nate from qubits attacked coherently. Consequently, the

for Eve to map her photon to a quantum memory. This

15% bound would still be valid (partial results in favor

does not exist today but might well exist in the future.

of this conjecture can be found in Cirac and Gisin, 1997

Note that the quantum memory should have essentially

and Bechmann-Pasquinucci and Gisin, 1999). However,

unlimited decoherence time, since Alice and Bob could

if Eve has unlimited power, in particular, if she can co-

easily wait for minutes before revealing the bases.58 Fi-

herently attack an unlimited number of qubits, then the

nally, Eve must access a lossless channel, or at least a

11% bound might be required.

channel with lower losses than that used by Alice and

To conclude this section, let us stress that the above

security proof applies equally to the six-state protocol

(Sec. II.D.2). It also extends in a straightforward

56

For polarization coding, this is quite clear, but for phase

fashion to protocols using larger alphabets (Bechmann-

coding one may think (incorrectly) that phase and photon

Pasquinucci and Peres, 2000; Bechmann-Pasquinucci

number are incompatible. However, the phase used for encod-

¨

and Tittel, 2000; Bourennane, Karlsson, and Bjorn, 2001;

ing is a relative phase between two modes. Whether these

¨

Bourennane, Karlsson, Bjorn, Gisin, and Cerf, 2001).

modes are polarization modes or correspond to different times

(determined, for example, by the relative length of interferom-

eters), does not matter.

57

Recall that a mixture of coherent states e i with a

random phase , as produced by lasers when no phase refer-

H. Photon number measurements and lossless channels ence is available, is equal to a mixture of photon number states

2 i

ei

n with Poisson statistics: 0e (d /2 )

In Sec. III.A we saw that all real photon sources have n 2

n 0( /n!) e n n , where .

a ¬nite probability of emittting more than one photon. If 58

The quantum part of the protocol could run continuously,

all emitted photons encode the same qubit, Eve can take storing large amounts of raw classical data, but the classical

advantage of this. In principle, she can ¬rst measure the part of the protocol, which processes these raw data, could

number of photons in each pulse without disturbing the take place just seconds before the key is used.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

188 Gisin et al.: Quantum cryptography

Bob. This might be the trickiest point. Indeed, besides

using a shorter channel, what can Eve do? Telecommu-

nications ¬bers are already at the physical limits of what

can be achieved (Thomas et al., 2000). The loss is almost

entirely due to Rayleigh scattering, which is unavoid-

¨

able: solve the Schrodinger equation in a medium with

inhomogeneities and you get scattering. When the inho-

mogeneities are due to the molecular stucture of the

medium, it is dif¬cult to imagine lossless ¬bers. The

FIG. 32. Realistic beamsplitter attack. Eve stops all pulses.

0.18-dB/km attenuation in silica ¬bers at 1550 nm is a

The two photon pulses have a 50% probability of being ana-

lower bound imposed by physics rather then

lyzed by the same analyzer. If this analyzer is compatible with

technology.59 Note that using air is not a viable solution,

the state prepared by Alice, then both photons are detected

since attenuation at telecommunications wavelengths is

with the same outcome; if not, there is a 50% chance that they

rather high. Vacuum, the only way to avoid Rayleigh are detected with the same outcome. Hence there is a prob-

scattering, also has limitations, due to diffraction, again 3

ability of 8 that Eve detects both photons with the same out-

an unavoidable physical phenomenon. In the end, it come. In such a case, and only in such a case, she resends a

seems that Eve has only two possibilities left. Either she 2

photon to Bob. In 3 of these cases she introduces no errors,

uses teleportation (with extremely high success prob- since she has identi¬ed the correct state and gets full informa-

ability and ¬delity) or she converts the photons to an- tion; in the remaining cases she has a 50% probability of in-

other wavelength (without perturbing the qubit). Both troducing an error and gains no information. The total QBER

1 2

of these ˜˜solutions™™ seem unrealistic in the foreseeable is thus 6, and Eve™s information gain is 3.

future.

