Quantum Cryptog Quantum Cryptog - OSA Publishing

3 downloads 0 Views 138KB Size Report
who has access to all of the message traffic passing between ... sent, Alice and Bob compare the bases they used for each ... from this raw key in subsequent computa- ... interferometers provide a way to carry out quantum cryptography ... reliably decode if his apparatus uses a lin- ... not change more rapidly than the time it.
Quantum Cryptog Using Autocompensating Fiber-Optic Interferometers

William P. Risk and Donald S. Bethune

he desire to communicate in secrecy is an ancient one: literature surviving from the time of the Roman Empire describes a substitution cipher used by Julius Caesar; earlier Greek writings describe methods used to conceal confidential military and diplomatic communiqués from the eyes of unauthorized readers. Two millennia later, modern concepts of quantum mechanics are being combined with state-of-the-art optoelectronics to provide a truly novel solution to this ancient problem. “Quantum cryptography” was first explicitly described by Charles H. Bennett of IBM and Gilles Brassard of the University of Montreal in 1984. Bennett and colleagues reported the first experimental demonstration in 1992. Since then, practical quantum cryptography systems have been under development in laboratories around the world. They are now emerging

T

26 Optics & Photonics News

July 2002

■ 1047-6938/02/07/0026/7-$0015.00 © Optical Society of America

from that environment to be tested in “real world” installations. In contrast to other cryptographic methods that depend on physical or computational barriers for security, quantum cryptography derives its security from the fundamental principles of quantum mechanics—in particular, from the quantum-mechanical properties of single photons. Quantum cryptography is also called “quantum key distribution,” because its aim is to provide a shared, secret key—a random string of 0s and 1s—to two authorized parties who desire to communicate securely (traditionally called “Alice” and “Bob”), even in the presence of an eavesdropper (traditionally called “Eve”) who has access to all of the message traffic passing between Alice and Bob. Once established, this key can be used with conventional encryption methods to send encrypted messages over a public communi-

cations channel. The “Vernam cipher,” or “one-time pad,” is one example of such a method, which has been shown to be unbreakable as long as the key is completely random, totally secret, and used only once. The security of this approach thus depends on ensuring that Alice and Bob have identical copies of the key and that this key is unknown to anyone else. In the past, human couriers have been used to distribute the keys and the security of the method depended on the trustworthiness of these agents. Now, using quantum cryptography, Alice and Bob are able to create a shared, secret key in a way that derives security from the principles of quantum mechanics rather than human dependability. In order to understand how quantum cryptography works, it is important to realize that it does not seek to convey a copy of a pre-existing key from Alice to Bob, as is done in conventional cryptography; rather, the goal in

ography

Quantum cryptography provides a modern solution to an ancient problem: ensuring secure private communication over an unsecured public channel. Autocompensating fiber-optic interferometers provide a way to carry out quantum cryptography over standard telecom fiber links using an implementation that automatically and passively corrects for uncontrolled environmental perturbations.

quantum cryptography is to create from scratch identical, secret keys at Alice’s and Bob’s stations using an unsecured, public communications channel.

Single photons: the essence of quantum cryptography At the heart of quantum cryptography is a quantum optics experiment carried out jointly by Alice and Bob. It is in this stage of the process that quantum mechanical behavior is invoked to assure security. Individual photons are used to carry information between Alice and Bob, since they exhibit the required quantum mechanical properties and can be transmitted over long distances. Two aspects of the quantum mechanical behavior of single photons are exploited in quantum cryptography. The first aspect is that a single photon cannot be divided. In the first stage of the process, Alice

generates a random sequence of 0s and 1s, encodes each bit in the quantum state of a single photon, and sends these photons to Bob. Using a single photon per bit guards against the possibility that Eve might use a partially reflective mirror to sample the optical signal and extract her own copy of the bits, as she could attempt to do if many photons were used to transmit each bit. The second aspect is that a single measurement is not sufficient to determine the quantum state of a photon with certainty, and furthermore, the act of measurement itself alters the state. An exception occurs if the same basis is used in both the preparation and the measurement of the quantum state. For example, suppose that Alice uses two orthogonal polarization states to encode each bit value, sending a photon with horizontal linear polarization to represent a “0,” or with vertical linear polarization to represent a “1.” Bob’s detection apparatus

