<< . .

. 11
( : 12)



. . >>

cuss this eventuality below. Another possibility would be
nate from qubits attacked coherently. Consequently, the
for Eve to map her photon to a quantum memory. This
15% bound would still be valid (partial results in favor
does not exist today but might well exist in the future.
of this conjecture can be found in Cirac and Gisin, 1997
Note that the quantum memory should have essentially
and Bechmann-Pasquinucci and Gisin, 1999). However,
unlimited decoherence time, since Alice and Bob could
if Eve has unlimited power, in particular, if she can co-
easily wait for minutes before revealing the bases.58 Fi-
herently attack an unlimited number of qubits, then the
nally, Eve must access a lossless channel, or at least a
11% bound might be required.
channel with lower losses than that used by Alice and
To conclude this section, let us stress that the above
security proof applies equally to the six-state protocol
(Sec. II.D.2). It also extends in a straightforward
56
For polarization coding, this is quite clear, but for phase
fashion to protocols using larger alphabets (Bechmann-
coding one may think (incorrectly) that phase and photon
Pasquinucci and Peres, 2000; Bechmann-Pasquinucci
number are incompatible. However, the phase used for encod-
¨
and Tittel, 2000; Bourennane, Karlsson, and Bjorn, 2001;
ing is a relative phase between two modes. Whether these
¨
Bourennane, Karlsson, Bjorn, Gisin, and Cerf, 2001).
modes are polarization modes or correspond to different times
(determined, for example, by the relative length of interferom-
eters), does not matter.
57
Recall that a mixture of coherent states e i with a
random phase , as produced by lasers when no phase refer-
H. Photon number measurements and lossless channels ence is available, is equal to a mixture of photon number states
2 i
ei
n with Poisson statistics: 0e (d /2 )
In Sec. III.A we saw that all real photon sources have n 2
n 0( /n!) e n n , where .
a ¬nite probability of emittting more than one photon. If 58
The quantum part of the protocol could run continuously,
all emitted photons encode the same qubit, Eve can take storing large amounts of raw classical data, but the classical
advantage of this. In principle, she can ¬rst measure the part of the protocol, which processes these raw data, could
number of photons in each pulse without disturbing the take place just seconds before the key is used.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
188 Gisin et al.: Quantum cryptography


