
sions. This is the longest span realized to date for QC with photon pairs.

As already mentioned, it is essential for this scheme to have a pump laser whose coherence length is longer than the path imbalance of the interferometers. In addition, its wavelength must remain stable during a key exchange session. These requirements imply that the pump laser must be somewhat more elaborate than in the case of polarization entanglement.

2. Phase-time coding

We have mentioned in Sec. IV.C that states generated by two-path interferometers are two-level quantum systems. They can also be represented on a Poincaré sphere. The four states used for phase coding in the previous section would lie equally distributed on the equator of the sphere. The coupling ratio of the beamsplitter is 50%, and a phase difference is introduced between the components propagating through either arm. In principle, the four-state protocol can be equally well implemented with only two states on the equator and two others on the poles. In this section, we present a system exploiting such a set of states. Proposed by our group in 1999 (Brendel et al., 1999), the scheme follows in principle the Franson configuration described in the context of phase coding. However, it is based on a pulsed source emitting entangled photons in so-called energy-time Bell states (Tittel et al., 2000). The emission time of the photon pair is therefore given by a superposition of only two discrete terms, instead of by a wide and continuous range bounded only by the long coherence length of the pump laser (see Sec. V.B.1).

Consider Fig. 26. If Alice registers the arrival times of the photons with respect to the emission time of the pump pulse $t_0$, she finds the photons in one of three time slots (note that she has two detectors to take into account). For instance, detection of a photon in the first slot corresponds to the pump photon's having traveled via the short arm and the downconverted photon's having traveled via the short arm. To keep it simple, we refer to this process as $s_P$, $s_A$, where P stands for the

left satellite or in the central peak. The same holds for Bob, who now knows that Alice's photon traveled via the short arm in her interferometer. Therefore, in the case of joint detection in a satellite peak, Alice and Bob must have correlated detection times. Assigning a bit value to each side peak, Alice and Bob can exchange a sequence of correlated bits.

The cases where both find the photon in the central time slot are used to implement the second basis. They correspond to the $s_P$, $l_A l_B$ and $l_P$, $s_A s_B$ possibilities. If these are indistinguishable, one obtains two-photon interferences, exactly as in the case discussed in the previous section on phase coding. Adjusting the phases and keeping them stable, one can use the perfect correlations between output ports chosen by the photons at Alice's and Bob's interferometers to establish the key bits in this second basis.

Phase-time coding has recently been implemented in a laboratory experiment by our group (Tittel et al., 2000) and was reported at the same time as the two polarization entanglement-based schemes mentioned above. A contrast of approximately 93% was obtained, yielding a QBER_opt contribution of 3.5%, similar to that obtained with the phase-coding scheme. This experiment will be repeated over long distances, since losses in optical fibers are low at the downconverted photon wavelength (1300 nm).

An advantage of this setup is that coding in the time basis is particularly stable. In addition, the coherence length of the pump laser is no longer critical. However, it is necessary to use relatively short pulses ( 500 ps) powerful enough to induce a significant downconversion

Phase-time coding, as discussed in this section, can also be realized with faint laser pulses (Bechmann-Pasquinucci and Tittel, 2000). The one-photon configuration has so far never been realized. It would be similar to the double Mach-Zehnder setup discussed in Sec. IV.C.1, but with the first coupler replaced by an active

Note that it does not constitute a product state.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002
180 Gisin et al.: Quantum cryptography

switch. For the time basis, Alice would set the switch either to full transmission or to full reflection, while for the energy basis she would set it at 50%. This illustrates how research on photon pairs can yield advances on faint-pulse systems.

3. Quantum secret sharing

In addition to QC using phase-time coding, we used the setup depicted in Fig. 26 for the first proof-of-principle demonstration of quantum secret sharing -- the generalization of quantum key distribution to more than two parties (Tittel et al., 2001). In this new application of quantum communication, Alice distributes a secret key to two other users, Bob and Charlie, in such a way that neither Bob nor Charlie alone has any information about the key, but together they have full information. As in traditional QC, an eavesdropper trying to get some information about the key creates errors in the transmission data and thus reveals her presence. The motivation behind quantum secret sharing is to guarantee that Bob and Charlie cooperate -- one of them might be dishonest -- in order to obtain a given piece of information. In contrast with previous proposals using three-particle Greenberger-Horne-Zeilinger states (Zukowski et al., 1998; Hillery et al., 1999), pairs of entangled photons in so-called energy-time Bell states were used to mimic the necessary quantum correlation of three entangled qubits, although only two photons exist at the same time. This is possible because of the symmetry between the preparation device acting on the pump pulse and the devices analyzing the downconverted photons. Therefore the emission of a pump pulse can be considered as the detection of a photon with 100% efficiency, and the scheme features a much higher coincidence rate than that expected with the initially proposed "triple-photon" schemes.

A. Problems and objectives

After the qubit exchange and basis reconciliation, Alice and Bob each have a sifted key. Ideally, these keys are identical. But in real life, there are always some errors, and Alice and Bob must apply some classical information processing protocols, like error correction and privacy amplification to their data (see Sec. II.C.4). The first protocol is necessary to obtain identical keys and the second to obtain a secret key. Essentially, the problem of eavesdropping is to find protocols which, given that Alice and Bob can only measure the QBER, either provide Alice and Bob with a verifiably secure key or stop the protocol and inform the users that the key distribution has failed. This is a delicate problem at the intersection of quantum physics and information theory. Actually, it comprises several eavesdropping problems, depending on the precise protocol, the degree of idealization one admits, the technological power one assumes Eve has, and the assumed fidelity of Alice and Bob's equipment. Let us immediately stress that a complete analysis of eavesdropping on a quantum channel has yet to be achieved. In this section we review some of the problems and solutions, without any claim for mathematical rigor or complete coverage of the huge and rapidly evolving literature.

The general objective of eavesdropping analysis is to find ultimate and practical proofs of security for some quantum cryptosystems. "Ultimate proofs" guarantee security against entire classes of eavesdropping attacks, even if Eve uses not only the best of today's technology, but any conceivable future technology. These proofs take the form of theorems, with clearly stated assumptions expressed in mathematical terms. In contrast, practical proofs deal with some actual pieces of hardware and software. There is thus a tension between "ultimate" and "practical" proofs. Indeed, the former favor general abstract assumptions, whereas the latter concentrate on physical implementations. Nevertheless, it is worth finding such proofs. In addition to the security issue, they provide illuminating lessons for our general understanding of quantum information.

In the ideal game Eve has perfect technology: she is limited only by the laws of quantum mechanics, but not at all by current technology.47 In particular, Eve cannot clone qubits, as this is incompatible with quantum dynamics (see Sec. II.C.2), but she is free to use any unitary interaction between one or several qubits and an auxiliary system of her choice. Moreover, after the interaction, Eve may keep her auxiliary system unperturbed, in complete isolation from the environment, for an arbitrarily long time. Finally, after listening to all the public discussion between Alice and Bob, she can perform the measurement of her choice on her system, being again limited only by the laws of quantum mechanics. One assumes further that all errors are due to Eve. It is tempting to assume that some errors are due to Alice's and Bob's instruments, and this probably makes sense in practice. However, there is the danger of Eve's replacing them with higher-quality instruments (see the next sec-

In the next section we elaborate on the most relevant differences between the above ideal game (ideal especially from Eve's point of view) and real systems. Next, we return to the idealized situation and present several eavesdropping strategies, starting from the simplest, in which explicit formulas can be written down, and ending with a general abstract security proof. Finally, we discuss practical eavesdropping attacks and comment on the complexity of a real system's security.

B. Idealized versus real implementation

Alice and Bob use the technology available today. This trivial remark has several implications. First, all

47 The question of whether QC would survive the discovery of the currently unknown validity limits of quantum mechanics is interesting. Let us argue that it is likely that quantum mechanics will always adequately describe photons at telecommunications and visible wavelengths, just as classical mechanics will always adequately describe the fall of apples, whatever the future of physics may be.


real components are imperfect, so that the qubits are not prepared and detected in the exact basis described by the theory. Moreover, a real source always has a finite probability of producing more than one photon. Depending on the details of the encoding device, all photons carry the same qubit (see Sec. VI.J). Hence, in principle, Eve could measure the photon number without perturbing the qubit. This scenario is discussed in Sec. VI.H. Recall that, ideally, Alice should emit single-qubit photons, i.e., each logical qubit should be encoded in a single degree of freedom of a single photon.

On Bob's side the efficiency of his detectors is quite limited and the dark counts (spontaneous counts not produced by photons) are non-negligible. The limited efficiency is analogous to the losses in the quantum channel. The analysis of the dark counts is more delicate, and no complete solution is known. Conservatively, Lütkenhaus (2000) assumes in his analysis that all dark counts provide information to Eve. He also advises that, whenever two detectors fire simultaneously (generally due to a real photon and a dark count), Bob should not disregard such events but should choose a value at random. Note also that the different contributions of dark counts to the total QBER depend on whether Bob's choice of basis is implemented using an active or a passive switch (see Sec. IV.A).

Next, one usually assumes that Alice and Bob have thoroughly checked their equipment and that it is functioning according to specifications. This assumption is not unique to quantum cryptography but is critical, as Eve could be the actual manufacturer of the equipment. Classical cryptosystems must also be carefully tested, like any commercial apparatus. Testing a cryptosystem is tricky, however, because in cryptography the client buys confidence and security, two qualities difficult to quantify. Mayers and Yao (1998) proposed using Bell's inequality to test whether the equipment really obeys quantum mechanics, but even this is not entirely satisfactory. Interestingly, one of the most subtle loopholes in all present-day tests of Bell's inequality, the detection loophole, can be exploited to produce purely classical software mimicking all quantum correlations (Gisin and Gisin, 1999). This illustrates once again the close connection between practical issues in QC and philosophical debates about the foundations of quantum physics.

Finally, one must assume that Alice and Bob are perfectly isolated from Eve. Without such an assumption the entire game would be meaningless: clearly, Eve is not allowed to look over Alice's shoulder. However, this elementary assumption is again nontrivial. What if Eve uses the quantum channel connecting Alice to the outside world? Ideally, the channel should incorporate an isolator48 to keep Eve from shining light into Alice's output port to examine the interior of her laboratory. Since all isolators operate only on a finite bandwidth, there should also be a filter, but filters have only a finite efficiency, and so on. Except for Sec. VI.K, in which this assumption is discussed, we shall henceforth assume that Alice and Bob are isolated from Eve.

C. Individual, joint, and collective attacks

In order to simplify the problem, several eavesdropping strategies of limited generality have been defined (Lütkenhaus, 1996; Biham and Mor, 1997a, 1997b) and analyzed. Of particular interest is the assumption that Eve attaches independent probes to each qubit and measures her probes one after the other. This class of attack is called the individual attack, or incoherent attack. This important class is analyzed in Secs. VI.D and VI.E. Two other classes of eavesdropping strategies let Eve process several qubits coherently, hence the name coherent attacks. The most general coherent attacks are called joint attacks, while an intermediate class assumes that Eve attaches one probe per qubit, as in individual attacks, but can measure several probes coherently, as in coherent attacks. This intermediate class is called the collective attack. It is not known whether this class is less efficient than the most general class, that of joint attacks. It is also not known whether it is more efficient than the simpler individual attacks. Actually, it is not even known whether joint attacks are more efficient than individual

For joint and collective attacks, the usual assumption is that Eve measures her probe only after Alice and Bob have completed all public discussion about basis reconciliation, error correction, and privacy amplification. For the more realistic individual attacks, one assumes that Eve waits only until the basis reconciliation phase of the public discussion.49 The motivation for this assumption is that one hardly sees what Eve could gain by waiting until after the public discussion on error correction and privacy amplification before measuring her probes, since she is going to measure them independently anyway.

Individual attacks have the nice feature that the problem can be entirely translated into a classical one: Alice, Bob, and Eve all have classical information in the form of random variables , , and , respectively, and the laws of quantum mechanics impose constraints on the joint probability distribution P( , , ). Such classical scenarios have been widely studied by the classical cryptology community, and many of their results can thus be directly applied.

D. Simple individual attacks: Intercept-resend and measurement in the intermediate basis

The simplest attack for Eve consists in intercepting all photons individually, measuring them in a basis chosen randomly between the two bases used by Alice, and sending new photons to Bob prepared according to her

48 Optical isolators, based on the Faraday effect, let light pass through in only one direction.

49 With today's technology, it might even be fair to assume that in individual attacks Eve must measure her probe before the basis reconciliation.


FIG. 27. Poincaré representation of the BB84 states and the intermediate basis, also known as the Breidbart basis, that can be used by Eve.

FIG. 28. Eavesdropping on a quantum channel. Eve extracts information from the quantum channel between Alice and Bob at the cost of introducing noise into that channel.

result. As presented in Sec. II.C.3 and assuming that the BB84 protocol is used, Eve thus gets 0.5 bits of information per bit in the sifted key, for an induced QBER of 25%. Let us illustrate the general formalism with this simple example. Eve's mean information gain on Alice's bit, I( , ), equals their relative entropy decrease:

$$I(\ ,\ ) = H_{a\ priori} - H_{a\ posteriori}, \qquad (40)$$

i.e., I( , ) is the number of bits one can save by writing when knowing . Since the a priori probability for Alice's bit is uniform, $H_{a\ priori} = 1$. The a posteriori entropy has to be averaged over all possible results r that Eve might get:

$$H_{a\ posteriori} = \sum_r P(r)\, H(i|r), \qquad (41)$$

$$H(i|r) = -\sum_i P(i|r) \log_2 P(i|r), \qquad (42)$$

where the a posteriori probability of bit i, given Eve's result r, is given by Bayes's theorem:

Pir , (43)
Pr

with $P(r) = \sum_i P(r|i) P(i)$. In the case of intercept resend, Eve gets one out of four possible results: $r \in \{\uparrow, \downarrow, \leftarrow, \rightarrow\}$. After the basis has been revealed, Alice's input assumes one of two values: $i \in \{\uparrow, \downarrow\}$ (assuming the ↑↓ basis was used, the other case is completely analogous). One gets $P(i=\uparrow | r=\uparrow) = 1$, $P(i=\uparrow | r=\rightarrow) = \tfrac{1}{2}$, and $P(r) = \tfrac{1}{2}$. Hence, $I(\ ,\ ) = 1 - \tfrac{1}{2} h(1) - \tfrac{1}{2} h(\tfrac{1}{2}) = 1 - \tfrac{1}{2} = \tfrac{1}{2}$ [with $h(p) = -p \log_2(p) - (1-p) \log_2(1-p)$].

Another strategy for Eve, no more difficult to implement, consists in measuring the photons in the intermediate basis (see Fig. 27), also known as the Breidbart basis (Bennett, Bessette, et al., 1992). In this case the probability that Eve guesses the correct bit value is $p = \cos(\pi/8)^2 = \tfrac{1}{2} + \sqrt{2}/4 \approx 0.854$, corresponding to a QBER $= 2p(1-p) = 25\%$ and a Shannon information gain per bit of

$$I = 1 - H(p) \approx 0.399. \qquad (44)$$

Consequently, this strategy is less advantageous for Eve than the intercept-resend strategy. Note however, that with this strategy Eve's probability of guessing the correct bit value is 85%, compared to only 75% in the intercept-resend case. This is possible because in the latter case, Eve's information is deterministic in half the cases, while in the former Eve's information is always probabilistic (formally, this results from the convexity of the entropy function).

E. Symmetric individual attacks

In this section we present in some detail how Eve could get the maximum Shannon information for a fixed QBER, assuming a perfect single-qubit source and restricting Eve to attacks on one qubit after the other (i.e., individual attacks). The motivation is that this idealized situation is rather simple to treat and nicely illustrates several of the subtleties of the subject. Here we concentrate on the BB84 four-state protocol; for related results on the two-state and six-state protocols, see Fuchs and Peres (1996) and Bechmann-Pasquinucci and Gisin (1999), respectively.

The general idea of eavesdropping on a quantum channel is as follows. When a qubit propagates from Alice to Bob, Eve can let a system of her choice, called a probe, interact with the qubit (see Fig. 28). She can freely choose the probe and its initial state, but the system must obey the rules of quantum mechanics (i.e., be described in some Hilbert space). Eve can also choose the interaction, but it should be independent of the qubit state, and she should obey the laws of quantum mechanics; i.e., her interaction must be described by a unitary operator. After the interaction a qubit has to go to Bob (in Sec. VI.H we consider lossy channels, so that Bob does not always expect a qubit, a fact that Eve can take advantage of). It makes no difference whether this qubit is the original one (possibly in a modified state). Indeed, the question does not even make sense, since a qubit is nothing but a qubit. However, in the formalism it is convenient to use the same Hilbert space for the qubit sent by Alice as for the qubit received by Bob (this is no loss of generality, since the swap operator -- defined by  →  for all , -- is unitary and could be appended to Eve's interaction).
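The figures quoted in Sec. VI.D above (0.5 bit versus 0.399 bit per sifted bit, both at 25% QBER) follow directly from Eqs. (40)-(42) and Bayes's theorem. The Python sketch below is an added example, not code from the paper; representing the BB84 states as linear polarizations at 0°/90° and 45°/135°, the Breidbart basis at 22.5°/112.5°, and the names `ket`, `prob`, `entropy` and `analyse` are assumptions of this example. It also computes the induced QBER, the quantity Alice and Bob actually measure.

```python
import math
from collections import defaultdict

def ket(deg):
    """Linear-polarization state at angle `deg`, as a real 2-vector."""
    t = math.radians(deg)
    return (math.cos(t), math.sin(t))

def prob(a, b):
    """Born rule |<a|b>|^2 for real 2-vectors."""
    return (a[0] * b[0] + a[1] * b[1]) ** 2

# Each basis lists the state encoding bit 0, then bit 1.
RECT, DIAG = [ket(0), ket(90)], [ket(45), ket(135)]   # the two BB84 bases
BREIDBART = [ket(22.5), ket(112.5)]                    # intermediate basis

def entropy(ps):
    """Shannon entropy in bits, skipping zero-probability outcomes."""
    return -sum(p * math.log2(p) for p in ps if p > 1e-12)

def analyse(eve_bases):
    """Eve measures every photon in a basis drawn uniformly from eve_bases
    and resends the state she found. Returns (information in bits, QBER,
    probability of a correct guess) on the sifted key, where Bob measures
    in Alice's basis."""
    joint = defaultdict(float)   # (Alice basis, Eve result r, bit i) -> P
    qber = 0.0
    for a, basis in enumerate((RECT, DIAG)):
        for i, sent in enumerate(basis):
            for e, eve_basis in enumerate(eve_bases):
                for o, found in enumerate(eve_basis):
                    p = 0.25 / len(eve_bases) * prob(sent, found)
                    joint[(a, (e, o), i)] += p
                    qber += p * prob(found, basis[1 - i])  # Bob reads wrong bit
    # Eve learns Alice's basis during reconciliation: condition on (a, r).
    h_post, p_guess = 0.0, 0.0
    for a, r in {(a, r) for a, r, _ in joint}:
        p_i = [joint[(a, r, i)] for i in (0, 1)]   # P(r|i)P(i) for each bit
        p_r = sum(p_i)                              # P(r)
        if p_r < 1e-12:
            continue
        h_post += p_r * entropy([p / p_r for p in p_i])   # Eqs. (41)-(42)
        p_guess += max(p_i)
    return 1.0 - h_post, qber, p_guess   # Eq. (40) with H_a priori = 1

if __name__ == "__main__":
    for name, bases in (("intercept-resend", [RECT, DIAG]),
                        ("Breidbart", [BREIDBART])):
        info, qber, guess = analyse(bases)
        print(f"{name:17s} I={info:.3f} bit  QBER={qber:.3f}  P(guess)={guess:.3f}")
```

Both strategies produce the same 25% QBER, so the error rate alone does not tell Alice and Bob which measurement Eve used; the bound they apply must cover the more informative one.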


FIG. 29. Poincaré representation of BB84 states in the event of a symmetrical attack. The state received by Bob after the interaction of Eve's probe is related to the one sent by Alice by a simple shrinking factor. When the unitary operator U entangles the qubit and Eve's probe, Bob's state [Eq. (46)] is mixed and is represented by a point inside the Poincaré

Let H_Eve and C^2  H_Eve be the Hilbert spaces of Eve's probe and of the total qubit probe system, respectively. If m , 0 , and U denote the qubit's and the probe's initial states and the unitary interaction, respectively,

0. (49)
↑ ↓ ↑ ↓

The 's correspond to Eve's state when Bob receives the qubit undisturbed, while the 's are Eve's state when the qubit is disturbed.

Let us emphasize that this is the most general unitary interaction satisfying Eq. (46). One finds that the shrinking factor is given by F D. Accordingly, if Alice sends ↑ and Bob measures it in the compatible basis, then ↑ Bob (m ) ↑ F is the probability that Bob gets the correct result. Hence F is the fidelity and D the

Note that only four states span Eve's relevant state space. Hence Eve's effective Hilbert space is at most four dimensional, no matter how subtle she might be.51 This greatly simplifies the analysis.

Symmetry requires that the attack on the other basis satisfy

↑,0 ↓,0
U →,0 U (50)

↑ ↓
 ↑ (51)
