--------------------------------------------------

Ben Catchpole

(000-499-444)

Free-space QKD

--------------------------------------------------

PHYS5820M Coursework – Prof. Tim Spiller

Cryptography is a long-established approach to information security which was being applied in ancient Mesopotamia at least 3500 years ago in the name of secrecy [40]; the process involves encoding a message such that only sanctioned recipients are able to retrieve the private information, cryptographic techniques are therefore critical to military and governmental functioning, as well as in many other information-sensitive industries in the corporate sphere, such as the financial sector [45].

The system offers security through the process of encryption, whereby a cipher algorithm is applied to transform (or encrypt) the chosen information - often referred to as a ‘plain text message’ (PTM) - to produce a ‘ciphertext’ [41]. The process also requires a key, both for the production of the ciphertext (or cryptogram), and subsequent information retrieval, the cryptographic key can either be ‘symmetric’, or ‘asymmetric’, depending on the specific implementation.

Symmetric encryption represents the more long-standing approach, whereby a secret key (which could be a word, number or random alpha-numeric string) is applied to encrypt some information, and the same (hence ‘symmetric’) key is used for decryption by the recipient. The issue with this approach is that the problem of security is not genuinely resolved, rather shifted from a question of information security to a question of key security – as anyone able to access (or deduce) the secret key is able to decrypt the message.

An illustrative example of this weakness is provided by the infamous ENIGMA cipher invented by the German engineer Arthur Scherbius, which was widely adopted before and during the second world war by Nazi Germany for the purposes of secret correspondence. The inherent flaw in the ENIGMA system is true of all classical encryption techniques; the system is only as secure as the cryptographic key itself. This was demonstrated by Alan Turing, largely considered to be responsible for modern computer science, who conceived and built the electromechanical ‘bombe’ to decrypt the German ciphertext via what is now known as a ‘brute-force’ approach. His achievements illustrate the fact that whether a key is compromised through old-fashioned theft or computational techniques the underlying principle is the same: symmetric key cryptography is fundamentally unsafe.

Anti-symmetric encryption provides a solution to this problem with the generation of distinct (hence ‘asymmetric’) ‘public’ and ‘private’ cryptographic keys, the public encryption key can be readily shared in the public domain without compromising the secret decryption key. Unfortunately, the system relies upon computational difficulty as the source of security – as a result, absolutely no protection is offered against inevitable advances in hardware and processing power, or the discovery of more efficient decryption algorithms. Consequently asymmetric techniques also represent a fundamentally flawed approach to the problem of information security, whilst they may offer short-term security the information can always (potentially) be compromised, to make things worse, there is no way of determining when a breach has occurred, as with symmetric techniques.

The only truly unbreakable (robust to ‘brute-force’) classical cipher is the Vernam cipher [42], which is also known as the one-time-pad (OTP). The approach ensures maximal security (as it is able to withstand infinite computational power [39]) from any unwanted third party (‘Eavesdropper’) when a random and unique cryptographic key as long as the message itself is used for a single encryption only. As such, the most efficient approach to for any unsanctioned

decryption (without a key) is an exhaustive search over all possible cryptographic keys [41,42,43].

Initially proposed in 1917, the scheme requires a random binary bit sequence for encryption, it is this randomness that provides the intrinsic security, as there are no patterns to subsequently identify. During research at Bell Labs Claude Shannon concluded that the OTP offered genuine information security in his classified report: ‘A Mathematical Theory of Cryptography’ [44]. He demonstrated that any unbreakable system must comprise of the same essential characteristics as the OTP: the key must be truly random, as large as the plaintext, never reused, and kept entirely secret [47]. Shannon’s findings, which were later published openly were independently reached by Vladimir Kotelnikov, in a still classified report [48].

Whilst the condition of a random unique key for each bit of information provides the inherent strength of the system, it is also the principal limitation: as there is no classical solution for sharing the key-string without making it susceptible to eavesdropping, the need to securely distribute extensive key-strings means the standard problem of key-security has largely prevented its wider use [39].

The need to resolve the limitations associated with exchanging secret keys, whether for use in OTP systems or otherwise, has led to the widespread implementation of ‘asymmetric’ key systems. A technique known as public-key encryption utilises two distinct, but mathematically linked keys, that are related in an asymmetric manner to provide a ‘one-way’ function. This asymmetry provides the (supposed) security of the scheme and crucially removes the need to agree upon a shared key beforehand.

A freely available ‘public’ key can be used to encrypt information, whilst the secret, mathematically linked ‘private’ key allows the decryption of anything encoded with the associated public key. The fact that the public key can be openly shared means that (supposedly) secure communication can take place repeatedly over a non-encrypted public channel, with the same public key used by an arbitrarily large number of people. The considerable increase in throughput offered by this approach (and corresponding reduction in logistical and financial complexity) explains why use of public-key cryptography is so prevalent, despite its inherent weakness.

The security of the public-key system relies upon the computational difficulty of what are known as ‘one-way functions’, first highlighted by W.S. Jevons in 1874 when he outlined the application to cryptography, in particular the problem of prime factorisation [49]. The asymmetry is used to create a ‘trapdoor function’ (the feature which provides the security in the widely-used RSA cryptographic system), alternative approaches that also make use of asymmetric problems include the EIGamal and digital signature algorithm (DSA) cryptosystems, which employs the discrete logarithm problem to ensure security. As there is no classical algorithm to effectively compute discrete logarithms, the running time of the most efficient (known-about) algorithm scales proportionally to the size of the specific group under consideration. An efficient quantum algorithm exists however, proposed by Peter Shor in 1995 [52], in a seminal paper that went on to encourage the rapid growth of quantum computing.

In addition to the DSA system, which was initially developed by the NSA but has since been adopted by NIST as a national standard, there is also elliptic curve cryptography [51], which was developed simultaneously by Koblitz and Miller in the 1980s. The scheme, based on the algebraic structure of elliptic curves over finite fields has provided powerful new

public key algorithms, which have facilitated much faster operations due to the use of smaller keys. The technique is sufficiently robust that it is used by the NSA for their encryption requirements; at www.nsa.gov it states that ‘elliptic curve public key cryptography using the 256-bit prime modulus elliptic curve…is appropriate for protecting classified information up to the SECRET level. Use of the 384-bit prime modulus elliptic curve is necessary for the protection of TOP SECRET INFORMATION [57].”

The most familiar ‘flavour’ of asymmetric key distribution is the RSA system [28], a scheme which takes the names of its creators: Rivest, Shamir and Adleman, who were working together at MIT at the time of development in 1978. However, the encryption algorithm was actually developed by Ellis, Cocks and Williamson at GCHQ in the 60s and early 70s, as it was classified information at the time it was not publically disclosed until 1997 [51]. Interestingly, they developed the system completely independently of Diffie and Hellman, who reported public key cryptography in 1976 and Merkle who also invented the technique in 1974 and published his work in 1978 [51].

The security of the RSA scheme derives from the fact that is computationally insignificant to multiply large prime numbers together but the inverse operation of finding the prime factors is far from trivial, even for powerful computers. This is due to the fact that the time taken to find the prime factors of a large integer increases exponentially with the number of digits [45] - hence the reason 2048-bit encryption is currently in-use, and should be sufficient until 2030 (after which 3072-bit encryption will be required)

The RSA scheme is used to provide security for a range of critical infrastructure, for example, the algorithm is built into all current operating systems manufactured by Microsoft, Apple, Sun and Novell, it can be found in phone hardware, in Ethernet network cards, as well as being incorporated into all major internet security protocols and being used by numerous branches of the U.S. government and major corporations [58]. Despite this, the specific extent of the security provided by the system is frequently overlooked or intentionally disregarded; crucially, RSA encryption is only very difficult to decipher, not impossible - a critical distinction when it comes to highly sensitive information [45].

The security of the scheme is illusory for a number of reasons: firstly, the message is only secure for a finite period - as it is not an impossible task to find the prime factors, it just takes time (proportional to the computing power applied), therefore the supposed security lies in the fact that any information encrypted is contextually insignificant by the time the prime factors have been computed. The ‘security’ also presupposes that an eavesdropper is limited to applying commercially available computing power, it makes no allowances for the possibility of an adversary with greatly enhanced processing power (utilising a supercomputer, a large network of computers or even an early undeclared quantum computer), or perhaps an unrevealed algorithm that allows prime factors (or the equivalent for alternative schemes) to be found more efficiently on commercially-available processors.

Significantly, there is no definitive mathematical proof that the process of prime factor multiplication cannot be readily inverted, it could easily be the case that a much more efficient algorithm for finding the prime factors of a large number has been formulated but not publically announced [45], a situation that would allow an eavesdropper real-time access to supposedly secure information. Irrespective of whether a security lapse arises from the existence of a more efficient algorithm, an adversary with exceptionally large computational resources, or simply an eavesdropper that is in no particular rush, the outcome is the same: the information is not fundamentally secure. Consequently it is only a matter of time before the approach becomes completely obsolete, either through the application of a more efficient reverse-factorisation algorithm, or the realisation of quantum computation in a manner that would enable the application of Shor’s algorithm (which can efficiently factor the product of two large primes and as such threatens to undermine the security of global military and commercial communication) [45].

As cryptography constitutes a fundamentally important and widely-applied solution to information security that exhibits critical weaknesses, irrespective of the specific implementation (even the OTP technique suffers from the same drawbacks as any symmetric key system – the key is never entirely secure as it can always be stolen), it is not surprising that the field of quantum cryptography has received so much attention in recent years.

The improvements offered by ‘going quantum’ are considerable; quantum cryptography offers the only genuinely secure method of achieving private key distribution [19,25,45], security is guaranteed by the laws of quantum mechanics [19,25,] which are universally accepted to be phenomenally accurate. Importantly, the process provides a failsafe indication as to the presence of an unwanted eavesdropper, directly contrasting schemes where security arises from the (perceived!) intractability of specific problems in number theory [10,15], and offer no indication of a security-breach.

Quantum cryptography is able to provide a reliable method for transmitting a secret key and knowing categorically whether the transmission has been intercepted - the process of sharing a secret key with the secrecy protected by the laws of quantum mechanics is known as quantum key distribution (QKD). A range of approaches have been implemented in the realisation of QKD, but they can generally be grouped into two principal mechanisms; one which utilises the properties of entanglement and simpler approaches which make utilise quantum-measurement principles [45]. Alternative schemes have also been developed, which modify the more established protocols, such as the use of orbital angular momentum [29], in a revision of the BB84 protocol that encoded information in the spatial modes of propagating photons. The approach, which does not require reference frame alignment, achieved a substantial increase in key generation rates by increasing the bits per photon that can be sent [29].

Since the demonstration of a free-space (as opposed to fibre-based distribution) QKD proof-of-principle, over a 32cm tabletop path in 1989 [6] the field has experienced rapid growth, to the extent where a global system of QKD distribution utilising satellites and ground stations is now a serious proposition [11,14,18,19,20,21,26,35,36,39]. Phenomenal distribution rates and distances have subsequently been realised with the demonstration of sifted key-rates of up to Mbit s-1 rates [23], and transmissions over 144km distances [34,36]. The utility of QKD schemes for applications in built-up urban areas was also demonstrated with the 8km distribution of entangled photons over the city of Vienna, demonstrating QKD capabilities in a location that would undoubtedly see an exceptionally large amount of usage due to the nature of the Swiss banking industry [27].

In addition to this QKD setups have been demonstrated that can be left unattended for long periods of time (up to four days), due to the incorporation of closed-loop tracking techniques [33], as well as QKD systems that could be miniaturised to allow portable

secrecy for everyday consumer applications [32]. Compact transmitters could be incorporated into hand-held devices such as a smart cards or mobile phones, to provide on-demand, portable secrecy over short ranges (a few metres), that could be ‘topped up’ like phone credit [32]. Low cost QKD manifestations have also been demonstrated, which utilise ‘off the shelf’ components and run-off LabVIEW to provide a low cost, DIY quantum cryptography system for anyone on a budget [37].

