Theoretical and Applied Informatics

ISSN 1896–5334
Vol.21 (2009), no. 3-4
pp. 149–166

Quantum Cryptography

A NDRZEJ G RZYWAK , G EORGE P ILCH -KOWALCZYK a

a
Academy of Business, Dabrowa Gornicza, Poland
Received 2 January 2009, Revised 10 August 2009, Accepted 30 September 2009

Abstract: Current popular exchange of cryptographic keys using public key cryptography suffers
from two major flaws. First, it is vulnerable to technological progress. The development of the first quantum
computer will consequently make the exchange of a key with public key algorithms insecure. The second
flaw is the fact that public key cryptography is vulnerable to progress in mathematics. These threats simply
mean that public key cryptography cannot guarantee future-proof key distribution. Quantum cryptography
solves the key distribution problem by allowing the exchange of a cryptographic key between two remote
parties with absolute security, guaranteed by the laws of physics. Mechanics of this exchange has been
described in the paper. The quantum cryptography system is very promising and advancements are being
made to improve upon the technology, most notably a wireless implementation, but it is still susceptible to
hacker attacks and has transmission distance and encryption rate limitations. This paper will discuss the
flaws of quantum cryptographic systems along with the plans for enhancing current quantum cryptographic
systems.
Keywords: brak

1. Quantum Key Distribution

Quantum cryptography – more precisely Quantum Key Distribution (QKD) – is al-

ready making inroads towards practical use outside of laboratories. Use of quantum
computers on one hand creates threat to security of classical cryptography, however on
the other hand quantum computing opens a road to even more secure distribution of
secret keys.
Quantum information is stored as the state of atomic or sub-atomic particles. A qubit
is an elementary unit of quantum information. Some of the physical realizations of
a qubit can be:

– An electron. The information is encoded as the spin of the electron.

– A photon. The information is encoded as the photon polarization.
150

– Quantum dots. Small devices that contain a tiny droplet of free electrons
– And many others

Otto Stern and Walther Gerlach performed in 1922 so called Gerlach experiment
often used to illustrate basic principles of quantum mechanics on the deflection of par-
ticles. They demonstrated that electrons are spin 1 /2 particles. These have only two
possible spin angular momentum values, called spin-up and spin-down (Fig. 1). Spin of
electrons can be considered as an equivalent to binary system. In the experiment spin-up
could mean logical 0, and spin-down could mean logical 1.

Fig. 1. Stern-Gerlach experiment

A significant step in utilization of quantum mechanics laws has been use of light in
quantum cryptography. Light can be polarized in many ways. Polarization of light is
the direction of oscillation of the electromagnetic field associated with its wave. Fig. 2
demonstrates a principle of horizontal and vertical polarization of light with the use of
crystals.

Fig. 2. Polarization of light

 151

In telecommunication networks, light are routinely used to exchange information in

a form of light pulses, typically containing millions of particles of light, called photons.
In quantum cryptography it is reduced to a single photon.
The quantum cryptographic protocols will use some encoding scheme, which as-
sociates the bits 0 and 1 with distinct quantum states. Such an association is called
a quantum alphabet (Fig. 3).

Fig. 3. Quantum alphabet

Quantum cryptography utilizes the Heisenberg uncertainty principle of quantum me-

chanics, leading to the observation that one cannot take a measurement without perturb-
ing the system. Communicating parties can check whether someone “was listening”:
they simply compare a randomly chosen subset of their data using a public channel, how-
ever they could discover any eavesdropper only after they have exchanged their message.
It would of course be much better to ensure their privacy in advance and not afterwards.
It however does not matter if we use the quantum channel only to transmit a random
sequence of bits that is a key. Now, if the key is unperturbed, then quantum physics
guarantees that no one has gotten any information about this key by measuring (eaves-
dropping) the quantum communication channel. In this case, the key can be safely used
to encode messages. If, on the other hand, the key turns out to be perturbed, then it can
be simply disregarded. Since the key does not contain any information, there is no loss
of any kind.
Quantum key distribution therefore employs two separate channels (see Fig. 9).
Quantum channel is used for transmission of quantum key material by means of pho-
tons. The other, public (classical) channel carries all message traffic, including the cryp-
tographic protocols, encrypted user traffic, etc. [3]
Quantum information has special properties:

– The state of a quantum system cannot be measured or copied without disturbing it

– Quantum state can be entangled, two systems have a definite state though neither
has a state of its own
152

Fig. 4. Quantum Key Distribution

– Superposition – we cannot reliably distinguish non-orthogonal states of a quantum

system.

