<< . .

. 9
( : 11)



. . >>

itive result: together, Eve and Bob cannot get more
1995): it sets a bound on the sum of the information
information than sent out by Alice! Next, combining
available to Bob and to Eve on Alice™s key.
the bound (75) with theorem 1, one deduces that a se-
Theorem 1. For a given P (±, β, «), Alice and Bob
cret key is achievable whenever I(±, β) ≥ n/2. Using
can establish a secret key (using only error correc-
I(±, β) = n (1 ’ D log2 (D) ’ (1 ’ D) log2 (1 ’ D)) one
tion and classical privacy ampli¬cation) if and only if
obtains the su¬cient condition on the error rate D (i.e.
I(±, β) ≥ I(±, «) or I(±, β) ≥ I(β, «), where I(±, β) =
the QBER):
H(±) ’ H(±|β) denotes the mutual information, with H
the Shannon entropy. 1
D log2 (D) + (1 ’ D) log2 (1 ’ D) ¤ (76)
Theorem 2. Let E and B be two observables in an N
2
dimensional Hilbert space. Denote «, β, |« and |β the
corresponding eigenvalues and eigenvectors, respectively, i.e. D ¤ 11%.
and let c = max«,β {| «|β |}. Then This bound, QBER¤11%, is precisely that obtained
in Mayers proof (after improvement by P. Shor and J.
I(±, «) + I(±, β) ¤ 2 log2 (N c), (74) Preskill (2000)). The above proof is, strickly speaking,
only valid if the key is much longer than the number of
where I(±, «) = H(±) ’ H(±|«) and I(±, β) = H(±) ’ qubits that Eve attacks coherently, so that the Shannon
H(±|β) are the entropy di¬erences corresponding to the informations we used represent averages over many in-
probability distribution of the eigenvalues ± prior to and dependent realisations of classical random variables. In
deduced from any measurement by Eve and Bob, respec- other words, assuming that Eve can attack coherently a
tively. large but ¬nite number n0 of qubits, Alice and Bob can
The ¬rst theorem states that Bob must have more in- use the above proof to secure keys much longer than n0
formation on Alice™s bits than Eve (see Fig. 31). Since bits. If one assumes that Eve has an unlimited power,
error correction and privacy ampli¬cation can be imple- able to attack coherently any number of qubits, then the
mented using only 1-way communication, theorem 1 can above proof does not apply, but Mayer™s proof can still
be understood intuitively as follows. The initial situa- be used and provides precisely the same bound.
tion is depicted in a). During the public phase of the This 11% bound for coherent attacks is clearly com-
protocol, because of the 1-way communication, Eve re- patible with the 15% bound found for individual attacks.
ceives as much information as Bob, the initial information The 15% bound is also a necessary one, since an explicit
di¬erence δ thus remains. After error correction, Bob™s eavesdropping strategy reaching this bound is presented
information equals 1, as illustrated on b). After privacy in section VI E. It is not known what happens in the
ampli¬cation Eve™s information is zero. In c) Bob has re- intermediate range 11% < QBER < 15%, but the fol-
placed all bits to be disregarded by random bits. Hence lowing is plausible. If Eve is limited to coherent attacks
the key has still the original length, but his information on a ¬nite number of qubits, then in the limit of arbi-
has decreased. Finally, removing the random bits, the trarily long keys, she has a negligibly small probability
key is shortened to the initial information di¬erence, see that the bits combined by Alice and Bob during the error