The rapid growth of the field is also attributable to the development of post-transmission protocols, as much as it is to technical developments on the practical side. Once a key-string has been shared by two parties it is necessary (in most implementations) to discuss specific experimental details and parameters – this produces a shorter ‘sifted’ key which (in an ideal scenario) is identical for both parties. Any deviations can be attributed to a range of environmental disruption mechanisms and experimental limitations, however common practice is to attribute all errors to the presence of an eavesdropper (Lutkenhaus approach [24]). In order to reduce (or eliminate) the partial knowledge of the key that an eavesdropper could potentially hold, the technique of privacy amplification [4] is performed; this produces a new, shorter key, of which Eve has negligible information. The technique was specifically introduced in 1988, shortly after a similar paper [3] two years earlier, in which it was outlined how a compromised channel could be salvaged through distillation of a shorter bit-string [4]. The concept of quantum cryptography was initially formulated by Stephen Wiesner in the late 1960s when he wrote ‘Conjugate Coding’ [1], initially unpublished, his ideas went unnoticed by the wider scientific community for an unduly long time, and his manuscript was not even published until 1983 [1]. Wiesner envisioned that quantum mechanics could be applied to the production of ‘quantum money’, utilising the laws of nature as the ultimate anti-counterfeiting measure. This was considered to be pure science-fiction [6], as any usable quantum currency (‘quantum bank notes’ [1]) would require the ability to store a polarised photon or spin-1/2 particle, whilst keeping the information resistant to depolarisation, absorption or general environmental interaction [6]. Real progress was made when Bennett and Brassard began to consider photonic information transfer rather than photons information storage, and Bennett introduced the quantum key distribution channel [2,3,6]

QKD means that information can be encoded with what is essentially an unconditionally secure OTP cipher, when two communicating parties have shared a sufficient amount of private key material a private message can be encrypted and sent across public channels at high rates with maximal security. Providing a fresh key is used for each communication a OTP cipher is being implemented, and the message is completely robust to eavesdropping strategies [45]. Classically, a OTP key would have to be physically shared (making it susceptible to theft), however with QKD the key is instantaneously shared – meaning secure communication can take place before key becomes vulnerable, in addition, the technique is extremely sensitive to the presence of an unwanted eavesdropper during communication.

In classical data transmission systems there is no way that Alice or Bob could be aware of the presence of Eve (simply through analysis of what has been transmitted) as there is no physical law prohibiting Eve from making a perfect copy of the data. In conventional cryptography and information theory it is therefore implicitly accepted that digital communications can always be passively monitored, without either Alice or Bob being aware of any eavesdropping taking place. [6] Quantum mechanically things are very different, the ‘no-cloning’ theorem [60] dictates that it is not possible to make an arbitrarily good copy of a quantum state, consequently, when digital information is encoded into quantum systems (such as photons) a secure communications channel is produced, whereby any eavesdropper not privy to specific experimental parameters cannot successfully intercept the key transmission without giving their actions away [6]. More specifically, it is not possible to make a quantum measurement without affecting the state - after detection of a photon Eve cannot transmit an exact copy of what she received. This constitutes the principal tenant and source of strength for the QKD system and quantum cryptography in general; if the key data is encoded quantum mechanically any eavesdropper will give away their presence through the process of measurement. (These key bits can subsequently be discarded in favour of secure key bits) [45] The specific property of quantum mechanics that is utilised is Heisenberg’s uncertainty principle, which describes how certain pairs of properties have an uncertainty associated with them and how the act of measuring one property randomises the value of the other, and vice versa, familiar examples are energy/time and position/momentum, but it is also true for different orthogonal basis states [6]. For example, measuring the linear polarisation of a photon will completely randomise it circular polarisation, and vice versa, quantum indeterminacy means that the state cannot be measured in a chosen orthogonal basis set without disturbing the conjugate basis set.

Figure 1. Measurement of the linear polarisation of a single Figure 2. Block diagram depicting the QKD process (taken from [22])

photon in two different coordinate frames (taken from [9])

Generally, any pair of orthogonal polarisation states are referred to as a basis if they correspond to a measurable property of a photon, the bases are said to be conjugate if the measurement of one property completely randomises the other [6]. The polarisation state pairs used in the first-developed QKD scheme (the BB84 protocol) are the rectilinear basis of horizontal and vertical polarisation (|H> and |V>), the diagonal basis of 45° and 135° and the circular basis of left- or right-handed circularly polarisation (lhcp and rhcp), of these three bases any two are conjugate to each other. A useful illustration of this process is seen in Figure 1 (taken from [9]), which demonstrates the fact that a quantum mechanical measurement of one set of variables will introduce uncertainty into another set of variables [9]. In Figure 1 the measurement of the linear polarisation of a photon can be measured in either the x-y or the x’-y’ coordinate frame (which corresponds to the rectilinear and diagonal bases respectively), if the photon is initially polarised along the x’ axis in the diagonal basis, a measurement of its polarisation in the x-y basis will produce two possible outcomes: polarisation along the x or y axis, consequently the polarisation in the x’-y’ coordinate frame becomes completely randomised [9] – it is precisely this disturbance that can be used to identify the presence of an eavesdropper during key distribution.

Perhaps the most well known method for achieving QKD is based on transmitting attenuated laser pulses, where the polarisation of each photon is used to encode the information according to the BB84 protocol. The scheme uses four distinct quantum states, which arise from two conjugate Hilbert-space bases - meaning each basis set is capable of being encoded with two bit values [2,41].

Whilst an ideal scenario would involve the use of genuine single photon states the drawbacks and restrictions associated with trying to incorporate a single photon source (SPS) into a QKD scheme means that single photon states are usually approximated by highly attenuated laser pulses, known as a weak coherent pulse (WCP). Encoding is achieved using a random number generator (RNG), this allows Alice to transmit a random sequence of polarised photons to Bob (as depicted in Figure 2), who also randomly chooses which basis to measure each received photon in, producing an associated bit value for each measurement [6,41]. This produces an uncorrelated ‘raw’ key, as there are

multiple discrepancies caused by instances where Alice and Bob chose a different basis, to reconcile these differences the two parties subsequently perform ‘basis reconciliation’ to remove the erroneous bits, once achieved the two strings are expected to be perfectly correlated, provided the channel is noise-free and there is no active eavesdropper [41].

For each key bit Bob only has to publically inform Alice the measurement basis that was applied, without having to discuss the specific bit-value obtained in each case. Alice’s response reveals when similar bases where used, allowing the identification of correlated bits in what is known as ‘basis reconciliation’, a procedure that results in a ‘sifted key’ (see Figure 2) [41] - when coincidental bases are used the assigned bit value is retained, whereas all other bits are discarded. This produces a bit string that is typically half the length of the raw transmission bit string, as Bob will guess the correct basis 50% of the time on average. As basis reconciliation reveals no useful information to an Eavesdropper, the classical channel used to refine the data need not be secure, it merely has to be ‘authentic’ [3,4,41]

The presence of an eavesdropper is always revealed by errors contained within these (ideally) correlated bit strings; this is usually discussed in terms of a quantum bit error rate, or QBER (the ratio of the number of erroneous bits to the total number of bits), an additional error rate of between 25-50% would be introduced into the QBER of the ideally correlated system, dependent on how lucky Eve was with her basis choices [41]. Consequently Alice and Bob only need to publically compare a random subset of the sifted key string to identify Eve’s presence. In practice, even without the presence of an eavesdropper a sifted key will contain a non-zero QBER, with bit errors attributable to transmission channel noise, or issues with the sender/receiver apparatus [24,41]. Following the approach of Lutkenhaus all errors (including those associated with photodiode dark counts) are attributed to an eavesdropper [24,39], applying this extremely stringent assumption enables the calculation of upper bounds for Eve’s potential information from QBER values, which in turn allows inferences to be made regarding the amount of joint secrecy shared between Alice and Bob [24].

Using well-established error-correction techniques Alice and Bob are able to ‘distil’ a smaller keystring from the sifted key that contains almost perfect secrecy [6,22,41]. Overall system performance is generally characterised by the secrecy

efficiency as it describes the total number of secret bits produced per unit time [22,24], although with the eventual incorporation of a SPS the BB84 protocol would be unconditionally secure following the implementation of privacy amplification [22]. The specific approach to QKD described above has been widely implemented by many groups since it was first formulated by Bennett and Brassard in 1984 [54]. The principle was demonstrated experimentally shortly after, with the first successful QKD exchange occuring in October 1989 [6,55]. This development signified ‘the dawn of a new era’ for the field of quantum cryptography with transmission over a free air optical path of ~32cm, in a setup that was heralded to be secure (after application of post-transmission protocols) against an enemy with ‘unlimited computational power’ [6]. A more rigorous (in that it was performed over a more realistic distance) proof of principle of the QKD system was given a few years later over a 10km optical fibre, whilst this was demonstrated with a transmission channel largely unsuited for global key distribution, the ability to produce effective secret key rates (~16kbit s-1) over extended distances was demonstrated [7], it was around this time that Bennett and Brassard published another key paper on privacy amplification [8] - an essential and frequently used component of the QKD toolkit. Shortly after the 32cm tabletop transmission channel was shown to be effective, free space distribution protocols were successfully demonstrated in more realistic conditions and over much greater distances, with a 150m indoor transmission and an outdoor daylight transmission over 75m outdoors reported in 1996 [9], successful key distribution was reported for an indoor optical path of 205m in April 1998 [11] and the first 1km night-time transmission over outdoor folded paths (to a mirror and back) was reported in October 1998 [10]. The close co-location of the transmitter and receiver in the ‘folded-path’ approach is not necessarily representative of real-world practical applications and can therefore mis-represent the effects of turbulence (and other atmospheric effects) on beam transmission [15]. The first point to point demonstration of free-space QKD over an extended distance was reported in 2000 at the University of California, with a 1.6km daylight transmission [15], shortly after a group in India reported a free space point to point distance of 0.5km [14]. Since breaching the 1km milestone in 2000 the field progressed just as rapidly as the preceding 16 years, with

considerable improvements realised both in key distribution rates, and the transmission distances that are attainable, to the point where many of the crucial requirements for global QKD have now been satisfied [18]. Long distance free-space QKD was demonstrated at night over a 23.4km distance between two mountaintops in southern Germany in 2002 [20], which after sifting and error correction produced key exchange rates of the order of hundreds of bits per second. In the same year the group at Los Alamos reported day and night transmission over a 10km distance [22], with slightly better rates of secure key generation, reporting up to 2000 sifted key bits per second. With more recent developments, free-space QKD has demonstrated an attainable range of hundreds of kilometres [34,36] and key distribution rates routinely in the kHz-MHz range, as well as reliable setups designed to work with ‘off the shelf’ components [37]. Free space links have been demonstrated in a wide range of settings, over mountaintops [19,20], crowded urban areas [27] and even between two of the Canary Islands [34,36], demonstrating that QKD techniques are versatile enough to be applied around the world in shorter point-to-point links, as well as in a ground-satellite global network. The pioneering work performed by Bennet and Brassard in 1989 (using the apparatus pictured in Figure 3) implemented the BB84 protocol to perform the first free-space key transmission; their specific realisation used the conjugate rectilinear and circular bases for the experiment, which they conducted inside a light-tight box ~1.5m long. The source (Alice) on the left hand side of the bench consisted of a green LED that produced incoherent flashes, these were collimated by a pinhole and lens and passed through a 550nm interference filter to reduce the spectral width and intensity of the beam, and select a specific region of the spectrum for which the photomultipliers had optimal quantum efficiency [6]. The LED, after collimation, filtration and polarisation produced a beam intensity of ~0.1 photons per pulse, half of which were emitted during the first 500 ns. This low light intensity is a crucial component in the eavesdropper-prevention strategy, as any adversary could try to exploit the statistical nature of the pulses, implementing a photon splitting attack on any pulses containing two or more photons [6].

