1995): it sets a bound on the sum of the information

information than sent out by Alice! Next, combining

available to Bob and to Eve on Alice™s key.

the bound (75) with theorem 1, one deduces that a se-

Theorem 1. For a given P (±, β, «), Alice and Bob

cret key is achievable whenever I(±, β) ≥ n/2. Using

can establish a secret key (using only error correc-

I(±, β) = n (1 ’ D log2 (D) ’ (1 ’ D) log2 (1 ’ D)) one

tion and classical privacy ampli¬cation) if and only if

obtains the su¬cient condition on the error rate D (i.e.

I(±, β) ≥ I(±, «) or I(±, β) ≥ I(β, «), where I(±, β) =

the QBER):

H(±) ’ H(±|β) denotes the mutual information, with H

the Shannon entropy. 1

D log2 (D) + (1 ’ D) log2 (1 ’ D) ¤ (76)

Theorem 2. Let E and B be two observables in an N

2

dimensional Hilbert space. Denote «, β, |« and |β the

corresponding eigenvalues and eigenvectors, respectively, i.e. D ¤ 11%.

and let c = max«,β {| «|β |}. Then This bound, QBER¤11%, is precisely that obtained

in Mayers proof (after improvement by P. Shor and J.

I(±, «) + I(±, β) ¤ 2 log2 (N c), (74) Preskill (2000)). The above proof is, strickly speaking,

only valid if the key is much longer than the number of

where I(±, «) = H(±) ’ H(±|«) and I(±, β) = H(±) ’ qubits that Eve attacks coherently, so that the Shannon

H(±|β) are the entropy di¬erences corresponding to the informations we used represent averages over many in-

probability distribution of the eigenvalues ± prior to and dependent realisations of classical random variables. In

deduced from any measurement by Eve and Bob, respec- other words, assuming that Eve can attack coherently a

tively. large but ¬nite number n0 of qubits, Alice and Bob can

The ¬rst theorem states that Bob must have more in- use the above proof to secure keys much longer than n0

formation on Alice™s bits than Eve (see Fig. 31). Since bits. If one assumes that Eve has an unlimited power,

error correction and privacy ampli¬cation can be imple- able to attack coherently any number of qubits, then the

mented using only 1-way communication, theorem 1 can above proof does not apply, but Mayer™s proof can still

be understood intuitively as follows. The initial situa- be used and provides precisely the same bound.

tion is depicted in a). During the public phase of the This 11% bound for coherent attacks is clearly com-

protocol, because of the 1-way communication, Eve re- patible with the 15% bound found for individual attacks.

ceives as much information as Bob, the initial information The 15% bound is also a necessary one, since an explicit

di¬erence δ thus remains. After error correction, Bob™s eavesdropping strategy reaching this bound is presented

information equals 1, as illustrated on b). After privacy in section VI E. It is not known what happens in the

ampli¬cation Eve™s information is zero. In c) Bob has re- intermediate range 11% < QBER < 15%, but the fol-

placed all bits to be disregarded by random bits. Hence lowing is plausible. If Eve is limited to coherent attacks

the key has still the original length, but his information on a ¬nite number of qubits, then in the limit of arbi-

has decreased. Finally, removing the random bits, the trarily long keys, she has a negligibly small probability

key is shortened to the initial information di¬erence, see that the bits combined by Alice and Bob during the error

41

correction and privacy ampli¬cation protocols originate by Bob, then Eve can get full information without intro-

from qubits attacked coherently. Consequently, the 15% ducing any perturbation! This is possible only when the

bound would still be valid (partial results in favor of this QC protocol is not perfectly implemented, but this is a

conjecture can be found in Cirac and Gisin 1997, and realistic situation (Huttner et al. 1995, Yuen 1997).

in Bechmann-Pasquinucci and Gisin 1999). However, if The QND atacks have recently received a lot of at-

