sions. This is the longest span realized to date for QC Bob, who now knows that Alice™s photon traveled via

with photon pairs. the short arm in her interferometer. Therefore, in the

As already mentioned, it is essential for this scheme to case of joint detection in a satellite peak, Alice and Bob

have a pump laser whose coherence length is longer must have correlated detection times. Assigning a bit

than the path imbalance of the interferometers. In addi- value to each side peak, Alice and Bob can exchange a

tion, its wavelength must remain stable during a key ex- sequence of correlated bits.

change session. These requirements imply that the pump The cases where both ¬nd the photon in the central

laser must be somewhat more elaborate than in the case time slot are used to implement the second basis. They

of polarization entanglement. correspond to the s P , l A l B and l P , s A s B possi-

bilities. If these are indistinguishable, one obtains two-

2. Phase-time coding photon interferences, exactly as in the case discussed in

the previous section on phase coding. Adjusting the

We have mentioned in Sec. IV.C that states generated

phases and keeping them stable, one can use the perfect

by two-path interferometers are two-level quantum sys-

correlations between output ports chosen by the pho-

´

tems. They can also be represented on a Poincare

tons at Alice™s and Bob™s interferometers to establish the

sphere. The four states used for phase coding in the pre-

key bits in this second basis.

vious section would lie equally distributed on the equa-

Phase-time coding has recently been implemented in a

tor of the sphere. The coupling ratio of the beamsplitter

laboratory experiment by our group (Tittel et al., 2000)

is 50%, and a phase difference is introduced between

and was reported at the same time as the two polariza-

the components propagating through either arm. In

tion entanglement-based schemes mentioned above. A

principle, the four-state protocol can be equally well

contrast of approximately 93% was obtained, yielding a

implemented with only two states on the equator and

QBERopt contribution of 3.5%, similar to that obtained

two others on the poles. In this section, we present a

with the phase-coding scheme. This experiment will be

system exploiting such a set of states. Proposed by our

repeated over long distances, since losses in optical ¬-

group in 1999 (Brendel et al., 1999), the scheme follows

bers are low at the downconverted photon wavelength

in principle the Franson con¬guration described in the

(1300 nm).

context of phase coding. However, it is based on a

An advantage of this setup is that coding in the time

pulsed source emitting entangled photons in so-called

basis is particularly stable. In addition, the coherence

energy-time Bell states (Tittel et al., 2000). The emission

length of the pump laser is no longer critical. However, it

time of the photon pair is therefore given by a superpo-

is necessary to use relatively short pulses ( 500 ps)

sition of only two discrete terms, instead of by a wide

powerful enough to induce a signi¬cant downconversion

and continuous range bounded only by the long coher-

probability.

ence length of the pump laser (see Sec. V.B.1).

Phase-time coding, as discussed in this section,

Consider Fig. 26. If Alice registers the arrival times of

can also be realized with faint laser pulses (Bechmann-

the photons with respect to the emission time of the

Pasquinucci and Tittel, 2000). The one-photon con¬gu-

pump pulse t 0 , she ¬nds the photons in one of three

ration has so far never been realized. It would be similar

time slots (note that she has two detectors to take into

to the double Mach-Zehnder setup discussed in Sec.

account). For instance, detection of a photon in the ¬rst

IV.C.1, but with the ¬rst coupler replaced by an active

slot corresponds to the pump photon™s having traveled

via the short arm and the downconverted photon™s hav-

ing traveled via the short arm. To keep it simple, we

46

refer to this process as s P , s A , where P stands for the Note that it does not constitute a product state.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

180 Gisin et al.: Quantum cryptography

analysis of eavesdropping on a quantum channel has yet

switch. For the time basis, Alice would set the switch

to be achieved. In this section we review some of the

either to full transmission or to full re¬‚ection, while for

problems and solutions, without any claim for math-

the energy basis she would set it at 50%. This illustrates

ematical rigor or complete coverage of the huge and

how research on photon pairs can yield advances on

rapidly evolving literature.

faint-pulse systems.

