166

10th INTERNATIONAL CONFERENCE AND SEMINAR EDM'2009, SECTION III, JULY 1-6, ERLAGOL

Quantum Cryptography
Vladimir L. Kurochkin, Igor G. Neizvestny Institute ofSemiconductor Physics, Siberian Division, RAS, Novosibirsk, Russia
Abstract -Work presents the brief review of the contemporary state of quantum cryptography science. Main principles of the quantum cryptography protocol development are illustrated by giving the example of BB84 protocol. Examples of experimental setups for the quantum key distribution through the atmosphere and fiber quantum channel are described in this work. The work presents results of experiments conducted on the developed setup based on single photon polarization coding. Problem of single photon detection in the visible and near IR area is considered. Work describes developed fiber based quantum cryptography working with the telecom wavelength 1555 nm, With the use of this experimental setup using the 25 km single mode telecom fiber (1555 nm wavelength) between sender and receiver we achieved the 450 bit/s quantum key generation with the use of 5 MHz pulse repetition rate, '-"'().2 photon/pulse. Given the achieved photodetector parameters an average quantum bit error rate is less than 3.7% Index Terms - Quantum informatics, quantum cryptography.

I. INTRODUCTION

ROM THE PRACTICAL STANDPOINT, quantum cryptography is today the most mature area of quantum informatics. Quantum cryptography allows for absolutely secure data transfer between legitimate users of communication lines. The security of data transfer, combined with the complete impossibility of unauthorized access, relies on fundamental laws of nature, unlike those cryptography approaches using mathematical methods, where the information basically may be decoded. In accordance with the mathematically proven Shannon statement [1], a message being transferred cannot be decoded if it is encoded by a random one-shot key whose length equals that of the message, provided that the key is known by legitimate users alone. However, the problem in this situation is how to transport the key to remote users. Generally speaking, classical communication methods cannot provide secure transfer of the key over accessible data channels, since there are techniques of inconspicuous listening with subsequent decoding. The ideas of quantum physics and quantum informatics as applied to long-range data communication may be used to attack the problem of transfer of an absolutely random key through accessible data hannels with security assurance. The absolute security provided by quantum cryptography follows from

the forbidding of quantum physics that are imposed on a metering device: (i) it is impossible to extract information about nonorthogonal states without disturbance [2] and (ii) it is impossible to clone an unknown quantum state (the no-cloning theorem) [3]. From these forbidding, it follows that, if single quantum objects are employed as data carriers, any intervention into the data transfer process undertaken by an unauthorized person will inevitably cause irreversible changes in the quantum states of the objects, from which the fact of intervention can be established. Bennet and Brassard in 1984 [4] were the first to justify the principles of quantum cryptography and to devise a communications protocol. The first experimental demonstration of their concept [5] attracted much interest worldwide and gave an impetus to extensive research in this field. In [5], a key dissemination protocol was suggested, which was represented as a secured sequence of zeros and unities enciphered by single photons polarized in two mutually nonorthogonal bases. Later, this protocol was named BB84. Subsequently, a protocol based on phase coding using a Mach-Zender interferometer found wide application (for the basic ideas behind this protocol, see [2]). A radically new way of disseminating a quantum key through entangled states that is based on the Einstein-Podolsky-Rozen effect was suggested by Ekert [6]. The ideas of quantum cryptography turned out to be so promising that many research groups worldwide immediately launched work on creating commercial devices. A comprehensive review of theoretical and experimental works in this field is presented in [7]. Since the publication of that review, a variety of new approaches to organizing data channels have been suggested. For example, a time-frequency scheme of encoding was suggested in [8], and the concept of using a phase shift between two sequential single photons to generate a key was put forward in [9,10]. Using single-photon quantum cryptography, a quantum key has been disseminated to advantage over several tens of kilometers both along fiber-optic links and in open space. It should be noted that the early protocols still remain the most efficient in terms of organization of real quantum data channels. The concept of phase encoding has been implemented in 67- [11], 100- [12], 150-kIn-Iong [13] and over 200 km with help superconductor detectors [14,15] fiber-optic communication lines. The polari-