Bob. This might be the trickiest point. Indeed, besides
using a shorter channel, what can Eve do? Telecommu-
nications ¬bers are already at the physical limits of what
can be achieved (Thomas et al., 2000). The loss is almost
entirely due to Rayleigh scattering, which is unavoid-
¨
able: solve the Schrodinger equation in a medium with
inhomogeneities and you get scattering. When the inho-
mogeneities are due to the molecular stucture of the
medium, it is dif¬cult to imagine lossless ¬bers. The
FIG. 32. Realistic beamsplitter attack. Eve stops all pulses.
0.18-dB/km attenuation in silica ¬bers at 1550 nm is a
The two photon pulses have a 50% probability of being ana-
lower bound imposed by physics rather then
lyzed by the same analyzer. If this analyzer is compatible with
technology.59 Note that using air is not a viable solution,
the state prepared by Alice, then both photons are detected
since attenuation at telecommunications wavelengths is
with the same outcome; if not, there is a 50% chance that they
rather high. Vacuum, the only way to avoid Rayleigh are detected with the same outcome. Hence there is a prob-
scattering, also has limitations, due to diffraction, again 3
ability of 8 that Eve detects both photons with the same out-
an unavoidable physical phenomenon. In the end, it come. In such a case, and only in such a case, she resends a
seems that Eve has only two possibilities left. Either she 2
photon to Bob. In 3 of these cases she introduces no errors,
uses teleportation (with extremely high success prob- since she has identi¬ed the correct state and gets full informa-
ability and ¬delity) or she converts the photons to an- tion; in the remaining cases she has a 50% probability of in-
other wavelength (without perturbing the qubit). Both troducing an error and gains no information. The total QBER
1 2
of these ˜˜solutions™™ seem unrealistic in the foreseeable is thus 6, and Eve™s information gain is 3.
future.
Consequently, when considering the type of attacks
state into Bob™s apparatus. Since Eve™s information is
discussed in this section, it is essential to distinguish the
classical, she can overcome all the losses of the quantum
ultimate proofs from the practical ones. Indeed, the as-
channel. In all other cases, Eve sends nothing to Bob. In
sumptions about the defects of Alice and Bob™s appara- 3
this way, Eve sends a fraction ( 8 ) of the pulses contain-
tuses must be very speci¬c and might thus be of limited
ing at least two photons to Bob. She introduces a QBER
interest, while for practical considerations these assump- 1 2
of 6 and gets information I(A,E) 3 4•QBER. Bob
tions must be very general and might thus be excessive.
does not see any reduction in the number of detected
photons, provided that the transmission coef¬cient of
the quantum channel t satis¬es
I. A realistic beamsplitter attack
3 3
t Prob n 2 n 1 , (76)
The attack presented in the previous section takes ad- 8 16
vantage of pulses containing more than one photon.
where the last expression assumes Poissonian photon
However, as discussed, it uses unrealistic assumptions. In
distribution. Accordingly, for a ¬xed QBER, this attack
¨
this section, following Dusek et al. (2000) and Lutken-
provides Eve with twice the information she would get
haus (2000), we brie¬‚y comment on a realistic attack
from using the intercept-resend strategy. To counter
that, also exploits multiphoton pulses (for details, see
such an attack, Alice should use a mean photon number
Felix et al., 2001, where this and other examples are pre-
such that Eve can use this attack on only a fraction of
sented). Assume that Eve splits all pulses in two, analyz-
the pulses. For example, Alice could use pulses weak
ing each half in one of the two bases, using photon
enough that Eve™s mean information gain is identical to
counting devices able to distinguish between pulses with
what she would obtain with the simple intercept-resend
0, 1, and 2 photons (see Fig. 32). In practice this could be
strategy (see Sec. II.C.3). For 10-, 14-, and 20-dB attenu-
realized using many single-photon counters in parallel.
ation, this corresponds to 0.25, 0.1, and 0.025, respec-
This requires nearly perfect detectors, but at least one
tively.
does not need to assume technology completely out of
today™s realm. Whenever Eve detects two photons in the
same output, she sends a photon in the corresponding
J. Multiphoton pulses and passive choice of states

Multiphoton pulses do not necessarily constitute a
59
Photonics crystal ¬bers have the potential to overcome the threat to key security, but they limit the key creation
Rayleigh scattering limit. There are two kinds of such ¬bers. rate because they imply that more bits must be dis-
The ¬rst kind guides light by total internal re¬‚ection, as in carded during key distillation. This fact is based on the
ordinary ¬bers. In these ¬bers most of the light also propagates
assumption that all photons in a pulse carry the same
in silica, and thus the loss limit is similar. In the second kind,
qubit, so that Eve does not need to copy the qubit going
most of the light propagates in air. Thus the theoretical loss
to Bob, but merely keeps the copy that Alice inadvert-
limit is lower. However, today the losses are extremely high, in
ently provides. When using weak pulses, it seems un-
the range of hundreds of dB/km. The best reported result that
avoidable that all the photons in a pulse carry the same
we are aware of is 11 dB/km, and it was obtained with the ¬rst
qubit. However, in two-photon implementations, each
kind of ¬ber (Canning et al., 2000).