These properties create major difference between quantum cryptography technology

and traditional cryptographic technology. Quantum cryptography relies on the laws of
quantum mechanics to provide a secure system, while traditional systems rely on the
computational difficulty of the encryption methods used to provide a secure system.

2. Quantum Cryptography Protocols

2.1. The BB84 quantum cryptographic protocol

Creation of a quantum alphabet was a basis for development of quantum crypto-

graphic communication protocols. In 1984 Bennett and Brassard proposed the first quan-
tum cryptographic communication protocol, called BB84 [16]. This protocol has been
experimentally demonstrated to work for a transmission over fiber optic cable [22], and
also over free space [23]. Although new emerging protocols, apparently more efficient,
are gaining popularity nowadays, BB84 still remains in use.
The BB84 protocol utilizes any two incompatible orthogonal quantum alphabets,
such as depicted on Fig. 3. Bennett and Brassard note that, if Alice were to use only
one specific orthogonal quantum alphabet for her communication to Bob, then Eve’s
eavesdropping could go undetected. To assure the detection of Eve’s eavesdropping,
Bennett and Brassard require Alice and Bob to communicate in two stages [9], the first
stage over a one-way quantum communication channel from Alice to Bob, the second
stage over a two-way public communication channel. (Fig. 5.)
 153

Fig. 5. Quantum key distribution employing BB84 protocol

Ideally, in the absence of noise, any discrepancy between Alice’s and Bob’s raw keys
is proof of Eve’s intrusion. So to detect Eve, Alice and Bob select a publicly agreed upon
random subset of m bit locations in the raw key, and publicly compare corresponding
bits, making sure to discard from raw key each bit as it is revealed. Should at least one
comparison reveal an inconsistency, then Eve’s eavesdropping has been detected.
In reality, noise unavoidable due to technical, material reasons, introduces errors
still with the assumption that all errors in raw key are caused by Eve. Comparison in the
subset m will then reveal errors at an estimate R of the error-rate. If R exceeds a certain
threshold Rmax , then Alice and Bob would repeat transmission to start over, otherwise
revealed error bits will be removed from the key. Then a process of reconciliation called
also a key distillation will follow.
First step in this process employs a classical error correction protocol, to get a shorter
key without errors, reducing error rate from few percent to usual 10−9 . After error cor-
rection, Alice and Bob have identical copies of a reconciled key, but Eve may still have
some information about it, therefore it is only partially secret from Eve. The next step
is the privacy amplification, being the process whereby Alice and Bob reduce Eve’s
knowledge of their shared bits to an acceptable level. This technique is also sometimes
called advantage distillation. Privacy amplification is used to convert the realized rec-
onciled key into a smaller length key through some hashing function chosen at random
from a known set of hashing functions.

Fig. 6. Man-in-the-middle attack

c – classic channel q – quantum channel
154

Finally, in order to prevent certain form of “Man-in-the-middle” attack (Fig. 6),

there is a need of initial authentication before any exchange of a secret key over a secure
communication channel could take place.
This can be done in several ways such as for example the way GSM is using; however
it may carry some implications on the overall security of the system.