41
correction and privacy ampli¬cation protocols originate by Bob, then Eve can get full information without intro-
from qubits attacked coherently. Consequently, the 15% ducing any perturbation! This is possible only when the
bound would still be valid (partial results in favor of this QC protocol is not perfectly implemented, but this is a
conjecture can be found in Cirac and Gisin 1997, and realistic situation (Huttner et al. 1995, Yuen 1997).
in Bechmann-Pasquinucci and Gisin 1999). However, if The QND atacks have recently received a lot of at-
Eve has unlimited power, in particular, if she can coher- tention (L¨ tkenhaus 2000, Brassard et al. 2000). The
u
ently attack an unlimited number of qubits, then the 11% debate is not yet settled. We would like to argue that
bound might be required. it might be unrealistic, or even unphysical, to assume
To conclude this section, let us stress that the above that Eve can perform ideal QND attacks. Indeed, ¬rst
security proof equally applies to the 6-state protocol she needs the capacity to perform QND photon number
(paragraph II D 2). It also extends straightforwardly to measurements. Although impossible with today™s tech-
protocols using larger alphabets (Bechmann-Pasquinucci nology, this is a reasonable assumption (Nogues et al.
and Tittel 2000, Bechmann-Pasquinucci and Peres 2000, 1999). Next, she should be able to keep her photon until
Bourennane et al. 2001a, Bourennane et al. 2001b). Alice and Bob reveal the basis. In principle this could
be achieved using a lossless channel in a loop. We dis-
cuss this eventuality below. Another possibility would
be that Eve maps her photon to a quantum memory.
H. Photon number measurements, lossless channels
This does not exist today, but might well exist in the
future. Note that the quantum memory should have es-
In section III A we saw that all real photon sources
sentially unlimited time, since Alice and Bob could easily
have a ¬nite probability to emit more than 1 photon. If
wait for minutes before revealing the bases58 . Finally,
all emitted photons encode the same qubit, Eve can take
Eve must access a lossless channel, or at least a chan-
advantage of this. In principle, she can ¬rst measure
nel with losses lower than that used by Alice and Bob.
the number of photons in each pulse, without disturbing
This might be the most tricky point. Indeed, besides
the degree of freedom encoding the qubits56 . Such mea-
using a shorter channel, what can Eve do? The tele-
surements are sometimes called Quantum Non Demoli-
com ¬bers are already at the physical limits of what can
tion (QND) measurements, because they do not perturb
be achieved (Thomas et al. 2000). The loss is almost
the qubit, in particular they do not destroy the photons.
entirely due to the Rayleigh scattering which is unavoid-
This is possible because Eve knows in advance that Al-
able: solve the Schr¨dinger equation in a medium with
o
ice sends a mixture of states with well de¬ned photon
inhomogeneities and you get scattering. And when the
numbers57 , (see section II F). Next, if Eve ¬nds more
inhomogeneities are due to the molecular stucture of the
than one photon, she keeps one and sends the other(s)
medium, it is di¬cult to imagine lossless ¬bers! The 0.18
to Bob. In order to prevent that Bob detects a lower
dB/km attenuation in silica ¬bers at 1550 nm is a lower
qubit rate, Eve must use a channel with lower losses. Us-
bound which is based on physics, not on technology59 .
ing an ideally lossless quantum channel, Eve can even,
Note that using the air is not a viable solution, since the
under certain conditions, keep one photon and increase
attenuation at the telecom wavelengths is rather high.
the probability that pulses with more than one photon
Vacuum, the only way to avoid Rayleigh scattering, has
get to Bob! Thirdly, when Eve ¬nds one photon, she
also limitations, due to di¬raction, again an unavoidable
may destroy it with a certain probability, such that she
physical phenomenon. In the end, it seems that Eve has
does not a¬ect the total number of qubits received by
only two possibilities left. Either she uses teleportation
Bob. Consequently, if the probability that a non-empty
(with extremely high success probability and ¬delity) or
pulse has more than one photon (on Alice™s side) is larger
than the probability that a non-empty pulse is detected


