Appl. Phys.

B 67, 743748 (1998)

Applied Physics B
Lasers
and Optics
Springer-Verlag 1998
Quantum cryptography
H. Zbinden, H. Bechmann-Pasquinucci, N. Gisin, G. Ribordy
Group of Applied Physics, University of Geneva, CH-1211 Geneva 4, Switzerland
Received: 29 May 1998
Abstract. After a short introduction to classic cryptography
we explain thoroughly how quantum cryptography works.
We present then an elegant experimental realization based
on a self-balanced interferometer with Faraday mirrors. This
phase-coding setup needs no alignment of the interferometer
nor polarization control, and therefore considerably facilitates
the experiment. Moreover it features excellent fringe visibil-
ity. Next, we estimate the practical limits of quantumcryptog-
raphy. The importance of the detector noise is illustrated and
means of reducing it are presented. With present-day tech-
nologies maximum distances of about 70 km with bit rates of
100 Hz are achievable.
PACS: 03.67.Dd; 85.60; 42.25; 33.55.A
Cryptography is the art of hiding information in a string of
bits meaningless to any unauthorized party. To achieve this
goal, one uses encryption: a message is combined according
to an algorithm with some additional secret information the
key to produce a cryptogram. In the traditional terminology,
Alice is the party encrypting and transmitting the message,
Bob the one receiving it, and Eve the malevolent eavesdrop-
per. For a crypto-system to be considered secure, it should
be impossible to unlock the cryptogram without Bobs key.
In practice, this demand is often softened, and one requires
only that the system is sufciently difcult to crack. The idea
is that the message should remain protected as long as the
information it contains is valuable.
There are two main classes of crypto-systems, the public-
key and the secret-key crypto-systems:
Public key systems are based on so-called one-way func-
tions: given a certain x, it is easy to compute f(x), but difcult
to do the inverse, i.e. compute x from f(x). Difcult means
that the task shall take a time that grows exponentially with
the number of bits of the input. The RSA (Rivest, Shamir,
Adleman) crypto-systemfor example is based on the factoriz-
ing of large integers. Anyone can compute 13753 in a few
seconds, but it may take a while to nd the prime factors
of 28907. To transmit a message Bob chooses a private key
(based on two large prime numbers) and computes from it
a public key (based on the product of these numbers) which
he discloses publicly. Now Alice can encrypt her message
using this public key and transmit it to Bob, who decrypts it
with the private key. Public key systems are very convenient
and became very popular over the last 20 years, however,
they suffer from two potential major aws. To date, nobody
knows for sure whether or not factorizing is indeed difcult.
For known algorithms, the time for calculation increases ex-
ponentially with the number of input bits, and one can easily
improve the safety of RSA by choosing a longer key. How-
ever, a fast algorithm for factorization would immediately
annihilate the security of the RSA system. Although it has not
been published yet, there is no guarantee that such an algo-
rithm does not exist. Second, problems that are difcult for
a classical computer could become easy for a quantum com-
puter. With the recent developments in the theory of quantum
computation, there are reasons to fear that building these ma-
chines will eventually become possible. If one of these two
possibilities came true, RSA would become obsolete. One
would then have no choice, but to turn to secret-key crypto-
systems.
Very convenient and broadly used are crypto-systems
based on a public algorithm and a relatively short secret key.
The DES (Data Encryption Standard, 1977) for example uses
a 56-bit key and the same algorithm for coding and decod-
ing. The secrecy of the cryptogram, however, depends again
on the calculating power and the time of the eavesdropper.
The only crypto-system providing proven, perfect secrecy is
the one-time pad proposed by Vernam in 1935. With this
scheme, a message is encrypted using a random key of equal
length, by simply adding each bit of the message to the
corresponding bit of the key. The scrambled text can then be
sent to Bob, who decrypts the message by subtracting the
same key. The bits of the ciphertext are as random as those of
the key and consequently do not contain any information. Al-
though perfectly secure, the problem with this system is that
it is essential for Alice and Bob to share a common secret key,
at least as long as the message they want to exchange, and use
it only for a single encryption. This key must be transmitted
by some trusted means or personal meeting, which turns out
to be complex and expensive.
744
At this point quantum cryptography (QC) developed by
Bennett and Brassard in 1984 [1] enters the scene. QC, bet-
ter named quantum key distribution, allows two physically
separated parties to create a random secret key without re-
sorting to the services of a courier, and to verify that the
key has not been intercepted. This is due to the fact that
any measurement of incompatible quantities on a quantum
system will inevitably modify the state of this system. This
means that an eavesdropper, Eve, might get information out
of a quantum channel by performing measurements, but the
legitimate users will detect her and hence not use the key. For
convenience the quantum system is in practice a single pho-
ton propagating through an optical ber, and the key can be
encoded either by its polarization or by its phase. The rst ex-
perimental demonstration of quantum cryptography was per-
formed in 1989 over 30 cm in air with polarized photons [2].
Since then, several groups have presented realizations of both
the polarization [3, 4] and the phase coding scheme in optical
bers over distances of up to 30 km [5, 6].
In this article, we would like to explain QC by the ex-
ample of a standard polarization-based setup. Then we will
present a special interferometric setup that does not need
alignment nor feedback. We will discuss the performances
and technical limits of current QC systems and, as a con-
clusion, estimate transmission distances and bit rates of QC
systems now and in the near future.
1 How quantum cryptography works
To understand how quantum cryptography works, consider
the BB84 communication protocol [1] by Bennett and Bras-
sard (Fig. 1). Alice and Bob must be connected by a quantum
channel and a classical public channel. Normally single pho-
tons are being used to carry the information and the quantum
light
source
horizontalvertical
polarization filters
horizontalvert
detector basis
diagonal
detector basis
ALICE's bit sequence
BOB's detection basis
BOB's measurements
retained bit sequence
1 0 1 1 0 0 1 0 1 0 1 1 1 0
1 0 0 1 0 0 1 0 1 0 0 1 0 0
1 1 0 0 0 1 0 1 0
+

