Warning: this page is an excerpt of the book *Quantum Cryptography and Secret-Key Distillation*, © Cambridge University Press

Note: this page is available in **XHTML+MathML**, HTML only (approximate
equation layout) and PDF formats.

## 1 Introduction

In the history of cryptography, quantum cryptography is a new and important chapter. It is a recent technique that can be used to ensure the confidentiality of information transmitted between two parties, usually called Alice and Bob, by exploiting the counterintuitive behavior of elementary particles such as photons.

The physics of elementary particles is governed by the laws of quantum mechanics, which were discovered in the early twentieth century by talented physicists. Quantum mechanics fundamentally change the way we must see our world. At atomic scales, elementary particles do not have a precise location or speed, as we would intuitively expect. An observer who would want to get information on the particle's location would destroy information on its speed – and vice versa – as captured by the famous *Heisenberg uncertainty principle*. This is not a limitation due to the observer's technology but rather a fundamental limitation that no one can ever overcome.

The uncertainty principle has long been considered as an inconvenient limitation, until recently, when positive applications were found.

In the meantime, the mid-twentieth century was marked by the creation of a new discipline called *information theory*. Information theory is aimed at defining the concept of information and mathematically describing tasks such as communication, coding and encryption. Pioneered by famous scientists like Turing and von Neumann and formally laid down by Shannon, it answers two fundamental questions: what is the fundamental limit of data compression, and what is the highest possible transmission rate over a communication channel?

Shannon was also interested in cryptography and in the way we can transmit confidential information. He proved that a perfectly secure cipher would need a secret key that is as long as the message to encrypt. But he does not say how to obtain such a long secret key. This is rather limiting because the secret key needs to be transmitted confidentially, e.g., using a diplomatic suitcase. If we had a way, say a private line, to transmit it securely, we could directly use this private line to transmit our confidential information.

Since the seventies and up to today, cryptographers have found several clever ways to send confidential information using encryption. In particular, classical ciphers encrypt messages using a small secret key, much smaller than the message size. This makes confidentiality achievable in practice. Yet, we know from Shannon's theory that the security of such schemes cannot be perfect.

Leaving aside the problem of sending confidential information, let us come back to information theory. Shannon defined information as a mathematical concept. Nevertheless, a piece of information must somehow be stored or written on a medium and, hence, must follow the laws of physics. Landauer was one of the first to realize the consequences of the fact that any piece of information ultimately exists because of its physical support. Shannon's theory essentially assumes a classical physical support. When the medium is of atomic scale, the carried information behaves quite differently, and all the features specific to quantum mechanics must be translated into an information-theoretic language, giving rise to *quantum information theory*.

The first application of quantum information theory was found by Wiesner in the late sixties [186]. He proposed using the spin of particles to make unforgeable bank notes. Roughly speaking, the spin of a particle obeys the uncertainty principle: an observer cannot get all the information about the spin of a single particle; he would irreversibly destroy some part of the information when acquiring another part. By encoding identification information on bank notes in a clever way using elementary particles, a bank can verify their authenticity by later checking the consistency of this identification information. At the atomic scale, the forger cannot perfectly copy quantum information stored in the elementary particles; instead, he will unavoidably make mistakes. Simply stated, copying the bank note identification information is subject to the uncertainty principle, and thus a forgery will be distinguishable from a legitimate bank note.

Other applications of quantum information theory were found. For instance, a *quantum computer*, that is, a computer that uses quantum principles instead of the usual classical principles, can solve some problems much faster than the traditional computer. In a classical computer, every computation is a combination of zeroes and ones (i.e., bits). At a given time, a bit can either be zero or one. In contrast, a *qubit*, the quantum equivalent of a bit, can be a zero and a one at the same time. In a sense, processing qubits is like processing several combinations of zeroes and ones simultaneously, and the increased speed of quantum computing comes from exploiting this parallelism. Unfortunately, the current technologies are still far away from making this possible in practice.

