Telecommunication Components for Fast Quantum Key Distribution

UNIVERSITY OF CALGARY

Itzel Lucio Martinez

A THESIS SUBMITTED TO THE FACULTY OF GRADUATE STUDIES IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE

DEPARTMENT OF PHYSICS AND ASTRONOMY

CALGARY,ALBERTA May, 2008

395 Wellington Street 395, rue Wellington Ottawa ON K1A0N4 Ottawa ON K1A0N4 Canada Canada

Your file Votre reference ISBN: 978-0-494-44272-2 Our file Notre reference ISBN: 978-0-494-44272-2

NOTICE: AVIS: The author has granted a non L'auteur a accorde une licence non exclusive exclusive license allowing Library permettant a la Bibliotheque et Archives and Archives Canada to reproduce, Canada de reproduire, publier, archiver, publish, archive, preserve, conserve, sauvegarder, conserver, transmettre au public communicate to the public by par telecommunication ou par Plntemet, prefer, telecommunication or on the Internet, distribuer et vendre des theses partout dans loan, distribute and sell theses le monde, a des fins commerciales ou autres, worldwide, for commercial or non sur support microforme, papier, electronique commercial purposes, in microform, et/ou autres formats. paper, electronic and/or any other formats.

The author retains copyright L'auteur conserve la propriete du droit d'auteur ownership and moral rights in et des droits moraux qui protege cette these. this thesis. Neither the thesis Ni la these ni des extraits substantiels de nor substantial extracts from it celle-ci ne doivent etre imprimes ou autrement may be printed or otherwise reproduits sans son autorisation. reproduced without the author's permission.

In compliance with the Canadian Conformement a la loi canadienne Privacy Act some supporting sur la protection de la vie privee, forms may have been removed quelques formulaires secondaires from this thesis. ont ete enleves de cette these.

While these forms may be included Bien que ces formulaires in the document page count, aient inclus dans la pagination, their removal does not represent il n'y aura aucun contenu manquant. any loss of content from the thesis. Canada Abstract

Quantum Key Distribution in combination with the one-time pad encryption protocol promises unconditional secure communication. However, current Quantum Key Distribution (QKD) systems distribute keys with low rates, making the implementation of the highly key consum ing one-time pad impractical. This thesis describes a detailed characterization of telecommu nication components in view of possible use for high rate QKD through telecommunication fibre networks, and a proof-of-principle demonstration of a QKD system using the compo nents studied. Specific problems have been identified, and solutions are suggested Acknowledgements

I would like to thank my supervisor, Dr. Wolfgang Tittel, for all his guidance, help, patience and great sense of humor throughout the duration of this work. I would also like to thank

Xiaofan Mo, a postdoc in our group, for all of his time, advice, help and for making the lab an enjoyable place. I would like to thank Steve Hosier and Philip Chan, members of the

QC2 group and the Quantum Cryptography project for their help in all sort of things during this work.

I would specially like to thank my family, Tofio, Alejandrina and Jose Luis, for their encouragement and support throughout my life, without them I would not be who I am today.

I would like to thank Tim for all the delicious meals and many good moments we have shared that have made my time in Canada so enjoyable. I would like to thank Michael S.,

Mike D., Georg, Frank and all the people in IQIS that have shared their friendship with me.

I could not forget all my coworkers in the QC2 group (Gina, Ahdiyeh, Josh, Allison, Cecilia,

Erhan, Felix, John, Mike, Neil and Vladimir) who create such a pleasant atmosphere in the office and the lab.

Finally, I would like to thank CONACyT and the Mexican public education system for giving me, and many other Mexican people, the opportunity to improve our quality of life.

m Table of Contents

Abstract ii Acknowledgements iii Table of Contents iv List of Tables vii List of Figures viii 1 Introduction 1 1.1 Background 1 1.2 Classical Cryptography 2 1.2.1 Asymmetric Cryptography 2 1.2.2 Public-Key Cryptography 3 1.2.3 Classical symmetric-key cryptography 4 1.2.4 Advanced Encryption Standard 6 1.3 Key Distribution 7 1.4 Quantum Cryptography 8 1.5 This work 9 1.5.1 Motivation 9 1.5.2 Organization 11 2 Quantum Key Distribution (QKD) 12 2.1 Quantum key distribution protocols 12 2.1.1 BB84 12 2.1.2 Ekert91 14 2.1.3 BBM92 14 2.2 Classical Post-processing 15 2.2.1 Error Correction 16 2.2.2 Privacy Amplification 17 2.3 Eavesdropping 18 2.3.1 Qubit attacks 18 2.3.2 Individual attacks 20 2.3.3 Coherent attacks 21 2.3.4 Photon number splitting attack 22 2.3.5 Other channel attacks 28 2.4 Experimental QKD: The State of the Art 29 2.4.1 Fiber-based QKD 29 2.4.2 Free-Space QKD 31 2.4.3 Networking 32 3 Experimental investigations 33 3.1 The set-up 33 3.1.1 Alice 33 3.1.2 Bob 36 3.2 Components 37 3.2.1 The Laser Diodes 37 3.2.2 Intensity Modulator 41

iv V

3.2.3 The Phase Modulator 42 3.2.4 Polarization Controller 47 3.2.5 Single Photon Detector 49 3.3 Quantum Key Distribution 52 3.3.1 Measurement of the QBER and Key generation rate 52 4 Discussion 55 4.1 Components 55 4.1.1 Laser Diode 55 4.1.2 Intensity Modulator 55 4.1.3 Phase Modulator 58 4.1.4 Polarization Stabilizer 59 4.1.5 Single Photon Detector 59 4.2 Performance of the QKD system 60 4.2.1 Decoy State protocol 60 4.2.2 Detector noise based distance limitations 61 5 Summary and Outlook 62 Bibliography 65 vi

Glossary a Absorption coefficient r\ Quantum efficiency of single photon detectors A Wavelength H Signal state (mean photon number of 0.5) v\ First decoy state (mean photon number of 0.1) vQ Second decoy state (vacuum state) AES Advanced Encryption Standard (symmetric cryptosystem) APD Avalanche Photodiode Att Attenuator AWG Arbitrary Waveform Generator BS Beamsplitter CG Clock Generator Det Detector e Quantum bit error rate e\ Single photon pulse error rate eM Multi-photon pulse error rate FM Faraday mirror Y12 Shannon entropy IM Intensity modulator LDc Classical laser diode LDQ Quantum laser diode LDPC Low density parity check n Index of refraction P Power PD Dark count probability of a single photon detector PBS Polarization Beam Splitter PM Phase modulator PSY Polarization synthesizer/analyzer (polarization controller) Qi Single photon detection rate Qn Signal state detection rate Qv Decoy state detection rate QBER Quantum bit error rate QKD Quantum Key Distribution RSA Rivest, Shamir and Adleman (asymmetric cryptosystem) s Secret key yield per sifted key SPD Single Photon Detector t Transmission coefficient TDC Time-to-digital converter V Voltage Yi Conditional probability of a detection event for an i-photon state sent Y0 Background rate List of Tables

1.1 Encryption using the one-time pad 5 1.2 Comparision of classical cryptographic schemes 7

3.1 Dark counts and Quantum Efficiency for 4 different detectors 50 3.2 Results of the measurements of the QBER for signal and decoy states 54

4.1 Single photon gain and error rate assessed via decoy states 61

vn List of Figures

2.1 Polarization states represented on the Poincare sphere 13 2.2 Flow diagram showing Quantum Key Distribution 19 2.3 Information vs. QBER 22 2.4 The plug-and-play system 30 2.5 Free-space QKD 31

3.1 The entire QKD system 34 3.2 Classical header and quantum data 35 3.3 Alice's setup 36 3.4 Bob's setup 37 3.5 Screen shots of LD pulses 38 3.6 Measurement of output power stability of quantum and classical LD 39 3.7 Measurement of polarization stability and extinction ratio of the quantum LD 40 3.8 Intensity modulator 41 3.9 Measurement of the output power stability of the IM 42 3.10 Phase modulator 43 3.11 Measurement of the polarization extinction ratio of the PM 44 3.12 Performance of the PM 46 3.13 Working principle of the PSY 47 3.14 Compensation of polarization transformation with a PSY 48 3.15 Time response of a PSY for compensating polarization transformation. ... 49 3.16 Measurement of afterpulses 51 3.17 Our QKD system 53

4.1 Home-made IM 56

via Chapter 1

Introduction

Cryptography is the science of hiding the meaning of a message. The purpose of a cryp tographic system is to help a party, typically called Alice, to send a message to a receiver,

Bob, using a public channel, and to prevent the eavesdropper, Eve, from learning the message when eavesdropping the transmission.

1.1 Background

A possible solution to the problem of secret communication, besides cryptography, is steganog- raphy which consists in hiding the message rather than hiding the meaning of it. The security of the information transmitted relies on the security of the message. An example can be the story of Demeratus who sent a warning about a forthcoming attack to Greece by writing it on a wooden panel and covering it in wax [1],

In order to better understand cryptography, I will introduce some of the terminology used in this field. In cryptography, the plaintext is referred to as the message before being encrypted. The process of converting information to make it indecipherable to anyone, except those who posses a key (additional information), is called encryption, and the reverse of the process is called decryption. A cryptosystem refers to a set of algorithms (ciphers), needed to implement a particular form of encryption/decryption. A plaintext that has been encrypted is called ciphertext.

Cryptography is as old as writing itself. Among the oldest cryptosystems are transpo sition and substitution ciphers [1]. In transposition ciphers, the order of the letters in a message is rearranged (e.g. "go left" becomes "og eltf"). In substitution ciphers, some let ters or group of letters are replaced with other letters (e.g. "do not move" becomes "fq pqv 2 oqxg", where each letter has been replaced by the second next in the alphabet). Transpo sition and substitution ciphers require a key to decrypt the ciphertext but it can be found very easily. Old cryptosystems where often broken because the encryption algorithm was not secure, for instance, frequency analysis allows to crack substitution ciphers.

In the 19th century, Auguste Kerchoffs recognized that the secrecy of a cipher is not a good safeguard; in fact, a good cipher should remain secure when under attack if the key is secure. This fundamental principle is generally called Kerckhoffs' principle [2].

Different physical devices have been used to assist with ciphers. Encryption/decryption devices were created using rods, cylinders and disks. Early in the 20th century the devices became more complex and included rotor machines. The most famous example is the Enigma machine, used by Germany in World War II. All these technological advances increased the cryptanalytic difficulty. With the development of electronics and digital computers, much more complex ciphers were produced. One of the biggest changes introduced by this technology was the representation of data in binary format, rendering linguistic approaches more complicated.

1.2 Classical Cryptography

At present many different cryptosystems exist. They can be divided into two groups, asym metrical systems and symmetrical systems. In the following paragraphs, I give a more detailed description of each kind of system, and its applications.

1.2.1 Asymmetric Cryptography

Asymmetrical cryptosystems use two different keys, a public key with which anyone can encrypt a message and a private key, belonging to an authorized party, normally the receiver of the message, which can decrypt the message. 3

1.2.2 Public-Key Cryptography

Public-key cryptography classifies as an asymmetrical cryptosystem. Current use of elec tronic communications, including e-mail, e-commerce and e-banking use public-key cryp tography to protect sensitive data transmitted through public channels. Public-key cryp tography was invented in the early 1970's by James H. Ellis, Clifford Cocks, and Malcolm

Williamson in the UK but their work was not published; their invention became what now is known as Dime-Hellman key exchange [3] who reinvented it in 1976.

To understand how public-key cryptography works I will introduce one-way functions.

One-way functions are easy to compute in one direction but it is computationally hard to reverse the calculation. As an example consider a function / that takes two prime numbers and multiplies them; this is easy to compute in the sense that some algorithm can compute the function in a time that is no greater than a polynomial function of the number of bits required to represent the prime numbers. On the other hand, inverting the function requires solving the factoring problem for which there is no known efficient algorithm: in the factoring problem the number of steps increases exponentially with the number of bits required to represent the number that we want to factorize.

The security of public-key cryptography relies on the difficulty to solve one-way func tions. All known algorithms used to decrypt the data would take an impractical amount of time when long enough keys are used to encrypt the message. The security of public-key cryptosystems is based on the assumption that the eavesdropper has only limited computa tional power. Therefore it is only computational secure. If the eavesdropper, Eve, had access to different algorithms that could solve the factoring problem in a more efficient way than the ones known today, then the security of the ciphertext would be compromised since Eve could decrypt the message in a reasonable short time. In addition, the possibility of using a quantum computer to execute Shor's algorithm1 would allow fast factorization of integers [4],

1 Quantum algorithm for factoring exponentially faster than the best currently known algorithm running on a classical computer. 4 and thereby reading recent as well as past encrypted messages.

