OPTICAL FIBER TECHNOLOGY 4, 345᎐370 Ž1998.

ARTICLE NO. OF980270

Invited Paper

Quantum Cryptography on Optical

Fiber Networks
Paul D. Townsend

BT Laboratories, B55-131D, Martlesham Heath, Ipswich, IP5 3RE, United Kingdom

E-mail: paul.townsend@bt-sys.bt.co.uk

Received June 3, 1998

The security of conventional or classical cryptography systems relies upon

the supposed Žbut often unproven. difficulty of solving certain classes of
mathematical problems. Quantum cryptography represents a new paradigm
for secure communications systems since its security is based not on compu-
tational complexity, but instead on the laws of quantum physics, the same
fundamental laws that govern the behavior of the universe. This paper
describes recent progress at BT Laboratories in the development of practical
optical fiber-based quantum cryptography systems. These developments in-
clude interferometric systems operating in the 1.3-␮ m-wavelength fiber
transparency window over point-to-point links up to ; 50 km in length and
on multi-user passive optical networks. We describe how this technology
performs on fiber links installed in BT’s public network and discuss issues
such as cross-talk with conventional data channels propagating at different
wavelengths in the same fiber. The experimental results are used to make
some conclusions about the likely performance parameters and application
opportunities for this new technology. 䊚 1998 Academic Press

1. INTRODUCTION

The information revolution of the latter half of the 20th century has been driven
by rapid technological developments in the fields of digital communications and
digital data processing. A defining feature of today’s digital information systems is
that they operate within the domain of classical physics. Each bit of information
can be fully described by a classical variable such as, for example, the voltage level
at the input to a transistor or microprocessor. However, information can also be
processed and transported quantum mechanically, leading to a range of radically
345
1068-5200r98 $25.00
Copyright 䊚 1998 by Academic Press
All rights of reproduction in any form reserved.
346 PAUL D. TOWNSEND

new functionalities w1x. These new features occur because the properties of quan-
tum and classical information are fundamentally different. For example, while
classical bits must take on one of the two mutually exclusive values of zero or one,
quantum superposition enables a bit of quantum information to have the strange
property of being both zero and one simultaneously. Furthermore, it is always
possible, in principle, to read classical information and make a perfect copy of it
without changing it. In contrast, quantum systems can be used to carry information
coded in such a way that it is impossible to read it without changing it and
impossible to make a perfect copy of it w2x. It is these properties that are directly
exploited in quantum cryptography w3᎐5x to provide secure communications on
optical fiber systems w6᎐10x. This technique enables the secrecy of information
transmitted over public networks to be tested in a fundamental way, since an
eavesdropper will inevitably introduce readily detectable errors in the transmission.
Quantum cryptography offers the intriguing prospect of certifiable levels of secu-
rity that are guaranteed by fundamental physical laws. This possibility arises from
the quantum nature of the communication system and cannot be realized with any
conventional classical system.
This paper is intended to provide the reader with a simple overview of the
practical security problems that quantum cryptography addresses and the basic
concepts that underlie the technique. The main emphasis is on practical applica-
tions of quantum cryptography in optical fiber systems and the remainder of the
paper is devoted to a description of a number of experimental systems that have
been developed and tested recently at BT Laboratories. At the end of the paper
the results and inferences obtained from the experiments are used to make some
conclusions about the likely performance parameters and application opportunities
for this new technology.

2. CLASSICAL CRYPTOGRAPHY

In order to understand the problems that quantum cryptography addresses it is

necessary to first review some background ideas from conventional or classical
cryptography. Encryption is the process of taking a message or plain text and
scrambling it so that it is unreadable by anyone except the authorized recipient.
This process is perhaps best described by a simple analogy. Encryption is the
mathematical analogue of taking a message and placing it inside a lockable box.
The box is then locked with a key held only by the sender and the authorized
recipients of the message. Any unauthorized person intercepting the locked box
will be unable to retrieve the message from the box without possessing a copy of
the key.
Mathematically encryption can be described as an invertible mapping of a
message m into a ciphertext c. The mapping is achieved by an encryption algo-
rithm, E, which takes as input the secret key, k, and the message so that
c s EŽm, k.. The message, key, and ciphertext are expressible as binary data
strings. The decryption is achieved with the use of the inverse algorithm, D, so that
m s DŽc, k..
 QUANTUM CRYPTOGRAPHY 347

In terms of the lockable box analogy the algorithm is the locking mechanism
which is activated by the key. As with the case of a mechanical lock it is the secrecy
of the key that keeps the system secure. A well-designed lock should be difficult to
open without the key even when the details of the lock are known. It is an accepted
design principle of cryptographic algorithms that the security should not be
dependent on the secrecy of the algorithm but should reside entirely in the secrecy
of the key. A graphic example of this idea is provided by the ‘‘one-time pad’’ cipher
system w11x proposed by Vernam in 1926. In the binary version of the one-time pad
encryption is performed by modulo 2 addition Žequivalent to a bit by bit Boolean
XOR. of the message and a random key of equal length. Despite the simplicity
Žand public availability! . of the XOR algorithm the one-time pad offers theoreti-
cally perfect secrecy as long as the key is kept secret and used only once w12x. In
practice, the one-time pad is not widely used because of the requirement for large
volumes of key data. However, most commercial algorithms, such as the Data
Encryption Standard ŽDES., also use publicly available algorithms w13x.
The requirement that the secrecy be entirely dependent upon the key also
imposes another good design principle. In a practical system such as DES, which
does not offer the perfect secrecy of the one-time pad, an eavesdropper can always
attack the system simply by trying each possible key in turn. A good algorithm will
be designed such that this least efficient strategy is, nevertheless, the fastest
method of attack. DES, for example, uses a key length of 56 bits so that an attacker
performing an exhaustive key search will have to test, on average, 2 55 keys.
Although this is a huge number, future increases in computational power will
necessitate the use of longer keys.
Figure 1 shows a schematic representation of a cryptography system, where the
standard terminology of Alice, Bob, and Eve is used to describe the transmitter,
the receiver, and an unauthorized eavesdropper, respectively. In order to operate
the scheme Alice and Bob must exchange keys and, most importantly, must ensure
that these keys do not fall into Eve’s hands. Furthermore, if the system is to remain
secure Alice and Bob must regularly repeat this process, ensuring that the updated
keys are also secret. How to achieve this goal is one of the central problems in

FIG. 1. The basic elements of a cipher system.

348 PAUL D. TOWNSEND

secure communications; keys must be generated and distributed and the whole
process managed in such a way as to ensure the secrecy of the system.
In essence quantum cryptography is a communication protocol that enables
cryptographic keys to be securely distributed over communication channels that are
physically insecure and hence potentially subject to eavesdropping. This technique
achieves the desirable goal of an automated key establishment procedure between
two or more parties in such a way that any unauthorized interception can be
discovered and dealt with. Some modern cryptography systems attempt to solve the
key management problems using a technique known as public-key cryptography
w13x. In public-key cryptography each user has two keys, a private key and a public
key. The public key is widely distributed; the private key is kept secret. To send a
confidential message using a public-key scheme Alice obtains Bob’s public key
from a public directory and uses this to encrypt her message to Bob. Once this has
been done, only Bob can decrypt the message using his private key. In terms of the
lockable box analogy this is like having a box whose lock is operated by two keys.
Everyone has access to the key that locks the box but cannot unlock it. Only one
key will open the box and that is the private key held by the message recipient.
The security of public-key cryptography systems is based on ‘‘one-way functions’’
that is, readily computable mathematical problems for which the solution of the
inverse problem is thought to be computationally infeasible. The classic example of
such a function is multiplication and its inverse factorization. For example, it is
easy to multiply two large prime numbers, but extremely difficult to factorize the
resulting product into its two prime factors. Cryptographers using public-key
cryptography have to make the assumption that advances in mathematics and
computing will not dramatically change the ability of an attacker to compute these
difficult problems. This issue has received a great deal of attention recently
because of Shor’s discovery of a high-speed factorization algorithm for quantum
computers w14x. If such computers can ever be built, the security of public-key
cryptosystems may be dramatically reduced.