Figure 3. Photograph of the experimental apparatus described in [6]. Incoherent light flashes produced by a LED on the left are collimated by a pinhole and lens,

and subsequently passed through a 550nm filter and horizontal polariser. Pockel’s cells are used to convert the horizontal polarisation to an arbitrary polarisation

state, after the 32cm transmission the beam passes through another Pockel’s cell before detection on the right hand side (Figure taken from [6])

Modulation of the polarisation was achieved with two Pockels cells (operated at ± the quarter-wave voltage), which allowed a choice of four polarisations: horizontal, vertical, lhcp and rhcp. Diagonal polarisations could also be generated with the apparatus but it required twice as much voltage to be applied to the Pockels cell [6]. The receiver (Bob) consisted of another Pockels cell and a beamsplitter which divided the beam into |H> and |V> beams before they were passed into two photomultiplier tubes, as these cells were also operated at quarter-wave voltage, ‘Bob’ was able to measure in either the rectilinear or circularly polarised basis simply by switching the voltage on/off [6]. In order to achieve maximal effectiveness a 500ns coincidence time window was utilised, this ensured that the most intense region of each light pulse was targeted and avoiding the excessive dark counts that inevitably accumulate if the

window was open for the entire 5μs duration of the pulse [6]. Utilising the post-transmission techniques detailed above a total of 754 bits of perfectly correlated secret key were ‘distilled’ from an original 2000 bits; Eve’s expected information was calculated to be less than 10-6 bits, according to privacy amplification theory and the probability of a 5 sigma deviation [6]. This early milestone in free-space key transmission was hugely significant, both for the field of quantum cryptography in general, but more specifically for the development of a global system of free-space QKD. The integrity of the physical medium used to transmit key bits between Alice and Bob (known as the transmission channel), and its associated quantum transmission efficiency is extremely significant - the channel must be able to accurately and reliably preserve the quantum states during the process of transmission [39]. Whilst a large number of applications make use of optical fibres for key distribution, there are significant distance limitations introduced by dark count detector noise and photon absorption and decoherence in the transmission channel [9]; these factors (along with others) limit the attainable range of fibre-based schemes to between 100-200km [9,26,39]. Progress has been made towards the realisation of a ‘quantum repeater’ scheme in an attempt to remove this crucial obstacle for fibre optic systems - combining the emerging fields of entanglement swapping, entanglement purification and quantum memory [21,26] to enable entanglement sharing over extended distances, however the scheme has yet to be translated to any kind of integrated, usable system [39]. In the mean-time free-space QKD holds much greater potential for secure long distance communication, exploiting a network of satellites and ground stations it would be possible to distribute single photons and entangled photon pairs around the world [11,14,18,19,20,21,26,35,36,39], creating a system that would allow secure, high bandwidth global communication [14,26]. For many reasons, free-space key distribution represents a more promising approach to long-distance key transmission and the eventual realisation of a global QKD network, the atmosphere does not significantly perturb the polarisation of a photon as it is essentially non-birefringent at optical wavelengths [10,14,22,39], and the existence of a low absorption window near 800nm means that free-space systems do not require compensatory or amplification schemes, as is the case with optical fibres [39]. A surface-to-space transmission of 80% was recorded for 772nm photons in 1998 [10], whilst in 2011 atmospheric attenuation was measured to be as little as <0.1 dB km-1 between 780nm and

850nm [39], at these optical wavelengths the depolarising effects of Faraday rotation are also negligible [14]. In addition, absorption and depolarising effects play a negligible role in outer space, another factor that further indicative of the feasibility of a ground-satellite global QKD system (along with many other adverse atmospheric influences that subside with increasing altitude). An equally useful application of free-space QKD is likely to be for short-distance ground-ground communication in high-density urban areas with high bandwidth demand [27,39], many metropolitan fibre-optic networks often suffer from what is known as a ‘connectivity bottleneck’, an effective solution to this bandwidth shortage would be the application of free-space communication techniques [39]. Free space links are also financially preferable to fibre-optic cables as they can be installed between any two arbitrary points without concerns regarding the logistics of the associated cabling, thereby allowing rapid deployment and high bit-rate secure communication between locations in a built-up metropolitan area [39]. Whilst free-space key distribution undoubtedly offers a superior transmission channel to that offered by fibre-optic schemes, there are drawbacks that are specific to free-space techniques. Challenges include beam divergence [39], background radiance (which is significant even during night time operation), beam wander and turbulence [22]. Of these concerns, the role played by sunlight and ambient light is particularly significant, as unwanted photons are registered by the photo-detectors in addition to the signal, thereby increasing the error rate. Fortunately, many techniques exist to counteract these effects, a combination of which can largely render the problem tractable. These include (amongst others) spatial filtering (the use of small solid angles for photon acceptance) [10,11], spectral filtering (application of narrow wavelength filters – such as rubidium vapour filters) [31], adaptive optics [10], and the (almost universal) use of narrow time sub-ns windows, known as temporal filtering [39]. As each photon carries a bit of information (as opposed to classical communication where binary values are represented by >1 photon) QKD receivers are required to function as single photon detectors. They are characterised by three inter-dependent properties, the quantum efficiency (the probability of a detector response given a photon), the dead time of the detector (time to reset after a response) and the dark count rate (instances when the detector gives a response with no photon) [39]; although generally, the maximum achievable repetition rate for a given detector is dictated by the dead time. Following the initial breakthrough in 1989, the next crucial milestone was reached in 1996 with the demonstration that free-space QKD was possible outside of the carefully controlled environment of Bennett and Brassard’s light tight box - and therefore robust to the adverse effects of ambient photons. Single photons were transmitted over a 75m distance in bright daytime conditions [9], in what represents the first successful transmission of qubits in an uncontrolled environment. This work confirmed that genuine free-space QKD (rather than indoor free-space) was indeed possible, and could offer a feasible key-distribution system that would not be significantly hindered by the intense ambient photonic background. Consequently, as the first outdoor free-space quantum transmission, the experiment represents a highly significant milestone towards the realisation of a global QKD system [9].

The group were able to generate secret key-bits at rates of ~1kHz, producing over107 error-free bits during their total transmission over the 150m indoor path (which was illuminated with fluorescent lighting) and 75m path in bright daylight conditions [9]. They recorded a reasonably large error rate (pre-reconciliation) of 2% due to an abnormally high dark count of one of the photodetectors (600 Hz), however the single channel error rate of the alternative detector was 0.7%, a rate more typical of fiber-optic systems [9]. In order to reduce the background a wide range of techniques were applied, including the use of a narrow time coincidence window, combined with the use of a small acceptance angle, filters and etalons, it was deduced that these procedures reduced the background by a factor of 1010, 102 and 105, respectively [9]. Before transmission a computer at each end of the channel made a randomised choice between the x-y or x’-y’ basis, as with the 32-cm implementation, Pockels cells were subsequently used to implement each specific choice of polarisation; after transmission bases were compared and only correlated choices were retained. As discussed, this procedure established a secure, and (ideally) identical random bit string that could be used to realise OTP encryption [9]. A narrow-band (1nm) interference filter and two Fabry-Perot etalons were incorporated into the setup to reduce the effects of background radiation and detector shot noise, whilst neutral-density filters (NDFs) were used to attenuate the laser light such that there was a negligible (~2%) probability of a pulse containing >1 photon.

Whilst the work undeniably represents a key development in free-space QKD, the experimental set-up was simplified somewhat by the application of a ‘folded-path’ approach. As the primary focus of the experiment was demonstrating the ability to send and receive key bits securely in free-space, the group chose to locate the transmitting and receiving optics in the same position. The result of this is that the transmission channel was not subject to many of the disturbing influences that would be manifest in a real world free-space application, such as turbulence and other atmospheric effects [9]

Another folded-path free-space QKD transmission was demonstrated over a 1km distance in 1998, at Los Alamos National Laboratory. In this instance the alternative B92 protocol was implemented in a scheme that allowed for efficient key distribution, even under turbulent environmental conditions. The paper reported a QBER (defined as the ratio of the bits received in error to the total number of received bits) of ~1.5% when the system was transmitting <0.1 photons per pulse, and an impressive ~0.7% was recorded as the QBER for a smaller 240m folded-path [10]. The ability to produce strongly attenuated photon pulses is an essential component of the vast majority of QKD implementations [39], it represents the most frequently used source of ‘single’ photons for QKD applications, and will undoubtedly remain so, despite the inherent security flaws, until a reliable and cost-effective SPS becomes readily available [39]. The technique is relatively simple, reliable, and offers the possibility of much higher repetition rates [39], despite this the technique is known to be fundamentally insecure due to the possibility of a range of attacks, the most formidable being the photon-number splitting (PNS) attack. If an eavesdropper were able to perform quantum non-demolition (QND) measurements on the transmission channel they would simply have to wait for Poissonian photon statistics to deliver key bits to them free of

charge – as multi-photon pulses transmitted along the channel contribute to the key but also are also completely susceptible to eavesdropping [34,39].

Whilst attenuation of the laser produces a situation where the average photon number per pulse <1, the Poissonian distribution of this number means that there is always a non-zero probability of transmitting >1 photon, i.e attenuation reduces rather than prohibits the transmission of multi-photon pulses [14,39]. This non-zero probability means an eavesdropper has opportunities to ‘syphon-off’ photons; additionally, there is always a higher probability of vacuum transmission than anything else, particularly when pulses are attenuated to <0.1 photons per pulse [39]. Although privacy amplification is a widely applied and efficient solution to the problem, the only way to truly protect against the threats of emerging technology is the incorporation of a SPS technology in a QKD protocol.

Despite the clear disadvantages, the application of WCPs is widespread throughout the field of QKD, as they can be realised with little more than a calibrated attenuator and a semiconductor laser [14,39]. Alternative approaches to key distribution have also been successfully employed, such as the use of parametric down conversion (PDC) techniques, whereby a laser beam is used to pump a nonlinear crystal, and produce an entangled pair of photons. Using the detection of one of these entangled photons as a trigger for the second detector provides an efficient solution to the problem of empty pulses and coincidence windows, whilst the issues associated with a Poissonian distribution are negated simply through the use of genuine single photons. Despite this, pair creation is an extremely inefficient process [39], a drawback which effectively undermines many advantages offered by the technique.

The use of a true SPS presents a well-established advantage over all WCP schemes, a SPS-scheme is completely secure against PNS and other significant attacks, and offers much better bit-secrecy rates, a significant advantage for high-loss applications such as ground-satellite QKD [24]. The superiority of SPS based QKD is repeatedly asserted throughout the literature [24], and the technology has become steadily more attainable as the 21st century has progressed. For example, a pulsed SPS was demonstrated in 2004, based on the fluorescence of a single-colour nitrogen vacancy centre in a diamond nanocrystal [24]. In addition, WCPs have been experimentally assessed for increasing propagation losses, with the results quantitatively demonstrating that QKD with a SPS offers measurable advantages over WCP QKD, particularly when transmission losses exceed 10 dB. [24]

The transmitter in the 1998 1km folded-path experiment at Los Alamos consisted of a temperature-controlled single-mode diode laser, tuned to 772nm (therefore operating in ~ optimal transmission window) and pulsing at 105 photons per ns. The experiment incorporated a bandwidth interference filter, a variable optical attenuator, and (as with previous realisations) a low-voltage Pockels cells [10]. Whilst the rudimentary scheme was not yet sophisticated enough for real-world applications (as the transmission was conducted over a folded-path and key generation rates were not sufficiently high), the demonstrated results were strongly indicative of the inherent potential of free-space QKD schemes for 21 century communication, with the authors asserting they “believe that it will be feasible to use free-space QKD for rekeying satellites in low-earth orbit from a ground station” in the near future [10].

They calculated that in a real ground-satellite transmission scenario a key generation rate of 35-450 Hz would be

attainable - considering that photons arrive at the detector at a rate of between 1-10,000 Hz, and given a laser pulse rate of 10 MHz, an average of one photon per pulse, atmospheric transmission of 80%, a 65% detector efficiency, and the 25% intrinsic efficiency of the B92 protocol (amongst other considerations). Whilst rates of this order are certainly not sufficient for commercial applications, the authors assert that this could be significantly increased (by a factor of 100) with the application of adaptive tilt correction, leading to secure key generation at a rate of 3.5–45 kHz for the B92 scheme; although using the BB84 protocol would see the rate double [10].

The B92 protocol is similar in many ways to the earlier BB84 approach, as with other quantum cryptography techniques the security arises from the in-distinguishability of non-orthogonal quantum states and the inescapable disturbances that arise from the quantum measurement process [41]. The four-state solution implemented in BB84 is more than is actually necessary for secure key distribution, as such the B92 protocol [61] encodes with just two orthogonal pure states [41,61] (A complex 6-state protocol has also been proposed, which has the advantage of greater symmetry within the Bloch sphere [41]). A typical BB92 procedure involves Alice generating a random binary sequence, and transmitting a single photon, chosen from a set of possible (non-orthogonal) states for each generated bit. Upon detection of a photon, Bob attempts to identify the specific transmitted bit value in each instance [10]. As with the BB84 protocol, Alice and Bob are completely free to discuss the decisions they made over an unencrypted, public channel.

Whenever Bob’s choice of basis is not coincidental to the choice made by Alice the associated key bit is disregarded, this leaves only secure, identical key-strings (which are subsequently verified through parity checks of the two strings). A useful technique for monitoring the removal of pulses involves analysis of the interference generated between a macroscopic bright laser pulse and the dim pulse (with <1 photon on average), as removing a dim pulse significantly alters the resultant interference effects [41].