Since its invention, public-key cryptography has been improved and now different ciphers exist [5]. One of the most popular method is RSA (named after Rivest, Shamir and Adle- man), invented in 1977 at MIT [6]. This cryptosystem can be used to establish a shared secret key over a public communication channel and it is widely used in electronic commerce protocols. The basic idea behind RSA is the following:

Bob: picks two large prime numbers pi,p2 and calculates b = p\ • p2.

Bob: publicly announces b.

Alice: calculates ciphertext c = f(m,b).

Alice: sends c over public channel.

Bob: calculates m = g(c,p\,p2) where b is the public key, pi,p2 form the private key, / is a one-way function and m represents the message. One of the disadvantages of this cipher is that it is very time-consuming and its performance depends severely on hardware. Typical times to encrypt and decrypt a

2048 bit key are 30ms. For this reason this cryptosystem is used mostly for an initial key establishment. After this, classical symmetric-key cryptography is generally employed.

1.2.3 Classical symmetric-key cryptography

In symmetric systems both parties use the same key for encryption and decryption. The key represent a shared secret between the parties that can be used to maintain a private information link.

In comparison with asymmetric cryptosystems, symmetric cryptosystems are typically hundred to thousand times faster. A very important example of symmetric-key cryptog raphy is the One-Time Pad or Vernam, Cipher [7]. While public-key cryptography is only computational secure, it has been proven that the one-time pad is an unconditional secure 5

Table 1.1: Encryption using the one-time pad. Text Binary format Operation Message from Alice "NO" 0110111001101111 Me {0,1}" Key 1010111001110010 K e {o,i}n Encryption "192;" 1100000000011101 Message to Bob "192;" 1100000000011101 C = M®K Key 1010111001110010 Decryption "NO" 0110111001101111 C@K={M®K)®K = M

encryption algorithm. Unconditional secure (or information theoretic secure) means that the security of the protocol does not depend on the computational power or the algorithms used by the adversary.

The one-time pad fulfills three conditions to ensure perfect security:

• The key must be generated randomly, with uniform distribution of symbols.

• The key must be used only once and kept secret.

• The key must be as long as the message to be encrypted.

In the one-time pad protocol a message is first converted into binary form, a string of 0's and l's; the key is another binary string. The message is encrypted by combining each bit of the plaintext with the respective bit of the key using addition modulo 2 (also known as

XOR and represented by ©). The ciphertext is sent to Bob using a public channel. Bob, in turn, combines each bit of the ciphertext with the same key, and since applying the XOR operation twice is the identity, he recovers the initial message, as illustrated in table 1.1.

Claude Shannon proved that in the one-time pad the ciphertext does not reveal any new or additional information about the message [8], in agreement with Kerckhoffs' principle. If the key used is created randomly, the ciphertext will be random too. The only option left for an eavesdropper is to do an exhaustive key search. By doing this, Eve will obtain the correct message but with the same probability she will also obtain any other message of the 6 same length (i.e 2n different messages if the ciphertext contains n bits). In fact it is not possible for her to know which message is the correct one. Therefore, having more powerful computers would not help and this makes the one-time pad unconditional secure.

1.2.4 Advanced Encryption Standard

The Advanced Encryption Standard (AES), or Rijndael cipher, is another example of symmetric- key cryptography, more specifically of block ciphers. It was developed by two Belgian cryp tographers, Joan Daemen and Vincent Rijmen; the name Rijndael comes from a combination of the name of the authors. In 2001, AES was announced as an encryption standard by the

U.S government as FIPS (Federal Information Processing Standard); the new standard is

now used as a worldwide cryptographic standard by banks, administrations and industry.

Symmetric key ciphers are generally divided into stream ciphers and block ciphers. In stream ciphers the plaintext bits are encrypted one at a time. Block ciphers operate on a fixed length string of bits, and the length of the bit string is the block size. AES typically has a fixed block size of 128 bits.

AES can be used to compute message authentication codes (MACs), that is, to protect the integrity and authenticity of a message, but it is also used for encryption. It uses the concept of diffusion and confusion in multiple rounds (10 rounds for a 128-bit key) to construct the

ciphertext. Confusion is related to operations made using the key and the plaintext to make the relationship between them as confusing and involved as possible. Diffusion refers to the property of "dissipating" the redundancy in the frequency distribution of symbols of the

plaintext.

As a new encryption standard, AES is being utilized on a large scale since it is fast in both, software and hardware, it is relatively easy to implement, and requires little memory.

Still, the key in used for AES is changed infrequently, and is used to encode many messages.

Therefore, AES does not offer information theoretic security, in opposition to the One-Time

Pad. 7

In table 1.2, the cryptosystenis mentioned before are compared: their performance, mini mum key length needed to encrypt a message and the type of security offered are summarized.

Table 1.2: Comparision of classical cryptographic schemes Type Cryptosystems Performance Key length Security Asymmetric RSA 2048-bit key takes 30ms 1024 or 2048 bits Computational Symmetric AES Gbit/sec range 128-256 bits Computational Symmetric One-time pad Gbit/sec range =message length Unconditional

1.3 Key Distribution

At present, cryptography uses publicly known algorithms; the security of transmitted sensi tive data lies in a secret key shared between the parties, as explained in previous sections. In this approach the problem of securing information consists thus in the ability to distribute these keys among legitimate parties, guaranteeing their secrecy. This is known as the key es tablishment problem. This problem is particularly severe for information theoretic encoding via the one-time pad, where a lot of key material is needed.

As explained before the security of public-key cryptography is based on assumptions about computational resources of the eavesdropper. If the eavesdropper has access to unan ticipated computational power (e.g. quantum computer) or algorithms, the encrypted mes sage could be decoded in a period of time which might be shorter than expected at present.

The key could also be distributed by an encounter of the two parties, or the use of a trusted courier; however this is very impractical considering the amount of key material we need nowadays to secure all our electronic communications.

Common to all classical key distribution protocol is the fact that the integrity of the key can not be assessed after its distribution

All these facts lead to the conclusion that there is an urgent need to develop key dis tribution systems that can deliver secret keys at high rates to ensure the secrecy of the 8 transmission of sensitive data over the internet despite the rapid development of computa tional systems.

1.4 Quantum Cryptography

Quantum Cryptography, or more correctly Quantum Key Distribution (QKD) [9], enables two parties, Alice and Bob, to share a key known only to them. The secrecy of the key is guaranteed by the use of quantum mechanics to distribute the key.

Based on the particular properties of single quantum systems such as individual photons,

QKD enables Alice and Bob to establish a key, whose secrecy can be proven after key distribution, as opposed to classical key distribution where the security relies on assumptions such as the computational power of the eavesdropper. Alice can encode key material in individual quantum systems and then send them to Bob using a quantum channel. The information that Bob receives, after measurement, is a random sequence of bits, i.e. a key.

An eavesdropper, Eve, who tries to gain information about the quantum states sent from

Alice to Bob has to perform some kind of measurement on the quantum systems. However, in quantum mechanics a measurement, in general, disturbs the system to be measured, leading to a detectable disturbance, which allows, in turn, to assess the information gained by her.

The quantum states exchanged between Alice and Bob are called qubils, a short term for quantum bits [10]. A qubit is the quantum analogue of a classical bit or carrier of information in QKD. The information contained in a qubit is described by a state vector of a two-level quantum mechanical system in a two-dimensional Hilbert space. It is represented in the

Dirac notation by \ip) (ket psi). Qubits, like classical bits, can have a binary value of 0 or

1, assigned to one of the two orthogonal vectors of a specific basis, \%jj) = |0) or j-i/'} = |1).

Furthermore, a qubit can be in a superposition of these two states too, \ip) = a|0) + 0\1), where a and j3 are the probability amplitudes and in general are complex.

Qubits can physically be implemented using the spin of a physical system or the polar- 9 ization of photons. For example, it is possible to use vertical and horizontal polarization to represent the bit values 0 and 1, respectively. Alternatively one could use the circular polarization, where R (right circular polarization) represents the bit 1 and L (left circular polarization) represents the bit 0.

When Alice and Bob compare, using a classical channel, a randomly chosen subset of the data obtained from the qubits, they can assess the error rate and thereby upper bound the information Eve may have obtained (see sec. 2.3). If the number of errors in the key they share is below a certain threshold, a secret key can be extracted by means of error correction and privacy amplification. Note that the classical channel shared by Alice and Bob can be public and untrusted but it must be authenticated to prevent man-in-the-middle attacks.

Hence, before QKD, Alice and Bob must initially share a short secret key to authenticate all classical communication. QKD can thus be seen as quantum key expansion, rendering a long secret key from a shorter one. Part of the long key will be retained for the next authentication procedures and the remaining key can be used to encrypt and decrypt any message. For perfect security the one-time pad is used.

On the other hand when the error is too high, Alice and Bob simply discard the key and start the key distribution process again. Note that the key itself does not contain any information.

1.5 This work

1.5.1 Motivation

The development of information technologies (IT) has led to an enormous increment of trans mission of sensitive information through public channels. Advances in classical computer technology, algorithms or the possibility of building a quantum computer, is threatening for the security of sensitive information that has been encoded with cryptographic schemes that offer only computational security. It is thus necessary to develop better key distribu- 10 tion systems. QKD has the potential to provide a solution to the key distribution problem guaranteeing unconditional security.

Although commercial QKD systems are already available [11, 12], they are limited to bit rates of the order of kbits/s, making the implementation of the one-time pad impractical.

Hence, faster QKD systems are required, which is currently an important research topic. Two

QKD systems which can generate sifted keys at rates of Mbit/s have been developed [13, 14] by using frequency upconversion and Si avalanche detectors instead of detectors based on

InGaAs APDs. However, the problem in these systems is the data acquisition which slows down the process of distilling a secret key even if the sifted key generation rate at Bob's side is high. Furthermore, current point to point QKD systems should also be easily adapted for use in telecommunication networks, as is investigated in [15, 16]. Also, standards that ensure that QKD systems from different vendors are compatible should be created. It is highly desirable that such new QKD systems work with small, robust and low cost components.

Finally, the distillation of secret keys is currently limited to a distance of ^100 km between

Alice and Bob. One way to overcome this distance barrier would be the development of quantum repeaters [17].

The ultimate goal of our quantum cryptography group is to develop a QKD system with the afore mentioned characteristics, except for distance. Such a QKD system should work at

1550nm wavelength and deliver secret keys over a distance of a few tens of km over optical fibres in a real-world setting, i.e. outside the laboratory and in a network environment. This thesis concerns the study of specific telecommunication components used to build a QKD system and a proof-of-principle demonstration of such a QKD system. The implementation of this system into telecommunication networks is facilitated by the addition of a classical data header which contains routing information plus information regarding protocol and type of encoding utilized and allows synchronization and stabilization. To the best of our knowledge this is the first time that this type of header is included in a QKD system. Our 11 system is intended to produce a secret key with Gbits per second (Gbps) clock rate, this will allow distillation of a secret key at Mbps (mega bits per second). Yet, fast single photon detectors are not available at the moment, but they can be included into the system once they become available.

1.5.2 Organization

In this chapter I have introduced classical cryptography, in particular, encryption schemes such as RSA, AES and the One-Time Pad. I also introduced the concepts of computational security and unconditional security.

Chapter 2 contains a detailed explanation of the QKD protocol utilized in our system, the so called BB84 protocol, and a short description of other QKD protocols (Ekert91 and

BBM92). I also describe in detail specific methods used for classical post-processing and I present an introduction to some eavesdropping strategies that have been studied as well as possible solutions to overcome such attacks. At the end of the chapter I describe relevant proof-of-principle demonstrations that have been realized so far, including different kinds of encodings such as polarization encoding and time-bin encoding.

In chapter 3 I present the complete characterization of each component used and I give a detailed description of our proof-of-principle demonstration of the QKD system. Given that our QKD system works with polarization encoding and uses the decoy state protocol, I also describe how these protocols are implemented in our system by means of telecommunication components.

A discussion about the results obtained is presented in Chapter 4, including possible solutions to the problems encountered with certain components in the system.

Finally, in chapter 5, I give a summary of this work and I discuss the improvements that should be done in the near future in order to build a complete, integrated QKD system operating in a real world fiber link and delivering secret keys at Mbps. Chapter 2

Quantum Key Distribution (QKD)

Many different QKD protocols exist and most of them have been implemented experimen tally. In this chapter I will introduce the protocol used in our QKD system and I will give a brief introduction to some other important protocols. Finally, I will also introduce some of the most important realization of principle of QKD and eavesdropping attacks that have been realized so far.

2.1 Quantum key distribution protocols

2.1.1 BB84

The first and best-known QKD protocol was published by C.H. Bennett (IBM) and G.

Brassard (University of Montreal) in 1984. It is now known as BB84 [18].

In this protocol Alice and Bob share two communication channels, a quantum channel that is used to transmit qubits, in our case single photons in different polarization states, and a classical channel for classical information. In our case both channels are optical fibers.