58
The quantum part of the protocol could run continuously,
storing large ammount of raw classical data. But the classical
56
For polarization coding, this is quite clear. But for phase
part of the protocol, processing these raw data, could take
coding one may think (incorrectly) that phase and photon
place just seconds before the key is used.
number are incompatible! However, the phase used for en-
59
Photonics crystal ¬bers have the potential to overcome
coding is a relative phase between two modes. Whether these
the Rayleigh scaterring limit. Actually, there are two kinds
modes are polarization modes or correspond to di¬erent times
of such ¬bers. The ¬rst kind guides light by total internal
(determined e.g. by the relative length of interferometers),
re¬‚ection, like in ordinary ¬bers. In these most of the light
does not matter.
also propagates in silica, and thus the loss limit is similar. In
57
Recall that a mixture of coherent states |eiφ ± with a
the second kind, most of the light propagates in air, thus the
random phase φ, as produced by lasers when no phase ref-
theoretical loss limit is lower. However, today the losses are
erence in available, is equal to a mixture of photon num-
2π extremely high, in the range of hundreds of dB/km. The best
ber states |n with Poisson statistics: 0 |eiφ ± eiφ ±| dφ =

reported result that we are aware of is 11 dB/km and it was
µn ’µ
e |n n|, where µ = |±|2 .
n≥0 n! obtained with a ¬ber of the ¬rst kind (Canning et al. 2000).


42
she converts the photons to another wavelength (with- J. Multi-photon pulses and passive choice of states
out perturbing the qubit). Both of these “solutions” are
seemingly unrealistic in any foreseeable future. Multi-photon pulses do not necessarily constitute a
Consequently, when considering the type of attacks threat for the key security, but limit the key creation
discussed in this section, it is essential to distinguish the rate because they imply that more bits must be discarded
ultimate proofs from the practical ones discussed in the during key distillation. This fact is based on the assump-
¬rst part of this chapter. Indeed, the assumptions about tion that all photons in a pulse carry the same qubit, so
the defects of Alice and Bob™s apparatuses must be very that Eve does not need to copy the qubit going to Bob,
speci¬c and might thus be of limited interest. While for but merely keeps the copy that Alice inadvertently pro-
practical considerations, these assumptions must be very vides. When using weak pulses, it seems unavoidable
general and might thus be excessive. that all the photons in a pulse carry the same qubit.
However, in 2-photon implementations, each photon on
Alice™s side chooses independently a state (in the experi-
I. A realistic beamsplitter attack ments of Ribordy et al. 2001 and Tittel et al. 2000, each
photon chooses randomly both its basis and its bit value;
The attack presented in the previous section takes ad- in the experiments of Naik et al. 2000 and Jennewein et
vantage of the pulses containing more than one photon. al. 2000b, the bit value choice only is random). Hence,
However, as discussed, it uses unrealistic assumptions. when two photon pairs are simultaneously produced, by
In this section, following N. L¨ tkenhaus (2000) and M.
u accident, the two twins carry independent qubits. Con-
Dusek et al (2000), we brie¬‚y comment on a realistic at- sequently, Eve can™t take advantage of such multi-photon
