With the growth of conventional computational power,the integrity of traditional cryptographic algorithms1,2
is increasingly at risk. Computational complexity-based traditional algorithms are vulnerable not onlyto increasingly powerful computers (both classicaland quantum) but also to an uncertainty in theirultimate effectiveness. The key lengths of traditionalcryptographic algorithms are chosen such that currentcomputers using the best known cypher-crackingalgorithms will require an unreasonable amount oftime to break the cipher. Whereas some algorithmsgenerate keys and (or) ciphertext that appears tobe secure through computational complexity, onlyin degenerate cases can any information-theoreticanalysis of security be performed. The end result isthat cipher-cracking algorithms may exist that aremuch more powerful than a cryptographic protocol isprovisioned for.
Armed with the inherent measurement uncertaintyof nonorthogonal quantum states, several researchershave put forward proposals that offer quantum effectsas cryptographic mechanisms. The most famous ofthese proposals was made by Bennett and Brassardin their BB84 protocol.3 In that scheme, two usersare able to agree remotely on a string of binary ran-dom numbers known only to each other. These ran-dom numbers are stored by the users for later useeither as keys in traditional (classical) cryptographicalgorithms or as a running key for a public Vernam ci-pher4 (one-time pad).
Whereas the Vernam cipher does provide provableinformation-theoretic security on public channels, it isinefficient in the sense that every bit of data to beciphered requires one bit of the BB84-generated key.This means that the encrypted data transmission rateis limited to the BB84 key generation rate. Because oftechnical and physical limitations, current implemen-tations5 of BB84 have much lower key generation ratesthan available classical data rates.
One of the major technical problems that limitBB84’s key generation rate (and more importantly,BB84’s rate–distance product) is the protocol’s re-quirement for single-photon number states. Thisrequirement is a burden not only in requiring the
0146-9592/03/212040-03$15.00/0
generation of such states but also because such statesare acutely susceptible to loss, are not optically ampli-fiable (in general), and are difficult to detect at highrates (greater than 1 MHz).
We propose a cryptographic scheme, based on Yuen’sM-ry protocol, which uses the inherent quantum noisein two-mode coherent states of light as a data encryp-tion mechanism. Unlike single-photon number states,two-mode coherent states are easily generated, easilydetected, optically amplif iable, and loss tolerant. Inour scheme a legitimate receiver, using a short, shared,secret key, makes an optimal quantum measurementof every transmitted bit. An eavesdropper, however,who does not possess the secret key, is subject to an ir-reducible quantum uncertainty in each measurement,even with the use of ideal, lossless detectors. Modu-lating a finite set of orthogonal polarization states(two-mode states), we demonstrate secure data encryp-tion through 25 km of standard fiber at 250 Mbps us-ing commercial off-the-shelf components.
The irreducible measurement uncertainty of two-mode coherent states is the key element in the secu-rity of our scheme. The two-mode coherent states(polarization states) employed in our scheme are
jCm�a�� � ja�x ≠ ja exp�ium�y , (1)
jCm�b�� � ja�x ≠ ja exp�i�um 1 p���y , (2)
where um � pm�M , m [ �0, 1, 2, . . . �M 2 1��, andM is odd. Viewed on the Poincaré sphere, these2M polarization states form M bases that uni-formly span a great circle, as shown in Fig. 1(right). Using a publicly known s-bit linear feed-back-shift register6 (LSFR) with judiciously chosenfeedback terms,7 the transmitter (Alice) extends ans-bit secret key, K, to a �2s 2 1�-bit extended key,K0. The extended key is grouped into disjointedblocks of r-bit running keys, R, where r � log2�M�and s ¿ r. Depending on the data bit and onrunning key R, the state in Eq. (1) or (2) is trans-mitted, where m is the decimal representation of R.Specifically, if m is even, �0, 1� ! �jCm
Fig. 1. Left, Numerical calculation of Eve’s P̄e versussignal power for M � 2047. Inset: r1 and r0 representdensity operators that correspond to logical 1 and 0,respectively. Right, M pairs of orthogonal polarizationstates uniformly span a great circle of the Poincaré sphere.
if m is odd, �0, 1� ! �jCm�b��, jCm
�a���. The result isthe logical bit mapping of the polarization states onthe Poincaré sphere to be interleaved, 0, 1, 0, 1, . . . , asshown in Fig. 1, right.
