arX

iv:0

802.

4155

v1 [

quan

t-ph

] 2

8 Fe

b 20

08

A Framework for Practical Quantum Cryptography

Valerio Scarani 1,2, Helle Bechmann-Pasquinucci 3,4, Nicolas J. Cerf 5, Miloslav Dusek 6, Norbert Lutkenhaus 7,8,

Momtchil Peev 9

1 Centre for Quantum Technologies, National University of Singapore, Singapore2 Group of Applied Physics, University of Geneva, Geneva, Switzerland3 University of Pavia, Dipartimento di Fisica “A. Volta”, Pavia, Italy4 UCCI.IT, Rovagnate (LC), Italy5 Quantum Information and Communication, Ecole Polytechnique, Universite Libre de Bruxelles, Brussels, Belgium6 Department of Optics, Faculty of Science, Palacky University, Olomouc, Czech Republic7 Institute for Quantum Computing & Department for Physics and Astronomy, University of Waterloo, Waterloo, Canada8 Max Planck Research Group, Institute for Optics, Informationand Photonics, University of Erlangen-Nuremberg, Erlangen, Germany9 Quantum Technologies, Smart Systems Division, Austrian Research Centers GmbH ARC, Vienna,Austria

(Dated: October 24, 2018)

Quantum cryptography is the first quantum information task to reach the level of mature technol-ogy, already fit for commercialization. It aims at the creation of a secret key between authorizedpartners connected by a quantum channel and a classical authenticated channel, whence the propername of Quantum Key Distribution (QKD). The security of the key can in principle be guaranteedwithout putting any restriction on the eavesdropper’s power.The first two sections provide a concise up-to-date review of QKD, biased toward the practicalside. The rest of the paper presents the essential theoretical tools and the main experimentalplatforms (discrete variables, continuous variables and distributed-phase-reference protocols) in asynthetic framework, which highlights similarities and differences and is open to include futureprogress.

Contents

I. Introduction 2A. Cryptography 2B. Quantum Key Distribution (QKD) 2

1. Classical and quantum channels 22. Unconditional security, and its conditions 3

C. Goal of the review 3D. Outline of the review 3

II. The Elements of Practical QKD 4A. Milestones 4

1. Foundations: 1984-1992 42. The theory-experiment gap opens: 1993-2000 43. Closing the gap: 2000 to present 4

B. Generic QKD Protocol 51. Quantum information processing 52. Classical information processing 5

C. Notions of Security 61. Definition of security 62. Proofs, and Secret key rate 6

D. Explicit Protocols 71. Three families 72. Discrete-variable Protocols 73. Continuous-variable Protocols 94. Distributed-phase-reference Protocols 10

E. Sources 111. Lasers 112. Sub-Poissonian Sources 113. Sources of Entangled Photons 12

F. Physical Channels 121. Fiber Links 132. Free Space Links 13

G. Detectors 131. Photon Counters 132. Homodyne Detection 14

H. A case study: the Plug&Play configuration 15

III. Secret Key Rate 15A. Raw key rate 15B. Secret fraction 16

1. Classical information post-processing 162. Individual, Collective and Coherent Attacks 173. Quantum side channels and zero-error attacks 194. Hacking on Practical QKD 195. A crutch: the “uncalibrated-device scenario” 20

IV. Discrete-variable protocols 20A. Generic Assumptions and Tools 20

1. Photon-number statistics 212. Secret key rate 21

B. BB84 coding: lower bounds 221. Prepare-and-Measure: Generalities 222. P&M without decoy states 223. P&M with decoy states 224. P&M: analytical estimates 235. Entanglement-Based 23

C. BB84 coding: upper bounds incorporating thecalibration of the devices 241. Statistical parameters 242. Upper bounds 25

D. Bounds for the SARG04 coding 25

V. Continuous-variable protocols 26A. Status of security proofs 26B. Bounds for Gaussian protocols 27

1. Generalities 272. Modeling the noise 273. Information Alice-Bob 284. Individual attacks 285. Collective attacks 286. Collective attacks and post-selection 29

VI. Distributed-phase-reference protocols 29A. Status of security proofs 29

2

B. Bounds for DPS and COW 301. Collective beam-splitting attack 302. More sophisticated attacks 30

VII. Comparison of experimental platforms 31A. Generalities 31

1. Model for the source and channel 312. Choice of the parameters 32

B. Comparisons based on K 321. All platforms on a plot 322. Effect of a duty cycle 323. Upper bound incorporating the calibration of the

devices 32C. Comparison based on the “cost of a linear network” 33

VIII. Perspectives 34A. Perspectives within QKD 34

1. Finite-key analysis 342. Open issues in unconditional security 353. Black-box security proofs 354. Toward longer distances: satellites and repeaters 355. QKD in networks 36

B. QKD versus other solutions 36

Acknowledgements 38

A. Unconditional security bounds for BB84 and

six-states, single-qubit signals 38

B. Elementary estimates for quantum repeaters 391. Quantum memories 392. Model of quantum repeater 39

a. Definition of the model 39b. Detection rates 40

References 40

I. INTRODUCTION

A. Cryptography

Cryptography is a field of applications that provide pri-vacy, authentication and confidentiality to users. An im-portant subfield is that of secure communication, aimingat allowing confidential communication between differentparties such that no unauthorized party has access to thecontent of the messages. This field has a long history ofsuccesses and failures, as many methods to encode mes-sages emerged along the centuries, always to be brokensome time later.History needs not repeat forever, though. In 1926, Ver-

nam proposed the so-called One-Time Pad encryption,which uses a symmetric, random secret key shared be-tween sender and receiver (Vernam, 1926). A few yearslater, Shannon proved that this scheme cannot be brokenin principle, provided the parties do not reuse their key(Shannon, 1949). This means that the key is being usedup in the process. To employ this scheme, therefore,one has to find means to distribute absolutely securelyto the communicating parties amounts of key materialthat are equal to the text to be encrypted. Becauseof this limitation, which becomes severe in case hugeamounts of information have to be securely transmitted,most cryptographic applications nowadays are based on

schemes, whose security cannot be proved in principle,but is rather based on our experience that some problemsare hard to solve. In other words, these schemes can bebroken, but with a substantial amount of computationalpower. One can therefore set a security parameter to avalue, such that the amount of required computationalpower lies beyond the amount deemed to be available toan adversary; the value can be adjusted in time, alongwith technological advances.

The picture has changed in the last two decades,thanks to unexpected inputs from quantum physics. In1984, Bennett and Brassard proposed a solution tothe key distribution problem based on quantum physics(Bennett and Brassard, 1984): this was the beginningof quantum cryptography, or more precisely quantumkey distribution (QKD). Since then, QKD devices haveconstantly increased their key generation rate and havestarted approaching maturity, needed for implementationin realistic settings.

In an intriguing independent development, ten yearsafter the advent of QKD, Peter Shor discovered that largenumbers can in principle be factorized efficiently if onecan perform coherent manipulations on many quantumsystems (Shor, 1994, 1997). Factorizing large numbers isan example of a mathematical task considered classicallyhard to solve and for this reason related to a class ofcryptographic schemes which are currently widely used.Though quantum computers are not realized yet, themere fact that they could be built brought into awarenessthat the security of some cryptographic schemes may bethreatened1.

This review focuses therefore on the cryptographic taskof key distribution, and in particular on its realization us-ing quantum physics. Note that a secret key serves manyuseful purposes in cryptography other than message en-cryption: it can be used, for example, to authenticatemessages, that is, to prove that a message has been in-deed sent by the claimed sender.

B. Quantum Key Distribution (QKD)

Let us now describe the elements of quantum key dis-tribution, which provides secret key to a sender (Alice)and a receiver (Bob) in the potential presence of an eaves-dropper (Eve).

1. Classical and quantum channels

Alice and Bob need to be connected by two channels.On the quantum channel, Alice can send quantum sig-nals to Bob. Eve can interact with these signal, but if

1 This issue will be discussed in more detail in VIII.B.

3

she does, the signals are changed because of the laws ofquantum physics – the essence of QKD lies precisely here.On the classical channel, Alice and Bob can send classi-

cal messages for and back. Eve can listen without penaltyto all communication that takes place on this channel.However, in contrast to the quantum channel, the classi-cal channel is required to be authenticated, so that Evecannot change the messages that are being sent on thischannel. Failure to authenticate the classical channel canlead to the situation where Eve impersonates one of theparties to the other, thus entirely compromising the se-curity. The secure authentication of the classical channelrequires Alice and Bob to pre-share an initial secret key.QKD therefore does not create a secret key out of noth-ing: rather, it will expand a short secret key into a longone, so strictly speaking it is a way of key-growing. Thisremark calls for two comments: first, key growing cannotbe achieved by use of classical means alone; second, itis important to show that the secret key emerging fromQKD is composable, that is, it can be used like a perfectrandom secret key, because one has to use a part of it asauthentication key for the next round.

2. Unconditional security, and its conditions

The appeal of QKD comes mainly from the fact that,in principle, it can achieve unconditional security. Thistechnical term means that security can be proved withoutimposing any restriction on the computational resourcesor the manipulation techniques that are available to theeavesdropper. The possibility of achieving unconditionalsecurity in QKD is deeply rooted in quantum physics. Tolearn something about the key, Eve must interact withthe quantum system; now, if the coding uses randomlychosen non-orthogonal states, Eve’s intervention neces-sarily modifies the state sometimes, and this modificationcan be observed by the parties. There are many equiva-lent formulations of this basic principle. A popular oneis to evoke the no-cloning theorem (Wootters and Zurek,1982), which states that Eve cannot duplicate the signaland keep a perfect copy for herself while sending a perfectcopy to Bob. However formulated, it must be stressedthat this criterion can be made quantitative: the observedperturbations in the quantum channel allow computing abound on the information that Eve might have obtained.Like many other technical terms, the wording “uncon-

ditional security” has to be used in its precise meaninggiven above, and not as a synonym of “absolute secu-rity” — something that does not exist. As a matter offact, unconditional security of QKD holds under someconditions. First of all, there are some compulsory re-quirements :

1. Eve cannot intrude into Alice’s or Bob’s devices toaccess the emerging key.

2. Alice and Bob must trust the random number gen-erators that select the state to be sent or the mea-

surement to be performed.

3. The classical channel is authenticated withunconditionally secure protocols, which exist(Carter and Wegman, 1979; Wegman and Carter,1981).

4. Eve is limited by the laws of quantum physics2.

We shall take these requirements, the failure of whichwould obviously compromise any security, as granted.Even so, many other issues have to be settled, beforeunconditional security is claimed for a given protocol:for instance, the theoretical description of the quantumstates must match the signals that are really exchanged;the implementations must be proved free of unwanted in-formation leakage through side-channels or back-doors,against which no theoretical protection can be invoked.

C. Goal of the review

The goal of this review is to provide a synthetic frame-work for practical QKD. In the last years, several newprotocols have been proposed, and significant advanceshave been reported for the security analysis. We presenta comprehensive view of security issues (status and as-sumption of the proofs, warnings that have been raisedetc.), a set of consistent formulas in which one can insertthe value of the most meaningful experimental parame-ters, and some tentative criteria to assess the quality of agiven platform as compared to other alternatives. Practi-cal QKD has witnessed — and actually triggered—manyadvances on the technological side too: new sources, bet-ter detectors, and so on. These technical progresses willbe mentioned, but without any claim of exhaustiveness.We have made our best to write a self-consistent text,

but, in order to reach our goal while keeping the textwithin a reasonable length, we could obviously not in-dulge on the very bases of QKD. A reader, who wouldnot be familiar with the field at all, is encouraged to readfirst the review published in this same journal a few yearsago (Gisin, Ribordy, Tittel and Zbinden, 2002), a morerecent one (Dusek, Lutkenhaus and Hendrych, 2006), orat least one of the several available basic presentations.

D. Outline of the review

The review is structured as follows. Section II in-troduces all the basic elements of practical QKD. Sec-

2 This requirement, to which we obviously hold in this review,may be weakened; in particular, security can be based only onthe so-called “no-signaling” condition. In this framework, as oftoday, unconditional security has been proved only in the caseof strictly error-free channels (Barrett, Hardy and Kent, 2005),while only limited security has been proved in more realistic cases(Acın, Gisin and Masanes, 2006; Scarani et al., 2006).

4

tion III is devoted to the rate at which a secret key isproduced: this is the fundamental parameter of QKD,and depends both on the speed and efficiency of the de-vices, and on the intrinsic security of the protocol againsteavesdropping. The next three sections provide a de-tailed analysis, with a consistent set of explicit formu-las, for the three main families of protocols: those basedon discrete-variable coding (Section IV), those based oncontinuous-variable coding (Section V) and the more re-cent distributed-phase-reference coding (Section VI). InSection VII, we put everything together and sketch somedirections for comparison of different experimental plat-forms. Finally, in Section VIII, we discuss future per-spectives for QKD, both as a field in itself and in thebroader context of key distribution.

II. THE ELEMENTS OF PRACTICAL QKD

A. Milestones

1. Foundations: 1984-1992

QKD unfolded with the presentation of the first com-plete protocol (Bennett and Brassard, 1984), which wasbased on earlier ideas by Wiesner (Wiesner, 1983). Inthe BB84 protocol, bits are coded in two complementarybases of a two level system (qubit); this qubit is sentby Alice to Bob, who measures it. The no-cloning the-orem is explicitly mentioned as the reason for security.In an independent approach, Ekert introduced a QKDprotocol based on entangled states (Ekert, 1991). Hisargument for security had a different flavor: an eaves-dropper introduces “elements of reality” into the cor-relations shared by Alice and Bob; so, if they observecorrelations that violate a Bell inequality, the commu-nication cannot have been completely broken by Eve.Shortly later, Bennett, Brassard and Mermin argued3

that entanglement-based protocols, such as E91, areequivalent to prepare&measure protocols, such as theBB84 protocol (Bennett, Brassard and Mermin, 1992).The same year 1992 witnessed two additional milestones:the invention of the B92 protocol (Bennett, 1992) andthe very first in-principle experimental demonstration(Bennett et al., 1992).

2. The theory-experiment gap opens: 1993-2000

After these foundational works, the inter-est and feasibility of QKD became apparent tomany. Improved experimental demonstrations

3 The argument is correct under some assumptions; only very re-cently it was realized that Ekert’s view is qualitatively differentand allows to reduce the set of assumptions about Alice’s andBob’s devices; see VIII.A.3.

took place, first in the lab with a growing dis-tance of optical fiber next to the optical table(Breguet, Muller and Gisin, 1994; Franson and Ilves,1994; Townsend, Rarity and Tapster, 1993), then ininstalled optical fibers (Muller, Zbinden and Gisin,1995), thereby demonstrating that QKD can be madesufficiently robust for a real-world implementation. Inthis development, an obvious milestone is the inventionof the so-called Plug&Play setups by the Geneva group(Muller et al., 1997; Ribordy et al., 1998). By the year2000, QKD over large distances was demonstratedalso with entangled photons (Jennewein et al., 2000;Naik et al., 2000; Tittel et al., 2000).Theorists became very active too. New proto-

cols were proposed, like the elegant six-state protocol(Bechmann-Pasquinucci and Gisin, 1999; Bruß, 1998).But by far a more complex task was at stake: the deriva-tion of rigorous security proofs that would replace theintuitive arguments and the first, obviously sub-optimalestimates. The first such proof has been given by Mayers,who included even advanced features such as the analysisof finite key effects (Mayers, 1996, 2001). However, thisproof is not very intuitive, and other proofs emerged,starting with the basic principle of entanglement distil-lation ideas (Deutsch et al., 1996) which were put intoa rigorous framework by Lo and Chau (Lo and Chau,1999). These entanglement based proofs would requirethe ability to perform quantum logic operations on sig-nals. At present, we do not have the experimental capa-bility to do so. Therefore the result by Shor and Preskill(Shor and Preskill, 2000) provided a step forward, as itcombined the property of Mayers result of using onlyclassical error correction and privacy amplification witha very intuitive way of proving the security of the BB84protocol. That result uses the ideas of quantum errorcorrection methods, and reduces the corresponding quan-tum protocol to an actual classically-assisted prepare-and-measure protocol.

As of the year 2000 therefore, both experimental andtheoretical QKD had made very significant advances.However, almost inevitably, a gap had opened betweenthe two: security proofs had been derived only for veryidealized schemes; setups had been made practical with-out paying paranoid attention to all the security issues.

3. Closing the gap: 2000 to present

The awareness of the gap was triggered by thediscovery of photon-number-splitting (PNS) attacks(Brassard et al., 2000), which had actually been antici-pated years before (Bennett, 1992; Huttner et al., 1995)but had passed rather unnoticed. The focus is on thesource: the theoretical protocols supposed single-photonsources, but experiments were rather using attenuatedlaser pulses, with average photon numbers below one.In these pulses, photons are distributed according to thePoissonian statistics: in particular, there are sometimes

5

two or more photons, and this opens an importantloophole. Security proofs could be adapted to dealwith the case (Gottesman, Lo, Lutkenhaus and Preskill,2004; Inamori, Lutkenhaus and Mayers, 2001-2007;Lutkenhaus, 2000): the extractable secret key rate wasfound to scale much worse with the distance than forsingle-photon sources (t2 compared to t, where t is thetransmittivity of the quantum channel).

It took a few years to realize that methods canbe devised to reduce the power of PNS attacks whilekeeping the very convenient laser sources. One im-provement can be made by a mere change of softwareby modifying the announcements of the BB84 proto-col (Scarani, Acın, Ribordy and Gisin, 2004): in thisSARG04 protocol, the key rate scales as t3/2 (Koashi,2005; Kraus, Gisin and Renner, 2005). Another signif-icant improvement can be made by an easy change ofhardware: by using signal pulses with different intensities(decoy states), one can perform a more complete test ofthe quantum channel (Hwang, 2003). In decoy state pro-tocols, the key rate scales as t (Lo, Ma and Chen, 2005;Wang, 2005).

Parallel to this development, the field of practicalQKD4 has grown in breadth and maturity. New fami-lies of protocols have been proposed, notably continuous-variable protocols (Cerf, Levy and Van Assche, 2001;Gottesman and Preskill, 2001; Grosshans and Grangier,2002a; Hillery, 2000; Ralph, 1999; Silberhorn et al., 2002)and the more recent distributed-phase-reference protocols(Inoue, Waks and Yamamoto, 2002; Stucki et al., 2005).Critical thinking on existing setups has lead to the aware-ness that the security against Eve tapping on the quan-tum channel is not all: one should also protect the de-vices against more commonplace hacking attacks and ver-ify that information does not leak out in side-channels.Since a short time, QKD has also reached the commer-cial market : at least three companies5 are offering work-ing QKD devices. New questions can now be addressed:in which applications QKD can help (Alleaume et al.,2007), how to implement a network of QKD systems6,how to certify QKD devices for commercial markets (in-cluding the verification that these devices indeed fulfillthe specifications of the corresponding security proofs)etc.

4 The whole field of QKD witnessed many other remarkable devel-opments, especially in theoretical studies, which are not includedin this paragraph but are mentioned in due place in the paper.

5 idQuantique, Geneva (Switzerland), www.idquantique.com;MagiQ Technologies, Inc., New York., www.magiqtech.com; andSmartquantum, Lannion (France), www.smartquantum.com.

6 This is the aim of the European Network SECOQC,www.secoqc.net.

B. Generic QKD Protocol

1. Quantum information processing

The first step of a QKD protocol is the exchange andmeasurement of signals on the quantum channel. Al-ice’s role is encoding: the protocol must specify whichquantum state |Ψ(Sn)〉 codes for the sequence of n sym-bols Sn = {s1, ..., sn}. In most protocols, but notin all, the state |Ψ(Sn)〉 has the tensor product form|ψ(s1)〉 ⊗ ...⊗ |ψ(sn)〉. In all cases, it is crucial that theprotocol uses a set of non-orthogonal states, otherwiseEve could decode the sequence without introducing errorsby measuring in the appropriate basis (in other words, aset of orthogonal states can be perfectly cloned). Bob’srole is twofold: his measurements allow of course to de-code the signal, but also to estimate the loss of quantumcoherence and therefore Eve’s information. For this to bepossible, non-compatible measurements must be used.We have described the quantum coding of QKD pro-

tocols with the language of Prepare-and-Measure (P&M)schemes: Alice chooses actively the sequence Sn shewants to send, prepares the state |Ψ(Sn)〉 and sends it toBob, who performs some measurement. Any such schemecan be immediately translated into an entanglement-based (EB) scheme: Alice prepares the entangled state

|Φn〉AB =1√dn

∑

Sn

|Sn〉A ⊗ |Ψ(Sn)〉B (1)

where dn is the number of possible Sn sequences and the|Sn〉A form an orthogonal basis. By measuring in thisbasis, Alice learns one Sn and prepares the correspond-ing |Ψ(Sn)〉 on the sub-system that is sent to Bob: fromBob’s point of view, nothing changes. This formal trans-lation obviously does not mean that both realizations areequally practical or even feasible with present-day tech-nology. However, it implies that the security proof for theEB protocol translates immediately to the correspondingP&M protocol and viceversa7.

2. Classical information processing

Once a large number N of signals have been exchangedand measured on the quantum channel, Alice and Bobstart processing their data by exchanging communicationon the classical channel. In all protocols, Alice and Bob

7 The statement “entanglement is a necessary condi-tion to extract a secret key” (Acın and Gisin, 2005;Curty, Lewenstein and Lutkenhaus, 2004) is not a state-ment about implementations, but about the quantum channel:no key can be extracted from an entanglement-breaking channel.This holds under the usual assumption that Eve is given apurification of the Alice-Bob state; if this assumption is relaxed,the role of entanglement may be different (Horodecki et al.,2005, 2006).

6

reveal a random sample of m of their symbols and esti-mate the statistics of their data; in particular, they canextract the meaningful parameters of the quantum chan-nel: error rate in decoding, loss of quantum coherence,transmission rate, detection rates... This step, called pa-rameter estimation, may be preceded in some protocolsby a sifting phase, in which Alice and Bob agree to dis-card some symbols (typically, because Bob learns thathe has not applied the suitable decoding on those items).After parameter estimation and possibly sifting, both Al-ice and Bob hold a list of n ≤ N −m symbols, called rawkeys. These raw keys are only partially correlated andonly partially secret. Using some classical informationpost-processing (see III.B.1), they can be transformedinto a fully secure key K of length ℓ ≤ n. The lengthℓ of the final secret key depends of course on Eve’s infor-mation on the raw keys.

C. Notions of Security

1. Definition of security

The security of a key K can be parametrized by itsdeviation ε from a perfect key, which is defined as a listof perfectly correlated symbols shared between Alice andBob, on which Eve has no information (in particular, allthe possible lists must be equally probable a priori). Adefinition of security is a choice of the quantity that isrequired to be bounded by ε. The main property that adefinition of security must fulfill is composability, mean-ing that the security of the key is guaranteed whateverits application may be — more precisely: if an ε-securekey is used in an ε′-secure task8, one wants the com-posed task to be (ε + ε′)-secure. The issue of compos-ability was raised rather late in the development of QKD(Ben-Or et al., 2005; Renner and Konig, 2005). Most,if not all, of the early security studies had adopted adefinition of security that is not composable9 but theasymptotic bounds that were derived can be “redeemed”using a composable definition. For the purpose of prac-tical QKD, it is enough to keep in mind that those QKDschemes, in which the privacy amplification is done by

8 For instance, the One-Time Pad is a 0-secure task; while anyimplementation of channel authentication, for which a part ofthe key is used (I.B.1), must allow for a non-zero ε′.

9 The early security proofs of QKD defined security by analogywith the classical definition: Eve, who holds a quantum stateρE , performs the measurement M which maximizes her mutualinformation with the key K. This defines the so-called accessible

information Iacc(K : ρE) = maxE=M(ρE) I(K : E), and the se-curity criterion read Iacc(K : ρE) ≤ ε. An explicit counterexam-ple showed that this definition is not composable (Konig et al.,2007). A definition that leads to composability is based on thetrace-norm: 1

2‖ρKE −τK⊗ρE‖1 ≤ ε, where τK is the completely

mixed state on K. In this definition, the parameter ε has a clearinterpretation as the maximum failure probability of the processof key extraction (Renner and Konig, 2005).

two-universal hashing, are generally secure according toa composable definition.

2. Proofs, and Secret key rate

Once the security criterion is defined, one can derive afull security proof, leading to an explicit (and hopefullycomputable) expression for the length of the extractablesecret key rate. Several techniques have been used:

• The very first proofs by Mayers were somehowbased on the uncertainty principle (Mayers, 1996,2001). This approach has been revived recently byKoashi (Koashi, 2005, 2007).

• Most of the subsequent security proofs havebeen based on the correspondence betweenentanglement distillation and classical post-processing, generalizing the techniques ofShor and Preskill (Shor and Preskill, 2000).For instance, the most developed securityproofs for imperfect devices follow this pat-tern (Gottesman, Lo, Lutkenhaus and Preskill,2004).

• The most recent techniques use rather information-theoretical notions, in particular smooth Renyi en-tropies (Kraus, Gisin and Renner, 2005; Renner,2005; Renner, Gisin and Kraus, 2005).

• Some authors (Horodecki et al., 2005, 2006) haveapproached QKD from a different perspective thanthe usual one: they set out to characterize generi-cally which quantum states can give some secrecy(private states). The most striking result is thatsome bound entangled states are private10. Al-though very insightful, this approach has not yetlead to propose new, more efficient protocols; there-fore we leave it aside in this paper.

In the asymptotic case N → ∞ of infinitely long keys,the meaningful quantity is the secret fraction11

r = limn,m→∞

ℓ/n . (2)

The secret fraction is clearly the heart of QKD: this isthe quantity for which the security proofs must providean explicit expression. However, a more prosaic param-eter must also be taken into account as well in practical

10 The precise statement is: suppose that, in addition to systemA, Alice is given a “shield system” A′; and similarly Bob, sothat Eve has a purification of ρAA′BB′ and not of ρAB . In thisscenario, there exist bound entangled states ρAA′BB′ such thata secret key can be extracted out of the correlations A−B.

11 Often, especially in theoretical studies, this quantity is called“secret key rate”. In this paper, we reserve this term to (3),which is more meaningful for practical QKD.

7

QKD: namely, the raw-key rate R, i.e. the length of theraw key that can be produced per unit time. This ratedepends partly on the protocol: for instance, it containsthe sifting factor, i.e. the fraction of exchanged sym-bols that is discarded in a possible sifting phase. But,surely enough, its largest dependence is on the detailsof the setup: repetition rate of the source, losses in thechannel, efficiency and dead time of the detectors, possi-ble duty cycle, etc. In conclusion, in order to assess theperformances of practical QKD systems, it is natural todefine the secret key rate as the product

K = Rr . (3)

The whole Section III will be devoted to a detailed dis-cussion of this quantity.As mentioned, these definitions hold in the asymptotic

regime of infinitely long keys. When finite-key correc-tions are taken into account, a reduction of the secretfraction is expected, mainly for two reasons. On the onehand, parameter estimation is made on a finite number ofsamples, and consequently one has to consider the worstpossible values compatible with statistical fluctuations.On the other hand, the classical post-processing itselfdoes not work optimally on finite samples. In this re-view, we restrict our attention to the asymptotic case,not because finite-key corrections are negligible — quitethe opposite seems to be true12 — but because their esti-mate is still the object of on-going research (see VIII.A.1for the state-of-the-art).

