As is known, Quantum Key Distribution (QKD) is a technique based on the principles of quantum mechanics that enables two communication devices connected to each other by means of a quantum channel to generate a random cryptographic key, called quantum key, which can be used by said communication devices, or by the users of said communication devices, to communicate with each other in a secure manner over a public channel, or rather over an eavesdroppable channel, for example a connection via the Internet.
In general, the quantum channel comprises a quantum link, for example a link via optical fibre or in free space, and a conventional, or rather non-quantum, link, such as a connection via the Internet.
QKD provides that a series of quantum states, usually in the form of photons, is transmitted on the quantum channel, in particular over the quantum link of the quantum channel, in order to generate a quantum key common to the two communication devices.
In particular, QKD provides that the two communication devices perform the following operations:
- they measure specific properties, for example the polarization plane, of the photons transmitted over the quantum link of the quantum channel;
- they exchange, over the conventional link of the quantum channel, information related to the measurements carried out; and
- they generate one and the same quantum key on the basis of the measurements carried out and of the information exchanged over the conventional link of the quantum channel.
As is known, traditional cryptographic key distribution protocols do not permit detecting whether the distributed cryptographic keys have been eavesdropped. In particular, traditional cryptographic key distribution protocols do not permit discovering whether a cryptographic key distributed before starting an encrypted communication based on said cryptographic key has been eavesdropped, for example by means of a “man in the middle” attack.
On the contrary, QKD enables detecting if someone has attempted to abusively eavesdrop the quantum key. In particular, QKD not only enables detecting whether or not someone has abusively eavesdropped any exchanged information and/or any photons transmitted over the quantum channel during the generation of the quantum key, but also enables avoiding that the eavesdropped information could be used to trace the quantum key.
The BB84 protocol is a known QKD protocol that was described for the first time by C. H. Bennett and G. Brassard in "Quantum cryptography: Public key distribution and coin tossing", Proc. of the IEEE Int. Conf. on Computers, Systems & Signal Processing, Bangalore, India, Dec. 10-12, 1984, pp. 175-179.
In particular, the BB84 protocol enables two communication devices connected to each other by means of a quantum channel that comprises a quantum link and a conventional link, i.e., a non-quantum link, to generate a secure binary quantum key. Neither of the two links needs to be a secure connection; in fact, the BB84 protocol is also designed to take into account possible interference, in any form, with both of the links by an unauthorized third party.
In the following, the two communication devices will be called device A and device B for the sake of description simplicity.
In particular, according to the BB84 protocol, the device A transmits a series of quantum states to the device B over the quantum channel, specifically over the quantum link of the quantum channel, in the form of photons opportunely polarized to encode binary information. The polarizations of the transmitted photons can be defined according to two distinct bases, for example a first base + that comprises the orthogonal polarizations 0° and 90° and a second base × that comprises the orthogonal polarizations 45° and 135°.
In detail, according to the BB84 protocol, the device A performs the following operations:
- it generates a random sequence of bits; and,
- for each generated bit,
  - it randomly selects a respective base,
  - it transmits, over the quantum channel, specifically over the quantum link of the quantum channel, a respective photon polarized according to the respective selected base to encode said bit, and
  - it stores said bit, the respective selected base and the time instant when the respective photon is transmitted.
An example of how the photons transmitted over the quantum channel can be polarized to encode 0 or 1 in the two bases + and × is provided in the table below.
BASE    0       1
+       0°      90°
×       45°     135°
Moreover, for each photon received over the quantum channel, specifically over the quantum link of the quantum channel, the device B performs the following operations:
- it randomly selects a respective base;
- it measures the polarization of the received photon using the respective selected base;
- it determines the bit encoded by the measured polarization; and
- it stores the determined bit, the respective selected base and the time instant when said photon is received.
After transmission of the photons terminates, the device A sends to the device B, over the conventional link of the quantum channel, the bases used to polarize the transmitted photons, and the device B sends to the device A, again over the conventional link of the quantum channel, the bases used to measure the polarizations of the received photons. The devices A and B discard any bits for which the device B has used a base for measuring the photon's polarization that is different from the one used by the device A to polarize said photon. Each device thus obtains a respective raw key constituted by the non-discarded bits.
For the sake of description simplicity, up to now the BB84 protocol has been described assuming that the device A transmits single photons to the device B over the quantum channel. However, as is known, the BB84 protocol can also be implemented using pairs of so-called entangled photons, where the photons of each pair carry the same quantum information.
In particular, in the case of a BB84 protocol based on pairs of entangled photons, a quantum device coupled to the quantum channel that connects the devices A and B is used to transmit pairs of entangled photons over said quantum channel, specifically over the quantum link of the quantum channel, such that, for each transmitted pair, a first photon is received by the device A and a second photon is received by the device B.
In detail, in the case of a BB84 protocol based on pairs of entangled photons, for each photon received over the quantum channel, each of the devices A and B performs the following operations:
- it randomly selects a respective base;
- it measures the polarization of the received photon using the respective selected base;
- it determines the bit encoded by the measured polarization; and
- it stores the determined bit, the respective selected base and the time instant when said photon is received.
After transmission of the photons terminates, the devices A and B exchange the bases used to measure the polarizations of the received photons over the conventional link of the quantum channel and discard the bits for which they used different bases. Each device thus obtains a respective raw key constituted by the non-discarded bits.
Ideally, both in the case of a BB84 protocol based on single photons and in the case of a BB84 protocol based on pairs of entangled photons, the raw keys generated by the devices A and B should coincide. Unfortunately, however, in the real world the two raw keys do not coincide, both because of possible eavesdropping carried out by an unauthorized third party and because of the non-ideality of the quantum channel and of the communication devices involved in QKD, i.e. because of the errors, quantified by the quantum bit error rate (QBER), that are inevitably introduced when generating the raw keys.
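The following Python program, added here as an illustration and not code from the patent text or from the cited references, simulates the single-photon exchange described above (preparation by the device A, measurement by the device B, sifting of the bases over the conventional link) and the estimation of the QBER on a publicly compared sample of the raw keys. The photons are modelled classically: a measurement in the preparing base returns the encoded bit, a measurement in the other base returns a uniformly random bit. The `noise` parameter, which stands for the non-ideality of the channel and of the devices, and the intercept-resend eavesdropper are assumptions of this model, as are all numeric values.

```python
"""Classical simulation of the BB84 exchange (added example, not the patent's code).

Photons are modelled classically: measuring in the preparing base returns the
encoded bit, measuring in the other base returns a uniformly random bit (the
state collapses to one of the two polarizations of the measuring base).
"""
import random

# Polarization table from the text: base '+' is {0°, 90°}, base 'x' is {45°, 135°}.
POLARIZATION = {"+": {0: 0, 1: 90}, "x": {0: 45, 1: 135}}
BIT_OF = {(base, angle): bit
          for base, table in POLARIZATION.items() for bit, angle in table.items()}


def new_rng(seed):
    """Seeded source of randomness so that runs are reproducible."""
    return random.Random(seed)


def prepare(bit, base):
    """Device A: polarize one photon to encode `bit` in `base`; returns the angle."""
    return POLARIZATION[base][bit]


def measure(angle, base, rng):
    """Measure a photon of polarization `angle` in `base`.

    Same base as the preparer: the encoded bit is read out with certainty.
    Other base: the outcome is a fair coin flip.
    """
    if (base, angle) in BIT_OF:
        return BIT_OF[(base, angle)]
    return rng.randrange(2)


def run_bb84(n, rng, noise=0.0, eavesdrop=False):
    """Transmit n photons from A to B, then sift over the conventional link.

    Returns the two sifted keys (the text's 'raw keys'). With eavesdrop=True an
    intercept-resend attacker (assumed model) measures every photon in a random
    base and re-prepares it, which leaves about 25 % errors in the sifted keys.
    """
    bits_a = [rng.randrange(2) for _ in range(n)]
    bases_a = [rng.choice("+x") for _ in range(n)]
    bases_b = [rng.choice("+x") for _ in range(n)]
    bits_b = []
    for bit, base_a, base_b in zip(bits_a, bases_a, bases_b):
        angle = prepare(bit, base_a)
        if eavesdrop:
            base_e = rng.choice("+x")
            angle = prepare(measure(angle, base_e, rng), base_e)
        out = measure(angle, base_b, rng)
        if rng.random() < noise:   # imperfect detector / channel flips the result
            out ^= 1
        bits_b.append(out)
    # Sifting: A and B announce their bases and keep only the matching positions.
    keep = [i for i in range(n) if bases_a[i] == bases_b[i]]
    return [bits_a[i] for i in keep], [bits_b[i] for i in keep]


def estimate_qber(key_a, key_b, sample_frac, rng):
    """A and B publicly compare a random sample of sifted bits and discard it.

    Returns (estimated QBER, remaining key_a, remaining key_b). An estimate far
    above the known noise floor of the channel is the signature of eavesdropping.
    """
    k = max(1, int(len(key_a) * sample_frac))
    sample = set(rng.sample(range(len(key_a)), k))
    errors = sum(key_a[i] != key_b[i] for i in sample)
    rest_a = [b for i, b in enumerate(key_a) if i not in sample]
    rest_b = [b for i, b in enumerate(key_b) if i not in sample]
    return errors / k, rest_a, rest_b


def simulate(seed, n=4000, noise=0.0, eavesdrop=False, sample_frac=0.25):
    """End-to-end run; returns (sifted length, estimated QBER, remaining A, remaining B)."""
    rng = new_rng(seed)
    key_a, key_b = run_bb84(n, rng, noise, eavesdrop)
    qber, rest_a, rest_b = estimate_qber(key_a, key_b, sample_frac, rng)
    return len(key_a), qber, rest_a, rest_b


if __name__ == "__main__":
    for eve in (False, True):
        sifted, qber, _, _ = simulate(2024, noise=0.02, eavesdrop=eve)
        print(f"eavesdrop={eve}: {sifted} sifted bits, estimated QBER {qber:.3f}")
```

About half of the transmitted photons survive sifting, since the two devices choose the same base with probability 1/2. Without the eavesdropper the estimated QBER equals the channel noise; with the intercept-resend attacker it rises by roughly 25 %, because the attacker guesses the wrong base half of the time and in that case the re-prepared photon gives the device B a random bit.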
Therefore, both in the case of a BB84 protocol based on single photons and in the case of a BB84 protocol based on pairs of entangled photons, after having generated the raw keys, the devices A and B carry out two further steps that result in the generation of a single cryptographic key known only by said devices A and B. These further steps of the BB84 protocol are respectively known as information reconciliation and privacy amplification and were described for the first time by C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin in “Experimental Quantum Cryptography”, Journal of Cryptology, vol. 5, n. 1, 1992, pp. 3-28.
In particular, in the information reconciliation step, the devices A and B correct errors in the two raw keys so as to generate an identical reconciled key for both the devices A and B.
In detail, in the information reconciliation step, the devices A and B exchange over the conventional link of the quantum channel the information needed to correct the errors in the raw keys, while keeping to a minimum the information about the raw keys that is thereby disclosed.
At the end of the information reconciliation step, the devices A and B obtain one and the same reconciled key and are also able to recognise:
- what information on the raw keys has been eavesdropped by an unauthorized third party during the generation of the raw keys; and
- what information on the reconciled key has been eavesdropped by an unauthorized third party during the information reconciliation step.
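The following Python program, added here as an illustration and not the reconciliation method of the patent (which the text does not specify) nor code from the cited references, shows one pass of block-parity reconciliation, the BINARY procedure used in the first pass of the Cascade protocol. The device A holds `key_a`, the device B holds `key_b` with a few errors; the devices compare block parities over the conventional link and, for each block whose parities differ, locate one wrong bit by binary search over sub-block parities. Every parity announced is one bit of information disclosed to an eavesdropper, which is exactly the quantity the text says the devices must be able to account for; the function therefore counts it. The sample keys, the error positions and the block size are constructed for this example.

```python
"""Block-parity information reconciliation (added example, not the patent's method).

One BINARY pass: blocks whose parities differ hold an odd number of errors, and
a binary search over sub-block parities isolates one of them. Each announced
parity leaks one bit of information about the key, so the leak is counted.
"""
import random


def parity(bits):
    return sum(bits) & 1


def locate_and_fix(key_a, key_b, lo, hi, leaked):
    """Binary search for one erroneous bit in key_b[lo:hi].

    Precondition: the parities of key_a[lo:hi] and key_b[lo:hi] differ, so the
    interval holds an odd number of errors. At each step A announces the parity
    of the left half (one leaked bit); B keeps the half whose parity disagrees.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        leaked += 1
        if parity(key_a[lo:mid]) != parity(key_b[lo:mid]):
            hi = mid
        else:
            lo = mid
    key_b[lo] ^= 1  # the surviving single bit is certainly an error: flip it
    return leaked


def reconcile(key_a, key_b, block_size):
    """One pass of block-parity reconciliation.

    Returns (corrected copy of key_b, parity bits leaked, blocks corrected).
    Blocks containing an even number of errors have matching parities and are
    left untouched: Cascade's further passes over shifted or shuffled, larger
    blocks exist exactly to catch them.
    """
    key_b = list(key_b)
    leaked = fixed = 0
    for lo in range(0, len(key_a), block_size):
        hi = min(lo + block_size, len(key_a))
        leaked += 1  # block parity announced over the conventional link
        if parity(key_a[lo:hi]) != parity(key_b[lo:hi]):
            leaked = locate_and_fix(key_a, key_b, lo, hi, leaked)
            fixed += 1
    return key_b, leaked, fixed


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def sample_keys(length=64, errors=(3, 17, 40, 41, 50), seed=5):
    """Constructed raw keys: key_b is key_a with the given positions flipped."""
    rng = random.Random(seed)
    key_a = [rng.randrange(2) for _ in range(length)]
    key_b = list(key_a)
    for i in errors:
        key_b[i] ^= 1
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = sample_keys()
    fixed_b, leaked, fixed = reconcile(key_a, key_b, block_size=8)
    print(f"errors before: {hamming(key_a, key_b)}, after: {hamming(key_a, fixed_b)}, "
          f"blocks fixed: {fixed}, parity bits leaked: {leaked}")
```

With blocks of 8 bits the constructed errors at positions 40 and 41 fall into the same block and cancel in its parity, so the first pass corrects three of the five errors and leaks 17 parity bits (8 block parities plus 3 bits for each of the three binary searches). A second pass with a different block boundary, for instance blocks of 41 bits, separates the two remaining errors and corrects them; the total number of leaked bits is what the privacy amplification step must subsequently discard.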
Finally, in the privacy amplification step, on the basis of the reconciled key and by means of a reciprocal authentication mechanism for the devices A and B, or rather for the respective users, the devices A and B generate one and the same secure key that can be used by said devices A and B, or rather by the respective users, to communicate with each other in a secure manner over a public channel.
In particular, in the privacy amplification step, by means of a reciprocal authentication mechanism for the devices A and B, or rather for the respective users, the devices A and B generate one and the same secure key that is shorter than the reconciled key so as to minimize the probability that an unauthorized third party could trace said secure key on the basis of the eavesdropped information.
In detail, each of the devices A and B performs the following operations in the privacy amplification step:
- it determines a respective hash matrix on the basis of a respective current authentication key; and
- it compresses the reconciled key by means of the respective hash matrix, thereby obtaining a respective final bit string that is shorter than the reconciled key.
In greater detail, if both the devices A and B, or rather both the respective users, possess one and the same current authentication key, said devices A and B determine one and the same hash matrix on the basis of the same current authentication key, and therefore, when compressing the reconciled key using the same hash matrix, generate one and the same final bit string that comprises:
- one and the same quantum key that can be used by said devices A and B, or rather by the respective users, to communicate with each other in a secure manner over a public channel; and
- one and the same new authentication key to be used as the current authentication key in the privacy amplification step of a subsequent QKD.
Instead, if the devices A and B, or rather the respective users, do not have a same current authentication key, at the end of the privacy amplification step, said devices A and B generate two different final bit strings and therefore two different quantum keys and two different new authentication keys, which thus become unusable.
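The following Python program, added here as an illustration and not the construction of the patent (the text says that the hash matrix is derived from the current authentication key but does not say how) nor code from the cited references, implements the privacy amplification step described above. The hash matrix is assumed to be a Toeplitz matrix over GF(2) whose diagonal bits are expanded from the current authentication key with SHAKE-128; Toeplitz matrices form a universal hash family, so partial knowledge of the reconciled key is spread over all output bits. The final bit string is split as the text describes: the leading bits form the quantum key, the trailing `auth_len` bits form the new authentication key. The reconciled key, the number of leaked bits and the security margin are constructed values.

```python
"""Privacy amplification with a Toeplitz hash matrix (added example, not the patent's construction).

The matrix is n_out x n_in over GF(2); its n_in + n_out - 1 diagonal bits are
expanded from the current authentication key with SHAKE-128 (assumption).
"""
import hashlib
import random


def toeplitz_diagonals(auth_key, n_in, n_out):
    """Expand the authentication key into the n_in + n_out - 1 diagonal bits."""
    nbits = n_in + n_out - 1
    stream = hashlib.shake_128(auth_key).digest((nbits + 7) // 8)
    return [(stream[i >> 3] >> (i & 7)) & 1 for i in range(nbits)]


def toeplitz_hash(bits, diag, n_out):
    """Multiply the key (column vector over GF(2)) by the Toeplitz matrix.

    Entry (r, c) of the matrix is diag[r - c + n_in - 1]; only columns where
    the input bit is 1 contribute, and addition is XOR.
    """
    n_in = len(bits)
    out = []
    for r in range(n_out):
        acc = 0
        for c, b in enumerate(bits):
            if b:
                acc ^= diag[r - c + n_in - 1]
        out.append(acc)
    return out


def privacy_amplify(reconciled, auth_key, leaked_bits, auth_len, margin=32):
    """Compress the reconciled key; returns (quantum_key, new_auth_key) as bit lists.

    The output is shortened by the number of bits leaked during raw-key
    generation and reconciliation plus a fixed security margin (assumed values).
    """
    n_in = len(reconciled)
    n_out = n_in - leaked_bits - margin
    if n_out <= auth_len:
        raise ValueError("too much information leaked: no secret key can be distilled")
    diag = toeplitz_diagonals(auth_key, n_in, n_out)
    final = toeplitz_hash(reconciled, diag, n_out)
    return final[:n_out - auth_len], final[n_out - auth_len:]


def bits_to_hex(bits):
    return hex(int("".join(map(str, bits)), 2))


def sample_reconciled_key(length=256, seed=11):
    """Constructed reconciled key, as both devices would hold it after reconciliation."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(length)]


if __name__ == "__main__":
    reconciled = sample_reconciled_key()
    qk_a, auth_a = privacy_amplify(reconciled, b"shared-auth-key", 40, 64)
    qk_b, auth_b = privacy_amplify(reconciled, b"shared-auth-key", 40, 64)
    qk_c, auth_c = privacy_amplify(reconciled, b"other-auth-key", 40, 64)
    print("A and B agree:", qk_a == qk_b and auth_a == auth_b)
    print("device with a mismatched authentication key agrees:", qk_c == qk_a)
    print("quantum key:", bits_to_hex(qk_a), "next authentication key:", bits_to_hex(auth_a))
```

Two devices holding the same current authentication key derive the same matrix and therefore the same quantum key and the same new authentication key; a device holding a different authentication key derives an unrelated bit string, which is the behaviour the text describes for the mismatched case. Because the hash is linear over GF(2), the output for the XOR of two inputs equals the XOR of the two outputs, which is what makes it a universal hash rather than a cryptographic one; the secrecy of the result rests on the shortening, not on the matrix being hidden.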
A first drawback of QKD is related to the fact that the two involved communication devices must be relatively close because the quantum link of the quantum channel that connects them can only be a few kilometers at most.
Furthermore, a second drawback is related to the fact that, if it is wished to exploit QKD to enable a plurality of communication devices to communicate securely, it is necessary that each possible pair of communication devices is connected by means of a respective quantum channel.
Consequently, since the cost associated with implementing a single quantum channel is rather high, the implementation of a respective quantum channel for every possible pair of communication devices becomes very expensive.
Lastly, the constraint that a quantum channel exists for every possible pair of nodes limits the physical extent of a fully connected network to the maximum permitted length of a quantum link.
PCT application WO 2007/123869 A2 describes cryptographic key management and user authentication systems and methods for quantum cryptography networks that enable users to communicate securely over a traditional communication channel.
In particular, WO 2007/123869 A2 describes a method that includes connecting a cryptographic key central authority QKCA to each user in a secure manner by means of quantum links that enable data to be encrypted and decrypted on the basis of quantum keys. According to the method described in WO 2007/123869 A2, when two users wish to communicate with each other in a secure manner, the cryptographic key central authority QKCA sends a random bit sequence to each user over the respective quantum link and then the two users use said random bit sequence as a key to encode and decode the data that they exchange over a traditional communication channel.
According to a specific embodiment of the invention described in WO 2007/123869 A2 (in particular, described on page 8 and illustrated in FIG. 4 of WO 2007/123869 A2), a first user A is connected by means of a first quantum channel QL-A to a first cryptographic key central authority QKCA-A, and a second user B is connected by means of a second quantum channel QL-B to a second cryptographic key central authority QKCA-B that, in turn, is connected to the first cryptographic key central authority QKCA-A by means of a third quantum channel QL-AB. When the first user A wishes to communicate with the second user B over a traditional communication channel, said first user A submits a request for communication with said second user B over the first quantum channel QL-A to the first cryptographic key central authority QKCA-A, which routes said request over the third quantum channel QL-AB to the second cryptographic key central authority QKCA-B, which, in turn, routes said request over the second quantum channel QL-B to the second user B. If the second user B accepts the request, the second cryptographic key central authority QKCA-B generates a random bit sequence and sends said random bit sequence to the second user B over the second quantum channel QL-B and to the first cryptographic key central authority QKCA-A over the third quantum channel QL-AB. The first cryptographic key central authority QKCA-A then routes said random bit sequence to the first user A over the first quantum channel QL-A. In other words, the first cryptographic key central authority QKCA-A acts as a router between the first user A and the second cryptographic key central authority QKCA-B, which generates the random bit sequence to be used to render communications over the traditional communication channel between the users A and B secure.
The aforesaid specific embodiment of the invention described in WO 2007/123869 A2 has some intrinsic security problems, as the first cryptographic key central authority QKCA-A knows the random bit sequence to be used to render communications between the users A and B secure. Therefore, if the first cryptographic key central authority QKCA-A acted in bad faith, it could distribute said random bit sequence also to other, unauthorized users, who would consequently be able to decode the data exchanged over the traditional communication channel between the users A and B without the latter becoming aware of it.