
Quantum Cryptography

Yijia Lu (Eric)
Junior Paper Advisor: Prof. Kirk T. McDonald
Department of Physics, Princeton University, Princeton, NJ 08544
(January 10, 2006)
This paper represents my own work in accordance with University regulations.
Signature:
1 Introduction
Cryptology, the study of secret communication, has played an important role in the history
of mankind. According to Singh [1], author of The Code Book, records of cryptography date
back to ancient Greece in the fifth century B.C., during which the art of secret writing is
said to have saved Greece from Xerxes, the leader of the Persians. During the Second World
War, the success of Allied Forces very much depended on their ability to create machines
(which later developed into computers) to break the codes used by Germany and Japan
[2]. In the world today, the use of cryptography has become even more widespread, as the
application of cryptography has been extended to business transactions. Rapid development
in computer technology generates the need for more advanced protocols to encode messages,
because more advanced computers can decode them more rapidly. At the same time, one
calls for a cryptosystem that is provably secure, i.e., where unauthorized decoding is not
realizable.
Quantum cryptography shows the promise for such a secure cryptosystem. As an improvement
to the provably secure classical Vernam cipher cryptosystem, quantum cryptography
in essence distributes a random key, based on quantum bits, that is subsequently used
to encode a secret message. The two most important properties of quantum mechanics for
quantum cryptography are:
1. Measurement on an unknown quantum state modifies the state.
2. It is impossible to make perfect copies of an unknown quantum state (the no-cloning
theorem).
Therefore, any attempt by an eavesdropper to obtain information in the secret transmission
unavoidably introduces errors, which can help the secret-sharing parties detect eavesdropping.
In this paper, we first introduce classical cryptography in Sec. 2, followed by a discussion
of the properties of photon polarization in Sec. 3 (photons are widely used as carriers of
quantum information in quantum cryptography). The BB84 protocol,¹ the first and arguably
the most widely-known cryptosystem in quantum cryptography, is subsequently introduced
in Sec. 4. The practical problem caused by a noisy quantum channel is briefly treated in
Sec. 5. The paper ends with a survey of current progress in the field in Sec. 6.
¹ Named after Bennett and Brassard, who invented the protocol in 1984 [3].
2 Introduction to Classical Cryptography
This section introduces two types of classical cryptography (asymmetric and symmetric
cryptosystems) so as to highlight the advantages of quantum cryptography and to introduce
some key terms and ideas that have shaped the development of quantum cryptography. We
will show that there exists a provably secure classical cryptosystem, but it has shortcomings.
Quantum cryptography improves on this classical method.
2.1 Terminology
We illustrate the terminology in cryptology with a simple cryptosystem that encrypts a
text by scrambling it according to a mapping between the ordered alphabet (ABCDE...)
to a permutation of the letters. Such a mapping is known as the secret key. As a simple
illustration, we take the secret key to be the mapping of each letter in the English alphabet
to the one after it (A is mapped onto B, B onto C... and Z onto A). For instance, HELLO
is mapped onto IFMMP. Suppose our sender Alice would like to send the receiver Bob the
message HELLO. The content of the message is called the plaintext. Alice first encrypts her
plaintext according to the secret key and obtains the encrypted message or the ciphertext
IFMMP. The ciphertext is then sent to Bob through a public channel, which is accessible
to everyone and could be an email, a telephone call or even a publication in the newspaper.
Upon receiving the ciphertext, Bob decrypts it by applying the inverse of the key. In this
case, it would be mapping each letter in the ciphertext to the one preceding it (A to Z, B
to A, C to B, and so on). Bob subsequently retrieves the plaintext HELLO. The process is
illustrated in Table 1. Eve, an eavesdropper, would also like to know the secret message.
She is able to read the ciphertext IFMMP from the public channel, but it makes no sense
to her unless she is able to decode the ciphertext: i.e., to recover the plaintext from the
ciphertext.
Plaintext   =key=>   Ciphertext   Transmission   Ciphertext   =key=>   Plaintext
HELLO                IFMMP        =To Bob=>      IFMMP                  HELLO
Key: A to B, B to C, C to D... Y to Z, and Z to A
Table 1: Basic Terminology of Cryptology
2.2 Asymmetric Cryptosystems
In asymmetric cryptosystems [4, p. 147], Alice and Bob use different keys for encryption
and decryption. The best known asymmetric system is the RSA protocol, named after its
inventors Ronald Rivest, Adi Shamir, and Leonard Adleman. Asymmetric cryptosystems
rely on one-way functions, which are easy to compute in the forward direction but difficult
to solve inversely. Here "easy" means that hardware resources and time needed for
computation grow polynomially with the number of bits in the input, and "difficult" means
the time and resources required grow exponentially with the number of input bits [4, p. 148].
Bob, with his private key, will first compute a public key, which is available to everyone.
Alice then uses this public key and the one-way function to encrypt her plaintext, and sends
the ciphertext back to Bob through the public channel. Although both Eve and Bob hold
the ciphertext as well as the public key, only Bob has the original private key. Bob can thus
decrypt the ciphertext much faster than Eve does: by the time Eve works out the plaintext,
the information has already become obsolete. (An illustration of the one-way function used
in the RSA protocol can be found in Appendix A.)
The reliability of the RSA protocol rests on the assumption that the difficulty of factorizing
numbers undergoes exponential growth as the number of their digits increases. This
assumption does seem to hold so far, and consequently the RSA protocol still serves as a
basis for secure information transfer over the internet today. However, if a better algorithm
is found to make the factorization process more efficient, then the RSA protocol will become
useless. Indeed, Peter Shor demonstrated [5] in 1994 that with the help of a quantum
computer, an efficient algorithm does exist to speed up factorization significantly, although the
idea of a quantum computer still rests very much in theory today. The existence of secure
asymmetric cryptosystems, in fact, has never been proven [4].
2.3 Symmetric Cryptosystems
Symmetric cryptosystems [4, p. 148], on the other hand, are provably secure. In symmetric
cryptosystems, Bob and Alice share the same secret key. From now onwards, we will discuss
messages encoded in bits instead of using character-based messages such as HELLO. In the
language of Computer Science, each character or letter is assigned to an eight-digit binary
number, which is known as a byte. Each digit is known as a bit, which has a value of either
0 or 1. Each byte with 8 bits in it can have 2^8 = 256 different values, which are sufficient to
be related on a one-to-one basis to the punctuation marks and the 26 letters in the English
alphabet.² For example, a message with 50 characters (letters, spaces, etc.) is represented
uniquely by a binary number with 8 × 50 = 400 bits or digits.
An example of a provably secure symmetric cryptosystem is the Vernam cipher. Suppose
we have a message with n characters (so 8n bits). Bob or Alice will first randomly
generate a binary number with 8n digits (by tossing a coin 8n times, for instance) and share
this number with the other person. This random number, which is made to have the same
length as Alice's plaintext, is the secret key that both Bob and Alice hold. Alice adds her
plaintext bitwise modulo 2 to the random key so as to obtain the ciphertext. Bob, upon
receiving the ciphertext, performs the same operation by adding the ciphertext bitwise modulo 2
to the secret key to recover Alice's plaintext. This is because for each bit in the secret
key, applying the same key twice means adding 0 or 1 to itself modulo 2: (0+0) mod 2 = 0
and (1+1) mod 2 = 0. So the secret key added modulo 2 to itself becomes a binary number
with every bit equal to 0.
² Some languages such as those used in East Asia have far more characters; two bytes representing
2^16 = 65,536 possibilities are assigned to each character in these languages instead.
The code is provably secure because the secret key used is random. For instance, a
fifty-character message (400 bits) can be encrypted by 2^400 different secret keys. So for any given
ciphertext, if Eve adds to it modulo 2 all possible secret keys (provided she is capable of this
exhausting task) to recover meaningful messages, she will recover all possible messages in
the English language with fifty characters. But Eve in principle holds such an information
set with or without intercepting Alice's ciphertext.
It must be added that the secret key shared by Alice and Bob should only be used
once. Suppose the secret key is used twice. With two ciphertexts, Eve can obtain the
bitwise addition modulo 2 of the two plaintexts (the randomness of the secret key cancels
out when the same key is added modulo two twice, as explained in the previous paragraph).
As plaintexts have redundancies (they have patterns instead of being perfectly random
sequences), the code becomes vulnerable [6, p. 191]. This explains why the Vernam cipher must
be used as a one time pad to ensure absolute security.
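The two properties argued above, that one ciphertext is consistent with every message of its length and that a reused key cancels out of two ciphertexts, can be checked directly. The following Python sketch is an added example, not code from the paper; the function names and the two sample messages are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise addition modulo 2 of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("the Vernam cipher needs a key as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_key(n_bytes: int) -> bytes:
    """Fresh random key of 8n bits (the OS CSPRNG stands in for coin tosses)."""
    return secrets.token_bytes(n_bytes)


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # Adding the same key a second time cancels it: k + k = 0 (mod 2).
    return xor_bytes(ciphertext, key)


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The key under which `ciphertext` would decrypt to `candidate`.

    Such a key exists for every candidate of the right length, which is why a
    single ciphertext tells Eve nothing beyond the message length.
    """
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What two ciphertexts under one key give away: p1 + p2 (mod 2)."""
    return xor_bytes(c1, c2)


def identical_positions(c1: bytes, c2: bytes) -> list:
    """Byte offsets where the two plaintexts must hold the same character."""
    return [i for i, b in enumerate(reuse_leak(c1, c2)) if b == 0]


# Constructed sample messages, both 13 bytes long.
P1 = b"MEET AT NOON."
P2 = b"MEET AT NINE."

if __name__ == "__main__":
    key = new_key(len(P1))
    c1, c2 = encrypt(P1, key), encrypt(P2, key)  # same key twice: the mistake
    print("round trip ok:", decrypt(c1, key) == P1)
    print("leak is key-free:", reuse_leak(c1, c2) == xor_bytes(P1, P2))
    print("plaintexts agree at offsets:", identical_positions(c1, c2))
```

With a fresh key per message the last two results are unavailable to Eve, because the two keys no longer cancel.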
The Vernam cipher requires that a random secret key of the same length as the message
be shared between Alice and Bob for each message. This leads to the problem of key
distribution: if Alice and Bob can find a way to distribute the secret key securely, then
they can just use the same secure method to distribute their plaintext of the same length
directly. In other words, one faces the paradox that before Alice and Bob can communicate
in secret, they must first communicate in secret, as Lomonaco has succinctly pointed out
[7, p. 5].
To avoid this paradox, Alice and Bob have to meet physically to decide on a set of one
time pads before they can take advantage of the perfectly secure Vernam cipher cryptosystem
later. But the storage of these keys makes the cryptosystem vulnerable because if Eve
manages to obtain these keys, she will be able to read all the encoded messages transmitted
between Bob and Alice later.
The key distribution problem thus often leads people to choose the more practical RSA
cryptosystem. However, because the RSA protocol rests on unproven assumptions, one
aspires for a method that solves the key distribution problem. It turns out that quantum
cryptography is a suitable candidate. Based on the Vernam cipher cryptosystem, quantum
key distribution is an efficient method to distribute the random key between Alice and Bob,
because it provides Alice and Bob with a mechanism to detect eavesdropping, which is a
totally new contribution to the field of cryptography [7, p. 7].
3 Properties of Polarized Photons
Sec. 4 of this paper discusses the first and the most widely-discussed example of quantum
cryptography, namely the BB84 protocol proposed by Bennett and Brassard in 1984 [3].
The BB84 protocol is a key distribution cryptosystem based on the perfectly secure Vernam
cipher method described above, and is still widely used in quantum cryptography experiments.
In the BB84 protocol, Alice and Bob perform a random key distribution through
a quantum channel, using photons. A quantum channel can simply be a polarization-preserving
optic fiber. A photon is the fundamental unit or quantum of light and it can be
viewed as a localized, oscillating electromagnetic field [4, p. 76], with its polarization defined
by its associated electric field. Photons exhibit wave-particle duality, a phenomenon that
is explained by quantum mechanics. More specifically, photons exhibit wave-like properties
in propagation and particle-like properties upon detection [8]. By detection, we mean
counting the number of photons.
Alice will first prepare a train of photons in different polarizations, which correspond to
different bit values. She then sends these prepared photons via the quantum channel to Bob,
who will in turn measure them with detectors. In this section, we will introduce the basic
properties of polarized photons and explain how to use them to transmit information. We
emphasize that the most important property of polarized photons to quantum cryptography
is the impossibility for an observer, who did not participate in the photon preparation process,
to differentiate between different modes of polarizations that are not orthogonal to one
another. We show, for the BB84 protocol in particular, that it is impossible for the observer
to differentiate the following four polarizations: horizontal, vertical, +45° and −45°.
3.1 Electromagnetic Wave Polarization
Experiments in electromagnetism demonstrate that light is a transverse electromagnetic wave
with an electric field E and a magnetic field B orthogonal to each other and to the direction
of propagation. We can write the general formula of the electric field of an electromagnetic
wave traveling in the positive z-direction:

$$E_x(z, t) = \int E_{0x}(\omega)\, e^{i(kz - \omega t)}\, d\omega, \qquad (1)$$

$$E_y(z, t) = \int E_{0y}(\omega)\, e^{i(kz - \omega t)}\, d\omega, \qquad (2)$$

and

$$\mathbf{E}(z, t) = \hat{x} E_x(z, t) + \hat{y} E_y(z, t) = \int \left( \hat{x} E_{0x}(\omega) + \hat{y} E_{0y}(\omega) \right) e^{i(kz - \omega t)}\, d\omega, \qquad (3)$$

where $E_{0x}(\omega)$ and $E_{0y}(\omega)$ are complex amplitudes. An electromagnetic wave traveling in the
z-direction is said to be linearly polarized if E(z,t) always oscillates along the same line in
the x-y plane, independent of the wave's frequency or time.
For our discussion of quantum cryptography, we will work only with linear polarization
modes of light for the sake of simplicity. We are interested in two sets of orthogonal linear
polarization modes for photons:
1. Horizontal ([ )) and Vertical ([ ))
2. +45° ([ )) and −45° ([ ))
The first set refers to polarizations in the x-direction and in the y-direction, respectively;
the second set describes polarizations in the directions that make +45° and −45° with the
positive y-axis, respectively, in the x-y plane. Mathematically,
Horizontal: xE
0
() = [ ) =
|+|

2
,
Vertical: yE
0
() = [ ) =
||

2
,
+45

:
(

x+

y)

2
E
0
() = [ ) =
|+|

2
,
45

:
(

y)

2
E
0
() = [ ) =
||

2
.
The horizontal and vertical polarizations form an orthogonal basis in a two-dimensional
space, which can also be spanned by the orthogonal basis of +45° and −45° polarizations.
3.2 The Preparation of Polarized Photons
Polarized photons can be readily obtained from a laser source. One can also prepare polarized
photons from an unpolarized (or more precisely, randomly polarized) thermal source (such
as sunlight) by the use of an optically asymmetric material that selectively blocks or alters
the path of photons depending on their polarization direction. This phenomenon can be
realized by four mechanisms: dichroism (i.e., selective absorption), reflection, scattering,
and birefringence [9, p. 332].³ In practice, one usually uses Polaroid filters or calcite crystals
to obtain polarized photons from a thermal source [3].
³ Details on these mechanisms can be found in Hecht, Chapter 8 [9].
These methods allow us to obtain photons polarized in the directions that we want, but
they do not guarantee that we can obtain one and only one photon in a time interval.⁴ We
need a device to produce exactly one photon per time interval because the BB84 protocol
relies on the fact that an observer cannot distinguish among the four states: [ ), [ ),
[ ), and [ ). If two or more than two photons in the same state are generated in a time
interval, it is possible to obtain more information about the state and this makes the BB84
protocol less secure (this will be elaborated further in Sec. 4.3).
We will first assume the availability of such an ideal photon generator to prepare exactly
one photon in a selected polarization direction per time interval in Sec. 3, 4.1, and 4.2 so
as to introduce the basic ideas of quantum cryptography. We relax this assumption from
Sec. 4.3 onwards. Experimental difficulties in obtaining such a photon source are discussed
in Appendix B.
In the remainder of this section we explain why it is not possible for an observer to
distinguish between the four states: [ ), [ ), [ ), and [ ) of a single photon.
3.3 Measuring a Photon's Polarization
To understand why an observer cannot distinguish the polarization of a photon in one of the
four states mentioned above, we start with two orthogonal states, [ ) and [ ), which can be
distinguished with the help of a polarization beam splitter⁵ and two photon detectors
[10, p. 28]. Photon detectors count the integer number of photons arriving at the detectors
by measuring the energy released when the photons are absorbed (and thus destroyed). The
polarization beam splitter is an optically asymmetric device that differentiates photons with
different polarizations. It has four unique axes (u, v, 1, and 2) associated with it in space
as shown in Fig. 1.
A photon traveling in the direction of 1-axis will pass through the polarization beam
splitter without deflection if it is linearly polarized in the v-direction; it will be deflected
by the polarization beam splitter in the direction of 2-axis if it is linearly polarized in
the u-direction. Two photon detectors Det1 and Det2 are placed behind the polarization
beam splitter to measure the photons transmitted through the polarization beam splitter
via directions 1 and 2, respectively.
To distinguish between the states [ ) and [ ), we align the polarization beam splitter
such that its positive u-axis and positive v-axis point in the direction of the positive x-axis
(horizontal) and positive y-axis (vertical), respectively. We shall denote this alignment of
the polarization beam splitter by the symbol .⁶ With this alignment, a vertically polarized
photon, [ ), will pass through the polarization beam splitter undeflected, and the detector
Det1 will register a count of 1. Similarly, a horizontally polarized photon, [ ), will pass
through the polarization beam splitter with deflection, and the detector Det2 instead will
register a count of 1. With the polarization beam splitter in the alignment, we are thus
able to distinguish between the states [ ) and [ ). We therefore say that the states [ )
and [ ) are in the basis of .
Figure 1: Polarization Beam Splitter
⁴ The time interval is determined by the photon generation time and the photon detection time, whichever
one is longer.
⁵ Nicol prisms are usually used.
Now we consider the other two states: [ ) and [ ). Quantum mechanics tells us that
if only one photon (in either the state [ ) or the state [ )) reaches the polarization beam
splitter in the alignment, it will be transmitted in either direction 1 or 2 with an equal
probability of 1/2. The measurement of the states [ ) or [ ) is thus probabilistic, and we
cannot distinguish between these two states with the polarization beam splitter aligned in
the basis. However, if we rotate the polarization beam splitter by +45° about the z-axis
(we shall denote this new alignment by and say [ ) and [ ) are in the basis of ),
we can now distinguish between the states [ ) and [ ), but we cannot then distinguish
between [ ) and [ ).
⁶ This alignment is not the only one to distinguish between the states [ ) and [ ). But it suffices to
consider only one case here. For the sake of simplicity and consistency, we therefore consider in this paper
only the alignment described in the main text above to distinguish between the states [ ) and [ ).
In general, any alignment of the polarization beam splitter will always give probabilistic
measurements of at least two of the four states, because these four states are not orthogonal
to one another. Measurements in the alignments and are illustrated in Fig. 2.
Figure 2: Results of measurements of the four polarization states [ ), [ ), [ ), and [ )
for a polarization beam splitter aligned in the and bases.
We are thus not able to distinguish between the four polarization states of a photon if
we do not know its polarization basis. However, if we have a large number of photons in the
same state ([ ), [ ), [ ), or [ )), then we can learn the polarization state. We can pass
half of the photons through a polarization beam splitter in the alignment. If we make the
same measurement for all these photons (i.e., all the photons are detected by either Det1 or
Det2), then we know that the photon is polarized in basis of , and we know its polarization
state based on the result of the measurement. However, if both Det1 and Det2 register an
approximately equal number of counts, then we know that is not the basis of the photon
state. We thus pass the other half of the photons through a polarization beam splitter in
the alignment, as the polarization state has to be in the basis. We can then determine
the state, as all the photons will be detected by either detector Det1 or detector Det2.
If we are given only one photon, we may want to make copies of it before making measurement
in the hope of learning more about its state using the method mentioned above.
However, the no-cloning theorem in quantum mechanics, explained in the following section,
tells us that we will not be able to make a perfect copy of a photon state unless we know its
basis.
3.4 The No-Cloning Theorem
The no-cloning theorem [11, 12] is one of the most important theorems in quantum cryptography.
It states simply that one is not able to make a perfect copy of an unknown quantum
state. The proof is by contradiction. We assume that we can have a linear, unitary copy
operator C. The operator is linear because all quantum operators are linear. It is unitary
because it is a time evolution operator that preserves probability.⁷ Suppose [) and [) are
any two quantum states to be copied onto |0⟩, the blank or zero state. Then:

C[)[0) = [)[) and



C[)[0) = [)[). (4)
Because the copy operator is unitary,

C


C = 1, so:
[) = 0[0)[) = 0[[)[0)
= 0[[


C[)[0) = [[)[) = [)
2
,
Hence, [) = 0 or 1. (5)
However, since [) and [) are any quantum states, they need not be identical or orthogonal,
i.e., [) , = 0 or 1 for all [) and [). This contradicts Eq. (5).
We thus conclude that a perfect quantum copying machine is not theoretically possible.
However, the no-cloning theorem does not forbid us from making imperfect copies. In particular,
we can have a copier (often called the Controlled-Not or CNOT operator) that copies
and as long as [) = 0 or 1. For instance, we can have a copier

C

that copies [ )
and [ ) but fails to copy [ ) and [ ):

[ )[0) = [ )[ ) (6)

[ )[0) = [ )[ ) (7)

[ )[0) =

C

(
[ ) +[ )

2
)[0) =
[ )[ ) +[ )[ )

2
=
[ )[ ) +[ )[ )

2
(8)

[ )[0) =

C

(
[ ) [ )

2
)[0) =
[ )[ ) [ )[ )

2
=
[ )[ ) +[ )[ )

2
(9)
The final states of Eqs. (8) and (9) are entangled states rather than the desired direct product
states [ )[ ) and [ )[ ), respectively.
⁷ Suppose U is a time evolution operator that preserves probability and it acts on a state |a⟩ to give a
state |b⟩: U|a⟩ = |b⟩. Since probability is preserved, we expect ⟨a|a⟩ = ⟨b|b⟩. Now ⟨b|b⟩ = ⟨a|U†U|a⟩. So
⟨a|U†U|a⟩ = ⟨a|a⟩. Hence U†U = 1, i.e., U is unitary.
Similarly, a copier

C

copies [ ) and [ ) but fails to copy [ ) and [ ):

[ )[0) = [ )[ ) (10)

[ )[0) = [ )[ ) (11)

[ )[0) =

C

(
[ ) +[ )

2
)[0) =
[ )[ ) +[ )[ )

2
=
[ )[ ) +[ )[ )

2
(12)

[ )[0) =

C

(
[ ) [ )

2
)[0) =
[ )[ ) [ )[ )

2
=
[ )[ ) +[ )[ )

2
(13)
The final states of Eqs. (12) and (13) are entangled states rather than the desired direct
product states [ )[ ) and [ )[ ), respectively.
If we do not know the basis of the photon, we do not know which imperfect copier to
choose. Suppose we randomly choose one of the two imperfect copiers to copy an unknown
state. Can we then use the method described at the end of Sec. 3.3 to determine the
polarization state of the photon? No, because the measurements of both copies of the
photon always yield the same result, whether or not that result matches the original state
of the photon.
As an illustration, suppose the photon is horizontally polarized. If we use C to make
n exact copies of [ ) and pass these photons through a polarization beam splitter in
the alignment, we will observe that all of them are deflected in direction 2 as mentioned
in Sec. 3.3. On the other hand, if we use C to make n copies of [ ), we will obtain


||...n...|+||...n...|

2
. The n photons are entangled. If we measure one of the photons
and find it to be in the state of [ ) (or [ )), then the remaining (n − 1) photons will
be in the state of [ ) (or [ )) as well. Passing these n photons through a polarization
beam splitter in the alignment will cause all of the n photons to be transmitted either
with deflection in direction 2, or without deflection in direction 1, with the probability of
one half. One thus always observes that all photon copies of a photon are detected by only
one of the two detectors whether or not one has used the correct imperfect copier.
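The behaviour of the imperfect copier described in this section can be verified numerically with two-component state vectors. The sketch below is an added example, not code from the paper; it assumes the copier is a CNOT acting on the basis H = (1, 0), V = (0, 1), and the names H, V, PLUS and MINUS are labels chosen here for the four polarization states.

```python
import math

S = 1 / math.sqrt(2)

# Single-photon states as amplitudes over (H, V); labels are assumptions.
H, V = [1.0, 0.0], [0.0, 1.0]
PLUS, MINUS = [S, S], [S, -S]       # the +45 and -45 degree states
BLANK = [1.0, 0.0]                  # the blank state the copy is written onto


def kron(u, v):
    """Two-photon product state, amplitudes ordered HH, HV, VH, VV."""
    return [a * b for a in u for b in v]


def cnot(state):
    """Flip the second photon when the first is V (swap the VH and VV terms)."""
    hh, hv, vh, vv = state
    return [hh, hv, vv, vh]


def copy_attempt(psi):
    """Output of the imperfect copier applied to psi and a blank photon."""
    return cnot(kron(psi, BLANK))


def fidelity_with_clone(psi):
    """Squared overlap between the copier output and a true clone psi x psi."""
    ideal, out = kron(psi, psi), copy_attempt(psi)
    return abs(sum(x * y for x, y in zip(ideal, out))) ** 2


def is_product_state(state, tol=1e-12):
    """A two-photon state factorizes exactly when hh*vv - hv*vh vanishes."""
    hh, hv, vh, vv = state
    return abs(hh * vv - hv * vh) < tol


def prob_copies_disagree(state):
    """Chance that an H/V measurement of both photons gives different results."""
    _, hv, vh, _ = state
    return abs(hv) ** 2 + abs(vh) ** 2


if __name__ == "__main__":
    for name, psi in [("H", H), ("V", V), ("+45", PLUS), ("-45", MINUS)]:
        out = copy_attempt(psi)
        print(name, "fidelity", round(fidelity_with_clone(psi), 3),
              "product state:", is_product_state(out),
              "copies disagree:", round(prob_copies_disagree(out), 3))
    # A true clone of the +45 state would disagree half the time in H/V.
    print("true clone disagree:", prob_copies_disagree(kron(PLUS, PLUS)))
```

The copier output for the ±45° states never shows disagreeing detectors, whereas genuine clones would disagree half the time; this is why the many-photon method of Sec. 3.3 gains nothing from the copies.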
3.5 The Use of Photons to Transmit a Random Key
We end this section by illustrating how a random key can be transmitted by photons. We
start first with a crude example of key distribution via a quantum channel to illustrate the
basics of information transfer by photons. We then consider how this method can be refined.
Suppose Alice wants to send Bob a random key with polarized photons. Encoding in
quantum cryptography is realized by making a train of photons polarized in different directions
that correspond to different bit values. Alice and Bob decide beforehand the assignment
of 0s and 1s to the photon polarization modes used. For instance, Bob and Alice may agree
that a photon in the vertical polarization represents a bit value of 0 and one in the horizontal
polarization represents 1. If Alice wants to send Bob the random key 101001, she can then
send Bob six photons encoded as via the quantum channel. We will assume here
that the quantum channel is noiseless: i.e., all properties (especially the polarizations) of
the photons that Alice sends to Bob are preserved in transmission. Noisy quantum channels
are briefly discussed in Sec. 5. We also assume that the quantum channel is lossless, i.e.,
it does not attenuate photons. Upon receiving the photons from Alice, Bob decodes them
by measuring their corresponding polarizations with the polarization beam splitter in the
alignment so that his measurements of Alice's photons match Alice's original bit values.
This method to transmit information encoded on polarized photons is crude because it
is not any better than classical information transmission: Eve can easily eavesdrop without
being detected. With her polarization beam splitter aligned in (the same alignment as
Bob's polarization beam splitter), Eve can intercept Alice's photons, measure their polarizations,
and thereby obtain Alice's key. Eve can eavesdrop without being detected by sending
Bob photons polarized in the direction that she has measured.
However, if Alice sends photons one per time interval each with a random choice of the
two bases, and , Eve will not be able to measure each photon's polarization correctly if
she does not know the basis Alice has chosen for each photon. Thus the key Eve holds is
bound to contain errors. Indeed, Bob faces the same trouble as Eve. The BB84 protocol,
however, turns this problem into an advantage. If Bob and Alice have used the same basis
for a photon, then Bob's measured value of that photon should match Alice's bit value. These
bit values are therefore useful to Bob and Alice. To know which of the bit values measured
by Bob are in the same basis, either Alice or Bob must share with the other person the
knowledge as to which basis (but not the bit value) is used for each photon. But, as noted
by Bennett and Brassard [3], Alice and Bob can delay sharing this information until after
Bob has made his measurements, in which case only half of the bit values remain useful.
Since Alice and Bob are trying to distribute a random key, losing some random bit values
does not matter. If Eve tries to eavesdrop by measuring Alice's photons and sending photons
of the measured values on to Bob, then she is bound to change the states of some of Alice's
photons, thus altering the results in some of Bob's measurements. Bob and Alice can then
discover Eve's presence by comparing a part of the bit values that each of them keeps. We
elaborate this further in the next section.
4 Quantum Cryptography: the BB84 Protocol
We demonstrate here how the impossibility for an observer to distinguish the four polarization
states mentioned above can be used to make a secure key distribution. The particular
example given here is the BB84 protocol [3]. We have to make two general assumptions.
First, we assume Eve is not able to fool Alice (or Bob) into believing that she is Bob (or Alice),
and subsequently establish one set of communication with Alice and another set with
Bob. Second, we also assume that Eve does not want to cut off the communication between
Alice and Bob entirely: in many cases, an eavesdropper wants to obtain secret information
instead of obstructing information.
Bob and Alice agree to use the four polarization states [ ), [ ), [ ), and [ ) as
encodings for bit values 0, 1, 0, and 1, respectively:
Polarization
Bit Value 0 1 0 1
We reemphasize here that if Bob and Alice use the same basis for a photon, then Bob's
measurement of this photon matches the bit value that Alice assigned to it. Such a bit value
is therefore useful to Alice and Bob. The possible measurements by Bob on Alice's four
polarization states have been tabulated in Table 2. Boldface indicates useful bit values.
                            Bob Measures in
Alice Sends and records
1 = [ )                     1          0 or 1
0 = [ )                     0          0 or 1
1 = [ )                     0 or 1     1
0 = [ )                     0 or 1     0
Table 2: Bob's possible measurements on Alice's four states.
4.1 Basic Procedures of the BB84 Protocol
The key distribution process starts with Alice sending Bob, via a quantum channel, one
photon per time interval, each selected randomly from the four polarization states. Alice keeps a
record of the random photon states that she is sending to Bob. As an example, suppose Alice
has randomly generated the first sixteen states with their corresponding bit values shown in
the first two rows of Table 3.
Bob, on the receiving end, measures each photon from Alice in either the or the basis,
chosen randomly for each photon. Bob's measured bit value matches Alice's whenever they
use the same basis for encoding and measurement. On the other hand, if they use different
bases, then their bit values match 50% of the time. So Alice and Bob will want to keep
the bits they encoded and measured with the same basis, and discard the ones measured
in different bases. However, Bob does not know whether he has used the right basis, so
he records for every measurement the basis used as well as the result. We tabulate one
possible example of Bob's randomly selected basis and the corresponding measured results
in the fourth and fifth rows of Table 3. Notice that whenever the bases used are the same,
Alice's bit value and Bob's result agree.
Alice's Bit Values 0 1 0 0 0 1 1 0 1 1 1 1 0 1 0 ...
Alice's Encodings ...
Same Basis? Y Y Y Y Y Y Y ...
Bob's Basis ...
Bob's Result 1 1 0 0 0 1 0 1 1 1 1 0 0 1 1 ...
Final key 1 0 0 1 1 1 0 ...
Table 3: An example of quantum key distribution from Alice to Bob.
After Bob and Alice have completed the transmission outlined above, they communicate
with each other over a public channel during which Bob reveals to Alice the basis (not the
bit value) for each measurement. In our example, Bob reveals to Alice via a public channel
the fourth row in Table 3: ...
Alice now compares the basis she has used to encode each of her photons with the basis
Bob used for his measurements. She then knows which of Bob's measurements match her bit
values: the ones for which they have used the same basis. These measurements are useful.
Alice thus tells Bob, via the public channel, which photon measurements to keep and which
to discard. In our tabulated example, Alice, with access to information from row 2 and row 4,
finds out the photons that Bob has measured with the correct basis. We indicate the choices
with a Y in row 3 of Table 3. Alice will then tell Bob which photons she has labeled
with Y and the two of them will subsequently discard the unlabeled photon encodings and
measurements.
The remaining bit values held by Alice constitute her raw key. Likewise, Bob holds a
raw key as well. In this case, for each of the photons that remains, Bob's measurement of it
corresponds to Alice's bit value because we assume the photons sent by Alice are the ones
received by Bob (there is no tampering of these photons). So their raw keys should agree
perfectly. Therefore, Alice and Bob now hold a common key, called the sifted key [10,
p. 29]. In our example, this key is shown in the last row of Table 3: 1001110... Due to the
randomness throughout the steps performed so far, the sifted key is random as well.
The next section shows what happens if an eavesdropper were present.
4.2 Eavesdropping
If the quantum channel used by Alice and Bob is noiseless, then Alice's raw key should agree
perfectly with Bob's raw key, provided nobody has tampered with the transmission in the
quantum channel. However, if Eve eavesdrops, then Alice's and Bob's raw keys in general do
not match perfectly. This is because if Eve eavesdrops in the quantum channel, she has to
intercept and make measurements of Alice's photons. But because two sets of bases are used
by Alice, Eve cannot know for sure which basis to use to make her measurement. So half of
the time, she measures the photons in the wrong basis. Eve wants to send Bob photons in
place of the ones she has intercepted and measured because otherwise the communication
between Alice and Bob is interrupted, which will alert Alice and Bob to the presence of Eve.
So for each photon Eve intercepts, she must send another one to Bob. But because some of
her measurements are performed in different bases, some of the photons that Eve sends to
Bob will be in different states from the original photons that she has intercepted from Alice.
This causes some of Bob's measured bit values to differ from what he would have measured
if he had received Alice's original photons.
It is therefore a practical step in the BB84 protocol for Bob and Alice to compare a
random part of their raw keys. Assuming a noiseless quantum channel, if Alice and Bob
notice disagreement in the revealed part of their raw keys, then they know someone has
tampered with their photons, so the communication is not secure. On the other hand, if
Alice and Bob do not notice any errors, they can then discard the revealed part of the sifted
key and use the remaining bit values as the random one-time pad to communicate securely.
Eve thus has the incentive to increase the level of agreement between Alice's and Bob's
sifted key. If Eve intercepts and measures all the photons in the quantum channel, she has
three strategies for each of the photons she intercepts and measures:
1. Send Bob one photon in the same basis with the polarization she has measured;
2. Send Bob one photon in the same basis, but use the other polarization;
3. Send Bob one photon in the other basis with a random choice of polarization.
We show in Appendix C that the first strategy among the three is the best one (footnote 8):
it maximizes the level of agreement of Alice's and Bob's sifted keys as well as the amount of
useful information Eve holds. It is shown that strategy 1 will cause Alice's raw key to agree
with Bob's raw key 75% of the time if Eve intercepts every photon Alice sends to Bob. An error
rate of 25% is large enough for Alice and Bob to notice eavesdropping when they compare a
part of their sifted key.
Footnote 8: There is a fourth choice: sending the photon in a random polarization not confined
to the two sets of basis in use. From the analysis of Eve's strategies given in Appendix C, we
see that this strategy is equivalent to 3 except that it reduces the probability for Eve to know
about Bob's measurement. But Eve is not interested in knowing about Bob's measurement.
In practice, things are more tricky because there is noise in the quantum channel, so Alice
and Bob expect some degree of disagreement in their sifted keys even without the tampering
of an eavesdropper. Eve may consider the strategy of making measurements on a fraction of
the photons Alice sends to Bob so that she does not cause too much disagreement in the raw
keys held by Alice and Bob, who may thus believe that the disagreement in their raw keys is due
to noise in the quantum channel instead of eavesdropping. However, if Eve only eavesdrops
on a fraction of the photons, she reduces the amount of useful information available to her,
thereby reducing the amount of information that she will be able to retrieve by decoding
Alice's ciphertext.
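The sifting and sample-comparison steps of Secs. 4.1 and 4.2 can be checked numerically. The following Python simulation is an added example, not part of the original paper; it models a noiseless channel, labels the two bases 0 and 1, and lets Eve apply strategy 1 to a chosen fraction of the photons (the function names and the parameter eve_fraction are assumptions of this sketch).

```python
import random


def measure(photon, basis, rng):
    """Return the bit read out when a (basis, bit) photon is measured in `basis`.

    Same basis: the encoded bit is recovered with certainty.
    Different basis: the outcome is 0 or 1 with equal probability.
    """
    photon_basis, photon_bit = photon
    if photon_basis == basis:
        return photon_bit
    return rng.randint(0, 1)


def run_bb84(n_photons, eve_fraction=0.0, seed=1):
    """Simulate BB84 on a noiseless channel; return (alice_key, bob_key) after sifting.

    Eve intercepts each photon with probability `eve_fraction`, measures it in a
    random basis and resends what she measured in that same basis (strategy 1).
    """
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        alice_basis, alice_bit = rng.randint(0, 1), rng.randint(0, 1)
        photon = (alice_basis, alice_bit)
        if rng.random() < eve_fraction:
            eve_basis = rng.randint(0, 1)
            photon = (eve_basis, measure(photon, eve_basis, rng))
        bob_basis = rng.randint(0, 1)
        bob_bit = measure(photon, bob_basis, rng)
        # Public discussion: only the bases are compared, never the bit values.
        if bob_basis == alice_basis:
            alice_key.append(alice_bit)
            bob_key.append(bob_bit)
    return alice_key, bob_key


def compare_sample(alice_key, bob_key, sample_size, seed=2):
    """Reveal a random subset of the sifted key and estimate the error rate.

    Returns (estimated_error_rate, alice_remaining, bob_remaining); the revealed
    positions are discarded because they are now public.
    """
    rng = random.Random(seed)
    revealed = set(rng.sample(range(len(alice_key)), sample_size))
    errors = sum(alice_key[i] != bob_key[i] for i in revealed)
    kept = [i for i in range(len(alice_key)) if i not in revealed]
    return (errors / sample_size,
            [alice_key[i] for i in kept],
            [bob_key[i] for i in kept])


def sampled_error_rate(n_photons, eve_fraction, sample_size=5000, seed=1):
    """Run the protocol and return the error rate Alice and Bob would observe."""
    alice_key, bob_key = run_bb84(n_photons, eve_fraction, seed)
    rate, _, _ = compare_sample(alice_key, bob_key, sample_size)
    return rate


if __name__ == "__main__":
    for fraction in (0.0, 0.2, 0.5, 1.0):
        rate = sampled_error_rate(40000, fraction)
        print(f"Eve intercepts {fraction:4.0%} of photons -> sampled error rate {rate:.3f}")
```

In this model the observed error rate is about one quarter of the intercepted fraction: 25% for full interception, as stated above, and proportionally less when Eve measures only some photons, which is why channel noise can mask partial eavesdropping.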
4.3 Optimal Photon Source and the PNS attack
We mentioned in Sec. 3.2 that it is extremely important for Alice to be able to generate
exactly one photon per time interval. This is because if Alice sends several photons in the
same polarization in one time interval, then Eve can make measurement(s) on some of these
photons in one or both of the and bases to extract information while passing on the
rest to Bob. She then holds some useful information as to what the secret key is without
alerting Alice and Bob of her presence because Bob always receives a photon in the state
prepared by Alice.
Removing photons from the quantum channel, however, reduces the rate of photon
transmission between Bob and Alice, who will in turn suspect that the decrease in this rate is
due to the actions of Eve. However, in practical quantum cryptography, there is another
source that reduces this rate of photon transmission: photon attenuation in the quantum
channel. In cryptography literature, Eve is assumed to have unlimited technological power
within the laws of physics [13] (footnote 9). In particular, she is assumed to possess [13] a
perfectly transparent quantum channel, which does not suffer from photon attenuation
(footnote 10). So Eve can increase the transmission rate in Alice and Bob's lossy quantum
channel by replacing it with her perfectly transparent (lossless) quantum channel. She can
then take away some of Alice's photons until the transmission rate decreases to equal the
original rate that is expected by Alice and Bob in the lossy quantum channel.
If there are two or more photons in one time interval and Eve stores one of these photons
in a quantum memory, she can then delay her measurement on the photon until Alice and
Bob announce the bases they have used for the photons whose corresponding measurements
they have decided to keep. If the photon in Eve's quantum memory is one of the photons kept
by Alice and Bob, then Eve can measure it in the announced basis so that her measurement
matches the bit value held by Alice and Bob. This is known as a photon-number-splitting
attack in quantum cryptography literature [14, p. 1]. It makes quantum key distribution
vulnerable if Alice does not have a perfect photon source that generates exactly one photon
per time interval.
Footnote 9: In the study of cryptography, researchers always assume the worst possible attack,
because if a cryptosystem is robust against the most powerful attack imaginable, then it is
robust against any less powerful attacks in reality.
Footnote 10: We can relax the assumption and claim that Eve has a better quantum channel which
undergoes less attenuation than the one Bob and Alice have.
Unfortunately, such a device has not yet been developed. In practical quantum key
distribution, the photon source used is usually a weak laser pulse whose behavior obeys the
Poissonian distribution, which is discussed in detail in Appendix B. This means that in
some time intervals, two or more photons will be generated. Due to the technical difficulty
of obtaining a photon source that produces exactly one photon per time interval, practical
quantum cryptography may appear insecure, especially if the technology for
photon-number-splitting attack matures. Indeed, the Hau group at Harvard has already
demonstrated the possibility of producing quantum memories in the near future. The group
demonstrated that light can be slowed down and indeed stopped when passed through a
Bose-Einstein condensate [15]. The Hau group demonstrated further the possibility of using
ultra-slow light to store light, although the storage time then was limited to a few
milliseconds in the experiment [16].
The consequence of photon-number-splitting attacks can be dramatic [13], as long as we
do not have a better photon source. This has motivated Scarani, Acín, et al. to propose the
SARG04 protocol, which is a modification of the BB84 protocol that makes quantum key
distribution robust against photon-number-splitting attacks. We will discuss this modified
protocol in Sec. 6.2.4.
5 Noisy Quantum Channel
In the discussion above, we have shown that a noiseless quantum channel permits perfect
agreement between the raw keys held by Bob and Alice at the end of the BB84 protocol
procedures, if there is no eavesdropping. However, the quantum channel is in practice noisy
due to its interaction with the environment. Here, environment is defined as everything
outside the degree of freedom used for the encoding, which is not necessarily outside the
physical system [4, p. 158]. In the particular case of polarization states that we have
discussed, an example of the environment noise that can cause trouble is the coupling between
the polarizations and the optical frequencies of photons [4, p. 158].
Thus errors in the raw keys that Bob and Alice hold can be due to both the environment
and the eavesdropper. Eve can make use of this fact in practice to fool Alice and Bob into
believing that the disagreement between the keys they hold is due to the imperfect quantum
channel instead of eavesdropping. This leads us to wonder how secure the BB84 protocol
really is. The proof of security of the BB84 protocol in a noisy quantum channel is delicate
and we refer interested readers to Lo and Chau [17] who have shown that with the help
of quantum computers, quantum key distribution over an arbitrarily long distance can be
made unconditionally secure [18, p. 94]. Mayers [19, quoted in [18]] has given another proof
of the security of the quantum key distribution based on the BB84 protocol. This proof does
not require a quantum computer but is fairly complex.
In practical quantum cryptography, Bob and Alice recognize that there is some disagreement
in the raw keys they hold, and that Eve holds a part of their keys. At the end of the
BB84 protocol procedures, Bob and Alice therefore must perform error correction to remove
the disagreement in their raw keys and privacy amplification to decrease the amount
of information held by Eve. Details of these procedures can be found in [4, 10, 18, 20]. These
two methods, however, shorten the length of the final sifted key.
For error correction, if the estimated error probability in Bob's and Alice's raw keys is
,
11
then Bob and Alice must reveal and subsequently discard at least a fraction, h(), of
their bits to correct all errors [10], where r is determined by Shannon's coding theorem [21]:
h() = log
2
(1 ) log
2
(1 )
And the error correction procedure known as CASCADE [22] proposed by Brassard and
Salvail gets very close to this limit.
The estimation of the fraction of key that must be discarded due to privacy amplification
also uses Shannon's coding theorem, but it is more complicated, so we refer the reader to
[23, 24] cited in References.
6 Current Progress in Quantum Cryptography
Research in quantum cryptography can generally be divided into two subfields. The first
subfield deals with experiments that aim to realize prototypes of quantum cryptography, and
the second subfield deals with theoretical research to strengthen security of communication as
well as to improve the protocols of quantum key distribution [14]. We review some important
progress made in these two subfields in this section.
6.1 Experiments and the Communication Distance Problem
Quantum key distribution was first demonstrated in lab over a distance of 32 cm in air
in 1989 and reported in 1992 by Bennett, Bessette, et al. [20]. Since then several research
groups have carried out quantum key distribution in optic fibers over long distances [25,
26, 27, 28, 29]. On Oct. 23, 2003, the first computer network (known as the DARPA
Quantum Network) whose security depends on quantum cryptography became operational
in Cambridge, Massachusetts by the quantum engineering team at BBN Technologies [28].
The world's longest reported quantum key distribution experiment was achieved over 125
kilometers between Beijing and Tianjin in 2005 [29].
Footnote 11: The value of can be estimated statistically after Alice and Bob compare a part of
their raw keys.
The transmission distance in optic fiber is limited because photon signals undergo
exponential decay (i.e., attenuation) with increasing distance whereas the level of noise remains
approximately constant [30]. Depending on the wavelength chosen for the photon, the
attenuation loss, $L_f$, ranges from 0.2 to 2 dB/km under current technology [18, p. 133]. The total
transfer efficiency
t
= 10
(L
f
l+L
B
)
, where l is the length of optic fiber and $L_B$ is the internal
loss at Bob's end in decibels [18, p. 129]. For a discussion of how the maximal transmission
distance is determined, we refer the reader to [2, 18].
Although quantum repeaters [31] were introduced in 1998 to ameliorate the limited-distance
problem, they are not very practical in the near future because they require a
complicated set of quantum operations, a quantum memory and a photon non-demolition
measurement [30]. Collins, Gisin and de Riedmatten instead proposed in 2003 the use
of quantum relays to increase the maximum distance. Quantum relays improve the signal
to noise ratio at each detector by the placement of a source of entangled photon pairs in
the middle of the quantum channel. A maximum distance of about 650 kilometers
appears to be possible with the use of the quantum relays [30].
6.2 Quantum Cryptography Protocols after the BB84
6.2.1 The E91 Protocol
Although the BB84 solves the problem of key distribution, it faces the problem of key
storage [18, p. 91]. Once the key distribution is completed, Bob and Alice may have to
store the sifted key, for reasons such as the unavailability of the quantum channel at all
times. However, the sifted key obtained by the BB84 protocol is a classical string of 0s
and 1s, which can in principle be copied and stolen by Eve [6, p. 204]. Ekert proposed
in 1991 [32] a protocol that solves the key storage problem. Known as the E91 protocol,
the method makes use of Einstein-Podolsky-Rosen (EPR) [33] pairs of entangled photons
and detects eavesdropping by using the generalized Bell's theorem [34]. Alice and Bob first
generate EPR pairs of entangled photons (by a method called parametric down conversion
[10, p. 53]) such that each of them holds one of the photons in each of the generated EPR
pairs. Alice and Bob can then, in principle, store these photons without having to worry
about Eve's attempt to copy them because of the no-cloning theorem. When Alice wants to
send Bob a secret message, they construct a random key from the entangled photons that
they both hold. They first measure some of the stored pairs and compare the results in the
public channel to see if there is any eavesdropping. If they determine that the photons have
not been tampered with, they then make measurements on the remaining photons to establish a
secret key. We refer the reader to Ekert's original article for a more detailed discussion [32].
In practice, the protocol is not very realistic because it is difficult to protect the EPR pairs
from noise effects for a long time [6, p. 204].
6.2.2 The B92 protocol
In 1992, Bennett showed [35] that instead of having to use four polarization states in the BB84
protocol, any two nonorthogonal states suffice for the purpose of quantum key distribution.
Suppose we have two nonorthogonal states: $|a\rangle$ and $|b\rangle$ where $\langle a|b\rangle$ = cos() $\neq$ 0 or 1.
For instance, the two states can be photons polarized in two different and non-orthogonal
directions in the x-y plane. Because the two states are nonorthogonal, an observer cannot
distinguish between them. We define $P_a = 1 - |b\rangle\langle b|$ and $P_b = 1 - |a\rangle\langle a|$, which are
non-commuting projection operators. $P_a$ and $P_b$ annihilate $|b\rangle$ and $|a\rangle$, respectively, giving the
eigenvalue of 0. However, applying $P_a$ and $P_b$ to $|a\rangle$ and $|b\rangle$, respectively, gives eigenvalues
0 and 1 probabilistically. Thus whenever an eigenvalue of 1 is obtained from the measurement
by operator $P_a$ (or $P_b$), we know that the state before measurement must be $|a\rangle$ (or $|b\rangle$).
The key distribution starts with the assignment of bit values 0 and 1 to the two states.
Alice then sends Bob photons in these two states randomly and Bob measures each photon
with either the operator $P_a$ or the operator $P_b$ chosen randomly for each photon (he cannot
use both operators as they do not commute). Bob then announces to Alice for which photons
he has obtained a measurement result of 1. For these photons, Bob knows that the ones he
measured with $P_a$ correspond to the state $|a\rangle$ and the ones he measured with $P_b$ correspond
to the state $|b\rangle$. Bob and Alice can subsequently convert these states into the bit values
assigned earlier to obtain their raw keys. As usual, they check for eavesdropping by revealing
a part of the raw keys. An eavesdropper, who did not participate in the preparation of
these two non-orthogonal states, does not know how to distinguish them, and thus makes
unavoidable changes to some of the photons whenever she tries to make measurements of
them. B92 has been successfully implemented in a recent experiment in Los Alamos [2].
6.2.3 Other Variations of the BB84 Protocol
A large number of variants of the BB84 protocol have been introduced [4, p. 153] and we
cannot list all of them. Most of these variants are attempts to address practical issues such
as the signal attenuation and noise in the quantum channel, the absence of a perfect photon
source that produces exactly one photon per time interval, and the secret key distribution
efficiency. We remind the reader that under practical settings, Bob and Alice do not just
discard their raw keys if they observe any disagreement when they reveal and compare a
part of them. Instead, they take errors due to quantum channel noise into consideration,
and perform error correction and privacy amplification as mentioned at the end of Sec. 5.
In this section, we briefly mention two more variants of the BB84 protocol, and in the next
subsection we introduce the most important BB84 variant in recent years: the SARG04
protocol.
While the BB84 is a four-state cryptosystem (it uses four polarization states) and the
B92 is a two-state cryptosystem, a six-state (three-basis) cryptosystem has been discussed
in depth by Bruß [36]. If Eve adopts the strategy to intercept all Alice's photons, measure
each of them in one of the three bases chosen randomly, and send photons in the measured
states on to Bob, she measures Alice's photons in the right basis only 1/3 of the time in the
six-state cryptosystem compared to 1/2 of the time in the four-state BB84 protocol. Thus under
practical settings, the maximal amount of information Eve can obtain by eavesdropping
is lower in the six-state cryptosystem. For this reason, it is shown that if a perfect
photon source that produces exactly one photon per time interval is available, the six-state
cryptosystem is safer against eavesdropping than the BB84 protocol and the security analysis
(privacy amplification) process is simplified [36].
The cryptosystems mentioned above are based on encoding bits on two-level quantum
systems. Bechmann-Pasquinucci and Tittel proposed to enlarge the dimensions of quantum
systems in 2000 [37]. An example given by them is to extend the BB84 protocol to a
four-level quantum system. The first basis is spanned by [
a
), [
b
), [
c
) and [
d
), where
[
i
[
j
)[ =
ij
.
12
Another basis spanned by [
a
), [
b
), [
c
) and [
d
) is chosen such that
[
i
[
j
)[ =
ij
and [
i
[
j
)[ =
1
2
. One example of such a basis is [37]:
[
a
) =
1
2
([
a
) +[
b
) +[
c
) +[
d
)) (14)
[
b
) =
1
2
([
a
) [
b
) +[
c
) [
d
)) (15)
[
c
) =
1
2
([
a
) [
b
) [
c
) +[
d
)) (16)
[
d
) =
1
2
([
a
) +[
b
) [
c
) [
d
)) (17)
Bob measures in one of the two bases randomly and therefore on average, as in the original
two-level BB84 protocol, half of his measurements have to be discarded. However, each of
the four states [
a
), [
b
), [
c
) and [
d
) can be distinguished when measured in their basis.
The same goes for the states [
a
), [
b
), [
c
) and [
d
) in the other basis. Hence, in a four-level
quantum system, each state of a basis represents two bits of information instead of just one
bit in the original BB84 protocol. For example, Bob and Alice can have the following
assignment:
Bit value 00 01 10 11
States [
a
) and [
a
) [
b
) and [
b
) [
c
) and [
c
) [
d
) and [
d
)
Footnote 12: $\delta_{ij}$ is the Kronecker delta, which equals unity when i = j and vanishes otherwise.
Thus the four-level quantum system improves the secret-key distribution efficiency of the
original BB84 protocol. It can also be shown that a multi-level quantum cryptosystem
makes it easier for Alice and Bob to detect eavesdropping [37]. The drawback of a multi-level
quantum cryptosystem is the practical difficulty of carrying it out [4, p. 153].
6.2.4 The SARG04 protocol
Perhaps the most significant recent addition to quantum key distribution protocols is the
SARG04 protocol, named after Scarani, Acín, Ribordy and Gisin who invented it in 2004 [13].
The SARG04 has since its invention been discussed profusely in literature [14, 38, 39, 40],
mainly because it is robust against photon-number-splitting attacks, which are introduced
in Sec. 4.3.
A modification of the BB84 protocol, the SARG04 protocol uses the same four
non-orthogonal states as in the original two-level BB84 protocol and thus its experimental setup
is exactly the same as that for the original BB84 protocol. The difference lies in the classical
sifting procedure: instead of having Bob reveal his basis, Alice announces publicly
one of the four sets of states, [ ), [ ), [ ), [ ), [ ), [ ), and [ ), [ ),
that contains the state of the photon sent out by her.
For instance, for a photon encoded in the state [ ), Alice announces either the set
[ ), [ ) or the set [ ), [ ) in the public channel. Suppose Bob has used the
for measurement of the state [ ), then he measures the bit value 1. However, it is also
possible for Bob to obtain a measurement of 1 if the state measured were [ ) or [ ). Bob
therefore cannot conclude from this measurement the state of Alice's photon according to
her announcement. He therefore tells Alice to discard the bit value corresponding to this
measurement. On the other hand, if Bob measures the state [ ) in the basis of , he
obtains a measurement corresponding to bit value 0 or 1 with equal probability. Suppose
Bob's measurement is 0. If Alice announces [ ), [ ) then Bob's measurement is not
conclusive because the state [ ) measured in the basis always gives the measurement
of 0. Alice and Bob thus have to discard the bit value corresponding to this measurement.
However, if Alice announces [ ), [ ) instead, then Bob knows for sure that the state
of the photon cannot be [ ), which will always give a measurement of 1 if measured in
the basis of . Alice and Bob will thus want to keep the bit value corresponding to this
measurement. The following table summarizes all the cases for which the bit values will be
kept.
Alice Bob Measures
State Announcement In Basis Bit Value
[ ) [ ), [ ) 1
[ ) [ ), [ ) 0
[ ) [ ), [ ) 1
[ ) [ ), [ ) 0
[ ) [ ), [ ) 0
[ ) [ ), [ ) 1
[ ) [ ), [ ) 0
[ ) [ ), [ ) 1
To see the robustness of the SARG04 protocol against photon-number-splitting attacks,
we assume that Eve stores one particular photon in a time interval when Alice has sent two
or more photons in the same state to Bob, and that Alice and Bob have decided to keep the
bit value corresponding to this photon state. If the BB84 protocol is carried out, Eve knows
the basis used by Alice to generate this particular photon, so she measures her stored photon
in the same basis and her measured bit value matches Alice's bit value. The BB84 protocol
is thus weak against photon-number-splitting attacks because as long as a photon in Eve's
quantum memory corresponds to the photon state that Alice and Bob have decided to keep,
Eve can always determine the photon state's bit value known to Alice [13]. On the other
hand, if the SARG04 protocol is carried out instead, Eve only knows from Alice and Bob's
public announcement that the photon is encoded in one of the two non-orthogonal states
listed in the second column in the table above. Eve, however, cannot determine the state of
the photon she is storing in this case because she does not know which basis to use in the
measurement. The SARG04 protocol thus successfully reduces Eve's chance of knowing the
precise state of the photon she has stored.
There is, however, a drawback. Assuming that Alice chooses the photon polarization
state and the corresponding announcement randomly, then the probability of Bob and Alice's
retaining a bit value = $8 \times \frac{1}{4} \times \left(\frac{1}{2} \times \frac{1}{2} \times \frac{1}{2}\right) = \frac{1}{4}$; where 8 refers to the eight possibilities listed
in the table above, $\frac{1}{4}$ refers to Alice's random choice among the four polarization states, and
the three $\frac{1}{2}$ terms refer to Alice's random choice between two possible announcements, Bob's
random choice between two measurement bases, and the random measurement results of 0
and 1 when measurement is carried out in the different basis. So three-fourths of the raw
bits corresponding to the photons sent out by Alice will have to be discarded in the SARG04
protocol whereas in the BB84 protocol Alice and Bob discard only half of the raw bits. The
SARG04 thus has a lower random key distribution efficiency compared to the BB84 protocol.
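The SARG04 sifting rule and its retention probability of 1/4 can be reproduced in a short simulation. This Python sketch is an added example, not part of the original paper; it assumes a noiseless channel with exactly one photon per interval, labels the four states as (basis, bit) pairs with bases 0 and 1, and assumes Bob's key bit is the bit value of the state he infers.

```python
import random

# The four BB84 states as (basis, bit) pairs; the 0/1 labels are constructed.
STATES = [(basis, bit) for basis in (0, 1) for bit in (0, 1)]


def measure(state, basis, rng):
    """Bit read out when `state` is measured in `basis` (random if bases differ)."""
    state_basis, state_bit = state
    return state_bit if state_basis == basis else rng.randint(0, 1)


def sarg04_round(rng):
    """One photon. Returns (alice_state, inferred_state), inferred_state None if discarded."""
    alice_state = rng.choice(STATES)
    # Alice announces her state together with one state from the other basis.
    partner = (1 - alice_state[0], rng.randint(0, 1))
    announced = {alice_state, partner}

    bob_basis = rng.randint(0, 1)
    result = measure(alice_state, bob_basis, rng)

    # Exactly one announced state lies in the basis Bob measured in.
    candidate = next(s for s in announced if s[0] == bob_basis)
    if candidate[1] != result:
        # That candidate would always have given the opposite result, so it is
        # excluded and the photon must have been in the other announced state.
        inferred = next(s for s in announced if s != candidate)
        return alice_state, inferred
    # The result is compatible with both announced states: inconclusive.
    return alice_state, None


def sarg04_sift(n_photons, seed=1):
    """Return (kept_fraction, errors) over n_photons single-photon rounds."""
    rng = random.Random(seed)
    kept = errors = 0
    for _ in range(n_photons):
        alice_state, inferred = sarg04_round(rng)
        if inferred is not None:
            kept += 1
            errors += inferred[1] != alice_state[1]
    return kept / n_photons, errors


def bb84_kept_fraction(n_photons, seed=1):
    """BB84 keeps a bit whenever Alice's and Bob's random bases coincide."""
    rng = random.Random(seed)
    same = sum(rng.randint(0, 1) == rng.randint(0, 1) for _ in range(n_photons))
    return same / n_photons


if __name__ == "__main__":
    fraction, errors = sarg04_sift(40000)
    print(f"SARG04 kept fraction: {fraction:.3f}, errors in kept bits: {errors}")
    print(f"BB84 kept fraction:   {bb84_kept_fraction(40000):.3f}")
```

A round is kept only when Bob measures in the basis of the announced partner state and obtains the result that state could never give, which happens with probability 1/2 × 1/2, and every kept bit agrees with Alice's.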
A great deal of work has been done to show the advantage of the SARG04 protocol
[14, 38, 39, 40] since 2004. In late 2005, Branciard, Gisin, et al. showed that under practical
experimental conditions, SARG04 actually performs better than BB84 in terms of actual
random key distribution efficiency as well as in maximal achievable distance for various
types of Eve's attacks [14]. We refer interested readers to these researchers' papers cited in
the References section.
7 Conclusion
In this paper we have considered the theoretical background of quantum cryptography. We
have shown how the apparently dismal parts of quantum mechanics (the inability to
distinguish between non-orthogonal states by an observer and the impossibility to make a perfect
copy of a quantum state without knowing its basis) can actually be turned into a positive
technique that solves the key distribution problem. Quantum cryptography is still in the
development stage, as important problems such as the lack of an efficient single-photon
generator and the limitation in transmission distance still remain unsolved. Due to attenuation
and noise in the quantum channel as well as the lack of a source that generates exactly one
photon every time interval, the raw bit transmission rate in the quantum channel is typically
about 1/3,000 (for a distance of over 10 km in an optical fiber) of the laser pulse rate at which
ordinary computers operate [2]. Thus the low transmission rate in the quantum channel is
the bottleneck of secure communication.
Nevertheless, researchers are positive about the future in the field: they believe that
quantum key distribution is going to be the first quantum information protocol to find
commercial applications [6, p. 213]. Some experiments have been performed for key
distribution over open air. In fact, Hughes, Nordholt, et al. have demonstrated open air secret key
transmission over a distance of 10km in day light and at night [41]. Although attenuation in
open air may be as low as 0.01dB/km, open air cryptography has two problems that reduce
the transmission length: the efficient collection of the emitted photon and the suppression
of parasitic light [18, p. 137] (footnote 13). It is hoped that in the future we can use satellites to
distribute secret keys between parties located very far apart in space [6, p. 213].
Finally, assuming that researchers can eventually overcome all the problems mentioned
and make technologies of quantum cryptography cheaply available to everyone, then it may
be argued that the eavesdropper will just change her strategy and start to cut off
communication between the parties involved in the key distribution, rendering quantum cryptography
useless. Although this may be true in important situations such as intelligence work during
wars, it is unlikely that eavesdroppers will want to cut off all communications. For instance, I
may want to send my credit card number securely to a remote website. An illegal
eavesdropper who wants to steal my card number only has the incentive to eavesdrop on my attempt
to transfer the number. However, cutting off my communication with the web server does
not benefit the eavesdropper in any way. The added benefit of quantum cryptography is that
once a user has completed a secure quantum key distribution, he or she can rest assured of
the security of the subsequent communication, using the Vernam cipher cryptosystem.
Footnote 13: We refer the reader to Zbinden's article in this citation for more discussion on this topic.
Acknowledgements
I would like to thank Prof. Kirk T. McDonald for all his help in the completion of this junior
paper. He has spent a great deal of his precious time, especially during the winter vacation,
commenting on my work. At the same time, he has never stopped encouraging me to learn
more about quantum cryptography and physics in general.
APPENDIX
A One-way Functions: an example
An example of a one-way function is prime number factorization, which is an important part
of the RSA cryptosystem. It takes about a few seconds for a person to compute the product
of two primes such as 4357 and 571 by hand: 4357 × 571 = 2487847. However, factorizing
the number 2487847 is much more difficult.
However, if one is told that 4357 is a factor of 2487847, then finding the other factor
becomes significantly easier. In practice, the numbers used are significantly larger. Bob,
with the knowledge of the private key, is able to do factorization much faster than Eve,
therefore he can decode the ciphertext much more quickly.
For the complete procedures of the RSA cryptosystem, we refer the reader to [6, p. 192].
B Single-Photon Source
The experimental realization of a single-photon source, which produces exactly one photon
per time interval, is challenging. Researchers usually use a weak laser pulse: i.e., they use
filters to attenuate photons from a polarized laser source. However, the distribution of the
weak laser pulse is Poissonian [4, p. 156]:
P(n, ) =

n
n!
e

(18)
where P(n, ) is the probability of finding n photons per controlled time interval when the
mean photon number is , which is determined by the quantity and the type of the filters,
the controlled time interval, and the intensity of the input laser source. The maximum of
P(1,), the probability of obtaining one photon per time interval, occurs at
dP(1, )
d
= 0 i.e., when = 1
which corresponds to P(1,1) = 1/e ≈ 0.368, so the maximum probability of obtaining one photon
per time interval is only 36.8%.
The probability of obtaining two or more photons per time interval is:
$$P(n > 1, \mu) = 1 - P(0, \mu) - P(1, \mu) = 1 - e^{-\mu}(1 + \mu) \tag{19}$$
So for $\mu = 1$, $P(n > 1, 1) = 1 - e^{-1}(1 + 1) \approx 26.4\%$. Because generating two or more
than two photons per time interval makes quantum cryptography vulnerable, we want to
decrease $P(n > 1, \mu)$. So we must make $\mu$ small (this can be shown by plotting the graph of
$P(n > 1, \mu)$). When $\mu$ is small, we can make first order approximations.
The probability of obtaining two or more than two photons for a non-empty pulse per
time interval is [4, p. 156]:
$$P(n > 1 \mid n > 0, \mu) = \frac{1 - P(0, \mu) - P(1, \mu)}{1 - P(0, \mu)} = \frac{1 - e^{-\mu}(1 + \mu)}{1 - e^{-\mu}} \approx \frac{\mu}{2} \tag{20}$$
On the other hand, the probability of obtaining no photon per time interval is
$$P(n = 0, \mu) = e^{-\mu} \approx 1 - \mu \tag{21}$$
We see a trade-off: by making $\mu$ small, one reduces (20), the probability of creating two or
more than two photons when the output pulse is non-empty, but one also increases (21), the
probability of obtaining no photon at all per time interval. Having a large number of empty
pulses (with no photon) per time interval makes the key distribution inefficient. In practice,
researchers usually set $\mu$ to be around 0.1, which corresponds to about 5% of non-empty
pulses containing two or more photons per time interval.
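The trade-off between (20) and (21) can be tabulated numerically. The following Python is an added example, not code from the paper; the function names and the bisection helper that finds the mean photon number for a target multi-photon fraction are assumptions introduced here.

```python
import math

def poisson(n, mu):
    """Eq. (18): probability of n photons in a pulse with mean photon number mu."""
    return mu**n / math.factorial(n) * math.exp(-mu)

def source_stats(mu, n_max=60):
    """Pulse statistics of an attenuated laser with mean photon number mu."""
    empty = poisson(0, mu)                       # eq. (21), exact form
    single = poisson(1, mu)
    # Sum the tail directly: 1 - P(0) - P(1) cancels badly for small mu.
    multi = sum(poisson(n, mu) for n in range(2, n_max))   # eq. (19)
    non_empty = -math.expm1(-mu)                 # 1 - e^{-mu}, computed stably
    return {
        "empty": empty,
        "single": single,
        "multi": multi,
        "multi_given_nonempty": multi / non_empty,   # eq. (20), exact form
        "first_order": mu / 2,                       # eq. (20), approximation
    }

def mu_for_multi_fraction(target, lo=1e-6, hi=5.0, iters=100):
    """Bisect for the mu at which P(n>1 | n>0) equals target (monotone in mu)."""
    if not 0.0 < target < 0.9:
        raise ValueError("target must lie in (0, 0.9) for the search range used")
    for _ in range(iters):
        mid = (lo + hi) / 2
        if source_stats(mid)["multi_given_nonempty"] < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    print("mu     empty   single  multi|nonempty  mu/2")
    for mu in (1.0, 0.5, 0.1, 0.05):
        s = source_stats(mu)
        print(f"{mu:<6} {s['empty']:.4f}  {s['single']:.4f}  "
              f"{s['multi_given_nonempty']:.4f}          {s['first_order']:.4f}")
    print("mu for a 5% multi-photon fraction:", round(mu_for_multi_fraction(0.05), 4))
```

The exact conditional probability sits slightly below the first-order value, so the approximation overstates the multi-photon fraction by a small margin at the operating point quoted in the text.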
C Eavesdropping Strategies
We assume here that Alice is able to generate exactly one photon per time interval. Because
Alice and Bob discard their records for photons measured and prepared in different bases,
information related to these discarded photons is not relevant for Eve. We therefore consider
only the photons for which Alice and Bob have used the same bases of and . To get
some information out of the communication between Bob and Alice, suppose Eve measures
one of Alice's photons randomly in either or . She will eventually know whether or not
she has chosen the correct basis as Bob and Alice will announce their basis over the public
channel. But before Eve knows this, she will have to send a photon to Bob. As mentioned
above, Eve has three strategies:
1. Send one photon in the same basis with the polarization she has measured;
2. Send one photon in the same basis, but use the other polarization;
3. Send one in the other basis with a random choice of polarization.
Suppose Eve has used the correct basis; this implies that Eve's measurement matches Alice's
bit value. If she chooses strategy 1 to send to Bob a photon encoded in the polarization
that she has measured, then this photon is in the state of Alice's original photon. Thus,
Eve in this case holds the same bit value as the corresponding bit held by both Alice and
Bob. This is tabulated in column (i) of Table 4. If Eve chooses strategy 2 and thus sends
Bob in the same basis a photon polarized in the other direction, Bob's measured result will
not match Alice's bit value. So Eve knows for sure that Alice's and Bob's bit values do not
agree. Eve also knows that the value she measures matches the one Alice holds, and that
Bob holds the wrong value. This result is tabulated in column (ii). If, however, Eve decides
to adopt strategy 3, she will then send Bob a photon with a random polarization direction
in the other (wrong) basis. Bob measures the photon in the correct basis, so he obtains a
bit value of either 0 or 1 with the probability of one half. In other words, Bob's measured
value matches Alice's bit value with a probability of one half. Eve thus knows that Bob and
Alice hold the same bit value with the probability of one half, but she does not know Bob's
measurement. This result is included in column (iii).
If Eve has used the wrong basis for her measurement, her measured value does not match
Alice's bit value with a probability of 1/2. If Eve chooses the first or the second strategy
to send her photon in the same basis that she has used for her measurement, Bob in this
case measures the photon in the other basis (Alice's basis) and obtains a bit value of 0 or
1 with equal probability of 1/2. Thus Bob's measurement matches Alice's bit value with a
probability of one half. Consequently the probability for Alice and Bob to hold the same bit
value in this case is 1/2. Eve holds no useful information as to what Bob's measurement is.
The results for these two cases are tabulated in columns (iv) and (v). Finally, if Eve chooses
option 3, then she knows Bob's measurement because Bob measures it in the basis that Eve
has chosen to encode the photon. However, because Eve has chosen the polarization of this
photon randomly, Bob and Alice can only share the same bit value with a probability of one
half. This is tabulated in column (vi) of the table.
Column No.                               (i)      (ii)     (iii)    (iv)     (v)      (vi)
Strategy                                 1        2        3        1        2        3
Alice and Bob Use                        same basis in every column
Eve Measures in                          correct  correct  correct  wrong    wrong    wrong
Eve Sends a Photon in                    T        T        F        T        T        F
Probability of Shared Bit Value for AB   1        0        1/2      1/2      1/2      1/2
Eve's Information                        AB       AB       A        /        /        B
Table 4: Eve's Choices (A - Alice; B - Bob; AB - Alice and Bob; subscript T - send in the
measured basis; subscript F - send in the other basis.)
As Eve chooses her basis of measurement randomly, half of the time Eve chooses the
right basis (Alice's basis) and half of the time she chooses the other (wrong) basis. With
strategy 1 [Table 4: columns (i) and (iv)], half of the time Alice's and Bob's keys agree and
half of the time their keys agree with a probability of 1/2. So overall, their keys agree with a
probability of 3/4. Eve has information of both Alice's and Bob's keys half of the time and
only Bob's information the other half of the time. Thus she has either AB (indicating both
Alice's and Bob's bit values) or B (indicating Bob's bit value only) for her information set.
We can perform the same analysis for strategy 2 [Table 4: columns (ii) and (v)] and strategy
3 [Table 4: columns (iii) and (vi)]. The results are tabulated in Table 5.
Strategy No.                              Probability of AB Agreement   Eve's Information
1. same basis, same polarization          3/4                           AB [B correct] or nothing
2. same basis, different polarization     1/4                           AB [B wrong] or nothing
3. different basis                        1/2                           A or B
Table 5: The Evaluation of Eve's Strategies (in column 3, "Eve's Information", the expression
"X or Y" means 50% X and 50% Y. The word "nothing" means that the guess over Alice's
key or Bob's key is 50%.)
We recognize Eve's desire to maximize the probability in the second column (AB Agreement)
in Table 5 so as to reduce the chance for Alice and Bob to discover her presence when
they compare a part of their raw keys. So strategy 1 provides the maximized probability of
3/4. Eve also wants to maximize her information set. Eve wants to know Alice's plaintext,
and knowing Bob's key does not help in the decryption of Alice's ciphertext. So effectively
each strategy gives Eve the same amount of information. "AB or nothing" for strategies 1
and 2 is equivalent to 50% Alice's key or 50% nothing. "A or B" for strategy 3 is equivalent
to "A or nothing". So there is no preference amongst the three strategies when we attempt
to maximize Eve's information. So in conclusion, strategy 1 is preferred (or dominant, using
the jargon from Game Theory).
It is possible that Eve wants to minimize Bob's information so as to reduce Bob's ability
to decrypt Alice's ciphertext. (Eve may, for instance, want to know Alice's secret plaintext
earlier than Bob does.) Then Strategy 2 will be preferred in this case. But since the
probability of AB agreement in this case is only 1/4, Alice and Bob will almost certainly know that
Eve is eavesdropping when they compare a part of their sifted key. For Eve, making Alice
and Bob believe they have performed a secure key distribution and thereby having Alice
encode her plaintext with the sifted random key is much more important than preventing
Bob from getting the correct sifted key. So when preventing Bob from getting the key
jeopardizes the chance of making Alice and Bob trust their sifted key, Eve is only rational when
she foregoes the goal of preventing Bob from receiving the sifted key. So Eve will always use
Strategy 1.
But even if Eve uses strategy 1, she still makes Bob's key different from Alice's key one
out of four times, and this is also considered significant statistical error, even though 25%
fares better than the other two strategies. It is this unavoidable presence of disagreement
over Alice's and Bob's sifted keys whenever Eve eavesdrops that enables Alice and Bob to
detect eavesdropping.
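The agreement probabilities in Table 5 can be checked by exact enumeration over Alice's basis and bit, Eve's basis, and every measurement outcome. The following Python is an added example, not part of the original paper; the 0/1 basis labels, the function names, and the detection_probability helper (which assumes Eve intercepts every photon and that compared bits are independent) are assumptions made here.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)
BASES = (0, 1)  # two conjugate polarization bases; the labels are arbitrary

def measure(photon, basis):
    """Return {bit: probability} for measuring photon=(basis, bit) in `basis`."""
    p_basis, p_bit = photon
    if p_basis == basis:
        return {p_bit: Fraction(1)}      # same basis: outcome is certain
    return {0: HALF, 1: HALF}            # conjugate basis: outcome is random

def resend(strategy, eve_basis, eve_bit):
    """Return {photon: probability} for what Eve forwards to Bob."""
    if strategy == 1:                    # same basis, measured polarization
        return {(eve_basis, eve_bit): Fraction(1)}
    if strategy == 2:                    # same basis, other polarization
        return {(eve_basis, 1 - eve_bit): Fraction(1)}
    if strategy == 3:                    # other basis, random polarization
        other = 1 - eve_basis
        return {(other, 0): HALF, (other, 1): HALF}
    raise ValueError("strategy must be 1, 2 or 3")

def agreement_probability(strategy):
    """Exact P(Bob's bit == Alice's bit) on sifted bits (Bob uses Alice's basis)."""
    total = Fraction(0)
    for a_basis, a_bit, e_basis in product(BASES, (0, 1), BASES):
        weight = Fraction(1, 8)          # uniform over the three random choices
        for e_bit, p_e in measure((a_basis, a_bit), e_basis).items():
            for photon, p_s in resend(strategy, e_basis, e_bit).items():
                p_b = measure(photon, a_basis).get(a_bit, Fraction(0))
                total += weight * p_e * p_s * p_b
    return total

def detection_probability(strategy, compared_bits):
    """P(at least one mismatch) among `compared_bits` publicly compared sifted bits."""
    return 1 - agreement_probability(strategy) ** compared_bits

if __name__ == "__main__":
    for s in (1, 2, 3):
        print(f"strategy {s}: AB agreement = {agreement_probability(s)}, "
              f"detected within 20 compared bits = {float(detection_probability(s, 20)):.4f}")
```

Even under strategy 1, the chance that a comparison of k sifted bits shows no mismatch falls as (3/4)^k, which is why comparing a modest sample is enough for Alice and Bob to notice the interception.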
References
[1] S. Singh, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum
Cryptography (Anchor, 2000).
[2] R. J. Hughes, D. Alde, P. Dyer, G. Luther, G. Morgan, and M. Schauer (1995),
quant-ph/9504002.
[3] Quantum Cryptography: Public Key Distribution and Coin Tossing (International Con-
ference on Computers, Systems and Signal Processing, Bangalore, India, 1984).
[4] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002).
[5] Proc. of 35th Annual Symposium on the Foundations of Computer Science (IEEE Com-
puter Society, Los Alamitos, 1994).
[6] G. Benenti, G. Casati, and G. Strini, Principles of Quantum Computation and
Information, vol. I (World Scientific, 2004).
[7] S. J. Lomonaco, Jr., Cryptologia 23, 1 (1999).
[8] Light polarization (2005), electronic document, date retrieved: December 27, 2005,
URL http://www.lanl.gov/science/centers/quantum/light.shtml.
[9] E. Hecht, Optics (Addison Wesley, 2002).
[10] D. Bouwmeester, A. Ekert, and A. Zeilinger, eds., The Physics of Quantum Information
(Springer, 2000).
[11] W. K. Wootters and W. H. Zurek, Nature 299, 802 (1982).
[12] D. Dieks, Phys. Lett. A 92, 271 (1982).
[13] V. Scarani, A. Acín, G. Ribordy, and N. Gisin, Phys. Rev. Lett. 92, 057901 (2004).
[14] C. Branciard, N. Gisin, B. Kraus, and V. Scarani (2005), quant-ph/0505035.
[15] C. Liu, Z. Dutton, C. H. Behroozi, and L. V. Hau, Nature 409, 490 (2001).
[16] Z. Dutton, N. S. Ginsberg, C. Slowe, and L. V. Hau, Europhys. News 35 (2004), URL
http://www.europhysicsnews.com/full/26/article1/article1.html.
[17] H.-K. Lo and H. Chau (1998), quant-ph/9803006.
[18] H.-K. Lo, S. Popescu, and T. Spiller, eds., Introduction to Quantum Computation and
Information (World Scientific, 1998).
[19] D. Mayers (1998), quant-ph/9802025.
[20] C. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, J. Crypto. 5, 3 (1992).
[21] C. E. Shannon, The Mathematical Theory of Information (University of Illinois Press,
1949).
[22] Secret key reconciliation by public discussion (EuroCrypt 93, Norway, 1993).
[23] Generalized Privacy Amplification, vol. 41 (IEEE Trans. Inf. Th., 1995).
[24] G. Gilbert, M. Hamrick, and F. Thayer (2001), quant-ph/0108013.
[25] A. Muller, H. Zbinden, and N. Gisin, Europhys. Lett. 33, 335 (1996).
[26] C. Marand and P. D. Townsend, Opt. Lett. 20, 1695 (1995).
[27] R. J. Hughes, G. L. Morgan, and C. G. Peterson, J. Mod. Opt. 47, 533 (2000).
[28] C. Elliott (2004), quant-ph/0412029.
[29] X.-F. Mo, B. Zhu, Z.-F. Han, Y.-Z. Gui, and G.-C. Guo, Opt. Lett. 30, 2632 (2005).
[30] D. Collins, N. Gisin, and H. de Riedmatten (2003), quant-ph/0311101.
[31] H. Briegel, W. Dür, J. Cirac, and P. Zoller, Phys. Rev. Lett. 81, 5932 (1998).
[32] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[33] A. Einstein, B. Podolsky, and N. Rosen, Phys. Rev. Lett. 47, 777 (1935).
[34] J. Bell, Physics 1, 195 (1964).
[35] C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992).
[36] D. Bruß, Phys. Rev. Lett. 81, 3018 (1998).
[37] H. Bechmann-Pasquinucci and W. Tittel, Phys. Rev. A 61, 062308 (2000).
[38] K. Tamaki and H.-K. Lo (2005), quant-ph/0412035.
[39] C.-H. F. Fung, K. Tamaki, and H.-K. Lo (2006), quant-ph/0510025.
[40] M. Koashi (2005), quant-ph/0507154.
[41] R. J. Hughes, J. E. Nordholt, D. Derkacs, and C. G. Peterson, New J. Phys. 4 (2002),
43.1-43.14.