Norbert Lütkenhaus

The security of practical quantum key distribution

Quantum key distribution (QKD) is the first quantum information task to reach the level of mature technology, already fit for commercialization. It aims at the creation of a secret key between authorized partners connected by a quantum channel and a classical authenticated channel. The security of the key can in principle be guaranteed without putting any restriction on an eavesdroppers power. This article provides a concise up-to-date review of QKD, biased toward the practical side. Essential theoretical tools that have been developed to assess the security of the main experimental platforms are presented (discrete-variable, continuous-variable, and distributed-phase-reference protocols).

Security against individual attacks for realistic quantum key distribution

The first complete protocol for quantum key distribution (qkd) has been introduced by Bennett and Brassard in 1984 [1] following earlier ideas by Wiesner [2]. Since then, this protocol (BB84 for short) has been implemented by several groups [3–13]. For an overview containing more details about the background, the experimental implementation and the classical evaluation procedure see for example [7,14–16]. The basic idea of the BB84 protocol is to use a random string of signal states which, for example, can be realized as single photons in horizontal, vertical, right circular, or left circular polarization states. These are two set of states which are orthogonal within each set, and have overlap probability 1/2 between the sets. If the receiver chooses at random between a polarization analyzer for linear polarization and one for circular polarization, then they obtain in this way a raw key [17]. From this they distill the sifted key by publicly exchanging information about the polarization basis of the signals and the measurement apparatus. They keep only those bits where the basis is the same for the signal and the measurement, since those signals give a deterministic relation between signal and measurement outcome. The practical implementations deviate from the theoretical abstraction used in the original proposal in two important points. The first is that the signal states do not have the correct overlap probabilities. Especially in the photonic realization, the signals contain contributions from higher photon numbers and from the vacuum state cause this deviation. The second point is that the quantum channel in these implementations (optical fibers) shows a considerable loss. It has been shown earlier [18,19] that the combination of the two effects open up a security gap. The extent of this security gap has been extensively illuminated for different signal sources in [20] giving necessary conditions on the feasibility of qkd without restriction to any particular class of eavesdropping attacks. From these results one can conclude that most current experiments are performed in a parameter regime where the necessary conditions for security are violated. In the present work I will complement these results by a positive proof of security for a scenario where the power of the eavesdropper is restricted to attacking signals separately (individual attack). This restriction allows us to proof the security for a realistic protocol, i. e. one where all components are known and work efficiently. It is necessary to distinguish this work from earlier work by other groups. Lo and Chau [21] gave a proof of principle for the security of quantum key distribution. At present, it is not possible to use their proof to implement secure qkd since the procedure involves devices to manipulate qubits coherently in order to allow fault-tolerant computing. The approach of Mayers [22] is certainly the most advanced result towards practical qkd which is provable secure against all eavesdropping attacks on the signals. However, the proof assumes ideal single photon signals, and, at present, we do not have an extension of that proof which can cope with realistic signal sources and effective error correction codes, although work in these directions is in progress. The restriction to eavesdropping on individual signals allows a much simpler analysis of a realistic scenario, and it is therefore advisable to use this scenario as a study for the generalization in the sense of Mayer’s proof. Furthermore, the results are interesting in their own right: it seems to be impossible to perform collective measurements on the signals with today’s technology. Therefore, qkd secure against individual attack will today create keys which are secure against future developments in coherent eavesdropping strategies, since tomorrows technology cannot be used for todays eavesdropping strategy. This is in contrast to the implication of an increase of future computation power or improvements in algorithms which threatens todays use of classical encryption schemes. In this paper I will derive a formula for the gain of secure bits per signal sent, that is per time slot of the experiment. These formulas are presented only in the limit of long keys, so that the influence of the necessary authentication of the key and all statistical influences regarding the number of errors etc. can be neglected. It is necessary to embed these results into a full protocol, derived, for example, in [10,23,24] to which I refer the reader for further details. This paper is organized as follows. In section II I

Unconditional security of practical quantum key distribution

Abstract.We present a complete protocol for BB84 quantum key distribution for a realistic setting (noise, loss, multi-photon signals of the source) that covers many of todays experimental implementations. The security of this protocol is shown against an eavesdropper having unrestricted power to manipulate the signals coherently on their path from sender to receiver. The protocol and the security proof take into account the effects concerning the finite size of the generated key. This paper is identical to the preprint arXiv:quant-ph/0107017, which was finalized in 2001. Therefore, some of the more recent developments, including the question of composability, are not addressed.