3. QUANTUM CRYPTOGRAPHY

3.1. Background
The following section describes the original ‘‘BB84’’ quantum key distribution
protocol developed by Bennett and Brassard w3x since this is of most relevance for
the experiments described later. In general, quantum information systems require
the use of some suitable two-state quantum objects to provide quantum-level
representations of binary information Žqubits.. In the BB84 scheme Alice and Bob
employ the linear and circular polarization states of single photons of light for this
purpose. Figure 2 shows schematic representations of these states together with the
notation used to represent them and their associated binary values. The linear and
circular ‘‘bases’’ are used to provide two different quantum level representations of
zero and one. Before describing how the properties of these single photon
polarization states are exploited in the key distribution protocol we will consider
the outcomes and interpretation of various possible measurements that can be
performed on them.
 QUANTUM CRYPTOGRAPHY 349

FIG. 2. Schematic representation and notation used to describe the linear and circular polarization
states of single photons of light. In the BB84 quantum cryptography scheme the linear and circular
states are used to provide two different quantum level representations of ‘‘0’’ and ‘‘1.’’

Figures 3a᎐3d illustrate the possible outcomes of measurements on each of the

four polarization states shown in Fig. 2. In each case the receiver has arranged a
polarizer and two single photon detectors to perform a linear polarization mea-
surement on the incoming photon Žthe apparatus is assumed to be perfect.. For the
two linear states the outcome of the measurement is deterministic; i.e., the < V : linear
photon is registered at detector D¨ and the < H : linear photon is registered at
detector D h both with 100% accuracy. Of course similar results would also be
obtained for classical input fields in the vertical and horizontal polarization states.
In contrast, a classical input state with circular polarization would generate
equal-intensity signals at the two detectors. Single photons, however, are elemen-
tary excitations of the electromagnetic field and they cannot split in two. Instead
the < R :circ and < L:circ states behave in a random fashion and have a 50%
probability of being repolarized in the state < V : linear and registered at D¨ and,
similarly, a 50% probability of being repolarized in the state < H : linear and regis-
tered at D h . In quantum mechanics terminology the photon is said to be projected
into an eigenstate of the measurement operator, namely, either < V : linear or
< H : linear . Taking the example of the < R :circ state, the probability of each possible
outcome is given by the squared modulus of the amplitude coefficients in

< R :circ s 1r'2 Ž < V : linear q i < H : linear . , Ž 1.

the expansion of < R :circ in the linear representation. In the case of the current
example it can be seen that the measurement provides no information at all on a
photon’s state of circular polarization. Of course, the receiver could have included
a 1r4-wave retardation plate in front of the polarizer in order to perform a perfect
circular measurement. However, this would only be obtained at the expense of no
information on the photon’s linear polarization state since the < V : linear and
< H : linear states behave in a random fashion when subjected to a circular polariza-
tion measurement. This situation arises because linear and circular polarization are
complementary quantum observables that are incompatible in the sense that a
measurement of one property will always disturb the other. Consider now the
situation where one of the four possible polarization states is chosen at random
and the receiver is asked to distinguish which one has been sent. Evidently the
receiver must choose a measurement to perform on the photon. If he happens to
350 PAUL D. TOWNSEND

FIG. 3. A receiver uses a polarizer and two single photon detectors to perform linear polarization
measurements on the linear Ža and b. and circular Žc and d. single photon polarization states. The
probabilities of the various outcomes are indicated as percentage values. The linear measurement is
incompatible with the circular representation and the photon is equally likely to be repolarized as either
a horizontal or a vertical state and detected at the appropriate detector.

choose an incompatible measurement the outcome will be random, but this fact
cannot be deduced from the measurement itself. Hence, the receiver cannot
determine unambiguously the polarization state of the photon unless he is supplied
with additional information on which type of state has been sent. All that can be
said after a particular measurement is that the photon is now in the polarization
state measured. Although we have used the example of a specific type of measure-
ment here, there is in fact no single measurement or sequence of measurements
that will allow the receiver to accurately determine the state of the photon when he
is told only that it has been coded in one of two incompatible representations, but
not which one. As we shall see, this peculiarly quantum phenomenon can be
directly exploited to provide security in a quantum cryptography scheme. The
reader might be tempted to suggest at this point that a solution to the measure-
ment problem could be to copy the photon so that the receiver could measure
different properties on the identical copies. Fortunately, at least from the quantum
 QUANTUM CRYPTOGRAPHY 351

cryptographer’s point of view, this type of ‘‘cloning’’ is forbidden by quantum

mechanics w2x.

3.2. Quantum Key Distribution Protocol

The aim of quantum key distribution is not to take a specific predetermined key
and send it to the recipient but rather to generate a random bit sequence in two
separate locations that can then be used as a key. The key only comes into
existence when the entire protocol has been executed. In order to carry out this
process the transmitter Alice and the receiver Bob employ a pair of communication
channels: a quantum channel used for sending the photons and a classical channel
used for a subsequent public discussion about various aspects of the quantum
transmission. It is assumed that Eve may have access to both of these channels at
any time. She may make any measurement that she chooses on the quantum
channel and is free to learn the contents of all the public channel messages,
although, as discussed later, she cannot change their content. The key distribution
process is illustrated schematically in Fig. 4. Alice begins by choosing a random bit
sequence and for each bit randomly selects either the linear or the circular
representation. She then prepares a regular-clocked sequence of photons in the
appropriate polarization states and transmits them to Bob over the quantum
channel. For the example shown in the figure Alice has chosen to send a ‘‘1’’ in the
first timeslot using the linear representation, i.e., a vertically polarized photon, a
‘‘1’’ in the second timeslot using the circular representation, i.e., a left polarized
photon, and so on. At the other end of the channel Bob makes an independent
random choice of whether to perform a linear or a circular measurement in each
time period and records the result. As discussed in the example above, the type of
measurement is selected by applying a 1r4-wave retardation before the polarizer
for circular and no retardation for linear, and the result depends on which of the
detectors registers the photon. The optical transmission system will also inevitably

FIG. 4. Schematic representation of the quantum transmission phase of the BB84 quantum
cryptography protocol. The top row shows Alice’s outputs in eight time slots that run sequentially from
right to left. Bob’s choice of measurements Žcross, linear; circle, circular . and his results for the eight
timeslots are shown in the lower rows ŽX, no photon detected.. During the public discussion Alice and
Bob agree to discard the results where they used different representations Žgreyed boxes. and retain the
shared bit sequence 101.
352 PAUL D. TOWNSEND

suffer from a variety of loss processes that randomly delete photons from the
system and in these cases neither of Bob’s detectors fires and he denotes this null
event by an ‘‘X.’’ In the timeslots where Bob did receive a photon and happened to
choose the same representation as Alice Žas in timeslot 1, for example. the bit that
he registers agrees with what Alice sent. In timeslots where Bob used a different
representation to Alice Žas in timeslot 2, for example. the outcome of the
measurement is unpredictable and he is equally likely to obtain a ‘‘1’’ or a ‘‘0.’’
Alice and Bob now carry out a discussion using the classical public channel that
enables them to generate a shared random bit sequence from the data and test its
secrecy. Bob announces the timeslots when he received a photon and the type of
measurement he performed in each but, crucially, not the result of the measure-
ment, as this would give away the bit value if Eve were monitoring the discussion.
In the case of the transmission shown in Fig. 4 Bob reveals that he received
photons in timeslots 1, 2, 6, and 8 using linear, and timeslots 3 and 5 using circular.
Alice then tells Bob in which of these timeslots they both used the same represen-
tation Ž1, 3, and 8. and they discard all other data. In this way they identify the
photons for which Bob’s measurements had deterministic outcomes and hence
distil the shared subset 101 from Alice’s initial random bit sequence. These are the
‘‘raw’’ key data. In practice, the process would of course be continued until a much
longer sequence had been established.
Why do Alice and Bob go through this tedious and inefficient process? Recall
that the goal is to establish a secret random bit sequence for use as a cryptographic
key. Consider the situation illustrated in Fig. 5, where Eve attempts to intercept
the quantum transmission, make a copy, and then resend it on to Bob. In each
timeslot Eve Žlike Bob. has to make a choice of what measurement to perform.
Without any a priori knowledge of the representation chosen by Alice, Eve Žlike
Bob. has a 50% chance of performing an incompatible measurement as shown in
the figure. This leads to a random outcome and a change of polarization state for
the photon Žnote that we assume for simplicity that Eve makes the same type of
polarization measurements as Bob, but the system is designed to be secure for any
measurements that Eve may make.. Eve has no way of knowing that she has
performed an incompatible measurement because, unlike Bob, she does not have