D. Explicit Protocols

1. Three families

The number of explicit QKD protocols is virtually in-finite: after all, Bennett has proved that security can beobtained when coding a bit in just two non-orthogonalquantum states (Bennett, 1992). But as a matter offact, this possible variety has crystallized into three mainfamilies: discrete-variable coding (II.D.2), continuous-variable coding (II.D.3), and more recently distributed-phase-reference coding (II.D.4).Discrete-variable coding is the original one. Its main

advantage is that protocols can be designed in such away that, in the absence of errors, Alice and Bob wouldshare immediately a perfect secret key. They are still themost implemented QKD protocols. Any discrete quan-tum degree of freedom can be chosen in principle, but themost frequent ones are polarization for free-space imple-mentations and phase-coding in fiber-based implementa-

12 For instance, in the only experiment analyzed with finite-keyformalism to date (Hasegawa et al., 2007), the authors extractedr ≈ 2%, whereas, for the observed error rate, the asymptoticbound would have yielded r >∼ 40%!

tions13. The case for continuous-variable coding stemsfrom the observation that photon counters, required fordiscrete-variable protocols, normally feature low quan-tum efficiencies, high dark count rates, and rather longdead times; while these inconveniences can be overcomeby using homodyne detection (detection techniques arereviewed in II.G). The price to pay is that the protocolprovides Alice and Bob with correlated but rather noisyrealization of a continuous random variable: a signifi-cant amount of error correction procedures must be used.In short, the issue is, whether it is better to build upslowly a noiseless raw key, or rapidly a noisy one. As fordistributed-phase-reference coding, its origin lies in theeffort of some experimental groups towards a more andmore practical implementation. From the point of viewof detection, these protocols produce a discrete-valuedresult.Despite the differences originating from the use of a

different detection device, there is a strong conceptualunity underlying discrete- and continuous-variable QKD.To take just one example, in both cases the existence of“virtual” entanglement plays an essential role in the se-curity proofs, even if no actual entanglement is present.This is because the ability to distribute a quantum key isclosely related to the ability to distribute entanglement,regardless of the detection scheme used. These similari-ties are not very surprising since it has long been knownthat the quantum features of light may be revealed ei-ther via photon counting (e.g., antibunching or anticor-relation experiments) or via homodyne detection (e.g.,squeezing experiments). Being a technique that exploitsthese quantum features of light, QKD has thus no reasonto be restricted to the photon-counting regime. Surpris-ingly, just like antibunching (or a single-photon source) isnot even needed in photon-counting based QKD, we shallsee that squeezing is not needed in homodyne-detectionbased QKD. The only quantum feature that happens tobe needed is the non-orthogonality of light states.

2. Discrete-variable Protocols

a. BB84-BBM. The best known discrete-variable pro-tocol is of course BB84 (Bennett and Brassard, 1984).The corresponding EB protocol is known as BBM(Bennett, Brassard and Mermin, 1992); the E91 proto-col (Ekert, 1991) is equivalent to it when implementedwith qubits. Alice prepares a single particle in one of thefour states:

|+ x〉, | − x〉 , eigenstates of σx|+ y〉, | − y〉 , eigenstates of σy

(4)

13 Other degrees of freedom have been explored, for instance cod-ing in sidebands of phase-modulated light (Merolla et al., 1999)and time-coding (Boucher and Debuisschert, 2005). Energy-time entanglement gives also rise to a peculiar form of coding(Tittel et al., 2000).

8

where the σ’s are Pauli operators. The states with “+”code for the bit value 0, the states with “−” for the bitvalue 1. Bob measures either σx or σy. In the absence oferrors, measurement in the correct basis reveals the bit-value encoded by Alice. The protocol includes a siftingphase: Alice reveals the basis, X or Y , of each of hersignals; Bob accepts the values for which he has used thesame basis and discards the others14.

Unconditional security of BB84-BBM hasbeen proved with many different techniques(Kraus, Gisin and Renner, 2005; Lo and Chau, 1999;Mayers, 1996, 2001; Shor and Preskill, 2000). The samecoding can be implemented with other sources, leadingto a family of BB84-like protocols. We review them atlength in IV.B.

b. SARG04. The SARG04 proto-col (Acın, Gisin and Scarani, 2004;Scarani, Acın, Ribordy and Gisin, 2004) uses thesame four states (4) and the same measurements onBob’s side as BB84, but the bit is coded in the basisrather than in the state (basis X codes for 0 and basisY codes for 1). Bob has to choose his bases with prob-ability 1

2 . The creation of the raw key is slightly morecomplicated than in BB84. Suppose for definitenessthat Alice sends |+ x〉: in the absence of errors, if Bobmeasures X he gets sb = +; if he measures Y , he mayget both sb = +/− with equal probability. In the siftingphase, Bob reveals sb; Alice tells him to accept if shehad prepared a state with sa 6= sb, in which case Bobaccepts the bit corresponding to the basis he has notused. The reason is clear in the example above: in theabsence of errors, sb = − singles out the wrong basis 15.

SARG04 was invented for implementations with at-tenuated laser sources, because it is more robust thanBB84 against the PNS attacks. Unconditional securityhas been proved, we shall review the main results in IV.D.

14 In the original version of BB84, both bases are used with thesame probability, so that the sifting factor is psift =

12, i.e. only

half of the detected bits will be kept in the raw key. But theprotocol can be made asymmetric without changing the security(Lo, Chau and Ardehali, 1998-2005): Alice and Bob can agreeon using one basis with probability 1 − ǫ where ǫ can be takenas small as one wants, so as to have psift ≈ 1 (recall that weare considering only asymptotic bounds; in the finite key regime,the optimal value of ǫ can be computed (Scarani and Renner,2007)).

15 In an alternative version of the sifting, Alice reveals that thestate she sent belongs to one of the two sets {|sax〉, |say〉}, andBob accepts if he has detected a state sb 6= sa. This is a sim-plified version with respect to the original proposal, where Alicecould declare any of the four sets of two non-orthogonal states.The fact, that the two versions are equivalent in terms of secu-rity, was not clear when the first rigorous bounds were derived(Branciard et al., 2005), but was verified later.

c. Other discrete-variable protocols. A large number ofother discrete-variable protocols have been proposed; allof them have features that makes them less interestingfor practical QKD than BB84 or SARG04.

The six-state protocol(Bechmann-Pasquinucci and Gisin, 1999; Bruß, 1998)follows the same structure as BB84, to which it adds thethird mutually unbiased basis Z defined by the Paulimatrix σz . Its unconditional security has been provedquite early (Lo, 2001). The interest of this protocollies in the fact that the channel estimation becomes“tomographically complete”, that is, the measuredparameters completely characterize the channel. As aconsequence, more noise can be tolerated with respectto BB84 or SARG04. However, noise is quite low inoptical setups, while losses are a greater concern (seeII.F). Under this respect, six-state perform worse,because it requires additional lossy optical components.Similar considerations apply to the six-state version ofthe SARG04 coding (Tamaki and Lo, 2006) and to theSingapore protocol (Englert et al., 2004).

The coding of BB84 and six-state has beengeneralized to larger dimensional quantum sys-tems (Bechmann-Pasquinucci and Peres, 2000;Bechmann-Pasquinucci and Tittel, 2000). For anyd, protocols that use either two or d + 1 mutuallyunbiased bases have been defined (Cerf et al., 2002).Unconditional security was not studied; for restricted at-tacks, the robustness to noise increases with d. Time-bincoding allows producing d-dimensional quantum statesof light in a rather natural way (De Riedmatten et al.,2004; Thew at al., 2004). However, the production anddetection of these states requires d-arm interferometerswith couplers or switches, that must moreover be keptstable. Thus again, the possible advantages are overcomeby the practical issues of losses and stability.

Finally, we have to mention the B92 protocol (Bennett,1992), which uses only two non-orthogonal states, eachone coding for one bit-value. In terms of encoding,this is obviously the most economic possibility. Un-fortunately, B92 is a rather sensitive protocol: as no-ticed already in the original paper, this protocol is se-cure only if some other signal (e.g. a strong referencepulse) is present along with the two states that code thebit. Unconditional security has been proved for single-photon implementations (Tamaki, Koashi and Imoto,2003; Tamaki and Lutkenhaus, 2004) and for some im-plementations with a strong reference pulse (Koashi,2004; Tamaki et al., 2006). Incidentally, SARG04 maybe seen as a modified B92, in which a second set ofnon-orthogonal states is added — actually, an almostforgotten protocol served as a link between the two(Huttner et al., 1995).

9

3. Continuous-variable Protocols

Discrete-variable coding can be implemented with sev-eral sources, but requires photon-counting techniques.An alternative approach to QKD has been suggested, inwhich the photon counters are replaced by standard tele-com PIN photodiodes, which are faster (GHz instead ofMHz) and more efficient (typically 80% instead of 10%).The corresponding schemes are then based on homodynedetection (II.G.2) and involve measuring data that arereal amplitudes instead of discrete events ; hence theseschemes are named continuous-variable (CV) QKD.The first proposals suggesting the use of homodyne de-

tection in QKD are due to (Hillery, 2000; Ralph, 1999;Reid, 2000). In particular, a squeezed-state version ofBB84 was proposed in (Hillery, 2000), where Alice’s basischoice consists of selecting whether the state of light sentto Bob is squeezed in either quadrature q = x or q = p.Next, this q-squeezed state is displaced in q either by +cor −c depending on a random bit chosen by Alice, wherec is an appropriately chosen constant. Bob’s random ba-sis choice defines whether it is the x or p quadrature thatis measured. The sifting simply consists in keeping onlythe instances where Alice and Bob’s chosen quadraturescoincide. In this case, the value measured by Bob is dis-tributed according to a Gaussian distribution centeredon the value (+c or −c) sent by Alice. In some sense,this protocol can be viewed as “hybrid” because Alice’sdata are binary while Bob’s data are real (Gaussian dis-tributed).These early proposals and their direct generalization

are called CV protocols with discrete modulation; at thesame time, another class of CV protocols was proposedthat rather use a continuous modulation, in particular aGaussian modulation. Although CV protocols are muchmore recent than discrete-variable protocols, their secu-rity proofs have been progressing steadily over the lastyears, and are now close to reach a comparable status. Inparticular, the security of Gaussian modulation schemesis now established against arbitrary collective attacks (seea more thorough discussion in V.A).

a. Gaussian protocols. The first proposed Gaussian QKDprotocol was based on squeezed states of light, which aremodulated with a Gaussian distribution in the x or pquadrature by Alice, and are measured via homodyne de-tection by Bob (Cerf, Levy and Van Assche, 2001). Thisprotocol can be viewed as the proper continuous-variablecounterpart of BB84 in the sense that the average statesent by Alice is the same regardless of the chosen basis (itis a thermal state, replacing the maximally-mixed qubitstate in BB84). The security of this protocol can beanalyzed using the connection with continuous-variablecloning (Cerf, Ipe and Rottenberg, 2000); using a con-nection with quantum error-correcting codes, uncondi-tional security was proved when the squeezing exceeds2.51 dB (Gottesman and Preskill, 2001). The main draw-

back of this protocol is the need for a source of squeezedlight.

A second Gaussian QKD protocol was therefore de-vised, in which Alice generates coherent states oflight, which are then Gaussian modulated both inx and p, while Bob still performs homodyne detec-tion (Grosshans and Grangier, 2002a). A first proof-of-principle experiment, supplemented with the techniqueof reverse reconciliation16, was run with bulk optical ele-ments on an optics table (Grosshans, Van Assche et al.,2003). Subsequent experiments have used optical fibersand telecom wavelengths. The scheme was thus imple-mented over distances up to 14 km using a Plug&Playconfiguration (Legre, Zbinden and Gisin, 2006), then upto 25 km by time-multiplexing the local oscillator pulseswith the signal pulses in the same optical fiber and usingan improved classical post-processing (Lodewyck et al.,2005; Lodewyck, Bloch et al., 2007).

Note that, in these two first protocols, Bob randomlychooses to homodyning one quadrature, either x or p. Inthe squeezed-state protocol, this implies the need for sift-ing. Bob indeed needs to reject the instances where hemeasured the other quadrature than the one modulatedby Alice, which results in a decrease of the key rate by afactor of 2 (this factor may actually be reduced arbitrar-ily close to 1 by making an asymmetric choice between xand p, provided that the key length is sufficiently large)(Lo, Chau and Ardehali, 1998-2005). In the coherent-state protocol, Alice simply forgets the quadrature thatis not measured by Bob, so that all pulses do carry usefulinformation that is exploited to establish the final secretkey.

The fact that Alice, in this second protocol, dis-cards half of her data may look like a loss of efficiencysince some information is transmitted and then lost. Athird Gaussian QKD protocol was therefore proposed(Weedbrook et al., 2004), in which Alice still transmitsdoubly-modulated coherent states drawn from a bivari-ate Gaussian distribution, but Bob performs heterodyneinstead of homodyne measurements17, that is, he mea-sures both x and p quadratures simultaneously. At firstsight, this seems to imply that the rate is doubled sinceBob then acquires a pair of quadratures (x, p). Actually,since heterodyne measurement effects one additional unitof vacuum noise on the measured quadratures, the twoquadratures received by Bob are noisier than the singlequadrature in the homodyne-based protocol. The net ef-fect, however, is often an increase of the key rate when

16 In all Gaussian QKD protocols, reversing the one-way reconcil-iation procedure (i.e., using Bob’s measured data instead of Al-ice’s sent data as the raw key) is beneficial in terms of attainablerange, provided that the noise is not too large. We will comeback to this point in Section V.

17 This possibility was also suggested for postselection-based pro-tocols in (Lorenz, Korolkova and Leuchs, 2004), and the experi-ment has been performed (Lorenz et al., 2006).

10

the two quadratures are measured simultaneously. Inaddition, a technological advantage of this heterodyne-based coherent-state protocol is that there is no need tochoose a random quadrature at Bob’s side (that is, noactive basis choice is needed).Finally, a fourth Gaussian QKD protocol was in-

troduced recently (Garcıa-Patron, 2007), which com-pletes this family of Gaussian QKD protocols. Here,Alice sends again squeezed states, as in the proto-col of (Cerf, Levy and Van Assche, 2001), but Bob per-forms heterodyne measurements, as in the protocol of(Weedbrook et al., 2004). This may seem useless at firstsight, since one of the two quadratures measured by Bobis not even modulated by Alice. However, the heterodynemeasurement is actually a noisy version of a homodynemeasurement, and it can be shown that noise may bebeneficial to overcome the noise of the transmission line,similarly to what was found for qubits. Although thisprotocol is associated with the highest rate and rangeamong all Gaussian QKD protocols, it is not very prac-tical as it again requires a source of squeezed light.As seen in the discussion about BB84 and SARG04

above, it turns out also for the CV QKD protocols thatthe classical processing is an essential element of theprotocol. As will be discussed later (V.A), the per-formance of CV-QKD protocols depends crucially onthe exact protocol that extracts the secret key fromthe experimental data. Two important tools here arereverse reconciliation (Grosshans and Grangier, 2002a)and post-selection (Silberhorn et al., 2002). As shown in(Heid and Lutkenhaus, 2007), the combination of bothwill lead to the optimal key rate.

b. Discrete-modulation protocols. On the side of practicalimplementation, it is desirable to keep the number of sig-nals as low as possible, and also to minimize the numberof parameters in the detection process that needs to bemonitored. The deep reason behind this is that in prac-tical implementation at some stage one has to considerfinite size effects in the statistics and also in the securityproof stage. For a continuous family of signals, it will beintuitively harder to get hold of these finite size effectsand to include statistical fluctuations of observations intoa full security proof.For this reason, it becomes interesting to have a look

at QKD systems that combine a finite number of sig-nals with the continuous variable detection schemes:discrete-modulation protocols have been devised follow-ing this proposal, some based on coherent states insteadof squeezed states (Silberhorn et al., 2002). The signalsconsist here of a weak coherent state together with astrong phase reference. The signal is imprinted onto theweak coherent state by setting the relative optical phasebetween weak coherent state and reference pulse eitherto 0 or π. Schematically, the strong phase reference couldbe represented by two local oscillators, e.g. phase-lockedlasers at the sending and receiving station. These type

of signals have been used already in the original B92 pro-tocol (Bennett, 1992). The receiver then uses the localoscillator in the homodyne or heterodyne measurement.The security of this protocol is still based on the factthat the weak signal pulses represent non-orthogonal sig-nal states.On the receiver side, homodyne detection is performed

by choosing at random one of the two relevant quadra-ture measurement (one quadrature serves the purposeof being able to measure the bit values, the other oneserves the purpose to monitor the channel to limit possi-ble eavesdropping attacks). Alternatively, a heterodynemeasurement can, in a way, monitor both quadratures.Consider for definiteness a simple detection scheme, inwhich bit-values are assigned by the sign of the detec-tion signal, + or −, with respect to the half-planes inthe quantum optical phase space in which the two sig-nals reside. As a result, both sender and receiver havebinary data at hand. As in the case of Gaussian modu-lation, they can now perform post-selection of data, anduse error-correction and privacy amplification to extractsecret keys from these data.

4. Distributed-phase-reference Protocols

Both discrete- and continuous-variable protocols havebeen invented by theorists. Some experimental groups,in their developments towards practical QKD systems,have conceived new protocols, which do not fit in thecategories above. In these, like in discrete-variable pro-tocols, the raw keys are made of realizations of a discretevariable (a bit) and are already perfectly correlated inthe absence of errors. However, the quantum channelis monitored using the properties of coherent states —more specifically, by observing the phase coherence ofsubsequent pulses; whence the name distributed-phase-reference protocols.The first such protocol has been called Differential-

Phase-Shift (DPS) (Inoue, Waks and Yamamoto, 2002,2003). Alice produces a sequence of coherent states ofsame intensity

|Ψ(Sn)〉 = ...|eiϕk−1√µ〉|eiϕk

√µ〉|eiϕk+1

√µ〉... (5)

where each phase can be set at ϕ = 0 or ϕ = π. The bitsare coded in the difference between two successive phases:bk = 0 if eiϕk = eiϕk+1 and bk = 1 otherwise. This can beunambiguously discriminated using an unbalanced inter-ferometer. The complexity in the analysis of this protocollies in the fact that |Ψ(Sn)〉 6= |ψ(b1)〉 ⊗ ...⊗ |ψ(bn)〉: thek-th pulse contributes to both the k-th and the (k + 1)-st bit. The DPS protocol has been already the objectof several experimental demonstrations (Diamanti et al.,2006; Takesue et al., 2005, 2007).In the protocol called Coherent-One-Way (COW)

(Gisin et al., 2004; Stucki et al., 2005), each bit is codedin a sequence of one non-empty and one empty pulse:

|0〉k = |√µ〉2k−1

|0〉2k , |1〉k = |0〉2k−1|√µ〉

2k. (6)

11

These two states can be unambiguously discriminated inan optimal way by just measuring the time of arrival. Forthe channel estimation, one checks the coherence betweentwo successive non-empty pulses; these can be producedon purpose as a “decoy sequence” |√µ〉

2k−1|√µ〉

2k, or

can happen as |√µ〉2k|√µ〉

2k+1across a bit separation,

when a sequence |1〉k|0〉k+1 is coded. This last check,important to detect PNS attacks, implies that the phasebetween any two successive pulses must be controlled;therefore, as it happened for DPS, the whole sequencemust be considered as a single signal.Both DPS and COW are P&M schemes, tailored for

laser sources. It has not yet been possible to derive abound for unconditional security, because the existingtechniques apply only when |Ψ(Sn)〉 can be decomposedin independent signals.

E. Sources

1. Lasers

Lasers are the most practical and versatile light sourcesavailable today. For this reason, they are chosen by thevast majority of groups working in the field. Of course,all implementations in which the source is a laser areP&M schemes. For the purposes of this review, we don’thave to delve deep into laser physics. The output of alaser in a given mode is described by a coherent state ofthe field

|√µeiθ〉 ≡ |α〉 = e−µ/2∞∑

n=0

αn√n!|n〉 (7)

where µ = |α2| is the average photon number (also calledintensity). The phase factor eiθ is well-defined only if aphase-reference is available, as in continuous-variable andin distributed-phase-reference protocols. When lasers areused in discrete protocols, the phase is not accessible andhas to be randomized18. In this case, instead of the coher-ent state |α〉, Alice is actually sending Bob the mixture

ρ =

∫ 2π

0

dθ

2π|α〉〈α| =

∑

n

P (n|µ)|n〉〈n| (8)

with

P (n|µ) = e−µµn

n!. (9)

18 A phase reference is available for some source, e.g. when a mode-locked laser is used to produce pulses. In such cases, even thoughAlice and Bob don’t use the phase coherence, the signal is nolonger correctly described by (8), and Eve can in principle takeadvantage of the existing coherence to obtain more information(Lo and Preskill, 2006). Therefore it is necessary to implementactive randomization (Gisin et al., 2006; Zhao, Qi and Lo, 2007).

Since two equivalent decomposition of the same densitymatrix cannot be distinguished, one may say as wellthat, in the absence of a phase reference, the laser pro-duces a Poissonian mixture of number states. In partic-ular, ρ commutes with the measurement of the numberof photons: this opens the possibility of the so-calledphoton-number-splitting (PNS) attacks (Bennett, 1992;Brassard et al., 2000; Lutkenhaus, 2000), see III.B.3.The randomization of θ generalizes to multimode co-

herent states (Mølmer, 1997; van Enk and Fuchs, 2002).Consider for instance the two-mode coherent state|√µ ei(θ+ϕ)〉|√µ′ eiθ〉 that may describe for instance aweak pulse and a reference beam. The phase ϕ is the rel-ative phase between the two modes and is well-defined,but the common phase θ is random. One can thencarry out the same integral as before; the resulting ρis the Poissonian mixture with average photon numberµ + µ′ and the number states generated in the mode

A† =(

eiϕ√µa†1 +

√µ′a†2

)

/√µ+ µ′.

2. Sub-Poissonian Sources

Sub-Poissonian sources (sometimes called “single-photon sources”) come closer to a single-photon sourcethan an attenuated laser, in the sense that the proba-bility of emitting two photons is smaller. The quantumsignal in each mode is taken to be a photon-number diag-onal mixture with a very small contribution of the multi-photon terms. The quality of a sub-Poissonian source isusually measured through the second order correlationfunction

g2(τ) =〈: I(t)I(t + τ) :〉

〈I(t)〉2 (10)

where I(t) is the signal intensity emitted by the sourceand : − : denotes normal ordering of the creation and an-nihilation operators. In particular, g2(0) ≈ 2p(2)/p(1)2,while p(n) is the probability that the source emits n pho-tons. For Poissonian sources, g2(0) = 1; the smallerg2(0), the closer the source is to an ideal single-photonsource. It has been noticed that the knowledge of theefficiency and of g2 is enough to characterize the perfor-mance of such a source in an implementation of BB84(Waks, Santori and Yamamoto, 2002).Sub-Poissonian sources have been, and still are, the

object of intensive research; recent reviews cover themost meaningful developments (Lounis and Orrit, 2005;Shields, 2007). In the context of QKD, the discovery ofPNS attacks triggered a lot of interest in sub-Poissoniansources, because they would reach much higher secretfractions. QKD experiments have been performed withsuch sources (Alleaume et al., 2004; Beveratos et al.,2002; Waks et al., 2002), also in fibers (Intallura et al.,2007) thanks to the development of sources at tele-com wavelengths (Saint-Girons et al., 2006; Ward et al.,2005; Zinoni et al., 2006). At the moment of writing, thisinterest has significantly dropped, as it was shown that

12

the same rate can be achieved with lasers by using decoystates, see IV.B.3 and IV.B.4. But the tide may turnagain in the near future, for applications in QKD withquantum repeaters (Sangouard et al., 2007).

3. Sources of Entangled Photons

Entangled photon pairs suitable for entanglement-based protocols or for heralded sub-Poissonian sourcesare mostly generated by spontaneous parametric downconversion (SPDC) (Mandel and Wolf, 1995). In thisprocess some photons from a pump laser beam are con-verted due to the non-linear interaction in an optical crys-tal19 into pairs of photons with lower energies. The totalenergy and momentum are conserved. In QKD devices,cw-pumped sources are predominantly used.

In the approximation of two output modes, the statebehind the crystal can be described as follows

|ψ〉PDC =√

1− λ2∞∑

n=0

λn|nA, nB〉, (11)

where λ = tanh ξ with ξ proportional to the pump ampli-tude, and where |nA, nB〉 denotes the state with n pho-tons in the mode destined to Alice and n photons in theother mode aiming to Bob. This is the so called two-mode squeezed vacuum.

The photons are entangled in time and in frequen-cies (energies); one can also prepare pairs of pho-tons correlated in other degrees of freedom: polariza-tion (Kwiat et al., 1995, 1999), time bins (Brendel et al.,1999; Tittel et al., 2000), momenta (directions), or or-bital angular momenta (Mair et al., 2001).

The state (11) can be directly utilized in continuous-variable protocols. In the case of discrete-variableprotocols, one would prefer only single pair of pho-tons per signal; however, SPDC always produces multi-pair components, whose presence must be taken intoaccount. Let us describe this in the four-mode ap-proximation, which is sufficient for the description offs-pulse pumped SPDC (Li et al., 2005). An idealtwo-photon maximally entangled state reads |Ψ2〉 =1√2(|1, 0〉A|1, 0〉B + |0, 1〉A|0, 1〉B) where each photon can

be in two different modes (orthogonal polarizations, dif-ferent time-bins...). This state can be approximatelyachieved if λ≪ 1, i.e. if the mean pair number per pulseµ = 2λ2/(1 − λ2) ≪ 1. But there are multi-pair compo-

19 Crystals like KNbO3, LiIO3, LiNbO3, β-BaB2O4, etc.Very promising are periodically-poled nonlinear materials(Tanzilli at al., 2001). Besides the spontaneous parametric downconversion, new sources of entangled photons based on quantumdots are tested in laboratories (Young at al., 2006). But thesesources are still at an early stage of development. Their maindrawback is the need of cryogenic environment.

nents : in fact, again in the case of a four-mode approxi-mation, the generated state reads

|Ψ〉 ≈√

p(0) |0〉+√

p(1) |Ψ2〉+√

p(2) |Ψ4〉 (12)

where p(1) ≈ µ and p(2) ≈ 34µ

2, |0〉 is the vacuum state,

and the four-photon state is |Ψ4〉 = 1√3

(

|0, 2〉|0, 2〉 +|2, 0〉|2, 0〉+ |1, 1〉|1, 1〉

)

. We recall that this description isgood for short pump pulses; when a cw-pumped sourceis used (or the pulse-pumped source with the pulse du-ration much larger than the coherence time τ of thedown-converted photons) the four-mode approximationis not applicable and a continuum of frequency modesmust be taken into account. The multiple excitationscreated during the coherence time τ are coherent andpartially correlated: in this case, the four-photon stateis a fully entangled state that cannot be written as “twopairs” — see |Ψ4〉 above. However, τ is usually muchshorter than the typical time ∆t that one can discrimi-nate, this time being defined as the time resolution of thedetectors for cw-pumped sources20 or as the duration ofa pulse for pulsed sources. This implies that, when twophotons arrive “at the same time”, they may actuallyarise from two incoherent processes, and in this case theobserved statistics corresponds to that of two indepen-dent pairs. This physics has been the object of severalstudies (De Riedmatten et al., 2004b; Eisenberg et al.,2004; Ou, Rhee and Wang, 1999; Scarani et al., 2005;Tapster and Rarity, 1998; Tsujino et al., 2004).What concerns us here is the advantage that Eve may

obtain, and in particular the efficiency of PNS attacks. Ifthe source is used in a P&M scheme as heralded single-photon source, then the PNS attack is effective as usual,because all the photons that travel to Bob have beenactively prepared in the same state (Lutkenhaus, 2000);ideas inspired from decoy states can be used to detect it(Adachi et al., 2007; Mauerer and Silberhorn, 2007). Inan EB scheme, the PNS attack is effective on the fractionζ ≈ τ/∆t of coherent four-photon states; this will be usedin IV.B.5.