978-1-4244-4572-1109/$25.00 IEEE

KUROCHKIN andNEIZVESTNY: QUANTUM CRYPTOGRAPHY

167

zation encoding protocol BB84, which was also used in this work, was applied to organize communication through open space over a distance of 10 [16] and 23 [17] and 144 km [18]. Today, the feasibility of communicating with satellites is being discussed [19]. II. THEORY Let us outline the generation of a quantum key using the BB84 protocol [4, 7]. A transmitter (usually called Alice) produces single photons linearly polarized in two mutually nonorthogonal bases; in one (vertical- horizontal basis), the photons are of 0 and 90 polarizations; in the other (diagonal basis), the photons are of 45 and --45 polarizations. Alice and a receiver (Bob) come to an agreement about a code assigned to each of the polarization in binary notation. For example, photons with 0 and 45 polarizations mean "0," while those with 90 and --45 polarizations mean "I." During a session, Alice sends a sequence of randomly polarized photons (0 , 45, 90, or --45) and Bob records the photons arrived and randomly selects a measurement basis for each of them. Then, using an extra (unsecured) channel, Bob informs Alice of the basis in which he has made the measurement but does not tell the results of this measurement. Since the photon can take values either "0" or "1," the message about recording the photons, while sent over the unsecured channel, carries no information for an outside listener (usually called Eva). In answer to the message, Alice tells whether the basis was correctly chosen for each of the photons. Keeping only correct-basis measurements during the session, Alice and Bob generate a unique random sequence of zeros and unities, of which a secured key is then formed. An important step in quantum cryptographic data transfer is a test for possibility of capturing information transmitted through a quantum channel. To this end, Alice and Bob, using the unsecured transmission line, make a checking comparison of a randomly selected part of the key generated. If listening was absent, the codes coincide. The error in the code is due to the noise of the detector and imperfections in the data channel. If an outside listener penetrates into the channel and reads out the information, he will have to generate the same photon (it is remembered that the information is transferred by a single photon!) and send it to Bob again. Then, according to the no-cloning theorem as applied to the state of an arbitrary quantum object [3], the listener will irreversibly break the polarizations of the photons and will not be able to exactly reproduce them, causing a discrepancy between Alice's and Bob's codes. As a result, the error that will be revealed by comparing the codes in the unsecured channel will far exceed the error inherent in undisturbed data transfer. In this

way, the fact of unauthorized penetration into the quantum channel will be disclosed and the legitimate users will be able to take necessary precautions against intervention. In essence, two mutually nonorthogonal bases and a relatively low bit rate are needed to assure security. Note also that data transfer through a quantum communication line implies using one-photon laser pulses, since many-photon pulses will allow Eva to inconspicuously direct some of the photons to her photodetectors and, hence, the fact of penetration will pass unnoticed. III. QUANTUM KEY DISTRIBUTION OVER FREE SPACE To research on the quantum key distribution over free space was create experimental set up [20,21]. The transmitting unit consists of four semiconductor lasers. Each laser generates light pulses with one of the four polarizations 0, 45, 90 If --45. The laser beams are combined by a system of mirrors into one beam, which is attenuated by an absorbing filter at the exit and is directed through a 70-cm-Iong air gap toward the receiving unit. The semiconductor lasers with source supplies (modulated in current) operate in a pulsed mode with a pulse length of 8--10 ns. Each laser generates a coherent light pulse when a control pulse from a computer is fed into its power supply. The attenuated laser pulses arrive at the entrance of the receiving unit and are divided by a beam-splitting 50% mirror into two beams. The analysis of photons polarization was with help two Glan prism and four single-photon detectors. The scheme of the receiving unit permits us to adjust the transmitting unit so that, after the exit attenuator, each laser pulse predominantly involves no more than one photon and the fraction of pulses containing two and more photons is insignificant. Under these conditions, the distribution of photons over the pulses obeys the Poisson statistics. In quantum cryptography, a signal is considered to be a singlephoton signal if the mean number n of photons per pulse falls in the range 0.1 - 0.2 [7]. In particular, at n = 0.1, the fraction of pulses containing two (three) photons is equal to 5% (0.16%) of the number of single-photon pulses. Actually, in this case, nine out often pulses contain no photons. A photon (with any polarization) sent by Alice can arrive at three photoreceivers, namely, at one photoreceiver in its own basis (the polarizing splitting prism does not transmit this photon to the second photoreceiver) and at two photoreceivers in the foreign basis with equal probability. In the case when signals from all four photoreceivers are detected simultaneously and, in addition, the number of simultaneous operations of two and more photoreceivers is counted, the fraction of multiphoton pulses in the transmission can be calculated in terms of the Poisson statistics. The re-