diagonal
polarization filters
sender
ALICE
receiver
BOB
+
+
+ +
+ + + + +
+ + + +
1
0
0
1
Fig. 1. The principle of QC according to the BB84 protocol. Alice sends down an optical ber photons polarized randomly either horizontally, vertically, at
+45

, or at 45

(row 1), Bob randomly chooses one of his analyzer basis (row 2) and records his result (row 3). Then they compare the used basis and
retain all results with compatible basis (row 4)
channel is usually an optical ber. The public channel can
be any communication link, such as a phone line or an In-
ternet connection (which is often an optical ber, too, but
this time with macroscopic pulses). The procedure consists of
four steps.
First, Alice sends single photons in one of the four follow-
ing polarization states: vertical, horizontal, +45

, and 45

.
She chooses randomly one of the polarization states for each
bit and records her choice. Bob has two analyzers available
and selects one randomly before recording each photon. One
of the analyzers allows him to distinguish between horizon-
tally and vertically polarized photons, whereas the second one
distinguishes between +45

and 45

photons. Every time

Bob uses the analyzer that does not correspond to the polar-
ization states sent by Alice, each outcome can happen with
a 50% probability. Bob records the analyzers used and the
outcomes.
Second, after exchanging a sufcient number of photons,
Bob announces on the public channel the sequence of analyz-
ers he used, but not the results he obtained. Alice compares
this sequence with the list of bits she sent, and tells Bob for
which photons compatible polarization states and analyzers
were used, but not which polarization states she sent. In the
cases where incompatible states and analyzers were used, the
bits are simply discarded. For the remaining bits, Alice and
Bob know that they have the same values, at least if nothing
no eavesdropper perturbed the transmission. If, for example,
Alice send a vertically polarized photon and Bob measures
it with the vertical-horizontal analyzer, he should always get
a vertical result.
Third, Alice and Bob select a random subset of their key
and compare it over the public channel to assess the secrecy
of their communication. The consequence of the interception
of their key by an eavesdropper would be a reduction of the
correlation between the values of their bits. Let us suppose,
745
Eve cuts the ber, performs a measurement on each photon
with an equipment similar to Bobs, and sends a photon to
Bob, prepared according to her result. In 50% of cases she
will choose the wrong analyzer and send a photon polarized
in the wrong basis that will result with 50% chance in a wrong
count at Bobs. Hence 25% of Alices and Bobs bit values
will disagree, such that the eavesdropper can easily be de-
tected.
Fourth, also when no eavesdropper is disturbing the bit ex-
change, there will be in practice some errors in the transmis-
sion and Alice and Bobs string will not coincide perfectly.
The remaining errors are removed by standard error correc-
tion methods, which in turn reduces the length of the key.
The determined error rate (normally in the order of 1%) must
be completely attributed to Eve. The corresponding informa-
tion that Eve might gain can be reduced to an arbitrarily low
value, by a procedure called privacy amplication, again at
the expense of the length of the usable key. Therefore it is
very important to keep the experimental error rate as low as
possible.
The remaining key can now be used with total condence
to encrypt a message, in spite of more elaborated eavesdrop-
ping strategies than the simple intercept and resend technique
described above. Other eavesdropping strategies are thor-
oughly discussed elsewhere [2, 7, 8].
2 Experimental realization
2.1 Polarization coding setup
Let us have a look at the experimental polarization coding
setup based on the four-states protocol BB84. In all presented
setups faint laser pulses are used instead of real single photon
states. The number of photons in a laser pulsed being Pois-
son distributed, the average number of photon per pulse
must be well below 1 ( = 0.1, say), to limit the probabil-
ity of obtaining more than 1 photon per pulse. Alices light
source is hence a pulsed strongly attenuated semiconductor
laser. An electro-optic polarization controller creates four dif-