In the BB84 protocol, four quantum states are used. They form two bases, with basis vectors chosen such that the overlap between any pair of vectors, one from each basis, is the same.

For example, the bases used in this work are {|+), |—)} and {\R), \L)}; where +, - refers to the +45° and —45° diagonal linear polarization, with respect to a previously established frame of reference, and R, L to right circular and left circular polarization states of a photon

(see fig. 2.1). For these states |(+|i?-)|2 = 1/2 and the same holds for the other pairs of vectors from different bases. We attribute the binary value 0 to the states |+) and \R), and

1 to the states |—) and \L).

In the BB84 protocol Alice sends individual photons to Bob in different qubit states, 13

-45 (1)

R(0)

Figure 2.1: Four polarization states represented on the Poincare sphere. Each pair (square or circle, respectively) represents a basis. Two different bases are shown. which are chosen uniformly and at random among the four states. Bob in turn chooses randomly among the same two bases, from now on referred to as "Bob's bases", to measure the photons received from Alice. Bob now announces to Alice the qubits that he detected.

Whenever Alice and Bob choose the same basis, their bit value should be equal. When different bases are used, their bit values are uncorrelated. At this point of the protocol,

Alice and Bob share a raw key, and the error rate in the key is 25%.

To discard the events when the bases do not match, Alice and Bob must do a basis reconciliation process in which they publicly announce and compare the bases used to prepare and measure each photon. Note that they do not announce the result obtained from each measurement. Since the bases were chosen randomly, in half of the cases, on average, they will coincide. The bits for which the bases do not coincide, about 50% of the raw key, are discarded. During the basis reconciliation process Alice and Bob use a public channel where

Eve can listen but cannot modify the transmitted message. The resulting key is called sifted key.

Alice and Bob now estimate the quantum bit error rate (QBER). This step is done by disclosing randomly selected bits and comparing their values. The QBER is the ratio of the number of wrong bits to the total number of bits received, 14

QBER = ^^.. (2.1) Ntotal

The QBER can originate from a number of different sources, including noisy detectors, poor state preparation, or eavesdropping. From a conservative point of view, all the errors should be assigned to Eve trying to extract information from the transmitted qubits. As we will discuss in sec. 2.3 different eavesdropping attacks lead to different relations between the

QBER and Eve's information with Alice and Bob. Assuming one-way communication and provided Eve's information is smaller than the information shared between Alice and Bob, they can distill an error-free secret key by means of error correction and privacy amplification

(see section 2.2).

2.1.2 Ekert91

In this protocol, proposed by Artur Ekert in 1991 [19], Alice and Bob are linked to each other by a common source. The source emits two qubits in a maximally entangled state. Alice and

Bob choose uniform and at random between two maximally conjugate bases to measure the qubits. Alice and Bob should have correlated results in the cases where the bases they used to measure coincide. As proposed by Ekert, Alice and Bob can use a third basis to measure the violation of a Bell inequality [20, 21]. Only when the inequality is violated a secret key can be distilled from the sifted key.

2.1.3 BBM92

The BBM92 protocol was proposed by Bennett, Brassard and Mermin in 1992 [22]. This protocol combines elements from both, BB84 and Ekert91. As before, qubits are distributed to Alice and Bob in maximally entangled states, i.e. \ij)~) = -4|(|01) — |10)). They randomly choose between two maximally conjugate bases (as in the BB84 protocol) to measure the photons. If they choose the same basis, the results they have should be perfectly corre- 15 lated, provided Eve did not eavesdrop the transmission. After this the processes of QBER estimation, error correction and privacy amplification are performed.

2.2 Classical Post-processing

Regardless the protocol used, Alice and Bob will share a sifted key. Although they discard

all the events where the bases do not match, the sifted key may contain errors and these errors may originate from different sources. A first possible source is the channel they share,

which in general will be noisy, that is a channel where qubits may be modified. A second possible source of errors is an eavesdropper who might have been listening and could have obtained partial information on the sifted key. In order to distill an error-free secret key

Alice and Bob perform classical post-processing on the sifted key they share.

According to the Csisar-Korner bound [23], for one-way error correction (such as low density parity check matrix based) Alice and Bob can distill a secret key as long as their mutual information is larger than the mutual information between Alice and Eve or the

mutual information between Bob and Eve, whatever is smaller

I(A : B) > min(l{A : E),I{B : E)) (2.2) where

I(A : B) = 1 - Me) (2-3) is the mutual information between A and B, e is the quantum bit error rate, see sec. 2.2.1

and /12 is the Shannon entropy given by,

Me) = -elog2(e) - (1 - e)log2(l - e). (2.4) 16

Classical post-processing is common to all QKD systems regardless of the protocol used to establish a key. Nevertheless different methods of error correction and privacy amplification can be implemented. In the following paragraphs I will discuss in more detail the procedures required for distilling a secret key.

2.2.1 Error Correction

The first step is to apply an error correction protocol to the sifted key. The most well-known code for error correction in the quantum cryptography community is the cascade code [24].

Although the cascade code is efficient (the information exchange for error correction ap proaches the Shannon limit), it requires multiple rounds of bidirectional communication, which is a time consuming process. In a future QKD system where the quantum key can be delivered at a high bit rate and over a long distance, error correction may become the bottleneck in the key distillation procedure.

An algorithm that could work better is based on low density parity check matrices

(LDPC) [25], the advantage being that it requires only one-way communication. Either

Bob can correct the error in his sifted key (forward error correction) or Alice can correct the errors in her sifted key (backwards error correction). In forward error correction Alice sends to Bob additional information (parity bits represented by vector p) calculated by means of a known low density parity check matrix and her sifted key.

p = Ha (2.5) where H is the low density parity check matrix and a is a vector containing Alice's key bits.

Bob, knowing p, has to find the new sifted key b' using b, his sifted key before being corrected, so that p = Hb'. To do this he takes into account the error in b, i.e. the probability of having a bit value 0 given that Alice sent a bit value of 1 or vice versa, which he knows from having assessed the QBER. The error correction algorithm is iterative and it 17 stops when the probability for each element of b' to be one is 0 + e or 1 — e.

The amount of parity bits required for error correction depends on the error rate. Using the channel capacity given by

= I(X : Y) = 1 - h2(e) (2.6) where I is the number of bits to be corrected, p is the amount of parity bits, e is the QBER and /12 is the Shannon entropy, we find the number of parity bits needed to be

P = lh2(e). (2.7)

At this point of the protocol Alice and Bob share an identical key, but Eve could have obtained partial information during the transmission of qubits or during the error correction process. Therefore Alice and Bob need to reduce Eve's information to an arbitrary low value.

To do so they use privacy amplification.

2.2.2 Privacy Amplification

During the privacy amplification process Alice and Bob randomly choose a compression function (hash function) to eliminate the partial information Eve may have. Hash functions map a large amount of possible message strings (Alice's and Bob's error corrected key) to a smaller amount of possible hash values (the secret key) so that the probability that another message (Eve's key after error correction) is hashed to the same value is very small, at most

P = 1/2™, where n is the number of bits in the secret key. In the context of QKD this means that the probability that Alice's key and Eve's key are the same is very small.

Before the key distillation process Alice and Bob agree to use a randomly chosen hash 18

function gab from a set of possible hash functions G:

G = {ga,b\l

9a,b(x) = [(ax + b) mod p) mod n, (2.9) p is fixed beforehand and x is the message to be hashed. In the privacy amplification process

Alice sends to Bob the parameters a and b, which are randomly chosen, n determines the size of the secret key.

After the process of error correction and privacy amplification, the secret key size relative to the sifted key, that is, the amount of secret key generated per sifted key bit, is

s = l-h2(e)-I(A:E) (2.10) where I(A:E) is the mutual information between Alice and Eve due to eavesdropping on the quantum transmission and I(A:B)= 1 - /12(e) is the information between Alice and Bob

(see eq. 2.3). Note that this formula can also be understood in the following way: after the process of error correction and privacy amplification, I(A:B)=1 is the information of the key shared by Alice and Bob and I(A:E)= /12(e) + I(A : E) is the information acquired by Eve after listening to the error correction process and eavesdropping the quantum transmission.

2.3 Eavesdropping

2.3.1 Qubit attacks

Eve's goal is to acquire as much information as possible on the quantum states sent by Alice and causing as little modifications as necessary. Depending on the specific eavesdropping strategy, the amount of information that Eve gains for a given QBER varies. In the ideal 19

1. Initial short key used for authentication

2. Establishment of raw key (BB84)

3. Key sifting

4. Assessment of QBER

5. Calculate l(A:B),l(A:E),l(B;E)

7. Error Correction

Privacy Amplification

Figure 2.2: The diagram above shows the steps required in QKD to distribute a secret key between two parties. 20 case Eve has access to perfect technology and she is only limited by the laws of quantum mechanics. As an example, Eve can interact with the qubits using any unitary interaction and an auxiliary system of her choice but she can not clone the qubits perfectly [26].

In a conservative analysis, Eve is only limited by the laws of physics and all errors in the sifted key will be attributed to Eve's interaction. Analysis with these strict assumptions are known as ultimate proofs. A second kind of analysis are the practical proofs where Eve is restricted to current technology or where we assume that part of the errors in the sifted key come from experimental imperfections.

Eavesdropping strategies have been classified in two main groups

1. Individual attacks (incoherent attacks): Eve attacks each qubit individually and then

measures each qubit one after the other (e.g intercept resend attack).

2. Collective attacks (coherent attacks): Eve attacks and process all qubits coherently.

This is the most general attack allowed by quantum mechanics.

In sec. 2.2 it was shown that the secret key size per sifted bit is given by

s=l~h2(e)-I(A:E) (2.11) where I (A:E) can be upper bounded depending on the type of attack that is considered.

2.3.2 Individual attacks

The intercept-resend attack is the most intuitive example for individual attacks. Eve inter cepts a fraction q of the qubits and measures each randomly in one of the two bases used by

Alice, then she resends to Bob another qubit in the state corresponding to her measurement result. In 50% of these cases she measures in the same basis that Alice chooses and she does not introduce any errors. In the other 50%, Eve chooses the wrong basis and introduces

50% error at Bob's. After key sifting, Eve has 50% information on all qubits attacked, i.e. 21

I (A : E) = §, leading to a QBER of e = f.

It has been shown [9] that for optimal individual attacks, such as the phase covariant cloning attack, Eve's maximal information is given by

max I {A:E) = h2(^ + J7^1>). (2.12)

Alice and Bob's mutual information is given by

I{A:B) = l-/i2(e)

= l + elog2(e) + (l-e)log2(l-~e). (2.13)

Figure 2.3 is a plot of the information I (A : E) and I {A : B) versus the QBER. As the QBER increases, Eve's information increases while Bob's decreases. Eventually the two curves intersect at the specific QBER

1 1 y/ e = ~ J * = 14.6% (2.14)

This is the upper bound for the QBER for which Alice and Bob can apply error correction and privacy amplification to their classical bits assuming one-way communication.

2.3.3 Coherent attacks

Assuming the most general attack, i.e. coherent attacks [27, 28], I(A:E) is

Im™(A : E) = Me). (2.15)

This bounds the QBER < 11%. Again, this limit assumes only one-way communication. 22

1 l(A:B) Coherent 0.9 l(A:E),„.-•"•"" •'Individual 0.8 -' l(A:E) Intercept-resend 0.7 /"' l(A:E)

0.6

0.5 V

0.1

0.3

0.2

0.1

I5%v7% QBER

Figure 2.3: The plot shows the information that Alice and Bob share, I (A : B), as a function of the QBER. It also shows the information that Eve obtains, I (A : E), for different kinds of attacks (optimal coherent, optimal individual and intercept-resend).

2.3.4 Photon number splitting attack

The security of QKD is based on the use of single photons. However, current QKD systems often use attenuated laser pulses (faint pulses) to simulate single photons [29, 30, 31] which have a non-zero probability of emitting more than one photon since the state produced is described by a mixture of photon number states \n)

. .n+m pi(n—m)9 n)(m\, 2?r JO „ITO vn\m\ £P„(/i)|n)(n| (2.16) where

Pn(fi) = (2.17) n\ 23 is the Poisson distribution, JJ, is the mean photon number and n is the number of photons in the pulse.

Photon number splitting (PNS) attacks were first mentioned in [32]. They have been analyzed thoroughly in [33, 34]. PNS attacks are based on the fact that Alice can not control when multiphoton pulses are emitted. Each multiphoton signal contains more than one photon, all of them in the same quantum state. Realizing a quantum non demolition

(QND) measurement Eve can find the number of photons in each pulse without disturbing their quantum state.

In the PNS attack, when Eve finds a multiphoton pulse, she keeps one photon and sends the rest to Bob. She modifies the transmission of the quantum channel as well as Bob's detector efficiency to ensure that these cases always lead to a detection event at Bob's.

