16
Theory of Quantum Key Distribution (QKD)

Norbert Lütkenhaus

University of Waterloo, Institute for Quantum Computing, 200 University Ave. West, Waterloo, Ontario, N2L 3G1, Canada

16.1 Introduction

There are several communication tasks in which two parties would like to protect their communication against third party interference. One of them is secret communication, where the two parties would like to assure that no other party can gain some knowledge about the messages they exchange. Another task, for instance, is the problem of authenticating a message, that is, to enable a receiver of a message to verify that it indeed comes from the alleged sender in its exact form. Typically, a secret key is used up in the communication process, so one has to find a way to distribute secret keys. It turns out that this task cannot be achieved in a communication scenario that can be described purely by classical communication without making additional assumptions. However, by resorting to communication that makes explicit use of a quantum mechanical signal structure, it is possible to construct a scheme, called quantum key distribution (QKD), that continuously generates fresh secret key, once it is started.

In this chapter, we will see how to construct QKD protocols. We show that these schemes can be made robust against noise in the quantum channels, thereby opening the path for practical implementations.

16.2 Classical Background to QKD

Today's security of (classical) key distribution, as well as that of secure communication, is based on the practical infeasibility of decoding encrypted messages by unauthorized parties. In the case of public key cryptography, the secrecy is based on the experience that the factorization of large numbers requires computational resources growing exponentially with the length of the considered number. For symmetric block ciphers, such as the data encryption standard (DES) or the advanced encryption standard (AES), which use relatively short secret keys shared by two parties, the security is based on the lack of structure in the encoding and decoding operation. Note that the security is not proven, but is based on failed attempts to break these schemes so far. That might change with the discovery of new classical algorithms, or in the case of public key cryptography, with the advent of quantum computers. Therefore, we are aiming at a key distribution scheme that is provably secure, and therefore secure against future technological advances.

As a motivation for the use of QKD, we analyze the only classical protocol for secure communication that can actually be proven to be secure without additional assumptions: the one‐time pad, also called Vernam cipher (1). The rules for this protocol are easy. Consider a set of messages, M, represented by binary strings of length n. Alice wants to send the message m ∈ M to Bob. Alice and Bob share a secret key k to start with, that is, a random binary sequence of the same length n. Then, they execute the following steps:

  1. Alice computes the cipher text c as c = m ⊕ k. Here ⊕ refers to the bitwise addition modulo 2, which corresponds to the bitwise XOR of the two bit strings.
  2. Alice sends the cipher text c over a public channel to Bob.
  3. Bob calculates the XOR between the cipher text c and the key k and recovers the message m as c ⊕ k = m ⊕ k ⊕ k = m.

Note that it is essential to use each key k only once, hence the name one‐time pad, otherwise correlations might reveal information on the messages. For example, consider the simplest possible scenario: Alice wants to send two bits secretly to Bob, but they share only one bit of secret key. So, Alice encrypts both message bits as cryptograms c_1 = m_1 ⊕ k and c_2 = m_2 ⊕ k and sends them over the public channel to Bob, who then decodes them. Now anyone overhearing the public channel knows the values c_1 and c_2. By computing the XOR of the cipher texts, c_1 ⊕ c_2 = m_1 ⊕ m_2, it is possible to learn the parity of the two message bits. So, two of the possible message combinations can be ruled out.

16.3 Ideal QKD

The one‐time pad essentially shifts the problem from secret communication to the problem of distributing secret random key. This is an essential step, as in creating keys one can now use random processes. Moreover, one can now use schemes that can reject keys that cannot be guaranteed to be secret without compromising the secret message itself.

So, how does the distribution of a key work, and what role does quantum mechanics play in this? The crucial observation is the following: if an eavesdropper, traditionally called Eve, attempts to obtain information about signals passing through a quantum channel, she needs to perform a quantum mechanical measurement. In general, such a measurement has a back‐reaction on the signals that disturbs them. Alice and Bob can now search for traces of this disturbance. The absence of the disturbance assures them that no eavesdropping activity took place, and they can use the signals to generate a secret key. If they find a disturbance, they abort the attempt, and start over again. This is an idealized view, and we will refine it later. In order for the basic idea to work, we need to use signals that are represented by nonorthogonal quantum mechanical states. This is so because classical messages can be represented by an orthogonal set of quantum mechanical signals.

We will now present a first protocol that performs QKD, the so‐called BB84 protocol. It is attributed to Bennett and Brassard (2), while its idea goes back to Wiesner (3). The basic tools are a quantum channel connecting Alice and Bob and a public classical channel, where Eve can listen to the classical communication, but she cannot change the signals. The implications of this will be discussed later. For the quantum channel, we use four signal states, and we will think for now about signals realized as single photons in the polarization degree of freedom, so that we have qubits. Consider two sets of orthogonal signals, one formed by a horizontal and a vertical polarized photon, and the other formed by a +45° and −45° polarized photon.

These four signal states are nonorthogonal, as the overlap probability between signals from different sets is just one half. Bob has two measurement devices in his hand, one in the horizontal/vertical polarization basis, the other in the ±45° basis. The two measurements do not commute, as required.

With these tools, we can execute the following protocol: (See Figure 16.1.)

  1. Phase I (Quantum Protocol)
    1. Alice sends a random sequence of n signals to Bob.
    2. Bob selects for each signal at random the polarization basis to measure it and performs that measurement.
    3. Bob confirms that he received and measured all signals.
  2. Phase II (Public Discussion Protocol)
    1. Alice announces the polarization basis for each signal; Bob announces the polarization basis of each measurement he performed. Both discard all events where these bases do not agree.
    2. Alice reveals a fraction p of all remaining events in random positions and transmits the positions and the corresponding signals to Bob. Bob compares the signals with his measurement outcomes and tells Alice whether the signals agree with his measurement results.
    3. In case of agreement, Alice and Bob translate their signals and measurement results to binary digits, for example, by calling all horizontal and +45° signals a “0,” and the other signals a “1” and using the resulting binary string as secret key.

Figure 16.1 The two phases of the BB84 protocol.

The first phase of the protocol utilizes the signals and measurements via the quantum channel. Alice then has a classical record of the signal states she sent, Bob has a classical record of the measurement devices he has chosen together with the measurement results he obtained.

In the second phase, Alice and Bob use their public channel to discuss their data. We find two classes of data: those where Bob's measurement outcome is deterministic, since he applied the polarization measurement that matches the polarization basis of the signal, and those signals where the two bases do not match. By opening up their respective basis used in preparation and measurement and discarding those events where the bases do not match, they retain only the deterministic events. This procedure is referred to as sifting. Next, they test whether the retained events are indeed perfectly correlated. In the presence of an eavesdropper, we know that the signals will be changed on average, so at least some of the input signals will no longer be represented by the original state vector. As a consequence, the projection onto the original state or its orthogonal complement will now sometimes give the orthogonal state as outcome. This can be detected by Alice and Bob by comparing a fraction of their data as statistical test for these error outcomes. Within the statistical error margin, they may conclude whether eavesdropping activity took place or not. If no eavesdropping activity is detected, they translate their signal and measurement results into a binary string and use it as a key.
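The two phases described above, written out as a small simulation. This is an added example, not code from the chapter: the eavesdropper model (Eve measures every photon in a randomly chosen basis and forwards the post-measurement state), the function names and the parameter values are assumptions made here for illustration.

```python
import random

HV, DIAG = 0, 1  # the two polarization bases; bit 0 = horizontal or +45, bit 1 = vertical or -45


def measure(state, basis, rng):
    """Ideal polarization measurement of a single-photon signal.

    state is (preparation basis, bit). In the matching basis the outcome is
    deterministic; in the other basis it is a fair coin, and the photon is
    left in the state that corresponds to the outcome.
    """
    prepared_basis, bit = state
    outcome = bit if basis == prepared_basis else rng.randrange(2)
    return outcome, (basis, outcome)


def run_bb84(n, eavesdrop, sample_fraction=0.5, seed=1):
    """Simulate ideal BB84 over a noiseless channel (hypothetical helper).

    One seeded pseudo-random generator stands in for the independent random
    choices of Alice, Bob and Eve; a real system needs true randomness.
    """
    rng = random.Random(seed)

    # Phase I: Alice sends n random signals, Bob measures in random bases.
    alice = [(rng.randrange(2), rng.randrange(2)) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for state, basis in zip(alice, bob_bases):
        if eavesdrop:
            # Assumed attack model: measure in a random basis and resend.
            _, state = measure(state, rng.randrange(2), rng)
        outcome, _ = measure(state, basis, rng)
        bob_bits.append(outcome)

    # Phase II, step 1: sifting, keep only events with matching bases.
    sifted = [i for i in range(n) if alice[i][0] == bob_bases[i]]

    # Phase II, step 2: reveal a random fraction and compare.
    revealed = set(rng.sample(sifted, int(sample_fraction * len(sifted))))
    if not revealed:
        raise ValueError("too few sifted events to run the test")
    errors = sum(alice[i][1] != bob_bits[i] for i in revealed)

    result = {
        "sifted": len(sifted),
        "tested": len(revealed),
        "error_rate": errors / len(revealed),
        "alice_key": None,  # stays None when the run is aborted
        "bob_key": None,
    }
    # Phase II, step 3: only on perfect agreement are the rest used as key.
    if errors == 0:
        rest = [i for i in sifted if i not in revealed]
        result["alice_key"] = [alice[i][1] for i in rest]
        result["bob_key"] = [bob_bits[i] for i in rest]
    return result


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdrop=eve)
        print("Eve present:", eve, "| sifted:", r["sifted"],
              "| error rate in test sample:", round(r["error_rate"], 3),
              "| key accepted:", r["alice_key"] is not None)
```

In this model Eve picks the wrong basis half of the time, and in those cases Bob's outcome is random, so about one quarter of the compared events disagree and the run is aborted.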

We already pointed out that the signal structure must contain nonorthogonal quantum states. Note that it is also essential that there is no measurement that would possibly commute with Bob's measurement, otherwise the disturbance of Eve's measurement would not be detectable by Alice and Bob. Here, the random choice of the two polarization measurements guarantees this property. The formal criteria can be expressed by describing Bob's total measurement strategy by a positive operator valued measure (POVM) with four elements. They contain some pairwise noncommuting elements, which gives us the desired property.

Note that it is essential that the public classical channel assures that Eve may listen to the signals, but she may not change the data flow between Alice and Bob. Consider the setting that Alice and Bob use a channel where Eve can also change the signals in the classical channel. Following the BB84 protocol, they might assume that they share a secret key in the end. (See Figure 16.2.) Instead, Alice might have talked to Eve, establishing actually a secret key with Eve, and not with Bob. Similarly, Eve might impersonate Alice to Bob, establishing a secret key also with Bob. If Alice now encrypts her secrets with the first key, Eve can decode it, and encode it with her second key she shares with Bob. As a result, Alice and Bob can communicate, but their communication will not be secure at all.

Figure 16.2 Without authentication of the classical channel, no secure QKD is possible as Eve might impersonate the legitimate partners.

This can be prevented if Alice and Bob authenticate their public discussion. This is a technique drawn from classical cryptography (4). It requires that the two parties share some initial key of the order log |M| where |M| is the size of the possible message space to be authenticated. This method provides unconditional security in the sense that the success probability of faking the authentication can be made exponentially small, and thus does not degrade the security of QKD. Once we authenticate the classical communication with the initial key, we can obtain a much larger amount of new secure key. Part of that can be used for authentication in subsequent rounds of QKD. The fact that there is no degradation of security by using this new secure key is called composability and has been investigated recently in a rigorous manner (5). As a result, we should strictly speak of QKD as quantum key growing, though we stick here to the more common label QKD.

There are other QKD protocols. As Bennett showed, it is sufficient to use any two nonorthogonal quantum states as signal states with a suitable detection process. This is formulated as two‐state protocol (6). Another qubit protocol that shows a high symmetry of signal states is the six‐state protocol (7,8). A different class of QKD schemes is based on the distribution of entangled bipartite quantum states (9).

16.4 Idealized QKD in Noisy Environment

The BB84 protocol as described above will not work in any realistic implementation. This is due to the presence of errors even when there is no eavesdropping activity. These errors can originate from misalignment of devices, loss and noise in fibers, or dark counts in single‐photon detectors. We need, therefore, to extend the protocol in such a way that it remains stable in the presence of some small error rate.

In a conservative view, all observed errors must be ascribed to the activities of an eavesdropper. Therefore, we face two effects of the noise on the key drawn from the sifted data since

  1. the data of Alice and Bob do not agree, and the partners do not share a common key;
  2. the errors are a signature of eavesdropping, and Eve's data can be correlated with Alice's and Bob's data, so the key is not secret.

First, we should convince ourselves that in this situation it can be possible to create a secret key. For this, we remember that the important idea is to transport nonorthogonal signal states across a channel without the signal being changed. We have to do this in the presence of noisy and lossy channels. This problem is very similar to classical noiseless communication via noisy channels, and the solution to that problem is classical error correction. (See Chapter 1.) Here a classical message is encoded redundantly, sent across a channel that adds some noise to the redundant message, and then it is asymptotically perfectly decoded. (See Chapter 7.) The same idea can be realized with quantum signals sent via a quantum channel. We encode the nonorthogonal signals with a quantum error correction code (QECC), send them over the channel and then decode them. So we obtain an effective perfect channel even in the presence of noise. It is therefore possible to perform perfectly secure QKD in the BB84 protocol even over noisy channels, just using QECCs.

For a realistic implementation, this would leave us with encoding and decoding operations that require controlled entangling and disentangling operations of several qubits. This is beyond our present technological capability. Fortunately, as we show next, we do not really need to implement these operations. As shown by Shor and Preskill (10), these operations are equivalent to a protocol that uses the same quantum operations as in the first phase of the BB84 protocol, only the second phase of the protocol needs to be complemented by two new classical communication protocols:

  2. Phase II (continued)
    1. Alice and Bob perform classical error correction via linear error correction codes.
    2. Alice and Bob perform privacy amplification by taking parity bits of random subsets as their final key.

Both protocols are motivated by the Calderbank–Shor–Steane (CSS) QECCs (11,12). In these codes, the bit and the phase errors occurring in the channel (see Chapter 7) can be corrected independently of each other. Classical error correction corresponds to the bit error correction and reconciles Alice's and Bob's sifted bit string. For this, Alice encodes a random bit string k into a code word w of a linear error correction code. Then she encodes the result with bits of her sifted key s and obtains c = w ⊕ s. Finally, she sends c over the public channel to Bob. Bob has a sifted bit string s′ = s ⊕ e where e is the error string characterizing the difference between Alice's and Bob's sifted key. Bob can calculate w′ = c ⊕ s′ = w ⊕ e. By measuring the error syndrome of w′, Bob now can determine e and decode the random sequence k chosen by Alice. With that, Alice and Bob share a new random sequence k that is shorter than the original sifted key. Given Shannon's theory of error correction, the length of the key shrinks ideally only to the factor 1 − I(A; B) where I(A; B) is the mutual information shared by Alice and Bob. For the binary situation we are facing here, we find the new rate of corrected key per sifted key as r_corrected = 1 − h(e) with the binary entropy function h(e) = −e log₂ e − (1 − e) log₂(1 − e).

After Alice and Bob reconcile their key, we still need to take care of the correlation Eve might have with this corrected key. This is done in the step of privacy amplification which corresponds to the phase error correction in QECC. Actually, since we already measured the qubits, we cannot correct the phase errors. Instead, we take care of the influence the phase error correction would have had on the decoding procedure of the quantum signals before measuring. This corresponds to a shrinking of the corrected bit string via a linear map that is derived from the CSS code. Denote by P a matrix representing a linear map induced by the CSS code, and denote by k_corrected the corrected key resulting from bit error correction, taken as a vector with binary values. Then, the key resulting from the operation k_final = P · k_corrected is a secret key shared by Alice and Bob. Here, the operations are taken modulo 2. The dimensions of the matrix P are chosen such that the final rate of secret key per element of the sifted key is given by

16.1 equation

The resulting rate shows that we can obtain a secret key with this method up to an error rate of about 11%. The rate assumes an identical distribution of phase and bit errors as they would result from a random permutation of the signals. In that case, the Shannon limits in error correction and privacy amplification hold. Without those permutations, the rate would drop to r_final = 1 − h(2e) − h(e). This comes from the Gilbert–Varshamov bound (13) in classical error correction theory, which affects the choice of dimensions of the privacy amplification matrix.
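The two classical steps of Phase II (continued), carried through on a toy scale. This is an added example, not code from the chapter: the [7,4] Hamming code, the random choice of the matrix P, the block sizes and all function names are assumptions chosen for illustration, and the sifted keys are constructed sample data.

```python
import random

# Systematic [7,4] Hamming code: code word w = (k, k.A), with arithmetic mod 2.
A = [[1, 1, 0],
     [1, 0, 1],
     [0, 1, 1],
     [1, 1, 1]]
# Columns of the parity-check matrix H = [A^T | I]; all seven are distinct.
H_COLS = [tuple(row) for row in A] + [(1, 0, 0), (0, 1, 0), (0, 0, 1)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def encode(k):
    """Map 4 random bits k to the 7-bit code word w."""
    parity = [sum(k[i] * A[i][j] for i in range(4)) % 2 for j in range(3)]
    return list(k) + parity


def syndrome(w):
    return tuple(sum(w[i] * H_COLS[i][j] for i in range(7)) % 2 for j in range(3))


def decode(w_noisy):
    """Correct at most one flipped bit in w' = w XOR e and return k."""
    w = list(w_noisy)
    s = syndrome(w)
    if any(s):
        w[H_COLS.index(s)] ^= 1  # the syndrome equals the column at the error position
    return w[:4]


def reconcile(alice_sifted, bob_sifted, rng):
    """Block-wise error correction: Alice publishes c = w XOR s for each block."""
    k_alice, k_bob, public = [], [], []
    for off in range(0, len(alice_sifted) - 6, 7):
        k = [rng.randrange(2) for _ in range(4)]
        c = xor(encode(k), alice_sifted[off:off + 7])  # goes over the public channel
        public.append(c)
        k_alice += k
        # Bob: w' = c XOR s' = w XOR e, then syndrome decoding.
        k_bob += decode(xor(c, bob_sifted[off:off + 7]))
    return k_alice, k_bob, public


def privacy_amplify(P, k_corrected):
    """k_final = P . k_corrected (mod 2): parity bits of subsets of the key."""
    return [sum(p * k for p, k in zip(row, k_corrected)) % 2 for row in P]


def demo(seed=7, blocks=8, final_len=16):
    """Constructed sifted keys with exactly one bit error per 7-bit block."""
    rng = random.Random(seed)
    alice_sifted = [rng.randrange(2) for _ in range(7 * blocks)]
    bob_sifted = list(alice_sifted)
    for b in range(blocks):
        bob_sifted[7 * b + rng.randrange(7)] ^= 1
    k_alice, k_bob, _ = reconcile(alice_sifted, bob_sifted, rng)
    # P is chosen at random and announced publicly (assumption of this example).
    P = [[rng.randrange(2) for _ in k_alice] for _ in range(final_len)]
    return privacy_amplify(P, k_alice), privacy_amplify(P, k_bob)


if __name__ == "__main__":
    final_alice, final_bob = demo()
    print("final keys agree:", final_alice == final_bob, "| length:", len(final_alice))
```

The Hamming code only corrects one error per block and its rate of 4/7 is far from the Shannon limit 1 − h(e); a block with two errors decodes to the wrong k, which is why the error estimate must stay below what the chosen code can handle.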

We still need to discuss the final security statement. As we have seen above, we are using the knowledge of an error rate for bit and phase errors. These are identical in the BB84 protocol due to the equal use of the two polarization bases that interchanges bit and phase errors. So, the security of the final key is guaranteed to the level that the QECC behind the scheme would be able to correct all the bit and phase errors that occurred during the transmission. At this point, classical statistics comes into the game. Alice and Bob can open up some random signals and compare them via the public channel. From these data, they can conclude that the total number of bit and phase errors e is below the number which the QECCs can cope with. To obtain valid estimations is actually one of the tricky parts in the security proofs of QKD.

This security proof is valid against all attacks of an eavesdropper within the laws of quantum mechanics. The only restriction is that we assume that Eve has only access to the quantum mechanical systems as they pass through the quantum channel and to the full information flowing through the public channel. She cannot access Alice's or Bob's sending and detection devices. Such access would, for example, enable her to read off the internal settings that determine the choice of Alice's signals and the choice of Bob's measurement setting. This assumption is natural; actually no secure communication can be performed without it. However, it needs always to be enforced by technology. Moreover, in quantum optical implementations, one has to take special care of this, as an optical channel (fiber or free space open air) provides a clear path right to the heart of the devices. We refer to this scenario as “unconditional security.” Obviously not because we do not make any assumptions (we do make assumptions about the isolation of Alice's and Bob's devices), but because this term parallels the established notion in classical cryptography meaning that no assumptions are made about computational power of an eavesdropper analyzing the encrypted data.

This general eavesdropping attack is typically referred to as coherent attack since Eve can interact coherently with all the signals. In contrast to that, we refer to an attack as individual attack if Eve interacts with each signal separately, for example, by attaching to each signal a probe and then measuring that probe. There is an intermediate level of attack in which Eve interacts with each signal individually, attaching to each an independent probe. However, she then can perform joint measurements on all probes. This type of attack is called collective attack. Due to the structure of the BB84 protocol (random sequence of signals and measurements), it is believed that the collective attacks are indeed optimal. However, a rigorous proof that we can restrict ourselves to collective attacks is still missing.

16.5 Realistic QKD in Noisy and Lossy Environment

As we have seen, the BB84 protocol can be made stable against noisy channels as long as the noise leads to a reasonable error rate below about 11%. However, for an implementation with polarization signals, we would require single‐photon sources. Presently, no perfect single‐photon source is available, though there are quite many research groups that work in that direction. The purpose is not only an implementation of QKD: Single‐photon sources are useful also for the implementation of a small set of quantum gates in linear optics implementations (see Chapter 19). As we will see in this section, it is not necessary to use single‐photon sources in order to perform unconditionally secure QKD.

As we look at optical implementations of QKD, we find that one uses either attenuated laser pulses or signals generated by parametric down‐conversion. Both signals do not generate single photons.

In a typical realization, the attenuated laser pulses can be described by a Poissonian distribution of photon‐number states (Fock states), that is, the density matrix of the signal states is images . Here, μ is the average photon number of the signals. Alice imprints her signal information on the polarization of these photons. Bob measures the polarization of the arriving light pulses. The signals are attenuated, for example, one chooses μ = 0.1 so that most of the signals are vacuum signals, some contain single photons, and a fraction of order 0.005 signals contains several photons.

Let us now consider what happens if we use this signal source instead of the single‐photon source in the BB84 protocol. The vacuum component of the signal reduces the signal rate since no signal will be detected by Bob. The single‐photon signals work ideally. The problematic part is the multiphoton pulses. Their presence allows Eve to perform the photon‐number splitting attack (PNS). This attack is particularly powerful in the presence of loss in the quantum channel. In the PNS attack, Eve replaces the lossy channel by a perfect quantum channel. Then, she performs a quantum nondemolition measurement of the total photon number of the pulses. Such a measurement tells Eve the exact number of photons in the signal, but it does not disturb their polarization. Now she can act on the signals according to the total photon number. (See Figure 16.3.) Whenever she finds a vacuum signal, she forwards a vacuum signal to Bob since she cannot learn anything about the polarization of the signal. If she finds a multiphoton signal, she splits off one photon from the pulse and sends the remaining to Bob. This does not disturb the signal polarization either in the photon she split off or in the photons she sends. Later in the protocol, Alice will reveal the polarization basis of the signal and this allows Eve to perform the correct measurement on the single photon she split off, thereby obtaining perfect information about the signal encoded in multiphoton pulses. The remaining signals are single‐photon pulses. Here Eve blocks a fraction of the signals to match the expectation of detection events for Bob's detectors. On those single‐photon signals that she does not block, she can perform any coherent eavesdropping attack. This means, in the worst‐case scenario, all errors are concentrated in signals arising from eavesdropping in single‐photon signals.

Figure 16.3 In the PNS attack, Eve can guide the signals depending on the total photon number. From all multiphoton signals, Eve splits off one photon while forwarding all remaining photons to Bob, thus leading to detection events. All vacuum signals are forwarded directly, leading to no detection. Some of the single photon signals are blocked to mimic the detection rate of the lossy channel, while Eve can interact with the remaining single‐photon signals to extract information about their state. This is the only process that introduces some error rate.

Let us illustrate this attack with a Poissonian photon number distribution in a channel with single‐photon transmittivity η. In that case, the signal source emits vacuum, single‐photon, and multi‐photon signals with the probability

16.2 equation
16.3 equation
16.4 equation

The channel is lossy, so in the absence of an eavesdropper we would expect the photon number distribution to be Poissonian with average detected photon number μη. Therefore, we find that Bob expects to find nonvacuum signals with the probability p_exp = 1 − e^(−μη). Eve can mimic the loss of the original channel with the PNS attack. For this, she follows the above description, and she lets only the fraction (p_exp − p_multi)/p_single of the single‐photon signals pass. Still, as long as there are single‐photon signals contributing to the observed events, we can distill a secret key. The resulting key rate is given by

16.5 equation

where R = (p_exp − p_multi)/p_exp is the fraction of detected signals that come from single‐photon signals. The formula is easily understood. Only that fraction of signals can lead to a secret key where at least one photon has been detected, therefore the leading factor p_exp. Within that set, only the fraction R of the sifted key can lead to a secret key and is affected by a rescaled error rate e/R, so that the amount of privacy amplification we need to apply is R h(e/R). The amount of classical error correction is still just h(e) and applies to all signals, whether they come from the single‐photon or multiphoton case. In the case of ideal single‐photon sources, we find R = 1 and recover Eq. 16.1. Clearly, we can achieve QKD only if this rate is positive. This poses constraints on the tolerable loss and the tolerable error rate.

To understand that we can treat the single‐photon and the multiphoton signals separately, let us introduce the idea of tagging (14,15). We consider any multiphoton signal that is split by Eve as a tagged single‐photon signal, that is, a single‐photon signal where we have given an eavesdropper the full information about the signal. Clearly, from these events we cannot generate a secret key, while from the remaining events we can. But in the implementation, we do not know which bits come from which part. So, we apply classical error correction to all the bits, regardless of the set from which they are drawn. Next, we apply privacy amplification on the total reconciled key. Actually, we consider here privacy amplification methods that are linear in the sifted key, so we obtain

16.6 equation

Here, we separate k_corrected into the two components, which induces a separation of the privacy amplification matrix P into two submatrices P_s and P_m, acting onto the single‐photon and the multiphoton signals respectively. Therefore, the final key consists of two components, k_m and k_s. The multiphoton contribution k_m is completely known to the eavesdropper. However, if we choose P_s such that the key component k_s is secure, then also the final key k_final is secure! Actually, P can be chosen to be a random matrix (16,17), and then also P_s is a random matrix, no matter what the decomposition into single‐photon and multiphoton signals is. So, by choosing the dimensions of P appropriately, one can assure that the matrix P_s has the correct dimensions to assure the privacy of k_s, and therefore of k_final.

Clearly, we see that the loss is the leading effect in limiting the key rate. In the absence of errors, we find for a Poissonian distribution with average photon number μ and a single photon transmittivity of η in the channel the secret key rate

16.7 equation

We can optimize the key rate over the choices of μ and find μ_opt ≈ η, so that in total we have

16.8 equation

This rate should be compared to the single‐photon implementation of the BB84 protocol. Here the loss of single photons reduces only the key rate as G ∼ η. Even when this rate is higher, it is important to note at this point that attenuated laser pulses allow us to implement unconditionally secure QKD with simple technology that is available today! Actually, by now QKD has entered the commercial world (18,19).

16.6 Improved Schemes

Clearly, one goal is to find practical QKD schemes that scale more favorably with the loss in the quantum channel. Here, we discuss briefly the basic ideas.

The background of the new schemes is that we have an excellent physical model for a lossy channel. This model consists of a perfect channel with a beam‐splitter that mimics the loss (20). Applied to our simple case of an incoming Poissonian mixture of photon‐number states and the auxiliary mode in the vacuum state, we obtain two outgoing independent Poissonian distributions. The outgoing average photon number for the signal mode is μη, while the one for the auxiliary state is μ(1 − η). The auxiliary mode is available to the eavesdropper. So, if Eve uses this model for her eavesdropping, we find that she can obtain full information about the signal in the sifted key only if she and Bob receive at least one photon. This probability, which is referred to as splitting probability is given by

16.9 equation

With that, the final key rate, assuming beam‐splitting as eavesdropping method, will be

16.10 equation

Note that this expression is positive for any combination of average photon number μ and transmittivity η. The optimization over μ leads to μ_opt ≈ 1 and therefore to

16.11 equation

Clearly, this rate scales much better than the worst‐case scenario from the PNS attack. Actually, it is the same scaling behavior as the implementation of the BB84 protocol with single‐photon signals would provide with a lossy channel. So, the question is how to restrict Eve to beam‐splitting rather than the PNS? Presently, we know of two such strategies.
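A numerical comparison of the PNS worst case of Section 16.5 with the beam‐splitting model above. This is an added example, not code from the chapter: the closed forms are written from the verbal descriptions in the text (Poissonian source, p_exp = 1 − e^(−μη), privacy amplification R h(e/R), error correction h(e), splitting when both Eve and Bob receive at least one photon), any constant sifting prefactor is left out, and the function names and the grid search are assumptions of this example.

```python
import math


def h(x):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def source_probabilities(mu):
    """Vacuum, single-photon and multiphoton probability of a Poissonian source."""
    p_vac = math.exp(-mu)
    p_single = mu * math.exp(-mu)
    p_multi = -math.expm1(-mu) - p_single  # 1 - e^-mu - mu e^-mu
    return p_vac, p_single, p_multi


def rate_per_detected(e, R):
    """Secret fraction of the detected signals: R (1 - h(e/R)) - h(e).

    R is the fraction of detected signals that stem from single photons;
    R = 1 is the ideal single-photon source. A negative value means no key.
    """
    if R <= 0.0 or e / R >= 0.5:
        return -h(e)  # privacy amplification removes everything
    return R * (1 - h(e / R)) - h(e)


def pns_rate(mu, eta, e=0.0):
    """Key per pulse when every multiphoton signal is given to Eve (PNS)."""
    p_exp = -math.expm1(-mu * eta)  # Bob's expected detection probability
    _, _, p_multi = source_probabilities(mu)
    R = (p_exp - p_multi) / p_exp
    return max(0.0, p_exp * rate_per_detected(e, R))


def beam_splitting_rate(mu, eta):
    """Error-free key per pulse when Eve is restricted to the beam-splitter model."""
    p_exp = -math.expm1(-mu * eta)
    p_split = p_exp * -math.expm1(-mu * (1 - eta))  # Eve and Bob both get a photon
    return p_exp - p_split


def optimise(rate, eta, lo=1e-5, hi=2.0, steps=4000):
    """Log-spaced grid search for the average photon number that maximises rate."""
    best_mu, best = lo, rate(lo, eta)
    for i in range(1, steps + 1):
        mu = lo * (hi / lo) ** (i / steps)
        g = rate(mu, eta)
        if g > best:
            best_mu, best = mu, g
    return best_mu, best


if __name__ == "__main__":
    print("multiphoton fraction at mu = 0.1:", round(source_probabilities(0.1)[2], 5))
    for eta in (0.1, 0.01, 0.001):
        mu_p, g_p = optimise(pns_rate, eta)
        mu_b, g_b = optimise(beam_splitting_rate, eta)
        print(f"eta={eta}: PNS mu_opt={mu_p:.4f} G={g_p:.2e} | "
              f"beam splitting mu_opt={mu_b:.3f} G={g_b:.2e}")
```

Each tenfold drop in η costs about a factor of one hundred in the PNS‐limited rate but only a factor of ten under beam‐splitting, and the optimal μ moves from about η to about 1.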

The first approach is based on the strong phase reference pulse ideas and aims to ban neutral signals. These signals are, in the standard BB84 with weak coherent pulses, the vacuum pulses Eve can forward to Bob. For these pulses, Eve can be sure that Bob will not obtain a sifted key, and moreover, no error will be created for any neutral signal. Banishing neutral signals is a strong defense against attacks such as the PNS. In that attack, it is essential that Eve can separate the pulses in two sets: one in which she can extract easily information and which she wishes Bob to detect, and another set that leaves her with no or minimal information, and which she wishes Bob not to detect, especially not to detect with an error.

The new set‐up is illustrated in Figure 16.4. The signals consist of a strong coherent pulse and a weak coherent pulse. The signal information is imprinted on the relative phase of the two pulses. In principle, Eve can implement attacks that correspond to the PNS attack, but she now faces the problem that there is no way to suppress signals without causing errors. The reason is the following: the detection device splits off a weak pulse from the strong coherent pulse and interferes with the weak pulse of the signal in order to read off the relative phase. The remaining part of the strong signal pulse will be detected by a detector showing a strong classical photo‐current. Eve cannot suppress the strong pulse without this being noticed immediately. If she sends only the strong pulse, but no weak counterpart, then the two detectors monitoring the output of the interference beam‐splitter will show random outcome if a photon is detected. Since the strong pulse is present, at least the weak pulse stemming from that signal will impinge on the beam‐splitter. Therefore, the resulting error rate will be nonzero. This effect has been recently demonstrated in a related set‐up by Koashi (21) who showed that the provably secure rate scales indeed, as hoped, as G ∼ η.

Figure 16.4 In the strong phase reference scheme, Alice sends a weak coherent pulse and a strong reference pulse. The signal is imprinted onto the relative phase. In Bob's receiver, a weak signal is taken from the strong reference pulse and brought to interference with the weak part. The presence of the remaining strong signal is also detected.

The second approach is even simpler. When looking at the PNS attack, we notice that in the optimal attack, Eve will have to suppress a fraction of the single‐photon signals, simply by replacing them with neutral vacuum signals. This fraction is determined by the loss in the original quantum channel and by the knowledge of the average photon number of the signals. So, we can make Eve's life harder by using signals where the signal strength is varied at random in the so‐called decoy state protocol (22). Alice and Bob can later sort their signals and detection events by the chosen signal strength and note down the rate of received signals for each of these subsets. Eve cannot do anything like this. When she observes one photon, she does not know from which photon number distribution this photon comes. Her optimal strategy can no longer be the simple PNS attack as shown above. Actually, as shown by Lo et al. (23), in the limit of an infinite number of different choices, the only strategy that will produce the correct number of detected signals for every secretly chosen average photon number of the signal is the beam‐splitting attack. In practice, it turns out that already two different settings improve the rate and distance of the secret key generation drastically (24,25).
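The rate comparison described above can be carried through numerically. The following Python sketch is an added example, not part of the original chapter; it assumes Poissonian photon statistics, a channel of transmittance `eta`, ideal detectors without dark counts, and a simplified PNS model in which Eve forwards every multi‐photon pulse and a fixed fraction of single‐photon pulses. All function names, the parameter values and the 5% tolerance are illustrative assumptions.

```python
import math

def poisson(n, mu):
    """Probability that a weak coherent pulse of mean photon number mu holds n photons."""
    return math.exp(-mu) * mu**n / math.factorial(n)

def multi_photon(mu):
    """Probability of two or more photons in the pulse."""
    return 1.0 - poisson(0, mu) - poisson(1, mu)

def honest_gain(mu, eta):
    """Detection rate Bob expects from pure channel loss (transmittance eta)."""
    return 1.0 - math.exp(-eta * mu)

def pns_forward_fraction(mu_signal, eta):
    """Fraction of single-photon pulses that must still reach Bob so that the
    rate at the signal intensity equals the honest value (simplified model:
    every multi-photon pulse arrives, every blocked pulse becomes vacuum)."""
    f = (honest_gain(mu_signal, eta) - multi_photon(mu_signal)) / poisson(1, mu_signal)
    if not 0.0 <= f <= 1.0:
        raise ValueError("parameters lie outside the regime of this simple model")
    return f

def pns_gain(mu, f):
    """Detection rate at intensity mu when the same fraction f applies to all pulses."""
    return f * poisson(1, mu) + multi_photon(mu)

def decoy_test(mu_signal, mu_decoy, eta, observed, rel_tol=0.05):
    """Return the intensities whose observed rate deviates from the loss model."""
    flagged = []
    for mu in (mu_signal, mu_decoy):
        expected = honest_gain(mu, eta)
        if abs(observed[mu] - expected) > rel_tol * expected:
            flagged.append(mu)
    return flagged

# Constructed parameters: transmittance 0.2, signal mu = 0.2, decoy mu = 0.05.
ETA, MU_S, MU_D = 0.2, 0.2, 0.05
F = pns_forward_fraction(MU_S, ETA)
UNDER_ATTACK = {mu: pns_gain(mu, F) for mu in (MU_S, MU_D)}
NO_ATTACK = {mu: honest_gain(mu, ETA) for mu in (MU_S, MU_D)}

if __name__ == "__main__":
    print("flagged under attack:", decoy_test(MU_S, MU_D, ETA, UNDER_ATTACK))
    print("flagged without attack:", decoy_test(MU_S, MU_D, ETA, NO_ATTACK))
```

With these constructed values the signal‐intensity rate is reproduced exactly, while the decoy‐intensity rate falls roughly a quarter below the value expected from loss alone, so sorting the events by intensity exposes the manipulation.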

16.7 Improvements in Public Discussion

The rate versus distance characteristics of QKD protocols can be improved not only by changing the physical set‐up, for example, by using different signal states or measurements; further potential lies in improvements of the public discussion. The secure key rate of the BB84 protocol based on single photon signals can be made robust to tolerate about 20% error rate, instead of the tolerated 11% error rate according to the Shor–Preskill security proof, by applying a specific two‐way communication protocol (26). In the case of the BB84 protocol with weak coherent pulses, as described above, an improvement has been found by Scarani et al. (27) that is designed to counteract the PNS attack. For this, observe that a two‐photon pulse gives away all of its signal information in the BB84 protocol only because Alice and Bob announce the polarization bases of their signals and measurements. Only then can Eve find out the proper signal without error by measuring her remaining single photon. Scarani et al. propose a new public announcement in which Alice announces sets of two signal states instead of the polarization basis. These signal sets contain the signal she actually sent plus a random choice of one of the neighboring states. For example, if she sent a horizontally polarized photon, she announces at random either the set {horizontal, +45°} or {horizontal, −45°}. Let us assume she announces the set {horizontal, +45°}. Bob still performs the random measurement. If he chooses the ±45° basis and finds the outcome −45°, he can unambiguously identify the signal “horizontal” as the signal state. For the other outcome, he cannot conclude which signal state has been sent. In any case, Alice and Bob can postselect in this way the events for which Bob can identify the signal with certainty. The situation of Eve for these signal states is different. She can also perform one of the two polarization measurements on her retained photon, but she has to live with the fact that she can identify the correct signal only with some probability, as she has no power to influence the postselection process. Due to the nonorthogonality of the states of the split‐off photons, there is also no other measurement she could perform that would fare better in always telling the two signals apart. Therefore, multi‐photon signals no longer give away all of their information, and one can extract secret key even for lossy channels where the PNS attack for the original protocol would no longer give secret keys.
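The set announcement and Bob's postselection can be checked by exhaustive enumeration. The Python sketch below is an added example, not part of the original chapter; it assumes ideal single‐photon signals on a lossless, noiseless channel, writes the −45° state as 135°, and uses illustrative function names.

```python
from fractions import Fraction
from itertools import product

# Polarization angles in degrees: horizontal, +45, vertical, -45 (written as 135).
STATES = (0, 45, 90, 135)
BASES = ((0, 90), (45, 135))  # rectilinear and diagonal measurement bases

# Born rule cos^2(angle difference), tabulated exactly for the angles used here.
COS2 = {0: Fraction(1), 45: Fraction(1, 2), 90: Fraction(0), 135: Fraction(1, 2)}

def click_prob(signal, outcome):
    """Probability that a photon polarized along `signal` gives `outcome`."""
    return COS2[(signal - outcome) % 180]

def bob_infers(announced, outcome):
    """Return the state Bob can name with certainty, or None if inconclusive.
    An outcome orthogonal to one announced state rules that state out."""
    excluded = [s for s in announced if click_prob(s, outcome) == 0]
    if len(excluded) != 1:
        return None
    (remaining,) = set(announced) - set(excluded)
    return remaining

def sift_statistics():
    """Enumerate every sent state, announced neighbour, basis and outcome.
    Returns (probability of a conclusive event, probability of a wrong one)."""
    conclusive = wrong = Fraction(0)
    weight = Fraction(1, len(STATES) * 2 * len(BASES))
    for sent, step, basis in product(STATES, (45, -45), BASES):
        announced = (sent, (sent + step) % 180)
        for outcome in basis:
            p = weight * click_prob(sent, outcome)
            guess = bob_infers(announced, outcome)
            if guess is not None:
                conclusive += p
                wrong += p * (guess != sent)
    return conclusive, wrong

if __name__ == "__main__":
    print("announced {H, +45}, outcome -45 ->", bob_infers((0, 45), 135))
    print("conclusive fraction, error fraction:", sift_statistics())
```

On an ideal channel one quarter of the events are conclusive and none of them is wrong, which is the postselected subset described in the text.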

16.8 Conclusion

As we have seen in this chapter, quantum mechanics offers a solution to distribute a secret key to two parties once they are provided with an authenticated public channel. This can be done, for example, by sharing some initial secret key. The whole procedure can be made robust under noise and loss in the quantum channel. Moreover, we can use relatively simple signal sources, such as attenuated laser pulses, to achieve this goal. It is important to keep in mind that this progress does not mean that research on the theory of QKD is already completed. One has to find protocols that cope efficiently with the paramount problem in QKD: the loss in the transmission lines. Optimizing protocols is today's challenge, and we find that the toolbox for optimal protocols is not complete yet.

References

  1. Vernam, G.S. (1926) Cipher printing telegraph systems. J. AIEE, 45, 295.
  2. Bennett, C.H. and Brassard, G. (1984) Quantum cryptography: public key distribution and coin tossing. Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, pp. 175–179, New York, IEEE.
  3. Wiesner, S. (1983) Conjugate coding. Sigact News, 15, 78.
  4. Wegman, M.N. and Carter, J.L. (1981) New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci., 22, 265–279.
  5. Ben‐Or, M., Horodecki, M., Leung, D.W., Mayers, D., and Oppenheim, J. (2005) Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, J. Kilian (ed.) Springer‐Verlag 2005, vol. 3378, Lecture Notes in Computer Science, pp. 386–406.
  6. Bennett, C.H. (1992) Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett., 68 (21), 3121–3124.
  7. Bechmann‐Pasquinucci, H. and Gisin, N. (1999) Incoherent and coherent eavesdropping in the 6‐state protocol of quantum cryptography. Phys. Rev. A, 59, 4238–4248.
  8. Bruß, D. (1998) Optimal eavesdropping in quantum cryptography with six states. Phys. Rev. Lett., 81, 3018–3021.
  9. Ekert, A. (1991) Quantum cryptography based on Bell's theorem. Phys. Rev. Lett., 67 (6), 661–663.
  10. Shor, P.W. and Preskill, J. (2000) Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett., 85, 441–444.
  11. Calderbank, A.R. and Shor, P.W. (1996) Good quantum error‐correcting codes exist. Phys. Rev. A, 54, 1098–1105.
  12. Steane, A.M. (1996) Error correcting codes in quantum theory. Phys. Rev. Lett., 77, 793.
  13. MacWilliams, F.J. and Sloane, J.J.A. (1977) The Theory of Error‐Correcting Codes, North Holland, Amsterdam.
  14. Gottesman, D., Lo, H.‐K., Lütkenhaus, N., and Preskill, J. (2004) Security of quantum key distribution with imperfect devices. Quantum Inf. Comput., 4 (5), 325.
  15. Inamori, H., Lütkenhaus, N., and Mayers, D. (2007) European Physical Journal D, 41, 599.
  16. Mayers, D. (1996) Quantum key distribution and string oblivious transfer in noisy channels, in Advances in Cryptology, Proceedings of Crypto '96, Springer, Berlin, pp. 343–357, quant‐ph/9606003.
  17. Mayers, D. (2001) Unconditional security in quantum cryptography. JACM, 48 (3), 351–406.
  18. IdQuantique, Geneva, http://www.idquantique.com (accessed 08 November 2017).
  19. MagiQ Technologies, Inc., New York, http://www.magiqtech.com (accessed 08 November 2017).
  20. Vogel, W., Welsch, D.‐G., and Wallentowitz, S. (2001) Quantum Optics: An Introduction, 2nd edn, Wiley‐VCH Verlag GmbH & Co. KGaA, Berlin.
  21. Koashi, M. (2004) Unconditional security of coherent‐state quantum key distribution with a strong phase‐reference pulse. Phys. Rev. Lett., 93, 120501.
  22. Hwang, W.‐Y. (2003) Quantum key distribution with high loss: toward global secure communication. Phys. Rev. Lett., 91, 57901.
  23. Lo, H.‐K., Ma, X., and Chen, K. (2005) Decoy state quantum key distribution. Phys. Rev. Lett., 94, 230504.
  24. Ma, X., Qi, B., Zhao, Y., and Lo, H.‐K. (2006) Physical Review Letters, 96, 070502.
  25. Wang, X.‐B. (2005) Physical Review A, 72, 049908.
  26. Gottesman, D. and Lo, H.‐K. (2003) Proof of security of quantum key distribution with two‐way classical communications. IEEE Trans. Inf. Theory, 49, 457.
  27. Scarani, V., Acín, A., Ribordy, G., and Gisin, N. (2004) Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations. Phys. Rev. Lett., 92, 057901.