Quantum key distribution involves establishing a key between a sender (“Alice”) and a receiver (“Bob”) by using weak (e.g., 0.1 photon on average) optical signals transmitted over a “quantum channel. ” The security of the key distribution is based on the quantum mechanical principle that any measurement of a quantum system in unknown state will modify its state. As a consequence, an eavesdropper (“Eve”) that attempts to intercept or otherwise measure the quantum signal will introduce errors into the transmitted signals, thereby revealing her presence.
The general principles of quantum cryptography were first set forth by Bennett and Brassard in their article “Quantum Cryptography: Public key distribution and coin tossing,” Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984, pp. 175-179 (IEEE, New York, 1984). A specific QKD system is described in U.S. Pat. No. 5,307,410 to Bennet (the '410 patent).
The Bennett-Brassard article and the '410 patent each describe a so-called “one-way” QKD system wherein Alice randomly encodes the polarization of single photons, and Bob randomly measures the polarization of the photons. The one-way system described in the '410 patent is based on a two-part optical fiber Mach-Zehnder interferometer. Respective parts of the interferometer are accessible by Alice and Bob so that each can control the phase of the interferometer. The signals (pulses) sent from Alice to Bob are time-multiplexed and follow different paths. As a consequence, the interferometers need to be actively stabilized to within a few tens of nanometers during transmission to compensate for thermal drifts. This is generally inconvenient for practical applications involving transmission distances measured in kilometers.
U.S. Pat. No. 6,438,234 to Gisin (the ‘234 patent’), which patent is incorporated herein by reference, discloses a so-called “two-way” QKD system that is autocompensated for polarization and thermal variations. FIG. 1 is a schematic diagram of the QKD device according to the '234 patent, and further including an optical delay line DL, the role of which is discussed below.
The device includes Alice and Bob connected by an optical fiber 3. Bob includes a 2×2 coupler 12. In principle, Bob's side is an unbalanced Michelson interferometer with one long arm going to Alice. Bob's side includes a pulsed laser 10, a first coupler 11, a Faraday mirror 16, a second coupler 12, a phase modulator 13, a second Faraday mirror 14 and a single photon detector 17. The laser 10 may be, e.g., a DFB laser and produces e.g. 300 picosecond (ps) long pulses at 1300 nm, with a repetition rate of e.g. 1 MHz. Alice's side includes a coupler 20, a “normal” detector 23 (i.e., a non-single-photon detector), a phase modulator 21, a Faraday mirror 22 and an attenuator 24 controlled by the detector 23.
Bob initiates transmission by sending a short, relatively strong laser pulse towards Alice. The pulse arriving in the coupler 12 is split into two parts (pulses), P1 and P2 (not shown). P1 goes directly towards Alice and P2 is first delayed by one bounce in the mirrors 14 and 16 (delay line). Pulses P1 and P2, travel down the fiber to Alice. The two pulses are split at coupler 20, with the majority of the pulse going to detector 23 so that weak pulses are sent through phase modulator 21. In order to encode her bits, Alice lets the first pulse P1 be reflected by mirror 22, but modulates the phase (phase shift φA) of the second pulse P2 using phase modulator 21 situated in front of Faraday mirror 22 The two pulses then travel back to Bob.
Detection on Bob's side is done by delaying part of P1 in the same delay line 14-16. Bob lets pulse P2 pass unaltered but modulates the phase of the first pulse P1 with the phase modulator 13 situated in front of the mirror 14 (phase shift φB). This pulse then interferes with P2. If the phase modulators at both Alice's and Bob's are off, or if the difference φA−φB.=0 (same phase shift applied to the two pulses P1 and P2), then the interference will be constructive (the two pulses follow exactly the same path). If however Alice or Bob change their phase setting between the two pulses, the interference may become destructive. Totally destructive interference is obtained when φA−φB=π. In this case no light is detected at single photon detector 17. Note that it is essential that the interference obtained when the phase shifts are different is totally destructive. This ensures that, when Bob obtains a detection event, he can be certain that Alice did not use a different phase, and thus that she used the same phase as Bob.
Because coupler 20 sends most of the light to detector 23, this detector is a convention detector, such as a PIN photodiode. Further, coupler 20 serves to attenuate the signal down to below the single-photon level (on average) needed to ensure protection against an eavesdropper (not shown). In addition, detector 23 can serve to monitor the intensity of the incoming signals from Bob and watch for a so-called “Trojan horse” attack, whereby an eavesdropper sends a strong probing pulse through Alice in order to read the value of her phase shifted reflected pulses.
As discussed in the article by Gisin et al., entitled “Quantum Cryptography,” Rev. Mod. Phys., Vol. 74, No. 1, January 2002, on pages 172-173, the intrinsically bi-directional nature of the reflective QKD system makes Rayleigh backscattering a cause of concern. With continuing reference to FIG. 1, light pulses P1 and P2 emitted by Bob into optical fiber 3 undergo scattering by inhomogeneities in the optical fiber material, and a small fraction of this light (˜1%) is recaptured by the fiber and travels backwards towards Bob. The backward traveling light can combine with phase-encoded signals returning to Bob from Alice, causing false counts at Bob.
To solve this problem, the QKD system described in the '234 and shown in FIG. 1 needs to further include the aforementioned optical delay line DL (e.g., an optical fiber spool) in Alice in which trains of pulses sent by Bob are stored. This ensures that pulses traveling to and from Bob are not simultaneously present in optical fiber 3 connecting Bob and Alice.
Another way of solving the problem of Rayleigh backscattering is to have Bob send weaker pulses. However, for this approach to be successful the system must have reduced attenuation, e.g., coupler 22 at Alice must allow much less light to travel to detector 23. Unfortunately, this makes the system more vulnerable to eavesdropping because Eve can use a probing pulse weak enough to avoid being detected by detector 23, which only detect optical signals having on the order of hundreds of photons or greater.
Specifically, the lack of sensitivity of detector 23 makes the two-way system of FIG. 1 vulnerable to two types of attacks: the Trojan horse attack, and the “man in the middle” attack. In an example of a Trojan horse attack, eavesdropper Eve transmits a relatively weak and short probing signal to Alice by tapping into the quantum channel. The probe pulse is timed so that it is sent through Alice's phase modulator 21 at or near the same time (or at or near the center frequency) as the pulse sent by Bob in an effort to obtain information about the phase Alice imparts to the pulse. The signal sent from Bob to Alice that is modulated at Alice and sent back to Bob remains unaffected by the probe signal. Again, for weak probe pulses, conventional detector 23 will not detect this kind of attack.
In a man in the middle attack, Eve places her apparatus between Alice and Bob and pretends that she is Alice or Bob. Eve can prepare weak signals to be transmitted to Alice to ascertain the phase modulator settings for an appropriate time and frequency. In addition, Eve makes a replica of signals modulated by Alice and introduces them onto the optical fiber so that the signals received by Bob appear to be identical. When Eve learns about the original Alice signals, she applies a corresponding phase shift. Due to the loss in the channel, Eve needs to learn only a small fraction of the time bins, which makes this type of attack very powerful.
Again, the presence of ordinary detector 23 cannot prevent such an attack because it is not sensitive enough to detect weak signals (i.e., signals having less than thousands of photons).