168

10th INTERNATIONAL CONFERENCE AND SEMINAR EDM'2009, SECTION III, JULY 1-6, ERLAGOL

quired mean number of photons in light pulses of the transmitting unit can be achieved by the sequential tuning of the laser power for each laser. The security of the transmission of information is ensured in the case when each laser pulse involves no more than one photon. This imposes stringent requirements on photodetectors of the receiving unit. These photodetectors should possess a high quantum efficiency of detection, low noises, and a sufficiently high counting rate. Modem optical fiber communication lines operate in the near-IR wavelength range. At present, the best single-photon detectors in this range are avalanche photodiodes. In our setup, the specially chosen avalanche photodiodes C30902S (EG&G), which are the most sensitive photodiodes in the range of 0.8 micrometer [7], served as singlephoton detectors. With the aim of counting single photons, the avalanche diodes were connected so that they operated in the Geiger mode, when one photon can induce an avalanche of charge carriers. The diodes were connected in a passive avalanche quenching circuit. If a voltage above the threshold voltage U(BR) is applied across the avalanche photodiode, a photon arrived at the diode initiates an avalanche of charge carriers and the gain of the photodiode can be as large as 105 - 106 The probability of detecting a single photon at a wavelength of 830 nm reaches 50%. In order to decrease intrinsic noises, the diodes were cooled to -20 0 C with the use of Peltier semiconductor microrefrigerators. The frequency of noise pulses in the avalanche photodiodes operating in the Geiger mode depends on the temperature and the excess of the applied voltage over the threshold value. In our experiment, the quantum key was generated as follows. Alice's computer specified the clock frequency of laser pulse repetition. For every clock period, a sync (gate) pulse was generated and sent to Bob in order to synchronize the transmission and reception. Simultaneously with a gate pulse, one more pulse was randomly fed into one of the four semiconductor lasers, which generated a light pulse with a length of IOns. Random numbers were obtained with a programmable random-number generator, even though, in the general case, it is more preferable to use a random-number generator based on natural noise processes [7]. When Bob received a sync pulse, he additionally generated his own gate pulse with a length of 20 ns. The pulses of the photoreceivers were detected only during the gate pulse. This made it possible to eliminate the majority of intrinsic noise pulses of the photoreceivers. For example, the total number of noise pulses at a temperature of - 200 and a voltage of 20 V above the threshold value was approximately equal to 3 103 per second. At the same time, upon time gating of the signal, the number of noise pulses was approximately equal to 100 per 106 clock pulses of the transmis-

sion. The length of noise and single-photon pulses from the photodiode after the amplifier was 8-10 ns. Preliminary matching of the delay time between the gate pulse and the pulse of the avalanche photodiode (upon operation under a laser pulse of the transmitter) enabled us to improve considerably the signalto-noise ratio and to decrease the number of errors in the fmal code. The output pulse of the avalanche photodiode was considered to be informative only in the case when it coincided in time with the laser pulse. All intrinsic photoreceiver noises that were generated not during the gate pulse stopped short of the pulse counter. The data from four avalanche photodiodes were read by the command of the sync pulse from Bob's computer. In our setup, we used one computer. Without loss of generality, this somewhat simplified the instrumental implementation of the experiment. If a pulse came from any photodiode during the gate pulse, Bob stored this information, including the number of the clock pulse, and generated a signal pulse for Alice, according to which she stored the number of the pulse and the laser operating during the given clock period. Since the mean number of photons per light pulse is considerably less than unity, there was no need to store the entire message. Bob randomly chose the basis of measurement of the arrived photons. If Bob's and Alice's bases coincided, the next ordinal number was assigned to the results of measurements and they were stored in the key generation file; otherwise, the data were rejected. According to the BB84 protocol, this procedure leads to the generation of a random secret key shared by Alice and Bob. The rate of key generation depends on the clock frequency of laser pulse repetition, the number n of photons per pulse, and the frequency characteristics of the avalanche photodiodes used. In our experiment, the rate of key generation was limited by the rate of data exchange between the computer and the receiving and transmitting units, which corresponded to a transmission clock frequency of 100 kHz. With due regard for the computer time of data processing, our results are in reasonable agreement with the data obtained in [16]. The quantum key generation in our setup can be illustrated with the following experimental data. Upon transmission of 106 clock pulses at n ---0.1, we generated a quantum key with a length of 10721 bits, of which 104 bits (0.97%) appeared to be in error (Alice's and Bob's bits did not coincide). Upon transmission at n ---0.2, the key length was equal to 18306 bits and 174 bits (0.95%) turned out to be in error. At a clock frequency of 100 kHz (used in our experiment), the aforementioned key lengths corresponded to key generation rates of ---1 and 1.8 kbit/s, respectively. A small number of errors in our work as compared to that obtained in [16] can be ex-

