Download Quantum cryptography

Appl. Phys. B 67, 743–748 (1998)
Applied Physics B
Lasers
and Optics
 Springer-Verlag 1998
Quantum cryptography
H. Zbinden, H. Bechmann-Pasquinucci, N. Gisin, G. Ribordy
Group of Applied Physics, University of Geneva, CH-1211 Geneva 4, Switzerland
Received: 29 May 1998
Abstract. After a short introduction to classic cryptography
we explain thoroughly how quantum cryptography works.
We present then an elegant experimental realization based
on a self-balanced interferometer with Faraday mirrors. This
phase-coding setup needs no alignment of the interferometer
nor polarization control, and therefore considerably facilitates
the experiment. Moreover it features excellent fringe visibility. Next, we estimate the practical limits of quantum cryptography. The importance of the detector noise is illustrated and
means of reducing it are presented. With present-day technologies maximum distances of about 70 km with bit rates of
100 Hz are achievable.
PACS: 03.67.Dd; 85.60; 42.25; 33.55.A
Cryptography is the art of hiding information in a string of
bits meaningless to any unauthorized party. To achieve this
goal, one uses encryption: a message is combined according
to an algorithm with some additional secret information – the
key – to produce a cryptogram. In the traditional terminology,
Alice is the party encrypting and transmitting the message,
Bob the one receiving it, and Eve the malevolent eavesdropper. For a crypto-system to be considered secure, it should
be impossible to unlock the cryptogram without Bob’s key.
In practice, this demand is often softened, and one requires
only that the system is sufficiently difficult to crack. The idea
is that the message should remain protected as long as the
information it contains is valuable.
There are two main classes of crypto-systems, the publickey and the secret-key crypto-systems:
Public key systems are based on so-called one-way functions: given a certain x, it is easy to compute f(x), but difficult
to do the inverse, i.e. compute x from f(x). “Difficult” means
that the task shall take a time that grows exponentially with
the number of bits of the input. The RSA (Rivest, Shamir,
Adleman) crypto-system for example is based on the factorizing of large integers. Anyone can compute 137 × 53 in a few
seconds, but it may take a while to find the prime factors
of 28 907. To transmit a message Bob chooses a private key
(based on two large prime numbers) and computes from it
a public key (based on the product of these numbers) which
he discloses publicly. Now Alice can encrypt her message
using this public key and transmit it to Bob, who decrypts it
with the private key. Public key systems are very convenient
and became very popular over the last 20 years, however,
they suffer from two potential major flaws. To date, nobody
knows for sure whether or not factorizing is indeed difficult.
For known algorithms, the time for calculation increases exponentially with the number of input bits, and one can easily
improve the safety of RSA by choosing a longer key. However, a fast algorithm for factorization would immediately
annihilate the security of the RSA system. Although it has not
been published yet, there is no guarantee that such an algorithm does not exist. Second, problems that are difficult for
a classical computer could become easy for a quantum computer. With the recent developments in the theory of quantum
computation, there are reasons to fear that building these machines will eventually become possible. If one of these two
possibilities came true, RSA would become obsolete. One
would then have no choice, but to turn to secret-key cryptosystems.
Very convenient and broadly used are crypto-systems
based on a public algorithm and a relatively short secret key.
The DES (Data Encryption Standard, 1977) for example uses
a 56-bit key and the same algorithm for coding and decoding. The secrecy of the cryptogram, however, depends again
on the calculating power and the time of the eavesdropper.
The only crypto-system providing proven, perfect secrecy is
the “one-time pad” proposed by Vernam in 1935. With this
scheme, a message is encrypted using a random key of equal
length, by simply “adding” each bit of the message to the
corresponding bit of the key. The scrambled text can then be
sent to Bob, who decrypts the message by “subtracting” the
same key. The bits of the ciphertext are as random as those of
the key and consequently do not contain any information. Although perfectly secure, the problem with this system is that
it is essential for Alice and Bob to share a common secret key,
at least as long as the message they want to exchange, and use
it only for a single encryption. This key must be transmitted
by some trusted means or personal meeting, which turns out
to be complex and expensive.