2.2. The B92 quantum cryptographic protocol

The B92 protocol is an extension of BB84, which shows how photons with non-
orthogonal states can be used to distribute a secret key [24]. As in BB84, Alice and Bob
communicate in two stages, the first over a one-way quantum channel, and the second
over a two-way public channel. Unlike BB84, which requires two incompatible orthog-
onal quantum alphabets, B92 requires only a single nonorthogonal quantum alphabet. In
the B92 coding scheme, the bit b = 0 is encoded by a photon with horizontal polarization
and the bit b = 1 is encoded by a photon with diagonal polarization at 45◦ .
In the first stage, Alice is required, each time she transmits a single bit, to use ran-
domly with equal probability either of two nonorthogonal pure states from the alphabet
Aθ . Since no measurement can distinguish two non-orthogonal quantum states, it is
impossible to identify the bit with certainty. Moreover, any attempt to learn the bit will
modify the state in a noticeable way. Bob performs a test which provides him with a con-
clusive or inconclusive result, using one of many possible measurement strategies, such
as suggesting that the measurements will be based on the two incompatible experiments.
Stage 2 for the B92 protocol is similar to that for the BB84 protocol. Alice and Bob
use a public channel to inform which bits were identified conclusively, and to compare
some of the common bits in order to estimate the error rate. They must accept some
small error rate due to imperfections in handling the quantum states. If the estimated
error rate exceeds the allowed error rate they return to stage 1 and start over.

2.3. EPR quantum cryptographic protocols

Another encoding scheme gaining popularity, also called the Ekert encoding scheme
(E91), is similar to BB84, but is based on two photons, called entangled photons.[2]
These photon pairs can be created by either Alice, Bob or a third party by splitting a
single photon into two, using a laser. After the split, one of the photons is sent by
the sender or on behalf of the sender to the receiver while the other photon is kept.
The entangled photons follow a principle similar the Heisenberg’s Uncertainty Principle
where disturbing, monitoring or measuring the state of one entangled photon will disturb
the other entangled photon no matter how far apart the entangled paired photons are
separated. This property was described as the EPR Paradox (Einstein, Podolsky, Rosen)
questioning completeness of the quantum mechanics theory.
 155

Fig. 7. Quantum key distribution employing Ekert protocol

The EPR quantum protocol is a 3-state protocol that uses Bell’s inequality. In the
first stage occurring over the quantum channel, for each time slot, a state is randomly
selected with equal probability from the set of states. Than an EPR pair is created in the
selected state. One photon of the constructed EPR pair is sent to Alice, the other to Bob.
Alice and Bob at random with equal probability separately and independently select one
of the three measurement operators, and accordingly measure their respective photons.
Alice records her measured bit. On the other hand, Bob records the complement of his
measured bit to detect the presence or absence of Eve as a hidden variable.
In stage 2 Alice and Bob discuss over a public channel which measurement basis
they used for each photon. The two parties then separate the bits of the transmission
into two groups called raw key and rejected key. The raw key group contains the bits
where Alice and Bob used the same basis for measurement. The rejected key group
contains all the other bits. Now, Alice and Bob compare over a public channel their
respective rejected key. If their comparison satisfies Bell’s inequality then a third party
has been detected, then the entire process is repeated. Otherwise the raw key is retained.
Unlike the BB84 and B92 protocols, the EPR protocol, instead of discarding rejected
key, actually uses it to detect Eve’s presence. Alice and Bob now carry on a discussion
over a public channel comparing their respective rejected keys to determine whether or
not Bell’s inequality is satisfied. If it is, Eve’s presence is detected. If not, then Eve is
absent, and the remainder of the protocol is similar to that of BB84.[9]

2.4. Quantum teleportation

Quantum teleportation in quantum cryptography can be seen as the fully quantum

version of the one-time pad [26]. Shannon’s work on information theory showed that
to achieve perfect secrecy, it is necessary for the key length to be at least as large as
the message to be transmitted and only used once (this algorithm is called the One-time
pad). In that context, quantum teleportation involves the transfer of an unknown quantum
state over an arbitrary spatial distance by exploiting the prearranged entanglement of
156

quantum systems in conjunction with the transmission of a minimal amount of classical

information (Fig. 8).

Fig. 8. Quantum Teleportation

First, a source of entangled (EPR) particles is prepared. Sender and receiver share
each particle from a pair emitted by that source. Second, a Bell-operator measurement is
performed at the sender on his EPR particle and the teleportation-target particle, whose
quantum state is unknown. Third, the outcome of the Bell measurement is transmitted
to the receiver via a classical channel. This is followed by an appropriate unitary oper-
ation on the receiver’s EPR particle. The name “teleportation” is justified by the fact
that the unknown state of the transfer-target particle is destroyed at the sender site and
instantaneously appears at the receiver site. Actually, the state of the EPR particle at the
receiver site becomes its exact replica, but the teleported state is transported between the
two sites without transferring the media containing information, therefore it should be
immune from eavesdropping.

