Invented by Charles Bennet and Giles Brassard in 1984, Quantum Key Distribution (QKD)
begins with a radically different premise: we should base security on known physical laws
rather than on mathematical complexities. Physical devices with specialized cryptographic
protocols can conjure up ever-ﬂowing streams of random bits whose values will remain
unknown to third parties. When we use these bits as key material for Vernam ciphers, we can
achieve Shannon’s ideal of perfect secrecy—cheaply and easily. In contrast with the unproven
foundations of public-key techniques, QKD provides information-theoretic secrecy firmly
based on the laws of physics .
How does it work
QKD lets two parties—for example, Alice and Bob—agree on secret keys. More formally, it’s
a technique for agreeing on a shared random bit sequence within two distinct devices, with a
very low probability that other eavesdroppers will be able to make successful inferences as to
those bits’ values. We use the random bit sequences as secret keys for encoding and decoding
messages between the two devices. Thus, QKD is not, in itself, a full cryptosystem. Rather,
we should compare it to other key-distribution techniques, such as trusted couriers, the Difﬁe-
Hellman key exchange, and so on.
QKD can be an intensely confusing ﬁeld: there are many approaches, the schemes are
complex, and it helps to have a working knowledge of quantum optics, which is fundamental
to the technology. However, the basic idea is simple, as Figure 1 illustrates.
Figure 1.The basic idea of quantum cryptography.
Alice sends a series of single photons to Bob, each modulated with a random basis (here, a
two-sided card) and a random value. Alice chooses a card side at random, writes a random 0
or 1 on that side, and sends the card to Bob. Bob also chooses a side at random and reads that
side’s value. When Alice and Bob choose the same side, Bob reads exactly what Alice wrote.
Otherwise, he reads a 0 or 1 completely at random.
After Bob reads all the photons he performs a sifting transaction with Alice to discard all
cases where he read the wrong side (basis). He sends the random basis settings list that he
used to Alice, and she tells which ones were correct. Then Alice and Bob discard all values
where they disagreed on the basis and keep the remaining values for raw key material.
Now, what about an eavesdropper, who we shall call Eve? At ﬁrst, Eve is in a situation
similar to Bob’s. She must guess which side of the card to read; half the time she will be
able to read what Alice sent, and the other half she’ll get a random value But she can’t
surreptitiously siphon off a little bit of a single photon because when she reads it, she
demolishes it. But if Bob doesn’t get that photon, it’s no loss; the sifting process will discard
that photon and Alice and Bob won’t use that bit in their key material.
A clever Eve might try to regenerate a demolished photon and send a copy to Bob but she
can’t. Quantum physics’ no-cloning theorem says that she can’t copy values from both
sides of the card—only from the side she read. The other side will have a random value. If
that’s a side that Alice and Bob agree on during sifting, any Eve-generated random values will
appear as small noise bursts in the communicated values. Hence, eavesdropping always pro-
duces QKD noise, and a cautious Alice and Bob interpret all noise as evidence of active
In a perfect world, that would end the story. However, in real systems, some channel noise is
always present, and a cryptographic system must operate with some noise levels even if they
imply eavesdropping activities. To address this, we employ relatively elaborate error detection
and -correction protocols to ﬁnd and correct bit errors and privacy amplify the result so that
Eve has a vanishingly small knowledge of the resultant bit values Alice and Bob use.
Operating on bits in computer memory, privacy ampliﬁcation is a classical algorithm that
smears out the value of each initial shared bit across the shorter resulting set of bits; that is, it
distributes its value via a universal hash across the resulting bits .
Quantum Key Distribution (QKD)
Quantum Cryptosystem can be explained with a simple example. System is consists of a
transmitter and a receiver. Alice can utilize the transmitter to send photons having one of four
different polarizations at the angles of 0°, 45°, 90°, 135°. Bob utilizes the receiver to measure
the polarizations at the other side. According to laws of Quantum Mechanics, the receiver can
discriminate between rectilinear polarizations (horizontal-0° and vertical-90°) or circular
(diagonal) polarizations (right circular-45° and left circular-135°), but can not discriminate
between rectilinear and circular (diagonal) polarizations .
Each bit is encoded with the polarization of a photon. Polarization of a photon is the
oscillation direction of its electric field, which is vertical (90°), horizontal (0°), or diagonal
(+45° or -45°).
Figure 2. Quantum cryptography with polarized photons.
(a) Firstly, Alice and Bob agrees on an encoding scheme:”0” bit is encoded with 90° or
45° polarizations and “1” bit is encoded with 0° or -45° polarizations.
(b) A rectilinear filter is used to discriminate between horizontal and vertical photons and
a diagonal filter is used to discriminate between right-diagonal and left-diagonal
(c) A photon polarized 0° and 90° will come out polarized 0° and 90° when filtered out
with a rectilinear filter and a photon polarized 45° and -45° will come out polarized
45° and -45° when filtered out with a diagonal filter. No change in polarizations.