Consequently, when considering the type of attacks

state into Bob™s apparatus. Since Eve™s information is

discussed in this section, it is essential to distinguish the

classical, she can overcome all the losses of the quantum

ultimate proofs from the practical ones. Indeed, the as-

channel. In all other cases, Eve sends nothing to Bob. In

sumptions about the defects of Alice and Bob™s appara- 3

this way, Eve sends a fraction ( 8 ) of the pulses contain-

tuses must be very speci¬c and might thus be of limited

ing at least two photons to Bob. She introduces a QBER

interest, while for practical considerations these assump- 1 2

of 6 and gets information I(A,E) 3 4•QBER. Bob

tions must be very general and might thus be excessive.

does not see any reduction in the number of detected

photons, provided that the transmission coef¬cient of

the quantum channel t satis¬es

I. A realistic beamsplitter attack

3 3

t Prob n 2 n 1 , (76)

The attack presented in the previous section takes ad- 8 16

vantage of pulses containing more than one photon.

where the last expression assumes Poissonian photon

However, as discussed, it uses unrealistic assumptions. In

distribution. Accordingly, for a ¬xed QBER, this attack

¨

this section, following Dusek et al. (2000) and Lutken-

provides Eve with twice the information she would get

haus (2000), we brie¬‚y comment on a realistic attack

from using the intercept-resend strategy. To counter

that, also exploits multiphoton pulses (for details, see

such an attack, Alice should use a mean photon number

Felix et al., 2001, where this and other examples are pre-

such that Eve can use this attack on only a fraction of

sented). Assume that Eve splits all pulses in two, analyz-

the pulses. For example, Alice could use pulses weak

ing each half in one of the two bases, using photon

enough that Eve™s mean information gain is identical to

counting devices able to distinguish between pulses with

what she would obtain with the simple intercept-resend

0, 1, and 2 photons (see Fig. 32). In practice this could be

strategy (see Sec. II.C.3). For 10-, 14-, and 20-dB attenu-

realized using many single-photon counters in parallel.

ation, this corresponds to 0.25, 0.1, and 0.025, respec-

This requires nearly perfect detectors, but at least one

tively.

does not need to assume technology completely out of

today™s realm. Whenever Eve detects two photons in the

same output, she sends a photon in the corresponding

J. Multiphoton pulses and passive choice of states

Multiphoton pulses do not necessarily constitute a

59

Photonics crystal ¬bers have the potential to overcome the threat to key security, but they limit the key creation

Rayleigh scattering limit. There are two kinds of such ¬bers. rate because they imply that more bits must be dis-

The ¬rst kind guides light by total internal re¬‚ection, as in carded during key distillation. This fact is based on the

ordinary ¬bers. In these ¬bers most of the light also propagates

assumption that all photons in a pulse carry the same

in silica, and thus the loss limit is similar. In the second kind,

qubit, so that Eve does not need to copy the qubit going

most of the light propagates in air. Thus the theoretical loss

to Bob, but merely keeps the copy that Alice inadvert-

limit is lower. However, today the losses are extremely high, in

ently provides. When using weak pulses, it seems un-

the range of hundreds of dB/km. The best reported result that

avoidable that all the photons in a pulse carry the same

we are aware of is 11 dB/km, and it was obtained with the ¬rst

qubit. However, in two-photon implementations, each

kind of ¬ber (Canning et al., 2000).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

189

Gisin et al.: Quantum cryptography

photon on Alice™s side independently chooses a state [in this class of attacks exists illustrates that the security of

the experiments of Ribordy et al. (2001) and Tittel et al. QC can never be guaranteed by the principles of

(2000), each photon randomly chooses both its basis and quantum mechanics only, but must necessarily rely on

measures that are subject to discussion.60

its bit value; in the experiments of Naik et al. (2000) and technical

Jennewein, Simon, et al. (2000), only the bit value choice

is random]. Hence, when two photon pairs are simulta-

neously produced, the two twins carry independent qu-

bits by accident. Consequently, Eve cannot take advan- L. Real security: Technology, cost, and complexity

tage of such multiphoton twin pulses. This might be one

Despite the elegance and generality of security proofs,

of the main advantages of two-photon schemes over the

the ideal of a QC system whose security relies entirely

much simpler weak-pulse schemes. But the multiphoton

on quantum principles is unrealistic. The technological

problem is then on Bob™s side, which gets a noisy signal,

implementation of abstract principles will always be

consisting partly of photons not in Alice™s state.

questionable. It is likely that they will remain the weak-

est point in all systems. Moreover, one should remember

K. Trojan horse attacks

the obvious relation:

All eavesdropping strategies discussed up to this point In¬nite security’In¬nite cost

have consisted of Eve™s attempt to get a maximum infor-

’Zero practical interest . (77)

mation from the qubits exchanged by Alice and Bob.