744
At this point quantum cryptography (QC) developed by
Bennett and Brassard in 1984 [1] enters the scene. QC, better named quantum key distribution, allows two physically
separated parties to create a random secret key without resorting to the services of a courier, and to verify that the
key has not been intercepted. This is due to the fact that
any measurement of incompatible quantities on a quantum
system will inevitably modify the state of this system. This
means that an eavesdropper, Eve, might get information out
of a quantum channel by performing measurements, but the
legitimate users will detect her and hence not use the key. For
convenience the quantum system is in practice a single photon propagating through an optical fiber, and the key can be
encoded either by its polarization or by its phase. The first experimental demonstration of quantum cryptography was performed in 1989 over 30 cm in air with polarized photons [2].
Since then, several groups have presented realizations of both
the polarization [3, 4] and the phase coding scheme in optical
fibers over distances of up to 30 km [5, 6].
In this article, we would like to explain QC by the example of a standard polarization-based setup. Then we will
present a special interferometric setup that does not need
alignment nor feedback. We will discuss the performances
and technical limits of current QC systems and, as a conclusion, estimate transmission distances and bit rates of QC
systems now and in the near future.
channel is usually an optical fiber. The public channel can
be any communication link, such as a phone line or an Internet connection (which is often an optical fiber, too, but
this time with macroscopic pulses). The procedure consists of
four steps.
First, Alice sends single photons in one of the four following polarization states: vertical, horizontal, +45◦ , and −45◦ .
She chooses randomly one of the polarization states for each
bit and records her choice. Bob has two analyzers available
and selects one randomly before recording each photon. One
of the analyzers allows him to distinguish between horizontally and vertically polarized photons, whereas the second one
distinguishes between +45◦ and −45◦ photons. Every time
Bob uses the analyzer that does not correspond to the polarization states sent by Alice, each outcome can happen with
a 50% probability. Bob records the analyzers used and the
outcomes.
Second, after exchanging a sufficient number of photons,
Bob announces on the public channel the sequence of analyzers he used, but not the results he obtained. Alice compares
this sequence with the list of bits she sent, and tells Bob for
which photons compatible polarization states and analyzers
were used, but not which polarization states she sent. In the
cases where incompatible states and analyzers were used, the
bits are simply discarded. For the remaining bits, Alice and
Bob know that they have the same values, at least if nothing –
no eavesdropper – perturbed the transmission. If, for example,
Alice send a vertically polarized photon and Bob measures
it with the vertical-horizontal analyzer, he should always get
a ‘vertical’ result.
Third, Alice and Bob select a random subset of their key
and compare it over the public channel to assess the secrecy
of their communication. The consequence of the interception
of their key by an eavesdropper would be a reduction of the
correlation between the values of their bits. Let us suppose,
1 How quantum cryptography works
To understand how quantum cryptography works, consider
the BB84 communication protocol [1] by Bennett and Brassard (Fig. 1). Alice and Bob must be connected by a quantum
channel and a classical public channel. Normally single photons are being used to carry the information and the quantum
receiver
BOB
diagonal
detector basis
sender
ALICE
diagonal
0
polarization filters
1
horizontal–vert
detector basis
0
horizontal–vertical
polarization filters
1
0
0
1
—
1
1
1
0
—
0
—
1
1
0
0
1
0
0
0
+
0
0
0
0
1
1
0
+
+
1
+
+
1
+
1
+
1
+
1
+
BOB's measurements
retained bit sequence
0
0
+
+
ALICE's bit sequence
BOB's detection basis
+
light
source
+
+
0
—
1
0
—
0
1
1
0
Fig. 1. The principle of QC according to the BB84 protocol. Alice sends down an optical fiber photons polarized randomly either horizontally, vertically, at
+45◦ , or at −45◦ (row 1), Bob randomly chooses one of his analyzer basis (row 2) and records his result (row 3). Then they compare the used basis and
retain all results with compatible basis (row 4)
745
Eve cuts the fiber, performs a measurement on each photon
with an equipment similar to Bob’s, and sends a photon to
Bob, prepared according to her result. In 50% of cases she
will choose the wrong analyzer and send a photon polarized
in the wrong basis that will result with 50% chance in a wrong
count at Bob’s. Hence 25% of Alice’s and Bob’s bit values
will disagree, such that the eavesdropper can easily be detected.