As discussed, ‘folded-path’ implementations, such as those described in [9,10] can overly simplify the experimental landscape (specifically in terms of turbulence and other atmospheric hindrances), and they are therefore not necessarily indicative of practical real-life applications. The ability to perform key distribution over a free-space ‘point to point’ quantum channel was demonstrated with distances of 0.5km [14] and 1.6km [15] in 2000, with the scheme described in [15] reporting a ‘novel’ QKD system with no active polarisation switching elements [15]. A critical weakness of the original form of the B92 protocol is the vulnerability to what is known as a ‘man in the middle’ attack, whereby Eve takes control of both the public and the quantum channels simultaneously (allowing her to masquerade as Bob to Alice and vice-versa) [14]. The consequence of this is that Alice and Bob will both unknowingly exchange keys with Eve, meaning she is effectively invisible and can read all their subsequently encrypted communications [14]. It has subsequently been discovered, however, that the incorporation of a short, secret key to initiate the protocol can offer effective protection against such an attack [14]. A year after [10] was published a challenging response appeared in Physical Review Letters, suggesting that the experimental setup for the 1km folded-path transmission was

not adequately “protected against a peculiar type of opaque (Bennett) attack.” The criticism (which was refuted on the next page of the journal by Buttler et al [13]), argued that the implementation described in [10] was fundamentally insecure, on the basis of hypothetical technology that could be developed at some point in the future [12]. In their response [13] the authors highlight the important distinction between attacks that are currently feasible, and attacks that could become possible at some point, and are limited only by the laws of physics [13]. More importantly they emphasise that the intention of the work detailed in [10] was not to introduce a fully secure, fully optimised and definitive QKD protocol, rather to simply demonstrate the potential offered by free-space QKD [13]. Indeed, they re-iterated the claim that a properly implemented B92 protocol could form the basis of a ground-satellite QKD system, secure against all currently “feasible attacks without any additional physical security requirements [13].” Furthermore, if the scheme implemented the BB84 protocol instead of B92 (a relatively trivial modification) the setup would also be secure against the hypothetical Bennett attack, and if a SPS were to be incorporated the approach would be unconditionally secure, even against QND attacks [13]. Additionally, the specific attack considered in [12] would require the eavesdropper to produce non-Poissonian photon states; as this is clearly not an option the best approach for an eavesdropper would be to retransmit a WCP, however this would be revealed through an increase in ‘dual-fire’ errors which occur when both detectors fire simultaneously [13]. One sensible comment made in [12] is regarding the use of a true SPS, they concede that the experimental procedure described in [10] adequately demonstrates the potential of free-space QKD schemes, but insist that the development of a SPS is required before truly secure QKD can be realised [12] as it is the only way to thoroughly safeguard against the plethora of attack strategies open to Eve (although it is pointed out in [10,13] that simply switching to a BB84 protocol would protect against the hypothetical Bennett (non-Poissonian) attack [10,13]). The group at Los Alamos also demonstrated the ability to operate free-space QKD systems under the disruptive effects of fluorescent lighting [11], reporting the successful transmission over a 205m indoor optical path in 1998. As with previous work the transmitter and receiver were collocated, meaning that the transmission was conducted over a folded optical path – with the beam transmitted up and down a 17m hallway [11]. The experiment incorporated a ‘corner cube’, identical to those found on LEO satellites of the time (such as LAGEOS-I and LAGEOS-II) to demonstrate the feasibility of ground-satellite QKD. The setup was able to achieve key-bit generation at rates of up to 50Hz when the transmitter was pulsed at a rate of 20kHz, with an average of ~0.7 photons per pulse, along with a QBER of 6% [11]. This disappointing rate can be

attributed to an atrocious coupling efficiency, 𝜂, between the

transmitter and receiver of ~2% (where 𝜂 accounts for losses between the transmitter and the power coupled into the single-mode fibers preceding the detector at the receiver); this poor coupling efficiency prevented the group from operating below values of 0.7 photons per pulse [11]. As part of the protocol a two-dimensional parity check was implemented to enable the generation of error-free key material, however, the important step of ‘privacy amplification’, used to reduce the partial knowledge of any

eavesdropper to less than 1 bit of information was not incorporated into the scheme [11]. The QKD scheme described in [14] was the first successful demonstration of point-to-point free-space QKD outside of a lab environment, it was operated for several days, both through the day and night, over a 500m distance [14]. Achieving an impressive rate of secure key distribution (~5kHz), this important proof-of-concept free-space transmission represents a crucial milestone. The ability to realise usable key-distribution rates, in realistic operating conditions, gave an extremely strong indication that ground-satellite QKD was genuinely feasible [14]. The setup was able to achieve much better attenuation than previous implementations, with an average photon number of ~ 0.3, there was a 22% probability of each pulse containing exactly one photon, 25.9% containing at least one photon, and15% containing more than one photon [14]. Whilst the transmission was performed over a relatively insignificant 0.5km distance, the result clearly evidenced the fact that a secure key could be shared, either other a ground-satellite or satellite-satellite link (meaning a satellite could be rekeyed an arbitrary number of times whilst remaining in orbit [14] - a highly significant development). Shortly after this, a point-to-point free-space transmission was successfully demonstrated over a slightly more useful 1.6km distance [15]. This use of horizontal terrestrial transmission paths [14,15] constitutes a sufficiently convincing proof-of-principle, as the detrimental effects of turbulence (one of the principal hurdles in free-space QKD schemes) are most prevalent over the lowest 2km of the atmosphere [14]. Consequently, the successful realisation of a 1.6km ‘horizontal’ transmission strongly suggests that secure QKD is possible, both with low-earth orbit (LEO) and geostationary (GEO) satellites. Atmospheric turbulence represents the by far the most serious limitation to free-space schemes, as it can cause ‘jitter’ in the photon arrival time, along with a significant amount of beam wander, through variations in the refractive index (RI). In order to negate issues associated with arrival times the scheme incorporated the use of a bright timing pulse (which carries no information). Transmitted at an alternative wavelength immediately before each key-bit the arrival of the timing pulse ~100ns before the key-bit triggers an avalanche photodiode detector to set up a narrow (~5ns) time window, thereby allowing spurious detection events from the ambient background to be disregarded [14,15]. Beam wander makes a more significant contribution to the QBER, fortunately the effects can be compensated for with the application of active beam steering (known as ‘tip-tilt control’) techniques. It is possible to derive an error signal from a reflected component of the timing pulse to generate a feedback-loop - this provides a reliable and effective stability mechanism that is able to keep the beam tightly locked into position [14]. Another serious consideration for any free-space QKD scheme is the unavoidable background of ambient light, both during the day, and at night - as single photon detectors are easily saturated by rogue photons. The effects of this ambient background can largely be counteracted through the use of nano-second coincidence windows (achieved with ‘temporal filtering’), narrow wavelength filters to specifically select the signal of interest, and spatial filtering at the receiver, achieved through the application of a small solid angle for photon acceptance [14] In addition, the scheme implemented the critical technique of privacy amplification to obtain an optimal number of secure

key bits; the use of such protocols rendered the scheme secure against all possible attacks (according to acknowledged technology). The author’s accept that the system is vulnerable to a QND attack, in which Eve makes use of non-destructive measurements to ascertain which pulses are multi-photonic, an attack that facilitates non-detectable eavesdropping (QND measurement techniques however, are still very much in their infancy). The inclusion of a SPS, however, would remove the susceptibility to a QND attack, meaning that by the time such an attack is possible there should almost certainly be an efficient coping mechanism (a SPS) [14]. The 1.6km transmission demonstrated shortly after at Los Alamos [15] was similarly robust to simple beam-splitting and intercept-resend attacks, and would have been equally ‘future-proof’ with the addition of a SPS. Achieving successful key-distribution over a free-space optical path which is comparable in distance to the effective turbulent atmospheric thickness, the scheme added further credence to the feasibility of ground-satellite QKD - particularly considering that secret bit rates of several kHz were routinely achieved with the setup [15]. During the course of the experiment a total of 1.6 Mbit of data was sent in 40 data exchanges, this led to the generation of significant quantities of secure sifted key material (>17kbit) with a respectfully low

QBER of <3% for low average photon number (��) pulses of

��~0.2 [15]. The transmitter was able to operate at MHz clock rates, controlling two temperature-controlled dim-pulse diode lasers, which were both capable of emitting 1ns attenuated optical pulses on demand. As per the B92 protocol, polarisers arranged the output of one laser to be 450 and the other to be vertically polarised; the randomised choice in this instance was determined by the random bit-value generated by discriminating electrical noise [15]. The intense Los Alamos sunshine means the effects of turbulence are always a significant consideration; turbulence induced beam-spreading can substantially increase the QBER and severely limit system efficiency. With an average efficiency of 0.13, fluctuations of ~30% caused by turbulence induced beam spreading and beam wander constituted a serious concern for the setup in [15]. The most significant contribution to the QBER of the system came from the ambient solar background, accounting for 5.9% of the 7.8%

BER (for ��=0.2). Imperfections and misalignment of polarising elements produced the second largest contribution, with values as high as ~2% (significantly previous results have suggested this component could be reduced to 0.5% [15]). Detector noise, produced by ‘dark-counts’ made a minute contribution of <0.1% to the QBER [15]. With numerous groups addressing the challenges and requirements of free-space QKD the years post-2000 saw a ‘flurry’ of interest in the academic literature regarding the development of satellite-based global QKD schemes. The possibility of ground-satellite QKD was comprehensively demonstrated by Rarity et al [18] in 2002, with an extensive feasibility study concluding that no significant ‘technical obstacle’ remained to prevent the realisation of a global key-distribution system, capable of operating between any two arbitrary points on the globe [18]. The group anticipated the system would involve the exchange of a secure key-string between a ground station and satellite, which could then be exchanged with another chosen ground station, as and when required; thereby enabling secure OTP-quality cryptographic communication

between any given locations across the planet. The fundamental importance of a worldwide QKD scheme for the security of global data is emphasised throughout [18], given the inherent weakness of conventional public-key cryptography, the promise of unconditional security which is (theoretically) future-proof against the relentless evolution of computational power is extremely alluring, particularly given the ‘exponential expansion of electronic commerce’ [18]. A range of possible methodologies and different arrangements of the transmitter, encoder and detector are explored in what is termed the ‘satellite key exchange problem’. Usefully, the paper defines ‘key performance metrics’ with which they systematically evaluate specific configurations and system designs according to their suitability for ground-satellite key exchange. The group directly compare three alternative key-exchange methods: (i) Laser/encoding on the ground, detector on the satellite, (ii) Laser/encoding on the satellite, detector on the ground, and (iii) Laser/detector on the ground, retro-reflector and polariser on the satellite. Their analysis concluded that all three variations could be used to successfully exchange key-bits with LEO (0.8-1.6km) satellites and ground stations, during night-time, or (with the addition of narrow-band filtering) daytime operation, and similar conclusions were independently reached in a parallel US-based study published in 2002 [62]. Generally payloads of a couple of kg and tens of watts power consumption were considered possible, in addition to key exchange rates of up to 10kbit s-1 (during the closest approach to the ground station), leading to megabits of uploaded key per satellite pass (satellite in range for 100-200s) [18]. In terms of

suitability, the second option was favoured, whereby a top-down transmitter system is utilised; in this configuration expected key rates were up to 7kbit s-1 at 100 MHz repetition rates [18]. A handful of groups had already successfully demonstrated free-space QKD over multiple-km distances by the time the paper was being written, whilst experiments being conducted at the same time demonstrated that ranges of 10km [22] and 23km [20] were readily attainable. In many instances important developments were being made to reduce the size, mass and power consumption of the systems, to allow portability in the short term and fully automated remote operation in the long term [18]. Lightweight transmitter and receiver designs were emerging as early as 2002 [20], these generally avoided active optical elements to reduce size and complexity, and were instead based on combining or splitting the light in passive beam-splitters [18]. Comprehensive system design analysis for satellite-based QKD was also offered in [21]. As in [18], it was suggested that the most sensible location for the transmitter module is on-board the satellite, with the receiver module in an easily accessible ground-based location [21]. Additional significant considerations include the fact that the majority of QKD experiments require higher flexibility at the receiver due to active polarisation control and data analysis; and the fact that the atmosphere causes a larger footprint in an uplink than in a downlink, due to the more significant influence of turbulence [21]. The paper also concluded that LEO-LEO satellite transmission links were entirely feasible according to the currently demonstrated technologies

. Figure 4. Experimental Overview: Four separate lasers were used at the transmission module to encode the four random polarisation states. They were combined in

a spatial filter before the 23.4 km transmission between the mountain peaks. A telescope at the receiver collected and filtered the light before it was passed to four

separate photon-counting detectors. (Figure taken from [20])

Another significant experimental development, depicted in Figure 4, reported in 2002 was the 23.4km key exchange between two mountain-tops in Southern Germany. To avoid the effects of turbulence the transmission was conducted at a highly-elevated altitude, whilst this achieved the desired effect, the approach introduced a new range of obstacles and considerations due to temperature changes and extreme weather conditions. The apparatus demonstrated reassuring (considering the temperature of space!) stability despite ambient temperatures ranging from 5 to -250C [19,20].