Using the same s-bit secret key and the LFSR, theintended receiver (Bob) applies unitary transforma-tions U to his received polarization states accordingto the running key, where
U �
∑1 00 exp�2ium�
∏. (3)
Bob then further rotates the states by p�4 such thatthe states under measurement are
jCm�a��0 � j
p2ha�x ≠ j0�y , (4)
jCm�b��0 � j0�x ≠ j2
p2ha�y , (5)
where h is the channel transmissivity. Equations (4)and (5) make up a two-mode on–off-key signal set,where the logical mapping corresponds to the parityof the running key, R.
An important point to note is that Bob does not re-quire high precision in decrypting a transmitted bit.The application of a slightly incorrect unitary trans-formation gives
jCm�a��0 � jexp�idu�2�
p2ha cos�du�2��x
≠ ji exp�idu�2�p2ha sin�du�2��y , (6)
jCm�b��0 � j2i exp�idu�2�
p2ha sin�du�2��x
≠ j2exp�idu�2�p2ha cos�du�2��y . (7)
Although a nonzero du results in a larger probability oferror for the bit, it does not categorically render Bob’smeasurement useless for bit decryption. For small du
the majority of the two-mode signal energy is in one ofthe two modes. The same condition applies to Bob’sdetector noise; whereas an ideal receiver allows for op-timized detection of the two-mode signal, a noisy de-tector does not limit Bob’s decryption ability beyondan increased probability of bit error.
Without knowledge of the secret key and lacking theplaintext, an eavesdropper (Eve) is unable to decryptAlice’s transmission, even when Eve is granted idealdetection equipment and all the transmitted energy.
Individual ciphertext-only attacks on the message arethwarted by the irreducible measurement uncertaintyof two-mode coherent states. An attack on the mes-sage requires Eve to distinguish neighboring polariza-tion states because of the interleaving of the logical bitmappings (Fig. 1, right). A calculation of Eve’s opti-mal quantum measurement8 shows that her bit errorP̄e asymptotically approaches 1�2 as jaj is decreasedfor a given M (see Fig. 1, left). A more-detailed analy-sis of direct attacks on the message is given in Refs. 8and 9. The inability to distinguish neighboring polar-ization states also ensures computational security ofthe secret key by forcing the search space of possibleLFSR states to be exponential in s. With the addi-tion of classical randomization at the transmitter, thescheme provides information-theoretic security for thesecret key. We intend to expand security analyses forboth ciphertext-only and known-plaintext attacks onthe secret key in future publications. An importantpoint to note is that this scheme requires no intrusiondetection. Intrusion detection is essential to BB84; onthe contrary, our scheme grants Eve all the signal en-ergy so long as she retransmits a reasonably good es-timate of the original state to maintain the channelintegrity for the users.
Our implementation of the described encryption–decryption scheme uses commercially available off-the-shelf components. As illustrated in Fig. 2, apolarization-control paddle (PCP) is adjusted toproject 235 dBm �2jaj2 � 5000 photons�bit� of powerfrom a 1550-nm-wavelength distributed-feedback(DFB) laser equally into the two polarization modesof Alice’s 10-GHz-bandwidth fiber-coupled LiNbO3phase modulator. Driven by the amplif ied output of a12-bit digital-to-analog (D-A) board (Chase Scientific,Model AWG2000), the modulator introduces a relativephase �0 2p rad� between the two polarization modes.The 32-bit LFSR, which is implemented in softwareon a personal computer (PC), yields a running keythat, when combined with the data bit, instructs thegeneration of one of the two states described in Eq. (1)or (2).
On passing through 25 km of SMF-28 fiber, whichintroduces 5 dB of loss, the light is amplif ied by a
Fig. 3. 5-kbit fragments of 9.1-Mbit bitmap transmissionsat 250 Mbps over 25 km of f iber. Insets, the receivedbit-map images. Top, Bob’s detection; bottom, Eve’sdetection. The apparent banding of Eve’s measurementsis due to the sinusoidal intensity transfer function ofpolarization modulation.
home-built erbium-doped fiber amplif ier with 30 dBof small-signal gain and a noise figure that is veryclose to the quantum limit �3 dB�. Before passingthrough Bob’s LiNbO3 phase modulator, the receivedlight is sent through a second PCP to cancel the po-larization rotation caused by the 25 km of fiber. Al-though these rotations f luctuate with a bandwidth ofthe order of kilohertz, the magnitude of the f luctua-tions drops quickly with frequency, permitting the useof a manual PCP to cancel the unwanted polarizationrotations. In future implementations, Bob’s measure-ments could be used to drive an automated feedbackcontrol on the PCP.