Fourth, also when no eavesdropper is disturbing the bit exchange, there will be in practice some errors in the transmission and Alice and Bob’s string will not coincide perfectly.
The remaining errors are removed by standard error correction methods, which in turn reduces the length of the key.
The determined error rate (normally in the order of 1%) must
be completely attributed to Eve. The corresponding information that Eve might gain can be reduced to an arbitrarily low
value, by a procedure called privacy amplification, again at
the expense of the length of the usable key. Therefore it is
very important to keep the experimental error rate as low as
possible.
The remaining key can now be used with total confidence
to encrypt a message, in spite of more elaborated eavesdropping strategies than the simple intercept and resend technique
described above. Other eavesdropping strategies are thoroughly discussed elsewhere [2, 7, 8].
2 Experimental realization
2.1 Polarization coding setup
Let us have a look at the experimental polarization coding
setup based on the four-states protocol BB84. In all presented
setups faint laser pulses are used instead of real single photon
states. The number of photons in a laser pulsed being Poisson distributed, the average number of photon per pulse µ
must be well below 1 (µ = 0.1, say), to limit the probability of obtaining more than 1 photon per pulse. Alice’s light
source is hence a pulsed strongly attenuated semiconductor
laser. An electro-optic polarization controller creates four different polarization states. Or, as proposed by the setup shown
in Fig. 2, four lasers with polarizers oriented at 0◦ , 90◦ , 45◦ ,
and 135◦ are used, followed by three passive couplers. The
lasers fire at random at a given pulse rate ν. Bob randomly selects the polarization analyzer basis. This is most easily done
by introducing a passive optical coupler that directs the photon to one of the two polarizing beam splitters (PBS) oriented
at 45◦ . The photons are then detected with a photon counter
and acquisition electronics collects the data.
The axis of the polarizers at Alice and Bob must be
aligned and kept aligned. This is the main specific difficulty
of a fiber-optic implementation of the polarization scheme.
For this reason a polarization controller with an automated
feedback must be introduced, to compensate polarization
fluctuations due to mechanical or thermal changes in the
fiber link. Realignment may be necessary every few seconds or after an hour depending on the stability of the
link [3]. Conventional phase coding setups also need polarization control and moreover an automated balancing of the
interferometers [5].
2.2 “Plug and play” interferometric setup
In this paragraph we would like to present an auto-balanced
QC setup based on an interferometer with Faraday mirrors
that does not need any alignment [9]. Let us have a closer
look at the QC scheme depicted in Fig. 3 disregarding the
Faraday rotators (FR) for the moment. Their crucial effect
will be explained later. In principle Bob has a very unbalanced Michelson interferometer (beamsplitter C2) with one
long arm going all the way to Alice. The laser pulse impinging on C2 is split in two pulses P1 and P2. P2 propagates
through the short arm first (mirror M2 then M1) and then travels to Alice and back, whereas P1 propagates first to Alice
and next passes through the short arm. As both pulses run
exactly the same path length, they interfere maximally at
C2 (disregarding polarization for the time being). To encode
their bits, Alice acts with her phase modulator (PM) only
on P2 (phase shift φa), whereas Bob lets pulse P2 pass unaltered and modulates the phase of P1 (phase shift φb). If
no phase shifts are applied or if φa − φb = 0, then the interference will be constructive. On the contrary, when φa −
φb = π the interference will be destructive and no light will
be detected by detector D0. With this setup 2-states protocol B92 [10] has to be applied. We are working actually on
a slightly modified setup that allows us to introduce a second detector and to implement the BB84 4-states protocol.
The key exchange in the B92 protocol proceeds as follows.
Alice and Bob choose at random 0 or π phase shifts, defined as bit values 0 and 1. If a detection, i.e. constructive
interference occurred, Alice and Bob know that they applied
the same phase shift, and they register the same bit value.