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
189
Gisin et al.: Quantum cryptography


photon on Alice™s side independently chooses a state [in this class of attacks exists illustrates that the security of
the experiments of Ribordy et al. (2001) and Tittel et al. QC can never be guaranteed by the principles of
(2000), each photon randomly chooses both its basis and quantum mechanics only, but must necessarily rely on
measures that are subject to discussion.60
its bit value; in the experiments of Naik et al. (2000) and technical
Jennewein, Simon, et al. (2000), only the bit value choice
is random]. Hence, when two photon pairs are simulta-
neously produced, the two twins carry independent qu-
bits by accident. Consequently, Eve cannot take advan- L. Real security: Technology, cost, and complexity
tage of such multiphoton twin pulses. This might be one
Despite the elegance and generality of security proofs,
of the main advantages of two-photon schemes over the
the ideal of a QC system whose security relies entirely
much simpler weak-pulse schemes. But the multiphoton
on quantum principles is unrealistic. The technological
problem is then on Bob™s side, which gets a noisy signal,
implementation of abstract principles will always be
consisting partly of photons not in Alice™s state.
questionable. It is likely that they will remain the weak-
est point in all systems. Moreover, one should remember
K. Trojan horse attacks
the obvious relation:
All eavesdropping strategies discussed up to this point In¬nite security’In¬nite cost
have consisted of Eve™s attempt to get a maximum infor-
’Zero practical interest . (77)
mation from the qubits exchanged by Alice and Bob.
However, Eve can also pursue a completely different On the other hand, however, one should not underes-
strategy: she can herself send signals that enter Alice timate the following two advantages of QC. First, it is
and Bob™s of¬ces through the quantum channel. This much easier to forecast progress in technology than in
kind of strategy is called a Trojan horse attack. For ex- mathematics: the danger that QC will break down over-
ample, Eve can send light pulses into the ¬ber entering night is negligible, in contrast to public-key cryptosys-
Alice™s or Bob™s apparatus and analyze the backre¬‚ected tems. Next, the security of QC depends on the techno-
light. In this way, it is in principle possible to detect logical level of the adversary at the time of the key
which laser just ¬‚ashed, which detector just ¬red, or the exchange, in contrast to complexity-based systems whose
settings of phase and polarization modulators. This can- coded message can be registered and broken thanks to
not be prevented by simply using a shutter, since Alice future progress. The latter point is relevant for secrets
and Bob must leave the ˜˜door open™™ for the photons to whose value lasts many years.
exit and enter, respectively. One often points to low bit rate as one of the current
In most QC setups the amount of backre¬‚ected light limitations of QC. However, it is important to stress that
can be made very small, and sensing the apparatus with QC need not be used in conjunction with one-time-pad
light pulses through the quantum channel is dif¬cult. encryption. It can also be used to provide a key for a
Nevertheless, this attack is especially threatening in the symmetrical cipher such as AES, whose security is
plug-and-play scheme on Alice™s side (Sec. IV.C.2), since greatly enhanced by frequent key changes.
a mirror is used to send the light pulses back to Bob. To conclude this section, let us brie¬‚y elaborate on the
Thus, in principle, Eve can send strong light pulses to differences and similarities between technological and
Alice and sense the applied phase shift. However, by mathematical complexity and on their possible connec-
applying the phase shift only during a short time t phase tions and implications. Mathematical complexity means
(a few nanoseconds), Alice can oblige Eve to send the that the number of steps needed to run complex algo-
spying pulse at the same time as Bob. Remember that in rithms increases exponentially as the size of the input
the plug-and-play scheme, pulses coming from Bob are grows linearly. Similarly, one can de¬ne the technologi-
macroscopic and an attenuator at Alice™s end reduces cal complexity of a quantum computer as an exponen-
them to below the one-photon level, say, 0.1 photons per tially increasing dif¬culty to process coherently all the
pulse. Hence, if Eve wants to get, say, one photon per qubits necessary to run a (noncomplex) algorithm on a
pulse, she has to send ten times Bob™s pulse energy. linearly growing number of input data. It might be inter-
Since Alice is detecting Bob™s pulses for triggering her esting to consider the possibility that the relationship
apparatus, she must be able to detect an increase in en- between these two concepts of complexity is deeper. It
ergy of these pulses in order to reveal the presence of a could be that the solution of a problem requires either a
spying pulse. This is a relatively easy task, provided that complex classical algorithm or a quantum algorithm that
itself requires a complex quantum computer.61
Eve™s pulses look the same as Bob™s. However, Eve could
of course use another wavelength or ultrashort pulses
(or very long pulses with low intensity, hence the impor-
tance of t phase ); therefore Alice must introduce an op- 60
Another technological loophole, recently pointed out by
tical bandpass ¬lter with a transmission spectrum corre- Kurtsiefer et al. (2001), is the possible information leakage
sponding to the sensitivity spectrum of her detector and caused by light emitted by APD™s during their breakdown.
choose a t phase that ¬ts the bandwidth of her detector. 61
Penrose (1994) pushes these speculations even further, sug-
There is no doubt that Trojan horse attacks can be gesting that spontaneous collapses stop quantum computers
prevented by technical measures. However, the fact that whenever they try to compute beyond a certain complexity.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
190 Gisin et al.: Quantum cryptography