Following the tracks of Weisner's idea, Bennett and Brassard proposed in 1984 a protocol to distribute secret keys using the principles of quantum mechanics called *quantum cryptography* or more precisely *quantum key distribution* [10]. By again exploiting the counterintuitive properties of quantum mechanics, they developed a way to exchange a secret key whose secrecy is guaranteed by the laws of physics. Following the uncertainty principle, an eavesdropper cannot know everything about a photon that carries a key bit and will destroy a part of the information. Hence, eavesdropping causes errors on the transmission line, which can be detected by Alice and Bob.

Quantum key distribution is not only based on the principles of quantum physics, it also relies on classical information theory. The distributed key must be both common and secret. First, the transmission errors must be corrected, whether they are caused by eavesdropping or by imperfections in the setup. Second, a potential eavesdropper must know nothing about the key. To achieve these two goals, techniques from classical information theory, collectively denoted as *secret-key distillation*, must be used.

Unlike the quantum computer, quantum key distribution is achievable using current technologies, such as commercially available lasers and fiber optics. Furthermore, Shannon's condition on the secret key length no longer poses any problem, as one can use quantum key distribution to obtain a long secret key and then use it classically to encrypt a message of the same length. The uncertainty principle finds a positive application by removing the difficulty of confidentially transmitting long keys.

State-of-the-art ciphers, if correctly used, are unbreakable according to today's knowledge. Unfortunately, their small key size does not offer any long-term guarantee. No one knows what the future will bring, so if clever advances in computer science or mathematics once jeopardize today's ciphers' security, quantum key distribution may offer a beautiful alternative solution. Remarkably, the security of quantum key distribution is guaranteed by the laws of quantum mechanics.

Furthermore, quantum key distribution guarantees long-term secrecy of confidential data transmission. Long-term secrets encrypted today using classical ciphers could very well become illegitimately decryptable in the next decades. There is nothing that prevents an eavesdropper from intercepting an encrypted classical transmission and keeping it until technology makes it feasible to break the encryption. On the other hand, the key obtained using quantum key distribution cannot be copied. Attacking the key means attacking the quantum transmission today, which can only be done using today's technology.

For some authors, quantum cryptography and quantum key distribution are synonymous. For others, however, quantum cryptography also includes other applications of quantum mechanics related to cryptography, such as quantum secret sharing. A large portion of these other applications requires a quantum computer, and so cannot be used in practice. On the other hand, the notion of key is so central to cryptography that quantum key distribution plays a privileged role. Owing to this last comment, we will follow the first convention and restrict ourselves to quantum key distribution in the scope of this book.

### 1.1 A first tour of quantum key distribution

As already mentioned, quantum key distribution (QKD) is a technique that allows two parties, conventionally called Alice and Bob, to share a common secret key for cryptographic purposes. In this section, I wish to give a general idea of what QKD is and the techniques it involves. The concepts will be covered in more details in the subsequent chapters.

To ensure the confidentiality of communications, Alice and Bob agree on a common, yet secret, piece of information called a key. Encryption is performed by combining the message with the key in such a way that the result is incomprehensible by an observer who does not know the key. The recipient of the message uses his copy of the key to decrypt the message.

Let us insist that it is not the purpose of QKD to encrypt data. Instead, the goal of QKD is to guarantee the secrecy of a distributed key. In turn, the legitimate parties may use this key for encryption. The confidentiality of the transmitted data is then ensured by a chain with two links: the quantum-distributed key and the encryption algorithm. If one of these two links is broken, the whole chain is compromised; hence we have to look at the strengths of both links.

First, how is the confidentiality of the key ensured? The laws of quantum mechanics have strange properties, with the nice consequence of making the eavesdropping detectable. If an eavesdropper, conventionally called Eve, tries to determine the key, she will be detected. The legitimate parties will then discard the key, while no confidential information has been transmitted yet. If, on the other hand, no tapping is detected, the secrecy of the distributed key is guaranteed.

As the second link of the chain, the encryption algorithm must also have strong properties. As explained above, the confidentiality of data is absolutely guaranteed if the encryption key is as long as the message to transmit and is not reused for subsequent messages. This is where quantum key distribution is particularly useful, as it can distribute long keys as often as needed by Alice and Bob.

