (on which she has full information). With decoy states, one can determine the fraction of detections that involve photons coming from 2-photon pulses; if this fraction is as low as expected, one can exclude a PNS attack by Eve — as a benefit, the linear scaling $K \propto t$ is recovered. This is the same scaling obtained with single-photon sources, with the obvious benefit that lasers are much more versatile and well-developed than strongly sub-Poissonian sources. Another interesting remark is that, both with and without decoy states, $\mu_{\mathrm{opt}} \approx \frac{1}{2} \mu_{\mathrm{crit}}$, where the critical value $\mu_{\mathrm{crit}}$ is defined as the one for which $K \approx 0$. In other words, an intensity double the optimal one is already enough to spoil all security. In implementations without decoy states, where $\mu$ decreases with $t$, this calibration may be critical at long distances.

5. Entanglement-Based

If Alice holds the down-conversion source, as is the case in almost all the EB QKD experiments performed to date$^{55}$, an EB scheme is equivalent to a P&M one (see II.B.2) so the corresponding security proofs could be applied. The only specific difference to address concerns the events in which more than one pair is produced inside a coincidence window. As described in Sec.
II.E.3, two kinds of such contributions exist and Eve is able to distinguish between them:

• A fraction of the multi-pair events contain partial correlations in the degrees of freedom used for symbol encoding; thus, Eve can get information on the key bit by some form of PNS attacks. This situation is similar to the multi-photon case in P&M schemes, although here it is difficult to determine exactly the amount of information that leaks out. To be on the safe side we will suppose that Eve can obtain full information without introducing any errors.

• The other, usually much larger fraction of multi-pair events consists of independent uncorrelated pairs. In this case Eve cannot obtain any information on Bob's symbol using the PNS attack. She can only apply "standard" single particle attack. We suppose that Eve can somehow find out which one of multiple pairs were selected by Alice's detector, so we treat all such multi-pair contributions as if they were single pairs.

$^{55}$ We are aware of a single case, in which the source was in the middle (Erven et al., 2008). As we shall discuss below in this paragraph, security proofs have been provided also for this situation.

Therefore Eq. (28) is replaced by

$$I_E \leq Y'_m + Y'_1\, h\!\left( \frac{Q}{Y'_1} \right), \tag{40}$$

where $Y'_1$ is the fraction of single-pair plus uncorrelated multi-pair events and $Y'_m$ is the fraction of multi-pair events which are (partially) correlated in the degree of freedom the information is encoded in. Explicitly,

$$Y'_m = p_A(n \geq 2)\, \frac{\tilde{\nu}_S}{R}\, \zeta \tag{41}$$

with $\zeta$ being the ratio of the number of partially correlated multi-pair contributions to all multi-pair contributions (see Sec. II.E.3). In total $Y'_m + Y'_1 = 1$. Finally, the achievable secret-key rate reads

$$K = R\, [Y'_1 (1 - h(Q/Y'_1)) - \mathrm{leak}_{EC}(Q)]. \tag{42}$$

Recall that these formulas apply to implementations, in which the source is safe on Alice's side.
Notice also that two different sorts of multi-pair contributions are considered and for each of them a different eavesdropping strategy is assumed. However, in reality there is a smooth transition between correlated and uncorrelated pairs. All multi-pair events which exhibit non-negligible correlations must be counted as correlated.

Recently security has been demonstrated also for EB systems, in which the source is under Eve's control (Ma, Fung and Lo, 2007). The authors describe the conditions, under which the whole object "Eve's state preparation and Alice's measurement" behaves like an uncharacterized source in the sense of Koashi and Preskill (Koashi and Preskill, 2003). Alice has a box where she can dial a basis and gets an information bit from her box indicating which signal (0 or 1) was sent. Whatever state Eve prepares, when she gives one part into Alice's box and Alice chooses a measurement, then the average density matrix outside this box is independent of this choice (assuming that the no-click event probability is basis independent).$^{56}$ On Alice's side no Hilbert space argument is needed, but on Bob's side the squashing property of the detection is required (see IV.A.2). The formula for the achievable secret-key rate then reads

$$K = R\, [1 - h(Q) - \mathrm{leak}_{EC}(Q)]. \tag{43}$$

Formally, this is the same as obtained in a P&M scheme using single photons [Eq. (31) with $Y_1 = 1$]. As such, it is a remarkable result: it states that, under the assumptions listed above, all the deviations from a perfect two-photon source — in particular, the presence of multi-photon components — are taken care of by measuring the error rate $Q$ (Koashi and Preskill, 2003).

Besides, it has been found that the EB QKD can tolerate higher losses if the source is placed in the middle between Alice and Bob rather than if it is in Alice's side (Ma, Fung and Lo, 2007; Waks, Zeevi and Yamamoto, 2002).

Finally, we note that very recently another proof of the security of entanglement-based systems with real detectors was proposed, that does not rely on the squashing property but rather on the measurement of the double-click rate (Koashi et al., 2008).

$^{56}$ This is clearly true for an active basis choice. In case of the passive basis selection some additional assumptions on the detection may be necessary.

C. BB84 coding: upper bounds incorporating the calibration of the devices

As explained in Sec. III.B.5, the bounds for unconditional security are always found for the uncalibrated-device scenario, which is over-pessimistic. It is instructive to present some upper bounds that take the calibration of the devices into account: the comparison between these and the lower bounds will determine the "realm of hope", i.e. the range in which improvements on $K$ may yet be found. Clearly, the contribution $\mathrm{leak}_{EC}(Q)$ of error correction is independent of the scenario: one has to correct for all the errors, whatever their origin. The difference appears in the quantity to be removed in privacy amplification.

1. Statistical parameters

In order to single out the parameters of the devices, one has first to recast the general notations (IV.A.1) in a more elaborated form.
The detection rates must be explicitly written as

$$R_n = R_{n,p} + R_{n,d} \tag{44}$$

where $R_{n,p}$ is the contribution of detections and $R_{n,d}$ is the contribution of dark counts. Since Eve can act only on the first part, it is convenient to redefine $Y_n = R_{n,p}/R$, so that $\sum_n Y_n \equiv Y < 1$. The errors on the line $\varepsilon_n$ are introduced only on the photon contribution, while the dark counts always give an error rate of $\frac{1}{2}$; therefore the total error is

$$Q = Y \varepsilon + \delta \tag{45}$$

where $\varepsilon = \sum_{n \geq 1} \frac{Y_n}{Y}\, \varepsilon_n$ and $\delta = \frac{1 - Y}{2}$. Note that the content of this paragraph is not specific to BB84; but all that follows is.

2. Upper bounds

To derive an upper bound, we use a simple recipe, which consists in following closely the calculations of the previous subsection IV.B and just making the necessary modifications, although this is known to be sub-optimal and no squashing model is known in this situation to justify the assumption. In particular, Eve is still supposed to forward to Bob at most one photon, although this is known to be sub-optimal. Therefore

$$R_{n,p} = \tilde{\nu}_S\, p_A(n)\, f_n\, t_B \eta \tag{46}$$

$$R_{n,d} = \tilde{\nu}_S\, p_A(n)\, (1 - f_n\, t_B \eta)\, 2 p_d \tag{47}$$

where $p_d$ is the dark count rate. Note the presence of $t_B \eta$ in these formulas: the detector efficiency has not been incorporated into $f_n$. Extracting $f_n\, t_B \eta$ from these equations, one finds

$$Y = (1 - 2 p_d\, \tilde{\nu}_S / R) / (1 - 2 p_d) \tag{48}$$

which means that the ratio between detections and dark counts depends only on the total detection rate $R$. Also, for our simple recipe, it is immediate that the modification of the general expression (28) reads

$$I_E = \max_{\mathrm{Eve}} \left[ Y_1 h(\varepsilon_1) + Y - Y_1 \right] = Y - \min_{\mathrm{Eve}} Y_1 [1 - h(\varepsilon_1)]. \tag{49}$$

We restrict now to the P&M schemes. In the implementation with decoy states, the $Y_n$ and the $\varepsilon_n$ are known, so the only difference with the uncalibrated-device formula (34) is the role of dark counts:

$$K^\xi = R^\xi \left[ Y_1^\xi (1 - h(\varepsilon_1)) + 2\delta^\xi - \mathrm{leak}_{EC}(Q^\xi) \right] \tag{50}$$

where $Y_0$ is replaced by the very slightly larger term$^{57}$ $2\delta^\xi = 1 - Y^\xi$.
Things are different for the implementation without decoy states, because now $Y_1$ and $\varepsilon_1$ are not directly measured, only $R$ and $Q$ are. Since we are supposing that the optimal strategy is still such that $\varepsilon_{n \geq 2} = 0$ and $f_{n \geq 2} = 1$, we have

$$Y_1 = Y - t_B \eta\, \frac{\tilde{\nu}_S}{R}\, p_A(n \geq 2) \quad \text{and} \quad \varepsilon_1 = \frac{Q - \delta}{Y_1}. \tag{51}$$

$^{57}$ In the notation of this paragraph, the previous $Y_0$ would read $R_0/R = R_{0,d}/R$; while $2\delta = \sum_{n \geq 0} R_{n,d}/R$. Note that, strictly speaking, $R_0 = R_{0,d}$ is an assumption: a priori, one can imagine that Eve creates some photons to send to Bob also when Alice is sending no photons — but we don't consider here such a highly artificial situation.
Note that $Y_1$ can be significantly larger than in the uncalibrated-device scenario, eq. (29): in fact, although $Y$ is slightly smaller than one, the term to be subtracted is multiplied by $t_B \eta$. This difference is specifically due to the fact that Eve is not supposed to influence the efficiency of the detector. Finally, one obtains

$$K = R\, [Y_1 (1 - h(\varepsilon_1)) + 2\delta - \mathrm{leak}_{EC}(Q)] \tag{52}$$

with the expressions (51) and with $2\delta = 1 - Y$.

D. Bounds for the SARG04 coding

We sketch here the analysis of SARG04 because it contains a certain number of instructive differences with respect to BB84. Here we note $\tilde{\nu}_S = \nu_S/2$ because Bob must always choose the bases with probability $\frac{1}{2}$, even if Alice would almost always use the same set of states.

The raw key rates are different from those of BB84. For definiteness, suppose that Alice sends $|{+x}\rangle$, so the bit is accepted if Bob finds "−". If Bob measures $X$, he accepts the bit only if he obtains "−", but this can only be due to an error. We write $R_n^w = \tilde{\nu}_S\, p_A(n)\, f_n\, \tilde{\varepsilon}_n$ where the relation of $\tilde{\varepsilon}_n$ to the induced error rate $\varepsilon_n$ will be computed just below. If Bob measures $Y$, he gets "−" in half of the cases$^{58}$ and the bit value is correct. So

$$R_n = \tilde{\nu}_S\, p_A(n)\, f_n \left( \tfrac{1}{2} + \tilde{\varepsilon}_n \right). \tag{53}$$

We see that the detection rate increases in the presence of errors, contrary to BB84 where the detection rate is determined only by $p_{\mathrm{sift}}$. The error rate is

$$\varepsilon_n = \frac{\tilde{\varepsilon}_n}{\frac{1}{2} + \tilde{\varepsilon}_n}: \tag{54}$$

for a given perturbation $\tilde{\varepsilon}_n$ in the quantum channel, the error introduced in SARG04 is roughly twice the error $\varepsilon_n = \tilde{\varepsilon}_n$ which would be introduced in BB84.

The protocol can be analyzed following the same pattern as the one presented for BB84. Here we just review the main results:

• SARG04 was invented as a method to reduce the effect of PNS attacks, taking advantage of the fact that Eve cannot extract full information from the 2-photon pulses (Acín, Gisin and Scarani, 2004; Scarani, Acín, Ribordy and Gisin, 2004).
This initial intuition has been confirmed by all subsequent, more rigorous studies. In particular, it was proved that a fraction of fully secure secret key can be extracted from the 2-photon pulses (Tamaki and Lo, 2006), and that in implementations using weak coherent lasers and without decoy states, for small error rate SARG04 performs indeed better than BB84 and shows a scaling $\sim t^{3/2}$ as a function of the distance (Branciard et al., 2005; Koashi, 2005; Kraus, Branciard and Renner, 2007).

$^{58}$ As such, this statement contains an assumption on Eve's attack, namely $\mathrm{Tr}[\sigma_y\, \rho(\pm x)] = 0$ where $\rho(\pm x)$ is the state received by Bob after Eve's intervention, when Alice has sent $|{\pm x}\rangle$. But the result holds in general for the average detection rate, if Alice prepares all four states with equal probability.

• In the literature one finds the claim that, when implemented with decoy states, SARG04 performs worse than BB84 (Fung, Tamaki and Lo, 2006; Kraus, Branciard and Renner, 2007). This must be properly understood: decoy states are a method to gain additional knowledge on Eve's attack. If this method does not reveal any PNS attack (as it will be the case in most experiments, because losses appear random and therefore Eve is acting as a beam-splitter), indeed the BB84 rate is better than the one of SARG04. However, if one would find that Eve is actually performing a PNS attack, SARG04 would of course be more robust, consistently with what we wrote in the previous item.

• An interesting case arises if one considers implementations with single-photon sources. The first unconditional security bound yielded that SARG04 tolerates a smaller QBER than BB84 (Tamaki and Lo, 2006). But this bound was improved shortly later: the optimal $I_{E,1}$, which is not known analytically but can easily be computed numerically, goes to zero for $\varepsilon_1 \approx 11.67\%$ (Kraus, Branciard and Renner, 2007).
This improved value is slightly better than the corresponding value for BB84, $\varepsilon_1 \approx 11.0\%$: it seems therefore that SARG04 would perform better than BB84 also in a single-photon implementation. The picture is however different if one relates the error rate to the parameters of the channel, typically the visibility of interference fringes: this parameter is related to the ones introduced here through $\tilde{\varepsilon}_1 = \frac{1 - V}{2}$. For BB84, $\tilde{\varepsilon}_1 = \varepsilon_1$ and consequently the critical visibility is $V \approx 78\%$; while for SARG04, because of (54), the critical visibility is worse, namely $V \approx 87\%$.

V. CONTINUOUS-VARIABLE PROTOCOLS

A. Status of security proofs

In the case of Gaussian modulation, security has been proved against collective attacks (García-Patrón and Cerf, 2006; Navascués, Grosshans and Acín, 2006). We shall present this bound below (V.B) and use it for the comparison with the other platforms (VII). There is some hope that the same bound would hold also for the most general attack, as it is the case for discrete-variable systems: in particular, we note that the "intuitive"
reason behind that equivalence (III.B.2) would apply also to CV protocols. Unfortunately, the exponential de Finetti bound (Renner, 2007) does not help because it explicitly depends on the dimension of the quantum signals. On this issue, see Note added in proof at the end of this paper.

In the case of discrete modulation, the security status is even less advanced. Technically, the difficulty lies in the fact that the raw key is made of discrete variables for Alice, while Bob has a string of real numbers. A full analysis has been possible only in the case where the quantum channel does not add excess noise to the signal, so that the observed conditional variances still describe minimum uncertainty states. In this case, the eavesdropper's attack is always describable as a generalized beam-splitting attack, simulating the observed loss. The corresponding key rates depend on the classical communication protocols chosen (with or without post-selection of data, in reverse or direct reconciliation); the best known protocol involves a combination of post-selection and reverse reconciliation, especially when the error correction algorithms work away from the asymptotic Shannon efficiency (Heid and Lütkenhaus, 2006). In the presence of excess noise, the formula for the key rate is the object of ongoing research; it has at least been possible to derive entanglement witnesses (Rigas, Gühne and Lütkenhaus, 2006). Entanglement verification has been performed and has shown that excess noise in typical installations does not wipe out the quantum correlation within the experimentally accessible domain (Lorenz et al., 2006).

Finally, in all works on CV QKD with no exception, it has been assumed that Eve does not act on the local oscillator$^{59}$ — of course, she is allowed to have access to it in order to measure quadratures. Since the local oscillator travels through Eve's domain, this assumption opens a security loophole$^{60}$.
Note that a similar situation burdened until very recently the security of Plug&Play configurations, for which finally unconditional security could be proved (see II.H.2); it is not clear however that the same approach will work here, since the strong pulses have very different roles in the two schemes. In any case, the open issue just discussed, together with the fact that the existing exponential de Finetti theorem does not apply to infinitely-dimensional systems, are the main reasons unconditional security proofs are not available yet for CV QKD.

$^{59}$ This amounts to viewing the local oscillator as an authenticated channel, building on the closeness to classical signals. In an alternative set-up, this problem can be circumvented by Bob measuring the phase of the local oscillator, followed by the recreation within Bob's detector of a local oscillator with the measured phase (Koashi, 2004).

$^{60}$ For the setups as they have been implemented, all observed correlations are compatible with an intercept/resend attack involving both the signal and the local oscillator. Security against this specific attack can be easily recovered by simple modifications of the setups, for example the independent measurement of the intensity of the phase reference pulse and the signal pulse (Häseler, Moroder and Lütkenhaus, 2008).

As mentioned earlier (II.D.3), continuous variable protocols show interesting features also on the classical part. In contrast to typical discrete variable protocols, where losses simply reduce the number of detected signals, continuous variable protocols will always detect a result, so that loss corresponds now to increased noise in the signal. Two main methods have been formulated to deal with this situation at the protocol level: reverse reconciliation (Grosshans and Grangier, 2002a) and post-selection (Silberhorn et al., 2002).
The first method can be realized using one-way EC schemes, but turns out to be sensitive to the efficiency of those very schemes. Its main advantage is that its security can be rigorously assessed versus general collective attacks (and has been conjectured to hold even for coherent attacks). In contrast, the second method can use both one-way and two-way EC schemes, and is fairly stable even if those schemes do not perform at the Shannon limit. However, its security can be analyzed only by making assumptions on Eve's interception (see below). The status of its security is not clear even for general individual attacks. Note that for close-to-perfect EC, reverse reconciliation outperforms post-selection. While progress is being made in the efficiency of EC schemes, it turns out that a combination of post-selection and reverse reconciliation provides a practical solution to obtain reasonable rates with current technology, both for discrete-modulation (Heid and Lütkenhaus, 2006) and for Gaussian-modulation protocols (Heid and Lütkenhaus, 2007).

B. Bounds for Gaussian protocols

1. Generalities

As announced, we provide an explicit security bound for the coherent-state homodyne-detection protocol of (Grosshans and Grangier, 2002a). Like all Gaussian protocols, this prepare-and-measure protocol can be shown to be equivalent to an entanglement-based scheme (Grosshans, Cerf et al., 2003). In such a scheme, Alice prepares an EPR state — more precisely, the two-mode squeezed vacuum state (15). By applying a heterodyne measurement on mode A, she prepares in the second mode of the EPR pair a coherent state, whose displacement vector is Gaussian distributed in $x$ and $p$. Then, Bob applies a homodyne measurement on mode B, measuring quadrature $x$ or $p$.

It can be shown that reverse reconciliation is always favorable for Alice and Bob, so we have to compute Eq. (21) with $I_{EB}$ on the right hand side.
It has been proved that Eve's optimal attack is Gaussian for both individual (García-Patrón, 2007; Grosshans and Cerf, 2004; Lodewyck, Debuisschert et al., 2007) and collective attacks (García-Patrón and Cerf, 2006; Navascués, Grosshans and Acín, 2006). We can therefore assume that Eve effects a Gaussian channel, so that the quantum state $\rho_{AB}$ just before Alice and Bob's measurements can be assumed to be a Gaussian two-mode state with zero mean value and covariance matrix $\gamma_{AB}$. The Gaussian channel is characterized by two parameters: the transmittance, which here, since we work in the uncalibrated-device scenario, is $t\eta$ with $\eta$ the efficiency of the detectors; and the noise $\delta$ referred to the input of the channel$^{61}$. Since the two-mode squeezed state (15) is also symmetric and has no correlations between $x$ and $p$, the resulting covariance matrix of modes A and B can be written in a block-diagonal form,

$$\gamma_{AB} = \begin{pmatrix} \gamma^x_{AB} & 0 \\ 0 & \gamma^p_{AB} \end{pmatrix} \tag{55}$$

with

$$\gamma^{x(p)}_{AB} = \begin{pmatrix} v & \pm\sqrt{t\eta (v^2 - 1)} \\ \pm\sqrt{t\eta (v^2 - 1)} & t\eta (v + \delta) \end{pmatrix} \tag{56}$$

where the signs $+$ and $-$ correspond to $\gamma^x_{AB}$ and $\gamma^p_{AB}$, respectively. Here, $v$ is the variance of both quadratures of Alice's output thermal state expressed in shot-noise units, that is, $v = v_A + 1$, $v_A$ being the variance of Alice's Gaussian modulation.

For what follows, it is convenient to define $v_{X|Y}$, the conditional variance that quantifies the remaining uncertainty on $X$ after the measurement of $Y$:

$$v_{X|Y} = \langle x^2 \rangle - \langle xy \rangle^2 / \langle y^2 \rangle, \tag{57}$$

expressed in shot-noise units.

2. Modeling the noise

The noise $\delta$ is the total noise of the channel Alice-Bob. It can be modeled as the sum of three terms:

$$\delta = \frac{1 - t}{t} + \frac{\delta_h}{t} + \epsilon. \tag{58}$$

The first term $(1 - t)/t$ stands for the loss-induced vacuum noise (referred to the input); this term is at the origin of the higher sensitivity to losses of continuous-variable QKD. The second term stands for the noise added by the imperfection of the homodyne detection.
This is modeled by assuming that the signal reaching Bob's station is attenuated by a factor $\eta$ (detection efficiency) and mixed with some thermal noise $v_{el}$ (electronic noise of the detector), giving$^{62}$

$$\delta_h = \frac{1 + v_{el}}{\eta} - 1. \tag{59}$$

The third term $\epsilon$ is the excess noise (referred to the input) that is not due to line losses nor detector imperfections. For a perfect detector, it can be viewed as the continuous-variable counterpart of the QBER in discrete-variable QKD; it is zero for a lossy but noiseless line.

$^{61}$ The observed noise in channels such as optical fibers is typically symmetric and uncorrelated in both quadratures $x$ and $p$ (there is no preferred phase), so we restrict to this case here.

3. Information Alice-Bob

In the EB version of the coherent-state protocol considered here (Grosshans and Grangier, 2002a), Alice performs heterodyne detection, so her uncertainty on Bob's quadratures is expressed as

$$v_{B|A_M} = t\eta (\delta + 1). \tag{60}$$

The mutual information between Alice and Bob is therefore given by

$$I(A:B) = \frac{1}{2} \log_2 \left[ \frac{v_B}{v_{B|A_M}} \right] = \frac{1}{2} \log_2 \left[ \frac{\delta + v}{\delta + 1} \right]. \tag{61}$$

As mentioned above, the main bottleneck of continuous-variable QKD schemes comes from the heavy post-processing that is needed in order to correct the errors due to the vacuum noise that is induced by the line losses. In practice, the amount of information left after error correction will be a fraction $\beta$ of $I(A:B)$. This value has an important effect on the achievable secret key rate and the limiting distance (as we shall discuss below, for $\beta = 1$ a secure key can in principle be extracted for arbitrarily large distances). This provides a strong incentive for developing better reconciliation algorithms. The first technique that was proposed to perform continuous-variable error correction relied on a so-called "sliced reconciliation" method (Van Assche, Cardinal and Cerf, 2004), and gave an efficiency $\beta \approx 80\%$.
These algorithms have been improved by using turbo-codes (Nguyen, Van Assche and Cerf, 2004) and low-density parity codes (LDPC) (Bloch et al., 2005), which both allow to work with noisy data, hence longer distances. More recently, multi-dimensional reconciliation algorithms have been introduced, which allow to deal with even noisier data while keeping similar or higher reconciliation efficiencies (Leverrier et al., 2008).

$^{62}$ Replacing the expression for $\delta_h$ into (58), one obtains $\delta = (1 - t\eta + v_{el})/(t\eta) + \epsilon$, which depends only on $t\eta$ as it should in the uncalibrated-device scenario.
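An added Python sketch (not code from the paper) that evaluates the noise model (58)–(59) and $I(A:B)$ of Eq. (61), and combines them with the collective-attack bound of Eqs. (67)–(69) given in Sec. V.B.5 below, to show how the reconciliation efficiency $\beta$ limits the distance. The modulation $v = 20$, the detector and excess-noise figures and the 0.2 dB/km fibre loss are assumptions of the example.

```python
import math


def g(x):
    """Entropy (bits) of a thermal state with mean photon number x."""
    if x <= 0.0:
        return 0.0
    return (x + 1.0) * math.log2(x + 1.0) - x * math.log2(x)


def total_noise(t, eta, v_el, eps):
    """Eq. (58) with the homodyne term of Eq. (59), referred to the channel input."""
    delta_h = (1.0 + v_el) / eta - 1.0
    return (1.0 - t) / t + delta_h / t + eps


def mutual_information(v, delta):
    """Eq. (61): I(A:B) in bits per pulse."""
    return 0.5 * math.log2((v + delta) / (1.0 + delta))


def holevo_bound(v, delta, T):
    """Eqs. (67)-(68): chi(B:E) for the uncalibrated transmittance T = t * eta."""
    A = v * v * (1.0 - 2.0 * T) + 2.0 * T + (T * (v + delta)) ** 2
    B = (T * (v * delta + 1.0)) ** 2
    lam1_sq = 0.5 * (A + math.sqrt(max(A * A - 4.0 * B, 0.0)))
    lam2_sq = B / lam1_sq      # the two roots multiply to B; avoids cancellation
    lam3_sq = v * (1.0 + v * delta) / (v + delta)
    lam_tilde = [(math.sqrt(s) - 1.0) / 2.0 for s in (lam1_sq, lam2_sq, lam3_sq)]
    return g(lam_tilde[0]) + g(lam_tilde[1]) - g(lam_tilde[2])


def key_per_pulse(v, t, eta, v_el, eps, beta):
    """Eq. (69) divided by R: beta * I(A:B) - chi(B:E)."""
    delta = total_noise(t, eta, v_el, eps)
    return beta * mutual_information(v, delta) - holevo_bound(v, delta, t * eta)


def max_distance(v, eta, v_el, eps, beta, db_per_km=0.2, max_km=300):
    """Last whole km with a positive rate: -1 if there is none,
    None if the rate is still positive at max_km.

    db_per_km (fibre attenuation) is an assumption of this example.
    """
    for km in range(max_km + 1):
        t = 10.0 ** (-db_per_km * km / 10.0)
        if key_per_pulse(v, t, eta, v_el, eps, beta) <= 0.0:
            return km - 1
    return None


if __name__ == "__main__":
    v = 20.0   # constructed: Alice's variance in shot-noise units (v_A = 19)
    scenarios = {
        "pure loss (eta=1, v_el=0, eps=0)": (1.0, 0.0, 0.0),
        "noisy (eta=0.6, v_el=0.01, eps=0.01)": (0.6, 0.01, 0.01),
    }
    for name, (eta, v_el, eps) in scenarios.items():
        for beta in (0.8, 0.95, 1.0):
            reach = max_distance(v, eta, v_el, eps, beta)
            shown = "beyond 300" if reach is None else reach
            print(f"{name:40s} beta = {beta:4.2f}  reach = {shown} km")
```

In the pure-loss case the rate stays positive over the whole scan only for $\beta = 1$; in the uncalibrated-device scenario any electronic noise is attributed to Eve, so the noisy case has a finite reach for every $\beta$.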
4. Individual attacks

To become familiar with the security analysis, we first present individual attacks. In order to address the security of the protocol, we assume as usual that Eve holds the purification of $\rho_{AB}$. Then, by measuring their systems, Alice and Eve project Bob's share of the joint pure state $|\Psi_{ABE}\rangle$ onto another pure state (we may assume without loss of generality that Eve's projection results from a rank-one POVM). Applying the Heisenberg uncertainty relation on the pure state held by Bob conditionally on Alice and Eve's measurements, we have

$$v_{X_B|E}\, v_{P_B|A} \geq 1, \qquad v_{P_B|E}\, v_{X_B|A} \geq 1, \tag{62}$$

where $X_B$ and $P_B$ are the canonically conjugate quadratures of Bob's mode. Equation (62) can be written as a single uncertainty relation

$$v_{B|E}\, v_{B|A} \geq 1 \tag{63}$$

where $B$ stands for any quadrature of Bob's mode. This inequality can be used to put a lower bound on the uncertainty of Eve's estimate of the key in reverse reconciliation, that is, when the key is made out of Bob's data while Alice and Eve compete to estimate it.

Now, $v_{B|A}$ is not necessarily given by (60): Eve's attack cannot depend on how the mixed state sent by Alice (i.e., the thermal state) has been prepared, since all possible ensembles are indistinguishable. An acceptable possibility is Alice performing homodyne measurement, or, equivalently, preparing squeezed states just as in the protocol of (Cerf, Lévy and Van Assche, 2001); in which case we obtain

$$v_{B|A} = t\eta (\delta + 1/v). \tag{64}$$

It can be shown that this is the lowest possible value of $v_{B|A}$, hence from (63)

$$v_{B|E} \geq \frac{1}{t\eta (\delta + 1/v)}. \tag{65}$$

This gives a bound for $I(B:E)$, so the extractable secret key rate under the assumption of individual attacks becomes

$$r = I(A:B) - I(E:B) = \frac{1}{2} \log_2 \left[ \frac{v_{B|E}}{v_{B|A_M}} \right] \geq \frac{1}{2} \log_2 \left[ \frac{1}{(t\eta)^2 (\delta + 1/v)(\delta + 1)} \right] \tag{66}$$

as shown in (Grosshans, Van Assche et al., 2003). Note that the scheme that implements the optimal attack (saturating this bound) is the entanglement cloner defined in (Grosshans and Grangier, 2002b).
Using Eq. (58), it appears that in the case of high losses ($t\eta \to 0$) and large modulation ($v \to \infty$), the secret key rate $r$ remains nonzero provided that the excess noise satisfies $\varepsilon < 1/2$. This is a remarkable result, due to reverse reconciliation: for direct reconciliation, obviously there can be no security when Eve has as much light as Bob, i.e. for $t\eta \le \tfrac{1}{2}$.

A similar reasoning can be followed to derive the security of all Gaussian QKD protocols against individual attacks (García-Patrón, 2007). The only special case concerns the coherent-state heterodyne-detection protocol, whose security study against individual attacks is more involved (Lodewyck and Grangier, 2007; Sudjana et al., 2007).

5. Collective attacks

The security of the coherent-state homodyne-detection scheme against the class of collective attacks has been fully studied. The corresponding rates were first provided assuming that Eve's collective attack is Gaussian (Grosshans, 2005; Navascués and Acín, 2005). Later on, it was proved that this choice is actually optimal (García-Patrón and Cerf, 2006; Navascués, Grosshans and Acín, 2006). This implies that it remains sufficient to assess the security against Gaussian collective attacks, which are completely characterized by the covariance matrix $\gamma_{AB}$ estimated by Alice and Bob. A long but straightforward calculation shows that

$$\chi(B:E) = g(\tilde\lambda_1) + g(\tilde\lambda_2) - g(\tilde\lambda_3) \tag{67}$$

where $g(x) = (x+1)\log_2(x+1) - x\log_2 x$ is the entropy of a thermal state with a mean photon number of $x$ and $\tilde\lambda_k = (\lambda_k - 1)/2$, where

$$\lambda_{1,2}^2 = \frac{1}{2}\left(A \pm \sqrt{A^2 - 4B}\right), \qquad \lambda_3^2 = v\,\frac{1 + v\delta}{v + \delta} \tag{68}$$

with $A = v^2(1 - 2t\eta) + 2t\eta + [t\eta(v+\delta)]^2$ and $B = [t\eta(v\delta + 1)]^2$. In conclusion, the secret key rate achievable against collective attacks is obtained by inserting expressions (61) and (67) into

$$K = R\,[\beta\, I(A:B) - \chi(B:E)]. \tag{69}$$

Finally, we note that the optimality of Gaussian attacks is actually valid also for protocols that use heterodyne detection; a bound for security against Gaussian collective attacks in these protocols has been provided recently (Pirandola, Braunstein and Lloyd, 2008).

6. Collective attacks and post-selection

In the case where all observed data are Gaussian, including the observed noise, we can again provide a security proof which also allows to include post-selection of data in the procedure. The starting point of this security proof is the protocol with Gaussian distribution of the amplitude together with the heterodyne detection by Bob. In this case, in a collective attack scenario, we
can assume a product structure of the subsequent signals, and the density matrix $\rho_{AB}$ of the joint state of Alice and Bob is completely determined due to the tomographic structure of the source replacement picture and the measurement. In this scenario, we can therefore determine the quantum states in the hand of the eavesdropper, as Eve holds the system $E$ of the purification $|\Psi\rangle_{ABE}$ of $\rho_{AB}$.

Let us consider the situation where all observed data in this scenario are Gaussian distributions, which is the typical observation made in experiments. Note that this is an assumption that can be verified in each run of the QKD protocol! In principle, one can now just use the standard formula for the key rate in the collective scenario, Eq. (69). However, we would like to introduce a post-selection procedure (Silberhorn et al., 2002) to improve the stability of the protocol against imperfections in the error correction protocol.

To facilitate the introduction of post-selection, we add further public announcements to the CV QKD protocol: Alice makes an announcement 'a' consisting of the imaginary component $\alpha_y$ and the modulus of the real component $|\alpha_x|$ of the complex amplitude $\alpha$ of her signals. That leaves two possible signal states open. Similarly, Bob makes an announcement 'b' which contains again the complex component $\beta_y$ and the modulus $|\beta_x|$ of the complex measurement result $\beta$ of his heterodyne measurement. That leaves, again, two possible measurements from Eve's point of view. For any announcement combination $(a, b)$ we have therefore an effective binary channel between Alice and Bob. As the purification of the total state $\rho_{AB}$ is known, we can calculate for each effective binary channel a key rate

$$\Delta I(a,b) = \max\left\{\left(1 - f(e^{a,b})\,h[e^{a,b}] - \chi^{a,b}\right),\, 0\right\}. \tag{70}$$

This expression contains the post-selection idea in the way that whenever $1 - h[e^{a,b}] - \chi^{a,b}$ is negative, the data are discarded, leading to a zero contribution of the corresponding effective binary channel to the overall key rate. The expressions for $\chi^{a,b}$ have been calculated analytically in (Heid and Lütkenhaus, 2007), which is possible since the conditional states of Eve, as calculated from the purification of $\rho_{AB}$, are now at most of rank four. Several scenarios have been considered there, but the one that is of highest interest is the combination of post-selection with reverse reconciliation. The explicit expressions are omitted here, as they do not give additional insight. The evaluation of the overall key rate

$$K = R \int da\, db\, \Delta I(a,b) \tag{71}$$

is then done numerically.

VI. DISTRIBUTED-PHASE-REFERENCE PROTOCOLS

A. Status of security proofs

As we said in Sec. II.D.4, distributed-phase-reference protocols were invented by experimentalists, looking for practical solutions. Only later was it noticed that these protocols, in addition to being practical, may even yield better rates than the traditional discrete-variable protocols, i.e. rates comparable to those of decoy-state implementations. The reason is that the PNS attacks are no longer zero-error attacks both for DPS (Inoue and Honjo, 2005) and for COW (Gisin et al., 2004; Stucki et al., 2005). In fact, the number of photons in a given pulse and the phase coherence between pulses are incompatible physical quantities.

At the moment of writing, no lower bound is known for the unconditional security of DPS or COW, but several restricted attacks have been studied (Branciard et al., 2007; Branciard, Gisin and Scarani, 2008; Curty et al., 2007; Curty, Tamaki and Moroder, 2008; Gomez-Sousa and Curty, 2009; Tsurumaru, 2007; Waks, Takesue and Yamamoto, 2006).
In these studies, it has also been noticed that DPS and especially COW can be modified in a way that does not make them more complicated, but may make them more robust (Branciard, Gisin and Scarani, 2008). Since this point has not been fully developed though, we restrict our attention to the original version of these protocols.

B. Bounds for DPS and COW

1. Collective beam-splitting attack

We present the calculation of the simplest zero-error collective attack, namely the beam-splitting attack (Branciard, Gisin and Scarani, 2008). For both DPS and COW, Alice prepares a sequence of coherent states $\bigotimes_k |\alpha(k)\rangle$: each $\alpha(k)$ is chosen in $\{+\alpha, -\alpha\}$ for DPS, in $\{+\alpha, 0\}$ for COW. Eve simulates the losses with a beam-splitter, keeps a fraction of the signal and sends the remaining fraction $\tau = t\, t_B \eta$ to Bob on a lossless line (note that, although this security study does not provide a lower bound, we work in the uncalibrated-device scenario for the sake of comparison with the other protocols). Bob receives the state $\bigotimes_k |\alpha(k)\sqrt{\tau}\rangle$: in particular, Bob's optical mode is not modified, i.e. BSA introduces no error [63]. Eve's state is $\bigotimes_k |\alpha(k)\sqrt{1-\tau}\rangle$; let us introduce the notations

$$\alpha_E = \alpha\sqrt{1-\tau} \quad\text{and}\quad \gamma = e^{-|\alpha_E|^2} = e^{-\mu(1-\tau)}. \tag{72}$$

[63] Apart from BSA, other attacks exist that do not introduce errors: for instance, photon-number-splitting attacks over the whole key, preserving the coherence (these are hard to parametrize and have never been studied in detail). For COW, there exist also attacks based on unambiguous state discrimination (Branciard et al., 2007).
When Bob announces a detection involving pulses $k-1$ and $k$, Eve tries to learn the value of his bit by looking at her systems. Assuming that each bit value is equally probable, Eve's information is given by $I_{Eve} = S(\rho_E) - \frac{1}{2}S(\rho_{E|0}) - \frac{1}{2}S(\rho_{E|1})$ with $\rho_E = \frac{1}{2}\rho_{E|0} + \frac{1}{2}\rho_{E|1}$. The information available to Eve differs for the two protocols, because of the different coding of the bits.

In DPS, the bit is 0 when $\alpha(k-1) = \alpha(k)$ and is 1 when $\alpha(k-1) = -\alpha(k)$. So, writing $P_\psi$ the projector on $|\psi\rangle$, the state of two consecutive pulses reads $\rho_{E|0} = \frac{1}{2}P_{+\alpha_E,+\alpha_E} + \frac{1}{2}P_{-\alpha_E,-\alpha_E}$ and $\rho_{E|1} = \frac{1}{2}P_{+\alpha_E,-\alpha_E} + \frac{1}{2}P_{-\alpha_E,+\alpha_E}$; therefore, noticing that $|\langle +\alpha_E | -\alpha_E\rangle| = \gamma^2$, we obtain

$$I^{DPS}_{E,BS}(\mu) = 2h[(1-\gamma^2)/2] - h[(1-\gamma^4)/2] \tag{73}$$

where $h$ is the binary entropy function, and

$$K(\mu) = \nu_S \left(1 - e^{-\mu t\, t_B \eta}\right)\left(1 - I^{DPS}_{E,BS}(\mu)\right). \tag{74}$$

In COW, the bit is 0 when $\alpha(k-1) = \sqrt{\mu}$, $\alpha(k) = 0$ and is 1 when $\alpha(k-1) = 0$, $\alpha(k) = \sqrt{\mu}$; so, with similar notations as above, $\rho_{E|0} = P_{+\alpha_E,0}$ and $\rho_{E|1} = P_{0,+\alpha_E}$; therefore, noticing that $|\langle +\alpha_E | 0\rangle| = \gamma$, we obtain

$$I^{COW}_{E,BS}(\mu) = h[(1-\gamma)/2]. \tag{75}$$

The secret key rate is given by

$$K(\mu) = \tilde\nu_S \left(1 - e^{-\mu t\, t_B \eta}\right)\left(1 - I^{COW}_{E,BS}(\mu)\right) \tag{76}$$

where $\tilde\nu_S = \nu_S \frac{1-f}{2}$ because the fraction $f$ of decoy sequences does not contribute to the raw key, and half of the remaining pulses are empty.

2. More sophisticated attacks

For the purpose of comparison with other protocols later in this review, it is useful to move away from the strictly zero-error attacks. As mentioned above, several examples of more sophisticated attacks have indeed been found. Instead of looking for the exact optimum among those attacks, we prefer to keep the discussion simple, bearing in mind that all available bounds are to be replaced one day by unconditional security proofs.

We consider attacks in which Eve interacts coherently with pairs of pulses (Branciard, Gisin and Scarani, 2008). Upper bounds have been provided in the limit $\mu t \ll 1$ of not-too-short distances.
Even within this family, a simple formula is available only for COW.

For COW, there is no a priori relation between the error on the key $\varepsilon$ and the visibility $V$ observed on the interferometer. If $e^{-\mu} \le \xi \equiv 2\sqrt{V(1-V)}$, one finds $I^{COW}_E(\mu) = 1$: $\mu$ is too large and no security is possible. If on the contrary $e^{-\mu} > \xi$, the best attack in the family yields

$$I^{COW}_E(\mu) = \varepsilon + (1-\varepsilon)\, h\!\left(\frac{1 + F_V(\mu)}{2}\right) \tag{77}$$

with $F_V(\mu) = (2V-1)e^{-\mu} - \xi\sqrt{1 - e^{-2\mu}}$. Therefore

$$K(\mu) = R\left[1 - I^{COW}_E(\mu) - \mathrm{leak}_{EC}(Q)\right] \tag{78}$$

where the value of $R$ is constrained by the definition of the attack to be $\tilde\nu_S[\mu t\, t_B \eta + 2p_d]$.

As for DPS, numerical estimates show that its robustness under the same family of attacks is very similar to (slightly better than) the one of COW. Therefore, we shall use (78) as an estimate of the performances of distributed-phase-reference protocols in the presence of errors; again, for the sake of comparison with the other protocols, we have adopted the uncalibrated-device scenario here [64].

VII. COMPARISON OF EXPERIMENTAL PLATFORMS

A. Generalities

After having presented the various forms that practical QKD can take, it is legitimate to try and draw some comparison. If one had unlimited financial means and manpower at one's disposal, then obviously the best platform would just be the one that maximizes the secret key rate $K$ for the desired distance. A choice in the real world will obviously put other parameters in the balance, like simplicity, stability, cost... Some partial comparisons are available in the literature; but, to our knowledge, this is the first systematic attempt at comparing all the most meaningful platforms of practical QKD. Of course, any attempt at putting all platforms on equal footing contains elements of arbitrariness, which we shall discuss. Also, we are bounded by the state-of-the-art, both concerning the performance of the devices and the development of the security proofs, as largely discussed in the previous sections.
We have chosen to compare the best available bounds, which however do not correspond to the same degree of security: for the implementations of the BB84 coding, we have bounds for unconditional security; for continuous variable systems, we have security against collective attacks; for the new protocols like COW and DPS, we have security only against specific families of attacks. Also, one must be reminded that all security proofs hold under some assumptions: these have been discussed in Sections IV, V and VI; it is crucial to check if they apply correctly to any given implementation.

[64] For the family of attacks under study, the rate scales linearly with the losses, therefore the difference between calibrated and uncalibrated devices is only due to the dark counts. We have to warn that the attacks based on unambiguous state discrimination, which have been studied explicitly for calibrated devices (Branciard et al., 2007), are expected to become significantly more critical in the uncalibrated-device scenario. However, this more complex family of attacks can be further restricted by a careful statistical analysis of the data: we can therefore leave it out of our analysis, which is anyway very partial.
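The beam-splitting bounds of Sec. VI.B.1, Eqs. (72)-(76), can be evaluated numerically as follows; this is an added example, not code from the paper. The grid search over µ, the function names and the sample values (η = 0.1, t_B = 1, f = 0, fibre loss 0.2 dB/km) are assumptions made for illustration.

```python
import math


def h(p):
    """Binary entropy in bits; h(0) = h(1) = 0 by continuity."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def gamma(mu, tau):
    """Eq. (72): gamma = exp(-|alpha_E|^2) = exp(-mu (1 - tau))."""
    return math.exp(-mu * (1.0 - tau))


def eve_info_dps(mu, tau):
    """Eq. (73): Eve's information per sifted bit for DPS under the BSA."""
    g = gamma(mu, tau)
    return 2.0 * h((1.0 - g ** 2) / 2.0) - h((1.0 - g ** 4) / 2.0)


def eve_info_cow(mu, tau):
    """Eq. (75): Eve's information per sifted bit for COW under the BSA."""
    return h((1.0 - gamma(mu, tau)) / 2.0)


def rate_dps(mu, tau):
    """Eq. (74) divided by nu_S; tau = t * t_B * eta."""
    return (1.0 - math.exp(-mu * tau)) * (1.0 - eve_info_dps(mu, tau))


def rate_cow(mu, tau, f=0.0):
    """Eq. (76) divided by nu_S, with nu~_S = nu_S (1 - f) / 2."""
    detection = 1.0 - math.exp(-mu * tau)
    return 0.5 * (1.0 - f) * detection * (1.0 - eve_info_cow(mu, tau))


# Assumed search grid for the mean photon number mu (0.001 ... 3.000).
MU_GRID = [i / 1000.0 for i in range(1, 3001)]


def best_mu(rate, tau):
    """Return (K/nu_S, mu_opt) maximising rate(mu, tau) over MU_GRID."""
    return max((rate(mu, tau), mu) for mu in MU_GRID)


def total_transmission(length_km, alpha_db_per_km=0.2, t_b=1.0, eta=0.1):
    """tau = t * t_B * eta with t = 10^(-alpha * length / 10) (sample values)."""
    t = 10.0 ** (-alpha_db_per_km * length_km / 10.0)
    return t * t_b * eta


if __name__ == "__main__":
    print("km    tau       DPS K/nu_S (mu_opt)    COW K/nu_S (mu_opt)")
    for km in (0, 25, 50, 100, 150):
        tau = total_transmission(km)
        k_d, mu_d = best_mu(rate_dps, tau)
        k_c, mu_c = best_mu(rate_cow, tau)
        print(f"{km:3d}  {tau:.2e}  {k_d:.3e} ({mu_d:.2f})   {k_c:.3e} ({mu_c:.2f})")
```

Because the beam-splitting attack is a zero-error attack, the optimised rate falls linearly with τ and never reaches zero; a cutoff distance only appears once errors and dark counts enter, as in Eq. (78).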
As stressed many times, the security of a given QKD realization must be assessed using measured values. Here, we have to present some a priori estimates: they necessarily involve choices, which have some degree of arbitrariness. The first step is to provide a model for the channel: the one that we give (VII.A.1) corresponds well to what is observed in all experiments and is therefore rather universally accepted as an a priori model. At the risk of being redundant, we stress that the actual realization of this specific channel is not a condition for security: Eve might realize a completely different channel, and the general formulas for security apply to any case [65]. Once the model of the channel is accepted, one still has to choose the numerical values for all the parameters.

1. Model for the source and channel

We assume that the detection rates are those that are expected in the absence of Eve, given the source and the distance between Alice and Bob. As for the error rates, we consider a depolarizing channel with visibility $V$. For an a priori choice, the modeling of the channel just sketched is rather universally accepted. In detail, it gives the following:

Discrete-variable protocols, P&M. We consider implementations of the BB84 coding. The rate is estimated by $R = \tilde\nu_S[P + P_d]$ with $P = \sum_{n\ge 1} p_A(n)[1 - (1 - t\, t_B \eta)^n]$ and $P_d = 2p_d \sum_{n\ge 0} p_A(n)(1 - t\, t_B \eta)^n$. The error rate in the channel is $\varepsilon = (1-V)/2$, so the expected error rate is $Q = [\varepsilon P + P_d/2]/(R/\tilde\nu_S)$. For weak coherent pulses without decoy states, $p_A(1) = e^{-\mu}\mu$, $p_A(n \ge 2) = 1 - e^{-\mu}(1+\mu)$, and we optimize $K$, given by (31), over $\mu$. For weak coherent pulses with decoy states, we consider an implementation in which one value of $\mu$ is used almost always, while sufficiently many others are used, so that all the parameters are exactly evaluated. The statistics of the source are as above; $Y_0$ is estimated by $\tilde\nu_S\, 2p_d\, p_A(0)/R$, $Y_1$ by $\tilde\nu_S\, p_A(1)\, t\, t_B \eta/R$, and we optimize $K$ given by (34) over $\mu$.
For perfect single-photon sources, $p_A(1) = 1$ and $p_A(n \ge 2) = 0$; we just compute (31), as there is nothing to optimize.

Discrete-variable protocols, EB. Again, we consider implementations of the BB84 coding. Since most of the experiments have been performed using cw-pumped sources, we shall restrict to this case [66]. For such sources, the probability of having multiple pairs is $\zeta = 0$ with good precision, therefore the bounds (42) and (43) for $K$ are identical. $K$ will be optimized over $\mu'$, the mean pair-generation rate of the source. Note that $\nu_S^{cw}$ given by Eq. (20) depends on $\mu'$; given this, one has $p_A(1) \approx 1$ and $p_A(2) \approx \mu'\Delta t$ if $\mu'\Delta t \ll 1$: indeed, neglecting dark counts, whenever any of Alice's detectors fires there is at least one photon going to Bob; and the probability that another pair appears during the coincidence window $\Delta t$ is approximately $\mu'\Delta t$. The total expected error is $Q = [(\varepsilon + \varepsilon')P + P_d/2]/(R/\tilde\nu_S)$, where $\varepsilon = (1-V)/2$ as above and $\varepsilon' \approx \mu'\Delta t/2$ is the error rate due to double-pair events.

Continuous-variable protocols. We consider the protocol that uses coherent states with Gaussian modulation, and compute the best available bound (69), which gives security against collective attacks. The reference beam is supposed to be so intense that there is always a signal arriving at the homodyne detection, so $R = \tilde\nu_S$. The error is modeled by (58). Now, just as for discrete variable protocols one can optimize $K$ over the mean number of photons (or of pairs) $\mu$ for each distance, here one can optimize $K$ over the variance $v$ of the modulation. Note that this optimization outputs rather demanding values, so that only recently it has become possible to implement them in practice, thanks to the latest developments in error correction codes (Leverrier et al., 2008).

Distributed-phase-reference protocols. As mentioned, apart from the errorless case, a simple formula exists only for COW, which moreover is valid only at not too short distances. We use this bound to represent distributed-phase-reference protocols in this comparison, keeping in mind that DPS performs slightly better, but that anyway only upper bounds are available. Specifically, we have $R \approx \tilde\nu_S[\mu t\, t_B \eta + 2p_d]$; we optimize then $K(\mu)$ given by (78) over $\mu$, and keep the value only if $\mu_{opt}\, t \le 0.1$. The expected error rate is formally the same as for P&M BB84; recall however that here the bit-error $\varepsilon$ is not related to the visibility of the channel and must be chosen independently.

2. Choice of the parameters

We shall use two sets of parameters (Table II): set #1 corresponds to today's state-of-the-art, while set #2 reflects a more optimistic but not unrealistic development. Moreover, we make the following choices:

[65] The attacks we studied against DPS and COW, Section VI, do suppose a model of the channel. This is a signature of the incompleteness of such studies. Security can be guaranteed by adding that, if the channel deviates from the expected one, the protocol is aborted. A full assessment of the channel, of course, requires additional tests: the fact that data can be reproduced by a channel model does not imply that the channel model is correct (for instance, in weak coherent pulses implementations of BB84 without decoy states, the observed parameters are compatible both with a BS and a PNS attack).

[66] Pulsed sources can be treated in a similar way. For short pulse schemes, one would have $p_A(1) \approx \mu$ and $p_A(2) \approx \frac{3}{4}\mu^2$ if $\mu \ll 1$; for long-pulse pumping, the statistics of pairs is approximately Poissonian: $p_A(1) \approx \mu$ and $p_A(2) \approx \mu^2/2$ if $\mu \ll 1$ and most of the multi-pair events are uncorrelated. In both cases, the intrinsic error rate due to double-pair events is $\varepsilon' \approx \mu/2$ (Eisenberg et al., 2004; Scarani et al., 2005). Note that the parameter $\zeta$ may be different from 0 in the case of short pulse schemes.
| Platform | Parameter | Meaning | Set #1 | Set #2 |
|---|---|---|---|---|
| BB84, COW | $\mu$ | mean intensity | (opt.) | (opt.) |
| | $V$ | visibility: P&M | 0.99 | 0.99 |
| | $V$ | visibility: EB | 0.96 | 0.99 |
| | $t_B$ | transmission in Bob's device | 1 | 1 |
| | $\eta$ | det. efficiency | 0.1 | 0.2 |
| | $p_d$ | dark counts | $10^{-5}$ | $10^{-6}$ |
| | $\varepsilon$ (COW) | bit error | 0.03 | 0.01 |
| | $\zeta$ (EB) | coherent 4 photons | 0 | 0 |
| | leak | EC code | 1.2 | 1 |
| CV | $v = v_A + 1$ | variance | (opt.) | (opt.) |
| | $\varepsilon$ | optical noise | 0.005 | 0.001 |
| | $\eta$ | det. efficiency | 0.6 | 0.85 |
| | $v_{el}$ | electronic noise | 0.01 | 0 |
| | $\beta$ | EC code | 0.9 | 0.9 |

TABLE II Parameters used for the a priori plots in this Section. See main text for notations and comments. The caption (opt.) means that the parameter will be varied as a function of the distance in order to optimize $K$.

• Unless specified otherwise (see VII.B.2), the plots use the formulas for the uncalibrated-device scenario. The reason for this choice is the same as discussed in Sec. III.B.5: unconditional security has been proved only in this over-pessimistic scenario.

• Since we are using formulas that are valid only in the asymptotic regime of infinitely long keys, we remove the nuisance of sifting by allowing an asymmetric choice of bases or of quadratures. Specifically, this leads to $\tilde\nu_S = \nu_S$ for both BB84 and continuous-variables. Similarly, for COW we can set $f = 0$, whence $\tilde\nu_S = \nu_S/2$.

• For definiteness, we consider fiber-based implementations; in particular, the relation between distance and transmission will be (17) with $\alpha = 0.2$ dB/km; and the parameters for photon counters are given at telecom wavelengths (Table II). The reader must keep in mind that in free space implementations, where one can work with other frequencies, the rates and the achievable distance may be larger.

B. Comparisons based on K

1. All platforms on a plot

As a first case study, we compare all the platforms by plotting $K/\nu_S$ as a function of the transmittivity $t$ of the channel. The result is shown in Fig. 4.
As promised, we have to stress the elements of arbitrariness in this comparison (in addition to the choices discussed above). First of all, we recall that the curves do not correspond to the same degree of security (see VII.A). Second, we have considered "steady-state" key rates, because we have neglected the time needed for the classical post-processing; this supposes that the setup is stable enough to run in that regime (and it is fair to say that many of the existing platforms have not reached such a stage of stability yet). Third, the real performance is of course $K$: in particular, if some implementations have bottlenecks at the level of $\nu_S$ (see III.A), the order of the curves may change significantly.

[Figure 4: two log-scale plots of $K/\nu_S$ versus $t$ [dB], with curves labelled 1-ph, WCP, decoy, EB, CV and COW.]

FIG. 4 (Color online). $K/\nu_S$ as a function of the transmittivity $t$, for all the platforms. Legend: 1-ph: perfect single-photon source, unconditional; WCP: weak coherent pulses without decoy states, unconditional; decoy: weak coherent pulses with decoy states, unconditional; EB: entanglement-based, unconditional; CV: continuous-variables with Gaussian modulation, security against collective attacks; COW: Coherent-One-Way, security against the restricted family of attacks described in Sec. VI.B.2. Parameters from Table II: set #1 upper graph, set #2 lower graph.
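Individual points of the COW curve in Fig. 4 can be recomputed from Eqs. (77)-(78), the channel model of Sec. VII.A.1 and the COW rows of Table II. The sketch below is an added example, not the authors' code; it assumes that the Table II entry "leak" is the factor multiplying h(Q) in leak_EC(Q), that P ≈ µ t t_B η in the error-rate formula, that a negative Eq. (78) means zero key, and it uses a grid search over µ.

```python
import math


def h(p):
    """Binary entropy in bits; h(0) = h(1) = 0 by continuity."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


# COW-relevant entries of Table II. "leak" is ASSUMED to be the
# error-correction factor f in leak_EC(Q) = f * h(Q).
SET1 = {"V": 0.99, "t_B": 1.0, "eta": 0.1, "p_d": 1e-5, "eps": 0.03, "leak": 1.2}
SET2 = {"V": 0.99, "t_B": 1.0, "eta": 0.2, "p_d": 1e-6, "eps": 0.01, "leak": 1.0}


def eve_info_cow(mu, V, eps):
    """Eq. (77); equals 1 when exp(-mu) <= xi, i.e. mu is too large."""
    xi = 2.0 * math.sqrt(V * (1.0 - V))
    if math.exp(-mu) <= xi:
        return 1.0
    f_v = (2.0 * V - 1.0) * math.exp(-mu) - xi * math.sqrt(1.0 - math.exp(-2.0 * mu))
    return eps + (1.0 - eps) * h((1.0 + f_v) / 2.0)


def cow_rate(mu, t, p):
    """Eq. (78) divided by nu_S, with f = 0 so that nu~_S = nu_S / 2."""
    signal = mu * t * p["t_B"] * p["eta"]        # detections caused by light
    clicks = signal + 2.0 * p["p_d"]             # R / nu~_S
    # Expected error rate: Q = [eps P + P_d / 2] / (R / nu~_S), P_d = 2 p_d.
    q = (p["eps"] * signal + p["p_d"]) / clicks
    fraction = 1.0 - eve_info_cow(mu, p["V"], p["eps"]) - p["leak"] * h(q)
    return max(0.0, 0.5 * clicks * fraction)     # a negative bound means no key


MU_GRID = [i / 1000.0 for i in range(1, 2001)]   # assumed search grid for mu


def cow_point(loss_db, p):
    """One point of the a priori COW curve.

    Returns (K/nu_S, mu_opt); (0.0, None) when no key can be extracted;
    None when mu_opt * t > 0.1, where the bound is outside its validity
    range (mu t << 1) and the value is discarded.
    """
    t = 10.0 ** (-loss_db / 10.0)
    k, mu = max((cow_rate(m, t, p), m) for m in MU_GRID)
    if k == 0.0:
        return (0.0, None)
    if mu * t > 0.1:
        return None
    return (k, mu)


if __name__ == "__main__":
    for name, params in (("set #1", SET1), ("set #2", SET2)):
        for loss in (0, 5, 10, 20, 30, 40):
            print(name, f"{loss:2d} dB", cow_point(loss, params))
```

The dark-count term sets the cutoff: once 2p_d becomes comparable to µ t t_B η, Q approaches 1/2 and the error-correction leakage alone exceeds one bit per detection.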
2. Upper bound incorporating the calibration of the devices

As a second case study, we show the difference between the lower bounds derived in the uncalibrated-device scenario, and some upper bounds that incorporate the calibration of the devices.

We focus first on BB84 implemented with weak coherent pulses; the upper bounds under study have been derived in Sec. IV.C. The plots in Fig. 5 show how much one can hope to improve the unconditional security bounds from their present status. As expected, the plot confirms that basically no improvement is expected for implementations with decoy states, because there only the treatment of dark counts is different; while the bound for implementations without decoy states may still be the object of significant improvement.

[Figure 5: log-scale plot of $K/\nu_S$ versus $t$ [dB], with curves labelled WCP and decoy.]

FIG. 5 (Color online). $K/\nu_S$ as a function of the transmission $t$ for the P&M implementations of BB84 with weak coherent pulses: comparison between the lower bound (solid lines, same as in Fig. 4, upper graph) and the upper bound for calibrated devices (dashed lines). Legend as in Fig. 4. Parameters from Table II, set #1.

We turn now to CV QKD with Gaussian modulation. Bounds for the security against collective attacks assuming calibrated devices are given in Eqs (5)-(12) of (Lodewyck, Bloch et al., 2007). The plots are shown in Fig. 6. One sees that the difference between the two scenarios is significant for set #1 of parameters, but is negligible for the more optimistic set #2. This is interesting, given that the efficiency $\eta$ of the detectors is "only" 85% in set #2.

[Figure 6: log-scale plot of $K/\nu_S$ versus $t$ [dB], with curves labelled set #1 and set #2.]

FIG. 6 (Color online). $K/\nu_S$ as a function of the transmission $t$ for CV QKD with Gaussian modulation, security against collective attacks, comparison between the lower bound (solid lines, same as in Fig. 4) and the upper bound for calibrated devices (dashed lines) for both sets of parameters from Table II. Compared to Fig. 4, the color of the lines of set #1 was changed for clarity.

C. Comparison based on the "cost of a linear network"

We consider a linear chain of QKD devices, aimed at achieving a secret key rate $K_{target}$ over a distance $L$. Many devices can be put in parallel, and trusted repeater stations are built at the connecting points. Each individual QKD device is characterized by the point-to-point rate $K(\ell)$ it can achieve as a function of the distance $\ell$, and by its cost $C_1$. We need $N = \frac{L}{\ell}\frac{K_{target}}{K(\ell)}$ devices to achieve the goal, so the cost of the network is [67]

$$C_{tot}[\ell] = C_1\, \frac{L}{\ell}\, \frac{K_{target}}{K(\ell)}. \tag{79}$$

[67] In this first toy model, we neglect the cost of the trusted repeater stations; see (Alléaume et al., 2008) for a more elaborated model.

The best platform is the one that minimizes this cost, i.e., the one that maximizes $F(\ell) = \ell K(\ell)$. This quantity, normalized to $\nu_S$, is plotted in Fig. 7 as a function of the distance for both sets of parameters defined in Table II. Of course, this comparison presents the same elements of arbitrariness as the previous one.

The optimal distances are quite short, and this can be understood from a simple analytical argument. Indeed, typical behaviors are $K(\ell) \propto t$ (single-photon sources, attenuated lasers with decoy states, strong reference pulses) and $K(\ell) \propto t^2$ (weak coherent pulses without decoy states). Using $t = 10^{-\alpha\ell/10}$, it is easy to find $\ell_{opt}$ which maximizes $F(\ell)$:

$$K(\ell) \propto t^k \;\longrightarrow\; \ell_{opt} = 10/(k\alpha \ln 10). \tag{80}$$

In particular, for $\alpha \approx 0.2$ dB/km, one has $\ell_{opt} \approx 20$ km for $k = 1$ and $\ell_{opt} \approx 10$ km for $k = 2$.

In conclusion, our toy model suggests that, in a network environment, one might not be interested in pushing the maximal distance of the devices; in particular, detector saturation (which we neglected in the plots
above) may become the dominant problem instead of dark counts.

[Figure 7: two log-scale plots of $F/\nu_S$ versus distance [km], with curves labelled 1-ph, WCP, decoy, EB, CV and COW.]

FIG. 7 (Color online). $F/\nu_S$ as a function of the distance $\ell$ for all the platforms. Legend as in Fig. 4. Parameters from Table II: set #1 upper graph, set #2 lower graph.

VIII. PERSPECTIVES

A. Perspectives within QKD

1. Finite-key analysis

As stressed, all the security bounds presented in this review are valid only in the asymptotic limit of infinitely long keys. Proofs of security for finite-length keys are obviously a crucial tool for practical QKD. The estimate of finite-key effects, unfortunately, has received very limited attention so far. The pioneering works (Inamori, Lütkenhaus and Mayers, 2001-2007; Mayers, 1996), as well as some subsequent ones (Hayashi, 2006; Watanabe et al., 2004), have used non-composable definitions of security (see II.C.2). This is a problem because the security of a finite key is never perfect, so one needs to know how it composes with other tasks. Others studied a new formalism but failed to prove unconditional security (Meyer et al., 2006). The most recent works comply with the requirements (Hayashi, 2007a; Scarani and Renner, 2008); finite statistics have been incorporated in the analysis of an experiment (Hasegawa et al., 2007). Without going into details, all these works estimate that no key can be extracted if fewer than $N \approx 10^5$ signals are exchanged.

2. Open issues in unconditional security

We have said above that, for CV QKD and distributed-phase-reference protocols, no unconditional security proof is available yet. However, there is an important difference between these cases.
In the existing CV QKD protocols, the information is coded in independent signals; as such, it is believed that unconditional security proofs can be built as generalizations of the existing ones (see also Note added in proof below). On the contrary, the impossibility of identifying signals with qubits in distributed-phase-reference protocols will require a completely different approach, which nobody has been able to devise at the moment of writing.

As explained in Sec. III.B.5, all unconditional security proofs have been derived under the over-conservative assumption of uncalibrated devices. Ideally, such an assumption should be removed: one should work out unconditional security proofs taking into account the knowledge about the detectors; this would lead to better rates. A possible solution consists in including the calibration of the devices in the protocol itself; the price to pay seems to be a complication of the setup (Qi et al., 2007). The idea is somehow similar to the one used in decoy states.

We also discussed how calibrated-device proofs may ultimately provide significant improvement only for some protocols (see VII.B.2). The difference between protocols can be understood from the fact that typically $K \sim t^{\alpha}$ where $t$ is the transmittance and $\alpha \ge 1$. When $\alpha = 1$, then the only advantage of calibrating the devices can come from the dark count contribution. If on the contrary $\alpha > 1$ (weak coherent pulses without decoy states: $\alpha = 2$ for BB84, $\alpha = \frac{3}{2}$ for SARG04), then the difference is much larger, because it matters whether $t_B\eta$ is included in the losses or not. The urgency of this rather ungrateful [68] task is therefore relative to the choice of a protocol.

[68] Here is an example of the complications that might appear. When taking the calibration into account, it is often assumed that the dark counts do not enter in Eve's information. Actually, things are more subtle. On the one hand, most of the dark counts will actually decrease Eve's information, because she does not know if a detection is due to the physical signal (on which she has gained some information) or is a completely random event. On the other hand, if a detection happens shortly after a previous one, Eve may guess that the second event is in fact a dark count triggered by an afterpulse, and therefore learn some correlations between the two results. Admittedly, these are fine-tuning corrections, and have never been fully discussed in the literature; but if one wants to prove unconditional security, also these marginal issues must be properly addressed.

3. Black-box security proofs

The development of commercial QKD systems makes it natural to ask whether the "quantumness" of such devices can be proved in a black-box approach. Of course, the compulsory requirements (II.C.1) must hold. For instance, the random number generator cannot be within the black box, because it must be trusted; one must also make sure that no output port is diffusing the keys on the internet; and so on. Remarkably though, all the quantum part can in principle be kept in a black box. The idea is basically the one that triggered Ekert's discovery (Ekert, 1991), although Ekert himself did not push it that far: the fact that Alice and Bob observe correlations that violate a Bell inequality is enough to guarantee entanglement, independent of the nature of the quantum signals and even of the measurements that are performed on them. This has been called "device-independent security"; a quantitative bound was computed for collective attacks on a modification of Ekert's protocol, while the goal of proving unconditional security is still unattained (Acín et al., 2007). Device-independent security can be proved only for entanglement-based schemes: for this definition of security, the equivalence EB-P&M presented in Sec. II.B.2 does not hold. As long as the detection loophole is open, these security proofs cannot be applied to any system; but by re-introducing some knowledge of the devices, they might provide a good tool for disposing of all quantum side-channels (III.B.4).

4. Toward longer distances: satellites and repeaters

The attempt of achieving efficient QKD over long distances is triggering the most ambitious experimental developments. Basically two solutions are being envisaged. The first is to use the techniques of free space quantum communication to realize ground-to-satellite links (Aspelmeyer et al., 2003; Buttler et al., 1998; Rarity et al., 2002). The main challenges are technical: to adapt the existing optical tracking techniques to the needs of quantum communication, and to build devices that can operate in a satellite without need of maintenance.

The second solution is quantum repeaters (Briegel et al., 1998; Dür et al., 1999). The basic idea is the following: the link A-B is cut in segments A-C1, C1-C2, ..., Cn-B. On each segment independently, the two partners exchange pairs of entangled photons, which may of course be lost; but whenever both partners receive the photon, they store it in a quantum memory. As soon as there is an entangled pair on each link, the intermediate stations perform a Bell measurement, thus ultimately swapping all the entanglement into A-B. Actually, variations of this basic scheme may be more practical (Duan et al., 2001). Whatever the exact implementation, the advantage is clear: one does not have to ensure that all the links are active simultaneously; but the advantage can only be achieved if quantum memories are available. The experimental research in quantum memories has been boosted over the last years, but the applications in practical QKD are still far away because the requirements are challenging (see Appendix B).

Teleportation-based links have been studied also in the absence of quantum memories (quantum relays).
They are rather inefficient, but allow one to reduce the nuisance of the dark counts and therefore increase the limiting distance (Collins, Gisin and de Riedmatten, 2005; Jacobs, Pittman and Franson, 2002); however, it seems simpler and more cost-effective to solve the same problem by using cryogenic detectors (see II.G).

5. QKD in networks

QKD is a point-to-point link between two users. But only a tiny fraction of all communication is done in dedicated point-to-point links; most communication takes place in networks, where many users are interconnected. Note that one-to-many connectivity between QKD devices can be obtained with optical switching (Elliott, 2002; Elliott et al., 2005; Townsend et al., 1994).

In all models of QKD networks, the nodes are operated by authorized partners, while Eve can eavesdrop on all the links. If the network is built with quantum repeaters or quantum relays, no secret information is available to the nodes: indeed, the role of these nodes is to perform entanglement swapping, so that Alice and Bob end up with a maximally entangled — therefore fully private — state.

Since quantum repeaters are still a challenge, trusted-relay QKD networks have been considered. In this case, the nodes learn secret information during the protocol. In the simplest model, a QKD key is created between two consecutive nodes and a message is encrypted and decrypted hop-by-hop. This model has been adopted by BBN Technologies and by the SECOQC QKD networks (Alléaume et al., 2007; Dianati and Alléaume, 2006; Dianati et al., 2008; Elliott, 2002; Elliott et al., 2005). Alternatively, the trusted relays can perform an intercept-resend chain at the level of the quantum signal (Bechmann-Pasquinucci and Pasquinucci, 2005).
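The hop-by-hop trusted-relay model described above, as an added example that is not code from the paper: each link's QKD key is simulated with random bytes, and a message is one-time-pad encrypted and decrypted on every hop. The class `QkdLink`, the function `relay_hop_by_hop` and the node names are hypothetical, and authentication of the classical channel is not modelled.

```python
import secrets


def xor(data: bytes, pad: bytes) -> bytes:
    """One-time-pad encryption and decryption are the same XOR."""
    return bytes(d ^ p for d, p in zip(data, pad))


class QkdLink:
    """Key pool shared by the two nodes at the ends of one QKD link."""

    def __init__(self, a: str, b: str, pool_bytes: int):
        self.ends = (a, b)
        # Assumption: random bytes stand in for the output of a QKD session.
        self._pool = bytearray(secrets.token_bytes(pool_bytes))

    def remaining(self) -> int:
        return len(self._pool)

    def take(self, n: int) -> bytes:
        """Hand out n key bytes and delete them, so no pad is ever reused."""
        if n > len(self._pool):
            raise RuntimeError(f"link {self.ends}: key pool exhausted")
        pad = bytes(self._pool[:n])
        del self._pool[:n]
        return pad


def relay_hop_by_hop(message: bytes, links):
    """Send `message` along consecutive links, re-encrypting at every node.

    Returns (delivered plaintext, plaintext seen at each receiving node,
    ciphertexts visible to an eavesdropper on the links).
    """
    exposed_at = {}
    on_the_wire = []
    data = message
    for link in links:
        pad = link.take(len(data))      # both ends hold this pad
        ciphertext = xor(data, pad)     # sending node encrypts
        on_the_wire.append(ciphertext)  # all Eve can observe on this link
        data = xor(ciphertext, pad)     # receiving node decrypts
        exposed_at[link.ends[1]] = data
    return data, exposed_at, on_the_wire


def demo():
    """Constructed scenario: Alice -> R1 -> R2 -> Bob, 32-byte secret."""
    links = [QkdLink("Alice", "R1", 64),
             QkdLink("R1", "R2", 64),
             QkdLink("R2", "Bob", 64)]
    secret = secrets.token_bytes(32)
    delivered, exposed, wire = relay_hop_by_hop(secret, links)
    return secret, delivered, exposed, wire, [l.remaining() for l in links]


if __name__ == "__main__":
    secret, delivered, exposed, wire, remaining = demo()
    print("delivered intact:", delivered == secret)
    print("nodes holding the plaintext:", [n for n, d in exposed.items() if d == secret])
    print("key bytes left per link:", remaining)
```

Every relay on the path ends up holding the plaintext, which is why these nodes must be trusted, and each hop consumes as many key bytes as the message is long.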
B. QKD versus other solutions

Information-theoretically (unconditionally) secure key distribution (key agreement) is a cryptographic task that, as is well known, cannot be solved by public communication alone, i.e. without employing additional resources or relying on additional assumptions. Besides QKD, the additional resource in this case being the quantum channel, a number of alternative schemes to this end have been put forward (Ahlswede and Csiszár, 1993; Csiszár and Körner, 1978; Maurer, 1993; Wyner, 1975), to which one can also count the traditional trusted courier approach (Alléaume et al., 2007). While the latter is still used in certain high security environments, QKD is the sole automatic, practically feasible and efficient information-theoretically secure key agreement technology, whereby in the point-to-point setting, limitations of distance and related key rate apply. These limitations can be lifted by using QKD networks, see VIII.A.

With this in mind, we address below typical secure communication solutions in order to relate this subsequently to the assets offered by QKD. Secure communication in general requires encrypted (and authentic) transmission of communication data. In current standard cryptographic practice both the encryption schemes and the key agreement protocols used (whenever needed) are not unconditionally secure. While there is really a very broad range of possible alternatives and combinations, the most typical pattern for confidential communication is the following: public key exchange protocols are used to ensure agreement of two identical keys; the encryption itself is done using symmetric-key algorithms. In particular, most often some realization of the Diffie-Hellman algorithm (Diffie and Hellman, 1976) is used in the key agreement phase.
The symmetric-encryption algorithms most widely used today belong to the block-cipher class and are typically 3DES (Coppersmith et al., 1996) or AES (Daemen and Rijmen, 2001).

The security of the Diffie-Hellman algorithm is based on the assumption that the so-called Diffie-Hellman problem is hard to solve, the complexity of this problem being ultimately related to the hardness of the discrete logarithm problem (see (Maurer and Wolf, 1999, 2000) for a detailed discussion). It is widely believed, although it was never proven, that the discrete logarithm problem is classically hard to solve. This is not true in the quantum case, since a quantum computer, if available, can execute a corresponding efficient algorithm by Peter Shor (Shor, 1994, 1997), which is based on the same fundamental approach as is the Shor factoring algorithm, already mentioned in Sec. I.A.

It should be further noted that, similar to QKD, the Diffie-Hellman protocol can trivially be broken if the authenticity of the communication channel is not ensured. There are many means to guarantee communication authenticity with different degrees of security but in any case additional resources are needed. In current common practice public key infrastructures are employed, which in turn rely on public-key cryptographic primitives (digital signatures), i.e. rely on similar assumptions as for the Diffie-Hellman protocol itself, and on trust in external certifying entities.

Turning now to encryption, it should be underlined that the security of a block-cipher algorithm is based on the assumption that it has no structural weaknesses, i.e. that only a brute force attack amounting to a thorough search of the key space (utilizing pairs of cipher texts and corresponding known or even chosen plain texts) can actually reveal the secret key. The cost of such an attack on a classical computer is O(N) operations, where N is the dimension of the key space.
The speed-up of a quantum computer in this case is moderate, the total number of operations to be performed being $O(\sqrt{N})$ (Grover, 1996, 1997). The assumption on the lack of structural weaknesses itself is not related to any particular class of mathematical problems and in the end relies merely on the fact that such a weakness is not (yet) known. Cryptographic practice suggests that for a block-cipher algorithm such weaknesses are in fact discovered at the latest a few decades after its introduction [69].

Before turning to a direct comparison of the described class of secure communication schemes with QKD-based solutions, it should be explained why public-key based generation combined with symmetric-key encryption is actually the most proliferated solution. The reason is that currently AES or 3DES encryption, in contrast to direct public-key (asymmetric) encryption, can ensure a high encryption speed and appears optimal in this respect. Typically high speed is achieved by designing dedicated hardware devices, which can perform encryption at very high rate and ensure a secure throughput of up to 10 Gb per second. Such devices are offered by an increasing number of producers (see e.g. ATMedia GmbH, www.atmedia.de) and it is beyond the scope of the current article to address these in any detail. We would like however to underline an important side-aspect. In general, security of encryption in the described scenario is increased by changing the key often, the rate of change being proportional to the dimension of the key space. In practice, however, even in the high speed case, the key is changed at a rate lower than once per minute (often once per day or even more seldom). The reason for this is twofold: on the one hand public key agreement algorithms are generally slow and on the other, and more importantly, current design of the mentioned dedicated encryption devices is not compatible with a rapid key change.
[69] Vincent Rijmen, private communication.

The question now is how QKD compares with the standard practice as outlined above. It is often argued that QKD is too slow for practical uses and that the limited distance due to the losses is a limitation to the system as such. In order to allow for a correct comparison one has to define the relevant secure communication scenarios. There are two basic possibilities: (i) QKD is used in conjunction with One-Time Pad, (ii) QKD is used together with some high speed encryptor (we note in passing that the second scenario appears to be a main target for the few QKD producers).

The rate as a function of distance has been discussed in detail in the preceding sections. Here we shall consider an average modern QKD device operating in the range of 1 to 10 kbps over 25 km; the maximal distance of operation at above 100 bps being around 100 km.

Case (i) obviously offers information-theoretic security of communication if the classical channel, both in the key generation and the encryption phase, is additionally authenticated with the same degree of security. As the overhead to this end is negligible, the QKD generation rates as presented above are also the rates for secure communication. Obviously this is not sufficient for broad-band data transmission but quite adequate for communicating very highly sensitive data. Another advantage of this combination is the fact that keys can be stored for later use.

The security of case (ii) is equivalent to the security of the high speed encryption, which we addressed above, while all threats related to the key-generation phase are eliminated. At 25 km the QKD speed would allow key refreshment (e.g. in the case of AES with 256 bit key length) of several times per second. This is remarkable for two reasons: first, this is on or rather beyond the key-exchange capacity of current high speed encryptors; second, it compares also to the performances of high level classical link encryptors, which refresh AES keys a few times per second using Diffie-Hellman elliptic curve cryptography for key generation.

So in the second scenario QKD outperforms the standard solution at 25 km distance both in terms of speed and security.
Regarding the distance, an interesting point is that classical high-end encryptors use direct dark fibers, not for reasons related to security but for achieving maximal speed, which also gives them a limitation in distance. However, classical key generation performed in software is naturally not bounded by the distance. In this sense standard public-key based key agreement appears superior. This is however a QKD limitation, which is typical for the point-to-point regime. As mentioned above, it is lifted in QKD networks.

Note added in proof

While this paper was being finalized, three groups have independently claimed to have solved one of the pending issues toward unconditional security proofs of CV QKD (see Sec. V.A): namely, the fact that the security bound for collective and for general attacks should coincide asymptotically. On the one hand, a new exponential de Finetti theorem has been presented, which would apply to infinite-dimensional systems under some assumptions that are fulfilled in CV QKD (Renner and Cirac, 2009; ?). A different argument reaches the same conclusion without any need for a de Finetti-type theorem altogether (Leverrier, Karpov, Grangier and Cerf, 2008).

Acknowledgements

This paper has been written within the European Project SECOQC. The following members of the QIT sub-project have significantly contributed to the report that formed the starting point of the present review: Stefano Bettelli, Kamil Brádler, Cyril Branciard, Nicolas Gisin, Matthias Heid, Louis Salvail.
During the preparation of this review, we had further fruitful exchanges with the above-mentioned colleagues, as well as with: Romain Alléaume, Lucie Bartůšková, Alexios Beveratos, Hugues De Riedmatten, Eleni Diamanti, Artur Ekert, Philippe Grangier, Frédéric Grosshans, Hannes Huebel, Michal Horodecki, Masato Koashi, Christian Kurtsiefer, Antia Lamas-Linares, Anthony Leverrier, Hoi-Kwong Lo, Chiara Macchiavello, Michele Mosca, Miguel Navascués, Andrea Pasquinucci, Renato Renner, Andrew Shields, Christoph Simon, Kiyoshi Tamaki, Akihisa Tomita, Yasuhiro Tokura, Zhiliang Yuan, Hugo Zbinden.

APPENDIX A: Unconditional security bounds for BB84 and six-states, single-qubit signals

In this Appendix, we present a derivation of the unconditional security bounds for the BB84 (Shor and Preskill, 2000) and the six-state protocol (Lo, 2001) for the case where each quantum signal is a single qubit, or more generally when the quantum channel is a qubit channel followed by a qubit detection [70]. As usual, the proof is done in the EB scheme, the application to the P&M case following immediately as discussed in Sec. II.B.2.

Alice produces the state $|\Phi^+\rangle = \frac{1}{\sqrt{2}}\left(|00\rangle + |11\rangle\right)$, she keeps the first qubit and sends the other one to Bob. This state is such that $\langle\sigma_z \otimes \sigma_z\rangle = \langle\sigma_x \otimes \sigma_x\rangle = +1$ (perfectly correlated outcomes) and $\langle\sigma_y \otimes \sigma_y\rangle = -1$ (perfectly anti-correlated outcomes); to have perfect correlation in all three bases, Bob flips his result when he measures $\sigma_y$. We suppose an asymmetric implementation of the protocols: the key is extracted only from the measurements in the Z basis, which is used almost always; the other measurements are used to estimate Eve’s knowledge on the Z basis, and will be used on a negligible sample (recall that we work in the asymptotic regime of infinitely long keys).

Now we follow the techniques of (Kraus, Gisin and Renner, 2005; Renner, Gisin and Kraus, 2005). Without loss of generality, the symmetries of the BB84 and the six-state protocols [71] imply that one can compute the bound by restricting to collective attacks, and even further, to those collective attacks such that the final state of Alice and Bob is Bell-diagonal:

$$\rho_{AB} = \lambda_1 |\Phi^+\rangle\langle\Phi^+| + \lambda_2 |\Phi^-\rangle\langle\Phi^-| + \lambda_3 |\Psi^+\rangle\langle\Psi^+| + \lambda_4 |\Psi^-\rangle\langle\Psi^-| \tag{A1}$$

with $\sum_i \lambda_i = 1$. Since $|\Phi^\pm\rangle$ give perfect correlations in the Z basis, while $|\Psi^\pm\rangle$ give perfect anti-correlations, the QBER $\varepsilon_z$ is given by

$$\varepsilon_z = \lambda_3 + \lambda_4 . \tag{A2}$$

The error rates in the other bases are

$$\varepsilon_x = \lambda_2 + \lambda_4 , \qquad \varepsilon_y = \lambda_2 + \lambda_3 . \tag{A3}$$

Eve’s information is given by the Holevo bound (24) $I_E = S(\rho_E) - \frac{1}{2} S(\rho_{E|0}) - \frac{1}{2} S(\rho_{E|1})$ since both values of the bit are equiprobable in this attack. Since Eve has a purification of $\rho_{AB}$, $S(\rho_E) = S(\rho_{AB}) = H(\{\lambda_1, \lambda_2, \lambda_3, \lambda_4\}) \equiv H(\lambda)$ where $H$ is Shannon entropy. The computation of $\rho_{E|b}$ is made in two steps. First, one writes down explicitly the purification [72] $|\Psi\rangle_{ABE} = \sum_i \sqrt{\lambda_i}\, |\Phi_i\rangle_{AB} |e_i\rangle_E$, where we used an obvious change of notation for the Bell states, and where $\langle e_i | e_j \rangle = \delta_{ij}$. Then, one traces out Bob and projects Alice on $|+z\rangle$ for $b = 0$, on $|-z\rangle$ for $b = 1$. All calculations done, the result is $S(\rho_{E|0}) = S(\rho_{E|1}) = h(\varepsilon_z)$. So we have obtained

$$I_E(\lambda) = H(\lambda) - h(\varepsilon_z) . \tag{A4}$$

Now we have to particularize to the two protocols under study. Let’s start with the six-state protocol. In this case, both $\varepsilon_x$ and $\varepsilon_y$ are measured, so all the four $\lambda$’s are directly determined. After easy algebra, one finds

$$I_E(\varepsilon) = \varepsilon_z\, h\!\left[\frac{1 + (\varepsilon_x - \varepsilon_y)/\varepsilon_z}{2}\right] + (1 - \varepsilon_z)\, h\!\left[\frac{1 - (\varepsilon_x + \varepsilon_y + \varepsilon_z)/2}{1 - \varepsilon_z}\right] . \tag{A5}$$

[70] For real optical channels, we assume therefore the tagging method for real sources and the squashing model for the detection, see IV.A.2.

[71] Actually, a lower bound can be computed in the same way for a very general class of protocols; but it may not be tight, as explicitly found in the case of SARG04 (Branciard et al., 2005; Kraus, Branciard and Renner, 2007).
[72] All purifications are equivalent under a local unitary operation on Eve’s system, so Eve’s information does not change with the choice of the purification.

Under the usual assumption of a depolarizing channel, $\varepsilon_x = \varepsilon_y = \varepsilon_z = Q$, this becomes

$$I_E(Q) = Q + (1 - Q)\, h\!\left[\frac{1 - 3Q/2}{1 - Q}\right] . \tag{A6}$$

The corresponding secret fraction (one-way post-processing, no pre-processing and perfect error correction) is $r = 1 - h(Q) - I_E(Q)$, which goes to 0 for $Q \approx 12.61\%$.

The calculation is slightly more complicated for BB84, because there only $\varepsilon_x$ is measured; therefore, there is still a free parameter, which must be chosen so as to maximize Eve’s information. The simplest way of performing this calculation consists in writing $\lambda_1 = (1 - \varepsilon_z)(1 - u)$, $\lambda_2 = (1 - \varepsilon_z) u$, $\lambda_3 = \varepsilon_z (1 - v)$, $\lambda_4 = \varepsilon_z v$, where $u, v \in [0, 1]$ are subject to the additional constraint

$$(1 - \varepsilon_z) u + \varepsilon_z v = \varepsilon_x . \tag{A7}$$

Under this parametrization, $H(\lambda) = h(\varepsilon_z) + (1 - \varepsilon_z) h(u) + \varepsilon_z h(v)$ and consequently

$$I_E(\lambda) = (1 - \varepsilon_z) h(u) + \varepsilon_z h(v) \tag{A8}$$

to be maximized under the constraint (A7). This can be done easily by inserting $v = v(u)$ and taking the derivative with respect to $u$. The result is that the optimal choice is $u = v = \varepsilon_x$ so that

$$I_E(\varepsilon) = h(\varepsilon_x) . \tag{A9}$$

The usual case is $\varepsilon_x = \varepsilon_z = Q$, which however here does not correspond to the depolarizing channel: the relations above imply $\varepsilon_y = 2Q(1 - Q)$, which corresponds to the application of the so-called “phase-covariant cloning machine” (Bruß et al., 2000; Griffiths and Niu, 1997). The corresponding secret fraction (again for one-way post-processing, no pre-processing and perfect error correction) is $r = 1 - h(Q) - I_E(Q)$, which goes to 0 for $Q \approx 11\%$.

APPENDIX B: Elementary estimates for quantum repeaters

1. Quantum memories

A quantum memory is a device that can store an incoming quantum state (typically, of light) and re-emit it on demand without loss of coherence. A full review of the research in quantum memories is clearly beyond our scope.
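The bounds of Appendix A can be checked numerically. The Python below is an added example, not code from the paper, and its function names are chosen here: it evaluates (A4), (A6) and (A9), confirms by grid search that $u = v = \varepsilon_x$ maximizes (A8) under the constraint (A7), and finds by bisection the QBER at which $r = 1 - h(Q) - I_E(Q)$ vanishes for each protocol.

```python
import math


def h(p):
    """Binary Shannon entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def shannon(probs):
    """Shannon entropy H of a probability vector, in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def bell_weights(ex, ey, ez):
    """Invert (A2)-(A3) together with sum(lambda) = 1.

    Returns (lambda1, lambda2, lambda3, lambda4) of the Bell-diagonal state (A1).
    """
    l2 = (ex + ey - ez) / 2
    l3 = (ey + ez - ex) / 2
    l4 = (ex + ez - ey) / 2
    return (1 - l2 - l3 - l4, l2, l3, l4)


def eve_info_general(lams):
    """(A4): I_E = H(lambda) - h(eps_z), with eps_z = lambda3 + lambda4."""
    return shannon(lams) - h(lams[2] + lams[3])


def eve_info_six_state(q):
    """(A6): six-state protocol on a depolarizing channel with QBER q."""
    return q + (1 - q) * h((1 - 1.5 * q) / (1 - q))


def eve_info_bb84(q):
    """(A9) for the usual case eps_x = eps_z = q."""
    return h(q)


def eve_info_bb84_search(ex, ez, steps=10000):
    """Maximize (A8) over u on a grid, with v fixed by the constraint (A7)."""
    best = 0.0
    for i in range(steps + 1):
        u = i / steps
        v = (ex - (1 - ez) * u) / ez
        if 0.0 <= v <= 1.0:                      # keep only feasible points
            best = max(best, (1 - ez) * h(u) + ez * h(v))
    return best


def secret_fraction(q, eve_info):
    """r = 1 - h(Q) - I_E(Q): one-way post-processing, perfect error correction."""
    return 1 - h(q) - eve_info(q)


def critical_qber(eve_info, lo=1e-6, hi=0.25, iters=60):
    """Bisection for the QBER at which the secret fraction reaches zero."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        if secret_fraction(mid, eve_info) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print("BB84 critical QBER:      %.4f" % critical_qber(eve_info_bb84))
    print("six-state critical QBER: %.4f" % critical_qber(eve_info_six_state))
    print("grid maximum of (A8):    %.6f" % eve_info_bb84_search(0.05, 0.08))
    print("h(eps_x) from (A9):      %.6f" % h(0.05))
```

Feeding `bell_weights(Q, 2*Q*(1-Q), Q)` into `eve_info_general` reproduces $h(Q)$, which is the phase-covariant case the text identifies for BB84.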
Experiments are being pursued using several techniques, like atomic ensembles (Chou et al., 2007; Julsgaard et al., 2004), NV centers (Childress et al., 2006), doped crystals (Alexander et al., 2006; Staudt et al., 2007).

Two characteristics of quantum memories are especially relevant for quantum repeaters. A memory is called multimode if it can store several light modes and one can select which mode to re-emit; multimode memories are being realized (Simon et al., 2007). A memory is called heralded if its status (loaded or not loaded) can be learned without perturbation; there is no proposal to date on how to realize such a memory, and repeater schemes have been found that work without heralded memories (Duan et al., 2001).

FIG. 8 Three configurations for quantum repeaters: direct link, two-link repeater and four-link repeater.

2. Model of quantum repeater

Here we present a rapid comparison of the direct link with the two-link repeater and discuss the advantages and problems that arise in more complex repeaters. We consider the architecture sketched in Fig. 8, corresponding to the original idea (Briegel et al., 1998).

a. Definition of the model

Our elementary model is described as follows:

• Source: perfect two-photon source with repetition rate $\nu_S$;
• Quantum channel: the total distance between Alice and Bob is $\ell$. The channel is noiseless; its losses are characterized by $\alpha$, and we denote by $t = 10^{-\alpha\ell/10}$ the total transmittivity.
• Detectors of Alice and Bob: efficiency $\eta$; neglected dark counts, dead-time and other nuisances.
• Quantum memories: multimode memories that can store $N$ modes. We write $p_M$ the probability that a photon is absorbed, then re-emitted on demand (contains all the losses due to coupling with other elements). The memory has a typical time $T_M$, that we shall consider as a life-time [73].
• Bell measurement: linear optics, i.e. probability of success $\frac{1}{2}$. Fidelity $F$, depolarized noise (i.e. a detection comes from the desired Bell state with probability $F$, from any of the others with equal probability $(1 - F)/3$). The detectors have efficiency $\eta_M$ and no dark counts.

b. Detection rates

For the direct link, the key rate is just the detection rate in our simplified model:

$$K_1 = R_1 = \nu_S\, t\, \eta^2 . \tag{B1}$$

In the two-link repeater, the central station (Christoph) holds the two sources and the memories. Consider one of the links, say with Alice. The source produces groups of $N$ pairs, each pair in a different mode; one photon per pair is kept in the memory, the other is sent to Alice. Alice announces whether she has detected at least one photon: if she has, Christoph notes which one; if she has not, Christoph releases the memory and starts the protocol again. The same is happening on the other link, the one with Bob, independently. As soon as both partners have announced a detection, Christoph releases the corresponding photons, performs the Bell measurement and communicates the result to Alice and Bob, who post-select their results accordingly [74]. Note that the memories need not be heralded in this scheme.

Here is the quantitative analysis of the two-link repeater. Any elementary run takes the time for the photon to go from the source to the detector, then for the communication to reach back Christoph, i.e. $\ell/c$. In each run, the probability of a detection is $1 - (1 - \sqrt{t}\,\eta)^N \approx N \sqrt{t}\,\eta$. Then, on average, the Bell measurement will be performed after a time [75] $\tau \approx \frac{3}{2}\, \frac{\ell/c}{N \sqrt{t}\,\eta}$. Consequently,

$$R_2 = \begin{cases} \tau^{-1}\, \frac{1}{2}\, p_M^2\, \eta_M^2 & \text{if } \tau < T_M \\ 0 & \text{otherwise} \end{cases} \tag{B2}$$

[73] That is, photons may be lost but do not decohere in the memory. Note that this can be the case even if the atoms, which form the memory, do undergo some decoherence (Staudt et al., 2007).

[74] Recall that there is no time-ordering in quantum correlations: so, this procedure gives exactly the same statistics as the “usual” entanglement swapping, in which the Bell measurement is made beforehand.

[75] In fact, let $x = 1 - (1 - \sqrt{t}\,\eta)^N$: the probability that Alice’s (Bob’s) detector is activated by the $m$-th group of $N$ pairs is $p_1(m) = x (1 - x)^{m-1}$. Therefore, the probability that both links are activated exactly by the $n$-th repetition is $p(n) = 2 p_1(n)\, p_1(<n) + p_1(n)^2 = x (1 - x)^{n-1} \left[ 2 - (2 - x)(1 - x)^{n-1} \right]$ with $p_1(<n) = \sum_{m=1}^{n-1} p_1(m)$. Finally, the number of repetitions needed to establish the link is $\langle n \rangle = \sum_n n\, p(n) = \frac{1}{x}\, \frac{3 - 2x}{2 - x}$.
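A numerical version of this appendix's repeater model, added here as an example and not taken from the paper: it evaluates (B1), then (B2) with the exact mean of footnote 75 in place of the small-$x$ approximation, and the key rate (B3) $K_2 = R_2[1 - 2h(\varepsilon)]$ with $\varepsilon = \frac{2}{3}(1 - F)$, using the parameter values quoted in the caption of Fig. 9. The value of $c$ (light in fibre, $2 \times 10^5$ km/s) and all function names are assumptions; the page only writes $\ell/c$.

```python
import math

C_KM_PER_S = 2.0e5  # assumption: speed of light in fibre (the page only writes l/c)


def h(p):
    """Binary Shannon entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def mean_repetitions(x):
    """Closed form of footnote 75: <n> = (1/x)(3 - 2x)/(2 - x)."""
    return (3 - 2 * x) / (x * (2 - x))


def mean_repetitions_by_sum(x, terms=2000):
    """Same quantity from the distribution p(n) of footnote 75, summed directly."""
    total = 0.0
    for n in range(1, terms + 1):
        q = (1 - x) ** (n - 1)
        total += n * x * q * (2 - (2 - x) * q)
    return total


def direct_key_rate(l_km, nu_s=1e10, eta=0.5, alpha=0.2):
    """(B1): K1 = R1 = nu_S * t * eta^2, with t = 10^(-alpha*l/10)."""
    t = 10 ** (-alpha * l_km / 10)
    return nu_s * t * eta ** 2


def key_fraction(fidelity):
    """Factor 1 - 2h(eps) of (B3), eps = (2/3)(1 - F), clamped at zero."""
    eps = 2 * (1 - fidelity) / 3
    return max(0.0, 1 - 2 * h(eps))


def repeater_key_rate(l_km, n_modes=1000, fidelity=0.95, eta=0.5,
                      eta_m=0.9, p_m=0.9, alpha=0.2, t_mem=10.0):
    """K2 of the two-link repeater: (B2) times the key fraction of (B3)."""
    y = eta * 10 ** (-alpha * l_km / 20)          # sqrt(t) * eta for one link
    x = -math.expm1(n_modes * math.log1p(-y))     # 1 - (1 - y)^N, computed stably
    tau = mean_repetitions(x) * l_km / C_KM_PER_S
    if tau >= t_mem:                              # sharp memory cut-off of (B2)
        return 0.0
    r2 = 0.5 * p_m ** 2 * eta_m ** 2 / tau
    return r2 * key_fraction(fidelity)


def crossover_km(max_km=1000, **repeater_params):
    """First distance (1 km steps) where the repeater beats the direct link.

    Pass only n_modes, fidelity or t_mem here; the direct link keeps its defaults.
    Returns None if the memory cut-off is reached first.
    """
    for l_km in range(1, max_km + 1):
        if repeater_key_rate(l_km, **repeater_params) > direct_key_rate(l_km):
            return l_km
    return None


def min_fidelity(iters=60):
    """Bisection for the Bell-measurement fidelity at which K2 becomes positive."""
    lo, hi = 0.5, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if 1 - 2 * h(2 * (1 - mid) / 3) > 0:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    print("line (a) N=1000, F=0.95:", crossover_km(), "km")
    print("line (b) N=1000, F=0.90:", crossover_km(fidelity=0.9), "km")
    print("line (c) N=100,  F=0.95:", crossover_km(n_modes=100))
    print("minimum fidelity for K2 > 0: %.4f" % min_fidelity())
```

With these values the reduced fidelity only shifts the crossover to a longer distance, while reducing the number of modes to 100 removes it altogether because the memory time is exceeded first.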
where we have supposed that the memory time $T_M$ defines a sharp cut, which is another simplification. This is the expected result: $R_2$ scales with $\sqrt{t}\,\eta$ and not with $t \eta^2$, because each link can be activated independently.

Finally, in our model, the error rate is uncorrelated with the other parameters and only due to the fidelity of the Bell measurement; so

$$K_2 = R_2 \left[ 1 - 2 h(\varepsilon) \right] \tag{B3}$$

with $\varepsilon = \frac{2}{3}(1 - F)$ because one of the “wrong” Bell states gives nevertheless the correct bit correlations. In particular, the fidelity of a Bell measurement must exceed 83.5% to have $K_2 > 0$.

Some plots of $K_1$ and $K_2$ as a function of the distance are shown in Fig. 9. The chosen values are already optimistic extrapolations of what could be achieved in a not too distant future. We notice that quantum repeaters overcome the direct link for $\ell \gtrsim 500$ km in fibers; with $\eta = 0.5$ and $N = 1000$, this requires $T_M \approx 10$ s. Also, the number of modes supported by the memory is a more critical parameter than the fidelity of the Bell measurement. This analysis provides a rough idea of the performances to be reached in order for quantum repeaters to be useful.

FIG. 9 Comparison of $K_1$ (straight line) and $K_2$. For all curves: $\nu_S = 10$ GHz, $\eta = 0.5$, $\eta_M = 0.9$, $p_M = 0.9$, $\alpha = 0.2$ dB/km (fibers), $T_M = 10$ s. Line (a): best case, $N = 1000$, $F = 0.95$; line (b): $N = 1000$, fidelity reduced to $F = 0.9$; line (c): supported modes reduced to $N = 100$, $F = 0.95$. Horizontal axis: distance [km].

For the next step, the four-link repeater, we content ourselves with a few remarks. The four-link repeater allows in principle to reach the scaling $R_4 \propto t^{1/4}$. The requirements for a practical implementation, however, become more stringent: the four memories must be released before $T_M$; there are three Bell measurements, so $\varepsilon < 11\%$ requires $F \gtrsim 95\%$; also, $p_M' \approx p_M\, t^{1/4}$. Moreover, it is easy to realize that the basic scheme (Fig. 8) requires heralded memories, although other schemes do not (Duan et al., 2001).

References

Acín, A., J.I. Cirac, and L. Masanes, 2004, Phys. Rev. Lett. 92, 107903.
Acín, A., N. Gisin, and V. Scarani, 2004, Phys. Rev. A 69, 012309.
Acín, A., and N. Gisin, 2005, Phys. Rev. Lett. 94, 020501.
Acín, A., N. Gisin, and L. Masanes, 2006, Phys. Rev. Lett. 97, 120405.
Acín, A., N. Brunner, N. Gisin, S. Massar, S. Pironio, V. Scarani, 2007, Phys. Rev. Lett. 98, 230501.
Adachi, Y., T. Yamamoto, M. Koashi, and N. Imoto, 2007, Phys. Rev. Lett. 99, 180503.
Agrawal, G.P., 1997, Fiber-Optic Communication Systems (John Wiley and Sons).
Ahlswede, R., and I. Csiszár, 1993, IEEE Trans. Inf. Theory 39, 1121.
Alexander, A.L., J.J. Longdell, M.J. Sellars, and N.B. Manson, 2006, Phys. Rev. Lett. 96, 043602.
Alléaume, R., F. Treussart, G. Messin, Y. Dumeige, J.-F. Roch, A. Beveratos, R. Brouri-Tualle, J.-P. Poizat, and P. Grangier, 2004, New J. Phys. 6, 92.
Alléaume, R., J. Bouda, C. Branciard, T. Debuisschert, M. Dianati, N. Gisin, M. Godfrey, P. Grangier, T. Länger, A. Leverrier, N. Lütkenhaus, P. Painchault, M. Peev, A. Poppe, T. Pornin, J. Rarity, R. Renner, G. Ribordy, M. Riguidel, L. Salvail, A. Shields, H. Weinfurter, and A. Zeilinger, 2007, eprint quant-ph/0701168 (SECOQC White Paper on Quantum Key Distribution and Cryptography).
Alléaume, R., F. Roueff, E. Diamanti, N. Lütkenhaus, 2009, eprint arXiv:0903.0839.
Aspelmeyer, M., T. Jennewein, M. Pfennigbauer, W. Leeb, and A. Zeilinger, 2003, IEEE J. of Selected Topics in Quantum Electronics 9, 1541.
Bae, J., and A. Acín, 2007, Phys. Rev. A 75, 012334.
Barnum, H., J. Barrett, M. Leifer, and A. Wilce, 2006, eprint quant-ph/0611295.
Barrett, J., L. Hardy, and A. Kent, 2005, Phys. Rev. Lett. 95, 010503.
Beaudry, N.J., T. Moroder, and N. Lütkenhaus, 2008, Phys. Rev. Lett. 101, 093601.
Beaudry, N.J., T. Moroder, and N. Lütkenhaus, 2008, in preparation.
Bechmann-Pasquinucci, H. and N. Gisin, 1999, Phys. Rev. A 59, 4238.
Bechmann-Pasquinucci, H. and A. Peres, 2000, Phys. Rev. Lett. 85, 3313.
Bechmann-Pasquinucci, H. and W. Tittel, 2000, Phys. Rev. A 61, 062308.
Bechmann-Pasquinucci, H. and A. Pasquinucci, 2005, eprint quant-ph/0505089.
Bechmann-Pasquinucci, H., 2006, Phys. Rev. A 73, 044305.
Beige, A., B.-G. Englert, C. Kurtsiefer, and H. Weinfurter, 2002, Acta Phys. Pol. A 101, 357.
Bennett, C.H. and G. Brassard, 1984, in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York), p. 175.
Bennett, C.H., G. Brassard, S. Breidbart, and S. Wiesner, 1984, IBM Technical Disclosure Bulletin 26, 4363.
Bennett, C.H., G. Brassard, and J.-M. Robert, 1988, SIAM J. Comp. 17, 210.
Bennett, C.H., G. Brassard, and N.D. Mermin, 1992, Phys. Rev. Lett. 68, 557.
Bennett, C.H., 1992, Phys. Rev. Lett. 68, 3121.
Bennett, C. H., F. Bessette, L. Salvail, G. Brassard, and J. Smolin, 1992, J. Cryptology 5, 3.
Bennett, C. H., G. Brassard, C. Crépeau, and U. Maurer, 1995, IEEE Trans. Info. Theory 41, 1915.
Ben-Or, M., 2002, Security of BB84 QKD Protocol, Slides available at
Ben-Or, M., M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, 2005, in: Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, Lecture Notes in Computer Science Vol. 3378 (Springer Verlag, Berlin), p. 387.
Bethune, D., and W. Risk, 2000, IEEE J. Quantum Electron. 36, 340.
Beveratos, A., R. Brouri, T. Gacoin, A. Villing, J.P. Poizat, and P. Grangier, 2002, Phys. Rev. Lett. 89, 187901.
Biham, E., and T. Mor, 1997, Phys. Rev. Lett. 78, 2256.
Biham, E., M. Boyer, G. Brassard, J. van de Graaf, and T. Mor, 2005, Algorithmica 34, 372.
Bloch, M., A. Thangaraj, S.W. McLaughlin, and J.-M. Merolla, 2005, eprint cs.IT/0509041.
Bloom, S., E. Korevaar, J. Schuster, and H. Willebrand, 2003, J. Opt. Netw. 2, 178.
Boileau, J.C., D. Gottesman, R. Laflamme, D. Poulin, R.W. Spekkens, 2004, Phys. Rev. Lett. 92, 017901.
Boström, K., and T. Felbinger, 2002, Phys. Rev. Lett. 89, 187902.
Boucher, W., and T. Debuisschert, 2005, Phys. Rev. A 72, 062325.
Bourennane, M., M. Eibl, S. Gaertner, C. Kurtsiefer, A. Cabello, and H. Weinfurter, 2004, Phys. Rev. Lett. 92, 107901.
Brainis, E., L.-P. Lamoureux, N.J. Cerf, P. Emplit, M. Haelterman, and S. Massar, 2003, Phys. Rev. Lett. 90, 157902.
Branciard, C., N. Gisin, B. Kraus, and V. Scarani, 2005, Phys. Rev. A 72, 032301.
Branciard, C., N. Gisin, N. Lütkenhaus, and V. Scarani, 2007, Quant. Inf. Comput. 7, 639.
Branciard, C., N. Gisin, and V. Scarani, 2008, New J. Phys. 10, 013031.
Brassard, G., and L. Salvail, 1994, in: Advances in Cryptology - EUROCRYPT ’93, Lecture Notes in Computer Science Vol. 765 (Springer Verlag, Berlin), pp. 410-423.
Brassard, G., N. Lütkenhaus, T. Mor, and B.C. Sanders, 2000, Phys. Rev. Lett. 85, 1330.
Brassard, G., T. Mor, and B.C. Sanders, 2000, in: P. Kumar, G.M. D’Ariano and O. Hirota (eds), Quantum Communication, Computing and Measurement 2 (Kluwer Academic/Plenum Publishers, New York), pp. 381-386.
Bréguet, J., A. Muller, and N. Gisin, 1994, J. Mod. Opt. 41, 2405.
Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, Phys. Rev. Lett. 82, 2594.
Briegel, H.-J., W. Dür, J.I. Cirac, and P. Zoller, 1998, Phys. Rev. Lett. 81, 5932.
Bruß, D., 1998, Phys. Rev. Lett. 81, 3018.
Bruß, D., M. Cinchetti, G. M. D’Ariano and C. Macchiavello, 2000, Phys. Rev. A 62, 012302.
Buttler, W.T., R.J. Hughes, P.G. Kwiat, S.K. Lamoreaux, G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson, and C. M. Simmons, 1998, Phys. Rev. Lett. 81, 3283.
Camatel, S., and V. Ferrero, 2006, IEEE Photonics Technology Letters 18, 142.
Carter, J. L., and M. N. Wegman, 1979, J. Comp. Syst. Sci. 18, 143.
Cerf, N.J., A. Ipe, and X. Rottenberg, 2000, Phys. Rev. Lett. 85, 1754.
Cerf, N.J., M. Lévy, and G. Van Assche, 2001, Phys. Rev. A 63, 052311.
Cerf, N.J., M. Bourennane, A. Karlsson and N. Gisin, 2002, Phys. Rev. Lett. 88, 127902.
Chen, T.-Y., J. Zhang, J.-C. Boileau, X.-M. Jin, B. Yang, Q. Zhang, T. Yang, R. Laflamme, and J.-W. Pan, 2006, Phys. Rev. Lett. 96, 150504.
Childress, L., J.M. Taylor, A.S. Sorensen, and M.D. Lukin, 2006, Phys. Rev. Lett. 96, 070504.
Chau, H. F., 2002, Phys. Rev. A 66, 060302(R).
Chou, C.-W., J. Laurat, H. Deng, K.S. Choi, H. de Riedmatten, D. Felinto, H.J. Kimble, 2007, Science 316, 1316.
Cleve, R., D. Gottesman, and H.-K. Lo, 1999, Phys. Rev. Lett. 83, 648.
Collins D., N. Gisin and H. de Riedmatten, 2005, J. Mod. Opt. 52, 735.
Coppersmith, D., D.B. Johnson, and S.M. Matyas, 1996, IBM J. Res. Dev. 40, 253.
Cova, S., M. Ghioni, A. Lotito, I. Rech, and F. Zappa, 2004, J. Mod. Opt. 51, 1267.
Crépeau, C., D. Gottesman, and A. Smith, 2005, in: Advances in Cryptology - EUROCRYPT 2005, Lecture Notes in Computer Science Vol. 3494 (Springer Verlag, Berlin), pp. 285-301.
Csiszár, I. and J. Körner, 1978, IEEE Trans. Inf. Theory 24, 339.
Curty, M., M. Lewenstein, and N. Lütkenhaus, 2004, Phys. Rev. Lett. 92, 217903.
Curty, M., and N. Lütkenhaus, 2004, Phys. Rev. A 69, 042321.
Curty, M., and N. Lütkenhaus, 2005, Phys. Rev. A 71, 062301.
Curty, M., L. Zhang, H.-K. Lo, and N. Lütkenhaus, 2007, Quant. Inf. Comput. 7, 665.
Curty, M., K. Tamaki, and T. Moroder, 2005, Phys. Rev. A 77, 052321.
Daemen, J., and V. Rijmen, 2001, Dr. Dobb’s J. 26, 137.
Damgaard, I.B., S. Fehr, L. Salvail, C. Schaffner, 2005, in: Proceedings of the 46th IEEE Symposium on Foundations of Computer Science - FOCS 2005, p. 449.
Damgaard, I.B., S. Fehr, R. Renner, L. Salvail, C. Schaffner, 2007, in: CRYPTO 2007, Lecture Notes in Computer Science Vol. 4622 (Springer Verlag, Berlin).
De Riedmatten, H., I. Marcikic, V. Scarani, W. Tittel, H. Zbinden, N. Gisin, 2004, Phys. Rev. A 69, 050304(R).
De Riedmatten, H., V. Scarani, I. Marcikic, A. Acín, W. Tittel, H. Zbinden, N. Gisin, 2004, J. Mod. Opt. 51, 1637.
Devetak, I. and A. Winter, 2005, Proc. R. Soc. Lond. A 461, 207.
Deutsch, D., A.K. Ekert, R. Jozsa, C. Macchiavello, S. Popescu, and A. Sanpera, 1996, Phys. Rev. Lett. 77, 2818.
Diamanti, E., H. Takesue, T. Honjo, K. Inoue, and Y. Yamamoto, 2005, Phys. Rev. A 72, 052311.
Diamanti, E., H. Takesue, C. Langrock, M.M. Fejer, and Y. Yamamoto, 2006, Optics Express 14, 13073.
Dianati, M., and R. Alléaume, 2006, eprint quant-ph/0610202.
Dianati, M., R. Alléaume, M. Gagnaire, and X. Shen, 2008, Security and Communication Networks 1, 57.
Diffie, W., and M.E. Hellman, 1976, IEEE Trans. Info. Theory IT-22, 644.
Duan, L.M., M.D. Lukin, J.I. Cirac, and P. Zoller, 2001, Nature 414, 413.
Dür, W., H.-J. Briegel, J.I. Cirac, and P. Zoller, 1999, Phys. Rev. A 59, 169.
Durkin, G.A., C. Simon, and D. Bouwmeester, 2002, Phys. Rev. A 88, 187902.
Dušek, M., O. Haderka, and M. Hendrych, 1999, Opt. Commun. 169, 103.
Dušek, M., M. Jahma, and N. Lütkenhaus, 2000, Phys. Rev. A 62, 022306.
Dušek, M., N. Lütkenhaus, and M. Hendrych, 2006, Progress in Optics 49, Edt. E. Wolf (Elsevier), 381.
Eisenberg, H.S., G. Khoury, G.A. Durkin, C. Simon, and D. Bouwmeester, 2004, Phys. Rev. Lett. 93, 193901.
Ekert, A.K., 1991, Phys. Rev. Lett. 67, 661.
Ekert, A.K., N. Gisin, B. Huttner, H. Inamori, H. Weinfurter, 2001, Quantum cryptography, in: D. Bouwmeester, A.K. Ekert, A. Zeilinger (eds), The physics of quantum information (Springer Verlag, London).
Elliott, C., 2002, New J. Phys. 4, 46.
Elliott, C., A. Colvin, D. Pearson, O. Pikalo, J. Schlafer, and H. Yeh, 2005, eprint quant-ph/0503058.
Englert, B.-G., D. Kaszlikowski, H.K. Ng, W.K. Chua, J. Rehácek, and J. Anders, 2004, eprint quant-ph/0412075.
Erven, C., C. Couteau, R. Laflamme, and G. Weihs, 2008, eprint arXiv:0807.2289.
Fasel, S., N. Gisin, G. Ribordy, and H. Zbinden, 2004, Eur. Phys. J. D 30, 143.
Franson, J. D., and H. Ilves, 1994, J. Mod. Opt. 41, 2391.
Fuchs, C.A., N. Gisin, R. B. Griffiths, C.-S. Niu and A. Peres, 1997, Phys. Rev. A 56, 1163.
Fung, C.-H. F., K. Tamaki, and H.-K. Lo, 2006, Phys. Rev. A 73, 012337.
Fung, C.-H. F., B. Qi, K. Tamaki, and H.-K. Lo, 2007, Phys. Rev. A 75, 032314.
Galtarossa, A., and Menyuk, C.R. (eds), 2005, Polarization Mode Dispersion (Springer Verlag, Berlin).
García-Patrón, R., and N.J. Cerf, 2006, Phys. Rev. Lett. 97, 190503.
García-Patrón, R., 2007, Ph.D. thesis (Université Libre de Bruxelles).
Gisin, N., and J.P. Pellaux, 1992, Optics Commun. 89, 316.
Gisin, N., and S. Wolf, 1999, Phys. Rev. Lett. 83, 4200.
Gisin, N., and S. Wolf, 2000, in: Proceedings of CRYPTO 2000, Lecture Notes in Computer Science Vol. 1880 (Springer Verlag, Berlin), p. 482.
Gisin, N., G. Ribordy, W. Tittel and H. Zbinden, 2002, Rev. Mod. Phys. 74, 145.
Gisin, N., G. Ribordy, H. Zbinden, D. Stucki, N. Brunner, and V. Scarani, 2004, eprint quant-ph/0411022.
Gisin, N., S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, 2006, Phys. Rev. A 73, 022320.
Gobby, C., Z.L. Yuan, and A.J. Shields, 2004, Appl. Phys. Lett. 84, 3762.
Goldenberg, L., and L. Vaidman, 1995, Phys. Rev. Lett. 75, 1239.
Goldenberg, L., and L. Vaidman, 1996, Phys. Rev. Lett. 77, 3265.
Gomez-Sousa, H., and M. Curty, 2009, Quant. Inf. Comput. 9, 62.
Gottesman, D., and J. Preskill, 2001, Phys. Rev. A 63, 022309.
Gottesman, D., and H.-K. Lo, 2003, IEEE Transactions on Information Theory 49, 457.
Gottesman, D., H.-K. Lo, N. Lütkenhaus, and J. Preskill, 2004, Quant. Inf. Comput. 4, 325.
Griffiths, R.B. and C.-S. Niu, 1997, Phys. Rev. A 56, 1173.
Grosshans, F., and P. Grangier, 2002, Phys. Rev. Lett. 88, 057902.
Grosshans, F., and P. Grangier, in: Proc. 6th Int. Conf. on Quantum Communications, Measurement, and Computing (QCMC’02) (Rinton Press); eprint quant-ph/0204127.
Grosshans, F., G. Van Assche, J. Wenger, R. Tualle-Brouri, N. J. Cerf, and P. Grangier, 2003, Nature 421, 238.
Grosshans, F., N.J. Cerf, J. Wenger, R. Tualle-Brouri, and P. Grangier, 2003, Quantum Inf. Comput. 3, 535.
Grosshans, F., and N. J. Cerf, 2004, Phys. Rev. Lett. 92, 047905.
Grosshans, F., 2005, Phys. Rev. Lett. 94, 020504.
Grover, L.K., 1996, in Proc. 28th Annual ACM Symp. on the Theory of Computing, STOC’96 (ACM, New York), p. 212.
Grover, L.K., 1997, Phys. Rev. Lett. 79, 325. Hadfield, R.H., J.L. Habif, J. Schlafer, R.E. Schwall, S.W. Nam, 2006, Appl. Phys. Lett. 89, 241129. Halder, M., A. Beveratos, N. Gisin, V. Scarani, C. Simon, and H. Zbinden, 2007, Nature Physics 3, 692. H¨aseler, H., T. Moroder, and N. L¨utkenhaus, 2008, Phys. Rev. A 77, 032303. Hasegawa, J., M. Hayashi, T. Hiroshima, A. Tanaka, and A. Tomita, 2007, eprint arXiv:0705.3081. Hayashi, M., 2006, Phys. Rev. A 74, 022307. Hayashi, M., 2007, Phys. Rev. A 76, 012329. Hayashi, M., 2007, New J. Phys. 9, 284. Heid, M., and N. L¨utkenhaus, 2006, Phys. Rev. A 73, 052316. Heid, M., and N. L¨utkenhaus, 2007, Phys. Rev. A 76, 022313. Helstrom, C.W., 1976, Quantum Detection and Estimation Theory (Academic Press, New York). Herbauts, I.M., S. Bettelli, H. H¨ubel, and M. Peev, 2008, Eur. Phys. J. D 46, 395. Hillery, M., V. Buˇzek, and A. Berthiaume, 1999, Phys. Rev. A 59, 1829. Hillery, M., 2000, Phys. Rev. A 61, 022309. Hiskett, P.A., D. Rosenberg, C.G. Peterson, R.J. Hughes, S.W. Nam, A.E. Lita, A.J. Miller, and J.E. Nordholt, 2006, New J. Phys. 8, 193. Holevo, A.S., 1973, Probl. Inf. Trans. 9, 177. Horodecki, K., M. Horodecki, P. Horodecki, and J. Oppen- heim, 2005, Phys. Rev. Lett. 94, 160502. Horodecki, K., M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim, 2008, IEEE Trans. Info. Theory 54, 2604. Horodecki, K., M. Horodecki, P. Horodecki, D. Leung, and J. Oppenheim, 2008, Phys. Rev. Lett. 100, 110502. H¨ubel, H., M.R. Vanner, T. Lederer, B. Blauensteiner, T. Lor¨unser, A. Poppe, A. Zeilinger, 2007, Optics Express 15, 7853. Hughes, R.J., J.E. Nordholt, D. Derkacs, and C.G. Peterson, 2002, New J. Phys. 4, 43. Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, Phys. Rev. A 51, 1863. Hwang, W.-Y., 2003, Phys. Rev. Lett. 91, 057901.
  • 50. 50 A. Karlsson, M. Koashi, and N. Imoto, 1999, Phys. Rev. A 59, 162. Inamori, H., N. L¨utkenhaus, D. Mayers, 2007, Eur. J. Phys. D 41, 599, eprint quant-ph/0107017. Inoue, K., E. Waks, and Y. Yamamoto, 2002, Phys. Rev. Lett. 89, 037902. Inoue, K., E. Waks, and Y. Yamamoto, 2003, Phys. Rev. A 68, 022317. Inoue, K., and T. Honjo, 2005, Phys. Rev. A 71, 042305. Intallura, P.M., M.B. Ward, O.Z. Karimov, Z.L. Yuan, P. See, A.J. Shields, P. Atkinson, and D.A. Ritchie, 2007, Appl. Phys. Lett. 91, 161103. Jacobs, B.C., T.B. Pittman, and J.D. Franson, 2002, Phys. Rev. A 66, 052307. Jennewein, T., C. Simon, G.Weihs, H. Weinfurter, A. Zeilinger, 2000, Phys. Rev. Lett. 84, 4729. Julsgaard, B., J. Sherson, J.I. Cirac, J. Fiurasek, E.S. Polzik, 2004, Nature 432, 482. Kim, J., S. Takeuchi, Y. Yamamoto, and H. Hogue, 1999, Appl. Phys. Lett. 74, 902. Kim, I.I., and E. Korevaar, 2001, http://www.freespaceoptic.com/WhitePapers/SPIE2001b.pdf. Koashi, M., and N. Imoto, 1997, Phys. Rev. Lett. 79, 2383. Koashi, M., and J. Preskill, 2003, Phys. Rev. Lett. 90, 057902. Koashi, M., 2004, Phys. Rev. Lett. 93, 120501. Koashi, M., 2005, eprint quant-ph/0507154. Koashi, M., 2006, J. of Phys. Conference Series 36, 98. Koashi, M., 2006, eprint quant-ph/0609180. Koashi, M., 2007, eprint arXiv:0704.3661. Koashi, M., Y. Adachi, T. Yamamoto, and N. Imoto, 2008, eprint arXiv:0804.0891. K¨onig, R., R. Renner, A. Bariska, and U. Maurer, 2007, Phys. Rev. Lett. 98, 140502. K¨onig, R., and B. Terhal, 2008, IEEE Trans. Inf. Theo. 54, 749. K¨onig, R., and R. Renner, 2007, eprint arXiv:0712.4291 Kraus, B., N. Gisin and R. Renner, 2005, Phys. Rev. Lett. 95, 080501. Kraus, B., C. Branciard and R. Renner, 2007, Phys. Rev. A 75, 012316. Kurtsiefer, C., P. Zarda, S. Mayer, and H. Weinfurter, 2001, J. Mod. Opt. 48, 2039. Kurtsiefer, C., P. Zarda, M. Halder, H. Weinfurter, P.M. Gor- man, P.R. Tapster, and J.G. Rarity, 2002, Nature 419, 450. Kwiat, P.G., K. Mattle, H. Weinfurter, A. 
Zeilinger, A. V. Sergienko, and Y. Shih, 1995, Phys. Rev. Lett. 75, 4337. Kwiat, P.G., E. Waks, A.G. White, I. Appelbaum, and P.H. Eberhard, 1999, Phys. Rev. A 60, R773. Lamas-Linares, A., and C. Kurtsiefer, 2007, Opt. Express 15, 9388. Lance, A.M., T. Symul, V. Sharma, C. Weedbrook, T.C. Ralph, P.K. Lam, 2005, Phys. Rev. Lett. 95, 180503. Laurent, S., S. Varoutsis, L. Le Gratiet, A. Lemaˆıtre, I. Sagnes, F. Raineri, J. A. Levenson, I. Robert-Philip, and I. Abram, 2005, Appl. Phys. Lett. 87, 163107. Le Bellac, M., 2006, A Short Introduction to Quantum Infor- mation and Quantum Computation (Cambridge University Press, Cambridge). Legr´e, M., H. Zbinden, and N. Gisin, 2006, Quant. Inf. Com- put. 6, 326. Leverrier, A., R. All´eaume, J. Boutros, G. Z´emor, P. Grang- ier, 2008, Phys. Rev. A 77, 042325. Leverrier, A., E. Karpov, P. Grangier, and N.J. Cerf, 2008, eprint arXiv:0809.2252 Li, Y., H. Mikami, H. Wang, and T. Kobayashi, 2005, Phys. Rev. A 72, 063801. Ling, A., M.P. Peloso, I. Marcikic, V. Scarani, A. Lamas- Linares, C. Kurtsiefer, 2008, Phys. Rev. A 78, 020301(R). Lo, H.-K., and H.F. Chau, 1997, Phys. Rev. Lett. 78, 3410. Lo, H.-K., 1997, Phys. Rev. A 56, 1154. Lo, H.-K., 1998, Quantum cryptology, in: H.-K. Lo, S.Popescu and T.Spiller (eds), Introduction to quantum computation and information (World Scientific, Singapore). Lo, H.-K., and H.F. Chau, 1999, Science 283, 2050. Lo, H.-K., 2001, Quant. Inf. Comput. 1, 81. Lo, H.-K., H. F. Chau, and M. Ardehali, 2005, J. Cryptology 18, 133, eprint quant-ph/9803007. Lo, H.-K., 2003, New J. Phys. 5, 36. Lo, H.-K., 2005, Quant. Inf. Comput. 5, 413. Lo, H.-K., X. Ma, and K. Chen, 2005, Phys. Rev. Lett. 94, 230504. Lo, H.-K., and J. Preskill, 2007, Quant. Inf. Comput. 8, 431. Lo, H.-K., and Y. Zhao, 2008, eprint arXiv:0803.2507. Lodewyck, J., T. Debuisschert, R. Tualle-Brouri, and P. Grangier, 2005, Phys. Rev. A 72, 050303(R). Lodewyck, J., M. Bloch, R. Garcia-Patron, S. Fossier, E. Kar- pov, E. Diamanti, T. 
Debuisschert, N.J. Cerf, R. Tualle- Brouri, S.W. McLaughlin, and P. Grangier, 2007, Phys. Rev. A 76, 042305. Lodewyck, J., T. Debuisschert, R. Garc´ıa-Patr´on, R. Tualle- Brouri, N.J. Cerf, and P. Grangier, 2007, Phys. Rev. Lett. 98, 030503. Lodewyck, J., and P. Grangier, 2007, Phys. Rev. A 76, 022332. Lorenz, S., N. Korolkova, and G. Leuchs, 2004, Appl. Phys. B 79, 273. Lorenz, S., J. Rigas, M. Heid, U.L. Andersen, N. L¨utkenhaus, and G. Leuchs, 2006, Phys. Rev. A 74, 042326. Lounis, B., and M. Orrit, 2005, Rep. Prog. Phys. 68, 1129. L¨utkenhaus, N., 1996, Phys. Rev. A 54, 97. L¨utkenhaus, N., 1999, Phys. Rev. A 59, 3301. L¨utkenhaus, N., 2000, Phys. Rev. A 61, 052304. L¨utkenhaus, N., and M. Jahma, 2002, New J. Phys. 4, 44. Ma, X., C.-H. F. Fung, F. Dupuis, K. Chen, K.Tamaki, and H.-K. Lo, 2006, Phys. Rev. A 74, 032330. Ma, X., C.-H. F. Fung, and H.-K. Lo, 2007, Phys. Rev. A 76, 012307. Mair, A., A. Vaziri, G. Weihs, and A. Zeilinger, 2001, Nature 412, 3123. Makarov, V., and D. R. Hjelme, 2005, J. Mod. Opt. 52, 691. Makarov, V., A. Anisimov, and J. Skaar, 2006, Phys. Rev. A 74, 022313. Makarov, V., and J. Skaar, 2008, Quant. Inf. Comput. 8, 622. Mandel, L., and E. Wolf, 1995, Optical Coherence and Quan- tum Optics (Cambridge University Press, Cambridge). Marcikic, I., A. Lamas-Linares, and C. Kurtsiefer, 2006, Appl. Phys. Lett. 89, 101122. Masanes, L., A. Ac´ın, and N. Gisin, 2006, Phys. Rev. A 73, 012112. Masanes, L., 2009, Phys. Rev. Lett. 102, 140501. Mauerer, W., and C. Silberhorn, 2007, Phys. Rev. A 75, 050305(R). Maurer, U.M., 1993, IEEE Trans. Info. Theory 39, 733. Maurer, U.M., and S. Wolf, 1999, SIAM J. Comput. 28, 1689. Maurer, U.M., and S. Wolf, 2000, Des. Codes Cryptography 19, 147. Mayers, D., 1996, in: Advances in Cryptology — Proceedings
  • 51. 51 of Crypto ’96 (Springer Verlag, Berlin), p. 343. Mayers, D., 1997, Phys. Rev. Lett. 78, 3414. Mayers, D., 2001, JACM 48, 351. M´erolla, J.-M., Y. Mazurenko, J.-P. Goedgebuer, and W.T. Rhodes, 1999, Phys. Rev. Lett. 82, 1656. Meyer, T., H. Kampermann, M. Kleinmann, and D. Bruss, 2006, Phys. Rev. A 74, 042340. Miller, A. J., S. W. Nam, J. M. Martinis, and A. V. Sergienko, 2003, Appl. Phys. Lett. 83, 791. Mølmer, K., 1997, Phys. Rev. A 55, 3195. Muller, A., H. Zbinden, and N. Gisin, 1995, Nature 378, 449. Muller, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin, 1997, Appl. Phys. Lett. 70, 793. Naik, D.S., C.G. Peterson, A.G. White, A.J. Berglund, P.G. Kwiat, 2000, Phys. Rev. Lett. 84, 4733. Navascu´es, M., and A. Ac´ın, 2005, Phys. Rev. Lett. 94, 020505. Navascu´es, M., F. Grosshans, and A. Ac´ın, 2006, Phys. Rev. Lett. 97, 190502. Nguyen, K.-C., G. Van Assche, and N.J. Cerf, in: Proc. Int. Symposium on Information Theory and its Applications (ISITA, Parma, 2004); eprint cs.IT/0406001. Niederberger, A., V. Scarani and N. Gisin, 2005, Phys. Rev. A 71, 042316. Ou, Z.Y., J.-K. Rhee, and L.J. Wang, 1999, Phys. Rev. A 60, 593. Peng, C.-Z., J. Zhang, D. Yang, W.-B. Gao, H.-X. Ma, H. Yin, H.-P. Zeng, T. Yang, X.-B. Wand, and J.-W. Pan, 2007, Phys. Rev. Lett. 98, 010505. Peres, A., 1996, Phys. Rev. Lett. 77, 3264. Pirandola, S., S.L. Braunstein, S. Lloyd, 2008, Phys. Rev. Lett. 101, 200504. Qi, B., Y. Zhao, X. Ma, H.-K. Lo, and L. Qian, 2007, Phys. Rev. A 75, 052304. Qi, B., C.H. F. Fung, H.-K. Lo, and X. Ma, 2007, Quant. Inf. Comput. 7, 73. Qi, B., L.-L. Huang, L. Qian, and H.-K. Lo, 2007, Phys. Rev. A 76, 052323. Ralph, T.C., 1999, Phys. Rev. A 61, 010303(R). Rarity, J.G., P.M. Gorman, and P.R. Tapster, 2001, Electron. Lett. 37, 512. Rarity, J.G., P.R. Tapster, P.M. Gorman, and P. Knight, 2002, New J. Phys. 4, 82. Reid, M.D., 2000, Phys. Rev. A 62, 062308. Renner, R., and S. 
Wolf, 2005, in: Advances in cryptology: CRYPTO 2003, Lecture Notes in Computer Science Vol. 2729 (Springer Verlag, Berlin), p. 78. Renner, R., 2005, Ph.D. thesis (ETH Z¨urich), eprint quant- ph/0512258. Renner, R., N. Gisin and B. Kraus, 2005, Phys. Rev. A 72, 012332. Renner, R., and R. K¨onig, 2005, in: Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, Lecture Notes in Computer Science Vol. 3378 (Springer Verlag, Berlin), p. 407. Renner, R., 2007, Nature Physics 3, 645. Renner, R., and J.I. Cirac, 2009, Phys. Rev. Lett. 102, 110504. Ribordy, G., J.D. Gautier, N. Gisin, O. Guinnard, and H. Zbinden, 1998, Electron. Lett. 34, 2116. Ribordy, G., N. Gisin, O. Guinnard, D. Stucki, M. Wegm¨uller, and H. Zbinden, 2004, J. Mod. Opt. 51, 1381. Rigas, J., O. G¨uhne, and N. L¨utkenhaus, 2006, Phys. Rev. A 73, 012341. Rosenberg, D., A. E. Lita, A. J. Miller, and S. W. Nam, 2005, Phys. Rev. A 71, 061803(R). Rosenberg, D., J.W. Harrington, P.R. Rice, P.A. Hiskett, C.G. Peterson, R.J. Hughes, A.E. Lita, S.W. Nam, and J.E. Nordholt, 2007, Phys. Rev. Lett. 98, 010503. Rosenberg, D., C.G. Peterson, J.W. Harrington, P.R. Rice, N. Dallmann, K.T. Tyagi, K.P. McCabe, S.W. Nam, B. Baek, R.H. Hadfield, R.J. Hughes, and J.E. Nordholt, 2009, New J. Phys. 11, 045009. Saint-Girons, G., N. Chauvin, A. Michon, G. Patriarche, G. Beaudoin, B Bremond, C. Bru-Chevalier, and I. Sagnes, 2006, Appl. Phys. Lett. 88, 133101. Sangouard, N., C. Simon, J. Minar, H. Zbinden, H. De Ried- matten, and N. Gisin, 2007, Phys. Rev. A 76, 050301(R). Scarani, V., A. Ac´ın, G. Ribordy, and N. Gisin, 2004, Phys. Rev. Lett. 92, 057901. Scarani, V., H. De Riedmatten, I. Marcikic, H. Zbinden and N. Gisin, 2005, Eur. Phys. J. D 32, 129. Scarani, V., 2006, Quantum Physics – A First Encounter (Oxford University Press, Oxford). Scarani, V., N. Gisin, N. Brunner, L. Masanes, S. Pino, and A. Ac´ın, 2006, Phys. Rev. A 74, 042339. Scarani, V., and R. Renner, 2008, Phys. Rev. Lett. 100, 200501. 
Shannon, C.E., 1949, Bell Syst. Tech. J. 28, 656 Shields, A.J., 2007, Nature Photonics 1, 215 Shor, P.W., 1994, in Proceedings of the 35th Annual Sympo- sium on the Foundations of Computer Science, Santa Fe (IEEE Computer Society, Los Alamitos), p. 124. Shor, P.W., 1997, SIAM J. Sci. Statist. Comput. 26, 1484, eprint quant-ph/9508027 Shor, P.W. and J. Preskill, 2000, Phys. Rev. Lett. 85, 441. Silberhorn, C., T. C. Ralph, N. L¨utkenhaus, and G. Leuchs, 2002, Phys. Rev. Lett. 89, 167901. Simon, C., H. De Riedmatten, M. Afzelius, N. Sangouard, H. Zbinden, and N. Gisin, 2007, Phys. Rev. Lett. 98, 190503. Slutsky, B.A., R. Rao, P.-C. Sun, and Y. Fainman, 1998, Phys. Rev. A 57, 2383. Smith, G., J. M. Renes, and J. A. Smolin, 2008, Phys. Rev. Lett. 100, 170502. Staudt, M.U., S.R. Hastings-Simon, M. Nilsson, M. Afzelius, V. Scarani, R. Ricken, H. Suche, W. Sohler, W. Tittel, and N. Gisin, 2007, Phys. Rev. Lett. 98, 113601. Stinson, D.R., 1995, Cryptography, Theory and Practice (CRC Press, Boca Raton). Stucki, D., N. Brunner, N. Gisin, V. Scarani, and H. Zbinden, 2005, Appl. Phys. Lett. 87, 194108. Stucki, D., C. Barreiro, S. Fasel, J.-D. Gautier, O. Gay, N. Gisin, R. Thew, Y. Thoma, P. Trinkler, F. Vannel, and H. Zbinden, 2008, eprint arXiv:0809.5264 Sudjana, J., L. Magnin, R. Garcia-Patron, and N. J. Cerf, 2007, Phys. Rev. A 76, 052301. Takesue, H., E. Diamanti, T. Honjo, C. Langrock, M.M. Fejer, K. Inoue, and Y. Yamamoto, 2005, New J. Phys. 7, 232. Takesue, H., S.W. Nam, Q. Zhang, R.H. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, 2007, Nature Photonics 1, 343. Tamaki, K., M. Koashi, and N. Imoto, 2003, Phys. Rev. Lett. 90, 167904. Tamaki, K., and N. L¨utkenhaus, 2004, Phys. Rev. A 69, 032316. Tamaki, K., and H.-K. Lo, 2006, Phys. Rev. A 73, 010302(R). Tamaki, K., N. L¨utkenhaus, M. Koashi, and J. Batuwantu- dawe, 2006, eprint quant-ph/0607082.
  • 52. 52 Tanaka, A., M. Fujiwara, S.W. Nam, Y. Nambu, S. Taka- hashi, W. Maeda, K.Yoshino, S. Miki, B. Baek, Z. Wang, A. Tajima, M. Sasaki, and A. Tomita, 2008, eprint arXiv:0805.2193. Tanzilli, S., H. De Riedmatten, W. Tittel, H. Zbinden, P. Baldi, M. De Micheli, D. B. Ostrowsky, and N. Gisin, 2001, Electr. Lett. 37, 26. Tapster, P.R., and J.G. Rarity, 1998, J. Mod. Opt. 45, 595. Thew, R., A. Ac´ın, H. Zbinden, and N. Gisin, 2004, Quant. Inf. Comput. 4, 93. Thew, R., S. Tanzilli, L. Krainer, S. C. Zeller, A. Rochas, I. Rech, S. Cova, H. Zbinden, and N. Gisin, 2006, New J. Phys. 8, 32. Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 2000, Phys. Rev. Lett. 84, 4737. Townsend, P.D., J. G. Rarity, and P. R. Tapster, 1993, Elec- tronics Letters 29, 1291. Townsend, P.D., S.J.D. Phoenix, K.J. Blow, and S.M. Bar- nett, 1994, Electronics Letters 30, 1875. Trifonov, A., D. Subacius, A. Berzanskis, and A. Zavriyev, 2004, J. Mod. Opt. 51, 1399. Tsujino, K., H.F. Hofmann, S. Takeuchi, and K. Sasaki, 2004, Phys. Rev. Lett. 92, 153602. Tsurumaru, T., 2007, Phys. Rev. A 75, 062319. Tsurumaru, T., A. Soujaeff, and S. Takeuchi, 2008, Phys. Rev. A 77, 022319. Tsurumaru, T., and K. Tamaki, 2008, Phys. Rev. A 78, 032302. Ursin, R., F. Tiefenbacher, T. Schmitt-Manderbach, H. Weier, T. Scheidl, M. Lindenthal, B. Blauensteiner, T. Jen- newein, J. Perdigues, P. Trojek, B. Oemer, M. Fuerst, M. Meyenburg, J. Rarity, Z. Sodnik, C. Barbieri, H. Weinfurter and A. Zeilinger, 2007, Nature Physics 3, 481. Vakhitov, A., V. Makarov, and D.R. Hjelme, 2001, J. Mod. Opt. 48, 2023. Van Assche, G., J. Cardinal, and N.J. Cerf, 2004, IEEE Trans. Inf. Theory 50, 394. Van Assche, G., 2006, Quantum Cryptography and Secret-Key Distillation (Cambridge University Press, Cambridge). van Enk, S.J., and C.A. Fuchs, 2002, Quant. Inf. Comput. 2, 151. Verevkin, A., J. Zhang, R. Sobolewski, A. Lipatov, O. Okunev, G. Chulkova, A. Korneev, K. Smirnov, G. N. Goltsman, and A. Semenov, 2002, Appl. Phys. Lett. 80, 4687. 
Verevkin, A., A. Pearlmany, W. Slyszyz, J. Zhangy, M. Cur- rie, A. Korneev, G. Chulkova, O. Okunev, P. Kouminov, K. Smirnov, B. Voronov, G. N. Goltsman, and R. Sobolewskiy, 2004, J. Mod. Opt. 51, 1447. Vernam, G.S., 1926, J. AIEE 45, 109. Waks, E., K. Inoue, C. Santori, D. Fattal, J. Vuckovic, G. Solomon, and Y. Yamamoto, 2002, Nature 420, 762. Waks, E., A. Zeevi, and Y. Yamamoto, 2002, Phys. Rev. A 65, 052310. Waks, E., C. Santori, and Y. Yamamoto, 2002, Phys. Rev. A 66, 042315. Waks, E., K. Inoue, W.D. Oliver, E. Diamanti, and Y. Ya- mamoto, 2003, IEEE J. of Selected Topics in Quantum Electronics 9, 1502. Waks, E., H. Takesue, and Y. Yamamoto, 2006, Phys. Rev. A 73, 012344. Waks, E., E. Diamanti, and Y. Yamamoto, 2006, New J. Phys. 8, 4. Wang, X.-B., 2001, eprint quant-ph/0110089. Wang, X.-B., 2005, Phys. Rev. Lett. 94, 230503. Ward, M.B., O.Z. Karimov, D.C. Unitt, Z.L. Yuan, P. See, D.G. Gevaux, A.J. Shields, P. Atkinson, and D.A. Ritchie, 2005, Appl. Phys. Lett. 86, 201111. Watanabe, S., R. Matsumoto, and T. Uyematsu, 2004, eprint quant-ph/0412070. Weedbrook, C., A.M. Lance, W.P. Bowen, T. Symul, T.C. Ralph, and P.K. Lam, 2004, Phys. Rev. Lett. 93, 170504. Wehner, S., C. Schaffner, and B. Terhal, 2008, Phys. Rev. Lett. 100, 220502. Wegman, M. N., and J. L.Carter, 1981, J. Comp. Syst. Sci. 22, 265. Wiesner, S., 1983, Sigact News 15, 78. Wootters, W.K. and W.H. Zurek, 1982, Nature 299, 802. Wyner, A.D., 1975, Bell Syst. Tech. J. 54, 1355. Young, R. J., R. M. Stevenson, P. Atkinson, K. Cooper, D. A. Ritchie, and A. J. Shields, 2006, New J. Phys. 8, 29. Yuan, Z.L., and A.J. Shields, 2005, Opt. Express 13, 660. Yuan, Z.L., A.W. Sharpe, and A.J. Shields, 2007, Appl. Phys. Lett. 90, 011118. Yuan, Z.L., B.E. Kardynal, A.W. Sharpe, and A.J. Shields, 2007, Appl. Phys. Lett. 91, 011114. Yuan, Z.L., A.R. Dixon, J.F. Dynes, A.W. Sharpe, and A.J. Shields, 2008, Appl. Phys. Lett. 92, 201104. Zanardi, P., and M. Rasetti, 1997, Phys. Rev. Lett. 79, 3306. Zhao, Y., B. Qi, X. 
Ma, H.-K. Lo, and L. Qian, 2006, Phys. Rev. Lett. 96, 070502. Zhao, Y., B. Qi, and H.-K. Lo, 2007, Appl. Phys. Lett. 90, 044106. Zhao, Y., C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, 2008, Phys. Rev. A 78, 042333. Zhao, Y., B. Qi, and H.-K. Lo, 2008, Phys. Rev. A 77, 052327. Zhou, C., G. Wu, X. Chen, and H. Zeng, 2003, Appl. Phys. Lett. 83, 1692. Zinoni, C., B. Alloing, C. Monat, V. Zwiller, L.H. Li, A. Fiore, L. Lunghi, A. Gerardino, H. de Riedmatten, H. Zbinden, and N. Gisin, 2006, Appl. Phys. Lett. 88, 131102.