Then, Eve waits for the key sifting and measures her qubits in the correct basis, thereby gaining full information without introducing errors.

For the single photons emitted at Alice's, Eve can not pursue the same strategy (a single photon can not be split). Her best strategy would thus be to block all these pulses.

Obviously, this introduces loss at Bob's. Yet, by carefully choosing the fraction of blocked single photons, she can balance the loss (for the single photon cases) with the increased detection probability (for the multiphoton cases), thereby remaining undetected. In the case

H>2-qt, (2.18) where r\ is the quantum efficiency of the single photon detector (SPD) and t is the transmis sion coefficient, she can block all single photons, thereby gaining full information about the secret key. 24

Overcoming PNS attacks

Assuming current or near future technology PNS attacks seem unrealistic. However, as mentioned before, from a security point of view it is better to consider that Eve has access to better technology and her actions are only bounded by physical laws. The possibilities to overcome the threat of PNS attacks are: use of very small mean photon numbers that are adjusted to the transmission probability [33], use of non-orthogonal states [35], or decoy states [36].

As described before, in the case where Alice sends only single photons, the probability of obtaining a secret key bit for each sifted key bit (secret key yield per sifted key bit) is given by

s = 1 - Me) - Me) (2-19)

(see equations 2.10 and 2.15). When expressed per faint laser pulse emitted, equation 2.19 becomes

s = ^(Qi-QiMei)-QiMei)) (2.20) where Q\ is the probability of a detection event that stems from a single photon emitted at

Alice's and e\ is the associated error rate. In this work we define the yield as the probability that Bob's detector clicks given that Alice sent an i-photon state and the gain as the yield weighted with the probability that Alice generated an i-photon state.

In the case of Alice sending faint pulses, the secret key has to be extracted strictly from detection events that originate from single photons emitted at Alice's. The secret key yield

(per faint pulse) is then given by

s = \{Qi - QM^) - QiMei)) (2.21) where Q^ is the probability to detect a faint pulse of mean value JJL emitted at Alice's and ei, e^ are the associated error rates. 25

Alice and Bob should then use faint laser pulses with optimized mean photon numbers, that is, they should find the optimum value of \i (for 0 < \i < 2rjt) to maximize s, for small ft, rj and t. The probability to detect a faint pulse is a function of the mean photon number

(/x), the quantum efficiency of the SPD (77) and the transmission (£):

Pdet = n-vt. (2.22)

The probability of emitting multiphoton pulses Pmuiu can be approximated by the prob ability of emitting a two photons pulse (P27) f°r small fi and is given by:

6 (2 23) PmulU ~ P27 = Y ^ ~ ^' ' leading to u2 QxO1 = PdetP,i„, —~ Po_P^, == n,ntmt~~ — (2-24)

The optimum mean photon value follows from

*9± = nt - n = 0 (2.25)

Hapi = 7}t, (2.26) hence, together with eq. 2.24

„Qx. = (: (j~ (2.27) 2

The sifted key rate for the BB84 protocol is small

2 Qi oc {Vt) (2.28) in comparison with the secret key rate obtained when the decoy state protocol is used as shown in the following paragraphs. 26

SARG04

Another way to overcome a PNS attack is using non-orthogonal states to encode different bit values. This protocol was proposed by Scarani, Acin, Ribordy and Gisin in 2004 [35].

During the sifting process, Alice announces a set containing the qubit state prepared. Using a generalized measurement, Bob can distinguish between the states in a fraction of cases with certainty. If Eve realizes a PNS attack and keeps one photon, she also has to discriminate between non-orthogonal states and will hence get conclusive results only in a fraction of cases, as opposed to BB84 where she always get full information about the key.

Decoy States

A third way to overcome the threat of the PNS attack was proposed by Hwang [37] and further studied by Wang [38] and Lo [36]. In the decoy state protocol, Alice randomly creates decoy states of various mean photon numbers (UQ, U\) in addition to the regular signal states of mean photon number [i. After the transmission, Alice announces which detection events stem from either signal or decoy states. This allows Alice and Bob to calculate the detection rates (Q^, Qvi,Qvo) and the QBER rates (e^, e„, e^o) independently. Now, Eve can not distinguish between different mean photon numbers (H,VQ,V\) and therefore can not adapt her eavesdropping strategy.

The key point of the decoy state protocol (studied in detail in [36]) is that the gain and error analysis of signals and decoy states allow Alice and Bob to lower bound the gain of single photon states that Bob received and upperbound their error rate. The measured quantities (Qi and e») can be expressed as

E e Y (^)P (fi) i l i l (2.29) i

Q„ = X»)/^), e,, = (2.30) i where P%[p) and P%{v) refer to the Poisson distribution of signal and decoy states respectively 27 and ej is the error rate caused by an i-photon state. Yj, the yield, is the conditional probability of a detection event at Bob's side given that Alice sent out an i-photon state. It depends on the transmission t and detection efficiency 77, which may have been modified by Eve.

Yi = Yo + i7it(l-Y0). (2.31)

YQ is the background rate, which includes the probability of dark counts and other background contributions. Note that YQ can be measured by Alice sending the vacuum state.

In [36], it was shown that two decoy states with different intensities are sufficient to find the lower bound of the gain of single photons Q\% and to calculate the upper bound of the error rate e\. In fact, the average photon number of the first decoy state is u\ =0.1 and of the second decoy state is v§ = 0, which is the vacuum state. Since one of the decoy states is zero, the formulas below contain only one decoy state (v\ = v) and the background rate

(YQ) which comes from using the vacuum state as a second decoy state. Also, it was shown that the optimal mean number of photons of the signal state is now /x^ = 0.5.

The single photon bounds are determined by experimental parameters and are given by

Qi > Qf = -^^{Quef - Q„e"4 " ^2^0), (2.32)

v „0 EvQve - e0Y0 , . ei < e{ = -J—Q •, (2.33) Yj v

Y?'° = —£-5(Q„C" - Q^-2 - ^^Y0)- (2.34)

The sifted key generation rate is now proportional to rjt,

Qi oc rjt. (2.35)

In comparison to the optimization of mean photon number method, this sifted key rate is 28 larger (for rjt < |)

2 Q{ oc rjt » (rjt) (2.36)

This implies that the distance between Alice and Bob can be increased. Experiments imple menting the decoy state protocol have been done and reported in [39, 30, 40].

2.3.5 Other channel attacks

Trojan horse attacks are attacks on Alice and Bob made via the quantum channel. Eve could use the quantum channel to send pulses to Alice and Bob during short times when such a channel is open, monitor the reflection at the elements that are used to encode the quantum states, and find out exactly which quantum state Alice prepared. This would give

Eve access to the entire key. These attacks are particularly dangerous for plug-and-play systems. Counter-measures to this attack have been proposed in [41].

Another attack is the so called time-shift attack. This attack is based on the fact that, in QKD systems using gated avalanche photodiodes, the detection efficiency peak for the bit

"0" or "1" may depend in a different way on time, for example, the detector efficiency peak for bit 0 is at to and the detector efficiency peak for bit 1 is at t\.

In timeshift attacks, an eavesdropper shifts the arrival time of each quantum signal to modify the probability that the qubit will be detected in detector 0 (creating a bit 0) or 1

(creating a bit 1), thereby getting information about the key. Moreover, she can carefully choose the probability to ensure that the ratio of Bob's detection events for 0 and 1 is about 1:1. Therefore, Alice and Bob are unable to catch the attack by checking the ratio

0 to 1 ratio of events. The threat of this attack can be removed if Bob randomly changes which detector detects a particular qubit state (for example, by applying a 90° rotation of polarization before the PBS). Eve's information about which detector clicked will thus give no information about the secret key itself (note that the bit value depends on the state detected, not on the detector that clicked) [42]. 29

2.4 Experimental QKD: The State of the Art

Quantum cryptography is said to be the most promising application of quantum communi cation theory [43]. It is beyond other areas of quantum information as far as experimental development is concerned, and commercial systems have been available since 2001 [11, 12, 44].

The first experiment of quantum key distribution was realized in 1989 [45]. Since then, many proof-of-principle demonstrations have been reported using different protocols as well as types of encoding [9, 46, 14, 40]. Today, one of the major challenge for QKD systems, besides increasing the distance, is increasing the rate at which secret keys can be produced and their implementation into telecommunication networks.

2.4.1 Fiber-based QKD

Time-bin encoding (plug-and-play)

One of the most advanced systems in QKD is the so called "Plug-and-Play" system. This system was developed at the University of Geneva [47, 48] and it was one of the first QKD systems to be commercialized [11].

In this system the key is encoded in the phase between two localized wavepackets, travel ing from Alice to Bob, i.e. the system is based on time-bin encoding. Strong laser pulses are emitted by a laser diode and injected into an interferometer which is connected to a polariza tion beam splitter (PBS), see fig. 2.4. The polarization state of the pulses are prepared such that the pulses traveling through the short arm (Hs) are transmitted and the pulses trav eling through the long arm (HL) are reflected when arriving at the PBS. Both them travel to Alice's side via an optical fiber. At Alice side they will be reflected on a Faraday mirror1

(FM). On the way back, the pulses go through a phase modulator which is activated only for the second pulse. After the phase modulator, an attenuator is placed to attenuate the pulses to the single photon level. Hence, Alice sends to Bob the qubit \ip) = 4= Ms) +elipA\l)J. Since

:A Faraday mirror is an ordinary mirror, mounted on a Faraday rotator, which rotates the polarization by 45°. It transforms any polarization state into its orthogonal. 30

FM PBS •—AA

APD AA—• / BS \

PMB

ALICE BOB

Figure 2.4: The plug-and-play system [9] the polarization states have been reflected on the FM, the pulses (Hs) now travel through the long arm and {Hi) travel through the short arm. A second phase modulator (PM) which is located in the long arm of the interferometer is activated. The phase setting determines the basis for Bob's measurement. Both pulses will arrive at the same time at the BS and will be detected in one of the detectors placed at Bob's side.

This system is called "plug-and-play" since it automatically compensates for the polar ization changes in the fiber link. Also, the problem of matching the path length difference, presented when two interferometers are used, is solved by the use of only one interferometer.

Polarization encoding

The quantum information to be transmitted from Alice to Bob can also be encoded in the polarization of the photons.

For this type of encoding there are difficulties that Alice and Bob have to solve when the quantum channel they use is an optical fiber [49]. First, time varying birefringence (phase velocity difference) along the optical fiber, produces instability of the polarization state of the light at the output. This requires an active stabilization mechanism. Second, polarization mode dispersion (PMD) may lead to depolarization. PMD is due to different group velocities for orthogonal polarization states

There are also advantages when using polarization encoding in fibers, for example, polar ization encoded qubits can be easily produced, manipulated and detected with simple optical 31

Alice Bob Basis 1 APD LD1 Quantum PBS \^ Channel BS [j^j]t[Z] ES O i is LD4 W$r ) Waveplates BasisAP 2 D

Figure 2.5: Experimental setup used for free-space polarization encoding. [9] components. The first proof of principle demonstration using polarization encoding based on fibers was demonstrated during the course of this work [40].

2.4.2 Free-Space QKD

If Alice and Bob are not connected through an optical fiber, they could use a free-space channel to distribute a key. The main advantage offered by a free-space channel is its non-birefringence, which implies that polarization encoding is easy to implement since the photons will remain polarized until they get to Bob [31, 50].

To produce four different polarization states, it is possible to use four different laser diodes, (e.g. \H), \V), |+), |—)), see fig. 2.5. However using four different laser diodes can compromise the security of the key if the wavelength of all the four laser diodes is not identical and Eve is able to deduce what polarization state is created each time by Alice.

A problem in free space QKD is the presence of background light, in particular during daytime. This noise source can be maintained low through timing discrimination (usually nanoseconds), spectral filtering, and spatial filtering [51, 52]. The main disadvantage of free-space QKD is its dependence on weather conditions and air quality. 32

2.4.3 Networking

Many proof of principle demonstrations of QKD have been implemented in a point to point configuration. Recently, studies have been done towards the expansion of a two-user system to multi-user network. It is progressing steadily and will allow QKD to achieve widespread usage in practical environments, such as already existing fiber networks [15, 53].

The first experiment for multi-user optical fiber networks was realized by Townsend [54] in 1997, he investigated a passive optical splitter. However, while Alice can establish a secret key with each Bob (Bobi, Bob2... Bobj) she can not switch from one communication party to another one actively. Afterwards, QKD transmission through three different active optical switches was tested [55]. These results were used in the construction of the DARPA Quantum

Network [56]. Another way of implementing multi-user QKD is based on wavelength division multipling (WDM) [57]. Yet, in this case the sender needs a tunable source in order to reach a specific receiver.

The networks mentioned above would work only for distances smaller than 100 km.

