The publication of the BB84 protocol by Bennett and Brassard in 1984 [10] marks the beginning of quantum key distribution. Since then, many other protocols have been invented. Yet, BB84 keeps a privileged place in the list of existing protocols: it is the one most analyzed and most often implemented, including those used in commercial products, e.g., [91, 113].

In this chapter, I define the BB84 protocol, although I already described it informally in Section 1.1. The physical implementation is then investigated. Finally, I analyze the eavesdropping strategies against BB84 and deduce the secret key rate.

Description

Alice chooses binary key elements randomly and independently, denoted by the random variable X ∈ χ = {0, 1}. In this protocol, there are two encoding rules, numbered by i ∈ {1, 2}. Alice randomly and independently chooses which encoding rule she uses for each key element.

• In case 1, Alice prepares a qubit from the basis {|0〉, |1〉} as

• In case 2, Alice prepares a qubit from the basis {|+〉, |−〉} as

On his side, Bob measures either Z or X, yielding the result YZ or YX, choosing at random which observable he measures. After sending a predefined number of qubits, Alice reveals to Bob the encoding rule for each of them. They proceed with sifting, that is, they discard the key elements for which Alice used case 1 (or case 2) and Bob measured Z (or X). For the remaining (sifted) key elements, we denote Bob's sifted measurements by Y.

David Bohm: life and times

In what is perhaps Virginia Woolf's most famous novel, much of the narrative describes intentions, hopes, plans for the visit To the Lighthouse, a visit forestalled by bad weather. There follows a section ‘Time passes’ in which all is war, death, decay, desperation; only the poets thrive. Then life returns slowly and timorously; the visit is at last made, in sombre reflective mood.

Between perhaps 1930 and 1952, the study of the meaning of quantum theory went through its own period of emptiness. Von Neumann had done most to cause it. Einstein could not disturb it … When interest did creep back, it was a result of the work of David Bohm.

Bohm had already experienced a chequered career. He was born in the USA in 1917, and rapidly built up an exceedingly high reputation as a theoretical physicist. After initial collaboration with Robert Oppenheimer, he specialised in the physics of plasmas – gases in which, because of high temperature or low pressure, atoms are ionised, or broken up into negatively charged electrons and positively charged ions. Plasmas [118] are important in astrophysics and also in the effort to achieve controlled nuclear fusion. In nuclear fusion, small nuclei fuse together to form one large one, with the emission of energy; high temperatures are required, and so one is forced to deal with plasmas. This is also exactly the process that causes stars to radiate energy.

In this section, I wish to put quantum key distribution (QKD) in the wider context of a cryptosystem. I shall discuss informally some aspects that are considered important. The questions I wish to answer here are: “What are the ingredients needed to make a QKD-based cryptosystem work? What services does it bring? What are its limitations?”

As I shall detail below, QKD may be used to provide the users with confidential communications. This can be achieved when we combine QKD and the one-time pad. For the quantum modulation, QKD needs a source of truly random numbers. Also, QKD requires a classical authenticated channel to work, so authentication plays an essential role. As a consequence, QKD must start with a secret key, making it a secret-key encryption scheme. I will also discuss what happens if classical cryptography is introduced in the system. Finally, I will describe the implementation of a simple cryptosystem on top of QKD.

A key distribution scheme

The first function of QKD is to distribute a secret key between two parties. The use of this key is outside the scope of this first section – the need for a secret key is omnipresent in cryptography.

As depicted in Fig. 5.1, QKD relies on a classical authenticated channel for sifting and secret-key distillation and on random bits for the modulation of quantum states. The key produced by QKD can be intended for encryption purposes – this will be discussed in Section 5.2 – but is also required by authentication. A part of the distributed key is used for authentication. When QKD is run for the first time, however, an initial secret key must be used instead.

Following its etymology, the term cryptography denotes the techniques used to ensure the confidentiality of information in its storage or transmission. Besides confidentiality, cryptography also encompasses other important functions such as authentication, signature, non-repudiation or secret sharing, to name just a few.

The purpose of this section is to give a short introduction to classical cryptography, but only for areas that are relevant to quantum cryptography. For our purposes, we will only deal with confidentiality and authentication. The former is the most important function that quantum key distribution helps to achieve, while the latter is a requirement for quantum key distribution to work. Also, we will cover some topics on the security of classical cryptographic schemes so as to give some insight when comparing classical and quantum cryptography.

The study of cryptography ranges from the analysis of cryptographic algorithms (or primitives) to the design of a solution to a security problem. A cryptographic algorithm is a mathematical tool that provides a solution to a very specific problem and may be based on premises or on other primitives. A solution can be designed by combining primitives, and the requirements and functions of the primitives have to be combined properly.