Eve has unlimited power, in particular, if she can coher- tention (L¨ tkenhaus 2000, Brassard et al. 2000). The

u

ently attack an unlimited number of qubits, then the 11% debate is not yet settled. We would like to argue that

bound might be required. it might be unrealistic, or even unphysical, to assume

To conclude this section, let us stress that the above that Eve can perform ideal QND attacks. Indeed, ¬rst

security proof equally applies to the 6-state protocol she needs the capacity to perform QND photon number

(paragraph II D 2). It also extends straightforwardly to measurements. Although impossible with today™s tech-

protocols using larger alphabets (Bechmann-Pasquinucci nology, this is a reasonable assumption (Nogues et al.

and Tittel 2000, Bechmann-Pasquinucci and Peres 2000, 1999). Next, she should be able to keep her photon until

Bourennane et al. 2001a, Bourennane et al. 2001b). Alice and Bob reveal the basis. In principle this could

be achieved using a lossless channel in a loop. We dis-

cuss this eventuality below. Another possibility would

be that Eve maps her photon to a quantum memory.

H. Photon number measurements, lossless channels

This does not exist today, but might well exist in the

future. Note that the quantum memory should have es-

In section III A we saw that all real photon sources

sentially unlimited time, since Alice and Bob could easily

have a ¬nite probability to emit more than 1 photon. If

wait for minutes before revealing the bases58 . Finally,

all emitted photons encode the same qubit, Eve can take

Eve must access a lossless channel, or at least a chan-

advantage of this. In principle, she can ¬rst measure

nel with losses lower than that used by Alice and Bob.

the number of photons in each pulse, without disturbing

This might be the most tricky point. Indeed, besides

the degree of freedom encoding the qubits56 . Such mea-

using a shorter channel, what can Eve do? The tele-

surements are sometimes called Quantum Non Demoli-

com ¬bers are already at the physical limits of what can

tion (QND) measurements, because they do not perturb

be achieved (Thomas et al. 2000). The loss is almost

the qubit, in particular they do not destroy the photons.

entirely due to the Rayleigh scattering which is unavoid-

This is possible because Eve knows in advance that Al-

able: solve the Schr¨dinger equation in a medium with

o

ice sends a mixture of states with well de¬ned photon

inhomogeneities and you get scattering. And when the

numbers57 , (see section II F). Next, if Eve ¬nds more

inhomogeneities are due to the molecular stucture of the

than one photon, she keeps one and sends the other(s)

medium, it is di¬cult to imagine lossless ¬bers! The 0.18

to Bob. In order to prevent that Bob detects a lower

dB/km attenuation in silica ¬bers at 1550 nm is a lower

qubit rate, Eve must use a channel with lower losses. Us-

bound which is based on physics, not on technology59 .

ing an ideally lossless quantum channel, Eve can even,

Note that using the air is not a viable solution, since the

under certain conditions, keep one photon and increase

attenuation at the telecom wavelengths is rather high.

the probability that pulses with more than one photon

Vacuum, the only way to avoid Rayleigh scattering, has

get to Bob! Thirdly, when Eve ¬nds one photon, she

also limitations, due to di¬raction, again an unavoidable

may destroy it with a certain probability, such that she

physical phenomenon. In the end, it seems that Eve has

does not a¬ect the total number of qubits received by

only two possibilities left. Either she uses teleportation

Bob. Consequently, if the probability that a non-empty

(with extremely high success probability and ¬delity) or

pulse has more than one photon (on Alice™s side) is larger

than the probability that a non-empty pulse is detected

58

The quantum part of the protocol could run continuously,

storing large ammount of raw classical data. But the classical

56

For polarization coding, this is quite clear. But for phase

part of the protocol, processing these raw data, could take

coding one may think (incorrectly) that phase and photon

place just seconds before the key is used.