FIG. 5. Eve tries to intercept, make a copy, and then resend the bit sequence on to Bob. For each
photon Eve has a 50% chance of choosing an incompatible measurement that leads to a random
outcome. This is the case shown here where Eve has chosen to perform a linear measurement on Alice’s
circular photon. As a result Eve uses her source S to send on a vertical photon to Bob, who now has a
50% chance of obtaining an error even though he has performed a compatible Žas far as Alice and Bob
are concerned. measurement.
 QUANTUM CRYPTOGRAPHY 353

the benefit of the post-transmission public discussion. The latter only takes place
after the photons have arrived at Bob’s end of the channel. Consequently, Eve
sends a repolarized photon on to Bob, who now has a 50% chance of observing an
error in a timeslot where he has used the same representation as Alice and
therefore expects a deterministic outcome. Consequently, if Eve makes continuous
measurements on the channel she will generate a substantial bit-error rate ŽBER.
of the order of 25% in the raw key. Of course, Eve may make measurements on
only some of the photons or she may use other measurement techniques that yield
less information but produce less disturbance on the channel w4, 15, 16x. Neverthe-
less, the crucial point is that Eve can only reduce the disturbance that she causes
by also reducing the amount of information that she obtains; quantum mechanics
ensures that these two quantities are directly related. For the specific example
given above, Eve has a 50% chance per interception of making the correct choice
of measurement and hence obtaining the correct bit and a 50% chance of making
an incorrect choice of measurement that yields no information and causes distur-
bance on the channel. If Eve listens to the subsequent public discussion she can
identify the instances in which her choice of measurement was correct and hence
identify the bits Žapproximately 50%. in her data string that are shared with Alice
and Bob Hence if Eve intercepts 20% of the photons, for example, she will learn
10% of Alice and Bob’s bits and generate an error rate of around 5%. This simple
example is unrealistic, because it does not describe all the measurement strategies
that are available to Eve in a practical system or the relative ‘‘values’’ of the
different types of information that she can obtain. Nevertheless, it does emphasize
the basic principle of the technique, which is that Alice and Bob can set an upper
limit on the amount of information that Eve has obtained on their shared bit string
simply by evaluating the error rate for their transmission w4x. As discussed below, if
this is sufficiently low, they can generate a final highly secret key; if not, they
identify that the channel is currently insecure and cannot be used for secure key
distribution. Quantum cryptography thus prevents the situation, which can always
arise in principle with any classical key distribution system, where Alice and Bob’s
encrypted communications are compromised because they are unaware that Eve
has surreptitiously obtained a copy of the key.
A full discussion of the final stages of the protocol that achieve this goal is
beyond the scope of this paper; however, the main procedures that are involved
will be briefly outlined. After discarding the inconclusive results from their bit
strings, Alice and Bob publicly compare the parities of blocks of their data, and
where these do not match, perform a bisective search within the block to identify
and discard the error w4x. In this way they can derive a shared, error free, random
bit sequence from their raw data together with a measurement of the error rate.
This is achieved at the cost of leaking some additional information to Eve in the
form of the parities of the data subsets. In real systems transmission errors occur
even when no eavesdropper is present on the channel. These errors can arise, or
example, from the finite polarization extinction ratios of the various optical
components in the system or from noise sources such as detector dark counts. In
principle there is no way in to distinguish these errors from those caused by
eavesdropping, and hence all errors are conservatively assumed to have been
354 PAUL D. TOWNSEND

generated by Eve. If the error rate is sufficiently low Žtypically of the order of a few
percent in practice., then a technique known as ‘‘privacy amplification’’ w17, 18x can
be employed to distil from the error-corrected Žbut possibly only partially secret.
key a smaller amount of highly secret key, about which Eve is very unlikely to know
even one bit. If, for example, Alice and Bob calculate that Eve may know e bits of
their error-corrected n-bit string, they can generate from this data a highly secret
m-bit key Žwhere m f n y e . simply by computing Žbut not announcing as in error
correction. the parities of m publicly agreed-on random subsets of their data w4, 17,
18x. The final stage of the process is for Alice and Bob to authenticate their public
channel discussions using an information-theoretically secure authentication
scheme w19x. This is to prevent the powerful attack in which Eve breaks in to the
public channel and impersonates Bob to Alice and vice versa w4x. If this were
possible Eve could share one key with Alice and another with Bob, who would be
unaware that this were the case. Like the one-time pad cipher, the authentication
scheme requires Alice and Bob to possess in advance a modest amount of shared
secret key data, part of which is used up each time a message is authenticated.
However, this initial key is only required at system turn-on time because each
implementation of the quantum key distribution protocol generates a fresh volume
of key data, some of which can be used for authentication. After privacy amplifica-
tion and authentication Alice and Bob are now in possession of a shared key that is
certifiably secret. They can now safely use this key together with an appropriate
algorithm for data encryption purposes.

3.3. Alternati¨ e Coding Schemes and Extensions for Practical Systems

Although the original BB84 coding scheme was designed to exploit the quantum
properties of single photon polarization states, phase coding schemes can also be
realized w20᎐23x. These coding schemes are based on the properties of interferome-
ters and the coding is implemented by changing the relative optical path lengths or
phase between the internal arms of the interferometer. The scheme we shall
concentrate on is a version of the BB84 protocol implemented using a
Mach᎐Zehnder interferometer as shown in Fig. 6. Alice and Bob each control a
phase modulator in their respective half of the interferometer. If Alice sends a
single photon into this device an interference phenomenon will be observed w24x;
the photon will be detected at only one of Bob’s photodetectors, either ‘‘0’’ or ‘‘1,’’
with a probability that varies with the phase difference ⌬ ␾ s Ž ␾A y ␾ B . in an
identical fashion to the classical interference pattern. If, for example, ⌬ ␾ s 0⬚ the
photon will arrive at detector ‘‘0,’’ whereas if ⌬ ␾ s 180⬚ the photon will arrive at
detector ‘‘1.’’ For intermediate values of ⌬ ␾ the photon behaves probabilistically;
for example, if ⌬ ␾ s "90⬚ or 270⬚ the photon is equally likely to be observed at
‘‘0’’ or ‘‘1.’’ If any measurement is applied to the system to determine which arm
the photon is ‘‘in’’ then the interference, or phase, information is destroyed.
In order to use this interferometer to transmit keys Alice and Bob use the coding
scheme shown in Table 1. Alice can choose between two different coding represen-
tations for 0 and 1, either 0⬚r180⬚ or 90⬚r270⬚. Bob can choose to make his
measurement in either of these representations by applying either a 0⬚ or a 90⬚
 QUANTUM CRYPTOGRAPHY 355

FIG. 6. Illustration of the basic interferometer used to implement a phase-coded BB84 protocol.