(d) A photon polarized 0° and 90° will come out randomly polarized when filtered out
with a diagonal filter and a photon polarized 45° and -45° will come out randomly
polarized when filtered out with a rectilinear filter. Random change in polarizations.
(e) Quantum communication system used for Quantum cryptography.
Figure 3. Quantum Key Distribution (QKD)
(a) Alice prepares photons randomly with either rectilinear (horizontal or vertical) or
circular (right-diagonal or left-diagonal) polarizations, records the polarization of each
photon and then sends it to Bob .
(b) Bob receives each photon and randomly measures its polarization according to the
rectilinear or circular basis. He records the measurement type (basis used) and the
resulting polarization measured. (It is important to remember that the polarization sent
by Alice may not be the same polarization Bob finds if he does not use the same basis
(c) Bob publicly tells Alice what the measurement types were, but not the results of his
measurements. Alice publicly tells Bob which measurements were of the correct type.
A correct measurement is the correct type of Bob used the same basis for
measurement as Alice did for preparation.
(d) Alice and Bob each throw out the data from measurements that were not of the correct
type, and convert the remaining data to a string of bits. This string of bits forms the
Using a demonstration program, the following example data was generated assuming that
Alice sends 12 photons and the detector never fails .
The string of bits now owned by Alice and Bob is: 1 0 0 1 0 1 0 1. This string of bits forms
the secret key. In practice, the number of photons sent and the resulting length of the string of
bits would be much greater.
Security Issues of Quantum Cryptography
A message encrypted using quantum cryptography is secured by the laws of quantum
physics, so if it was provably insecure the most successful theory in the history of physics
would be disproved and our current understanding of the universe shattered. However, there
are issues of data security relevant to a cipher beyond its confidentiality .
It is acknowledged in the 1991 paper “Experimental Quantum Cryptography” contributed to
by Bennett and Brassard, that there are issues of authentication not fully resolved by the
current system . It is stated that “the assumption that the public messages cannot be
corrupted by [an eavesdropper] is necessary” to avoid what is known as the man-in-the-
middle attack. As both Alice and Bob have no way within the proposed system of proving
their identity to each other, it is possible for an attacker to sit between them and impersonate
Bob to Alice, and Alice to Bob thus negotiating a secret key with each of them. The suggested
solutions are an “unjammable public channel” or a standard authentication scheme which
would require that both Alice and Bob shared some secret information beforehand. The latter
approach would seem to negate the main advantage of Bennett and Brassard’s key exchange
protocol, which is the ability for two entities to negotiate shared secret knowledge in a public
channel without the need for any prior secrets. This, as it currently stands, suffers from the
same drawback as the one-time pad which provides absolute secrecy but with the additional
headache of securely distributing the keys. It would be possible to extend Bennett and
Brassard’s protocol to include an adaptation of the current certification authority
authentication mechanism for conventional public keys. The current system uses trusted
agencies to digitally sign public keys and so verify the identity of their owner. This however,
whilst removing the need for shared secret knowledge, relies on computationally infeasible,
but breakable, mathematical equations and, as such, would not offer an absolutely secure
means of identification.
Figure 4. Man-in-the-middle attack using both classical and quantum channels
Another element of a quantum cipher’s security is that of availability, which has not
previously been an issue with conventional encryption. The root of the problem is an
eavesdropper’s ability to alter photons in transit and so prevent two entities from achieving
an error free channel. This could be seen as a denial of service (DoS) vulnerability, and a
malicious user is not limited to this line of attack. Even if Alice and Bob are sharing secret
authentication keys, an attacker could repeatedly corrupt the public authentication exchange
leading to both parties exhausting their supplies of keys before a secure connection is
established. However the majority of DoS attacks, whilst annoying, are not considered
security critical, and there is certainly no way for an attacker to trick Alice and Bob into
believing that a secure connection exists.
There are physical attacks which may be mounted on the transmission medium itself.
Assuming that an eavesdropper has access to unlimited technology, two major techniques
which have been identified are intercept/resend and beam-splitting.
Intercept/resend takes advantage of the fact that current photon detecting equipment is far
from perfect; only around 1 in 400 pulses (one tenth of a photon) are successfully transmitted
and received. As Alice and Bob know to expect this level of photon loss, an attacker can
intercept selected pulses of light before they reach Bob, measure them, and then resend them
on with the detected polarity. However, due to the difficulties in quantum measurement of
photons, the probability of the resent and measured photons still having the correct
polarization when measured by Bob is only 0.25 or one in four. The discrepancies will
therefore be apparent to both Alice and Bob. Additionally Bennett’s calculations as to any
advantage gained by the eavesdropper puts the probability that they have correctly guessed a
particular bit as 1/√2 or approximately 0.7 (1 DP). For a cipher to be absolutely secure, it is
unacceptable that even partial disclosure of the key occurs, so therefore whilst the optical
technology is imperfect, any errors in transmission must be treated as an eavesdropping
attempt and the entire exchange repeated.