We will first review the confidentiality provided by ciphers that use the same key for both encryption and decryption, hence called secret-key ciphers. Then, we will discuss authentication techniques. Finally, we will show some aspects of public-key cryptography.

The 1927 Solvay Congress

In Chapter 4, we left Einstein in early 1926, cautiously optimistic that Schrödinger's scheme might provide what Heisenberg's could not, and did not attempt to – a mathematical description of atomic processes that could also give a physical picture of what was actually occurring. But the demonstration that the two formalisms were equivalent severely dented such optimism.

It was still possible for Einstein to prefer Schrödinger's version as offering more hope for future physical interpretation. Thus it is interesting to review the recommendations Einstein made for Nobel Prizes [1]. In 1928, Einstein suggested that Heisenberg and Schrödinger might share a prize, adding ‘With respect to achievement, each one … deserves a full Nobel prize although their theories in the main coincide in regard to reality content.’ However, Einstein was cautious enough to add that ‘it still seems problematic how much will ultimately survive of [their] grandiosely conceived theories’, and gave precedence to de Broglie, also mentioning Davisson, Germer, Born and Jordan.

By 1931, more convinced that quantum theory would last (and with de Broglie the 1929 prizewinner), Einstein plumped for Heisenberg and Schrödinger, commenting that ‘In my opinion, this theory contains without doubt a piece of the ultimate truth. The achievements of both men are independent of each other, and so significant that it would not be appropriate to divide a Nobel prize between them.’

The discrete modulation of quantum states as in BB84 stems fairly naturally from the need to produce zeroes and ones for the final secret key. But since secret-key distillation can also process continuous key elements, there is no reason not to investigate the continuous modulation of quantum states. In fact, continuous-variable protocols are fairly elegant alternatives to their discrete counterparts and allow for high secret key rates.

In this chapter, I describe two important QKD protocols involving continuous variables: first a protocol involving the Gaussian modulation of squeezed states and then a protocol with coherent states. These QKD protocols must be seen as a source of Gaussian key elements, from which we can extract a secret key. Finally, I detail the implementation of the protocol with coherent states.

From discrete to continuous variables

In the scope of continuous-variable QKD, we focus on quantum states that are represented in a continuous Hilbert space, of which their most notable examples are the coherent and squeezed states.

The BB84 protocol was designed with single photon states in mind. The coherent states, much easier to produce, are used only as an approximation of single photon states.

Classical physics

Quantum theory was produced roughly between 1900 and 1925; it changed our view of the Universe in a revolutionary way. Such is the central preoccupation of this book. Relativity was another revolutionary theory produced between 1905 and 1916; it is less central here. The clear implication of these statements is that, prior to 1900, there was an established body of theory that was widely successful and was thought to provide final answers to fundamental physical questions. This body of theory is known as classical physics.

The above is a simplified account of the development of physics over the last few hundred years. There is a good deal of truth in it. By 1900, Newton's Laws of mechanics had been established for over 200 years; they had been overwhelmingly successful in describing a huge range of phenomena, both terrestrial and in the solar system. They were held to be among the greatest human achievements, indeed the very greatest strictly scientific achievement, and practically a direct revelation of divine intent, and by 1900 it seemed unthinkable that they could be challenged.

The same could not quite be said of electromagnetism, an area of physics that encompasses electricity, magnetism and, as will be seen later in this chapter, optics. By 1900, what we now take to be the complete and final theory of classical electromagnetism, that of James Clerk Maxwell, was over 30 years old, and the discovery of radio waves by Heinrich Hertz which was acknowledged to confirm the theory, more than ten years old.

Everett and relative states

In this chapter I shall discuss briefly a number of the interesting developments – interpretational, theoretical, experimental – that have taken place in the foundations of quantum theory over the last few decades, where appropriate relating them to the work of Bohr or Einstein. While the topics considered will range well beyond the specific areas studied by John Bell, I think it is fair to say that it was the interest stimulated by his ideas that led to nearly all the work described.

This could not, though, apply to the very first ideas I discuss, which date from as early as 1957, when a PhD student at Princeton University, Hugh Everett, wrote a thesis titled The Theory of the Universal Wave Function [231]. A short version of this was published [232], and it was followed by a brief positive assessment [233] of Everett's ideas by John Wheeler, who had guided and encouraged him. (Sixteen years later, both of Everett's papers, and a number of related ones, were collected in a single volume [234].)

I shall now sketch his ideas. Till now, we have allowed wave-functions for microscopic systems, such as atoms or electrons, to be sums of wave-functions for highly distinct states, so that the corresponding properties of the systems – position, momentum and so on – do not usually have precise values, at least not till a measurement is made.