might consist of a polarizing beam splitter and two detectors, as shown in Fig. 1(a). Light that is polarized parallel to the plane of the apparatus is transmitted to the “0 Detector,” and light that is polarized perpendicular to the plane is reflected to the “1 Detector.” If Bob’s apparatus is aligned so that this reference plane is perfectly horizontal, then he will accurately interpret the bits sent to him by Alice. However, suppose that Bob’s apparatus is rotated by 45° [Fig. 1(b)]. Then, for example, an arriving horizontally polarized photon will be directed at random by the polarizing beam splitter to either detector with equal probability and, upon leaving the beam splitter, will be polarized accordingly either perpendicular to or parallel to the plane of the apparatus. For about half of the photons he receives, Bob will measure the correct bit values by random chance; for the other half, he will measure the wrong bit values. In this basis-mismatched situation, Bob’s measurements will give completely random results and no information at all about the states Alice sends. The requirement that Alice and Bob use matching bases in order to deterministically communicate bit values has several important practical implications. One is that by varying the basis they use unpredictably, Alice and Bob can hamper Eve’s attempts to measure the photon states. Suppose that Eve intercepts the photons sent by Alice, attempts to measure the polarization state of each one, and then generates a replacement photon polarized according to her measurement. If Eve knew that Alice and Bob were using a horizontal-vertical (H-V) polarization basis, she could succeed in this attack. However, suppose that for each photon sent, Alice randomly chooses to use either the H-V basis or a different basis consisting of linear polarizations at 45°, and Bob randomly chooses to align his apparatus to measure according to one basis or the other. Then, after a large number of photons have been sent, Alice and Bob compare the bases they used for each photon Bob measured. For those cases in which they used the same basis, Bob should have determined the correct bit value, so he and Alice retain these bits as their “raw key” and discard the rest. Alice and Bob distill their final key from this raw key in subsequent computational steps they carry out cooperatively, as explained below. Now suppose that in this “four-state” case, Eve attempts to intercept, measure,

July 2002



Optics & Photonics News 27

QUANTUM CRYPTOGRAPHY

Figure 1.Alice can reliably communicate bit values to Bob only if they use the same basis for setting and measuring polarization state, as in (a). In this case, a horizontally polarized photon emitted by Alice’s “0” single-photon source (SPS) is reliably directed to Bob’s “0” detector, and similarly for a vertically polarized photon representing a “1.” If Bob does not use the same basis as Alice, as in (b), then for a photon of either polarization, there is a non-zero probability that it will be directed to the wrong detector.

and retransmit the photons. Her activity will cause about 25% of the retransmitted bits in Bob’s copy of the raw key to be in error. To see this, consider the following argument: Alice and Bob ultimately retain only those bits for which they used the same basis. For each intercepted bit, Eve had to make a random choice of basis. If she picked correctly (and used that same basis to encode the photon she sent on to Bob), she will have successfully learned the value of a given bit without altering Bob’s result. However, for about half the bits, she will have chosen the incorrect basis and the photon sent on to Bob will have been polarized according to this mismatched basis. By random chance, Bob will interpret this bit correctly in about half the cases and incorrectly in the remainder. Thus, because of Eve’s activity, Bob’s bits will disagree with Alice’s in about one-fourth of the cases, even though they used the same basis. Alice and Bob can discover this fact by directly comparing a fraction of their bits (which they then discard and do not use in further distillation of the final key). Another practical implication of the requirement that Alice and Bob use matching bases to deterministically communicate bit values is that Bob’s measurements will be accurate only if the polarization states sent by Alice are preserved during propagation to Bob. This will not, in general, be the case if the transmission medium is an optical fiber. Many factors, such