KUROCHKIN andNEIZVESTNY: QUANTUM CRYPTOGRAPHY

169

plained by the absence of interferences and losses of signals in the optical communication channel. Moreover, we used the same setup in order to simulate an unauthorized interception of all photons by detectors of an eavesdropper and an attempt to transmit the intercepted data to Bob. By comparing the code obtained through the public channel, we immediately found that the percentage of errors in the code increased by a factor of several tens, which indicated the presence of an eavesdropper on the quantum communication line. IV. FIBER QUANTUM KEY DISTRIBUTION We constructed a fiber based quantum cryptography setup to investigate the quantum key generation in the fiber channel. This setup is controlled by the integrated processor and operates on the standard telecom wavelength. Quantum key distribution was implemented on the base of phase coding of the quantum states of single photons, emitted from a pulsed semiconductor laser, in the two alternative non-orthogonal bases. All the optical elements including laser, phase modulators and high speed attenuators are integrated to the single mode fiber. The optical scheme of the setup is designed in a two-pass autocompensating scheme [11]. This scheme consists of transmitter Alice and receiver Bob which are connected with the 25 krn quantum channel made of the single mode fiber SMF-28. The quantum key generation process is totally guided by the standard computers (PC). These computers are setting the optolectromic components adjustments with the use of the high speed programmable array (FPGA) totally integrated in the setup. Photons were counted by the specially designed single photon detector. Nowadays the most suitable for the practical use are avalanche InGaAs-InP photodiodes (APD) [7,22-25]. In order to detect single photons photodiodes work in the Geiger mode when one photon can cause an avalanche of the charge carriers [17,22,23]. The reverse voltage in this case is above the brake down level. The higher voltage above the brake down higher the detection probability but at the same time it increases dark noise and the so-called afterpulsing noise probability after the photodiode click. A number of methods used to reduce these negative consequences. For example the photodiode cooling allows significantly reduce the dark noise. Usually InGaAs-InP photodiodes are cooled to -400 - -700 C with the use of micro refrigerators based on Peltier elements. To reduce the afterpulsing probability the active avalanche quenching method is used [24,25] or use the pulse voltage when the reverse voltage is below the breakdown level but to detect expected photon it is increased above the breakdown