tack, also exploiting the multiphoton pulses (for details, twin-pulses. This might be one of the main advantages
see Felix et al. 2001, where this and another examples of the 2-photon schemes compared to the much simpler
are presented). Assume that Eve splits all pulses in two, weak-pulse schemes. But the multi-photon problem is
analysing each half in one of the two bases, using pho- then on Bob™s side who gets a noisy signal, consisting
ton counting devices able to distinguish pulses with 0, partly in photons not in Alice™s state!
1 and 2 photons (see Fig. 32). In practice this could
be realized using many single photon counters in paral-
lel. This requires nearly perfect detectors, but at least K. Trojan Horse Attacks
one does not need to assume technology completely out
of today™s realm. Whenever Eve detects two photons All eavesdropping strategies discussed up to now con-
in the same output, she sends a photon in the corre- sisted of Eve™s attempt to get a maximum information
sponding state into Bob™s apparatus. Since Eve™s infor- out of the qubits exchanged by Alice and Bob. But Eve
mation is classical, she can overcome all the losses of the can also follow a completely di¬erent strategy: she can
quantum channel. In all other cases, Eve sends noth- herself send signals that enter Alice and Bob™s o¬ces
ing to Bob. In this way, Eve sends a fraction 3/8 of the through the quantum channel. This kind of strategies
pulses containing at least 2 photons to Bob. On these, are called Trojan horse attacks. For example, Eve can
she introduces a QBER=1/6 and gets an information send light pulses into the ¬ber entering Alice or Bob ap-
I(A, E) = 2/3 = 4 · QBER. Bob doesn™t see any re- paratuses and analyze the backre¬‚ected light. In this
duction in the number of detected photons, provided the way, it is in principle possible to detect which laser just
transmission coe¬cient of the quantum channel t satis- ¬‚ashed, or which detector just ¬red, or the settings of
¬es: phase and polarization modulators. This cannot be sim-
ply prevented by using a shutter, since Alice and Bob
3 3µ
t¤ P rob(n ≥ 2|n ≥ 1) ≈ (77) must leave the “door open” for the photons to go out
8 16
and in, respectively.
In most QC-setups the amount of backre¬‚ected light
where the last expression assumes Poissonian photon dis-
can be made very small and sensing the apparatuses with
tribution. Accordingly, for a ¬xed QBER, this attacks
light pulses through the quantum channel is di¬cult.
provides Eve with twice the information she would get
Nevertheless, this attack is especially threatening in the
using the intercept resend strategy. To counter such an
plug-&-play scheme on Alice™s side (section IV C 2), since
attack, Alice should use a mean photon number µ such
a mirror is used to send the light pulses back to Bob.
that Eve can only use this attack on a fraction of the
So in principle, Eve can send strong light pulses to Alice
pulses. For example, Alice could use pulses weak enough
and sense the applied phase shift. However, by applying
that Eve™s mean information gain is identical to the one
the phase shift only during a short time ∆tphase (a few
she would obtain with the simple intercept resend strat-
nanoseconds), Alice can oblige Eve to send the spying
egy (see paragraph II C 3). For 10, 14 and 20 dB at-
pulse at the same time as Bob. Remember that in the
tenuation, this corresponds to µ = 0.25, 0.1 and 0.025,
plug-&-play scheme pulse coming from Bob are macro-
respectively.
scopic and an attenuator at Alice reduces them to the