28 Optics & Photonics News



July 2002

as mechanical stresses and geometrical imperfections, create birefringence in a typical telecommunications-grade fiber, which alters photon polarization states in a complex, time-varying and unpredictable way. Hence, a linearly polarized photon sent to Bob via a long length of optical fiber will in general arrive in some elliptical polarization state that he cannot reliably decode if his apparatus uses a linearly polarized basis. This polarization stability issue is a crucial problem that must be addressed in order to perform quantum cryptography over practical fiber-optic links. (However, one way to avoid this problem is to transmit photons through the atmosphere rather than through a fiber. Work on this approach is being pursued at the Los Alamos National Laboratory, for example, with the ultimate aim of establishing shared, secret keys between terrestrial users and orbiting satellites).

Autocompensating quantum cryptography The basic approach Two main approaches for solving this polarization stability problem have been pursued. The first approach—and the most straightforward one—is to give Bob a polarization compensator that can be set to undo whatever polarization transformation occurs in the fiber. The disadvantage of this technique is that it requires Alice

and Bob to interrupt the process of key generation periodically in order to recharacterize the system and readjust Bob’s compensator. The second approach for solving the polarization problem is to use the phenomenon of “Faraday orthoconjugation,” as first described by Mario Martinelli in 1989.1 Martinelli showed that if light sent through a fiber is reflected using a “Faraday mirror”—a Faraday rotator set for 45° rotation followed by a standard mirror— and made to pass a second time through the fiber in the reverse direction, the returning light emerges from the fiber in a polarization state exactly orthogonal to that which was originally launched. For example, vertically polarized light launched into the fiber will return horizontally polarized. This will be true no matter what general elliptical polarization state the light is in when it reaches the Faraday mirror, and even if the polarization-transforming characteristics of the fiber are time-varying (so long as they do not change more rapidly than the time it takes light to make a round trip through the system). Faraday orthoconjugation provides polarization compensation that is passive and automatic, but at first glance it seems incompatible with quantum cryptography, which is usually thought of in terms of one-way transmission of single photons from Alice to Bob. However, a system using Faraday autocompensation can be adapted for quantum key distribution. Suppose that Bob generates a train of “plain vanilla” linearly polarized pulses, each containing many photons, which he sends down a fiber to Alice. She reflects them with a Faraday mirror and, in addition, attenuates them to the single-photon level before returning them through the fiber to Bob. Any photon that makes it back to Bob’s end will have completed a round trip through the system and, because of Faraday orthoconjugation, will return in a stable, orthogonal polarization state. This stream of returning single-photon level pulses can be used to implement quantum cryptography, One thing, however, is still lacking— Alice must have some way of encoding the photons at her station so that their polarization states upon arrival at Bob’s station are altered, thus communicating her randomly chosen bit values. Consider the arrangement shown in Fig. 2. Using a po-

QUANTUM CRYPTOGRAPHY

larizing beam splitter (PBS1), Bob splits an initial pulse, polarized at +45°, into horizontally polarized (H) and vertically polarized (V) components [Fig. 2(a)]. V is forced to take a longer path to PBS2, so that it is delayed by a time  relative to H, before following H down the fiber [Fig. 2(b)]. The two pulses emerge from the far end of the fiber in orthogonal elliptical polarization states [Fig. 2(c)]. Assume for the moment that Alice does nothing but Faraday reflect and attenuate the two pulses. The two pulses re-enter the fiber with “orthoconjugated” polarization states [Fig. 2(d)], such that after an additional transit through the fiber, they emerge at Bob’s end in pure horizontal and vertical polarization states [Fig. 2(e)]. However, the first pulse to return to Bob’s end, which left horizontally polarized, returns vertically polarized and the second, which left vertically polarized, returns horizontally polarized [Fig. 2(e)]. The first returning pulse is then delayed by  and arrives back at PBS1 exactly coincident with the second pulse [Fig. 2(f)]. The two pulses finally recombine to create a single pulse polarized at –45°. Now, suppose that Alice is equipped with a phase modulator fast enough to allow her to impart a phase shift A to only one of the two pulse components arriving at her end. Then, when these two components arrive back at Bob’s end and recombine, the reconstructed polarization state will be determined by this phase difference. For example, if Alice chooses A=0, the reconstructed state will have a linear polarization at –45° as before, but if she chooses A=, the reconstructed state will have a linear polarization at +45°. If she chooses A=2, the reconstructed state will be circularly polarized. Hence, by using her fast phase modulator, Alice can control the polarization states of photons received by Bob. This is just what is required to implement quantum cryptography. Alice and Bob can use the “four-state” protocol described previously by giving Bob a phase modulator in his delay loop, which he can use to impart a phase shift to the first pulse of the returning pair. By selecting a phase shift of 0 or –/2, he can choose to measure the state of the returning single photon in the linear or circular polarization basis, respectively. Thus, depending on the phase values he and Alice choose, the photon is routed to one of two