for the short period of time (few nanoseconds) [22,23]. For the single photon detection we used specially selected InGaAs-InP avalanche photodiodes ETX40 (Epitaxx, USA). This photodiodes were integrated to the fiber and powered with pulse voltage. Pulse voltage had trapezoid form with 3,5 ns half-height duration and 4.2 V amplitude. This voltage was added to the constant APD bias voltage which was below the breakdown level. To reduce the noise level diodes were cooled with the Peltier microrefrigerators to the -400 -600 C. We present the experimental results of an investigation of dependences of quantum efficiency, afterpulse probability and noise level on various detection modes. This investigation demonstrated that characteristics of our photon detectors based on APD ETX40 are close to published international researches [22]. Using the measured photodiode parameters the operating point of the detector can be chosen. The operating point is based on the required constraints on the noise detections and quantum efficiency required for a specific task. A number of quantum key distribution experiments have been conducted with the use of created setup. These experiments were based on phase coding through the 25 km long fiber channel between Alice and Bob. Before each experiment star the procedure of setup adjustment have been conducted in the multi photon mode. Bob emitted multi photon laser pulses and measured the time of signal forth and back propagation through the quantum channel with the 400 ps precision. Using the measurement result Bob set all corresponding time delays for the optoelectronic elements guidance, single photon detectors synchronization and quantum key distribution BB84 protocol execution. On the next stage Alice attenuated laser pulse to the 0.2 photon/pulse on its way back with the use of fast attenuators. At the same time Bob switched detectors to the single photon counting mode. Frequency of the pulse repetition was 5 MHz. Key was distributed with the use of BB84 protocol. At the 5 MHz repetition rate of the laser pulses we achieved a 450 bit/s key generation rate in the test experiments. The mean amount of errors in the quantum key was below 3.7%. Considering that error rate in the quantum key distribution should be lower than 11% [15] result achieved on this setup can be considered as suitable for the real key generation. At the same tim the achieved result is approximately one order lower than theoretically estimated maximum performance of the setup with measured parameters. It happens due to the set of problems arising from synchronization and data exchange between the computer, programmable array and single photon detectors.

170

IOthINTERNATIONAL CONFERENCE AND SEMINAR EDM'2009, SECTION 111, JULY 1-6, ERLAGOL

V. CONCLUSION Main principles of the quantum cryptography protocol development are illustrated by giving the example of BB84 protocol. The results of experimental investigations into the generation of a quantum key on a setup over free space and fiber line. Experimental quantum cryptography setups for the key distribution through the free space and telecom fiber have been developed. The quantum key is transmitted with pulsed semiconductor lasers by coding polarization states of photons in two alternative nonorthogonal bases. Silicon avalanche photodiodes C30902S serve as single-photon detectors. The rate of key generation is equal to 1.8 kbit/s when the clock frequency of laser pulse repetition is 100 kHz and the mean number of photons per pulse is approximately equal to 0.2. The number of errors in the key does not exceed 1%. Experimental results of the telecom wavelength 1555nm quantum key generation with the use of setup developed by the authors are discussed. The optical scheme of the setup is designed in a two-pass autocompensating scheme. The quantum key is transmitted with pulsed semiconductor lasers by coding phase states of photons in two alternative nonorthogonal bases. As high-sensitive photodetectors, we used the single-photon counters developed by us and based on InGaAs-InP avalanche photodiodes. We present the results of an investigation of dependences of quantum efficiency, afterpulse probability and noise level on various detection modes in the temperature range from -40 C to -60C. At the 5 MHz repetition rate of the laser pulses and at the 0.2 mean photon number per pulse, we achieved a 450 bit/s key generation rate in a single-mode fiber-optic quantum communication channel of the 25 km length between transmitter and receiver. For the obtained photodetector parameters, the mean amount of errors in the quantum key was below 3.7%. REFERENCES
[I] [2] Shannon C.E. Communication Theory of Secret Systems II Bell Syst. Tech. Jour., 1949, V. 28, PP. 658-715. Bennet C.H. Quantum Cryptography Using any Two Nonorthogonal States II Phys. Rev. Lett., 1992, V.68, pp. 3121-3124. Wooters W.K., Zurek W.H. A single quantum cannot be cloned II Nature. 1982, V.299, pp. 802-803. Bennet C.H. Brassard G. Quantum Cryptography: Public Key Distribution and Coin Tossing II Proc. of IEEE Int. Conf. on Comput. Sys. and Sign. Proces., Bangalore, India, December 1984, pp. 175-179. Bennet C.H. Bessette F. Brassard G. et.aI. Experimental Quantum Cryptography J.Cryptology II 1992, V. 5, pp. 3-28. Ekert AK. Quantum Cryptography Based on Bell's Theorem II Phys. Rev. Lett. 1991, V. 67. pp. 661-663. Gisin N., Ribordy G., Title W. et al. Quantum Cryptography II Rev. of Mod. Phys. 2002, V. 74. PP. 145-175. Yelin S.F., Wang B.C. Time-frequency bases for BB84 protocolll 2003, arXiv:quant-phl0309105

