1. Field of the Invention
This invention relates generally to the field of quantum cryptography, and more particularly to an apparatus and method for allowing two users to exchange a sequence of bits and to confirm its secrecy.
2. Description of the Prior Art
If two users possess shared random secret information (below the “key”), they can achieve, with provable security, two of the goals of cryptography: 1) making their messages unintelligible to an eavesdropper and 2) distinguishing legitimate messages from forged or altered ones. A one-time pad cryptographic algorithm achieves the first goal, while Wegman-Carter authentication achieves the second one. Unfortunately both of these cryptographic schemes consume key material and render it unfit for use. It is thus necessary for the two parties wishing to protect the messages they exchange with either or both of these cryptographic techniques to devise a way to exchange fresh key material. The first possibility is for one party to generate the key and to inscribe it on a physical medium (disc, cd-rom, rom) before passing it to the second party. The problem with this approach is that the security of the key depends on the fact that it has been protected during its entire lifetime, from its generation to its use, until it is finally discarded. In addition, it is unpractical and very tedious.
Because of these difficulties, in many applications one resorts instead to purely mathematical methods allowing two parties to agree on a shared secret over an insecure communication channel. Unfortunately, all such mathematical methods for key agreement rest upon unproven assumptions, such as the difficulty of factoring large integers. Their security is thus only conditional and questionable. Future mathematical developments may prove them totally insecure.
Quantum cryptography (QC) is a method allowing the exchange of a secret key between two distant parties, the emitter and the receiver, with a provable absolute security. An explanation of the method can be found in Nicolas Gisin, Grégoire Ribordy, Wolfgang Tittel, and Hugo Zbinden, “Quantum Cryptography”, Rev. of Mod. Phys. 74, (2002), the content of which is incorporated herein by reference thereto. One party—the emitter—encodes the value of each binary digit—or bit—of the key on a quantum system, such as a photon, by preparing this quantum system in a corresponding quantum state. A quantum system carrying a bit of the key is known as a qubit. The qubits are sent over a quantum channel, such as an optical fiber, to the other party—the receiver—which performs a quantum measurement to determine in which quantum state each qubit has been prepared. The results of these measurements are recorded and are used to produce the key. The security of this method comes from the well-known fact that the measurement of the quantum state of an unknown quantum system induces modifications of this system. This implies that a spy eavesdropping on the quantum channel cannot get information on the key without introducing errors in the key exchanged between the emitter and the receiver. In equivalent terms, QC is secure because of the no-cloning theorem of quantum mechanics: a spy cannot duplicate the transmitted quantum system and forward a perfect copy to the receiver.
Several QC protocols exist. These protocols describe how the bit values are encoded on quantum systems using sets of quantum states and how the emitter and the receiver cooperate to produce a secret key. The most commonly used of these protocols, which was also the first one to be invented, is known as the Bennett-Brassard 84 protocol (BB84), disclosed by Charles Bennett and Gilles Brassard in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179, the content of which is incorporated herein by reference thereto. The emitter encodes each bit he wants to send on a two-level quantum system to prepare a qubit. Each qubit can be prepared either as an eigenstate of σx (|+x coding for “0” and |−x coding for “1”) or as an eigenstate of σy (|+y or |−y, with the same convention). One says that the bits are encoded in two incompatible bases. For each bit, the emitter uses an appropriate random number generator to generate two random bits of information, which are used to determine the bit value (one random bit) and the basis information (one random bit). Each qubit is sent across the quantum channel to the receiver, who analyses it in one of the two bases, i.e measures either σx or σy. The receiver uses an appropriate random number generator to produce a random bit of information which determines the measurement basis (the basis information). The measurement basis is selected randomly for each qubit. After the exchange of a large number of quantum systems, the emitter and the receiver perform a procedure called basis reconciliation. The emitter announces to the receiver, over a conventional and public communication channel the basis x or y (eigenstate of σx or σy) in which each qubit was prepared. When the receiver has used the same basis as the emitter for his measurement, he knows that the bit value he has measured must be the one which was sent over by the emitter. He indicates publicly for which qubits this condition is fulfilled. The corresponding bits constitute the so-called raw key. Measurements for which the wrong basis was used are simply discarded. In the absence of a spy, the sequence of bits shared is error free. Although a spy who wants to get some information about the sequence of qubits that is being exchanged can choose between several attacks, the laws of quantum physics guarantee that he is not able to do so without introducing a noticeable perturbation in the key. The security of the BB84 protocol relies on the fact that the qubits sent by the emitter are prepared in quantum states belonging to incompatible bases. For a given qubit, it is thus not possible for an eavesdropper to determine its quantum state with absolute certainty. More generally, the BB84 protocol belongs to a class of protocols where at least two quantum states, in at least two incompatible bases, are used.