43
below one photon level, say 0.1 photons per pulse. Hence, To conclude this chapter, let us brie¬‚y elaborate on
if Eve wants to get, say 1 photon per pulse, she has to the di¬erences and similarities between technological and
send 10 times Bob™s pulse energy. Since Alice is detect- mathematical complexity and on their possible connec-
ing Bob™s pulses for triggering her apparatus, she must tions and implications. Mathematical complexity means
be able to detect an increase of energy of these pulses that the number of steps needed to run complex algo-
in order to reveal the presence of a spying pulse. This rithms explodes exponentially when the size of the input
is a relatively easy task, provided that Eve™s pulses look data grows linearly. Similarly, one can de¬ne technolog-
the same as Bob™s. But, Eve could of course use another ical complexity of a quantum computer by an exploding
wavelength or ultrashort pulses (or very long pulses with di¬culty to process coherently all the qubits necessary
low intensity, hence the importance of ∆tphase ), there- to run a (non-complex) algorithm on a linearly growing
fore Alice must introduce an optical bandpass ¬lter with number of input data. It might be interesting to con-
a transmission spectrum corresponding to the sensitivity sider the possibility that the relation between these two
spectrum of her detector, and choose a ∆tphase that ¬ts concepts of complexity is deeper. It could be that the
to the bandwidth of her detector. solution of a problem requires either a complex classi-
There is no doubt that Trojan horse attacks can be cal algorithm or a quantum one which itself requires a
complex quantum computer61 .
prevented by technical measures. However, the fact that
this class of attacks exist illustrates that the security of
QC can never be guaranteed only by the principles of
quantum mechanics, but necessarily relies also on tech- VII. CONCLUSION
nical measures that are subject to discussions 60 .
Quantum cryptography is a fascinating illustration of
the dialog between basic and applied physics. It is based
L. Real security: technology, cost and complexity on a beautiful combinations of concepts from quantum
physics and information theory and made possible thanks
Despite the elegant and generality of security proofs, to the tremendous progress in quantum optics and in the
the dream of a QC system whose security relies entirely technology of optical ¬bers and of free space optical com-
on quantum principles is unrealistic. The technological munication. Its security principle relies on deep theorems
implementation of the abstract principles will always be in classical information theory and on a profound under-
questionable. It is likely that they will remain the weak- standing of the Heisenberg™s uncertainty principle, as il-
est point in all systems. Moreover, one should remember lustrated by theorems 1 and 2 in section VI G (the only
the obvious equation: mathematically involved theorems in this review!). Let
us also emphasize the important contributions of QC to
Inf inite security ’ Inf inite cost (78) classical cryptography: privacy ampli¬cation and classi-
’ Zero practical interest cal bound information (paragraphs II C 4 and II C 5) are
examples of concepts in classical information whose dis-
On the other hand, however, one should not under- covery were much inspired by QC. Moreover, the fasci-
estimate the following two advantages of QC. First, it nating tension between quantum physics and relativity,
is much easier to forecast progress in technology than in as illustrated by Bell™s inequality, is not far away, as dis-
mathematics: the danger that QC breaks down overnight cussed in section VI F. Now, despite the huge progress
is negligible, contrary to public-key cryptosystems. Next, over the recent years, many open questions and techno-
the security of QC depends on the technological level of logical challenges remain.
the adversary at the time of the key exchange, contrary One technological challenge at present concerns im-
to complexity based systems whose coded message can proved detectors compatible with telecom ¬bers. Two
be registered and broken thanks to future progress. The other issues concern free space QC and quantum re-
latter point is relevant for secrets whose value last many peaters. The ¬rst is presently the only way to realize
years. QC over thousands of kilometers using near future tech-
One often points at the low bit rate as one of the cur- nology (see section IV E). The idea of quantum repeaters
rent limitations of QC. However, it is important to stress (section III E) is to encode the qubits in such a way that if
that QC must not necessarily be used in conjunction with the error rate is low, then errors can be detected and cor-
one-time pad encryption. It can also be used to provide rected entirely in the quantum domain. The hope is that
a key for a symmetrical cipher “ such as AES “ whose
security is greatly enhanced by frequent key changes.