Figure 2. Adaptation of Faraday orthoconjugation for quantum cryptography. A detailed explanation is given in the text.

detectors according to its reconstructed polarization state, either deterministically or randomly, as shown in Table I. The system being used by Alice and Bob is thus an interferometer—tens of kilometers long, but requiring no mechanical or thermal stabilization and producing high-contrast (~650:1) routing of photons in response to intentionally applied phase shifts. Alternative configurations of fiber-optic interferometers have also been used for quantum cryptography, but because of the long path length, problems resulting from sensitivity to the environment are hard to avoid, and these approaches generally require some form of active intervention either to continuously maintain or periodically “retune” the interferometer. The Faraday orthoconjugation approach has the practical advantage of providing interferometric stability in a way that is completely automatic and passive. (For a detailed review of both autocompensating and alternative designs, the reader is referred to the article by N. Gisin, et al.2).

Basis, Bit Odd, 0 Even, 1 Basis B↓, A→

Odd, 1 Even, 0

−π/2

0

π/2

π

Odd

−π/2

D0

?

D1

?

Even

0

?

D0

?

D1

Table 1. Example of an assignment of bit and basis to various A , B combinations. For deterministic cases, the detector receiving the photon is indicated, while random arrival cases are indicated by a question mark.

Practical implementations The use of autocompensating interferometers for quantum cryptography was conceived independently at about the same time by our group at IBM and by that of Professor Nicolas Gisin at the University of Geneva. Our initial system used some bulk-optic components; the earliest Geneva system was all fiber but of a design that suffered from some optical inefficiencies. In subsequent refinements, both groups have arrived at rather similar, all-fiber designs. Most of the earlier work on these systems used the 1310-nm telecom wavelength. Recently, a third group, at the Roy-

July 2002



Optics & Photonics News 29

QUANTUM CRYPTOGRAPHY

Figure 3. Experimental arrangement for the all-fiber QKD system.

al Institute of Technology in Sweden, has demonstrated a similar system working at 1550 nm, which the Gisin group has also used in their most recent work. Figure 3 shows the most recent allfiber-optic implementation of the quantum cryptography system developed at IBM. Although it is possible in an all-fiber system for Bob to use polarization-sensitive components to route the photons, as described in Fig. 2, in practice two-beam interference provides better contrast and hence, better accuracy in sending each photon to the correct detector. In operation, Bob uses a standard telecom distributed-feedback laser to produce a 1310-nm pulse, with intensity adjustable using a variable attenuator. A fiber loop polarization controller is used to maximize transmission through Bob’s phase modulator, which uses a lithium niobate waveguide made by annealed proton exchange and therefore guides only a single linear polarization. The pulse is split in two by a variable coupler made from polarizationmaintaining (PM) fiber and carefully adjusted to have a 50:50 split ratio; at this point, both pulses have the same linear polarization. Now the pulses take different paths, so that they arrive at PBS1 with a 30-ns delay between them. The pulse taking the longer path travels through Bob’s phase modulator, which he turns off for outbound pulses. The pulse taking the shorter path has its polarization rotated by 90° using a modified fiber connector that aligns the slow axis of one PM fiber with the fast axis of the other. Fiber polarization

