practical issues in quantum cryptography · 2012-11-03 · used modern encryption algorithm is the...
Practical Issues in Quantum Cryptography
by
Feihu Xu
A thesis submitted in conformity with the requirements
for the degree of Master of Applied Science
Graduate Department of Electrical & Computer Engineering
University of Toronto
Copyright © 2012 by Feihu Xu
Abstract
Practical Issues in Quantum Cryptography
Feihu Xu
Master of Applied Science
Graduate Department of Electrical & Computer Engineering
University of Toronto
2012
Cryptography plays a key role in our life ranging from computer passwords to electronic
commerce to national military security. The most widely used modern encryption al-
gorithm is the public-key algorithm. However, the security of all public-key algorithms
relies on unproven computational assumptions. Hence, there is a potential loophole for
a fast algorithm to compromise their security. Quantum cryptography or quantum key
distribution (QKD), on the other hand, is an unbreakable encryption algorithm. In
principle, QKD can provide unconditional security based on the fundamental laws of
quantum physics. Unfortunately, real-life implementations of a QKD system may con-
tain overlooked imperfections and thus violate the practical security of QKD. It is vital
to explore these imperfections. In this thesis, I study two practical imperfections in quan-
tum cryptography: i) Security loophole in QKD system because of imperfect quantum
state preparation; ii) How to generate high-speed truly random numbers.
i) Discovering security loophole in a commercial QKD system: One key assumption in
QKD is that the sender (Alice) can prepare the required quantum states without errors.
However, such an assumption may be violated in a practical QKD system. I perform a
proof-of-principle experiment to demonstrate a technically feasible quantum attack that
exploits such a security loophole in a commercial QKD system. The attack I utilize is
called phase-remapping attack.
ii) Generating high-speed truly random numbers: An essential element in QKD is a
quantum random number generator (QRNG), which can generate true randomness by
exploiting the indeterminism of quantum mechanics. However, due to the difficulties
of measuring quantum effects in real setups, most approaches to QRNG are limited in
speed. Here, I propose and experimentally demonstrate an ultrafast QRNG at a rate
over 6 Gb/s, which is based on the quantum phase fluctuations of a laser. Moreover, I
consider a potential adversary who has partial knowledge of the raw data and discuss
how one can rigorously remove such partial knowledge with post-processing.
Acknowledgements
I would like to take this opportunity to thank various people for making my M.A.Sc.
study in the University of Toronto an exciting experience. First and foremost, I owe my
deepest gratitude to my supervisor, Prof. Hoi-Kwong Lo, who has supported me with
his patience and knowledge during the past two years. I am grateful to him for many
useful discussions that motivated me.
I would extend my thanks to Dr. Bing Qi, who is my experimental supervisor and
kindly teaches me everything in our quantum information technology lab. It has been
a great honor to work with him. I also deeply appreciate the help and advice from
Prof. Li Qian and Dr. Xiongfeng Ma, who provide many invaluable suggestions for my
research as well as for my future career. Special thanks are extended to Prof. Joyce
Poon, Prof. Ben Liang, and Prof. Ashish Khisti for their time and willingness to serve
on my thesis committee.
Next, it is a pleasure to thank a friendly and cheerful group of fellow students, He
Xu, Jiancheng Xuan, Haoxuan Zheng, Viacheslav Burenkov, Zhiyuan Tang, Wei Cui,
Dongpeng Kang, Fei Ye, Chao Zhuang, Xiaofeng Xu, David Lynall for many stimulating
discussions. I have also largely benefited from the inspiring discussions with many out-
standing scientists. In particular, I would like to thank Dr. Christian Weedbrook, Dr.
Eric Chritambar, Dr. Vadim Makarov, Dr. Chi-Hang Fred Fung, Dr. Kiyoshi Tamaki,
Dr. Richard Hughes and Dr. Zhiliang Yuan.
Finally and most importantly, I am very grateful to my family for their endless en-
couragement and support. This thesis is dedicated to my dear Alice.
Contents
1 Introduction 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.2 Quantum cryptography . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.3 Imperfections of practical quantum cryptography . . . . . . . . . 4
1.1.4 Truly random number generator . . . . . . . . . . . . . . . . . . . 4
1.2 Highlight and Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Publications and Presentations . . . . . . . . . . . . . . . . . . . . . . . 6
2 Elements of Practical Quantum Key Distribution (QKD) 8
2.1 BB84 protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Intercept-and-resend attack . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Security proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.4 QKD implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4.1 Basic components . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4.2 Plug-and-Play QKD system . . . . . . . . . . . . . . . . . . . . . 16
2.5 Quantum hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.5.1 Attacks on quantum state detection . . . . . . . . . . . . . . . . . 17
2.5.2 Attacks on quantum state preparation . . . . . . . . . . . . . . . 19
3 Experimental Phase-Remapping Attack 21
3.1 Practical attack strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.2 Experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.2.1 Experimental setup . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.2.2 Polarization control . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.2.3 Minimized quantum bit error rate . . . . . . . . . . . . . . . . . . 26
3.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.3.1 Theoretical quantum bit error rate . . . . . . . . . . . . . . . . . 29
3.3.2 Experimental quantum bit error rate . . . . . . . . . . . . . . . . 30
3.4 Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.4.1 Optimization of the attack . . . . . . . . . . . . . . . . . . . . . . 31
3.4.2 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4 High-speed quantum random number generator 34
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.2 Experimental demonstration . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2.1 Physical model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
4.2.2 Parameters optimization . . . . . . . . . . . . . . . . . . . . . . . 39
4.2.3 Experimental procedures . . . . . . . . . . . . . . . . . . . . . . . 40
4.3 Quantum min-entropy evaluation . . . . . . . . . . . . . . . . . . . . . . 42
4.4 Randomness extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.4.1 Extraction schemes: Review . . . . . . . . . . . . . . . . . . . . . 45
4.4.2 Toeplitz-hashing extractor . . . . . . . . . . . . . . . . . . . . . . 47
4.4.3 Trevisan’s extractor . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4.5 Randomness verification . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.5.1 Statistic test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.5.2 Autocorrelation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.6 Discussions and conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 51
5 Conclusion and Outlook 55
5.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.1.1 Phase-remapping attack . . . . . . . . . . . . . . . . . . . . . . . 55
5.1.2 Quantum random number generator . . . . . . . . . . . . . . . . 56
5.2 Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.2.1 Detector-control attack . . . . . . . . . . . . . . . . . . . . . . . . 56
5.2.2 Other quantum attacks . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2.3 Quantum random number generator . . . . . . . . . . . . . . . . 59
5.2.4 Practical QKD . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.3 Thoughts on future QKD . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
A Temperature control 62
A.1 Temperature accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
A.2 Temperature controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
B Laser Noise Characterization in Frequency Domain 65
B.1 Parameters quantification . . . . . . . . . . . . . . . . . . . . . . . . . . 65
B.2 Quantum and classical phase noise . . . . . . . . . . . . . . . . . . . . . 67
C Statistic test 70
C.1 Statistic test suits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
C.2 Test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Bibliography 71
Chapter 1
Introduction
1.1 Motivation
The introduction of the Internet has enriched many lives by offering users a plethora of
information and convenience. One of the many conveniences is online shopping and the
ability to make purchases and other financial transactions online. However, Internet se-
curity has become an increasingly important issue and many people question whether or
not the information they divulge when making online purchases is really secure. Although
current technology protects this vital information from hackers and identity theft, this
information will indeed be vulnerable once a super-computer, such as a quantum com-
puter, is developed. In current secure communication systems, the key component that
can be compromised by future technology is the encryption algorithm. The most widely
used modern encryption algorithm is the public-key algorithm. However, the security of
all public-key algorithms relies on unproven computational assumptions. Hence, there is
a potential loophole of a fast algorithm compromising its security. Indeed, a quantum
computer can easily break standard public-key systems via Shor’s quantum algorithm.
In contrast to the public-key encryption algorithm, quantum cryptography (QC) is
the unbreakable encryption algorithm based on the laws of quantum physics. In the past
decade, the unconditional security of QC has been rigorously proven and various QC
networks have been demonstrated in USA, Europe, China, and Japan. Unfortunately,
a crucial problem in QC is the big gap between its theory and practice due to the
imperfections in real-life implementation. An adversary may exploit these imperfections
and launch specific attacks. In this thesis, my primary interest is to address some of
these imperfections and their security consequences in a practical QC system.
Chapter 1. Introduction 2
1.1.1 Cryptography
Cryptography is the art of secret writing and reading. More generally, it is about con-
structing and analyzing protocols that overcome the influence of adversaries. Cryptogra-
phy plays a key role in our life ranging from computer passwords to electronic commerce
to national military security. Modern cryptography can be divided into two categories,
asymmetric and symmetric cryptography, depending on whether the encoding and de-
coding keys are the same or different.
Asymmetric or public-key cryptography involves the use of different keys for encryp-
tion and decryption. The principle was proposed in 1976 by W. Diffie and M. Hellman
[1]. The first real implementation was then developed by R. Rivest, A. Shamir, and L.
Adleman in 1978 [2], which is commonly known as RSA. In fact, RSA is the most popular
algorithm in current applications of cryptography. However, the security of public-key
cryptosystems relies on unproven computational assumptions. For example, the security
of a standard RSA system is based on the difficulty of factoring a large composite num-
ber. So far, it has not been possible to prove whether factoring is really difficult or not.
This implies the potential existence of a fast algorithm for factorization. Indeed, a quan-
tum computer can easily break a standard RSA system via Shor’s quantum algorithm (a
polynomial algorithm allowing efficient factoring) [3].
Symmetric cryptography, on the other hand, requires a single key for both encryption
and decryption. In symmetrical cryptosystems, an unbreakable code does exist. It is
called the one-time-pad (OTP), invented by Gilbert Vernam in 1917 [4]. The principle
of OTP is the following. The sender (Alice) and the receiver (Bob) first share a private
random key. The message (plain-text) is converted into a binary form by a public method,
and then combined with the random key to achieve the cipher-text, where the most typical
method is an XOR1 operation between the message and the key. For OTP to be secure,
it is important that the key must be as long as the message and used only once. Three
decades after OTP was proposed, Shannon proved that OTP can provide perfect secrecy:
the cipher-text does not give any additional information on the message [5].
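As an added illustration, not code from the thesis, of the OTP operation described above and of why the key may be used only once: the block below XORs a message with a fresh uniformly random key, checks that the same operation decrypts, and shows that reusing one key across two messages lets an observer recover m1 XOR m2 without ever learning the key. The sample messages are constructed here.

```python
import secrets


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """One-time-pad encryption: XOR each message byte with one key byte.

    The key must be at least as long as the message and must be used once.
    """
    if len(key) < len(message):
        raise ValueError("one-time-pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


# Decryption is the same operation, since (m XOR k) XOR k = m.
otp_decrypt = otp_encrypt


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns from two ciphertexts made with the SAME key.

    c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2: the key cancels out and
    the relation between the two plaintexts is exposed.  This is the reason
    for the 'used only once' condition in the text.
    """
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> bool:
    """Round-trip a message, then show the leak caused by reusing the key."""
    # constructed sample messages (not from the thesis)
    m1 = b"attack at dawn"
    m2 = b"retreat at noon"
    key = secrets.token_bytes(max(len(m1), len(m2)))  # fresh random key
    c1 = otp_encrypt(m1, key)
    if otp_decrypt(c1, key) != m1:
        return False
    # Reusing `key` for m2 leaks m1 XOR m2, independent of the key value.
    c2 = otp_encrypt(m2, key)
    leaked = key_reuse_leak(c1, c2)
    expected = bytes(a ^ b for a, b in zip(m1, m2))
    return leaked == expected


if __name__ == "__main__":
    print("key reuse leaks m1 XOR m2:", demo())
```

A correct deployment therefore needs a fresh key of message length for every message, which is exactly the key distribution problem discussed next.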
The OTP method is unbreakable, but it has a serious drawback: Alice and Bob
must initially share a secure key that is the same length as the message. Is there an
efficient way for Alice and Bob to share such a secure key? This is the so-called key
distribution problem. One solution to this problem is by trusted couriers. Unfortunately,
trusted couriers can be easily bribed or compromised in real life. Another solution is
by a public-key cryptosystem. Nonetheless, as mentioned earlier, the security of public-
key cryptography is only based on unproven computational assumptions. Therefore, the
security of its whole implementation can be compromised. If classical communication
and classical physics cannot provide an optimal solution to the key distribution problem,
quantum mechanics, or more precisely, quantum cryptography would constitute the only
solution.
1The logical operation exclusive disjunction, also called exclusive or, is a logical operation on two logical values, typically the values of two propositions, that produces a value of true only in cases where the truth values of the operands differ.
1.1.2 Quantum cryptography
The idea of using quantum physics to achieve missions impossible in classical information
was first mentioned in the early 1970s by Stephen Wiesner. He proposed an idea of
counterfeit-free quantum money. However, his paper was rejected and could not be
published until a decade later [6]. In 1984, Charles H. Bennett and Gilles Brassard
applied Wiesner’s idea to solve the key distribution problem in classical cryptography
and published the famous Bennett-Brassard-1984 (BB84) protocol [7].
Quantum cryptography, or quantum key distribution (QKD) [8, 9, 10, 11] enables
an unconditionally secure means of distributing secret keys between Alice and Bob. Its
security is rigorously based on the fundamental laws of quantum physics. In QKD, an
encryption key is generated randomly by using quantum states. In contrast to classical
physics, in quantum mechanics there is a quantum no-cloning [12] theorem: an unknown
quantum state cannot be perfectly copied. This theorem is closely related to another
important theorem: information gain implies disturbance. More specifically, given one
state of a quantum system chosen from distinct nonorthogonal states, any operation that
can gain information about the state necessarily disturbs the state.
Now, we describe the picture of how QKD works as follows. If an eavesdropper (Eve)
attempts to learn information about some signals (quantum states, for instance photons)
sent through a quantum channel, she will have to perform some measurements on the
signals. These measurements will generally disturb the state of those signals. Alice
and Bob can catch an eavesdropper by searching for traces of this disturbance, such
as checking the bit error rate of a random sample of the raw transmission data. The
absence of disturbance ensures to Alice and Bob that Eve does not have any information
about the transmitted quantum signals. Therefore, the security of QKD is rigorously
guaranteed by the quantum no-cloning theorem. The best-known QKD protocol is the
BB84 protocol [7], which will be discussed in Section 2.1.
1.1.3 Imperfections of practical quantum cryptography
The unconditional security of QKD is based on the laws of quantum mechanics and has
been rigorously proven during the past decade [13, 14, 15]. Nevertheless, owing to the
imperfections in the real-life implementations of QKD, there is still a large gap between
its theory and practice. To connect the theory with practice, security proofs of QKD have
already considered some of these imperfections, such as weak coherent pulses, detector
dark counts [16, 17] and detector efficiency mismatch [18]. Unfortunately, a practical
QKD system has many other imperfections. Eve may try to exploit these imperfections
and launch quantum hacking not covered by the original security proofs. Is it possible
that a small unnoticed imperfection spoils the security of the otherwise carefully designed
QKD system? This question has drawn a lot of attention.
Various quantum attacks, including the Trojan-horse attack [19, 20], the faked-state
attack [21], the time-shift attack [22, 23], and the detector-control attack [24], have
been proposed. Meanwhile, the time-shift attack [23] and the detector-control attack
[24] have already been successfully demonstrated against commercial QKD systems. To
close the gap between the theory and the practice of QKD, it is important to inves-
tigate these hacking strategies. Nonetheless, previous studies are largely concentrated
on the imperfections in the quantum-state-detection stage of a QKD process. For in-
stance, both the faked-state attack [21] and the time-shift attack [22, 23] exploit the
imperfection of the detection-efficiency mismatch between the two detectors in a stan-
dard QKD system. Hence, a natural question is: Are there any security loopholes in the
quantum-state-preparation stage of QKD? In this thesis, one of my primary interests is
addressing such a security loophole in a practical QKD system with imperfect quantum
state preparations. We experimentally investigate a specific quantum hacking strategy,
called phase-remapping attack, against a widely-used commercial QKD system. Fig. 1.1
shows the commercial ID-500 QKD system (manufactured by ID quantique) I cracked in
our lab.
Figure 1.1: ID-500 commercial QKD system in our lab (manufactured by ID quantique).
1.1.4 Truly random number generator
Another potential imperfection in QKD is the requirement for a truly random number
generator (RNG). An RNG is an essential element because most QKD protocols require
Alice and Bob to actively choose random bases/signals.
of QKD, the fundamental assumption is that Alice and Bob can generate perfectly ran-
dom numbers. Traditionally, pseudo-RNG based on computer algorithms has long been
used for applications. However, due to its deterministic nature, it cannot generate truly
random numbers with theoretically provable randomness. In contrast, quantum-RNG
can generate true randomness by exploiting the fundamental indeterminism of quantum
physics [25]. In the past decade, several quantum-RNGs based on different schemes have
already been demonstrated [25, 26, 27, 28, 29, 30, 31] and commercial products have
appeared on the market [32]. Intel usually integrates an analog-hardware quantum-RNG
based on thermal noise in some of its chips [33, 34]. Unfortunately, due to the difficulties
of measuring quantum effects in real setups, most approaches to quantum-RNG are lim-
ited in speed (typically near 20 Mbits/s). Furthermore, in practice, quantum randomness
may be compromised due to the mixing with classical noise, which may be observed or
even controlled by Eve.
In this thesis, an ultrafast and unique quantum-RNG is proposed and experimentally
demonstrated. A rigorous method to remove the contamination of classical noise is
implemented. Our approach is based on measuring the quantum phase fluctuations of a
laser operating near its threshold.
1.2 Highlight and Outline
• In Chapter 2, the preliminaries of QKD, including the BB84 QKD protocol, security
proofs, real-life QKD implementations, and quantum hackings, are presented.
• In Chapter 3, one of the first successful quantum attacks, called phase-remapping
attack, against a widely-used commercial QKD system is experimentally demon-
strated. This work has been published in Ref. [35], and I was the first author. The
demonstration highlights not only the vulnerabilities of practical QKD systems,
but also the importance for QKD researchers to re-double their efforts on the study
of the imperfections of QKD and their counter-measures. After the publication of
this work, it has been widely reported in the news media including news articles in
Nature, The Economist, New Scientist, Physics World, MIT Technology Review,
and so forth. It has been cited 24 times by Google Scholar.
• In Chapter 4, the world’s fastest truly random number generator is presented.
A preprint version of this work has been posted [36], and I was the first
author. The approach is by measuring the quantum phase fluctuations of a laser.
The key advantages of our approach are simplicity, high-speed and information-
theoretically provable randomness. This work not only demonstrates the large
potential for random number generations by quantum phase fluctuations as the true
entropy source, but also highlights the importance on the rigorous quantification
and distillation of quantum randomness in a practical quantum-RNG.
• In Chapter 5, I conclude my thesis with a summary and an outlook.
1.3 Publications and Presentations
Journal papers
• Feihu Xu, Bing Qi, and Hoi-Kwong Lo, “Experimental demonstration of phase-
remapping attack in a practical quantum key distribution system”, New Journal of
Physics, 12, 113026, 2010.
• Feihu Xu, Bing Qi, Xiongfeng Ma, He Xu, Haoxuan Zheng, and Hoi-Kwong Lo,
“An ultrafast quantum random number generator based on quantum phase fluctu-
ations”, submitted, 2011. [preprint arXiv:1109.0643]
Refereed conference proceedings
• Feihu Xu, Bing Qi, Xiongfeng Ma, He Xu, Haoxuan Zheng, and Hoi-Kwong Lo,
“A high-speed quantum random number generator based on quantum phase fluc-
tuations”, in Proceedings of the 11th Asian Conference on Quantum Information
Science (11th AQIS), 2011.
Conference talks
• Feihu Xu, “An ultrafast quantum random number generator with quantum phase
fluctuations”, contributed talk (25 min), QCRYPT 2011: First Annual Conference
on Quantum Cryptography, Zurich, Switzerland (Sep. 2011)
• Feihu Xu, Bing Qi, “A high speed quantum random number generator based on
quantum phase noise”, contributed talk (20 min, presented by Bing Qi), 11th AQIS,
Busan, Korea (Aug. 2011)
• Bing Qi, Feihu Xu, Viacheslav Burenkov, et al., “Security of practical quantum
key distribution system”, invited talk (presented by Bing Qi), Updating Quantum
Cryptography and Communications (UQCC), Tokyo, Japan (Oct. 2010)
Poster presentations and Conference attending
• Feihu Xu, “A high speed quantum random number generator based on quan-
tum phase noise”, poster presentation, Conference on Quantum Information and
Quantum Control IV (CQIQC IV), Toronto, Canada (Aug. 2011)
• Feihu Xu, “Experimental demonstration of phase-remapping attack in a practi-
cal quantum key distribution system”, poster presentation, 10th Canada Research
Chairs Conference (10th CRC), Toronto, Canada (Nov. 2010)
• Feihu Xu, “Experimental demonstration of phase-remapping attack in a practical
quantum key distribution system”, poster presentation, 10th International Confer-
ence on Quantum Communication, Measurement and Computation (10th QCMC),
Brisbane, Australia (Jul. 2010)
• Feihu Xu, attending, Tropical QKD conference, Institute for Quantum Comput-
ing, Waterloo, Canada (Jun. 2010)
Chapter 2
Elements of Practical Quantum Key
Distribution (QKD)
“A theory is acceptable to us only if it is beautiful.” - Albert Einstein
The first quantum information task to reach the level of practical applications is
quantum key distribution (QKD). In the past decade, QKD has experienced a dramatic
development in both theoretical study and experimental demonstration. In theory, the
principle of QKD has been rigorously proven based on the laws of quantum physics and
information theory [13, 14, 15]. In experiment, QKD has achieved a key generation rate
of over 1 Mbits/s [37] and a transmission distance of over 200 km [38]. Various QKD
networks have already been built in USA [39], Europe [40], China [41, 42], and Japan [37].
There have also been demonstrations of QKD in a Swiss election and the 2010 World
Cup. Moreover, commercial QKD products, for instance the ID Quantique system [32]
and the MagiQ system [43], have appeared on the market. These products have been
used by a number of Swiss banks to encrypt critical traffic. There are excellent up-to-date
reviews [8, 9, 10, 11] summarizing this development. In this chapter, we only focus on a
few basics of QKD that are relevant to this thesis.
2.1 BB84 protocol
BB84 [7] is the best-known protocol of QKD. The basic tool of BB84 protocol is a quan-
tum channel (such as optical fiber) connecting Alice and Bob, and an authenticated public
Chapter 2. Elements of Practical Quantum Key Distribution (QKD) 9
classical channel (such as the Internet)1. Information sent through the quantum channel
is encoded on the quantum state of photons. Eve is allowed to fully
control the quantum channel, but she is not allowed to sneak into Alice’s or Bob’s local
laboratory to steal information. On the public channel, Eve is allowed to listen passively,
but not to change the transmitted message.
Before introducing the procedure of BB84 protocol, it is important to be aware that
the quantum no-cloning theorem [12] cannot be applied to a set of orthogonal states. In
other words, at least two non-orthogonal bases should be employed to perform a secure
quantum communication. Basis represents how Alice encodes the random bits on the
quantum states. For instance, Alice can randomly choose two state bases, rectilinear
basis + and diagonal basis ×. In rectilinear basis, she uses horizontal polarization state
to represent bit 0 and vertical polarization state to represent bit 1. In diagonal basis, she
uses 45 degree polarization to represent bit 0 and 135 degree polarization to represent bit
1. In quantum mechanics, these two bases are complementary bases, whose measurement
operators do not commute with each other2. Hence, it is impossible to measure in both
bases simultaneously, and measuring in one basis automatically disturbs the outcome in
the other basis.
In BB84 protocol, for each transmission between Alice and Bob, Alice randomly
chooses to use either rectilinear or diagonal basis to encode her random number. The
polarization of each photon is randomly chosen from a set of {horizontal, vertical, 45
degree, 135 degree}. Therefore, it is impossible for Eve to determine its polarization
state without knowing the encoding basis chosen by Alice. If Eve uses a polarization beam
splitter to project the input photon into either horizontal or vertical polarization state,
which is called a measurement in rectilinear basis, then she will destroy information
encoded in diagonal basis, since a 45 degree or 135 degree polarized photon has the same
chance to be projected into either horizontal or vertical polarization state. As a result,
any operation by Eve to randomly choose the basis and perform the measurement will
introduce some errors, and these errors can be statistically calculated by Alice and Bob.
1An authenticated classical channel is essentially required in QKD. In classical cryptography, an information-theoretically secure authentication algorithm does exist, for instance the Wegman-Carter algorithm [44], where authentication can be done with a rather short key: authenticating an m-bit classical message requires an authentication key only logarithmic in m bits long. Note that without authentication by a pre-shared secret between Alice and Bob, Eve can disguise herself as Bob, which renders the scheme insecure. Therefore, the goal of QKD is to allow Alice and Bob, who start with a small amount of pre-shared secret, to expand it into a much longer one.
2In linear algebra, this corresponds to two non-commuting matrices, which generally cannot be simultaneously diagonalized.
This is the essence of the security of the BB84 protocol. The full procedure of the BB84 protocol
is stated as follows (see Table 2.1).
1. Alice randomly selects a sequence of photons from one of the four polarizations,
vertical, horizontal, 45-degrees and 135-degrees, and sends the sequence to Bob.
2. For each photon, Bob randomly chooses one of the two measurement bases (rec-
tilinear basis and diagonal basis) to perform a measurement and records his mea-
surement basis and results3.
3. Alice and Bob both broadcast their basis of measurements.
4. Alice and Bob discard all events where they use different bases for a signal. The
remaining results are called “sifted data”.
5. Alice randomly chooses a fraction of remaining events as testing events, and she
publicly broadcasts the testing events’ positions and polarizations. Bob then broad-
casts the measured polarizations of the testing events.
6. Alice and Bob compute the quantum bit error rate (QBER) of the testing events.
If the computed error rate is larger than some prescribed threshold value, they stop
the process. Otherwise, they proceed to the next step.
7. Alice and Bob convert all remaining data into a binary string. They perform clas-
sical post-processing such as error correction and privacy amplification to generate
a final key.
3Rectilinear and diagonal are two conjugate bases; a measurement in one basis randomizes the outcome of a measurement in the other basis.
Alice’s encoding bits         0   1   0   1   1   1   0   1
Alice’s basis                 ×   ×   +   +   +   ×   +   +
Alice’s photon polarization   ↗   ↖   ↔   ↕   ↕   ↖   ↔   ↕
Bob’s measurement basis       ×   ×   ×   +   ×   +   +   +
Bob’s measured result         ↗   ◦   ↗   ↕   ↕   ↔   ↔   ↕
Bob’s raw data                0   -   0   1   1   0   0   1
Bob’s sifted data             0   -   -   1   -   -   0   1
Table 2.1: Schematics of the BB84 protocol. +, rectilinear basis; ×, diagonal basis; ◦, photon
lost.
2.2 Intercept-and-resend attack
Let us see what happens if an eavesdropper (Eve) launches a simple “intercept and
resend” attack: For each photon sent from Alice, Eve performs a measurement in a
randomly chosen basis and re-sends a new photon to Bob according to her measurement
result. Let us focus on those cases when Alice and Bob happen to use the same basis
since they will throw away other cases. If Eve happens to use the correct basis (50%),
then both she and Bob will decode Alice’s bit value correctly. No error is introduced
by Eve. On the other hand, if Eve uses the wrong basis (50%), then both she and Bob
will have random measurement results. This suggests that if Alice and Bob compare a
subset of the sifted key, they will see a significant amount of errors, called quantum bit
error. Here, for these bits, the photons will be passed on to Bob in the wrong basis, so
regardless of Eve’s measurement result, Bob will have a 50% probability of measuring the
opposite of Alice’s bit value. In other words, Eve’s attack will introduce 50% quantum
bit error rate (QBER) for half of the total bits, and thus a total of 25% QBER. This
example illustrates the basic principle behind QKD: Eve can only gain information at
the cost of introducing errors, which will expose her existence.
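As an added illustration (not part of the thesis), the following Python model runs the BB84 sifting of Section 2.1 with and without an intercept-and-resend Eve and checks the resulting QBER against the abort threshold of step 6. Photons, channel and detectors are idealised (no loss, no dark counts), and the 11% abort threshold is the Shor-Preskill bound quoted in Section 2.3; both are assumptions of this example.

```python
"""Monte Carlo model of BB84 sifting with and without an intercept-and-resend
eavesdropper, reproducing the 25% QBER derived in Section 2.2.
Added example, not part of the thesis; photons, loss and detectors are idealised."""
import random

BASES = ("+", "x")  # rectilinear, diagonal


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal projective measurement: same basis -> bit reproduced exactly;
    conjugate basis -> outcome is uniformly random (footnote 3)."""
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n, eve, seed=0):
    """Send n photons and return (sifted_bits, errors) after basis reconciliation.
    eve=True inserts an Eve who measures in a random basis and resends a fresh
    photon carrying her result in that basis."""
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
        if eve:
            e_basis = rng.choice(BASES)
            e_bit = measure(a_bit, a_basis, e_basis, rng)
            wire_bit, wire_basis = e_bit, e_basis  # what actually reaches Bob
        else:
            wire_bit, wire_basis = a_bit, a_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(wire_bit, wire_basis, b_basis, rng)
        if b_basis == a_basis:  # public basis comparison: keep only matching bases
            sifted += 1
            errors += int(b_bit != a_bit)
    return sifted, errors


def qber(n, eve, seed=0):
    """Quantum bit error rate of the sifted key (step 6 estimate)."""
    sifted, errors = run_bb84(n, eve, seed)
    return errors / sifted


def eve_detected(n, eve, threshold=0.11, seed=0):
    """Step 6 decision: abort when the QBER exceeds the tolerated threshold
    (11% is the one-way Shor-Preskill bound; assumption for this example)."""
    return qber(n, eve, seed) > threshold


if __name__ == "__main__":
    print("no Eve  QBER =", qber(100_000, eve=False))   # 0.0 for an ideal channel
    print("with Eve QBER =", qber(100_000, eve=True))   # close to 0.25
```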
2.3 Security proofs
The basic idea of the BB84 protocol is beautiful and its security can be intuitively
understood from the quantum no-cloning theorem [12] as follows. Non-orthogonal
quantum states cannot be perfectly distinguished. Thus, it is impossible for Eve to find
out which state has been sent by Alice without knowing the basis. However, proving the
security of QKD in a practical implementation is an extremely difficult problem, because
it is very hard to take all of Eve’s possible attacks into account.
It took a long time after BB84 was proposed, but finally, the unconditional security
of QKD was proven [13, 14, 15]. Among the security proofs, the one by Shor and Preskill
[15] is very simple. Their proof essentially converts an entanglement distillation protocol
(EDP)-based QKD protocol proposed by Lo and Chau [14] to the BB84 protocol by using
the quantum error correction idea. With one-way classical communication between Alice
and Bob, Shor and Preskill’s proof shows that BB84 is secure whenever the QBER is less
than 11% [15]. If two-way classical communication is allowed, the Gottesman-Lo proof [45]
improved the tolerable QBER to 18.9%, which was further improved by Chau to
20% [46]. Note that the above QBER bounds apply only to perfect single-photon sources
and in the asymptotic limit of infinite signals.
Security proofs of QKD were further extended to explicitly accommodate some
imperfections in practical QKD settings [16, 17, 18]. One important imperfection is that
the laser source used in practice emits weak coherent pulses (WCP), which occasionally
contain more than one photon in a signal (see subsection 2.4.1). Hence, it is not the
single-photon source that the other security proofs [13, 14, 15] assumed. In particular,
BB84 may become insecure when WCP with strong intensity is used. For instance, Eve
can launch a so-called photon-number-splitting (PNS) attack [47], in which she blocks
all single-photon pulses and splits multi-photon pulses. She keeps one photon of each
of the split pulses to herself and forwards the rest to Bob through a lossless channel.
After the basis announcement by Alice and Bob, Eve can unambiguously identify the
bit values of the multi-photon signals of which she has kept copies, thereby learning the
entire secret key. Refs. [16, 17] have shown that secure QKD is still possible even with
a WCP source. However, the drawback is that the PNS attack puts severe limits on the
distance and the key generation rate of QKD. A novel solution to this problem is the
decoy-state QKD protocol [48, 49, 50], which uses extra test states, called “decoy states”,
to learn the properties of the channel (channel transmission) and the eavesdropping on
the key-generating signal states.
2.4 QKD implementation
2.4.1 Basic components
The basic components in a typical QKD setup are stated as follows.
• Random number generator: A random number generator (RNG) is an essential
element for QKD because most QKD protocols require Alice and Bob to actively
choose random bases/signals. Moreover, in all security proofs of QKD, the fundamental
assumption is that Alice and Bob can generate perfectly random numbers.
Traditionally, pseudo-RNGs based on computer algorithms have long been used for
applications. Recently, physical RNGs based on the chaotic behavior of semiconductor
lasers have been proposed to generate fast random bits [51, 52, 53, 54]. However, due
to their deterministic nature, neither scheme can generate truly random
numbers with information-theoretically provable randomness. Quantum-RNGs, on
the other hand, can generate true randomness from the fundamentally probabilistic
nature of quantum processes. In the past decade, several Quantum-RNG schemes,
such as single-photon detections [25, 26, 27], quantum non-locality [28, 29], and
vacuum state fluctuations [30, 31], have been demonstrated. Meanwhile, commercial
ones, like the ID Quantique system [32], have already appeared on the market.
Unfortunately, due to the difficulties of measuring quantum effects, previous
implementations have been limited to a relatively slow rate (typically near 20 Mbits/s).
In 2009, Qi et al. proposed and built a fast QRNG by measuring the quantum phase
fluctuations of a laser, which yields a speed of 500 Mb/s [55, 56]. A similar scheme
at a lower speed has also been demonstrated by Guo et al. [57]. Nonetheless, the
key point is that the generation rates of all previous QRNGs are still too low for many
applications, such as high-speed QKD operating at gigahertz rates [58]. Furthermore,
in practice, some imperfections in the numbers generated by a quantum-RNG are
inevitable [29]. The theoretical foundation of QKD is still at risk because security
proofs (discussed above) all assume the existence of perfect RNGs and do not apply
to imperfect RNGs.
• Source: In most QKD implementations, an attenuated laser is commonly used as
the source due to its simplicity and low cost. An attenuated laser source is essentially
the same as the laser source used in classical optical communication except
that heavy attenuation is applied to it (usually attenuated to below 1 photon per
pulse). The output state from a laser is a coherent state, which can be expressed
as a Poissonian mixture of the different number states:

$\rho = \sum_{n=0}^{\infty} \frac{e^{-\mu}\mu^{n}}{n!}\,|n\rangle\langle n|$ (2.1)

where $|n\rangle$ is the number state 4, µ is the mean number of photons in a pulse, and
phase-randomization has been assumed. Attenuated lasers were considered to be
non-ideal for BB84 as they always have some probability of emitting multi-photon
pulses. Fortunately, as discussed in subsection 2.3, the discovery of the decoy-
state method [48, 49, 50] made weak coherent lasers much more appealing without
significant losses in the performance of a BB84 QKD system.
4 In quantum mechanics, a physical state is represented by a state vector in a complex vector space. |•〉 (called ket) and 〈•| (called bra) are the two physical-state notations following Dirac in quantum mechanics.
Another important class of QKD sources is the entangled photon source, which is used
in the Ekert91 [59] (see footnote 5) and the BBM92 [60] QKD protocols, and is an essential
ingredient in quantum computing [61]. A widely used entangled photon source is based
on parametric down-conversion, where a high energy photon propagates through a
highly non-linear crystal, producing two entangled photons with frequency halved.
• Quantum channel: The fundamental requirements for a quantum channel are
low-loss and preservation of quantum state (avoiding de-coherence from the en-
vironment). In practice, two types of channels have these desirable properties:
single-mode optical fiber and free-space.
Standard optical fibers have been developed and used in telecommunication for
four decades. Currently, standard optical fiber is the most popular choice for QKD
implementations, because it can easily connect two arbitrary points and be extended
to a network. The loss α of an optical fiber is usually measured in dB/km. The
probability for a single photon to be transmitted through an optical fiber of length
l is given by $10^{-\alpha l/10}$. The losses depend heavily on the wavelength of the photons,
and are minimal in the two “telecom window wavelengths”: around 0.35 dB/km
at 1330nm, and 0.21 dB/km at 1550nm. In QKD, since loss is critical for the
transmission range and key generation rate, the 1550nm wavelength is usually used.
The main disadvantage of optical fiber is its birefringence. The strong polarization
dispersion makes it hard to implement a polarization-coding system. Moreover, it has
strong spectral dispersion, which affects high-speed QKD systems heavily as
the pulses are broadened and overlap with each other. Therefore, the loss in fibers
puts a limit on the longest distance that a fiber-based QKD system can reach
(typically less than 400 km).
Free-space links have negligible dispersion of the polarization and the frequency.
There are “atmospheric transmission windows” that have small loss (α < 0.1
dB/km) in clear weather. It is an ideal link for polarization-coding QKD. Recently,
free-space QKD has attracted more attention [62, 63, 64, 65]. Nonetheless,
over long distance communication, atmospheric fluctuations make it challenging to
predict the arrival point of a photon and align the optical beams. Another disadvantage
of the free-space link is that it requires a line-of-sight between Alice and Bob.
Buildings and mountains are serious obstacles for free-space QKD systems. The
greatest motivation for the open-air QKD scheme is the hope for ground-to-satellite and
satellite-to-satellite quantum communications [63, 64, 65]. As there is negligible
optical absorption in outer space, we may be able to achieve inter-continental
quantum communication with free-space QKD. Indeed, many countries, including
the USA, Japan, China and Canada, have proposed to build satellite-based quantum
communications.
5 This QKD protocol is essentially connected to the fundamental testing of Bell’s inequality.
• Detector: In QKD, the most popular type of single-photon detector is the InGaAs
avalanche photodiode (APD) [66]. Single-photon detectors are typically threshold
detectors, i.e. the detector output is binary and distinguishes between “0” and
“one or more photons”. The InGaAs-APD utilizes the avalanche effect of semiconductor
diodes. A strong bias voltage is applied on the InGaAs diode. The incident
photon will trigger the avalanche effect, generating a voltage pulse. The narrow
band gap of InGaAs makes it possible to detect photons at telecom wavelengths.
They normally work below −50 °C to lower the dark count rate (i.e. the event that
the detector generates a detection click while no actual photon hits it). This
temperature can be easily achieved by thermo-electric coolers. The quantum efficiency
(detection efficiency) of InGaAs-APDs is usually around 10%.
During an avalanche, carriers are trapped in impurities in the semiconductor.
Hence, there is a high dark count probability due to the decay of trapped carriers
after an avalanche. This is called the after-pulse effect. To reduce the after-pulse
effect, the detector is usually deactivated for a time period, called the “dead
time”, after a detection event. The dead time should be set long enough so that
when the detector is re-activated, the after-pulse effect is negligible 6. Moreover,
in a practical QKD system, the APDs are often operated in a gated mode, where the
detectors are only activated when the photons are expected to hit them. This
activated time period is called a gate. The gates are usually applied at a high
repetition rate and a number of gates is removed after a detection event, as in the
id Quantique system [32]. Gating mode indeed reduces the dark count rate by several
orders of magnitude and is thus used in most InGaAs APDs. However, it may open up
a security loophole, such as the time-shift attack [22, 23] and the detector-control
attack [24, 67, 68] (to be introduced below). For more details of single-photon
detectors, see Ref. [69].
6 The dead time is typically on the order of microseconds. At a lower temperature, it takes a longer time for the trapped carriers to decay, and therefore low temperature effectively reduces the detection rate. Typically, the InGaAs-APDs work no faster than several megahertz.
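To put numbers on the Source and Quantum channel items above, here is an added Python example (not the thesis’s code) that combines the Poissonian photon statistics of Eq. (2.1) with the fibre transmission formula $10^{-\alpha l/10}$ and asks at what distance multi-photon emissions alone could account for all of Bob’s clicks, which is the condition under which the PNS attack of Section 2.3 defeats plain BB84. The detection model (ideal threshold detector, no dark counts) and that distance criterion are assumptions of this example; α = 0.21 dB/km and η_det ≈ 10% are the values quoted in the text.

```python
"""Photon-number statistics of an attenuated laser (Eq. 2.1) against fibre loss,
showing why the PNS attack bounds the reach of BB84 with a WCP source.
Added example, not from the thesis. Detection model and the reach criterion
(P_multi < P_detect) are assumptions made here."""
import math


def poisson_pn(mu, n):
    """P(n) = e^-mu * mu^n / n!, the weight of |n><n| in Eq. (2.1)."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def p_multi(mu):
    """Probability that a pulse carries two or more photons (PNS-exploitable)."""
    return 1.0 - poisson_pn(mu, 0) - poisson_pn(mu, 1)


def fibre_transmittance(alpha_db_per_km, length_km):
    """Single-photon transmission probability 10^(-alpha*l/10), Section 2.4.1."""
    return 10 ** (-alpha_db_per_km * length_km / 10)


def p_detect(mu, eta_channel, eta_det):
    """Probability that Bob's threshold detector clicks on one pulse, ignoring
    dark counts: each photon is lost independently with total efficiency
    eta = eta_channel*eta_det, so for a coherent state P(no click) = exp(-mu*eta)."""
    return 1.0 - math.exp(-mu * eta_channel * eta_det)


def pns_reach_km(mu, alpha_db_per_km=0.21, eta_det=0.10, step_km=1.0):
    """Longest distance (to step_km resolution) at which multi-photon pulses are
    still rarer than Bob's detections. Beyond it, an Eve with a lossless channel
    can reproduce Bob's click rate from multi-photon pulses alone, so without
    decoy states no key can be proven secure. Criterion assumed for this example."""
    length = 0.0
    while p_multi(mu) < p_detect(mu, fibre_transmittance(alpha_db_per_km, length), eta_det):
        length += step_km
    return max(length - step_km, 0.0)


if __name__ == "__main__":
    for mu in (0.05, 0.1, 0.5):
        print(f"mu={mu}: P(n>=2)={p_multi(mu):.5f}, PNS reach ~ {pns_reach_km(mu)} km")
```

With the 10% detector and 0.21 dB/km fibre from the text, µ = 0.1 already runs out of provable security after roughly 15 km, which is the “severe limit on distance” that motivates decoy states.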
2.4.2 Plug-and-Play QKD system
There are excellent reviews of different QKD implementation schemes [8, 9, 10]. So, this
section only contains a brief review of the QKD scheme relevant to this thesis: “Plug-
and-Play” QKD system.
Besides the polarization-coding BB84 protocol described in Section 2.1, BB84 can be
implemented with any two-level quantum system (qubits). Indeed, other coding meth-
ods, particularly phase-coding, also exist. In phase-coding BB84, a signal consists of a
superposition of two time-separated pulses, known as the reference pulse and the signal
pulse. The information is encoded in the relative phase between the two pulses. Hence,
the encoded relative phases of {0, π/2, π, 3π/2} in the phase-coding BB84 are essentially
equivalent to the encoded polarizations of {Horizon, 45 degree, Vertical, 135 degree} in
the polarization-coding BB84. They are simply different embodiments of the same BB84
protocol. The phase-coding BB84 has been practically implemented based on various
schemes, and one specific scheme is “Plug-and-Play” QKD implementation.
Practical limitations associated with phase and polarization instabilities over long
distance fibers have led to the development of bidirectional QKD schemes, such as the
plug-and-play [70] and the Sagnac QKD structure [71]. Specifically, the plug-and-play
BB84 structure is widely used in commercial QKD systems [32]. Its schematic is shown
in Fig. 2.1. We can see that it employs the phase-coding QKD scheme, which is an
improved version of the double Mach-Zehnder interferometer scheme [72]. It has only
one Mach-Zehnder interferometer and the light propagates through the same channel
and interferometer twice due to the Faraday mirror on Alice’s side. This system works
as follows. Bob first sends two strong laser pulses (signal pulse and reference pulse) to
Alice. Alice uses the reference pulse as a synchronization signal to activate her phase
modulator. Then Alice modulates the phase of the signal pulse only, attenuates the two
pulses to single photon level, and sends them back to Bob. Bob randomly chooses his
measurement basis by modulating the phase of the returning reference pulse.
Owing to its good phase and polarization stability, the “Plug-and-Play” QKD system
has attracted much scientific attention. However, in the plug-and-play system, since Alice
allows signals to go in and go out of her device, this opens a potential back door for Eve
to launch various attacks [19, 20], such as the Trojan-horse attack 7. One specific attack
is the phase-remapping attack [73] (to be discussed below).
Figure 2.1: Schematic for “plug-and-play” BB84 QKD system. LD, laser diode.
Det1/Det2, single-photon detector; PMA/B, phase modulator; C, circulator. PBS, polar-
ization beam splitter; CD, classical photodetector; DL, delay line; FM, Faraday mirror.
2.5 Quantum hacking
Owing to the imperfections in a real-life QKD system, there is still a large gap between
the theory and practice of QKD. Particularly, Eve may try to exploit these imperfections
and launch specific attacks, called quantum hacking, not covered by original security
proofs [13, 14, 15]. In this section, a number of well-known quantum hacking strategies
that are outside of standard security proofs are reviewed.
2.5.1 Attacks on quantum state detection
In 2005, Makarov et al. proposed a faked-state attack, which exploits the efficiency
mismatch of two detectors in a practical QKD system [21]. As discussed in subsection
2.4.1, in practice, the standard single-photon detectors (such as InGaAs APDs) are
often operated in a gated mode. Therefore, the detection efficiency of each detector is
time-dependent. Since QKD systems require the detection of two different bit values,
they require at least two detectors. Then it is inevitable that finite manufacturing precision
in the detector and the electronics, and differences in optical path length, will slightly
misalign the two detector gates and cause detector-efficiency mismatch. This problem
often exists in practical QKD systems, and it leaves a back door for Eve to launch the
faked-state attack as follows.
7 The Trojan-horse attack employs the unwanted internal reflection from a phase modulator [19, 20]. A “Plug-and-Play” QKD system is more vulnerable to this attack, because Alice allows signals to go in and go out of her device. In Alice’s system, the phase modulator setting contains the bit and basis value. The back-reflections passing the phase modulator in a phase-coding QKD implementation reveal the setting of the phase modulator. It is also called the large-pulse attack. In this attack [20], Eve sends a strong laser pulse to Alice’s laboratory to try to read off Alice’s phase modulator setting from a reflected signal. As a result, Eve may learn which BB84 state Alice is sending to Bob.
A conceptual schematic of this attack is shown in Fig. 2.2. At the expected arrival
time T, the detection efficiencies of the two detectors are similar. However, if the signal
is chosen to arrive at some unexpected times (such as t1 and t2 in Fig. 2.2), it is possible
that the detection efficiencies of the two detectors differ greatly.
Figure 2.2: Schematic of detection efficiency mismatch (efficiency of SPD1 and SPD2 versus time, with marks at t1, T and t2). SPD, single-photon detector. At
the expected arrival time T, the detection efficiencies of SPD1 (representing the event of
bit 0) and SPD2 (representing the event of bit 1) are the same. However, at time t1, SPD1
is more sensitive to the incoming photon than SPD2.
The faked-state attack is an intercept-and-resend attack. For each signal, Eve randomly
chooses one of the two BB84 bases (rectilinear or diagonal) to perform a measurement
and obtain a measurement result. Then, she re-sends the opposite bit value from
her measurement result in the opposite basis, at a time when the detector for the opposite
bit has a lower detection efficiency than the other detector. As shown in Ref. [21], Eve
introduces less than 11% QBER if the detection efficiency η ≤ 0.066.
The faked-state attack, while conceptually interesting, is hard to implement in a real-
life QKD system. This is because it is an intercept-resend attack and as such involves
finite detection efficiency in Eve’s detectors and precise synchronization between Eve
and Alice-Bob’s system. Therefore, the faked-state attack has never been implemented
in practice. A typical countermeasure against detector-efficiency mismatch is the four-
state QKD protocol [21].
In 2007, Qi et al. [22] proposed the time-shift attack, which is also based on the
detection-efficiency mismatch in the time domain, but is much easier to implement than
the faked-state attack. Let us suppose Fig. 2.2 illustrates the detection efficiencies of
the two single-photon detectors in a real-life QKD system. Eve can simply shift the
arrival time of each pulse sent from Alice by employing a variable optical delay line. For
example, Eve randomly shifts the pulse from Alice to arrive at t1 or t2 through a shorter
path or a longer path of optical line. This shifting process can partially reveal the bit
value of Bob: if the pulse arrived at t1 (or t2) and Bob announces receipt, the bit value is
more likely to be 0 (1). Moreover, Eve can carefully set how many bits should be shifted
forward and how many should be shifted backward to ensure that the distribution of bit
0 and bit 1 received by Bob is balanced. Hence, the time-shift attack does not make any
measurement on the quantum state, and quantum information is not destroyed.
Since Eve does not need to make any measurement or state preparation, the time-shift
attack is practically feasible with current technology. In 2007, it was successfully
implemented on a commercial QKD system by Zhao et al. [23]. This is the first successful
demonstration of quantum hacking on a widely-used commercial QKD system.
In their experiment [23], Eve got an information-theoretical advantage in around 4% of
her attempts. It shows that a practical QKD system has a non-negligible probability of
being vulnerable to the time-shift attack.
2.5.2 Attacks on quantum state preparation
Previous studies of quantum attacks have largely concentrated on the imperfections in
the quantum-state-detection stage of a QKD process. For instance, both the faked-
state attack [21] and the time-shift attack [22, 23] exploit the imperfection of detection-
efficiency mismatch in a standard QKD system. Hence, a substantial question is: Is the
quantum-state-preparation stage of QKD really secure?
Fung et al. [73] answered this question in the negative, and proposed a novel quantum attack,
called the phase-remapping attack, exploiting such a security loophole. In a fiber-based phase-
coding “Plug-and-Play” BB84 QKD system (see Fig. 2.1), a LiNbO3 waveguide phase
modulator is commonly used to encode random bits. In practice, a phase modulator
has a finite response time, as shown in Fig. 2.3. Ideally, Bob’s signal pulse passes through
Alice’s phase modulator in the middle of the modulation signal and undergoes a proper
modulation (time t0 in Fig. 2.3). However, if Eve changes the time difference between the
reference and the signal pulse, the signal pulse will pass through the phase modulator at
a different time (time t1 in Fig. 2.3), and the encoded phase will be different. Originally,
Alice uses {0, π/2, π, 3π/2} to encode {01 (bit “0” in basis 1), 02 (bit “0” in basis 2),
11 (bit “1” in basis 1), 12 (bit “1” in basis 2)}. Now, after Eve’s remapping process, Alice’s
encoded phases will be mapped to {0, φ1, φ1 + φ2, φ1 + φ2 + φ3}, where φi (i = 1, 2, 3) is the
new phase difference between two adjacent states. This phase-remapping process allows
Eve to launch a novel “intercept-and-resend” attack: the phase-remapping attack [73].
Figure 2.3: Diagram of phase modulation (PM) signal (phase shift versus time, with t0 and t1 marked). t0 is the original time location
where Bob’s signal pulse is properly modulated to have phase φ0. Eve time shifts the
signal pulse from t0 to t1. This pulse will undergo a new modulated phase φ1. Reproduced
from [35] with permission. © 2010 IOP.
The theory of the phase-remapping attack was first proposed in 2007. Nonetheless,
it did not draw much scientific attention at that time. In my first year of M.A.Sc study,
I experimentally demonstrated this attack on top of a widely-used commercial QKD
system, “Plug-and-Play” QKD system. The resulting quantum bit error rate is 19.7%,
which is substantially lower than the well-known 25% error rate for an intercept-and-
resend attack in BB84. The success of my demonstration has attracted more attention
from both the QKD community and the public. This work not only has been cited 24
times according to Google Scholar but also has been widely reported in the news media, including
news articles in Nature, The Economist, New Scientist, Physics World, MIT Technology
Review and so forth. The details of my demonstration are stated in the following section.
Chapter 3
Experimental Phase-Remapping
Attack
“If you think cryptography is the answer to your problem, then you don’t know what your
problem is.” - Peter G. Neumann
In this chapter, we present the experimental investigation of the phase-remapping
attack in a commercial QKD system. In our experiment, we found that the phase-
remapping process in a practical QKD system was much more complicated than the
theoretical model described in Ref. [73]. To adapt to this complexity, we modified the
original phase-remapping attack into type I and type II practical attacks. It is well
known that in a standard BB84 QKD system, a simple “intercept-and-resend” attack
will introduce a quantum bit error rate (QBER) of 25%, which alarms the users that
no secure keys can be generated. Our experimental results show that by performing the
phase-remapping attack, Eve can gain the full information at the cost of only introducing
a QBER of 19.7%. Hence, a key assumption in the security proof of QKD has been
substantially violated by this attack. The content of this chapter is heavily based on
Ref. [35].
3.1 Practical attack strategy
We implement the phase-remapping attack on top of a Plug-and-Play QKD system. In
our experiment, the practical attack strategy is stated as follows.
1. Eve intercepts Bob’s strong pulse and sends a time-shifted pulse to Alice via her
own device. Note that Eve can change the actual values of φi (i = 1, 2, 3) by changing
the time displacement. However, she cannot change φ1, φ2, and φ3 independently.
2. Eve’s strategy is to either distinguish {01} from {02, 11, 12} or {12} from {01,
02, 11} with minimal errors. To distinguish {01}, Eve introduces a phase shift of
{φ1 + φ2} by using her phase modulator on the reference pulse sent back by Alice
and performs an interference measurement. If detector1 (Det1) has a click 1, Eve
sends a standard BB84 state {01} to Bob. Otherwise, Eve simply discards it. A
similar procedure is performed to distinguish {12}, where Eve introduces a phase
shift of {φ1}. Here, we define Eve’s phase shift {φ1} as Basis X, {φ1 + φ2} as Basis
Y.
Now, assume that Eve uses Y to distinguish {01}; given Alice sends different states
{01, 02, 11, 12}, Det1’s detecting probabilities are

$\{P_{0_1}, P_{0_2}, P_{1_1}, P_{1_2}\} = \{\sin^2(\tfrac{\phi_1+\phi_2}{2}),\ \sin^2(\tfrac{\phi_2}{2}),\ 0,\ \sin^2(\tfrac{\phi_3}{2})\}.$

After Eve’s attack, the error probabilities introduced are {0, 1/2,
1, 1/2}. The analysis in X can be carried out similarly. So, the QBERs are

$\mathrm{Y}: \quad \mathrm{QBER}_Y = \frac{\tfrac{1}{2}\sin^2(\tfrac{\phi_2}{2}) + \tfrac{1}{2}\sin^2(\tfrac{\phi_3}{2})}{\sin^2(\tfrac{\phi_1+\phi_2}{2}) + \sin^2(\tfrac{\phi_2}{2}) + \sin^2(\tfrac{\phi_3}{2})}$ (3.1)

$\mathrm{X}: \quad \mathrm{QBER}_X = \frac{\tfrac{1}{2}\sin^2(\tfrac{\phi_1}{2}) + \tfrac{1}{2}\sin^2(\tfrac{\phi_2}{2})}{\sin^2(\tfrac{\phi_2+\phi_3}{2}) + \sin^2(\tfrac{\phi_2}{2}) + \sin^2(\tfrac{\phi_1}{2})}$ (3.2)

Ref. [73] assumed φ1 = φ2 = φ3 = φ; then the overall QBER is given by

$\mathrm{QBER} = \frac{\mathrm{QBER}_X + \mathrm{QBER}_Y}{2} = \frac{\sin^2(\tfrac{\phi}{2})}{\sin^2(\phi) + 2\sin^2(\tfrac{\phi}{2})}$ (3.3)

As shown in Fig. 3.1, there is a range of “φ” that allows the QBER to go below 20.0%,
which is tolerable in the BB84 protocol [45, 46]. Hence, if Eve remaps the phase small
enough into this range, she can successfully apply this “intercept-and-resend” attack.
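Added example (not from the thesis): Eqs. (3.1) to (3.3) evaluated in Python, both for the symmetric case plotted in Fig. 3.1 and for the unequal φ1, φ2, φ3 that the experiment later meets, plus a sweep for the phase range in which the attack stays under the 20% QBER tolerated by the two-way proofs [45, 46]. The sweep resolution and the closed form noted in the comments are my own additions.

```python
"""QBER of the phase-remapping intercept-and-resend attack, Eqs. (3.1)-(3.3).
Added example, not from the thesis. It evaluates the general phi1, phi2, phi3 case
and the symmetric closed form of Fig. 3.1, and finds the phase range a QBER
monitor at 20% would fail to flag."""
import math


def s2(x):
    """sin^2(x/2): the interference probability that appears in every term."""
    return math.sin(x / 2) ** 2


def qber_y(phi1, phi2, phi3):
    """Eq. (3.1): Eve shifts by phi1+phi2 (basis Y) to single out state 0_1."""
    num = s2(phi2) / 2 + s2(phi3) / 2
    den = s2(phi1 + phi2) + s2(phi2) + s2(phi3)
    return num / den


def qber_x(phi1, phi2, phi3):
    """Eq. (3.2): Eve shifts by phi1 (basis X) to single out state 1_2."""
    num = s2(phi1) / 2 + s2(phi2) / 2
    den = s2(phi2 + phi3) + s2(phi2) + s2(phi1)
    return num / den


def qber_total(phi1, phi2, phi3):
    """Average over Eve's two strategies; equals Eq. (3.3) when all phi agree."""
    return (qber_x(phi1, phi2, phi3) + qber_y(phi1, phi2, phi3)) / 2


def qber_symmetric(phi):
    """Closed form of Eq. (3.3) for phi1 = phi2 = phi3 = phi.
    Using sin^2(phi) = 4 s (1 - s) with s = sin^2(phi/2), this equals
    1 / (6 - 4 s): 1/6 as phi -> 0, and 1/4 at phi = pi/2 (unremapped BB84)."""
    return s2(phi) / (math.sin(phi) ** 2 + 2 * s2(phi))


def undetected_range(threshold=0.20, steps=1000):
    """Largest phi in (0, pi/2] for which the symmetric attack stays below the
    QBER threshold. From the closed form above the exact crossing is at
    sin^2(phi/2) = 1/4, i.e. phi = pi/3; the sweep resolution is an assumption."""
    best = 0.0
    for k in range(1, steps + 1):
        phi = k * (math.pi / 2) / steps
        if qber_symmetric(phi) < threshold:
            best = phi
    return best


if __name__ == "__main__":
    for phi in (0.1, math.pi / 4, math.pi / 3, math.pi / 2):
        print(f"phi={phi:.4f}  QBER={qber_symmetric(phi):.4f}")
    print("attack undetected at 20% threshold for phi <", round(undetected_range(), 4))
    print("unequal phases (constructed values):",
          round(qber_total(0.6, 0.9, 0.75), 4))
```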
3.2 Experiment
3.2.1 Experimental setup
We implemented the phase-remapping attack in a commercial ID-500 QKD system (manufactured
by id Quantique), as shown in Fig. 3.2. Bob’s (replaced by Eve) signal pulse,
reference pulse and Alice’s phase modulation signal of the original QKD system are shown
in Fig. 3.3. Note that in Fig. 3.3, since Alice uses the reference pulse as a trigger signal,
the time delay ∆t1 is determined by the internal delay of Alice’s system and can’t be
controlled by Eve. On the other hand, since Alice doesn’t monitor the arrival time of the
signal pulse, Eve can change the time delay ∆t3 without being detected. Furthermore,
the rising edge time (10-90%) of the phase modulation signal is around 6ns, while the
width of the laser pulse is about 500ps (FWHM). Eve can easily place her pulse on the
rising edge to get partial phase modulation 2. This specific QKD design opens a security
loophole which allows Eve to launch the phase-remapping attack.
1 After the Mach-Zehnder interferometer, if the phase difference between reference and signal pulse is π (0), detector1 (detector2) clicks.
Figure 3.1: QBER of phase-remapping attack (QBER from 0.16 to 0.25 versus phase difference from 0 to π/4). Eve remaps the four BB84 states with
the same new phase difference (φ1 = φ2 = φ3 = φ).
In our experiment, Eve utilized the same setup as Bob to launch her attack. Eve
modified the length of the short arm of her Mach-Zehnder interferometer by adding a
variable optical delay line (VODL in Fig. 3.2) to shift the time delay between the reference
pulse and the signal pulse. To remap the phase small enough into the low QBER range,
the optimal strategy we found is: by using the VODL, Eve shifts the forward signal pulse
out of and only the backward signal pulse into the phase modulation range (see Fig. 3.4(b));
by using a polarization controller (PC in Fig. 3.2), Eve aligns the polarization direction of
the backward signal pulse orthogonal to the principal axis [74] of the phase modulator.
2 Eve could also use a laser source with a much narrower pulse width to launch this attack.
Figure 3.2: (Color online). Experimental implementation of the phase-remapping attack
in a commercial ID-500 QKD system. Original QKD system: LD, laser diode. Det1/Det2,
single photon detector; PMA/B, phase modulator; C, circulator. PBS, polarization beam
splitter; CD, classical photodetector; DL, delay line; FM, Faraday mirror. Our modifications:
Eve replaces Bob; VODL, variable optical delay line; PC, polarization controller.
Reproduced from [35] with permission. © 2010 IOP.
3.2.2 Polarization control
One crucial issue in our experiment is polarization control. A practical phase modulator, for
instance the one in Alice’s system, is polarization dependent and has one principal axis.
When the voltage is applied on the phase modulator, photons with different polarization
directions will be phase-modulated differently. Photons with polarization aligned with
the principal axis will undergo a large phase modulation, while photons with orthogonal
polarization state will undergo a small phase modulation [74]. In our experiment, we
find the relative modulation magnitude ratio of the two polarizations is about 1:3 3. In
the original “plug and play” system, the signal pulse will be modulated twice as it passes
through Alice’s phase modulator back and forth (see Fig. 3.4(a)). Because of the Faraday
mirror, the total phase shift is independent of the polarization state of the signal pulse.
However, since Eve’s signal pulse will pass through the modulator at a different time and
be modulated only once (see Fig. 3.4(b)), the above auto-compensating method will not
work. Eve has to control the polarization direction to be either aligned with or orthogonal to
the principal axis of the phase modulator when her signal pulse is modulated. This is
achieved by adding a polarization controller (PC in Fig. 3.2) and adjusting it carefully.
Here, Eve can assume that the polarization has been aligned properly by maximizing the
total counts of D1+D2 (D1 and D2 denote the counts of Det1 and Det2) 4.
3 The relative magnitude ratio is experimentally tested by applying different voltages on Alice’s phase modulator (PMA in Fig. 3.2) to modulate the signal pulses with the two polarization directions (adjusted by PC in Fig. 3.2). From the data of applied voltages and modulating phases, we got a relative ratio of about 1:3. Ref. [74] gives the parameters of the LiNbO3 phase modulator and the relations between phase modulation and the parameters. The relative ratio is 9.6 : 30.9 (see Section 9.2 and Table 9.2 of Ref. [74]).
Figure 3.3: (Color online). Time patterns of the reference pulse (Ref), the signal pulse
(Sig) and the phase modulation signal in the commercial ID-500 QKD setup. Here,
Alice’s encoding phase is {π} and we only show the forward pulses. Reproduced from
[35] with permission. © 2010 IOP.
By combining variable shifting time and two different polarization directions, Eve can
apply two types of practical phase-remapping attack:
• Type I practical attack is shown in Fig. 3.4(b). Eve shifts the forward signal pulse
out of the phase modulation signal and the backward pulse to the rising edge, and
adjusts the PC to control the backward pulse’s polarization direction aligned with
the modulator’s principal axis. Here, we remark that if the width of laser pulse is
comparable with the rising time of the modulation signal, type I attack will cause
4If the polarization is not properly controlled by PC, after Alice’s modualtion, the original linearpolarization state of the signal pulse will change to circular or ellipse polarization state. So, when thesignal pulse returns back and passes through Eve’s PBS (see Fig. 3.2), part of it will wrongly go to thelong arm instead of the short arm. Since the Detector (Det in Fig. 3.2) is gated, this part will hit theDetector at a wrong time and thus cannot be detected.
[Figure 3.4 panels (a), (b), (c): time patterns of the reference pulse (Ref), the signal pulse (Sig) and the phase modulation signal (PM) against time t]
Figure 3.4: Time pattern of practical phase-remapping attack. Sig: signal pulse. Ref:
reference pulse. PM: phase modulation signal. (a) Normal QKD operation. (b) Type I
practical phase-remapping attack. (c) Type II practical phase-remapping attack; here,
even if we assume Alice has a perfect phase modulator with strictly sharp rising and
falling edges, type II attack still works. Reproduced from [35] with permission. ©2010
IOP.
an unreasonably high QBER, thus it is easy for Alice and Bob to detect the attack.
• Type II practical attack is shown in Fig. 3.4(c). Eve shifts the backward pulse
to the plateau region of the phase modulation signal, and aligns its polarization
direction orthogonal to the principal axis. Since the orthogonal direction has the
smallest phase modulation, Eve can successfully remap the phase small enough into
the low QBER range. One important advantage is: even if Alice’s phase modulator
is good enough with strictly sharp rising and falling edges (making type I attack
ineffective), Eve can still apply type II attack in practical QKD systems.
3.2.3 Minimized quantum bit error rate
Fung et al. [73] assumed that Eve could remap Alice’s encoded phase with φ1 = φ2 = φ3.
However, in our experiment, the relation among φ1, φ2, and φ3 is more complicated. As
shown in Fig. 3.5, Alice’s phase modulation signals {π/2, π, 3π/2} not only start at
different times but also have different average rising times. Furthermore, there is also
an overshoot after the rising edge, and the time of the overshoot is different from each
other. So, if we use different lengths of VODL to shift the pulse either to the rising edge
or to the overshooting range, the pulse will not undergo a proportional phase modulation.
Eve’s remapping phase will be φ1 ≠ φ2 ≠ φ3. These complicated phases will thus cause
an effect of QBER, as shown in equations (3.1) and (3.2). In our experiment, the optimal
length of VODL was determined by minimizing the resulting QBER. We finally applied
two optimal VODL (see Fig. 3.5(b)) to launch two types of practical phase-remapping
attack: VODL I: 5.8m and VODL II: 4.65m. Our attack strategy was the one discussed
in Subsection 3.1. We finally remark two experimental details: (i) from the time pattern
graph in Fig. 3.3, the laser pulse is narrow enough to allow us to apply type I attack;
(ii) in type I attack, to make the remapping phase small enough, we still control the
polarization of the backward signal pulse orthogonal to the principal axis of the phase
modulator.
[Figure 3.5 plots: (a) applied voltage (V, −0.5 to 3) versus time (ns, 20 to 140) for the π/2, π and 3π/2 modulation signals; (b) zoom of the rising edges, 50 to 66 ns, with the positions of VODL A and VODL B marked]
Figure 3.5: (Color online). (a) Alice’s phase modulation signals, π/2, π, and 3π/2,
respectively. (b) The zoomed rising edge of each modulation signal and the approximate
time of the optimal VODL used in our attack. Reproduced from [35] with permission.
©2010 IOP.
3.3 Results
Some experimental parameters of our ID-500 commercial QKD system, including dark
count rate Y0, detector error rate edet, Bob’s overall quantum efficiency ηBob (including
the detection efficiency of single photon detector) and mean photon number µ are listed
in Table 3.1. Our transmission distance was a few meters. We repeated the measurement
10 million times5 for each state sent by Alice and the experimental results are shown in
Table 3.2.
Y0            edet          ηBob          µ
2.11 × 10⁻⁵   0.38 × 10⁻²   5.82 × 10⁻²   1.39
Table 3.1: Experimental parameters. ©2010 IOP.
(a) Variable Optical Delay Line I (5.8 m)
                          Basis Z            Basis X            Basis Y
State   φA      φE        D1      D2         D1      D2         D1      D2
01      0°      0°        734     171851     6617    166671     16311   158479
02      90°     23.9°     7435    165402     928     169814     2772    169669
11      180°    35.9°     16474   157385     3545    166427     1348    168924
12      270°    46.3°     26879   146917     8434    161575     2672    168078

(b) Variable Optical Delay Line II (4.65 m)
                          Basis Z            Basis X            Basis Y
State   φA      φE        D1      D2         D1      D2         D1      D2
01      0°      0°        617     168910     7068    174061     24841   156007
02      90°     21.1°     5843    167206     1074    179218     8557    170786
11      180°    37.8°     18096   153962     5285    174161     1239    176091
12      270°    52.7°     33260   135616     19770   160300     3530    173428

Table 3.2: Experiment results. φA is Alice’s original standard BB84 phase. φE is the
new phase remapped by Eve. D1 (D2) is the counts number of Det1 (Det2). Here, Eve
introduced phase {0} (Basis Z), {φ1} (Basis X), and {φ1 + φ2} (Basis Y), respectively
on the reference pulse to measure each state, and repeated the measurement 10 million
times for each state. (a) Variable Optical Delay Line I (5.8m). (b) Variable Optical
Delay Line II (4.65m). Reproduced from [35] with permission. ©2010 IOP.
5This data size is large enough to converge the statistical error rate in our experiment.
3.3.1 Theoretical quantum bit error rate
We calculate QBER from the theoretical model discussed in Section 3.1. The detecting
probability of phase-coding BB84 is
Det1: $P_1 = \frac{1 - \cos(\phi_A - \phi_B)}{2} = \sin^2\!\left(\frac{\phi_A - \phi_B}{2}\right) = \frac{D_1 - N Y_0}{D_1 + D_2 - 2 N Y_0}$ (3.4)
Det2: $P_2 = \frac{1 + \cos(\phi_A - \phi_B)}{2} = \cos^2\!\left(\frac{\phi_A - \phi_B}{2}\right) = \frac{D_2 - N Y_0}{D_1 + D_2 - 2 N Y_0}$ (3.5)
where N denotes the gating number 6. Here, we subtract the dark counts number NY0
from each detector’s counts number to get the theoretical detecting probability.
If Eve introduces phase shift {0} (Basis Z) on the reference pulse to measure each
state, the remapping phase φE and phase difference φi (i=1,2,3) are
$\phi_E = 2 \tan^{-1}\!\left(\sqrt{\frac{D_1 - N Y_0}{D_2 - N Y_0}}\right)$ (3.7)
$\phi_i = \phi_E(i) - \phi_E(i-1)$ (3.8)
Using data in Table 3.2, from Eqns. (3.8), (3.1) and (3.2), we obtain
VODL I: φ1 = 23.9° ± 1.2°, φ2 = 12° ± 1.2°, φ3 = 10.4° ± 1.2° (3.9)
QBERX(I) = 29% ± 1%, QBERY(I) = 8% ± 1% (3.10)
VODL II: φ1 = 21.1° ± 1.1°, φ2 = 16.7° ± 1.1°, φ3 = 14.9° ± 1.1° (3.11)
QBERX(II) = 21% ± 1%, QBERY(II) = 13% ± 1% (3.12)
The phase error fluctuations are mainly due to the imperfections of our experimental
QKD system. From the results in Table 3.2, we can see that even though Eve uses
Basis Z to measure state {01}, it still has about “600 ∼ 700” counts on Det1. These
error counts are mostly from the imperfect interference between the signal pulse and the
reference pulse. Hence, Eqns. (3.12) and (3.10) give the theoretical QBERs introduced
by Eve with perfect detection system.
⁶We repeated the measurement 10 million times for each state. Notice that, in order to reduce the after-pulsing probability, an external dead time has been introduced to both detectors after the detection of a photon by a detector. On average, after each detection event, the following around 46 gating signals will be blocked. So, the total gating number N can be estimated by
$N \approx 10^7 - (D_1 + D_2) \times 46 \approx 2.1 \times 10^6$ (3.6)
3.3.2 Experimental quantum bit error rate
We calculate QBER via our direct experimental results. From Table 3.2, we can see the
total counts (D1+D2) for each state is almost identical, so Det1’s detecting probability
for each state is proportional to D1. Using data in Table 3.2, the QBERs are
X: $\mathrm{QBER}_X = \frac{\frac{D_1^{01}}{2} + \frac{D_1^{11}}{2} + D_1^{02}}{D_1^{01} + D_1^{02} + D_1^{11} + D_1^{12}}$ (3.13)
Y: $\mathrm{QBER}_Y = \frac{\frac{D_1^{02}}{2} + \frac{D_1^{12}}{2} + D_1^{11}}{D_1^{01} + D_1^{02} + D_1^{11} + D_1^{12}}$ (3.14)
where $D_1^{s}$ denotes Det1's counts for state s in the corresponding basis of Table 3.2.
VODL I: QBERX(I) = 30.8%, QBERY(I) = 17.6% (3.15)
VODL II: QBERX(II) = 21.8%, QBERY(II) = 19.1% (3.16)
If Eve utilizes the optimal strategy to combine two types of attack together and
carefully chooses the probability of each attack to ensure the distribution of bit “0” and
bit “1” received by Bob is balanced, the overall QBER is
$\mathrm{QBER} = \frac{\mathrm{QBER}_X(\mathrm{II}) + \mathrm{QBER}_Y(\mathrm{I})}{2} = 19.7\%$ (3.17)
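The following script is an added worked example (it is not code from the thesis or from ID Quantique) that reproduces the numbers above from the counts in Table 3.2: the remapped phases of Eq. (3.7) with the dark-count subtraction of Eqs. (3.4) and (3.5), the phase differences of Eq. (3.8), and the experimental QBERs of Eqs. (3.13) to (3.17). It assumes the gating number N ≈ 2.1 × 10⁶ of Eq. (3.6) and Y0 from Table 3.1, and takes state 01 as the 0° reference, as the table does.

```python
# Added example, not code from the thesis: reproduce the remapped phases of
# Eq. (3.7), the differences of Eq. (3.8) and the QBERs of Eqs. (3.13)-(3.17).
import math

# Detector counts (D1, D2) copied from Table 3.2, keyed by BB84 state label and by the
# basis Eve applied to the reference pulse (Z: phase 0, X: phi1, Y: phi1 + phi2).
VODL_I = {
    "01": {"Z": (734, 171851),   "X": (6617, 166671),  "Y": (16311, 158479)},
    "02": {"Z": (7435, 165402),  "X": (928, 169814),   "Y": (2772, 169669)},
    "11": {"Z": (16474, 157385), "X": (3545, 166427),  "Y": (1348, 168924)},
    "12": {"Z": (26879, 146917), "X": (8434, 161575),  "Y": (2672, 168078)},
}
VODL_II = {
    "01": {"Z": (617, 168910),   "X": (7068, 174061),  "Y": (24841, 156007)},
    "02": {"Z": (5843, 167206),  "X": (1074, 179218),  "Y": (8557, 170786)},
    "11": {"Z": (18096, 153962), "X": (5285, 174161),  "Y": (1239, 176091)},
    "12": {"Z": (33260, 135616), "X": (19770, 160300), "Y": (3530, 173428)},
}

Y0 = 2.11e-5      # dark count probability per gate (Table 3.1)
N_GATES = 2.1e6   # effective number of gates after dead time blocking (Eq. 3.6)
STATE_ORDER = ["01", "02", "11", "12"]


def remapped_phase_deg(d1, d2, n_gates=N_GATES, y0=Y0):
    """Eq. (3.7): phi_E = 2 atan( sqrt((D1 - N Y0) / (D2 - N Y0)) ), in degrees.

    The expected dark counts N*Y0 are subtracted from each detector first,
    exactly as in the detection probabilities of Eqs. (3.4) and (3.5).
    """
    dark = n_gates * y0
    return math.degrees(2.0 * math.atan(math.sqrt((d1 - dark) / (d2 - dark))))


def remapped_phases(table):
    """phi_E of every state from its basis-Z counts; state 01 is the 0 degree reference.

    (The few hundred residual Det1 counts of state 01 come from imperfect
    interference, so the formula is not applied to it.)
    """
    phases = {"01": 0.0}
    for s in STATE_ORDER[1:]:
        phases[s] = remapped_phase_deg(*table[s]["Z"])
    return phases


def phase_differences(table):
    """Eq. (3.8): phi_i = phi_E(i) - phi_E(i-1), returned as (phi1, phi2, phi3)."""
    p = remapped_phases(table)
    return tuple(p[STATE_ORDER[i]] - p[STATE_ORDER[i - 1]] for i in range(1, 4))


def qber_x(table):
    """Eq. (3.13): error fraction when Eve measures in basis X (Det1 counts only)."""
    d = {s: table[s]["X"][0] for s in STATE_ORDER}
    return (d["01"] / 2 + d["11"] / 2 + d["02"]) / sum(d.values())


def qber_y(table):
    """Eq. (3.14): error fraction when Eve measures in basis Y (Det1 counts only)."""
    d = {s: table[s]["Y"][0] for s in STATE_ORDER}
    return (d["02"] / 2 + d["12"] / 2 + d["11"]) / sum(d.values())


def combined_qber(table_i, table_ii):
    """Eq. (3.17): type II in basis X combined with type I in basis Y."""
    return (qber_x(table_ii) + qber_y(table_i)) / 2


if __name__ == "__main__":
    for name, tab in (("VODL I", VODL_I), ("VODL II", VODL_II)):
        print(name, {s: round(v, 1) for s, v in remapped_phases(tab).items()},
              "phi1..3 =", [round(v, 1) for v in phase_differences(tab)],
              f"QBER_X = {qber_x(tab):.1%}, QBER_Y = {qber_y(tab):.1%}")
    print(f"combined QBER = {combined_qber(VODL_I, VODL_II):.1%}")
```

Running it prints the per-state phases and the two QBERs for each delay line and the combined 19.7%; the remapped phases agree with Table 3.2 to within about 0.1°, the residual coming from the exact gating number N used in the dark-count subtraction.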
Note that we used a weak coherent pulse (WCP) source in our experiment. Before
calculating the QBERs for single-photon (SP) source, we emphasize two facts: (i) the
phase shift introduced by the phase modulator is independent of the source. If the source
is a SP, the phase will be also remapped to {0, φ1, φ1 + φ2, φ1 + φ2 + φ3}. (ii) Eve’s
interference visibility is the same for SP and WCP. Now, assuming that Eve uses Basis1
to launch attack and Det1’s detecting probability for each state is Pstate, i.e. {P01, P02, P11, P12}, Det1’s overall gain and QBERs for the two different sources are:
SP: $Q_{sp} = \eta_{Bob} P_{state} + Y_0$, $\quad \mathrm{QBER}_{sp} = \frac{\eta_{Bob}\left(\frac{P_{01}}{2} + \frac{P_{11}}{2} + P_{02}\right) + 2 Y_0}{\eta_{Bob}\left(P_{01} + P_{02} + P_{11} + P_{12}\right) + 4 Y_0}$ (3.18)
WCP: $Q_{wcp} = \sum_{i=0}^{\infty} \left(Y_0 + 1 - (1 - \eta_{Bob} P_{state})^i\right) \frac{\mu^i}{i!} e^{-\mu}$ (3.19)
$\quad = (1 - e^{-\mu \eta_{Bob} P_{state}}) + Y_0$ (3.20)
$\mathrm{QBER}_{wcp} = \frac{2 - \frac{1}{2} e^{-\mu \eta_{Bob} P_{01}} - \frac{1}{2} e^{-\mu \eta_{Bob} P_{11}} - e^{-\mu \eta_{Bob} P_{02}} + 2 Y_0}{4 - e^{-\mu \eta_{Bob} P_{01}} - e^{-\mu \eta_{Bob} P_{02}} - e^{-\mu \eta_{Bob} P_{11}} - e^{-\mu \eta_{Bob} P_{12}} + 4 Y_0}$ (3.21)
Using Eqn. (3.18), (3.21) and data in Table 3.1 and 3.2, the overall QBER differ-
ence between SP and WCP for Eve’s optimal strategy (combine two types of attack as
Eqn. (3.17)) is:
∆QBER = QBERsp − QBERwcp = 0.1% (3.22)
Therefore, in a practical SP BB84 QKD system, we can expect the QBER is
QBERsp=19.8%, which is substantially below the bound of 25% for an intercept-and-
resend attack in BB84. This shows clearly that an important assumption (Alice prepares
her states correctly) in a security proof has been violated. So, the security proofs can
not be directly applied to a practical QKD system.
3.4 Discussions
3.4.1 Optimization of the attack
Our attack can be further improved to lower the QBER: (i) in our experiment, we only
use off-the-shelf imperfect detectors and other components. If some adversaries, such
as KGB or NSA, have better detectors (e.g. low dark counts and misalignment), lasers
(narrow pulse width) and other components, the QBER of phase-remapping attack will
be decreased further. So, we can assume that under attack real Bob will introduce the
same additional errors as our Eve introduces in our experiment, while Eve will introduce
zero (or negligible) errors through the use of better, more expensive components. (ii)
as shown in Fig. 3.5(a), in principle, Eve can move the signal pulse to the falling edge
region to distinguish 3π/2 with a very low error probability, and thus reduce the QBER.
(iii) if Eve launches her attack not on every signal but only on a subset of signals, the
introduced QBER will be much lower. (iv) Eve can also maximize her ability to eavesdrop
by combining various attacks. For instance, she may combine the phase-remapping attack
with the time-shift attack to exploit both the imperfections of Alice’s encoding system
and Bob’s detection system. If she does so, her attacking power will be amplified and
the QBER can be reduced further. So, we remark that, it is impossible to remove all
imperfections completely in practice. Instead of removing them, what we can do is to
quantify them carefully. Once quantified, those imperfections may be taken care of in
security proofs [16]. As an example, mismatch in detection efficiency has been taken into
account in the security proof of [18].
Unfortunately, our research-version of QKD system from ID Quantique does not per-
form privacy amplification. Therefore, it is unclear what key rate formula or error thresh-
old should be used. We cannot find any detailed public information about the key rate
formula for a commercial-user version of ID Quantique systems. Since it is unclear what
privacy amplification is performed, whether decoy state is used and finite-key effects have
been considered, we cannot comment on its security either. For future security research,
it would be very useful if the QKD manufacturers could provide these details.
Regardless, one might ask “As commercial QKD systems might abort at lower QBER
such as 10% rather than 20%, does it mean that those commercial QKD systems are se-
cure without patching?” In our opinion, the answer is no. Setting a lower error rate is
a technological requirement (we could always improve the attack to get lower QBER as
discussed above) rather than a guarantee of the laws of physics. More importantly, people
are using commercial QKD systems because they are expected to be good implementa-
tions of the QKD theory, which offers unconditional (i.e. information-theoretic) security.
The very fact that one fundamental assumption—correct encoding of signal—has been
seriously violated means that such systems are very far from offering such type of secu-
rity. Without patching, those systems only offer ad hoc security, in direct contradiction
to the spirit of QKD. Indeed, it is important for manufacturers to provide a clear security
parameter epsilon for a QKD system and back it up with a clear statement and proof of
security with a list of testable assumptions.
3.4.2 Countermeasures
In the “plug-and-play” QKD system, one specific countermeasure is the following: Alice
carefully checks the arrival time of the reference pulse and the signal pulse by monitoring
with her classical detector (CD in Fig. 3.2). From the time delay between the two pulses,
she can find whether the time difference has been shifted by Eve, and thus counter Eve’s
attack. Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can
detect this attack by estimating the statistics of the four BB84 states. Note that, once a
security loophole has been found, it is often easy to develop countermeasures. However,
the unanticipated attacks are the most fatal ones.
What is more, this work mainly focuses on one key assumption in unconditional secu-
rity proofs, i.e. Alice prepares the required states correctly. From a simple experimental
demonstration, we show this assumption can be violated by our attack. So, we emphasize
that, in a practical QKD system, Alice needs to experimentally verify she is applying
the correct modulations on her states. One possible way in a general QKD system is:
after encoding her random bits, Alice uses a beam splitter to split part of each strong
modulated signal, and then uses a classical detector, such as a high speed photo detector
(rather than a single-photon detector), to implement a local measurement to directly
verify whether she has performed the correct modulation. In order to achieve uncondi-
tional security with a practical QKD system, it is useful to perform such a verification
experimentally. In the long term, it is important to work towards QKD with testable
assumptions.
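As an added example (not part of the thesis or of the ID-500 system), the two countermeasures just described for a plug-and-play system can be written as monitoring checks: a delay check on the reference-to-signal pulse delay that Alice's classical detector records, and a chi-square check of the observed frequencies of the four BB84 states. The arrival times, nominal delay, tolerance and counts below are constructed for illustration; the 11.345 threshold is the standard 99th-percentile chi-square critical value for three degrees of freedom.

```python
# Added example, not from the thesis: two monitoring checks following the countermeasures
# described in Section 3.4.2. All sample data are constructed, not measured.

CHI2_3DOF_99 = 11.345   # chi-square critical value, 3 degrees of freedom, 99th percentile


def delay_check(ref_times_ns, sig_times_ns, nominal_delay_ns, tolerance_ns):
    """Alice's classical-detector (CD) check: the delay between each reference pulse and
    its signal pulse must stay within tolerance of the nominal delay.

    Returns (ok, worst_deviation_ns); a single out-of-tolerance pair fails the check,
    since a shifted signal pulse is exactly what the attack needs.
    """
    deviations = [abs((s - r) - nominal_delay_ns)
                  for r, s in zip(ref_times_ns, sig_times_ns)]
    worst = max(deviations)
    return worst <= tolerance_ns, worst


def chi_square_uniform(counts):
    """Chi-square statistic of observed state counts against equal frequencies."""
    expected = sum(counts) / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def state_statistics_check(counts, critical=CHI2_3DOF_99):
    """Alice and Bob estimate the statistics of the four BB84 states (01, 02, 11, 12).

    A balanced source sends each state with probability 1/4; if only two states are
    effectively present, the chi-square statistic explodes. Returns (ok, statistic).
    """
    stat = chi_square_uniform(counts)
    return stat <= critical, stat


# Constructed sample data (not measurements from the thesis).
NOMINAL_DELAY_NS = 50.0
TOLERANCE_NS = 0.1
REF_TIMES = [200.0 * i for i in range(8)]
_JITTER = [0.01, -0.02, 0.0, 0.03, -0.01, 0.02, 0.0, -0.03]
SIG_NORMAL = [r + NOMINAL_DELAY_NS + j for r, j in zip(REF_TIMES, _JITTER)]
SIG_SHIFTED = [r + NOMINAL_DELAY_NS + 1.0 for r in REF_TIMES]  # every pulse 1 ns late
COUNTS_NORMAL = [2500, 2480, 2530, 2490]    # four states roughly equally frequent
COUNTS_TWO_STATES = [4900, 100, 4950, 50]   # only two states effectively present


if __name__ == "__main__":
    print("timing, normal  :", delay_check(REF_TIMES, SIG_NORMAL, NOMINAL_DELAY_NS, TOLERANCE_NS))
    print("timing, shifted :", delay_check(REF_TIMES, SIG_SHIFTED, NOMINAL_DELAY_NS, TOLERANCE_NS))
    print("states, normal  :", state_statistics_check(COUNTS_NORMAL))
    print("states, skewed  :", state_statistics_check(COUNTS_TWO_STATES))
```

The delay tolerance has to be set from the system's own timing jitter: too tight and Alice aborts on normal fluctuations, too loose and a shift of the size used here passes unnoticed.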
One might wonder whether publishing results like ours on experimentally attacking
a commercial QKD system will in some way aid a hacker and undermine the confidence
in the security of QKD. In our opinion, the answer is no. The theory of the phase-
remapping attack was published three years ago [73]. An interested hacker could have
performed our attack with public information three years ago already. Our work only
serves to remind people of the importance of implementing appropriate counter-measures
and battle-testing the security of the improved system in future.
3.5 Conclusions
We have experimentally demonstrated one of the first successful “intercept-and-resend”
attacks on top of a widely used QKD implementation in commercial QKD systems, where
Eve can get full information and only introduces a QBER of 19.7%. The success of our
attack highlights not only the importance for Alice to verify that she is encoding the right
state during the encoding process, but also, more generally, the importance of verification
of the correctness of each step of an implementation of a QKD protocol in a practical
QKD system.
By finding security loopholes and fixing them early, we hope that our work will make
practical QKD systems more secure.
Chapter 4
High-speed quantum random
number generator
“The generation of random numbers is too important to be left to chance.” - Robert R.
Coveyou
“Anyone who considers arithmetical methods of producing random digits is, of
course, in a state of sin.” - J. von Neumann
In this chapter, we propose and experimentally demonstrate an ultrafast quantum
random number generator (QRNG) at a rate over 6 Gbits/s. The approach is by mea-
suring the quantum phase fluctuations of a laser, which is operated near its threshold.
Moreover, we consider a potential adversary who has partial knowledge on the raw data
and discuss how one can rigorously remove such partial knowledge with post-processing.
The simplicity and high-speed of our experimental setup shows the feasibility of a robust,
low-cost, high-speed QRNG. The content of this chapter is largely based on Ref. [36].
4.1 Introduction
Random numbers play a key role in many areas, such as statistical analysis, computer
simulations [75] and cryptography [7, 76]. Traditionally, pseudo-random number gener-
ator (pseudo-RNG) based on computer algorithms has long been used for various appli-
cations. Recently, physical-RNG based on chaotic behaviors of semiconductor lasers has
been proposed to generate fast random bits [51, 52, 53, 54]. Generally speaking, due to
Chapter 4. High-speed quantum random number generator 35
their deterministic nature1, neither scheme can generate truly random numbers
with information-theoretically provable randomness.
Quantum random number generator (QRNG), on the other hand, can generate true
randomness by exploiting the fundamental indeterminism of quantum physics [25]. As
a simple example, we consider the polarization measurement of a polarization quantum
state, 1√2(|H〉+ |V 〉), in the rectilinear basis of {|H〉, |V 〉}. It will yield the unbiased and
thus completely unpredictable outcomes |H〉 and |V 〉. Then by assigning the classical
bit values “0” and “1” to these outcomes, a sequence of truly random numbers can be
generated. As shown in Fig. 4.1, this scheme can be easily realized by a single-photon
source followed by a polarization beam splitter (PBS), and two single-photon detectors
(SPDs), one for each output arm of the PBS. Indeed, this scheme has drawn much
scientific attention [25, 26], where commercial QRNGs, like ID Quantique system [32],
have already appeared on the market.
Figure 4.1: QRNG based on polarization measurement. A single-photon source generates
a 45◦ single photon, which passes through a polarization beam splitter (PBS) projecting
the photon into either horizontal (|H〉) or vertical (|V 〉) polarization state. The single-
photon is consequently detected by two single-photon detectors (SPDs) assigned with bit
“0” (|H〉) and bit “1” (|V 〉).
Besides polarization measurement, several QRNGs based on the single-photon de-
tection technology, such as the photon arrival time [27, 77, 78, 79, 80] and the photon
number counting [81, 82, 83], have been demonstrated. Another promising approach
relies on vacuum state fluctuations [30, 31, 84], where homodyne detection is typically
applied to measure the electric field fluctuations of the vacuum state. Recently, a QRNG
¹For chaotic-laser RNG [51, 52, 53, 54], since the signal of a chaotic laser has a periodicity originating from the photon round trip time, it is essentially not a truly random source.
[Figure 4.2 plots: probability (0 to 0.2) versus voltage (−6 to 6), Gaussian distributions with the comparator threshold separating bit ’0’ from bit ’1’; (a) "Accurate functioning"; (b) "Eve shifting", the same distribution after Eve’s shift]
Figure 4.2: Eve’s attack on QRNG. (a) The quantum source follows a Gaussian distri-
bution, which is sampled by a comparator to generate random bit “0” or “1”. (b) The
adversary (Eve) controls the classical noise to shift the mean value of quantum source,
and then guesses random bit “1” to acquire information.
based on quantum non-locality has also been proposed [28, 29].
Unfortunately, due to the difficulties of measuring quantum effects in real experiments,
previous implementations of QRNG have been limited to a relatively slow rate (typically
below 20 Mbits/s)2. In 2009, Qi et al. proposed and built a fast QRNG by measuring
the quantum phase fluctuations of a laser, which yields a speed of 500 Mbits/s [55, 56].
A similar scheme at a lower speed has also been demonstrated by Guo et al. [57].
Nonetheless, the key point is, the generation rates of all previous QRNGs are still too
low for many applications, such as high-speed QKD [58].
On the other hand, in real experiments, the quantum randomness is inevitably mixed
with the classical noise, which may be observed or even controlled by a potential adver-
sary, Eve. If we consider a scenario where Eve tries to guess the outcomes from a QRNG,
then she could take advantage of the side information due to classical noise. Fig. 4.2
illustrates an example of how Eve can control the classical noise to acquire in-
formation on the generated random numbers. This consideration is directly relevant to
applications of randomness, especially those in cryptography, such as authentication, one-
time pad encryption and QKD. With the exception of Refs. [29, 31], the possibility of
such a potential adversary has rarely been considered in previous QRNGs.
2Very recently, a 2 Gbits/s QRNG based on vacuum state fluctuations has appeared [85].
The approach based on quantum non-locality [29] can produce information-
theoretically provable randomness. However, the generation rate is very low (on the
order of 1 bit/s) and thus unsuitable for practical applications. Gabriel et al. proposed
a practical post-processing method to remove Eve’s information [31]. It is important to
perform such post-processing on the raw data to distill out a shorter, but more secure,
string of random numbers. Unfortunately, the discussion there is based on Shannon en-
tropy, which does not take finite-size effects into consideration. That is, the number of
executions of a random process used for generating randomness is always finite in any
real experiment. Thus, its randomness is not information-theoretically proven.
In theoretical computer science, there has also been a lot of interest in randomness
post-processing methods, which is called randomness extractors [44, 86, 87]. The random-
ness from many extractors has been information-theoretically proven, such as Trevisan’s
extractor [86]. Nevertheless, none of these extractors have been implemented in a real
QRNG experiment. Therefore, there is a large gap between theory and experiment.
4.2 Experimental demonstration
It is well known that the fundamental phase fluctuations (or noise) of a laser can be
attributed to spontaneous emission, which is quantum mechanical by nature [88]. The
quantum phase fluctuations are inversely proportional to the laser output power [88].
By operating the laser at a low intensity level, the quantum phase fluctuations can be
dominant over classical phase noise and is readily extracted to generate truly random
numbers.
We have developed a delayed self-heterodyning system to measure the phase fluctu-
ations. The schematic diagram of the experimental setup is shown in Fig. 4.3. A 1.55
µm single mode cw DFB diode laser (ILX lightwave) operating at a low intensity level
is the source of quantum phase fluctuations. A PLC-MZI with a 500ps delay difference
(manufactured by NTT) is employed to convert the phase fluctuations to intensity fluc-
tuations, which is subsequently detected by a 5GHz InGaAs photodetector (Thorlab).
Note that to achieve a high interference visibility, a polarization maintaining fiber is used
to connect the laser and the PLC-MZI. A temperature controller (TC) is used to stabilize
the phase difference of PLC-MZI. More discussions of temperature control are shown in
Appendix A. The photodetector output is further digitized by an 8-bit analog-to-digital
convertor (ADC) to generate random bits.
[Figure 4.3 block diagram: Laser → PLC-MZI (stabilized by TC) → PD → ADC]
Figure 4.3: Experimental setup. Laser, 1550nm cw DFB laser diode (ILX Lightwave);
PLC-MZI, planar lightwave circuit Mach-Zehnder interferometer with a 500ps delay dif-
ference (manufactured by NTT); TC, temperature controller (PTC 5K from Wavelength
Electronics Inc.); PD, 5GHz InGaAs photodetector (Thorlabs SIR5-FC); ADC, 8-bit
analog-to-digital convertor inside an oscilloscope (Agilent DSO81204A).
4.2.1 Physical model
By stabilizing the phase difference of the MZI at [2mπ + π/2] (where m is an integer),
the output voltage V (t) from the photodetector (after removing a DC background) can
be described by [88, 89]
V (t) ∝ 2E(t)E(t + τ) sin(∆θ(t)) ∝ P∆θ(t) (4.1)
where E(t) is the electric field of input light, τ is the time delay difference between the two
arms of the MZI, ∆θ(t) is total phase fluctuations and P is the laser output power. Here,
∆θ(t) is sufficiently small such that sin(∆θ(t)) ≈ ∆θ(t) 3. We have assumed that the
intensity noise of the laser is negligible [88], which has also been verified experimentally
(see discussion below).
It is convenient to further separate the total phase fluctuations into a quantum part
and a classical part. While the quantum phase fluctuations are inversely proportional to
laser output power and can be treated as Gaussian white noise [89], the classical phase
noise is laser power independent and could be controlled by Eve. Thus, the total phase
fluctuations can be written as
$\langle \Delta\theta(t)^2 \rangle = \frac{Q}{P} + C$ (4.2)
where Q/P and C represent quantum phase fluctuations and classical phase noise respectively.
³In our system, we measure that ∆θ(t) is around 0.19. The assumption sin(∆θ(t)) ≈ ∆θ(t) introduces an error of 0.6%, which is acceptable in our experiment.
In practice, the detection system will also contribute a laser power independent back-
ground noise F . Using Eqs. (4.1) and (4.2), the variance of output voltage of a practical
system Vpr(t) is given by
$\langle V_{pr}(t)^2 \rangle = AQP + ACP^2 + F$ (4.3)
where A is a constant determined by detection system.
4.2.2 Parameters optimization
In Eq. (4.3), the term AQP is the quantum fluctuations part, from which true random-
ness can be extracted. We name it the quantum signal. On the other hand, the term
ACP² + F quantifies classical noise due to technical imperfections that potentially could
be controlled by an eavesdropper. In principle, the amount of extractable quantum ran-
domness is independent of the magnitude of classical noise. However, in practice, it is
challenging to extract a small quantum signal on top of a large classical noise background.
To generate high-quality random numbers, we would like to maximize the quantum signal
while keeping the classical noise as low as possible.
One commonly used figure of merit in signal processing is the signal-to-noise ratio
(SNR), which can be defined as γ = AQP/(ACP² + F) in our QRNG system. Given
parameters AQ, AC, and F , we can choose a suitable laser power P to maximize γ.
To determine the parameters AQ, AC, and F experimentally, we have measured the
variance of Vpr(t) under different optical power level and then fit the experimental data
(with least square estimation fitting) using Eq. (4.3). The experimental results and the
corresponding confidence intervals (level α = 0.99) are shown in Table 4.1.
F (mV²)        AQ (mV²/mW)     AC (mV²/mW²)
0.36 ± 0.06    16.12 ± 0.49    0.40 ± 0.16
Table 4.1: Experimental results (with 0.99 confidence intervals) of parameters in
Eq. (4.3).
Using the data given in Table 4.1, we calculate the SNR γ as a function of laser
power. The results are shown in Fig. 4.4. At low and high power range, either the
background noise F or the classical phase noise ACP² will dominate over the quantum
signal. The optimal ratio γ = 21 is achieved at P = 0.95 mW. As discussed in next
[Figure 4.4 plot: quantum signal to classical noise ratio γ of raw data (0 to 25) versus laser output power (0 to 9 mW), experiment and theory curves, with the optimum γ = 21 at 0.95 mW marked]
Figure 4.4: Quantum signal to classical noise ratio. The theoretical curve of signal to
noise ratio γ = AQP/(ACP² + F) is acquired from the results given in Table 4.1, and
the experimental results are measured with an oscilloscope under different laser powers.
At low and high power range, either the background noise F or the classical phase noise
ACP² will dominate over the quantum signal. The optimal ratio γ = 21 is achieved at
P = 0.95 mW.
Section, by operating the laser at this power, the extractable quantum randomness is
also maximized. Therefore, we choose 0.95 mW as the laser working point.
4.2.3 Experimental procedures
The experimental procedures for random number generation are as follows. The laser
output power is set to 0.95 mW by adjusting its driving current. The TC 4 is carefully
adjusted to stabilize the phase difference of PLC-MZI at [2mπ+π/2]. The photodetector
output is sampled by an 8-bit ADC at a sampling rate of 1 GSample/s 5. Fig. 4.5 shows
the sampling results acquired in 5 ms. As a comparison, in the same figure, we also show
the background noise acquired when the laser is turned off. The histograms (Gaussian
fit) of the sampling results are shown in Fig. 4.5(b).
We also perform measurements in the frequency domain by using an RF spectrum
⁴The measured accuracy of the temperature controller is 0.01°C, and the fluctuations of the set-point temperature of the PLC-MZI are smaller than 0.01°C during a few hours. Details are shown in Appendix A.
⁵The sampling time (1 ns) is larger than the sum of the MZI time difference (500 ps) and the detector response time (200 ps), which reduces the correlations between adjacent samples [56].
[Figure 4.5 plots: (a) "Time domain of raw data", voltage (V, −0.02 to 0.02) versus time (ns, 0 to 5×10⁶) for the total phase fluctuation and the background noise; (b) "Fitted Histogram", voltage versus number of points (0 to 6×10⁴)]
Figure 4.5: (Color online) (a) Time domain of the raw data. The total phase fluctuations
are measured at the optimal laser power 0.95 mW, while the background noise is acquired
by blocking the laser output. (b) Histogram. Gaussian fit.
analyzer. Three different power spectra have been acquired: (1) the total phase fluctu-
ations spectrum under the normal working conditions (0.95 mW ); (2) the background
noise spectrum acquired by turning off the laser; (3) the intensity noise spectrum ac-
quired by connecting the laser (at 0.95 mW ) output directly to the photodetector. The
measurement results are shown in Fig. 4.6. We can see that under the normal operating
condition, the intensity noise is negligible comparing to the phase fluctuations. This re-
sult supports our previous assumption. As we expect from a perfect white noise source,
the spectrum of phase fluctuations itself is flat over the whole measurement frequency
range. There are a few spectral lines in the spectrum of background noise which could
be environmental EM noise picked up by our detector 6.
⁶There are mainly five spikes around 0, 100, 200, 500, and 650 MHz. These frequencies are all within practical broadcast radio bands (see http://www.fcc.gov/oet/spectrum).
[Figure 4.6 plot: power density (dBm, −90 to −55) versus frequency (0 to 1000 MHz) for the total phase fluctuation, the intensity noise and the background noise]
Figure 4.6: (Color online) Noise spectra. The spectral power density of total phase
fluctuations (blue), intensity noise (green), and background noise (red).
4.3 Quantum min-entropy evaluation
As mentioned in the above Section, the raw data from our QRNG is a mixture of the quan-
tum signal and the classical noise, and the quantum fluctuations follow a non-uniform
(Gaussian) distribution. In order to extract uniform quantum randomness, we apply
a post-processing scheme that is composed of two main parts, quantum min-entropy
evaluation and randomness extraction. In this Section, we focus on discussing quantum
min-entropy evaluation.
A physical model is employed to evaluate the quantum randomness (min-entropy
defined in Eq. (4.4)) of the raw data. Our assumptions are as follows.
1. Quantum signal is independent of classical noise;
2. Quantum signal follows a Gaussian distribution [89];
3. Quantum signal to classical noise ratio can be calculated (see Fig. 4.4);
4. Total phase fluctuations, the mixture of quantum signal and classical noise, can be characterized by random sampling;
5. The sequence of the raw data is independent and identically distributed (IID).
The quantum randomness of the raw data is evaluated by the min-entropy, defined
as below.
Definition 4.3.1 (min-entropy) The min-entropy of a distribution X on $\{0,1\}^n$ is defined by
$$H_\infty(X) = -\log\left(\max_{v \in \{0,1\}^n} \Pr[X = v]\right). \qquad (4.4)$$
Based on our physical model, we can calculate the quantum min-entropy of the raw data by the following procedure.
1. Determine the sampling range and evaluate the total variance: the working range of the sampling system (see ADC in Fig. 4.3) is determined by the total fluctuations of the raw analog data. From random sampling, we obtain the variance of the total fluctuations, A_Q P + A_C P^2 + F.
2. Measure the signal to noise ratio: from experimental measurements, we derive the quantum signal to classical noise ratio, A_Q P/(A_C P^2 + F), as shown in Fig. 4.4.
3. Evaluate the quantum variance: from Steps 1 and 2, we can calculate the variance of the quantum signal, A_Q P. Then we can derive the whole Gaussian distribution of the quantum signal.
4. Calculate the quantum min-entropy: given the ADC range, we evaluate the maximal probability from the Gaussian distribution derived in Step 3, which gives the min-entropy of the quantum signal (see footnote 7).
From our QRNG, we lower bound the min-entropy of the quantum signal at different laser optical powers, as shown in Fig. 4.7. We can see that the optimal laser power is around 0.95 mW and the corresponding min-entropy of the quantum signal is 6.7 bits per sample (8 bits, sampled by an 8-bit ADC). The quantum min-entropy is stable for a laser power larger than 0.9 mW. Here, in Step 1 of the min-entropy calculation, we determine the practical ADC range as the range for which either the first or the last of the 256 bins (8-bit ADC) has a probability of 1/256. We remark that, in practice, the ADC range can indeed affect the lower bound on the min-entropy. We perform a mathematical simulation to analyze this effect, as shown in Fig. 4.8. It will be interesting to further investigate how to determine the optimal ADC range and maximize the quantum min-entropy in a real QRNG setup.
Footnote 7: Given a specific value of the classical noise, the quantum signal will be a shifted Gaussian distribution. If the quantum signal is shifted within a small range, the quantum min-entropy is lower bounded by the case in which the quantum signal is shifted to the center of one of the digital bins of the sampling system.
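The four-step procedure above carried out numerically, as an added worked example (Python, not code from the thesis): the 8-bit ADC range is set by the 1/256 end-bin rule of Step 1, the quantum variance A_Q P is recovered from the total variance and the ratio A_Q P/(A_C P^2 + F), and the min-entropy of Definition 4.3.1 is lower-bounded with the quantum Gaussian centred on a bin as footnote 7 prescribes. The variance and signal-to-noise values passed in are constructed inputs, not measurements from this chapter.

```python
import math

N_BITS = 8                 # ADC resolution of the setup (8-bit ADC, 256 bins)


def gaussian_cdf(x, mu, sigma):
    """Cumulative distribution of a Gaussian with mean mu, std. dev. sigma."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def adc_range(sigma_total, n_bits=N_BITS):
    """Step 1: symmetric ADC range [-r, r] chosen so that the first (and last)
    of the 2^n_bits bins carries probability 1/2^n_bits of the zero-mean total
    fluctuations. r is found by bisection on the Gaussian tail."""
    target = 1.0 / (1 << n_bits)
    lo, hi = 0.0, 10.0 * sigma_total         # bracket for the half-range r
    for _ in range(80):
        mid = 0.5 * (lo + hi)
        tail = 1.0 - gaussian_cdf(mid, 0.0, sigma_total)
        if tail > target:
            lo = mid
        else:
            hi = mid
    r = 0.5 * (lo + hi)
    return -r, r


def bin_probabilities(mu, sigma, lo, hi, n_bits=N_BITS):
    """Probability mass of N(mu, sigma^2) in each ADC bin over [lo, hi]; the
    end bins also absorb everything outside the range (ADC saturation)."""
    nbins = 1 << n_bits
    width = (hi - lo) / nbins
    probs = []
    for i in range(nbins):
        a, b = lo + i * width, lo + (i + 1) * width
        ca = 0.0 if i == 0 else gaussian_cdf(a, mu, sigma)
        cb = 1.0 if i == nbins - 1 else gaussian_cdf(b, mu, sigma)
        probs.append(cb - ca)
    return probs


def min_entropy_bits(probs):
    """Definition 4.3.1: H_inf(X) = -log2(max_v Pr[X = v])."""
    return -math.log2(max(probs))


def quantum_min_entropy_lower_bound(var_total, snr, n_bits=N_BITS):
    """Steps 1-4 for one operating point (constructed inputs, not thesis data):
    var_total = A_Q P + A_C P^2 + F      (Step 1, from random sampling)
    snr       = A_Q P / (A_C P^2 + F)    (Step 2, from measurement)
    Returns the lower bound on the quantum min-entropy in bits per sample."""
    if snr <= 0.0:
        return 0.0                           # no quantum signal to credit
    var_quantum = var_total * snr / (1.0 + snr)   # Step 3: A_Q P
    sigma_q = math.sqrt(var_quantum)
    lo, hi = adc_range(math.sqrt(var_total), n_bits)
    width = (hi - lo) / (1 << n_bits)
    # Step 4 with footnote 7: the classical noise shifts the quantum Gaussian by
    # an unknown small offset. The worst case is a mean sitting exactly on a
    # bin centre, which maximises the largest bin probability, so take the
    # maximum over the bin centres nearest to zero.
    worst = 0.0
    for k in range(1 << n_bits):
        centre = lo + (k + 0.5) * width
        if abs(centre) <= width:
            worst = max(worst, max(bin_probabilities(centre, sigma_q, lo, hi, n_bits)))
    return -math.log2(worst)


def entropy_sweep(var_total, snrs, n_bits=N_BITS):
    """Lower bound for a sweep of signal-to-noise ratios, the analogue of the
    laser-power sweep in Fig. 4.7."""
    return [(s, quantum_min_entropy_lower_bound(var_total, s, n_bits)) for s in snrs]
```

With the end-bin rule the 8-bit range spans roughly ±2.66 standard deviations of the total signal, so even a noise-free quantum Gaussian yields a little under 7 bits per sample, which is why the bound in Fig. 4.7 saturates below the 8 bits of the ADC.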
[Figure 4.7 plot: Lower bound of quantum min-entropy (bits, 0 to 8) versus Laser optical power P (mW, 0 to 8); marked point: 0.95 mW, 6.7 bits]
Figure 4.7: Lower bound of the quantum min-entropy of raw data. The optimal laser
power is around 0.95 mW and the corresponding quantum min-entropy is 6.7 bits per
raw sample (8 bits, sampled by an 8-bit ADC in Fig. 4.3).
Figure 4.8: The relation of quantum min-entropy (Z axis) with ADC range (X axis).
There is no single optimality, but a range of ADC and laser power matching conditional
optimality.
To show how much room is left for further improvement in post-processing, we also upper-bound the min-entropy. In the setup of Fig. 4.3, the quantum signal is measured by a PD. In the ideal case, the PD can resolve the photon number of the optical signal. The laser power used in our setup is 0.95 mW, and the time constant of our PD is around 200 ps (5 GHz PD in Fig. 4.3). This corresponds to 1.5×10^6 photons at a wavelength of 1550 nm within 200 ps. Thus, the maximal entropy of a sample from the PD is given by log2(1.5 × 10^6) = 20.5 bits, which is the upper bound of the min-entropy of our QRNG source.
In our experimental demonstration, we use an 8-bit ADC in the end, which results in a min-entropy of 6.7 bits per sample. Therefore, a factor of 3 improvement in the random number generation rate could potentially be achieved with a higher-resolution ADC (such as a 16-bit ADC). Nonetheless, this min-entropy is ultimately bounded by 20.5 bits per sample, as shown above.
4.4 Randomness extraction
After quantifying the quantum randomness, randomness extraction is applied to distill
uniform-quantum random numbers from the raw data. In this section, we first briefly re-
view various extraction schemes in QRNG, for instance least significant bits (LSB), XOR
(exclusive-OR) and Hashing, and then present our extraction scheme: strong randomness
extractor. We implement two strong randomness extractors, Toeplitz-hashing [44] and
Trevisan’s extractor [86], both of which are proven to be information-theoretically secure.
4.4.1 Extraction schemes: Review
A randomness extractor is an algorithm that generates nearly perfect random numbers from the output of a high-entropy source. Various randomness extraction schemes have been employed in the implementation of QRNGs. The widely used one is least significant bits (LSB), which has been used in the QRNGs of Refs. [30, 51, 53, 54, 57, 85]. An m-bit LSB takes the last m bits of a bit string and simply discards the rest. Applying LSB effectively flattens a non-uniform distribution to make it more uniform. Intuitively, LSB essentially performs a "re-binning" by combining certain digital bins. For example, if the pdf (probability density function) of the raw data (sampled by an 8-bit ADC) is a Gaussian curve, a 7-bit LSB cuts the curve into two halves and superposes the second half onto the first. A 6-bit LSB cuts the resulting pdf from the 7-bit LSB into two halves and superposes them again. The procedure repeats until the m-bit LSB is reached.
[Figure 4.9 plots: histogram of the XOR output (values 0 to 255); probability p versus value for "XOR - 7 LSB" (7-bit numbers), "XOR - 6 LSB" (6-bit numbers) and "XOR - 5 LSB" (5-bit numbers)]
Figure 4.9: The resulting distributions of different XOR (exclusive-OR) and LSB (Least
Significant Bits) extractions. The Histogram of the raw data follows a Gaussian distri-
bution. XOR combined with 6-LSB has processed the original Gaussian distribution to
a Uniform distribution.
To reduce the bias and possible correlations of the raw data, another popular randomness extraction scheme is XOR (exclusive-OR, or mod 2 addition). For instance, in the QRNGs of [55, 57, 79], XOR is applied to eliminate correlations between consecutive samples and improve the quality of the randomness.
Here, we have also tested the XOR and LSB schemes on our raw data, which is generated by the procedure discussed in Section 4.2. The resulting distributions for different LSB lengths are shown in Fig. 4.9. We also applied XOR with 6-bit LSB to 1 Gbit of our raw data. The extracted results successfully passed the random test suites of Diehard [90] and NIST [91]. We remark, however, that since we cannot provide an information-theoretic proof for the XOR-LSB procedure, it is arguable whether XOR-LSB can indeed extract perfectly uniform random bits.
Another promising extraction scheme is hashing. In computer science, various hashing functions have been proposed to realize randomness extraction [92]. Hence, we can build the software algorithm and apply it to a QRNG. Indeed, more recent scientific attention has shifted to hashing functions, for instance the SHA-512 function [31], the Bose-Chaudhuri-Hocquenghem function [80] and Whirlpool [84].
Among these hashing implementations, the one proposed by Gabriel et al. [31], together with their entropy evaluation method, is interesting. Their data processing can be essentially divided into two steps, "binning" and "hashing". In the "binning" process, they start with a 16-bit ADC and combine some of the bins so that all bins have equal area. Then they calculate the Shannon entropy of the classical noise and of the total noise (quantum signal and classical noise) separately for each bit value, and show that the difference of those two entropies plateaus at 5 bits. After determining that the Shannon entropy of the quantum signal is lower bounded by 3.25 bits, they applied the SHA-512 algorithm as the hashing function to extract 3 bits/sample. In general, this algorithm is carefully developed and can be easily realized in hardware. We remark that it is important to perform such post-processing on the raw data to distill a shorter but more secure string of random numbers. Unfortunately, the discussion there [31] is based on Shannon entropy, which does not take finite-size effects (i.e., that the number of executions of a random process used for generating randomness is always finite in any real experiment) into consideration. The entropy evaluation method there is also not efficient: in fact, it costs at least one random bit per sample (see footnote 8). Furthermore, a non-universal hashing function such as SHA-512 is not an information-theoretically provable randomness extractor. Therefore, the random numbers generated there cannot be theoretically verified as random and unique.
In summary, up to now, none of the randomness extraction schemes, including XOR,
LSB and hashing, can strictly offer a randomness extractor [44, 86, 87]. Fortunately,
in theoretical computer science, there indeed exists information-theoretically proven ex-
tractors, such as Trevisan’s extractor [86]. However, these extractors have never been
implemented in a real QRNG experiment. Therefore, there is a large gap between theory
and experiment. Here, we close the gap by implementing two information-theoretically
secure extractors, Trevisan’s extractor [86] and Toeplitz-hashing [44].
4.4.2 Toeplitz-hashing extractor
Due to the similarity between the definitions of extractors [44] and privacy amplification
[93], any privacy amplification scheme can be used as an extractor in principle. In privacy
amplification, the widely-used function is universal-hashing defined as
Definition 4.4.1 (Universal-hashing) A class G of functions A → B is universal2 (uni-
versal for short) if, for any distinct x1 and x2 in A, the probability that g(x1) = g(x2) is
at most 1/|B| when g is chosen at random from G according to the uniform distribution.
Footnote 8: The scheme of [31] also does not work when the classical noise is larger than the quantum noise.
Among the universal-hashing functions, Toeplitz-hashing [94, 95] has the advantages
of shorter random-seed (the random bits to construct a hashing function) length and
computation simplicity in hardware, thus it is the popular one in privacy amplification.
Nonetheless, in practice, the random-seed is assumed to be free in the QKD privacy
amplification task [93]. A direct transplant of privacy amplification schemes may not
work for randomness extraction. In fact, for Toeplitz-hashing [94, 95], the random-seed
used to construct a Toeplitz matrix is longer than the output string. To overcome this,
one needs to prove that the privacy amplification scheme constructs a strong extractor.
The definition of strong extractor is the following.
Definition 4.4.2 (Strong extractor) A (k, ε, n, d, m)-strong extractor $\mathrm{Ext}(X, U_d)$ is an extractor such that the distribution $\mathrm{Ext}(X, U_d) \circ U_d$ is ε-close to the uniform distribution on $\{0,1\}^{m+d}$.
Fortunately, the extractors constructed by universal hashing functions [96] can be
easily proven to be strong extractors by the Leftover Hash Lemma [97].
Lemma 4.4.3 (Leftover Hash Lemma [97]) Let $H = \{h_1, h_2, \ldots, h_{2^d}\}$ be a universal hashing family mapping from $\{0,1\}^n$ to $\{0,1\}^m$, and X be a distribution on $\{0,1\}^n$ with $H_\infty(X) \ge k$. Then for $x \in X$ and $h_y \in H$ where $y \in U_d$, the distribution formed by $h_y(x) \circ y$ is $\varepsilon = 2^{(m-k)/2}$-close to $U_{m+d}$. That is, it forms a $(k, 2^{(m-k)/2}, n, d, m)$-strong extractor.
We use Toeplitz matrices for the universal hashing function construction [94, 95, 98]. A Toeplitz matrix of dimension n×m requires only the specification of its first row and first column; the other elements are determined by each descending diagonal (from top left to bottom right) being constant. Thus, the total number of random bits required to construct (choose) a Toeplitz matrix is n + m − 1.
The procedure of Toeplitz-hashing extractor is given as follows.
1. Given raw data of size n with the min-entropy of k and a security parameter ε,
determine output length to be
m = k − 2 log ε. (4.5)
2. Construct a Toeplitz matrix with an (n + m − 1)-bit random seed. For demonstration purposes, we use pseudo random numbers in this step.
3. The extracted random bit string is obtained by multiplying the raw data with the
Toeplitz matrix.
As calculated in Section 4.3, the min-entropy of our raw data is bounded by 6.78 bits per sample (8 bits). With an input bit-string length of 2^12 = 4096, the output bit-string length is (4096 × 6.7)/8 ≥ 3471. Thus, we use a 4096-by-3471 Toeplitz matrix for randomness extraction. Our implementation of Toeplitz-hashing is based on MatLab on a standard PC. The generation rate is 441 kb/s (see footnote 9). However, the availability of a 64-bit computer with more than 4 GBytes of memory extends the input size from 2^12 = 4096 to 2^14 = 16,384. Although cost effective in terms of seed length, the increased input length does entail a speed penalty due to the O(n^2) complexity of the matrix multiplication.
We finally discuss how to generate the random seed for Toeplitz-hashing. Even though the seed length (n + m − 1) needed to specify a Toeplitz matrix is short, it is still longer than the output length m. Therefore, if we want to use a secure quantum source to randomly pick the seed, we cannot afford to pick a new seed for every extraction. Fortunately, reusing the seeds will only increase the deviation of the actual average entropy from the uniform distribution [94, 98]. We could reuse the seeds at a rate that keeps the deviation negligible and the average entropy lost per extraction small compared to the extracted entropy. One secure scheme to construct the random seed is to use previously extracted random bits. In a real setup, using a small portion of the extracted bits as the seed for the next extraction can be realized in software or hardware. However, we recognize that it is not easy to construct such a hardware circuit that can operate over a GHz range. The solution to this problem is to use a pseudo-RNG for seed generation. As long as the pseudo-RNG produces the desired uniformity, it can be used to generate the random seed. In our demonstration, we employ the pseudo-RNG of MatLab to generate the random seed for every 4096-bit input. The extracted bit sequence successfully passes all the statistical test suites of Diehard [90], NIST [91] and TestU01 [99] (Small Crush). The test results are shown in Section 4.5.1.
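The three-step Toeplitz-hashing procedure above as an added, runnable example in Python; this is not the MatLab implementation used in the thesis. The output length is taken directly from Lemma 4.4.3 as m = k + 2 log2 ε (Eq. (4.5) with log ε read as log(1/ε)), os.urandom stands in for the pseudo-RNG seed source, and the block sizes and bit patterns are constructed for illustration.

```python
import math
import os


def output_length(n_raw_bits, min_entropy_per_sample, bits_per_sample, eps):
    """Step 1. Total min-entropy k of the raw block, reduced by the Leftover
    Hash Lemma penalty 2*log2(1/eps) for the security parameter eps."""
    k = n_raw_bits * min_entropy_per_sample / bits_per_sample
    return int(math.floor(k - 2.0 * math.log2(1.0 / eps)))


def random_seed_bits(n_bits):
    """Step 2. n + m - 1 seed bits. os.urandom stands in for the pseudo-RNG of
    the thesis (a deployed system would feed back extracted bits instead)."""
    raw = os.urandom((n_bits + 7) // 8)
    return [(byte >> k) & 1 for byte in raw for k in range(8)][:n_bits]


def toeplitz_matrix(seed_bits, n, m):
    """Explicit m-by-n Toeplitz matrix over GF(2): T[i][j] = seed[i - j + n - 1].
    The first row is seed[n-1::-1], the first column is seed[n-1:], and every
    descending diagonal is constant, so n + m - 1 seed bits fix the matrix."""
    assert len(seed_bits) == n + m - 1
    return [[seed_bits[i - j + n - 1] for j in range(n)] for i in range(m)]


def toeplitz_extract(raw_bits, seed_bits, m):
    """Step 3, reference version: y = T x over GF(2) (matrix multiply mod 2)."""
    n = len(raw_bits)
    T = toeplitz_matrix(seed_bits, n, m)
    return [sum(T[i][j] & raw_bits[j] for j in range(n)) & 1 for i in range(m)]


def toeplitz_extract_fast(raw_bits, seed_bits, m):
    """Step 3 without materialising the matrix. Row i of T is the seed window
    seed[i : i + n] read backwards, so output bit i is the parity of a bitwise
    AND between that window and the bit-reversed raw block."""
    n = len(raw_bits)
    assert len(seed_bits) == n + m - 1
    x_rev = 0                                   # bit j' holds raw_bits[n-1-j']
    for j, b in enumerate(raw_bits):
        x_rev |= b << (n - 1 - j)
    seed_int = 0                                # bit t holds seed_bits[t]
    for t, b in enumerate(seed_bits):
        seed_int |= b << t
    mask = (1 << n) - 1
    out = []
    for i in range(m):
        row = (seed_int >> i) & mask            # bit j' = seed[i + j'] = T[i][n-1-j']
        out.append(bin(row & x_rev).count("1") & 1)
    return out


def extract_block(raw_bits, min_entropy_per_sample, bits_per_sample=8, eps=2.0 ** -10):
    """End to end: size the output, draw a fresh seed, extract.
    Returns (extracted_bits, seed_bits)."""
    n = len(raw_bits)
    m = output_length(n, min_entropy_per_sample, bits_per_sample, eps)
    seed = random_seed_bits(n + m - 1)
    return toeplitz_extract_fast(raw_bits, seed, m), seed
```

For the thesis's parameters (n = 4096, 6.78 bits of min-entropy per 8-bit sample) and ε = 2^−10, output_length gives 3451 bits, i.e. the 3471-bit figure quoted above minus the 20-bit Leftover Hash Lemma penalty.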
4.4.3 Trevisan’s extractor
Trevisan proposed an approach to construct extractors based on pseudo-RNGs [86]. Here,
we implement its improved version by Raz, Reingold and Vadhan [100]. There are two
main steps to construct a Trevisan extractor: error correction code and combinatorial
design. The error correction code is constructed by concatenating a Reed-Solomon code
Footnote 9: Toeplitz-hashing can be implemented much faster in hardware [95].
with a Hadamard code [101]. For the combinatorial design part, we implement a refined
version of Nisan-Wigderson design [102, 103].
In our implementation, the top generation rate of our extractor is 706.8 bits/s. This low speed is a consequence of the lack of an efficient implementation of finite field operations. While slow, Trevisan's extractor does provide more stringent passing of statistical tests (see Section 4.5.1). Although Trevisan's extractor may be more secure than Toeplitz-hashing, the severe restriction on speed has limited its usage in real-time applications. One practical conclusion is to use hashing in speed-critical applications and Trevisan's extractor in security-critical applications where speed can be sacrificed for security. Furthermore, our implementation runs on a mere personal computer (PC), but a mainframe computer can crunch number-theoretic operations much faster than a PC. As a future perspective, once we tackle the implementation on a graphical processing unit (GPU) platform, the architecture of the GPU will allow us to exploit the intrinsic parallelism of the extractor much more efficiently via its multi-threading capability.
4.5 Randomness verification
4.5.1 Statistic test
We employ three statistical test suites, Diehard [90], NIST [91] and TestU01 [99], to evaluate the randomness of our extracted results from Toeplitz-hashing and Trevisan's extractor. Each test suite contains many individual tests, and each individual test evaluates one aspect of randomness (e.g., bias, repetition and so on). The implementation details of these test suites are given in Appendix C.1. Given the constraint of computational power, we only perform the Diehard test on Trevisan's extractor. Without post-processing, the raw data cannot pass any statistical test, which is mainly due to the classical noise mixed into the raw data and the fact that the measured quantum fluctuations follow a Gaussian distribution instead of a uniform distribution. This demonstrates the need for effective post-processing in our QRNG. After Toeplitz-hashing and Trevisan's extractor, the outputs successfully pass all the standard statistical tests.
We also perform the statistical tests on a pseudo-RNG, the MatLab 2007 internal RNG. It generates uniformly random integers from 0 to 255 (emulating an 8-bit ADC output). After converting each integer to bits, the bit sequence is written to a binary file, which is fed into the test suites. It cannot pass all tests without exposing the underlying determinism. This result further confirms the effectiveness of our extractors. The test results are shown in Tables C.2, C.3 and C.4 of Appendix C.1.
4.5.2 Autocorrelation
Another approach to verifying randomness is to evaluate the autocorrelation and check for the absence of periodic correlation. The autocorrelation R of a sequence X is defined as
$$R(\tau) = \frac{E[(X_i - \mu)(X_{i+\tau} - \mu)]}{\sigma^2} \qquad (4.6)$$
where E is the expected value operator, τ is the sample delay, µ is the mean and σ is the standard deviation of X.
The autocorrelation results for our raw data are shown in Fig. 4.10(a) to Fig. 4.10(d). The raw data from our QRNG is digitized by an 8-bit ADC; therefore, the autocorrelation between bits (Fig. 4.10(a)) is only significant up to the 7th bit delay and, beyond that, the autocorrelation is negligible. The low values of the autocorrelation between samples (Fig. 4.10(b)) support the assumption of an IID raw sequence, where the slightly larger coefficient at the 2nd delay sample can be attributed to the finite bandwidth of our photodetector. We remark that the correlation among samples cannot reach zero for a practical detector with finite bandwidth. Eve might exploit this correlation and gain partial information on the generated random numbers. In principle, we can remove Eve's information by using the same randomness extractors developed in this work.
After post-processing, the autocorrelation of the outputs from both extractors is substantially improved, as shown in Fig. 4.11(a) to Fig. 4.11(d). In theory, for an infinite IID sequence as the random process, the autocorrelation is a broadband white curve. However, in practice, due to the inevitable presence of bias and the finite data size, the autocorrelation of a data sequence can never reach 0. A back-of-the-envelope calculation [104] shows the effect of truncation on the autocorrelation coefficient. From the central limit theorem, one standard deviation will result in a range of autocorrelation of $[-1/\sqrt{n},\, 1/\sqrt{n}]$, where n is the data size.
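The check described in this section, Eq. (4.6) evaluated at the sample and the bit level and compared with the 1/√n band, as an added Python example (not the thesis's own analysis code). The 8-bit samples it runs on are constructed with a deliberate weak carry-over at a delay of two samples, standing in for the finite-bandwidth effect seen in Fig. 4.10(b); the choice to flag only delays beyond three times 1/√n is this example's, the text quotes the one-standard-deviation band.

```python
import math
import random


def autocorrelation(seq, max_delay):
    """Eq. (4.6): R(tau) = E[(X_i - mu)(X_{i+tau} - mu)] / sigma^2 for tau = 1..max_delay."""
    n = len(seq)
    mu = sum(seq) / n
    var = sum((x - mu) ** 2 for x in seq) / n
    if var == 0.0:
        raise ValueError("a constant sequence has no defined autocorrelation")
    R = {}
    for tau in range(1, max_delay + 1):
        pairs = n - tau
        cov = sum((seq[i] - mu) * (seq[i + tau] - mu) for i in range(pairs)) / pairs
        R[tau] = cov / var
    return R


def samples_to_bits(samples, bits_per_sample=8):
    """Unpack ADC samples into the bit stream, MSB first, so that a delay of
    8 bits corresponds to a delay of exactly one sample."""
    return [(s >> k) & 1 for s in samples for k in range(bits_per_sample - 1, -1, -1)]


def flag_delays(R, n, sigmas=1.0):
    """Delays whose |R(tau)| lies outside the band sigmas/sqrt(n) that a finite
    IID record of n values produces by the central limit theorem."""
    bound = sigmas / math.sqrt(n)
    return sorted(tau for tau, r in R.items() if abs(r) > bound)


def constructed_raw_samples(count, seed=2012):
    """Constructed stand-in for raw data (NOT measurements from the thesis):
    Gaussian samples quantised by an 8-bit ADC, with a weak carry-over from two
    samples earlier to mimic a finite-bandwidth photodetector (rho(2) = 0.3)."""
    rng = random.Random(seed)
    samples, history = [], [0.0, 0.0]
    for _ in range(count):
        v = 0.9 * rng.gauss(0.0, 1.0) + 0.3 * history[-2]
        history.append(v)
        code = int(round(128 + 40 * v))
        samples.append(min(255, max(0, code)))      # ADC saturation at the rails
    return samples


def report(count=5000, max_delay=100):
    """Sample- and bit-level autocorrelation of the constructed record, with the
    delays that exceed 3/sqrt(n) (n being the number of values correlated)."""
    samples = constructed_raw_samples(count)
    R_samples = autocorrelation(samples, max_delay)
    bits = samples_to_bits(samples)
    R_bits = autocorrelation(bits, max_delay)
    return {
        "R_samples_2": R_samples[2],
        "sample_delays_flagged": flag_delays(R_samples, len(samples), sigmas=3.0),
        "bit_delays_flagged": flag_delays(R_bits, len(bits), sigmas=3.0),
    }
```

On the constructed record the sample-level coefficient at delay 2 comes out near 0.3, well outside 3/√n, while the bit stream shows its structure at delays of 16 bits and multiples thereof, the same one-sample-versus-eight-bits relationship the text uses to read Fig. 4.10(a) against Fig. 4.10(b).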
4.6 Discussions and conclusions
In post-processing, we find that our implementations of the randomness extractors in MatLab on a standard laptop computer are not fast enough (with a maximal speed of 441 kbit/s) for a real-time high-speed QRNG. In practice, this might restrict the random bit generation speed. It will be interesting for future investigations to create a real-time extractor (by a better software or hardware implementation) for our high-speed QRNG.
Our system can be further improved as follows. The sensitivity of the detection system can be improved by replacing the photodetector with a balanced detector followed by an electrical subtraction circuit. The DFB laser used could be replaced by a combination of a broadband light source and a narrowband optical filter; in this case, the linewidth is determined by the bandwidth of the filter. The real-time oscilloscope can be replaced by a fast, high-resolution ADC.
In conclusion, we have successfully demonstrated an ultrafast QRNG at a generation rate of over 6 Gb/s. The randomness is generated from the intrinsic quantum phase fluctuations of a laser. Our work not only highlights the importance of quantifying quantum randomness and of considering possible attacks by Eve in a practical QRNG, but also demonstrates the large potential of quantum phase fluctuations as a true entropy source for random number generation.
[Figure 4.10 plots, autocorrelation coefficient (log scale, 10^−7 to 10^0) versus delay, positive and negative values plotted separately: (a) Raw data between bits (100 delay); (b) Raw data between samples (100 delay); (c) Raw data between bits (1000 delay); (d) Raw data between samples (1000 delay)]
Figure 4.10: Autocorrelation of the raw data. All normalized correlations are evaluated from a 10 Mb record of the raw data. (a) The average value is 9.5 × 10^−4. The most significant correlations are within 8 bits (one sample digitized by an 8-bit ADC). (b) The average value is 4.9 × 10^−4. The correlation among samples cannot reach zero for a practical detector with finite bandwidth. (c) The average value is −9.2 × 10^−5. (d) The average value is 1.2 × 10^−4. It demonstrates the absence of long-period autocorrelation.
[Figure 4.11 plots, autocorrelation coefficient (log scale, 10^−7 to 10^0) versus delay (bits), positive and negative values plotted separately: (a) Toeplitz-hashing (100 delay); (b) Trevisan's extractor (100 delay); (c) Toeplitz-hashing (1000 delay); (d) Trevisan's extractor (1000 delay)]
Figure 4.11: Autocorrelation after randomness extraction (Toeplitz-hashing or Trevisan’s
extractor). The data size is 10 × 106 bits for each case. In theory, for a truly random
10× 106 bit string, the average normalized correlation is 0 and the standard deviation is
2.2 × 10−5. (a) The average value is −1.0 × 10−5. (b) The average value is 1.6 × 10−5.
(c) The average value is 1.1 × 10−6. (d) The average value is 1.5 × 10−5.
Chapter 5
Conclusion and Outlook
"There is no royal road to science, and only those who do not dread the fatiguing climb of gaining its numinous summits." - Karl Marx
5.1 Conclusion
In this thesis, I intensively studied two imperfections in practical quantum cryptosystems
- phase-remapping attack and quantum random number generator - and their security
consequences.
5.1.1 Phase-remapping attack
Unconditional security proofs of various QKD protocols are built on idealized assumptions. However, a real-life QKD system may contain overlooked imperfections, which can violate some of these assumptions. An adversary could exploit these imperfections and launch specific quantum attacks on a practical implementation of QKD. In this thesis, I investigated one of these imperfections in a commercial "plug-and-play" system and performed a proof-of-principle experiment to demonstrate a technologically feasible attack, known as the phase-remapping attack. In our attack, Eve could obtain full information while introducing a quantum bit error rate of only 19.7%.
The success of our attack clearly shows an imperfection in the practical QKD implementation. Specifically, this is the first successful "intercept-and-resend" attack on a commercial bidirectional QKD system, and it highlights not only the importance for Alice of verifying that she is encoding the right state during the encoding process, but also, more generally, the importance of verifying the correctness of each step of an implementation of a QKD protocol in a practical QKD system.
5.1.2 Quantum random number generator
A quantum random number generator (QRNG) can generate true randomness by ex-
ploiting the fundamental indeterminism of quantum mechanics. Several QRNGs, includ-
ing commercial products, have already been proposed and demonstrated. Nevertheless,
due to the difficulties of measuring quantum effects in real setups, most approaches to
QRNG are limited in speed. Moreover, in real experiments, the quantum randomness is
inevitably mixed with classical noise, which may be controlled by Eve.
In this thesis, I proposed and experimentally demonstrated a fast QRNG at a rate of over 6 Gbits/s. Our approach was based on the quantum phase fluctuations of a laser operated near its threshold. Furthermore, we presented and implemented a rigorous method to remove the contamination of classical noise by modeling our system, quantifying randomness through min-entropy and employing a post-processing function (a randomness extractor) to distill the randomness. A key advantage of our approach is that its security is theoretically provable based on information theory. The simplicity and high speed of our experimental setup show the feasibility of a robust, low-cost, high-speed QRNG. Our work not only highlights the importance of the rigorous quantification and distillation of quantum randomness in a practical QRNG, but also demonstrates the potential for random number generation using the quantum phase fluctuations of a laser as a true entropy source.
5.2 Outlook
5.2.1 Detector-control attack
The detector-control attack [24] has drawn much scientific attention, and has been successfully demonstrated on most types of practical QKD systems [24, 105, 106]. A full implementation of the attack strategy has been investigated in Ref. [106]. The key concept of the detector-control attack is the following. By sending a strong optical pulse to Bob, Eve can force Bob's single-photon detectors to always work in linear mode instead of Geiger mode. In linear mode, a single-photon detector, such as one based on InGaAs APDs, is only sensitive to bright illumination. This detector state is called "detector blinding". Then, Eve sends a bright pulse with a tailored power level such that Bob's detector always reports a detection event from the bright pulse, but never reports a detection event from a pulse with half the power. As a result, Eve can successfully launch an intercept-and-resend attack without increasing the QBER. For example, when Eve uses the same basis as Bob to measure the quantum state from Alice, Bob gets a detection event as if there were no eavesdropper. And if Eve uses the opposite basis from Bob to measure the quantum state from Alice, her bright pulse will strike both of Bob's detectors with half power, and neither detector will report a detection event. In practice, a simple detector-control attack will introduce a 50% total loss. However, Eve can place her intercept unit close to Alice's laboratory while compensating for the loss in the remaining fiber by re-sending brighter states.
The detector-control attack is applicable to various types of single-photon detectors, such as gated APDs [24], passively or actively quenched APDs [107, 108], and SSPDs [109]. How to remove such an attack is still a big challenge for QKD researchers. One proposed countermeasure is carefully operating the single-photon detectors inside Bob's system [67, 68] and monitoring the photocurrent for anomalously high values [110]. However, such a countermeasure may lead away from the provable security models of QKD and can often be defeated by advanced hacking technologies. Hence, the eventual solution to this attack may be to develop a QKD system that is free of detection loopholes. The device-independent QKD protocol [111] could be a perfect candidate for such a task. However, the strict requirement on the detection efficiency of the single-photon detector (larger than 83%) makes it still immature for practical demonstrations (typically, the detection efficiency of a practical single-photon detector is around 10%). Very recently, a promising countermeasure to this attack has appeared in the form of the so-called measurement-device-independent QKD protocol proposed by Lo et al. [112], which in principle can remove all detector side channels automatically. It is important to demonstrate and verify this scheme in a real setup in the future.
5.2.2 Other quantum attacks
Recently, Sun et al. have studied the imperfections of the Faraday mirror and proposed the passive Faraday-mirror attack on a "plug-and-play" system [113]. Jain et al. have experimentally demonstrated that the calibration routine of a commercial QKD system can be tricked into setting a large detector efficiency mismatch, and proposed an attack strategy on such a compromised system with a QBER of less than 7% [114]. Very recently, Li et al. [115] have studied the imperfection of a practical beam splitter and demonstrated a wavelength-dependent quantum attack on a polarization-coding QKD system. A substantial question is thus raised: how to counter an Eve who combines various quantum attacks? For instance, in a commercial "plug-and-play" QKD system, Eve can perform a quantum attack as follows. Eve employs the phase-remapping attack and the Faraday-mirror attack on Alice's encoding stage, tricks the calibration process into setting a large detector efficiency mismatch between Bob's two detectors, and applies the fake-state attack or the time-shift attack on Bob's detection stage. If she does so, the resulting QBER will be dramatically reduced. Furthermore, if Eve launches her attack not on every signal but only on a subset of signals, the introduced QBER will be much lower. How to remove such attacks will be a notoriously hard problem. Therefore, we remark that instead of removing the attacks, what we can do is to quantify them carefully. Once quantified, those imperfections may be taken care of in future security proofs of QKD.
Besides the loopholes discussed above, other imperfections of a practical QKD system should also be carefully investigated. In most phase-coding based QKD systems, the polarization component of the quantum state is often used to optimize the system design. A natural question is: is it still secure if Eve actively introduces some polarization redundancies into such a QKD system? Moreover, QKD technology is developing towards longer distances and higher bit rates. Therefore, another question is: will more unnoticed imperfections appear in a long-distance and high-speed QKD system? For example, the detector dead-time issue in a high-speed QKD system has recently been studied in Refs. [116, 117, 118]. Furthermore, there also exists another type of QKD, continuous variable QKD [10, 119], whose security is based on the uncertainty principle of the amplitude quadrature and the phase quadrature of a coherent state. However, the practical security of continuous variable QKD is still unclear and deserves future investigation.
Up to now, most of the imperfections that have been studied are in fiber-based QKD
systems. Hence, the practical security of free-space QKD systems is still unclear.
Indeed, the imperfection due to non-single-mode quantum signals is a crucial issue in
free-space QKD. Eve can exploit this imperfection and launch the spatial-mode attack
against a free-space QKD system [62, 63, 64, 65], such as a satellite-based QKD
implementation.
Chapter 5. Conclusion and Outlook 59
5.2.3 Quantum random number generator
A novel approach to generating and post-processing random numbers has been demonstrated
in Chapter 4. We can improve the system (Fig. 4.3) by making it more compact and
robust. A proposed new system design is shown in Fig. 5.1. Compared to the previous
setup (see Fig. 4.3), the improvements are the following.
• The DFB laser is replaced by a compact OEM laser diode.
• The photodetector is replaced by a balanced detection system with two photodetectors
(PD1/2 in Fig. 5.1) followed by a differential amplifier (DA in Fig. 5.1).
• The real-time oscilloscope is replaced by a high-speed (sampling rate above 1 GHz),
high-resolution analog-to-digital converter (ADC)¹.
Furthermore, it is important to create a real-time hardware-based randomness extractor
in a practical QRNG system for future investigations. By implementing the above new
system design, it will be easy to build a compact, low-cost, high-speed, and robust
QRNG system with a USB port in the future. A commercial QRNG with a USB port and a
generation rate of 4 Mbits/s has already appeared on the market (see Fig. 5.2) [32].
[Figure 5.1: block diagram of the proposed QRNG: OEM laser, PC, PLC-MZI with TC, PD1 and PD2 feeding the DA, then the ADC; power supply and clock shown as supporting blocks.]
Figure 5.1: New system design of a QRNG based on quantum phase fluctuations of a laser.
PC, polarization controller; PLC-MZI, planar lightwave circuit Mach-Zehnder interferometer;
TC, temperature controller; PD1/2, photodetectors; DA, differential amplifier;
ADC, analog-to-digital converter.
¹ Optimization of the ADC range is also an interesting direction for future research.
Figure 5.2: Commercial QRNG with USB port at a rate of 4 Mbits/s [32].
Recently, based on a different type of laser and system design, the intensity fluctuations
of a laser have been studied to generate fast random bits [120]. An improved system
with a super-luminescent LED has also been demonstrated [121]. Since the fundamental
physical origin of both the phase fluctuations and the intensity fluctuations of a laser is
amplified spontaneous emission, it will be interesting to demonstrate a QRNG exploiting
both fluctuations.
5.2.4 Practical QKD
One potential development of practical QKD technology is long-distance transmission
and global communication. However, as discussed in subsection 2.4.1, the propagation
loss in fibers puts a limit on the longest distance of fiber-based quantum communication
(typically less than 400 km). To extend the transmission distance without relying on
intermediate nodes, the quantum repeater has been proposed [122]. A quantum repeater
relies on the concept of entanglement swapping, which allows Alice and Bob to distill
a number of entangled states over a long distance. Currently, the main challenge in
building a quantum repeater is the limited technology for a quantum memory. Hence, it
will be interesting for future research to develop a feasible quantum repeater and thus
achieve secure QKD over long distances.
A natural way to build a practical QKD network is to use standard optical fibers,
which have been developed and used in everyday telecommunication, as the quantum
channels. Therefore, an important future topic is wavelength division multiplexing
between QKD (quantum communication) and classical optical communication. Moreover,
when QKD is widely used in real-life applications, it will also be important to design and
establish standards for QKD.
5.3 Thoughts on future QKD
QKD has experienced the stages of theoretical foundations (1970-1993) and initial imple-
mentations (1993-2000). The gap between its theory and experiment is currently being
closed (2000-now). QKD has achieved a key generation rate of over 1 Mbits/s [37] and
a transmission distance of over 200 km [38]. Various QKD networks have been built in
the USA [39], Europe [40], China [41, 42], and Japan [37]. There have also been demonstra-
tions of QKD in a Swiss election and at the 2010 World Cup. Moreover, commercial QKD
products [32, 43] have appeared on the market. These QKD products have been used by
a number of Swiss banks to encrypt critical traffic.
Thanks to the quantum no-cloning theorem, the principle of QKD is rigorously guar-
anteed by the laws of quantum physics. Hence, QKD can be considered as an uncondition-
ally secure means of information transmission. However, when it is applied in a real-life
implementation, even a small unnoticed imperfection can easily break the security of an
otherwise carefully designed QKD system. The recent successes of the quantum hacking
strategies once again highlight the large gap between its theory and practice. How can
we bridge this gap?
In my opinion, the answer is working on security proofs of QKD with testable assump-
tions. Every assumption in a security proof should be written down and experimentally
verified. For instance, one fundamental assumption in all QKD protocols, including the
device-independent QKD protocol [111], is that Alice and Bob can generate perfectly
random numbers. Unfortunately, as discussed in Chapter 4, most random number gen-
erators cannot generate truly random numbers. Hence, it is important to battle-test the
local random number generators of Alice and Bob. Once this assumption is verified, we
can move to test other assumptions. This is a long-term research program, which is the
superposition of a quantum future and a classical present. We need to focus our atten-
tion on the study of the imperfections of QKD and their counter-measures. Only through
battle-testing can we gain confidence about the security of a practical QKD system, and
thus the security of a future cryptosystem.
Appendix A
Temperature control
In our experimental system (see Fig. 4.3), one requirement is to control the PLC-MZI
precisely to a fixed temperature, thus stabilizing its phase difference. Our
PLC-MZI (500 ps, by NTT Electronics Corporation) provides a so-called long/short arm
heater (adjusted by an external DC power supply) to control the temperature. However,
heating the thermal resistance inside the PLC-MZI by the arm heater usually takes a long time
(around 1 ∼ 3 min), and the arm heater can only raise, not lower, the temperature.
Therefore, it is experimentally difficult to control the temperature with the arm heater.
A temperature controller (TC)¹, which uses the Peltier effect to control the temperature,
on the other hand, can precisely stabilize and control the temperature of the PLC-MZI.
One important parameter in choosing a TC is the temperature accuracy.
A.1 Temperature accuracy
Table A.1: Basic experimental parameters.
n      | λ        | ∆n
1.446  | 1.55 µm  | 1.0 × 10⁻⁵/°C
Some experimental parameters, including the refractive index n of the fiber (quartz glass),
the laser wavelength λ, and the index fluctuation with temperature ∆n/°C, are listed in
Table A.1. The relation between the time fluctuation (∆τ) and the phase fluctuation (∆θ)
of the PLC-MZI is described by
∆τ = (∆n/n) τ,
∆θ = (∆n/n) τ ω0 = (∆n/n) τ (2πc/λ).    (A.1)
Using the data in Table A.1, the phase fluctuation is ∆θ = 1.33π/°C.
¹ The TC also provides feedback control. If the PLC-MZI experiences a phase shift (from classical noise, such as environmental fluctuations), the TC can automatically adjust the temperature and stabilize its phase.
To achieve a 1% accuracy of relative power density, the voltage accuracy is 0.1, and
the voltage fluctuation ∆V is given by ∆V/(2V0) = 0.1, where V0 is the amplitude of the
voltage drift V = V0 sin θ (see Eqn. 4.1). Therefore, the average phase fluctuation is
described by
⟨sin(∆θ)⟩ = ∆V/V0 = 0.2 ≈ ∆θ,    (A.2)
for which the required temperature accuracy is 0.05 °C.
On the other hand, when the laser (see Fig. 4.3) is operated below 3 mW, its linewidth
is larger than 6.5 MHz. Hence, based on Refs. [74, 56], the variance of the phase fluctuation
is given by
⟨∆θ²⟩ = 2πτ∆f ≥ 0.02,    (A.3)
where τ = 500 ps is the time difference of the PLC-MZI and ∆f is the laser linewidth. The
required temperature accuracy is then ∆T = 0.03 °C.
In summary, the required temperature accuracy of the temperature controller is of the
order of 0.01 °C.
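The chain of estimates in Section A.1 can be carried through numerically. The following Python script is an added worked example, not code from the thesis: it uses only the Table A.1 and Section A.1 values, reproduces the 1.33π/°C drift of Eq. (A.1), the 0.05 °C tolerance of Eq. (A.2), the 0.03 °C figure after Eq. (A.3), and the 1.5 °C per 2π fringe measured in Section A.2. The step from ⟨∆θ²⟩ to a temperature tolerance via the rms phase √⟨∆θ²⟩ is an assumption about how the thesis obtains 0.03 °C, and is marked as such in the code.

```python
"""Worked numbers for Appendix A: the temperature tolerance of the PLC-MZI.

Added example (not the thesis's code). Inputs are the Table A.1 / Section A.1
values; every function returns a plain float so each step can be checked.
"""
import math

# Table A.1 and Section A.1 parameters, as given in the thesis
N_INDEX = 1.446           # refractive index of the quartz-glass fibre
DN_PER_C = 1.0e-5         # index change per degree C
WAVELENGTH_M = 1.55e-6    # laser wavelength (m)
TAU_S = 500e-12           # PLC-MZI arm delay (s)
C_M_S = 299_792_458.0     # speed of light (m/s)


def phase_drift_per_degree(n=N_INDEX, dn=DN_PER_C, tau=TAU_S, lam=WAVELENGTH_M):
    """Eq. (A.1): d(theta)/dT = (dn/n) * tau * omega0 with omega0 = 2*pi*c/lam.
    Returns radians of MZI phase per degree C (the thesis quotes 1.33*pi)."""
    return (dn / n) * tau * 2.0 * math.pi * C_M_S / lam


def temperature_for_phase(delta_theta_rad):
    """Temperature change (degrees C) that produces a given phase change."""
    return delta_theta_rad / phase_drift_per_degree()


def accuracy_from_voltage_tolerance(dv_over_v0=0.2):
    """Eq. (A.2): <sin(d theta)> = dV/V0 = 0.2 ~ d theta, so the thermal phase
    drift must stay below 0.2 rad; the thesis quotes 0.05 degrees C."""
    return temperature_for_phase(dv_over_v0)


def phase_variance_from_linewidth(linewidth_hz=6.5e6, tau=TAU_S):
    """Eq. (A.3): variance of the quantum phase fluctuation, <d theta^2> = 2*pi*tau*df."""
    return 2.0 * math.pi * tau * linewidth_hz


def accuracy_from_linewidth(linewidth_hz=6.5e6):
    """Temperature step whose phase drift equals the rms quantum phase
    fluctuation sqrt(<d theta^2>). Assumption: this rms comparison is the step
    behind the 0.03 degrees C the thesis quotes after Eq. (A.3)."""
    return temperature_for_phase(math.sqrt(phase_variance_from_linewidth(linewidth_hz)))


def full_fringe_temperature():
    """Temperature change for a 2*pi phase drift (Section A.2 measures about 1.5 C)."""
    return temperature_for_phase(2.0 * math.pi)


if __name__ == "__main__":
    print(f"phase drift      : {phase_drift_per_degree() / math.pi:.3f} pi rad per degree C")
    print(f"2*pi fringe      : {full_fringe_temperature():.2f} degrees C")
    print(f"from dV/V0 = 0.2 : {accuracy_from_voltage_tolerance():.3f} degrees C")
    print(f"<d theta^2>      : {phase_variance_from_linewidth():.4f} rad^2")
    print(f"from linewidth   : {accuracy_from_linewidth():.3f} degrees C")
```

Running the script with the exact value of c gives 1.34π/°C rather than the rounded 1.33π/°C quoted in the text; the downstream tolerances agree with the thesis to the precision it states.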
A.2 Temperature controller
The temperature sensor of our PLC-MZI is a thermistor and the control device is a Peltier
element. Thus, the requirements on the TC can be summarized as follows: the input supports
a thermistor, the output current is high enough to drive the Peltier element (Imax = 4 A),
and the resolution is of the order of 0.01 °C. We finally chose the PTC-5K, manufactured by
Wavelength Electronics Inc., as our TC.
After implementing the TC in our system (Fig. 4.3), we analyze the temperature
stability as follows. By adjusting the temperature from 24 °C to 26 °C, the measured
phase drift is shown in Fig. A.1. We can see that the phase drift follows a sin/cos
function. A 1.5 °C temperature change causes a 2π phase drift, which is consistent
with the theoretical calculation in Section A.1. The TC can be set to either 25.39 °C or
24.72 °C to stabilize the phase difference of the PLC-MZI at ωτ = 2mπ + π/2. The
measured temperature resolution is around 0.02 °C, which is mainly determined by the
resolution of our digital voltmeter (1 mV). A better temperature resolution can be
achieved with a higher-resolution digital voltmeter.
[Figure A.1: phase drift of the PLC-MZI (mV, 0 to 25) versus temperature (°C, 24.4 to 26.2).]
Figure A.1: Phase drift of the PLC-MZI. By adjusting the temperature controller in
Fig. 4.3, the temperature is scanned from 24 °C to 26 °C and the phase drift is measured
by an oscilloscope.
We stabilize the TC at 24.72 °C and set the laser power to 0.95 mW. With a real-time
oscilloscope, we measured the standard deviation (i.e. the square root of the voltage variance
in Eqn. 4.3) of the interferometric signal as Vrms = 2.28 ± 0.01 mV, which corresponds
to a phase fluctuation variance of ⟨∆θ²⟩ = 0.035. Furthermore, the measured voltage
fluctuation over a few hours is within 0.3 mV, which is equivalent to a temperature
fluctuation of 0.01 °C and thus shows the good phase stability of our system.
Appendix B
Laser Noise Characterization in
Frequency Domain
In this appendix, we discuss our approach to characterizing laser noise in the frequency domain.
B.1 Parameter quantification
The parameters in Eq. (4.3) are quantified in the frequency domain by measuring the noise
spectra with a spectrum analyzer (model HP8564) in the frequency range [0 Hz,
1 GHz] (sampling rate 1 GHz). Fig. 4.6 shows the measurement results when the laser
power is set at 0.95 mW. We can see that the intensity noise is insignificant and can be
neglected [88, 89]. We further measured the intensity noise of our laser in a wide band
up to 10 GHz. The laser was operated at 0.18 mW (right above threshold), where we
can detect the strongest intensity noise. The measurement result is shown in Fig. B.1.
It shows that the intensity noise spectrum has a peak at a certain frequency
(around 1.5 GHz), and on average it is 4 dB higher than the electrical background
noise floor. Therefore, we conclude that the intensity noise is not as good a randomness
entropy source as the phase fluctuations. Note, however, that by employing optical
filters and post-processing, it is still possible to generate random numbers from
the intensity noise.
To quantify the parameters AQ, AC, and F in Eq. (4.3), we operate the laser
at different optical power levels and measure the total noise (the sum of quantum
noise and classical noise) spectra. Since each spectrum presents a flat response (see
Fig. 4.6 for an example), we then calculate the area of each spectrum (in the range
[0 Hz, 1 GHz]), which is proportional to the voltage variance Vpr(t) in Eq. (4.3). The
experimental results are shown in Fig. B.2, where the laser power and voltage variance
have negligible systematic errors. The expectation of each measurement result is used for
the statistical inference of the fit (second-order polynomial fit with least-squares estimation).
The fitting results and the corresponding confidence intervals (level α = 0.99) are shown
in Table B.1. We remark that the confidence intervals are relatively small while still
containing the statistical variation across different trials of inference. To validate our
model, we further employ the standard analysis of variance (ANOVA) F test [123]. The
resulting p-value (or probability of mis-fit) is smaller than 10⁻⁵, which shows that our
model essentially captures the statistical nature of the underlying relationship.
[Figure B.1: power density (dBm, −86 to −66) versus frequency (MHz, 0 to 1000); traces at 8 mA, 9 mA, 10 mA and 15 mA drive current, plus the electrical noise floor.]
Figure B.1: Intensity noise of the DFB laser at 9.4 mA (0.18 mW). The intensity noise
has a peak at a certain frequency (around 1.5 GHz) and on average it is 4 dB
higher than the electrical background noise floor. All of these responses indicate that the
intensity noise of our laser is not as good a randomness source as the phase noise.
Table B.1: Experimental results for the parameters in Eq. (4.3) (arb. units). The parameters
are quantified in the frequency domain.
F            | AQ             | AC
4.75 ± 0.83  | 194.50 ± 6.65  | 4.85 ± 1.94
Using the data given in Table B.1, we calculate the quantum signal to classical noise
ratio γ = AQP/(ACP² + F) as a function of laser power. The results are shown in
Fig. B.3¹. The optimal ratio γ = 20 is achieved at P = 0.99 mW. The difference
between the time-domain results (γ = 21 and P = 0.95 mW) and the frequency-domain results
stems from the discrepancy between the electrical noise of the oscilloscope and that of the
spectrum analyzer. It is tolerable in our experiment.
[Figure B.2: voltage fluctuation variance ⟨V²⟩ (arb. units, 0 to 600) versus laser output power P (mW, 0 to 12); experimental points and fitted curve.]
Figure B.2: Voltage variance measured in the frequency domain. The experimental results
are measured by a spectrum analyzer and contain negligible systematic errors. The
expectations of the experimental results are fitted by a quadratic polynomial function.
B.2 Quantum and classical phase noise
As shown in Eq. (4.3), the detected signal consists of both the quantum signal and classical
noise. In a real experiment they are mixed together and cannot be separated. In this
section, we propose an approach to experimentally derive an upper bound on the classical
noise in a practical QRNG system.
For a laser, the quantum signal is laser-power-dependent, while the classical noises are
power-independent [88, 89] and can be treated as a constant. Therefore, by operating
the laser at different optical power levels, the quantum signal and the classical noise can
be experimentally bounded.
¹ The experimental data are determined as follows. At each laser power P, we measure the total noise (quantum and classical noise) spectrum with a spectrum analyzer and calculate the voltage variance (spectrum area) as Var1 = ⟨V²pr⟩ = AP²(Q/P + C) + E. Then we apply the method discussed in Section B.2 to quantify the classical noise by operating the laser at its highest power, 19.63 mW, and measure the voltage variance as Var2 = AP²(Q/19.63 + C) + E. From Var1 and Var2 we get
γ = AQP/(ACP² + F) = [(Var1 − Var2)/(1 − P/19.63)] / [Var1 − (Var1 − Var2)/(1 − P/19.63)] = (Var1 − Var2)/(Var2 − Var1·P/19.63),
which is the experimental data shown in Fig. B.3.
[Figure B.3: quantum signal to classical noise ratio γ of the raw data (0 to 22) versus laser output power (mW, 0 to 9); experimental points and theoretical curve.]
Figure B.3: Quantum signal to classical noise ratio measured in the frequency domain. The
theoretical curve is obtained from the ratio γ = AQP/(ACP² + F) and the parameters
in Table B.1. The experimental results are measured by a spectrum analyzer.
As shown in Eq. (4.3), after interference, the signal detected by the photodetector is a
function of the laser optical power. Here, we further distinguish the power of the interference
signal (i.e. the input of the PLC-MZI in Fig. 4.3, denoted Pi) from the laser emission
power (denoted Plaser). Eq. (4.3) then reads
⟨V²⟩ = A Pi² (Q/Plaser + C) + E.    (B.1)
Fig. B.4 shows the experimental setup to quantify the bound on the classical noise. To
measure the phase noises of the laser, Pi is fixed while the laser is operated at different
emission powers (Plaser). This is achieved with an optical attenuator (JDS Uniphase HA1)
and a power multimeter (Agilent 8163A). A spectrum analyzer (SA in Fig. B.4) is used
to measure the noise spectra. In our experiment, the driving current of the DFB laser
is varied from 12 mA (0.85 mW) to its maximum, 89 mA (19.63 mW)², while Pi is
fixed at 0.85 mW. The results for the total laser phase noise (quantum signal and classical
noise) are shown in Fig. B.5. We can see that with increasing laser optical power,
the total phase noise decreases. We remark that if the laser emission power could be
made arbitrarily high, the spectrum of the laser phase noise (Fig. B.5) would approach
a constant, which is the upper bound of the classical noise. In our system, since the highest
power of the laser is around 20 mW, the phase noise at this power level can be defined
as the upper bound of the classical noise.
² The relation between laser optical power P (mW) and driving current I (mA) is described by P = 0.256(I − 8.7), where 8.7 mA is the threshold of the DFB laser.
[Figure B.4: block diagram of the setup with Laser, Att, PM, the TC-stabilized PLC-MZI, PD1 and SA.]
Figure B.4: Experimental setup to quantify the phase noises. Laser, 1550 nm cw DFB
laser diode; PLC-MZI, planar lightwave circuit Mach-Zehnder interferometer (500 ps delay,
by NTT); TC, temperature controller (PTC 5K by Wavelength); PD1, photodetector
(5 GHz InGaAs photodetector); Att, optical attenuator (JDS Uniphase HA1); PM, power
multimeter (Agilent 8163A); SA, spectrum analyzer (HP 8564).
[Figure B.5: power density (dB, −85 to −65) versus frequency (MHz, 0 to 1000) for several laser emission powers.]
Figure B.5: (Color online) Laser phase noise spectra. As shown in Fig. B.4, the
interference signal power Pi is fixed at 0.85 mW while the laser is operated at different
emission powers (Plaser). With increasing Plaser, the phase noise decreases [88, 89].
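As an added example (not the thesis's own code), the Python below puts the Appendix B analysis into working form: the noise model of Eq. (4.3) with the Table B.1 parameters, the least-squares quadratic fit of Section B.1, the analytic optimum of the ratio γ, and the two-power-level estimator of the footnote to Fig. B.3 and Section B.2, in which the interference power is held fixed while the laser runs at its maximum. The "measurements" it fits are constructed from the model itself, so the checks exercise the algebra rather than real data; the pure-Python normal-equation solver is an implementation choice here, not the fitting tool used in the thesis.

```python
"""Appendix B in code: noise model, quadratic fit, gamma, and the two-level estimator.

Added example. Parameter values are the thesis's Table B.1 (arbitrary units);
all sample data are constructed from the model, not measured.
"""

# Table B.1 (arb. units): quantum slope, classical curvature, electrical floor
A_Q, A_C, F = 194.50, 4.85, 4.75


def variance_model(p, aq=A_Q, ac=A_C, f=F):
    """<V^2> = A_Q*P + A_C*P^2 + F: the quantum term grows linearly with laser
    power P, the classical term quadratically, F is the electrical noise floor."""
    return aq * p + ac * p * p + f


def gamma(p, aq=A_Q, ac=A_C, f=F):
    """Quantum signal to classical noise ratio gamma = A_Q P / (A_C P^2 + F)."""
    return aq * p / (ac * p * p + f)


def optimal_power(ac=A_C, f=F):
    """d(gamma)/dP = 0 gives P_opt = sqrt(F / A_C) (0.99 mW for Table B.1);
    the maximum is gamma_max = A_Q / (2 sqrt(A_C F)), about 20."""
    return (f / ac) ** 0.5


def solve3(m, b):
    """Gaussian elimination with partial pivoting for a 3x3 linear system."""
    a = [row[:] + [bi] for row, bi in zip(m, b)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(3):
            if r != col:
                fac = a[r][col] / a[col][col]
                a[r] = [x - fac * y for x, y in zip(a[r], a[col])]
    return [a[i][3] / a[i][i] for i in range(3)]


def fit_quadratic(powers, variances):
    """Least-squares fit of <V^2> = aq*P + ac*P^2 + f (the second-order
    polynomial fit of Section B.1) via the normal equations. Returns (aq, ac, f)."""
    cols = [[p, p * p, 1.0] for p in powers]
    m = [[sum(c[i] * c[j] for c in cols) for j in range(3)] for i in range(3)]
    b = [sum(c[i] * v for c, v in zip(cols, variances)) for i in range(3)]
    return tuple(solve3(m, b))


def two_level_variances(p, p_max, aq=A_Q, ac=A_C, f=F):
    """Constructed Var1/Var2 pair from Eq. (B.1) with the interference power
    P_i = P in both cases: Var1 has P_laser = P, Var2 has P_laser = P_max."""
    var1 = aq * p + ac * p * p + f               # A P^2 (Q/P + C) + E
    var2 = aq * p * p / p_max + ac * p * p + f   # A P^2 (Q/P_max + C) + E
    return var1, var2


def gamma_two_level(var_p, var_pmax, p, p_max):
    """Footnote estimator for gamma without knowing A_Q, A_C, F.
    Var1 - Var2 = A_Q P (1 - P/P_max) isolates the quantum term, and
    Var2 - Var1 P/P_max = (A_C P^2 + F)(1 - P/P_max) isolates the classical one,
    so gamma = (Var1 - Var2) / (Var2 - Var1 * P / P_max)."""
    return (var_p - var_pmax) / (var_pmax - var_p * p / p_max)


if __name__ == "__main__":
    powers = [0.5 * k for k in range(1, 21)]            # constructed 0.5 .. 10 mW grid
    print("fit:", fit_quadratic(powers, [variance_model(p) for p in powers]))
    print(f"P_opt = {optimal_power():.3f} mW, gamma_max = {gamma(optimal_power()):.2f}")
    v1, v2 = two_level_variances(0.95, 19.63)
    print(f"two-level gamma at 0.95 mW: {gamma_two_level(v1, v2, 0.95, 19.63):.3f}")
```

On noiseless model data the fit returns Table B.1 exactly and the two-level estimator equals γ(P) exactly, which is the point of the estimator: the classical part drops out of the difference, and the ratio needs no fitted parameters at all.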
Appendix C
Statistic test
C.1 Statistical test suites
We implement three standard statistical test suites, Diehard, NIST and TestU01, to test
our extracted results. The minimal input data sizes required by the three test suites are
summarized in Table C.1. A brief description of these suites follows.
Table C.1: Minimal data-size requirements of TestU01, Diehard and NIST.
Test suite            | Data size
TestU01 (SmallCrush)  | 907 MByte
TestU01 (Crush)       | 180 GByte
TestU01 (BigCrush)    | over 1 TByte
Diehard               | 8 MByte
NIST                  | 470 MByte (stream size 6.5 Mbit, number of streams 500)
1. Diehard [90]: Diehard, containing 20 tests, provides options for the output file, and
the output file [.txt] consists of all the resulting P-values for interpretation of
its 20 tests. For a test with multiple P-values, a Kolmogorov–Smirnov (KS) test
is usually used to obtain a final P-value, which measures the uniformity of the
multiple P-values. Diehard is passed if all final P-values satisfy 0.01 ≤ P ≤ 0.99.
2. NIST [91]: NIST, which consists of 15 tests, does not require a fixed input data
size. Two parameters, the number of streams (NoS) and the stream size (SS),
determine the test results. The minimum NoS that gives a useful result in
terms of uniformity of P-values is 500; a smaller NoS results in an inability
to discriminate uniformity from non-uniformity. SS is empirically taken as 6.5
Mbits, which ensures that the probabilistic dependency between the random bits
within a stream is washed out; a smaller SS leads to the failure of many of
the tests because of residual statistical dependency between bits. To pass NIST, the P-value
should be larger than the lowest significance level α = 0.01, and the proportion of
sequences satisfying P > α should be greater than a value β.
3. TestU01 [99]: TestU01 consists of three test batteries, known as SmallCrush, Crush
and BigCrush, where SmallCrush and Crush are subsets of BigCrush. Storage and
processing limitations only allow the execution of SmallCrush in our implementa-
tion. SmallCrush has 15 tests, where the P-value of a failed test converges to 0 or
1 (eps or 1 − eps).
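To make the pass criteria concrete, here is an added Python example (not part of the thesis or of the test suites themselves) implementing the decision logic described above: the KS combination of multiple sub-test P-values and the [0.01, 0.99] window for Diehard, and the α = 0.01 P-value plus proportion threshold for NIST. Two standard formulas are supplied here that the text does not spell out: the asymptotic Kolmogorov distribution with the (√n + 0.12 + 0.11/√n) small-sample correction for the KS final P-value, and the SP 800-22 proportion bound p̂ − 3√(p̂(1−p̂)/m) with p̂ = 1 − α, which for m = 500 streams gives the 0.976 quoted with Table C.3. The P-value lists are constructed inputs; one of them is copied from the Trevisan column of Table C.2.

```python
"""Pass/fail logic behind Tables C.2-C.4: Diehard's KS-combined P-values and the
NIST P-value/proportion criteria.

Added example. Nothing here runs Diehard, NIST or TestU01; it only reproduces
the decision rules applied to their output P-values.
"""
import math


def ks_uniform_statistic(pvals):
    """KS distance between the empirical CDF of the sub-test P-values and U(0,1)."""
    xs = sorted(pvals)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs, start=1):
        d = max(d, i / n - x, x - (i - 1) / n)
    return d


def ks_uniform_pvalue(pvals):
    """Final P-value of a Diehard test with several sub-test P-values: probability
    of a KS distance at least this large if the P-values were uniform. Uses the
    asymptotic Kolmogorov series with lambda = (sqrt(n) + 0.12 + 0.11/sqrt(n)) * D."""
    n = len(pvals)
    d = ks_uniform_statistic(pvals)
    lam = (math.sqrt(n) + 0.12 + 0.11 / math.sqrt(n)) * d
    if lam == 0.0:
        return 1.0
    total, sign = 0.0, 1.0
    for j in range(1, 200):                       # alternating series, converges fast for lam > 0.1
        term = math.exp(-2.0 * j * j * lam * lam)
        total += sign * term
        sign = -sign
        if term < 1e-12:
            break
    return min(1.0, max(0.0, 2.0 * total))


def diehard_final_pvalue(pvals):
    """A single P-value is used as-is; several are combined with the KS test."""
    return pvals[0] if len(pvals) == 1 else ks_uniform_pvalue(pvals)


def diehard_passes(final_pvals, lo=0.01, hi=0.99):
    """Diehard verdict: every final P-value must lie in [0.01, 0.99]. Values near
    1 fail too: sub-test P-values that are too uniform are as suspicious as too small."""
    return all(lo <= p <= hi for p in final_pvals)


def nist_proportion_threshold(alpha=0.01, n_streams=500):
    """Minimum pass proportion p_hat - 3*sqrt(p_hat*(1-p_hat)/m), p_hat = 1 - alpha
    (the SP 800-22 rule; 0.976 for 500 streams, as quoted with Table C.3)."""
    p_hat = 1.0 - alpha
    return p_hat - 3.0 * math.sqrt(p_hat * (1.0 - p_hat) / n_streams)


def nist_test_passes(pvalue, proportion, alpha=0.01, n_streams=500):
    """A NIST test passes if its P-value exceeds alpha and the proportion of
    streams with P > alpha exceeds the threshold."""
    return pvalue > alpha and proportion > nist_proportion_threshold(alpha, n_streams)


if __name__ == "__main__":
    # Constructed sub-test P-values for one Diehard test with several parts
    parts = [0.31, 0.77, 0.05, 0.52, 0.93, 0.18, 0.64, 0.41, 0.87, 0.26]
    print(f"KS final P-value: {diehard_final_pvalue(parts):.4f}")
    print(f"degenerate set  : {diehard_final_pvalue([0.001] * 20):.2e}")
    print(f"NIST threshold  : {nist_proportion_threshold():.4f}")
    print("NonOverlappingTemplate (hashing) passes:", nist_test_passes(0.727851, 0.9820))
```

The degenerate list in the usage block shows why the KS step matters: twenty sub-tests all reporting P = 0.001 give a final P-value far below 0.01 and a clear failure, whereas a plain average of the same values would hide nothing but also explain nothing.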
C.2 Test results
Table C.2: Diehard. Data size is 240 Mb. For the cases of multiple P-values, a
Kolmogorov–Smirnov (KS) test is used to obtain a final P-value, which measures the
uniformity of the multiple P-values. The test is successful if all final P-values satisfy
0.01 ≤ P ≤ 0.99.
Statistical test              | Pseudo-RNG result | Trevisan’s p-value | Trevisan’s result | Hashing p-value | Hashing result
Birthday Spacings [KS]        | success | 0.82263  | success | 0.340863 | success
Overlapping permutations      | success | 0.679927 | success | 0.403824 | success
Ranks of 31x31 matrices       | success | 0.419095 | success | 0.349441 | success
Ranks of 31x32 matrices       | success | 0.715705 | success | 0.816752 | success
Ranks of 6x8 matrices [KS]    | success | 0.195485 | success | 0.408573 | success
Bit stream test               | success | 0.048260 | success | 0.281680 | success
Monkey test OPSO              | success | 0.027300 | success | 0.892600 | success
Monkey test OQSO              | success | 0.023200 | success | 0.267200 | success
Monkey test DNA               | failure | 0.038000 | success | 0.736700 | success
Count 1’s in stream of bytes  | success | 0.380162 | success | 0.639691 | success
Count 1’s in specific bytes   | failure | 0.020417 | success | 0.373149 | success
Parking lot test [KS]         | failure | 0.629013 | success | 0.151689 | success
Minimum distance test [KS]    | success | 0.019499 | success | 0.688780 | success
Random spheres test [KS]      | success | 0.488703 | success | 0.939227 | success
Squeeze test                  | success | 0.238004 | success | 0.155403 | success
Overlapping sums test [KS]    | success | 0.022339 | success | 0.909675 | success
Runs test (up) [KS]           | failure | 0.403504 | success | 0.181024 | success
Runs test (down) [KS]         | success | 0.119132 | success | 0.668512 | success
Craps test No. of wins        | success | 0.757521 | success | 0.826358 | success
Craps test throws/game        | success | 0.179705 | success | 0.862986 | success
Table C.3: NIST. Data size is 3.25 Gbits (500 sequences, each around
6.5 Mbits). To pass the test, the P-value should be larger than the lowest significance level
α = 0.01, and the proportion of sequences satisfying P > α should be greater than 0.976.
Where the test has multiple P-values, the worst case is selected.
Statistical test            | Pseudo-RNG result | Hashing p-value | Hashing proportion | Hashing result
Frequency                   | success | 0.373625 | 0.9900 | success
Block-frequency             | success | 0.310049 | 0.9960 | success
Cumulative sums             | success | 0.422638 | 0.9980 | success
Runs                        | success | 0.703417 | 0.9900 | success
LongestRun                  | success | 0.013569 | 0.9880 | success
Rank                        | success | 0.411840 | 0.9940 | success
FFT                         | success | 0.987079 | 0.9860 | success
NonOverlappingTemplate      | failure | 0.727851 | 0.9820 | success
OverlappingTemplate         | success | 0.110083 | 0.9780 | success
Universal                   | success | 0.962688 | 0.9880 | success
ApproximateEntropy          | success | 0.674543 | 0.9920 | success
Random-excursions           | success | 0.409207 | 0.9900 | success
Random-excursions Variant   | success | 0.426358 | 0.9840 | success
Serial                      | success | 0.217570 | 0.9860 | success
Linear-complexity           | success | 0.657833 | 0.9940 | success
Table C.4: TestU01 (SmallCrush). Given the constraints of data size and computational
power for Crush and BigCrush, we only perform the SmallCrush test. Data size is 8
Gbits. The P-value of a failed test converges to 0 or 1 (eps or 1 − eps). Where the test
has multiple P-values, the worst case is selected.
Statistical test              | Raw data result | Hashing p-value | Hashing result
BirthdaySpacings              | failure | 0.5300 | success
Collision                     | failure | 0.1500 | success
Gap Chi-square                | failure | 0.8900 | success
SimpPoker Chi-square          | failure | 0.3500 | success
CouponCollector Chi-square    | failure | 0.6700 | success
MaxOft Chi-square             | failure | 0.6900 | success
MaxOft Anderson-Darling       | failure | 0.9500 | success
WeightDistrib Chi-square      | failure | 0.5600 | success
MatrixRank Chi-square         | failure | 0.5100 | success
HammingIndep Chi-square       | failure | 0.1000 | success
RandomWalk1 H Chi-square      | failure | 0.9931 | success
RandomWalk1 M Chi-square      | failure | 0.8300 | success
RandomWalk1 J Chi-square      | failure | 0.9400 | success
RandomWalk1 R Chi-square      | failure | 0.7000 | success
RandomWalk1 C Chi-square      | failure | 0.6600 | success
Bibliography
[1] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions
on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.
[2] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signa-
tures and public-key cryptosystems,” Communications of the ACM, vol. 21, no. 2,
pp. 120–126, 1978.
[3] P. Shor, “Polynomial-time algorithms for prime factorization and discrete loga-
rithms on a quantum computer,” SIAM J.Sci.Statist.Comput., vol. 26, p. 1484,
1997.
[4] G. Vernam, “Cipher printing telegraph systems for secret wire and radio telegraphic
communications,” Transactions of the American Institute of Electrical Engineers,
vol. 45, pp. 295–301, 1926.
[5] C. Shannon, Communication theory of secrecy systems. AT & T, 1949.
[6] S. Wiesner, “Conjugate coding,” ACM Sigact News, vol. 15, no. 1, pp. 78–88, 1983.
[7] C. Bennett, G. Brassard, et al., “Quantum cryptography: Public key distribution
and coin tossing,” in Proceedings of IEEE International Conference on Computers,
Systems and Signal Processing, vol. 175, Bangalore, India, 1984.
[8] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Re-
views of modern physics, vol. 74, no. 1, pp. 145–195, 2002.
[9] H.-K. Lo and Y. Zhao, “Quantum cryptography,” Encyclopedia of Complexity and
Systems Science, vol. 8, pp. 7265–7289, 2009.
[10] V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dusek, N. Lutkenhaus, and
M. Peev, “The security of practical quantum key distribution,” Reviews of Modern
Physics, vol. 81, no. 3, p. 1301, 2009.
Bibliography 76
[11] B. Qi, L. Qian, and H.-K. Lo, “A brief introduction of quantum cryptography for
engineers,” Arxiv preprint arXiv:1002.1237, 2010.
[12] W. Wootters and W. Zurek, “A single quantum cannot be cloned,” Nature, vol. 299,
no. 5886, pp. 802–803, 1982.
[13] D. Mayers, “Unconditional security in quantum cryptography,” Journal of the ACM
(JACM), vol. 48, no. 3, pp. 351–406, 2001.
[14] H.-K. Lo and H. Chau, “Unconditional security of quantum key distribution over
arbitrarily long distances,” Science, vol. 283, no. 5410, p. 2050, 1999.
[15] P. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distri-
bution protocol,” Physical Review Letters, vol. 85, no. 2, pp. 441–444, 2000.
[16] D. Gottesman, H.-K. Lo, N. Lutkenhaus, and J. Preskill, “Security of quantum key
distribution with imperfect devices,” Quant. Inf. Comput., vol. 4, no. 325, 2004.
[17] H. Inamori, N. Lutkenhaus, and D. Mayers, “Unconditional security of practical
quantum key distribution,” The European Physical Journal D-Atomic, Molecular,
Optical and Plasma Physics, vol. 41, no. 3, pp. 599–627, 2007.
[18] C. Fung, K. Tamaki, B. Qi, H.-K. Lo, and X. Ma, “Security proof of quantum
key distribution with detection efficiency mismatch,” Quant. Inf. Comput., vol. 9,
p. 131, 2009.
[19] A. Vakhitov, V. Makarov, and D. Hjelme, “Large pulse attack as a method of
conventional optical eavesdropping in quantum cryptography,” Journal of modern
optics, vol. 48, no. 13, pp. 2023–2038, 2001.
[20] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, “Trojan-horse attacks on
quantum-key-distribution systems,” Physical Review A, vol. 73, no. 022320, 2006.
[21] V. Makarov, A. Anisimov, and J. Skaar, “Effects of detector efficiency mismatch on
security of quantum cryptosystems,” Physical Review A, vol. 74, no. 022313, 2006.
[22] B. Qi, C. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum
cryptosystems,” Quant. Inf. Comput., vol. 7, no. 73, 2007.
[23] Y. Zhao, C. Fung, B. Qi, C. Chen, and H.-K. Lo, “Quantum hacking: Experimen-
tal demonstration of time-shift attack against practical quantum-key-distribution
systems,” Physical Review A, vol. 78, no. 042333, 2008.
[24] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov,
“Hacking commercial quantum cryptography systems by tailored bright illumina-
tion,” Nature photonics, vol. 4, no. 10, pp. 686–689, 2010.
[25] T. Jennewein, U. Achleitner, G. Weihs, H. Weinfurter, and A. Zeilinger, “A fast and
compact quantum random number generator,” Review of Scientific Instruments,
vol. 71, p. 1675, 2000.
[26] A. Stefanov, N. Gisin, O. Guinnard, L. Guinnard, and H. Zbinden, “Optical quan-
tum random number generator,” Journal of Modern Optics, vol. 47, no. 4, pp. 595–
598, 2000.
[27] J. Dynes, Z. Yuan, A. Sharpe, and A. Shields, “A high speed, postprocessing free,
quantum random number generator,” Applied Physics Letters, vol. 93, no. 031109,
2008.
[28] R. Colbeck and A. Kent, “Private randomness expansion with untrusted devices,”
Journal of Physics A: Mathematical and Theoretical, vol. 44, p. 095305, 2011.
[29] S. Pironio, A. Acín, S. Massar, A. Boyer de la Giroday, D. N. Matsukevich,
P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe, “Ran-
dom numbers certified by Bell’s theorem,” Nature, vol. 464, no. 7291, p. 1021,
2010.
[30] Y. Shen, L. Tian, and H. Zou, “Practical quantum random number generator
based on measuring the shot noise of vacuum states,” Physical Review A, vol. 81,
no. 063814, 2010.
[31] C. Gabriel, C. Wittmann, D. Sych, R. Dong, W. Mauerer, U. Andersen, C. Mar-
quardt, and G. Leuchs, “A generator for unique quantum random numbers based
on vacuum states,” Nature Photonics, vol. 4, pp. 711–715, 2010.
[32] http://www.idquantique.com
[33] http://www.intel.com/design/software/drivers/platform/security
[34] http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber
generator
[35] F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping
attack in a practical quantum key distribution system,” New Journal of Physics,
vol. 12, no. 113026, 2010.
[36] F. Xu, B. Qi, X. Ma, H. Xu, H. Zheng, and H.-K. Lo, “An ultrafast quantum
random number generator based on quantum phase fluctuations,” Arxiv preprint
arXiv:1109.0643, 2011.
[37] M. Sasaki et al., “Field test of quantum key distribution in the Tokyo QKD network,”
Optics Express, vol. 19, no. 11, pp. 10387–10409, 2011.
[38] D. Stucki, N. Walenta, F. Vannel, R. Thew, N. Gisin, H. Zbinden, S. Gray, C. Tow-
ery, and S. Ten, “High rate, long-distance quantum key distribution over 250 km
of ultra low loss fibres,” New Journal of Physics, vol. 11, p. 075003, 2009.
[39] C. Elliott et al., “Current status of the DARPA quantum network,” in Proceedings of
SPIE, the International Society for Optical Engineering, pp. 138–149, 2005.
[40] M. Peev et al., “The SECOQC quantum key distribution network in Vienna,” New
Journal of Physics, vol. 11, p. 075001, 2009.
[41] F. Xu et al., “Field experiment on a robust hierarchical metropolitan quantum
cryptography network,” Chinese Science Bulletin, vol. 54, no. 17, pp. 2991–2997,
2009.
[42] T.-Y. Chen et al., “Field test of a practical secure communication network with
decoy-state quantum cryptography,” Opt. Express, vol. 17, no. 8, pp. 6540–6549,
2009.
[43] http://www.magiqtech.com/MagiQ/Home
[44] M. Wegman and J. Carter, “New hash functions and their use in authentication and
set equality,” Journal of computer and system sciences, vol. 22, no. 3, pp. 265–279,
1981.
[45] D. Gottesman and H.-K. Lo, “Proof of security of quantum key distribution with
two-way classical communications,” IEEE Transactions on Information Theory,
vol. 49, no. 2, pp. 457–475, 2003.
[46] H. Chau, “Practical scheme to share a secret key through a quantum channel with a 27.6% bit error rate,” Physical Review A, vol. 66, no. 060302, 2002.
[47] G. Brassard, N. Lütkenhaus, T. Mor, and B. Sanders, “Limitations on practical quantum cryptography,” Physical Review Letters, vol. 85, no. 6, pp. 1330–1333, 2000.
[48] W. Hwang, “Quantum key distribution with high loss: Toward global secure communication,” Physical Review Letters, vol. 91, no. 57901, 2003.
[49] H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Physical Review Letters, vol. 94, no. 230504, 2005.
[50] X. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Physical Review Letters, vol. 94, no. 230503, 2005.
[51] A. Uchida et al., “Fast physical random bit generation with chaotic semiconductor lasers,” Nature Photonics, vol. 2, no. 12, pp. 728–732, 2008.
[52] T. Murphy and R. Roy, “Chaotic lasers: The world’s fastest dice,” Nature Photonics, vol. 2, no. 12, pp. 714–715, 2008.
[53] I. Reidler, Y. Aviad, M. Rosenbluh, and I. Kanter, “Ultrahigh-speed random number generation based on a chaotic semiconductor laser,” Physical Review Letters, vol. 103, no. 24102, 2009.
[54] I. Kanter, Y. Aviad, I. Reidler, E. Cohen, and M. Rosenbluh, “An optical ultrafast random bit generator,” Nature Photonics, vol. 4, no. 1, pp. 58–61, 2009.
[55] B. Qi, Y.-M. Chi, H.-K. Lo, and L. Qian, “High-speed quantum random number generation by measuring phase noise of a single-mode laser,” in Proceedings of the 9th Asian Conference on Quantum Information Science (AQIS), pp. 64–65, 2009.
[56] B. Qi, Y.-M. Chi, H.-K. Lo, and L. Qian, “High-speed quantum random number generation by measuring phase noise of a single-mode laser,” Optics Letters, vol. 35, no. 3, pp. 312–314, 2010.
[57] H. Guo, W. Tang, Y. Liu, and W. Wei, “Truly random number generation based on measurement of phase noise of a laser,” Physical Review E, vol. 81, no. 051137, 2010.
[58] H. Takesue, S. Nam, Q. Zhang, R. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, “Quantum key distribution over a 40-dB channel loss using superconducting single-photon detectors,” Nature Photonics, vol. 1, no. 6, pp. 343–348, 2007.
[59] A. Ekert, “Quantum cryptography based on Bell’s theorem,” Physical Review Letters, vol. 67, no. 6, pp. 661–663, 1991.
[60] C. Bennett, G. Brassard, and N. Mermin, “Quantum cryptography without Bell’s theorem,” Physical Review Letters, vol. 68, no. 5, pp. 557–559, 1992.
[61] T. Ladd, F. Jelezko, R. Laflamme, Y. Nakamura, C. Monroe, and J. O’Brien, “Quantum computers,” Nature, vol. 464, no. 7285, pp. 45–53, 2010.
[62] W. Buttler, R. Hughes, P. Kwiat, S. Lamoreaux, G. Luther, G. Morgan, J. Nordholt, C. Peterson, and C. Simmons, “Practical free-space quantum key distribution over 1 km,” Physical Review Letters, vol. 81, no. 15, pp. 3283–3286, 1998.
[63] R. Hughes, W. Buttler, P. Kwiat, S. Lamoreaux, G. Morgan, J. Nordholt, and C. Peterson, “Quantum cryptography for secure satellite communications,” in IEEE Aerospace Conference Proceedings, vol. 1, pp. 191–200, IEEE, 2000.
[64] C. Kurtsiefer, P. Zarda, M. Halder, H. Weinfurter, P. Gorman, P. Tapster, and J. Rarity, “A step towards global key distribution,” Nature, vol. 419, no. 6906, p. 450, 2002.
[65] C. Peng et al., “Experimental free-space distribution of entangled photon pairs over 13 km: towards satellite-based global quantum communication,” Physical Review Letters, vol. 94, no. 15, p. 150501, 2005.
[66] S. Cova, M. Ghioni, A. Lotito, I. Rech, and F. Zappa, “Evolution and prospects for single-photon avalanche diodes and quenching circuits,” Journal of Modern Optics, vol. 51, no. 9-10, pp. 1267–1288, 2004.
[67] Z. Yuan, J. Dynes, and A. Shields, “Avoiding the blinding attack in QKD,” Nature Photonics, vol. 4, no. 12, pp. 800–801, 2010.
[68] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Avoiding the blinding attack in QKD,” Nature Photonics, vol. 4, no. 12, p. 801, 2010.
[69] R. Hadfield, “Single-photon detectors for optical quantum information applications,” Nature Photonics, vol. 3, no. 12, pp. 696–705, 2009.
[70] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin, “‘Plug and play’ systems for quantum cryptography,” Applied Physics Letters, vol. 70, no. 793, 1997.
[71] T. Nishioka, H. Ishizuka, T. Hasegawa, and J. Abe, “Circular type quantum key distribution,” IEEE Photonics Technology Letters, vol. 14, no. 4, pp. 576–578, 2002.
[72] P. Townsend, “Secure key distribution system based on quantum cryptography,” Electronics Letters, vol. 30, no. 10, pp. 809–811, 1994.
[73] C. Fung, B. Qi, K. Tamaki, and H.-K. Lo, “Phase-remapping attack in practical quantum-key-distribution systems,” Physical Review A, vol. 75, no. 3, p. 032314, 2007.
[74] A. Yariv and P. Yeh, Photonics: Optical electronics in modern communications. Oxford University Press, 2007.
[75] N. Metropolis and S. Ulam, “The Monte Carlo method,” Journal of the American Statistical Association, vol. 44, no. 247, pp. 335–341, 1949.
[76] B. Schneier and P. Sutherland, Applied cryptography: protocols, algorithms, and source code in C. John Wiley & Sons, NY, USA, 1995.
[77] M. Wayne, E. Jeffrey, G. Akselrod, and P. Kwiat, “Photon arrival time quantum random number generation,” Journal of Modern Optics, vol. 56, no. 4, pp. 516–522, 2009.
[78] M. Wayne and P. Kwiat, “Low-bias high-speed quantum random number generator via shaped optical pulses,” Optics Express, vol. 18, no. 9, pp. 9351–9357, 2010.
[79] L. Yu, M. Yang, P. Wang, and S. Kawata, “Note: A sampling method for quantum random bit generation,” Review of Scientific Instruments, vol. 81, p. 046107, 2010.
[80] M. Wahl, M. Leifgen, M. Berlin, T. Röhlicke, H. Rahn, and O. Benson, “An ultrafast quantum random number generator with provably bounded output bias based on photon arrival time measurements,” Applied Physics Letters, vol. 98, p. 171105, 2011.
[81] M. Fürst, H. Weier, S. Nauerth, D. Marangon, C. Kurtsiefer, and H. Weinfurter, “High speed optical quantum random number generation,” Optics Express, vol. 18, no. 12, pp. 13029–13037, 2010.
[82] M. Ren, E. Wu, Y. Liang, Y. Jian, G. Wu, and H. Zeng, “Quantum random-number generator based on a photon-number-resolving detector,” Physical Review A, vol. 83, no. 023820, 2011.
[83] Y. Jian, M. Ren, E. Wu, G. Wu, and H. Zeng, “Two-bit quantum random number generator based on photon-number-resolving detection,” Review of Scientific Instruments, vol. 82, no. 7, p. 073109, 2011.
[84] M. Jofre, M. Curty, F. Steinlechner, G. Anzolin, J. Torres, M. Mitchell, and V. Pruneri, “True random numbers from amplified quantum vacuum,” Optics Express, vol. 19, no. 21, pp. 20665–20672, 2011.
[85] T. Symul, S. Assad, and P. Lam, “Real time demonstration of high bitrate quantum random number generation with coherent laser light,” Applied Physics Letters, vol. 98, p. 231103, 2011.
[86] L. Trevisan, “Extractors and pseudorandom generators,” Journal of the ACM, vol. 48, p. 2001, 1999.
[87] R. Shaltiel, “Recent developments in explicit constructions of extractors,” Current Trends in Theoretical Computer Science: The Challenge of the New Century, 2004.
[88] C. Henry, “Theory of the linewidth of semiconductor lasers,” IEEE Journal of Quantum Electronics, vol. 18, no. 2, pp. 259–264, 1982.
[89] K. Petermann, Laser diode modulation and noise. Springer, 1988.
[90] http://www.stat.fsu.edu/pub/diehard
[91] http://csrc.nist.gov/groups/ST/toolkit/rng
[92] N. Nisan and A. Ta-Shma, “Extracting randomness: A survey and new constructions,” Journal of Computer and System Sciences, vol. 58, no. 1, pp. 148–173, 1999.
[93] C. Bennett, G. Brassard, C. Crépeau, and U. Maurer, “Generalized privacy amplification,” IEEE Transactions on Information Theory, vol. 41, no. 6, pp. 1915–1923, 1995.
[94] Y. Mansour, N. Nisan, and P. Tiwari, “The computational complexity of universal hashing,” Theoretical Computer Science, vol. 107, pp. 235–243, 2002.
[95] H. Krawczyk, “LFSR-based hashing and authentication,” in Advances in Cryptology - CRYPTO ’94, Lecture Notes in Computer Science, vol. 893, pp. 129–139, Springer-Verlag, 1994.
[96] M. N. Wegman and J. L. Carter, “Universal classes of hash functions,” Journal of Computer and System Sciences, vol. 18, pp. 143–154, 1979.
[97] R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random generation from one-way functions,” in Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, STOC ’89, (New York, NY, USA), pp. 12–24, ACM, 1989.
[98] X. Ma, C.-H. F. Fung, J.-C. Boileau, and H. Chau, “Universally composable and customizable post-processing for practical quantum key distribution,” Computers and Security, vol. 30, no. 4, pp. 172–177, 2011.
[99] P. L’Ecuyer and R. Simard, “TestU01: A C library for empirical testing of random number generators,” ACM Transactions on Mathematical Software (TOMS), vol. 33, no. 4, Article 22, 2007.
[100] R. Raz, O. Reingold, and S. Vadhan, “Extracting all the randomness and reducing the error in Trevisan’s extractors,” in Proceedings of the 31st Annual ACM Symposium on Theory of Computing, pp. 149–158, 1999.
[101] R. Raz, O. Reingold, and S. Vadhan, “Extracting all the randomness and reducing the error in Trevisan’s extractors,” Journal of Computer and System Sciences, vol. 65, no. 1, pp. 97–128, 2002.
[102] N. Nisan and A. Wigderson, “Hardness vs randomness,” Journal of Computer and System Sciences, vol. 49, pp. 149–167, 1994.
[103] X. Ma and X. Tan, “An explicit combinatorial design,” arXiv preprint arXiv:1109.6147, 2011.
[104] D. E. Knuth, The art of computer programming: seminumerical algorithms. Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 1997.
[105] L. Lydersen, J. Skaar, and V. Makarov, “Tailored bright illumination attack on distributed-phase-reference protocols,” Journal of Modern Optics, vol. 58, no. 8, pp. 680–685, 2011.
[106] I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Perfect eavesdropping on a quantum cryptography system,” Nature Communications, vol. 2, no. 349, 2011.
[107] V. Makarov, “Controlling passively quenched single photon detectors by bright light,” New Journal of Physics, vol. 11, no. 065003, 2009.
[108] S. Sauge, L. Lydersen, A. Anisimov, J. Skaar, and V. Makarov, “Controlling an actively-quenched single photon detector with bright light,” arXiv preprint arXiv:0809.3408, 2008.
[109] L. Lydersen, M. Akhlaghi, A. Majedi, J. Skaar, and V. Makarov, “Controlling a superconducting nanowire single-photon detector using tailored bright illumination,” arXiv preprint arXiv:1106.2396, 2011.
[110] Z. Yuan, J. Dynes, and A. Shields, “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography,” Applied Physics Letters, vol. 98, no. 231104, 2011.
[111] A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, “Device-independent security of quantum cryptography against collective attacks,” Physical Review Letters, vol. 98, p. 230501, 2007.
[112] H.-K. Lo, M. Curty, and B. Qi, “Measurement device independent quantum key distribution,” arXiv preprint arXiv:1109.1473, 2011.
[113] S. Sun, M. Jiang, and L. Liang, “Passive Faraday-mirror attack in a practical two-way quantum-key-distribution system,” Physical Review A, vol. 83, no. 062331, 2011.
[114] N. Jain, C. Wittmann, L. Lydersen, C. Wiechers, D. Elser, C. Marquardt, V. Makarov, and G. Leuchs, “Device calibration impacts security of quantum key distribution,” Physical Review Letters, vol. 107, no. 110501, 2011.
[115] H. Li, S. Wang, J. Huang, W. Chen, Z. Yin, F. Li, Z. Zhou, D. Liu, Y. Zhang, G. Guo, W. Bao, and Z. Han, “Attacking practical quantum key distribution system with wavelength dependent beam splitter and multi-wavelength sources,” arXiv preprint arXiv:1110.4574, 2011.
[116] D. Rogers, J. Bienfang, A. Nakassis, H. Xu, and C. Clark, “Detector dead-time effects and paralyzability in high-speed quantum key distribution,” New Journal of Physics, vol. 9, p. 319, 2007.
[117] V. Burenkov, B. Qi, B. Fortescue, and H. Lo, “Security of high speed quantum key distribution with finite detector dead time,” arXiv preprint arXiv:1005.0272, 2010.
[118] H. Weier, H. Krauss, M. Rau, M. Fuerst, S. Nauerth, and H. Weinfurter, “Quantum eavesdropping without interception: An attack exploiting the dead time of single photon detectors,” New Journal of Physics, vol. 13, p. 073024, 2011.
[119] C. Weedbrook, S. Pirandola, R. García-Patrón, N. Cerf, T. Ralph, J. Shapiro, and S. Lloyd, “Gaussian quantum information,” arXiv preprint arXiv:1110.3234, 2011.
[120] C. Williams, J. Salevan, X. Li, R. Roy, and T. Murphy, “Fast physical random number generator using amplified spontaneous emission,” Optics Express, vol. 18, pp. 23584–23597, 2010.
[121] X. Li, A. Cohen, T. Murphy, and R. Roy, “Scalable parallel physical random number generator based on a superluminescent LED,” Optics Letters, vol. 36, no. 6, pp. 1020–1022, 2011.
[122] L. Duan, M. Lukin, J. Cirac, and P. Zoller, “Long-distance quantum communication with atomic ensembles and linear optics,” Nature, vol. 414, no. 6862, p. 413, 2001.
[123] D. Wackerly, W. Mendenhall, and R. Scheaffer, Mathematical statistics with applications. Thomson, Brooks/Cole, 2008.