In our interferometric setup the pulses leaving Bob carry no
Bob
T
&
Alice
Bob
Det
PM
A
M1
C3
FR
PM
FG
Alice
Laser
FR
M2
&
C2
C1
D0
SRS
Det
Laser
Laser
FR
DA
M3
PBS
Laser
Laser
FG
Det
Pol. Control
PBS
Det
Fig. 2. Scheme of a polarization coding QC setup. PBS = polarization beam
splitter
Fig. 3. Experimental setup of an interferometric QC system with Faraday
mirrors. C1, C2, and C3: fiber optic couplers, M1, M2, and M3: Faraday
mirrors (ordinary mirrors in combination with Faraday rotators, FR), PM:
phase modulator, A: Attenuator, D0 : photon counter, DA : photodiode, T:
optional trigger output, SRS: delay generator, FG: function generator, &:
and-gate
746
phase information. The information is in the phase difference
of the two pulses P1 and P2 leaving Alice. The attenuator
(A) is set such that the weaker pulse P2 that already passed
through Bob’s delay line has 0.05 photons on average when
leaving Alice.
Since the interfering pulses travel the same path, the interferometer is automatically aligned. The visibility of the
fringes is also independent of the splitting ratio of C2. However, the visibility depends also strongly on the polarization states of the interfering pulses. The pulses undergo in
each arm of the interferometer an arbitrary polarization transformation depending on the environmental conditions. These
transformations do not commute, hence the two outcoming
polarizations are in general not parallel. Consequently, we
replace all three mirrors of the interferometer by Faraday
mirrors (FM). A FM is composed of a 45◦ Faraday rotator and a mirror. A light pulse injected in any arbitrary polarization into a fiber terminated by a FM will come back
exactly orthogonally polarized, regardless of the polarization transformations in the fiber. Therefore both pulses undergo three identical polarization transformations and impinge on the beamsplitter with identical polarizations. To
quantify the performance of the interferometer, the ratio
of the count rates for constructive and destructive interference is measured. This ratio is as large as 30 dB! Replacing one Faraday mirror by an ordinary mirror, the extinction is strongly fluctuating and can be reduced to 20 dB. If
two Faraday mirrors are removed, essentially no interference
is visible.
We successfully performed a first test with a Faraday
setup using a 23-km-long telecom link [10]. The setup featured an impressive stability and a fringe visibility of 99.8%.
We produced a secret key of 20 kbit length with a quantum bit
error rate (see below) of 1.35% for 0.1 photon per pulse. The
bit rate, however, was only about 1 Hz due to the low pulse
rate. At the moment we are building up a setup with a pulse
frequency of 2.5 MHz that will result in a raw bit rate of about
1 kHz over 20 km.
The great advantage of this setup is of course that no continuous alignment is needed. It is also noteworthy that the
timing of Alice’s apparatus can be pre-adjusted in the lab, and
will not change, even if the apparatus is plugged to another
fiber to communicate with another party. This is the reason
why we informally refer to our system as a “plug and play”
system. The timing of Bob’s apparatus, especially of his photon counter has to be adjusted once for every link. Going
to higher pulse rates, however, this system suffers from an
increased noise level due to Raleigh backscattering and parasitic reflections. We are currently working on a modification
of the setup that considerably reduces this effect.
3 Practical limits of QC
In the preceding chapters we learned about the principles of
QC and a rather elegant and promising experimental implementation. In this chapter we want to establish the practical
limits of the QC. The transmission length, the data rate, and
the quantum bit error rate are the three values of interest. We
will discuss how these values depend on the used wavelength
and performance of the corresponding detector.
3.1 Data rate and QBER
Let us consider a QC setup with a laser pulse rate ν. µ is the
average number of photons at the output of Alice, ηd and ηt
are the detector and transfer efficiency, respectively. Hence
the raw data rate R, i.e. the number of exchanged bits per
second before any error correction, is given by:
R = qµνηt ηd .
(1)
q is a systematic factor depending on the chosen implementation. It cannot be bigger than 1/2 due to the fact that half
of the time the randomly chosen bases of Alice and Bob are
not compatible. The raw bit rate R will be further reduced
when error correction and privacy amplification are applied,
depending on the error rate and the used algorithm. The total
transfer ηt efficiency between the output of Alice to the detector can be expressed as:
ηt = 10
−(L f l+L B )
10
,
(2)
where L f is the losses in the fiber in dB/km, l is the length
of the link in km and L B are internal losses at Bob in dB.