number are incompatible! However, the phase used for en-

59

Photonics crystal ¬bers have the potential to overcome

coding is a relative phase between two modes. Whether these

the Rayleigh scaterring limit. Actually, there are two kinds

modes are polarization modes or correspond to di¬erent times

of such ¬bers. The ¬rst kind guides light by total internal

(determined e.g. by the relative length of interferometers),

re¬‚ection, like in ordinary ¬bers. In these most of the light

does not matter.

also propagates in silica, and thus the loss limit is similar. In

57

Recall that a mixture of coherent states |eiφ ± with a

the second kind, most of the light propagates in air, thus the

random phase φ, as produced by lasers when no phase ref-

theoretical loss limit is lower. However, today the losses are

erence in available, is equal to a mixture of photon num-

2π extremely high, in the range of hundreds of dB/km. The best

ber states |n with Poisson statistics: 0 |eiφ ± eiφ ±| dφ =

2π

reported result that we are aware of is 11 dB/km and it was

µn ’µ

e |n n|, where µ = |±|2 .

n≥0 n! obtained with a ¬ber of the ¬rst kind (Canning et al. 2000).

42

she converts the photons to another wavelength (with- J. Multi-photon pulses and passive choice of states

out perturbing the qubit). Both of these “solutions” are

seemingly unrealistic in any foreseeable future. Multi-photon pulses do not necessarily constitute a

Consequently, when considering the type of attacks threat for the key security, but limit the key creation

discussed in this section, it is essential to distinguish the rate because they imply that more bits must be discarded

ultimate proofs from the practical ones discussed in the during key distillation. This fact is based on the assump-

¬rst part of this chapter. Indeed, the assumptions about tion that all photons in a pulse carry the same qubit, so

the defects of Alice and Bob™s apparatuses must be very that Eve does not need to copy the qubit going to Bob,

speci¬c and might thus be of limited interest. While for but merely keeps the copy that Alice inadvertently pro-

practical considerations, these assumptions must be very vides. When using weak pulses, it seems unavoidable

general and might thus be excessive. that all the photons in a pulse carry the same qubit.

However, in 2-photon implementations, each photon on

Alice™s side chooses independently a state (in the experi-

I. A realistic beamsplitter attack ments of Ribordy et al. 2001 and Tittel et al. 2000, each

photon chooses randomly both its basis and its bit value;

The attack presented in the previous section takes ad- in the experiments of Naik et al. 2000 and Jennewein et

vantage of the pulses containing more than one photon. al. 2000b, the bit value choice only is random). Hence,

However, as discussed, it uses unrealistic assumptions. when two photon pairs are simultaneously produced, by

In this section, following N. L¨ tkenhaus (2000) and M.

u accident, the two twins carry independent qubits. Con-

Dusek et al (2000), we brie¬‚y comment on a realistic at- sequently, Eve can™t take advantage of such multi-photon

tack, also exploiting the multiphoton pulses (for details, twin-pulses. This might be one of the main advantages

see Felix et al. 2001, where this and another examples of the 2-photon schemes compared to the much simpler

are presented). Assume that Eve splits all pulses in two, weak-pulse schemes. But the multi-photon problem is

analysing each half in one of the two bases, using pho- then on Bob™s side who gets a noisy signal, consisting

ton counting devices able to distinguish pulses with 0, partly in photons not in Alice™s state!

1 and 2 photons (see Fig. 32). In practice this could

be realized using many single photon counters in paral-

lel. This requires nearly perfect detectors, but at least K. Trojan Horse Attacks

one does not need to assume technology completely out

of today™s realm. Whenever Eve detects two photons All eavesdropping strategies discussed up to now con-

in the same output, she sends a photon in the corre- sisted of Eve™s attempt to get a maximum information

sponding state into Bob™s apparatus. Since Eve™s infor- out of the qubits exchanged by Alice and Bob. But Eve

mation is classical, she can overcome all the losses of the can also follow a completely di¬erent strategy: she can

quantum channel. In all other cases, Eve sends noth- herself send signals that enter Alice and Bob™s o¬ces

ing to Bob. In this way, Eve sends a fraction 3/8 of the through the quantum channel. This kind of strategies

pulses containing at least 2 photons to Bob. On these, are called Trojan horse attacks. For example, Eve can

she introduces a QBER=1/6 and gets an information send light pulses into the ¬ber entering Alice or Bob ap-