Let us detail further how QKD works. Quantum key distribution requires a transmission channel on which quantum carriers are transmitted from Alice to Bob. In theory, any particle obeying the laws of quantum mechanics can be used. In practice, however, the quantum carriers are usually photons, the elementary particle of light, while the channel may be an optical fiber (e.g., for telecommunication networks) or the open air (e.g., for satellite communications).

In the quantum carriers, Alice encodes random pieces of information that will make up the key. These pieces of information may be, for instance, random bits or Gaussian-distributed random numbers, but for simplicity of the current discussion, let us restrict ourselves to the case of Alice encoding only zeroes and ones. Note that what Alice sends to Bob does not have to – and may not – be meaningful. The whole point is that an eavesdropper cannot predict any of the transmitted bits. In particular, she may not use fixed patterns or pseudo-randomly generated bits, but instead is required to use “truly random” bits – the meaning of “truly random” in this scope will be discussed in Chapter 5.

During the tranmission between Alice and Bob, Eve might listen to the quantum channel and therefore spy on potential secret key bits. This does not pose a fundamental problem to the legitimate parties, as the eavesdropping is detectable by way of transmission errors. Furthermore, the secret-key distillation techniques allow Alice and Bob to recover from such errors and create a secret key out of the bits that are unknown to Eve.

After the transmission, Alice and Bob can compare a fraction of the exchanged key to see if there are any transmission errors caused by eavesdropping. For this process, QKD requires the use of a public classical authenticated channel, as depicted in Fig. 1.1. This classical channel has two important characteristics, namely, publicness and authentication. It is not required to be public, but if Alice and Bob had access to a private channel, they would not need to encrypt messages; hence the channel is assumed to be public. As an important consequence, any message exchanged by Alice and Bob on this channel may be known to Eve. The authentication feature is necessary so that Alice and Bob can make sure that they are talking to each other. We may think that Alice and Bob know each other and will not get fooled if Eve pretends to be either of them – we will come back on this aspect in Section 5.1.1.

I now propose to overview the first QKD protocol, created by Bennett and Brassard in 1984, called BB84 for short [10]. More than twenty years later, BB84 can still be considered as a model for many other protocols and allows me to introduce the main concepts of QKD.

#### 1.1.1 Encoding random bits using qubits

Any message can, at some point, be converted into zeroes and ones. In classical information theory, the unit of information is therefore the bit, that is, the set

There is a correspondence between the quantum state of some physical system and the information it carries. Quantum states are usually written using Dirac's notation, that is, with a symbol enclosed between a vertical bar and an angle bracket, as in

In quantum information theory, the unit of information is the qubit, the quantum equivalent of a bit. Examples of physical systems corresponding to a qubit are the spin of an electron or the polarization of a photon. More precisely, a qubit is described by two complex numbers and belongs to the set

(1.1) |

In BB84, Alice encodes random (classical) bits, called *key elements*, using a set of four different qubits. The bit 0 can be encoded with either

When the photon arrives at Bob's station, he would like to decode what Alice sent. For this, he needs to perform a *measurement*. However, the laws of quantum mechanics prohibit Bob from determining the qubit completely. In particular, it is impossible to determine accurately the coefficients *orthogonal* qubits and perform a measurement that distinguishes only among them. We say that two qubits,

Let us take for instance the qubits

So, what is so special about the qubits

In the BB84 protocol, Bob randomly chooses to do either measurement. About half of the time, he chooses to distinguish

To summarize so far, I have described a way for Alice to send random bits to Bob. Alice chooses among four different qubits for the encoding (two possible qubits per bit value), while Bob chooses between two possible measurement procedures for the decoding. Bob is not always able to determine what Alice sent, but after sifting, Alice and Bob keep a subset of bits for which the transmission was successful. This transmission scheme allows Alice and Bob to detect eavesdropping, and this aspect is described next.