3. Quantum Cryptography in Practice

Today, QKD is no longer confined to laboratories; commercial systems are available,

capable of automated continuous operation using available standard telecom fibers. In
the SECOQC project of the 6th Framework Programme of the European Community six
technologically different systems were operated under realistic assumptions in a QKD
network in Vienna in October 2008, providing user level applications with cryptographic
keys [27]. Commercial products for point-to-point QKD are today available from at least
three small companies (id Quantique, Geneva, SmartQuantum Group, MagiQ Technolo-
gies Inc.), supplying products mainly for experimental evaluation. Some major com-
panies are working currently on QKD products as well. Few larger scale experimental
projects were designed, such as The DARPA Quantum Network, Swiss voting ballots,
The Vienna network, and far advanced projects in Spain and South Africa.
 157

3.1. The DARPA Quantum Network

BBN Technologies (Cambridge, MA) operates the world’s first quantum crypto-
graphic network, which links several different kinds of QKD systems (Fig. 9). Some
use off-the-shelf optical lasers and detectors to emit and detect single photons; others
use entangled pairs of photons. This DARPA-funded network runs between BBN, Har-
vard, and Boston University, a city sized schematic designed to test the robustness of
such systems in real-world applications [3].

Fig. 9. Virtual Private Network (VPN) based on Quantum Key Distribution

BBN security model is the cryptographic Virtual Private Network (VPN), where ex-
isting VPN key agreement primitives are augmented or completely replaced by keys pro-
vided by quantum cryptography. The remainder of the VPN construct is left unchanged;
see Fig. 9. Thus such QKD-secured network is fully compatible with conventional
Internet hosts, routers, firewalls, and so on.

3.2. The Vienna Network

The network, which is based in Vienna, Austria, was developed under the integrated
EU project “Development of a Global Network for Secure Communication Based on
Quantum Cryptography” (SECOQC). The Vienna network consists of six nodes and
eight intermediary links with distances between 6 and 82 km. There are seven links
utilizing commercial standard telecommunication optical fibres and one free-space link.
Toshiba, UK supplied hardware to the Vienna network and sites connected in the network
were Siemens sites.
158

3.3. Commercial Quantum Products

Swiss company id Quantique is offering a variety of quantum technology products,

such as single photon detectors, random number generators as well as quantum key
distribution equipment and even complete encryption systems using QKD technology.
An example of Quantum Key Distribution System is Clavis2 that uses a proprietary
auto-compensating optical platform, featuring good stability and interference contrast,
guaranteeing low quantum bit error rate. Secure key exchange becomes possible up to
100 km. It consists of two stations controlled by one or two external computers. A soft-
ware suite implements automated hardware operation and complete key distillation. Two
quantum cryptography protocols: BB84 and SARG are implemented.
Complete encryption system with QKD is represented by Cerberis, combining QKD
solution with few encryption devices implementing AES protocol. The Cerberis solution
integrates into existing fiber-optic network infrastructures [6].

Fig. 10. Encryption solution with Cerberis

Equipment from id Quantique has been successfully used in Geneva electronic vot-
ing.
US based MagicQ, Inc. is another quantum technology vendor. MAGIQ QPN 8505
Security Gateway is a highly-compatible, hardware-based, VPN security solution built
on quantum cryptography [7]. MagiQ QPNTM solves the problem of refreshing en-
cryption keys regularly as often as 100 times per second by incorporating real-time,
continuous, symmetrical quantum key generation based on truly random numbers.
MagiQ QPNTM 8505 comprises of a set of industry standard protocols including
BB84, IPSEC based VPN and AES. MagiQ QPNs were implemented in the DARPA
network in Boston, MA.
 159

Fig. 11. Multi-Site Network Security

4. Security of Quantum Cryptography

Quantum cryptography, as introduced, was believed to be a perfectly secure way

of communication based on the laws of physics. However, along with theoretical and
practical implementation progress many researchers undertook a scrutiny on security
of QKD based communication systems, realizing that there are many fine points in the
protocol and hardware.

