Quantum cryptography is an emerging technology in which two parties may simultaneously generate shared, secret cryptographic key material using the transmission of quantum states of light. The security of these transmissions is based on the inviolability of the laws of quantum mechanics and information theoretically secure post-processing methods. An adversary can neither successfully tap the quantum transmissions nor evade detection, owing to the Heisenberg uncertainty principle.
Two of the main goals of cryptography (encryption and authentication of messages) can be accomplished, with provable security, if the sender ("Alice") and recipient ("Bob") possess a secret random bit sequence known as "key" material. The initial step of key distribution, in which the two parties acquire the key material, must be accomplished with a high level of confidence that a third party ("Eve") cannot acquire even partial information about the random bit sequence. If Alice and Bob communicate solely through classical messages, it is impossible for them to generate a certifiably secret key owing to the possibility of passive eavesdropping. However, secure key generation becomes possible if they communicate with single-photon transmissions using the emerging technology of quantum cryptography, or more accurately, quantum key distribution (QKD). A small amount of shared secret key material is required to perform initial authentication. See, e.g., U.S. Pat. No. 5,966,224, issued Oct. 12, 1999, to Hughes, et al., incorporated herein by reference.
The security of QKD is based on the inviolability of the laws of quantum mechanics and provably secure (information theoretic) public discussion protocols. Eve can neither "tap" the key transmissions owing to the indivisibility of quanta nor copy them faithfully because of the quantum "no-cloning" theorem. At a deeper level, QKD resists interception and retransmission by an eavesdropper because in quantum mechanics, in contrast to the classical world, the result of a measurement cannot be thought of as revealing a "possessed value" of a quantum state. A unique aspect of quantum cryptography is that the Heisenberg uncertainty principle ensures that if Eve attempts to intercept and measure Alice's quantum transmissions, her activities must produce an irreversible change in the quantum states (she "collapses the wavefunction") that are retransmitted to Bob. These changes will introduce an error rate having a high number of anomalies in the transmissions between Alice and Bob, allowing them to detect the attempted eavesdropping. In particular, from the observed error rate Alice and Bob can put an upper bound on any partial knowledge that an eavesdropper may have acquired by monitoring their transmissions. This bound allows the intended users to apply conventional information theoretic techniques by public discussion to distill an error-free, secret key.
Because it has the ultimate security assurance of a law of nature, quantum cryptography offers potentially attractive "ease of use" advantages over conventional key distribution schemes: it avoids the "insider threat" because key material does not exist before the quantum transmissions take place; it replaces cumbersome conventional key distribution methods whose security is based on the physical security of the distribution process; and it provides a secure alternative to key distribution schemes based on public key cryptography, which are potentially vulnerable to algorithmic advances and improved computing techniques. Thus, quantum key distribution enables "encrypted communications on demand," because it allows key generation at transmission time over an unsecured optical communications link.
The first quantum key distribution protocol was published by Charles Bennett and Gilles Brassard in 1984 and is now known as "BB84". A further advance in theoretical quantum cryptography took place in 1991 when Ekert proposed that Einstein-Podolsky-Rosen (EPR) "entangled" two-particle states could be used to implement a quantum cryptography protocol whose security was based on Bell's inequalities. Starting in 1989, Bennett, Brassard and collaborators performed the first experimental demonstration of QKD by constructing a working prototype system for the BB84 protocol using polarized photons. Although the propagation distance was only about 30 cm, this experiment is in several ways still the most thorough demonstration of quantum cryptography.
Potentially practical applications of QKD, outside the carefully controlled environment of a physics laboratory, are largely determined by the physics of single-photon production, the requirement of faithful transmission of the quantum states involved, the existence of high-efficiency single-photon detectors at the required wavelengths, and the compatibility of QKD with existing optical communications infrastructures. In 1992 Bennett published a "minimal" QKD scheme ("B92") and proposed that it could be implemented using single-photon interference with photons propagating for long distances over optical fibers. Since then, several experimental groups have developed optical fiber-based QKD systems.
For example, Los Alamos National Laboratory has demonstrated the feasibility of low-error rate QKD over underground optical fibers that were installed for network applications. QKD was demonstrated over 24 km of fiber and operated for over one year at an increased propagation distance of 48 km. In recent years there have also been considerable developments in the use of free-space laser communications for high-bandwidth terrestrial, surface-to-satellite, satellite-to-satellite, and (potentially) deep space communications.
The optical pointing, acquisition and tracking techniques developed for laser communications can be used to make QKD possible over line-of-sight transmissions in free-space, provided that signal-to-noise and bit rates adequate for cryptographic applications can be achieved. There are certain key distribution problems for which free-space QKD would have definite practical advantages. For example, it is impractical to send a courier to a satellite when new cryptographic key material is needed. We believe that free-space QKD could be used for key generation between a low-earth orbit satellite and a ground station, as well as in other applications where laser communications are possible.
Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.
In accordance with the purposes of the present invention, as embodied and broadly described herein, the present invention includes apparatus for securely generating a key to be used for secure transmission between a sender and a receiver connected by an atmospheric transmission link. A first laser outputs a timing bright light pulse; a second laser outputs a first polarized optical data state; and a third laser outputs a second polarized optical data state. A random bit generator randomly enables either the second laser or the third laser. Output optics transmit output light from the first, second, and third lasers that is received by receiving optics. Once inside the receiver, a first beam splitter receives light from a receiving telescope, where a received bright light pulse is directed to a delay circuit for establishing a timing window for receiving light from the second or third lasers and where an optical data pulse from either the second or third laser has a probability of being either transmitted by the beam splitter or reflected by the beam splitter. A first polarizer receives optical data pulses transmitted by the beam splitter and, if the data pulse is transmitted through the polarizer and detected, one data bit value is recorded. A second polarizer receives optical data pulses reflected by the beam splitter and, if the data pulse is transmitted by the polarizer and detected, produces a second data bit value. A computer receives pulses representing receipt of a bright timing pulse and the first and second data bit values, where receipt of the first and second data bit values is indexed by the bright timing pulse.
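The two-laser link just described, together with the earlier statement that intercepting and retransmitting the quantum states raises the error rate Alice and Bob observe, can be modelled in a short simulation; this is an added example, not code from the patent. The polarization angles, the 50/50 beam splitter, the lossless channel with ideal detectors, and the random-basis measure-and-resend model of the tap are all assumptions made for the illustration.

```python
import math
import random

# Assumed angles (degrees); the text only says "first/second polarized data state".
ALICE_STATE = {0: 90, 1: 45}          # second laser -> bit 0, third laser -> bit 1
# Each receiver polarizer is crossed with one of Alice's states, so a click
# behind it can only have come from the other state.
BOB_ARM = {"transmitted": (135, 0),   # (polarizer angle, bit recorded on a click)
           "reflected": (0, 1)}


def passes(state_deg, polarizer_deg, rng):
    """Single photon through a linear polarizer: Malus' law as a probability."""
    p = round(math.cos(math.radians(state_deg - polarizer_deg)) ** 2, 12)
    return rng.random() < p


def intercept_resend(state_deg, rng):
    """Assumed tap model: measure in a random basis, resend the measured state."""
    basis = rng.choice([(0, 90), (45, 135)])
    return basis[0] if passes(state_deg, basis[0], rng) else basis[1]


def run_link(n_pulses, tapped, seed=1):
    """Return (sifted_bits, errors) for n_pulses timing-indexed data pulses."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n_pulses):
        bit = rng.getrandbits(1)               # random bit generator picks a laser
        state = ALICE_STATE[bit]
        if tapped:
            state = intercept_resend(state, rng)
        arm = rng.choice(["transmitted", "reflected"])   # 50/50 beam splitter
        polarizer, recorded = BOB_ARM[arm]
        if passes(state, polarizer, rng):      # detector click inside the window
            sifted += 1
            errors += recorded != bit
    return sifted, errors


def error_rate(n_pulses, tapped, seed=1):
    """Fraction of Bob's recorded bits that disagree with Alice's."""
    sifted, errors = run_link(n_pulses, tapped, seed)
    return errors / sifted


if __name__ == "__main__":
    print("clean link :", error_rate(20000, tapped=False))
    print("tapped link:", error_rate(20000, tapped=True))
```

On the clean link Bob records a bit for roughly a quarter of the pulses and none of them disagree with Alice; under the modelled tap about a third of the recorded bits are wrong, which is the signature the two parties check for before distilling a key.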
In another aspect of the present invention, and in accordance with its objectives and purposes, apparatus for securely generating a key to be used for secure transmission between a sender and a receiver connected by an atmospheric transmission link comprises at least one first laser for outputting timing bright light pulses, with second and third lasers for outputting first and second polarized optical data states, and fourth and fifth lasers for outputting third and fourth polarized optical data states. A random bit generator randomly enables either the second and third lasers or the fourth and fifth lasers. Output optics are effective to transmit output light from the first, second, third, fourth and fifth lasers to receiving optics that are effective to receive output light of the output optics from the first, second, third, fourth and fifth lasers. A first beam splitter receives light from the receiving optics, where a received bright light pulse is directed to a delay circuit for establishing a window for receiving light from the second, third, fourth or fifth lasers and where an optical data state from either the second, or third, or fourth or fifth laser has a probability of being either transmitted by the beam splitter or reflected by the beam splitter. A first polarizer receives transmitted optical data states to output one data bit value, and a second polarizer receives reflected optical data states to output a second data bit value. A computer receives pulses representing receipt of a bright timing pulse and the first and second data bit values, where receipt of the first and second data bit values is indexed by the bright timing pulse.