I(A, E) = 2/3 = 4 · QBER. Bob doesn™t see any re- paratuses and analyze the backre¬‚ected light. In this

duction in the number of detected photons, provided the way, it is in principle possible to detect which laser just

transmission coe¬cient of the quantum channel t satis- ¬‚ashed, or which detector just ¬red, or the settings of

¬es: phase and polarization modulators. This cannot be sim-

ply prevented by using a shutter, since Alice and Bob

3 3µ

t¤ P rob(n ≥ 2|n ≥ 1) ≈ (77) must leave the “door open” for the photons to go out

8 16

and in, respectively.

In most QC-setups the amount of backre¬‚ected light

where the last expression assumes Poissonian photon dis-

can be made very small and sensing the apparatuses with

tribution. Accordingly, for a ¬xed QBER, this attacks

light pulses through the quantum channel is di¬cult.

provides Eve with twice the information she would get

Nevertheless, this attack is especially threatening in the

using the intercept resend strategy. To counter such an

plug-&-play scheme on Alice™s side (section IV C 2), since

attack, Alice should use a mean photon number µ such

a mirror is used to send the light pulses back to Bob.

that Eve can only use this attack on a fraction of the

So in principle, Eve can send strong light pulses to Alice

pulses. For example, Alice could use pulses weak enough

and sense the applied phase shift. However, by applying

that Eve™s mean information gain is identical to the one

the phase shift only during a short time ∆tphase (a few

she would obtain with the simple intercept resend strat-

nanoseconds), Alice can oblige Eve to send the spying

egy (see paragraph II C 3). For 10, 14 and 20 dB at-

pulse at the same time as Bob. Remember that in the

tenuation, this corresponds to µ = 0.25, 0.1 and 0.025,

plug-&-play scheme pulse coming from Bob are macro-

respectively.

scopic and an attenuator at Alice reduces them to the

43

below one photon level, say 0.1 photons per pulse. Hence, To conclude this chapter, let us brie¬‚y elaborate on

if Eve wants to get, say 1 photon per pulse, she has to the di¬erences and similarities between technological and

send 10 times Bob™s pulse energy. Since Alice is detect- mathematical complexity and on their possible connec-

ing Bob™s pulses for triggering her apparatus, she must tions and implications. Mathematical complexity means

be able to detect an increase of energy of these pulses that the number of steps needed to run complex algo-

in order to reveal the presence of a spying pulse. This rithms explodes exponentially when the size of the input

is a relatively easy task, provided that Eve™s pulses look data grows linearly. Similarly, one can de¬ne technolog-

the same as Bob™s. But, Eve could of course use another ical complexity of a quantum computer by an exploding

wavelength or ultrashort pulses (or very long pulses with di¬culty to process coherently all the qubits necessary

low intensity, hence the importance of ∆tphase ), there- to run a (non-complex) algorithm on a linearly growing

fore Alice must introduce an optical bandpass ¬lter with number of input data. It might be interesting to con-

a transmission spectrum corresponding to the sensitivity sider the possibility that the relation between these two

spectrum of her detector, and choose a ∆tphase that ¬ts concepts of complexity is deeper. It could be that the

to the bandwidth of her detector. solution of a problem requires either a complex classi-

There is no doubt that Trojan horse attacks can be cal algorithm or a quantum one which itself requires a

complex quantum computer61 .

prevented by technical measures. However, the fact that

this class of attacks exist illustrates that the security of

QC can never be guaranteed only by the principles of

quantum mechanics, but necessarily relies also on tech- VII. CONCLUSION

nical measures that are subject to discussions 60 .