However, Eve can also pursue a completely different On the other hand, however, one should not underes-

strategy: she can herself send signals that enter Alice timate the following two advantages of QC. First, it is

and Bob™s of¬ces through the quantum channel. This much easier to forecast progress in technology than in

kind of strategy is called a Trojan horse attack. For ex- mathematics: the danger that QC will break down over-

ample, Eve can send light pulses into the ¬ber entering night is negligible, in contrast to public-key cryptosys-

Alice™s or Bob™s apparatus and analyze the backre¬‚ected tems. Next, the security of QC depends on the techno-

light. In this way, it is in principle possible to detect logical level of the adversary at the time of the key

which laser just ¬‚ashed, which detector just ¬red, or the exchange, in contrast to complexity-based systems whose

settings of phase and polarization modulators. This can- coded message can be registered and broken thanks to

not be prevented by simply using a shutter, since Alice future progress. The latter point is relevant for secrets

and Bob must leave the ˜˜door open™™ for the photons to whose value lasts many years.

exit and enter, respectively. One often points to low bit rate as one of the current

In most QC setups the amount of backre¬‚ected light limitations of QC. However, it is important to stress that

can be made very small, and sensing the apparatus with QC need not be used in conjunction with one-time-pad

light pulses through the quantum channel is dif¬cult. encryption. It can also be used to provide a key for a

Nevertheless, this attack is especially threatening in the symmetrical cipher such as AES, whose security is

plug-and-play scheme on Alice™s side (Sec. IV.C.2), since greatly enhanced by frequent key changes.

a mirror is used to send the light pulses back to Bob. To conclude this section, let us brie¬‚y elaborate on the

Thus, in principle, Eve can send strong light pulses to differences and similarities between technological and

Alice and sense the applied phase shift. However, by mathematical complexity and on their possible connec-

applying the phase shift only during a short time t phase tions and implications. Mathematical complexity means

(a few nanoseconds), Alice can oblige Eve to send the that the number of steps needed to run complex algo-

spying pulse at the same time as Bob. Remember that in rithms increases exponentially as the size of the input

the plug-and-play scheme, pulses coming from Bob are grows linearly. Similarly, one can de¬ne the technologi-

macroscopic and an attenuator at Alice™s end reduces cal complexity of a quantum computer as an exponen-

them to below the one-photon level, say, 0.1 photons per tially increasing dif¬culty to process coherently all the

pulse. Hence, if Eve wants to get, say, one photon per qubits necessary to run a (noncomplex) algorithm on a

pulse, she has to send ten times Bob™s pulse energy. linearly growing number of input data. It might be inter-

Since Alice is detecting Bob™s pulses for triggering her esting to consider the possibility that the relationship

apparatus, she must be able to detect an increase in en- between these two concepts of complexity is deeper. It

ergy of these pulses in order to reveal the presence of a could be that the solution of a problem requires either a

spying pulse. This is a relatively easy task, provided that complex classical algorithm or a quantum algorithm that

itself requires a complex quantum computer.61

Eve™s pulses look the same as Bob™s. However, Eve could

of course use another wavelength or ultrashort pulses

(or very long pulses with low intensity, hence the impor-

tance of t phase ); therefore Alice must introduce an op- 60

Another technological loophole, recently pointed out by

tical bandpass ¬lter with a transmission spectrum corre- Kurtsiefer et al. (2001), is the possible information leakage

sponding to the sensitivity spectrum of her detector and caused by light emitted by APD™s during their breakdown.

choose a t phase that ¬ts the bandwidth of her detector. 61

Penrose (1994) pushes these speculations even further, sug-

There is no doubt that Trojan horse attacks can be gesting that spontaneous collapses stop quantum computers

prevented by technical measures. However, the fact that whenever they try to compute beyond a certain complexity.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

190 Gisin et al.: Quantum cryptography

VII. CONCLUSIONS QC could well be the ¬rst application of quantum me-

chanics at the single-quantum level. Experiments have

Quantum cryptography is a fascinating illustration of demonstrated that keys can be exchanged over distances

the dialog between basic and applied physics. It is based of a few tens of kilometers at rates on the order of at

on a beautiful combination of concepts from quantum least a thousand bits per second. There is no doubt that

physics and information theory and made possible by the technology can be mastered and the question is not

whether QC will ¬nd commercial applications, but

the tremendous progress in quantum optics and the

when. At present QC is still very limited in distance and

technology of optical ¬bers and free-space optical com-

in secret bit rate. Moreover, public-key systems domi-

munication. Its security principle relies on deep theo-

nate the market and, being pure software, are tremen-

rems in classical information theory and on a profound

dously easier to manage. Every so often, we hear in the

understanding of Heisenberg™s uncertainty principle, as

news that some classical cryptosystem has been broken.