F. Physical Channels

As far as the security is concerned, the quantum chan-nel must be characterized only a posteriori, because Evehas full freedom of acting on it. However, the knowledgeof the a priori expected behavior is obviously importantat the moment of designing a setup. We review here thephysics of the two main quantum channels used for light,namely optical fibers and free space beams.An important parameter of the quantum channel is the

amount of losses. Surely enough, a key can be built by

20 However, a recent entanglement-swapping experiment combinedfast detectors and narrow filters to achieve ∆t < τ in cw-pumpedSPDC (Halder et al., 2007).

13

post-selecting only those photons that have actually beendetected21. But, since quantum signals cannot be ampli-fied, the raw key rate decreases with the distance as thetransmission t of the channel; in addition, at some pointthe detection rate reaches the level of the dark countsof the detectors, and this effectively limits the maximalachievable distance. Finally, in general the lost photonsare correlated to the signal and thus must be counted asinformation that leaked to Eve.Concerning the interaction of photons with the envi-

ronment in the channel, the effect of decoherence dependsstrongly on the quantum degree of freedom that is used;therefore, although weak in principle, it cannot be fullyneglected and may become critical in some implementa-tions.

1. Fiber Links

The physics of optical fibers has been explored in depthbecause of its importance for communication (Agrawal,1997). When we quote a value, we refer to the specifi-cations of the standard fiber Corning SMF-28 (see e.g.www.ee.byu.edu/photonics/connectors.parts/smf28.pdf);obviously, the actual values must be measured in anyexperiment.The losses are due to random scattering processes and

depend therefore exponentially on the length ℓ:

t = 10−αℓ/10 . (13)

The value of α is strongly dependent on the wavelengthand is minimal in the two “telecom windows” around1330nm (α ≃ 0.34dB/km) and 1550nm (α ≃ 0.2dB/km).The decoherence channels and their importance vary

with the coding of the information. Two main effectsmodify the state of light in optical fibers. The firsteffect is chromatic dispersion: different wavelengthstravel at slightly different velocities, thus leading toan incoherent temporal spread of a light pulse. Thismay become problematic as soon as subsequent pulsesstart to overlap. However, chromatic dispersion is afixed quantity for a given fiber, and can be compen-sated (Fasel, Gisin, Ribordy and Zbinden, 2004). Thesecond effect is polarization mode dispersion (PMD)(Galtarossa and Menyuk, 2005; Gisin and Pellaux,1992). This is a birefringent effect, which defines a fastand a slow polarization mode orthogonal to one another,so that any pulse tends to split into two components.This induces a depolarization of the pulse. Moreover,the direction of the birefringence may vary in time dueto environmental factors: as such, it cannot be compen-sated statically. Birefringence effects induce decoherence

21 On the contrary, “Quantum Secure Direct Communication” pro-tocols, which use the quantum channel to send directly the mes-sage, are obviously not robust against losses.

in polarization coding, and may be problematic for allimplementations that require a control on polarization.The importance of such effects depend on the fibers andon the sources; recent implementations can be madestable, even though they use a rather broadband source(Hubel et al., 2007).

2. Free Space Links

A free space QKD link can be used in severalvery different scenarios, from short distance line-of-sight links with small telescopes mounted onrooftops in urban areas, to ground-space or evenspace-space links, involving the use of astronomi-cal telescopes (see also VIII.A.4). Free-space QKDhas been demonstrated in both the prepare-and-measure (Buttler et al., 1998; Hughes et al., 2002;Kurtsiefer et al., 2002; Rarity, Gorman and Tapster,2001) and the entanglement-based configurations(Marcikic, Lamas-Linares and Kurtsiefer, 2006;Ursin et al., 2007).The decoherence of polarization or of any other de-

gree of freedom is practically negligible. The losses canroughly be divided into geometric and atmospheric. Thefirst are related with the apertures of receiving telescopesand with the effective aperture of the sending telescope(the one perceived by the receiving telescope, which isinfluenced by alignment, moving buildings, atmosphericturbulence etc.). The atmospheric losses are due to theinteraction with water and gas molecules in the Earth’satmosphere. Within the 700-10.000nm wavelength rangethere are several ’atmospheric transmission windows’,e.g. 780-850nm and 1520-1600nm, which have an at-tenuation α < 0.1dB/km in clear weather. Obviously,the weather conditions influence heavily the losses; nu-merical values are available, see e.g. (Bloom et al., 2003;Kim and Korevaar, 2001). A simple model of the losses(suitable for line-of-sight implementations) is thereforegiven by

t = tg × ta =

(

drds +Dℓ

)2

10−αℓ/10 (14)

where ds and dr are the apertures of the sending andreceiving telescopes, D is the divergence, α is the atmo-spheric attenuation, and ℓ is the link distance.

G. Detectors

1. Photon Counters

Discrete-variable protocols use photon-counters as de-tectors. The main quantities characterizing photon-counters are the quantum efficiency η that represents theprobability of detector click when the detector is hit bya photon, and the dark-count rate pd characterizing the

14

noise of the detector – dark counts are events when de-tector sends an impulse even if no photon has enteredit. An important parameter is also the dead time of thedetector, i.e. the time it takes to reset the detector af-ter a click. These three quantities are not independent.Most often, the overall repetition rate at which the de-tector can be operated is determined by the dead time.For each of the detectors discussed below, the meaningfulparameters are listed in Table I.The most commonly used photon counters in discrete-

variable systems are avalanche photodiodes (APD).Specifically, for wavelengths from the interval approx-imately 400–1000nm Si APD can be used, for wave-lengths from about 950nm to 1650nm, including tele-com wavelengths, InGaAs/InP diodes are most oftenapplied. A whole savoir-faire on the use of APDshas originated in the field of QKD (Cova et al., 2004;Gisin, Ribordy, Tittel and Zbinden, 2002). Because theycan be operated at room temperature (or close to it foroptimized performances), these detectors are an obviouschoice for practical QKD, and in particular for commer-cial devices (Ribordy et al., 2004; Trifonov et al., 2004).Two recent developments are worth mentioning. First:instead of direct use of InGaAs APDs, one can detectsignals at telecom wavelengths (1310nm and 1550nm)by applying parametric frequency up-conversion andthen using efficient silicon APDs (Diamanti et al., 2005;Thew at al., 2006). Compared with InGaAs APDs, theseup-conversion detectors have better quantum efficiencyand can be operated in continuous mode thus leadingto higher repetition rates (GHz); however, as of today’sknowledge, they suffer from an intrinsic noise source thatleads to high dark count rates. Second: more recently,an improvement of the performances by several ordersof magnitude has been obtained recently, by using a cir-cuit that compares the output of the APD with that inthe preceding clock cycle; such devices have been namedself-differencing APDs (Yuan et al., 2007).

Single-photon detectors other than APDs have beenand are being developed. For instance, Visi-ble Light Photon Counters are semiconductor detec-tors that can also distinguish the number of im-pinging photons (Kim et al., 1999; Waks et al., 2003;Waks, Diamanti and Yamamoto, 2006). Other photon-counters are based on superconductors, for instance Su-perconducting Single Photon Detectors (Verevkin et al.,2002, 2004), which have already been used in aQKD experiment (Hadfield et al., 2006), and TransitionEdge Sensors (Hiskett et al., 2006; Miller et al., 2003;Rosenberg et al., 2005). Each type has its own strongand weak features; in particular, all of them must beoperated at cryogenic temperatures.

2. Homodyne Detection

Continuous-variable QKD is based on the measure-ment of quadrature components of light. This can con-

Name λ η pd Rep. Count Jitter T n

[nm] [MHz] [MHz] [ps] [K]

APDs:

Si 600 50% 100Hz cw 15 50-200 250 N

InGaAs 1550 10% 10−5/g 10 0.1 500 250 N

Self-Diff. 1250 100 60

Others:

VLPC 650 58-85% 20kHz cw 0.015 N.A. 6 Y

SSPD 1550 0.9% 100Hz cw N.A. 68 2.9 N

TES 1550 65% 10Hz cw 0.001 9×104 0.1 Y

TABLE I Overview of typical parameters of single-photon de-tectors: detected wavelength λ, quantum efficiency η, fractionof dark counts pd (g: gate), repetition rate (cw: continuouswave), maximum count rate, jitter, temperature of operationT ; the last column refers to the possibility of distinguishingthe photon numbers. For acronyms and references, refer tothe main text.

veniently be done by means of optical homodyne detec-tion. This detection scheme uses two beams of the samefrequency: the signal and the so-called local oscillator(much stronger and therefore often treated as classical).The beams are superimposed at a balanced beam splitter.The intensity of light in each of the output modes is mea-sured with proportional detectors, and the difference be-tween the resulting photocurrents is recorded. If the am-plitude and the phase of the local oscillator are stable, thedifferential current carries information about a quadra-ture component of the input signal — what quadraturecomponent is actually measured depends on the phasedifference between the signal and local oscillator. To keepthis phase difference constant, the signal and local oscil-lator are usually derived from the same light source: thelocal oscillator beam needs to be transmitted along withthe signal from Alice to Bob; in practice, they are actu-ally sent through the same channel, so that they experi-ence the same phase noise and the relative phase remainsunaltered.The intensities are measured by PIN diodes, which pro-

vide high detection efficiency (typically 80%) and rela-tively low noise. Therefore homodyne detection can op-erate at high repetition rates (GHz) in contrast to photoncounters based on APDs, whose detection rate is limitedby the detector dead-time.The use of such a high-rate homodyne detection tech-

nique unfortunately comes with a price. The unavoid-able transmission losses in the optical line, which simplycause “missing clicks” in photon-counting based schemes,result in vacuum noise (or intrinsic noise) in homodyne-detection based schemes. The vacuum noise is respon-sible for a rather significant added noise in continuous-variable QKD, which needs to be corrected during theclassical post-processing stage: an additional computingeffort in continuous-variable QKD.In addition to the vacuum noise, an excess noise is gen-

erated mainly by detectors themselves and by the subse-

15

quent electronics. In real systems, it is possible to reducethe excess noise even 20 dB below the shot noise; but thisratio depends on the width of the spectral window, andnarrow spectral windows bound the modulation frequen-cies (i.e. the repetition rates).

H. A case study: the Plug&Play configuration

This paragraph is devoted to the so-called Plug&Playconfiguration (Muller et al., 1997; Ribordy et al., 1998).The first commercial QKD systems are based onthis configuration and on discrete-variable protocols;the configuration has been used also for continuous-variable coding (Legre, Zbinden and Gisin, 2006), for adistributed-phase-reference protocol (Zhou et al., 2003)and for non-cryptographic quantum information tasks(Brainis et al., 2003). In the few last years, stabilizedone-way configurations have been demonstrated, whichcan also reach optical visibilities larger than 99% andhave higher duty cycle than Plug&Play configurations(Gobby, Yuan and Shields, 2004). Whatever the futuremay be, the Plug&Play configuration will remain as amilestone of practical QKD. We discuss it as a case study.As the name suggests, the goal of the Plug&Play con-

figuration is to achieve self-calibration of the system.Consider a P&M scheme, in which Alice encodes activelythe values in quantum states. In the obvious configura-tion, called one-way, the source is on Alice’s side. On thecontrary, the Plug&Play configuration puts the source onBob’s side: a strong laser pulse travels on the quantumchannel from Bob to Alice. Alice attenuates this lightto the suitable weak intensity (surely less than one pho-ton per pulse in average, more precisions below and inIV.B.4), codes the information and sends the remaininglight back to Bob, who detects. The coded signal goesas usual from Alice to Bob; but the same photons havefirst traveled through the line going from Bob to Alice.This way, interferometers become self-stabilized becausethe light passes twice through them; if the reflection onAlice’s side is done with a Faraday mirror, polarizationeffects in the channel are compensated as well.It is useful to address also the problems of the

Plug&Play configuration, since they illustrate the sub-tleties of practical QKD. The system has an intrinsic dutycycle, which limits the rate at long distances: Bob mustwait a go-and-return cycle before sending another pulse,otherwise the weak signal coded by Alice will be over-whelmed by the backscattered photons of the new strongpulse22. Also, two specific security concerns arise. First

22 As a matter of fact, the back-scattering and the correspondingduty cycle could be avoided, but at the price of attenuating thepulse already at Bob’s side. In turn, this implies that (i) a dif-ferent channel should be used for synchronization, and (ii) themaximal operating distance is reduced in practice, especially ifone takes Trojan Horse attacks into account,see below. Such a

concern: in full generality, there is no reason to assumethat Eve interacts only with the signal going from Aliceto Bob: she might as well modify the signal going fromBob to Alice. A simple argument suggests that this isnot helpful for Eve: indeed, Alice attenuates the lightstrongly and should actively randomize the global phase;then, whatever the state of the incoming light, the out-going coded light consists of weak signals with almostexact Poissonian statistics (Gisin et al., 2006). Indeed,the rigorous analysis shows that unconditional securitycan be proved if the global phase is actively randomized(Zhao et al., 2008). Second concern: since Alice’s boxmust allow two-way transit of light, Trojan Horse at-tacks (see III.B.4) must be monitored actively, whereasin one-way setups they can be avoided by passive opti-cal isolators. In practice, this may decrease the limitingdistance23.

III. SECRET KEY RATE

We have seen in II.C.2 that the secret key rate K isthe product of two terms (3), the raw key rate R andthe secret fraction r. This section is devoted to a de-tailed study of these two factors. Clearly, the latter isby far the more complex one, and most security studiesare devoted only to it; however the raw key rate is cru-cial as well in practice and its proper description involvessome subtleties as well. We will therefore start from thisdescription.

A. Raw key rate

The raw key rate reads

R = νS Prob(Bob accepts) (15)

The second factor depends both on the protocol and onthe hardware (losses, detectors) and will be studied foreach specific case. The factor νS is the repetition rate.In the case of pulsed sources νS is the repetition rate of

the source of pulses. Of course, νS ≤ νmaxS , the maximalrepetition rate allowed by the source itself; but two otherlimitations may become important in limiting cases, sothat the correct expression reads

νpulseS = min

(

νmaxS ,1

τd µt tBη,

1

Tdc

)

. (16)

setup has been demonstrated (Bethune and Risk, 2000).23 The argument goes as follows: upon receiving Bob’s pulse, Alice

attenuates it down to the desired intensity µ. Now, it turns outthat a simple error by a factor of 2, i.e. sending out 2µ insteadof µ, would spoil all security (see IV.B.4). This implies that theintensity of the input pulse must be monitored to a precision farbetter than this factor 2. This precision may be hard to achieveat long distances, when Bob’s pulse has already been significantlyattenuated by transmission.

16

We explain now what the two last terms mean.

The first limitation is due to the dead-time of the de-tectors τd. In fact, it is useless to send more light thancan actually be detected (worse, an excess of light mayeven give an advantage to Eve). One can require that atmost one photon is detected in an interval of time τd; thedetection probability is Prob(Bob detects) ≈ µttBη withµ = 〈n〉 <∼ 1 the average number of photons producedby the source and tB the losses in Bob’s device. There-fore, νS <∼ (τd µttBη)

−1. It is clear that this limitation ismeaningful only at short distances: as soon as there areenough losses in the channel, fewer photon will arrive toBob than can actually be detected.

The second limitation is associated to the existence ofa duty cycle: two pulses cannot be sent at a time intervalsmaller than a time Tdc determined by the setup. Theexpression for Tdc depends on the details of the setup. InPlug&Play configurations for instance, one cannot sendthe next bright pulse before the weak signal has comeback (II.H): this fixes Tdc = 2nrℓ/c where c/nr is thespeed of light in the medium, so that the effect becomesimportant at long distance. Another example of a dutycycle is the one introduced by a stabilization scheme forone-way configurations, in which each coded signal is pre-ceded by a strong reference signal (Yuan and Shields,2005). Note finally that in any implementation withtime-bin coding, the advanced component of the nextsignal must not overlap with the delayed component ofthe previous one.

In the case of heralded photon sources orentanglement-based schemes working in a continuous-wave (cw) regime it is reasonable to define νS as anaverage rate of Alice’s detections, thus24

νcwS = min

(

ηAtAµ′,

1

τAd,

1

τd t tBη,1

∆t

)

. (17)

Here ηAtAµ′ is the trigger rate, with which Alice an-

nounces the pair creations to Bob, with µ′ being thepair-generation rate of the source, tA is the overall trans-mittance of Alice’s part of the apparatus, and ηA is theefficiency of Alice’s detectors. Of course, in practice thisrate is limited by the dead time of Alice’s detectors τAd .The whole repetition rate is limited by Bob’s detectordead time τd and by the width of coincidence window ∆t(usually ∆t ≪ τd).

24 The source is assumed to be safe at Alice’s side. It is supposedthat Alice’s detectors are still “open” (not gated). Dark countsand multi-pair contributions were neglected in the estimation ofνcwS

.

B. Secret fraction

1. Classical information post-processing

To extract a short secret key from the raw key, clas-sical post-processing is required. This is the object ofthis paragraph, for more details see e.g. (Renner, 2005;Van Assche, 2006). The security bounds for the secretfraction crucially depend on how this step is performed.

a. One-way post-processing. These are the most studiedand best known procedures. One of the partners, the onewho is chosen to hold the reference raw key, sends classi-cal information through the public channel to the otherone, who acts according to the established procedure onhis data but never gives a feedback. If the sender in thisprocedure is the same as the sender of the quantum states(Alice with our convention), one speaks of direct recon-ciliation; in the other case, of reverse reconciliation. Theoptimal one-way post-processing has been characterizedand consists of two steps.

The first step is error correction (EC), also called in-formation reconciliation, at the end of which the lists ofsymbols of Alice and Bob have become shorter but per-fectly correlated. As proved by Shannon, the fraction ofperfectly correlated symbols that can be extracted froma list of partially correlated symbols is bounded by themutual information I(A : B) = H(A) +H(B) −H(AB)where H is the entropy of the probability distribution.In the context of one-way procedures with a sender Sand a receiver R, it is natural to write I(A : B) in theapparently asymmetric form H(S) −H(S|R). This for-mula has an intuitive interpretation, if one remembersthat the entropy is a measure of uncertainty: the sendermust reveal an amount of information at least as largeas the uncertainty the receiver has on the reference rawkey.

The second step is privacy amplification (PA). Thisprocedure is aimed at destroying Eve’s knowledge on thereference raw key. Of course, Alice and Bob will have cho-sen as a reference raw key the one on which Eve has thesmallest information: here is where the choice betweendirect and reverse reconciliation becomes meaningful25.The fraction to be further removed can therefore be writ-ten min (IEA, IEB), where IE· is Eve’s information on theraw key of Alice or Bob, that will be defined more pre-cisely in the next paragraph III.B.2. The only PA pro-cedure that works in a provable way is the one based ontwo-universal hash functions (Renner and Konig, 2005).Such functions, e.g. in the form of matrix multiplication,can be implemented efficiently. Finally, for universally

25 Note that, I(A : B) being symmetric, there is no difference be-tween direct and reverse reconciliation at the level of EC, asexpected from the nature of the task.

17

composable security, the protocol must be symmetric: inparticular, the pairs for the parameter estimation mustbe chosen at random, and the hash function has to besymmetric (as it is usually).In summary, the expression for the secret fraction ex-

tractable using one-way classical post-processing reads

r = I(A : B)−min (IEA, IEB) . (18)

In practice, the most efficient existing EC codes, e.g.Cascade (Brassard and Salvail, 1994), use two-way com-munication and do not reach up to the Shannon bound.For a priori theoretical estimates, it is fair to increasethe number of bits to be removed by 10-20%. In applica-tions, one runs the EC code and sees what is the result.All in all, EC does not require further attention in thisreview26; therefore, we shall concentrate below on Eve’sinformation, i.e. the fraction that must be removed inPA.

b. Other forms of post-processing. Bounds can be im-proved by two-way post-processing, one refers to any pos-sible procedure in which both partners are allowed tosend information. Since its first appearance in QKD(Chau, 2002; Gisin and Wolf, 1999; Gottesman and Lo,2003), this possibility has been the object of several stud-ies27. Contrary to the one-way case, the optimal proce-dure is still not known, basically because of the com-plexity of taking feedback into account; moreover, allthe procedures known to date (generically called “ad-vantage distillation”) are very inefficient in terms ofthe extractable secret fraction. More recently, a fur-ther trick to improve bounds was found, called pre-processing: before post-processing, the sender (for one-way) or both partners (for two-way) can add locallysome randomness to their data. Of course, this de-creases the correlations between them, but it decreasesEve’s information as well, and remarkably the overalleffect may be positive (Kraus, Gisin and Renner, 2005;Renner, Gisin and Kraus, 2005). Both pre-processingand two-way post-processing allow extracting a secretkey in a parameter region where one-way post-processingwould fail. These improvements are remarkable fromthe conceptual point of view, but from the standpoint ofpractical QKD their help is actually negligible28. There-

26 Of course, any improvement on EC codes will be very welcomein practical QKD.

27 These works have also had an intriguing offspring, theconjecture of the existence of “bound information”(Gisin and Wolf, 2000), later proved for three-partite dis-tributions (Acın, Cirac and Masanes, 2004).

28 The order of magnitude of the improvements is roughly the samefor all examples that have been studied. Consider e.g. BB84in a single-photon implementation, and security against themost general attacks: the critical QBER for one-way post-processing without pre-processing is 11% (Shor and Preskill,

fore, in what follows, we shall present only bounds forone-way classical post-processing without pre-processing.

2. Individual, Collective and Coherent Attacks

As stressed from the beginning (I.B.2), one aims ul-timately at proving unconditional security, i.e. securitybounds in the case where Eve’s attack on the quantumchannel is not restricted. Such a lower bound for securityhas been elusive for many years (II.A); it has nowadaysbeen proved for many protocols, but is still missing forothers. In order to provide an ordered view of the past,as well as to keep ideas that may also be useful in thefuture, we discuss now several levels of security.

a. Individual (or incoherent) attacks. This family de-scribes the most constrained attacks that have been stud-ied. They are characterized by the following properties:

(I1) Eve attacks each of the systems flying from Alice toBob independently from all the other, and using thesame strategy29. This property is easily formalizedin the EB scheme: the state of n symbols for Aliceand Bob has the form ρn

AB= (ρAB)

⊗n.

(I2) Eve must measure her ancillae before the classicalpost-processing. This means that, at the beginningof the classical post-processing, Alice, Bob and Eveshare a product probability distribution of classicalsymbols.

In this case, the security bound for one-way post-processing is the Csiszar-Korner bound, given by (18)with

IAE = maxEve

I(A : E) (individual attacks) (19)

and of course similarly for IBE (Csiszar and Korner,1978). Here, I(A : E) is the mutual infor-mation between the classical symbols; the notation

2000); bitwise pre-processing brings this value up to 12.4%(Kraus, Gisin and Renner, 2005), more complex pre-processingup to 12.9% (Smith, Renes and Smolin, 2006); two-way post-processing can increase it significantly further, at least up to20.0%, but at the expenses of drastically reduced key rate(Bae and Acın, 2007; Chau, 2002; Gottesman and Lo, 2003). Inweak coherent pulses implementations, pre-processing increasesthe critical distance of BB84 and of SARG04 by a few kilometers,both for security against individual (Branciard et al., 2005) andmost general attacks (Kraus, Branciard and Renner, 2007).

29 We note here that this “same strategy” may be probabilistic(with probability p1, Eve does something; with probability p2,something else; etc), provided the probabilities are fixed duringthe whole key exchange. Strange as it may seem from the stand-point of practical QKD, an attack, in which Eve would simplystop attacking for a while, belongs to the family of the mostgeneral attacks!

18

maxEve recalls that one must maximize this mutualinformation over Eve’s strategies. There is actu-ally an ambiguity in the literature, about the mo-ment where Eve is forced to perform her measure-ment: namely, whether she is forced to measure im-mediately after the interaction (Bechmann-Pasquinucci,2006; Curty and Lutkenhaus, 2005; Lutkenhaus, 1996)or whether she can keep the signals in a quantummemory until the end of the sifting and error cor-rection phase (Bechmann-Pasquinucci and Gisin, 1999;Brassard et al., 2000; Bruß, 1998; Cerf et al., 2002;Fuchs et al., 1997; Herbauts et al., 2008; Lutkenhaus,1999; Slutsky et al., 1998). The first case is associatedto a clear assumption: Eve is restricted not to have aquantum memory30. The second case can be useful asa step on the way to unconditional security proofs, butdoes not have a clear easy hardware assumption associ-ated with it. Moreover, the bound for collective attackscan nowadays be calculated more easily and gives morepowerful results31.

An important sub-family of individual attacks are theintercept-resend (IR) attacks. As the name indicates, Eveintercepts the quantum signal flying from Alice to Bob,performs a measurement on it, and conditioned on the re-sult she obtains she prepares a new quantum signal thatshe sends to Bob. If performed identically on all items,this is an individual attack. Moreover, it obviously re-alizes an entanglement-breaking channel32 between Aliceand Bob, thus providing an easily computed upper boundon the security of a protocol.

b. Collective attacks. This notion was first proposed byBiham, Mor and coworkers, who proved the security ofBB84 against them and conjectured that the same boundwould hold for the most general attacks (Biham and Mor,1997; Biham et al., 2002). Collective attacks are definedas follows:

30 Generalizing (Wang, 2001), it is conjectured that individual at-tacks should be optimal under the weaker assumption of a quan-tum memory that would be bounded, either in capacity or inlifetime; but only rougher bounds have been derived so far(Damgaard et al., 2007; Konig and Terhal, 2006).

31 At the moment of writing, there is still something that is knownonly for individual attacks, and this is Eve’s full strategy; the op-timal procedures been found both for the scenario without quan-tum memory (Lutkenhaus, 1996) and with it (Herbauts et al.,2008; Lutkenhaus, 1999). On the contrary, the bound for collec-tive and coherent attacks is computed by optimizing the Holevobound over all possible interactions between the signal and Eve’sancillae (see below): one implicitly assumes that suitable mea-surements and data processing exist, which will allow Eve to ex-tract that amount of information. It would be surely interestingto exhibit explicit procedures also for more general attacks.

32 As the name indicates, a channel ρ → ρ′ = C(ρ) is calledentanglement-breaking if (11⊗C)|Ψ〉AB is separable for any input|Ψ〉AB. A typical example of such a channel is the one obtainedby performing a measurement on half of the entangled pair.

(C1) The same as (I1).

