1. Field of the Invention
The purpose of this invention is a process and device for quantum distribution of an encryption key. It has applications in cryptography, in other words secret transmission of information.
2. Discussion of the Background
The invention relates to cryptography with a secret key. In this technique, a plain text message is transformed into a coded message using an algorithm with a secret key. This key is formed from a sequence of random numbers. The message sender and receiver must exchange this secret key in order to be able to correctly encrypt and decrypt the message.
If the key is as long as the message and if it is only used once, then it is impossible to decrypt the signal without the key.
The problem that occurs with this type of encryption is that the key has to be transmitted without being detectable by a third party eavesdropping on exchanges between the sender and the receiver.
Quantum key distribution or "quantum encryption" solves this problem. This technique uses some properties of quantum physics, particularly the following:
the state of an elementary particle (for example the polarization state of a photon) cannot be determined unless the measurement is made in the same base as the base that was used to prepare this state (for example, it is impossible to determine the state of a photon that was polarized circularly to the right or to the left, by measuring this state in a linear polarization base);
any measurement projects the studied system into a state specific to the base used to make this measurement; it is then no longer possible to determine the state in which the system was before the measurement if the base is not the same; thus, measuring the linear polarization of a photon prepared in a circular polarization state will result in loss of knowledge of its initial polarization state.
the protocol with four states: Alice uses two bases not orthogonal with each other formed by two orthogonal states. Bob uses one of the two bases at random to measure the state of the photon sent by Alice. This protocol was suggested by S. J. D. PHOENIX and P. D. TOWNSEND in an article entitled "Quantum Cryptography and Secure Optical Communications" published in the "revue BT Techn. Journ.", 11, 2, PP 65-75, 1993;
the protocol with two states: Alice only uses two non-orthogonal states of a photon to code her information. This protocol is described in document U.S. Pat. No. 5,307,410.
a) Bob detects nothing; this means either that there is no photon to be detected, or that the base used to make the measurement is orthogonal to the state of the transmitted photon; therefore, Bob cannot know which bit Alice sent to him.
b) The base used by Bob is not orthogonal to the state sent by Alice; there is then a non-zero probability of detecting a photon; in this case (when he detects a photon) Bob will know the state (and therefore the corresponding bit) of the photon sent by Alice (since he knows it is the state that is not orthogonal to the base that he used).
a) use fibers retaining the polarization, but this solution makes it impossible to use existing optical networks;
b) use a polarization control system; a polarized signal is sent and used to determine and correct polarization changes along the transmission line. In this case, the quantum transmission system becomes more complex and the polarization fluctuation along the quantum channel has to be checked regularly (and therefore the key transmission rate has to be reduced).
a sender emits a sequence of photons by choosing one of two determined states at random for each photon, each photon thus forming a code for one information bit,
an addressee detects the photons by choosing one out of two determined measurement bases, at random,
the addressee informs the sender which photons he detected through a public channel, without revealing which base he used,
a) generates a light beam with a given angular frequency (wo) and a given intensity,
b) produces a first electrical modulation signal with a given angular frequency (Ω),
c) gives this first electrical modulation signal a first phase (Ø_A) chosen at random from two values, the code for each bit thus being determined by this first phase (Ø_A),
d) modulates the light beam by the first electrical signal, this modulation showing up a central mode (wo) and at least two lateral modes (wo ± Ω),
e) attenuates the intensity of the light beam such that the intensity of the lateral modes is sufficiently low so that there is only one photon in the lateral modes, photons associated with the information bits that will form the encryption key thus being the photons transmitted in the two lateral modes and not in the central mode,
a) produces a second electrical modulation signal synchronous with the first electrical modulation signal used in the emission,
b) gives the second electrical signal a second phase (Ø_B) chosen at random from two given values, these two values being different from the two values chosen for the first phase (Ø_A) at the time of the emission,
c) modulates the light beam received by the second electrical signal,
d) optically separates the received central mode and the lateral modes,
e) in one of the lateral modes, detects the presence of a photon, this detection depending on the phase difference (Ø) between the first phase shift (Ø_A) chosen by the sender and the second phase shift (Ø_B) chosen by the addressee,
f) informs the sender which photons he detected, through the public channel, but without revealing the values of the second phase shift (Ø_B) that he used,
a) a light source capable of generating a light beam with a given angular frequency (wo) and a given intensity,
b) means of producing a first electrical modulation signal,
c) means of giving this first electrical modulation signal a first phase (Ø_A) chosen at random from two determined values, the code of each bit thus being determined by this first phase (Ø_A),
d) means of modulating the light beam by this first electrical signal, this modulation introducing a central mode (wo) and at least two lateral modes (wo ± Ω) in the modulated light beam,
e) a light beam intensity attenuator, such that the intensity of the lateral modes is sufficiently low so that there is statistically only a single photon in the lateral modes, the photons associated with the information bits that will form the encryption key thus being the photons transmitted in the lateral modes and not in the central mode.
a) means of producing a second electrical modulation signal synchronous with the first electrical modulation signal used in the emission,
b) means of giving the second electrical signal a second phase (Ø_B) chosen at random from two determined values, these two values being different from the two determined values chosen at the time of the emission for the first phase (Ø_A),
c) means of modulating the light beam received by the second electrical signal,
d) an analyzer for optically separating the received central mode and the lateral modes,
e) a photodetector receiving one of the lateral modes, the signal output by this photodetector depending on the phase difference (Ø) between the first phase shift (Ø_A) chosen by the sender and the second phase shift (Ø_B) chosen by the addressee,
f) means of informing the sender which photons were detected, through a public channel, but without revealing the values of the second phase shift (Ø_B) used,
FIG. 1 attached clarifies the principles of quantum key distribution to a certain extent. The sender and receiver are called Alice and Bob, according to the usual terminology in cryptography. Alice has a transmission set 10 composed of conventional transmission means 12 and quantum transmission means 14. Bob has a reception set 20 composed of conventional reception means 22 and quantum reception means 24. Alice and Bob communicate through two channels, one of which is public (Cp) and the other is quantum (Cq). Furthermore, it is assumed that a third party called Eve is eavesdropping on lines Cp and Cq.
The general process comprises the following steps:
1) Alice sends a sequence of photons to Bob on the quantum channel Cq, choosing the state in which each photon will be prepared in a random manner; each state is used to code one information bit; it is considered that the correspondence between the value of the coding bit and the state that codes it is known publicly.
2) On reception, Bob decides to measure the state of each detected photon at random, without knowing in advance the state in which it was prepared.
3) After the quantum communication, Alice and Bob discuss the results of their transmission through the public line Cp; the purpose of this discussion is to eliminate the incorrect measurements that can be explained by the quantum principles mentioned above; having done this, Alice and Bob each have a common string formed of a random sequence of bits; the presence of an eavesdropper will cause a higher error rate than would occur if there was no eavesdropper; this increase in the error rate is due to bad measurements (according to the quantum principles mentioned) made by Eve who wants to know the state of the photon sent by Alice.
4) The error rate is calculated by means of a publicly known process, and will detect the presence of the spy.
The protocols used at the present time can be classed into two groups: the protocol with four states and the protocol with two states.
The procedure for the latter protocol is as follows:
1) Alice sends a sequence of photons individually, choosing the type of state in which she prepares them at random (non-orthogonal states). These two states represent bits 0 and 1. The correspondence between the state and the value of the bit is known publicly.
2) On reception, Bob attempts to measure the state of the photon sent by Alice. He does this by choosing one of two measurement bases mutually orthogonal to the two states chosen by Alice, at random. Two cases may arise: either Bob detects nothing, or he detects a photon and then knows the state sent by Alice.
3) To determine the state of the photons sent by Alice, Eve has to make the same type of measurements as Bob and therefore is subject to the same constraints as Bob. When she detects a photon, she knows the state of the photon sent by Alice with certainty and can send a photon to Bob in the same state (obviously she will have one chance out of two of making the right choice). When she detects nothing she cannot know if it is because she chose the wrong base or if it is because there was no photon. In this case she must either delete the transmission signal or send a photon in the state that she assumes is right and thus introduce errors between Alice and Bob.
4) Bob publicly announces that he has detected a photon (or when he has not detected it), but does not reveal the base used to make the measurement. The remaining bits must be absolutely identical if the message was not intercepted. In order to test if there was any eavesdropping on their line, Alice and Bob publicly compare parts of their key, and then sacrifice this part. The presence of Eve will be detected by the errors that she caused.
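The two-state procedure in steps 1) to 4) above, as an added simulation that is not part of the original patent text. It assumes an ideal lossless channel with exactly one photon per pulse and an Eve who always resends, guessing the state her failed test did not exclude; the function names are hypothetical.

```python
import random

def measure(state_bit, test_bit, rng):
    """Two-state measurement: testing for `test_bit` projects onto the state
    orthogonal to the *other* signal state, so a wrong test never clicks and
    a right test clicks with probability 1/2 (e.g. states at 0 and 45 degrees)."""
    return test_bit == state_bit and rng.random() < 0.5

def run_two_state(n_photons, eve=False, check_fraction=0.5, seed=1):
    """Simulate steps 1-4; returns (error_rate_on_sample, key_alice, key_bob)."""
    rng = random.Random(seed)  # simulation only; real keys need a true RNG
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit = rng.randrange(2)            # step 1: Alice picks a state
        state = a_bit
        if eve:                             # step 3: intercept and resend
            e_test = rng.randrange(2)
            if measure(state, e_test, rng):
                state = e_test              # click: Eve knows the state
            else:
                state = 1 - e_test          # no click: Eve resends a guess (assumed strategy)
        b_test = rng.randrange(2)           # step 2: Bob picks a base at random
        if measure(state, b_test, rng):     # step 4: Bob announces a detection
            alice_key.append(a_bit)
            bob_key.append(b_test)          # a click identifies the state
    # step 4 (cont.): compare a random part publicly, then sacrifice it
    idx = list(range(len(alice_key)))
    rng.shuffle(idx)
    n_check = int(len(idx) * check_fraction)
    check, keep = idx[:n_check], sorted(idx[n_check:])
    errors = sum(alice_key[i] != bob_key[i] for i in check)
    rate = errors / n_check if n_check else 0.0
    return rate, [alice_key[i] for i in keep], [bob_key[i] for i in keep]

if __name__ == "__main__":
    for eve in (False, True):
        rate, ka, kb = run_two_state(20000, eve=eve)
        print(f"eve={eve}: sample error rate {rate:.3f}, key bits kept {len(ka)}")
```

Under these assumptions the compared sample shows no errors on a clean line and an error rate near one in four when every photon is intercepted and resent, which is the signal Alice and Bob look for in step 4.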
The coding used to put the photons in a certain state may be one of two types. The first type is coding by polarization. The information concerns the polarization state of the photon. This method is described by an article by G. H. BENNET, G. BRASSARD and A. EKERT entitled "Quantum Cryptography" published in the "Scientific American" 33, p. 26, 1993. It is also described in the article by C. H. BENNETT et al entitled "Experimental Quantum Cryptography" published in the "Journal of Cryptology" 5, pp 3-28, 1992. The problem with this technique is the difficulty of maintaining the polarization of photons over a long distance.
In a second type of coding, the optical phase is adjusted. The device is shown schematically in FIG. 2 attached. It comprises a single photon source 40, a symmetric Mach-Zehnder interferometer 41 comprising a phase modulator 42 specific to Alice and a phase modulator 52 specific to Bob. At the output from the interferometer there are two photon detectors 61, 62 and a decryption and counting circuit 64.
This device operates as follows: Alice and Bob input a phase difference for each photon emitted by the source 40, using modulators 42 and 52. Alice arbitrarily chooses the phase to which bits 0 and 1 correspond. Bob determines the state of the sent bit using the two detectors 61 and 62, following the second measurement protocol described above.
This solution is difficult to use over long distances (in other words for systems using optical fibers) since the same phase relation has to be kept between the two arms of the interferometer over the entire distance.
Therefore another system is used for long distances, shown in FIG. 3. This system also uses a single photon source 70, a first Mach-Zehnder interferometer 80 used in emission, with a second phase modulator 82 specific to Alice and a second Mach-Zehnder interferometer 90 used in reception with a second phase modulator 92 specific to Bob, two single photon detectors 101, 102 and a decryption and counting means 104. The two interferometers 80, 90 are connected through a channel 95 which in practice is an optical fiber.
This device operates as follows. Each interferometer has an optical phase shifter 82, 92 on one of its arms, used to transmit the key. However, it is necessary that the signals from the two arms in the same interferometer do not interfere. Therefore these two signals have to be separated, for example either by using a delay between the two arms exceeding the source coherence length (which in this case is pulsed) or by using an acoustic-optical modulator to produce a frequency separation of the signal propagating in one of the two arms of the interferometers.
Another possible device is the device described in patent U.S. Pat. No. 5,307,410 already mentioned. The device is shown in FIG. 4 attached. It includes a pulsed source 110, a first interferometer specific to Alice with a first semi-transparent blade 112, a first phase modulator 114 and a second semi-transparent blade 116; it also includes a second interferometer specific to Bob, with a third semi-transparent blade 118, a second phase modulator 120 and a fourth semi-transparent blade 122; the device also comprises a single photon detector 124 and finally a counting and encryption circuit 126.
The source 110 and the arm lengths are such that the light pulses are separated by an interval exceeding the length of the pulses. But unlike the previous device, the pulses propagating in the two arms of the interferometer do not have the same intensity (due to the semi-transparent blades). Thus at the output from the first interferometer, two pulses 130, 132 are observed separated by delay ΔT. The pulse 130, called the reference pulse, is the pulse with the conventional intensity. The other pulse 132, called the signal pulse, containing less than one photon on average, has been subjected to a controlled phase shift by Alice. Three pulses are observed at the output from the second interferometer. The first pulse, 140, has negligible intensity. It originates from the signal pulse that was attenuated again. The second pulse, 142, is the superposition of the first delayed (but not attenuated) signal pulse and the attenuated reference pulse phase shifted by Bob. Therefore the intensity of the second pulse 142 depends on the phase shifts introduced by Bob and Alice. This is used to transmit the encryption key. The final pulse, 144, is the part of the reference pulse that was delayed again and for which the intensity is constant. It will be used to determine if there was a spy on the line.
The devices described above all have disadvantages:
1) For coding by polarization, the technical problem is due to the difficulty of rigorously keeping the polarization through optical fibers used in telecommunication. To solve this problem, it is necessary either to use fibers retaining the polarization or to use a polarization control system.
2) For coding by optical phase, the systems presented above have two interferometers (emitter-receiver) with relatively long arms. The difficulty is to keep the delay between the two arms constant with high precision.
The purpose of this invention is to overcome these disadvantages.