The general objective of eavesdropping analysis is to

¬nd ultimate and practical proofs of security for some

3. Quantum secret sharing

quantum cryptosystems. ˜˜Ultimate proofs™™ guarantee

In addition to QC using phase-time coding, we used security against entire classes of eavesdropping attacks,

the setup depicted in Fig. 26 for the ¬rst proof-of- even if Eve uses not only the best of today™s technology,

principle demonstration of quantum secret sharing”the but any conceivable future technology. These proofs

generalization of quantum key distribution to more than take the form of theorems, with clearly stated assump-

two parties (Tittel et al., 2001). In this new application of tions expressed in mathematical terms. In contrast, prac-

quantum communication, Alice distributes a secret key tical proofs deal with some actual pieces of hardware

to two other users, Bob and Charlie, in such a way that and software. There is thus a tension between ˜˜ulti-

neither Bob nor Charlie alone has any information mate™™ and ˜˜practical™™ proofs. Indeed, the former favor

about the key, but together they have full information. general abstract assumptions, whereas the latter concen-

trate on physical implementations. Nevertheless, it is

As in traditional QC, an eavesdropper trying to get

worth ¬nding such proofs. In addition to the security

some information about the key creates errors in the

issue, they provide illuminating lessons for our general

transmission data and thus reveals her presence. The

understanding of quantum information.

motivation behind quantum secret sharing is to guaran-

In the ideal game Eve has perfect technology: she is

tee that Bob and Charlie cooperate”one of them might

limited only by the laws of quantum mechanics, but not

be dishonest”in order to obtain a given piece of infor-

at all by current technology.47 In particular, Eve cannot

mation. In contrast with previous proposals using three-

clone qubits, as this is incompatible with quantum dy-

™

particle Greenberger-Horne-Zeilinger states (Zukowski

namics (see Sec. II.C.2), but she is free to use any uni-

et al., 1998; Hillery et al., 1999), pairs of entangled pho-

tary interaction between one or several qubits and an

tons in so-called energy-time Bell states were used to

auxiliary system of her choice. Moreover, after the inter-

mimic the necessary quantum correlation of three en-

action, Eve may keep her auxiliary system unperturbed,

tangled qubits, although only two photons exist at the

in complete isolation from the environment, for an arbi-

same time. This is possible because of the symmetry be- trarily long time. Finally, after listening to all the public

tween the preparation device acting on the pump pulse discussion between Alice and Bob, she can perform the

and the devices analyzing the downconverted photons. measurement of her choice on her system, being again

Therefore the emission of a pump pulse can be consid- limited only by the laws of quantum mechanics. One

ered as the detection of a photon with 100% ef¬ciency, assumes further that all errors are due to Eve. It is

and the scheme features a much higher coincidence rate tempting to assume that some errors are due to Alice™s

than that expected with the initially proposed ˜˜triple- and Bob™s instruments, and this probably makes sense in

photon™™ schemes. practice. However, there is the danger of Eve™s replacing

them with higher-quality instruments (see the next sec-

tion).

VI. EAVESDROPPING

In the next section we elaborate on the most relevant

differences between the above ideal game (ideal espe-

A. Problems and objectives

cially from Eve™s point of view) and real systems. Next,

we return to the idealized situation and present several

After the qubit exchange and basis reconciliation, Al-

eavesdropping strategies, starting from the simplest, in

ice and Bob each have a sifted key. Ideally, these keys

which explicit formulas can be written down, and ending

are identical. But in real life, there are always some er-

with a general abstract security proof. Finally, we discuss

rors, and Alice and Bob must apply some classical infor-

practical eavesdropping attacks and comment on the

mation processing protocols, like error correction and

complexity of a real system™s security.

privacy ampli¬cation to their data (see Sec. II.C.4). The

¬rst protocol is necessary to obtain identical keys and B. Idealized versus real implementation

the second to obtain a secret key. Essentially, the prob-

lem of eavesdropping is to ¬nd protocols which, given Alice and Bob use the technology available today.