The transmitter unit (Alice) was located at a small experimental facility (Max Planck Institute for Extraerrestial Physics) located on the summit of Zugspitze (2.96km), whilst Bob was located on the neighbouring mountain of Karwendelspitze (2.24km), 23.4km away [19,20]. The semi-portable free-space QKD system was used to carry out multiple night transmissions between September 2001 and January 2002, with a final trial involving a three-day key exchange, at a selection of pulse intensities ranging from 0.4

to 0.08 photons per bit (operating with ��=0.08 led to optical losses of ~ 18dB) [19]. In associated experiments the group also demonstrated that key exchange could be carried out even with transmission losses up to 27 dB, and argued that with proposed improvements to receiver efficiency this could exceed 33dB, meaning key-exchange to near-Earth orbit (500-1,000 km) satellites would be achievable [20]. Whilst the group were typically enthusiastic about the implications of their QKD scheme, asserting that their “experiment paves the way for the development of a secure global key-distribution network based on optical links to LEO satellites [20]”, the reality is the setup described in [20] is still a long way from the standard required. Despite achieving an impressive transmission efficiency and distance, key generation rates offered by the setup were far from competitive. After sifting and error correction the scheme was only able to produce a secret key string at the rate of hundreds of bits per second. This weak performance is partly attributable to a number of factors; ambient background rates were particularly high due to scattered light from snow cover (which made a large contribution to the error rate), whilst the low bit rate (9.8kb) of the classical mobile telephone link was also a limiting factor in the sifting and error correction process [19]. The group anticipated significantly improved performance could be achieved with a combination of improved spatial filtering at the receiver, a narrow band-pass filter tuned to the correct wavelength, and accurate temperature control of the transmitter lasers. A 10km transmission using the BB84 protocol was also demonstrated in 2002, with the system operating continuously for several-hour periods both during the night and day [22]. The authors reported the generation of secret key-bit sequences at ‘practical’ rates and of a sufficient quality to enable secure communications. The 772nm QKD system utilised spectral, spatial and temporal filtering techniques to extract a usable signal despite the adverse effects of atmospheric turbulence and an ever-present background radiance (with rogue ambient photons presenting a significant source of error even through the night) [22]. The authors assert that the setup described in [22] would be entirely capable of realising ground-to-ground cryptographic applications, with the realisation of distribution rates that would support practical cryptosystems such as the Advanced Encryption Standard (AES) or even short OTP encryption. With Alice sited at an altitude of 2760m on Pajarito Mountain, Los Alamos, and Bob at an altitude of 2153m,

9.81km away the scheme was operated successfully for many hours over several days. Crucially, the scheme was reported to be secure against intercept/resend, beamsplitting and an unambiguous state discrimination (USD) attacks, as well as night-time PNS attacks [22]. In order to improve security and reduce the complexity of the system the specific implementation described in [22] included no active polarisation switching elements. During each successful cycle of the 1MHz clock a nanosecond, ~mW timing pulse was emitted at 1550nm, this caused two secret random bits to be generated by a cryptographic monolithic randomiser, which in turn determined which of four 772nm diode lasers fire (thereby selecting 1 of 4 polarisations) [22]. Understanding of the factors that parameterise free space QKD was greatly enhanced as a result of the development of a precise methodology in [22] to deduce the ‘secrecy efficiency’ for alternative transmission distances, instrumental conditions, atmospheric properties and

alternative radiances, through scaling of the defined ηopt/C parameter from the values obtained over a 10km distance. Their analysis was crucially able to deduce the lower threshold for values of secrecy efficiency, below which no secret bits can ever be extracted from a sifted key, shared between Alice and Bob. The secrecy efficiency Psecret is perhaps the most significant parameter when categorising overall system performance; as the quantity determines the total number of secret bits that can be exchanged per unit time. The group were able to achieve an average daytime efficiency of Psecret =(3.2±1.4)x10-4, and a maximum value of Psecret,max =7x10-4. At nighttime the system was slightly more efficient, with an average of Psecret =(4.2±1.4)x10-4 and a maximum efficiency of Psecret =8x10-4.

For larger values of ηopt/C there are a specific range of optimal values known to consistently produce a non-zero bit

yield, i.e when the average photon number per pulse (μ), μmin

< μ < μmax [22]. For situations where μ < μmin the bit error rate (BER) of the sifted key is overwhelmingly large, to the extent that no secret bits can be extracted whatsoever – due to the large amount of information potentially leaked to errors and through intercept/resend eavesdropping strategies. Overall they were able to conclude that free-space QKD would be more than feasible with the system, either over 15km daylight paths or 45km paths at night, additionally they deduced that optimal secrecy efficiency is

attained for values of μ=0.5, independent of range and time of day [22].

Figure 4. A histogram of the secrecy efficiency Psecret (the number of secret bits produced per transmitted bit) versus the average photon number and the atmospheric

quantum channel parameter. In the region below the red line no secret bits can be transferred with the system. Even thiough these transmissions yield a large

number of sifted bits no secrecy could be produced from them after reconciliation and privacy amplification due to the large amount of info acquired by an

eavesdropper. The night transmissions marked with an asterisk are PNS-resistant (Figure taken from [22])

Another significant benchmark for free-space QKD was realised in 2004 with the demonstration that free space quantum transmission rates of up to 1.25 Gbps were possible over ~1km distances, in conjunction with phenomenally large sifted key rates of 1.0 Mbps. The scheme described in [23] operated a 1550nm classical channel in parallel with an 845 nm quantum channel, this development facilitated a phenomenal increase in system performance, with sifted cryptographic key rates two orders of magnitude faster than anything previously recorded [23]. Incredibly the authors insisted that with improved detector resolution their setup would be able to achieve an order of magnitude increase in performance” [23]. As with many other successful implementations, the strategy utilised narrow temporal gates to improve the SNR, however instead of operating in asynchronous mode, with a timing pulse immediately preceding the signal to trigger a specific coincidence window the scheme in [23] was able to operate in ‘synchronous’ mode, through the 1.25 Gbps clock rate and the use of 8B/10B encoding [23]. The transmission board

(Alice) generated and stored two (1.25 Gbps) randomised bit-streams for the selected quantum channel basis and a bit value (as per the BB84 protocol), random data was generated by a pseudo-RNG [23]. The experiment constitutes a phenomenal increase to secure encryption capabilities in general, with the demonstration of unprecedented transmission and sifted key rates. As there is no commercially-available SPS capable of operating at GHz repetition rates the setup was forced to employ attenuated

laser pulses, with a mean photon number μ= 0.1. It has been calculated that with such values, approximately 9% of the pulses transmitted contain a single photon, 1% contain two or more photons and the remaining 90% will (statistically) be empty pulses [23]. The downside of this approach, however, is that is leads to a ten-fold reduction in throughput – meaning when a high speed on-demand SPS becomes available there will be an order of magnitude improvement in key generation rates [23].

Figure 5. Sifted key bit rate and QBER plotted against mean photon number (Figure taken from [23])

In addition to offering a revolutionary increase in transmission speed and sifted key rates, the 2004 paper presented a useful analysis of the response of the sifted key rate (kbps) and the QBER to varying photon number; both values were plotted as a function of mean photon number in Figure 5 (the QBER is the percentage of sifted key bits, produced per 60 seconds of key generation, for which Alice and Bob do not have the same value) [23]. Clear trends can be identified in their experimental data: the sifted key rate (marked in black) clearly increases with mean photon number before plateauing at 1Mbps, the plot also allows instantaneous related values to be determined, for example,

for a value of μ<0.2, the group recorded nearly 900kb of sifted key data per second of transmission, and an error rate of 1.0% [23]. The principal limitation of [23] can also clearly be seen - their software was unable to successfully process bit rates greater than 900kbps, causing the sifted key rate to flatten out. This limitation greatly reduced the throughput of the system, causing the sifted-key rate to max-out at ~1Mbps once the mean photon number increased past 0.2 [23]. Whilst the 1.25Gbps transmission rate demonstrated in [23] was undoubtedly impressive, the transmission speed is a less significant consideration than security - the use of inherently insecure attenuated laser pulses, rather than a SPS, is a significant limitation of any QKD scheme. The inevitable

transmission of multi-photon pulses provides an ‘open door’ for any eavesdropper; to recover as much secrecy as possible, attenuated pulse (WCP) schemes seek to employ ever weaker pulses, leading ultimately to a compromise between security and transmission rates [50]. Whilst operating nowhere near the 1.25 Gbps transmission speed demonstrated in [23] the incorporation of a SPS into a free-space QKD scheme in 2002 [50] represents a crucial milestone, the paper reported the first complete implementation of single-photon quantum cryptography using a reliable room temperature SPS [50]. Using the fluorescence of a single nitrogen-vacancy (NV) colour centre inside a diamond nano-crystal the group were able to successfully emit photon pulses on-demand to distribute key-bits over a 50m distance, at a rate of 7,700 secret key bits per second, and with a QBER of 4.6% [50]. Despite much shorter transmission distances and lower key generation rates the scheme is fundamentally much more secure than those making use of attenuated laser pulses. In addition to enhanced security “the overall performance of the system reached a ‘domain’ where the use of single photons demonstrate da measurable advantage over an equivalent setup based on attenuated pulses,” emphasizing the fact that single photon QKD is a realistic candidate for long distance QKD applications. [50]”.

The scheme implemented a BB84 protocol to achieve four-state encoding and decoding, through the application of an electro-optical modulator (EOM) unit, driven by a pseudo-RNG and capable of switching 500V in 30ns to achieve a 5.3MHz SPS repetition rate [50]. Unfortunately, after travelling down the short corridor, polarised photons were detected at only a fraction of the 5.3 MHz source rate, despite transmission via a 2cm-diameter beam to minimise the effects of diffraction. A rate of 7x104 Hz was recorded after the 50m transmission, while this represents an order of magnitude decrease from the 5.3MHz source such a valuable is more than tolerable for such a pioneering experiment. The complete secret key transmission was achieved through the use of error correction and privacy amplification (using the public domain software QUCRYPT), these techniques led to an average of 77 secret bits shared between Alice and Bob for each 10ms transmission [50], and an associated QBER of 4.6% ±1%. The paper proceeds to offer a comparison of the performance of their single photon BB84 implementation with more traditional WCP approached, in terms of detection efficiencies and Bob’s dark count rates They demonstrate that the SPS approach has a patent advantage over even the very-best WCP setups; irrespective of the type of attack that is implemented, the specific scheme implemented in [50] also

offers a much higher secure bit rate than alternative entangled-photon QKD schemes [50]. Another strong indication as to the superiority of SPS QKD implementations was offered by [56], when a photon turnstile device, where a quantum dot trapped in a micropost cavity is optically excited by a pulsed laser, was used to realise the BB84 protocol, facilitating “completely secure communication in circumstances under which would normally be impossible with an attenuated laser [56].” Whilst transmission was only demonstrated over a trivial 1m distance the group were able to achieve secure communication rates of 25 kbits per second [56], and a QBER of 2.5% in this important proof of principle. The group used the exchanged key bits to implement a OTP encryption of the message seen in Figure 6 (a picture of the memorial church at Stanford University). Alice and Bob were able to exchange a 20-kbyte key, with which Alice performed an XOR operation on each individual bit of the information. The result of this is something that looks very much like white noise to any unwanted recipients without the secret key bits. Bob is able to faithfully recover the information simply by using his version of the key to XOR the received message (as seen in Figure 6) [56].

Figure 6. Illustration of a cryptographic encoding and decoding process, the message, a (140x141) 256-pixel bitmap of Stanford University’s memorial church was

encoded by a secure quantum key in a OTP encryption process. The encrypted image appears as noise to a third party, not in possession of the key. The recipient

(Bob) is able to faithfully recover the contents of the message by decoding with the shared secret key. (Figure taken from [56])

Whilst the initial SPS proof-of-principle QKD setups [50,56] were crucial milestones in the progression of free-space SPS QKD, the experiments were both performed over a relatively insignificant distances at least in terms of the requirements for real-world applications. Whilst this is similarly true of the 30m transmission distance demonstrated in [24], the scheme was operated under open-air experimental conditions and consequently represents a much more robust proof-of-principle as the realisation is much closer to a genuine practical setup with environmental hazards. Additionally, the authors claim that the setup could readily be extended to km distances [24] As with [50] the SPS was provided by the pulsed excitation of a single nitrogen-vacancy colour centre (NVCC) in a diamond nano-crystal. Single photons were subsequently transmitted from window to window over a 30m distance, between two wings of the Institut d’Optiques building in open air at night-time. As such, the QKD scheme was implemented with a realistic ambient background and with the two communicants completely removed from each other. The scheme reported an average of 3200 secure bits exchanged within a typical 0.2s transmission sequence, corresponding to a 16kbit s-1 key generation rate [24], a value well over double that demonstrated in [50]. The scheme utilised the BB84 protocol, using a KDP EOM to

obtain the 4 random polarisation states through the randomly choice of either the rectilinear or the circular polarisation bases; after transmission over the 30m channel (at rates of up to 16kbits-1) the key bits were subjected to error correction and privacy amplification {ref 37 in 24}techniques to ensure maximal information security.