In practice, one has to use imperfect apparatuses, which implies that some errors are present in the bit sequence, even without interaction of the eavesdropper with the qubits. In order to still allow the production of a secret key, the basis reconciliation part of the protocol is complemented by other steps. This whole procedure is called key distillation. The emitter and the receiver check the perturbation level, also known as quantum bit error rate (QBER), on a sample of the bit sequence in order to assess the secrecy of the transmission. Provided this error rate is not too large, it does not prevent the distillation of a secure key, also known as the distilled key, from the raw key. The errors can indeed be corrected, before the two parties apply a so-called privacy amplification algorithm that reduces the information amount that the eavesdropper could obtain to an arbitrarily low level.
Several other quantum cryptography protocols have been proposed. In 1992, Charles Bennett showed that it is sufficient to prepare the qubits in one of two non-orthogonal states and disclosed the so-called B92 protocol in Phys. Rev. Lett. 68, 3121 (1992), the content of which is incorporated herein by reference thereto. In this case, the emitter repeatedly sends qubits in one of two pure states |u1> or |u2>, which are non-orthogonal. It is not possible for the receiver to distinguish between them deterministically. However, he can perform a generalized measurement, also known as a positive operator value measurement, which some-times fails to give an answer, but at all other times gives the correct one (formally this measurement is a set of two projectors P1=1−|u2><u2| and P2=1−|u1><u1|). The results of this measurement on the qubits are used to generate bits of key. The fact that only two states are necessary means that this protocol is easier to implement in practice. It is nevertheless important to realize that an eavesdropper can also perform the generalized measurement. When he obtains an answer, he can forward a qubit prepared accordingly, while not doing anything when the result is inconclusive. This attack is particularly powerful in real apparatuses, where the receiver expects to detect only a small fraction of the qubits sent by the emitter, because of quantum channel attenuation and limited detector efficiency. When using mixed states Q1 and Q2 instead of pure states |u1> or |u2>, which is the case in practice, ft is nevertheless possible to foil this attack by ensuring that the mixed states selected span two disjoint subspaces of Hilbert space. This allows the receiver to find two operators P1 and P2, such that P1 annihilates Q2 and P2 annihilates Q1, but no state is annihilated by both operators. This guarantees that if the eavesdropper sends a vacuum state instead of one of the mixed states Q1 and Q2, the receiver still registers conclusive measurement results, which introduce errors with a non-zero probability. When considering a large number of qubits, this non-zero probability produces a measurable error rate.
In the past decade, several demonstrations of QC apparatuses have been implemented using photons as the qubits and optical fibers as the quantum channel. For these implementations to be of practical use, it is important that they are simple and allow, if possible, high rate key exchange, in spite of current technological limitations. This consideration influences the choice of the QC apparatus and of the set of quantum states in which the qubits are prepared. In spite of the fact that polarization states of the electromagnetic field represent natural candidates for the implementation of QC, they are difficult to use in practice when optical fibers carry the qubits. Optical fibers indeed usually induce polarization state transformations. On the contrary, timing information is extremely stable and it can be used to implement simple QC apparatuses. Debuisschert et al. have proposed in Physical Review A 70, 042306 (2004), the content of which is incorporated herein by reference thereto, a family of time coding protocols. In the simplest of these protocols, the emitter sends for each bit a single-photon pulse. One of the bit values, say “0”, is coded by an undelayed pulse, while “1” is coded by a delayed pulse. The value of the delay is smaller than the pulse duration. The receiver measures the time of arrival of the photons with respect to a time reference and defines three sets of events. The first one contains detections that can only come from undelayed pulses and are counted as “0” value bits. The second set contains detections that can only come from delayed pulses and are counted as “1” value bits. Finally, the third sets contains detections that can come from both the undelayed and the delayed pulses. They correspond to inconclusive results and are discarded. The receiver also sometimes sends the pulses into an interferometer to interferometrically measure their duration. The security of this protocol comes from the fact that whenever the eavesdropper obtains an inconclusive result, he must guess what state to forward to the receiver and has a non-zero probability of introducing errors. The interferometric measurement of the pulse duration prevents the eavesdropper from sending pulses much shorter than the original one to force the measurement result of the receiver. Using two additional delayed pulses carrying no information imposes supplementary symmetry constraints on the eavesdropper, which prevents him from exploiting quantum channel attenuation.