phase shift, respectively. He then reads the bit according to which the photodetec-
tor fires; if a photon arrives at the detector labeled ‘‘0’’ it is given the bit value 0,
while if it arrives at the detector labeled ‘‘1’’ it is given the bit value 1. As we have
seen, the photon will only behave in a deterministic fashion when Alice and Bob’s
phase shifts are such that ⌬ ␾ s 0⬚ or 180⬚, that is, only when they both use the
same representation. The analogy with the polarization coding scheme should now
be clear; the 0⬚r180⬚ and 90⬚r270⬚ phase shift pairs replace the linear and circular
polarization states and the BB84 protocol is carried out in an otherwise identical
fashion.
Until now we have discussed the use of single photons; however, sources of
single photons are difficult to realize experimentally. Instead we use a heavily
attenuated laser as the source in our quantum cryptography experiments. The

TABLE 1
Coding Scheme Employed by Alice and Bob

Alice Bob
Phase Phase Photon destination
setting Ž⬚. Bit value setting Ž⬚. and interpretation

0 0 0 Detector ‘‘0’’' 0
180 1 Detector ‘‘1’’' 1

90 0 90 Detector ‘‘0’’' 0
270 1 detector ‘‘1’’' 1
356 PAUL D. TOWNSEND

output from a laser operating well above threshold can be described by a coherent
state. Attenuation of such a state simply produces a coherent state of reduced
amplitude. If < n: describes a field state with exactly n photons Žusually termed the
photon number states . then a coherent state of amplitude ␣ is given by the
expansion

1 ⬁ ␣n
< ␣ : s exp y < ␣ < 2 < n: .
ž 2 /Ý'
ns0 n!
Ž 2.

The mean intensity is given by < ␣ < 2 so that Eq. Ž2. is a Poisson distribution of
states with exact numbers of photons. Attenuation of Ž2. so that terms of O Ž< ␣ < 3 .
are negligible gives the state

1 ␣2
<␣: f 1 y < ␣ < 2 <0: q ␣ <1: q <2: .
ž 2 / 2
Ž 3.

This state has a large zero photon ‘‘vacuum’’ component so that such a state
incident upon a photodetector would not cause a count most of the time. When a
count is registered it is much more likely to have originated from the single photon
state than from any state with two or more photons. Experimental quantum
cryptography systems must operate in the limit < ␣ < 2 - 1 in order to achieve this
situation.
The details of the interferometric coding scheme used with attenuated coherent
states are identical to those shown in Table 1 for single photons. However, the
origin of the security in the system is subtly different w21x. Coherent states and
single photon states incident upon beamsplitters do not behave in the same
fashion. Coherent states are the quantum analogues of classical field states and
split at beamsplitters in very much the same way as a classical pulse. In the single
photon case, each coding representation is made up of a pair of orthonormal
states, that is, a pair of states that can always be distinguished perfectly because
their overlap is zero. However, when using attenuated coherent states none of the
four output states generated by Alice using the phase settings of 0⬚r90⬚r180⬚r270⬚
is orthonormal w21x. This is because coherent states with small < ␣ < 2 have overlaps
that are close to unity due to the dominance of the vacuum component in the
expansion Ž3.. Because of this large overlap it is not possible to distinguish between
the four states generated by the phase settings 0⬚r90⬚r180⬚r270⬚, in every in-
stance, and it is this indistinguishability that gives the phase-encoded version of
BB84 its security when attenuated coherent states are used as approximations to
the single photon number state. Of course, Alice and Bob must be able to
distinguish between these states, without ambiguity, in order to establish a key. The
interferometer we have already described allows them to do this, although only
some of the time. Because Alice’s output intensity is extremely low, most of the
time Bob’s photodetectors will not register a count even if they are perfectly
efficient. Again this is because of the large vacuum component of these four states.
 QUANTUM CRYPTOGRAPHY 357

If one of Bob’s detectors fires, he records his phase setting and the received bit. If,
in the subsequent public discussion, it is found that Bob’s phase setting was
incorrect, this bit is discarded. If, however, Bob’s phase setting is correct and a
count is registered, that bit will, for noiseless detectors, also be correct. This can be
seen from an inspection of the output states of the interferometer w23x. Under
these conditions the input to Bob’s ‘‘incorrect’’ detector is in the vacuum state,
whereas the input to his ‘‘correct’’ detector is a low-intensity coherent state that
causes a count with a probability of approximately < ␣ < 2 Žremember that < ␣ < 2 - 1..
Hence, if Bob registers a count he will record the same bit as Alice sent. This is an
example of how two nonorthogonal states, for example the 0⬚r180⬚ states, can
occasionally be distinguished without ambiguity by a single measurement. This
does not violate any fundamental principle since, on average, the bits retain their
indistinguishability.
The use of such a strongly attenuated coherent state in a quantum cryptography
system allows Eve a particular kind of attack known as a beamsplitting attack w4x.
These kinds of attacks can at most only obtain a small fraction of the key bits for
reasons that we shall now discuss. From Eqs. Ž2. and Ž3. it can be seen that the
probability that any given pulse is found to contain one and only one photon is < ␣ < 2
and the probability that any given pulse is found to contain two or more photons is
< ␣ < 4r2. In the experiments < ␣ < 2 is typically of the order of 0.1 so that about 1 in 10
pulses will be found to contain one photon and about 1 in 200 pulses will be found
to have two or more photons. In principle, therefore, Eve can try to exploit this by
using a beamsplitter to tap off a fraction of the signal so that in some instances
both she and Bob will receive a photon. If Eve stores this photon until Bob has
publicly announced the representations that he chose and then uses this informa-
tion to perform a measurement in the basis announced by Bob, she will be able to
obtain some of the key bits. However, the key will eventually be made up of bits
actually measured by Bob, and not all of these bits will have originated from pulses
for which both he and Eve received a photon. The events in which Bob receives a
photon and Eve receives no photon predominate so that a beamsplitting attack can
only obtain a small fraction of the key. This leakage of information to Eve can be
accommodated within the privacy amplification procedure w4, 17, 18x. Of course,
the beamsplitting attack does not work at all in the case of single photons because
any given photon must ‘‘make a random choice’’ at the beamsplitter of whether to
go to Eve or to Bob, but it cannot go to both. Since the key is only generated from
the photons that Bob receives, Eve obtains no useful information through this
strategy.
The interferometric quantum key distribution scheme works because, in general,
two nonorthogonal states are eigenstates of different incompatible operators. The
incompatibility of the operators leads to the nonorthogonality of the states, as well
as to an uncertainty relation between the operators. Thus, while not wholly
analogous to the polarization coding case, the security of this system depends
fundamentally on the quantum properties of low-intensity coherent states. The
following sections show how these interferometric schemes are realized in the
laboratory.
358 PAUL D. TOWNSEND

4. PRACTICAL SYSTEMS

4.1. Phase-Encoded Quantum Key Distribution: Experimental Details and Results

Over the past few years we have developed a fully automated quantum cryptog-
raphy system at BT Laboratories that is capable of secure key distribution over
distances of up to ; 50 km of standard optical fiber w6, 7, 21, 25, 26x. The system is
controlled by a pair of personal computers ŽPCs. that run software representations
of Alice and Bob. These programs control the terminal equipment on the 1.3-␮ m-
wavelength optical fiber-based quantum channel Ždescribed below. and communi-
cate the public discussion phase of the protocol via an Ethernet network or a
dedicated optical asynchronous transfer mode ŽATM. channel running over fiber.
The public channel is also used for encrypted data communication using the keys
established by the system.
The quantum channel w25x shown in Fig. 7 is based on a fiber version of the
phase-encoded Mach᎐Zehnder scheme discussed above. The laser source is a
1.3-␮ m-wavelength distributed-feedback ŽDFB. laser that is gain switched at 1
MHz to produce a train of ; 100-ps-duration pulses. The output of the laser is
strongly attenuated so that the intensity at the input to the transmission fiber is in
the range 0.1᎐0.2 photons per pulse pair, on average. Each attenuated laser pulse
enters a 50r50 optical coupler where the pulse splits and one component travels
through a lithium niobate phase modulator and experiences a phase-shift ␾A
chosen at random from one of the four possibilities, 0⬚, 90⬚, 180⬚, 270⬚. The other
component travels through a 2-ns delay loop and a polarization controller that
rotates the polarization into the orthogonal state. The two pulses, now with
orthogonal polarizations, are fed into the transmission fiber via a further 50r50

FIG. 7. Experimental phase-coded quantum cryptography scheme.

