1. Field of the Invention
The present invention relates to a method for use in encrypted communication and to apparatus for use in the method; it is primarily concerned with a technique for establishing cryptographic key information. In particular it relates to a technique known as quantum cryptography.
2. Technical Background
In quantum cryptography fundamental physical laws are exploited to guarantee the secrecy of cryptographic keys transmitted over communication channels that may be subject to eavesdropping. Secure digital communication between two parties can in principle be achieved using the techniques of classical ‘secret key’ cryptography in which a publicly available algorithm that is activated by a secret and preferably random bit sequence (key) is used for encryption and decryption of transmitted information. In such a scheme the security of the system hinges entirely upon the secrecy of the key, and the users of the system must therefore ensure that any process used to establish, transmit, share or distribute the key is not susceptible to eavesdropping.
This problem of establishing a key securely has conventionally been addressed, for example, by the use of trusted couriers or by the use of ‘public key’ encryption techniques that allow the key to be transmitted in encrypted form over an insecure communication channel. However, the security of these methods cannot be guaranteed in principle: the former relies on the trustworthiness of the courier and the latter upon unproven assumptions concerning the difficulty of factoring large numbers. By contrast, quantum cryptography provides a method of establishing a key whereby the secrecy of the key can in principle be guaranteed since security is based upon fundamental physical laws.
In quantum cryptography the key information is encoded in a characteristic (in practice polarisation or phase) that can be carried by single optical photons that are transmitted over an optical path linking the two users of the system. In practical terms, encoding of single photons is not needed, and the signal transmitted is normally a notional encoded pulse sequence of so low an intensity that the probability of an individual pulse being observed to contain more than one photon is small. Typically the intensity will be such that only about one pulse in ten contains even one photon and the proportion containing two or more photons is less than one in a hundred. Pulses meeting this requirement will be referred to as “dim” pulses. The quantum properties of such signals ensure that any attempt at eavesdropping during transit will yield only partial information on the key and will also generate errors that are detectable by the legitimate users of the apparatus, since any photon detected by an eavesdropper is likely either to fail to reach its intended destination or to have been changed by the detection process. The quantum cryptography protocol exploits these fundamental properties to allow the legitimate users of such a communication channel to establish a shared, authenticated and certifiably secret key. The users can then employ the secret key together with an encryption algorithm such as the one-time-pad, for example, to encrypt and decrypt sensitive information that they wish to exchange in either direction.
The original quantum cryptography protocol formulated by C. H. Bennett and G. Brassard is described in their publication entitled ‘Quantum Public Key Distribution System’, IBM Technical Disclosure Bulletin, 28, 3153 (1985). This paper describes a system in which dim pulses of polarisation-encoded light are used to distribute the key information over an optical channel called the ‘quantum channel’. In such a scheme the transmitter A and the receiver B must share and maintain a common polarisation reference frame such that a vertically polarised pulse transmitted by A is received as a vertically polarised pulse by B, for example. This leads to the requirement for a polarisation maintaining quantum channel since any polarisation changes induced by the channel will increase the error rate in the system and so may make the system insecure or wholly ineffective. Standard optical communications fiber is potentially an excellent low loss medium that could be used to provide a quantum channel. However, the optical polarisation is not maintained in this type of fiber and instead tends to evolve and fluctuate with time. This is caused by environmental variations that lead to unpredictable fluctuations in the fiber birefringence. In principle an active polarisation controller can be used to track and compensate these polarisation changes, but this adds significantly to the cost and complexity of the quantum cryptography apparatus.
In a subsequent publication “Quantum Cryptography Using Any Two Non-Orthogonal States”, Physical Review Letters, 68, 3121 (1992), C. H. Bennett described an interferometric version of quantum cryptography in which dim pulses of light are phase encoded within a Mach-Zehnder interferometer that forms the basic quantum channel. In principle such an interferometric scheme can be immune to polarisation variation in the transmission fiber. This is because interference ‘visibility’ does not depend on the specific polarisation states of the interfering optical field components, only upon relative differences in these polarisation states. In practice, however, real implementations of this scheme are not immune to polarisation variations in the transmission fiber, because the optical components such as fiber couplers and phase modulators that are used to fabricate the transmitter and receiver parts of such a system typically exhibit birefringence and other polarisation dependencies. In general the degrees of birefringence in the spatially separated paths within the interferometer will not be identical and this leads to variations in the relative polarisation states of the interfering optical fields when the polarisation in the transmission fiber evolves.
C. Marand and P. D Townsend demonstrated a practical version of this interferometric approach using four non-orthogonal phase states in the paper “Quantum Key Distribution Over Distances as Long as 30 km”, Optics Letters, 20, 1695 (1995). Their experimental quantum cryptography system required active polarisation control to avoid the deficiencies described above.
Subsequently H. Zbinden, et al proposed an alternative solution to this problem in the publication “Interferometry with Faraday Mirrors for Quantum Cryptography,” Electronics Letters, 33, 586 (1997). In this approach the dim, phase encoded optical pulses are also polarised and also undergo a time dependent polarisation evolution in the fiber. However, by transmitting the optical pulses in both directions over the fiber and using a Faraday mirror to perform the reflection function, the polarisation evolution can be automatically compensated via the non-reciprocal properties of the Faraday Effect. This advantage is only obtained, however, at the penalty of the additional cost and complexity associated with the use of the Faraday mirror based design.
Recently G. Bonfrate et al demonstrated a compact, potentially low cost interferometer for quantum cryptography based on waveguide integrated optics in a publication entitled “Asymmetric Mach-Zehnder Germano-Silicate Waveguide Interferometer for Quantum Cryptography Systems”, Electronics Letters, 37, 846 (2001). The Faraday mirror based design is not amenable to monolithic integration using such waveguides since germano-silicate does not exhibit the Faraday effect.
One of the present inventors has proposed in WO97/44936 a technique for establishing a key in a method of using a non-polarisation-preserving optical link in which a first party to the communication (referred to as the transmitter, as it is the party that transmits by the quantum channel, though it may be either the transmitter or the receiver, or both by turns, of the eventual encrypted signal) sends to a second party (the receiver) a signal comprising pairs of effectively unpolarised dim pulses obtained by delaying a fraction of the signal by a constant predetermined time interval; at the receiver, a component of the signal that is polarised in a predetermined direction is selected by a polariser, and the relative phases of pulse pairs in that component are determined by delaying a substantially equal fraction of the signal by substantially the same predetermined interval, so that the pulses that were delayed in the transmitter but not in the receiver are brought into coincidence with those which were delayed in the receiver but not in the transmitter, whereby interference occurs, and phase differences between pairs of pulses are distinguished by observations responsive to the nature of such interference. It will be noted that the apparatus described requires a receiver that is active in the sense that it contains an active phase modulator driven by a random number generator, a polariser (which necessarily has an insertion loss of at least −3dB) and several polarisation controllers at different points.