ferent polarization states. Or, as proposed by the setup shown
in Fig. 2, four lasers with polarizers oriented at 0

, 90

, 45

,
and 135

are used, followed by three passive couplers. The

lasers re at random at a given pulse rate . Bob randomly se-
lects the polarization analyzer basis. This is most easily done
by introducing a passive optical coupler that directs the pho-
ton to one of the two polarizing beam splitters (PBS) oriented
at 45

. The photons are then detected with a photon counter

and acquisition electronics collects the data.
Laser
Laser
Laser
Laser
PBS
PBS
Pol. Control
Det
Det
Det
Det
Alice Bob
Fig. 2. Scheme of a polarization coding QC setup. PBS = polarization beam
splitter
The axis of the polarizers at Alice and Bob must be
aligned and kept aligned. This is the main specic difculty
of a ber-optic implementation of the polarization scheme.
For this reason a polarization controller with an automated
feedback must be introduced, to compensate polarization
uctuations due to mechanical or thermal changes in the
ber link. Realignment may be necessary every few sec-
onds or after an hour depending on the stability of the
link [3]. Conventional phase coding setups also need polar-
ization control and moreover an automated balancing of the
interferometers [5].
2.2 Plug and play interferometric setup
In this paragraph we would like to present an auto-balanced
QC setup based on an interferometer with Faraday mirrors
that does not need any alignment [9]. Let us have a closer
look at the QC scheme depicted in Fig. 3 disregarding the
Faraday rotators (FR) for the moment. Their crucial effect
will be explained later. In principle Bob has a very unbal-
anced Michelson interferometer (beamsplitter C2) with one
long arm going all the way to Alice. The laser pulse imping-
ing on C2 is split in two pulses P1 and P2. P2 propagates
through the short armrst (mirror M2 then M1) and then trav-
els to Alice and back, whereas P1 propagates rst to Alice
and next passes through the short arm. As both pulses run
exactly the same path length, they interfere maximally at
C2 (disregarding polarization for the time being). To encode
their bits, Alice acts with her phase modulator (PM) only
on P2 (phase shift a), whereas Bob lets pulse P2 pass un-
altered and modulates the phase of P1 (phase shift b). If
no phase shifts are applied or if a b = 0, then the in-
terference will be constructive. On the contrary, when a
b = the interference will be destructive and no light will
be detected by detector D0. With this setup 2-states proto-
col B92 [10] has to be applied. We are working actually on
a slightly modied setup that allows us to introduce a sec-
ond detector and to implement the BB84 4-states protocol.
The key exchange in the B92 protocol proceeds as follows.
Alice and Bob choose at random 0 or phase shifts, de-
ned as bit values 0 and 1. If a detection, i.e. constructive
interference occurred, Alice and Bob know that they applied
the same phase shift, and they register the same bit value.
In our interferometric setup the pulses leaving Bob carry no
Alice
PM
M3
D
C3
A
&
FG
FR
Bob
Laser
PM D
M2 M1
C2 C1
T
SRS
&
FG
FR
FR
0
A
Fig. 3. Experimental setup of an interferometric QC system with Faraday
mirrors. C1, C2, and C3: ber optic couplers, M1, M2, and M3: Faraday
mirrors (ordinary mirrors in combination with Faraday rotators, FR), PM:
phase modulator, A: Attenuator, D
0
: photon counter, D
A
: photodiode, T:
optional trigger output, SRS: delay generator, FG: function generator, &:
and-gate
746
phase information. The information is in the phase difference
of the two pulses P1 and P2 leaving Alice. The attenuator
(A) is set such that the weaker pulse P2 that already passed
through Bobs delay line has 0.05 photons on average when
leaving Alice.
Since the interfering pulses travel the same path, the in-
terferometer is automatically aligned. The visibility of the
fringes is also independent of the splitting ratio of C2. How-
ever, the visibility depends also strongly on the polariza-
tion states of the interfering pulses. The pulses undergo in
each arm of the interferometer an arbitrary polarization trans-
formation depending on the environmental conditions. These
transformations do not commute, hence the two outcoming
polarizations are in general not parallel. Consequently, we
replace all three mirrors of the interferometer by Faraday
mirrors (FM). A FM is composed of a 45