Quantum cryptography is a fascinating illustration of

the dialog between basic and applied physics. It is based

L. Real security: technology, cost and complexity on a beautiful combinations of concepts from quantum

physics and information theory and made possible thanks

Despite the elegant and generality of security proofs, to the tremendous progress in quantum optics and in the

the dream of a QC system whose security relies entirely technology of optical ¬bers and of free space optical com-

on quantum principles is unrealistic. The technological munication. Its security principle relies on deep theorems

implementation of the abstract principles will always be in classical information theory and on a profound under-

questionable. It is likely that they will remain the weak- standing of the Heisenberg™s uncertainty principle, as il-

est point in all systems. Moreover, one should remember lustrated by theorems 1 and 2 in section VI G (the only

the obvious equation: mathematically involved theorems in this review!). Let

us also emphasize the important contributions of QC to

Inf inite security ’ Inf inite cost (78) classical cryptography: privacy ampli¬cation and classi-

’ Zero practical interest cal bound information (paragraphs II C 4 and II C 5) are

examples of concepts in classical information whose dis-

On the other hand, however, one should not under- covery were much inspired by QC. Moreover, the fasci-

estimate the following two advantages of QC. First, it nating tension between quantum physics and relativity,

is much easier to forecast progress in technology than in as illustrated by Bell™s inequality, is not far away, as dis-

mathematics: the danger that QC breaks down overnight cussed in section VI F. Now, despite the huge progress

is negligible, contrary to public-key cryptosystems. Next, over the recent years, many open questions and techno-

the security of QC depends on the technological level of logical challenges remain.

the adversary at the time of the key exchange, contrary One technological challenge at present concerns im-

to complexity based systems whose coded message can proved detectors compatible with telecom ¬bers. Two

be registered and broken thanks to future progress. The other issues concern free space QC and quantum re-

latter point is relevant for secrets whose value last many peaters. The ¬rst is presently the only way to realize

years. QC over thousands of kilometers using near future tech-

One often points at the low bit rate as one of the cur- nology (see section IV E). The idea of quantum repeaters

rent limitations of QC. However, it is important to stress (section III E) is to encode the qubits in such a way that if

that QC must not necessarily be used in conjunction with the error rate is low, then errors can be detected and cor-

one-time pad encryption. It can also be used to provide rected entirely in the quantum domain. The hope is that

a key for a symmetrical cipher “ such as AES “ whose

security is greatly enhanced by frequent key changes.

61

Penrose (1994) pushes these speculations even further,

suggesting that spontaneous collapses stop quantum com-

60

Another technological loophole, recently pointed out by puters whenever they try to compute beyond a certain

Kurtsiefer et al., is the possible information leakage caused complexity.

by light emitted by APDs during their breakdown (2001).

44

such techniques could extend the range of quantum com- REFERENCES

munication to essentially unlimited distances. Indeed,

Hans Briegel, then at Innsbruck University (1998), and Ardehali, M., H. F. Chau and H.-K. Lo, 1998, “E¬cient

coworkers, showed that the number of additional qubits Quantum Key Distribution”, quant-ph/9803007.

needed for quantum repeaters can be made smaller than Aspect, A., J. Dalibard, and G. Roger, 1982, “Experimen-

the numbers of qubits needed to improved the ¬delity of tal Test of Bell™s Inequalities Using Time-Varying Analyzers”,

the quantum channel (Dur et al. 1999). One could thus Phys. Rev. Lett. 49, 1804-1807.

overcome the decoherence problem. However, the main Bechmann-Pasquinucci, H., and N. Gisin, 1999, “Incoher-

ent and Coherent Eavesdropping in the 6-state Protocol of

practical limitation is not decoherence but loss (most

Quantum Cryptography”, Phys. Rev. A 59, 4238-4248.

photons never get to Bob, but those which get there,

Bechmann-Pasquinucci, H., and A. Peres, 2000, “Quantum

exhibit high ¬delity).

cryptography with 3-state systems”, Phys. Rev. Lett. 85,

On the open questions side, let us emphasize three

3313-3316.