[9]

[10]

[II]

[12]

[13]

[14]

[15]

[16]

[17]

[181

[19]

[20]

[211

[22]

[23]

[24]

[31 [4]

[25]

Inoue K., Waks E., Yamamoto Y. Differential Phase Shift Quantum Key Distribution II Phys. Rev. Lett. 2002. V. 89 N. 3 P. 037902. Inoue K., Waks E., Yamamoto Y. Differential-phaseshift quantum key distribution using coherent light II Phys. Rev. A. 2003. V. 68 N. 3 P. 022317. Stucki D., Gisin N., Guinnard O. et al. Quantum key distribution over 67 km with a plug&play system II New 1. Physics. 2002. V. 4. pp. 41.1-41.8. Kosaka H., Tomita A., Nambu Y. et.al. Single-photon interference experiment over 100 km for quantum cryptography system using balanced gated-mode photon detector II Electronics letter. 2003. V. 39 pp. 1119-1201. Kimura T., Nambu Y., Hatanaka T. et.aI. Single-photon interference experiment over 100 km for quantum cryptography system using balanced gated-mode photon detector II 2004, arXiv:quant-phl0403104 H, Takesue, S. W. Nam, Q. Zhang, et al. Quantum key distribution over a 40-dB channel loss using superconducting single-photon detectors. Nature Photonics. 2007, V. I, pp. 343-348. Stucki D., Walenta N., Vannel F. et.al. High rate, longdistance quantum key distribution over 250km of ultra low loss fibres II 2009, arxiv:quant-phl0903.3907. Hughes R.I., Nordholt I.E., Derkacs D., Peterson C.G. Practical free-space quantum key distribution over 10 km in daylight and at night II New J. Physics. 2002, V. 4. pp. 43.1 - 43.14. Kurtsiefer C., Zarda P., Halder M. et.al. Quantum cryptography: A step towards global key distribution II Natura. 2002, V. 419. P. 450. T. Schmitt-Manderbach, H. Weier, M. F'urst. et.al. Experimental Demonstration of Free-Space Decoy-State Quantum Key Distribution over 144 km II Phys. Rev. Lett. 2007, V. 98, P. 010504. Rarity J.G., Tapster P.M., Gorman P.M., Knight P. Ground to Satellite Secure Key Exchange Using Quantum Cryptography I/New J. Physics. 2002, V. 4. pp. 82.1-82.21. V. L. Kurochkin, 1. 1. Ryabtsev, and 1. G. Neizvestniy. Quantum Key Generation Based on Coding of Polarization States of Photons II Optics and Spectroscopi, 2004, V. 96, Bhm.5, PP.703-706. V. L. Kurochkin, 1. 1. Ryabtsev, and 1. G. Neizvestniy. Quantum Cryptography and Quantum-Key Distribution with Single Photons II Russian Microelectronics, 2006, V. 35, .N'21 , pp. 31-36, 2006. D. Stucki, G. Ribordy, A Stefanov et al. Photon counting for quantum key distribution with Peltier cooled InGaAs/InP APD's II 2001, arxiv:quant-phlOI06007. A Trifonov, D. Subacius, A. Berzanskis, A. Zavriev. Single photon counting at telecom wavelength and quantum key distribution II 1. Mod. Optics, 2004,V.5I , N.910, pp.1399-1415. R. T. Thew, D. Stucki, J.-D. Gautier, H. Zbinden, A Rochas. Free-running InGaAs/InP avalanche photodiode with active quenching for single photon counting at telecom wavelengths II Appl. Phys. Lett., 2007, V. 91, P. 201114. A Rochas, C. Guillaume-Gentil, Jean-Daniel Gautier, et aI. ASIC for high speed gating and free running operation of SPADs II Proc. of SPIE, 2007, V. 6583, P. 65830F. Vladimir L.Kurochkin, was born in 1954, graduated Novosibirsk State University, Department of Physics in 1976. In 1991 received PhD degree. Senior scientists of Institute of Semiconductor Physics Siberian Branch of Academy of Science. Main direction of recent research is quantum cryptography. Has about 50 scientific publications.

[51

[61 [7] [8]