The authors are keen to highlight the importance of SPS schemes, since first proposals {ref 16-18 in 24}, a diverse range of approaches have been investigated, although all are essentially based on controlling fluorescence from various emitters, such as molecules {ref 19-22 in 24}, atoms {ref 23 in 24}, colour centres {24 in 24} and semi-conductors. The use of a NVCC in a diamond nanocrystal offers many practical advantages over alternative solutions as it can be operated at room temperature (as with molecule emission), and is perfectly photo-stable for both pulsed and continuous-wave (cw) laser excitations [24]. The relative advantages offered by SPS implementations are clearly outlined in [24], along with a quantitative demonstration that the use of pure single-photon states provides a significant advantage over the use of WCPs in the strong attenuation regime (when transmission losses exceed 10dB) [24]. The efficiency of a specific QKD implementation in terms of secure key bit distribution is best

characterised by the mean amount of secure information exchanged on each transmitted pulse [24]. Through comparison of experimental data (recorded for a range of quantum-channel attenuations) with numerical simulations based on analytical derivation of mean number of bits per pulse (after privacy amplification and error correction) the group were able to verify the superiority of SPS implementations over long distances and large attenuations [24]. A significant milestone was reached in 2005 with the demonstration of free-space entangled photon distribution over the more realistic (in terms of practical applications) distance of 13km, entangled photons were produced by type-II parametric down-conversion [26]. For the first time a group was able to conclusively demonstrate key distribution over distances far greater than the effective thickness of the atmosphere, and were able to achieve link efficiencies well beyond the threshold required for satellite-based QKD, thereby verifying the feasibility of a global QKD network utilising satellites and ground stations [26]. Performed in Hefei, China the sender was located at the top of Dashu mountain (with an elevation of 281m) and two receivers (Alice and Bob) were located at the west campus of USTC and at Feixi, in Hefei. The distance between the two receivers was approximately 10.5km, whilst the distances from the sender to Alice and Bob were 7.7 and 5.3 km, respectively [26]. One of the entangled photons was made to pass through the a challenging cityscape (traversing nearly half of the city of Hefei), according to the cityscape the two receivers were not in direct sight of each other – due to the presence of many buildings between them [26] Whilst the system made use of the popular BB84 protocol, the key was instead distributed using entangled photons as opposed to attenuated laser pulses, consequently, when Alice and Bob happen to choose the same basis set their private keys are perfectly anti-correlated [26], this represents a trivial obstacle as it simply requires one party to convert all of their key bits. Following these procedures the group were able to demonstrate coincidence events at rates of nearly 7,500 per minute [26]. Discarding events where Alice and Bob selected contradictory bases led to a total of nearly 7,956 sifted key-bits, and a QBER of 5.83%. After the process of error correction the number of key-bits was considerably reduced to 4,869 bits and a QBER of 1.47%, after performing privacy amplification they finally obtained a secure key-string that was 2,435 bits in length. This value corresponds to an average key distribution rate of 10 bits s-1, however the authors point out the this figure could be significantly enhanced, with the incorporation of a high-intensity entangled photon source key distribution rates in the region of 100s bits s-1 could comfortably be achieved [26]. Crucially, the group were able to show that entanglement was able to withstand the 13km transmission through the noisy atmosphere (well beyond the effective thickness of the atmosphere), despite being strongly influenced by atmospheric pollution and background light - even at night background count rates are as high as 30,000 per second without interference filters. Their achievement was confirmed by recording a spacelike-separated violation of a Bell inequality of 2.45±0.09 [26], with the “strong violation more than sufficient to guarantee the absolute security of the QKD scheme, thereby closing the eavesdropping loophole.”

The scheme described in [26] utilised an argon ion laser to pump a beta-barium-borate crystal with a wavelength of 350nm; for a pump power of 300mW (and with the use of a narrow bandwith (2.8nm) interference filter) the group recorded 10,000 pairs of entangled photons per second. With the application of the interference filters the average background count was reduced from 30,000+ per second to as little as 400 per second and with perfect weather conditions they were able to achieve coincident count rates of up to 300 counts per second [26]. The group also applied the technique of laser-pulse synchronisation to achieve a 20ns coincidence window, thereby reducing the effect of ambient photons and detector dark counts [26]. With the eventual addition of a pulsed and gateable entangled photon source, and with the application of high precision spatial and spectral filtering the methods outlined in [26] would also allow for free-space QKD in daylight conditions [26]. Another important proof-of-principle for entangled-photon free-space QKD was published in the same year [27], when entangled photons were distributed over a 7.8km distance, at nightime, over the city of Vienna. The result was particularly significant given that the transmission was over the centre of Vienna, demonstrating quantum cryptography in a location with a long-standing requirement for secrecy (due to the nature of the Swiss banking industry), and to a market that would have great need for QKD services when they become commercially available. The group were able to conclusively demonstrate the high-fidelity transfer of entangled photons over sufficiently long distances, however, with no provision for spectral filtering, the scheme was only suited for night-time operation [27]. Despite this, the scheme was able to clearly demonstrate the feasibility of sending entangled photons through free-space optical links given realistic atmospheric conditions, with entanglement distribution confirmed by the violation of a Bell inequality by 14 standard deviations [27]. The source was located inside a 19th century observatory located on top of a hill, with the receiving station nearly 8km away on the 46th floor of a modern skyscraper, as such, the majority of the transmission path was at an altitude of 150m. The entangled pairs of photons were produced by PDC techniques, which ensure extremely tight temporal correlations, in addition to polarisation entanglement. The utility of such time correlations is well-recognised, as the narrow coincidence windows allow for low-noise operation, even when the background is greater than the signal intensity [27]. During the course of a 40-minute transmission a total of 60,000 coincident detection events were recorded, however this was reduced by a factor of ten following bases reconciliation, error correction and privacy amplification. The group were able to infer a QBER of ~10% (which would correspond to a drop in average visibility from 93% at the source to 80% at the receiver), of which they attributed 3.5% to the source, 1.5% to accidental coincidence counts, and the rest to polarisation misalignments. The challenge of transmitting through a busy city environment is a far from trivial proposition, pollution and atmospheric turbulence cause significant scattering rates, beam fluctuations and wander – all of which adversely affect link stability and efficiency [27]. The group were able to demonstrate secure key distribution over a distance that corresponds to just over one airmass, as the characteristic thickness of the atmosphere is just over 7 km [27], as the scattering loss experienced by a vertical transmission is represented by a 4.5km horizontal transmission the experiment comfortably surpassed the required threshold for successful atmospheric transmission [27].

Typically with entangled photon QKD schemes coincidence events are identified through the direct comparison of detection events over a time-stable public channel; this most commonly occurs via a direct cable connection, however for transmissions over longer distances bright optical pulses can be used to transmit detection and timing information [27]. The scheme described in [27] was able to identify coincidences without the use of a time-stable channel, instead each detection event is locally recorded with time tags shared later over a public internet channel. Detection coincidences were identified by looking for cross-correlations in 64-bit binary time stamps, which were able to record the time of each event with a precision of 125ps. The time-stamping cards were stabilised by Rubidium oscillators, which are known to drift by approximately 1ns every 20s. The polarisation correlations obtained in [27] were sufficient to convincingly violate a CHSH-Bell inequality (by 14 standard deviations), and demonstrate entanglement between the two locations.

A radical departure was made in 2006 when photon orbital angular momentum was utilised in a new BB84 implementation. The protocol encoded information in different spatial modes (that span a d-dimensional Hilbert space) of propagating photons that have a definite value of orbital angular momentum (OAM) [29]. In the specific implementation described in [29] each transmitted state was encoded in a subspace of spatial modes with zero orbital angular momentum (although a subspace with a definite value of orbital angular momentum could also be utilised) [29]. The technique offers two principal advantages; by encoding in a d-dimensional space a logarithmic increase in the key generation rate can be achieved - as each transmitted photon is able to hold log d-bits of information the approach offers greatly increased rates. In addition, the fact that the transmitted states are eigenstates of OAM means they are rotationally-invariant about the propagation direction of the beam. As a consequence the relative sender-receiver alignment is completely irrelevant (an appealing advantage in free-space QKD), meaning the protocol can be implemented without reference frame alignment [29] - “By encoding the information in rotationally invariant states they were able to decouple the alignment between preparation and measuring devices” [29]. This property is particularly useful in the case of ground-satellite, or satellite-satellite communication. As such systems facilitate secure key distribution between moving parties, the need to maintain a strict alignment with polarisation-based implementations adds significant complexity to any scheme. These limitations are obviously negated by the use of techniques detailed in [29], additionally, as no information is encoded in photon arrival times the scheme is also able to avoid significant problems introduced by transmission through turbulent environments, such as beam wander and time-of-arrival jitter [29].

Whilst impressive transmission distances and high secure key distribution rates have been repeatedly demonstrated, the majority of implementations tend to record relatively small time periods of key distribution. The specific free-space implementation detailed in [30] was left to run continuously for 10 hours through the night. Based on the BB84 protocol with polarisation-entangled photons, the scheme was able to generate an average secure key at a rate of 630 bits s-1 (after error correction and privacy amplification) over a distance of 1.5km (between the rooftops of two University of Singapore

buildings), and with the application of a long-pass filter they were able to achieve up to 850 bits s-1 over a period of 6 hours [30]. Using a PDC source and compact detection modules, a free-space wireless internet protocol link and a software-based coincidence identification scheme the setup represents a robust and efficient approach to extended key distribution sessions. The use of software-based coincidence identification removed the need for a dedicated synchronisation hardware channel. During the experiment the detection time of all photoevents was registered with a time stamp unit, which was locked to a Rubidium oscillator [30]; the scheme also implemented typical interference and spatial filtering techniques for the purposes of background suppression [30]. Additional advantages offered by [30] are that the scheme doesn’t require an explicit RNG, as well as the ability to perform error correction and privacy amplification techniques ‘on the fly’, enabling the production of a continuous stream of secure key bits [30]. The authors argue that the setup could also be successfully deployed for daytime key distribution if the accidental coincidence rate could be reduced by an order of magnitude - a reduction that could potentially be realised through the application of stronger spectral and spatial filtering and reduced coincidence windows [30].

The use of Rubidium (Rb) filters is widespread in QKD implementations; in [31], for example, in a system designed to operate at a 780nm wavelength, homemade Rb vapour filters were operated on the D2 transition line to successfully suppress strong background light. Based on the Faraday anomalous dispersion effect the filters act as an ‘ultra-narrow’ spectral-filtering device, capable of efficiently removing the strong, broadband solar background and greatly increasing the signal-to-noise ratio (SNR). This use of atomic filters allowed for the transmission of sifted and corrected key bits at rates as high as 3.14 and 1.56 kbits s-1, respectively [31] - whilst an error rate of around 5.1% was maintained throughout [31]. The widespread use of quantum cryptography for everyday consumers was advocated in 2006 with the demonstration of a short-range, low-cost QKD system. Both transmitter and receiver modules were constructed from inexpensive, off-the-shelf components and were able to generate and renew secrecy (an impressive 4,000 secret keybits s-1), over short distances of a few metres in shaded daylight conditions [32]. Whilst the traditional market base for QKD technologies are high-level organisations such as the military, and financial and academic institutions, the system described in [32] represents more of a ‘ground-up’ implementation designed for use on a regular day-to-day basis by the general public, in a variety of short-range consumer applications that could incorporate OTP and authentication protocols [32]. With a compact transmitter the system was designed to be eventually incorporated into a hand-held device such as a smart card or a mobile phone [32], leading to a range of promising potential short-range consumer applications. A frequently imagined scenario describes a consumer utilising a ‘secrecy’ allowance (for use with a portable OTP encryption device) and where necessary buying a ‘top-up’ for the account, as with a pre-pay mobile phone. The paper proposes a method of protecting against card-fraud, with an Alice module incorporated into a mobile phone and the Bob module located in a fixed device such as a bank ATM, known as a ‘quantum ATM’ (QATM). A typical usage scenario envisaged by the authors would involve “registered

customers sharing a unique secret bit-string with a central secure server the QATMs are able to communicate with. The OTP is subsequently used to authenticate and encrypt transactions such as cash withdrawals or online purchasing, with each security operation consuming some of the shared secret”. Consequently, the need to ‘replenish’ secrecy reserves will require consumers to repeatedly ‘top-up’ their shared secret via the QATMs [32] In order to limit costs and reduce the end product-size the group utilised a holographic diffraction grating to produce 2x2 matrix of beam paths, with the grating making the random basis selection for each transmitted photon. In this arrangement protocol efficiency drops to 25% as the photon is directed randomly in one of four ways, however this reduction was deemed acceptable due to reduced costs and the fact that there are far fewer transmission losses in a short-range system [32]. The group were also able to develop a full software system to control synchronisation, error correction and privacy amplification; in addition to this they detailed various technical improvements implemented to increase bit rates and the systems background light tolerance, whilst reducing complexity and cost [32].