(C2) Eve can keep her ancillae in a quantum memoryuntil the end of the classical post-processing. Shecan then perform the best measurement compatiblewith what she knows. In general, this will be acollective measurement.

Only (C1) is an assumption on Eve’s power. Thegeneric bound for the secret key fraction achievable us-ing one-way post-processing (Devetak-Winter bound) isgiven by (18) with

IAE = maxEve

χ(A : E) (collective attacks) (20)

and IBE defined in the analog way (Devetak and Winter,2005). Here, χ(A : E) is the so-called Holevo quantity(Holevo, 1973)

χ(A : E) = S(ρE)−∑

a

p(a)S(ρE|a) (21)

where S is von Neumann entropy, a is a symbol ofAlice’s classical alphabet distributed with probabilityp(a), ρE|a is the corresponding state of Eve’s ancilla andρE =

∑

a p(a)ρE|a is Eve’s partial state. The Holevoquantity bounds the capacity of a channel, in which aclassical value (here a) is encoded into a family of quan-tum states (here, the ρE|a): in this sense, it is the naturalgeneralization of the mutual information.As mentioned, it is actually easier to compute (20)

than (19). The reason lies in the optimization of Eve’sstrategy. In fact, the Holevo quantity depends only onEve’s states ρE|a, that is, on the unitary operation withwhich she couples her ancilla to the system flying to Bob.On the contrary, the mutual information depends bothon Eve’s states and on the best measurement that Evecan perform to discriminate them, which can be con-structed only for very specific examples of the set of states(Helstrom, 1976).

c. General (or coherent) attacks. Eve’s most general strat-egy includes so many possible variations (she may entan-gle several systems flying from Alice to Bob, she maymodify her attack according to the result of an inter-mediate measurement...) that it cannot be efficientlyparametrized. A brute force optimization is thereforeimpossible. Nevertheless, as mentioned several times al-ready, bounds for unconditional security have been foundin many cases. In all these cases, it turns out the bound isthe same as for collective attacks. This remarkable resultcalls for several comments.First remark: this result has an intuitive justification.

If the state |Ψ(Sn)〉 that codes the sequence Sn has thetensor product form |ψ(s1)〉⊗...⊗|ψ(sn)〉, then the statesflying from Alice to Bob are uncorrelated in the quantumchannel; therefore Eve does not seem to have any advan-

19

tage in introducing artificial correlations at this point33.However, correlations do appear later, during the clas-sical post-processing of the raw key; such that in fact,the final key is determined by the relations between thesymbols of the raw key, rather than by those symbolsthemselves. Thus, Eve must not try and guess the valueof each symbol of the raw key, but rather some relationbetween them — and this is typically a situation in whichentanglement is powerful. This vision also clarifies whyunconditional security is still elusive for those protocols,for which |Ψ(Sn)〉 is not of the tensor product form (seeVI.A).

Second remark: for BB84, six-state and otherprotocols, this result is a consequence of the in-ternal symmetries (Kraus, Gisin and Renner, 2005;Renner, Gisin and Kraus, 2005). The explicit calcu-lations are given in Appendix A. In a more generalframework, the same conclusion can be reached byinvoking the exponential De Finetti theorem (Renner,2005, 2007). This theorem says that, after some suitablesymmetrization, the statistics of the raw key are neversignificantly different from those that would be obtainedunder constraint (I1). This is a very powerful result, butagain does not solve all the issues: for instance, becausethe actual exponential bound depends on the dimensionof the Hilbert space of the quantum signals, it cannotbe applied to continuous-variable QKD (see V.A). Alsorecall that we consider only the asymptotic bound: thefinite-key bounds obtained by invoking the De Finettitheorem are over-pessimistic (Scarani and Renner,2007).

3. Quantum side channels and zero-error attacks

The possibility of zero-error attacks seems to be atodds with the fundamental tenet of QKD, namely thatEve must introduce modifications in the state as soon asshe obtains some information. This is indeed the case inprinciple; however, in real situations, some informationabout the value of the coded symbol may leak in a quan-tum side-channel, i.e. some degree of freedom other thanthe one which is monitored. The most universal sourceof leakage are losses. We stress that the existence of side-channels does not compromise the security, provided thecorresponding zero-error attacks are taken into accountin the privacy amplification.

The beam-splitting (BS) attack translates the fact thatall the light that is lost in the channel must be given toEve: specifically, Eve could be simulating the losses byputting a beam-splitter just outside Alice’s laboratory,and then forwarding the remaining photons to Bob on a

33 Of course, one is not saying that Eve does fulfill (I1): Eve cando whatever she wants; but there exist an attack that fulfills (I1)and that performs as well as the best possible attack.

lossless line. The BS attack does not modify the opticalmode that Bob receives: it is therefore always possiblefor lossy channels and does not introduce any error34.For an explicit computation of BS attacks, see VI.B.When the signal can consist of more than one pho-

ton, Eve can count the number of photons in each sig-nal and act differently according to the result n of thismeasurement. Such attacks are called photon-numbersplitting (PNS) attacks (Bennett, 1992; Brassard et al.,2000; Dusek, Haderka and Hendrych, 1999; Lutkenhaus,2000) and can be much more powerful than the BSattack. They were discovered as zero-error attacksagainst BB84 implemented with weak laser pulses; inthe typical parameter regime of QKD, even the Pois-sonian photon number distribution can be preserved(Lutkenhaus and Jahma, 2002), so that the PNS attackcannot be detected even in principle as long as oneknown signal intensity is used. To use different intensi-ties in order to detect PNS attacks is the idea behind thedecoy states method (Hwang, 2003; Lo, Ma and Chen,2005; Wang, 2005), which has already been im-plemented in several experiments (Peng et al., 2007;Rosenberg et al., 2007; Yuan, Sharpe and Shields, 2007;Zhao et al., 2006). Also the distributed-phase-referenceprotocols detect the PNS attacks (Inoue and Honjo,2005; Stucki et al., 2005).Finally, we mention the possibility of attacks based on

unambiguous state discrimination (USD) followed by re-send of a signal (Dusek, Jahma and Lutkenhaus, 2000;Raynal, Lutkenhaus and van Enk, 2003). These can bepart of a PNS attack (Scarani, Acın, Ribordy and Gisin,2004) or define an attack of its own (Branciard et al.,2007; Curty et al., 2007); they are clearly zero-error at-tacks and modify the photon-number statistics in general.Of course, a quantum side-channel may hide in any im-

perfect component of the device (e.g., a polarizer whichwould also distort the wave function according to thechosen polarization). The list of the possibilities is un-bounded, whence the need for careful testing35.

4. Hacking on Practical QKD

In practical QKD, the security concerns are not limitedto the computation of security bounds for Eve’s action onthe quantum channel. Any specific implementation mustbe checked against hacking attacks and classical leakageof information.Hacking attacks are related to the weaknesses of an

implementation. A first common feature of hacking at-

34 For some sources, this attack simply does not give Eve any in-formation: for a perfect single-photon source, if the photon goesto Eve, nothing goes to Bob, and viceversa.

35 Some very specific protocols and the corresponding secu-rity proofs can be made robust against such imperfections(Acın et al., 2007).

20

tacks is that they are feasible, or almost feasible, withpresent-day technology. The best-known example is thefamily of Trojan Horse Attacks, in which Eve probesthe settings of Alice’s and/or Bob’s devices by send-ing some light into them and collecting the reflectedsignal (Vakhitov, Makarov and Hjelme, 2001). Actually,the first kind of hacking attack that was considered isa form of Trojan Horse that would come for free: itwas in fact noticed that some photon counters (silicon-based avalanche photo-diodes) emit some light at variouswavelengths when they detect a photon (Kurtsiefer et al.,2001). If this light carries some information about whichdetector has fired, it must be prevented to propagate out,where Eve could detect it. On these two examples, onesees also the second common feature of all hacking at-tacks, namely, that once they have been noticed, theycan be countered by adding some component. In all se-tups where light goes only one way (out of Alice’s laband into Bob’s lab), the solution against Trojan Horseattacks consists in simply putting an optical isolator; inimplementations where light must go both ways (typi-cally, the Plug & Play setups), the solution is providedby an additional monitoring detector (Gisin et al., 2006).Apart from Trojan Horses, other hacking at-

tacks have been invented to exploit potential weak-nesses of specific implementations, e.g. fakedstate attacks (Makarov and Hjelme, 2005), phase-remapping attacks (Fung et al., 2007), time-shift at-tacks (Makarov et al., 2006; Makarov and Skaar, 2007;Qi et al., 2007; Zhao et al., 2007). It has alsobeen noticed that a too precise timing disclosedin the Alice-Bob synchronization protocol may dis-close information about which detector actually fired(Lamas-Linares and Kurtsiefer, 2007).

5. A crutch: the “uncalibrated-device scenario”

As stressed, all the errors and losses in the quantumchannel must be attributed to Eve’s intervention. Butin a real experiment, there are errors and losses also in-side the devices of the authorized partners. In particu-lar, the detectors have finite efficiency (losses) and darkcounts (errors); these values are known to the authorizedpartners, through calibration of their devices. A securityproof should take this fact into account.The task of integrating this knowledge into security

proofs, however, has proved harder than one might think.In general, the naive approach, consisting in taking anattack and removing the device imperfections from theparameters used in privacy amplification, gives only anupper bound, even at the level of individual attacks36. In

36 Consider a PNS attack (III.B.3) on BB84 implemented with weakcoherent pulses, and focus on the pulses for which Eve has foundn = 2 photons. The obvious PNS attack consists in Eve keepingone photon in a quantum memory and sending the other one to

particular, unconditional security proofs, whenever avail-able, have been provided only under the assumption thatall the losses and all the errors are attributed to Eve andmust therefore be taken into account in privacy amplifica-tion. We refer to this assumption as to the uncalibrated-device scenario, because it all happens as if Alice andBob would have no means of distinguishing the losses anderrors of their devices from those originating in the chan-nel37. These issues have been raised in a non-uniformway in the literature. Most of the discussions have takenplace for discrete-variable protocols; the security stud-ies of distributed-phase-reference protocols are in a tooearly stage, but will surely have to address the question.The case of CV QKD may prove different because of thedifference in the detection process (homodyne detectioninstead of photon counting).

At the moment of writing, the uncalibrated-device sce-nario is still a necessary condition to derive lower bounds.In the following sections, we shall work with this sce-nario. In IV.C and VII.B.3, we shall compare the bestavailable lower bounds with the upper bounds obtainedwith a naive approach to calibrated devices: we shallshow (for the first time explicitly, to our knowledge) thatin some cases the two bounds coincide for every practi-cal purpose. In VIII.A.2, we shall stress once again thatthe uncalibrated-device scenario is an over-conservativeassumption, a crutch we shall have to get rid of in thecoming years.

IV. DISCRETE-VARIABLE PROTOCOLS

A. Generic Assumptions and Tools

As argued in III.B.5, in order to present lower boundsas they are available today, we work systematically in

Bob, because in this case she obtains full information and in-troduces no error. But there is no information on non-detectedphotons: in particular, if Eve cannot control the losses in Bob’sapparatus tB and the detector efficiency η, her information rateon such events will be I2→1+1 = tBη. Now, consider anotherstrategy: Eve applies a quantum cloner 2 → 3, keeps one pho-ton and sends the other two to Bob. Since no perfect cloningis possible, this introduces an error ε2 on Bob’s side and Eve’sinformation on each detected bit is I(ε2) < 1. But Eve’s informa-tion rate is I2→2+1 = [1− (1− tBη)2]I(ε2) ≈ 2tBηI(ε2) and cantherefore become larger than I2→1+1. The full analysis must bedone carefully, taking into account the observed total error rate;in the family of individual attacks, the cloning strategy performsindeed better than the “obvious” one for typical values of tBη(Curty and Lutkenhaus, 2004; Niederberger, Scarani and Gisin,2005). Note that there is no claim of optimality in this example:another attack may be found that performs still better.

37 The name “uncalibrated-device scenario” is proposed here for thefirst time. In the literature, the assumption used to be named“untrusted-device scenario”; but this name is clearly inadequate(see I.B.2 for the elements that must be always trusted in a QKDsetup, and VIII.A.3 for those may not be trusted in some veryspecific protocols).

21

the uncalibrated-device scenario; paragraph IV.C willpresent how to derive an upper bound for calibrated de-vices.

1. Photon-number statistics

We suppose that each signal is represented by a diago-nal state in the photon-number basis, or in other words,that there is no phase reference available and no coher-ence between successive signals38. Thus, Alice’s sourcecan be described as sending out a pulse that contains nphotons with probability pA(n); Eve can learn n withoutmodifying the state, so this step is indeed part of theoptimal collective attack (Eve may always choose not totake advantage of this information).The statistical parameters that describe a key ex-

change are basically detection rates and error rates39.Here are the main notations:

• R: total detection rate;

• Rn: detection rate for the events when Alice sentn photons (

∑

nRn = R);

• Yn = Rn/R a convenient notation (∑

n Yn = 1);

• Rwn : wrong counts among the Rn;

• εn = Rwn /Rn the error rate on the n photon signals;

• Q =∑

n Ynεn the total error rate (QBER).

This list deserves two important remarks:

a. Photon statistics on Bob’s side. If the channel in-troduces random losses, the photons that enterBob’s device are distributed according to p tB(k) =∑

n≥k pA(n)Ckntk(1 − t)n−k where Ckn = k!

n!(n−k)! is the

binomial factor; one could compute Rn from this valueand the details of the protocol. However, Eve can adapther strategy to the value of n, so the photon-numberstatistics pB(k) on Bob’s side may be completely differ-ent from p tB(k) (Lutkenhaus and Jahma, 2002).

b. About double clicks. In the list above, the reader mayhave noticed the absence of an important accessible pa-rameter, namely the rate of double clicks, i.e. the cases in

38 In some cases like Plug&Play implementations, the random-ization of the phase should in principle be ensured actively(Gisin et al., 2006).

39 We assume that these parameters are independent of Bob’s mea-surements, either because they are really measured to be thesame for all bases (a reasonable case in practice), or because, af-ter the sifting procedure, Alice and Bob forget from which mea-surement each bit was derived and work with average values.

which both detectors have been triggered. The reason isthat independent assessment of this rate is crucial if onewants to incorporate the calibration of the devices (seediscussion in VIII.A.2), but in the uncalibrated-devicescenario the rate of double clicks can be absorbed intoRn. The argument goes as follows (Lutkenhaus, 1999,2000): in the protocol, one prescribes that, in the caseof a double click, Bob generates a random bit. This sim-ulates exactly the outcome that a single photon in thesame state would have produced40. This means in par-ticular that, for this modified protocol, one can supposewithout loss of generality that Eve forwards at most onephoton to Bob. Therefore, from now onwards we setpB(k ≥ 2) = 0; after measuring n, Eve forwards a pho-ton to Bob with probability fn and blocks everything inthe other cases.

2. Secret key rate

The bound for the secret fraction is (18). In the caseof the protocols under study, H(A) = H(B) = 1 andH(A|B) = H(B|A) = h(Q), where h is binary entropyand Q is the QBER. Therefore I(A : B) = 1 − h(Q).However, we want to provide formulas that take imper-fect error correction into account. Therefore we shall use

K = R [1− leakEC(Q)− IE ] (22)

with leakEC(Q) ≥ h(Q) and IE = min (IAE , IBE). Letus study this last term. Eve gains information only onthe non-empty pulses, and provided Bob detects the pho-ton she has forwarded. Since the exponential De Finettitheorem applies to discrete-variable protocols (see discus-sion in III.B.2), and since the optimal collective attackincludes the measurement of the number of photons, thegeneric structure for the Eve’s information reads41

IE = maxEve

∑

n

Yn IE,n (23)

where, as usual, the maximum is to be taken on all Eve’sattacks compatible with the measured parameters.

40 In fact, recall first that dark counts do not happen in theuncalibrated-device scenario, because Eve replaces them with“useful” errors. Therefore, double-clicks can only happen if thepulse contained n > 1 photons and these are not in an eigenstateof the measurement setting.

41 More explicitly, this formula should read IE = min (IAE , IBE)with IAE = maxEve

∑

nYn IAE,n and similarly for IBE .

In the development of QKD, this formula was derived firstfor BB84 (Gottesman, Lo, Lutkenhaus and Preskill, 2004), thenfor SARG04 (Fung, Tamaki and Lo, 2006), then generalizedto all discrete-variable protocols (Kraus, Branciard and Renner,2007).

22

B. BB84 coding: lower bounds

In the BB84 coding, the probability that Bob acceptsan item depends only on the fact that he has used thesame basis as Alice, which happens with probability psift.Therefore, writing νS = νS psift, we have

Rn = νS pA(n) fn : (24)

the only free parameter here is fn. Now we considerdifferent implementations of this coding.

1. Prepare-and-Measure: Generalities

In P&M BB84, IAE = IBE . On the events when Al-ice sends no photons (n = 0) but Bob has a detection,the intuitive result IE,0 = 0 (Lo, 2005) has indeed beenproved (Koashi, 2006). On the single-photon pulses, Evecan gain information only at the expense of introducingan error ε1; the maximal information that she can ob-tain this way is IE,1 = h(ε1) where h is binary entropy(Shor and Preskill, 2000). A possible demonstration ofthis well-known result is given in Appendix A. For multi-photon pulses, the best attack is the PNS attack in whichEve forwards one photon to Bob and keeps the others: i.e.for n ≥ 2, εn = 0 and IE,n = 1 (Fung, Tamaki and Lo,2006; Gottesman, Lo, Lutkenhaus and Preskill, 2004;Kraus, Branciard and Renner, 2007). Therefore (23) be-comes

IE = maxEve

[

Y1h(ε1) +(

1− Y0 − Y1)]

= 1−minEve

{Y0 + Y1[1− h(ε1)]} . (25)

2. P&M without decoy states

In P&M schemes without decoy states, the only mea-sured parameters are R and Q. We have to assumeεn≥2 = 0; therefore we obtain ε1 = Q/Y1. From this and(25), we see42 that Eve’s optimal attack compatible withthe measured parameters is the one which minimizes Y1,a situation which is obviously achieved by setting f0 = 0and fn≥2 = 1. One finds then

Y1 = 1− (νS/R) pA(n ≥ 2) . (26)

As a conclusion, for BB84 in a P&M scheme withoutdecoy states, the quantity to be subtracted in PA is

IE = 1− Y1[1− h(Q/Y1)] ; (27)

the corresponding achievable secret key rate (22) is

K = R [Y1 (1− h(Q/Y1))− leakEC(Q)] (28)

42 First proved in (Inamori, Lutkenhaus and Mayers, 2001-2007) inthe context of unconditional security.

where Y1 is given in (26). As expected, K contains onlyquantities that are known either from calibration or fromthe parameter estimation of the protocol (R, Q).

3. P&M with decoy states

The idea of decoy states is simple and deep (Hwang,2003) and has been rapidly embedded in proofs of uncon-ditional security (Lo, Ma and Chen, 2005; Wang, 2005).Let ξ be some tunable parameter(s) in the source, thetypical example being ξ = µ the intensity (mean photon-number) of a laser. Alice changes the value of ξ randomlyfrom one pulse to the other; at the end of the exchange ofquantum signals, Alice reveals the list of values of ξ ∈ X ,and the data are sorted in order to estimate the parame-ters separately for each value. With this simple method,Alice and Bob measure 2|X | parameters, namely the Rξ

and the Qξ.

The set X is publicly known as part of the protocol;but if |X | > 1, Eve cannot adapt her strategy to actualvalue of ξ in each pulse, because she does not know it.Therefore, fn and εn are independent of ξ; in particular,Rξn = νS pA(n|ξ) fn. The measured parameters

Rξ =∑

n≥0

Rξn and Qξ =∑

n≥0

RξnRξ

εn (29)

define a linear system with 2|X | equations for the fn andthe εn. The optimization in (25) must then be performed

using the lower bounds for Y ξ1 and the upper bound forε1 as obtained from the measured quantities {Rξ, Qξ}ξ∈X(Tsurumaru, Soujaeff, Takeuchi, 2007). In practice, themeaningful contributions are typically the n = 0, 1, 2terms, and a decoy-state protocol with |X | = 3 reachesvery close an exact determination (Hayashi, 2007b). Forsimplicity, here we suppose that all the fn and εn havebeen determined exactly43. Also, we consider a protocolin which the classical post-processing that extracts a keyis done separately on the data that correspond to differ-ent ξ. For each ξ, the quantity to be subtracted in PAis44

IξE = 1− Y ξ0 − Y ξ1 [1− h(ε1)] (30)

with Y ξ1 = Rξ1/Rξ and the corresponding achievable se-

cret key rate is

Kξ = Rξ[

Y ξ0 + Y ξ1 (1− h(ε1))− leakEC(Qξ)]

.(31)

43 As a side remark: one might find εn≥2 > 0, but this does notmodify the discussion in IV.B.1 about the optimal attack. In-deed, Eve might have performed the attack that gives εn≥2 = 0,then added some errors “for free”.

44 Note the presence of Y ξ0 in the next two equations.

23

The total secret key rate is K =∑′

ξKξ, where the sum

is taken on all the values of ξ such that Kξ ≥ 0. Ifthe classical post-processing were done on the whole rawkey, the total secret key rate would read K = R[1 −leakEC(Q)] −∑ξ R

ξIξE . The two expressions coincide ifthere exists a ξ which is used almost always.

4. P&M: analytical estimates

Alice and Bob can optimize K by playing with the pa-rameters of the source, typically the intensity. A rigorousoptimization can be done only numerically. In this para-graph, we re-derive some often-quoted results for P&Mimplementations of BB84. For this a priori estimate, onehas to assume that some “typical” values for the Rn andthe Qn will indeed be observed. As stressed above, se-curity must be based on the actually measured values:what follows provides only guidelines to start workingwith the correct orders of magnitude. Here, we chose towork in a regime in which the rate of detection of truephotons is much larger than the dark count rate. Forsimplicity, we also assume optimal error correction, sothat leakEC(Q) = h(Q).The reference case is the case of single-photon sources,

for which the meaningful scheme is P&M without decoystates. For this source, pA(1) = 1 therefore Y1 = 1; theexpected detection rate is R = νSt tBη, and Eq. (28)yields immediately

K ≈ νSt tBη [1− 2h(Q)] (single photon) . (32)

As expected, K scales linearly with the losses in the lineand the efficiency of the detector.The most widespread source in P&M schemes are at-

tenuated lasers. The estimate can be made by consid-ering only the single-photon and the two-photon emis-sions: pA(1) = µe−µ, pA(2) = µ2e−µ/2. The expecteddetection rate is R = νSµt tBη. The important feature,which is absent in the study of single-photon sources, isthe existence of an optimal value for the intensity µ, acompromise between a large R and a small pA(2). Wefocus first on implementations without decoy states. Wecan set pA(1) ≈ µ and pA(2) ≈ µ2/2, but still, the op-timal value of µ cannot be estimated exactly in gen-eral, because Y1 = 1 − µ

2t tBηdepends on µ and ap-

pears in a non-algebraic function. Let us then con-sider first the limiting case Q = 0: Eq. (28) becomesK/νS ≈ µt tBη−µ2/2, whose maximal value is 1

2 (t tBη)2

obtained for µ0 = t tBη (Lutkenhaus, 2000). To obtainestimates for the Q > 0 case, we can make the approx-imation of using µ0 to compute Y1, i.e. to set Y1 = 1

2 .Then, the optimization of Eq. (28) is also immediate:writing F (Q) = 1−h(2Q)−h(Q), the highest achievablesecret key rate is

K

νSt tBη≈ 1

2µopt F (Q) (laser, no decoy) (33)

obtained for the optimal mean photon number

µopt ≈ t tBηF (Q)

1− h(2Q). (34)

Let us now perform the estimate for an implementa-tion using decoy states. The decoy consists in varyingthe intensity of the laser from one pulse to the other,so that the general parameter ξ is in fact µ. We sup-pose that a given value µ is used almost always (andthis one we want to optimize), while sufficiently manydecoy values are used in order to provide a full parame-ter estimation. The expected values are Rµ = νSµt tBη,Rµ1 = νSµe

−µt tBη and ε1 = Q. Inserted into Eq. (31),one obtains K ≈ νSµt tBη[e

−µ(1 − h(Q))− h(Q)]; usinge−µ ≈ 1− µ, this expression reaches the maximal value

K

νSt tBη≈ 1

2µopt [1 − 2h(Q)] (laser, decoy) (35)

for the optimal mean photon number

µopt ≈ 1

2

[

1− h(Q)

1− h(Q)

]

. (36)

Let us summarize. Without decoy states, µopt ∼ t andconsequently K ∝ t2: the larger the losses, the moreattenuated must the laser be. The reason are PNS at-tacks: Alice must ensure that Eve cannot reproduce thedetection rate at Bob’s by using only photons that comefrom 2-photon pulses (on which she has full information).With decoy states, one can determine the fraction ofdetections that involve photons coming from 2-photonpulses; if this fraction is as low as expected, one can ex-clude a PNS attack by Eve — as a benefit, the linearscaling K ∝ t is recovered. This is the same scaling ob-tained with single-photon sources, with the obvious bene-fit that lasers are much more versatile and well-developedthan strongly sub-Poissonian sources. Another interest-ing remark is that, both with and without decoy states,µopt ≈ 1

2µcrit, where the critical value µcrit is defined asthe one for which K ≈ 0. In other words, an intensitydouble than the optimal one is already enough to spoil allsecurity. In implementations without decoy states, whereµ decreases with t, this calibration may be critical at longdistances.

5. Entanglement-Based

In all versions of EB QKD implemented to date, Al-ice holds the down-conversion source. In this case, anEB scheme is equivalent to a P&M one (see II.B.1) sothe corresponding security proofs could be applied. Theonly specific difference to address concerns the events inwhich more than one pair is produced inside a coinci-dence window. As described in Sec. II.E.3, two kinds ofsuch contributions exist and Eve is able to distinguishbetween them:

24

• A fraction of the multi-pair events contain partialcorrelations in the degrees of freedom used for sym-bol encoding; thus, Eve can get information on thekey bit by some form of PNS attacks. This situ-ation is similar to the multi-photon case in P&Mschemes, although here it is difficult to determineexactly the amount of information that leaks out.To be on the safe side we will suppose that Eve canobtain full information without introducing any er-rors.

• The other, usually much larger fraction of multi-pair events consists of independent uncorrelatedpairs. In this case Eve cannot obtain any informa-tion on Bob’s symbol using the PNS attack. Shecan only apply “standard” single particle attack.We suppose that Eve can somehow find out whichone of multiple pairs were selected by Alice’s detec-tor, so we treat all such multi-pair contributions asif they were single pairs.