61
Penrose (1994) pushes these speculations even further,
suggesting that spontaneous collapses stop quantum com-
60
Another technological loophole, recently pointed out by puters whenever they try to compute beyond a certain
Kurtsiefer et al., is the possible information leakage caused complexity.
by light emitted by APDs during their breakdown (2001).


44
such techniques could extend the range of quantum com- REFERENCES
munication to essentially unlimited distances. Indeed,
Hans Briegel, then at Innsbruck University (1998), and Ardehali, M., H. F. Chau and H.-K. Lo, 1998, “E¬cient
coworkers, showed that the number of additional qubits Quantum Key Distribution”, quant-ph/9803007.
needed for quantum repeaters can be made smaller than Aspect, A., J. Dalibard, and G. Roger, 1982, “Experimen-
the numbers of qubits needed to improved the ¬delity of tal Test of Bell™s Inequalities Using Time-Varying Analyzers”,
the quantum channel (Dur et al. 1999). One could thus Phys. Rev. Lett. 49, 1804-1807.
overcome the decoherence problem. However, the main Bechmann-Pasquinucci, H., and N. Gisin, 1999, “Incoher-
ent and Coherent Eavesdropping in the 6-state Protocol of
practical limitation is not decoherence but loss (most
Quantum Cryptography”, Phys. Rev. A 59, 4238-4248.
photons never get to Bob, but those which get there,
Bechmann-Pasquinucci, H., and A. Peres, 2000, “Quantum
exhibit high ¬delity).
cryptography with 3-state systems”, Phys. Rev. Lett. 85,
On the open questions side, let us emphasize three
3313-3316.
main concerns. First, complete and realistic analyses
Bechmann-Pasquinucci, H., and W. Tittel, 2000, “Quan-
of the security issues are still missing. Next, ¬gures of
tum cryptography using larger alphabets”, Phys. Rev. A 61,
merit to compare QC schemes based on di¬erent quan-
062308-1.
tum systems (with di¬erent dimensions for example) are
Bell, J.S., 1964, “On the problem of hidden variables in
still awaited. Finally, the delicate question of how to
quantummechanics”, Review of Modern Phys. 38, 447-452;
test the apparatuses did not yet receive enough atten-
reprinted in “Speakable and unspeakable in quantum mechan-
tion. Indeed, a potential customer of quantum cryptog-
ics”, Cambridge University Press, New-York 1987.
raphy buys con¬dence and secrecy, two qualities hard to Bennett, Ch.H., 1992, “Quantum cryptography using any
quantify. Interestingly, both of these issues have a con- two nonorthogonal states”, Phys. Rev. Lett. 68, 3121-3124.
nection with Bell inequality (see sections VI F and VI B). Bennett, Ch.H. and G. Brassard, 1984, “Quantum cryptog-
But, clearly, this connection can not be phrased in the old raphy: public key distribution and coin tossing”, Int. conf.
context of local hidden variables, but rather in the con- Computers, Systems & Signal Processing, Bangalore, India,
text of the security of tomorrows communications. Here, December 10-12, 175-179.
like in all the ¬eld of quantum information, old concepts Bennett, Ch.H. and G. Brassard, 1985, “Quantum public
are renewed by looking at them from a fresh perspective: key distribution system”, IBM Technical Disclosure Bulletin,
let™s exploit the quantum weirdness! 28, 3153-3163.
QC could well be the ¬rst application of quantum me- Bennett, Ch.H., G. Brassard and J.-M. Robert, 1988, “Pri-
chanics at the single quanta level. Experiments have vacy ampli¬cation by public discussion” SIAM J. Comp. 17,
demonstrated that keys can be exchanged over distances 210-229.
Bennett, Ch.H., F. Bessette, G. Brassard, L. Salvail, and
of a few tens of kilometers at rates at least of the order
J. Smolin, 1992a, “Experimental Quantum Cryptography”, J.
of a thousand bits per second. There is no doubt that
Cryptology 5, 3-28.
the technology can be mastered and the question is not
Bennett, Ch.H., G. Brassard and Mermin N.D., 1992b,
whether QC will ¬nd commercial applications, but when.
“Quantum cryptography without Bell™s theorem”, Phys. Rev.
Indeed, presently QC is still very limited in distance and
Lett. 68, 557-559.
in secret-bit rate. Moreover, public key systems occupy
Bennett, Ch.H., G. Brassard and A. Ekert, 1992c, “Quan-
the market and, being pure software, are tremendously
tum cryptography”, Scienti¬c Am. 267, 26-33 (int. ed.).
easier to manage. Every so often, the news is that some
Bennett, Ch.H., G. Brassard, C. Cr´peau, R. Jozsa, A.
e
classical ciphersystem has been broken. This would be
Peres and W.K. Wootters, 1993, “Teleporting an unknown
impossible with properly implemented QC. But this ap-
quantum state via dual classical and Einstein-Podolsky-Rosen
parent strength of QC might turn out to be its weak channels”, Phys. Rev. Lett. 70, 1895-1899.
point: the security agencies would equally be unable to Bennett, Ch.H., G. Brassard, C. Cr´peau, and U.M. Mau-
e
break quantum cryptograms! rer, 1995, “Generalized privacy ampli¬cation”, IEEE Trans.
Information th., 41, 1915-1923.
Berry, M.V., 1984, “Quantal phase factors accompanying
ACKNOWLEDGMENTS adiabatic changes”, Proc. Roy. Soc. Lond. A 392, 45-57.
Bethune, D., and W. Risk, 2000, “An Autocompensating
Fiber-Optic Quantum Cryptography System Based on Polar-
Work supported by the Swiss FNRS and the European
ization Splitting of Light”, IEEE J. Quantum Electron., 36,
projects EQCSPOT and QUCOMM ¬nanced by the Swiss
340-347.
OFES. The authors would also like to thank Richard Hughes
Biham, E. and T. Mor, 1997a, “Security of quantum cryp-
for providing Fig. 8, and acknowledge both referees, Charles
tograophy against collective attacks”, Phys. Rev. Lett. 78,
H. Bennett and Paul G. Kwiat, for their very careful reading
2256-1159.
of the manuscript and their helpful remarks.
Biham, E. and T. Mor, 1997b, “Bounds on Information and
the Security of Quantum Cryptography”, Phys. Rev. Lett.
79, 4034-4037.