main concerns. First, complete and realistic analyses

Bechmann-Pasquinucci, H., and W. Tittel, 2000, “Quan-

of the security issues are still missing. Next, ¬gures of

tum cryptography using larger alphabets”, Phys. Rev. A 61,

merit to compare QC schemes based on di¬erent quan-

062308-1.

tum systems (with di¬erent dimensions for example) are

Bell, J.S., 1964, “On the problem of hidden variables in

still awaited. Finally, the delicate question of how to

quantummechanics”, Review of Modern Phys. 38, 447-452;

test the apparatuses did not yet receive enough atten-

reprinted in “Speakable and unspeakable in quantum mechan-

tion. Indeed, a potential customer of quantum cryptog-

ics”, Cambridge University Press, New-York 1987.

raphy buys con¬dence and secrecy, two qualities hard to Bennett, Ch.H., 1992, “Quantum cryptography using any

quantify. Interestingly, both of these issues have a con- two nonorthogonal states”, Phys. Rev. Lett. 68, 3121-3124.

nection with Bell inequality (see sections VI F and VI B). Bennett, Ch.H. and G. Brassard, 1984, “Quantum cryptog-

But, clearly, this connection can not be phrased in the old raphy: public key distribution and coin tossing”, Int. conf.

context of local hidden variables, but rather in the con- Computers, Systems & Signal Processing, Bangalore, India,

text of the security of tomorrows communications. Here, December 10-12, 175-179.

like in all the ¬eld of quantum information, old concepts Bennett, Ch.H. and G. Brassard, 1985, “Quantum public

are renewed by looking at them from a fresh perspective: key distribution system”, IBM Technical Disclosure Bulletin,

let™s exploit the quantum weirdness! 28, 3153-3163.

QC could well be the ¬rst application of quantum me- Bennett, Ch.H., G. Brassard and J.-M. Robert, 1988, “Pri-

chanics at the single quanta level. Experiments have vacy ampli¬cation by public discussion” SIAM J. Comp. 17,

demonstrated that keys can be exchanged over distances 210-229.

Bennett, Ch.H., F. Bessette, G. Brassard, L. Salvail, and

of a few tens of kilometers at rates at least of the order

J. Smolin, 1992a, “Experimental Quantum Cryptography”, J.

of a thousand bits per second. There is no doubt that

Cryptology 5, 3-28.

the technology can be mastered and the question is not

Bennett, Ch.H., G. Brassard and Mermin N.D., 1992b,

whether QC will ¬nd commercial applications, but when.

“Quantum cryptography without Bell™s theorem”, Phys. Rev.

Indeed, presently QC is still very limited in distance and

Lett. 68, 557-559.

in secret-bit rate. Moreover, public key systems occupy

Bennett, Ch.H., G. Brassard and A. Ekert, 1992c, “Quan-

the market and, being pure software, are tremendously

tum cryptography”, Scienti¬c Am. 267, 26-33 (int. ed.).

easier to manage. Every so often, the news is that some

Bennett, Ch.H., G. Brassard, C. Cr´peau, R. Jozsa, A.

e

classical ciphersystem has been broken. This would be

Peres and W.K. Wootters, 1993, “Teleporting an unknown

impossible with properly implemented QC. But this ap-

quantum state via dual classical and Einstein-Podolsky-Rosen

parent strength of QC might turn out to be its weak channels”, Phys. Rev. Lett. 70, 1895-1899.

point: the security agencies would equally be unable to Bennett, Ch.H., G. Brassard, C. Cr´peau, and U.M. Mau-

e

break quantum cryptograms! rer, 1995, “Generalized privacy ampli¬cation”, IEEE Trans.

Information th., 41, 1915-1923.

Berry, M.V., 1984, “Quantal phase factors accompanying

ACKNOWLEDGMENTS adiabatic changes”, Proc. Roy. Soc. Lond. A 392, 45-57.