Continuous variable quantum cryptography: beating the 3 dB loss limit.

We demonstrate that secure quantum key distribution systems based on continuous variable implementations can operate beyond the apparent 3 dB loss limit that is implied by the beam splitting attack. The loss limit was established for standard minimum uncertainty states such as coherent states. We show that, by an appropriate postselection mechanism, we can enter a region where Eves knowledge on Alices key falls behind the information shared between Alice and Bob, even in the presence of substantial losses.

ESTIMATES FOR PRACTICAL QUANTUM CRYPTOGRAPHY

In this article I present a protocol for quantum cryptography which is secure against attacks on individual signals. It is based on the Bennett-Brassard protocol of 1984 (BB84). The security proof is complete as far as the use of single photons as signal states is concerned. Emphasis is given to the practicability of the resulting protocol. For each run of the quantum key distribution the security statement gives the probability of a successful key generation and the probability for an eavesdroppers knowledge, measured as change in Shannon entropy, to be below a specified maximal value.

Quantum key distribution with realistic states: photon-number statistics in the photon-number splitting attack

Quantum key distribution can be performed with practical signal sources such as weak coherent pulses. One example of such a scheme is the Bennett-Brassard protocol that can be implemented via polarization of the signals, or equivalent signals. It turns out that the most powerful tool at the disposition of an eavesdropper is the photon-number splitting attack. We show that this attack can be extended in the relevant parameter regime so as to preserve the Poissonian photon number distribution of the combination of the signal source and the lossy channel.

Security of quantum key distribution with imperfect devices

This paper prove the security of the Bennett-Brassard (BB84) quantum key distribution protocol in the case where the source and detector are under the limited control of an adversary. This proof applies when both the source and the detector have small basis-dependent flaws, as is typical in practical implementations of the protocol. The estimation of the key generation rate in some special cases: sources that emit weak coherent states, detectors with basis-dependent efficiency, and misaligned sources and detectors.

Higher-dimensional orbital-angular-momentum-based quantum key distribution with mutually unbiased bases

We present an experimental study of higher-dimensional quantum key distribution protocols based on mutually unbiased bases, implemented by means of photons carrying orbital angular momentum. We perform (d + 1) mutually unbiased measurements in a classically simulated prepare-and-measure scheme and on a pair of entangled photons for dimensions ranging from d = 2 to 5. In our analysis, we pay attention to the detection efficiency and photon pair creation probability. As security measures, we determine from experimental data the average error rate, the mutual information shared between the sender and receiver, and the secret key generation rate per photon. We demonstrate that increasing the dimension leads to an increased information capacity as well as higher key generation rates per photon. However, we find that the benefit of increasing the dimension is limited by practical implementation considerations, which in our case results in deleterious effects observed beyond a dimension of d = 4.

Entanglement as a Precondition for Secure Quantum Key Distribution

We demonstrate that a necessary precondition for an unconditionally secure quantum key distribution is that both sender and receiver can use the available measurement results to prove the presence of entanglement in a quantum state that is effectively distributed between them. One can thus systematically search for entanglement using the class of entanglement witness operators that can be constructed from the observed data. We apply such analysis to two well-known quantum key distribution protocols, namely, the 4-state protocol and the 6-state protocol. As a special case, we show that, for some asymmetric error patterns, the presence of entanglement can be proven even for error rates above 25% (4-state protocol) and 33% (6-state protocol).

Maximum efficiency of a linear-optical Bell-state analyzer

Abstract.In a photonic realization of qubits the implementation of quantum logic is rather difficult due to the extremely weak interaction on the few photon level. On the other hand, in these systems interference is available to process the quantum states. We formalize the use of interference by the definition of a simple class of operations which include linear-optical elements, auxiliary states and conditional operations.We investigate an important subclass of these tools, namely linear-optical elements and auxiliary modes in the vacuum state. For these tools, we are able to extend a previous qualitative result, a no-go theorem for perfect Bell-state analyzer on two qubits in polarization entanglement, by a quantitative statement. We show that within this subclass it is not possible to discriminate unambiguously four equiprobable Bell states with a probability higher than 50%.