that Alice and Bob can only measure the QBER, either This trivial remark has several implications. First, all

provide Alice and Bob with a veri¬ably secure key or

stop the protocol and inform the users that the key dis-

tribution has failed. This is a delicate problem at the 47

The question of whether QC would survive the discovery of

intersection of quantum physics and information theory.

the currently unknown validity limits of quantum mechanics is

Actually, it comprises several eavesdropping problems, interesting. Let us argue that it is likely that quantum mechan-

depending on the precise protocol, the degree of ideali- ics will always adequately describe photons at telecommunica-

zation one admits, the technological power one assumes tions and visible wavelengths, just as classical mechanics will

Eve has, and the assumed ¬delity of Alice and Bob™s always adequately describe the fall of apples, whatever the

equipment. Let us immediately stress that a complete future of physics may be.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

181

Gisin et al.: Quantum cryptography

real components are imperfect, so that the qubits are not ciency, and so on. Except for Sec. VI.K, in which this

assumption is discussed, we shall henceforth assume that

prepared and detected in the exact basis described by

Alice and Bob are isolated from Eve.

the theory. Moreover, a real source always has a ¬nite

probability of producing more than one photon. De-

pending on the details of the encoding device, all pho- C. Individual, joint, and collective attacks

tons carry the same qubit (see Sec. VI.J). Hence, in prin-

In order to simplify the problem, several eavesdrop-

ciple, Eve could measure the photon number without

ping strategies of limited generality have been de¬ned

perturbing the qubit. This scenario is discussed in Sec.

¨

(Lutkenhaus, 1996; Biham and Mor, 1997a, 1997b) and

VI.H. Recall that, ideally, Alice should emit single-qubit

analyzed. Of particular interest is the assumption that

photons, i.e., each logical qubit should be encoded in a

Eve attaches independent probes to each qubit and

single degree of freedom of a single photon.

measures her probes one after the other. This class of

On Bob™s side the ef¬ciency of his detectors is quite

attack is called the individual attack, or incoherent at-

limited and the dark counts (spontaneous counts not

tack. This important class is analyzed in Secs. VI.D and

produced by photons) are non-negligible. The limited

VI.E. Two other classes of eavesdropping strategies let

ef¬ciency is analogous to the losses in the quantum

Eve process several qubits coherently, hence the name

channel. The analysis of the dark counts is more deli-

coherent attacks. The most general coherent attacks are

cate, and no complete solution is known. Conservatively,

¨ called joint attacks, while an intermediate class assumes

Lutkenhaus (2000) assumes in his analysis that all dark

that Eve attaches one probe per qubit, as in individual

counts provide information to Eve. He also advises that,

attacks, but can measure several probes coherently, as in

whenever two detectors ¬re simultaneously (generally

coherent attacks. This intermediate class is called the

due to a real photon and a dark count), Bob should not

collective attack. It is not known whether this class is less

disregard such events but should choose a value at ran-

ef¬cient than the most general class, that of joint attacks.

dom. Note also that the different contributions of dark

It is also not known whether it is more ef¬cient than the

counts to the total QBER depend on whether Bob™s

simpler individual attacks. Actually, it is not even known

choice of basis is implemented using an active or a pas-

whether joint attacks are more ef¬cient than individual

sive switch (see Sec. IV.A).

ones.

Next, one usually assumes that Alice and Bob have

For joint and collective attacks, the usual assumption

thoroughly checked their equipment and that it is func-

is that Eve measures her probe only after Alice and Bob

tioning according to speci¬cations. This assumption is

have completed all public discussion about basis recon-

not unique to quantum cryptography but is critical, as

ciliation, error correction, and privacy ampli¬cation. For

Eve could be the actual manufacturer of the equipment.