VII. CONCLUSIONS QC could well be the ¬rst application of quantum me-
chanics at the single-quantum level. Experiments have
Quantum cryptography is a fascinating illustration of demonstrated that keys can be exchanged over distances
the dialog between basic and applied physics. It is based of a few tens of kilometers at rates on the order of at
on a beautiful combination of concepts from quantum least a thousand bits per second. There is no doubt that
physics and information theory and made possible by the technology can be mastered and the question is not
whether QC will ¬nd commercial applications, but
the tremendous progress in quantum optics and the
when. At present QC is still very limited in distance and
technology of optical ¬bers and free-space optical com-
in secret bit rate. Moreover, public-key systems domi-
munication. Its security principle relies on deep theo-
nate the market and, being pure software, are tremen-
rems in classical information theory and on a profound
dously easier to manage. Every so often, we hear in the
understanding of Heisenberg™s uncertainty principle, as
news that some classical cryptosystem has been broken.
illustrated by Theorems 1 and 2 in Sec. VI.G (the only
This would be impossible with properly implemented
mathematically involved theorems in this review). Let us
QC. But this apparent strength of QC might turn out to
also emphasize the important contributions of QC to
be its weak point: security agencies would be equally
classical cryptography: privacy ampli¬cation and classi-
unable to break quantum cryptograms!
cal bound information (Secs. II.C.4 and II.C.5) are ex-
amples of concepts in classical information whose dis-
covery were much inspired by QC. Moreover, the
ACKNOWLEDGMENTS
fascinating tension between quantum physics and rela-
tivity, as illustrated by Bell™s inequality, is not far away, This work was supported by the Swiss Fonds National
as discussed in Sec. VI.F. Now, despite signi¬cant de la Recherche Scienti¬que (FNRS) and the European
progress in recent years, many open questions and tech- Union projects European Quantum Cryptography and
nological challenges remain. Single-Photon Optical Technologies (EQCSPOT) and
One technological challenge at present concerns im- Long-Distance Photonic Quantum Communication
proved detectors compatible with telecommunications ´´
(QUCOMM) ¬nanced by the Swiss Of¬ce Federal de
¬bers. Two other issues concern free-space QC and l™Education et de la Science (OFES). The authors would
quantum repeaters. The former is currently the only way also like to thank Richard Hughes for providing Fig. 8,
to realize QC over thousands of kilometers using the and acknowledge Charles H. Bennett and Paul G. Kwiat
technology of the near future (see Sec. IV.E). The idea for their very careful reading of the manuscript and their
of quantum repeaters (Sec. III.E) is to encode the qubits helpful remarks.
in such a way that if the error rate is low, then errors can