The losses in optical fibers are typically around 2 dB/km at
800 nm, 0.35 dB/km in the 1300 nm telecom window, and
0.2 dB/km in the 1550 nm telecom window.
The error is generally expressed as the ratio of wrong bits
to the total amount of detected bits. We call this quantity
quantum bit error rate (QBER). It is equivalent to the ratio of
the probability of getting a false detection to the total probability of detection per pulse:
popt pphot + pdark ∼
pdark
= popt +
pphot + 2 pdark
pphot
≡ QBERopt + QBERdet .
QBER =
(3)
with pdark = n dark ∆τ, and pphot = µηt ηd we obtain:
QBERdet =
n dark ∆t
.
µηt ηd
(4)
pdark , pphot , and popt are the probabilities to get a darkcount,
to detect a photon, and the probability that a photon went to
an erroneous detector, respectively. n dark is the dark count rate
of the detector and ∆τ is the detection time window. This
formula applies for a setup with two detectors. Since a darkcount will with a 50% chance not lead to an error, but just to
an additional count, there is a factor two in the denominator,
but not in the numerator. Note that the QBER is independent
of the factor q of (1), since we do not consider errors when
incompatible bases are used.
The QBER consists of two parts. The first part is what we
call QBERopt , that is the fraction of photons popt whose polarization or phase is erroneously determined, i.e. the fraction
of photons who end up in the wrong detector. This is mainly
due to depolarization and to poor polarization alignments or
due to the limited visibility of the interferometers. popt can be
determined by measuring the polarization ratio, the extinction
ratio or the classical fringe visibility V . In our interferometric
setup presented in the preceding section we measured a popt
of 0.15%. Generally popt below 1% can be easily achieved
with any setup.
747
InGaAs/InP passive
1E-1
Ge passive
1E-2
Ge active
1E-3
pdark
The second part, QBERdet , is due to the dark count rate
of the photon counters and increases with decreasing transfer efficiency ηt . Hence QBERdet is the determining factor for
longer transmission distances. The detector dark count rate finally limits in combination with the losses in the fibers the
transmission distance. Since fiber losses have already attained
the physical limits, the detectors deserve a thorough discussion.
1E+0
1E-4
InGaAs/InP active
1E-5
3.2 Near-IR photon counting
1E-6
To take advantage of the low losses in optical fibers, we
need photon counters in the near IR that are unfortunately
not commercially available. However, photon counting can
be achieved with liquid nitrogen (LN2 )-cooled Ge avalanche
photodiodes working in the passively quenched Geiger
mode [12]. In this mode the diodes are driven above breakdown, i.e. the bias voltage is so high that one electron–hole
pair created by an absorbed photon will be able to produce an
avalanche of thousands of carriers. The avalanche only stops
when the created current through the resistance in series with
the diode lowers the applied voltage below the breakdown
value. The noise in such detectors is due to carriers generated in the detector volume by causes other than an impinging
photon (darkcounts). They can be created thermally or by
band-to-band tunneling processes, or can be emitted from
trapping levels that were populated in previous avalanches
(after pulsing). The quantum efficiency ηd and the darkcount
rate n dark both increase with increasing bias voltage Ubias .
However, the ratio n dark to ηd is not constant, so QBERdet will
depend on Ubias , i.e. a tradeoff between high efficiency and
low noise has to be found.
The photon counting performance of APDs can be improved with a so-called active biasing or gating. The bias
voltage of diode is the sum of a dc part well below breakdown
and a short (say, 2 ns) almost rectangular pulse of a few V
amplitude that pushes the diode over breakdown at the time
when the photon is expected. Since the diode is below threshold, no spontaneous avalanches can occur before the detection
interval and consequently no afterpulses will fall into the detection time interval. This allows us to increase considerably
the voltage (therefore the efficiency) without excessively increasing the noise. Moreover the time jitter is reduced to
a value below 100 ps.
Moreover InGaAs APDs, not suitable for single-photon
counting with passive quenching, show a promising behavior
with active biasing [13]. Figure 4 shows the noise as a function of the quantum efficiency at 1300 nm for actively and
Table 1. Photon counting performance of APDs.
