Quantum key distribution involves establishing a key between a sender (“Alice”) and a receiver (“Bob”) by using weak (e.g., 0.1 photon on average) optical signals transmitted over a “quantum channel.” The security of the key distribution is based on the quantum mechanical principal that any measurement of a quantum system in unknown state will modify its state. As a consequence, an eavesdropper (“Eve”) that attempts to intercept or otherwise measure the quantum signal will introduce errors into the transmitted signals, thereby revealing her presence.
The general principles of quantum cryptography were first set forth by Bennett and Brassard in their article “Quantum Cryptography: Public key distribution and coin tossing,” Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984, pp. 175–179 (IEEE, New York, 1984). Specific QKD systems are described in publications by C. H. Bennett et al entitled “Experimental Quantum Cryptography” and by C. H. Bennett entitled “Quantum Cryptography Using Any Two Non-Orthogonal States”, Phys. Rev. Lett. 68 3121 (1992).
The above mentioned publications each describe a so-called “one-way” QKD system wherein Alice randomly encodes the polarization or phase of single photons, and Bob randomly measures the polarization or phase of the photons. The one-way system described in the Bennett 1992 paper and incorporated by reference herein is based on a shared interferometric system. Respective parts of the interferometric system are accessible by Alice and Bob so that each can control the phase of the interferometer. The signals (pulses) sent from Alice to Bob are time-multiplexed and follow different paths. As a consequence, the interferometers need to be actively stabilized to within a nanoseconds or even milliseconds during transmission to compensate for thermal drifts.
U.S. Pat. No. 6,438,234 to Gisin (the '234 patent), which patent is incorporated herein by reference, discloses a so-called “two-way” QKD system that is autocompensated for polarization and thermal variations. Thus, the two-way QKD system of the '234 patent is less susceptible to environmental effects than a one-way system.
The general process for performing QKD is described in the book by Bouwmeester et al., “The Physics of Quantum Information,” Springer-Verlag 2001, in Section 2.3, pages 27–33. During the QKD process, Alice uses a true random number generator (TRNG) to generate a random bit for the basis (“basis bit”) and a random bit for the key (“key bit”) to create a qubit (e.g., using polarization or phase encoding) and sends this qubit to Bob.
The security of a QKD system greatly depends on authentication, which is the process that ensures that the parties communicating with each other over a communication link are who they say they are. In a QKD system, Alice and Bob must be sure they are talking to each other and that there is no man-in-the-middle impersonating Bob or Alice. This problem is addressed by authentication, which is essentially classical and completely depends on the security of the key on which authentication is based. Unconditionally secure authentication protocols exist, so that if the key used is unconditionally secure the authentication can be made unconditionally secure as well. If the security is compromised, Alice and Bob must recheck they are indeed communicating with each other and not to an eavesdropper in between. They can repeatedly perform authentication if they share keys they can absolutely trust.
The authentication protocol is also the only guarantee that Eve cannot change the data in a classical communication between Alice and Bob. One of the important assumptions in QKD is that Eve can listen to the classical communication but due to authentication she cannot change this communication.
The authentication procedure works as follows. The initial key for authentication is preinstalled by a trusted party. The QKD system is capable of producing keys (it can be treated as key regeneration) thus delivering enough fresh keys for authentication purposes. The security of the new key depends on the security of the QKD protocol. It is proven that this procedure can be made absolutely secure using a single-photon source and an appropriate protocol such as BB84. For most practical QKD systems used to date, a weak coherent pulse source is used. The security of a QKD system that utilizes weak coherent pulses is complicated by the fact that there is a probability that some pulses will have more than one photon per pulse.
Normally, it is supposed that for QKD systems that rely on weak coherent pulses, the QKD procedure is always run with the mean number of photons per pulse (μ) set to a secure level determined by the distance and losses. The main problem with this approach is that longer distances require longer times needed for establishing a key, thus making the key regeneration rate extremely low. This is especially critical because in a real operational regime, a quantum cryptography system needs keys for several purposes-namely, for encrypting messages, for running QKD protocols over public channel, and for authentication. Further, a sufficient number of secure keys need to be stored so that the key distribution process can be securely restarted if necessary.
The various elements depicted in the drawings are merely representational and are not necessarily drawn to scale. Certain sections thereof may be exaggerated, while others may be minimized. The drawings are intended to illustrate various embodiments of the invention that can be understood and appropriately carried out by those of ordinary skill in the art.