Two of the goals of cryptography are: (1) making a communication unintelligible to an eavesdropper, and (2) distinguishing legitimate communications from forged or altered ones. If parties duly in communication possess certain shared random secret information (the encryption “key”), they can achieve both of these goals with provable security. A one-time pad scheme can achieve the first goal, and a Wegman-Carter authentication scheme can achieve the second goal. Unfortunately, both of these cryptographic schemes consume key material and render it unfit for further use. It is thus necessary for the parties wishing to protect their communications/messages by using either or both of these cryptographic techniques to devise a way to exchange fresh key material. The first possibility is for one party to generate the key and to inscribe it on a physical medium (disc, cd-rom, rom) before passing it to another party. The problem with this approach is that the security of the key depends on its having been protected during its entire lifetime, from its generation to its use, until it is finally discarded. In addition, it can be impractical and tedious to physically distribute the keys.
Because of these difficulties, in many applications one resorts instead to purely mathematical methods which allow parties to agree on a shared secret key over an unsecured communication channel. Unfortunately, all such mathematical methods for key agreement rest upon unproven assumptions, such as the difficulty of factoring large integers. Thus, their security is only conditional and questionable. Future mathematical developments may prove them totally unsecured.
Quantum cryptography (QC) is a method allowing the distribution of a secret key between two distant parties, the emitter and the receiver, with a provable absolute security. QC is new, but known in the field. For example, see Quantum Cryptography, N. Gisin, G. Ribordy, W. Tittel and H. Zbinden, Rev. of Mod. Phys. 74 (2002). In QC, the parties encode each bit of the key on an elementary quantum system, such as a photon, which they exchange over a quantum channel, such as an optical fiber. The security of this method comes from the well-known fact that the measurement of the quantum state of an unknown quantum system modifies or perturbs the system itself, and said perturbation is detectable. In other words, an eavesdropper on the quantum channel cannot get information on the key without introducing errors in the key exchanged between the quantum emitter and the receiver. The QC key is secure because of the no-cloning theorem of quantum mechanics, which ensures that an eavesdropper cannot duplicate the transmitted quantum system and forward a perfect copy to the receiver.
Several QC protocols currently exist. These protocols describe how bit values are encoded on quantum systems using sets of quantum states, and how the emitter and the receiver cooperate to produce a secret key. The most commonly used of these protocols, which was also the first one to be invented, is known as the Bennett-Brassard 84 protocol (BB84), disclosed by Charles Bennett and Gilles Brassard in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, pp. 175-179 (1984)). The emitter encodes each bit on a two-level quantum system either as an eigenstate of σx (|+x⟩ coding for “0” and |−x⟩ coding for “1”) or as an eigenstate of σy (|+y⟩ coding for “0” and |−y⟩ coding for “1”).
One says that the bits are encoded in two incompatible bases. For each bit, the emitter uses an appropriate random number generator to generate two random bits of information, which are used to determine the bit value (one random bit) and the basis information (one random bit). The quantum system is sent to the receiver, who analyses it in one of the two bases, i.e., it measures either σx or σy. The measurement basis is selected randomly for each quantum system. The receiver uses an appropriate random number generator to produce a random bit of information used to determine the measurement basis (the basis information). After the exchange of a large number of quantum systems, the emitter and the receiver perform a procedure called basis reconciliation. The emitter announces to the receiver, over a conventional and public communication channel, the basis x or y (eigenstate of σx or σy) in which each quantum system was prepared. When the receiver has used the same basis as the emitter for its measurement, the receiver knows that the bit value it has measured must be the one which was sent over by the emitter. The receiver indicates publicly for which quantum systems this condition is fulfilled. Measurements for which the wrong basis was used are simply discarded. In the absence of an eavesdropper, the sequence of bits shared is error free. Although an eavesdropper who wants to get some information about the sequence of bits that is being exchanged can choose between several attacks, the laws of quantum physics guarantee that he/she will not be able to do so without introducing a detectable perturbation into the QC key.
In practice, the apparatuses are imperfect and themselves introduce some error in the bit sequence, even when no eavesdropper is present. In order to still allow the production of a secret key, the basis reconciliation part of the protocol is complemented by other steps. This whole procedure is called key distillation. The emitter and the receiver check the perturbation level, also known as the quantum bit error rate (QBER), on a sample of the bit sequence in order to assess the secrecy of the transmission. Provided this error rate is not too large, it does not prevent the distillation of a secure key. These errors can indeed be corrected, before the communicating parties apply a so-called privacy amplification algorithm that will reduce the information (in the sense of Shannon's information theory) the eavesdropper (spy) has on the key to an arbitrarily low level.
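The basis reconciliation and QBER check described above can be followed step by step in a small simulation. This is an added example, not part of the original text: it assumes ideal apparatus (no loss, no noise), models the eavesdropper with a constructed intercept-resend strategy, and uses an illustrative abort threshold `max_qber` that the text does not specify.

```python
import random

def bb84_run(n, eavesdrop=False, sample_fraction=0.2, max_qber=0.11, seed=1):
    """Simulate n ideal BB84 exchanges (no loss, no apparatus noise).

    Returns (sample_qber, remaining_bits, accepted). max_qber is an
    illustrative abort threshold chosen for this example.
    """
    rng = random.Random(seed)
    key_a, key_b = [], []
    for _ in range(n):
        bit = rng.getrandbits(1)       # emitter: random bit value
        basis_a = rng.getrandbits(1)   # emitter: 0 = x basis, 1 = y basis
        state_bit, state_basis = bit, basis_a
        if eavesdrop:
            # Constructed intercept-resend model: measure in a random basis,
            # then forward a fresh system prepared in the measured state.
            basis_e = rng.getrandbits(1)
            if basis_e != state_basis:
                state_bit = rng.getrandbits(1)  # incompatible basis: random outcome
            state_basis = basis_e
        basis_b = rng.getrandbits(1)   # receiver: random measurement basis
        if basis_b == state_basis:
            result = state_bit         # compatible basis: deterministic outcome
        else:
            result = rng.getrandbits(1)
        if basis_a == basis_b:         # basis reconciliation: keep matching bases
            key_a.append(bit)
            key_b.append(result)
    # QBER estimate on a publicly compared random sample, which is then discarded
    k = int(len(key_a) * sample_fraction)
    sample = rng.sample(range(len(key_a)), k)
    qber = sum(key_a[i] != key_b[i] for i in sample) / k
    return qber, len(key_a) - k, qber <= max_qber

if __name__ == "__main__":
    for eve in (False, True):
        qber, remaining, ok = bb84_run(40000, eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={qber:.3f}, bits left={remaining}, accept={ok}")
```

In this model the eavesdropper picks the wrong basis half of the time and each such event produces an error with probability one half, so the sampled QBER settles near 25% while the undisturbed run shows none.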
In recent years, several demonstrations of QC apparatuses have been implemented using photons as the information carrying quantum system and optical fibers as quantum channels. While the original proposal called for the use of single photons as elementary quantum systems to encode the key, their generation is difficult and good single-photon sources do not exist yet. Instead, most implementations have relied on the exchange between the emitter and the receiver of weak coherent states, such as weak laser pulses, as approximations to ideal elementary quantum systems. The level of security achieved by a weak laser pulse QC apparatus can be as high as that of a true single-photon implementation, provided the mean photon number does not exceed a certain value, which depends on the loss budget of the quantum channel.
The first implementations of QC relied on the use of polarization states to encode the bit values to be transmitted. The emitter used a laser source to produce short pulses with linear polarization. It rotated their states one-by-one to produce a random sequence of horizontal, vertical and diagonal polarization states and attenuated them before launching them in the quantum channel. The receiver used a polarizing beamsplitter to measure the polarization state of the incoming pulses. The alignment of the polarizing beamsplitter was set randomly to the horizontal/vertical basis or to the diagonal basis. As the optical fiber used for the quantum channel induces a transformation of the transmitted polarization states, the polarization states have to be realigned by the receiver, before being sent on the polarizing beamsplitter. Incorrect alignment indeed induces errors in the bit sequence. The receiver has to use a polarization controller to perform this task. Experiments demonstrated that this alignment requires continuous tracking, as the polarization transformation induced by the fiber changes over time. There are even times when this transformation varies rapidly and randomly, making tracking impossible.
In order to avoid having to track polarization alignment, Paul Townsend et al. proposed in “Single-photon interference in a 10 km long optical fiber interferometer,” Electron. Lett. 29, 634-639 (1993), to use the phase difference between two weak laser pulses to encode the bit value. This approach is also known as “phase coding.” The emitter uses a laser to produce a short laser pulse, which is sent into an imbalanced interferometer—for example an imbalanced Mach-Zehnder interferometer—to split it into two halves. One arm of the interferometer contains a phase modulator to apply one of four phase shifts corresponding to the four states required in the BB84 protocol. The pulses are then attenuated and launched into the quantum channel. The receiver sends the two half pulses into a matching imbalanced interferometer to superpose them in order to record interference. This second interferometer also contains a phase modulator allowing the receiver to select the basis in which a given pulse will be analyzed by inducing a phase shift on one of the half pulses. The probability that the pulse leaves the interferometer by one of the two outputs depends on the difference between the phase shift applied by the emitter and that applied by the receiver. If this phase difference is varied, interference fringes are recorded. The path length of one of the interferometers is typically adjusted so that fully destructive interference is recorded in one of the output ports when the emitter and the receiver both apply no phase shifts. When the bases used by the emitter and the receiver are compatible and provided that the interference contrast is good, the interference will be fully constructive in one output port and fully destructive in the other one, guaranteeing that the pulse will go deterministically (with 100% probability) into one of the detectors. This approach belongs to a first class of interferometric quantum cryptography apparatuses, of which there currently exist three.
The advantage of this approach is that both “halves” of the photon travel in the same optical fiber. They experience thus the same optical path in the environmentally sensitive part of the apparatus, i.e., the quantum channel, provided that the variations in the fiber are slower than their temporal separation, determined by the interferometer's imbalance (a few ns at most). In practice, this is the case.
The main difficulty associated with phase coding is that the imbalance of the emitter and the receiver interferometers must be kept stable within a fraction of a wavelength of the photon during a key exchange to maintain correct phase relations. A drift of the path length of one of the interferometers indeed amounts to adding a constant phase shift. This changes the possible values of the phase difference between the two half pulses, which means the interference contrast will not be maximum anymore. The photons will experience a non-zero probability to go out of the wrong output port of the interferometer. These events introduce errors in the bit sequence.
The main source of such path length drifts is thermal expansion of the interferometer, caused by temperature variations. Methods relying on temperature stabilization of the interferometers have been used to maintain as high an interference contrast as possible. They are unfortunately difficult to put in practice. A small change in the temperature of one of the interferometers has indeed a large impact on the phase difference. It is thus necessary to stabilize the temperature with a high accuracy, which is difficult because of the large heat capacity of the interferometers.
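The link between interferometer drift and bit errors in phase coding can be made quantitative. The following is an added example, not part of the original text: the four emitter phases (0, π/2, π, 3π/2), the two receiver phases (0, π/2), the ideal two-port interference law and the 1550 nm wavelength in the demo are assumptions chosen for illustration.

```python
import math
import random

# Assumed convention: (basis, bit) -> emitter phase; basis -> receiver phase
EMITTER_PHASE = {(0, 0): 0.0, (0, 1): math.pi,
                 (1, 0): math.pi / 2, (1, 1): 3 * math.pi / 2}
RECEIVER_PHASE = {0: 0.0, 1: math.pi / 2}

def phase_from_path(drift_nm, wavelength_nm):
    """Constant phase shift added by an optical path-length drift."""
    return 2 * math.pi * drift_nm / wavelength_nm

def p_port1(phi_a, phi_b, drift):
    """Probability of leaving by the port read as bit 1 (ideal contrast).

    With no applied phases and no drift this port is fully dark.
    """
    return math.sin((phi_a - phi_b + drift) / 2) ** 2

def expected_qber(drift):
    """Error rate on compatible-basis events for a constant phase drift."""
    return math.sin(drift / 2) ** 2

def simulate_qber(drift, n=20000, seed=7):
    """Monte Carlo phase-coded BB84; errors counted after basis reconciliation."""
    rng = random.Random(seed)
    kept = errors = 0
    for _ in range(n):
        basis_a = rng.getrandbits(1)
        bit = rng.getrandbits(1)
        basis_b = rng.getrandbits(1)
        if basis_a != basis_b:
            continue                   # incompatible bases are discarded
        p1 = p_port1(EMITTER_PHASE[(basis_a, bit)], RECEIVER_PHASE[basis_b], drift)
        detected = 1 if rng.random() < p1 else 0
        kept += 1
        errors += detected != bit
    return errors / kept

if __name__ == "__main__":
    for drift_nm in (0, 25, 50, 100, 200):   # constructed sample drifts
        d = phase_from_path(drift_nm, 1550.0)
        print(f"{drift_nm:4d} nm  expected={expected_qber(d):.4f}  "
              f"simulated={simulate_qber(d):.4f}")
```

Under these assumptions the error rate grows as sin²(δ/2) with the drift phase δ, which is why the path-length imbalance has to be held to a small fraction of a wavelength.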
A second class of interferometric quantum cryptography apparatuses was introduced in H. Takesue et al. (Differential phase shift quantum key distribution experiment over 105 km fibre, quant-ph/0507110), the content of which is incorporated herein by reference. The authors presented an approach, known as “differential phase coding” (DPS) QC, where the bit values are coded on the phase difference between two adjacent pulses of an infinite train. The emitter uses an amplitude modulator to carve out of a continuous wave (CW) laser beam a train of pulses. A phase modulator is used to induce phase shifts, corresponding to the bit values, on the pulses. The receiver uses an imbalanced interferometer, with a path difference corresponding to the distance between two pulses, to superpose adjacent pulses and record interference. In order to obtain stable low error rate transmission, the wavelength of the CW laser is stabilized and the temperature of the interferometer is adjusted to assure high contrast. Just like in the previous case, such an adjustment is difficult because of the strong dependency between the phase difference induced by the interferometer and its temperature, coupled with its large heat capacity, which makes it difficult to adjust the temperature accurately.
A third class of interferometric quantum cryptography apparatuses was introduced in Stucki et al. (Fast and simple one-way quantum key distribution, App. Phys. Lett. 87, 194108 (2005)), the content of which is incorporated herein by reference. The authors presented an approach, known as “Coherent One-way” (COW) QC, where the bit values are coded on the time of arrival of a pulse out of an infinite train and inter-pulse interference is used for eavesdropping detection. The emitter uses an amplitude modulator to carve out of a continuous wave (CW) laser beam a train of pulses. A bit is coded on a pair of pulses, by removing either the first one or the second one. The receiver sends most of the pulses to a single-photon detector. The time of detection of the pulse reveals the bit value. In order to prevent certain attacks, the receiver will also verify in some cases that a coherent phase relationship exists between adjacent pulses. In order to do so, he/she directs some of the pulses to an imbalanced interferometer, with a path length difference corresponding to the distance between two pulses, to record interference. Just as in the previous case, interference contrast can be maximized by adjusting the temperature of the interferometer while keeping the wavelength of the CW beam stable. In this case, one encounters the same difficulties as those described above.