30 Optics & Photonics News



July 2002

splitter/combiner PBS1 is then used to efficiently couple both pulses (now orthogonally polarized) onto the main 20-km length of fiber. When the pulse pair arrives at Alice’s end, her goal is to impart a phase shift to one of them but not to the other. She has a phase modulator identical to Bob’s, which only transmits one linear polarization. This is a problem, however, since each pulse emerges from the 20-km fiber in some arbitrary elliptical polarization state. In order to use her modulator with such a pulse, Alice exploits the following trick. She splits the pulse into linearly polarized components corresponding to the fast (F) and slow (S) axes of polarizing beam splitter PBS2. The F-polarized component is aligned correctly for transmission through the phase modulator and is sent directly to it, traveling clockwise around the loop. The S-polarized component is sent to the Faraday mirror, where it is rotated to Fpolarization upon reflection, and is then sent to the modulator, traveling counterclockwise around the loop. If the path lengths are chosen correctly, both components will pass through the modulator at the same time, in opposite directions, and will acquire the same phase shift, A, chosen by Alice. After the two components pass through the modulator, the component traveling counter-clockwise (which previously encountered the Faraday mirror and was flipped from S to F) continues around the loop to PBS2. The component that is traveling clockwise is first sent to the Faraday mirror, where its polarization

is flipped from F to S, and then sent back to PBS2. The two orthogonally polarized components arrive back at PBS2 at exactly the same time and are recombined into a single pulse. The polarization state of this reconstituted pulse is whatever it would have been had it simply been reflected from the Faraday mirror, but in addition the pulse has an overall phase shift A. All the activity just described applies to each of the members of the pulse pair arriving at Alice’s end. For the first pulse, Alice turns her phase modulator off so that no phase shift is imparted to it, while for the second she applies a phase chosen at random from the values {-/2, 0, /2, }. Both pulses are also attenuated to the single photon level before being returned to Bob. When the two pulses return to Bob’s end, they emerge in linear polarization states aligned to the fast and slow axis of Bob’s PM fiber. The polarization of the first pulse is such that it is directed by PBS1 along the longer path containing Bob’s phase modulator, which he can use to impart a phase shift B= -π/2 or 0. The second pulse is directed along the shorter path and its polarization is rotated 90° by the fast-slow coupler. Thus, both pulses arrive at the PM variable coupler at the same time, with the same polarization, and with a relative phase shift =A– B. The interference of these two components at the coupler, controlled by their phase difference , determines to which detector the returning light is routed. In this interferometric scheme, the “bases” correspond to the choice of phase shifts that are “even” or “odd” multiples of /2. Figure 3 also shows other components that are used to make the system work. Alice and Bob must be able to precisely coordinate the activation of their phase modulators and Bob must have some way of knowing when to activate his detectors. In order to achieve this synchronization, a 1550-nm timing signal is multiplexed onto the same fiber that carries the 1310-nm quantum key signal. Bob must be able to reliably detect 1310-nm single photons. In order to do this, he uses InGaAs avalanche photodiodes (APDs) operated in the so-called “Geiger mode.” In this mode, the APD is biased below its breakdown voltage, VB , except for brief intervals when the arrival of a photon is expected. At these times, it is pulsed a few volts above VB for approxi-

QUANTUM CRYPTOGRAPHY

mately 1 ns. If a single photon arrives during this period of excess bias, it can trigger an avalanche consisting of millions of electrons, which can be easily detected. Unfortunately, other events can also trigger avalanches when the APD is biased above breakdown. In particular, charges that are thermally excited out of traps can produce “dark counts” that result in errors in the key. In order to reduce these dark counts to an acceptable level, our InGaAs APDs are cooled to ~120 K.