Therefore Eq. (25) is replaced by

IE ≤ Y ′m + Y ′

1 h

(

Q

Y ′1

)

, (37)

where Y ′1 is the fraction of single-pair plus uncorrelated

multi-pair events and Y ′m is the fraction of multi-pair

events which are (partially) correlated in the degree offreedom the information is encoded in. Explicitly,

Y ′m = pA(n ≥ 2)

νSRζ (38)

with ζ being the ratio of the number of partially corre-lated multi-pair contributions to all multi-pair contribu-tions (see Sec. II.E.3). In total Y ′

m+Y ′1 = 1. Finally, the

achievable secret-key rate reads

K = R [Y ′1 (1− h(Q/Y ′

1))− leakEC(Q)] . (39)

Recall that these formulas apply to implementations, inwhich the source is safe on Alice’s side. Notice also thattwo different sorts of multi-pair contributions are consid-ered and for each of them different eavesdropping strat-egy is assumed. However, in reality there is a smoothtransition between correlated and uncorrelated pairs. Allmulti-pair events which exhibit non-negligible correla-tions must be counted as correlated.Recently security has been demonstrated also for EB

systems, in which the source is under Eve’s control(Ma, Fung and Lo, 2007). The authors describe the con-ditions, under which the whole object “Eve’s state prepa-ration and Alice’s measurement” behaves like an un-characterized source in the sense of Koashi and Preskill(Koashi and Preskill, 2003). Alice has a box where shecan dial a basis and gets an information bit from her boxindicating which signal (0 or 1) was sent. Whatever stateEve prepares, when she gives one part into Alice’s boxand Alice chooses a measurement, then the average den-sity matrix outside this box is by definition independent

of this choice (assuming that the no-click event proba-bility is basis independent). On Alice’s side no Hilbertspace argument is needed, but on Bob’s side the squash-ing property of the detection is required. It means thatthe state incoming to Bob is first projected to a two-dimensional qubit subspace and only then measured ina chosen basis. In the moment of writing it is not clearwhether this is fully equivalent to the practical situationwhen, e.g., two polarization components are first sepa-rated and then the detectors which cannot resolve thenumber of incoming photons are used. But there are in-dications that it could be equivalent. The formula for theachievable secret-key rate reads

K = R [1− h(Q)− leakEC(Q)] . (40)

Formally, this is the same as obtained in a P&M schemeusing single photons [Eq. (28) with Y1 = 1]. As such,it is a remarkable result: it states that, under the as-sumptions listed above, all the deviations from a perfecttwo-photon source — in particular, the presence of multi-photon components — are taken care of by measuring theerror rate Q (Koashi and Preskill, 2003). Besides, it hasbeen found that the EB QKD can tolerate higher lossesif the source is placed in the middle between Alice andBob rather than if it is in Alice’s side (Ma, Fung and Lo,2007).

C. BB84 coding: upper bounds incorporating thecalibration of the devices

As explained in III.B.5, the bounds for unconditionalsecurity are always found for the uncalibrated-devicescenario, which is over-pessimistic. It is instructive topresent some upper bounds that take the calibration ofthe devices into account: the comparison between theseand the lower bounds will determine the “realm of hope”,i.e. the range in which improvements on K may yet befound. Clearly, the contribution leakEC(Q) of error cor-rection is independent of the scenario: one has to correctfor all the errors, whatever their origin. The differenceappears in the quantity to be removed in privacy ampli-fication.

1. Statistical parameters

In order to single out the parameters of the devices,one has first to recast the general notations (IV.A.1) ina more elaborated form. The detection rates must beexplicitly written as

Rn = Rn,p +Rn,d (41)

where Rn,p is the contribution of detections and Rn,d isthe contribution of dark counts. Since Eve can act onlyon the first part, it is convenient to redefine Yn = Rn,p/R,so that

∑

n Yn ≡ Y < 1. The errors on the line εn are

25

introduced only on the photon contribution, while thedark counts always give an error rate of 1

2 ; therefore thetotal error is

Q = Y ε+ δ (42)

where ε =∑

n≥1Yn

Y εn and δ = 1−Y2 .

Note that the content of this paragraph is not specificto BB84; but all that follows is.

2. Upper bounds

To derive an upper bound, we use a simple recipe,which consists in following closely the calculations of theprevious subsection IV.B and just making the necessarymodifications. In particular, Eve is still supposed to for-ward to Bob at most one photon, although this is knownto be sub-optimal. Therefore

Rn,p = νSpA(n)fn tBη (43)

Rn,d = νSpA(n)(1− fn tBη) 2pd (44)

where pd is the dark count rate. Note the presence oftBη in these formulas: the detector efficiency has notbeen incorporated into fn. Extracting fn tBη from theseequations, one finds

Y = (1− 2pdνS/R) /(1− 2pd) (45)

which means that the ratio between detections and darkcounts depends only on the total detection rate R. Also,for our simple recipe, it is immediate that the modifica-tion of the general expression (25) reads

IE = maxEve

[

Y1h(ε1) +(

Y − Y1)]

= Y −minEve

Y1[1− h(ε1)] . (46)

We restrict now to the P&M schemes. In the imple-mentation with decoy states, the Yn and the εn are known,so the only difference with the uncalibrated-device for-mula (31) is the role of dark counts:

Kξ = Rξ[

Y ξ1 (1− h(ε1)) + 2δξ − leakEC(Qξ)]

(47)

where Y0 is replaced by the very slightly larger term45

2δξ = 1−Y ξ. Things are different for the implementationwithout decoy states, because now Y1 and ε1 are not di-rectly measured, only R and Q are. Since we are suppos-ing that the optimal strategy is still such that εn≥2 = 0

45 In the notation of this paragraph, the previous Y0 would readR0/R = R0,d/R; while 2δ =

∑

n≥0Rn,d/R. Note that, strictly

speaking, R0 = R0,d is an assumption: a priori, one can imaginethat Eve creates some photons to send to Bob also when Alice issending no photons — but we don’t consider here such a highlyartificial situation.

and fn≥2 = 1, we have

Y1 = Y − tBηνSRpA(n ≥ 2) and ε1 =

Q− δ

Y1.(48)

Note that Y1 can be significantly larger than in theuncalibrated-device scenario, eq. (26): in fact, althoughY is slightly smaller than one, the term to be subtractedis multiplied by tBη. This difference is specifically dueto the fact that Eve is not supposed to influence the ef-ficiency of the detector. Finally, one obtains

K = R [Y1 (1− h(ε1)) + 2δ − leakEC(Q)] (49)

with the expressions (48) and with 2δ = 1− Y .

D. Bounds for the SARG04 coding

We sketch here the analysis of SARG04 because it con-tains a certain number of instructive differences with re-spect to BB84. Here we note νS = νS/2 because Bobmust always choose the bases with probability 1

2 , evenif Alice would almost always use the same set of states.The raw key rates are different from those of BB84. Fordefiniteness, suppose that Alice send |+ x〉, so the bit isaccepted if Bob finds “−”. If Bob measures X , he ac-cepts the bit only if he obtains “−”, but this can onlybe due to an error. We write Rwn = νSpA(n) fn εn wherethe relation of εn to the induced error rate εn will becomputed just below. If Bob measures Y , he gets “−” inhalf of the cases46 and the bit value is correct. So

Rn = νSpA(n) fn

(1

2+ εn

)

. (50)

We see that the detection rate increases in the presenceof errors, contrary to BB84 where the detection rate isdetermined only by psift. The error rate is

εn =εn

12 + εn

: (51)

for a given perturbation εn in the quantum channel, theerror introduced in SARG04 is roughly twice the errorεn = εn which would be introduced in BB84.The protocol can be analyzed following the same pat-

tern as the one presented for BB84. Here we just reviewthe main results:

• SARG04 was invented as a method to reduce theeffect of PNS attacks, taking advantage of the factthat Eve cannot extract full information from the

46 As such, this statement contains an assumption on Eve’s attack,namely Tr[σyρ(±x)] = 0 where ρ(±x) is the state received byBob after Eve’s intervention, when Alice has sent | ± x〉. Butthe result holds in general for the average detection rate, if Aliceprepares all four states with equal probability.

26

2-photon pulses (Acın, Gisin and Scarani, 2004;Scarani, Acın, Ribordy and Gisin, 2004). This ini-tial intuition has been confirmed by all subsequent,more rigorous studies. In particular, it was provedthat a fraction of fully secure secret key can be ex-tracted from the 2-photon pulses (Tamaki and Lo,2006), and that in implementations using weak co-herent lasers and without decoy states, for smallerror rate SARG04 performs indeed better thanBB84 and shows a scaling ∼ t3/2 as a function ofthe distance (Branciard et al., 2005; Koashi, 2005b;Kraus, Branciard and Renner, 2007).

• When implemented with decoy states, SARG04performs worse than BB84 (Fung, Tamaki and Lo,2006; Kraus, Branciard and Renner, 2007).

• An interesting case arises if one considers imple-mentations with single-photon sources. The opti-mal IE,1, which is not known analytically but caneasily be computed numerically, goes to zero forε1 ≈ 11.67% (Kraus, Branciard and Renner, 2007).This value is slightly better than the correspondingvalue for BB84, ε1 ≈ 11.0%: it seems therefore thatSARG04 would perform better than BB84 also in asingle-photon implementation. The picture is how-ever different if one relates the error rate to theparameters of the channel, typically the visibilityof interference fringes: this parameter is related tothe ones introduced here through ε1 = 1−V

2 . ForBB84, ε1 = ε1 and consequently the critical visibil-ity is V ≈ 78%; while for SARG04, because of (51),the critical visibility is worse, namely V ≈ 87%.

V. CONTINUOUS-VARIABLE PROTOCOLS

A. Status of security proofs

In the case of Gaussian modulation, se-curity has been proved against collec-tive attacks (Garcıa-Patron and Cerf, 2006;Navascues, Grosshans and Acın, 2006). We shallpresent this bound below (V.B) and use it for thecomparison with the other platforms (VII). There issome hope that the same bound would hold also for themost general attack, as it is the case for discrete-variablesystems: in particular, we note that the “intuitive”reason behind that equivalence (III.B.2) would applyalso to CV protocols. Unfortunately, the exponential deFinetti bound (Renner, 2007) does not help because itexplicitely depends on the dimension of the quantumsignals.In the case of discrete modulation, the security status

is even less advanced. Technically, the difficulty lies inthe fact that the raw key is made of discrete variablesfor Alice, while Bob has a string of real numbers. Afull analysis has been possible only in the case where thequantum channel does not add excess noise to the signal,

so that the observed conditional variances still describeminimum uncertainty states. In this case, the eavesdrop-per’s attack is always describable as a generalized beam-splitting attack, simulating the observed loss. The corre-sponding key rates depend on the classical communica-tion protocols chosen (with or without post-selection ofdata, in reverse or direct reconciliation); the best knownprotocol involves a combination of post-selection and re-verse reconciliation, especially when the error correctionalgorithms work away from the asymptotic Shannon effi-ciency (Heid and Lutkenhaus, 2006). In the presence ofexcess noise, the formula for the key rate is the object ofongoing research; it has at least been possible to deriveentanglement witnesses (Rigas, Guhne and Lutkenhaus,2006). Entanglement verification has been performedand has shown that excess noise in typical installationsdoes not wipe out the quantum correlation within theexperimentally accessible domain (Lorenz et al., 2006).

Finally, in all works on CV QKD with no exception,it has been assumed that Eve does not act on the localoscillator47 — of course, she is allowed to have accessto it in order to measure quadratures. Since the localoscillator travels through Eve’s domain, this assumptionopens a security loophole48. Note that a similar situationburdened until very recently the security of Plug&Playconfigurations, for which finally unconditional securitycould be proved (see II.H); it is not clear however thatthe same approach will work here, since the strong pulseshave very different roles in the two schemes. In any case,the open issue just discussed, together with the fact thatthe existing exponential de Finetti theorem does not ap-ply to infinitely-dimensional systems, are the main rea-sons unconditional security proofs are not available yetfor CV QKD.

As mentioned earlier (II.D.3), continuous variableprotocols show interesting features also on the classicalpart. In contrast to typical discrete variable protocols,where losses simply reduce the number of detectedsignals, continuous variable protocols will always detecta result, so that loss corresponds now to increased noisein the signal. Two main methods have been formu-lated to deal with this situation at the protocol level:reverse reconciliation (Grosshans and Grangier, 2002a)

47 This amounts at viewing the local oscillator as an authenticated

channel, building on the closeness to classical signals. In an alter-native set-up, this problem can be circumvented by Bob measur-ing the phase of the local oscillator, followed by the recreationwithin Bob’s detector of a local oscillator with the measuredphase (Koashi, 2004).

48 For the setups as they have been implemented, all observedcorrelations can be explained by a specific intercept/resend at-tack involving both the signal and the local oscillator. Se-curity against this specific attack can be easily recovered bysimple modifications of the setups, for example the indepen-dent measurement of the intensity of the phase reference pulseand the signal pulse (Ferenczi, Grangier and Grosshans, 2007;Haseler, Moroder and Lutkenhaus, 2007).

27

and post-selection (Silberhorn et al., 2002). The firstmethod can be realized using one-way EC schemes, butturns out to be sensitive to the efficiency of those veryschemes. Its main advantage is that its security can berigorously assessed versus general collective attacks (andhas been conjectured to hold even for coherent attacks)In contrast, the second method can use both one-way andtwo-way EC schemes, and is fairly stable even if thoseschemes do not perform at the Shannon limit. However,its security can be analyzed only by making assumptionson Eve’s interception (see below). The status of itssecurity is not clear even for general individual attacks.Note that for close-to-perfect EC, reverse reconciliationoutperforms post-selection. While progress is beingmade in the efficiency of EC schemes, it turns out thata combination of post-selection and reverse reconcilia-tion provides a practical solution to obtain reasonablerates with current technology, both for discrete-modulation (Heid and Lutkenhaus, 2006) and forGaussian-modulation protocols (Heid and Lutkenhaus,2007).

B. Bounds for Gaussian protocols

1. Generalities

As announced, we provide an explicit securitybound for coherent-state homodyne-detection protocolof (Grosshans and Grangier, 2002a). Like all Gaus-sian protocols, this prepare-and-measure protocol can beshown to be equivalent to an entanglement-based scheme(Grosshans, Cerf et al., 2003). In such a scheme, Aliceprepares an EPR state — more precisely, the two-modesqueezed vacuum state (11). By applying an heterodynemeasurement on mode A, she prepares in the secondmode of the EPR pair a coherent state, whose displace-ment vector is Gaussian distributed in x and p. Then,Bob applies a homodyne measurement on mode B, mea-suring quadrature x or p. It can be shown that reversereconciliation is always favorable for Alice and Bob, sowe have to compute Eq. (18) with IEB on the right handside.It has been proved that Eve’s opti-

mal attack is Gaussian for both individual(Garcıa-Patron, 2007; Grosshans and Cerf, 2004;Lodewyck, Debuisschert et al., 2007) and col-lective attacks (Garcıa-Patron and Cerf, 2006;Navascues, Grosshans and Acın, 2006). We can there-fore assume that Eve effects a Gaussian channel, sothat the quantum state ρAB just before Alice andBob’s measurements can be assumed to be a Gaussiantwo-mode state with zero mean value and covariancematrix γAB.

The Gaussian channel is characterized by two parame-ters: the transmittance, which here, since we work in theuncalibrated-device scenario, is tη with η the efficiencyof the detectors; and the noise δ referred to the input of

the channel49. Since the two-mode squeezed state (11)is also symmetric and has no correlations between x andp, the resulting covariance matrix of modes A and B canbe written in a block-diagonal form,

γAB =

(

γxAB 0

0 γpAB

)

(52)

with

γx(p)AB =

(

v ±√

tη(v2 − 1)

±√

tη(v2 − 1) tη(v + δ)

)

(53)

where the signs + and − correspond to γxAB and γpAB,respectively. Here, v is the variance of both quadraturesof Alice’s output thermal state expressed in shot-noiseunits, that is, v = vA+1, vA being the variance of Alice’sGaussian modulation.For what follows, it is convenient to define vX|Y , the

conditional variance that quantifies the remaining uncer-tainty on X after the measurement of Y :

vX|Y = 〈x2〉 − 〈xy〉2/〈y2〉 , (54)

expressed in shot-noise units.

2. Modeling the noise

The noise δ is the total noise of the channel Alice-Bob.It can be modeled as the sum of three terms:

δ =1− t

t+δht

+ ǫ . (55)

The first term (1−t)/t stands for the loss-induced vacuumnoise (referred to the input); this term is at the originof the higher sensitivity to losses of continuous-variableQKD. The second term stands for the noise added by theimperfection of the homodyne detection. This is modeledby assuming that the signal reaching Bob’s station is at-tenuated by a factor η (detection efficiency) and mixedwith some thermal noise vel (electronic noise of the de-tector), giving50

δh =1 + velη

− 1 . (56)

The third term ǫ is the excess noise (referred to the in-put) that is not due to line losses nor detector imper-fections. For a perfect detector, it can be viewed as thecontinuous-variable counterpart of the QBER in discrete-variable QKD; it is zero for a lossy but noiseless line.

49 The observed noise in channels such as optical fibers is typicallysymmetric and uncorrelated in both quadratures x and p (thereis no preferred phase), so we restrict to this case here.

50 Replacing the expression for δh into (55), one obtains δ = (1 −tη + vel)/(tη) + ε, which depends only on tη as it should in theuncalibrated-device scenario.

28

3. Information Alice-Bob

In the EB version of the coherent-state protocol con-sidered here (Grosshans and Grangier, 2002a), Alice per-forms heterodyne detection, so her uncertainty on Bob’squadratures is expressed as

vB|AM= tη(δ + 1) . (57)

The mutual information between Alice and Bob is there-fore given by

I(A : B) =1

2log2

[

vBvB|AM

]

=1

2log2

[

δ + v

δ + 1

]

.(58)

As mentioned above, the main bottleneck of continuous-variable QKD schemes comes from the heavy post-processing that is needed in order to correct the errorsdue to the vacuum noise that is induced by the line losses.In practice, the amount of information left after errorcorrection will be a fraction β of I(A : B). This valuehas an important effect on the achievable secret key rateand the limiting distance (as we shall discuss below, forβ = 1 a secure key can in principle be extracted for ar-bitrarily large distances). This provides a strong incen-tive for developing better reconciliation algorithms. Thefirst technique that was proposed to perform continuous-variable error correction relied on a so-called “slicedreconciliation” method (Van Assche, Cardinal and Cerf,2004), and gave an efficiency β ≈ 80%. These al-gorithms have been improved by using turbo-codes(Nguyen, Van Assche and Cerf, 2004) and low-densityparity codes (LDPC) (Bloch et al., 2005), which bothallow to work with noisy data, hence longer distances.More recently, multi-dimensional reconciliation algo-rithms have been introduced, which allow to deal witheven noisier data while keeping similar or higher recon-ciliation efficiencies (Leverrier et al., 2007).

4. Individual attacks

To become familiar with the security analysis, we firstpresent individual attacks. In order to address the secu-rity of the protocol, we assume as usual that Eve holdsthe purification of ρAB. Then, by measuring their sys-tems, Alice and Eve project Bob’s share of the joint purestate |ΨABE〉 onto another pure state (we may assumewithout loss of generality that Eve’s projection resultsfrom a rank-one POVM). Applying the Heisenberg un-certainty relation on the pure state held by Bob condi-tionally on Alice and Eve’s measurements, we have

vXB |E vPB |A ≥ 1, vPB |E vXB |A ≥ 1, (59)

where XB and PB are the canonically conjugate quadra-tures of Bob’s mode. Equation (59) can be written as asingle uncertainty relation

vB|E vB|A ≥ 1 (60)

where B stands for any quadrature of Bob’s mode. Thisinequality can be used to put a lower bound on the un-certainty of Eve’s estimate of the key in reverse reconcil-iation, that is, when the key is made out of Bob’s datawhile Alice and Eve compete to estimate it.Now, vB|A is not necessarily given by (57): Eve’s at-

tack cannot depend on how the mixed state sent by Al-ice (i.e., the thermal state) has been prepared, since allpossible ensembles are indistinguishable. An acceptablepossibility is Alice performing homodyne measurement,or, equivalently, preparing squeezed states just as in theprotocol of (Cerf, Levy and Van Assche, 2001); in whichcase we obtain

vB|A = tη(δ + 1/v) . (61)

It can be shown that this is the lowest possible value ofvB|A, hence from (60)

vB|E ≥ 1

tη(δ + 1/v). (62)

This gives a bound for I(B : E), so the extractable se-cret key rate under the assumption of individual attacksbecomes

r = I(A : B)− I(E : B) =1

2log2

[

vB|EvB|AM

]

≥ 1

2log2

[

1

(tη)2(δ + 1/v)(δ + 1)

]

(63)

as shown in (Grosshans, Van Assche et al., 2003). Notethat the scheme that implements the optimal attack (sat-urating this bound) is the entanglement cloner defined in(Grosshans and Grangier, 2002b). Using Eq. (55), it ap-pears that in the case of high losses (tη → 0) and largemodulation (v → ∞), the secret key rate r remains non-zero provided that the excess noise satisfies ǫ < 1/2. Thisis a remarkable result, due to reverse reconciliation: fordirect reconciliation, obviously there can be no securitywhen Eve has as much light as Bob, i.e. for tη ≤ 1

2 .A similar reasoning can be followed to derive the se-

curity of all Gaussian QKD protocols against individualattacks (Garcıa-Patron, 2007). The only special case con-cerns the coherent-state heterodyne-detection protocol,whose security study against individual attacks is moreinvolved (Lodewyck and Grangier, 2007; Sudjana et al.,2007).

5. Collective attacks

The security of the coherent-state homodyne-detectionscheme against the class of collective attacks hasbeen fully studied. The corresponding rates werefirst provided assuming that Eve’s collective attackis Gaussian (Grosshans, 2005; Navascues and Acın,2006); later on, it was proved that this choiceis actually optimal (Garcıa-Patron and Cerf, 2006;

29

Navascues, Grosshans and Acın, 2006). This impliesthat it remains sufficient to assess the security againstGaussian collective attacks, which are completely charac-terized by the covariance matrix γAB estimated by Aliceand Bob.A long but straightforward calculation shows that

χ(B : E) = g

(

λ1 − 1

2

)

+ g

(

λ2 − 1

2

)

− g

(

λ3 − 1

2

)

(64)

where g(x) = (x+1) log2(x+1)−x log2 x is the entropy ofa thermal state with a mean photon number of x, whileλi’s are defined as:

λ21,2 =1

2(A±

√

A2 − 4B) , λ23 = v1 + vδ

v + δ(65)

with A = v2(1−2tη)+2tη+[tη(v+δ)]2 and B = [tη(vδ+1)]2.In conclusion, the secret key rate achievable against

collective attacks is obtained by inserting expressions(58) and (64) into

K = R [β I(A : B) − χ(B : E)] . (66)

6. Collective attacks and post-selection

In the case where all observed data are Gaussian, in-cluding the observed noise, we can again provide a se-curity proof which also allows to include post-selectionof data in the procedure. The starting point of this se-curity proof is the protocol with Gaussian distributionof the amplitude together with the heterodyne detectionby Bob. In this case, in a collective attack scenario, wecan assume a product structure of the subsequent sig-nals, and the density matrix ρAB of the joint state ofAlice and Bob is completely determined due to the to-mographic structure of the source replacement pictureand the measurement. In this scenario, we can thereforedetermine the quantum states in the hand of the eaves-dropper as Eve holds the system E of the purification|Ψ〉ABE of ρAB.Let us consider the situation where all observed data

in this scenario are Gaussian distributions, which is thetypical observation made in experiments. Note that thisis an assumption that can be verified in each run of theQKD protocol! In principle, one can now just use thestandard formula for the key rate in the collective sce-nario, Eq. (66). However, we would like to introduce apost-selection procedure (Silberhorn et al., 2002) to im-prove the stability of the protocol against imperfectionsin the error correction protocol.To facilitate the introduction of post-selection, we add

further public announcements to the CV QKD proto-col: Alice makes an announcement ’a’ consistent of theimaginary component αy and the modulus of the realcomponent |αx| of the complex amplitude α of her sig-nals. That leaves two possible signals state open. Sim-ilarly, Bob makes an announcement ’b’ which contains

again the complex component βy and the modulus |βx|of the complex measurement result β of her heterodynemeasurement. That leaves, again, two possible measure-ments from Eve’s point of view. For any announcementcombination (a, b) we have therefore an effective binarychannel between Alice and Bob. As the purification ofthe total state ρAB is known, we can calculate for eacheffective binary channel a key rate

∆I(a, b) = max{

(1− f(ea,bh[ea,b]− χa,b, 0}

. (67)

This expression contains the post-selection idea in theway that whenever 1−h[ea,b]−χa,b is negative, the dataare discarded, leading to a zero contribution of the corre-sponding effective binary channel to the overall key rate.The expressions for χa,b have been calculated analyticallyin (Heid and Lutkenhaus, 2007), which is possible sincenow the conditional states of Eve, as calculated from thepurification of ρAB, are now at most of rank four. Severalscenarios have been considered there, but the one that isof highest interest is the combination of post-selectionwith reverse reconciliation. The explicit expressions areomitted here, as they do not give additional insight. Theevaluations of the overall key rate

K = R

∫

da db ∆I(a, b) (68)

is then done numerically.

VI. DISTRIBUTED-PHASE-REFERENCE PROTOCOLS

A. Status of security proofs

As we said in II.D.4, distributed-phase-reference proto-cols were invented by experimentalists, looking for prac-tical solutions. Only later it was noticed that theseprotocols, in addition to be practical, may even yieldbetter rates than the traditional discrete-variable pro-tocols, i.e. rates comparable to those of decoy-statesimplementations. The reason is that the PNS at-tacks are no longer zero-error attacks both for DPS(Inoue and Honjo, 2005) and for COW (Gisin et al.,2004; Stucki et al., 2005). In fact, the number of pho-tons in a given pulse and the phase coherence be-tween pulses are incompatible physical quantities. Atthe moment of writing, no bound is known for theunconditional security of DPS or COW, but severalrestricted attacks have been studied (Branciard et al.,2007; Branciard, Gisin and Scarani, 2008; Curty et al.,2007; Tsurumaru, 2007; Waks, Takesue and Yamamoto,2006). In these studies, it has also been noticed thatDPS and especially COW can be modified in a way thatdoes not make them more complicated, but may makethem more robust (Branciard, Gisin and Scarani, 2008).Since this point has not been fully developed though, werestrict our attention to the original version of these pro-tocols.

30

B. Bounds for DPS and COW

1. Collective beam-splitting attack

We present the calculation of the simplest zero-error collective attack, namely the beam-splitting attack(Branciard, Gisin and Scarani, 2008). For both DPSand COW, Alice prepares a sequence of coherent states⊗

k |α(k)〉: each α(k) is chosen in {+α,−α} for DPS, in{+α, 0} for COW. Eve simulates the losses with a beam-splitter, keeps a fraction of the signal and sends the re-maining fraction τ = t tBη to Bob on a lossless line —note that, although this security study does not provide alower bound, we work in the uncalibrated-device scenariofor the sake of comparison with the other protocols. Bobreceives the state is

⊗

k |α(k)√τ〉: in particular, Bob’s

optical mode is not modified, i.e. BSA introduces no er-ror51. Eve’s state is

⊗

k |α(k)√1− τ 〉; let us introduce

the notations αE = α√1− τ and

γ = e−|αE|2 = e−µ(1−τ) . (69)

When Bob announces a detection involving pulses k − 1and k, Eve tries to learn the value of his bit by lookingat her systems. Assuming that each bit value is equallyprobable, Eve’s information is given by IEve = S(ρE) −12S(ρE|0)− 1

2S(ρE|1) with ρE = 12ρE|0 +

12ρE|1.

