• *Classical computationally secure symmetric-key cryptographic schemes* (requires a preinstalled key on both sides and can be used only as scheme for increase in key size but not as key distribution scheme).

• *Quantum key distribution* (provides information-theoretic security; it can also be used as a scheme for increase in key length).

• *Trusted Couriers Key Distribution* (it has a high price and is dependent on the human factor).

In recent years, quantum cryptography (QC) has attracted considerable interest. Quantum key distribution (QKD) (Bennett, 1992; Bennett et al., 1992; Bennett et al., 1995; Bennett & Brassard, 1984; Bouwmeester et al., 2000; Gisin et al., 2002; Lütkenhaus & Shields, 2009; Scarani et al., 2009; Vasiliu & Vorobiyenko 2006; Williams, 2011) plays a dominant role in QC. The overwhelming majority of theoretical and practical research projects in QC are related to the development of QKD protocols. The number of different quantum technologies is increasing, but there is no comprehensive information about the classification of these technologies in the scientific literature (there are only a few works concerning different classifications of QKD protocols, for example (Gisin et al., 2002; Scarani et al., 2009)). This makes it difficult to estimate the level of the latest achievements and does not allow quantum technologies to be used with full efficiency. The main purpose of this chapter is the systematisation and classification of up-to-date effective quantum technologies for the security of data transmitted via telecommunication channels, and the analysis of their strengths and weaknesses, prospects and difficulties of implementation in telecommunication systems.

**2. Main approaches to quantum secure telecommunication systems construction**

First of all, *quantum technologies of information security* consist of (Korchenko et al., 2010b):

• Quantum key distribution.

• Quantum secure direct communication.

• Quantum steganography.

• Quantum secret sharing.

• Quantum stream cipher.

• Quantum digital signature, etc.

The theoretical basis of quantum cryptography is stated in a set of books and review papers (see e.g. Bouwmeester et al., 2000; Gisin et al., 2002; Hayashi, 2006; Imre & Balazs, 2005; Kollmitzer & Pivk, 2010; Lomonaco, 1998; Nielsen & Chuang, 2000; Schumacher & Westmoreland, 2010; Vedral, 2006; Williams, 2011).

**2.1 Quantum key distribution**

QKD includes the following protocols: protocols using single (non-entangled) qubits (two-level quantum systems) and qudits (d-level quantum systems, d>2) (Bennett, 1992; Bennett et al., 1992; Bourennane et al., 2002; Bruss & Macchiavello, 2002; Cerf et al., 2002; Gnatyuk et al., 2009); protocols using phase coding (Bennett, 1992); protocols using entangled states (Ekert, 1991; Durt et al., 2004); decoy states protocols (Brassard et al., 2000; Liu et al., 2010; Peng et al., 2007; Yin et al., 2008; Zhao et al., 2006a, 2006b); and some other protocols (Bradler, 2005; Lütkenhaus & Shields, 2009; Navascués & Acín, 2005; Pirandola et al., 2008).

The main task of QKD protocols is encryption key generation and distribution between two users connected via quantum and classical channels (Gisin et al., 2002). In 1984 Ch. Bennett from IBM and G. Brassard from Montreal University introduced the first QKD protocol (Bennett & Brassard, 1984), which has become an alternative solution for the problem of key distribution. This protocol is called *BB84* (Bouwmeester et al., 2000) and it refers to QKD protocols using single qubits. The states of these qubits are the polarisation states of single photons. The BB84 protocol uses four polarisation states of photons (0°, 45°, 90°, 135°). These states refer to two mutually unbiased bases. Error searching and correcting is performed using a classical public channel, which need not be confidential but only authenticated. For the detection of intruder actions in the BB84 protocol, an error control procedure is used, and for providing unconditional security a privacy amplification procedure is used (Bennett et al., 1995). The efficiency of the BB84 protocol equals 50%. Efficiency means the ratio of the number of photons used for key generation to the total number of transmitted photons.

*Six-state protocol* requires the usage of four states, which are the same as in the BB84 protocol, and two additional directions of polarization: right circular and left circular (Bruss, 1998). Such changes decrease the amount of information, which can be intercepted. But on the other hand, the efficiency of the protocol decreases to 33%.
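The efficiency figures quoted above (50% for BB84, 33% for the six-state protocol) and the role of the error control procedure can be reproduced with a small Monte Carlo simulation. This is an added example, not code from the chapter: it assumes ideal single-photon pulses, a lossless and noiseless channel, and an illustrative abort threshold of 5%; all function names are hypothetical. The error levels it reports under intercept-resend (about 25% and 33%) are standard textbook values, not figures stated in the chapter.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: the preparation basis reproduces the bit, any other
    (mutually unbiased) basis gives a uniformly random outcome."""
    return bit if prep_basis == meas_basis else rng.getrandbits(1)

def transmit(n_pulses, n_bases, eavesdropper=False, seed=1):
    """Prepare-and-measure QKD with n_bases mutually unbiased bases
    (2 = BB84, 3 = six-state). Returns Alice's and Bob's sifted keys."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_pulses):
        bit, a_basis = rng.getrandbits(1), rng.randrange(n_bases)
        flying_bit, flying_basis = bit, a_basis
        if eavesdropper:
            # Intercept-resend: Eve measures in a random basis and resends
            # the state she observed.
            e_basis = rng.randrange(n_bases)
            flying_bit = measure(flying_bit, flying_basis, e_basis, rng)
            flying_basis = e_basis
        b_basis = rng.randrange(n_bases)
        b_bit = measure(flying_bit, flying_basis, b_basis, rng)
        if a_basis == b_basis:  # sifting: bases are compared publicly
            alice_key.append(bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def error_control(alice_key, bob_key, sample_size, threshold, seed=2):
    """Publicly compare a random sample of the sifted key and discard it.
    Returns (estimated_error_level, accept, alice_rest, bob_rest)."""
    rng = random.Random(seed)
    sample = set(rng.sample(range(len(alice_key)), sample_size))
    mismatches = sum(alice_key[i] != bob_key[i] for i in sample)
    estimate = mismatches / sample_size
    rest = [i for i in range(len(alice_key)) if i not in sample]
    return (estimate, estimate <= threshold,
            [alice_key[i] for i in rest], [bob_key[i] for i in rest])

def summary(n_pulses, n_bases, eavesdropper, threshold=0.05):
    """Return (efficiency, estimated_error_level, accept) for one run.
    threshold is an assumed abort level, not a value from the chapter."""
    a, b = transmit(n_pulses, n_bases, eavesdropper)
    efficiency = len(a) / n_pulses
    estimate, accept, _, _ = error_control(a, b, len(a) // 4, threshold)
    return efficiency, estimate, accept

if __name__ == "__main__":
    for name, n_bases in (("BB84", 2), ("six-state", 3)):
        for eve in (False, True):
            eff, err, ok = summary(40000, n_bases, eve)
            print(f"{name:9s} eve={eve!s:5s} efficiency={eff:.3f} "
                  f"error={err:.3f} accept={ok}")
```
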

Next, the *4+2 protocol* is intermediate between the BB84 and B92 protocols (Huttner et al., 1995). There are four different states used in this protocol for encryption: "0" and "1" in two bases. States in each basis are selected to be non-orthogonal. Moreover, states in different bases must also be pairwise non-orthogonal. This protocol has a higher information security level than the BB84 protocol when weak coherent pulses, rather than a single photon source, are used by the sender (Huttner et al., 1995). But the efficiency of the 4+2 protocol is lower than the efficiency of the BB84 protocol.

In the *Goldenberg-Vaidman protocol* (Goldenberg & Vaidman, 1995), encryption of "0" and "1" is performed using two orthogonal states. Each of these two states is the superposition of two localised normalised wave packets. For protection against intercept-resend attack, packets are sent at random times.

A modified type of Goldenberg-Vaidman protocol is called the *Koashi-Imoto protocol* (Koashi & Imoto, 1997). This protocol does not use a random time for sending packets, but it uses an interferometer's non-symmetrisation (the light is broken in equal proportions between both long and short interferometer arms).

The measure of QKD protocol security is Shannon's mutual information between legitimate users (Alice and Bob) and an eavesdropper (Eve): $I_{AE}(D)$ and $I_{BE}(D)$, where *D* is the error level which is created by eavesdropping. For most attacks on QKD protocols, $I_{AE}(D) = I_{BE}(D)$; we will therefore use $I_{AE}(D)$. The lower $I_{AE}(D)$ in the extended range of *D* is, the more secure the protocol is.

Six-state protocol and BB84 protocol were generalised to the case of *d*-level quantum systems, i.e. qudits instead of qubits (Cerf et al., 2002). This allows increasing the information capacity of protocols. We can transfer information using *d*-level quantum systems (which correspond to the usage of trits, quarts, etc.). It is important to notice that QKD protocols are intended for classical information (key) transfer via quantum channel.

The generalisation of BB84 protocol for qudits is called protocol using single qudits and two bases due to use of two mutually unbiased bases for the eavesdropping detection. Similarly, the generalisation of six-state protocol is called protocol using qudits and *d*+1 bases. These protocols' security against intercept-resend attack and non-coherent attack was investigated in a number of articles (see e.g. Cerf et al., 2002). Vasiliu & Mamedov have carried out a comparative analysis of the efficiency and security of different protocols using qudits on the basis of known formulas for mutual information (Vasiliu & Mamedov, 2008).

In fig. 1 dependences of $I_{AB}(D)$, $I_{AE}^{(d+1)}(D)$ and $I_{AE}^{(2)}(D)$ are presented, where $I_{AB}(D)$ is mutual information between Alice and Bob and $I_{AE}^{(d+1)}(D)$ and $I_{AE}^{(2)}(D)$ is mutual information between Alice and Eve for protocols using *d*+1 and two bases accordingly.

Fig. 1. Mutual information for non-coherent attack. 1, 2, 3 — $I_{AB}(D)$ for *d* = 2, 4, 8 (a) and *d* = 16, 32, 64 (b); 4, 5, 6 — $I_{AE}^{(d+1)}(D)$ for *d* = 2, 4, 8 (a) and *d* = 16, 32, 64 (b); 7, 8, 9 — $I_{AE}^{(2)}(D)$ for *d* = 2, 4, 8 (a) and *d* = 16, 32, 64 (b).

In fig. 1 we can see that at low qudit dimension (up to *d* ~ 16) the protocol's security against non-coherent attack is higher when *d*+1 bases are used (when *d* = 2 it corresponds, as noted above, to greater security of the six-state protocol than the BB84 protocol). But the protocol's security is higher when two bases are used in the case of large *d*, while the difference in Eve's information (using *d*+1 or two bases) is not large in the work region of the protocol, i.e. in the region of Alice's and Bob's low error level. That is why the number of bases used has little influence on the security of the protocol against non-coherent attack (at least for the qudit dimension up to *d* = 64). The crossing points of curves $I_{AB}(D)$ and $I_{AE}(D)$ correspond to boundary values of *D*, up to which legitimate users can establish a secret key by means of a privacy amplification procedure (even when eavesdropping occurs) (Bennett et al., 1995).
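The boundary error level at which the $I_{AB}(D)$ and $I_{AE}^{(2)}(D)$ curves cross can be located numerically for the qudit dimensions plotted in fig. 1. This is an added example, not code from the chapter: it assumes the mutual-information expressions for the two-bases protocol under the optimal non-coherent (cloning) attack as given by Cerf et al. (2002), which the chapter cites but does not reproduce, and the function names are illustrative.

```python
import math

def symmetric_channel_info(fidelity, d):
    """Mutual information (bits per qudit) of a d-ary channel in which the
    correct symbol arrives with probability `fidelity` and the d-1 wrong
    symbols are equally likely."""
    f, e = fidelity, 1.0 - fidelity
    info = math.log2(d)
    if f > 0:
        info += f * math.log2(f)
    if e > 0:
        info += e * math.log2(e / (d - 1))
    return info

def i_ab(D, d):
    """Alice-Bob mutual information at error level D."""
    return symmetric_channel_info(1.0 - D, d)

def eve_fidelity_two_bases(D, d):
    """Eve's fidelity for the two-bases protocol (assumed formula from
    Cerf et al., 2002), as a function of Bob's error level D."""
    F = 1.0 - D
    fe = F / d + (d - 1) * (1 - F) / d + (2 / d) * math.sqrt((d - 1) * F * (1 - F))
    return min(fe, 1.0)  # guard against rounding just above 1

def i_ae(D, d):
    """Alice-Eve mutual information at error level D (two bases)."""
    return symmetric_channel_info(eve_fidelity_two_bases(D, d), d)

def secret_fraction(D, d):
    """Information advantage I_AB - I_AE that privacy amplification can turn
    into secret key; zero once Eve knows at least as much as Bob."""
    return max(0.0, i_ab(D, d) - i_ae(D, d))

def boundary_error_level(d, tol=1e-12):
    """Bisection for the crossing point of I_AB(D) and I_AE(D).
    I_AB falls and I_AE rises on [0, (d-1)/d], so the crossing is unique."""
    lo, hi = 0.0, (d - 1) / d
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if i_ab(mid, d) > i_ae(mid, d):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    for d in (2, 4, 8, 16, 32, 64):
        D_star = boundary_error_level(d)
        print(f"d={d:2d}  boundary D={D_star:.4f}  "
              f"I_AB-I_AE at D=0.05: {secret_fraction(0.05, d):.3f} bits")
```
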

It is shown (Vasiliu & Mamedov, 2008) that the security of a protocol with qudits using two bases against intercept-resend attack is practically equal to the security of this protocol against non-coherent attack at any *d*. At the same time, the security of the protocol using *d*+1 bases against this attack is much higher. Intercept-resend attack is the weakest of all possible attacks on QKD protocols, but on the other hand, the efficiency of the protocol using *d*+1 bases rapidly decreases as *d* increases. A protocol with qudits using two bases therefore has higher security and efficiency than a protocol using *d*+1 bases.

Another type of QKD protocol is a *protocol using phase coding*: for example, the *B92 protocol* (Bennett, 1992) using strong reference pulses (Gisin et al., 2002). An eavesdropper can obtain more information about the encryption key in the B92 protocol than in the BB84 protocol for the given error level, however. Thus, the security of the B92 protocol is lower than the security of the BB84 protocol (Fuchs et al., 1997). The efficiency of the B92 protocol is 25%.

The *Ekert protocol (E91)* (Ekert, 1991) refers to QKD protocols using entangled states. Entangled pairs of qubits that are in a singlet state $|\psi^{-}\rangle = \frac{1}{\sqrt{2}}\left(|01\rangle - |10\rangle\right)$ are used in this protocol. Qubit interception between Alice and Bob does not give Eve any information because no coded information is there. Information appears only after legitimate users make measurements and communicate via a classical public authenticated channel (Ekert, 1991). But attacks with additional quantum systems (ancillas) are nevertheless possible on this protocol (Inamori et al., 2001).

Kaszlikowski et al. carried out the generalisation of the Ekert scheme for three-level quantum systems (Kaszlikowski et al., 2003) and Durt et al. carried out the generalisation of the Ekert scheme for *d*-level quantum systems (Durt et al., 2004): this increases the information capacity of the protocol a lot. Also the security of the protocol using entangled qudits is investigated (Durt et al., 2004). In the paper (Vasiliu & Mamedov, 2008), based on the results of (Durt et al., 2004), the security comparison of protocol using entangled qudits and protocols using single qudits (Cerf et al., 2002) against non-coherent attack is made. It was found that the security of these two kinds of protocols is almost identical. But the efficiency of the protocol using entangled qudits increases more slowly with the increasing dimension of qudits than the efficiency of the protocol using single qudits and two bases. Thus, from all contemporary QKD protocols using qudits, the most effective and secure against non-coherent attack is the protocol using single qudits and two bases (BB84 for qubits).

The aforementioned protocols with qubits are vulnerable to photon number splitting attack. This attack cannot be applied when the photon source emits exactly one photon. But there are still no such photon sources. Therefore, sources with Poisson distribution of photon number are used in practice. A part of the pulses of such a source has more than one photon. That is why Eve can intercept one photon from a pulse (which contains two or more photons) and store it in quantum memory until Alice transfers Bob the sequence of bases used. Then Eve can measure stored states in the correct basis and get the cryptographic key while remaining invisible. It should be noted that there are more advanced strategies of photon number splitting attack which allow Bob to get the correct statistics of the photon number in pulses if Bob is controlling these statistics (Lutkenhaus & Jahma, 2002).

In practice, for realisation of BB84 and six-state protocols, weak coherent pulses with average photon number about 0.1 are used. This keeps the probability of two- and multi-photon pulses small, but it also considerably reduces the key rate.

The *SARG04 protocol* does not differ much from the original BB84 protocol (Branciard et al., 2005; Scarani et al., 2004; Scarani et al., 2009). The main difference does not refer to the "quantum" part of the protocol; it refers to the "classical" procedure of key sifting, which goes after quantum transfer. Such improvement allows increasing security against photon number splitting attack. The SARG04 protocol in practice has a higher key rate than the BB84 protocol (Branciard et al., 2005).

Another way of protecting against photon number splitting attack is the use of *decoy states QKD protocols* (Brassard et al., 2000; Peng et al., 2007; Rosenberg et al., 2007; Zhao et al., 2006), which are also advanced types of BB84 protocol. In such protocols, besides information signals Alice's source also emits additional pulses (decoys) in which the average photon number differs from the average photon number in the information signal. Eve's attack will modify the statistical characteristics of the decoy states and/or signal state and will be detected. As practical experiments have shown for these protocols (as for the SARG04 protocol), the key rate and practical length of the channel are bigger than for BB84 protocols (Peng et al., 2007; Rosenberg et al., 2007; Zhao et al., 2006). Nevertheless, it is necessary to notice that with these protocols, as with the others considered above, it is impossible to construct a complete high-grade solution of the problem of key distribution without pre-authentication of users.

As a conclusion, after the analysis of the first and scale quantum method, we must sum up and highlight the following *advantages of QKD protocols:*

1. These protocols always allow eavesdropping to be detected because Eve's connection introduces a much higher error level (compared with the natural error level) into the quantum channel. The laws of quantum mechanics allow eavesdropping to be detected and the dependence between error level and intercepted information to be set. This allows applying a privacy amplification procedure, which decreases the quantity of information about the key that can be intercepted by Eve. Thus, QKD protocols have unconditional (information-theoretic) security.

2. The information-theoretic security of QKD allows using an absolutely secret key for further encryption using well-known classical symmetrical algorithms. Thus, the entire information security level increases. It is also possible to combine QKD protocols with the Vernam cipher (one-time pad), which together with unconditionally secure authentication schemes gives a totally secured system for transferring information.

The disadvantages of quantum key distribution protocols are:

1. A system based only on QKD protocols cannot serve as a complete solution for key distribution in open networks (additional tools for authentication are needed).

2. The limitation of quantum channel length which is caused by the fact that there is no possibility of amplification without quantum properties being lost. However, the technology of quantum repeaters could overcome this limitation in the near future (Sangouard et al., 2011).

3. Need for using weak coherent pulses instead of single photon pulses. This decreases the efficiency of protocol in practice. But this technology limitation might be defeated in the nearest future.

4. The data transfer rate decreases rapidly with the increase in the channel length.

5. Photon registration problem which leads to key rate decreasing in practice.

6. Photon depolarization in the quantum channel. This leads to errors during data transfer. Now the typical error level equals a few percent, which is much greater than the error level in classical telecommunication systems.

7. Difficulty of the practical realisation of QKD protocols for *d*-level quantum systems.

8. The high price of commercial QKD systems.

**2.2 Quantum secure direct communication**

The next method of information security based on quantum technologies is the usage of *quantum secure direct communication (QSDC) protocols* (Boström & Felbinger, 2002; Chuan et al., 2005; Cai, 2004; Cai & Li, 2004a; Cai & Li, 2004b; Deng et al., 2003; Vasiliu, 2011; Wang et al., 2005a, 2005b). The main feature of QSDC protocols is that there are no cryptographic transformations; thus, there is no key distribution problem in QSDC. In these protocols, a secret message is coded by the quantum states of qubits (qudits), which are sent via quantum channel. QSDC protocols can be divided into several types:

• *Ping-pong protocol (and its enhanced variants)* (Boström & Felbinger, 2002; Cai & Li, 2004b; Chamoli & Bhandari, 2009; Gao et al., 2008; Ostermeyer & Walenta, 2008; Vasiliu & Nikolaenko, 2009; Vasiliu, 2011).

• *Protocols using block transfer of entangled qubits* (Deng et al., 2003; Chuan et al., 2005; Gao et al., 2005; Li et al., 2006; Lin et al., 2008; Xiu et al., 2009; Wang et al., 2005a, 2005b).

• *Protocols using single qubits* (Cai, 2004; Cai & Li, 2004a).

• *Protocols using entangled qudits* (Wang et al., 2005b; Vasiliu, 2011).

There are QSDC protocols for two parties and for multi-parties, e.g. broadcasting or when one user sends a message to another under the control of a trusted third party.

Most contemporary protocols require a transfer of qubits by blocks (Chuan et al., 2005; Wang et al., 2005). This allows eavesdropping to be detected in the quantum channel before transfer of information. Thus, transfer will be terminated and Eve will not obtain any secret information. But for storing such blocks of qubits there is a need for a large amount of quantum memory. The technology of quantum memory is actively being developed, but it is still far from usage in common standard telecommunication equipment. So from the viewpoint of technical realisation, protocols using single qubits or small groups of them (for one cycle of protocol) have an advantage. There are few such protocols and they have only asymptotic security, i.e. the attack will be detected with high probability, but Eve can obtain some part of information before detection. Thus, the problem of privacy amplification appears. In other words, new pre-processing methods of