4.1. Overall security of a communication system

Currently, quantum technology provides a solution to one only component of the

secure communication system, namely quantum key distribution (QKD). Such a system
can generally be as secure as its weakest component.[5]. From our earlier characteriza-
tion we know that there are two other components required. First, in order to avoid a
man-in-the-middle attaca, communicating parties must use authenticated channel; sec-
ondly there is a classic channel such as AES to carry encrypted data. There is only one
unconditionally secure system, namely so called one-time-pad that requires both parties
to use the same random key of length equal to the length of the message and used once
only. This requirement becomes impractical for majority of applications, however if
the one-time pad is used as the encryption algorithm, then the overall communications
system can also be made unconditionally secure.
Another weak component remains anyways i.e. requirement of having an authentic
channel. All currently existing authentication schemes that offer unconditional security
depend on a pre-established symmetric key. A good example is GSM system, where a
160

Subscriber Identity Module (SIM) contains a 128 bit symmetric key that is shared with
the subscriber’s network service provider. This key is used in an authentication protocol,
one product of which is a new symmetric data encryption key, similar way as QKD
systems do.

4.2. Attacks on quantum cryptosystems

Quantum cryptography systems are vulnerable to a variety of hacker attacks. Three

types of attacks relevant to ideal systems could be mentioned: man-in-the-middle
(MITM), denial of service (DoS), and large pulse attack.[8].
Man-in-the-middle (MITM) attacks can be performed in two different ways. The
first, involves Eve pretending to be “Alice” to Bob and “Bob” to Alice (Fig. 6). Eve
would then perform QC with both Alice and Bob at the same time, obtaining two keys,
one for Alice and one for Bob. Alice’s key would be used to decrypt a message from
Alice then reencrypted by Bob’s key and vice versa. This type of attack is possible,
but preventable by performing some type of identity authentication. The second type
of MITM attack comes from the method photons are transmitted. Most of currently
implemented systems do not use single photon sources, but rather very weak laser pulses
that are small bursts of coherent light. In theory, Eve may be able to split a single proton
from the burst without being detected. Eve could then observe the retrieved photons
until the basis used to create then is announced.
Denial of service (DoS) attack can be performed in two ways: by compromising
the quantum cryptographic hardware or by introducing extra noise into the QC system.
Eve the hacker could tamper with the fiber-optic lines, or compromise QC equipment to
generate photons at random that are not secure. Excessive noise could cause Alice and
Bob to discard a higher number of photons.
Large pulse attack: Eve, the eavesdropper, sends a large pulse of light back to Alice
in between Alice’s photon transmissions. Regardless of how black Alice’s transmitting
equipment may be, some light will be reflected back to Eve where she can discover the
polarization state of Alice’s polarizer because the reflected light will be polarized in the
same manner. We need to consider a theoretical/experimental countermeasure against
this attack.

4.3. Exploiting physical imperfections

Let us now consider the security of the non-ideal protocol, taking into account un-
avoidable technical imperfections.
A major problem in the implementation of BB84 is generation of a single-photon
state. In most experiments, an attenuated coherent laser source is used instead of a
perfect single-photon source. All photon sources so far have some probability of multi-
 161

photon emission, from which Eve can obtain information by exploiting the so-called
photon number splitting (PNS) – see Fig. 12.