The information available to Eve differs for the twoprotocols, because of the different coding of the bits.In DPS, the bit is 0 when α(k − 1) = α(k) and is 1when α(k − 1) = −α(k). So, writing Pψ the projectoron |ψ〉, the state of two consecutive pulses reads ρE|0 =12P+αE ,+αE

+ 12P−αE ,−αE

and ρE|1 = 12P+αE ,−αE

+12P−αE ,+αE

; therefore, noticing that |〈+αE | − αE〉| = γ2,we obtain

IDPSE,BS(µ) = 2h[(1− γ2)/2]− h[(1− γ4)/2] (70)

where h is the binary entropy function, and

K(µ) = νS(

1− e−µt tBη) [

1− IDPSE,BS(µ)]

. (71)

In COW, the bit is 0 when α(k − 1) =√µ , α(k) = 0

and is 1 when α(k − 1) = 0 , α(k) =√µ; so, with similar

notations as above, ρE|0 = P+αE ,0 and ρE|1 = P0,+αE;

therefore, noticing that |〈+αE |0〉| = γ, we obtain

ICOWE,BS (µ) = h[(1− γ)/2] . (72)

The secret key rate is given by

K(µ) = νS(

1− e−µt tBη) [

1− ICOWE,BS (µ)]

(73)

51 Apart from BSA, other attacks exist that do not introduce errors:for instance, photon-number-splitting attacks over the whole key,preserving the coherence (these are hard to parametrize and havenever been studied in detail). For COW, there exist also attacksbased on unambiguous state discrimination (Branciard et al.,2007).

where νS = νS1−f2 because the fraction f of decoy se-

quences does not contribute to the raw key, and half ofthe remaining pulses are empty.

2. More sophisticated attacks

For the purpose of comparison with other pro-tocols later in this review, it is useful to moveaway from the strictly zero-error attacks. Sev-eral examples of more sophisticated attackshave indeed been found (Branciard et al., 2007;Branciard, Gisin and Scarani, 2008; Curty et al., 2007;Tsurumaru, 2007; Waks, Takesue and Yamamoto, 2006).Instead of looking for the exact optimum among thoseattacks, we prefer to keep the discussion simple, bearingin mind that all available bounds are to be replaced oneday by unconditional security proofs.

We consider attacks in which Eve interacts coher-ently with pairs of pulses (Branciard, Gisin and Scarani,2008). Upper bounds have been provided in the limitµt ≪ 1 of not-too-short distances. Even within thisfamily, a simple formula is available only for COW. ForCOW, there is no a priori relation between the error onthe key ε and the visibility V observed on the interferom-eter. If e−µ ≤ ξ ≡ 2

√

V (1 − V ), one finds ICOWE (µ) = 1:µ is too large and no security is possible. If on the con-trary e−µ > ξ, the best attack in the family yields

ICOWE (µ) = ε+ (1 − ε)h

(

1 + FV (µ)

2

)

(74)

with FV (µ) = (2V − 1)e−µ − ξ√1− e−2µ. Therefore

K(µ) = R[

1− ICOWE (µ)− leakEC(Q)]

(75)

where the value of R is constrained by the definition ofthe attack to be νS [µt tBη + 2pd].

As for DPS, numerical estimates show that its ro-bustness under the same family of attacks is very sim-ilar (slightly better) than the one of COW. Therefore,we shall use (75) as an estimate of the performances ofdistributed-phase-reference protocols in the presence oferrors; again, for the sake of comparison with the otherprotocols, we have adopted the uncalibrated-device sce-nario here52.

52 For the family of attacks under study, the rate scales linearlywith the losses, therefore the difference between calibrated anduncalibrated devices is only due to the dark counts. We haveto warn that the attacks based on unambiguous state discrimi-nation (Branciard et al., 2007), which have been studied only infor calibrated devices, are expected to become significantly morecritical in the uncalibrated-device scenario. However, this morecomplex family of attacks can be detected by a careful statisticalanalysis of the data: we can therefore leave it of our analysis,which is anyway very partial.

31

VII. COMPARISON OF EXPERIMENTAL PLATFORMS

A. Generalities

After having presented the various forms that practi-cal QKD can take, it is legitimate to try and draw somecomparison. If one would dispose of unlimited financialmeans and manpower, then obviously the best platformwould just be the one that maximizes the secret key rateK for the desired distance. A choice in the real worldwill obviously put other parameters in the balance, likesimplicity, stability, cost... Some partial comparisons areavailable in the literature; but, to our knowledge, this isthe first systematic attempt of comparing all the mostmeaningful platforms of practical QKD. Of course, anyattempt of putting all platforms on equal footing con-tains elements of arbitrariness, which we shall discuss.Also, we are bounded by the development of the secu-rity proofs, as largely discussed in the previous sections.We have chosen to compare the best available bounds,which however do not correspond to the same degree ofsecurity: for the implementations of the BB84 coding, wehave bounds for unconditional security, i.e. for securityagainst all possible attacks allowed by quantum physics;for continuous variable systems, we have security againstcollective attacks; for the new protocols like COW andDPS, we have security only against specific families ofattacks.As stressed many times, the security of a given QKD

realization must be assessed usingmeasured values. Here,we have to present some a priori estimates: they neces-sarily involve choices, which have some degree of arbi-trariness. The first step is to provide a model for thechannel : the one that we give (VII.A.1) corresponds wellto what is observed in all experiments and is thereforerather universally accepted as an a priori model. At therisk of being redundant, we stress that the actual realiza-tion of this specific channel is not a condition for security:Eve might realize a completely different channel, and thegeneral formulas for security apply to any case53. Oncethe model of the channel accepted, one still has to choosethe numerical values for all the parameters.

1. Model for the source and channel

We assume that the detection rates are those that areexpected in the absence of Eve, given the source andthe distance between Alice and Bob. As for the errorrates, we consider a depolarizing channel with visibilityV . For an a priori choice, the modeling of the channel

53 The attacks we studied against DPS and COW, Section VI, dosuppose a model of the channel. This is a signature of the incom-pleteness of such studies. Security can be guaranteed by addingthat, if the channel deviates from the expected one, the protocolis aborted.

just sketched is rather universally accepted. In detail, itgives the following:

Discrete-variable protocols, P&M. We con-sider implementations of the BB84 coding. Therate is estimated by R = νS [P + Pd] withP = pA(1)t tBη + pA(n ≥ 2)[1 − (1 − t tBη)

2] and Pd =2pd

[

pA(0) + pA(1)(1 − t tBη) + pA(n ≥ 2)(1− t tBη)2]

.The error rate in the channel is ε = (1 − V )/2, so theexpected error rate is Q = [εP+Pd/2]/(R/νS). For weakcoherent pulses without decoy states, pA(1) = e−µµ,pA(n ≥ 2) = 1 − e−µ(1 + µ), and we optimize K givenby (28) over µ. For weak coherent pulses with decoystates, we consider an implementation in which onevalue of µ is used almost always, while sufficiently manyothers are used, so that all the parameters are exactlyevaluated. The statistics of the source are as above; Y0is estimated by νS 2pdpA(0)/R, Y1 by νSpA(1)t tBη/R,and we optimize K given by (31) over µ. For perfectsingle-photon sources, pA(1) = 1 and pA(n ≥ 2) = 0; wejust compute (28), as there is nothing to optimize.

Discrete-variable protocols, EB. Again, we considerimplementations of the BB84 coding. Since most ofthe experiments have been performed using cw-pumpedsources, we shall restrict to this case54. For such sources,ζ = 0 with good precision, therefore the bounds (39)and (40) for K are identical. K will be optimized overµ′, the mean pair-generation rate of the source. Notethat νcwS given by Eq. (17) depends on µ′; given this, onehas pA(1) ≈ 1 and pA(2) ≈ µ′ ∆t if µ′∆t ≪ 1: indeed,neglecting dark counts, whenever any of Alice’s detec-tors fires there is at least one photon going to Bob; andthe probability that another pair appears during the co-incidence window ∆t is approximately µ′∆t. The totalexpected error is Q = [(ε+ ε′)P + Pd/2]/(R/νS), whereε = (1 − V )/2 as above and ε′ ≈ µ′∆t

2 is the error ratedue to double-pair events.

Continuous-variable protocols. We consider the proto-col that uses coherent states with Gaussian modulation,and compute the best available bound (66), which givesecurity against collective attacks. The reference beamis supposed to be so intense, that there is always a signalarriving at the homodyne detection, so R = νS . The er-ror is modeled by (55). Now, just as for discrete variableprotocols one can optimize K over the mean number ofphotons (or of pairs) µ for each distance, here one canoptimize K over the variance v of the modulation. Notethat this optimization has become possible in practice

54 Pulsed sources can be treated in a similar way. For short pulseschemes, one would have pA(1) ≈ µ and pA(2) ≈ 3

4µ2 if µ ≪ 1;

for long-pulse pumping, the statistics of pairs is approximatelyPoissonian: pA(1) ≈ µ and pA(2) ≈ µ2/2 if µ ≪ 1 and themost of the multi-pair events are uncorrelated. In both cases,the intrinsic error rate due to double-pair events is ε′ ≈ µ/2(Eisenberg et al., 2004; Scarani et al., 2005). Note that the pa-rameter ζ may be different from 0 in the case of short pulseschemes.

32

Platform Parameter Set #1 Set #2

µ mean intensity (opt.) (opt.)

V visibility: P&M 0.99 0.99

V visibility: EB 0.96 0.99

BB84, tB transmission in Bob’s device 1 1

COW η det. efficiency 0.1 0.2

pd dark counts 10−5 10−6

ε (COW) bit error 0.03 0.01

ζ (EB) coherent 4 photons 0 0

leak EC code 1.2 1

v = vA + 1 variance (opt.) (opt.)

ε optical noise 0.005 0.001

CV η det. efficiency 0.6 0.85

vel electronic noise 0.01 0

β EC code 0.9 0.9

TABLE II Parameters used for the a priori plots in this Sec-tion. See main text for notations and comments. The caption(opt.) means that the parameter will be varied as a functionof the distance in order to optimize K.

only recently, thanks to the latest developments in errorcorrection codes (Leverrier et al., 2007).Distributed-phase-reference protocols. As mentioned,

apart from the errorless case, a simple formula exists onlyfor COW, which moreover is valid only at not too shortdistances. We use this bound to represent distributed-phase reference protocols in this comparison, keeping inmind that DPS performs slightly better, but that any-way only upper bounds are available. Specifically, wehave R ≈ νS [µt tBη+2pd]; we optimize then K(µ) givenby (75) over µ, and keep the value only if µoptt ≤ 0.1.The expected error rate is formally the same as for P&MBB84; recall however that here the bit-error ε is not re-lated to the visibility of the channel and must be chosenindependently.

2. Choice of the parameters

We shall use two sets of parameters (Table II): set #1corresponds to today’s state-of-the-art, while set #2 re-flects a more optimistic but not unrealistic development.Moreover, we make the following choices:

• Unless specified otherwise (see VII.B.3), the plotsuse the formulas for the uncalibrated-device sce-nario. The reason for this choice is the same as dis-cussed in III.B.5: unconditional security has beenproved only in this over-pessimistic scenario.

• Since we are using formulas that are valid only inthe asymptotic regime of infinitely long keys, we re-move the nuisance of sifting by allowing an asym-metric choice of bases or of quadratures. Specif-ically, this leads to νS = νS for both BB84 and

continuous-variables. Similarly, for COW we canset f = 0, whence νS = νS/2.

• For definiteness, we consider fiber-based implemen-tations; in particular, the relation between distanceand transmission will be (13) with α = 0.2dB/km;and the parameters for photon counters are given attelecom wavelengths (Table II). The reader mustkeep in mind that in free space implementations,where one can work with other frequencies, therates and the achievable distance may be larger.

B. Comparisons based on K

1. All platforms on a plot

As a first case study, we compare all the platforms onthe basis by plotting K/νS as a function of the transmit-tivity t of the channel. The result is shown in Fig. 1. Aspromised, we have to stress the elements of arbitrarinessin this comparison (in addition to the choices discussedabove). First of all, we recall that the curves do notcorrespond to the same degree of security (see VII.A).Second, we have considered “steady-state” key rates, be-cause we have neglected the time needed for the classicalpost-processing; this supposes that the setup is stableenough to run in that regime (and it is fair to say thatmany of the existing platforms have not reached such astage of stability yet). Third, the real performance is ofcourse K: in particular, if some implementations havebottlenecks at the level of νS (see III.A), the order of thecurves may change significantly.

2. Effect of a duty cycle

As a second case study, we consider a more technicalissue related to the repetition rate νS given by (16). Asmentioned (II.H and III.A), the Plug&Play configurationcontains an intrinsic duty cycle over a time Tdc = 2ℓ/c,where ℓ is the distance. The nuisance is not negligi-ble: for ℓ ≈ 100 km, this limits the repetition rate to1/Tdc ≈ 1 kHz. A plot is shown in Fig. 2, where thePlug&Play configuration is compared to an ideal one-way implementation without duty cycle — we recall thatthe best one-way setup as of today has a duty cycle(Gobby, Yuan and Shields, 2004), but this is not intrinsicto the implementation. This plot stresses the importanceof taking the duty cycle into account when assessing the-oretically the performances of an implementation.

3. Upper bound incorporating the calibration of the devices

As a third case study, we show the difference betweenthe lower bounds derived in the uncalibrated-device sce-nario, and some upper bounds that incorporate the cali-bration of the devices.

33

0 10 20 30 40

10−6

10−4

10−2

100

t [dB]

K/ν

S

decoy

1−phEB

WCP COW

CV

0 10 20 30 4010

−6

10−4

10−2

100

t [dB]

K/ν

S

CV

1−phEBWCP COW

decoy

FIG. 1 (Color online). K/νS as a function of the transmit-tivity t, for all the platforms. Legend: 1-ph: perfect single-photon source, unconditional; WCP: weak coherent pulseswithout decoy states, unconditional; decoy: weak coherentpulses with decoy states, unconditional; EB: entanglement-based, unconditional; CV: continuous-variables with Gaus-sian modulation, security against collective attacks; COW:Coherent-One-Way, security against the restricted family ofattacks described in VI.B.2. Parameters from Table II: set#1 upper graph, set #2 lower graph.

We focus first on BB84 implemented with weak coher-ent pulses ; the upper bounds under study have been de-rived in IV.C. The plots in Fig. 3 show how much onecan hope to improve the unconditional security boundsfrom their present status. As expected, the plot con-firms that basically no improvement is expected for im-plementations with decoy states, because there only thetreatment of dark counts is different; while the bound forimplementations without decoy states may still be theobject of significant improvement.

We turn now to CV QKD with Gaussian modulation.Bounds for the security against collective attacks as-suming calibrated devices are given in Eqs (5)-(12) of(Lodewyck, Bloch et al., 2007). The plots are shown in

0 50 100 15010

−2

100

102

104

distance [km]

K [H

z]

decoy

WCP

ideal one−way

Plug&Play

FIG. 2 (Color online). K as a function of the distance ℓfor the P&M implementations of BB84 with weak coherentpulses: ideal one-way implementations (same as in Fig. 1, up-per graph) compared to Plug&Play implementations. Legendas in Fig. 1. Source characterized by νmax

S = 1 MHz, otherparameters from Table II, set #1.

0 5 10 15 20 25 30

10−6

10−4

10−2

t [dB]

K/ν

S

WCP decoy

FIG. 3 (Color online). K/νS as a function of the transmissiont for the P&M implementations of BB84 with weak coherentpulses: comparison between the lower bound (solid lines, sameas in Fig. 1, upper graph) and the upper bound for calibrateddevices (dashed lines). Legend as in Fig. 1. Parameters fromTable II, set #1.

Fig. 4. One sees that the difference between the twoscenarios is significant for set #1 of parameters, but isnegligible for the more optimistic set #2. This is interest-ing, given that the efficiency η of the detectors is “only”85% in set #2.

C. Comparison based on the “cost of a linear network”

We consider a linear chain of QKD devices, aimed atachieving a secret key rate Ktarget over a distance L.

34

0 5 10 15 20 25 30 35 40

10−4

10−2

100

t [dB]

K/ν

S

set #1

set #2

FIG. 4 (Color online). K/νS as a function of the transmissiont for CV QKD with Gaussian modulation, security againstcollective attacks, comparison between the lower bound (solidlines, same as in Fig. 1) and the upper bound for calibrateddevices (dashed lines) for both sets of parameters from TableII. Compared to Fig. 1, the color of the lines of set #1 waschanged for clarity.

Many devices can be put in parallel, and trusted repeaterstations are built at the connecting points. Each individ-ual QKD device is characterized by the point-to-pointrate K(ℓ) it can achieve as a function of the distance ℓ,

and by its cost C1. We need N = LℓKtarget

K(ℓ) devices to

achieve the goal, so the cost of the network is55

Ctot[ℓ] = C1L

ℓ

Ktarget

K(ℓ). (76)

The best platform is the one that minimizes this cost,i.e., the one that maximizes F (ℓ) = ℓK(ℓ). This quantity,normalized to νS , is plotted in Fig. 5 as a function of thedistance for both sets of parameters defined in Table II.Of course, this comparison presents the same elements ofarbitrariness as the previous one.

The optimal distances are quite short, and this can beunderstood from a simple analytical argument. Indeed,typical behaviors areK(ℓ) ∝ t (single-photon sources, at-tenuated lasers with decoy states, strong reference pulses)and K(ℓ) ∝ t2 (weak coherent pulses without decoystates). Using t = 10−αℓ/10, it is easy to find ℓopt whichmaximizes F (ℓ):

K(ℓ) ∝ tk −→ ℓopt = 10/(kα ln 10) . (77)

In particular, for α ≈ 0.2dB/km, one has ℓopt ≈ 20kmfor k = 1 and ℓopt ≈ 10km for k = 2.

55 In this first toy model, we neglect the cost of the trusted repeaterstations; see (Alleaume et al., 2008) for a more elaborated model.

In conclusion, our toy model suggests that, in a net-work environment, one might not be interested in push-ing the maximal distance of the devices; in particu-lar, detector saturation (which we neglected in the plotsabove) may become the dominant problem instead ofdark counts.

0 20 40 60 80 100 120 14010

−4

10−3

10−2

10−1

100

101

distance [km]

F/ν

S

CV

1−ph

decoyEB

COWWCP

0 50 100 150 20010

−4

10−3

10−2

10−1

100

101

distance [km]

F/ν

S

CV

1−ph

decoy

EBCOWWCP

FIG. 5 (Color online). F/νS as a function of the distance ℓfor all the platforms. Legend as in Fig. 1. Parameters fromTable II: set #1 upper graph, set #2 lower graph.

VIII. PERSPECTIVES

A. Perspectives within QKD

1. Finite-key analysis

As stressed, all the security bounds presented in thisreview are valid only in the asymptotic limit of infinitelylong keys. Proofs of security for finite-length keys areobviously a crucial tool for practical QKD. The esti-mate of finite-key effects, unfortunately, has received verylimited attention so far. The pioneering work by In-amori and co-workers (Inamori, Lutkenhaus and Mayers,

35

2001-2007), as well as some subsequent ones (Hayashi,2006; Watanabe et al., 2004), have used non-composabledefinitions of security (see II.C.1). This is a problembecause the security of a finite key is never perfect, soone needs to know how it composes with other tasks.Others studied a new formalism but failed to proveunconditional security (Meyer et al., 2006). The mostrecent works comply with the requirements (Hayashi,2007a; Scarani and Renner, 2007); finite statistics havebeen incorporated in the analysis of an experiment(Hasegawa et al., 2007). Without going into details, allthese works estimate that no key can be extracted if fewerthan N ≈ 105 signals are exchanged.

2. Open issues in unconditional security

We have said above that, for CV QKD and distributed-phase reference protocols, no unconditional securityproof is available yet. However, there is an importantdifference between these cases. In the existing CV QKDprotocols, the information is coded in independent sig-nals; as such, it is believed that unconditional securityproofs can be built as generalizations of the existing ones.On the contrary, the impossibility of identifying signalswith qubits in distributed-phase reference protocols willrequire a completely different approach, which nobodyhas been able to devise at the moment of writing.As explained in III.B.5, all unconditional security

proofs have been derived under the over-conservativeassumption of uncalibrated devices. Ideally, such anassumption should be removed: one should work outunconditional security proofs taking into account theknowledge about the detectors; this would lead to bet-ter rates. We also discussed how this task may providemore improvement for some protocols than for others(see VII.B.3). The difference between protocols can beunderstood from the fact that typically K ∼ (losses)α

with α ≥ 1. When α = 1, then the only advantage ofcalibrating the devices can come from the dark countcontribution. If on the contrary α > 1 (weak coherentpulses without decoy states: α = 2 for BB84, α = 3

2 forSARG04), then the difference is much larger, because itmatters whether tBη is included in the losses or not.Let us now rapidly review a few important points:

• First of all, if one wants to incorporate the calibra-tion of the devices, the protocol must include themonitoring of the double-clicks (Lutkenhaus, 1999).Failure to do so opens the possibility for Eve toinfluence the detections by sending bright pulses,thus effectively leading back to the uncalibrated-device case.

• A possible solution consists in including the cal-ibration of the devices in the protocol itself; theprice to pay seems to be a complication of the setup(Qi et al., 2006). The idea is somehow similar tothe one used in decoy states.

• When taking the calibration into account, it is oftenassumed that the dark counts do not enter in Eve’sinformation. Actually, things are more subtle. Onthe one hand, most of the dark counts will actu-ally decrease Eve’s information, because she doesnot know if a detection is due to the physical sig-nal (on which she has gained some information)or is a completely random event. On the otherhand, if a detection happens shortly after a previ-ous one, Eve may guess that the second event is infact a dark count triggered by an afterpulse, andtherefore learn some correlations between the tworesults. Admittedly, these are fine-tuning correc-tions, and have never been fully discussed in theliterature; but if one wants to prove unconditionalsecurity, also these marginal issues must be prop-erly addressed.

3. Black-box security proofs

The development of commercial QKD systems makesit natural to ask whether the “quantumness” of such de-vices can be proved in a black-box approach. Of course,the compulsory requirements (I.B.2) must hold. For in-stance, the random number generator cannot be withinthe black box, because it must be trusted; one must alsomake sure that no output port is diffusing the keys on theinternet; and so on. Remarkably though, all the quan-tum part can in principle be kept in a black-box. Theidea is basically the one that triggered Ekert’s discov-ery (Ekert, 1991), although Ekert himself did not pushit that far: the fact, that Alice and Bob observe correla-tions that violate a Bell inequality, is enough to guaranteeentanglement, independent of the nature of the quantumsignals and even of the measurements that are performedon them. This has been called “device-independent se-curity”; a quantitative bound was computed for collec-tive attacks on a modification of Ekert’s protocol, thegoal of proving unconditional security is still unattained(Acın et al., 2007). Device-independent security can beproved only for entanglement-based schemes: for this def-inition of security, the equivalence EB-P&M presented inII.B.1 does not hold. As long as the detection loopholeis open, these security proofs cannot be applied to anysystem; but by re-introducing some knowledge of the de-vices, they might provide a good tool for disposing of allquantum side-channels (III.B.4).

4. Toward longer distances: satellites and repeaters

The attempt of achieving efficient QKD over longdistances is triggering the most ambitious experimen-tal developments. Basically two solutions are be-ing envisaged. The first is to use the techniques offree space quantum communication to realize ground-to-satellite links (Aspelmeyer et al., 2003; Buttler et al.,

36

1998; Rarity et al., 2002). The main challenges are tech-nical: to adapt the existing optical tracking techniquesto the needs of quantum communication, and to builddevices that can operate in a satellite without need ofmaintenance.The second solution are quantum repeaters

(Briegel et al., 1998; Dur et al., 1999). The basicidea is the following: the link A-B is cut in segmentsA-C1, C1-C2, ..., Cn-B. On each segment independently,the two partners exchange pairs of entangled photons,which may of course be lost; but whenever both partnersreceive the photon, they store it in a quantum memory.As soon as there is an entangled pair on each link, theintermediate stations perform a Bell measurement, thusultimately swapping all the entanglement into A-B.Actually, variations of this basic scheme may be morepractical (Duan et al., 2001). Whatever the exact im-plementation, the advantage is clear: one does not haveto ensure that all the links are active simultaneously;but the advantage can only be achieved if quantummemories are available. The experimental research inquantum memories has boosted over the last years, butthe applications in practical QKD are still far awaybecause the requirements are challenging (see AppendixB).Teleportation-based links have been studied also in

the absence of quantum memories (quantum relays).They are rather inefficient, but allow to reduce the nui-sance of the dark counts and therefore increase the lim-iting distance (Collins, Gisin and de Riedmatten, 2005;Jacobs, Pittman and Franson, 2002); however, it seemssimpler and more cost-effective to solve the same prob-lem by using cryogenic detectors (see II.G).

5. QKD in networks

QKD is a point-to-point link between two users. Butonly a tiny fraction of all communication is done in ded-icated point-to-point links, most communication takesplace in networks, where many users are interconnected.Note that one-to-many connectivity between QKD de-vices can be obtained with optical switching (Elliott,2002; Elliott et al., 2005; Townsend et al., 1994).In all models of QKD networks, the nodes are operated

by authorized partners, while Eve can eavesdrop on allthe links. If the network is built with quantum repeatersor quantum relays, no secret information is available tothe nodes: indeed, the role of these nodes is to performentanglement swapping, so that Alice and Bob end upwith a maximally entangled — therefore fully private— state. Since quantum repeaters are still a challenge,trusted relays QKD networks have been considered. Inthis case, the nodes learn secret information during theprotocol. In the simplest model, a QKD key is created be-tween two consecutive nodes and a message is encryptedand decrypted hop-by-hop. This model has been adoptedby BBN Technologies and by the SECOQC QKD

networks (Alleaume et al., 2007; Dianati and Alleaume,2006; Dianati et al., 2008; Elliott, 2002; Elliott et al.,2005). Alternatively, the trusted relays can perform anintercept-resend chain at the level of the quantum signal(Bechmann-Pasquinucci and Pasquinucci, 2005).

B. QKD versus other solutions

Information-theoretically (unconditionally) secure keydistribution (key agreement), is a cryptographic taskthat, as well known, cannot be solved by public com-munication alone, i.e. without employing additional re-sources or relying on additional assumptions. BesidesQKD, the additional resource in this case being thequantum channel, a number of alternative schemes tothis end have been put forward (Ahlswede and Csiszar,1993; Csiszar and Korner, 1978; Maurer, 1993; Wyner,1975), to which one can also count the traditional trustedcourier approach (Alleaume et al., 2007). While the lat-ter is still used in certain high security environments,QKD is the sole automatic, practically feasible and ef-ficient information-theoretically secure key agreementtechnology, whereby in the point-to-point setting, lim-itations of distance and related key rate apply. Theselimitations can be lifted by using QKD networks, seeVIII.A.With this in mind, we address below typical secure

communication solutions in order to relate this subse-quently to the assets offered by QKD. Secure commu-nication in general requires encrypted (and authentic)transition of communication data. In current standardcryptographic practice both the encryption schemes andthe key agreement protocols used (whenever needed) arenot unconditionally secure. While there is really a verybroad range of possible alternatives and combinations,the most typical pattern for confidential communica-tion is the following: public key exchange protocols areused to ensure agreement of two identical keys; the en-cryption itself is done using symmetric-key algorithms.In particular, most often some realization of the Diffie-Hellman algorithm (Diffie and Hellman, 1976) is used inthe key agreement phase. The symmetric-encryption al-gorithms most widely used today belong to the bloc-cipher class and are typically 3DES (Coppersmith et al.,1996)or AES (Daemen and Rijmen, 2001).