Beam-splitting utilizes the fact that the pulses of light which Alice and Bob use to
communicate, in practice, are not single photon-states. The attacker uses a mirror to deflect
part of the original light beam allowing it to continue, albeit with reduced intensity, towards
Bob. The deflected pulses will be stored until Alice and Bob publicly announce the bases
used to encode each bit, at which point the stored beam can be correctly measured. At the
current time the technology does not exist, and it is not known if it is possible, to store
polarised light pulses. However a present-day attacker is still able to make guesses as to the
correct measurements of their diverted beam, as in the intercept/resend attack, with the added
bonus of avoiding error creation in the data stream. The drop in beam intensity is likely to
alert Alice and Bob to an intruder, and a sufficient delay before the bases are publicly
discussed will also allow time for any stored photons to decay.
After a quantum key exchange has completed, according to Bennett and Brassard “Alice and
Bob are now in the possession of a string that is almost certainly shared, but only partly
secret”. This is due to their assumption that the exchange will be eavesdropped, and that it
will be done to the best of an attacker’s ability. Instead of repetition of the whole process,
Alice and Bob can make an estimation as to the amount of their secret key which can have
been divulged (or lucky guessed), and then perform a process known as “privacy
amplification”. This involves publicly selecting a hashing function from a shared secret set,
and then applying it to their shared secret key. The result will be a different secret key which
they both share, and of which an attacker knows nothing.
The protocol developed by Bennett & Brassard et al is the first quantum cryptographic
protocol ever produced. Quantum cryptography itself is still very much in its infancy, and has
not yet made it out of the laboratory and become widely and publicly used. It is not surprising
therefore, that while the physics behind the idea are unshakable, there are issues which may
impede its rapid take-up and acceptance. The very feature of quantum physics which gives
quantum cryptography its security as a confidential cipher also reduces its security as a
reliable cryptosystem. The act of observation of a quantum key exchange will irreversibly
alter it, destroy data and possibly necessitate the repetition of the exchange. In practice in a
public channel, this could easily be classified a denial of service attack, and at the very least
will waste time and cause frustration.
As the protocol stands, the issue of authentication is not fully resolved. A small amount of
shared data is required between communicants before the exchange even begins, if this is
necessary before a secure channel is established then it is an echo of the key-distribution
problems faced by Diffie and Hellman, and GCHQ in the Sixties. The protocol however does
allow for a key to be exchanged between two parties who may never have met, although there
is no way for them to be assured that they are actually negotiating with each other.
The telephone networks in the countries which would lead the implementation of quantum
cryptosystems are heavily reliant on optical fibers. These use pulses of light to transfer
telephone conversations in digital form. The existing infrastructure of optical fibers would be
an ideal medium for the transfer of quantum encrypted data. An added advantage is the
perceived security of the telephone system in comparison to a local network or the Internet on
which anyone with a grounding in security can sniff traffic. The practice of placing telephone
taps has so far largely been restricted to law enforcement and requires more engineering and
electrical knowledge than most malicious attackers will possess. There is physical security at
local exchanges giving another barrier to eavesdropping. Essentially this adds up to an
existing, secure infrastructure for the rollout of quantum cryptography.
The communications security offered by quantum encryption cannot be disputed. If two
people have established a secret key and are passing polarized photons between two points,
the laws of quantum physics dictate that it is impossible for the information exchanged to be
compromised. The ability of private citizens to achieve this, which has never before been
possible, is likely to be of particular interest to national government and law enforcement
agencies. Since computer encryption has been available to the public it has been legislated
and the export of algorithms from country to country tightly controlled.
Quantum cryptography requires a relatively complex array of hardware to operate, or at least
out of the reach of the average home user. The most likely implementation of quantum
cryptography which resolves the hardware issue will be on a local exchange level, similar to
the current telephone network. If the quantum encryption itself is performed at a local
exchange, this gives security agencies the opportunity to place taps to record information
before it is unbreakably encrypted.
Quantum cryptography, as it stands at the moment, is purely a transmission cryptosystem.
There is no provision for storage of encrypted data which can, and does, impede criminal
Only time will tell how cryptography will evolve in the future, the catalyst for development
will be practical quantum computers which currently still lie in the realm of science fiction.
 Elliott Chip, “Quantum Cryptography”, IEEE Security and Privacy, July, pp.57-61,
 Toyran Mustafa, “Quantum Cryptography”, TÜBİTAK, UEKAE, 2010.
 Hunter Karen and Duncan Todd, “Quantum Cryptography”, SCI 510: Quantum,
December 9, 2002.
 Grindlay Bill, “Quantum Cryptography”, White paper, Next Generation Security
Software, January, 14, 2003.
 Bennett, C. H., Bessette, F., Brassard, G., Salvail, L., and Smolin J., “Experimental
Quantum Cryptography” Journal of Cryptology, vol. 5, no. 1, 1992, pp. 3 – 28.