Reconciliation is the technique needed to ensure that Claude's and Dominique's key elements are equal. Starting from outcomes of the random variables X and Y, they wish to agree on an equal string Ψ.

In this chapter, I will first give some general properties and then overview and introduce several classes of reconciliation techniques.

Problem description

The goal of the legitimate parties is to distill a secret key, i.e., to end up with a shared binary string that is unknown to Eve. We assume as a convention that Claude's outcomes of X will determine the shared key K. The common string Ψ before privacy amplification can thus be expressed as a function Ψ(X).

Reconciliation consists in exchanging messages over the public classical authenticated channel, collectively denoted M, so that Dominique can recover Ψ from M and the outcomes of Y. If we denote as x1…l a vector of l independent outcomes of X, the string can be compressed to obtain about lH(Ψ(X)) common uniform bits.

As explained in Chapter 6, the impact of reconciliation on privacy amplification is a decrease of |M| bits in the key length, where |M| is the number of bits exchanged during reconciliation.

Our goal is thus to maximize lH(Ψ(X))-|M|, or if Ψ is given, to minimize the number |M| of disclosed bits.

Characteristics of reconciliation protocols

Before dealing with the details of reconciliation, let us here review some of its characteristics.

First, reconciliation can be either one-way or interactive. The first case is obviously only possible with one-way secret-key distillation, as information is sent only from Claude to Dominique.

The distribution of secret keys through quantum means has certainly become the most mature application of quantum information science. Much has been written on quantum cryptography today, two decades after its inception by Gilles Brassard and Charles Bennett, and even longer after the pioneering work of Stephen Wiesner on non-counterfeitable quantum money which is often considered as the key to quantum cryptography. Quantum key distribution has gone from a bench-top experiment to a practical reality with products beginning to appear. As such, while there remain scientific challenges, the shift from basic science to engineering is underway. The wider interest by both the scientific and engineering community has raised the need for a fresh new perspective that addresses both.

Gilles Van Assche has taken up the challenge of approaching this exciting field from a non-traditional perspective, where classical cryptography and quantum mechanics are very closely intertwined. Most available papers on quantum cryptography suffer from being focused on one of these aspects alone, being written either by physicists or computer scientists. In contrast, probably as a consequence of his twofold background in engineering and physics, Gilles Van Assche has succeeded in writing a comprehensive monograph on this topic, which follows a very original view. It also reflects the types of challenge in this field – moving from basic science to engineering. His emphasis is on the classical procedures of authentication, reconciliation and privacy amplification as much as on the quantum mechanical basic concepts. Another noticeable feature of this book is that it provides detailed material on the very recent quantum cryptographic protocols using continuous variables, to which the author has personally contributed.

In this chapter, I will introduce the concepts of quantum information that are necessary to the understanding of quantum cryptography. I first review the main principles of quantum mechanics. I then introduce concepts that somehow translate information theory into the quantum realm and discuss their unique features. Finally, I conclude this chapter with some elements of quantum optics.

Fundamental definitions in quantum mechanics

In classical mechanics, a system is described with physical quantities that can take certain values at a given moment in time; we say that is has a state. For instance, the state of an elevator comprises its position and speed at a given time. As dictated by common sense, if the elevator is at a given height, it cannot be simultaneously found at another location. With quantum mechanics, things are fundamentally different and elementary particles can behave against common sense. For instance, a quantum system can simultaneously be in different levels of energy. This is not because our knowledge of the state of the system is incomplete: the behavior of the quantum system is consistent with the fact that it is in simultaneous levels of energy.

It would go beyond the scope of this book to describe quantum mechanics in detail. Instead, I propose a synthetic introduction suitable for the understanding of quantum cryptography. For a more detailed introduction, please refer to the books listed at the end of this chapter.

The idea of relativity

Probably all of us have had the experience of sitting in a stationary train, and suddenly seeing a train on an adjacent track moving (or appearing to move) past our own. The doubt is there because it might not immediately be quite clear whether we are indeed still stationary and the other train is moving, to the right, say, or whether it is stationary and we have begun moving to the left.

In fact, all our normal actions in the train – sitting, eating, drinking, walking, may be carried on in exactly the same way, irrespective of whether our train is moving or not – at least so long as the motion is at constant speed in a straight line. Could this be raised to the status of a principle – ‘All laws of physics are the same in the two circumstances’? Answering this question is the subject of this chapter [30, 31].

It may perhaps seem at first sight rather a dry formal question. In fact in the previous chapter I hinted at the important part it played in Galileo's argument on the movement of the Earth. But it has a more general importance even than this. If such a principle is adopted, it puts considerable restrictions on the laws of physics – in fact it ends up by making most of classical physics unacceptable.