While the original QC proposal called for the use of single photons as qubits to encode the key, their generation is difficult and good single-photon sources do not exist yet. Instead, most implementations have relied, because of simplicity considerations, on the exchange between the emitter and the receiver of weak coherent states, as approximations to the ideal qubits. A coherent state consists of a coherent superposition of photon states. In other words, a fixed phase relationship exists between the different photon state components inside a coherent state. In order to describe such a state, it is sufficient to know its amplitude and global phase. A coherent state is said to be weak when its amplitude is small. Weak coherent states can be produced by attenuating laser pulses.
The fact that weak coherent states are used in practical implementations, instead of single photons, means that the eavesdropper can perform a very powerful attack, known as the Photon Number Splitting (PNS) attack. The eavesdropper performs a quantum non-demolition measurement to measure the number of photons present in each weak pulse. When a pulse contains exactly one photon, the eavesdropper blocks it. When a pulse contains two photons, the eavesdropper takes one photon and stores it in a quantum memory, while forwarding the other photon to the receiver. The eavesdropper finally measures the quantum states of the photons he has stored after the basis reconciliation step of the protocol. At this stage, the eavesdropper knows which measurement he must perform to obtain full information on the quantum state that had been sent by the emitter. In order to hide his presence, which could be revealed by a reduction of the detection rate of the receiver because of the blocked fraction of the pulses, the eavesdropper can make use of a perfect lossless channel—remember that in QC the eavesdropper is limited by physics but not technology—to forward to the receiver the multi-photon pulses from which he removed one photon. The PNS attack is particularly powerful in the real world, where the receiver expects to detect only a small fraction of the photons, because of quantum channel attenuation and limited detector efficiency. It is thus important to devise QC apparatuses and protocols that are resistant to these attacks.
Several approaches have been proposed to reduce the possibility for the eavesdropper to perform PNS attacks. Hwang W. Y. in Physical Review Letters 91, 057901 (2003), Wang X. B. in Physical Review Letters 94, 230503 (2005) and Lo H. K. et al. in Physical Review Letters 94, 230504 (2005), the contents of which are incorporated herein by reference thereto, have proposed to use Decoy states. Novel protocols resilient to PNS attacks have also been proposed. In H. Takesue et al, entitled “Differential phase shift quantum key distribution experiment over 105 km fibre”, quant-ph/0507110, the content of which is incorporated herein by reference thereto. Takesue et al. presented such a protocol using a binary (0, π) phase difference between two adjacent weak coherent states of duration t and separated by a time T in an infinite stream, with t smaller than T, to code the bit values. In this stream, adjacent weak coherent states are said to be phase coherent. The receiver performs an interferometric measurement to determine this differential phase and hence establish the bit value. The security of this protocol comes from the fact that the two quantum states corresponding to each differential phase value are non-orthogonal. An eavesdropper trying to measure bit values sometime obtains inconclusive results. In these cases, he has to guess which state to forward and introduces errors with non-zero probability. If he elects instead not to forward anything to the receiver when he obtains an inconclusive results, he suppresses interference for the adjacent weak coherent state, which causes errors with non-zero probability. In this protocol, PNS attacks on individual weak coherent states are obviously useless as the bit value is coded in the phase difference between adjacent states. An effective PNS attack would have to measure the number of photons in two adjacent weak coherent states. This would however destroy the phase coherence with the other neighboring states and introduce errors with a non-zero probability.