illustrated by Theorems 1 and 2 in Sec. VI.G (the only

This would be impossible with properly implemented

mathematically involved theorems in this review). Let us

QC. But this apparent strength of QC might turn out to

also emphasize the important contributions of QC to

be its weak point: security agencies would be equally

classical cryptography: privacy ampli¬cation and classi-

unable to break quantum cryptograms!

cal bound information (Secs. II.C.4 and II.C.5) are ex-

amples of concepts in classical information whose dis-

covery were much inspired by QC. Moreover, the

ACKNOWLEDGMENTS

fascinating tension between quantum physics and rela-

tivity, as illustrated by Bell™s inequality, is not far away, This work was supported by the Swiss Fonds National

as discussed in Sec. VI.F. Now, despite signi¬cant de la Recherche Scienti¬que (FNRS) and the European

progress in recent years, many open questions and tech- Union projects European Quantum Cryptography and

nological challenges remain. Single-Photon Optical Technologies (EQCSPOT) and

One technological challenge at present concerns im- Long-Distance Photonic Quantum Communication

proved detectors compatible with telecommunications ´´

(QUCOMM) ¬nanced by the Swiss Of¬ce Federal de

¬bers. Two other issues concern free-space QC and l™Education et de la Science (OFES). The authors would

quantum repeaters. The former is currently the only way also like to thank Richard Hughes for providing Fig. 8,

to realize QC over thousands of kilometers using the and acknowledge Charles H. Bennett and Paul G. Kwiat

technology of the near future (see Sec. IV.E). The idea for their very careful reading of the manuscript and their

of quantum repeaters (Sec. III.E) is to encode the qubits helpful remarks.

in such a way that if the error rate is low, then errors can

be detected and corrected entirely in the quantum do-

main. The hope is that such techniques could extend the REFERENCES

range of quantum communication to essentially unlim-

ited distances. Indeed, Hans Briegel, then at the Univer- Ardehali, M., H. F. Chau, and H.-K. Lo, 1998, ˜˜Ef¬cient quan-

sity of Innsbruck, and co-workers (1998) showed that tum key distribution,™™ preprint quant-ph/9803007.

the number of additional qubits needed for quantum re- Aspect, A., J. Dalibard, and G. Roger, 1982, ˜˜Experimental

peaters can be made smaller than the numbers of qubits test of Bell™s inequalities using time-varying analyzers,™™ Phys.

needed to improve the ¬delity of the quantum channel Rev. Lett. 49, 1804“1807.

(Dur et al., 1999). One could thus overcome the deco- Bechmann-Pasquinucci, H., and N. Gisin, 1999, ˜˜Incoherent

herence problem. However, the main practical limitation and coherent eavesdropping in the 6-state protocol of quan-

is not decoherence but loss (most photons never get to tum cryptography,™™ Phys. Rev. A 59, 4238“4248.

Bechmann-Pasquinucci, H., and A. Peres, 2000, ˜˜Quantum

Bob, but those that do get there exhibit high ¬delity).

cryptography with 3-state systems,™™ Phys. Rev. Lett. 85,

As for open questions, let us emphasize three main

3313“3316.

concerns. First, complete and realistic analyses of the

Bechmann-Pasquinucci, H., and W. Tittel, 2000, ˜˜Quantum

security issues are still missing. Next, ¬gures of merit for

cryptography using larger alphabets,™™ Phys. Rev. A 61,

comparing QC schemes based on different quantum sys-

062308.

tems (with different dimensions, for example) are still

Bell, J. S., 1964, ˜˜On the problem of hidden variables in quan-

awaited. Finally, the delicate question of how to test the

tum mechanics,™™ Rev. Mod. Phys. 38, 447“452 [reprinted in

apparatuses has not yet received enough attention. In-

Bell, J. S., 1987, Speakable and Unspeakable in Quantum Me-

deed, a potential customer of quantum cryptography

chanics (Cambridge University, Cambridge, England)].

buys con¬dence and secrecy, two qualities hard to quan- Bennett, C. H., 1992, ˜˜Quantum cryptography using any two

tify. Interestingly, both of these issues are connected to nonorthogonal states,™™ Phys. Rev. Lett. 68, 3121“3124.