 QUANTUM CRYPTOGRAPHY 359

coupler. Because the 2-ns time delay between pulses is small compared to the
typical timescales for environmental fluctuations the device can be made interfero-
metrically stable even though the transmission fiber is many kilometers in length.
At the output of the fiber the two pulses enter Bob’s half of the interferometer,
where they are spatially separated by a polarization splitter. Bob now gives the
pulse that did not undergo any phase modulation in Alice’s half-interferometer a
random phase modulation ␾ B of 0⬚ or 90⬚. The other pulse experiences a time
delay of the same magnitude as its partner pulse did in Alice’s system and its state
of polarization is rotated to match that of the other pulse. The pulses are now
recombined at a 50r50 optical coupler where, because they are now temporally
coincident with the same polarization, they interfere. Depending on the relative
phase difference set by Alice and Bob’s modulators the resulting output pulse will
emerge in the arm labeled ‘‘0,’’ the arm labeled ‘‘1,’’ or both. Note that the
probability for the latter pulse splitting case Žwhich is maximum when Alice and
Bob use different representations, i.e., when ⌬ ␾ s "90⬚ or 270⬚. is extremely
small due to the very low intensity of the interfering pulses. The polarizations of
the two outputs from the 50r50 coupler are then made orthogonal so that they can
be combined with negligible loss via a polarization multiplexer Ždetails not shown
in figure for clarity.. One input arm has a further Ž; 6-ns. delay loop which allows
the temporal separation of the bits so that a ‘‘0’’ value causes the detector, a liquid
nitrogen-cooled germanium ŽGe. avalanche photodiode ŽAPD., to fire first. The
Ge APD is operated in Geiger mode using a gated biasing technique with passive
quenching w27x. In this scheme the APD bias is raised approximately 1 V beyond
the reverse-breakdown level for a period of 100 ns once in every 1-␮ s laser period
and coincident with the expected pulse arrival time. Avalanche pulses from the
APD are amplified and then undergo leading-edge discrimination to generate logic
pulses of a standard height that feed into a time-correlator system.
The time-correlator system records each event as a data pair which represents
the time elapsed since the start of the key transmission and the time-interval value
which indicates where the detection occurred within the concurrent laser pulse
period. Because photons arriving at the detector originate from the ; 100-ps
optical pulses they are synchronized with the laser drive and hence give rise to
well-defined time intervals between the detection event and the beginning of the
next laser drive pulse. These time interval values lie Žin the case of the following
example data. within two windows centered at around 614 ns for the ‘‘1’’ output
port with the longer path and around 620 ns for the ‘‘0’’ output port. These
windows are around 0.5 ns wide due to timing jitter in the detector output pulse
that arises from the stochastic nature of the avalanche process. In contrast,
detector noise mechanisms such as dark counts and after pulses give rise to counts
randomly distributed in time and consequently give rise to random time interval
values. After the data transmission is complete the receiver can use the recorded
time interval values to classify each detection event as a ‘‘1,’’ a ‘‘0,’’ or a noise
count Žwhich is then discarded.. To show qualitatively how this scheme works, an
actual data set from a typical key transmission is plotted in Figs. 8a and 8b. In this
figure the transmission has been separated into two parts for clarity. Figure 8a
shows Bob’s results for the time slots where Alice transmitted a ‘‘1.’’ Figure 8b
360 PAUL D. TOWNSEND

FIG. 8. Typical data output from the experimental quantum key distribution system. Each point
represents a photon or darkcount detection event. The received data is separated into two; data from
timeslots where a ‘‘1’’ was sent are shown in Ža., and data from timeslots where a ‘‘0’’ was sent are
shown in Žb.. Note the small number of errors in each case. The experiment was carried out with a
mean photon number of 0.1 per pulse pair at the input to the 10.8-km-long transmission fiber.

gives the result of those time slots where a ‘‘0’’ was transmitted. Separating the
data in this way allows the low error rates achieved in the experiment Žf 1.5%. to
be directly observed. The errors that do occur arise from two distinct sources: APD
dark counts that happen to fall within the photocount windows and photons that
are coded as ‘‘0,’’ but detected as a ‘‘1’’ Žor visa versa.. The second type of event
occurs because the interferometer is not perfect; the fringe visibility V is less than
unity Žtypically V ; 99%. due to imperfections in the various optical components,
and the frequency response of the phase modulators is not flat across the full
frequency range of Alice and Bob’s random drive signals. The latter causes the
phase shifts that are actually applied to the pulses to vary slightly from the selected
values. In a perfect system, the retained portion of the transmission data is made
up of cases in which Alice and Bob’s shifts differed by ⌬ ␾ s 0⬚ or 180⬚, leading to
perfectly deterministic behavior Žno errors.. However, if V / 1 and ⌬ ␾ / 0⬚ or
180⬚ then there is a finite probability that an error will occur.
A quantitative measure of the performance of the experimental quantum key
distribution system is obtained from the bit rate and bit-error rate values. The bit
rate is given by
Bf 1
2 Ž ␮ RTf Tr ␩ q 2 D . , Ž 4.
where the two terms inside the brackets represent the photocount and the
darkcount contributions to Bob’s data, respectively. Here, ␮ Ž' < ␣ < 2 . is the mean
photon number per pulse pair at Alice’s output, R is the laser pulse frequency, Tf
is the transmission coefficient of the fiber, Tr is the effective transmission coeffi-
 QUANTUM CRYPTOGRAPHY 361

cient of Bob’s receiver, ␩ is the quantum efficiency ŽQE. of the Ge APD, and D is
the mean darkcount rate in each photocount window. The factor of 12 Eq. Ž4. arises
because Alice and Bob discard half of their data during the public discussion phase
of the protocol. The fiber transmission varies as

Tf s 10y0 .1 A L , Ž 5.
where A is the fiber loss in dBrkm and L is the fiber length in kilometers. The
bit-error rate of the quantum channel can be modeled by

D
QBER s ␬ q , Ž 6.
2B

where ␬ represents the probability of an error due to the optical system imperfec-
tions discussed above and the second term represents the probability of an error
arising from a darkcount.
Equations Ž4. ᎐ Ž6. reveal that quantum cryptography systems have properties
very different from those of conventional optical communication systems. For
example, even in an ideal lossless quantum cryptography system the bit rate B is
always less than the laser drive rate R. This is because Alice’s output pulses must
have very low intensities Ž ␮ - 1. in order for the system to operate securely and,
in addition, half of the received bits are discarded during the public discussion
phase. In real systems that suffer from loss a further price must be paid for
security, since the bit rate falls exponentially with distance. This is due to the
scattering and absorption loss in the fiber that has the effect of randomly deleting
photons from the system. Since each photon carries a distinct bit, this loss leads to
a proportional reduction in bit rate. Note that the bit rate at a given distance
cannot be increased by simply raising the intensity ␮ of Alice’s pulses, because this
would make the channel more classical in nature and hence less secure. For
example, Eve’s beamsplitting attack discussed in subsection 3.3 becomes more
efficient as ␮ increases. A further difference with conventional communication
systems is in the magnitude of the bit error rates that can be achieved. Equation
Ž6. shows that a quantum cryptography system with an ideal single photon detector
with zero darkcount rate would achieve a bit error rate QBER s ␬ . The parameter
␬ represents the interference fringe contrast averaged over all modulation fre-
quencies. It is technically difficult to achieve ␬ values smaller than about y20 to
y30 dB, so quantum cryptography systems typically operate with best-case QBER
values of ; 1% and employ error correction techniques as discussed above. Of
course, a conventional communication system employing a discrete Mach᎐Zehnder
amplitude modulator will achieve a similar ‘‘off᎐on’’ contrast ratio in the range
y20 to y30 dB. However, such systems operate in the classical multi-photon
regime where a received ‘‘1’’ and a received ‘‘0’’ may be represented by optical
pulses containing, for example, ; 10,000 and ; 100 photons, respectively. The
electrical signal levels that result from the detection of such pulses can be
distinguished with high probability Ž) 1 in 10 9 . by applying a 0r1 decision circuit
with a threshold set to the equivalent of say a 5000-photon pulse. It is this
characteristic that allows conventional classical systems to operate at much lower
362 PAUL D. TOWNSEND