the more realistic individual attacks, one assumes that

Classical cryptosystems must also be carefully tested,

Eve waits only until the basis reconciliation phase of the

like any commercial apparatus. Testing a cryptosystem is

public discussion.49 The motivation for this assumption

tricky, however, because in cryptography the client buys

is that one hardly sees what Eve could gain by waiting

con¬dence and security, two qualities dif¬cult to quan-

until after the public discussion on error correction and

tify. Mayers and Yao (1998) proposed using Bell™s in-

privacy ampli¬cation before measuring her probes, since

equality to test whether the equipment really obeys

she is going to measure them independently anyway.

quantum mechanics, but even this is not entirely satis-

Individual attacks have the nice feature that the prob-

factory. Interestingly, one of the most subtle loopholes in

lem can be entirely translated into a classical one: Alice,

all present-day tests of Bell™s inequality, the detection

Bob, and Eve all have classical information in the form

loophole, can be exploited to produce purely classical

of random variables , , and , respectively, and the

software mimicking all quantum correlations (Gisin and

laws of quantum mechanics impose constraints on the

Gisin, 1999). This illustrates once again the close con-

joint probability distribution P( , , ). Such classical

nection between practical issues in QC and philosophi-

scenarios have been widely studied by the classical cryp-

cal debates about the foundations of quantum physics.

tology community, and many of their results can thus be

Finally, one must assume that Alice and Bob are per-

directly applied.

fectly isolated from Eve. Without such an assumption

the entire game would be meaningless: clearly, Eve is

not allowed to look over Alice™s shoulder. However, this D. Simple individual attacks: Intercept-resend and

elementary assumption is again nontrivial. What if Eve measurement in the intermediate basis

uses the quantum channel connecting Alice to the out-

side world? Ideally, the channel should incorporate an The simplest attack for Eve consists in intercepting all

isolator48 to keep Eve from shining light into Alice™s out- photons individually, measuring them in a basis chosen

put port to examine the interior of her laboratory. Since randomly between the two bases used by Alice, and

all isolators operate only on a ¬nite bandwidth, there sending new photons to Bob prepared according to her

should also be a ¬lter, but ¬lters have only a ¬nite ef¬-

49

With today™s technology, it might even be fair to assume

48

Optical isolators, based on the Faraday effect, let light pass that in individual attacks Eve must measure her probe before

through in only one direction. the basis reconciliation.

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

182 Gisin et al.: Quantum cryptography

FIG. 28. Eavesdropping on a quantum channel. Eve extracts

information from the quantum channel between Alice and

Bob at the cost of introducing noise into that channel.

´

FIG. 27. Poincare representation of the BB84 states and the

intermediate basis, also known as the Breidbart basis, that can Consequently, this strategy is less advantageous for Eve

be used by Eve.

than the intercept-resend strategy. Note however, that

with this strategy Eve™s probability of guessing the cor-

rect bit value is 85%, compared to only 75% in the

result. As presented in Sec. II.C.3 and assuming that the

intercept-resend case. This is possible because in the lat-

BB84 protocol is used, Eve thus gets 0.5 bits of informa-

ter case, Eve™s information is deterministic in half the

tion per bit in the sifted key, for an induced QBER of

cases, while in the former Eve™s information is always

25%. Let us illustrate the general formalism with this

probabilistic (formally, this results from the convexity of

simple example. Eve™s mean information gain on Alice™s

the entropy function).

bit, I( , ), equals their relative entropy decrease:

I , H a priori H a posteriori , (40)

E. Symmetric individual attacks

i.e., I( , ) is the number of bits one can save by writing

when knowing . Since the a priori probability for In this section we present in some detail how Eve

Alice™s bit is uniform, H a priori 1. The a posteriori en- could get the maximum Shannon information for a ¬xed

tropy has to be averaged over all possible results r that QBER, assuming a perfect single-qubit source and re-

Eve might get: stricting Eve to attacks on one qubit after the other (i.e.,

individual attacks). The motivation is that this idealized

Ha PrHir, (41) situation is rather simple to treat and nicely illustrates

posteriori

r

several of the subtleties of the subject. Here we concen-

trate on the BB84 four-state protocol; for related results

Hir P i r log2 P i r , (42) on the two-state and six-state protocols, see Fuchs and

i

Peres (1996) and Bechmann-Pasquinucci and Gisin

where the a posteriori probability of bit i, given Eve™s (1999), respectively.