Faraday rota-
tor and a mirror. A light pulse injected in any arbitrary po-
larization into a ber terminated by a FM will come back
exactly orthogonally polarized, regardless of the polariza-
tion transformations in the ber. Therefore both pulses un-
dergo three identical polarization transformations and im-
pinge on the beamsplitter with identical polarizations. To
quantify the performance of the interferometer, the ratio
of the count rates for constructive and destructive interfer-
ence is measured. This ratio is as large as 30 dB! Replac-
ing one Faraday mirror by an ordinary mirror, the extinc-
tion is strongly uctuating and can be reduced to 20 dB. If
two Faraday mirrors are removed, essentially no interference
is visible.
We successfully performed a rst test with a Faraday
setup using a 23-km-long telecom link [10]. The setup fea-
tured an impressive stability and a fringe visibility of 99.8%.
We produced a secret key of 20 kbit length with a quantumbit
error rate (see below) of 1.35% for 0.1 photon per pulse. The
bit rate, however, was only about 1 Hz due to the low pulse
rate. At the moment we are building up a setup with a pulse
frequency of 2.5 MHz that will result in a raw bit rate of about
1 kHz over 20 km.
The great advantage of this setup is of course that no con-
tinuous alignment is needed. It is also noteworthy that the
timing of Alices apparatus can be pre-adjusted in the lab, and
will not change, even if the apparatus is plugged to another
ber to communicate with another party. This is the reason
why we informally refer to our system as a plug and play
system. The timing of Bobs apparatus, especially of his pho-
ton counter has to be adjusted once for every link. Going
to higher pulse rates, however, this system suffers from an
increased noise level due to Raleigh backscattering and par-
asitic reections. We are currently working on a modication
of the setup that considerably reduces this effect.
3 Practical limits of QC
In the preceding chapters we learned about the principles of
QC and a rather elegant and promising experimental imple-
mentation. In this chapter we want to establish the practical
limits of the QC. The transmission length, the data rate, and
the quantum bit error rate are the three values of interest. We
will discuss how these values depend on the used wavelength
and performance of the corresponding detector.
3.1 Data rate and QBER
Let us consider a QC setup with a laser pulse rate . is the
average number of photons at the output of Alice,
d
and
t
are the detector and transfer efciency, respectively. Hence
the raw data rate R, i.e. the number of exchanged bits per
second before any error correction, is given by:
R =q
t

d
. (1)
q is a systematic factor depending on the chosen implemen-
tation. It cannot be bigger than 1/2 due to the fact that half
of the time the randomly chosen bases of Alice and Bob are
not compatible. The raw bit rate R will be further reduced
when error correction and privacy amplication are applied,
depending on the error rate and the used algorithm. The total
transfer
t
efciency between the output of Alice to the detec-
tor can be expressed as:

t
=10
(L
f
l+L
B
)
10
, (2)
where L
f
is the losses in the ber in dB/km, l is the length
of the link in km and L
B
are internal losses at Bob in dB.
The losses in optical bers are typically around 2 dB/km at
800 nm, 0.35 dB/km in the 1300 nm telecom window, and
0.2 dB/km in the 1550 nm telecom window.
The error is generally expressed as the ratio of wrong bits
to the total amount of detected bits. We call this quantity
quantum bit error rate (QBER). It is equivalent to the ratio of
the probability of getting a false detection to the total proba-
bility of detection per pulse:
QBER =
p
opt
p
phot
+ p
dark
p
phot
+2p
dark

= p
opt
+
p
dark
p
phot
QBER
opt
+QBER
det
. (3)
with p
dark
=n
dark
, and p
phot
=
t

d
we obtain:
QBER
det
=
n
dark
t

d
. (4)
p
dark
, p
phot
, and p
opt
are the probabilities to get a darkcount,
to detect a photon, and the probability that a photon went to
an erroneous detector, respectively. n
dark
is the dark count rate
of the detector and is the detection time window. This
formula applies for a setup with two detectors. Since a dark-
count will with a 50% chance not lead to an error, but just to
an additional count, there is a factor two in the denominator,
but not in the numerator. Note that the QBER is independent
of the factor q of (1), since we do not consider errors when
incompatible bases are used.
The QBER consists of two parts. The rst part is what we
call QBER
opt
, that is the fraction of photons p
opt
whose po-
larization or phase is erroneously determined, i.e. the fraction
of photons who end up in the wrong detector. This is mainly
due to depolarization and to poor polarization alignments or
due to the limited visibility of the interferometers. p
opt
can be
determined by measuring the polarization ratio, the extinction
ratio or the classical fringe visibility V. In our interferometric
setup presented in the preceding section we measured a p
opt
of 0.15%. Generally p
opt
below 1% can be easily achieved
with any setup.
747
The second part, QBER
det
, is due to the dark count rate
of the photon counters and increases with decreasing trans-
fer efciency
t
. Hence QBER
det
is the determining factor for
longer transmission distances. The detector dark count rate -
nally limits in combination with the losses in the bers the
transmission distance. Since ber losses have already attained
the physical limits, the detectors deserve a thorough discus-
sion.
3.2 Near-IR photon counting
To take advantage of the low losses in optical bers, we
need photon counters in the near IR that are unfortunately
not commercially available. However, photon counting can
be achieved with liquid nitrogen (LN
2
)-cooled Ge avalanche
photodiodes working in the passively quenched Geiger
mode [12]. In this mode the diodes are driven above break-
down, i.e. the bias voltage is so high that one electronhole
pair created by an absorbed photon will be able to produce an
avalanche of thousands of carriers. The avalanche only stops
when the created current through the resistance in series with
the diode lowers the applied voltage below the breakdown
value. The noise in such detectors is due to carriers gener-
ated in the detector volume by causes other than an impinging
photon (darkcounts). They can be created thermally or by
band-to-band tunneling processes, or can be emitted from
trapping levels that were populated in previous avalanches
(after pulsing). The quantum efciency
d
and the darkcount
rate n
dark
both increase with increasing bias voltage U
bias
.
However, the ratio n
dark
to
d
is not constant, so QBER
det
will
depend on U
bias
, i.e. a tradeoff between high efciency and
low noise has to be found.
The photon counting performance of APDs can be im-
proved with a so-called active biasing or gating. The bias
voltage of diode is the sum of a dc part well below breakdown
and a short (say, 2 ns) almost rectangular pulse of a few V
amplitude that pushes the diode over breakdown at the time
when the photon is expected. Since the diode is below thresh-
old, no spontaneous avalanches can occur before the detection
interval and consequently no afterpulses will fall into the de-
tection time interval. This allows us to increase considerably
the voltage (therefore the efciency) without excessively in-
creasing the noise. Moreover the time jitter is reduced to
a value below 100 ps.
Moreover InGaAs APDs, not suitable for single-photon
counting with passive quenching, show a promising behavior
with active biasing [13]. Figure 4 shows the noise as a func-
tion of the quantum efciency at 1300 nm for actively and
Temperature
d
p
dark
Time jitter
(FWHM)
Si (800 nm) Room temperature 50% 10
8
< 400 ps
EG&G SPCM200-PQ (Peltier cooled) (n
dark
=10 s
1
)
Ge (1300 nm) 77 K 10%

