1. Field of the Invention
This invention relates to distributing cryptographic key information and, more particularly, to constructive and destructive interference of light pulses of such low intensity that they could not in principle be measured reliably by an eavesdropper.
2. Description of the Prior Art
If two users possess shared random secret information ("key"), they can achieve, with provable security, the two chief goals of cryptography: 1) making their messages unintelligible to an eavesdropper and 2) distinguishing legitimate messages from forged or altered ones. A one-time-pad encryption achieves the first goal while Wegman-Carter authentication achieves the second goal. Unfortunately, both one-time-pad encryption and Wegman-Carter authentication consume key information and render it unfit for reuse. Therefore, some means of distributing fresh key information is needed in order for two users to achieve provable security that their messages are unintelligible to an eavesdropper.
One way of distributing fresh key information is by carrying a material storage medium such as magnetic tape, containing a copy of the fresh key, from one user to the other. Such a key is good only between the two users who have copies of it, and its security depends on its having been continually protected from inspection not only during its transport from one user to the other, but during the entire time from its generation until its destruction after the users have used it to encrypt or authenticate a particular message and no longer need it. The logistic problems of key distribution and storage are so great that many applications, such as secure telephones, instead use purely mathematical techniques by which two users, who may not have anticipated their need to communicate secretly, can nevertheless agree over an insecure telephone line on a "session key" which they use to encrypt the ensuing conversation and then destroy. Unfortunately, all such mathematical techniques for key agreement over an unprotected channel rest on unproven assumptions such as the difficulty of factoring large numbers.
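The key consumption described above can be made concrete with the following added example, which is not part of the original text: a one-time pad for secrecy and a Wegman-Carter style tag (a polynomial universal hash masked with one-time key) for authenticity, both drawing on a shared key pool whose bytes are deleted once used. The names, the 61-bit prime field and the choice to draw a fresh hash key for every message are assumptions of this sketch.

```python
import hmac

P = (1 << 61) - 1          # prime modulus for the hash family (example choice)

class KeyPool:
    """Shared secret key; bytes handed out are deleted and never reused."""
    def __init__(self, material: bytes):
        self._buf = bytearray(material)

    def take(self, n: int) -> bytes:
        if n > len(self._buf):
            raise RuntimeError("key exhausted: fresh key must be distributed")
        out = bytes(self._buf[:n])
        del self._buf[:n]
        return out

    def remaining(self) -> int:
        return len(self._buf)

def poly_hash(data: bytes, r: int) -> int:
    """Evaluate the message as a polynomial in r over GF(P) (universal hash)."""
    acc = 0
    for i in range(0, len(data), 7):
        # The 0x01 prefix makes blocks of different length encode differently.
        block = int.from_bytes(b"\x01" + data[i:i + 7], "big")
        acc = (acc + block) * r % P
    return acc

def wc_tag(pool: KeyPool, data: bytes) -> bytes:
    """Wegman-Carter style tag: universal hash masked by one-time key."""
    r = int.from_bytes(pool.take(8), "big") % P
    s = int.from_bytes(pool.take(8), "big") % P
    return ((poly_hash(data, r) + s) % P).to_bytes(8, "big")

def seal(pool: KeyPool, msg: bytes):
    pad = pool.take(len(msg))                  # one-time pad, used exactly once
    ct = bytes(m ^ k for m, k in zip(msg, pad))
    return ct, wc_tag(pool, ct)

def open_sealed(pool: KeyPool, ct: bytes, tag: bytes) -> bytes:
    pad = pool.take(len(ct))                   # consumed even if the check fails
    if not hmac.compare_digest(wc_tag(pool, ct), tag):
        raise ValueError("authentication failed: message forged or altered")
    return bytes(c ^ k for c, k in zip(ct, pad))

if __name__ == "__main__":
    key = bytes(range(64))                     # constructed sample key
    a, b = KeyPool(key), KeyPool(key)
    ct, tag = seal(a, b"meet at dawn")
    print(open_sealed(b, ct, tag), a.remaining())
```

Each message costs its own length plus 16 bytes of key, so a 64-byte pool is empty after a few short messages and sealing then fails until fresh key arrives.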
In a publication by C. H. Bennett and G. Brassard entitled "Quantum Public Key Distribution System", IBM Technical Disclosure Bulletin, 28, 3153 (1985), faint pulses of polarized light are used to distribute key information via a low-attenuating (10-20 dB), non-depolarizing optical channel, called the "quantum channel". By utilizing the "quantum channel", two users can agree on a secret key in an impromptu manner, just before it is needed, but with provable security based on the uncertainty principle of quantum physics. To do so, the users need not exchange any material medium, but they do require a communication channel of a particular physical form, whose transmissions, owing to the uncertainty principle, cannot be eavesdropped on without disturbance.
In a publication by A. K. Ekert et al., entitled "Practical Quantum Cryptography Based on Two-Photon Interferometry", Phys. Rev. Lett., 69, 1293 (1992), a short-wavelength laser illuminates a suitably cut non-linear crystal. Apertures A_S and A_I select photon pair beams which are launched into single-mode fibers by lenses L. Identical Mach-Zehnder interferometers are placed in the signal and idler arms of the apparatus. The interferometer outputs are viewed by signal So, Sl and idler Io, Il single-photon counting detectors.
In quantum cryptography, after the quantum transmission has been sent and received, the sender and receiver exchange further messages through a second channel, called the "public channel", which may be of any physical form such as an optical, microwave, or radio channel. These messages, which need not be kept secret from the eavesdropper, allow the legitimate sender and receiver to assess how much the quantum transmission has been disturbed by eavesdropping and by noise sources such as photomultiplier dark current. If the disturbance has not been too great, the messages also allow them to distill from the sent and received versions of the quantum transmission a smaller body of random key information which with high probability is known to the sender and receiver but to no one else.
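The public-channel steps described above can be simulated as follows (an added example, not taken from the cited publications). It compares a publicly chosen sample to estimate the disturbance, abandons the batch if the estimate exceeds a limit, removes errors with a simplified block-parity filter, and then shrinks the result by hashing with random subset parities. The function names, block size, error limit and the filter that drops mismatched blocks instead of correcting them are assumptions of this sketch; one function computes both parties' sides for convenience.

```python
import random

def estimate_error(sent, recv, sample):
    """Fraction of publicly compared positions on which the two sides disagree."""
    return sum(sent[i] != recv[i] for i in sample) / len(sample)

def parity_filter(sent, recv, keep, block=4):
    """Compare block parities in public and drop blocks that disagree.
    One bit of each surviving block is discarded to offset the disclosed parity."""
    a, b = [], []
    for j in range(0, len(keep) - block + 1, block):
        idx = keep[j:j + block]
        if sum(sent[i] for i in idx) % 2 == sum(recv[i] for i in idx) % 2:
            a += [sent[i] for i in idx[:-1]]
            b += [recv[i] for i in idx[:-1]]
    return a, b

def amplify(bits, out_len, seed):
    """Each output bit is the parity of a random subset chosen from a public seed."""
    rng = random.Random(seed)
    return [sum(x & rng.getrandbits(1) for x in bits) % 2 for _ in range(out_len)]

def distill(sent, recv, seed, sample_size, max_error, out_len):
    """Return (estimated error rate, sender key, receiver key); keys are None on abort."""
    rng = random.Random(seed)                 # public randomness, not secret
    sample = rng.sample(range(len(sent)), sample_size)
    rate = estimate_error(sent, recv, sample)
    if rate > max_error:
        return rate, None, None               # too much disturbance: discard batch
    disclosed = set(sample)                   # compared bits are now public
    keep = [i for i in range(len(sent)) if i not in disclosed]
    a, b = parity_filter(sent, recv, keep)
    return rate, amplify(a, out_len, seed + 1), amplify(b, out_len, seed + 1)

if __name__ == "__main__":
    sent = [(i * i + i // 3) % 2 for i in range(64)]   # constructed sample bits
    recv = list(sent)
    recv[5] ^= 1                                       # one constructed channel error
    print(distill(sent, recv, seed=7, sample_size=16, max_error=0.1, out_len=16))
```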
To prevent an impersonation attack, the public channel messages must be authenticated or otherwise protected against alteration or substitution, but they need not be kept secret. It should be emphasized that in quantum cryptography, no effort need be made to guard the quantum channel against passive or active wiretapping, because even if an eavesdropper did tap into it, the eavesdropper could not gain significant information about the key without introducing so much disturbance of the quantum transmission as to be detected. In the embodiment described in the publication by Bennett et al. above, each key bit is encoded in the polarization state of a single dim light pulse. When an optical fiber is used as the quantum channel, the polarization state of a single dim light pulse is affected by the mechanical and thermal fluctuations in the fiber environment, which cause the output polarization of a long fiber to wander unpredictably.