The security of the Diffie-Hellman algorithm is basedon the assumption that the so called Diffie-Hellman prob-lem is hard to solve, the complexity of this problem beingultimately related to the hardness of the discrete loga-rithm problem (see (Maurer and Wolf, 1999, 2000) fora detailed discussion). It is widely believed, althoughit was never proven, that the discrete logarithm prob-lem is classically hard to solve. This is not true in thequantum case, since a quantum computer, if available,can execute a corresponding efficient algorithm by Pe-ter Shor (Shor, 1994, 1997), which is based on the samefundamental approach as is the Shor factoring algorithm,

37

already mentioned in I.A.

It should be further noted that that, similar to QKD,the Diffie-Hellman protocol can trivially be broken, ifthe authenticity of the communication channel is notensured. There are many means to guarantee commu-nication authenticity with different degrees of securitybut in any case additional resources are needed. In cur-rent common practice public key infrastructures are em-ployed, which in turn rely on public-key cryptographicprimitives (digital signatures), i.e. rely on similar as-sumptions as for the Diffie-Hellman protocol itself, andon trust in external certifying entities.

Turning now to encryption it should be underlined thatthe security of a block-cipher algorithm is based on theassumption that it has no structural weaknesses, i.e. thatonly a brute force attack amounting to a thorough searchof the key space (utilizing pairs of cipher texts and corre-sponding known or even chosen plain texts) can actuallyreveal the secret key. The cost of such an attack on aclassical computer is O(N) operations, where N is thedimension of the key space. The speed-up of a quan-tum computer in this case is moderate, the total numberof operations to be performed being O(

√N) (Grover,

1996, 1997). The assumption on the lack of structuralweaknesses itself is not related to any particular class ofmathematical problems and in the end relies merely onthe fact that such a weakness is not (yet) known. Cryp-tographic practice suggests that for a block-cipher algo-rithm such weaknesses are in fact discovered at the latesta few decades after its introduction56.

Before turning to a direct comparison of the describedclass of secure communication schemes with QKD-basedsolutions, it should be explained why public-key basedgeneration combined with symmetric-key encryption isactually the most proliferated solution. The reason isthat currently AES or 3DES encryption, in contrast todirect public-key (asymmetric) encryption, can ensure ahigh encryption speed and appears optimal in this re-spect. Typically high speed is achieved by designing ded-icated hardware devices, which can perform encryptionat very high rate and ensure a secure throughput of upto 10Gb per second. Such devices are offered by an in-creasing number of producers (see e.g. ATMedia GmbH,www.atmedia.de) and it is beyond the scope of the cur-rent article to address these in any detail. We would likehowever to underline an important side-aspect. In gen-eral, security of encryption in the described scenario isincreased by changing the key often, the rate of changebeing proportional to the dimension of the key space. Inpractice, however, even in the high speed case, the keyis changed at a rate lower than once per minute (oftenonce per day or even more seldom). The reason for thisis twofold: on the one hand public key agreement algo-rithms are generally slow and on the other, and more

56 Vincent Rijmen, private communication.

importantly, current design of the mentioned dedicatedencryption devices is not compatible with a rapid keyexchange.

The question now is how QKD compares with the stan-dard practice as outlined above. It is often argued thatQKD is too slow for practical uses and that the limiteddistance due to the losses is a limitation to the system assuch. In order to allow for a correct comparison one hasto define the relevant secure communication scenarios.There are two basic possibilities: (i) QKD is used in con-junction with One-Time Pad, (ii) QKD is used togetherwith some high speed encryptor (we note in passing thatthe second scenario appears to be a main target for thefew QKD producers).

The rate as a function of distance has been discussed indetail in the preceding sections. Here we shall consider anaverage modern QKD device operating in the range of 1to 10kbps over 25 km; the maximal distance of operationat above 100 bps being around 100 km.

Case (i) obviously offers information-theoretic securityof communication if the classical channel, both in thekey generation and the encryption phase, is addition-ally authenticated with the same degree of security. Asthis overhead to this end is negligible the QKD genera-tion rates as presented above are also the rates for se-cure communication. Obviously this is not sufficient forbroad-band data transmission but pretty adequate forcommunicating very-highly sensitive data. Another ad-vantage of this combination is the fact that keys can bestored for later use.

The security of the case (ii) is equivalent to the securityof the high speed encryption, which we addressed above,while all treats related to the key generation-phase areeliminated. At 25 km the QKD speed would allow keyrefreshment (e.g. in the case of AES with 256 bit keylength) of several times per second. This is remarkablefor two reasons: first, this is on or rather beyond thekey-exchange capacity of current high speed encryptors;second, it compares also to the performances of high levelclassical link encryptors, which refresh AES keys a fewtimes per second using Diffie-Hellman elliptic curve cryp-tography for key generation.

So in the second scenario QKD over performs the stan-dard solution at 25 km distance both in terms of speedand security.

Regarding the distance an interesting point is that clas-sical high-end encryptors use direct dark fibers, not forreasons related to security but for achieving maximalspeed, which also gives them a limitation in distance.However, classical key generation performed in softwareis naturally not bounded by the distance. In this sensestandard public-key based key agreement appears supe-rior. This is however a QKD limitation, which is typicalfor the point-to-point regime. As mentioned above, it islifted in QKD networks.

38

Acknowledgements

This paper has been written within the EuropeanProject SECOQC. The following members of the QITsub-project have significantly contributed to the reportthat formed the starting point of the present review: Ste-fano Bettelli, Kamil Bradler, Cyril Branciard, NicolasGisin, Matthias Heid, Louis Salvail.During the preparation of this review, we had fur-

ther fruitful exchanges with the above-mentioned col-leagues, as well as with: Romain Alleaume, Alexios Bev-eratos, Hugues De Riedmatten, Eleni Diamanti, PhilippeGrangier, Frederic Grosshans, Hannes Huebel, MasatoKoashi, Christian Kurtsiefer, Antia Lamas-Linares, An-thony Leverrier, Chiara Macchiavello, Michele Mosca,Miguel Navascues, Andrea Pasquinucci, Renato Renner,Andrew Shields, Christoph Simon, Kiyoshi Tamaki, Ak-ihisa Tomita, Yasuhiro Tokura, Zhiliang Yuan, HugoZbinden.

APPENDIX A: Unconditional security bounds for BB84and six-states, single-qubit signals

In this Appendix, we present a derivation of the uncon-ditional security bounds for the BB84 (Shor and Preskill,2000) and the six-state protocol (Lo, 2001) for the casewhere each quantum signal is a single qubit, or moregenerally when the quantum channel is a qubit channelfollowed by a qubit detection57.As usual, the proof is done in the EB scheme, the

application to the P&M case following immediately asdiscussed in II.B.1. Alice produces the state |Φ+〉 =1√2(|00〉+ |11〉), she keeps the first qubit and sends the

other one to Bob. This state is such that 〈σz ⊗ σz〉 =〈σx ⊗ σx〉 = +1 (perfectly correlated outcomes) and〈σy ⊗ σy〉 = −1 (perfectly anti-correlated outcomes); tohave perfect correlation in all three bases, Bob flips hisresult when he measures σy. We suppose an asymmet-ric implementation of the protocols: the key is extractedonly from the measurements in the Z basis, which is usedalmost always; the other measurements are used to esti-mate Eve’s knowledge on the Z basis, and will be used ona negligible sample (recall that we work in the asymptoticregime of infinitely long keys).Now we follow the techniques

of (Kraus, Gisin and Renner, 2005;Renner, Gisin and Kraus, 2005). Without loss ofgenerality, the symmetries of the BB84 and the six-stateprotocols58 imply that one can compute the bound by

57 For real optical channels and detection devices, even in the caseof perfect single photon source, an eavesdropper can make use ofthe larger Hilbert space supported by the devices. This needs tobe taken into account, leading to a more involved analysis, seee.g. (Lutkenhaus, 1999).

58 Actually, a lower bound can be computed in the same way for

restricting to collective attacks, and even further, tothose collective attacks such that the final state of Aliceand Bob is Bell-diagonal :

ρAB = λ1|Φ+〉〈Φ+|+ λ2|Φ−〉〈Φ−|+λ3|Ψ+〉〈Ψ+|+ λ4|Ψ−〉〈Ψ−| (A1)

with∑

i λi = 1. Since |Φ±〉 give perfect correlations inthe Z basis, while |Ψ±〉 give perfect anti-correlations, theQBER εz is given by

εz = λ3 + λ4 . (A2)

The error rates in the other bases are

εx = λ2 + λ4 , εy = λ2 + λ3 . (A3)

Eve’s information is given by the Holevo bound (21)IE = S(ρE)− 1

2S(ρE|0)− 12S(ρE|1) since both values of the

bit are equiprobable in this attack. Since Eve has a purifi-cation of ρAB, S(ρE) = S(ρAB) = H ({λ1, λ2, λ3, λ4}) ≡H(λ) where H is Shannon entropy. The computation ofρE|b is made in two steps. First, one writes down ex-

plicitly the purification59 |Ψ〉ABE =∑

i

√λi|Φi〉AB|ei〉E ,

where we used an obvious change of notation for theBell states, and where 〈ei|ej〉 = δij . Then, one tracesout Bob and projects Alice on |+ z〉 for b = 0, on| − z〉 for b = 1. All calculations done, the result isS(ρE|0) = S(ρE|1) = h(εz). So we have obtained

IE(λ) = H(λ)− h(εz) . (A4)

Now we have to particularize to the two protocols understudy.Let’s start with the six-state protocol. In this case,

both εx and εy are measured, so all the four λ’s are di-rectly determined. After easy algebra, one finds

IE(ε) = εz h

[

1 + (εx − εy)/εz2

]

+(1− εz)h

[

1− (εx + εy + εz)/2

1− εz

]

. (A5)

Under the usual assumption of a depolarizing channel,εx = εy = εz = Q, this becomes

IE(Q) = Q+ (1−Q)h

[

1− 3Q/2

1−Q

]

. (A6)

The corresponding secret fraction (one-way post-processing, no pre-processing and perfect error correc-tion) is r = 1 − h(Q) − IE(Q), which goes to 0 forQ ≈ 12.61%.

a very general class of protocols; but it may not be tight, asexplicitly found in the case of SARG04 (Branciard et al., 2005;Kraus, Branciard and Renner, 2007).

59 All purifications are equivalent under a local unitary operationon Eve’s system, so Eve’s information does not change with thechoice of the purification.

39

The calculation is slightly more complicated for BB84,because there only εx is measured; therefore, there is stilla free parameter, which must be chosen as to maximizeEve’s information. The simplest way of performing thiscalculation consists in writing λ1 = (1− εz)(1− u), λ2 =(1 − εz)u, λ3 = εz(1 − v), λ4 = εzv, where u, v ∈ [0, 1]are submitted to the additional constraint

(1− εz)u+ εzv = εx . (A7)

Under this parametrization,H(λ) = h(εz)+(1−εz)h(u)+εzh(v) and consequently

IE(λ) = (1− εz)h(u) + εzh(v) (A8)

to be maximized under the constraint (A7). This can bedone easily by inserting v = v(u) and taking the deriva-tive with respect to u. The result is that the optimalchoice is u = v = εx so that

IE(ε) = h (εx) . (A9)

The usual case is εx = εz = Q, which however here doesnot correspond to the depolarizing channel: the relationsabove imply εy = 2Q(1 − Q), which corresponds to theapplication of the so-called “phase-covariant cloning ma-chine” (Brußet al., 2000; Griffiths and Niu, 1997). Thecorresponding secret fraction (again for one-way post-processing, no pre-processing and perfect error correc-tion) is r = 1 − h(Q) − IE(Q), which goes to 0 forQ ≈ 11%.

APPENDIX B: Elementary estimates for quantumrepeaters

1. Quantum memories

A quantum memory is a device that can store anincoming quantum state (typically, of light) and re-emit it on demand without loss of coherence. Afull review of the research in quantum memories isclearly beyond our scope. Experiments are being pur-sued using several techniques, like atomic ensembles(Chou et al., 2007; Julsgaard et al., 2004), NV centers(Childress et al., 2006), doped crystals (Alexander et al.,2006; Staudt et al., 2007).Two characteristics of quantum memories are espe-

cially relevant for quantum repeaters. A memory is calledmultimode if it can store several light modes and onecan select which mode to re-emit; multimode memoriesare being realized (Simon et al., 2007). A memory iscalled heralded if its status (loaded or not loaded) canbe learned without perturbation; there is no proposal todate on how to realize such a memory.

2. Model of quantum repeater

Here we present a rapid comparison of the direct linkwith the two-link repeater and discuss the advantages and

A B

A BC

M M

A B

M� M�

C1 C2D

A B

A BC

M M

A B

M� M�

C1 C2DFIG. 6 Three configurations for quantum repeaters: directlink, two-link repeater and four-link repeater.

problems that arise in more complex repeaters. We con-sider the architecture sketched in Fig. 6, correspondingto the original idea (Briegel et al., 1998).

a. Definition of the model

Our elementary model is described as follows:

• Source: perfect two-photon source with repetitionrate νS ;

• Quantum channel: the total distance between Aliceand Bob is ℓ. The channel is noiseless; its lossescharacterized by α, we denote t = 10−αℓ/10 thetotal transmittivity.

• Detectors of Alice and Bob: efficiency η; neglecteddark counts, dead-time and other nuisances.

• Quantum memories: multimode memories that canstore N modes. We write pM the probability thata photon is absorbed, then re-emitted on demand(contains all the losses due to coupling with otherelements). The memory has a typical time TM ,that we shall consider as a life-time60.

• Bell measurement: linear optics, i.e. probabilityof success 1

2 . Fidelity F , depolarized noise (i.e. adetection comes from the desired Bell state withprobability F , from any of the others with equalprobability (1 − F )/3). The detectors have effi-ciency ηM and no dark counts.

60 That is, photons may be lost but do not decohere in the memory.Note that this can be the case even if the atoms, which form thememory, do undergo some decoherence (Staudt et al., 2007).

40

b. Detection rates

For the direct link, the key rate is just the detectionrate in our simplified model:

K1 = R1 = νStη2 . (B1)

In the two-link repeater, the central station (Christoph)holds the two sources and the memories. Consider oneof the links, say with Alice. The source produces groupsof N pairs, each pair in a different mode; one photonper pair is kept in the memory, the other is sent to Al-ice. Alice announces whether she has detected at leastone photon: if she has, Christoph notes which one; if shehas not, Christoph releases the memory and starts theprotocol again. The same is going on on the other link,the one with Bob, independently. As soon as both part-ners have announced a detection, Christoph releases thecorresponding photons, performs the Bell measurementand communicates the result to Alice and Bob, who post-select their results accordingly61. Note that the memoriesneed not be heralded in this scheme.Here is the quantitative analysis of the two-link re-

peater. Any elementary run takes the time for the photonto go from the source to the detector, then for the com-munication to reach back Christoph, i.e. ℓ/c. In each run,the probability of a detection is 1− (1−

√tη)N ≈ N

√tη.

Then, in average, the Bell measurement will be per-

formed after a time62 τ ≈ 32

ℓ/c

N√tη. Consequently,

R2 =

{

τ−1 12p

2Mη

2M if τ < TM

0 otherwise(B2)

where we have supposed that the memory time TM de-fines a sharp cut, which is another simplification. Thisis the expected result: R2 scales with

√tη and not with

tη2, because each link can be activated independently.Finally, in our model, the error rate is uncorrelated withthe other parameters and only due to the fidelity of theBell measurement; so

K2 = R2 [1− 2h(ε)] (B3)

with ε = 23 (1−F ) because one of the “wrong” Bell states

gives nevertheless the correct bit correlations. In particu-lar, the fidelity of a Bell measurement must exceed 83.5%to have K2 > 0.

61 Recall that there is no time-ordering in quantum correlations:so, this procedure gives exactly the same statistics as the “usual”entanglement swapping, in which the Bell measurement is madebeforehand.

62 In fact, let x = 1 − (1 −√tη)N : the probability that Alice’s

(Bob’s) detector is activated by the m-th group of N pairs isp1(m) = x(1−x)m−1. Therefore, the probability that both linksare activated exactly by the n-th repetition is p(n) = 2p1(n)p1(<n) + p1(n)2 = x(1 − x)n−1[2 − (2 − x)(1 − x)n−1] with p1(<

n) =∑n−1

m=1p1(m). Finally, the number of repetitions needed

to establish the link is 〈n〉 =∑

nnp(n) = 1

x

(

3−2x2−x

)

.

0 100 200 300 400 500 600 70010

−5

100

105

1010

distance [km]

(b)

(a)

(c)

FIG. 7 Comparison of K1 (straight line) and K2. For allcurves: νS = 10GHz, η = 0.5, ηM = 0.9, pM = 0.9, α =0.2dB/km (fibers), TM = 10s. Line (a): best case, N = 1000,F = 0.95; line (b): N = 1000, fidelity reduced to F = 0.9;line (c): supported modes reduced to N = 100, F = 0.95.

Some plots of K1 and K2 as a function of the distanceare shown in Fig. 7. The chosen values are already opti-mistic extrapolations of what could be achieved in a nottoo distant future. We notice that quantum repeatersovercome the direct link for ℓ >∼ 500km in fibers; withη = 0.5 and N = 1000, this requires TM ≈ 10s. Also,the number of modes supported by the memory is a morecritical parameter than the fidelity of the Bell measure-ment. This analysis provides a rough idea of the perfor-mances to be reached in order for quantum repeaters tobe useful.For the next step, the four-link repeater, we content

ourselves with a few remarks. The four-link repeater al-lows in principle to reach the scaling R4 ∝ t1/4. Therequirements for a practical implementation, however,become more stringent: the four memories must be re-leased before TM ; there are three Bell measurements, soε < 11% requires F >∼ 95%; also, pM ′ ≈ pM t

1/4. More-over, it is easy to realize that the basic scheme (Fig. 6)requires heralded memories, although other schemes donot (Duan et al., 2001).

References

Acın, A., J. I. Cirac, and L. Masanes, 2004, Phys. Rev. Lett.92, 107903.

Acın, A., N. Gisin, and V. Scarani, 2004, Phys. Rev. A 69,012309.

41

Acın, A., and N. Gisin, 2005, Phys. Rev. Lett. 94, 020501.Acın, A., N. Gisin, and L. Masanes, 2006, Phys. Rev. Lett.

97, 120405.Acın, A., N. Brunner, N. Gisin, S. Massar, S. Pironio, V.

Scarani, 2007, Phys. Rev. Lett. 98, 230501.Adachi, Y., T. Yamamoto, M. Koashi, and N. Imoto, 2007,

Phys. Rev. Lett. 99, 180503.Agrawal, G.P., 1997, Fiber-Optic Communication Systems

(John Wiley and Sons).Ahlswede, R., and I. Csiszar, 1993, IEEE Trans. Inf. Theory

39, 1121.Alexander, A.L., J.J. Longdell, M.J. Sellars, and N.B. Man-

son, 2006, Phys. Rev. Lett. 96, 043602.Alleaume, R., F. Treussart, G. Messin, Y. Dumeige, J.-F.

Roch, A. Beveratos, R. Brouri-Tualle, J.-P.Poizat, and P.Grangier, 2004, New J. Phys. 6, 92.

Alleaume, R., J. Bouda, C. Branciard, T. Debuisschert, M.Dianati, N. Gisin, M. Godfrey, P. Grangier, T. Langer,A. Leverrier, N. Lutkenhaus, P. Painchault, M. Peev, A.Poppe, T. Pornin, J. Rarity, R. Renner, G. Ribordy, M.Riguidel, L. Salvail, A. Shields, H. Weinfurter, and A.Zeilinger, 2007, eprint quant-ph/0701168 (SECOQC WhitePaper on Quantum Key Distribution and Cryptography )

Alleaume, R., E. Diamanti, N. Lutkenhaus, and F. Roueff,2008, in preparation.

Aspelmeyer, M., T. Jennewein, M. Pfennigbauer, W. Leeb,and A. Zeilinger, 2003, IEEE J. of Selected Topics in Quan-tum Electronics 9, 1541.

Bae, J., and A. Acın, 2007, Phys. Rev. A 75, 012334.Barrett, J., L. Hardy, and A. Kent, 2005, Phys. Rev. Lett.

95, 010503.Bechmann-Pasquinucci, H. and N. Gisin, 1999, Phys. Rev. A

59, 4238.Bechmann-Pasquinucci, H. and A. Peres, 2000, Phys. Rev.

Lett. 85, 3313.Bechmann-Pasquinucci, H. and W. Tittel, 2000, Phys. Rev.

A 61, 062308.Bechmann-Pasquinucci H. and A. Pasquinucci, 2005, eprint

quant-ph/0505089.Bechmann-Pasquinucci, H., 2006, Phys. Rev. A 73, 044305.Bennett, C.H. and G. Brassard, 1984, in Proceedings IEEE

Int. Conf. on Computers, Systems and Signal Processing,Bangalore, India (IEEE, New York), p. 175.

Bennett, C.H., G. Brassard, and N.D. Mermin, 1992, Phys.Rev. Lett. 68, 557.

Bennett, C.H., 1992, Phys. Rev. Lett. 68, 3121.Bennett, C. H., F. Bessette, L. Salvail, G. Brassard, and J.

Smolin, 1992, J. Cryptology 5, 3,Ben-Or, M., M. Horodecki, D. W. Leung, D. Mayers, and

J. Oppenheim, 2005, in: Theory of Cryptography: Sec-ond Theory of Cryptography Conference, TCC 2005, Lec-ture Notes in Computer Science Vol. 3378 (Springer Verlag,Berlin), p. 387. Note: although the content of the paper isentirely correct, the results have been summarized in theabstract in a wrong way (Konig et al., 2007).

Bethune, D., and W.Risk, 2000, IEEE J. Quantum Electron.36, 340.

Beveratos, A., R. Bruori, T. Gacoin, A. Villing, J.P. Poizat,and P. Grangier, 2002, Phys. Rev. Lett. 89, 187901.

Biham, E., and T. Mor, 1997, Phys. Rev. Lett. 78, 2256.Biham, E., M. Boyer, G. Brassard, J. van de Graaf, and T.

Mor, 2005, Algorithmica 34, 372.Bloch, M., A. Thangaraj, S.W. McLaughlin, and J.-M.

Merolla, 2005, eprint cs.IT/0509041

Bloom, S., E. Korevaar, J. Schuster, and H. Willebrand, 2003,J. Opt. Netw. 2, 178.

Boucher, W., and T. Debuisschert, 2005, Phys. Rev. A 72,062325.

Brainis, E., L.-P. Lamoureux, N.J. Cerf, P. Emplit, M. Hael-terman, and S. Massar, 2003, Phys. Rev. Lett. 90, 157902.

Branciard, C., N. Gisin, B. Kraus, and V. Scarani, 2005, Phys.Rev. A 72, 032301.

Branciard, C., N. Gisin, N. Lutkenhaus, and V. Scarani, 2007,Quant. Inf. Comput. 7, 639.

Branciard, C., N. Gisin, and V. Scarani, 2008, New J. Phys.10, 013031.

Brassard, G, and L. Salvail, 1994, in: Advances in Cryptology- EUROCRYPT ’93, Lecture Notes in Computer ScienceVol. 765 (Springer Verlag, Berlin), pp. 410-423.

Brassard, G., N. Lutkenhaus, T. Mor, and B. C. Sanders,2000, Phys. Rev. Lett. 85, 1330.

Breguet, J., A. Muller, and N. Gisin, 1994, J. Mod. Opt. 41,2405.

Brendel, J., N. Gisin, W. Tittel, and H. Zbinden, 1999, Phys.Rev. Lett. 82, 2594.

Briegel, H.-J., W. Dur, J.I. Cirac, and P. Zoller, 1998, Phys.Rev. Lett. 81, 5932.

Bruß, D., 1998, Phys. Rev. Lett. 81, 3018.Bruß, D., M. Cinchetti, G. M. D’Ariano and C. Macchiavello,

2000, Phys. Rev. A 62, 012302.Buttler, W.T., R.J. Hughes, P.G. Kwiat, S.K. Lamoreaux,

G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson,and C. M. Simmons, 1998, Phys. Rev. Lett. 81, 3283.

Carter, J. L., and M. N. Wegman, 1979, J. Comp. Syst. Sci.18, 143.

Cerf, N.J., A. Ipe, and X. Rottenberg, 2000, Phys. Rev. Lett.85, 1754.

Cerf, N.J., M. Levy, and G. Van Assche, 2001, Phys. Rev. A63, 052311.

Cerf, N.J., M. Bourennane, A. Karlsson and N. Gisin, 2002,Phys. Rev. Lett. 88, 127902.

Childress, L., J.M. Taylor, A.S. Sorensen, and M.D. Lukin,2006, Phys. Rev. Lett. 96, 070504.

Chau, H. F., 2002, Phys. Rev. A 66, 060302(R).Chou, C.-W., J. Laurat, H. Deng, K.S. Choi, H. de Riedmat-

ten, D. Felinto, H.J. Kimble , 2007, Science 316, 1316.Collins D., N. Gisin and H. de Riedmatten, 2005, J. Mod.

Opt. 52, 735.Coppersmith, D., D.B. Johnson, and S.M. Matyas, 1996, IBM

J. Res. Dev. 40, 253.Cova, S., M. Ghioni, A. Lotito, I.Rech, and F.Zappa, 2004, J.

Mod. Opt. 51, 1267.Csiszar, I. and J. Korner, 1978, IEEE Trans. Inf. Theory 24,

339.Curty, M., M. Lewenstein, and N. Lutkenhaus, 2004, Phys.

Rev. Lett. 92, 217903.Curty, M., and N. Lutkenhaus, 2004, Phys. Rev. A 69,

042321.Curty, M., and N. Lutkenhaus, 2005, Phys. Rev. A 71,

062301.Curty, M., L. Zhang, H.-K. Lo, and N. Lutkenhaus, 2007,

Quant. Inf. Comput. 7, 665.Daemen, J., and V. Rijmen, 2001, Dr. Dobb’s J. 26, 137.Damgaard, I.B., S. Fehr, R. Renner, L. Salvail, C. Schaffner,

2007, in: CRYPTO 2007, Lecture Notes in Computer Sci-ence Vol. 4622 (Springer Verlag, Berlin).

De Riedmatten, H., I. Marcikic, V. Scarani, W. Tittel,H.Zbinden, N. Gisin, 2004, Phys. Rev. A 69, 050304(R).

42

De Riedmatten, H., V. Scarani, I. Marcikic, A. Acın, W. Tit-tel, H.Zbinden, N. Gisin, 2004, J. Mod. Opt. 51, 1637.

Devetak, I. and A. Winter, 2005, Proc. R. Soc. Lond. A 461,207.

Deutsch, D., A.K. Ekert, R. Jozsa, C. Macchiavello, S.Popescu, and A. Sanpera, 1996, Phys. Rev. Lett. 77, 2818.

Diamanti, E., H. Takesue, T. Honjo, K. Inoue, and Y. Ya-mamoto, 2005, Phys. Rev. A 72, 052311.