Bell™s inequality (see Secs. VI.F and VI.B). Clearly, this Bennett, C. H., F. Bessette, G. Brassard, L. Salvail, and J. Smo-

connection cannot be phrased in the old context of local lin, 1992, ˜˜Experimental quantum cryptography,™™ J. Cryptol-

hidden variables, but rather in the context of the secu- ogy 5, 3“28.

rity of tomorrow™s communications. Here, as in the en- Bennett, C. H., and G. Brassard, 1984, in Proceedings of the

tire ¬eld of quantum information, old concepts are re- IEEE International Conference on Computers, Systems and

newed by looking at them from a fresh perspective: let Signal Processing, Bangalore, India, (IEEE, New York), pp.

us exploit quantum weirdness. 175“179.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

191

Gisin et al.: Quantum cryptography

´

Bennett, C. H., and G. Brassard, 1985, ˜˜Quantum public key Breguet, J., and N. Gisin, 1995, ˜˜New interferometer using a

distribution system,™™ IBM Tech. Discl. Bull. 28, 3153“3163. 3 3 coupler and Faraday mirrors,™™ Opt. Lett. 20, 1447“1449.

´ ´

Bennett, C. H., G. Brassard, C. Crepeau, R. Jozsa, A. Peres, Breguet, J., A. Muller, and N. Gisin, 1994, ˜˜Quantum cryptog-

and W. K. Wootters, 1993, ˜˜Teleporting an unknown quan- raphy with polarized photons in optical ¬bers: experimental

tum state via dual classical and Einstein-Podolsky-Rosen and practical limits,™™ J. Mod. Opt. 41, 2405“2412.

channels,™™ Phys. Rev. Lett. 70, 1895“1899. Brendel, J., W. Dultz, and W. Martienssen, 1995, ˜˜Geometric

´

Bennett, C. H., G. Brassard, C. Crepeau, and U. M. Maurer, phase in 2-photon interference experiments,™™ Phys. Rev. A

1995, ˜˜Generalized privacy ampli¬cation,™™ IEEE Trans. Inf. 52, 2551“2556.

Theory 41, 1915“1923. Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, ˜˜Pulsed

Bennett, C. H., G. Brassard, and A. Ekert, 1992, ˜˜Quantum energy-time entangled twin-photon source for quantum com-

cryptography,™™ Sci. Am. 267, 50“57. munication,™™ Phys. Rev. Lett. 82, 2594“2597.

Bennett, C. H., G. Brassard, and N. D. Mermin, 1992, ˜˜Quan- Briegel, H.-J., W. Dur, J. I. Cirac, and P. Zoller, 1998, ˜˜Quan-

tum cryptography without Bell™s theorem,™™ Phys. Rev. Lett. tum repeaters: the role of imperfect local operations in quan-

68, 557“559. tum communication,™™ Phys. Rev. Lett. 81, 5932“5935.

Bennett, C. H., G. Brassard, and J.-M. Robert, 1988, ˜˜Privacy Brouri, R., A. Beveratios, J.-P. Poizat, and P. Grangier, 2000,

ampli¬cation by public discussion,™™ SIAM J. Comput. 17, ˜˜Photon antibunching in the ¬‚uorescence of individual col-

210“229. ored centers in diamond,™™ Opt. Lett. 25, 1294“1296.

Berry, M. V., 1984, ˜˜Quantal phase factors accompanying adia- Brown, R. G. W., and M. Daniels, 1989, ˜˜Characterization of

batic changes,™™ Proc. R. Soc. London, Ser. A 392, 45“57. silicon avalanche photodiodes for photon correlation mea-

Bethune, D., and W. Risk, 2000, ˜˜An autocompensating ¬ber- surements. 3: Sub-Geiger operation,™™ Appl. Opt. 28, 4616“

optic quantum cryptography system based on polarization 4621.

splitting of light,™™ IEEE J. Quantum Electron. 36, 340“347. Brown, R. G. W., R. Jones, J. G. Rarity, and K. D. Ridley,

Biham, E., M. Boyer, P. O. Boykin, T. Mor, and V. Roy- 1987, ˜˜Characterization of silicon avalanche photodiodes for

chowdhury, 1999, ˜˜A proof of the security of quantum key photon correlation measurements. 2: Active quenching,™™

distribution,™™ preprint quant-ph/9912053. Appl. Opt. 26, 2383“2389.