bit-error rates compared to quantum cryptography systems. It can be seen from the
preceding discussion that the differences between classical communication systems
and their quantum counterparts are fundamental and do not arise from any
particular ‘‘deficiencies’’ in the quantum systems. As we shall see, the properties of
practical quantum cryptography systems are perfectly suitable for the secure key
distribution function for which they are designed.
Figure 9 shows the effective bit rates B obtained for the raw key data as a
function of transmission fiber length. The data are plotted on a logarithmic scale as
Ž B-D . using the experimentally determined darkcount value of D f 6 sy1 . This
allows a straight line fit to the data using Eq. Ž4. and Ž5. which yields a loss value of
A s 0.4 dBrkm. This value is slightly higher than the manufacturer’s specification
of 0.38 dBrkm at 1.3 ␮ m because of the small amount of additional loss in the
splices joining the various lengths of fiber. The magnitude of the bit rate is
consistent with the values for ␮ s 0.15 Ž"0.02., R s 10 6 sy1 , Tr s 0.4, and
␩ s 0.15 Ž"0.03. that were obtained in separate experiments. Figure 9 also shows
the variation in the quantum bit error rate with transmission distance. The
observed QBER rises only slowly from 1.5% at 4 km to 4.5% at 47 km. This can be
understood as due to the dominance of the ␬ term in Eq. Ž6. when the bit rate is
high. However, for distances longer than 5 km the darkcounts rapidly become the
main source of errors and the QBER begins to rise rapidly, reaching a value of 9%
at the longest distance of 55 km measured in the experiment. The solid curve in the
figure is obtained from Eq. Ž6. using a ␬ value of 1.4% and the measured
darkcount value D f 6 sy1 . The error rate threshold at which privacy amplification
can no longer be used to generate a secret key is currently an active research topic
w28, 29x. However, it is clear that quantum cryptography systems become very
inefficient as error rates approach ; 10% due to the large numbers of bits that

FIG. 9. Experimental results for quantum key distribution over fiber. The effective bit rate minus
darkcount rate B y D Žopen circles. and quantum bit-error rate ŽQBER. values Žfilled diamonds. are
shown for different transmission distances. The upper solid line is a fit to Eqs. Ž4. and Ž5., and the lower
solid curve is obtained from Eq. Ž6. using measured parameter values. Detector dark counts cause the
QBER to rise rapidly at long distances and limit the achievable span to F 50 km.
 QUANTUM CRYPTOGRAPHY 363

must be discarded during privacy amplification w4x, and for error rates larger than
; 15% secure key distribution may no longer be possible w16x. The results shown in
Fig. 9 suggest that current germanium APD detector technology limits the span of
quantum cryptography systems to, at most, around 50 km at 1.3 ␮ m.

4.2. Simultaneous Quantum Key Distribution and Con¨ entional Data Transmission
o¨ er Installed Fiber
In the experiments discussed above, the fiber was employed solely for the
purposes of quantum key distribution. However, in most real networks fiber
capacity is an expensive and often scarce resource that needs to be allocated with
care. Consequently the scope for applications of quantum cryptography could be
seriously restricted if the technique were limited to use on dedicated dark fibers.
This is not the case, however, as is shown from the following experiment in which
wavelength division multiplexing ŽWDM. is used to add a quantum key distribution
channel to an existing installed fiber link carrying a conventional high-capacity data
channel w26x. In operation the secret keys exchanged across the link could be used
for encrypting some or all of the traffic carried by the data channel.
In the experiment shown in Fig. 10 the PCs Alice and Bob are linked via 28 km
of standard telecommunication fiber installed in the Ipswich area of BT’s public
network. The quantum key distribution channel operates at a wavelength ␭ q s
1.3 ␮ m and is identical in design to the interferometric scheme shown in Fig. 7.
The conventional data channel can operate over a 100-nm range of wavelength ␭d
centered on 1.55 ␮ m. The two channels are multiplexed at the transmitter onto the
single transmission fiber and then demultiplexed at the receiver using commercial
WDM couplers. In the current experiment the public discussion traffic required for
the quantum cryptography protocol is carried by a physically separate 155 Mbitrs
optical ATM channel operating over additional fiber in the installed cable. How-

FIG. 10. Schematic diagram of the Ipswich installed fiber experiment. The PCs Alice and Bob are
linked via 28 km of fiber installed in the Ipswich area of BT’s public network. QCT and QCR are the
transmitter and the receiver, respectively, for the 1.3-␮ m quantum channel. DCT and DCR are the
transmitter and the receiver, respectively, for the 1.55-␮ m conventional data channel.
364 PAUL D. TOWNSEND

ever, in a practical system the public discussion could be carried as part of the data
channel traffic to avoid the use of additional fiber. The data channel transmitter
consists of an externally modulated DFB laser driven by a 1.2 Gbitrs non-return-
to-zero ŽNRZ. modulation format 2 23 y 1 pseudo-random bit sequence ŽPRBS.
output from a pattern generator. The data receiver contains a 1.2 Gbitrs optical
receiver and a bit-error rate detector. Three different DFB lasers with wavelengths
of 1505, 1551, and 1591 nm are used to investigate the wavelength dependence of
the system. A crucial factor to investigate in the experiment is the effect that the
high-intensity data channel has on the quantum bit-error rate. This is very
important since cross-talk from the data channel can increase the QBER by
generating photocounts in the quantum channel detector that act as an additive
source of noise. Evidently if the level of cross-talk is too high the quantum
cryptography system cannot be operated securely.
Initial experiments performed with the data transmitter turned off showed a
base-level QBER of ; 4% for the quantum channel. For this and all other
measurements the mean photon number at the quantum channel input was equal
to 0.2. Figure 11 shows the QBER performance of the combined system when the
classical data channel is turned on. The bit-error rate for the conventional data
channel is also shown, but since the wavelength dependence is weak only represen-
tative results for one wavelength Ž ␭ d s 1591 nm. are shown. In this case, the BER
is 10y9 at a received power level of y30.8 dBm. However, in practice an installed
optical communication system would operate at higher power levels in order to
attain essentially error free performance. In the current experiment we define this
power as Pe f s y28 dBm, which is the level where the data channel BER
extrapolates to a value of 10y1 6 . The cross-talk at this power level must be low
enough for the quantum channel to operate securely. In fact, the quantum channel

FIG. 11. QBER values for quantum channel and data channel BER against received data channel
power. QBER plotted for ␭ d s 1505 nm Ždiamonds., ␭ d s 1551 nm Žsquares., and ␭ d s 1591 nm
Žtriangles.. The crosses show the data channel BER for ␭ d s 1591 nm. Secure key distribution can be
performed with minimal cross-talk penalties when ␭ d s 1505 or 1551 nm.
 QUANTUM CRYPTOGRAPHY 365

QBER at Pe f shows a strong wavelength dependence, with values of ; 22% at

1505 nm, ; 6.5% at 1551 nm, and ; 4% at 1591 nm. Hence, secure key
distribution can currently be achieved at 1591 nm with no penalty and at 1551 nm
with a small additional penalty, but not at 1505 nm since the error rate is too high.
This wavelength dependence results from an increase of approximately 15 dB in
the effective channel isolation between 1505 and 1591 nm. This change is due to a
6-dB fall in APD QE and an effective 9-dB increase in the channel isolation due to
wavelength dependence of the output WDM and the loss in the optical compo-
nents of the quantum channel receiver. The QE of cooled Ge APDs operating in
single-photon counting mode is known to decrease rapidly for wavelengths longer
than ; 1450 nm w30x. For the device used in the current experiment the QE was
measured to be ; 15% at 1300 nm, falling to ; 0.4% at 1591 nm. This wave-
length dependence is highly desirable in the current experiment since it increases
the effective channel isolation above the value set by the output WDM coupler
Ž45᎐50 dB. by as much as 16 dB. The current experimental system is the simplest
possible configuration in that it contains only a pair of WDM couplers and no
additional wavelength filters. In fact, if a filter were added to the input of the
quantum receiver the rejection of ␭ d could easily be increased by ) 20 dB with
negligible additional loss at 1.3 ␮ m, giving a range of operation across the full 1.5-
to 1.6-␮ m window.