Diamanti, E., H. Takesue, C. Langrock, M.M. Fejer, and Y.Yamamoto, 2006, Optics Express 14, 13073.

Dianati, M., and R. Alleaume, 2006, eprint quant-ph/0610202Dianati, M., R. Alleaume, M. Gagnaire, and X. Shen, 2008,

Journal of Communication and Network Security 1, 1.Diffie, W., and M.E. Hellman, 1976, IEEE Trans. Inf. Th.

IT-22, 644.Duan, L.M., M.D. Lukin, J.I. Cirac, and P. Zoller, 2001, Na-

ture 414, 413.Dur, W., H.-J.Briegel, J.I. Cirac, and P. Zoller, 1999, Phys.

Rev. A 59, 169.Dusek, M., O. Haderka, and M. Hendrych, 1999, Opt. Com-

mun. 169, 103.Dusek, M., M. Jahma, and N. Lutkenhaus, 2000, Phys. Rev.

A 62, 022306.Dusek, M., N. Lutkenhaus, and M. Hendrych, 2006, Progress

in Optics 49, Edt. E. Wolf (Elsevier), 381.Eisenberg, H.S., G. Khoury, G.A. Durkin, C. Simon, and D.

Bouwmeester, 2004, Phys. Rev. Lett. 93, 193901.Ekert, A.K., 1991, Phys. Rev. Lett. 67, 661.Elliott, C., 2002, New J. Phys. 4, 46.Elliott, C., A. Colvin, D. Pearson, O. Pikalo, J. Schlafer, and

H. Yeh, 2005, eprint quant-ph/0503058.Englert, B.-G., D. Kaszlikowski, H.K. Ng, W.K. Chua, J.

Rehacek, and J. Anders, 2004, eprint quant-ph/0412075.Fasel, S., N. Gisin, G. Ribordy, and H. Zbinden, 2004, Eur.

Phys. J. D 30, 143.Ferenczi, A., P. Grangier, and F. Grosshans, 2007, in prepa-

ration.Franson, J. D., and H. Ilves, 1994, J. Mod. Opt. 41, 2391.Fuchs, C.A., N. Gisin, R. B. Griffiths, C.-S. Niu and A. Peres,

1997, Phys. Rev. A 56, 1163.Fung, C.-H. F., K. Tamaki, and H.-K. Lo, 2006, Phys. Rev.

A 73, 012337.Fung, C.-H. F., B. Qi, K. Tamaki, and H.-K. Lo, 2007, Phys.

Rev. A 75, 032314.Galtarossa, A., and Menyuk, C.R. (eds), 2005, Polarization

Mode Dispersion (Springer Verlag, Berlin).Garcıa-Patron, R., and N.J. Cerf, 2006, Phys. Rev. Lett. 97,

190503.Garcıa-Patron, R., 2007, Ph.D. thesis (Universite Libre de

Bruxelles).Gisin, N., and J.P. Pellaux, 1992, Optics Commun. 89, 316.Gisin, N., and S. Wolf, 1999, Phys. Rev. Lett. 83, 4200.Gisin, N., and S. Wolf, 2000, in: Proceedings of CRYPTO

2000, Lecture Notes in Computer Science Vol. 1880(Springer Verlag, Berlin), p. 482.

Gisin, N., G. Ribordy, W. Tittel and H. Zbinden, 2002, Rev.Mod. Phys. 74, 145.

Gisin, N., G. Ribordy, H. Zbinden, D. Stucki, N. Brunner,and V. Scarani, 2004, eprint quant-ph/0411022

Gisin, N., S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy,2006, Phys. Rev. A 73, 022320.

Gobby, C., Z.L. Yuan, and A.J. Shields, 2004, Appl. Phys.Lett. 84, 3762.

Gottesman, D., and J. Preskill, 2001, Phys. Rev. A 63,

022309.Gottesman, D., and H.-K. Lo, 2003, IEEE Transactions on

Information Theory 49, 457.Gottesman, D., H.-K. Lo, N. Lutkenhaus, and J. Preskill,

2004, Quant. Inf. Comput. 4, 325.Griffiths, R.B. and C.-S. Niu, 1997, Phys. Rev. A 56, 1173.Grosshans, F., and P. Grangier, 2002, Phys. Rev. Lett. 88,

057902.Grosshans, F., and P. Grangier, in: Proc. 6th Int. Conf. on

Quantum Communications, Measurement, and Computing(QCMC’02) (Rinton Press); eprint quant-ph/0204127.

Grosshans, F., G. Van Assche, J. Wenger, R. Tualle-Brouri,N. J. Cerf, and P. Grangier, 2003, Nature 421, 238.

Grosshans, F., N.J. Cerf, J. Wenger, R. Tualle-Brouri, and P.Grangier, 2003, Qunatum Inf. Comput. 3, 535.

Grosshans, F., and N. J. Cerf, 2004, Phys. Rev. Lett. 92,047905.

Grosshans, F., 2005, Phys. Rev. Lett. 94, 020504.Grover, L.K., 1996, in Proc. 28th Annual ACM Symp. on the

Theory of Computing, STOC’96 (ACM, New York), p. 212.Grover, L.K., 1997, Phys. Rev. Lett. 79, 325.Hadfield, R.H., J.L. Habif, J. Schlafer, R.E. Schwall, S.W.

Nam, 2006, Appl. Phys. Lett. 89, 241129.Halder, M., A. Beveratos, N. Gisin, V. Scarani, C. Simon,

and H. Zbinden, 2007, Nature Physics 3, 692.Haseler, H., T. Moroder, and N. Lutkenhaus, 2007, eprint

arXiv:0711:2709Hasegawa, J., M. Hayashi, T. Hiroshima, A. Tanaka, and A.

Tomita, 2007, eprint arXiv:0705.3081v1.Hayashi, M., 2006, Phys. Rev. A 74, 022307.Hayashi, M., 2007, Phys. Rev. A 76, 012329.Hayashi, M., 2007, eprint quant-ph/0702251.Heid, M., and N. Lutkenhaus, 2006, Phys. Rev. A 73, 052316.Heid, M., and N. Lutkenhaus, 2007, Phys. Rev. A 76, 022313.Helstrom, C.W., 1976, Quantum Detection and Estimation

Theory (Academic Press, New York).Herbauts, I.M., S. Bettelli, H. Hubel, and M. Peev, 2008, Eur.

Phys. J. D 46, 395.Hillery, M., 2000, Phys. Rev. A 61, 022309.Hiskett, P.A., D. Rosenberg, C.G. Peterson, R.J. Hughes,

S.W. Nam, A.E. Lita, A.J. Miller, and J.E. Nordholt, 2006,New J. Phys. 8, 193.

Holevo, A.S., 1973, Probl. Inf. Trans. 9, 177.Horodecki, K., M. Horodecki, P. Horodecki, and J. Oppen-

heim, 2005, Phys. Rev. Lett. 94, 160502.Horodecki, K., M. Horodecki, P. Horodecki, D. Leung, and J.

Oppenheim, 2006, eprint quant-ph/0608195.Hubel, H., M.R. Vanner, T. Lederer, B. Blauensteiner, T.

Lorunser, A. Poppe, A. Zeilinger, 2007, Optics Express 15,7853.

Hughes, R.J., J.E. Nordholt, D. Derkacs, and C.G. Peterson,2002, New J. Phys. 4, 43.

Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, Phys.Rev. A 51, 1863.

Hwang, W.-Y., 2003, Phys. Rev. Lett. 91, 057901.Inamori, H., N. Lutkenhaus, D. Mayers, 2007, Eur. J. Phys.

D 41, 599, eprint quant-ph/0107017.Inoue, K., E. Waks, and Y. Yamamoto, 2002, Phys. Rev. Lett.

89, 037902.Inoue, K., E. Waks, and Y. Yamamoto, 2003, Phys. Rev. A

68, 022317.Inoue, K., and T. Honjo, 2005, Phys. Rev. A 71, 042305.Intallura, P.M., M.B. Ward, O.Z. Karimov, Z.L. Yuan, P. See,

A.J. Shields, P. Atkinson, and D.A. Ritchie, 2007, Appl.

43

Phys. Lett. 91, 161103.Jacobs, B.C., T.B. Pittman, and J.D. Franson, 2002, Phys.

Rev. A 66, 052307.Jennewein, T., C. Simon, G.Weihs, H. Weinfurter, A.

Zeilinger, 2000, Phys. Rev. Lett. 84, 4729.Julsgaard, B., J. Sherson, J.I. Cirac, J. Fiurasek, E.S. Polzik,

2004, Nature 432, 482.Kim, J., S. Takeuchi, Y. Yamamoto, and H. Hogue, 1999,

Appl. Phys. Lett. 74, 902.Kim, I.I., and E. Korevaar, 2001,

http://www.freespaceoptic.com/WhitePapers/SPIE2001b.pdf.Koashi, M., and J. Preskill, 2003, Phys. Rev. Lett. 90, 057902.Koashi, M., 2004, Phys. Rev. Lett. 93, 120501.Koashi, M., 2005, eprint quant-ph/0505108.Koashi, M., 2005, eprint quant-ph/0507154.Koashi, M., 2006, eprint quant-ph/0609180.Koashi, M., 2007, eprint arXiv:0704:3661.Konig, R., and B. Terhal, 2006, eprint quant-ph/0608101.Konig, R., R. Renner, A. Bariska, and U. Maurer, 2007, Phys.

Rev. Lett. 98, 140502.Kraus, B., N. Gisin and R. Renner, 2005, Phys. Rev. Lett.

95, 080501.Kraus, B., C. Branciard and R. Renner, 2007, Phys. Rev. A

75, 012316.Kurtsiefer, C., P. Zarda, S. Mayer, and H. Weinfurter, 2001,

J. Mod. Opt. 48, 2039.Kurtsiefer, C., P. Zarda, M. Halder, H. Weinfurter, P.M. Gor-

man, P.R. Tapster, and J.G. Rarity, 2002, Nature 419, 450.Kwiat, P.G., K. Mattle, H. Weinfurter, A. Zeilinger,

A.V. Sergienko, and Y. Shih, 1995, Phys. Rev. Lett. 75,4337.

Kwiat, P.G., E. Waks, A.G. White, I. Appelbaum, andP.H. Eberhard, 1999, Phys. Rev. A 60, R773.

Lamas-Linares, A., and C. Kurtsiefer, 2007, eprintarXiv:0704.3297.

Laurent, S., S. Varoutsis, L. Le Gratiet, A. Lemaıtre, I.Sagnes, F. Raineri, J. A. Levenson, I. Robert-Philip, andI. Abram, 2005, Appl. Phys. Lett. 87, 163107.

Legre, M., H. Zbinden, and N. Gisin, 2006, Quant. Inf. Com-put. 6, 326.

Leverrier, A., R. Alleaume, J. Boutros, G.Zemor, P. Grangier,2007, eprint arXiv:0712.3823v1.

Li, Y., H. Mikami, H. Wang, and T. Kobayashi, 2005, Phys.Rev. A 72, 063801.

Lo, H.-K., and H. F. Chau, 1999, Science 283, 2050.Lo, H.-K., 2001, Quant. Inf. Comput. 1, 81.Lo, H.-K., H. F. Chau, and M. Ardehali, 2005, J. Cryptology

18, 133, eprint quant-ph/9803007.Lo, H.-K., 2005, Quant. Inf. Comput. 5, 413.Lo, H.-K., X. Ma, and K. Chen, 2005, Phys. Rev. Lett. 94,

230504.Lo, H.-K., and J. Preskill, 2006, eprint quant-ph/0610203.Lodewyck, J., T. Debuisschert, R. Tualle-Brouri, and P.

Grangier, 2005, Phys. Rev. A 72, 050303(R).Lodewyck, J., M. Bloch, R. Garcia-Patron, S. Fossier, E. Kar-

pov, E. Diamanti, T. Debuisschert, N.J. Cerf, R. Tualle-Brouri, S.W. McLaughlin, and P. Grangier, 2007, Phys.Rev. A 76, 042305.

Lodewyck, J., T. Debuisschert, R. Garcıa-Patron, R. Tualle-Brouri, N.J. Cerf, and P. Grangier, 2007, Phys. Rev. Lett.98, 030503.

Lodewyck, J., and P. Grangier, 2007, Phys. Rev. A 76,022332.

Lorenz, S., N. Korolkova, and G. Leuchs, 2004, Appl. Phys.

B 79, 273.Lorenz, S., J. Rigas, M. Heid, U.L. Andersen, N. Lutkenhaus,

and G. Leuchs, 2006, Phys. Rev. A 74, 042326.Lounis, B., and M. Orrit, 2005, Rep. Prog. Phys. 68, 1129.Lutkenhaus, N., 1996, Phys. Rev. A 54, 97.Lutkenhaus, N., 1999, Phys. Rev. A 59, 3301.Lutkenhaus, N., 2000, Phys. Rev. A 61, 052304.Lutkenhaus, N., and M. Jahma, 2002, New J. Phys. 4, 44.Ma, X., C.-H. F. Fung, and H.-K. Lo, 2007, Phys. Rev. A 76,

012307.Mair, A., A. Vaziri, G. Weihs, and A. Zeilinger, 2001, Nature

412, 3123.Makarov, V., and D. R. Hjelme, 2005, J. Mod. Opt. 52, 691.Makarov, V., A. Anisimov, and J. Skaar, 2006, Phys. Rev. A

74, 022313.Makarov, V., and J. Skaar, 2007, eprint quant-ph/0702262.Mandel, L., and E. Wolf, 1995, Optical Coherence and Quan-

tum Optics (Cambridge University Press, Cambridge).Marcikic, I., A. Lamas-Linares, and C. Kurtsiefer, 2006, Appl.

Phys. Lett. 89, 101122.Mauerer, W., and C. Silberhorn, 2007, Phys. Rev. A 75,

050305(R).Maurer, U.M., 1993, IEEE Trans. Inf. Th. 39, 733.Maurer, U.M., and S. Wolf, 1999, SIAM J. Comput. 28, 1689.Maurer, U.M., and S. Wolf, 2000, Des. Codes Cryptography

19, 147.Mayers, D., 1996, in: Advances in Cryptology — Proceedings

of Crypto ’96 (Springer Verlag, Berlin), p. 343.Mayers, D., 2001, JACM 48, 351.Merolla, J.-M., Y. Mazurenko, J.-P. Goedgebuer, and W.T.

Rhodes, 1999, Phys. Rev. Lett. 82, 1656.Meyer, T., H. Kampermann, M. Kleinmann, and D. Bruss,

2006, Phys. Rev. A 74, 042340.Miller, A. J., S.W. Nam, J.M. Martinis, and A.V. Sergienko,

2003, Appl. Phys. Lett. 83, 791.Mølmer, K., 1997, Phys. Rev. A 55, 3195.Muller, A., H. Zbinden, and N. Gisin, 1995, Nature 378, 449.Muller, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden,

and N. Gisin, 1997, Appl. Phys. Lett. 70, 793.Naik, D.S., C.G. Peterson, A.G. White, A.J. Berglund, P.G.

Kwiat, 2000, Phys. Rev. Lett. 84, 4733.Navascues, M., and A. Acın, 2005, Phys. Rev. Lett. 94,

020505.Navascues, M., F. Grosshans, and A. Acın, 2006, Phys. Rev.

Lett. 97, 190502.Nguyen, K.-C., G. Van Assche, and N.J. Cerf, in: Proc. Int.

Symposium on Information Theory and its Applications(ISITA, Parma, 2004); eprint cs.IT/0406001.

Niederberger, A., V. Scarani and N. Gisin, 2005, Phys. Rev.A 71, 042316.

Ou, Z.Y., J.-K. Rhee, and L.J. Wang, 1999, Phys. Rev. A 60,593.

Peng, C.-Z., J. Zhang, D. Yang, W.-B. Gao, H.-X. Ma, H.Yin, H.-P. Zeng, T. Yang, X.-B. Wand, and J.-W. Pan,2007, Phys. Rev. Lett. 98, 010505.

Qi, B., Y. Zhao, X. Ma, H.-K. Lo, and L. Qian, 2006, eprintquant-ph/0611044.

Qi, B., C.H. F. Fung, H.-K. Lo, and X. Ma, 2007, Quant. Inf.Comput. 7, 73.

Ralph, T.C., 1999, Phys. Rev. A 61, 010303(R).Rarity, J.G., P.M. Gorman, and P.R. Tapster, 2001, Electron.

Lett. 37, 512.Rarity, J.G., P.R. Tapster, P.M. Gorman, and P. Knight,

2002, New J. Phys. 4, 82.

44

Raynal, P., N. Lutkenhaus, and S.J. van Enk, 2003, Phys.Rev. A 68, 022308.

Reid, M.D., 2000, Phys. Rev. A 62, 062308.Renner, R., 2005, Ph.D. thesis (ETH Zurich), eprint quant-

ph/0512258.Renner, R., N. Gisin and B. Kraus, 2005, Phys. Rev. A 72,

012332.Renner, R., and R. Konig, 2005, in: Theory of Cryptography:

Second Theory of Cryptography Conference, TCC 2005,Lecture Notes in Computer Science Vol. 3378 (SpringerVerlag, Berlin), p. 407.

Renner, R., 2007, Nature Physics 3, 645.Ribordy, G., J.D. Gautier, N. Gisin, O. Guinnard, and H.

Zbinden, 1998, Electron. Lett. 34, 2116.Ribordy, G., N. Gisin, O. Guinnard, D. Stucki, M. Wegmuller,

and H. Zbinden, 2004, J. Mod. Opt. 51, 1381.Rigas, J., O. Guhne, and N. Lutkenhaus, 2006, Phys. Rev. A

73, 012341.Rosenberg, D., A. E. Lita, A. J. Miller, and S.W. Nam, 2005,

Phys. Rev. A 71, 061803(R).Rosenberg, D., J.W. Harrington, P.R. Rice, P.A. Hiskett,

C.G. Peterson, R.J. Hughes, A.E. Lita, S.W. Nam, andJ.E. Nordholt, 2007, Phys. Rev. Lett. 98, 010503.

Saint-Girons, G., N. Chauvin, A. Michon, G. Patriarche, G.Beaudoin, B Bremond, C. Bru-Chevalier, and I. Sagnes,2006, Appl. Phys. Lett. 88, 133101.

Sangouard, N., C. Simon, J. Minar, H. Zbinden, H. De Ried-matten, and N. Gisin, 2007, eprint arXiv:0706.1924v1.

Scarani, V., A. Acın, G. Ribordy, and N. Gisin, 2004, Phys.Rev. Lett. 92, 057901.

Scarani, V., H. De Riedmatten, I. Marcikic, H. Zbinden andN. Gisin, 2005, Eur. Phys. J. D 32, 129.

Scarani, V., N. Gisin, N. Brunner, L. Masanes, S. Pino, andA. Acın, 2006, Phys. Rev. A 74, 042339.

Scarani, V., and R. Renner, 2007, eprint arXiv:0708.0709v1.Shannon, C.E., 1949, Bell Syst. Tech. J. 28, 656Shields, A.J., 2007, Nature Photonics 1, 215Shor, P.W., 1994, in Proceedings of the 35th Annual Sympo-

sium on the Foundations of Computer Science, Santa Fe(IEEE Computer Society, Los Alamitos), p. 124.

Shor, P.W., 1997, SIAM J. Sci. Statist. Comput. 26, 1484,eprint quant-ph/9508027

Shor, P.W. and J. Preskill, 2000, Phys. Rev. Lett. 85, 441.Silberhorn, C., T. C. Ralph, N. Lutkenhaus, and G. Leuchs,

2002, Phys. Rev. Lett. 89, 167901.Simon, C., H. De Riedmatten, M. Afzelius, N. Sangouard, H.

Zbinden, and N. Gisin, 2007, Phys. Rev. Lett. 98, 190503.Slutsky, B.A., R. Rao, P.-C. Sun, and Y. Fainman, 1998,

Phys. Rev. A 57, 2383.Smith, G., J. M. Renes, and J. A. Smolin, 2006, eprint quant-

ph/0607018.Staudt, M.U., S.R. Hastings-Simon, M. Nilsson, M. Afzelius,

V. Scarani, R. Ricken, H. Suche, W. Sohler, W. Tittel, andN. Gisin, 2007, Phys. Rev. Lett. 98, 113601.

Stucki, D., N. Brunner, N. Gisin, V. Scarani, and H. Zbinden,2005, Appl. Phys. Lett. 87, 194108.

Sudjana, J., L. Magnin, R. Garcia-Patron, and N. J. Cerf,2007, Phys. Rev. A 76, 052301.

Takesue, H., E. Diamanti, T. Honjo, C. Langrock, M.M. Fejer,K. Inoue, and Y. Yamamoto, 2005, New J. Phys. 7, 232.

Takesue, H., S.W. Nam, Q. Zhang, R.H. Hadfield, T. Honjo,K. Tamaki, and Y. Yamamoto, 2007, Nature Photonics 1,343.

Tamaki, K., M. Koashi, and N. Imoto, 2003, Phys. Rev. Lett.

90, 167904.Tamaki, K., and N. Lutkenhaus, 2004, Phys. Rev. A 69,

032316.Tamaki, K., and H.-K. Lo, 2006, Phys. Rev. A 73, 010302(R).Tamaki, K., N. Lutkenhaus, M. Koashi, and J. Batuwantu-

dawe, 2006, eprint quant-ph/0607082.Tanzilli, S., H. De Riedmatten, W. Tittel, H. Zbinden, P.

Baldi, M. De Micheli, D.B. Ostrowsky, and N. Gisin, 2001,Electr. Lett. 37, 26.

Tapster, P.R., and J.G. Rarity, 1998, J. Mod. Opt. 45, 595.Thew, R., A. Acın, H. Zbinden, and N. Gisin, 2004, Quant.

Inf. Comput. 4, 93.Thew, R., S. Tanzilli, L. Krainer, S. C. Zeller, A. Rochas,

I. Rech, S. Cova, H. Zbinden, and N. Gisin, 2006, New J.Phys. 8, 32.

Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 2000, Phys.Rev. Lett. 84, 4737.

Townsend, P.D., J. G. Rarity, and P. R. Tapster, 1993, Elec-tronics Letters 29, 1291.

Townsend, P.D., S.J.D. Phoenix, K.J. Blow, and S.M. Bar-nett, 1994, Electronics Letters 30, 1875.

Trifonov, A., D. Subacius, A. Berzanskis, and A. Zavriyev,2004, J. Mod. Opt. 51, 1399.

Tsujino, K., H.F. Hofmann, S. Takeuchi, and K. Sasaki, 2004,Phys. Rev. Lett. 92, 153602.

Tsurumaru, T., 2007, Phys. Rev. A 75, 062319.Tsurumaru, T., A. Soujaeff, and S. Takeuchi, 2007, eprint

arXiv:0710.4989Ursin, R., F. Tiefenbacher, T. Schmitt-Manderbach, H.

Weier, T. Scheidl, M. Lindenthal, B. Blauensteiner, T. Jen-newein, J. Perdigues, P. Trojek, B. Oemer, M. Fuerst, M.Meyenburg, J. Rarity, Z. Sodnik, C. Barbieri, H. Weinfurterand A. Zeilinger, 2007, Nature Physics 3, 481.

Vakhitov, A., V. Makarov, and D.R. Hjelme, 2001, J. Mod.Opt. 48, 2023.

Van Assche, G., J. Cardinal, and N.J. Cerf, 2004, IEEE Trans.Inf. Theory 50, 394.

Van Assche, G., 2006, Quantum Cryptography and Secret-KeyDistillation (Cambridge University Press, Cambridge).

van Enk, S.J., and C.A. Fuchs, 2002, Quant. Inf. Comput. 2,151.

Verevkin, A., J. Zhang, R. Sobolewski, A. Lipatov, O.Okunev, G. Chulkova, A. Korneev, K. Smirnov, G.N.Goltsman, and A. Semenov, 2002, Appl. Phys. Lett. 80,4687.

Verevkin, A., A. Pearlmany, W. Slyszyz, J. Zhangy, M. Cur-rie, A. Korneev, G. Chulkova, O. Okunev, P. Kouminov, K.Smirnov, B. Voronov, G.N. Goltsman, and R. Sobolewskiy,2004, J. Mod. Opt. 51, 1447.

Vernam, G.S., 1926, J. AIEE 45, 109.Waks, E., K. Inoue, C. Santori, D. Fattal, J. Vuckovic, G.

Solomon, and Y. Yamamoto, 2002, Nature 420, 762.Waks, E., C. Santori, and Y. Yamamoto, 2002, Phys. Rev. A

66, 042315.Waks, E., K. Inoue, W.D. Oliver, E. Diamanti, and Y. Ya-

mamoto, 2003, IEEE J. of Selected Topics in QuantumElectronics 9, 1502.

Waks, E., H. Takesue, and Y. Yamamoto, 2006, Phys. Rev.A 73, 012344.

Waks, E., E. Diamanti, and Y. Yamamoto, 2006, New J. Phys.8, 4.

Wang, X.-B., 2001, eprint quant-ph/0110089.Wang, X.-B., 2005, Phys. Rev. Lett. 94, 230503.Ward, M.B., O.Z. Karimov, D.C. Unitt, Z.L. Yuan, P. See,

45

D.G. Gevaux, A.J. Shields, P. Atkinson, and D.A. Ritchie,2005, Appl. Phys. Lett. 86, 201111.

Watanabe, S., R. Matsumoto, and T. Uyematsu, 2004, eprintquant-ph/0412070.

Weedbrook, C., A.M. Lance, W.P. Bowen, T. Symul, T.C.Ralph, and P.K. Lam, 2004, Phys. Rev. Lett. 93, 170504.

Wegman, M. N., and J. L.Carter, 1981, J. Comp. Syst. Sci.22, 265.

Wiesner, S., 1983, Sigact News 15, 78.Wootters, W.K. and W.H. Zurek, 1982, Nature 299, 802.Wyner, A.D., 1975, Bell Syst. Tech. J. 54, 1355.Young, R. J., R.M. Stevenson, P. Atkinson, K. Cooper,

D.A. Ritchie, and A. J. Shields, 2006, New J. Phys. 8, 29.Yuan, Z.L., and A.J. Shields, 2005, Opt. Express 13, 660.Yuan, Z.L., A.W. Sharpe, and A.J. Shields, 2007, Appl. Phys.

Lett. 90, 011118.

Yuan, Z.L., B.E. Kardynal, A.W. Sharpe, and A.J. Shields,2007, Appl. Phys. Lett. 91, 011114.

Zhao, Y., B. Qi, X. Ma, H.-K. Lo, and L. Qian, 2006, Phys.Rev. Lett. 96, 070502.

Zhao, Y., B. Qi, and H.-K. Lo, 2007, Appl. Phys. Lett. 90,044106.

Zhao, Y., C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, 2007,eprint arXiv:0704.3253.

Zhao, Y., B. Qi, and H.-K. Lo, 2007, eprint arXiv:0802.2725.Zhou, C., G. Wu, X. Chen, and H. Zeng, 2003, Appl. Phys.

Lett. 83, 1692.Zinoni, C., B. Alloing, C. Monat, V. Zwiller, L.H. Li, A. Fiore,

L. Lunghi, A. Gerardino, H. de Riedmatten, H. Zbinden,and N. Gisin, 2006, Appl. Phys. Lett. 88, 131102.