Fig. 12. PNS attack

Eve may suppress single-photon signals, and allow passing only those signals that
she can split. Since this attack is one of the greatest threats to BB84, protocols with PNS
tolerance have been considered. The differential phase shift (DPS)-QKD [17], SARG04
protocol [18], and decoy state method [19], [20], [10] are examples of such protocols or
PNS-attack-resistant methods.
Increased interest in researching quantum attacks gradually evolved to include such
imperfections of physical apparatus as faint pulse sources (as opposed to true single
photon sources), loss in the transmission line and non-ideal detectors [25]. Most com-
mercial quantum links have two detectors, each tuned to detect protons in one of the two
different polarisation states – "1" or "0" – used to make up the secret code. Hoi-Kwong
Lo at the University of Toronto in Canada realized [4] that small imperfections in the
design of the photon detectors mean they aren’t quite switched on at the same instant,
and for a few picoseconds only one will be on. Eve can make sure the photon arrives at
Bob when only his "1" detector is open. Now, if Bob registers a click and tells Alice,
Eve knows that the photon was in the "1" state. Lo claims that their team was able to
hack a commercial quantum communications device 4% of the time. Just recently id
Quantique said that they were able to fix loopholes exploited by Professor Lo.[21]. Eve
is assumed to know everything about Alice’s and Bob’s equipment. Thus, Eve can fully
exploit every imperfection that exists in legitimate parties’ hardware and software.
Makarov [11],[12] explores successful attacks on commercial single-photon detec-
tors, using fake state pulses, utilizing equipment imperfections. Using bright light Eve
can blind Bob’s detectors forcing them to become totally insensitive to single photons
as well as dark counts and afterpulses, only producing an output pulse (a “click”) when
a brighter optical pulse is applied at its input. With such a control mode Eve could
intercept each quantum bit encoded by Alice with an exact replica of the detection appa-
ratus used by the Bob, then send a faked state targeting the corresponding detector at the
162

receiver’s side, allowing Eve to get a complete copy of the cryptographic key without
being noticed unless light intensity across the link is monitored.
Finally, QKD security is always relying on an implicit assumption: Alice and Bob,
who are storing the final symmetric secret keys in classical memories, must be located
inside secure environments. If there is a channel allowing to spy on the keys, stored
in a classical memory, then the security of the keys is compromised. Providing that
QKD devices are partly made of classical objects, it is essential that such interfaces are
designed with great care.

5. Other challenges

Speed of key exchange and reachable distance of QKD links are challenging factors
today. According to SECOQC reports as of 2007 [13] one can expect to exchange be-
tween 1 and 10 kbits of secret key per second, over a point-to-point QKD link of 25 km
(at 1550 nm, on dark fibres). The maximum span of QKD links is roughly 100 km at
1550 nm on telecom dark fibres. This range is suitable for metropolitan area scale QKD.
Both secret bit rate and maximum reachable distance are expected to continue their pro-
gression during the next years due to combined theoretical and experimental advances.
Significant speed increase is expected in forthcoming future, though it will require very
fast detectors at telecommunications wavelengths, with good quantum efficiency and
low dark count.
Use of trusted relays QKD network can increase distance reacheable by QKD link.
[13]. The relay nodes need to be trusted, although having the sender use a secret sharing
scheme can reduce trust. It is particularly useful when the network operator is already
a network user, as in the case of internal bank networks. Global key distribution is
performed over a QKD path, i.e. a one-dimensional chain of trusted relays connected by
QKD links, establishing a connection between two end nodes, as shown on Fig. 13.

Fig. 13. “Hop-by-hop” secure message passing by QKD links

Secret keys are forwarded, in a hop-by-hop fashion, along QKD paths. To ensure
their secrecy one can use one-time pad encryption and unconditionally secure authenti-
cation, both realised with a local QKD key. The trusted relays QKD network has been
used in the DARPA and Vienna Network.
One of the main targets of the free-space QKD system is to construct an Earth-
satellite link. Several groups have published detailed modeling to show that low-Earth
 163

orbit satellite-to-ground QKD would be feasible even in daylight, with typical ranges of
∼1.000 km [15].
Key Pre-Distribution can pose another challenge for system initialization. After ini-
tialization QKD-generated keys can then be stored and used for later authentication. For
the network of n nodes this may lead to n(n–1)/2 pairs of secret keys distributed, but
thanks to possibility of playing with betwork connectivity, the problem can be reduced
to linear one [13].