Error correction and privacy amplification After Alice and Bob identify and retain those bits for which they used the same basis (the “raw key”), they must find and eliminate any differences in their respective copies of the raw key. These errors may have been caused by the activity of an eavesdropper or may be due to imperfections in their apparatus. For example, their interferometer has excellent, but not perfect, contrast. Hence, there is a small probability that a photon will be routed to the wrong detector. Also, either of Bob’s detectors may occasionally avalanche, even when no photon has been received, so that an incorrect count may be recorded. Alice and Bob can perform error correction by each arranging their “raw key” into blocks of fixed length and comparing the parity they compute for each block. If the parities agree, they assume that there is no error in that block (although there may be an even number of errors); if they disagree, they perform a bisective search on the block to find and remove the error. Each time they publicly reveal a parity bit, they discard one key bit to prevent Eve from accumulating knowledge about the key. In the system of Fig. 3, the discussion required to perform these steps is carried out using the laboratory’s local area network. Performing this operation three times, using different block sizes each time and randomly rearranging the key bits in between (in order to expose errors that were clustered in even numbers within a block in a previous step) is usually sufficient to reduce the errors to a very small number. At that point, it becomes more efficient to compare the parities of randomly chosen subsets of half the bits in the entire key. Again, if the parities of a subset disagree, a bisective search is performed to find and eliminate the error. Once Alice

Figure 4. Bit rates (black: raw; blue: error-corrected; green: privacy-amplified) and bit-error rate (red) as a function of average photon number per pulse, for a 10-km (a) and 20-km (b) fiber link.

and Bob’s parities agree for a large number (20–30) of successive random subsets, they can have a high level of confidence that their copies of the key agree exactly. However, they cannot be equally certain that their key is secret. The errors they discovered may betray the activity of an eavesdropper. Hence, in order to reduce the knowledge any potential eavesdropper could have about their key, they perform a further joint computation, dubbed “privacy amplification” by Bennett and Brassard. As a first step, Alice and Bob calculate a conservative, upper bound for Eve’s knowledge about their key. Then, in a process that closely resembles the last stage of error correction, Alice and Bob compute the parities of random subsets of the error-corrected key bits, but now they keep these parity bits secret and save them as bits of their final key. Bennett showed that if they choose the number of bits to save properly, Alice and Bob can exponen-

tially dilute the amount of information Eve could have about this final key. When this process is completed, Alice and Bob can have quantifiably high confidence that their key is truly secret.

System performance and limitations The rate at which Alice and Bob can generate error-corrected, privacy-amplified key bits over distances of 10 km and 20 km using the system of Fig. 3 is shown in Figs. 4 (a) and (b), respectively. The figure shows the rate at which raw key, error-corrected key, and privacy-amplified key can be generated, and makes clear the bit cost associated with the latter two processes. For the shorter link, key generation rates exceeding 1.5 Kbit/s of final key were obtained. For the longer link, the key generation rate was reduced by about a factor of ten. Part of this reduction comes from the greater loss of the longer fiber—fewer

July 2002



Optics & Photonics News 31

QUANTUM CRYPTOGRAPHY

photons survive all the way from Alice to Bob—but some also results from a higher bit-error rate, which makes error correction and privacy amplification more costly in terms of the number of bits that must be sacrificed. Detector dark counts occur at roughly the same rate as in the 10-km system, but fewer bit-bearing photons are received in a given time interval when the 20-km fiber is used. Thus, a greater fraction of the received bits are errors. In addition, errors are induced by photons backscattered from the strong pulses traveling from Bob to Alice. This effect increases for longer lengths of fiber. One way to address the backscattering problem is to slightly shift the frequency of the single photons returning from Alice’s station so that they can be distinguished from backscattered photons.3 Although it turns out that a slight frequency shift does not degrade the autocompensation, it proves to be difficult in practice to adequately filter the desired photons from the undesired ones. An alternative approach that has been demonstrated by the Geneva group is for Bob to send pulses in bursts, which accumulate in a fiber delay line behind Alice’s attenuator and then return during a time when no other light is present on the fiber.4 Although our experiments were carried out using a fiber spool in the laboratory, other groups have experimented with installed fiber links. The Gisin group has recently reported generating final, privacyamplified key at a rate of about 50 bits/s with an autocompensating system using 1550-nm light transmitted through a 67-km long fiber running under Lake Geneva.5 Single-photon detection at telecom wavelengths is a major factor limiting performance of the system. The commercially available APDs that have been used in prototype QKD systems were designed to operate at room temperature with a particular bias. Quantum cryptographers subject them to cold temperatures to reduce dark counts and to bias voltages above breakdown in order to obtain single-photon sensitivity. It is perhaps not surprising that there is considerable variability in their performance under these harsh conditions. The InGaAs detectors used in our experiments are cooled to about 120 K and are pulse-biased about 3.5 V above VB at 1 MHz; these operating conditions give an efficiency for detection of single photons of 15–20% and an (ungated) dark 32 Optics & Photonics News