#### 1.1.2 Detecting eavesdropping

The key feature for detecting eavesdropping is that the information is encoded in non-orthogonal qubits. Eve can, of course, intercept the quantum carriers and try to measure them. However, like Bob, she does not know in advance which set of carriers Alice chose for each key element. Like Bob, she may unsuccessfully distinguish between

In quantum mechanics, measurement is destructive. Once measured, the particle takes the result of the measurement as a state. More precisely, assume that an observer measures a qubit *no matter what *! In general, the qubit after measurement

Every time Eve intercepts a photon, measures it and sends it to Bob, she has a probability

So, when Eve tries to eavesdrop, she will get irrelevant results about half of the time and disturb the state. She might decide not to send Bob the states for which she gets irrelevant results, but it is impossible for her to make such a distinction, as she does not know in advance which encoding is used. Discarding a key element is useless for Eve since this sample will not be used by Alice and Bob to make the key. However, if she does retransmit the state (even though it is wrong half of the time), Alice and Bob will detect her presence by an unusually high number of errors between their key elements.

Both Bob and Eve have the same difficulties in determining what Alice sent, since they do not know which encoding is used. But the situation is not symmetric in Bob and Eve: all the communications required to do the sifting are made over the classical authenticated channel. This allows Alice to make sure she is talking to Bob and not to Eve. So, the legitimate parties can guarantee that the sifting process is not influenced by Eve. Owing to this, Alice and Bob can select only the key elements which are correctly measured.

To detect the presence of an eavesdropper, Alice and Bob must be able to detect transmission errors. For this, an option is to disclose a part of the sifted key. A given protocol might specify that after a transmission of

#### 1.1.3 Distilling a secret key

In the case where errors are detected, Alice and Bob may decide to abort the protocol, as errors may be caused by eavesdropping. At least, this prevents the creation of a key that can be known to the adversary. This kind of decision, however, may be a little stringent. In practice, the physical implementation is not perfect and errors may occur for many reasons other than eavesdropping, such as noise or losses in the quantum channel, imperfect generation of quantum states or imperfect detectors. Also, Eve may just eavesdrop a small fraction of the sifted key, making the remaining key elements available for creating a secret key. There should thus be a way to make a QKD protocol more robust against noise.

Alice and Bob count the number of errors in the disclosed key elements and divide this number by *bit error rate*. They can then deduce the amount of information Eve knows about the key elements. For instance, they can statistically estimate that Eve knows no more than, say, *estimation* part of the protocol. The formula giving the quantity

At this point, Alice and Bob know that the *secret-key distillation*.

Secret-key distillation usually comprises a step called *reconciliation*, whose purpose is to correct the transmission errors, and a step called *privacy amplification*, which wipes out Eve's information at the cost of a reduced key length. I shall briefly describe these two processes.

In the case of BB84, the reconciliation usually takes the form of an interactive error correction protocol. Alice and Bob alternatively disclose parities of subsets of their key elements. When they encounter a diverging parity, it means that there is an odd number of errors in the corresponding subset, hence at least one. Using a dichotomy, they can narrow down the error location and correct it. They repeat this process a sufficient number of times and the result is that Alice and Bob now share equal bits.

For secret-key distillation, all the communications are made over the public authenticated classical channel. Remember that Eve cannot intervene in the process but she may listen to exchanged messages, which in this case contain the exchanged parity bits. Therefore, the knowledge of Eve is now composed of

To make the key secret, the idea behind privacy amplification is to exploit what Eve does not know about the key. Alice and Bob can calculate a function

The price to pay for privacy amplification to work is that the output (secret) key must be smaller than the input (partially secret) key. The reduction in size is roughly equal to the number of bits known to Eve, and the resulting key size is thus

Notice that errors on the quantum transmission are paid twice, roughly speaking, on the amount of produced secret key bits. First, errors should be attributed to eavesdropping and are counted towards

Finally, the secret key obtained after privacy amplification can be used by Alice and Bob for cryptographic purposes. In particular, they can use it to encrypt messages and thus create a secret channel.

#### 1.1.4 Further reading

For more information, I would like to point out the paper by Bennett, Brassard and Ekert [12]. One can also find more technical information in the review paper by Gisin, Ribordy, Tittel and Zbinden [64].

### 1.2 Notation and conventions

Throughout this book, we use random variables. A *discrete random variable* *symbols*. The probability distribution is denoted as

The continuous random variables are defined similarly. A *continuous random variable*

The other important definitions are given along the way. For a list of the main symbols and abbreviations, please refer to the Appendix.