6. Conclusions

Quantum key distribution solves the key distribution problem with security based
on the laws of physics, but it is important to develop network architecture able to fully
benefit from the possibilities offered by point-to-point, distance limited QKD links.
Few experimental demonstrations have included all of the ingredients of a full QKD
protocol, and their focus has been almost exclusively on closing the gap between the
idealized assumptions of “theoretical secrecy” proofs for QKD and the realities of im-
perfect realizations of fundamental quantum processes. As the technology continues
to evolve into more mature stage, it is apparent that QKD is capable of significantly
and positively impacting information-security requirements without insisting on theo-
retically perfect secrecy from inevitably imperfect physical realizations. According to
a roadmap projected by the Quantum Cryptography Technology Experts Panel [14], at
least two distinct practical roles for QKD are possible within future networked optical
communications infrastructures

– “key-transfer-mode QKD”: an enhancement to conventional key management in-

frastructures supporting the transfer or generation of keys for symmetric key cryp-
tography
– “encryptor-mode QKD”: a new, physical layer encryption technology (a quantum
generated one-time-pad stream cipher).

The roadmap sets out specific goals that will stimulate the necessary basic theoretical
and experimental physics research and advances in the enabling component technolo-
gies. The roadmap has been a living document, updated on an annual basis to reflect
progress.
The latest Updating Quantum Cryptography Working Group Report [1] outlines the
standardization of quantum cryptography. Specifically it raises issues of the interop-
erability specifications and requirements. One is the interoperability between quantum
cryptographic technology and contemporary cryptographic systems and the other is that
among quantum cryptosystems. It also refers to issues relating to test requirements.
164

Research goals related to New Generation Quantum Cryptography define a short-

term strategy that is to combine current quantum cryptography and photonic network
technology with reasonable assumptions for the nodes and a compromise of the secu-
rity level. The long-term strategy is to invent new schemes that have the merits of all
known protocols and study and develop quantum repeaters that can realize full quantum
networking.

References

1. The Updating Quantum Cryptography Report, Ver. 1, May 2009.

2. A. K. Ekert: Quantum cryptography based on Bell’s theorem, Physical Review Letters,
Vol. 67, No. 6, 5 August 1991, pp. 661–663.
3. C. Elliott, D. Pearson, G. Troxel: “Quantum Cryptography in Practice”, BBN, 2003.
4. A. Vakhitov, V. Makarov, D.R. Hjelme: “Large pulse attack as a method of conventional
optical eavesdropping in quantum cryptography,” Journal of Modern Optics 48, pp. 2023-
2038, (2001).
5. K. G. Paterson, F. Piper, R. Schack: Why Quantum Cryptography?, Cryptology ePrint
Archive: Report 2004/156. http://eprint.iacr.org/2004/156.
6. Id Quantique: “Specifications sheet Cerberis,” http://www.idquantique.com/products/ cer-
beris.htm, 2008.
7. MagicQ, Inc.: “Specifications sheet MagiQ QPNTM Security Gateway,” http://www.
magiqtech.com, 2007.
8. Lester Houston III: Secure Ballots Using Quantum Cryptography, 2007, http://www.cse.
wustl.edu/∼jain/cse571-07/ftp/ballots/index.html
9. S.J. Lomonaco: “A quick glance at quantum cryptography,” Dept. of Comput. Sci. and
Elect. Engr., Univ. of Maryland Baltimore County quant-ph/9811056, Nov. 1998.
10. Y. Zhao, B. Qi, X. Ma, H.-K. Lo, L. Qian: Experimental Decoy State Quantum Key
Distribution Over 15 km, arXiv: 0503.192v2 [quant-ph], Mar. 2005.
11. S. Sauge, V. Makarov, A. Anisimov: "Quantum hacking: how Eve can exploit compo-
nent imperfections to control yet another of Bob’s single-photon qubit detectors", CLEO
Europe EQEC, 2009.
12. V. Makarov: “Controlling passively-quenched single photon detectors by bright light,”
arXiv: 0707.3987v3 [quant-ph], Apr. 2009.
13. SECOQC White Paper on Quantum Key Distribution and Cryptography, Secoqc-WP-v5,
Jan.2007.
14. A Quantum Information Science and Technology Roadmap Part 2: Quantum Cryptogra-
phy, Report of the Quantum Cryptography Technology Experts Panel, ARDA. July 2004.
 165