Unlike most QKD schemes which implement the CASCADE algorithm for error-correction purposes, they instead opted for a version of the low-density parity check (LDPC) algorithm. The approach involves minimal interactive communication, unlike CASCADE, which requires frequent and involved two-way communication – a factor that can often lead to latency in the classical channel [32].

The system described in [33] represents strong evidence (in addition to that offered by [30]) of the potential offered by QKD implementations for continuous, unsupervised key distribution over extended time periods. Also published in 2006, the ‘mid-range’ free-space QKD setup was able to produce average sifted key rates in excess of 50kbit s-1, over nearly 500m distances. Crucially, the system was able to operate unattended for 12-hour periods, with QBER rates typically between 3% and 5%. As with most QKD schemes, additional subroutines such as error correction and privacy amplification were implemented, along with advanced synchronisation and key sifting techniques [33], however the scheme also demonstrated synchronisation without the need for a time-stable classical channel, and was able to operate unattended continuously for four days [33]. The group were able to achieve transmission in most weather conditions, whilst the sifted key rate was seen to drop dramatically in fog, heavy rain and snow the most significant disturbance to the rate arose from turbulence rising from the sun-heated roofs [33]. Quantum transmission was achieved between the rooftops of two university buildings in downtown Munich, with the classical channel provided by a 10 Mbit s-1 internet connection. This allowed precise automatic alignment of the receiving and transmitting telescopes as well as synchronisation and key-sifting procedures [33]. After transmission a receiver unit was used to detect and analyse the polarisation of each photon and a time-stamp card was used to assign a specific time to each click of the detector, software in Bob’s computer was used for synchronization and the subsequent process of key-sifting [33]. Thermal drifts of the setup required an active pointing control mechanism for both sender and receiver stages, in an effort to minimise hardware complexity, alignment was achieved with the actual single photon signal itself [33].

Synchronisation was achieved with the aid of the 10MHz transmitter rate; identification of a pattern in the signal frequency through analysis of the receiver clicks made it possible to filter out a large proportion of background dark counts, patterns in the photon stream (created by Alice) were also used to determine the number of each photon. Significantly, this approach means that Alice and Bob did not need to communicate classically with each other during the synchronisation process - temporarily unavailable or slow classical channels can often hinder throughput of a QKD system, causing delays to the key-sifting process (as a time-stable channel is not required this setup described in [33] is not susceptible to these issues). An additional advantage of the scheme described in [33] is that the equipment did not have to be repeatedly aligned with respect to the telescopes; digital control loops were used to distinguish between the influence of misalignment at the sender, or at the receiver. This automatic alignment was capable of compensating temperature-induced drifts and was able to run for more than four days consecutively without any need for human interaction [33]. One limitation of this approach, however, is that the setup is restricted to operating in complete darkness - as the alignment is performed with the single photon signal [33] By 2007 key distribution had been demonstrated over an impressive 90 mile (144 km) distance, with the successful transmission of WCPs between two Canary Islands; the BB84-style scheme was able to achieve an unprecedented level of security, despite the use of attenuated laser pulses, due to the application of the powerful technique of decoy-state analysis (DSA). The experiment is particularly significant as the ability to securely incorporate WCPs into a QKD scheme represents an extremely attractive feature due to the costs and restrictions associated with SPS implementations [34]. Whilst the group reported modest distribution rates of 12.8 bit s-1, the transmission distance realised by the scheme exceeded the previous free-space transmission record by an order of magnitude and, with the aid of bi-directional telescope tracking, transmission efficiencies up to -30dB were comfortably demonstrated Combining a simple transmitter and a ground station capable of tracking LEO satellites, the international collaboration were able to irrefutably demonstrate the feasibility of satellite-based QKD with the distribution of secure key-bits between an observatory on the island of La Palma, and the ESA Optical Ground Station (OGS), 144km away on the island of Tenerife. The key distribution distance achieved by the team vastly exceeded the distance required for exchanging secure key-bits with any satellite (even the highest altitude satellites typically operate at altitudes less than 50km), whilst LEO satellites generally operate at altitudes of a couple of km’s, a fraction of the 144km distance. Nevertheless, the experiment represents a crucial milestone, and (while not the primary focus of many research groups) extended transmission distances could yet prove useful in a range of non-urban situations, such as long distance point-to-point terrestrial communication and satellite-to-satellite communication. The paper staunchly advocates the development of a global QKD network: arguing that utilising free-space transmission links between LEO satellites and a network of base stations should enable the secure and efficient sharing of secret key bits between isolated locations across the globe. Importantly, all pointing, acquisition and tracking techniques that would be necessary to implement such a global network are already well established and widespread [34]. Traditionally, WCP

implementations have been avoided for high-security applications; attenuated laser pulses are inherently unsafe due to their Poissonian characteristics – a feature which makes eavesdropping strategies a perpetual threat. Whilst much simpler to produce technically (compared to the use of a SPS), the Poissonian nature of the laser photon statistics opens the door to a range of attacks. A particularly powerful attack is the photon number splitting (PNS) attack, despite significant attenuation of the laser pulses (to the extent where the average photon number is much less than one, photon statistics dictate that a proportion of the transmitted pulses will inevitably contain more than one photon. These multi-photon pulses contribute to the shared key, whilst also being completely susceptible to eavesdropping; an adversary simply has to remove a photon from any pulse containing two or more photons (and wait for the bases to be publically announced) to successfully execute a PNS attack, in high-loss situations this can enable an eavesdropper to (theoretically) obtain the entire key [34]. The typical coping-strategy is further attenuation of laser pulses, however as this leads to a significant reduction in key generation rates, the suitability of WCP approaches for high-security QKD applications is limited. In an attempt to address this situation DSA was utilised in [34] as it allowed key security to be guaranteed, despite the use of inherently unsecure WCPs. The ability to securely incorporate WCPs into QKD schemes is understandably extremely attractive due to the inherent costs and restrictions of SPSs schemes - as such the experiment represents a crucial milestone in free-space QKD [34]. Through the application of DSA techniques comprehensive protection can be provided against a variety of attacks,

including the formidable PNS attack [34]. As part of the

approach a range of mean photon number (μ) values are randomly transmitted, it is well-established that coherent

states with μ<1 are non-orthogonal, and as a result cannot be distinguished by an eavesdropper. Consequently, without knowing the specific attenuation used for each transmission, the execution of a PNS attack inevitably leads to a detectable change in photon statistics – usefully revealing the presence of an eavesdropper [34]. During the course of the

experiment decoy pulses with a mean photon number μ𝑑 >μ𝑠 were randomly interspersed in the signal sequence, in

addition to attenuated pulses μ𝑠 and empty ‘pulses’ with no light at all [34]. In order for Alice and Bob to efficiently reconcile their basis choices it is necessary to assign a pulse number to each photoevent to allow identification during the data-sifting process. ‘Time-stamping’ of the various detection events was achieved by feeding output pulses from the detectors into a dedicated timestamp unit, local drifts were recorded to be less than 10-11 over 100s as both clock signals were derived from a GPS signal. Crucially, in [34] this procedure was achieved solely by means of dim pulses, and without the need for an external reference channel. Due to frequent fluctuations in link efficiency the group found that errors were frequently clustered in blocks rather than evenly distributed throughout the key string. Consequently, all blocks with a header corrupted by more than a factor of 1.1 were discarded during the synchronisation process. The popular two-way error correction algorithm CASCADE was subsequently applied to remove additional errors and the technique of privacy amplification was also used to limit the amount of information available to any eavesdropper [34].

Figure 7. Key generation rates for BB84, the decoy-state protocol and an ideal SPS, as a function of channel transmission. The advantages offered by implementing

decoy-state techniques is clearly evident, with a response more akin to that of the SPS than a typical BB84 protocol. It is also possible to determine that BB84

communication is not possible for attenuations greater than 20dB (Figure taken from [34])

The commercial significance of global QKD schemes is highlighted by the fact that, in 2007, over 40 European groups were collaborating in the development of a global network for secure communication based on quantum cryptography (SECOQC), and with the US and UK also developing a worldwide quantum cryptography system [63].

Whilst LEO satellites are generally considered to offer the best suitability for ground-satellite global QKD schemes and have consequently dominated much of the scientific literature, the feasibility of geostationary (GEO) satellite QKD was confirmed in [35]. An investigation into the technological

requirements and analysis of the loss variation as a function of pointing accuracy concluded that the loss budget and attainable bit rates were strongly indicative of the suitability of GEO, suggesting that “a secure global QKD network could be readily constructed using the system” [35]. In addition to detailing the significant advantages offered by GEO implementations the paper comprehensively demonstrates that QKD based on GEO satellites is feasible, at least at night, during times of reduced background radiance [35]. The pointing, acquisition and tracking (ATP) system responsible for maintaining transmission channels with LEO satellites encounters considerable challenges during day-to-day operation; acquisition times of a few minutes are typically required for quantum transmissions, combined with a wide range of potential pointing angles and variable transmission distances ranging from hundreds, to thousands of kms’s. Compared to this, GEO systems offer significant advantages in terms of channel efficiency; when a satellite orbit is synchronised with the rotation of the earth, in a ‘geosynchronous’ orbit it is literally locked into the same position in space. This stable positioning, whereby variations in transmission distance are typically only a few km’s, allows the ATP system to achieve extremely precise tracking of the satellite – significantly improving the integrity of the transmission. In addition to enhanced precision, the transmission link remains largely unbroken, this stability can be used to optimise transmission parameters and also means that communication can be performed at specifically selected times so transmission can be conducted in optimal conditions, with minimal background ambience [35]. Importantly, the set-up described in [35] was able to make significant advances against the issues presented by background ambience; due to the relatively stable positioning offered by almost-stationary GEO satellites it was possible to incorporate atomic filters into the apparatus to enhance the resultant signal. With bandwidths less than a fraction of a nanometer (0.01nm), atomic filters can be used to effectively reduce background noise, filtering out practically all wavelengths other than the signal wavelength [35]. Additional enhancement was provided by the application of time-gate filtering techniques to reduce background noise and dark count rates, with narrow (1ns) time-gates triggered by the arrival of an initial signal photon. The technique is widespread in communication protocols as it is extremely effective in removing spurious detector events and unwanted noise.

Less than 6 months after [34], an alternative entanglement-based QKD technique was also demonstrated, again over the 144km free-space optical link in the Canary Islands, in what represents a confirmation of the suitability of a heralded-SPS for long distance communication. Using entanglement to generate a shared cryptographic key the group presented a

viable alternative to the realisation of global QKD - exploiting the property of randomness and strong correlations inherent in quantum entanglement to generate ‘unconditionally’ secure key-bits [36], with the recorded polarisation correlation between two observers violating the CHSH-Bell inequality by more than 13 standard deviations [36]. As with [34], the experiment represents an order of magnitude improvement in terms of transmission distance, with the previous record for polarisation-entangled photons prior only being 13km. The distance is close to the limit of ground-based free-space quantum communication, as such significant improvements would only be realised with the aid of air- or space-based platforms [36]. As in [34], the concept of a worldwide QKD is staunchly advocated; with the group envisaging a global quantum communication network, realised through a series of free-space satellite links. A schematic of the specific experimental setup can be seen in FIGURE XXX, polarisation-entangled photons were generated on the island of La Palma through the use of a type-II spontaneous parametric down-conversion (PDC) scheme, a picosecond pulsed laser (average power 150 mW) operating at 355nm was used to pump a β–barium-borate crystal [36]. During the course of the experiment one photon from each entangled pair was measured locally (Alice) on the island of La Palma, with each entangled ‘partner’ sent via a single-mode fibre to the receiver (Bob) located at the ESA OGS in Tenerife. Due to variable atmospheric conditions caused by varying temperatures and the presence of humidity gradients the apparent bearing of the receiver station was found to shift on timescales between tens of seconds to minutes, with vertical displacements seeming more pronounced than horizontal movements. In order to accommodate these drifts and other directional shifts specific techniques such as closed-loop tracking were incorporated into the experimental setup to ensure maximal link efficiency, the transmission channel was stabilised through analysis of a 532nm counter-propagating tracking beam, sent from the OGS to La Palma in the opposite direction to reduce the likelihood of optical cross-talk [36]. Figure 9 depicts the deviation of the tracking laser as a function of time. Slow changes in average pointing direction occurred during changes of the atmospheric temperature gradients and layering, using the closed-loop tracking system it was possible to maintain maximum link efficiency. Beam drifts were rectified through keeping the laser in a fixed reference position and readjusting the transmitter platform when necessary, as can be seen from Figure 9, when the tracking system was deactivated the beam rapidly drifted and the power decreased accordingly [36].