4.3. Quantum Cryptography on Multi-User Optical Fiber Networks

Quantum cryptography is not confined to use on point-to-point links and can
also be applied to multi-user communication networks, as we have recently
demonstrated for the first time w6x. The network architecture that we employed was
the passive optical network ŽPON. illustrated in Fig. 12, although other configura-
tions have been studied w31, 32x. In the case of the PON Alice plays the role of
network controller and she is linked via a sequence of passive optical splitters to a
multiple of network users, Bob1 y Bob N . In the classical limit, information trans-
mitted by Alice in the downstream direction on the PON is broadcast to all Bobs,
and similarly upstream transmissions by any of the Bobs are ‘‘broadgathered’’ by
Alice. If Alice can establish a verifiably secret and unique individual key with each
Bob she can then use, e.g., the ith key to encrypt information intended for Bob i . In

FIG. 12. Experimental passive optical network. The transmitter Alice is linked to the receivers
Bob1 y Bob 3 via a 4.4-km-long fiber, a 1 = 3 splitter, and a 1-km-long fiber, giving an effective link
length of 5.4 km.
366 PAUL D. TOWNSEND

this way the network can be operated securely since although the encrypted
information is broadcast on the network, Alice and Bob i can be confident that no
other network user or external eavesdropper has obtamed any information on their
shared key. Quantum cryptography can be used to perform the key distribution
task simply by exploiting the quantum level behavior of the optical splitters in the
PON. A single photon incident on such a node cannot split and is instead routed to
one and only one of the output paths. The choice of output path for any particular
photon is random and unpredictable, governed only probabilistically by the classi-
cal splitting ratios for each path. Consequently, if the conventional scheme dis-
cussed above is applied to the network then each Bob will be supplied with a
unique randomly selected subset of bits from the sequence that Alice transmits
into the PON. By carrying out the post-transmission public discussion with each
Bob in turn Alice can identify which photons were shared with each receiver and
via the error rate guarantee secrecy from external eavesdroppers.
These ideas were investigated experimentally using the 1 = 3 PON shown in Fig.
12. The system is again based on the interferometric scheme discussed above so the
internal structures of Alice and each Bob are as shown in Fig. 7. The quantum-level
behavior of the network has been discussed in the case of single photons. However,
in the experiment, Alice’s source generates attenuated coherent states, not single
photons. This leads to a finite probability that a given pulse will be detected at
more than one receiver. This effect is quantified by the data in Fig. 13. The results
show a linear reduction in the detection rate of pulses at any single receiver as the
mean photon number ␮ decreases. However, the rates for shared successful pulses

FIG. 13. Effective detection rates for retained pulses Ži.e., after approximately half of the results
have been discarded during public discussion. plotted against the mean photon number per pulse at the
network input. Solid squares: pulses detected at any single receiver, open squares: pulses detected at
any two of the receivers; filled diamonds: pulses detected at all three receivers. Detection events or
counts are identified with a particular input pulse by means of the time period in which they occurred
and the data points denote mean values obtained for all receivers, or combinations of receivers, on the
network. Quantum key distribution is performed on the network using the lowest ␮ value shown in the
figure Ž0.18.. At this intensity the probability that a pulse will be observed to split is negligibly small.
 QUANTUM CRYPTOGRAPHY 367

fall much more rapidly with ␮ , varying quadratically for pulses shared by any two
receivers and cubically for pulses shared by all three receivers. The data can be
modeled by assuming a Poissonian source and detectors that distinguish between
pulses containing zero photons and pulses containing one or more photon w6x. The
results are shown by the solid lines in the figure and are in close agreement with
the experimental points except at high ␮ values, where the onset of detector
saturation tends to reduce the observed count rates. At the lowest value of
␮ s 0.18 shown in Fig. 13 any individual raw random bit string contains Žon
average. only about 1 in 10 3 bits that are shared with one other receiver and only
about 1 in 10 6 bits that are shared with both of the other receivers on the network.
This level of correlation is extremely low and demonstrates that the low-intensity
pulses are behaving most of the time effectively like indivisible particles that are
randomly routed by the network splitter. If ␮ g 1 the mutual information shared
by the network users and the information accessible to Eve’s beamsplitting attack
are both small. Hence secure quantum key distribution can be carried out on the
network. Further experiments were carried out in this limit using a ␮ value of 0.18.
Similar results were obtained as for the point-to-point systems discussed above with
QBERs ; 3% and bit rates ; 1 kbitrs obtained for all three Bobs on the
network.

5. DISCUSSION AND CONCLUSIONS

The feasibility of quantum key distribution on optical fiber links and networks
has been demonstrated, but how practical are such communication schemes? One
important issue is the distance over which secure key distribution can be achieved.
The results shown above suggest that current germanium APD detector technology
limits the span of quantum cryptography systems to around the 50-km range at 1.3
␮ m. However, interest in single photon detector technology for the telecommuni-
cations wavelengths is currently growing, and it seems likely that lower-noise
detectors capable of operation at 1.55 ␮ m will be developed w33, 34x. If this were
the case, the achievable transmission distances would increase toward 100 km.
Note that the span of a quantum cryptography system cannot be increased simply
by adding optical amplifiers as in a conventional optical communication system.
This is because amplifiers cannot clone w2x photons; if they could, Eve could use
one to make copies of Alice’s photons and the systems would not be secure in the
first place! Hence fiber loss cannot be overcome in the conventional way. Never-
theless, quantum cryptography can still be used over very long distances on a
hop-by-hop basis where keys set up on each individual link are used to encrypt a
master key that is then securely distributed across the entire system. We have also
shown that the fiber links in question need not be reserved solely for the purposes
of quantum key distribution. Instead wavelength division multiplexing technology
can be successfully employed to add secure quantum key distribution channels to
installed fiber systems carrying conventional high-bandwidth data channels.
A further important practical issue is the key distribution rate achievable with
the technology. The majority of modern encryption schemes utilize keys of the
368 PAUL D. TOWNSEND

order of 1000 bits or less and these keys may only be updated relatively infre-
quently. Hence the key distribution rates of ; 1 kbitrs attained experimentally
may be more than adequate for many potential applications. Moreover, the
experimental rates do not represent upper limits and we have, in fact, recently
demonstrated a prototype quantum cryptography system that is capable of key
distribution at Mbitrs rates over distances of a few kilometers w35x. Such a system
would be suitable for use on small-scale local area networks or PONs, for example.
It should be stressed that quantum cryptography systems are only intended for
key distribution; the encrypted data itself is transmitted using conventional high-
bandwidth channels.
In summary, quantum cryptography has been demonstrated in a number of
practical scenarios and the experiments used to assess the potential performance
limits for the technology. The scheme appears, at least from a technical point of
view, to provide a practical solution for secure key distribution on optical fiber
links and networks. We hope that the results presented in this paper illustrate that
quantum cryptography has moved a long way from the original theoretical ideas
toward real-world applications.

