Autocompensating quantum cryptography

Quantum cryptographic key distribution (QKD) uses extremely faint light pulses to carry quantum information between two parties (Alice and Bob), allowing them to generate a shared, secret cryptographic key. Autocompensating QKD systems automatically and passively compensate for uncontrolled time-dependent variations of the optical fibre properties by coding the information as a differential phase between orthogonally polarized components of a light pulse sent on a round trip through the fibre, reflected at mid-course using a Faraday mirror. We have built a prototype system based on standard telecom technology that achieves a privacy-amplified bit generation rate of ~1000 bits s$^{-1}$ over a 10 km optical fibre link. Quantum cryptography is an example of an application that, by using quantum states of individual particles to represent information, accomplishes a practical task that is impossible using classical means.


have built a variety of systems for carrying out QKD, both over optical fibre and through free space. [3] provides an excellent recent review of the field.
In its simplest (and to date, most practical) form, quantum information is encoded in the states of single photons (or extremely faint coherent light pulses) that travel from Alice to Bob. An equivalent [4], but more difficult, method for conveying quantum information is to let Alice and Bob share an entangled pair of photons [3]-[8]. In that case, a definite value of a physical quantity (such as angular momentum or energy) is associated with the pair state, but not with either of the photons individually. For these entangled-pair states, very strong correlations will exist in the results of measurements Alice and Bob make on their separate photons, allowing them to generate a cryptographic key from these results and public discussion of them. Eavesdropping necessarily reduces the degree of correlation between Alice and Bob's measurements, so the degree of correlation in the data can be used to calculate an upper bound on the amount of information leaked to possible adversaries.

Autocompensating interferometry as a basis for QKD
A general challenge for quantum information is to choose a coding scheme that avoids disturbance by the dominant noise sources. For QKD based on either fibre or free space optical systems, fluctuations of the medium through which the photons travel are a source of noise. In free space, atmospheric density fluctuations are locally highly isotropic. Because polarization coding is essentially a differential phase encoding between two orthogonal polarization states, density fluctuations give rise to 'common mode' phase fluctuations, which do not degrade the contrast between the polarization basis states. Perturbations of the photon's propagation direction by density fluctuations only reduce the collection efficiency and key generation rate.
The situation is quite different when QKD is carried out over optical fibres. Optical fibre systems are a natural choice for QKD over distances up to several tens of kilometres, particularly since fibre-optic networks already connect many computers. Unfortunately standard optical fibre (for example SMF-28) has small but significant birefringence due to variations in its structure and composition and due to mechanical stresses caused, for example, by bends and twists. Other optical components used in a fibre-optic network can also introduce birefringence. These effects lead to random time-varying changes of polarization state, so that constant measurement of the properties of the optical fibre and active feedback control of some sort of compensating optical devices is required to use polarization as a basis for coding quantum information.
While this active approach has been successfully used in fibre-optic QKD systems [9], it is also possible to build a system that inherently compensates for changing fibre characteristics by using a differential coding scheme. This idea can be understood by considering Martinelli's observation that light sent on a round trip through an optical fibre terminated with a Faraday mirror returns in the polarization state orthogonal to that in which it started, independent of the optical properties of the fibre [10]. This property arises from the fact that a Faraday mirror exchanges orthogonal polarization states, with the consequence that the total phase accumulated by light over the course of a round-trip is independent of the input polarization. Because of this, information encoded as a differential phase between two orthogonal polarization states will be unaffected by birefringence in the system, provided that this birefringence does not change in the time it takes light to make a round-trip through the fibre ($2n/c \sim 10$ µs km$^{-1}$). The idea that a QKD system could be made insensitive to the state of the fibre by using round-trip propagation with a Faraday reflection mid-course was developed independently by groups at the University of Geneva [11]-[14] and IBM [15,16], who built systems that used 1.3 µm light. Operation at 1.55 µm, preferred for long-haul telecom systems, has also been demonstrated [17,18].

Mathematical treatment of autocompensating system
Martinelli originally used the Jones matrix formalism to show that a Faraday mirror can 'orthoconjugate' light, i.e., generally transform any polarization state into an orthogonally polarized state. This formalism can be extended to describe autocompensating QKD systems. We represent the transformation of the polarization state of light propagating forward and backward through an optical component or system by matrices $T$ and $T_R$ given by Here $U$ and $V$ are arbitrary unitary matrices that transform between the eigenmode basis of the optical system and any desired bases at the system ends, and $e^{iX}$ and $e^{iY}$ describe the phase and amplitude changes for each of the eigenmodes. The matrices for backward propagation through such components are derived from their forward counterparts by transposing and negating the off-diagonal elements (following the convention that backward propagating fields be described in a right-handed coordinate system with reversed $z$- and $x$-axes) [19,20,21]. For reciprocal components, $X$ and $Y$ are independent of propagation direction. For non-reciprocal components such as Faraday rotators, reversing the propagation direction also changes the sign of the Faraday rotation angle, given by $\gamma = \Delta n_c k_0 L = V B k_0 L$ where $\Delta n_c = \frac{1}{2}(n_- - n_+)$ (with $n_\pm$ the refractive indices for positive and negative helicity light), $k_0$ is the light wavevector in vacuo, $V$ is the Verdet constant, $B$ is the component of magnetic field parallel to $k_0$ and $L$ is the path length in the medium. Thus the forward and backward polarization transformations through a Faraday rotator are related by $F(\gamma) = F_R(-\gamma)$, and can be written as $2 \times 2$ rotation matrices for angles $\pm\gamma$. Purely optically active media are described similarly, but with no sign change for $\gamma$ in the reverse direction.
A Faraday mirror (FM), which is a combination of a 45° Faraday rotator and a normal mirror, transforms polarization states according to the Jones matrix: FM can be multiplied by a factor $r$ to account for attenuation and phase shift due to the optics. It is readily verified that for unitary matrices such as $U$, $U_R\,\mathrm{FM}\,U = \mathrm{FM}$. Thus, for a round trip through a system described by $T$ and terminated by an FM, the overall Jones matrix $M$ is given by M is simply given by the FM matrix multiplied by overall phase and amplitude attenuation factors. If several components described by $T_i$ of the form in equation (1) are concatenated before Faraday reflection, a round trip is described by the matrix $M$ with $X$ and $Y$ replaced by $X_i$ and $Y_i$, respectively. The final polarization state of light after a round trip is still orthogonal to the initial state, independent of the properties of the optical system described by the $T_i$, and the total phase accumulated is $\Sigma(X_i + Y_i)$, independent of the initial polarization state.
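The round-trip result can be checked numerically. The following is an added example, not code from the paper: it builds random fibre elements, applies the transpose-and-negate rule for backward propagation, and compares the round-trip matrix with the phase-shifted FM matrix, including the failure case where the fibre changes between the outgoing and return passes. Assumptions: each element has the form T = U·diag(e^{iX}, e^{iY})·V with unit-determinant U and V (equation (1) is not reproduced in this copy), the mirror is written as diag(1, −1) in the return frame so that the sign matches the returned states quoted in the text, and r = 1.

```python
import cmath
import math
import random

MIRROR = [[1, 0], [0, -1]]   # assumption: ideal mirror written in the reversed-x return frame

def mul(a, b):
    """2x2 complex matrix product."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def backward(m):
    """Backward-propagation matrix: transpose, then negate the off-diagonal elements."""
    return [[m[0][0], -m[1][0]], [-m[0][1], m[1][1]]]

def rot(g):
    """Faraday rotator F(g) as a 2x2 rotation matrix."""
    return [[math.cos(g), -math.sin(g)], [math.sin(g), math.cos(g)]]

# 45 degree rotator, mirror, then the rotator traversed backward: F_R(g) = F(-g).
FM = mul(rot(-math.pi / 4), mul(MIRROR, rot(math.pi / 4)))   # ~ [[0, -1], [-1, 0]]

def random_su2(rng):
    """Random unit-determinant unitary standing in for U or V."""
    t = rng.uniform(0, math.pi / 2)
    a = cmath.exp(1j * rng.uniform(0, 2 * math.pi)) * math.cos(t)
    b = cmath.exp(1j * rng.uniform(0, 2 * math.pi)) * math.sin(t)
    return [[a, -b.conjugate()], [b, a.conjugate()]]

def random_fibre(rng, n_elements=5):
    """Chain of T_i = U_i diag(e^{iX_i}, e^{iY_i}) V_i; returns (T, sum of X_i + Y_i)."""
    total, phase = [[1, 0], [0, 1]], 0.0
    for _ in range(n_elements):
        x, y = rng.uniform(0, 2 * math.pi), rng.uniform(0, 2 * math.pi)
        d = [[cmath.exp(1j * x), 0], [0, cmath.exp(1j * y)]]
        t_i = mul(random_su2(rng), mul(d, random_su2(rng)))
        total, phase = mul(t_i, total), phase + x + y
    return total, phase

def round_trip(out_path, return_path):
    """M = (return path traversed backward) . FM . (outgoing path)."""
    return mul(backward(return_path), mul(FM, out_path))

def deviation(m, phase):
    """Largest element-wise distance between M and e^{i phase} FM."""
    f = cmath.exp(1j * phase)
    return max(abs(m[i][j] - f * FM[i][j]) for i in range(2) for j in range(2))

def demo(seed=3):
    rng = random.Random(seed)
    fibre, phase = random_fibre(rng)
    m = round_trip(fibre, fibre)            # fibre unchanged during the round trip
    changed, _ = random_fibre(rng)          # fibre altered before the return pass
    m_bad = round_trip(fibre, changed)
    return {
        "static_deviation": deviation(m, phase),
        # m[1][0] is the H-in/V-out prefactor, m[0][1] the V-in/H-out prefactor
        "differential_phase": cmath.phase(m[1][0] / m[0][1]),
        "h_leak_static": abs(m[0][0]) ** 2,      # H input returning as H
        "h_leak_changed": abs(m_bad[0][0]) ** 2,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3e}")
```

With unit-determinant U and V the identity holds exactly; for a general unitary U the product U_R·FM·U picks up the overall phase det(U), which is common to both polarizations and so leaves the differential phase untouched.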

When a light pulse with horizontal polarization state $\psi_i = \begin{pmatrix} a_H \\ 0 \end{pmatrix}$ is presented at the input of such a system, the state that is returned is which has vertical linear polarization. Similarly, when the vertically polarized state $\begin{pmatrix} 0 \\ a_V \end{pmatrix}$ is input to the system, the returned state is $-e^{i(\Sigma X_i + \Sigma Y_i)}\, r \begin{pmatrix} a_V \\ 0 \end{pmatrix}$, and is horizontally polarized. The prefactors are the same in both cases; thus no differential phase shift or attenuation is introduced between two orthogonally polarized light pulses that travel on a round trip through the same sequence of optical elements terminated by an FM. For QKD, this result allows Alice and Bob to robustly encode quantum information in the differential phase between orthogonally polarized pulses. In the preceding discussion, we assumed that the modal phase shifts $X$ and $Y$ were the same for outgoing and returning light. However, this will only be true if the system optical properties vary slowly compared with the round trip time for light. By deliberately violating this condition using fast phase modulators, Alice and Bob can introduce useful differential phase shifts between the orthogonal polarization states. These shifts can be read out at Bob's station either polarimetrically (by combining the orthogonally polarized waves) or interferometrically (by combining the waves with parallel polarization) using appropriate optics. Systems built at IBM based on these two read-out methods are described below in sections 2 and 3, respectively.
Figure 1 shows the initial version of our quantum cryptography setup. Alice and Bob's setups, in the same lab but with separate computers and independent equipment, are only connected via a 10 km (or 20 km) SMF-28 optical fibre link that carries both quantum information at 1.3 µm and wavelength multiplexed bi-directional timing and coordination pulses using 1.55 µm transceivers. They also communicate via the building LAN to carry on public discussions.

Experimental setup
In this optical design, a horizontally polarized pulse from the 1.31 µm DFB laser (Lucent D2304G) passes through a variable attenuator and bat-wing polarization adjuster (not shown) and then is fibre coupled to a bulk optical polarization and analysis module. The pulse passes through two polarizing beamsplitters (PBSs) PBS1 and PBS2 (with cancelling ±45° rotations between due to the Faraday rotator and WP1), and then, after a 45° rotation by WP2, is split by PBS3 into H- and V-polarized components with amplitudes we can describe by the vector ns by a loop of polarization-maintaining fibre before a second encounter with PBS3 directs it into the fibre toward Alice. Since pulses H and V pass through the system at different times, they can be independently traced through the system in order to determine their states upon returning to PBS3. figure 2, an annealed-proton-exchange (APE) LiNbO$_3$ waveguide modulator can be used to apply an overall phase shift to the arbitrarily polarized pulse, even though the waveguide transmits only one linear polarization ($y$). The $y$-polarized component of $\psi_{1H}$ is sent by PBS4 directly to PM$_A$. The $x$-component travels to the FM, is rotated to $y$-polarization by the FM, returns to PBS4 and is coupled into the loop by PBS4. PM$_A$ is offset from the loop midpoint by an optical path $L$ equal to the path from PBS4 to the FM, so that the counter-propagating $x$ and $y$ pulse components meet in PM$_A$ having each travelled the same distance $(C/2 + L)$ from PBS4, where $C$ is the loop circumference. This arrangement places the modulator at the exact midpoint of the overall optical path. As the $x$ and $y$ components pass through PM$_A$ at the same time in opposite directions, an equal phase shift $\phi_{AH}$ is imparted to both of them. The component that was originally $x$-polarized continues anticlockwise around the loop to PBS4. The component that was originally $y$-polarized travels clockwise around the loop to PBS4 and then onto the FM, where it is rotated to $x$-polarization and sent back to PBS4, where the two components are reunited.
The overall combined effect of PBS4, the fibre loop and PM, the FM, and the attenuation due to WM and Alice's other components (which is included in $r$), can be described by the matrix Here $\phi_s = k_x L + k_y (C + L)$ is a static phase shift that takes into account the birefringence of the polarization-maintaining fibre path. This arrangement is thus equivalent to a standard FM plus a controllable phase shift, $\phi_{AH}$, that can be intentionally applied using Alice's PM. After reflection, phase shifting and attenuation, as represented by matrix FM, pulse H returns through the fibre to PBS3, arriving in the state Thus H, which originally was horizontally polarized, returns to PBS3 vertically polarized and is directed through Bob's delay loop. The loop adds both a fixed phase, $\phi_\tau$, and a controllable phase $\phi_{BH}$ that Bob can apply using PM$_B$. H then arrives at PBS3 for the second time in the state where the attenuation and fixed phase factors have been combined into the new constant r.

The V-polarized pulse.
The vertically polarized pulse V, initially in state $\psi_{0V}$, travels through the system in an analogous way, but passes through the delay loop immediately on departure. As it did for H, the loop adds the fixed phase $\phi_\tau$ and a phase shift $\phi_{BV}$, controlled by PM$_B$. V returns to PBS3 in the state which is horizontally polarized and has an intentional phase shift $\phi_{AV} + \phi_{BV}$.

Recall that the first pulse, H, is directed through Bob's delay loop on its return to PBS3 and arrives at PBS3 for the second time after a delay $\tau$. Since $\tau$ is also the delay between H and V, H's second arrival at PBS3 coincides with V's arrival. The two orthogonally polarized pulses thus emerge from PBS3 at the same time, overlapping in space, and travel together toward WP2. The polarization state of the recombined pulse as it leaves PBS3 can be expressed by the vector where In typical operation, Alice sets $\phi_{AH} = 0$ while the first pulse passes through the modulator and then rapidly switches to $\phi_{AV} \neq 0$ in a time short compared with the delay $\tau$ between the H and V pulses. Similarly, Bob turns his modulator off for all pulses leaving his station ($\phi_{BV} = 0$), but sometimes applies a phase $\phi_{BH} \neq 0$ to returning pulses, so that $\Delta\phi = (\phi_{AV} - \phi_{BH})/2$.

Polarization analysis for decoding the quantum bits.
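After leaving PBS3, the light represented by state $\psi_3$ is rotated by WP2 to the final state Recalling that the state $\psi_0 = \begin{pmatrix} a_H \\ a_V \end{pmatrix}$ was originally produced by the passage of a purely horizontally polarized state through WP2 in the forward direction, we can write so that

$$\psi_4 = -r\,e^{i\Sigma\phi} \begin{pmatrix} -\cos 2\theta & \sin 2\theta \\ \sin 2\theta & \cos 2\theta \end{pmatrix} \begin{pmatrix} e^{i\Delta\phi}\sin 2\theta \\ e^{-i\Delta\phi}\cos 2\theta \end{pmatrix} = -r\,e^{i\Sigma\phi} \begin{pmatrix} -i\sin\Delta\phi\,\sin 4\theta \\ \cos\Delta\phi - i\sin\Delta\phi\,\cos 4\theta \end{pmatrix}.$$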
In the ideal case WP2 is rotated to the angle $\theta = \pi/8$, and thus This shows that PBS2 directs all of the light to D$_0$ for $\Delta\phi$ an even multiple of $\pi/2$, and to D$_1$ (via PBS1) for $\Delta\phi$ an odd multiple of $\pi/2$. If WP2 is rotated by $\delta$ away from its ideal angle, the fraction of the intensity leaking to D$_1$ has a minimum value $(4\delta)^2$ (when $\Delta\phi = \pi$), while the minimum intensity to D$_0$ (for $\Delta\phi = 0$) will be 0, independent of $\delta$. A 2° misalignment of WP2, for example, will misroute ∼2% of the intensity for even $\Delta\phi/(\pi/2)$, while for odd $\Delta\phi/(\pi/2)$ all photons will be routed correctly. Thus, on average, a 2° misalignment of $\theta$ will contribute ∼1% to the bit error rate (BER). With their shared control over the differential phase shift $\Delta\phi$ in equation (13), Alice and Bob can implement the four-state BB84 protocol. A possible assignment of basis and bit values to Alice and Bob's phase shifts is given in table 1. When Alice and Bob match bases, with both choosing either an odd or an even multiple of $\pi/2$, the photons are deterministically routed to a specific detector, depending on Alice's choice of bit.

Single-photon detection using pulse-biased InGaAs avalanche photodiode (APD) detectors
Quantum cryptography requires detection of single photons. The circuit used for this task is shown in figure 3. This signal pulse is amplified and sent to an electronic gate (described in detail in [16]), giving the final output pulse shown by the bottom trace of figure 3(b), overlaid on a trace obtained with no photon signal present. The output pulses are sent to a discriminator followed by appropriate logic and counting modules. The transient cancellation is independent of pulse amplitude, pulse shape and photodiode characteristics. The detectors are pulse biased at 1 MHz, and with peak voltages ∼2 V above breakdown a quantum efficiency $\eta \sim 20\%$ with dark count probability ∼2-4 × 10$^{-5}$ is achieved. The 1.55 µm timing pulses sent from Bob to Alice are used to synchronize the modulator PM$_A$ to the arriving light pulses, and are echoed from Alice to Bob to trigger Bob's detector bias pulser and drive a counter to keep track of the pulse number. The Fujitsu detectors have worked well, but operate best at quite low temperature and unfortunately are no longer available. However, recent work has identified devices (JDS Uniphase EPM 239 AA SS) that have acceptably good performance even above 200 K, making thermoelectric cooling an attractive option [22]-[24].
the elegant design of Ribordy et al [14], with the slight modification that polarization-maintaining fibre is used throughout, so no polarization adjusters are needed in the phase-sensitive portion of the optical path. Bob, rather than initially splitting a 45° polarized beam using a bulk-optical polarizing beam-splitter cube, splits his linearly polarized input pulse into two replicas using a 2 × 2 fibre coupler constructed with polarization-maintaining fibre. The upper leg of the splitter is connected to a fibre-optic PBS with a connector modified to couple two polarization-maintaining fibres with their fast axes perpendicular. The delayed pulse from the lower branch of the coupler reaches the PBS without polarization rotation, and leaves Bob's station polarized orthogonally to the undelayed pulse, as in the earlier setup. Alice also incorporates a fibre PBS with polarization-maintaining fibre to implement her PM loop. Keeping the light in single-mode fibre at both stations reduces the optical loss significantly, and most importantly, gives on/off interferometric switching contrast at the variable coupler of ∼650:1, an order of magnitude higher than the 62:1 contrast obtained with the bulk-optic polarizers. It is also simpler to use a fibre-optic circulator module to direct light to D$_1$ than to use the waveplate/Faraday-rotator/bulk PBS combination shown in figure 1.

Experimental setup
If we assume the initial coupler is symmetric, with amplitude transmission and reflection coefficients $t$ and $ir$ respectively ($r$ and $t$ real), we obtain expressions for the final amplitudes in the D$_0$ and D$_1$ channels analogous to those in equation (12), with the substitutions $\sin(4\theta) \to 2irt$ and $\cos(4\theta) \to (t^2 - r^2)$. The minimum probability for photons to be routed to D$_1$ is $(t^2 - r^2)^2$. A non-ideal coupler with a 55:45 power splitting ratio, for example, will direct ∼1% of the photons to D$_1$ at nominal null ($\Delta\phi = \pi$). With careful adjustment of the polarization-maintaining variable coupler, we achieve a leakage rate three to four times lower than this.

System operation
Computers at Alice and Bob's stations, running LabVIEW™ programs, control the QKD system. They sequentially carry out the quantum information transfer, error correction and privacy amplification. The weak 1.3 µm pulses and the 1.55 µm timing pulses are carried over a single SMF-28 optical fibre, while coordinating signals and data for error correction and privacy amplification are sent using TCP/IP over the building LAN. Data obtained for 10 and 20 km fibre links with the all-fibre system are shown in figure 5. The raw key rates (squares) for photons detected with matching bases for Alice and Bob (∼1/2 the total detection rate) are given by The error-corrected rates (circles) are based on the bits remaining after Alice's and Bob's computers carry out error correction over the LAN. Starting with the raw key, they shuffle and block the key data three times, each time comparing row parities and bisectively searching out the errors in rows with parities that mismatch. The block sizes are chosen to leave ≲10 errors after three stages. The sparse remaining errors are found by comparing parities of randomly selected matching subsets of one-half of the remaining bits. If for a given draw the parities disagree (as will occur with probability 1/2 if there are any remaining errors), a bisective search is used to find and eliminate the error. Success is assumed after 20 consecutive parity matches occur. In both the block and random subset operations, a bit is discarded for each parity bit revealed.

As a by-product of the error correction procedure, an estimate of the initial BER is obtained. This estimate is needed for privacy amplification. The actual BERs as a function of $\mu$ are also plotted (diamonds) in figure 5. Based on the estimated BER and the measured value of $\mu$, Alice and Bob compute an estimated upper bound, $E$, for the number of bits of information Eve possesses about their $N_{ec}$ error-corrected bits. To generate privacy-amplified key bits, Alice's and Bob's computers continue to compute parities for matched subsets of one-half of the error-corrected bits (selected using a publicly transmitted random matrix), but now, rather than publicly comparing them, Alice and Bob keep these parities as secret key bits. $(N_{ec} - E - s)$ bits are generated in this way. The privacy amplification theorem asserts that, for a chosen $s$, Eve's information about the final key will be at most $\sim 2^{-s}/\ln 2$ bits [1, 2].

Privacy amplification
The maxima in the privacy-amplified key rates versus $\mu$ seen in figure 5 reflect the tradeoff between low photon arrival rate and high BER at low $\mu$, and Eve's increasing ability to gain information about the pulses at high $\mu$. The degree of vulnerability of weak laser pulses to eavesdropping is a central and interesting question. The rates for privacy-amplified key generation in figure 5 were calculated using the simple BB84 estimate that Eve obtains fractions 2 · BER and $\mu$ of the sifted bits using read-and-replace and beamsplitting attacks, respectively [1,2]. For a low BER this approximation gives a key rate that goes as $\sim\mu(1 - \mu)$, with a maximum near $\mu = 0.5$ and falling to zero as $\mu \to 1$. For the 10 km link, using the BB84 leak estimate gives a maximum key rate ∼1.5 kbit s$^{-1}$ for $\mu = 0.3$, while for the 20 km link, the ∼4 dB greater attenuation, higher backscattering, and consequently increased BER reduce the privacy-amplified key rate at $\mu = 0.3$ by about an order of magnitude, to 200 bit s$^{-1}$.
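The post-processing described above (three shuffle-and-block parity passes with bisective search, the random half-subset stage ending after 20 consecutive matches, one bit discarded per parity revealed, then privacy amplification to N_ec − E − s bits) can be simulated end to end. This is an added example, not the LabVIEW code used in the experiment. Assumptions: the block sizes, seeds, key length and error count are constructed; a seeded generator stands in for the publicly transmitted random matrix; and E is taken as (2·BER + µ) times the sifted-key length, following the simple BB84 estimate quoted above.

```python
import math
import random

def parity(bits, idx):
    return sum(bits[i] for i in idx) & 1

def bisect_fix(alice, bob, idx, dropped):
    """idx has a mismatched parity: halve it until the bad bit is isolated."""
    while len(idx) > 1:
        first = idx[:len(idx) // 2]
        dropped.add(first[-1])               # one bit discarded per parity revealed
        if parity(alice, first) != parity(bob, first):
            idx = first
        else:
            idx = idx[len(idx) // 2:]
    bob[idx[0]] ^= 1                         # Bob corrects the located error

def compare(alice, bob, subset, dropped):
    """Publicly compare one parity; return 1 if an error was found and fixed."""
    dropped.add(subset[-1])
    if parity(alice, subset) == parity(bob, subset):
        return 0
    bisect_fix(alice, bob, subset, dropped)
    return 1

def reconcile(alice, bob, rng, blocks=(16, 32, 64), streak_needed=20):
    """Return (indices of surviving bits, number of errors located)."""
    live, dropped, found = list(range(len(alice))), set(), 0
    for size in blocks:                      # three shuffle-and-block passes
        rng.shuffle(live)
        for start in range(0, len(live), size):
            found += compare(alice, bob, live[start:start + size], dropped)
        live = [i for i in live if i not in dropped]
    streak = 0
    while streak < streak_needed and len(live) > 1:   # random half-subset stage
        hit = compare(alice, bob, rng.sample(live, len(live) // 2), dropped)
        found += hit
        streak = 0 if hit else streak + 1
        live = [i for i in live if i not in dropped]
    return live, found

def privacy_amplify(bits, n_out, seed):
    """Each output bit is the parity of a random half of the input bits."""
    rng = random.Random(seed)                # stands in for the public random matrix
    n = len(bits)
    return [parity(bits, rng.sample(range(n), n // 2)) for _ in range(n_out)]

def demo(n=2000, n_err=60, mu=0.3, s=20, seed=7):
    rng = random.Random(seed)
    alice = [rng.getrandbits(1) for _ in range(n)]    # constructed sifted key
    bob = alice[:]
    for i in rng.sample(range(n), n_err):             # constructed channel errors
        bob[i] ^= 1
    live, found = reconcile(alice, bob, rng)
    a_ec, b_ec = [alice[i] for i in live], [bob[i] for i in live]
    ber = found / n                                   # by-product BER estimate
    eve = math.ceil((2 * ber + mu) * n)               # E from the simple BB84 estimate
    n_key = max(0, len(a_ec) - eve - s)
    return {
        "n_ec": len(a_ec), "found": found, "eve": eve, "agree": a_ec == b_ec,
        "key_a": privacy_amplify(a_ec, n_key, seed=2024),
        "key_b": privacy_amplify(b_ec, n_key, seed=2024),
    }

if __name__ == "__main__":
    r = demo()
    print(r["n_ec"], r["found"], r["eve"], len(r["key_a"]), r["key_a"] == r["key_b"])
```

The located-error count slightly underestimates the true error count, because an erroneous bit can be removed by a parity discard without ever being located.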
Analyses that consider more sophisticated eavesdropping attacks have been recently made [25]-[33], in some cases granting Eve powers within the realm of known physics, but far beyond those provided by today's technology. Lütkenhaus [29]-[31], for example, considers a scenario where Eve can measure the photon number for each pulse, block the single-photon pulses, enhance the transmission of multi-photon pulses and learn the exact state for pulses containing two or more photons, allowing perfect re-sending. Gilbert and Hamrick (GH) [32] make a similar analysis, but allow Eve less information for two-photon pulses, arguing that their state cannot be analysed perfectly and that only those pulses where Eve and Bob each detect one photon contribute to Eve's knowledge of the error-corrected key. This is an important distinction, since double-photon pulses are relatively numerous. Figure 6 compares the key generation rates versus $\mu$ calculated according to the prescriptions of these authors for various levels of system efficiency with those given by the simple BB84 estimate (shown in blue) [1,2]. The calculated curves assume dark count rates and backscattering levels typical of our system with the 10 km fibre link. The predicted net key rates are similar for ideal channels (quantum efficiency $\eta$ and link transmission $T$ both equal to unity), but diverge for lower $\eta$ and $T$. Using the prescription of GH gives a bit rate of 200 bit s$^{-1}$ for our 10 km system rather than the 1.5 kbit s$^{-1}$ obtained with the simple BB84 prescription, and no net bits for the 20 km link. Our 20 km BER is increased significantly (by 2-3%) owing to the greater intensity of backscattered light at 1.3 µm arriving at the detectors. One solution to this problem is to run Bob's laser intermittently, storing a train of pulses behind Alice's attenuator in a delay line [14], and detecting the returning photons during periods when no backscattered photons are present. While the system duty-factor is somewhat reduced using this approach, the very high cost of increased BER to key generation makes the tradeoff highly worthwhile for longer distances.
Figure 6. Secure key bits generated per pulse for several detector quantum efficiencies, $\eta$, and Alice-to-detector transmission values, $T$, according to the information leakage bounds given in [1,2,30] and [32]. (Axes: key bits/pulse versus $\mu$ in photons/pulse.)
In considering what level of data sacrifice is required for adequate privacy amplification, it is helpful to consider the point of view of the Geneva group [3,33]: whereas perfect security would be infinitely costly and impractical, practical security to a very high level is achievable with current level QKD systems if we accept quite reasonable limits on Eve's abilities. For example, large high-speed quantum memories with very long retention times are unavailable, and could be defeated simply by delaying sufficiently the exchange of basis information. Alternatively, Alice and Bob could generate all matching basis choices on the fly by using some initially shared secure key information, and never need to reveal the bases [34]! In either of these cases Eve would be forced to analyse the photons split from two-photon pulses without a priori knowledge of the bases, which halves the information she can obtain about them. The optimum value of µ and the net rate of key generation for our 10 km link approximately double if the GH leak estimate is modified in this way, as shown by one example in figure 6.

Conclusion
Autocompensating quantum cryptography systems make it possible to generate shared, secret cryptographic key data at kilobit-per-second rates over distances up to a few tens of kilometres. The advantage of the autocompensating approach is that it allows accurate optical readout of the quantum information with no monitoring or active control of the optical properties of the system, despite the presence of random, time-varying disturbances of the fibre link. This is accomplished by using a differential phase coding that is immune to these disturbances.