The Ge and the InGaAs diodes were actively biased with 2.6-ns pulses. The resulting bit rates
are given in Fig. 5 (except for values designed
with ∗ )
Si (800 nm)
EG&G SPCM200-PQ
Ge (1300 nm)
NEC NDL5131
InGaAs 1300 nm
Fujitsu FPD5W1KS
InGaAs 1300 nm
InGaAs 1550 nm
1E-7
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
efficiency ηd
Fig. 4. The probability of getting a darkcount per pulse pdark vs. the
quantum efficiency ηd for Ge (NEC NDL5131) and InGaAs (Fujitsu
FPD5W1KS) APDs. Comparison of active gating and normal passive
quenching mode (from [13])
passively biased Ge and InGaAs diodes at 77 K. One can easily see that active biasing considerably decreases the noise
with respect to passive quenching. For higher efficiencies
actively biased InGaAs diodes show smaller noise than Ge
diodes.
The quantum efficiency at 1550 nm being very low at
77 K increases with higher temperature, but so does the noise.
InGaAs diodes in contrast to Ge, however, feature at −100 ◦ C
(173 K) a temperature at the limit of Peltier cooling, certainly
increased but still quite reasonable noise levels. So there is legitimate hope that such diodes will be practical without LN2
cooling and open the second telecom window at 1550 nm.
In Table 1 the actual performances of photon counters are
summarized.
3.3 Actual limits of fiber-based QC
With the help of (1), (2), and (4) we can easily calculate the
raw data rate R and QBER in function of the transmission
distance for a given ηd and pdark of the detector at a given
wavelength. As long as the QBER remains below the theoretical limit for the creation of absolutely secure key of 15%,
we can actually forget about the QBER and the only figure of
merit is the final bit rate B after error correction and privacy
amplification. Hence, we need to estimate to what extent R is
reduced by error correction and privacy amplification procedure in function of the error rate.
On the one hand, by using an estimate of Tancevski et
al. [14] the fraction of bits lost due to error correction as
Temperature
ηd
pdark
Time jitter
(FWHM)
Room temperature
(Peltier cooled)
77 K
50%
10−8
(n dark = 10 s−1 )
7 × 10−6 ∗
21 × 10−6 ∗
3.3 × 10−6
10 × 10−6 ∗
20 × 10−6
10 × 10−6
< 400 ps
77 K
173 K
173 K
10%∗
20%∗
20%
30%∗
10%
2%
< 100 ps
< 200 ps
< 300 ps
< 300 ps
748
a function of the QBER(q) can be given as follows (for long
strings, > 100 bit):
7
rec = q − q log2 q .
2
(5)
This estimation works well for small q. Note that rec is almost
1 for q = 15% and roughly 0.4 for q = 5%. The fraction of
bits lost by privacy amplification [2, 15] on the other hand is:
1 + 4q − 4q 2
.
(6)
rpa = 1 + log2
2
We assume that the whole error q is due to the interaction
of Eve
√ and that she can gain a maximum information of
q(4/ 2) [2] or about q(2/ ln 2), which is a good approximation for q < 15% [7]. rpa is 0.75 for q = 5%. The final bit rate
is then:
B = (1 − rec )(1 − rpa )R .
(7)
Figure 5 shows B as a function of distance for the detector
performances in Table 1. Note that the wavelength of 800 nm
is a good choice only for short distances up to a few km, since
the data rate decreases drastically due to the high absorption.
For the other wavelengths, B first decreases exponentially
(linearly in the semi-logarithmic graph of Fig. 5) due to the
absorption in the fiber. But with decreasing bit rate the QBER
is increasing and when it is approaching 15%, error correction
becomes horribly inefficient leading to a sharp drop of B. So
the maximum transmission distance is quite sharply defined
for a given detector. If we consider 100 Hz as a lower limit for
a reasonable key distribution, we get maximum distances between 45 km and 70 km. It is important to mention that these
curves are based on first photon counting performances of off
the shelf InGaAs APDs. There is undoubtedly still a large potential of improvement for such kind of detectors. Assuming
100'000
B (bits/sec)
10'000
1'000
1550nm/future
100
1300nm/77K
800nm
10
1550nm/173K
1300nm/77K
1300nm/single
1
0
20
40
60
80
100
120
distance (km)
Fig. 5. Calculated bit rate as function of distance after error correction
and privacy amplification for different detector configurations as given in
Table 1. The pulse rate ν is 10 MHz, number of photons per pulse µ = 0.1.