July 2002

count rate of about 10,000/s. In contrast, silicon APDs used for detection of visible and near-IR single photons have an efficiency around 70% and a dark count rate of about 25/s. Better single-photon detectors designed for telecom wavelengths could dramatically improve the performance of QKD systems. In most implementations of quantum cryptography investigated so far, “single photons” have been obtained by greatly attenuating a train of laser pulses, each of which contains a very large number of photons. Because the behavior of the photons emitted by a laser are governed by Poisson statistics, attenuating a laser pulse to the power level corresponding to a single photon per pulse does not consistently produce pulses containing single photons—in fact, for pulses averaging one photon per pulse, about 37% will contain a single photon, an equal number will contain no photon, and about 26% will contain two or more photons. These multiple photon pulses present a security risk, since Eve can sample them using a beam splitter. In practice, the laser pulses are attenuated so that they have an average of perhaps 0.1 photon per pulse. Under these conditions, the likelihood of a multiplephoton pulse is reduced to about 1 in 200; the price paid is that only about 1 pulse in 10 contains a photon and the rest contain none. Hence, even though the laser is triggered at a repetition rate of 1 MHz, the rate at which single-photon pulses leave Alice’s station is roughly a factor of ten smaller. On-demand generation of true single-photon pulses at high repetition rates is thus another area of active research that could improve the performance of quantum cryptography.

Future directions The successful operation of quantum cryptography systems in the laboratory has prompted new interest in evaluating them in more realistic and demanding environments and in further refining their hardware design, software integration, network architecture, and implementation of protocols. For example, one DARPAfunded consortium led by BBN Technologies aims to build and test a three-way quantum cryptography network in the Boston area and subject it to attacks from real eavesdroppers. Other efforts based on free-space transmission rather than fiber are being pursued by NIST and Los Alamos National Laboratory. A Swiss start-up

company, “id Quantique,” spawned from the work of the University of Geneva group, now offers an autocompensating, fiber-based QKD system for sale. Research is still needed on improved sources and detectors at telecom wavelengths suitable for quantum cryptography. Ongoing programs at universities and industrial research laboratories are exploring a number of mechanisms that may lead to on-demand, electrically triggered generation of single photons and high-efficiency, low-noise, near-room-temperature detection of single photons at telecom wavelengths. Other approaches to quantum cryptography are also being investigated. Some are essentially variations on the scheme presented here, perhaps using a different number or different kinds of bases, or with adaptations designed to thwart other kinds of potential attacks by an eavesdropper. Other approaches are fundamentally different and more exotic—for example, using entangled pairs of photons produced by parametric down-conversion in a nonlinear crystal—to establish correlations between measurements made by Alice and Bob from which a key can be derived. It now seems likely that quantum cryptography will find niches in situations in which secure communication is considered vital, alternative approaches are unavailable (such as for satellite rekeying), or in which there is some reason to believe that more conventional encryption methods are inadequate. The success of efforts to develop quantum computers would clearly provide such a reason, since some of the most widely used cryptographic methods depend for security on the difficulty of factoring large numbers—a problem that quantum computers would be particularly adept at solving. In cases that require the extraordinary security provided by quantum cryptography for communication over distances ranging out to perhaps 100 km, fiber links will very likely be used; and for such links, the autocompensating approach provides a practical and robust implementation.

References Please see OPN Feature Article References, page 62. William P. Risk and Donald S. Bethune are with the IBM Almaden Research Center in San Jose, California. They can be reached by e-mail at risk@almaden .ibm.com and [email protected]. com, respectively.