Bethune, D., and W. Risk, 2000, “An Autocompensating

Fiber-Optic Quantum Cryptography System Based on Polar-

Work supported by the Swiss FNRS and the European

ization Splitting of Light”, IEEE J. Quantum Electron., 36,

projects EQCSPOT and QUCOMM ¬nanced by the Swiss

340-347.

OFES. The authors would also like to thank Richard Hughes

Biham, E. and T. Mor, 1997a, “Security of quantum cryp-

for providing Fig. 8, and acknowledge both referees, Charles

tograophy against collective attacks”, Phys. Rev. Lett. 78,

H. Bennett and Paul G. Kwiat, for their very careful reading

2256-1159.

of the manuscript and their helpful remarks.

Biham, E. and T. Mor, 1997b, “Bounds on Information and

the Security of Quantum Cryptography”, Phys. Rev. Lett.

79, 4034-4037.

45

Biham, E., M. Boyer, P.O. Boykin, T. Mor and V. Roy- Brown, R.G.W., R. Jones, J. G. Rarity, and Kevin D. Rid-

chowdhury, 1999, “A proof of the security of quantum key ley, 1987, “Characterization of silicon avalanche photodiodes

distribution”, quant-ph/9912053. for photon correlation measurements. 2: Active quenching”,

Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Applied Optics 26, 2383-2389.

Jonsson, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, Brunel, Ch., B. Lounis, Ph. Tamarat, and M. Orrit, 1999,

“Experiments on long wavelength (1550nm) ™plug and play™ “Triggered Source of Single Photons based on Controlled Sin-

quantum cryptography systems™, Opt. Express 4,383-387 gle Molecule Fluorescence”, Phys. Rev. Lett. 83, 2722-2725.

Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Bruss, D., 1998, “Optimal eavesdropping in quantum cryp-

Hening, and J.P. Ciscar, 2000, “Experimental long wavelength tography with six states”, Phys. Rev. Lett. 81, 3018-3021.

quantum cryptography: from single photon transmission to Bruss, D., A. Ekert and C. Macchiavello, 1998, “Optimal

key extraction protocols”, J. Mod. Optics 47, 563-579. universal quantum cloning and state estimation”, Phys. Rev.

Bourennane, M., A. Karlsson and G. Bj¨rn, 2001a, “Quan-

o Lett. 81, 2598-2601.

tum Key Distribution using multilevel encoding”, Phys. Rev Buttler, W.T., R.J. Hughes, P.G. Kwiat, S. K. Lamoreaux,

A 64, 012306. G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson,

Bourennane, M., A. Karlsson, G. Bj¨rn, N. Gisin and N.

o and C. Simmons, 1998, “Practical free-space quantum key

Cerf, 2001b, “Quantum Key distribution using multilevel en- distribution over 1 km”, Phys. Rev. Lett. 81, 3283-3286.

coding : security analysis”, quant-ph/0106049. Buttler, W.T., R.J. Hughes, S.K. Lamoreaux, G.L. Mor-

Braginsky, V.B. and F.Ya. Khalili, 1992, “Quantum Mea- gan, J.E. Nordholt, and C.G. Peterson, 2000, “Daylight

surements”, Cambridge University Press. Quantum key distribution over 1.6 km”, Phys. Rev. Lett,

Brassard, G., 1988, “Modern cryptology”, Springer-Verlag, 84, pp. 5652-5655.

Lecture Notes in Computer Science, vol. 325. Buˇek, V. and M. Hillery, 1996, “Quantum copying: Be-

z

Brassard, G. and L. Salvail, 1993, “Secrete-key reconcilia- yond the no-cloning theorem”, Phys. Rev. A 54, 1844-1852.

tion by public discussion” In Advances in Cryptology, Euro- Cancellieri, G., 1993, “Single-mode optical ¬ber measure-

crypt ™93 Proceedings. ment: characterization and sensing”, Artech House, Boston

Brassard, G., C. Cr´peau, D. Mayers and L. Salvail, 1998,