Another type of network that allows the establishment of a secret key between two parties separated by more than 100 km is currently being developed in the European SECOQC network [53]. This type of network uses trusted nodes. Chapter 3

Experimental investigations

Since 1970, when optical fibers became practical for use in communications, millions of km of fiber have been placed to form a world wide network. Nowadays fiber optics is widely used in the telecommunications world and has substituted the old copper cable. An optical fiber is lightweight, flexible, water resistant, it has a large bandwidth and low loss. Fiber optics are easy to use and because of their many applications, including optical amplifiers, sensors, medical applications, etc, their fabrication is cheap in comparison with other devices [58].

In this chapter I describe the characterization of various telecommunication components, based on fiber optics, in view of possible use for high key generation rate QKD systems, and present a proof-of-principle demonstration of polarization based QKD.

3.1 The set-up

The entire setup consists of fiber optics components. It is depicted in fig. 3.1. All the components preceding the phase modulator (PM) on Alice's side are made with polarization maintaining fiber. The core of polarization maintaining fibers are made highly asymmetric on purpose. Then, linear polarized light injected with its polarization along one of two orthogonal directions will not change its polarization while being transmitted through the fibre. However, all other polarization states change, i.e. polarization maintaining fibers can not be used as a quantum channel.

3.1.1 Alice

In this system Alice produces a signal composed of alternating trains of high intensity pulses and faint pulses, which we refer to as classical header (or classical data header) and quantum 34

ALICE BOB | AWG21 CG AWG3

ATT PBS2 PBS LDa 10/90 50/50 IM —0— PM 7 PSY *—D-l I 1 ~ \BS /\BT +/- L 1 SPD's AWG1 DET VPSY t i R/L PBS1 PBS[ -0/vl LDC T J. ™ *-

Figure 3.1: The entire QKD system. See also figures 3.3 and 3.4.

data, respectively (see fig.3.2).

The use of different intensity pulses has different purposes; first of all it gives structure to the quantum communication, ft facilitates the time tagging of the qubits since they can be organized in subsets belonging to different classical headers. Second it can be used for clock synchronization between Alice and Bob and it can include information about the length of the quantum data sequence. Third, it allows stabilization of polarization changes of the qubits originating from the birefringence of the fiber by serving as a reference pulse for polarization controller (see sec. 3.2.4). Furthermore, the data header provides a platform to extend QKD to network applications. For instance, the classical header may contain information about sender and receiver (for routing purposes), encoding and protocol used

(we assume this to be preestablished in a dedicated point-to-point link).

The classical header and quantum data are generated by means of two laser diodes

(LD), which are triggered by an arbitrary waveform function generator (AWG) with two independent outputs.

The polarization state of the pulses of the data header is horizontal. The pulses are thus transmitted through the polarization beam splitter (PBS1), reflected at the Faraday mirror (FM) and then arrive at the same PBS, see fig. 3.3. The pulses will now be vertically polarized and therefore they will be reflected towards a second PBS and there reflected 35

classical info qubits classical info

AAAAAAAAAAAAAAAAA 1 i 11 1 classical header quantum data classical header

frame

Figure 3.2: Structure of Alice's signal showing a complete frame consisting of the classical header and quantum data. again. In this way the classical header and the quantum signal are combined into one fibre.

The polarization beam splitter (PBS1) and Faraday mirror are used to convert the output polarization state of the classical laser diode from horizontal to vertical. It would be possible to just rotate the fibres but the key of the connectors would not be aligned and this actually prevents from connecting them.

The pulses produced by the quantum LD are attenuated using a fiber optic attenuator of 50 dB to lower the mean photon number of the light pulses to the single photon level.

After the optical attenuator, the quantum pulses are sent to an intensity modulator (IM) driven by a second AWG. The IM is used to modulate the light intensity to implement the decoy state protocol. Our protocol requires pulses with a mean photon number of 0.5 (signal states), 0.1 (first decoy state) and vacuum states (second decoy state), as explained before.

At this point, both, signal states and decoy states are horizontally polarized. They are thus transmitted at a PBS2 and combined with the data header. Both, the classical header and the quantum data, then go through a phase modulator (PM). The phase modulator encodes qubits into the faint pulses, and modifies the polarization states of the classical data header to allow for stabilization of the polarization transformation during transmission, as explained in sec. 3.2. Finally all the signals are sent to Bob using an optical fiber. 36

ALICE AWG2 data qubits header ATT LD C A A An AAAAAA IM A A* AAA A A PM .». A,*., AAA »A. AAAAA ft PBS2 0 1 sm fiber (link to Bob) AWG1 PBS1 LDcJ^AAAAA AAAAA . FM 7FT' dat a header

Figure 3.3: Alice's setup. LD: laser diode. AWG: arbitrary wave function generator. ATT: attenuator. IM: intensity modulator. PBS: polarization beam splitter. PM: phase modula tor. FM: faraday mirror. On Alice side the entire setup consists of polarization maintaining fiber optics components except the output fiber of the phase modulator, which is a non polarization maintaining single mode fiber.

3.1.2 Bob

At Bob's side a first standard telecommunication detector (New Focus 1554-B) is placed after the low power output of a 10/90 beam splitter (BS). It monitors the classical data header and will be used for clock synchronization or determines the measurement to be done or the protocol to be used, depending on the information encoded in the classical header.

90% of the qubits will be transmitted at this BS and then impinge on a 50/50 BS which serves to randomly choose between the two bases in which the qubits will be measured, see fig. 3.4. A polarization controller (PSY) is placed in each arm, after the BS to compensate for the polarization changes during the transmission from Alice to Bob, see fig. 3.4.

A second function of the polarization controller (see sec. 3.2) is to rotate the polarization state to realize the projection measurement in the proper bases. The PBS after the polar ization controller is needed to do the projection measurement. After the PBS, single photon detectors (SPD) are used to detect the photons. The SPD's are triggered by a third function generator and are currently synchronized with the quantum pulses emitted by the quantum

LD by means of a clock generator (CG) and a direct electrical link with AWG2. 37

BOB CG AWG3

PBS 10/90 50/50 II- PSY +/- L—Q3. SPD's PSYT—5 {)-; PBS1—0^-;

Figure 3.4: Bob's setup based on fiber optics components. BS: beam splitter. DET: classical detector. PSY: polarization controller. PBS: polarization beam splitter. SPD: single photon detector. AWG: Arbitrary Waveform Generator. CG: Clock Generator. The gray drawn components have not been included in this work but will be added to the setup in the future.

3.2 Components

3.2.1 The Laser Diodes

The first attempt to create classical and faint pulses was to use a transceiver (SFP-GE-S

1000BASE-SX). A transceiver is a commercial telecommunication device, which offers the

benefits of being small and non-expensive. It consists of a laser diode (transmitter) and a

photodetector (receiver) which are combined and share common circuitry used to produce

and detect signals. The transmitter is able to produce light pulses with a repetition rate

up to 1.25 GHz. The main problem was a constant background of CW light in the emitted

signal, which would swamp the single photon detectors on Bob's side.

As a second choice we used a laser diode with a single mode output fiber (AVANEX laser

module 1915LMI). Its on/off ratio is about 30 dB and it can produce up to 10 Gbits per

second (Gbps). The problem encountered with this laser diode was the single mode output

fiber. The pulses produced by this laser diodes are linearly polarized with a polarization

extinction ratio of 30 dB (see fig. 3.7b) but due to birefringence the polarization state is

not maintained as the pulses travel through the fiber pigtail and this produces an unstable 38

a) 500 ps/div b) 1.0 ns/div : A ^_

^ '

Figure 3.5: Screen shots of pulses produced by the quantum LD. a) 500 ps pulse with a repetition frequency of 120 MHz. b) 5 ns pulse produced with a repetition rate of 120MHz. Measurements made with a 12GHz bandwidth detector and a 6GHz bandwidth oscilloscope. polarization output which would lead to an increased QBER in the full QKD system.

In the current setup two identical LDs (Avanex laser module A1905LMI with single mode polarization maintaining output fiber) are used to produce the classical header and the quantum data. Both LDs were tested but polarization stabilization and extinction ratio are reported only for the quantum LD (both diodes have similar characteristics).

In the current setup the laser diode produces pulses of 5 ns (see fig. 3.5b) but it can also produce shorter pulses (~ 500ps) as shown in fig. 3.5a. The short pulses are required for a faster system. These measurements were made with a detector (New Focus 1554-B) and an oscilloscope (LeCroy Wavemeter 8600A, 6 GHz). Due to bandwidth limits of our AWG it was not possible to trigger the laser diodes at the maximum rate, which is 10 GHz, according to the specifications.

Next, we measured the output power fluctuations as shown in fig. 3.6a. We found a variation of only ~2% for both laser diodes over a period of time of 3 hours.

The polarization stability of the quantum laser diode was measured by placing a PBS after the laser diode and measuring the power after the PBS in one of the arms. The projection of the polarization state produced by this laser presented a variation of only 2% 39

a) AWG •*- -0^ DET

1.0 1.5 2.0 Time (hrs) Time (hrs)

Figure 3.6: a) Experimental setup used for the measurement of the output power stability of the two LDs. Output power stability of b) quantum LD and c) classical LD. The inset in b) shows the maximum range of the output power for this LD. The measurement was done for the mid output power. Both laser diodes produced pulses of 500 ps and were triggered at a repetition frequency of 120 Mhz. for a period of time of at least 7 hours, much longer than the time needed to produce a key, see fig. 3.7a. The frequency of the fluctuations found for this measurement is similar to the frequency of the intensity fluctuations (compare plots from fig. 3.6a and fig. 3.7a).

This suggests that the variation encountered in the polarization states might be due to the intensity fluctuations.

Finally, we measured the polarization extinction ratio of the LD while changing the pulse length using the AWG. We found it to be at least 20 dB (fig. 3.7b) regardless of the width of the pulse, at least within the represented available range. The polarization extinction ratio, e, in general is expressed in dB and is calculated by the following formula:

p e = -lOlog (3.1) 10 x mm *min * * max where Pmin is the minimum output power and Pmax is the maximum output power. These 40

a) b) )K~ PBS $N f"0,*_ PBS DET 1—» DET PC 1 [)/V

d) single mode fiber LD /

polarization maintaining fiber LD

Time (hrs) Width (ns)

Figure 3.7: a) Experimental setup for measuring the stability of the polarization state pro duced by the LD. b) Experimental setup for the measurement of polarization extinction ratio. The three circles denote a manual polarization controller, which is used to maximize the extinction ratio, c) Outcome of the measurement of the stability of a polarization state produced by the quantum LD. d)Polarization extinction ratio measured for the single mode fiber LD, and single mode polarization maintaining fiber LD, respectively, as a function of pulse width. 41

Figure 3.8: The intensity modulator. The working principle is based on a Mach-Zender interferometer. measurements were made to show that the polarization extinction ratio is not dependant on the pulse length after the laser diode.

3.2.2 Intensity Modulator

The intensity modulator (IM) used in this QKD system is a commercial optical modulator

(Avanex 791054301) based on a Mach-Zender interferometer implemented in LiNbOs, see figure 3.8. The application of a voltage allows changing the refractive index in one arm, and hence leads to an intensity variation at the output. It is possible to produce complete destructive interference by applying a phase shift of n.

First, we characterized the output power stability with the experimental setup shown in fig. 3.9a. We found fluctuations in the output power, which we assume to be due to the fluctuation of the laboratory temperature. The power instability was then suppressed by means of an insulating box. The IM is placed on a metal plate that is stabilized to

10°C above room temperature by means of a thermometer, a heating resistor and a PID temperature controller. With this setup it was possible to maintain the temperature of the

IM constant with a precision of ±0.01°C, leading to output power fluctuations below ~ 2% when DC voltage was applied to it (see fig. 3.9b). Using an AWG it was possible to apply

AC voltage into the IM, in this case it took much longer (up to 14 hours) to obtain small fluctuations in the average output power, possibly due to the heating of a 50O resistor inside 42 the IM.

0.0-) 'o 20 •

t- S 15'

T 1 ' 1 V 0.0 0.2 0.4 Time (hrs) Voltage (V)

Figure 3.9: a) Experimental setup for the measurement of stability and intensity extinction ratio of the IM. b) Output power stability of the IM (in CW operation). The inset shows the maximum and minimum intensities obtained behind the IM. The stability measurement was done at the mid output power, c) Intensity extinction ratio vs. voltage

Next, the voltage necessary for a TT phase shift (ir voltage) was measured using a pulsed laser diode with a repetition frequency of 20 MHz. The IM was driven by a square pulse at

20 MHz repetition rate synchronized to the arrival time of the photons. The IT voltage is

~ 4.5V and the extinction ratio of the signal was up to 30 dB, see fig. 3.9c.