Figure 8. The 144km free-space link between the Canary Islands of La Palma and Tenerife. Polarisation-entangled photons were produced using a type-II PDC

source, with a β–barium-borate crystal pumped by a high power UV laser. (Figure taken from [36])

Figure 9. The power received from a test laser at 808nm and the deviation of the tracking laser as a function of time. Slow changes in average pointing direction

occurred during changes of the atmospheric temperature gradients. To maintain maximum link efficiency the alignment of the transmitter platform was

automatically adjusted as required. Without tracking the beam drifted off the receiving telescope and the transmitted power reduced accordingly (Figure taken from

[36])

Two years after presenting the entanglement-based scheme outlined above, in which single photons from entangled pairs were transmitted between two Canary Islands [36], an alternative entanglement-based scheme was demonstrated over the same 144km free-space optical channel. The scheme, also by Zeilinger et al, involved the transmission of both entangled photons over the quantum channel [38]. Received states were reported to have “excellent, noise-limited fidelity, despite being exposed to extreme attenuation by turbulent atmospheric effects.” The total channel loss of 64 dB corresponds to the estimated attenuation regime for a two-photon satellite communication scenario, further indicating the feasibility of satellite-based QKD [38].

“Photon pairs at a wavelength of 810nm and a bandwidth (FWHM) of 0.6nm were generated at the transmitter in a 10-mm long, periodically poled KTiOPO4 crystal that was bidirectionally pumped by a grating-stabilised 405nm diode laser. The photon pairs were coherently combined in a polarisation Sagnac interferometer and emitted in the maximally entangled state by two telescopes mounted on a motorised platform. A bi-directional closed-loop tracking mechanism was implemented to compensate for drifts in the optical path and a 552nm beacon laser was monitored by a third telescope to ensure maximum link efficiency throughout.

The group were able to confirm that the two-photon states generated by the sagnac down-conversion source were still highly entangled after the 144km free-space transmission, the violation of a Clauser, Horne, Shimony, Holt (CHSH) Bell inequality by more than 5 standard deviations leads to the conclusion that entanglement generated by the apparatus was extremely stable, even over extended time periods. The 0.5ms flight-time of the entangled pair also represents a significant increase to the longest reported lifetime of photonic Bell states, doubling the previous record of 0.25ms [38]. The results show that the photons were subject to virtually no decoherence during the 0.5ms transmission, despite being subject to extreme attenuation, an encouraging development for global QKD [38], additionally, the compact photon source could be readily integrated into a satellite-borne photonic terminal – a development which will enable fundamental tests of the laws of quantum mechanics on a global scale.

The 2008 demonstration of a research-quality QKD setup, capable operating at MHz clock rates but comprising of nothing more than commercially available optical and electronic components also represents a crucial milestone in the development of free-space quantum cryptography. With the system controlled entirely by LabVIEW (used for system control and key sifting) the experiment pointed towards a much more accessible and cost-effective approach to QKD,

and put the emerging technology into the hands of smaller start-up labs and groups with financial restrictions. Experimental QKD setups typically require custom-made electronics, tailored optics and a dedicated system control unit (comprising of electronics to achieve raw key generation, error correction and privacy amplification) with tailor-made software. As such, the promise of a cheap off-the-shelf setup is an important step forward in terms of research, particularly with a system capable of producing sifted key bits at a rate of 25kbps (after the application of classical post-processing procedures secure key bits would be generated at a rate of 14.5 kbps), and with QBERs as low as 2.8% [37] Whilst only demonstrated over a very small distance on an optical table, the work described in [37] is highly significant. Attenuated laser pulses and Pockels cells driven by a pseudo-RNG were used to generate polarisation-encoded photons, the quantum transmission channel consisted of a 17m optical path whilst a coaxial cable was used as the public channel to communicate TTL pulses for timing purposes. The scheme was designed to be upgraded to include DSA techniques and a field-programmable gate array system for continuous operation [37].

[1] S.J. Wiesner, "Conjugate Coding", SIGACT News 15:1, pp. 78–88, (1983).

[2] C. H. Bennett, F. Bessette, G. Brassard, Quantum cryptography: Public key distribution and coin tossing Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, pp. 175-179 (1984) [3] C. H. Bennett, G. Brassard, How to reduce your enemy’s information, Lecture notes in computer sciences; Advances in cryptology (1986)

[4] C Bennett, G Brassard, J M Robert, Privacy Amplification by Public Discussion. SIAM J. Comput., 17(2), 210–229(1988)

[5] C. H. Bennett, G. Brassard, Experimental quantum cryptography: the dawn of a new era for quantum cryptography: the experimental prototype is working. Sigact News. doi:10.1145/74074.74087 (1989).

[6] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin - Experimental Quantum Cryptography, Journal of Cryptography, 5, 3-28 (1992) [7] P.D. Townsend, Secure key distribution system based on quantum cryptography, Electronics Letters , vol.30, no.10, pp.809,811 (1994)

[8] C. H. Bennett, G. Brassard, Generalized privacy amplification, IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 41, NO. 6,(1995)

[9] B.C. Jacobs and J. D. Franson, Quantum Cryptography in free space. Optics Letters 21, 22(1996) 1854 [10] W. T. Buttler, R. J. Hughes, Practical Free-Space Quantum Key Distribution over 1km. Phys. Rev. Lett 81, 15 (1998) 3283 [11] W. T. Buttler, R. J. Hughes, Free-space quantum-key distribution, Phys Rev A 57, 4 (1998) 2379 [12] T. Durt, Comment on “Practical Free-Space Quantum Key Distribution over 1km” Phys. Rev. Lett. 83:12 (1999) 2476 [13] W. T. Buttler, R. J. Hughes, P. G. Kwiat, S. K. Lamoreaux G. L. Morgan, J. E. Nordholt, C. G. Peterson, Comment on “Practical Free-Space Quantum Key Distribution over 1km”, Phys. Rev. Lett. 83:12 (1999) 2476 [14] A. Salai-Jeyaseelan, et al, Practical quantum cryptography for secure free-space communications. Special issue of IJCCT vol1,issue 2 (2000) [15] W. T. Buttler, R. J. Hughes, Daylight Quantum Key Distribution over 1.6km, Phys. Rev. Lett 84, 24(2000) 5652

[16] Richard J. Hughes, William T. Buttler, Free-space quantum key distribution in daylight. Proc. SPIE 3932, Free-Space Laser Communication Technologies XII, 117 (2000)

[17] J.G. Rarity, et al, Secure key exchange over 1.9 km free-space range using quantum cryptography, (2001) Electronics Letters , vol.37, no.8, 512-514

[18] J G Rarity, et al, Ground to satellite secure key exchange using quantum cryptography - New J. Phys. 4 82 (2002) 82.1

[19] J G Rarity, et al, Long Distance Free Space Quantum Cryptography, Proc. SPIE 4917, Quantum Optics in Computing and Communications, 25 (2002). [20] C. Kurtsiefer, J G Rarity, et al, A step towards global key distribution Nature 419 (2002)

[21] M Aspelmeyer, et al, Long-Distance Quantum Communication With Entangled Photons Using Satellites, arXiv:quant-ph/0305105 (2003) [22] R. J. Hughes, et al, Practical free-space quantum key distribution over 10km in daylight and at night. New J. Phys. (2002) 43 [23] J. C. Blenfang,et al Quantum key distribution with 1.25 Gbps clock synchronisation. Optics Express 12, 9 (2004)

[24] R. Alleaume, et al, Experimental open-air quantum key distribution with a single-photon source –New J. Phys. 6 92 (2004) 92 [25] A. Acın, . Gisin, and V. Scaran, Coherent-pulse implementations of quantum cryptography protocols resistant to photon-number-splitting attacks. Phys. Rev. A 69, 012309 (2004) [26] C. Z. Peng, et al, Experimental Free-Space Distribution of Entangled Photon Pairs over 13 km: Towards Satellite-Based Global Quantum Communication. Phys. Rev. Lett 94, 150501 (2005)

[27] K. Resch, et al, Distributing entanglement and single photons through an intra-city, free-space quantum channel. Optics Express, Vol. 13, Issue 1, pp. 202-209 (2005)

[28] Rivest, R.; A. Shamir; L. Adleman (1978). "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems". Communications of the ACM 21 (2): 120–126 [29] F. M. Spedalieri, et al, Quantum key distribution without reference frame alignment: Exploiting photon orbital angular momentum.. Optics Communications 260 (2006) 340

[30] C. Kurtsiefer, et al, Free-space quantum key distribution with entangled photons. Appl. Phys. Lett. 89, 101122 (2006 (2006)

[31]X. Shan, et al, Free-space quantum key distribution with Rb vapour filters. Appl. Phys. Lett. 89, 191121 (2006)(2006) [32] J. L. Duligall, M. S. Godfre, K. A. Harrison, W. J. Munro and J. G. Rarity. Low cost and compact quantum key distribution. New Journal of Physics 8 (2006) 249 [33] H. Weier,et al, Free space quantum key distribution: Towards a real life application. (2006) [34]T. Schmitt-Manderbach, et al, Experimental Demonstration of Free-Space Decoy-State Quantum Key Distribution over 144km. Phys. Rev. Lett 98, 010504 (2007) [35]E-L. Miao, et al, The feasibility of geostationary satellite-to-ground quantum key distribution. Phys. Lett. A 361, 29 (2007) 29-32

[36] R. Ursin, et al, Entanglement-based quantum communication over 144km. Nature 3 (2007) 481

[37] Y.S. Kim, et al, Implementation of Polarisation-Coded Free-Space BB84 Quantum Key Distribution. Laser Physics June 2008, Volume 18, Issue 6, pp 810-814(2008) [38]A. Fedrizzi, et al, High-fidelity transmission of entanglement over a high-loss free-space channel. Nature Physics 5 (2009) 389 [39] M. J. Garcia-Martinez, et al, Free-space quantum key distribution. (2011) 233 [40] D. Kahn. The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet (1996) [41] G. Jaeger. Quantum Information. An Overview. Springer (2007) [42] G. S. Vernam, “Cipher printing telegraph systems for secret wire and radio telegraphic communications”, J. Am. Inst. Elect. Eng. 45, 109-115 (1926). [43] G. S. Vernam. Secret signalling system. U.S. Patent No. 1,310,719 (22 July 1919) [44] C. Shannon. A Mathematical Theory of Cryptography, Memorandum MM 45-110-02, Sept. 1, 1945, Bell Laboratories [45] M. Fox. Quantum Optics. An Introduction. (Oxford) (2006) [46]Singh, Simon (1999). The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. London: Fourth Estate. p. 127.

[47]C. Shannon (1949). "Communication Theory of Secrecy Systems". Bell System Technical Journal 28 (4): 656–715. [48]Sergei N Molotkov. "Quantum cryptography and V A Kotelnikov's one-time key and sampling theorems". Physics-Uspekhi 49, (2006) 750 [49] evons, William Stanley, The Principles of Science: A Treatise on Logic and Scientific Method p. 141, Macmillan & Co., London, 1874, 2nd ed. 1877, 3rd ed. 1879. Reprinted with a foreword by Ernst Nagel, Dover Publications, New York, NY, 1958. [50] A. Beveratos, R. Brouri, T. Gacion, A. Villing, J. Poizat and P. Grangier. Single Photon Quantum Cryptography. Phys. Rev. Lett, 89,18 (2002) 187901 [51] Chang and Nielsen, Quantum Computation and Quantum Information

[52], P. W. Shor. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. arXiv:quant-ph/9508027v2

[53] W. K. Wootters*1 & W. H. Zurek2, A single quantum cannot be cloned, Nature 299, 802 - 803 (1982)

[54] C. H. Bennet and G. Brassard. Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, IEEE (1984) p.175

[55] C. H. Bennet and G. Brassard. The dawn of a new era for quantum cryptography: The experimental prototype is working!. Sigact News, Vol 20, no 4 (1989) p78

[56] E. Waks, K. Inoue, C. Santori, D. Fattal, J. Vuckovic, G. S. Solomon and Y. Yamamoto. Quantum cryptography with a photon turnstile. Nature 420 (2002) 762

[57] http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

[58] http://www.rsa.com/rsalabs/node.asp?id=2222

[59] D. N. Mermin. Lecture Notes On Quantum Computation: Breaking RSA Encryption With A Quantum Computer: Shor’s Factoring Algorithm. Cornell University. Accessed at: http://web.archive.org/web/20121115112940/http://people.ccmr.cornell.edu/~mermin/qcomp/chap3.pdf

[60] W. K. Wootters*1 & W. H. Zurek2, A single quantum cannot be cloned, Nature 299, 802 - 803 (1982)

[61] C. H. Bennett. Quantum Cryptography using any two nonorthogonal states. Phys. Rev. Lett 68, 3121 (1992)

[62] Present and future free-space QKD – Nordholt- Proc SPIE 4635, 117 (2002)

[63] C. Elliot, A. Colvin - Current status of the DARPA Quantum Network http://arxiv.org/pdf/quant-ph/0503058.pdf