result r, is given by Bayes™s theorem: The general idea of eavesdropping on a quantum

channel is as follows. When a qubit propagates from Al-

PriPi

ice to Bob, Eve can let a system of her choice, called a

Pir , (43)

Pr probe, interact with the qubit (see Fig. 28). She can

freely choose the probe and its initial state, but the sys-

with P(r) i P(r i)P(i). In the case of intercept re-

tem must obey the rules of quantum mechanics (i.e., be

send, Eve gets one out of four possible results: r

‘,“,←,’ . After the basis has been revealed, Alice™s described in some Hilbert space). Eve can also choose

input assumes one of two values: i ‘,“ (assuming the the interaction, but it should be independent of the qu-

‘“ basis was used, the other case is completely analo- bit state, and she should obey the laws of quantum me-

gous). One gets P(i ‘ r ‘) 1, P(i ‘ r ’) 2 , chanics; i.e., her interaction must be described by a uni-

1

tary operator. After the interaction a qubit has to go to

1 1 1 1 1

and P(r) 2 . Hence, I( , ) 1 2 h(1) 2 h( 2 ) 1 2

Bob (in Sec. VI.H we consider lossy channels, so that

1

2 [with h(p) p log2(p) (1 p)log2(1 p)].

Bob does not always expect a qubit, a fact that Eve can

Another strategy for Eve, no more dif¬cult to imple-

take advantage of). It makes no difference whether this

ment, consists in measuring the photons in the interme-

qubit is the original one (possibly in a modi¬ed state).

diate basis (see Fig. 27), also known as the Breidbart

Indeed, the question does not even make sense, since a

basis (Bennett, Bessette, et al., 1992). In this case the

qubit is nothing but a qubit. However, in the formalism

probability that Eve guesses the correct bit value is p

it is convenient to use the same Hilbert space for the

cos( /8) 2 2 &/4 0.854, corresponding to a

1

qubit sent by Alice as for the qubit received by Bob (this

QBER 2p(1 p) 25% and a Shannon information

is no loss of generality, since the swap operator”de¬ned

gain per bit of

by ’ for all , ”is unitary and could be ap-

I 1 Hp 0.399. (44) pended to Eve™s interaction).

Rev. Mod. Phys., Vol. 74, No. 1, January 2002

183

Gisin et al.: Quantum cryptography

0. (49)

‘ “ ‘ “

The ™s correspond to Eve™s state when Bob receives the

qubit undisturbed, while the ™s are Eve™s state when the

qubit is disturbed.

Let us emphasize that this is the most general unitary

interaction satisfying Eq. (46). One ¬nds that the shrink-

F D. Accordingly, if Alice

ing factor is given by

sends ‘ and Bob measures it in the compatible basis,

then ‘ Bob (m ) ‘ F is the probability that Bob gets

the correct result. Hence F is the ¬delity and D the

QBER.

Note that only four states span Eve™s relevant state

´

FIG. 29. Poincare representation of BB84 states in the event space. Hence Eve™s effective Hilbert space is at most

four dimensional, no matter how subtle she might be.51

of a symmetrical attack. The state received by Bob after the

interaction of Eve™s probe is related to the one sent by Alice by This greatly simpli¬es the analysis.

a simple shrinking factor. When the unitary operator U en- Symmetry requires that the attack on the other basis

tangles the qubit and Eve™s probe, Bob™s state [Eq. (46)] is satisfy

´

mixed and is represented by a point inside the Poincare

‘,0 “,0

sphere.

U ’,0 U (50)

&

Let HEve and C2 HEve be the Hilbert spaces of Eve™s

1

probe and of the total qubit probe system, respectively. ‘ “

‘ (51)

‘

&

If m , 0 , and U denote the qubit™s and the probe™s

initial states and the unitary interaction, respectively,