3.2.3 The Phase Modulator

In this QKD system the four different polarization states required for the BB84 protocol are created using a phase modulator (PM) (EOspace LiNbOs phase modulator PM-3K5- 10-PFU45-SFU45). The PM introduces a phase change that is different for two orthogonal linear polarizations.

Commercial phase modulators, see figure 3.10, are typically made using a LiNbO-i waveg- 43

Light'ightln- -"a • ,|x \ ^-^^ Z\ —> N IJ O

Figure 3.10: The Phase modulator uide across which a voltage is applied to change the index of refraction of the material in the direction in which the voltage is applied. The relative phase shift is then given by

/W=2!rLAn0O (3 2) K where L is the length of the crystal through which the index of refraction changes by An,

Ac is the wavelength and V refers to the voltage applied.

As mentioned earlier our QKD system uses polarization encoding. Polarization states are created by means of the phase modulator, which has an input polarization maintaining fiber aligned at 45°. The alignment of the fiber is referred to the direction of one of its axis with respect to the axis of the crystal inside the PM. The output fiber of the phase modulator is single mode fiber.

The polarization state of the incoming pulse is expressed as

|0in) = -L(|tf> + |V>), (3.3) where \H) and \V) refers to horizontal and vertical polarization, respectively.

The phase modulator allows us to change the phase of one of the components, here assumed to be the vertical component, in the following way:

i \ipout) = -L(\H)+e ^\V}.) (3.4) 44

Using four appropriate voltages (i.e phases), we can create the four states:

±{\H) + e°\V)) = \+) (3.5)

-~(\H) + e^\V)) = \R) (3.6)

= IT ^(\H) + e*"\V)) = \-) (3.7)

,3m/2 = 3TT/2 1^4) + e' \V)) = \L) (3.8)

The polarization extinction ratio was measured (see fig. 3.11a). We found that it depends on the duration of the electrical pulse applied to the LD (see fig. 3.11c). As shown also in that plot, a sufficiently high extinction ratio of 20dB is produced for a pulse duration of 30 ns.

a) b)

d) 24-| •

22- J *""' '"'-»- * * •' » M J* f'' 20- f •••• •'"

18- f s f y- 3J 16-

* r y 1 - 2 o 14- f /* ,4 12- i S 10- _, , , , , , , j—, , , , ,__, . ( . _,—,—,— 30 40 SO 18 2.0 2 2 2 4 2.6 2.3 3 0 3 2 3.4 3.6 Width (ns) LD Input Voltage (V)

Figure 3.11: a) Setup used for the measurement of the polarization extinction ratio of the quantum LD. b)Setup of the measurement of the optical pulse length, c) Polarization ex tinction ratio as a function of the optical pulse width behind the LD (blue curve, squares) and the PM (red curve, circles), d) Extinction ratio (red curve, circles) and optical pulse width (blue curve, squares) as a function of the drive voltage into the LD. 45

From the results shown in fig. 3.11c, we assumed that the polarization extinction ratio after the phase modulator dependeds on the optical pulse duration (i.e. spectral bandwidth) and that this could be varied by varying the drive voltage into the LD. Therefore, in a second measurement, the width of the electrical pulse triggering the LD was fixed to 4 ns and the optical pulse was changed by changing the drive voltage into the LD. The bias voltage was set to OV during this measurements. The optical pulse width of the LD was measured using a fast detector and an oscilloscope, see fig. 3.11b, and then the polarization extinction ratio was measured after the PM again. For a drive voltage of 3.5 V, we obtain an optical pulse of 5 ns width and an extinction ratio e of 14 dB. A polarization extinction ratio of 14dB induces a QBER of approximately 4%,

QBER = Pmin = l(T0-l£ (3.9) *max i~ *rnin

In fig. 3.12a I show the experimental set up used to measure the polarization extinction ratio for two orthogonal polarization states. A variety of polarization states are prepared by applying different voltage into the PM varying from -5V to +5V. In fig. 3.12c I show the results of the measurement: in particular, two orthogonal polarization states, one for the highest positive polarization extinction ratio and the orthogonal one for the lowest negative, are prepared with a polarization extinction ratio of ±14dB, respectively.

We also tested the polarization stability of the PM with the setup shown in fig. 3.12b. The three circles in the schematics following the PM represent a manual polarization controller, which is used to map the created polarization states onto horizontal and vertical states. The plot in fig. 3.12d shows the result of this measurement for right circular polarization {\R)) and left circular polarization (\L)) states, prepared by applying Vi = 0.4V and V2 = —1.6V, respectively. These measurements were done with an optical pulse of 5ns. Input DC voltage

Vi drove the PM for 25mins and we recorded the output power after the PBS. After that, the input DC voltage was changed to produce the orthogonal polarization state and the output 46 power was recorded again for the following 15 minutes. We found, with the example of two polarization states, power fluctuations with a maximum variation of 3%, for periods of, at least, 15 mins.

a) b)

d) IR> •TO / •Mil Voltage 1 A 60

50- s A 3- 40 / 0 /A \ Q. 30 • • / \ \/\ L \ V/ > V Voltage 2 —i—|— —i— —I -2 0 2 5 20 25 40 Voltage (V) Time (mins)

Figure 3.12: a) Experimental setup for the measurement of polarization states prepared by the PM. The three circles denote a manual polarization controller, which is used to maximize the extinction ration for the circular polarization states, b) Experimental setup used to test the polarization stability of states produced by the PM. c) Extinction ration measured for different polarization states prepared using the PM. d) Measurement of the polarization stability of the PM. 47

3.2.4 Polarization Controller

The instrument used to compensate the polarization change during transmission of the qubits is a polarization synthesizer/analyzer (General Photonics PSY). I assume its working prin ciple to be as follows: input light goes through a series of waveplates which can be used to change the polarization state. The light is then sent to a 90/10 coupler. One of the arms goes to a polarization analyzer to monitor the state produced. The result is compared to the desired state, and a feedback to the waveplates allows minimizing the difference, see fig. 3.13.

"PSY Feedback

input 10% lates pol analyzer

90% output

Figure 3.13: Working principle of the PSY.

The compensation of the polarization transformation is done using the PSY which, in the future, will be activated by the data header. While compensating the polarization transformation of a given state \ijj), the transformation for the orthogonal state (|V,J_)) will also be compensated as the transformation is described by a unitary operator U:

(^-L) = ($\U+U\il>L) = 0 (3.10) implying that orthogonal states remain orthogonal under unitary transformations. However, any other state will be modified. For this reason it is necessary to stabilize the transformation of one state of each of Alice's bases independently, using two PSYs at Bob's. The PSYs both precede a PBSs, see fig. 3.4, which make the projection measurement onto the respective basis. The first PSY is set up such as to ensure that +45 (|+)) and -45 (|—)) polarized light created at Alice's, impinges on the PBS as horizontal and vertical, respectively. Similarly, 48 the second PSY will be set up to ensure that right hand circular and left hand circular polarization states arrive at the PBS horizontally or vertically polarized, respectively.

25 scrambling PSY active (PSY not active) PSY active I ,, n 1

20 detl detl a) I pol state 1 i; g 15 DET1 PM -R9- PSY —S-D^- PBSL—•{yv- o '0- 10 DET2

det2 f I I , det2 f pol state 2 ! | pol state 2 —i—'—i—'—i—'—i—i—i—'—i—'—i—'—i—<—i 20 40 60 80 100 120 140 160 180 Time (sec)

Figure 3.14: a) Experimental setup used to show the compensation of polarization trans formation using a PSY, and measurement of the time response of a PSY. The three circles denote a manual polarization controller (see text), b) Results of the measurement.

The polarization compensation of the PSY was tested with the setup shown in fig. 3.14a.

At first, the PSY was active and it was aligned to maximize the polarization extinction ratio obtained at the two detectors, after the PBS. The output power of each detector corresponds to the projection of the polarization state created by the PSY onto \H) and

|V) (see fig. 3.14b). The output power is recorded using a data acquisition card. After that the PSY is deactivated and, using a polarization controller between the PSY and the PM, a polarization transformation in the fiber is simulated. Then, the PSY is reactivated, the polarization transformation in the fiber is compensated again and the original polarization state is recovered.

The reaction time of the PSY was also measured using the setup shown in fig. 3.14a. First,

I maximized the polarization extinction ratio by means of the PSY. Then, I deactivated the

PSY and aligned the polarization state using the manual polarization controller to achieve 49 equal projections onto horizontal and vertical, i.e. equal output powers. Then the PSY is reactivated and the initial polarization state is automatically recovered. The output powers from the two detectors are recorded using a data acquisition card and analyzed afterwards with software. From the results obtained and shown in fig. 3.15, one obtains a reaction time of the order of a few ms.

18 ms

0.30-

~ 0.25- 3 •2- "fe 0.20- o Q. Pp^AfP - 0.15- a. O 0.10- d °-«>

0.05-

0.00- 1 1 1 1 1 1 1 r • 1

Time (sec)

Figure 3.15: Time response of a PSY for compensating polarization transformation.

Finally we measured the minimum operating intensity required for the PSY. We found that the mean intensity required is constant regardless of the duty cycle of the pulses of the

LD. The minimum input power that the PSY requires is 5fiW.

3.2.5 Single Photon Detector

All the qubits sent by Alice are detected at Bob's side using single photon detectors (SPD).

The devices we use are SPD modules from idQuantique (id 201 single-photon detection module), which are based on InGaAs avalanche photodiodes (APD). They can be used to detect single photons if they work in the so called gated Geiger mode [59]. In this mode the photodiode is reversed biased just below breakdown voltage (Vj,), and the voltage is raised above VJ, for 5 ns when the photon is expected. During this gate interval no current 50

Table 3.1: Dark counts and Quantum Efficiency for 4 different detectors Detector No. Prob. Dark Count Quantum Efficiency 1 6.15 ± 0.16 x l'O-5 6.0% 2 3.5 ±0.13 x 10"5 7.7% 3 5.36 ± 0.16 x 10"5 6.8% 4 1.61 ± 0.27 x 10-4 6.3% is flowing through the diode unless a photon impinges the sensitive area and triggers an avalanche which generates a macroscopic current which is sensed by a discriminator and indicates the arrival of a photon. At the end of the gate interval the bias is lowered again below Vb and the avalanche is quenched in order to reset the detector and prepare it for subsequent photons [60, 61].

However, a SPD is not perfect and sometimes it fails to record a photon when it strikes the detector area; the probability for an impinging photon to be detected is called detection efficiency and it is usually much lower than 100%. A second flaw is its non-zero probability to produce a count even though no photon is present. These events are called dark counts and they are produced when the avalanche is generated by thermal excitation or tunneling processes, instead of a photon. A false count can also be produced by the release of a charge trapped in the junction during a previous avalanche. These counts are called afterpulses.

Finally, the time between the absorption of a photon and the detection of the avalanche is statistically distributed around an average value, and the uncertainty of this distribution is called time jitter.

In the case of InGaAs APDs, typical values of the detector efficiency are around 10%, the dark count probability is around 10~5 per 5 ns gate, afterpulses should become negligible after ~ 1/zsec, and time jitter is below 1 ns.

We measured the dark count probability for a gate frequency of 1 MHz and a gate pulse of 5ns of four SPD's, see table 3.1. We also calculated the quantum efficiency of each detector 51 using: 1, P«fc - 1 V —In —— (3.11) H Pdc + -Ps•5i * 9 1 where 77 is the quantum efficiency, /i is the mean photon number per pulse, Pdc is the probability of dark counts and PSig is the probability of obtaining a count [62].

a) b)

-•—•-•_

0 100 200 300 400 500 600 700 800 Delay (ns)

Figure 3.16: a) Experimental setup used to measure afterpulses probabilities. Gate: gate signal, ref: reference signal, start: start signal, stop: stop signal, b) Plot of counts/laser pulses as a function of time delays.

The maximum frequency at which our SPD's can be triggered is around 1 MHz. This limitation comes from the afterpulses. The probability of finding an afterpulse is higher for shorter time delays after the detection of a photon. Figure 3.16a shows the experimental setup used to measure the afterpulses probability. A laser diode, a single photon detector

(SPD) and a time-to-digital converter (TDC) are triggered by two synchronized function generators. A TDC is a device utilized to measure the time between two events. The two function generators trigger simultaneously the LD (emission of optical pulse) and the TDC

(starting the time interval measurement). The SPD emits an electrical output signal for every count (signal or afterpulses) and this electrical signal stops the TDC. After that, it is possible to obtain an histogram of the counts obtained as a function of the delay between 52 start and stop of the TDC, see fig. 3.16b. The plot shows the ratio of counts/laser signals which are emitted with a mean number of photon of one per laser pulse. The first point (at

100ns) corresponds to a detection of a photon. The other points correspond to the detection of afterpulses, and show a rapid decay as the delay time increases. From the plot it is possible to observe that the ratio afterpulses/detected photons decreases for increasing delay times.