Founded by Shannon, information theory deals with the fundamental principles of communication. The two most important questions answered by this theory are how much we can compress a given data source and how much data we can transmit in a given communication channel.

Information theory is essentially statistically minded. Data sources are modeled as random processes, and transmission channels are also modeled in probabilistic terms. The theory does not deal with the content of information – it deals with the frequency at which symbols (letters, figures, etc.) appear or are processed but not their meaning. A statistical model is not the only option. Non-statistical theories also exist (e.g., Kolmogorov complexity). However, in this section and throughout this book, we will only use the statistical tools.

Information theory is of central importance in quantum cryptography. It may be used to model the transmission of the key elements from Alice to Bob. Note that what may happen on the quantum channel is better described using quantum information theory – see Chapter 4. Yet, the key elements chosen by Alice and those obtained by Bob after measurement are classical values so, for instance, the transmission errors can accurately be modeled using classical information theory. Reconciliation, in particular, requires classical information-theoretic techniques.

Source coding

Source coding is the first problem that information theory addresses. Assume that a source emits symbols xi from an alphabet χ and that it can be modeled by the random variable X on χ. For instance, the source can be the temperature measured by some meteorological station at regular intervals or the traffic on a network connection.

The rapid rise of quantum information

For the last four chapters I have been describing what may be called the ‘fundamental’ or ‘foundational’ aspects of quantum theory. I have been explaining what happens when you penetrate deeper into the ideas of quantum theory than when you merely make use of it, when you try to understand its basic meaning and what, if true, it tells us about the physical nature of the Universe.

As I said in Chapter 5, once Bohr had given his approach to these matters in his Como paper of 1927, general opinion was that his views were sacrosanct, and that no self-respecting physicist needed to return to discuss them further. It was Bell's great achievement to dent this complacency at least a little, and from the very end of the 1960s for the next quarter of a century or so, there were a few experimentalists keen to test the Bell inequalities with increasing stringency, and a few theoreticians with fresh ideas about how quantum theory should be interpreted.

While it was generally admitted that Bell's work was a genuine and important contribution to our understanding of quantum theory, and eventually the ideas actually reached some of the textbooks, in the 1970s and 1980s the field was still very much a minority interest, and even those who found it interesting would scarcely have felt that it had, or was likely to have in the foreseeable future, practical application.

Planck and the genesis of the quantum

During the first quarter-century of quantum theory, it developed by addressing a considerable range of topics – atomic physics, especially atomic spectroscopy; interactions involving fundamental particles – electrons, protons and so on, and also electromagnetic radiation; and the thermal capacities of solids and gases, where deviations from classical physics seem, at least in retrospect, rather straightforward.

Yet the first intimation of quantum ideas, which came to Max Planck in 1900, appeared in rather a recondite area of physics, where there would be no satisfactory classical theory for another five years, and where considerations were very much complicated by the fact that statistical methods were required. This was the area of black-body radiation or cavity radiation [32].

All surfaces emit energy in the form of electromagnetic radiation. This emission is of so-called thermal radiation, the word ‘thermal’ emphasising that the amount of energy radiated, and its frequency distribution, depend strongly on temperature. In 1879, Josef Stefan deduced from experiment that the total amount of radiation is proportional to T4 (T being an absolute temperature, of course), and Boltzmann confirmed this theoretically using thermodynamics.

The nature of the surface is also very influential and, to explain this, it is helpful to start with the absorption of energy. Different surfaces absorb different fractions of the energy that is incident on them. In particular, black surfaces absorb more than white ones.

At the beginning of the twenty-first century, quantum information theory is an exceptionally lively area of scientific research. Quantum computation and quantum cryptography promise powerful and efficient methods way beyond the scope of classical physics for solving practical problems. Quantum teleportation suggests the even more exciting possibility of achievements that would not even be dreamed of classically, and as minds adapt to new ways of thinking we must expect many other examples.

Quantum information theory emerged from a rich brew of scientific ideas that developed particularly in the 1980s and early 1990s. The ideas centred around the idea of quantum entanglement – the fact that, when two quantum particles have once interacted, even after separation their properties will be mutually dependent in a totally non-classical way. Crucially important were the theoretical analysis and experimental testing of the so-called Bell inequalities, the brain-child of John Bell, a physicist from Ireland.

Bell's main work and the initial experiments were performed in the 1960s and 1970s, respectively, and behind him was the famous Bohr–Einstein debate of the 1920s and 1930s. The Bohr–Einstein debate occurred at a critical point in the intellectual history of the twentieth century. By 1926, the ‘new’ quantum theory of Heisenberg and Schrödinger promised to provide the exact theoretical basis for the physics of atoms, but important questions remained about fundamental aspects of the theory.