ACKNOWLEDGMENTS

I especially thank Keith Blow for his continued advice, support, and encouragement and Simon
Phoenix for his theoretical contributions. I also acknowledge the important contributions of two
graduate students, Christophe Marand and Guilhem Ensuque, to the experimental work discussed in
this paper. Finally, I thank Gerald Buller, Phil Hiskett, Rodney Loudon, Stephen Barnett, John Rarity,
¨
Paul Tapster, Norbert Lutkenhaus, and Gilles Brassard for advice and useful discussions during the
course of this work.

REFERENCES

w1x See C. H. Bennett, ‘‘Quantum information and computation,’’ Phys. Today ŽOct. 1995., for a review
of this topic.
w2x W. K. Wootters and W. H. Zurek, ‘‘A single quantum cannot be cloned,’’ Nature, vol. 299, 802
Ž1982..
w3x C. H. Bennett and G. Brassard, ‘‘Quantum cryptography: Public-key distribution and coin tossing,’’
in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing,
Bangalore, India, pp. 175᎐179, 1984.
w4x C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, ‘‘Experimental quantum
cryptography,’’ J. Cryptology, vol. 5, 3 Ž1992..
w5x A. K. Ekert, ‘‘Quantum cryptography based on Bell’s Theorem,’’ Phys. Re¨ . Lett., vol. 67, 661
Ž1991..
w6x P. D. Townsend, ‘‘Quantum cryptography on multi-user optical fiber networks,’’ Nature, vol. 385, 47
Ž1997..
w7x C. Marand and P. D. Townsend, ‘‘Quantum key distribution over distances as long as 30km,’’ Opt.
Lett., vol. 20, 1695 Ž1995..
w8x J. D. Franson and B. C. Jacobs, ‘‘Operational system for quantum cryptography,’’ Electron. Lett.,
vol. 31, 232 Ž1995..
 QUANTUM CRYPTOGRAPHY 369

w9x R. J. Hughes, G. G. Luther, G. L. Morgan, and C. Simmons, ‘‘Quantum cryptography over 14km of
installed optical fiber,’’ in Proc. 7th Rochester Conf. on Coherence and Quantum Optics ŽJ. H.
Eberly, L. Mandel, and E. Wolf, Eds.., pp. 103᎐112, Plenum, New York, 1996.
w10x H. Zbinden, J. D. Gautier, N. Gisin, B. Huttner, A. Muller, and W. Tittel, ‘‘Interferometry with
Faraday mirrors for quantum cryptography,’’ Electron. Lett., vol. 33, 586 Ž1997..
w11x G. S. Vernam, J. Amer. Inst. Elect. Eng., vol. 45, 109 Ž1926..
w12x C. E. Shannon, ‘‘Communication theory of secrecy systems,’’ Bell Syst. Tech. J., vol. 28, 656 Ž1949..
w13x H. Beker and F. Piper, Cipher Systems: The Protection of Communications, Northwood Publications,
London, 1982; see also G. Brassard, in Modern Cryptology, Lecture Notes in Computer Science ŽG.
Goos and J. Hartmanis, Eds.., Springer-Verlag, Berlin, 1988.
w14x P. Shor, ‘‘Algorithms for quantum computation: Discrete logarithm and factoring,’’ in Proc 35th
Annual IEEE Symposium on Foundations of Computer Science, pp. 124᎐134, IEEE Computer
Society Press, Los Alamitos, CA, 1994.
w15x A. K. Ekert, B. Huttner, G. M. Palma, and A. Peres, ‘‘Eavesdropping on quantum cryptosystems,’’
Phys. Re¨ . A, vol. 50, 1047 Ž1994..
w16x B. Huttner and A. K. Ekert, ‘‘Information gain in quantum eavesdropping,’’ J. Mod. Opt., vol. 41,
2455 Ž1994..
w17x C. H. Bennett, G. Brassard, and J.-M. Robert, ‘‘Privacy amplification by public discussion,’’ SIAM J.
Comput., vol. 17, 210 Ž1988..
w18x C. H. Bennett, G. Brassard, C. Crepeau, and U. Maurer, ‘‘Generalized privacy amplification,’’
SIAM J. Comput., vol. 17, 210 Ž1988..
w19x M. N. Wegman and J. L. Carter, ‘‘New hash functions and their use in authentication and set
equality,’’ J. Comput. Syst. Sci., vol. 22, 265 Ž1981..
w20x C. H. Bennett, ‘‘Quantum cryptography using any two non-orthogonal states,’’ Phys. Re¨ . Lett., vol.
68, 3121 Ž1992..
w21x P. D. Townsend, J. G. Rarity, and P. R. Tapster, ‘‘Single-photon interference in a 10km long optical
fiber interferometer,’’ Electron. Lett., vol. 29, 634 Ž1993..
w22x A. K. Ekert, J. G. Rarity, P. R. Tapster, and G. M. Palma, ‘‘Practical quantum cryptography based
on two-photon interferometry,’’ Phys. Re¨ . Lett., vol. 69, 1293 Ž1992..
w23x S. J. D. Phoenix and P. D. Townsend, ‘‘Quantum cryptography: How to beat the code breakers
using quantum mechanics,’’ Contemp. Phys., vol. 36, 165 Ž1995..
w24x P. Grangier, G. Roger, and A. Aspect, ‘‘Experimental evidence for a photon anticorrelation effect
on a beamsplitter: A new light on single-photon interferences,’’ Europhys. Lett., vol. 1, 173 Ž1986..
w25x P. D. Townsend, J. G. Rarity, and P. R. Tapster, ‘‘Enhanced single-photon fringe visibility in a
10km long prototype quantum cryptography channel,’’ Electron. Lett., vol. 29, 1292 Ž1993..
w26x P. D. Townsend, ‘‘Simultaneous quantum cryptographic key distribution and conventional data
transmission over installed fiber using wavelength division multiplexing,’’ Electron. Lett., vol. 33,
188 Ž1997..
w27x P. C. M. Owens, J. G. Rarity, P. R. Tapster, D. Knight, and P. D. Townsend, ‘‘Photon counting
using passively quenched Germanium avalanche photodiodes,’’ Appl. Opt., vol. 33, 6895 Ž1994..
w28x See, for example, B. Slutsky, R. Rao, P. C. Sun, and Y. Fainman, ‘‘Security of quantum
cryptography against individual attacks,’’ Phys. Re¨ . A, vol. 57, 2383 Ž1998., and references therein.
w29x See, for example, N. Lutkenhaus,
¨ ‘‘LANL quant-ph e-print archive, 9806008,’’ and references
therein.
w30x A. Lacaita, P. A. Francese, F. Zappa and S. Cova, ‘‘Single-photon detection beyond 1 ␮ m:
Performance of commercially available germanium photodiodes,’’ Appl. Opt., vol. 33, 6902 Ž1994..
w31x P. D. Townsend, S. J. D. Phoenix, K. J. Blow, and S. M. Barnett, ‘‘Design of quantum cryptography
systems for passive optical networks,’’ Electron. Lett., vol. 30, 1875 Ž1994..
w32x S. J. D. Phoenix, S. M. Barnett, P. D. Townsend, and K. J. Blow, ‘‘Multi-user quantum cryptography
on optical networks,’’ J. Mod. Opt., vol. 42, 1155 Ž1995..
370 PAUL D. TOWNSEND

w33x A. Lacaita, P. A. Francese, F. Zappa, and S. Cova, ‘‘Single-photon detection beyond 1 m m:

Performance of commercially available InGaAsrInP detectors,’’ Appl. Opt., vol. 35, 2986 Ž1996..
w34x G. Ribordy, J.-D. Gautier, H. Zbinden, and N. Gisin, ‘‘Performance of InGaAsrInP avalanche
photodiodes as gated-mode photon counters,’’ Appl. Opt., vol. 37, 2273 Ž1998..
w35x P. D. Townsend, ‘‘Experimental investigation of the performance limits for first telecommunica-
tions-window quantum cryptography systems,’’ Photon. Technol. Lett. 10, 1048 Ž1998..