Hence, the QBER (induced by afterpulses) decreases for increasing delay. For this reason, the deadtime of the APD is normally set to around l^sec. The limitation of 1MHz triggering frequency comes from here.

3.3 Quantum Key Distribution

3.3.1 Measurement of the QBER and Key generation rate

The setup of the full system is depicted in fig. 3.17. The system was tested in a laboratory environment. We made a series of measurements to assess the QBER and to test the key generation rate of the system.

Two synchronized function generators (Tektronix AWG 3252 and Tektronix AWG 3102) with two independent outputs each are used to drive four different devices: two laser diodes

(Avanex A1905LMI), an intensity modulator (Avanex 6P075A00) and a phase modulator

(EoSpace PM-3K5-10-PFU45-SFU45).

First, Alice produces the data header (classical LD, Avanex polarization maintaining fiber-pigtail, A1905LMI, @1550nm) which consists of high intensity pulses (of mean power

P~ 30/xW) at a repetition frequency of 20 MHz and of 10 ns width. These pulses are sent to Bob via an optical fiber (1 m) and are used to adjust the polarization transformation in the fibre by means of the PSY. Then, the classical LD is turned off and the quantum

LD (Avanex polarization maintaining fiber-pigtail, A1905LMI, @1550nm) is turned on and triggered (also at 20 MHz) to produce faint laser pulses. The pulse length of the signal produced by the quantum laser diode is 5ns. 53

ALICE

ATT LD Q *-fH IM

AWG1

LD, r !PBS1 ™ ^_

Figure 3.17: Full setup of our QKD system. The gray figures show the devices that were not implemented in this experimental setup but that will be implemented in the future.

Two different voltages are applied to the IM to produce a sequence of signal states, or decoy states. The third decoy state (vacuum state) is produced by simply not triggering the laser diode. The IM is also triggered with a repetition frequency of 20 MHz, and synchronized with the arrival of the faint pulses.

For the test we created a sequence of |+) states, measured the detection rate and the

QBER and then repeated the measurement with the |—), \R) and \L) states independently.

The required polarization states are created by applying short (5ns) electrical pulses to the

PM with 20 MHz repetition rate. For the states |+) and |—) states, voltages of 0.0 V and

1.72 V are applied, respectively; while for the states \R) and \L) voltages of 0.4 V and -1.57

V are applied, respectively. Note that it was impossible to test the system using all four states without adjustment, we only had one PSY available and only two SPD's were used when the measurements were made. However, in the future the system will include two polarization controller and four SPD's as shown in fig 3.17. In the current setup the mean photon number and polarization states of the faint pulses were not randomly generated but were preprogrammed, which is sufficient for a proof-of-principle demonstration.

After the link, a first beamsplitter (coupling ratio of 10/90) was placed but the synchro nization between Alice's emission and Bob's detections was done through a direct electrical 54 link instead of using the classical header. After a second 50/50 BS used for random selec tion between the two bases, a PSY is placed. The PSY compensates for the polarization transformation. A PBS and two SPDs follow for the projection measurement.

Tab le3.2 : Results of the measurements of t ie QBER for signa and decoy st A* Polarization Correct detection Wrong detection QBER (%) state per faint pulse per faint pulse 0.5 + 0.012043 0.0005113 4.07 ± 0.01 0.5 - 0.017162 0.0005829 3.28 ± 0.01 0.5 R 0.017090 0.0006102 4.23 ± 0.01 0.5 L 0.017278 0.0016379 2.24 ± 0.01 V Polarization Correct detection Wrong detection QBER (%) state per faint pulse per faint pulse 0.1 + 0.004868 0.00032 6.19 ± 0.04 0.1 - 0.004526 0.00022 4.80 ± 0.03 0.1 R 0.005361 0.00031 5.55 ± 0.04 0.1 L 0.004957 0.00028 5.40 ± 0.03

VQ Detector No. Dark Counts Trigger Y0 0 2 50156 340,550,743 1.4 x 10~4 0 3 51978 340,550,743 1.5 x 10"4

Each SPD is triggered at 1 MHz by a third function generator (Tektronix AWG 3102).

The trigger pulses are synchronized with the pulses emitted by the LD (triggered only one out of twenty times) by means of a clock generator (Stanford Synthesized Clock Generator

CG635) which is synchronized to one of the function generator's at Alice's side. The number of detected photons and total number of gates are registered for each state produced. The same measurement is repeated for the states of the second basis. The results obtained are shown in table 3.2. The table also shows the dark counts, i.e. the yield of the vacuum decoy state, for detectors two and three (as defined in table 3.1). Chapter 4

Discussion

In this chapter I discuss the results obtained from the characterization of the telecommu nication components used to build our QKD system. I also present a discussion of the performance of the complete system.

4.1 Components

4.1.1 Laser Diode

As mentioned in section 3.2.1, all the sources tested are fast enough to produce light pulses with a repetition frequency of the order of GHz. According to the specifications of each device, the repetition frequency of the transceiver is 1.25 GHz and 10 GHz for the two LD

(single mode fiber and polarization maintaining fiber). This is important considering the ultimate goal of the project is to build a QKD system with GHz clock rate. However, the transceiver presented a constant background which makes it inappropriate for QKD and the single mode fiber LD does not maintain polarization states during the transmission to the phase modulator. However both devices had to be discarded.

Only the polarization state of the pulses produced by the polarization maintaining fiber

LD are stable. A polarization extinction ratio of 20 dB, as found in our investigations, translates into a QBER of 1%, which is acceptable for a final QKD system.

4.1.2 Intensity Modulator

The intensity extinction ratio of the commercial IM is up to 30 dB. This is by far sufficient to implement the decoy state protocol. Its max trigger frequency is up to 10 GHz, according to the specifications, which allows building a fast QKD system. 56

Nevertheless, the IM presented some problems regarding the output power stability.

Power dissipation within the internal 50fi resistor leads to heating, hence intensity instabil ities. This resistor can not be removed since it is a requirement to allow the IM to work at high frequencies. A solution to this problem was to use an isolating box and controlling the temperature constantly.

PBS PM CJ FM

Figure 4.1: Home-made IM based on a polarization beam splitter (PBS), a phase modulator (PM) and a Faraday mirror (FM).

A second solution could be to use a "home-made IM". Our home-made IM was built using a PBS with polarization maintaining fiber, a phase modulator and a Faraday mirror

(see fig. 4.1). This IM does not require temperature stabilization. It works in the following way: a horizontal polarization state emitted from the quantum LD is injected into the PBS

Wn) = \H), (4.1) this state is transmitted through the PBS and enters the phase modulator, whose optical axis is aligned at 45°. The input state is then expressed as

bn = ^(l+) + R)- (4.2)

In the phase modulator, each state acquires a phase that depends on the index of refraction of the respective axis and they also acquire a relative phase, v?i(V), which depends on the 57 voltage applied to the phase modulator. This leads to

ut \^ ) = _L(ei(v++*i(V))|+) + ew>-|_)) (4.3) where

Faraday mirror (FM), and the reflected state thus is

ut i i(v++v l(v )) \^ ) = _L(-e- *-|+)+e- ' ' |-)) (4.4)

Note that a FM rotates any polarization state to its orthogonal. At the second passage through the phase modulator the state becomes

|^°»«) = J=(_e-*v-e-i(v++92(v))|+^ + e-i(v«++vi(v))e-

= _Le-*(v++V->( - e-^2(V)| + ) + e-iV,V|_^

= ~e-^+^{ - ^r*»

v = ig-»(v++V-) f C _ g-»¥>2(V) _ e-iv>i(V)\ | m + f — e-*V2( ') _ g-^^VjN |y\ j _

At the PBS only the vertical polarization is reflected, leading to

j^out) = _Ie-i(v»++v-)^e-iv2(v) + e-

so the reflected power is

POTi oc i [l - cos (^(V) - ^(0))] Pm (4.7) in the last step we set 2(V) = ¥>(0)- The power can be varied from 0 to 58

Pin depending on the drive voltage into the phase modulator.

The 2-way configuration of the home made intensity modulator, made using a phase mod ulator and a Faraday mirror, automatically compensates for the slowly varying birefringence that causes instability in the output power. This makes this home made intensity modulator temperature independent and superior as compared to the commercial device, as confirmed by preliminary tests. Furthermore, it can be operated at GHz, and could thus be a good device for building a fast QKD system.

4.1.3 Phase Modulator

A large fraction of the QBER for this QKD system is due to the imperfect polarization state preparation of the PM.

The first problem encountered is the dependence of the polarization extinction ratio on the pulse width of the LD, see fig. 3.11. A possible explanation of this could be that the bandwidth of the light emitted by the LD is wider than the bandwidth of the PM (range of wavelengths for which the PM generates the same polarization transformation). If this is the case, then the PM acts differently for different wavelengths of the pulse transmitted through it, leading to depolarization. This could be tested by measuring the polarization extinction ratio after the PM with pulses of different bandwidth. If the bandwidth of the

LD is wider than the bandwidth of the PM then we could use a spectral filter to select the appropriate wavelength and improve the preparation of polarization states. The preparation of polarization states is important since it affects directly the QBER measured at Bob's.

As shown in figure 3.12, the drive voltage into the PM was changed to create two orthog onal states of the same basis (i.e. \R) and \L)). From the data obtained, we see that both states are created with an extinction ration of around 14 dB.

Finally the trigger rate of the PM is at least 10 GHz which means it could be used in a faster QKD system. 59

4.1.4 Polarization Stabilizer

The manual activation of the PSY is sufficient for a proof-of-principle demonstration, how ever, in a real QKD system this activation should be done automatically by means of the data header. The supplying company has already made the appropriate modification to two

PSYs and we will test the new PSYs stability in near future.

The response time of the PSY is short enough to compensate for polarization changes which have been reported to be on the order of tens of minutes, for 19 km and 35 km of fiber, respectively, between Alice and Bob [63, 64].

In an actual QKD system a stabilization time of the order of ms could seem long, however it might not represent a problem since the full quantum communication frame, including classical header and quantum data, have been planned to be 1 sec long, i.e. only 20ms per sec (=2%) would be used for stabilization.

4.1.5 Single Photon Detector

Finally, the performance of the SPD should be improved. As discussed before, the maximum trigger rate of an APD based SPD is of around 1MHz. The mean photon number of the pulses is n = 0.5. Taking into account a transmission of around 40% in a 20km fibre link and a typical quantum efficiency of 77=10%, this reduces the raw key rate to 20kHz, and results in a secret key rate of a few kHz. Hence, for the moment, the bottleneck to obtain higher key generation rates in QKD systems is the low triggering rate of the SPD. However faster detectors are being developed and should become available soon.

First, superconducting detectors are being developed and tested [65, 66]. These novel detectors have the proper characteristics to be used in QKD systems. Their maximum counting rate is close to 1 GHz, the quantum efficiency is 77 «10%, the dark count rate is

0.1/sec and the timing jitter is 35 ps. The drawback of these detectors is the operation temperature which is 4K. 60

Second, another possibility to overcome the low triggering rate, imposed by current In-

GaAs APDs, is to use Si detectors, which present a better performance, such as: rj ss80%, a typical darkcount rate of 100Hz, free-running mode and an operational temperature of

—20°C. The drawback for these detectors is the operational wavelength, which is

A third possibility would be to use the InGaAs APDs gated with a sine wave, instead of a square wave. In [67], a gate frequency of 800 MHz has been reported with this technique.

Finally, in [68], an InGaAs APD was operated in the free running mode with active quenching. This only limits the detection rate but not the clock rate.

4.2 Performance of the QKD system

4.2.1 Decoy State protocol

The secret key yield originating from single photons can be bounded using the decoy state protocol, which has been implemented in this proof-of-principle demonstration of this QKD system. Using equations 2.32, 2.33, and 2.34 it is possible to lower bound the secret key yield originating from single photons. To estimate it we use the gain of signal states given by the third column of table 3.2 (first four rows), the gain of decoy states given by the third column of table 3.2 (last four rows), the error of the decoy states given by the fourth column, the mean number of photons for the signal states and decoy states, which are 0.5 and 0.1, respectively, and the dark count probability of the detector, which is ~ 5 x 10~5. From the results obtained from our measurements we obtain the following bounds for the single photon gain and error rate, see table 4.1. 61

Table 4.1: Sing: e photon gain and error rate assessed via decoy states. Pol. State Gain Qi Error rate e\ + 0.017 0.054 - 0.014 0.044 R 0.017 0.050 L 0.016 0.050

4.2.2 Detector noise based distance limitations

Alice and Bob can distill a secret key for a QBERmax (or emax) < 11%. Here we only consider the QBER due to detector noise. Using

Pr. (4. T)fJ.t + 2PD it is possible to estimate the maximum possible distance between Alice and Bob

PD-2e *"max (4.9) max PD erjfi where t = lo0-1^*6* a is the absorption coefficient of the fiber (with a typical value of

0.2dB/km), PD is the dark count probability of the SPD used, rj is the quantum efficiency of the SPD and n is the mean number of photons per pulse produced at Alice's. The transmission includes the loss (6 dB losses) due to the 50/50 BS, the PBS and the PSY, at

Bob's side. The maximum distance is then given by

1/ (PD-2e 777. ax -* D L < - -log !v )-0.6). (4.10) a V emaxr)iJ,

For a mean photon number of 0.5, a dark count probability of 5 • 10~5 and a quantum efficiency r) = 0.07, the maximum distance between Alice and Bob for this QKD system is

L« 65 km. Chapter 5

Summary and Outlook

QKD in combination with the One-Time Pad protocol is unconditionally secure, contrary to classical cryptography systems in which the security of encrypted information is based on assumptions about the computational resources of the eavesdropper.