be detected and corrected entirely in the quantum do-
main. The hope is that such techniques could extend the REFERENCES
range of quantum communication to essentially unlim-
ited distances. Indeed, Hans Briegel, then at the Univer- Ardehali, M., H. F. Chau, and H.-K. Lo, 1998, ˜˜Ef¬cient quan-
sity of Innsbruck, and co-workers (1998) showed that tum key distribution,™™ preprint quant-ph/9803007.
the number of additional qubits needed for quantum re- Aspect, A., J. Dalibard, and G. Roger, 1982, ˜˜Experimental
peaters can be made smaller than the numbers of qubits test of Bell™s inequalities using time-varying analyzers,™™ Phys.
needed to improve the ¬delity of the quantum channel Rev. Lett. 49, 1804“1807.
(Dur et al., 1999). One could thus overcome the deco- Bechmann-Pasquinucci, H., and N. Gisin, 1999, ˜˜Incoherent
herence problem. However, the main practical limitation and coherent eavesdropping in the 6-state protocol of quan-
is not decoherence but loss (most photons never get to tum cryptography,™™ Phys. Rev. A 59, 4238“4248.
Bechmann-Pasquinucci, H., and A. Peres, 2000, ˜˜Quantum
Bob, but those that do get there exhibit high ¬delity).
cryptography with 3-state systems,™™ Phys. Rev. Lett. 85,
As for open questions, let us emphasize three main
3313“3316.
concerns. First, complete and realistic analyses of the
Bechmann-Pasquinucci, H., and W. Tittel, 2000, ˜˜Quantum
security issues are still missing. Next, ¬gures of merit for
cryptography using larger alphabets,™™ Phys. Rev. A 61,
comparing QC schemes based on different quantum sys-
062308.
tems (with different dimensions, for example) are still
Bell, J. S., 1964, ˜˜On the problem of hidden variables in quan-
awaited. Finally, the delicate question of how to test the
tum mechanics,™™ Rev. Mod. Phys. 38, 447“452 [reprinted in
apparatuses has not yet received enough attention. In-
Bell, J. S., 1987, Speakable and Unspeakable in Quantum Me-
deed, a potential customer of quantum cryptography
chanics (Cambridge University, Cambridge, England)].
buys con¬dence and secrecy, two qualities hard to quan- Bennett, C. H., 1992, ˜˜Quantum cryptography using any two
tify. Interestingly, both of these issues are connected to nonorthogonal states,™™ Phys. Rev. Lett. 68, 3121“3124.
Bell™s inequality (see Secs. VI.F and VI.B). Clearly, this Bennett, C. H., F. Bessette, G. Brassard, L. Salvail, and J. Smo-
connection cannot be phrased in the old context of local lin, 1992, ˜˜Experimental quantum cryptography,™™ J. Cryptol-
hidden variables, but rather in the context of the secu- ogy 5, 3“28.
rity of tomorrow™s communications. Here, as in the en- Bennett, C. H., and G. Brassard, 1984, in Proceedings of the
tire ¬eld of quantum information, old concepts are re- IEEE International Conference on Computers, Systems and
newed by looking at them from a fresh perspective: let Signal Processing, Bangalore, India, (IEEE, New York), pp.
us exploit quantum weirdness. 175“179.