710
6
NEC NDL5131 20%

2110
6
< 100 ps
InGaAs 1300 nm 77 K 20% 3.310
6
< 200 ps
Fujitsu FPD5W1KS 30%

1010
6
InGaAs 1300 nm 173 K 10% 2010
6
< 300 ps
InGaAs 1550 nm 173 K 2% 1010
6
< 300 ps
Table 1. Photon counting performance of APDs.
The Ge and the InGaAs diodes were actively bi-
ased with 2.6-ns pulses. The resulting bit rates
are given in Fig. 5 (except for values designed
with

)
1E-7
1E-6
1E-5
1E-4
1E-3
1E-2
1E-1
1E+0
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7
efficiency d
p
d
a
r
k
Ge active
InGaAs/InP active
Ge passive
InGaAs/InP passive
Fig. 4. The probability of getting a darkcount per pulse p
dark
vs. the
quantum efciency
d
for Ge (NEC NDL5131) and InGaAs (Fujitsu
FPD5W1KS) APDs. Comparison of active gating and normal passive
quenching mode (from [13])
passively biased Ge and InGaAs diodes at 77 K. One can eas-
ily see that active biasing considerably decreases the noise
with respect to passive quenching. For higher efciencies
actively biased InGaAs diodes show smaller noise than Ge
diodes.
The quantum efciency at 1550 nm being very low at
77 K increases with higher temperature, but so does the noise.
InGaAs diodes in contrast to Ge, however, feature at 100

C
(173 K) a temperature at the limit of Peltier cooling, certainly
increased but still quite reasonable noise levels. So there is le-
gitimate hope that such diodes will be practical without LN
2
cooling and open the second telecom window at 1550 nm.
In Table 1 the actual performances of photon counters are
summarized.
3.3 Actual limits of ber-based QC
With the help of (1), (2), and (4) we can easily calculate the
raw data rate R and QBER in function of the transmission
distance for a given
d
and p
dark
of the detector at a given
wavelength. As long as the QBER remains below the theor-
etical limit for the creation of absolutely secure key of 15%,
we can actually forget about the QBER and the only gure of
merit is the nal bit rate B after error correction and privacy
amplication. Hence, we need to estimate to what extent R is
reduced by error correction and privacy amplication proced-
ure in function of the error rate.
On the one hand, by using an estimate of Tancevski et
al. [14] the fraction of bits lost due to error correction as
748
a function of the QBER(q) can be given as follows (for long
strings, > 100 bit):
r
ec
=
7
2
q q log
2
q . (5)
This estimation works well for small q. Note that r
ec
is almost
1 for q =15% and roughly 0.4 for q =5%. The fraction of
bits lost by privacy amplication [2, 15] on the other hand is:
r
pa
=1+log
2

1+4q4q
2
2

. (6)
We assume that the whole error q is due to the interaction
of Eve and that she can gain a maximum information of
q(4/

2) [2] or about q(2/ ln2), which is a good approxima-

tion for q < 15% [7]. r
pa
is 0.75 for q =5%. The nal bit rate
is then:
B =(1r
ec
)(1r
pa
)R. (7)
Figure 5 shows B as a function of distance for the detector
performances in Table 1. Note that the wavelength of 800 nm
is a good choice only for short distances up to a few km, since
the data rate decreases drastically due to the high absorption.
For the other wavelengths, B rst decreases exponentially
(linearly in the semi-logarithmic graph of Fig. 5) due to the
absorption in the ber. But with decreasing bit rate the QBER
is increasing and when it is approaching 15%, error correction
becomes horribly inefcient leading to a sharp drop of B. So
the maximum transmission distance is quite sharply dened
for a given detector. If we consider 100 Hz as a lower limit for
a reasonable key distribution, we get maximum distances be-
tween 45 km and 70 km. It is important to mention that these
curves are based on rst photon counting performances of off
the shelf InGaAs APDs. There is undoubtedly still a large po-
tential of improvement for such kind of detectors. Assuming
1
10
100
1'000
10'000
100'000
0 20 40 60 80 100 120
distance (km)
B

