**Quantum Key Distribution**

Philip Chan<sup>1</sup>, Itzel Lucio-Martínez<sup>2</sup>, Xiaofan Mo<sup>2</sup> and Wolfgang Tittel<sup>2</sup>

<sup>1</sup>*Institute for Quantum Information Science, and Department of Electrical and Computer Engineering, University of Calgary* <sup>2</sup>*Institute for Quantum Information Science, and Department of Physics and Astronomy, University of Calgary, Canada*

## **1. Introduction**

This chapter describes the application of lasers, specifically diode lasers, in the area of quantum key distribution (QKD). First, we motivate the distribution of cryptographic keys based on quantum physical properties of light, give a brief introduction to QKD assuming the reader has no or very little knowledge about cryptography, and briefly present the state-of-the-art of QKD. In the second half of the chapter we describe, as an example of a real-world QKD system, the system deployed between the University of Calgary and SAIT Polytechnic. We conclude the chapter with a brief discussion of quantum networks and future steps.

## **2. Motivation**

The importance of communication networks has increased significantly in the last three decades. As an ever-growing fraction of our daily activities (including e-mail and e-banking) now depends on communication over public channels such as optical fibers, the security of the exchange of sensitive information also became an issue of high importance. Of special concern are credit card numbers, personal health records and business-related information, just to give some examples.

The problem of guaranteeing security is solved by encrypting the sensitive information (referred to as the *plaintext* and assumed to be in its binary form) before transmission. During encryption, the plaintext is processed using a *key* and a certain algorithm (the *cipher* or *cryptosystem*). The encrypted message is referred to as the *cryptogram* (or *ciphertext*), and the sender is typically denoted *Alice*. The cryptogram is sent through the communication channel to the receiver, *Bob*. If intercepted during transmission, it should be incomprehensible to an eavesdropper, typically called *Eve*. The encrypted message becomes meaningful only once it is decrypted. This requires a *secret key*, which must be known only to the legitimate receiver and, depending on the cryptosystem, the sender of the message.

Different types of ciphers exist; they can be divided into two groups: symmetric and asymmetric ciphers.

• *Symmetric* ciphers use the same secret key for encryption and decryption.

• *Asymmetric* ciphers use two different keys: a *public key* with which anyone can encrypt a message and a *private key* that belongs to the receiver of the message. Only the private key allows decrypting the message.

**Cryptosystems**

| Type | Example | Security |
| --- | --- | --- |
| Asymmetric | RSA | Computational security |
| Symmetric | One-time pad | Information-theoretic security |

Table 1. Examples for two different cryptosystems

Obviously, the encrypted message must not reveal any information about the plaintext. Hence, the secrecy of the encrypted message transmitted over a public channel relies on the secrecy of the key used for decryption. The security of a cryptosystem is generally assessed in terms of the time required to break it; two general categories exist:

• *Computational security* assumes the eavesdropper has limited computational power, and relies on assumptions about the difficulty to solve a certain mathematical problem. An example of a cryptosystem that provides computational security is RSA (named after the inventors Ronald Rivest, Adi Shamir and Leonard Adleman)<sup>1</sup>; its security relies on the difficulty to factorize a large number into its primes. In the factoring problem, the number of computational steps required increases exponentially with the number of bits used to represent the number to be factorized (Nielsen & Chuang (2004)). This is generally believed not to be computable for sufficiently large numbers. For instance, to factorize a 768-bit number, the best known classical algorithm has been estimated in 2010 to require on the order of 1500 years if a single-core, high-end processor is used (Kleinjung et al. (2010)). Furthermore, the factorization of a 1024-bit number, the current standard for RSA, is believed by the same authors to be 1000 times harder. This should suffice to safeguard any information one may want to encrypt.

However, the difficulty to factorize large numbers on a classical computer (a computer whose operation can be described using classical physics) is not proven, and less time-consuming algorithms may exist, or a large computer cluster may be used. Referring again to the example of a 768-bit number given above, this number has actually been factorized in 2010 using many hundreds of computers over a period of only two years (Kleinjung et al. (2010)). Furthermore, the researchers estimated that it is not unreasonable to expect that a 1024-bit RSA key can be factored within the next decade. Probably even more threatening, it is known that a quantum computer can factorize large numbers efficiently (i.e. in polynomial time – exponentially faster than the best known classical algorithm) by means of Shor's algorithm (Nielsen & Chuang (2004)). While these threats to RSA encryption do not yet exist (or rather, are currently not known to exist), today's eavesdropper could simply copy the encrypted information, wait for algorithmic or technological advances, and then decrypt the message efficiently.

We thus have to ask: when is it necessary to research alternative methods to safeguard information in transit? To answer this question, let us assume that the information has to remain encrypted for *x* years. Furthermore, let *y* be the time needed to retool the current secure-communication infrastructure. Hence, if disruptive technology appears in *z* years, where *z* < *x* + *y*, then a secret that has been encoded before the encryption infrastructure was improved becomes unprotected before the end of its lifetime. There is thus a clear need to investigate and implement new encryption systems long before the old ones are broken (Stebila et al. (2010)).

• *Information-theoretic security* relies only on information-theoretic arguments. In particular, the security of the encrypted message does not depend on any assumptions about the computational power of an eavesdropper. The *one-time pad* satisfies this stringent condition. In the one-time pad the message is encrypted by combining it bit by bit with a random binary key, see figure 1. The key must be used only once, must be as long as the message that is to be encrypted, and, obviously, must only be known to the sender and the receiver. Then, regardless of the available time, an eavesdropper will never obtain the message from the ciphertext.

<sup>1</sup> RSA encryption was independently invented by Clifford Cocks four years earlier. Yet, his discovery was classified top secret by British Intelligence and was only revealed in 1997.

An important problem when using the one-time pad is thus the distribution of the secret key. This is generally accomplished using trusted couriers, a cumbersome solution that restricts its wide implementation and leaves a security loophole in the overall encryption procedure. Indeed, the key itself does not reveal if a non-trustworthy courier has duplicated it. This raises the question of whether alternative key distribution mechanisms exist that operate over standard communication channels and allow the detection of eavesdropping.

Fig. 1. The one-time pad. Alice encodes her message with a random binary key using the XOR operation (i.e. 0+0=0, 0+1=1, 1+0=1, and 1+1=0). The encrypted message is then sent over a public channel to Bob. He decodes it with the same key, again using the XOR operation, and thereby obtains Alice's original message.

## **3. Quantum key distribution**

Quantum key distribution (QKD) (Gisin et al. (2002); Scarani et al. (2009)) takes advantage of the peculiar properties of individual photons to provide two parties with arbitrarily long secret keys, provided a short key for authentication purposes is initially available. Hence, a more appropriate name for QKD would be quantum key growing. Yet, as is common use, we will refer to this procedure as QKD. For QKD, information is encoded into one degree of freedom of photons (e.g. their polarization state), while all other degrees of freedom (phase, wavelength, etc.) must not contain any information. Each information-carrying photon then becomes a *quantum bit* (*qubit*)<sup>2</sup>. Due to their quantum nature, it is impossible for an eavesdropper to extract information about the encoded quantum states during transmission without altering them, which can be detected by Alice and Bob. Ignoring for the moment loopholes arising from imperfect implementations (we will discuss this problem later), the combination of QKD with one-time pad encoding provides information-theoretic secure communication<sup>3</sup> that withstands any technological and algorithmic advances – even the development of the quantum computer.

<sup>2</sup> Encoding information into so-called continuous quantum variables (Scarani et al. (2009)) is possible as well but will not be discussed here.

Fig. 2. The Poincaré sphere (left-hand picture), and two examples of polarization states that are suitable for the BB84 protocol (center and right-hand picture). The first example comprises the |*H*⟩, |*V*⟩, |+⟩ and |−⟩ linear polarization states, the second one comprises the |*R*⟩, |*L*⟩ circular polarization states and the |+⟩ and |−⟩ linear polarization states. Note that the states belonging to each example are arranged equally on two great circles around the Poincaré sphere.

Fig. 3. Illustration of the BB84 protocol.

For QKD, Alice and Bob share two communication channels: a quantum channel that is used to transmit qubits, and a classical (standard) channel to send classical messages. The quantum channel is generally an optical fiber or a free-space link connecting Alice and Bob, while the classical channel may be the Internet.

#### **3.1 The BB84 protocol**

Quantum key distribution was proposed in 1984 by Charles Bennett and Gilles Brassard (Bennett & Brassard (1984)). The first QKD protocol, generally referred to as the BB84 or four-state protocol, uses four different quantum states that form two pairs, chosen such that the difference (overlap) between any two states, one from each pair, is the same. A specific bit value is assigned to each state. For example, if the linear polarization states horizontal (|*H*⟩), vertical (|*V*⟩), +45° (|+⟩) and -45° (|−⟩) are used, |*H*⟩ and |*V*⟩ form one pair, |+⟩ and |−⟩ form the other pair, then |*H*⟩ and |−⟩ correspond to bit 0, while |*V*⟩ and |+⟩ correspond to bit 1, see figure 2<sup>4</sup>. For each photon Alice sends to Bob, she randomly selects one out of these four states. Bob, before receiving it, randomly decides whether to make a measurement that allows discriminating horizontally from vertically polarized photons, or +45° from -45° polarized photons. It is important to note that it is impossible to make a measurement that allows distinguishing between all four possible states (Nielsen & Chuang (2004)). Hence, whenever Bob picks the measurement that allows him to distinguish between the state that Alice sent and the orthogonal state, his measurement result indicates with certainty which state was originally prepared by Alice. Identifying states with bits, as described above, then obviously results in equal bits at Alice's and Bob's. Conversely, in the case where Bob chooses to do the 'wrong' measurement, the measurement result as well as the associated bit value will be uncorrelated with the state sent by Alice.

<sup>3</sup> This property is sometimes also referred to as *unconditional security*, a technical term that refers to the fact that the security is not based on mathematical assumptions. This meaning must not be confused with *secure without any conditions*.

Let us use the example of Alice sending state |*H*⟩ to make this concept more concrete: If Bob makes the 'correct' measurement (i.e. the measurement that distinguishes between |*H*⟩ and |*V*⟩), he will find the result |*H*⟩. Hence, Alice and Bob have sent and received the same bit value: 0. However, if Bob chooses the measurement that distinguishes between |+⟩ and |−⟩, he will randomly obtain one of these two possible outcomes, and hence randomly obtain the bit value 0 or 1. From this point on all information exchange between Alice and Bob is performed over the classical channel, and the remaining steps in the protocol are known under the name of *classical post-processing*. These procedures are explained below.

Assume now that an eavesdropper intercepts photons during transmission from Alice to Bob. She (the eavesdropper) may duplicate each photon, keep one copy to measure it and obtain a bit value, and send the other copy to Bob. Fortunately, one of these steps is not allowed by quantum theory: the *no-cloning theorem* states that it is impossible to make a perfect copy of a photon in an unknown quantum state (Nielsen & Chuang (2004)). In fact, both 'duplicates' will only approximately resemble the original. Hence, the eavesdropper's attempt to eavesdrop inevitably leads to a modification of the state of the photon sent on to Bob, which results in errors in the bits that should be perfectly correlated and thereby reveals eavesdropping<sup>5</sup>.
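The protocol described above, simulated classically as an added example (not code from the chapter): Alice's random state choice, Bob's random measurement, the comparison of measurement choices, and the error rate an eavesdropper leaves behind. The eavesdropper is modelled with an intercept-and-resend strategy, which is an assumption (the chapter only states that any strategy introduces errors); all function names and the `detect_prob` loss parameter are illustrative.

```python
import random

# Two possible measurements. A photon is modelled as (preparation basis, bit),
# using the bit assignment from the text:
#   h/v pair:   |H> = 0, |V> = 1        +/-45 pair:  |-> = 0, |+> = 1
HV, DIAG = "h/v", "+/-45"


def measure(photon, basis, rng):
    """Measure a photon in `basis`; returns (bit found, photon after measurement).

    The 'correct' measurement returns the encoded bit with certainty, the
    'wrong' one returns a random bit. Either way the photon leaves in the
    state that was found, so looking at it can change it.
    """
    prepared_in, bit = photon
    if prepared_in != basis:
        bit = rng.getrandbits(1)
    return bit, (basis, bit)


def transmit(n_photons, eavesdrop, rng, detect_prob=1.0):
    """Quantum-channel phase: returns Alice's and Bob's raw records."""
    alice, bob = [], []
    for _ in range(n_photons):
        a_basis, a_bit = rng.choice((HV, DIAG)), rng.getrandbits(1)
        photon = (a_basis, a_bit)
        if eavesdrop:
            # Assumed strategy: measure in a random basis, resend the result.
            _, photon = measure(photon, rng.choice((HV, DIAG)), rng)
        b_basis = rng.choice((HV, DIAG))
        detected = rng.random() < detect_prob  # channel and detector loss
        b_bit = measure(photon, b_basis, rng)[0] if detected else None
        alice.append((a_basis, a_bit))
        bob.append((b_basis, b_bit))
    return alice, bob


def sift(alice, bob):
    """Keep positions where Bob detected a photon and measured 'correctly'.

    Only Bob's measurement choice is compared, never his result.
    """
    a_key, b_key = [], []
    for (a_basis, a_bit), (b_basis, b_bit) in zip(alice, bob):
        if b_bit is not None and a_basis == b_basis:
            a_key.append(a_bit)
            b_key.append(b_bit)
    return a_key, b_key


def error_rate(a_key, b_key):
    """Fraction of kept positions where Alice's and Bob's bits disagree."""
    if not a_key:
        raise ValueError("no bits survived sifting")
    return sum(a != b for a, b in zip(a_key, b_key)) / len(a_key)


def session(n_photons, eavesdrop, seed, detect_prob=1.0):
    """Run one session; returns (number of kept bits, error rate).

    A seeded PRNG keeps the run reproducible; a real system needs true
    randomness for every state and measurement choice.
    """
    rng = random.Random(seed)
    a_key, b_key = sift(*transmit(n_photons, eavesdrop, rng, detect_prob))
    return len(a_key), error_rate(a_key, b_key)


if __name__ == "__main__":
    for eve in (False, True):
        kept, rate = session(20000, eavesdrop=eve, seed=1, detect_prob=0.5)
        print(f"eavesdropper={eve}: kept bits={kept}, error rate={rate:.3f}")
```

With the assumed intercept-and-resend eavesdropper the error rate in the kept bits settles near 25%, against 0% on an undisturbed ideal channel.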

## **4. Classical post-processing**

Classical post-processing in QKD consists of four operations, as shown in Figure 4.

## **4.1 Sifting**

Alice and Bob start by performing key sifting: Bob communicates which photons he detected, and which measurements he performed in these cases. However, he does not specify the results he obtained. Alice and Bob only keep those bits from their *raw keys* (i.e. the list of bits specifying the quantum states Alice sent and Bob detected, see figure 3) where Bob detected a photon, and that resulted from correct measurements (as defined above). All other bits are discarded. The result of this step is called the *sifted key*. Ideally, the sifted key would be error

<sup>4</sup> We use the usual ket-notation to denote quantum states, e.g. <sup>|</sup>*ψ*� denotes the quantum state *<sup>ψ</sup>*. <sup>5</sup> Note that other, more sophisticated eavesdropping strategies exist. However, regardless of the strategy, an eavesdropper gaining information about the photon states inevitably introduces errors at Bob's.

different mean photon number – to the signals used to establish the sifted key (Scarani et al. (2009)). This allows determining the information gained by the eavesdropper from PNS attacks, and makes implementations using faint laser pulses comparable to those using

Quantum Key Distribution 341

• Second, the eavesdropper gains additional information by monitoring the error-correction

• Third, as we will discuss in more detail later, an implementation of QKD using imperfect devices can impact the security of the protocol. Sometimes, it is possible to quantify the

Using these three contributions, the length of the secret key to be distilled from the corrected key is computed. Assuming for simplicity that Alice has used true single photons6, the secret

Privacy amplification, implemented by both Alice and Bob, then maps the error-corrected keys onto shorter secret keys in a way that knowledge of many bits in the corrected key is required to calculate any bit of the secret key. This step is typically performed by multiplication of the corrected key (expressed as a bit vector) with a suitably chosen binary

An important consideration in all post-processing steps is to ensure that Alice and Bob are in fact going through this process with each other. Otherwise, an eavesdropper could simply block all quantum and classical communication between Alice and Bob and perform QKD with Alice while taking on Bob's role and vice versa. This is known as a man-in-the-middle attack, and would allow Eve to establish different secret keys with both Alice and Bob. She could then intercept a secret message, for example, being sent from Alice to Bob, decrypt it using the key she shares with Alice, read it, and then encrypt it again using the key she shares with Bob before forwarding it to him. She could thus read the entire message. To avoid man-in-the middle attacks, the classical channel has to be authenticated. In other words, Alice and Bob have to identify each message they send as originating from themselves. This can be achieved using a protocol known as Wegman-Carter authentication (Wegman & Carter (1981)). Hence, while the eavesdropper can listen to the conversation during post-processing (i.e. the classical channel is not required to be secure), she cannot modify or replace it. Authentication requires a short initial key, which is consumed during the first round of QKD. For subsequent rounds, it is replaced by some of the key generated during the key expansion7.

As introduced above, eavesdropping qubits encoded into individual photons during transmission is revealed through the observed error rate, regardless of the strategy. However,

<sup>6</sup> This formula is easily adapted to the case of faint laser pulses. However, for pedagogical reasons, we

<sup>7</sup> Note that the security of QKD is not compromised if the initial key is revealed after the first round of QKD. This property therefore allows, for instance, the use of a computational secure cryptosystem for

the distribution of this initial key, provided it features sufficient short-term security.

*Isecret* = 1 − *It* − *Iec* − *Ileak*. (1)

procedure. The amount, *Iec*, is directly given by the number of bits exchanged.

(much more difficult to generate) single photons.

key per error-corrected bit amounts to

**4.4 Authentication**

**5. Security loopholes in QKD**

only give this simple expression.

information leakage *Ileak* (Lamas-Linares & Kurtsiefer (2007)).

Toeplitz matrix. This removes the eavesdropper's information about the key.

free, but in practice, no communication system is perfect and thus a small error rate, generally referred to as the *quantum bit error rate* (QBER), always remains. In addition, errors introduced by eavesdropping may also be present in the sifted key.

## **4.2 Error-correction**

The next step is to perform error correction: Alice sends Bob additional information that allows him to generate an *error-corrected key* that is identical to Alice's. Furthermore, this procedure yields the QBER. Error correction in QKD is similar to error correction in classical communications, with the sifted key in QKD being analogous to the transmitted message. However, there is one important difference: rather than combining information that allows correcting errors directly into the message to be transmitted, this information is sent after key sifting is complete as it is only at this point that the message to be corrected is known. Furthermore, we need not worry about protecting the information for error correction against transmission errors as we can use existing protocols that provide error-free communication. With this in mind, the Cascade error correction protocol was originally designed for QKD (Bennett et al. (1992)). It requires many rounds of back-and-forth communication between Alice and Bob, which limits the maximum key rates that can be handled, due to communications delays. More recently, Low-Density Parity-Check codes (Gallager (1962); MacKay & Neal (1997)) have been adapted from classical communication protocols – they are capable of handling larger key rates (Pearson (2004)).

Fig. 4. Post-processing in QKD. Example keys for Alice (A) and Bob (B) are shown. Only key bits resulting from correct measurements and photon detections are kept during sifting, yielding the sifted key. Remaining errors are corrected to form the error-corrected key. The eavesdropper's information about the error-corrected key is removed, yielding the secret key. Authentication is required for all steps.

## **4.3 Privacy amplification**

Next, the amount of information that an eavesdropper may have obtained is estimated. The analysis considers several factors:

• First, the maximum amount of information Eve may have gained from measuring photons in transit, *It*, is evaluated from the error rate introduced into the sifted key (Gottesman et al. (2004)). Generally, all errors are attributed to eavesdropping as this is the worst-case scenario. If QKD is implemented using extremely faint laser pulses (containing on average less than one photon) instead of single photons, this procedure has to take into account the possibility of a so-called photon number splitting (PNS) attack (Brassard et al. (2000)). This attack exploits the fact that faint laser pulses sometimes contain more than one photon. It is generally thwarted by adding decoy states – qubits encoded into faint pulses with different mean photon number – to the signals used to establish the sifted key (Scarani et al. (2009)). This allows determining the information gained by the eavesdropper from PNS attacks, and makes implementations using faint laser pulses comparable to those using (much more difficult to generate) single photons.


Using these three contributions, the length of the secret key to be distilled from the corrected key is computed. Assuming for simplicity that Alice has used true single photons<sup>6</sup>, the secret key per error-corrected bit amounts to

$$I_{\text{secret}} = 1 - I_{\text{t}} - I_{\text{ec}} - I_{\text{leak}}. \tag{1}$$

Privacy amplification, implemented by both Alice and Bob, then maps the error-corrected keys onto shorter secret keys in a way that knowledge of many bits in the corrected key is required to calculate any bit of the secret key. This step is typically performed by multiplication of the corrected key (expressed as a bit vector) with a suitably chosen binary Toeplitz matrix. This removes the eavesdropper's information about the key.

## **4.4 Authentication**

An important consideration in all post-processing steps is to ensure that Alice and Bob are in fact going through this process with each other. Otherwise, an eavesdropper could simply block all quantum and classical communication between Alice and Bob and perform QKD with Alice while taking on Bob's role and vice versa. This is known as a man-in-the-middle attack, and would allow Eve to establish different secret keys with both Alice and Bob. She could then intercept a secret message, for example, being sent from Alice to Bob, decrypt it using the key she shares with Alice, read it, and then encrypt it again using the key she shares with Bob before forwarding it to him. She could thus read the entire message. To avoid man-in-the-middle attacks, the classical channel has to be authenticated. In other words, Alice and Bob have to identify each message they send as originating from themselves. This can be achieved using a protocol known as Wegman-Carter authentication (Wegman & Carter (1981)). Hence, while the eavesdropper can listen to the conversation during post-processing (i.e. the classical channel is not required to be secure), she cannot modify or replace it. Authentication requires a short initial key, which is consumed during the first round of QKD. For subsequent rounds, it is replaced by some of the key generated during the key expansion<sup>7</sup>.
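The privacy amplification step of section 4.3 and the authenticated classical channel of section 4.4, as an added Python example that is not code from the chapter or from the authors' system. It assumes the estimates *It*, *Iec* and *Ileak* are supplied as inputs, and it uses a Toeplitz hash masked with a one-time pad as the authentication tag, which is one standard Wegman-Carter construction chosen for this example; all function names, the sample key and the 32-bit tag length are illustrative.

```python
"""QKD post-processing sketch: Toeplitz privacy amplification plus a
Wegman-Carter style tag. Added example; names and values are assumptions."""
import hmac
import math
import secrets


def secret_key_length(n_corrected, i_t, i_ec, i_leak):
    """Eq. (1) scaled to a block: n * (1 - I_t - I_ec - I_leak), floored.

    The three estimates are per-corrected-bit values supplied by the caller;
    a non-positive fraction means no secret key can be distilled.
    """
    fraction = 1.0 - i_t - i_ec - i_leak
    return max(0, math.floor(n_corrected * fraction))


def toeplitz_hash(bits, seed, out_len):
    """Return T * bits over GF(2) for the out_len x n binary Toeplitz matrix
    with T[i][j] = seed[i - j + n - 1] (constant along each diagonal)."""
    n = len(bits)
    if len(seed) != n + out_len - 1:
        raise ValueError("seed must hold len(bits) + out_len - 1 bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed[i - j + n - 1] & bits[j]
        out.append(acc)
    return out


def random_bits(count):
    """Bits from the OS CSPRNG; the chapter calls for true random numbers."""
    return [secrets.randbits(1) for _ in range(count)]


def wc_tag(message_bits, hash_seed, pad):
    """Universal hash of the message, masked with a one-time pad.

    hash_seed and pad are secret bits both parties already share; the pad
    must not be reused for a second message.
    """
    digest = toeplitz_hash(message_bits, hash_seed, len(pad))
    return [d ^ p for d, p in zip(digest, pad)]


def wc_verify(message_bits, tag, hash_seed, pad):
    """Recompute the tag and compare it in constant time."""
    expected = wc_tag(message_bits, hash_seed, pad)
    return hmac.compare_digest(bytes(expected), bytes(tag))


def run_round(corrected_key, i_t, i_ec, i_leak, tag_len=32, tamper=False):
    """One privacy-amplification round over an authenticated channel.

    Returns (alice_secret, bob_secret); bob_secret is None when Bob rejects
    the announced Toeplitz seed because its tag does not verify.
    """
    n = len(corrected_key)
    m = secret_key_length(n, i_t, i_ec, i_leak)
    if m == 0:
        return [], []
    # Pre-shared secret material (the role of the initial key in 4.4).
    hash_seed = random_bits((n + m - 1) + tag_len - 1)
    pad = random_bits(tag_len)
    # Alice picks the public Toeplitz seed and announces it with a tag.
    pa_seed = random_bits(n + m - 1)
    tag = wc_tag(pa_seed, hash_seed, pad)
    received = list(pa_seed)
    if tamper:  # constructed in-transit modification of one seed bit
        received[0] ^= 1
    alice_secret = toeplitz_hash(corrected_key, pa_seed, m)
    if not wc_verify(received, tag, hash_seed, pad):
        return alice_secret, None
    return alice_secret, toeplitz_hash(corrected_key, received, m)


if __name__ == "__main__":
    # Constructed 16-bit corrected key, identical for Alice and Bob.
    key = [0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 0]
    alice, bob = run_round(key, i_t=0.25, i_ec=0.25, i_leak=0.125)
    print("secret key:", alice, "keys match:", alice == bob)
    _, bob_tampered = run_round(key, 0.25, 0.25, 0.125, tamper=True)
    print("tampered seed accepted:", bob_tampered is not None)
```

The Toeplitz seed used for privacy amplification is public, whereas the hash seed and pad used for the tag must stay secret.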

<sup>6</sup> This formula is easily adapted to the case of faint laser pulses. However, for pedagogical reasons, we only give this simple expression.

<sup>7</sup> Note that the security of QKD is not compromised if the initial key is revealed after the first round of QKD. This property therefore allows, for instance, the use of a computationally secure cryptosystem for the distribution of this initial key, provided it features sufficient short-term security.

## **5. Security loopholes in QKD**

As introduced above, eavesdropping qubits encoded into individual photons during transmission is revealed through the observed error rate, regardless of the strategy. However, loopholes in the actual implementation of QKD may exist and can be exploited for attacks that are not reflected in the QBER. This was already noted in the very first implementation of QKD, where Charles Bennett realized that the noise emitted by the QKD system rendered the key only secure against an eavesdropper who happened to be deaf.

*Quantum hacking* has become an important research field during the past five years, and various attacks have been proposed and experimentally studied. The most important ones are briefly introduced below.

• The already mentioned *photon number splitting attack* takes advantage of the fact that faint laser pulses sometimes contain more than one photon (Brassard et al. (2000)). This opens a security loophole when using the original BB84 protocol. Interestingly, this loophole can be closed by a small modification of the protocol, i.e. the addition of decoy states (Scarani et al. (2009)).

• In the *Trojan-horse attack* (Vakhitov et al. (2001)), Eve exploits the fact that every optical element reflects some of the incident light. It is then possible to analyze the status of optical components such as phase (polarization) modulators by reflecting short pulses of light from them, yielding for instance information about the qubit state that is being generated. This technique is called reflectometry and is well known to optical engineers. Counter measures include active monitoring of light at the input of Alice and Bob, and, for Alice, an optical isolator.

• QKD systems rely on single photon detectors. In the *detector blinding attack*, an eavesdropper exploits that these detectors can be prevented from detecting photons, and then forced to announce detections at will using various mechanisms (Makarov (2011)). In the *time-shift attack* (Lamas-Linares & Kurtsiefer (2007); Qi et al. (2007)) the eavesdropper exploits a possible detection efficiency mismatch between two detectors in the time domain. In this case, controlling the arrival time of each photon at Bob's device allows the eavesdropper to modify the probabilities for certain detectors to detect a given photon, and thereby yields information about the key. Counter measures against attacks exploiting vulnerabilities of single photon detectors, often combining hardware and protocol modifications, have already been proposed and investigated (Makarov (2011); Yuan et al. (2010)).

It is of utmost importance to critically assess vulnerabilities of QKD systems and devise counter measures, either of theoretical nature or on the technological level, to remove the threat to security. Yet, even in the case of remaining potential loopholes, one should not underestimate that the security of QKD depends on the technological capabilities of the adversary at the time of the key exchange, in contrast to complexity-based cryptosystems that generate ciphertexts that can be recorded and decoded later. This point is important for secrets that should remain secure over many years.

## **6. State-of-the-art**

Quantum key distribution is the most mature application in the field of quantum information processing. For a few years, QKD systems have been commercially available (idQuantique (2011); MagiQ (2011); Quintessence (2011)) but research still continues to progress both theoretically and experimentally. Comparing different QKD systems is not a simple task, and trying to identify the 'best' system in a field that still evolves quickly is quite a pointless effort. Furthermore, it is unclear what figure of merit one should use. However, to give some idea about what is currently achievable, let us briefly summarize recent results that have advanced practical QKD in terms of maximum distance and key rate. Please note that, while these systems deliver secret keys if eavesdropping is restricted to measuring qubits in transit<sup>8</sup>, we make no claim concerning their robustness against security loopholes such as those discussed above.

QKD systems differ in terms of the type of quantum channel used (fiber or free space), the degree of freedom utilized to encode qubits (e.g. polarization or phase), and the nature of the quantum effect exploited (qubit states encoded into faint laser pulses, or so-called entangled qubits (Tittel & Weihs (2001))). Furthermore, they may employ single photon detectors based on avalanche photo diodes or on superconductors. As the state-of-the-art (in terms of distance and key rate) is only weakly system-dependent, we will not distinguish between different implementations.

Distances over which QKD systems operate can, in the best case, exceed ∼200 km (Liu (2010); Schmitt-Manderbach et al. (2007); Stucki et al. (2009)). Due to the high channel loss experienced, the secret key rates are typically limited to ∼10 bps. On the other hand, QKD systems have been demonstrated to deliver secret key rates up to ∼1 Mbps (Dixon et al. (2010); Restelli et al. (2009)). Obviously, the distances are reduced compared to those mentioned previously; the current maximum is 50 km. It is likely that these two benchmarks will not be improved significantly over the next few years, the only exception possibly being QKD over a free-space link between a ground station and a (very distant) satellite (Ursin et al. (2009)).

An important concern in QKD systems, in particular in those clocked at high rates, is the generation of random numbers. For instance, in faint pulse based QKD, the security relies on Alice generating randomly selected qubit states encoded into laser pulses with average photon number chosen randomly from a small set. Furthermore, Bob has to randomly select which measurement to perform<sup>9</sup> and some randomness is required for privacy amplification. Hence, true random number generators, possibly exploiting randomness of certain quantum effects, are needed. A lot of progress has been made over the past years; quantum random number generators delivering random numbers at 16 Mbps are commercially available (idQuantique (2011)), and 50 Mbps rates have meanwhile been achieved in an academic effort (Fürst et al. (2010)). Yet, further improvement is required for QKD systems clocked at Gbps rates. Another possibility is the use of physical (non-quantum) RNGs for which Gbps rates have been reported (Honjo et al. (2009)).

## **7. Our QKD system - a case study**

The optical part of a QKD system consists of subsystems for signal generation, modulation, transmission, demodulation and detection, see figure 5. Figure 6 shows pictures of the sender and receiver of the QKD system that is currently being developed in our group (Lucio-Martinez et al. (2009)). Laser pulses generated by a standard telecommunication laser diode are attenuated to faint pulses and are used as carriers for qubits. Each of these laser pulses is modulated to a random polarization state (i.e. a qubit) and a random intensity level to implement the BB84 protocol supplemented with decoy states<sup>10</sup>. The pulses then pass through a standard, 12 km long telecommunication fiber and arrive at the receiver of the QKD system. On Bob's side, each qubit is measured using one out of two, randomly selected devices (see figure 3). The measurement results are post-processed, as described above, resulting in a shared secret key. The details of each subsystem are given below.

<sup>8</sup> Note that some QKD protocols still lack an unconditional security proof, i.e. a proof that takes into account any eavesdropping allowed by the laws of quantum physics. More precisely, some protocols have so far only been shown to resist attacks on individual photons, as opposed to attacking all photons coherently (jointly).

<sup>9</sup> Often, the latter condition is satisfied by a beamsplitter that randomly reflects, or transmits, photons to different measurement devices; as we describe below, our implementation is an example for this very simple approach.

Fig. 5. Diagram of the optical part of a QKD system, where Alice and Bob denote the sender and the receiver, respectively.

Fig. 6. The QKD system currently being developed at the Quantum Communication and Cryptography (QC2) Lab at the University of Calgary. The left-hand picture shows Alice (located at SAIT Polytechnic), the right-hand one depicts Bob (located at the University of Calgary).

## **7.1 Generation**

Figure 7 depicts the schematics of Alice's part of the QKD system. All fiber-optical components are polarization maintaining unless stated otherwise. We assume that the polarization beam splitter (PBS) transmits horizontal, and reflects vertical polarization.

The laser diode LDQ is driven by a homemade laser diode driver that is under the control of a field-programmable gate-array (FPGA)-based circuit. When the circuit sends a short digital signal to the driver, a 500 ps long, horizontally polarized laser pulse is generated. It features a central wavelength of 1548.07 nm, and a spectral width of 0.214 nm (full-width at half-maximum). The ratio between the power levels of a laser pulse and the background is around 100 to 1. An optical attenuator (ATT) reduces the energy of the laser pulse down to single-photon level; the background is reduced accordingly.

<sup>10</sup> Our QKD system currently employs a software-based pseudo-random number generator. While being acceptable in the current development phase, true random numbers, as described above, are needed in a system that is used to encode actual secrets.

## **7.2 Modulation**

The horizontally polarized laser pulse passes through the PBS, enters the subsequent polarization-maintaining fiber with its polarization aligned along one of the fiber's principal axes (slow, let's say), and arrives at an element denoted R45. The axes of the polarization maintaining fibers on both sides of R45 are rotated by 45° with respect to each other. This rotation leads to a decomposition of the incoming laser pulse into two orthogonally polarized components with equal intensity, but randomly varying phase difference. The two components are polarized along the two polarization-maintaining axes of the second fiber, and arrive parallel to the slow (S) and the fast (F) axes of the subsequent LiNbO<sub>3</sub> phase modulator (PM). This modulator introduces a random and a controllable phase shift (*φin*) to one of the two components (slow, let's say), and another random phase shift to the component parallel to the other axis. Next, the Faraday mirror reflects the input light. Due to the Faraday effect, the polarization of the input light and that of the reflected light are orthogonal to each other, i.e. the component previously traveling along the slow axis of the modulator now travels along the fast one and vice versa. Hence, provided the random phase shifts introduced by the PM during the first passage of light have not changed before the second passage (a correct assumption given the small time difference of a few nanoseconds), the random phase shifts are equally present in both polarization components, and the phase difference is entirely due to the controllable phases (*φin* and *φout*) that are applied during the two passages. When arriving again at the PBS, the polarization of the reflected laser pulse can thus be expressed by the Jones vector

$$J_{out} = \begin{bmatrix} -i\sin\Delta\phi\\ \cos\Delta\phi \end{bmatrix} \tag{2}$$

where Δ*φ* = ½ (*φout* − *φin*). The details of the calculation can be found in (Lucio-Martinez et al. (2009)). Equation 2 shows that the polarization of the reflected laser pulse varies as a function of Δ*φ*, which is determined by the modulation voltages applied to the phase modulator.

The horizontally polarized component of the laser pulse passes again through the PBS and is absorbed by the attenuator. The vertical polarization component is reflected by the PBS and is subsequently used to encode a qubit. By changing the polarization of the laser pulse, its intensity (or rather the average number of photons in the laser pulse) is modulated to a high or low value, as required by the decoy-state protocol. Furthermore, so-called vacuum states (pulses without photons) are generated by not triggering the laser diode.

Due to the use of a Faraday mirror, this intensity modulator has the following advantages compared to a standard modulator based on a Mach-Zehnder interferometer:

• The modulator is insensitive to changes in the environment, such as temperature and mechanical stress in the fiber. As an example, we have observed a variation of the output intensity of less than ±1.5% over 12 hours.

• The modulator is insensitive to polarization mode dispersion, which makes it suitable for use with a light source with large spectral width. As a second example, we routinely observe 20 dB power extinction ratio.

The faint laser pulses are then transmitted to the second, equally built polarization modulator. Depending on the value of the phase difference Δ*φ*, we generate +45° (Δ*φ* = 0), −45° (Δ*φ* = *π*/2), left-hand circular (Δ*φ* = −*π*/4) or right-hand circular (Δ*φ* = *π*/4) polarization. This is equivalent to the example given in the text above, as can be seen by comparing the center and right-hand parts of figure 7. We note that the second modulator comprises an optical circulator (CIR) instead of a PBS. Hence, both polarization components will exit the modulator, which then acts as a polarization modulator instead of an intensity modulator.


Fig. 7. Schematics of Alice's system, which consists of sub-systems for signal generation (*I*), intensity modulation (*II*) and polarization modulation (*III*).

#### **7.3 Transmission, demodulation and detection**

The generated qubits are transmitted from Alice to Bob using a dedicated (dark) fiber, and then demodulated and detected using appropriate measurement devices. Before going into detail, we will briefly introduce the concept of quantum frames, which play an important role for selecting and maintaining quantum channels suitable for QKD.

The idea of *quantum frames* is inspired by the Ethernet protocol. A quantum frame consists of alternating sequences of high-intensity pulses (the classical control frame, providing a platform to include classical control information into quantum communication) and qubits encoded into faint laser pulses (the quantum data), see figure 8. Adding classical control frames (also referred to as data headers) allows for a variety of tasks related to establishing a link for QKD (e.g. in a network environment, which will be discussed below), and maintaining its properties:


• *Routing:* To allow all-optical routing of quantum data in a network, the classical control frames include information about the sender and the receiver. This information can be read using standard detectors, which, in turn, can activate optical switches to route entire quantum frames along specific optical paths. Work on quantum networks will be discussed briefly in section 8.

• *Compatibility*: In a future quantum network, it is likely that different types of QKD systems co-exist. They may vary in the degree of freedom chosen to encode quantum information into photons, or the protocol employed, which impacts on the way post-processing (in particular privacy amplification) is done. This information can be included into the classical control frames, and allows Bob to take appropriate action.

• *Polarization compensation*: Unfortunately, a fiber that maintains all polarization states required for the implementation of the BB84 protocol does not exist<sup>11</sup>. Hence, Bob will receive photons in states that differ from those sent by Alice. Moreover, the polarization change during transmission through the link varies with time (e.g. due to temperature fluctuations) rather than being constant. A feedback mechanism that tracks and compensates the change introduced by the link is thus required. We exploit strong pulses of light in specific polarization states to solve this problem. More precisely, the classical control frames contain information for Bob, which allows him to actively compensate for these polarization changes.

• *Clock Synchronization*: One of the challenges in QKD, especially in high-rate QKD, is clock synchronization between the two parties. This is needed to associate the generation with the corresponding detection of qubits. Information for clock synchronization is included into the classical control frames, allowing for periodic synchronization of Alice's and Bob's clocks.

<sup>11</sup> We point out that the so-called polarization-maintaining fibers only maintain polarization for two, orthogonally polarized polarization states, which is insufficient for QKD.

Fig. 8. Structure of a quantum frame (not to scale). Classical information (high intensity pulses) is time-multiplexed with quantum bits (faint laser pulses). Each color in the quantum data indicates one of the four different polarization states required in the BB84 protocol.

The laser pulses constituting the classical control frames are generated by the laser diode LDC in figure 7: Horizontally polarized laser pulses pass through the PBS and are modulated to a specific polarization by the polarization modulator. On Bob's side, as shown in figure 9, 10% of the optical power is reflected towards a standard photodiode (PD), which detects the data header of the quantum frame to provide timing information for Bob's control circuit and thereby allow for clock synchronization.

Ninety percent of the optical power is transmitted through a 10/90 beam splitter (BS1) and is then equally divided by a 50/50 beam splitter (BS2). The outputs of BS2 are connected to two polarization measurement devices. Each device consists of a polarization controller (PC1, PC2), a polarization beam splitter (PBS1, PBS2) and two single photon detectors (SPD1*a*, SPD2*a* and SPD1*b*, SPD2*b*).

PC1 ensures that −45° polarized classical data, and hence qubits, emitted at Alice's arrive horizontally polarized at PBS1 and will be detected by SPD1*a*. Similarly, PC2 is set up such that right circular polarized classical data and qubits emitted at Alice's always impinge horizontally polarized on PBS2, and will thus be detected by SPD2*a*. This directly implies that qubits prepared with +45° or left circular polarization arrive vertically polarized on PBS1 or PBS2, respectively, and will thus be detected by SPD1*b* and SPD2*b*. Hence, the two sets of PC, PBS and two SPDs allow compensation of unwanted polarization transformations in the quantum channel, and appropriate measurements of qubit states.

At the end of each classical data header, the control circuit disables the polarization controller as well as the clock synchronization and starts gating single photon detectors based on InGaAs/InP avalanche photo-diodes operated in Geiger mode. The outputs of these detectors produce the raw key at Bob's, which is transmitted to a personal computer for classical post-processing.


Fig. 9. Schematics of Bob's system, which consists of demodulation and detection subsystems.

#### **7.4 QKD performance**

As described above, each deployed optical fiber introduces polarization changes to transmitted states of light (both quantum and classical) that vary over time. As shown in figure 10a, these variations are rapid during day-time (when the sun is out and the fiber heats up despite running through underground conduits) and are less pronounced during the night. However, even in the worst case, the polarization transformation is stable on a timescale of seconds. Due to the feedback system described above, our QKD system is able to perform continuously for ∼30 hours: as depicted in figure 10b, the QBER remains at ∼3% (a typical value for a QKD setup operating over ∼10 km optical fiber), independent of the time of the day.

Fig. 10. a) Plot of the polarization state of originally +45° polarized classical control frames arriving at Bob's as a function of time. The states are parametrized in terms of their Stokes vectors S1-S3. A correlation between the time of the day and the polarization variation can be seen. b) QBER as a function of time, measured over a period of 9 hours.

Our QKD system currently features a raw key rate<sup>12</sup> of ∼0.5 KHz, which is sufficient to provide cryptographic keys for encoding using the Advanced Encryption Standard (AES)<sup>13</sup>, but too small to provide keys for one-time pad encoding in real-time. The raw key rate is determined by the repetition rate at which qubits are produced or the single-photon detectors can be gated (whichever is smaller), the loss in the channel between Alice and Bob (∼6.5dB), the fraction of time that is used for qubit generation and transmission (∼10%; the remaining time is used for classical post-processing, which is currently done sequentially, and polarization compensation), loss in the optical components at Bob's (∼3dB), and the quantum efficiency (i.e. the probability to detect a photon) of the single-photon detectors (∼10%). The sifted key rate is ∼0.25 KHz leading to a secret key rate of ∼50 bps for an average of 0.5 photons per faint laser pulse.

<sup>12</sup> The raw key rate is defined as the rate with which photons are detected at Bob's.

<sup>13</sup> AES is a widely used symmetric cipher. It uses a short key to encrypt large amounts of data, and therefore does not provide information-theoretic security.

The performance can be improved by several orders of magnitude by employing high-rate single photon detectors<sup>14</sup>, and parallel implementation of classical post-processing using dedicated hardware.

## **8. Quantum networks**

As described above, the no-cloning theorem prevents an eavesdropper from copying quantum data, but excludes at the same time broadcasting of identical quantum keys to several legitimate users. While QKD systems can thus operate only in point-to-point (P2P) fashion, they still benefit from being implemented in networks. This is due to the possibility to connect different users in a flexible and efficient way. Various types of quantum networks have been considered; the differences are determined by the available (or assumed) technology.

## **8.1 Trusted-node quantum networks**

A trusted-node QKD network is composed of dedicated QKD links, each one connecting two neighboring locations or *nodes*. Secret keys for encoding messages (henceforth referred to as the message-encryption-key, MEK) are distributed between arbitrary (non-neighboring) nodes using a chain of QKD links. More precisely, the MEK is encrypted using the one-time pad and a key-encryption-key established with the neighboring node by means of QKD. The MEK is sent to the next node, with an authentication tag attached. Upon reception, the authentication tag is verified, and the MEK is decrypted. The process repeats until the MEK reaches its final destination. A potential drawback is that the security of the distribution of the MEK is only ensured if all intermediate nodes between the sender and receiver can be trusted, as they possess full information about the MEK. On the other hand, the distribution of the MEK is not limited in distance, as any distance can always be covered using many short-distance QKD links.
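The hop-by-hop relay described above, sketched in Python as an added example (not code from the chapter or from any QKD product). HMAC-SHA256 stands in for the authentication tag, whose construction the text does not specify; `LinkKeyPool`, `protect`, `unprotect` and `relay` are hypothetical names, and the random pool contents are constructed stand-ins for QKD-generated key.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


class LinkKeyPool:
    """Key material one QKD link has delivered to its two end nodes.

    Both ends hold identical bits, so the pool is modelled once per link.
    """

    def __init__(self, n_bytes):
        self._pool = bytearray(secrets.token_bytes(n_bytes))  # constructed stand-in

    def take(self, n):
        # One-time pad key must never be reused: bytes are deleted when drawn.
        if n > len(self._pool):
            raise RuntimeError("QKD key pool exhausted")
        out = bytes(self._pool[:n])
        del self._pool[:n]
        return out

    def remaining(self):
        return len(self._pool)


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad key must be as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def protect(mek, kek, auth_key):
    """Sending node: one-time-pad the MEK with the KEK, then append a tag."""
    ciphertext = xor(mek, kek)
    tag = hmac.new(auth_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unprotect(packet, kek, auth_key):
    """Receiving node: verify the tag first, decrypt only if it matches."""
    ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: packet rejected")
    return xor(ciphertext, kek)


def relay(mek, links, tamper_hop=None):
    """Forward the MEK across a chain of links.

    Returns the delivered MEK and the plaintext each receiving node held.
    `tamper_hop` flips one bit in transit on that hop to exercise the tag check.
    """
    plaintext_at_node = []
    current = mek
    for hop, link in enumerate(links):
        kek = link.take(len(current))   # fresh pad bytes for this hop
        auth_key = link.take(TAG_LEN)   # fresh authentication key for this hop
        packet = protect(current, kek, auth_key)
        if hop == tamper_hop:
            packet = bytes([packet[0] ^ 0x01]) + packet[1:]
        current = unprotect(packet, kek, auth_key)
        # Every receiving node, intermediate ones included, now holds the MEK
        # in the clear: this is why each node on the path must be trusted.
        plaintext_at_node.append(current)
    return current, plaintext_at_node


if __name__ == "__main__":
    chain = [LinkKeyPool(128) for _ in range(3)]  # sender -> 2 relays -> receiver
    mek = secrets.token_bytes(32)
    delivered, seen = relay(mek, chain)
    print("delivered intact:", delivered == mek)
    print("nodes holding the plaintext MEK:", sum(s == mek for s in seen))
    print("key bytes left per link:", [link.remaining() for link in chain])
    try:
        relay(mek, chain, tamper_hop=1)
    except ValueError as err:
        print("modified packet:", err)
```

Each hop consumes as many pad bytes as the MEK is long plus a fresh authentication key, so at this chapter's key rates the relay is budgeted per link rather than end to end.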

An example of a trusted-node quantum network is the *SECOQC Network*, implemented in October 2008 in Vienna, Austria (Peev et al. (2009)). This network comprised six nodes, connected by different QKD systems (or platforms). One of the main results of the deployment of this network was the development of an interface between a QKD system and existing (non-quantum) information and communication technology (ICT) systems. Also as a result of this project, an Industry Specification Group (ISG) of the European Telecommunications Standards Institute (ETSI) for QKD was put in operation to create universally accepted QKD standards (Langer & Lenhart (2009)). Another example is the *Tokyo QKD Network*, inaugurated in October 2010, also comprising six trusted-nodes connected by P2P QKD links forming the quantum backbone. The Tokyo Network includes a key management server for centralized management of the key life cycle and to determine the secure paths between two distant nodes (Sasaki et al. (2011)).

<sup>14</sup> The current state-of-the-art allows gate rates of 2 GHz – an improvement of a factor of 1000 compared to commercially available detectors.

Fig. 11. Examples for different quantum network topologies (all based on trusted nodes). a) SECOQC Network showing quantum channels (black) and classical channels (green) between the nodes. b) Tokyo Network. c) Hefei Network showing a star-type network.

## **8.2 Optically configurable quantum networks**

An optically configurable quantum network utilizes passive or active optical devices (e.g. beam splitters, optical switches, wavelength multiplexers, etc.) in the quantum channel to allow QKD between multiple pairs of users. The benefit of this kind of network, in contrast to the previous kind, is that the nodes between the two parties that establish a secret key do not have to be trusted. Configurable quantum networks can be implemented with current technology. However, the distance over which a secret key can be established is limited to ∼100 km, restricting its use to local or metropolitan areas.

The first investigations towards optically configurable quantum networks were pursued within the framework of the *DARPA Quantum Network* (Elliot et al. (2005)) which was operational from 2004 to approximately 2008 in Massachusetts, USA. This network consisted of 8 nodes and employed various QKD platforms; 4 of these nodes were connected via active optical switches. A second example is the quantum network located in Hefei (Anhui), China. This hybrid network combines trusted relays and all-pass optical switches, allowing interconnection among all 5 nodes (Chen et al. (2010)).

## **8.3 Fully quantum-enabled networks**

Fully quantum-enabled networks require technologies such as entanglement swapping, entanglement purification, quantum error correction and quantum memories (Kimble (2008)). These networks are not limited by the distance barrier imposed to optically configurable networks, and do not require trust in nodes, as opposed to trusted-node networks. However, the technology required for fully quantum-enabled networks is not yet mature, even though all basic building blocks have meanwhile been demonstrated in proof-of-concept experiments (Lvovsky et al. (2009); Sangouard et al. (2011)).

## **9. The future**

To conclude this chapter, let us briefly address a few directions in which QKD is likely to evolve in the near future.

First, QKD systems will be improved to deliver secret keys at Mbps rates, as has already been demonstrated in the QKD system developed by Toshiba. Progress beyond this rate can be expected to be slow, as many constituents, such as single photon detectors, face technical limitations that would require expensive and time-consuming engineering at the component level.

Next, the critical assessment of QKD implementations with respect to security loopholes will continue, and a lot of work will be devoted to the elimination of attacks through the development of better technology and the improvement of security proofs and protocols in the sense of making them more applicable to real-world devices. Key words here are *squashing models* (Lütkenhaus (2000)) and *device-independent protocols* (Masanes et al. (2011)). Squashing models allow the use of qubit-based security proofs for non-qubit-based implementations. Device-independent protocols go beyond squashing and attempt to remove not only all assumptions about the nature of the quantum systems used to transmit quantum information, but also those about the classical devices used by Alice and Bob.

Furthermore, going beyond QKD, other quantum cryptography protocols that provide benefits compared to their classical analogs will receive more attention. Examples include quantum coin flipping (Berlin et al. (2009)) or quantum private database queries (Jakobi et al. (2011)). An interesting problem here is to devise protocols that can tolerate loss and errors, which are both present in real-world implementations.

Finally, the integration of QKD into networks will be improved, and technologies required for breaking the distance barrier by means of quantum repeaters and for fully quantum-enabled networks will be further advanced. This challenge is huge and immensely interesting, but progress over the past 5 years has been surprisingly rapid, and we believe that a fully quantum-enabled network will eventually be built.

## **10. Acknowledgements**

The authors thank V. Kiselyov for technical support and S. Hosier for all the help with setting up the QKD system. This work is supported by General Dynamics Canada, Alberta's Informatics Circle of Research Excellence (iCORE, now part of Alberta Innovates Technology Futures), the National Science and Engineering Research Council of Canada (NSERC), QuantumWorks, Canada Foundation for Innovation (CFI), Alberta Advanced Education and Technology (AET), and the Mexican Consejo Nacional de Ciencia y Tecnología (CONACYT).

## **11. References**

Bennett, C. & Brassard, G. (1984). Quantum cryptography: Public key distribution and coin tossing, *Proceedings of IEEE International Conference on Computers Systems and Signal Processing* pp. 175–179.

Bennett, C. H., Bessette, F., Brassard, G., Salvail, L. & Smolin, J. (1992). Experimental quantum cryptography, *Journal of Cryptology* 5(3): 253–265.

Berlin, G., Brassard, G., Bussières, F. & Godbout, N. (2009). Fair loss-tolerant quantum coin flipping, *Physical Review A* 80(6): 062321.

Brassard, G., Lütkenhaus, N., Mor, T. & Sanders, B. (2000). Limitation on practical quantum cryptography, *Physical Review Letters* 85: 1330–1333.

Chen, T., Wang, J., Liang, H., Liu, W.-Y., Liu, Y., Jiang, X., Wang, Y., Wan, X., Cai, W.-Q., Ju, L., Chen, L.-K., Wang, L.-J., Gao, Y., Chen, K., Peng, C.-Z., Chen, Z.-B. & Pan, J.-W. (2010). Metropolitan all-pass and inter-city quantum communication network, *Optics Express* 18(26): 27217–27225.

Dixon, A., Yuan, Z. L., Dynes, J., Sharpe, A. W. & Shields, A. (2010). Continuous operation of high bit rate quantum key distribution, *Applied Physics Letters* 96: 161102–161105.

Elliot, C., Colvin, A., Pearson, D., Pikalo, O., Schlafer, J. & Yeh, H. (2005). Current status of the DARPA quantum network, *Proceedings of SPIE* 5815: 138–149.

Fürst, M., Weier, H., Nauerth, S., Marangon, D. G., Kurtsiefer, C. & Weinfurter, H. (2010). High speed optical quantum random number generation, *Optics Express* 18(12): 13029–13037.

Gallager, R. (1962). Low-density parity-check codes, *IRE Transactions on Information Theory* 8(1): 21–28.

Gisin, N., Ribordy, G., Tittel, W. & Zbinden, H. (2002). Quantum cryptography, *Review Modern Physics* 74: 145–195.

Gottesman, D., Lo, H., Lütkenhaus, N. & Preskill, J. (2004). Security of quantum key distribution with imperfect devices, *Quantum Information and Computation* 4: 325.

Honjo, T., Uchida, A., Amano, K., Hirano, K., Someya, H., Okumura, H., Yoshimura, K., Davis, P. & Tokura, Y. (2009). Differential-phase-shift quantum key distribution experiment using fast physical random bit generator with chaotic semiconductor lasers, *Optics Express* 17(11): 9053–9061.

idQuantique (2011). www.idQuantique.com.

Jakobi, M., Simon, C., Gisin, N., Bancal, J.-D., Branciard, C., Walenta, N. & Zbinden, H. (2011). Practical private database queries based on a quantum-key-distribution protocol, *Physical Review A* 83(2): 022301.

Kimble, H. J. (2008). The quantum internet, *Nature* 453: 1023–1030.

Kleinjung, T., Aoki, K., Franke, J., Lenstra, A., Thomé, E., Bos, J., Gaudry, P., Kruppa, A., Montgomery, P., Osvik, D., te Riele, H., Timofeev, A. & Zimmermann, P. (2010). Factorization of a 768-bit RSA modulus, *in* T. Rabin (ed.), *Advances in Cryptology – CRYPTO 2010*, Vol. 6223 of *Lecture Notes in Computer Science*, Springer Berlin / Heidelberg, pp. 333–350.

Lamas-Linares, A. & Kurtsiefer, C. (2007). Breaking a quantum key distribution system through a timing side channel, *Optics Express* 15(15): 9388–9393.

Langer, T. & Lenhart, G. (2009). Standardization of quantum key distribution and the ETSI standardization initiative ISG-QKD, *New Journal of Physics* 11(5): 055051.

Liu, Y. (2010). Decoy-state quantum key distribution with polarized photons over 200 km, *Optics Express* 18(8): 8587.

Lucio-Martinez, I., Chan, P., Mo, X.-F., Hosier, S. & Tittel, W. (2009). Proof-of-concept of real world quantum key distribution with quantum frames, *New Journal of Physics* 11(9): 095001.

Lütkenhaus, N. (2000). Security against individual attacks for realistic quantum key distribution, *Physical Review A* 61: 052304.

Lvovsky, A. I., Sanders, B. C. & Tittel, W. (2009). Optical quantum memory, *Nature Photonics* 3: 706–714.

MacKay, D. & Neal, R. (1997). Near Shannon limit performance of low density parity check codes, *Electronics Letters* 33(6): 457–458.

MagiQ (2011). http://www.magiqtech.com/MagiQ/Home.html.

Makarov (2011). Secure gated detection scheme for quantum cryptography, *Physical Review A* 83(3): 032306.

Masanes, L., Pironio, S. & Acín, A. (2011). Secure device-independent quantum key distribution with causally independent measurement devices, *Nat. Commun.* 2(238).

Nielsen, M. A. & Chuang, I. L. (2004). *Quantum Computation and Quantum Information (Cambridge Series on Information and the Natural Sciences)*, 1 edn, Cambridge University Press.

Pearson, D. (2004). High-speed QKD reconciliation using forward error correction, *Proc. 7th International Conference on Quantum Communication, Measurement and Computing (QCMC)*, Vol. 734, pp. 299–302.

Peev, M., Pacher, C., Alléaume, R., Barreiro, C., Bouda, J., Boxleitner, W., Debuisschert, T., Diamanti, E., Dianati, M., Dynes, J. F., Fasel, S., Fossier, S., Fürst, M., Gautier, J.-D., Gay, O., Gisin, N., Grangier, P., Happe, A., Hasani, Y., Hentschel, M., Hübel, H., Länger, G. H. T., Legré, M., Lieger, R., Lodewyck, J., Lorünser, T., Lütkenhaus, N., Marhold, A., Matyus, T., Maurhart, O., Monat, L., Nauerth, S., Page, J.-B., Poppe, A., Querasser, E., Ribordy, G., Robyr, S., Salvail, L., Sharpe, A. W., Shields, A. J., Stucki, D., Suda, M., Tamas, C., Themel, T., Thew, R. T., Thoma, Y., Treiber, A., Trinkler, P., Tualle-Brouri, R., Vannel, F., Walenta, N., Weier, H., Weinfurter, H., Wimberger, I., Yuan, Z. L., Zbinden, H. & Zeilinger, A. (2009). The SECOQC quantum key distribution network in Vienna, *New Journal of Physics* 11: 075001.

Qi, B., Zhao, Y., Ma, X., Lo, H.-K. & Qian, L. (2007). Quantum key distribution with dual detectors, *Physical Review A* 75(5): 052304–052314.

Quintessence (2011). http://www.quintessencelabs.com/.

Restelli, A., Bienfang, J. C., Mink, A. & Clark, C. W. (2009). Quantum key distribution at GHz transmission rates, *Proceedings of SPIE* 7236(72360L): 1–7.

Sangouard, N., Simon, C., de Riedmatten, H. & Gisin, N. (2011). Quantum repeaters based on atomic ensembles and linear optics, *Review Modern Physics* 83(1): 33–80.

Sasaki, M., Fujiwara, M., Ishizuka, H., Klaus, W., Wakui, K., Takeoka, M., Tanaka, A., Yoshino, K., Nambu, Y., Takahashi, S., Tajima, A., Tomita, A., Domeki, T., Hasegawa, T., Sakai, Y., Kobayashi, H., Asai, T., Shimizu, K., Tokura, T., Tsurumaru, T., Matsui, M., Honjo, T., Tamaki, K., Takesue, H., Tokura, Y., Dynes, J. F., Dixon, A. R., Sharpe, A. W., Yuan, Z. L., Shields, A. J., Uchikoga, S., Legré, M., Robyr, S., Trinkler, P., Monat, L., J.-B., Ribordy, G., Poppe, A., Allacher, A., Maurhart, O., Länger, T., Peev, M. & Zeilinger, A. (2011). Field test of quantum key distribution in the Tokyo QKD network, *Optics Express* 19(11): 10387–10409.

Scarani, V., Bechmann-Pasquinucci, H., Cerf, N. J., Dušek, M., Lütkenhaus, N. & Peev, M. (2009). The security of practical quantum key distribution, *Review Modern Physics* 81: 1301.

Schmitt-Manderbach, T., Weier, H., Furst, M., Ursin, R., Tiefenbacher, F., Sheidl, T., Perdigues, J., Sodnik, Z., Kurtsiefer, C., Rarity, J. G., Zeilinger, A. & Weinfurter, H. (2007). Experimental demonstration of free-space decoy-state quantum key distribution over 144 km, *Physical Review Letters* 98(1): 010504.

Stebila, D., Mosca, M. & Lütkenhaus, N. (2010). The case for quantum key distribution, *Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering* 36: 283–296.

Stucki, D., Walenta, N., Vannel, F., Thew, R. T., Gisin, N., Zbinden, H., Gray, S., Towery, C. R. & Ten, S. (2009). High rate, long-distance quantum key distribution over 250 km of ultra low loss fibers, *New Journal of Physics* 11: 075003.

Tittel, W. & Weihs, G. (2001). Photonic entanglement for fundamental tests and quantum communication, *Quantum Information and Computation* 1(2): 3–56.

Ursin, R., Jennewein, T., Kofler, J., Perdigues, J., Cacciapuoti, L., de Matos, C., Aspelmeyer, M., Valencia, A., Scheidl, T., Acin, A., Barbieri, C., Bianco, G., Brukner, C., Capmany, J., Cova, S., Giggenbach, D., Leeb, W., Hadfield, R., Laflamme, R., Lütkenhaus, N., Milburn, G., Peev, M., Ralph, T., Rarity, J., Renner, R., Samain, E., Solomos, N., Tittel, W., Torres, J., Toyoshima, M., Ortigosa-Blanch, A., Pruneri, V., Villoresi, P., Walmsley, I., Weihs, G., Weinfurter, H., Zukowski, M. & Zeilinger, A. (2009). Space-quest, experiments with quantum entanglement in space, *Europhysics News* 40(3): 26–29.

**14**

**Optical Properties of Quantum-Confined Semiconductor Structures Driven by Strong Terahertz Fields**

Tong-Yi Zhang and Wei Zhao

*State Key Laboratory of Transient Optics and Photonics, Xi'an Institute of Optics and Precision Mechanics, Chinese Academy of Sciences People's Republic of China*

**1. Introduction**

The development of femtosecond pulse lasers is one of the key breakthroughs in the field of terahertz (THz) technology. THz radiation (also called T-rays) lies in the frequency gap between the infrared and microwaves, loosely referring to frequencies from 300 GHz to 30 THz. THz radiation has long been used in astronomy and analytical science. Despite great scientific interest, however, the THz frequency range remains one of the least developed regions of the electromagnetic spectrum, due to the relative lack of convenient radiation sources, detectors and transmission technology. Thanks to the development of femtosecond pulse lasers, THz research has moved to center stage during the last quarter century. Most milestones in the development of THz technology, such as THz time-domain spectroscopy and THz pulse imaging, rely on the generation of THz pulses by employing high-power femtosecond laser pulses.

In parallel to the development of THz pulsed sources, there has been a rapid expansion in developing continuous or quasi-continuous THz wave sources, such as THz free-electron lasers, photomixers, and quantum cascade lasers. High-power and frequency-tunable THz free-electron lasers have been successfully applied in scientific research into optical and transport properties in different semiconductor structures. The strong THz ac fields can coherently modify the optical properties of semiconductors. This modulation of optical properties is an essential ingredient for advanced optoelectronic devices.

This chapter reviews two topics about THz radiation and is organized as follows. In section 2, the generation of THz pulses by exploiting femtosecond laser pulses to excite photoconductive antennas, nonlinear optical crystals, and quantum-confined structures is introduced, with emphasis on the large-aperture photoconductive antennas. In section 3, the fundamental theory of optical absorption and formulations of semiconductor Bloch equations (SBEs) are presented, which have been used to investigate the optical response of semiconductor structures pumped by intense THz radiation and probed by an infrared pulse. The modulated optical properties in quantum-confined semiconductor structures driven by strong THz fields are discussed in section 4. Finally, a brief summary is given in the last section. The contents of the chapter are based on the work by the authors' research group at Xi'an Institute of Optics and Precision Mechanics, Chinese Academy of Sciences, but some