The relative phase shift introduced by Bob’s modu-lator is determined by the running key R generatedthrough a software LFSR in Bob’s PC and applied viathe amplif ied output of a second D–A board. Afterthis phase shift has been applied, the relative phase be-tween the two polarization modes is 0 or p, correspond-ing to 0 or 1 according to the running key: if R is even,�0,p� ! �0, 1�; if R is odd, �0,p� ! �1, 0�. With use ofa fiber-coupled polarization beam splitter oriented atp�4 rad with respect to the modulator’s principal axes,the state under measurement [Eq. (4) or (5) or, moregenerally Eq. (6) or (7)] is directly detected with two1-GHz-bandwidth InGaAs PIN photodiodes operatingat room temperature, one for each of the two polariza-tion modes. The resultant photocurrents are ampli-fied by a 40-dB gain amplif ier (Miteq Model AM-1551),sampled by an analog-to-digital (A–D) board (GaGe,Model 82G), and stored for analysis. The overall sen-sitivity of Bob’s preamplified receiver was measured tobe 660 photons�bit for 1029 error probability.
Figure 3 shows results from 5000 A–D measure-ments (one of the two polarization modes) of a 9.1-Mbbitmap file transmitted from Alice to Bob (top) andto Eve (bottom). The data rate is 250 Mbps, andthe insets show the respective decoded images. Inthis experiment the actions of Eve can be physicallysimulated by Bob, starting with an incorrect secretkey. Clearly, a real eavesdropper would aim tomake better measurements by placing herself closeto Alice and implementing the optimal quantummeasurement.9 Although Fig. 3 does not explicitlydemonstrate Eve’s inability to distinguish neighboringpolarization states, it does show that a simple bit de-cision is impossible. In the current setup, the 12-bitD-A conversion allows Alice to generate and transmit4094 distinct polarization states (2047 bases). Thenumerical calculation used to plot Fig. 1, left, thenshows that for 2jaj2 � 5000 and M � 2047, Eve’s mini-mum probability of error follows jP̄e 2 1�2j , 10216.Note, however, that because of the use of a short secretkey the security of this demonstration is weak againstattacks on the secret key through exhaustive search.
In conclusion, we have demonstrated data encryp-tion at a 250-Mbps rate over 25 km of telecom fiber byusing two-mode coherent states that are loss tolerantand optically amplif iable. Our scheme uses commer-cially available off-the-shelf optical components andis sound against individual ciphertext-only eavesdrop-ping attacks near the transmitter with ideal detectionequipment.
This work has been supported by the DefenseAdvanced Research Projects Agency under grantF30602-01-2-0528. E. Corndorf’s e-mail address [email protected].
References
1. J. Daemen and V. Rijmen, in Smart Card Researchand Applications, LNCS 1820, J. J. Quisquater andB. Schneier, eds. (Springer-Verlag, Berlin, 2000),pp. 288–296.
3. C. H. Bennett and G. Brassard, in Proceedings of theIEEE International Conference on Computers, Systems,and Signal Processing (Institute of Electrical and Elec-tronics Engineers, Piscataway, N.J., 1984), pp. 175–179.
4. G. S. Vernam, J. Am. Inst. Electr. Eng. 45, 109 (1926).5. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev.
Mod. Phys. 74, 145 (2002).6. E. S. Selmer, Linear Recurrence over Finite Field (Univ.
Bergen Press, Bergen, Norway, 1966).7. N. Zierler and J. Brillhart, Inf. Control 15, 541 (1968).8. G. A. Barbosa, E. Corndorf, P. Kumar, H. P. Yuen, G.
Mauro D’Ariano, M. G. A. Paris, and P. Perinotti, inQuantum Communication, Measurement and Comput-ing (QCMO’02), J. H. Shapiro and Q. Hirota, eds. (Rin-ton Press, Paramus, N.J., 2002), pp. 357–360.
9. G. A. Barbosa, E. Corndorf, P. Kumar, and H. P. Yuen,Phys. Rev. Lett. 90, 227901 (2003).