(
b
i
t
s
/
s
e
c
)
800nm
1300nm/77K
1550nm/173K
1550nm/future
1300nm/77K
1300nm/single
Fig. 5. Calculated bit rate as function of distance after error correction
and privacy amplication for different detector congurations as given in
Table 1. The pulse rate is 10 MHz, number of photons per pulse =0.1.
QBER
opt
and losses at Bobs are neglected. The curve 1550 nm/future
corresponds to a hypothetical detector with vefold efciency. Using sin-
gle photons (=1, 1 MHz single-photon generation rate) at 1300 nm would
result in bit rates according to the curve 1300 nm/single
that one could obtain vefold efciency without increasing
the noise, a maximum distance of 92 km could be attained.
Using single photon states ( =1) all values of QBER
det
can
be reduced by a factor of 10. This means that the drop due
to the error correction occurs some 50 km and 28 km later
at 1550 and 1300 nm, respectively. On the other hand, apart
from additional experimental difculties, attainable pulse fre-
quencies will be in the order of 1 MHz. In conclusion, in
the near future ber-based QC systems will remain limited
to 100 km distance. Several free-space QC experiments have
been performed successfully. SatelliteEarth QCmay one day
be feasible. So if a satellite is accepted as an intermediate sta-
tion sharing the key with Alice and Bob, one day QC could be
performed all around the world.
4 Conclusions
QC has been experimentally proven feasible. The most im-
portant technological challenge remains the development of
better photon counters, whose noise actually limits the trans-
mission distance below 100 km. Whether QC will nd a mar-
ket or not, is a technical and psychological question. More
powerful algorithms and computers could diminish rapidly
the condence of cryptography users in unproved methods
based on complexity and increasing their interest in QC.
Acknowledgements. We would like to thank the Swisscom and the Swiss
National Science Foundation for nancial support and Swisscom for placing
at our disposal the NyonGeneva optical ber link. We appreciate stimulat-
ing discussions with our colleagues within the TMR network on the Physics
of Quantum Information. Helle Bechmann-Pasquinucci is sponsored by the
Danish National Science Research Council (grant no. 9601645). We thank
Physics World for Fig. 1.
References
1. C.H. Bennett, G. Brassard: Quantum Cryptography, Public key distri-
bution and coin tossing, Proc. Int. Conf. Computer Systems and Signal
Processing, 175, Bangalore 1984
2. C.H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin: J. Cryptol.
5, 3 (1992)
3. A. Muller, H. Zbinden, N. Gisin: Europhys. Lett. 33(5), 335 (1996)
4. J.D. Franson, B.C. Jacobs: Electron. Lett. 31(3), 232 (1995)
5. Ch. Marand, P.D. Townsend: Opt. Lett. 20(16), 1695 (1995)
6. R.J. Hughes, G.G. Luther, G.L. Morgan, C.G. Peterson, C. Simmons:
Lecture Notes in Comput. Sci. 1109, 329 (1996)
7. C.A. Fuchs, N. Gisin, R.B. Grifths, C.-S. Niu, A. Peres: Phys. Rev. A
56, 1063 (1997)
8. B. Huttner, N. Imoto, N. Gisin, T. Mor: Phys. Rev. A 51(3), 1863
(1995)
9. A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, N. Gisin:
Appl. Phys. Lett. 70(7), 793 (1997)
10. C.H. Bennett: Phys. Rev. Lett. 68, 3121 (1992)
11. H. Zbinden, J.D. Gautier, N. Gisin, B. Huttner, A. Muller, W. Tittel:
Electron. Lett. 33(7), 586 (1997)
12. P.C.M. Owens, J.G. Rarity, P.R. Tapster, D. Knight, P.D. Townsend:
Appl. Opt. 33(30), 6895 (1994)
13. G. Ribordy, J.D. Gautier, H. Zbinden, N. Gisin: Appl. Opt. 37, 2272
(1998)
14. L.Tancevski. B. Slutsky, R. Rao, S. Fainman: Proc. SPIE 3228, 322
(1997)
15. H. Bechmann-Pasquinucci: Internal report, University of Geneva 1998