45
Biham, E., M. Boyer, P.O. Boykin, T. Mor and V. Roy- Brown, R.G.W., R. Jones, J. G. Rarity, and Kevin D. Rid-
chowdhury, 1999, “A proof of the security of quantum key ley, 1987, “Characterization of silicon avalanche photodiodes
distribution”, quant-ph/9912053. for photon correlation measurements. 2: Active quenching”,
Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Applied Optics 26, 2383-2389.
Jonsson, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, Brunel, Ch., B. Lounis, Ph. Tamarat, and M. Orrit, 1999,
“Experiments on long wavelength (1550nm) ™plug and play™ “Triggered Source of Single Photons based on Controlled Sin-
quantum cryptography systems™, Opt. Express 4,383-387 gle Molecule Fluorescence”, Phys. Rev. Lett. 83, 2722-2725.
Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Bruss, D., 1998, “Optimal eavesdropping in quantum cryp-
Hening, and J.P. Ciscar, 2000, “Experimental long wavelength tography with six states”, Phys. Rev. Lett. 81, 3018-3021.
quantum cryptography: from single photon transmission to Bruss, D., A. Ekert and C. Macchiavello, 1998, “Optimal
key extraction protocols”, J. Mod. Optics 47, 563-579. universal quantum cloning and state estimation”, Phys. Rev.
Bourennane, M., A. Karlsson and G. Bj¨rn, 2001a, “Quan-
o Lett. 81, 2598-2601.
tum Key Distribution using multilevel encoding”, Phys. Rev Buttler, W.T., R.J. Hughes, P.G. Kwiat, S. K. Lamoreaux,
A 64, 012306. G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson,
Bourennane, M., A. Karlsson, G. Bj¨rn, N. Gisin and N.
o and C. Simmons, 1998, “Practical free-space quantum key
Cerf, 2001b, “Quantum Key distribution using multilevel en- distribution over 1 km”, Phys. Rev. Lett. 81, 3283-3286.
coding : security analysis”, quant-ph/0106049. Buttler, W.T., R.J. Hughes, S.K. Lamoreaux, G.L. Mor-
Braginsky, V.B. and F.Ya. Khalili, 1992, “Quantum Mea- gan, J.E. Nordholt, and C.G. Peterson, 2000, “Daylight
surements”, Cambridge University Press. Quantum key distribution over 1.6 km”, Phys. Rev. Lett,
Brassard, G., 1988, “Modern cryptology”, Springer-Verlag, 84, pp. 5652-5655.
Lecture Notes in Computer Science, vol. 325. Buˇek, V. and M. Hillery, 1996, “Quantum copying: Be-
z
Brassard, G. and L. Salvail, 1993, “Secrete-key reconcilia- yond the no-cloning theorem”, Phys. Rev. A 54, 1844-1852.
tion by public discussion” In Advances in Cryptology, Euro- Cancellieri, G., 1993, “Single-mode optical ¬ber measure-
crypt ™93 Proceedings. ment: characterization and sensing”, Artech House, Boston
Brassard, G., C. Cr´peau, D. Mayers and L. Salvail, 1998,

<< . .

. 9
( : 11)



. . >>