The combination of the conditions imposed by the One-Time Pad (key must be: randomly generated, used only one time and be as long as the message to be encrypted) and the desire to make it practical, results in the demand of fast QKD systems. It is then necessary to develop a QKD system with a high key generation rate (Mbit/s). In addition these QKD systems should allow implementation in existing telecommunication networks. The implementation of QKD into networks would allow the increment of the distance between parties.

Current commercial QKD systems (idQuantique, MagiQ, SmartQuantum) produce sifted keys at rates of only kbit/s. There are proof of principle demonstrations which have been built using different protocols and different types of encoding, but most of them report similar results to the ones given by commercial systems.

This thesis illustrates the development of a proof of principle demonstration of a QKD system that employs polarization encoding and fiber optics. The key is generated by means of telecommunication components in view of the development of a system with Mbps secret key rates. Also, to the best of our knowledge, we propose for the first time a QKD system that includes a data header. This gives structure to the signals sent from Alice to Bob for time-tagging, and can serve for routing purposes in future networks. Furthermore, the data header could facilitate the standardization of QKD systems, allowing the integration of systems from different vendors into a common network.

We realized a complete characterization of each component, as well as the identification 63 of problems that each of them present. We discussed some possible solutions to reduce the

QBER associated to the flaws of each of the components. From the measurements, it is possible to conclude that at least three (LD, PM and IM) of four active components in this QKD system can work at sufficiently high frequencies to produce keys at two orders of magnitude higher than the ones produced today with commercial systems. We expect to distill secret keys at high bit rates with this system once fast single photon detectors become available.

During this thesis a new component was developed. A home-made intensity modulator, used to produce signal states and decoy states, was built using a phase modulator and a

Faraday mirror. This new intensity modulator should be superior as compared to the com mercial device since it does not require temperature stabilization and can also be operated at high frequencies.

Nevertheless, there are still a number of things that have to be added to have a complete system. First, a random number generator is needed for the preparation of polarization states and decoys states, the randomness is required to guarantee the security of the ciphertext.

Second, it is necessary to use the data header for synchronization between Alice and Bob, for time tagging and polarization compensation. Third, once the time-tagging is done, error correction and privacy amplification processes (currently developed by Philip Chan from the

ATIPS laboratory at the University of Calgary) ha.ve to be added in order to distill the secret key. Finally, it is also necessary to test the full system. In fact, in a near future a quantum link (dark fibre) between the University of Calgary (UofC) and SAIT, i.e. a ~11 km link, will be available to test this system in a real world environment.

Regarding a high key generation rate, it is necessary to replace the SPDs since their trigger rate is the main factor that limits its increment. Faster superconducting SPD detectors are expected to be available in a very near future and we anticipate buying and testing nano-wire based detectors. 64

For a compact QKD system, it will be necessary to replace the arbitrary waveform function generators used to trigger the active components (laser diodes, phase modulator, intensity modulator and SPD's) by a Field-programmable gate arrays (FPGAs) which can work at GHz. Steve Hosier from SAIT, who is part of our group, has already started first investigations. Bibliography

[1] www.wikipedia.org.

[2] Kerckhoffs, A. Journal des sciences militaires IX, 5 (1883).

[3] W. Diffie and M. E. Hellman. IEEE Transactions on Information Theory IT-22, 644

(1976).

[4] Shor, P. W. Proceedings of the 35th Annual Symposium on Foundations of Computer

Science (1994).

[5] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptog

raphy. CRC Press, (1996).

[6] R. Rivest, A. Shamir, L. Adleman. Communications of the ACM 21, 120 (1978).

[7] Vernam, G. J. Am. Inst. Elec. Eng 55, 109 (1926).

[8] Shannon, C. Bell System Technical Journal 28, 657 (1949).

[9] N. Gisin, G. Ribordy, W. Tittel and H. Zbinden. Rev. of Mod. Physics 74, 145 (2002).

[10] M. Nielsen and I. L. Chuang. Quantum Computation and Quantum Information. Cam

bridge, (2000).

[11] www.idQuantique.com.

[12] www.magiqtech.com.

[13] K. J. Gordon, V. Fernandez, G. S. Buller, I. Rech, S. D. Cova, P. D. Townsend. Optics

Express 13, 3015 (2005).

[14] H. Takesue, E. Diamanti, T. Honjo, C. Langrock, M.M. Fejer, K. Inoue and Y. Ya-

mamoto. New Journal of Physics 7 (2005).

65 66

[15] W. Chen, Z.-F. Han, T. Zhang, H. Wen, Z.-Q. Yin, F.-X. Xu, Q.-L. Wu, Y. Liu, Y.

Zhang, X.-F. Mo, Y.-Z. Gui, G. Wei, G.-C. Guo. quant-ph/0708.3546 (2007).

[16] T. Honjoa, K. Inouea, A. Saharac, E. Yamazakic and H. Takahashi. Optics Communi

cations 1, 120-123 (2006).

[17] H.-J. Briegel, W. Dr, J. I. C. and Zoller, P. Phys. Rev. Lett. 81, 4 (1998).

[18] C.H. Bennett and G. Brassard. Proceedings of the IEEE International Conference on

Computers, Systems and Signal Processing , 175 (1984).

[19] Ekert, A. Phys. Rev. Lett. 67, 661 (1991).

[20] Bell, J. Rev. Mod. Phys. 38, 447 (1966).

[21] Bell, J. Speakable and Unspeakable in Quantum Mechanics. Cambridge University,

Cambridge, England, (1987).

[22] C. H. Bennett, G. Brassard and N.D. Mermin. Phys. Rev. Lett. 68, 557 (1992).

[23] I. Csiszar and J. Korner. IEEE Trans. Inf. Theory IT-24 , 339 (1978).

[24] C.H. Bennett, F. Bessette, G. Brassarad, L. Salvail and J. Simolin. Journal of Cryptol-

ogy 5, 3 (1992).

[25] Pearson, D. Quantum Communication, Measurement and Computing. AIP Conference

Proceedings 734, 299 (2004).

[26] Wootters, W. K. and Zurek, W. H. Nature 299 (1982).

[27] Mayers, D. J. Assn. Comput. Mac. 48, 351 (2001).

[28] Shor, P. and Preskill, J. Phys. Rev. Lett. 85, 441 (2000).

[29] C. Gobby, Z. L. Yuan and A. J. Shields. Appl. Phys. Lett. 84, 3762 (2004). 67

[30] Y. Zaho, B. Qi, X. Ma, H.-K. Lo and L. Qian. Phys. Rev. Lett. 96, 070502 (2006).

[31] C. Kurtsiefer, P. Zarda, M. Haider, H. Weinfurter, P. M. Gorman, P.R. Tapster and

J.G. Rarity. Nature 419, 450 (2002).

[32] B. Huttner, N. Imoto, N. Gisin and T. Mor. Phys. Rev. A 51, 1863 (1995).

[33] G. Brassard, N. Liitkenhaus, T. Mor and B. C. Sanders. Phys. Rev. Lett. 85, 1330

(2000).

[34] N. Liitkenhaus. Phys. Rev. A 61, 052304 (2000).

[35] V. Scarani, A. Acin, G. Ribordy, N. Gisin. Phys. Rev. Lett. 92, 057901-1 (2004).

[36] X. Ma, B. Qi, Y. Zhao and H.-K. Lo. Phys. Rev. A 72, 012326 (2005).

[37] Hwang, H.-Y. Phys. Rev. Lett. 91, 57901-1 (2003).

[38] Wang, X. B. Phys. Rev. Lett. 94, 230503 (2005).

[39] D. Rosenberg, J. W. Harrington, P. R. Rice, P. A. Hiskett, C. P. Peterson, R. J. Hughes.

Phys. Rev. Lett. 98, 010503 (2007).

[40] C.-Z. Peng, J. Zhang, D. Yang, W.-B Gao, H.-X. Ma, H. Yin, H.-P. Zeng, T. Yang,

X.-B. Wang, and J.-W. Pan. Phys. Rev. Lett. 98, 010505 (2007).

[41] N. Gisin, S. Fasel, B. Kraus, H. Zbinden and G. Ribordy. Phys. Rev. A 73, 022320

(2006).

[42] Y. Zhao, C.-H. Fung, B. Qi, C. Chen, H.-K. Lo. quant/ph-07043253 .

[43] Gisin, N. and Thew, R. quant-ph/0703255 .

[44] www.smartquantum.com. 68

[45] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin. J. Cryptology 5, 3

(1992).

[46] R. Ursin, F. Tiefenbacher, T. Shmitt-Manderbach, H. Weier, T. Scheidl, M. Linden-

thai, B. Blauensteiner, T. Jennewein, J. Perdigues, P. Trokek, B. Omer, M. Furst, M.

Meyenburg, J. Rarity, Z. Sodnik, C. Barbieri, H. Weinfurter and A. Zeilinger. Nature

Physics 3, 481 (2007).

[47] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden and N. Gisin. Appl. Phys Lett

70, 793 (1997).

[48] D. Stucki, N. Gisin, 0. Guinnard, G. Ribordy and H. Zbinden. New Journal of Physics

4 (2002).

[49] J. Breguet, A. Muller and N. Gisin. J. Mod. Optics 41, 2405 (1994).

[50] J.G. Rarity, P. M. Gorman and P.R. Tapster. J. Mod. Opt 48, 1887 (2001).

[51] W.T. Buttler, R. J. Hughes, S. K. Lamoreaux, G. L. Morgan, J. E. Nordholt and C. G.

Peterson. Phys. Rev. Lett. 84, 5652 (2000).

[52] R.J. Hughes, J. E. Nordholt, D. Derkacs and C. G. Peterson. N. Journal of Physics 4,

43.1 (2002).

[53] SECOQC, quant~ph/0701168 (2007).

[54] P. D. Townsend. Nature 385, 47 (1997).

[55] P. Toliver, R. J. Runser, T. E. Chapuran, J. L Jackel, T. C. Banwell, M. S. Goodman,

R. J. Hughes, C. G. Peterson, D. Derkacs, J. E. Nordholt, L. Mercer, S. McNown, A.

Goldman, J. Blake. IEEE Photonics Tech. Lett 15, 1669-1671 (2003).

[56] C. Elliot, A. Segienko and M. Dekker. CRC Press (2006). 69

[57] P. D. Kumavor, A. C. Beal, E. Donkor and B. C. Wang. J. of Lightwave Tech. 24,

3103-3106 (2006).

[58] Agrawal, G. P. Fiber-Optic Communication Systems. Wiley-Interscience, 3rd. Edition,

(2002).

[59] S. Cova, M. Ghioni, A. Lacaita, C. Samori, and F. Zappa. Appl. Opt. 35, 1956 (1996).

[60] G. Ribordy, J.D. Gautier, H. Zbinden and N. Gisin. Applied Optics 37, 2272 (1998).

[61] F. Zappa, A. Lacaita, S.Cova and P. Webb. Optics Letters 19, 846 (2000).

[62] idQuantique. id 201: Single Photon Detection Module. Operating Guide V. 3.0. (2007).

[63] N. Gisin, R. Passy, J.C. Bishoffand B. Perny. IEEE Photonics Tech. Lett. 5, 819 (1993).

[64] C. DeAngelis, A. Galtarrosa, G. Gianello, F. Matera, and M. Schiano. J. Lightwave

Technol. 10, 552 (1992).

[65] D. Rosenberg, A. E. Lita, A. J. Miller, and S. W. Nam. Phys. Rev. A 71 (2005).

[66] R. Sobolewski, A. Verevkin, G.N. Gol'tsman, A. Lipatov and K. Wilsher. IEEE Trans

action on Applied Superconductivity 13, 1151 (2003).

[67] N. Namekata, S. Sassamori and S. Inoue. Optics Express 14, 10043 (2006).

[68] R. T. Thew, D. Stucki, J-D. Gautier, A. Rochas and H. Zbinden. quant-ph/0801.3899

(2008).