QBERopt and losses at Bob’s are neglected. The curve “1550 nm/future”
corresponds to a hypothetical detector with fivefold efficiency. Using single photons (µ = 1, 1 MHz single-photon generation rate) at 1300 nm would
result in bit rates according to the curve “1300 nm/single”
that one could obtain fivefold efficiency without increasing
the noise, a maximum distance of 92 km could be attained.
Using single photon states (µ = 1) all values of QBERdet can
be reduced by a factor of 10. This means that the drop due
to the error correction occurs some 50 km and 28 km later
at 1550 and 1300 nm, respectively. On the other hand, apart
from additional experimental difficulties, attainable pulse frequencies will be in the order of 1 MHz. In conclusion, in
the near future fiber-based QC systems will remain limited
to 100 km distance. Several free-space QC experiments have
been performed successfully. Satellite–Earth QC may one day
be feasible. So if a satellite is accepted as an intermediate station sharing the key with Alice and Bob, one day QC could be
performed all around the world.
4 Conclusions
QC has been experimentally proven feasible. The most important technological challenge remains the development of
better photon counters, whose noise actually limits the transmission distance below 100 km. Whether QC will find a market or not, is a technical and psychological question. More
powerful algorithms and computers could diminish rapidly
the confidence of cryptography users in unproved methods
based on complexity and increasing their interest in QC.
Acknowledgements. We would like to thank the Swisscom and the Swiss
National Science Foundation for financial support and Swisscom for placing
at our disposal the Nyon–Geneva optical fiber link. We appreciate stimulating discussions with our colleagues within the TMR network on the Physics
of Quantum Information. Helle Bechmann-Pasquinucci is sponsored by the
Danish National Science Research Council (grant no. 9601645). We thank
Physics World for Fig. 1.
References
1. C.H. Bennett, G. Brassard: Quantum Cryptography, Public key distribution and coin tossing, Proc. Int. Conf. Computer Systems and Signal
Processing, 175, Bangalore 1984
2. C.H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin: J. Cryptol.
5, 3 (1992)
3. A. Muller, H. Zbinden, N. Gisin: Europhys. Lett. 33(5), 335 (1996)
4. J.D. Franson, B.C. Jacobs: Electron. Lett. 31(3), 232 (1995)
5. Ch. Marand, P.D. Townsend: Opt. Lett. 20(16), 1695 (1995)
6. R.J. Hughes, G.G. Luther, G.L. Morgan, C.G. Peterson, C. Simmons:
Lecture Notes in Comput. Sci. 1109, 329 (1996)
7. C.A. Fuchs, N. Gisin, R.B. Griffiths, C.-S. Niu, A. Peres: Phys. Rev. A
56, 1063 (1997)
8. B. Huttner, N. Imoto, N. Gisin, T. Mor: Phys. Rev. A 51(3), 1863
(1995)
9. A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, N. Gisin:
Appl. Phys. Lett. 70(7), 793 (1997)
10. C.H. Bennett: Phys. Rev. Lett. 68, 3121 (1992)
11. H. Zbinden, J.D. Gautier, N. Gisin, B. Huttner, A. Muller, W. Tittel:
Electron. Lett. 33(7), 586 (1997)
12. P.C.M. Owens, J.G. Rarity, P.R. Tapster, D. Knight, P.D. Townsend:
Appl. Opt. 33(30), 6895 (1994)
13. G. Ribordy, J.D. Gautier, H. Zbinden, N. Gisin: Appl. Opt. 37, 2272
(1998)
14. L.Tancevski. B. Slutsky, R. Rao, S. Fainman: Proc. SPIE 3228, 322
(1997)
15. H. Bechmann-Pasquinucci: Internal report, University of Geneva 1998