Rev. Mod. Phys., Vol. 74, No. 1, January 2002
191
Gisin et al.: Quantum cryptography


´
Bennett, C. H., and G. Brassard, 1985, ˜˜Quantum public key Breguet, J., and N. Gisin, 1995, ˜˜New interferometer using a
distribution system,™™ IBM Tech. Discl. Bull. 28, 3153“3163. 3 3 coupler and Faraday mirrors,™™ Opt. Lett. 20, 1447“1449.
´ ´
Bennett, C. H., G. Brassard, C. Crepeau, R. Jozsa, A. Peres, Breguet, J., A. Muller, and N. Gisin, 1994, ˜˜Quantum cryptog-
and W. K. Wootters, 1993, ˜˜Teleporting an unknown quan- raphy with polarized photons in optical ¬bers: experimental
tum state via dual classical and Einstein-Podolsky-Rosen and practical limits,™™ J. Mod. Opt. 41, 2405“2412.
channels,™™ Phys. Rev. Lett. 70, 1895“1899. Brendel, J., W. Dultz, and W. Martienssen, 1995, ˜˜Geometric
´
Bennett, C. H., G. Brassard, C. Crepeau, and U. M. Maurer, phase in 2-photon interference experiments,™™ Phys. Rev. A
1995, ˜˜Generalized privacy ampli¬cation,™™ IEEE Trans. Inf. 52, 2551“2556.
Theory 41, 1915“1923. Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, ˜˜Pulsed
Bennett, C. H., G. Brassard, and A. Ekert, 1992, ˜˜Quantum energy-time entangled twin-photon source for quantum com-
cryptography,™™ Sci. Am. 267, 50“57. munication,™™ Phys. Rev. Lett. 82, 2594“2597.
Bennett, C. H., G. Brassard, and N. D. Mermin, 1992, ˜˜Quan- Briegel, H.-J., W. Dur, J. I. Cirac, and P. Zoller, 1998, ˜˜Quan-
tum cryptography without Bell™s theorem,™™ Phys. Rev. Lett. tum repeaters: the role of imperfect local operations in quan-
68, 557“559. tum communication,™™ Phys. Rev. Lett. 81, 5932“5935.
Bennett, C. H., G. Brassard, and J.-M. Robert, 1988, ˜˜Privacy Brouri, R., A. Beveratios, J.-P. Poizat, and P. Grangier, 2000,
ampli¬cation by public discussion,™™ SIAM J. Comput. 17, ˜˜Photon antibunching in the ¬‚uorescence of individual col-
210“229. ored centers in diamond,™™ Opt. Lett. 25, 1294“1296.
Berry, M. V., 1984, ˜˜Quantal phase factors accompanying adia- Brown, R. G. W., and M. Daniels, 1989, ˜˜Characterization of
batic changes,™™ Proc. R. Soc. London, Ser. A 392, 45“57. silicon avalanche photodiodes for photon correlation mea-
Bethune, D., and W. Risk, 2000, ˜˜An autocompensating ¬ber- surements. 3: Sub-Geiger operation,™™ Appl. Opt. 28, 4616“
optic quantum cryptography system based on polarization 4621.
splitting of light,™™ IEEE J. Quantum Electron. 36, 340“347. Brown, R. G. W., R. Jones, J. G. Rarity, and K. D. Ridley,
Biham, E., M. Boyer, P. O. Boykin, T. Mor, and V. Roy- 1987, ˜˜Characterization of silicon avalanche photodiodes for
chowdhury, 1999, ˜˜A proof of the security of quantum key photon correlation measurements. 2: Active quenching,™™
distribution,™™ preprint quant-ph/9912053. Appl. Opt. 26, 2383“2389.
Biham, E., and T. Mor, 1997a, ˜˜Security of quantum cryptog- Brown, R. G. W., K. D. Ridley, and J. G. Rarity, 1986, ˜˜Char-
raphy against collective attacks,™™ Phys. Rev. Lett. 78, 2256“ acterization of silicon avalanche photodiodes for photon cor-
1159. relation measurements. 1: Passive quenching,™™ Appl. Opt. 25,
Biham, E., and T. Mor, 1997b, ˜˜Bounds on information and the 4122“4126.
security of quantum cryptography,™™ Phys. Rev. Lett. 79, Brunel, C., B. Lounis, P. Tamarat, and M. Orrit, 1999, ˜˜Trig-
4034“4037. gered source of single photons based on controlled single
Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. Jons- molecule ¬‚uorescence,™™ Phys. Rev. Lett. 83, 2722“2725.
son, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, ˜˜Ex- Bruss, D., 1998, ˜˜Optimal eavesdropping in quantum cryptog-
periments on long wavelength (1550 nm) ˜plug and play™ raphy with six states,™™ Phys. Rev. Lett. 81, 3018“3021.
quantum cryptography system,™™ Opt. Express 4, 383“387. Bruss, D., A. Ekert, and C. Macchiavello, 1998, ˜˜Optimal uni-
¨
Bourennane, M., A. Karlsson, and G. Bjorn, 2001, ˜˜Quantum versal quantum cloning and state estimation,™™ Phys. Rev.
key distribution using multilevel encoding,™™ Phys. Rev. A 64, Lett. 81, 2598“2601.
012306. Buttler, W. T., R. J. Hughes, P. G. Kwiat, S. K. Lamoreaux, G.
¨
Bourennane, M., A. Karlsson, G. Bjorn, N. Gisin, and N. Cerf, G. Luther, G. L. Morgan, J. E. Nordholt, C. G. Peterson, and
2001, ˜˜Quantum key distribution using multilevel encoding: C. Simmons, 1998, ˜˜Practical free-space quantum key distri-
security analysis,™™ preprint quant-ph/0106049. bution over 1 km,™™ Phys. Rev. Lett. 81, 3283“3286.
Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. Buttler, W. T., R. J. Hughes, S. K. Lamoreaux, G. L. Morgan, J.
Hening, and J. P. Ciscar, 2000, ˜˜Experimental long wave-
E. Nordholt, and C. G. Peterson, 2000, ˜˜Daylight quantum
length quantum cryptography: from single photon transmis-
key distribution over 1.6 km,™™ Phys. Rev. Lett. 84, 5652“5655.
sion to key extraction protocols,™™ J. Mod. Opt. 47, 563“579.
ˇ
Buzek, V., and M. Hillery, 1996, ˜˜Quantum copying: beyond
Braginsky, V. B., and F. Y. Khalili, 1992, Quantum Measure-
the no-cloning theorem,™™ Phys. Rev. A 54, 1844“1852.
ment (Cambridge University, Cambridge, England).
Cancellieri, G., 1993, Ed., Single-Mode Optical Fiber Measure-
Brassard, G., 1988, Modern Cryptology: A Tutorial, Lecture
ment: Characterization and Sensing (Artech House, Boston).
Notes in Computer Science, Vol. 325 (Springer, New York).
Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kristensen,
´
Brassard, G., C. Crepeau, D. Mayers, and L. Salvail, 1998, in
and K. Lyytikainen, 2000, ˜˜Complex mode coupling within
Proceedings of Randomized Algorithms, Satellite Workshop
air-silica structured optical ¬bers and applications,™™ Opt.
of the 23rd International Symposium on Mathematical Foun-
Commun. 185, 321“324.
dations of Computer Science, Brno, Czech Republic, edited
Cirac, J. I., and N. Gisin, 1997, ˜˜Coherent eavesdropping strat-
by R. Freivalds (Aachen University, Aachen, Germany), pp.
egies for the 4-state quantum cryptography protocol,™™ Phys.
13“15.
¨ Lett. A 229, 1“7.
Brassard, G., N. Lutkenhaus, T. Mor, and B. C. Sanders, 2000,
Clarke, R. B. M., A. Che¬‚es, S. M. Barnett, and E. Riis, 2000,
˜˜Limitations on practical quantum cryptography,™™ Phys. Rev.
˜˜Experimental demonstration of optimal unambiguous state
Lett. 85, 1330“1333.
discrimination,™™ Phys. Rev. A 63, 040305.
Brassard, G., and L. Salvail, 1994, in Advances in Cryptology”
Clauser, J. F., M. A. Horne, A. Shimony, and R. A. Holt, 1969,
EUROCRYPT ™93 Proceedings, Lecture Notes in Computer
˜˜Proposed experiment to test local hidden variable theories,™™
Science, Vol. 765, edited by T. Helleseth (Springer, New
Phys. Rev. Lett. 23, 880“884.

<< . .

. 11
( : 12)



. . >>