15. J.G. Rarity, P.R. Tapster, P.M. Gorman, P. Knight: “Ground to satellite secure key ex-
change using quantum cryptography,” New Journal of Physics 4, 82.1-82.9 (2002).
16. Ch. H. Bennett, G. Brassard, Quantum cryptography: Public key distribution and coin
tossing, International Conference on Computers, Systems & Signal Processing, Bagalore,
India, December 10–12, 1984, pp. 175–179.
17. K. Inoue, E. Waks, Y. Yamamoto: “Differential Phase Shift Quanum Key Distribution,”
Physical Review Letters 89, 037–902 (2002).
18. V. Scarani, A. Acin, G. Ribordy, N. Gisin: “Quantum Cryptography Protocols Robust
against Photon Number Splitting Attacks for Weak Laser Pulse Implementations,” Physi-
cal Review Letters 92, 057–901 (2004).
19. W.-Y. Hwang: Quantum key distribution with high loss: Toward global secure communi-
cation. Phys. Rev. Lett., 91(5):057901, 2003 doi:10.1103/PhysRevLett.91.057901. eprint
arXiv:quant-ph/0211153.
20. X.-B. Wang: “Beating the Photon-Number-Splitting Attack in Practical Quantum Cryp-
tograpy,” Physical Review Letters 94, 230–503 (2005).
21. C. Barras: Quantum computers get commercial – and hackable, New Scientist, Apr. 2009.
22. P. D. Townsend, I. Thompson: Journal of Modern Optics, A quantum key distribution
channel based on optical fibre, Vol. 41, No. 12, 1994, pp. 2425–2433.
23. B.C. Jacobs, J.D. Franson: Quantum cryptography in free space, Optics Letters, Vol. 21,
November 15, 1996, pp. 1854–1856.
24. H. Ch. Bennett: Quantum cryptography using any two nonorthogonal states, Physical
Review Letters, Vol. 68, No. 21, 25 May 1992, pp. 3121–3124.
25. V. Makarov, D. Hjelme: Faked states on quantum cryptosystems, J. Mod. Opt. 45, pp.
2039–2047, 2001.
26. N. Gisin, G. Ribordy, W. Tittel, H. Zbinden: Quantum cryptography, Reviews of Modern
Physics, Vol. 74, January 2002.
27. N. Anscombe: Quantum cryptography: Vienna encrypts com, OLE, Jan. 2009 op-
tics.org/ole.

Kryptografia kwantowa

Streszczenie

Kryptografia publicznego klucza, dominujaca

˛ obecnie, jest zagrożona przez rozwój
informatyki kwantowej. Z chwila,˛ gdy kwantowy komputer stanie si˛e rzeczywistościa,˛
charakteryzować si˛e on b˛edzie wielkimi zdolnościami równoległego przetwarzania.
Chociaż jest to odległa perspektywa, pewne rozwiazania
˛ już powstały. Kryptografia
kwantowa rozwiazuje
˛ problem dystrybucji kluczy kryptograficznych umożliwiajac ˛
166

wymian˛e kluczy mi˛edzy stronami z zachowaniem całkowitego bezpieczeństwa. Za-

sadnicze właściwości tej wymiany opisano w niniejszej pracy. Opiera si˛e ona na
użyciu dwóch kanałów transmisji: kwantowgo i klasycznego (Rys. 4). Istnieje szereg
protokolów transmisji kluczy kryptograficznych opisanych w niniejszej pracy. Jednym
z praktycznych zastosowań kryptografii kwantowej była wirtualna siec prywatna (VPN)
zrealizowana w Bostonie w r. 2003 (patrz Rys. 9). Wiele urzadzeń˛ stosowaych w kry-
tografii kwantowej jest oferowanych komercyjnie. Podano niektóre przykłady. Systemy
kryptografii kwantowej daja˛ obiecujac ˛ a˛ perspektyw˛e, post˛epy sa˛ widoczne, ale sys-
temy te sa˛ wcia˛ż wrażliwe na ataki, a także maja˛ ograniczenia odległości transmisji
i szybkości szyfrowania. W niniejszym opracowaniu przedyskutowano ograniczenia
systemów kryptografii kwantowej, a także perspektywy rozwoju i doskonalenia
obecnych rozwiazań.
˛