Biham, E., and T. Mor, 1997a, ˜˜Security of quantum cryptog- Brown, R. G. W., K. D. Ridley, and J. G. Rarity, 1986, ˜˜Char-

raphy against collective attacks,™™ Phys. Rev. Lett. 78, 2256“ acterization of silicon avalanche photodiodes for photon cor-

1159. relation measurements. 1: Passive quenching,™™ Appl. Opt. 25,

Biham, E., and T. Mor, 1997b, ˜˜Bounds on information and the 4122“4126.

security of quantum cryptography,™™ Phys. Rev. Lett. 79, Brunel, C., B. Lounis, P. Tamarat, and M. Orrit, 1999, ˜˜Trig-

4034“4037. gered source of single photons based on controlled single

Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Jons- molecule ¬‚uorescence,™™ Phys. Rev. Lett. 83, 2722“2725.

son, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, ˜˜Ex- Bruss, D., 1998, ˜˜Optimal eavesdropping in quantum cryptog-

periments on long wavelength (1550 nm) ˜plug and play™ raphy with six states,™™ Phys. Rev. Lett. 81, 3018“3021.

quantum cryptography system,™™ Opt. Express 4, 383“387. Bruss, D., A. Ekert, and C. Macchiavello, 1998, ˜˜Optimal uni-

¨

Bourennane, M., A. Karlsson, and G. Bjorn, 2001, ˜˜Quantum versal quantum cloning and state estimation,™™ Phys. Rev.

key distribution using multilevel encoding,™™ Phys. Rev. A 64, Lett. 81, 2598“2601.

012306. Buttler, W. T., R. J. Hughes, P. G. Kwiat, S. K. Lamoreaux, G.

¨

Bourennane, M., A. Karlsson, G. Bjorn, N. Gisin, and N. Cerf, G. Luther, G. L. Morgan, J. E. Nordholt, C. G. Peterson, and

2001, ˜˜Quantum key distribution using multilevel encoding: C. Simmons, 1998, ˜˜Practical free-space quantum key distri-

security analysis,™™ preprint quant-ph/0106049. bution over 1 km,™™ Phys. Rev. Lett. 81, 3283“3286.

Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Buttler, W. T., R. J. Hughes, S. K. Lamoreaux, G. L. Morgan, J.

Hening, and J. P. Ciscar, 2000, ˜˜Experimental long wave-

E. Nordholt, and C. G. Peterson, 2000, ˜˜Daylight quantum

length quantum cryptography: from single photon transmis-

key distribution over 1.6 km,™™ Phys. Rev. Lett. 84, 5652“5655.

sion to key extraction protocols,™™ J. Mod. Opt. 47, 563“579.

ˇ

Buzek, V., and M. Hillery, 1996, ˜˜Quantum copying: beyond

Braginsky, V. B., and F. Y. Khalili, 1992, Quantum Measure-

the no-cloning theorem,™™ Phys. Rev. A 54, 1844“1852.

ment (Cambridge University, Cambridge, England).

Cancellieri, G., 1993, Ed., Single-Mode Optical Fiber Measure-

Brassard, G., 1988, Modern Cryptology: A Tutorial, Lecture

ment: Characterization and Sensing (Artech House, Boston).

Notes in Computer Science, Vol. 325 (Springer, New York).

Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kristensen,

´

Brassard, G., C. Crepeau, D. Mayers, and L. Salvail, 1998, in

and K. Lyytikainen, 2000, ˜˜Complex mode coupling within

Proceedings of Randomized Algorithms, Satellite Workshop

air-silica structured optical ¬bers and applications,™™ Opt.

of the 23rd International Symposium on Mathematical Foun-

Commun. 185, 321“324.

dations of Computer Science, Brno, Czech Republic, edited

Cirac, J. I., and N. Gisin, 1997, ˜˜Coherent eavesdropping strat-

by R. Freivalds (Aachen University, Aachen, Germany), pp.

egies for the 4-state quantum cryptography protocol,™™ Phys.

13“15.

¨ Lett. A 229, 1“7.

Brassard, G., N. Lutkenhaus, T. Mor, and B. C. Sanders, 2000,

Clarke, R. B. M., A. Che¬‚es, S. M. Barnett, and E. Riis, 2000,

˜˜Limitations on practical quantum cryptography,™™ Phys. Rev.

˜˜Experimental demonstration of optimal unambiguous state

Lett. 85, 1330“1333.

discrimination,™™ Phys. Rev. A 63, 040305.

Brassard, G., and L. Salvail, 1994, in Advances in Cryptology”

Clauser, J. F., M. A. Horne, A. Shimony, and R. A. Holt, 1969,

EUROCRYPT ™93 Proceedings, Lecture Notes in Computer

˜˜Proposed experiment to test local hidden variable theories,™™

Science, Vol. 765, edited by T. Helleseth (Springer, New

Phys. Rev. Lett. 23, 880“884.