
Page 1: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Practical Issues in Quantum Cryptography

by

Feihu Xu

A thesis submitted in conformity with the requirements for the degree of Master of Applied Science

Graduate Department of Electrical & Computer Engineering

University of Toronto

Copyright © 2012 by Feihu Xu


Abstract

Practical Issues in Quantum Cryptography

Feihu Xu

Master of Applied Science

Graduate Department of Electrical & Computer Engineering

University of Toronto

2012

Cryptography plays a key role in our lives, from computer passwords to electronic commerce to national military security. The most widely used modern encryption schemes are public-key algorithms. However, the security of every public-key algorithm rests on unproven computational assumptions, so a fast algorithm for the underlying hard problem would compromise it. Quantum cryptography, or quantum key distribution (QKD), is instead a key-distribution method whose security does not depend on computational assumptions: in principle, QKD provides unconditional security based on the fundamental laws of quantum physics. Unfortunately, real-life implementations of a QKD system may contain overlooked imperfections that break the security of QKD in practice. It is vital to explore these imperfections. In this thesis, I study two practical issues in quantum cryptography: i) a security loophole in a QKD system caused by imperfect quantum state preparation; ii) how to generate high-speed truly random numbers.

i) Discovering a security loophole in a commercial QKD system: One key assumption in QKD is that the sender (Alice) can prepare the required quantum states without errors. Such an assumption may be violated in a practical QKD system. I perform a proof-of-principle experiment demonstrating a technically feasible quantum attack, the phase-remapping attack, that exploits this loophole in a commercial QKD system.

ii) Generating high-speed truly random numbers: An essential element of QKD is a quantum random number generator (QRNG), which generates true randomness by exploiting the indeterminism of quantum mechanics. However, because quantum effects are difficult to measure in real setups, most approaches to QRNG are limited in speed. Here, I propose and experimentally demonstrate an ultrafast QRNG at a rate over 6 Gb/s, based on the quantum phase fluctuations of a laser. Moreover, I consider a potential adversary who has partial knowledge of the raw data and discuss how such partial knowledge can be rigorously removed by post-processing.


Acknowledgements

I would like to take this opportunity to thank various people for making my M.A.Sc.

study in the University of Toronto an exciting experience. First and foremost, I owe my

deepest gratitude to my supervisor, Prof. Hoi-Kwong Lo, who has supported me with

his patience and knowledge during the past two years. I am grateful to him for many

useful discussions that motivated me.

I would extend my thanks to Dr. Bing Qi, who is my experimental supervisor and

kindly teaches me everything in our quantum information technology lab. It has been

a great honor to work with him. I am also deeply appreciate the help and advice from

Prof. Li Qian and Dr. Xiongfeng Ma, who provide many invaluable suggestions for my

research as well as for my future career. Special thanks are extended to Prof. Joyce

Poon, Prof. Ben Liang, and Prof. Ashish Khisti for their time and willingness to serve

on my thesis committee.

Next, it is a pleasure to thank a friendly and cheerful group of fellow students, He

Xu, Jiancheng Xuan, Haoxuan Zheng, Viacheslav Burenkov, Zhiyuan Tang, Wei Cui,

Dongpeng Kang, Fei Ye, Chao Zhuang, Xiaofeng Xu, David Lynall for many stimulating

discussions. I have also largely benefited from the inspiring discussions with many out-

standing scientists. In particular, I would like to thank Dr. Christian Weedbrook, Dr.

Eric Chritambar, Dr. Vadim Makarov, Dr. Chi-Hang Fred Fung, Dr. Kiyoshi Tamaki,

Dr. Richard Hughes and Dr. Zhiliang Yuan.

Finally and most importantly, I am very grateful to my family for their endless en-

couragement and support. This thesis is dedicated to my dear Alice.


Contents

1 Introduction ... 1
1.1 Motivation ... 1
1.1.1 Cryptography ... 2
1.1.2 Quantum cryptography ... 3
1.1.3 Imperfections of practical quantum cryptography ... 4
1.1.4 Truly random number generator ... 4
1.2 Highlight and Outline ... 6
1.3 Publications and Presentations ... 6

2 Elements of Practical Quantum Key Distribution (QKD) ... 8
2.1 BB84 protocol ... 8
2.2 Intercept-and-resend attack ... 10
2.3 Security proofs ... 11
2.4 QKD implementation ... 12
2.4.1 Basic components ... 12
2.4.2 Plug-and-Play QKD system ... 16
2.5 Quantum hacking ... 17
2.5.1 Attacks on quantum state detection ... 17
2.5.2 Attacks on quantum state preparation ... 19

3 Experimental Phase-Remapping Attack ... 21
3.1 Practical attack strategy ... 21
3.2 Experiment ... 22
3.2.1 Experimental setup ... 22
3.2.2 Polarization control ... 24
3.2.3 Minimized quantum bit error rate ... 26
3.3 Results ... 27
3.3.1 Theoretical quantum bit error rate ... 29
3.3.2 Experimental quantum bit error rate ... 30
3.4 Discussions ... 31
3.4.1 Optimization of the attack ... 31
3.4.2 Countermeasures ... 32
3.5 Conclusions ... 33

4 High-speed quantum random number generator ... 34
4.1 Introduction ... 34
4.2 Experimental demonstration ... 37
4.2.1 Physical model ... 38
4.2.2 Parameters optimization ... 39
4.2.3 Experimental procedures ... 40
4.3 Quantum min-entropy evaluation ... 42
4.4 Randomness extraction ... 45
4.4.1 Extraction schemes: Review ... 45
4.4.2 Toeplitz-hashing extractor ... 47
4.4.3 Trevisan's extractor ... 49
4.5 Randomness verification ... 50
4.5.1 Statistical tests ... 50
4.5.2 Autocorrelation ... 51
4.6 Discussions and conclusions ... 51

5 Conclusion and Outlook ... 55
5.1 Conclusion ... 55
5.1.1 Phase-remapping attack ... 55
5.1.2 Quantum random number generator ... 56
5.2 Outlook ... 56
5.2.1 Detector-control attack ... 56
5.2.2 Other quantum attacks ... 57
5.2.3 Quantum random number generator ... 59
5.2.4 Practical QKD ... 60
5.3 Thoughts on future QKD ... 61

A Temperature control ... 62
A.1 Temperature accuracy ... 62
A.2 Temperature controller ... 63

B Laser Noise Characterization in Frequency Domain ... 65
B.1 Parameters quantification ... 65
B.2 Quantum and classical phase noise ... 67

C Statistical tests ... 70
C.1 Statistical test suites ... 70
C.2 Test results ... 71

Bibliography ... 71


Chapter 1

Introduction

1.1 Motivation

The introduction of the Internet has enriched many lives by offering users a wealth of information and convenience. One of these conveniences is online shopping, the ability to make purchases and other financial transactions online. However, Internet security has become an increasingly important issue, and many people question whether the information they divulge when making online purchases is really secure. Although current technology protects this information from today's attackers, it will become vulnerable once a large-scale quantum computer is built. In a current secure communication system, the component that future technology can compromise is the encryption algorithm. The most widely used modern encryption schemes are public-key algorithms, whose security relies on unproven computational assumptions; a fast algorithm for the underlying hard problem would break them. Indeed, a quantum computer can efficiently break the standard public-key systems via Shor's quantum algorithm.

In contrast to public-key encryption, quantum cryptography (QC) is a key-distribution method whose security is based on the laws of quantum physics rather than on computational assumptions. In the past decade, the unconditional security of QC has been rigorously proven, and various QC networks have been demonstrated in the USA, Europe, China, and Japan. Unfortunately, a crucial problem in QC is the large gap between its theory and practice caused by imperfections in real-life implementations. An adversary may exploit these imperfections to launch specific attacks. In this thesis, my primary interest is to address some of these imperfections and their security consequences in a practical QC system.


Chapter 1. Introduction 2

1.1.1 Cryptography

Cryptography is the art of secret writing and reading. More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries. Cryptography plays a key role in our lives, from computer passwords to electronic commerce to national military security. Modern cryptography can be divided into two categories, asymmetric and symmetric, depending on whether the encryption and decryption keys are different or the same.

Asymmetric or public-key cryptography uses different keys for encryption and decryption. The principle was proposed in 1976 by W. Diffie and M. Hellman [1]. The first practical implementation, commonly known as RSA, was developed by R. Rivest, A. Shamir, and L. Adleman in 1978 [2]. RSA remains the most widely deployed public-key algorithm. However, the security of public-key cryptosystems relies on unproven computational assumptions. For example, the security of a standard RSA system is based on the difficulty of factoring a large composite number. So far, it has not been possible to prove whether factoring is really hard, which leaves open the possibility of a fast classical factoring algorithm. Moreover, a quantum computer can break a standard RSA system via Shor's quantum algorithm, a polynomial-time algorithm for factoring [3].

Symmetric cryptography, on the other hand, uses a single key for both encryption and decryption. Among symmetric cryptosystems an unbreakable cipher does exist: the one-time pad (OTP), invented by Gilbert Vernam in 1917 [4]. The principle of the OTP is as follows. The sender (Alice) and the receiver (Bob) first share a private random key. The message (plaintext) is converted into binary form by a public method and then combined with the random key to produce the ciphertext, typically by an XOR¹ of the message with the key. For the OTP to be secure, the key must be uniformly random, at least as long as the message, and used only once. Three decades after the OTP was proposed, Shannon proved that it provides perfect secrecy: the ciphertext gives no additional information about the message [5].
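The XOR one-time pad just described, together with the reason its key must never be reused, as an added worked example (this code is not from the thesis; the two messages and the crib Eve guesses are constructed samples):

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Vernam one-time pad: XOR each plaintext byte with the matching key byte.

    Secure only if the key is uniformly random, at least as long as the
    message, and never reused.  The length condition is enforced here;
    reuse is the misuse demonstrated by two_time_pad_leak() below.
    """
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If the same pad encrypts two messages, the key cancels:
    ct1 XOR ct2 == pt1 XOR pt2, which Eve computes without knowing the key."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def crib_drag(pt_xor: bytes, crib: bytes, offset: int) -> bytes:
    """Given pt1 XOR pt2 and a guess ('crib') for pt1 at `offset`,
    recover the bytes of pt2 at that offset."""
    segment = pt_xor[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(segment, crib))


def demo() -> dict:
    """Correct use, then the classic misuse, on two constructed messages."""
    key = os.urandom(64)
    m1 = b"transfer 100 to alice"      # constructed sample messages
    m2 = b"transfer 999 to mallory"
    c1 = otp_encrypt(m1, key)
    roundtrip_ok = otp_decrypt(c1, key) == m1

    # Misuse: the same pad is used a second time.
    c2 = otp_encrypt(m2, key)
    leak = two_time_pad_leak(c1, c2)
    # Eve guesses that m1 carries the amount "100" at byte offset 9 ...
    recovered = crib_drag(leak, b"100", 9)
    # ... and thereby reads the corresponding bytes of m2 ("999").
    return {"roundtrip_ok": roundtrip_ok, "recovered_from_m2": recovered}


if __name__ == "__main__":
    print(demo())
```

The leak function is the whole argument for "used only once": Shannon's perfect secrecy holds per key use, and the second use hands Eve the XOR of two plaintexts, which is breakable by guessing structure in either one.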

The OTP is unbreakable, but it has a serious drawback: Alice and Bob must initially share a secret key as long as the message. Is there an efficient way for Alice and Bob to share such a key? This is the so-called key distribution problem. One solution is trusted couriers, but couriers can be bribed or compromised in real life. Another solution is a public-key cryptosystem, but, as mentioned earlier, its security rests only on unproven computational assumptions, so the whole implementation can be compromised. If classical communication and classical physics cannot provide an optimal solution to the key distribution problem, quantum mechanics, or more precisely quantum cryptography, offers a solution whose security does not rest on computational assumptions.

¹ The logical operation exclusive disjunction, also called exclusive or, is a logical operation on two logical values, typically the values of two propositions, that produces a value of true only when the truth values of the operands differ.

1.1.2 Quantum cryptography

The idea of using quantum physics to accomplish tasks impossible in classical information was first raised in the early 1970s by Stephen Wiesner, who proposed counterfeit-proof quantum money. His paper was rejected and could not be published until a decade later [6]. In 1984, Charles H. Bennett and Gilles Brassard applied Wiesner's idea to the key distribution problem of classical cryptography and published the famous Bennett-Brassard-1984 (BB84) protocol [7].

Quantum cryptography, or quantum key distribution (QKD) [8, 9, 10, 11], is an unconditionally secure means of distributing secret keys between Alice and Bob. Its security is rigorously based on the fundamental laws of quantum physics. In QKD, an encryption key is generated randomly using quantum states. In contrast to classical physics, quantum mechanics has a no-cloning theorem [12]: an unknown quantum state cannot be perfectly copied. This theorem is closely related to another important result, that information gain implies disturbance: given one state of a quantum system chosen from a set of distinct non-orthogonal states, any operation that gains information about the state necessarily disturbs it.

The picture of how QKD works is as follows. If an eavesdropper (Eve) attempts to learn information about signals (quantum states, for instance photons) sent through a quantum channel, she has to perform measurements on them, and these measurements generally disturb their state. Alice and Bob can catch an eavesdropper by searching for traces of this disturbance, for example by checking the bit error rate of a random sample of the raw transmission data. The absence of disturbance assures Alice and Bob that Eve has no information about the transmitted quantum signals. Therefore, the security of QKD is guaranteed by the quantum no-cloning theorem. The best-known QKD protocol is the BB84 protocol [7], which is discussed in Section 2.1.

1.1.3 Imperfections of practical quantum cryptography

The unconditional security of QKD is based on the laws of quantum mechanics and has been rigorously proven during the past decade [13, 14, 15]. Nevertheless, owing to imperfections in real-life implementations of QKD, there is still a large gap between its theory and practice. To connect theory with practice, security proofs of QKD already account for some of these imperfections, such as weak coherent pulses, detector dark counts [16, 17], and detector efficiency mismatch [18]. Unfortunately, a practical QKD system has many other imperfections, and Eve may try to exploit them to launch quantum hacking attacks not covered by the original security proofs. Can a small unnoticed imperfection spoil the security of an otherwise carefully designed QKD system? This question has drawn a lot of attention.

Various quantum attacks have been proposed, including the Trojan-horse attack [19, 20], the faked-state attack [21], the time-shift attack [22, 23], and the detector-control attack [24]. The time-shift attack [23] and the detector-control attack [24] have already been successfully demonstrated against commercial QKD systems. To close the gap between the theory and the practice of QKD, it is important to investigate these hacking strategies. Previous studies, however, have largely concentrated on imperfections in the quantum-state-detection stage of a QKD process. For instance, both the faked-state attack [21] and the time-shift attack [22, 23] exploit the detection-efficiency mismatch between the two detectors of a standard QKD system. Hence, a natural question is: are there any security loopholes in the quantum-state-preparation stage of QKD? One of my primary interests in this thesis is addressing such a loophole in a practical QKD system with imperfect quantum state preparation. We experimentally investigate a specific quantum hacking strategy, the phase-remapping attack, against a widely used commercial QKD system. Fig. 1.1 shows the commercial ID-500 QKD system (manufactured by ID Quantique) that I cracked in our lab.

1.1.4 Truly random number generator

Another potential imperfection in QKD is the requirement for a truly random number generator (RNG). An RNG is an essential element because most QKD protocols require Alice and Bob to actively choose random bases and signals. Moreover, in all security proofs of QKD, a fundamental assumption is that Alice and Bob can generate perfectly random numbers. Traditionally, pseudo-RNGs based on computer algorithms have been used for such applications; being deterministic, however, they cannot produce truly random numbers with provable randomness. In contrast, a quantum RNG can generate true randomness by exploiting the fundamental indeterminism of quantum physics [25]. In the past decade, several quantum RNGs based on different schemes have been demonstrated [25, 26, 27, 28, 29, 30, 31], and commercial products have appeared on the market [32]. Intel integrates an analog hardware RNG based on thermal noise in some of its chips [33, 34]. Unfortunately, because quantum effects are difficult to measure in real setups, most approaches to quantum RNG are limited in speed (typically near 20 Mbit/s). Furthermore, in practice the quantum randomness may be contaminated by classical noise, which Eve may observe or even control.

Figure 1.1: ID-500 commercial QKD system in our lab (manufactured by ID Quantique).

In this thesis, an ultrafast quantum RNG is proposed and experimentally demonstrated, together with a rigorous method to remove the contamination of classical noise. Our approach is based on measuring the quantum phase fluctuations of a laser operating near its threshold.


1.2 Highlight and Outline

• In Chapter 2, the preliminaries of QKD, including the BB84 QKD protocol, security proofs, real-life QKD implementations, and quantum hacking, are presented.

• In Chapter 3, one of the first successful quantum attacks, the phase-remapping attack, against a widely used commercial QKD system is experimentally demonstrated. This work has been published in Ref. [35], and I was the first author. The demonstration highlights not only the vulnerabilities of practical QKD systems but also the importance for QKD researchers of redoubling their efforts on the study of the imperfections of QKD and their countermeasures. After publication, this work was widely reported in the news media, including articles in Nature, The Economist, New Scientist, Physics World, MIT Technology Review, and others. It has been cited 24 times according to Google Scholar.

• In Chapter 4, the world's fastest truly random number generator is presented. A preprint of this work has been posted [36], and I was the first author. The approach is to measure the quantum phase fluctuations of a laser. The key advantages of our approach are simplicity, high speed, and information-theoretically provable randomness. This work not only demonstrates the large potential of quantum phase fluctuations as a true entropy source for random number generation, but also highlights the importance of rigorously quantifying and distilling quantum randomness in a practical quantum RNG.

• In Chapter 5, I conclude my thesis with a summary and an outlook.

1.3 Publications and Presentations

Journal papers

• Feihu Xu, Bing Qi, and Hoi-Kwong Lo, "Experimental demonstration of phase-remapping attack in a practical quantum key distribution system", New Journal of Physics, 12, 113026, 2010.

• Feihu Xu, Bing Qi, Xiongfeng Ma, He Xu, Haoxuan Zheng, and Hoi-Kwong Lo, "An ultrafast quantum random number generator based on quantum phase fluctuations", submitted, 2011. [preprint arXiv:1109.0643]


Refereed conference proceedings

• Feihu Xu, Bing Qi, Xiongfeng Ma, He Xu, Haoxuan Zheng, and Hoi-Kwong Lo, "A high-speed quantum random number generator based on quantum phase fluctuations", in Proceedings of the 11th Asian Conference on Quantum Information Science (11th AQIS), 2011.

Conference talks

• Feihu Xu, "An ultrafast quantum random number generator with quantum phase fluctuations", contributed talk (25 min), QCRYPT 2011: First Annual Conference on Quantum Cryptography, Zurich, Switzerland (Sep. 2011)

• Feihu Xu, Bing Qi, "A high speed quantum random number generator based on quantum phase noise", contributed talk (20 min, presented by Bing Qi), 11th AQIS, Busan, Korea (Aug. 2011)

• Bing Qi, Feihu Xu, Viacheslav Burenkov, et al., "Security of practical quantum key distribution system", invited talk (presented by Bing Qi), Updating Quantum Cryptography and Communications (UQCC), Tokyo, Japan (Oct. 2010)

Poster presentations and conference attendance

• Feihu Xu, "A high speed quantum random number generator based on quantum phase noise", poster presentation, Conference on Quantum Information and Quantum Control IV (CQIQC IV), Toronto, Canada (Aug. 2011)

• Feihu Xu, "Experimental demonstration of phase-remapping attack in a practical quantum key distribution system", poster presentation, 10th Canada Research Chairs Conference (10th CRC), Toronto, Canada (Nov. 2010)

• Feihu Xu, "Experimental demonstration of phase-remapping attack in a practical quantum key distribution system", poster presentation, 10th International Conference on Quantum Communication, Measurement and Computation (10th QCMC), Brisbane, Australia (Jul. 2010)

• Feihu Xu, attendee, Tropical QKD conference, Institute for Quantum Computing, Waterloo, Canada (Jun. 2010)


Chapter 2

Elements of Practical Quantum Key Distribution (QKD)

"A theory is acceptable to us only if it is beautiful." - Albert Einstein

The first quantum information task to reach the level of practical application is quantum key distribution (QKD). In the past decade, QKD has developed dramatically in both theory and experiment. In theory, the security of QKD has been rigorously proven from the laws of quantum physics and information theory [13, 14, 15]. In experiment, QKD has achieved a key generation rate of over 1 Mbit/s [37] and a transmission distance of over 200 km [38]. Various QKD networks have been built in the USA [39], Europe [40], China [41, 42], and Japan [37]. There have also been demonstrations of QKD in a Swiss election and at the 2010 World Cup. Moreover, commercial QKD products, for instance the ID Quantique system [32] and the MagiQ system [43], have appeared on the market and have been used by a number of Swiss banks to encrypt critical traffic. Excellent up-to-date reviews [8, 9, 10, 11] summarize this development. In this chapter, we focus only on the few basics of QKD that are relevant to this thesis.

2.1 BB84 protocol

BB84 [7] is the best-known QKD protocol. Its basic tools are a quantum channel (such as an optical fiber) connecting Alice and Bob and an authenticated public classical channel (such as the Internet)¹. Information sent through the quantum channel is encoded in the quantum state of photons. Eve is allowed full control of the quantum channel, but she is not allowed to enter Alice's or Bob's laboratory to steal information. On the public channel, Eve may listen passively, but because the channel is authenticated she cannot modify the transmitted messages without detection.

Before introducing the procedure of BB84 protocol, it is important to be aware that

the quantum no-cloning theorem [12] cannot be applied to a set of orthogonal states. In

other words, at least two non-orthogonal bases should be employed to perform a secure

quantum communication. Basis represents how Alice encodes the random bits on the

quantum states. For instance, Alice can randomly choose two state bases, rectilinear

basis + and diagonal basis ×. In rectilinear basis, she uses horizontal polarization state

to represent bit 0 and vertical polarization state to represent bit 1. In diagonal basis, she

uses 45 degree polarization to represent bit 0 and 135 degree polarization to represent bit

1. In quantum mechanics, these two bases are complementary bases, whose measurement

operators do not commute with each other2. Hence, it is impossible to measure in both

basis simultaneously and measuring in one basis automatically disturbs the outcome in

the other basis.

In BB84 protocol, for each transmission between Alice and Bob, Alice randomly

chooses to use either rectilinear or diagonal basis to encode her random number. The

polarization of each photon is randomly chosen from a set of {horizontal, vertical, 45

degree, 135 degree}. Therefore, it is impossible for Eve to determine its polarization

state without knowing the encode basis chosen by Alice. If Eve uses a polarization beam

splitter to project the input photon into either horizontal or vertical polarization state,

which is called a measurement in rectilinear basis, then she will destroy information

encoded in diagonal basis, since a 45 degree or 135 degree polarized photon has the same

chance to be projected into either horizontal or vertical polarization state. As a result,

any operation by Eve to randomly choose the basis and perform the measurement will

introduce some errors, and these errors can be statistically calculated by Alice and Bob.

1An authenticated classical channel is essentially required in QKD. In classical cryptography, aninformation-theoretically secure authentication algorithm does exist, for instance the Wegman-Carteralgorithm [44], where authentication can be done with a rather short key. Authentication of an m-bit classical message requires only logarithmic in m-bit of an authentication key. Note that withoutauthentication by a pre-shared secret between Alice and Bob, Eve can disguise herself as Bob, whichleads the scheme not secure. Therefore, the goal of QKD is to allow Alice and Bob with a small amountof pre-shared secret to expand it into a much longer one.

2 In linear algebra, this corresponds to two non-commuting matrices, which in general cannot be simultaneously diagonalized.


This is the essence of the security of the BB84 protocol. The full procedure of the BB84 protocol is stated as follows (see Table 2.1).

1. Alice prepares a sequence of photons, each randomly chosen from one of the four polarizations (vertical, horizontal, 45 degrees and 135 degrees), and sends the sequence to Bob.

2. For each photon, Bob randomly chooses one of the two measurement bases (rectilinear basis or diagonal basis) to perform a measurement, and records his measurement basis and result (footnote 3).

3. Alice and Bob both broadcast their measurement bases.

4. Alice and Bob discard all events where they used different bases for a signal. The remaining results are called “sifted data”.

5. Alice randomly chooses a fraction of the remaining events as testing events, and she publicly broadcasts the testing events’ positions and polarizations. Bob then broadcasts the measured polarizations of the testing events.

6. Alice and Bob compute the quantum bit error rate (QBER) of the testing events. If the computed error rate is larger than some prescribed threshold value, they stop the process. Otherwise, they proceed to the next step.

7. Alice and Bob convert all remaining data into a binary string. They perform classical post-processing such as error correction and privacy amplification to generate a final key.

2.2 Intercept-and-resend attack

Let us see what happens if an eavesdropper (Eve) launches a simple “intercept and

resend” attack: For each photon sent from Alice, Eve performs a measurement in a

randomly chosen basis and re-sends a new photon to Bob according to her measurement

result. Let us focus on those cases when Alice and Bob happen to use the same basis

since they will throw away other cases. If Eve happens to use the correct basis (50%),

then both she and Bob will decode Alice’s bit value correctly. No error is introduced

3 Rectilinear and diagonal are two conjugate bases, where measurement in one basis randomizes the outcome of a measurement in the other basis.


Alice’s encoding bits          0   1   0   1   1   1   0   1
Alice’s basis                  ×   ×   +   +   +   ×   +   +
Alice’s photon polarization    ↗   ↖   ↔   ↕   ↕   ↖   ↔   ↕
Bob’s measurement basis        ×   ×   ×   +   ×   +   +   +
Bob’s measured result          ↗   ◦   ↗   ↕   ↕   ↔   ↔   ↕
Bob’s raw data                 0   -   0   1   1   0   0   1
Bob’s sifted data              0   -   -   1   -   -   0   1

Table 2.1: Schematics of BB84 protocol. +, rectilinear basis; ×, diagonal basis; ◦, photon lost.

by Eve. On the other hand, if Eve uses the wrong basis (50%), then both she and Bob

will have random measurement results. This suggests that if Alice and Bob compare a

subset of the sifted key, they will see a significant amount of errors, called quantum bit

error. Here, for these bits, the photons will be passed on to Bob in the wrong basis, so

regardless of Eve’s measurement result, Bob will have a 50% probability of measuring the

opposite of Alice’s bit value. In other words, Eve’s attack will introduce 50% quantum

bit error rate (QBER) for half of the total bits, and thus a total of 25% QBER. This

example illustrates the basic principle behind QKD: Eve can only gain information at

the cost of introducing errors, which will expose her existence.
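The seven protocol steps above and the intercept-and-resend attack of this section can be simulated with classical sampling, because all the statistics of this attack rest on one fact from footnote 3: a photon measured in its preparation basis reveals the encoded bit, and a photon measured in the conjugate basis yields a uniformly random bit. The following is an added example, not code from the thesis; the sample size, seed, test fraction and the 11% abort threshold (the Shor-Preskill bound quoted in Section 2.3) are the example's own choices.

```python
"""BB84 sifting, QBER estimation and the intercept-and-resend attack.

Added example (not code from the thesis). It models the polarization-coding
BB84 procedure of Section 2.1 (steps 1-6) and the intercept-and-resend attack
of Section 2.2 with classical sampling: a photon measured in its preparation
basis gives the encoded bit, a photon measured in the conjugate basis gives a
uniformly random bit. Sample size, seed, test fraction and abort threshold
are the example's own choices.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1   # the two BB84 bases ("+" and "x" in Table 2.1)


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a photon prepared as (bit, prep_basis) in meas_basis.

    Same basis: the encoded bit is recovered exactly. Conjugate basis: a 45 or
    135 degree photon is projected onto horizontal/vertical (or vice versa)
    with equal probability, so the outcome is a fair coin and the bit is lost.
    """
    if prep_basis == meas_basis:
        return bit
    return rng.randrange(2)


def run_bb84(n, eve=False, test_fraction=0.5, threshold=0.11, seed=1):
    """Run steps 1-6 of BB84 over n photons.

    With eve=True every photon is intercepted, measured in a random basis and
    re-sent as the state Eve observed (intercept-and-resend). Returns the sifted
    length, the QBER measured on the test events and the abort decision.
    """
    rng = random.Random(seed)
    # Step 1: Alice picks random bits and random bases.
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    # Step 2: Bob picks random measurement bases and records the outcomes.
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve:
            e_basis = rng.randrange(2)
            e_bit = measure(bit, a_basis, e_basis, rng)   # Eve measures ...
            bit, a_basis = e_bit, e_basis                  # ... and re-sends what she saw
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Steps 3-4: bases are announced; events with different bases are discarded.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    # Step 5: Alice picks a random fraction of the sifted events as test events.
    idx = list(range(len(sifted)))
    rng.shuffle(idx)
    n_test = int(len(sifted) * test_fraction)
    test_idx = set(idx[:n_test])
    # Step 6: QBER on the test events; abort above the prescribed threshold.
    errors = sum(1 for i in test_idx if sifted[i][0] != sifted[i][1])
    qber = errors / n_test if n_test else 0.0
    return {
        "sifted": len(sifted),
        "qber": qber,
        "abort": qber > threshold,
        "raw_key_bits": len(sifted) - n_test,   # input to step 7 (post-processing)
    }


if __name__ == "__main__":
    print("no Eve  :", run_bb84(40000))
    print("with Eve:", run_bb84(40000, eve=True))
```

Without Eve the sifted key has no errors and roughly half of the photons survive sifting; with the attack, half of the sifted bits were measured by Eve in the wrong basis and each of those is wrong with probability 1/2, so the measured QBER settles near the 25% stated above and the abort rule at step 6 fires.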

2.3 Security proofs

The basic idea of the BB84 protocol is beautiful, and its security can be intuitively understood from the quantum no-cloning theorem [12] as follows. Non-orthogonal quantum states cannot be perfectly distinguished. Thus, it is impossible for Eve to find out which state has been sent by Alice without knowing the basis. However, proving the security of QKD in a practical implementation is an extremely difficult problem, because it is very hard to take all of Eve’s possible attacks into account.

It took a long time after BB84 was proposed, but finally, the unconditional security

of QKD was proven [13, 14, 15]. Among the security proofs, the one by Shor and Preskill

[15] is very simple. Their proof essentially converts an entanglement distillation protocol

(EDP)-based QKD protocol proposed by Lo and Chau [14] to the BB84 protocol by using

the quantum error correction idea. With one-way classical communication between Alice

and Bob, Shor and Preskill’s proof shows that BB84 is secure whenever the QBER is less than 11% [15]. If two-way classical communication is allowed, the Gottesman-Lo proof [45] improves the tolerable QBER to 18.9%, which was further improved by Chau to 20% [46]. Note that the above QBER bounds apply only to perfect single-photon sources and in the asymptotic limit of infinitely many signals.

Security proofs of QKD were further extended to explicitly accommodate some imperfections in practical QKD settings [16, 17, 18]. One important imperfection is that the laser source used in practice emits weak coherent pulses (WCP), which occasionally contain more than one photon per signal (see subsection 2.4.1). Hence, it is not the single-photon source that the earlier security proofs [13, 14, 15] assumed. In particular, BB84 may become insecure when WCP with strong intensity are used. For instance, Eve can launch a so-called photon-number-splitting (PNS) attack [47], in which she blocks

all single-photon pulses and splits multi-photon pulses. She keeps one photon of each

of the split pulses to herself and forwards the rest to Bob through a lossless channel.

After the basis announcement by Alice and Bob, Eve can unambiguously identify the

bit values of the multi-photon signals of which she has kept copies, thereby learning the

entire secret key. Refs. [16, 17] have shown that secure QKD is still possible even with

a WCP source. However, the drawback is that the PNS attack puts severe limits on the

distance and the key generation rate of QKD. A novel solution to this problem is the

decoy-state QKD protocol [48, 49, 50], which uses extra test states, called “decoy states”,

to learn the properties of the channel (channel transmission) and the eavesdropping on

the key-generating signal states.

2.4 QKD implementation

2.4.1 Basic components

The basic components in a typical QKD setup are stated as follows.

• Random number generator: A random number generator (RNG) is an essential element for QKD because most QKD protocols require Alice and Bob to actively choose random bases/signals. Moreover, in all security proofs of QKD, the fundamental assumption is that Alice and Bob can generate perfectly random numbers. Traditionally, pseudo-RNGs based on computer algorithms have long been used for applications. Recently, physical RNGs based on the chaotic behaviour of semiconductor lasers have been proposed to generate fast random bits [51, 52, 53, 54]. However, due to their deterministic nature, neither scheme can generate truly random numbers with information-theoretically provable randomness. Quantum-RNG, on

the other hand, can generate true randomness from the fundamentally probabilistic

nature of quantum processes. In the past decade, several Quantum-RNG schemes,

such as single-photon detections [25, 26, 27], quantum non-locality [28, 29], and

vacuum state fluctuations [30, 31], have been demonstrated. Meanwhile, commer-

cial ones, like ID Quantique system [32], have already appeared on the market.

Unfortunately, due to the difficulties of measuring quantum effects, previous imple-

mentations have been limited to a relatively slow rate (typically near 20 Mbits/s).

In 2009, Qi et al. proposed and built a fast QRNG by measuring the quantum phase

fluctuations of a laser, which yields a speed of 500 Mb/s [55, 56]. A similar scheme

at a lower speed has also been demonstrated by Guo et al. [57]. Nonetheless, the key point is that the generation rates of all previous QRNGs are still too low for many

applications, such as high-speed QKD operating over gigahertz [58]. Furthermore,

in practice, some imperfections in the numbers generated by a quantum-RNG are

inevitable [29]. The theoretical foundation of QKD is still at risk because security

proofs (discussed above) all assume the existence of perfect RNGs and do not apply

to imperfect RNGs.

• Source: In most QKD implementations, the attenuated laser is commonly used as the source due to its simplicity and low cost. An attenuated laser source is essentially the same as the laser source used in classical optical communication, except that heavy attenuation is applied to it (usually attenuated to below 1 photon per pulse). The output state from a laser is a coherent state, which can be expressed as a Poissonian mixture of the different number states:

$$\rho = \sum_{n=0}^{\infty} \frac{e^{-\mu}\mu^{n}}{n!}\,|n\rangle\langle n| \qquad (2.1)$$

where |n⟩ is the number state with n photons (footnote 4), µ is the mean number of photons in a pulse, and phase randomization has been assumed. Attenuated lasers were considered to be non-ideal for BB84 as they always have some probability of emitting multi-photon pulses. Fortunately, as discussed in Section 2.3, the discovery of the decoy-state method [48, 49, 50] made weak coherent lasers much more appealing, without significant loss of performance in a BB84 QKD system.

4 In quantum mechanics, a physical state is represented by a state vector in a complex vector space. |•⟩ (called a ket) and ⟨•| (called a bra) are the two notations for physical states introduced by Dirac.


Another important class of QKD sources is the entangled photon source, which is used in the Ekert91 (footnote 5) [59] and the BBM92 [60] QKD protocols, and is an essential ingredient in quantum computing [61]. A widely used entangled photon source is based on parametric down-conversion, where a high-energy photon propagates through a highly non-linear crystal, producing two entangled photons with frequency halved.

• Quantum channel: The fundamental requirements for a quantum channel are

low-loss and preservation of quantum state (avoiding de-coherence from the en-

vironment). In practice, two types of channels have these desirable properties:

single-mode optical fiber and free-space.

Standard optical fibers have been developed and used in telecommunication for four decades. Currently, standard optical fiber is the most popular choice for QKD implementations, because it can easily connect two arbitrary points and be extended to a network. The loss α of an optical fiber is usually measured in dB/km. The probability for a single photon to be transmitted through an optical fiber of length l is given by 10^(−αl/10). The losses depend heavily on the wavelength of the photons, and are minimal in the two “telecom window wavelengths”: around 0.35 dB/km at 1330 nm, and 0.21 dB/km at 1550 nm. In QKD, since loss is critical for the transmission range and key generation rate, the 1550 nm wavelength is usually used. The main disadvantage of optical fiber is its birefringence. The strong polarization dispersion makes it hard to implement a polarization-coding system. Moreover, it has strong spectral dispersion, which affects high-speed QKD systems heavily, as the pulses are broadened and overlap with each other. Finally, the loss in fibers puts a limit on the longest distance that a fiber-based QKD system can reach (typically less than 400 km).

Free-space links have negligible polarization and frequency dispersion. There are “atmospheric transmission windows” with small loss (α < 0.1 dB/km) in clear weather, which makes free space an ideal link for polarization-coding QKD. Recently, free-space QKD has attracted more attention [62, 63, 64, 65]. Nonetheless, for long-distance communication, atmospheric fluctuations make it challenging to predict the arrival point of a photon and to align the optical beams. Another disadvantage of the free-space link is that it requires a line of sight between Alice and Bob. Buildings and mountains are serious obstacles for free-space QKD systems. The greatest motivation for open-air QKD schemes is the hope for ground-to-satellite and satellite-to-satellite quantum communication [63, 64, 65]. As there is negligible optical absorption in outer space, inter-continental quantum communication may be achievable with free-space QKD. Indeed, many countries, including the USA, Japan, China and Canada, have proposed building satellite-based quantum communication systems.

5 This QKD protocol is essentially connected to the fundamental testing of Bell’s inequality.

• Detector: In QKD, the most popular type of single-photon detector is the InGaAs avalanche photodiode (APD) [66]. Single-photon detectors are typically threshold detectors, i.e. the detector output is binary and distinguishes only between “0” and “one or more photons”. The InGaAs APD utilizes the avalanche effect of semiconductor diodes: a strong bias voltage is applied to the InGaAs diode, and an incident photon triggers an avalanche, generating a voltage pulse. The narrow band gap of InGaAs makes it possible to detect photons at telecom wavelengths. They normally work below −50 °C to lower the dark count rate (i.e. the rate of events in which the detector generates a detection click although no actual photon hits it). This temperature can be easily achieved by thermo-electric coolers. The quantum efficiency (detection efficiency) of InGaAs APDs is usually around 10%.

During an avalanche, carriers are trapped in impurities in the semiconductor. Hence, there is a high dark count probability due to the decay of trapped carriers after an avalanche. This is called the after-pulse effect. To reduce the after-pulse effect, the detector is usually deactivated for a time period after a detection event, called the “dead time”. The dead time should be set long enough that, when the detector is re-activated, the after-pulse effect is negligible (footnote 6). Moreover, in a practical QKD system, the APDs are often operated in gated mode, where the detectors are only activated when the photons are expected to hit them. This activated time period is called a gate. The gates are usually applied at a high repetition rate, and a number of gates is removed after a detection event, as in the id Quantique system [32]. Gated mode indeed reduces the dark count rate by several orders of magnitude and is thus used in most InGaAs APDs. However, it may open up a security loophole, such as the time-shift attack [22, 23] and the detector-control attack [24, 67, 68] (to be introduced below). For more details of single-photon detectors, see Ref. [69].

6 The dead time is typically of the order of microseconds. At a lower temperature, it takes a longer time for the trapped carriers to decay, and therefore low temperature effectively reduces the detection rate. Typically, InGaAs APDs work no faster than several megahertz.
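The source statistics of Eq. (2.1) and the fiber transmittance 10^(−αl/10) from the quantum-channel bullet are exactly the two quantities that decide how far the photon-number-splitting attack of Section 2.3 reaches. The following is an added example, not code from the thesis: it evaluates the Poissonian photon-number distribution, the fiber loss, and the standard counting argument under which Eve can block every single-photon pulse without lowering Bob's detection rate (once the multi-photon emission probability exceeds the rate the lossy channel would have delivered). The numerical settings (µ = 0.1 and 0.5, α = 0.21 dB/km at 1550 nm, a 50 km span) are illustrative choices, and detector efficiency and dark counts are left out.

```python
"""Photon-number statistics of a weak coherent pulse and fiber transmittance.

Added example, not code from the thesis. It evaluates Eq. (2.1), the Poissonian
photon-number distribution of a phase-randomized coherent state with mean photon
number mu, and the fiber transmittance 10^(-alpha*l/10) from Section 2.4.1, and
combines them into the counting argument that bounds the reach of the
photon-number-splitting (PNS) attack of Section 2.3. All numerical settings are
illustrative; detector efficiency and dark counts are ignored.
"""
import math


def photon_number_pmf(mu, n):
    """P(n photons in a pulse): the weight of |n><n| in Eq. (2.1)."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def multi_photon_prob(mu):
    """P(n >= 2): the pulses a PNS attacker can split while keeping one photon."""
    return 1.0 - photon_number_pmf(mu, 0) - photon_number_pmf(mu, 1)


def fiber_transmittance(alpha_db_per_km, length_km):
    """Probability that a single photon survives length_km of fiber of loss alpha dB/km."""
    return 10.0 ** (-alpha_db_per_km * length_km / 10.0)


def expected_nonempty_rate(mu, eta):
    """Probability that at least one photon of a pulse reaches Bob through a
    channel of transmittance eta. Each photon survives independently, so the
    arriving photon number is again Poissonian, with mean mu*eta."""
    return 1.0 - math.exp(-mu * eta)


def pns_undetectable_beyond_km(mu, alpha_db_per_km):
    """Fiber length beyond which P(n >= 2) alone can supply Bob's expected
    detection rate: past this point Eve may block all single-photon pulses and
    forward the split multi-photon pulses over a lossless channel without
    changing the rate Bob observes (the argument of Section 2.3)."""
    p_multi = multi_photon_prob(mu)
    eta_star = -math.log(1.0 - p_multi) / mu      # transmittance at which the rates match
    return -10.0 * math.log10(eta_star) / alpha_db_per_km


if __name__ == "__main__":
    print(f"50 km at 0.21 dB/km: transmittance {fiber_transmittance(0.21, 50):.4f}")
    for mu in (0.1, 0.5):
        print(f"mu={mu}: P(1)={photon_number_pmf(mu, 1):.4f} "
              f"P(>=2)={multi_photon_prob(mu):.4f} "
              f"PNS undetectable by rate beyond {pns_undetectable_beyond_km(mu, 0.21):.1f} km")
```

Lowering µ shrinks the multi-photon fraction but also the rate, which is the trade-off the decoy-state method removes; at µ = 0.1 the rate argument already fails Bob at a few tens of kilometres of standard fiber, which is why the thesis says the PNS attack puts severe limits on distance and key rate.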

2.4.2 Plug-and-Play QKD system

There are excellent reviews of different QKD implementation schemes [8, 9, 10]. So, this

section only contains a brief review of the QKD scheme relevant to this thesis: “Plug-

and-Play” QKD system.

Besides the polarization-coding BB84 protocol described in Section 2.1, BB84 can be

implemented with any two-level quantum system (qubits). Indeed, other coding meth-

ods, particularly phase-coding, also exist. In phase-coding BB84, a signal consists of a

superposition of two time-separated pulses, known as the reference pulse and the signal

pulse. The information is encoded in the relative phase between the two pulses. Hence,

the encoded relative phases of {0, π/2, π, 3π/2} in the phase-coding BB84 are essentially equivalent to the encoded polarizations of {horizontal, 45 degree, vertical, 135 degree} in the polarization-coding BB84. They are simply different embodiments of the same BB84

protocol. The phase-coding BB84 has been practically implemented based on various

schemes, and one specific scheme is “Plug-and-Play” QKD implementation.

Practical limitations associated with phase and polarization instabilities over long

distance fibers have led to the development of bidirectional QKD schemes, such as the

plug-and-play [70] and the Sagnac QKD structure [71]. Specifically, the plug-and-play BB84 structure is widely used in commercial QKD systems [32]. Its schematic is shown in Fig. 2.1. We can see that it employs the phase-coding QKD scheme, which is an improved version of the double Mach-Zehnder interferometer scheme [72]. It has only one Mach-Zehnder interferometer, and the light propagates through the same channel and interferometer twice due to the Faraday mirror on Alice’s side. This system works

as follows. Bob first sends two strong laser pulses (signal pulse and reference pulse) to

Alice. Alice uses the reference pulse as a synchronization signal to activate her phase

modulator. Then Alice modulates the phase of the signal pulse only, attenuates the two

pulses to single photon level, and sends them back to Bob. Bob randomly chooses his

measurement basis by modulating the phase of the returning reference pulse.

Owing to its good phase and polarization stability, the “Plug-and-Play” QKD system

has attracted much scientific attention. However, in a plug-and-play system, since Alice allows signals to go in and out of her device, this opens a potential back door for Eve to launch various attacks [19, 20], such as the Trojan-horse attack (footnote 7). One specific attack is the phase-remapping attack [73] (to be discussed below).

[Figure 2.1: schematic of the plug-and-play setup, showing Bob’s side and Alice’s side with the components listed in the caption.]

Figure 2.1: Schematic for “plug-and-play” BB84 QKD system. LD, laser diode; Det1/Det2, single-photon detector; PMA/B, phase modulator; C, circulator; PBS, polarization beam splitter; CD, classical photodetector; DL, delay line; FM, Faraday mirror.

2.5 Quantum hacking

Owing to the imperfections in a real-life QKD system, there is still a large gap between

the theory and practice of QKD. Particularly, Eve may try to exploit these imperfections

and launch specific attacks, called quantum hacking, not covered by original security

proofs [13, 14, 15]. In this section, a number of well-known quantum hacking strategies

that are outside of standard security proofs are reviewed.

2.5.1 Attacks on quantum state detection

In 2005, Makarov et al. proposed a faked-state attack, which exploits the efficiency

mismatch of two detectors in a practical QKD system [21]. As discussed in subsec-

tion 2.4.1, in practice, the standard single-photon detectors (such as InGaAs APDs) are

often operated in a gated mode. Therefore, the detection efficiency of each detector is

7 The Trojan-horse attack employs the unwanted internal reflection from a phase modulator [19, 20]. A “Plug-and-Play” QKD system is more vulnerable to this attack, because Alice allows signals to go in and out of her device. In Alice’s system, the phase modulator setting contains the bit and basis value. The back-reflections passing the phase modulator in a phase-coding QKD implementation reveal the setting of the phase modulator. It is also called the large-pulse attack. In this attack [20], Eve sends a strong laser pulse to Alice’s laboratory to try to read off Alice’s phase modulator setting from a reflected signal. As a result, Eve may learn which BB84 state Alice is sending to Bob.


time-dependent. Since QKD systems require the detection of two different bit values, they require at least two detectors. It is then inevitable that finite manufacturing precision in the detectors and the electronics, and differences in optical path length, will slightly misalign the two detector gates and cause a detector-efficiency mismatch. This problem often exists in practical QKD systems, and it leaves a back door for Eve to launch the faked-state attack, as follows.

A conceptual schematic of this attack is shown in Fig. 2.2. At the expected arrival

time T, the detection efficiencies of the two detectors are similar. However, if the signal

is chosen to arrive at some unexpected times (such as t1 and t2 in Fig. 2.2), it is possible

that the detector efficiencies of the two detectors differ greatly.

[Figure 2.2: plot of detection efficiency versus time for SPD1 and SPD2, with the expected arrival time T and the shifted times t1 and t2 marked.]

Figure 2.2: Schematic of detection efficiency mismatch. SPD, single-photon detector. At the expected arrival time T, the detection efficiencies of SPD1 (representing the event of bit 0) and SPD2 (representing the event of bit 1) are the same. However, at time t1, SPD1 is more sensitive to the incoming photon than SPD2.

The faked-state attack is an intercept-and-resend attack. For each signal, Eve randomly chooses one of the two BB84 bases (rectilinear or diagonal) to perform a measurement and obtains a measurement result. Then, she re-sends the opposite bit value from her measurement result in the opposite basis, at a time when the detector for the opposite bit has a lower detection efficiency than the other detector. As shown in Ref. [21], Eve introduces less than 11% QBER if the detection efficiency η ≤ 0.066.

The faked-state attack, while conceptually interesting, is hard to implement in a real-life QKD system. This is because it is an intercept-resend attack and as such involves finite detection efficiency in Eve’s detectors and precise synchronization between Eve’s and Alice-Bob’s systems. Therefore, the faked-state attack has never been implemented in practice. A typical countermeasure against detector-efficiency mismatch is the four-state QKD protocol [21].

In 2007, Qi et al. [22] proposed the time-shift attack, which is also based on the

detection-efficiency mismatch in the time domain, but is much easier to implement than

the faked-state attack. Let us suppose Fig. 2.2 illustrates the detection efficiencies of

the two single-photon detectors in a real-life QKD system. Eve can simply shift the

arrival time of each pulse sent from Alice by employing a variable optical delay line. For

example, Eve randomly shifts the pulse from Alice to arrive at t1 or t2 through a shorter

path or a longer path of optical line. This shifting process can partially reveal the bit

value of Bob: if the pulse arrived at t1 (or t2) and Bob announces receipt, the bit value is

more likely to be 0 (1). Moreover, Eve can carefully set how many bits should be shifted

forward and how many should be shifted backward to ensure that the distribution of bit

0 and bit 1 received by Bob is balanced. Hence, the time-shift attack does not make any

measurement on the quantum state, and quantum information is not destroyed.

Since Eve does not need to make any measurement or state preparation, the time-shift attack is practically feasible with current technology. In 2007, it was successfully implemented on a commercial QKD system by Zhao et al. [23]. This was the first successful demonstration of quantum hacking on a widely-used commercial QKD system. In their experiment [23], Eve got an information-theoretic advantage in around 4% of her attempts. It shows that a practical QKD system has a non-negligible probability of being vulnerable to the time-shift attack.

2.5.2 Attacks on quantum state preparation

Previous studies of quantum attacks have largely concentrated on the imperfections in the quantum-state-detection stage of a QKD process. For instance, both the faked-state attack [21] and the time-shift attack [22, 23] exploit the imperfection of detection-efficiency mismatch in a standard QKD system. Hence, a substantive question is whether the quantum-state-preparation stage of QKD is really secure.

Fung et al. [73] answered this question in the negative and proposed a novel quantum attack, called the phase-remapping attack, exploiting such a security loophole. In a fiber-based phase-coding “Plug-and-Play” BB84 QKD system (see Fig. 2.1), a LiNbO3 waveguide phase modulator is commonly used to encode the random bits. In practice, a phase modulator has a finite response time, as shown in Fig. 2.3. Ideally, Bob’s signal pulse passes through Alice’s phase modulator in the middle of the modulation signal and undergoes the proper modulation (time t0 in Fig. 2.3). However, if Eve changes the time difference between the reference and the signal pulse, the signal pulse will pass through the phase modulator at a different time (time t1 in Fig. 2.3), and the encoded phase will be different. Originally, Alice uses {0, π/2, π, 3π/2} to encode {0_1 (bit “0” in basis 1), 0_2 (bit “0” in basis 2), 1_1 (bit “1” in basis 1), 1_2 (bit “1” in basis 2)}. Now, after Eve’s remapping process, Alice’s encoded phases will be mapped to {0, φ1, φ1 + φ2, φ1 + φ2 + φ3}, where φi (i = 1, 2, 3) is the new phase difference between two adjacent states. This phase-remapping process allows Eve to launch a novel “intercept-and-resend” attack: the phase-remapping attack [73].

[Figure 2.3: diagram of the phase modulation (PM) signal, phase shift versus time, marking the original time t0 (phase φ0) and the shifted time t1 (phase φ1).]

Figure 2.3: Diagram of phase modulation (PM) signal. t0 is the original time location where Bob’s signal pulse is properly modulated to have phase φ0. Eve time-shifts the signal pulse from t0 to t1. This pulse will undergo a new modulated phase φ1. Reproduced from [35] with permission. ©2010 IOP.

The theory of the phase-remapping attack was first proposed in 2007. Nonetheless,

it did not draw much scientific attention at that time. In my first year of M.A.Sc study,

I experimentally demonstrated this attack on top of a widely-used commercial QKD

system, “Plug-and-Play” QKD system. The resulting quantum bit error rate is 19.7%,

which is substantially lower than the well-known 25% error rate for an intercept-and-

resend attack in BB84. The success of my demonstration has attracted more attention

from both the QKD community and the public. This work not only has been cited 24

times by Google Scholar but also has been widely reported in the news media including

news articles in Nature, The Economist, New Scientist, Physics World, MIT Technology

Review and so forth. The details of my demonstration are stated in the following section.


Chapter 3

Experimental Phase-Remapping

Attack

“If you think cryptography is the answer to your problem, then you don’t know what your

problem is.” - Peter G. Neumann

In this chapter, we present the experimental investigation of the phase-remapping

attack in a commercial QKD system. In our experiment, we found that the phase-

remapping process in a practical QKD system was much more complicated than the

theoretical model described in Ref. [73]. To adapt to this complexity, we modified the

original phase-remapping attack into type I and type II practical attacks. It is well

known that in a standard BB84 QKD system, a simple “intercept-and-resend” attack

will introduce a quantum bit error rate (QBER) of 25%, which alerts the users that

no secure keys can be generated. Our experimental results show that by performing the

phase-remapping attack, Eve can gain the full information at the cost of only introducing

a QBER of 19.7%. Hence, a key assumption in the security proof of QKD has been

substantially violated by this attack. The content of this chapter is heavily based on

Ref. [35].

3.1 Practical attack strategy

We implement the phase-remapping attack on top of a Plug-and-Play QKD system. In

our experiment, the practical attack strategy is stated as follows.

1. Eve intercepts Bob’s strong pulse and sends a time-shifted pulse to Alice via her own device. Note that Eve can change the actual values of φi (i = 1, 2, 3) by changing the time displacement. However, she cannot change φ1, φ2, and φ3 independently.

2. Eve’s strategy is to either distinguish {0_1} from {0_2, 1_1, 1_2} or {1_2} from {0_1, 0_2, 1_1} with minimal errors. To distinguish {0_1}, Eve introduces a phase shift of {φ1 + φ2} using her phase modulator on the reference pulse sent back by Alice and performs an interference measurement. If detector 1 (Det1) clicks (footnote 1), Eve sends the standard BB84 state {0_1} to Bob. Otherwise, Eve simply discards it. A similar procedure is performed to distinguish {1_2}, where Eve introduces a phase shift of {φ1}. Here, we define Eve’s phase shift {φ1} as Basis X and {φ1 + φ2} as Basis Y.

Now, assume that Eve uses Y to distinguish {0_1}; given that Alice sends the different states {0_1, 0_2, 1_1, 1_2}, Det1’s detection probabilities {P_{0_1}, P_{0_2}, P_{1_1}, P_{1_2}} are {sin²((φ1 + φ2)/2), sin²(φ2/2), 0, sin²(φ3/2)}. After Eve’s attack, the error probabilities introduced are {0, 1/2, 1, 1/2}. The analysis in X can be carried out similarly. So, the QBERs are

$$Y:\quad \mathrm{QBER}_Y = \frac{\tfrac{1}{2}\sin^2\!\left(\tfrac{\phi_2}{2}\right) + \tfrac{1}{2}\sin^2\!\left(\tfrac{\phi_3}{2}\right)}{\sin^2\!\left(\tfrac{\phi_1+\phi_2}{2}\right) + \sin^2\!\left(\tfrac{\phi_2}{2}\right) + \sin^2\!\left(\tfrac{\phi_3}{2}\right)} \qquad (3.1)$$

$$X:\quad \mathrm{QBER}_X = \frac{\tfrac{1}{2}\sin^2\!\left(\tfrac{\phi_1}{2}\right) + \tfrac{1}{2}\sin^2\!\left(\tfrac{\phi_2}{2}\right)}{\sin^2\!\left(\tfrac{\phi_2+\phi_3}{2}\right) + \sin^2\!\left(\tfrac{\phi_2}{2}\right) + \sin^2\!\left(\tfrac{\phi_1}{2}\right)} \qquad (3.2)$$

Ref. [73] assumed φ1 = φ2 = φ3 = φ; then the overall QBER is given by

$$\mathrm{QBER} = \frac{\mathrm{QBER}_X + \mathrm{QBER}_Y}{2} = \frac{\sin^2(\phi/2)}{\sin^2(\phi) + 2\sin^2(\phi/2)} \qquad (3.3)$$

As shown in Fig. 3.1, there is a range of “φ” that allows QBER to go below 20.0%, which is tolerable in the BB84 protocol [45, 46]. Hence, if Eve remaps the phase small enough into this range, she can successfully apply this “intercept-and-resend” attack.

3.2 Experiment

3.2.1 Experimental setup

We implemented the phase-remapping attack in a commercial ID-500 QKD system (manufactured by id Quantique), as shown in Fig. 3.2. Bob's (replaced by Eve) signal pulse, reference pulse and Alice's phase modulation signal of the original QKD system are shown in Fig. 3.3. Note that in Fig. 3.3, since Alice uses the reference pulse as a trigger signal, the time delay ∆t1 is determined by the internal delay of Alice's system and can't be controlled by Eve. On the other hand, since Alice doesn't monitor the arrival time of the signal pulse, Eve can change the time delay ∆t3 without being detected. Furthermore, the rising edge time (10-90%) of the phase modulation signal is around 6 ns, while the width of the laser pulse is about 500 ps (FWHM). Eve can easily place her pulse on the rising edge to get partial phase modulation². This specific QKD design opens a security loophole which allows Eve to launch the phase-remapping attack.

¹ After the Mach-Zehnder interferometer, if the phase difference between reference and signal pulse is π (0), detector1 (detector2) clicks.

[Figure 3.1: plot of QBER (0.16 to 0.25) versus phase difference φ (0 to π/4).]

Figure 3.1: QBER of phase-remapping attack. Eve remaps the four BB84 states with the same new phase difference (φ1 = φ2 = φ3 = φ).

In our experiment, Eve utilized the same setup as Bob to launch her attack. Eve modified the length of the short arm of her Mach-Zehnder interferometer by adding a variable optical delay line (VODL in Fig. 3.2) to shift the time delay between the reference pulse and the signal pulse. To remap the phase small enough into the low QBER range, the optimal strategy we found is: by using VODL, Eve shifts the forward signal pulse out and only the backward signal pulse in the phase modulation range (see Fig. 3.4(b)); by using polarization controller (PC in Fig. 3.2), Eve aligns the polarization direction of the backward signal pulse orthogonal to the principal axis [74] of the phase modulator.

² Eve could also use a laser source with a much narrower pulse width to launch this attack.

[Figure 3.2: schematic of Eve's and Alice's setups with the component labels Det1, Det2, PMB, CD, PMA, LD, PBS, PC, VODL, 48 ns, 12 km, DL, FM and C.]

Figure 3.2: (Color online). Experimental implementation of the phase-remapping attack in a commercial ID-500 QKD system. Original QKD system: LD, laser diode; Det1/Det2, single photon detector; PMA/B, phase modulator; C, circulator; PBS, polarization beam splitter; CD, classical photodetector; DL, delay line; FM, Faraday mirror. Our modifications: Eve replaces Bob; VODL, variable optical delay line; PC, polarization controller. Reproduced from [35] with permission. © 2010 IOP.

3.2.2 Polarization control

One crucial issue in our experiment is polarization control. A practical phase modulator, for instance the one in Alice's system, is polarization dependent and has one principal axis. When the voltage is applied on the phase modulator, photons with different polarization directions will be phase-modulated differently. Photons with polarization aligned with the principal axis will undergo a large phase modulation, while photons with orthogonal polarization state will undergo a small phase modulation [74]. In our experiment, we find the relative modulation magnitude ratio of the two polarizations is about 1:3³. In the original “plug and play” system, the signal pulse will be modulated twice as it passes through Alice's phase modulator back and forth (see Fig. 3.4(a)). Because of the Faraday mirror, the total phase shift is independent of the polarization state of the signal pulse. However, since Eve's signal pulse will pass through the modulator at a different time and be modulated only once (see Fig. 3.4(b)), the above auto-compensating method will not work. Eve has to control the polarization direction either aligned with or orthogonal to the principal axis of the phase modulator when her signal pulse is modulated. This is achieved by adding a polarization controller (PC in Fig. 3.2) and adjusting it carefully. Here, Eve can assume that the polarization has been aligned properly by maximizing the total counts of D1+D2 (D1 and D2 denote the counts of Det1 and Det2)⁴.

³ The relative magnitude ratio is experimentally tested by applying different voltages on Alice's phase modulator (PMA in Fig. 3.2) to modulate the signal pulses with the two polarization directions (adjusted by PC in Fig. 3.2). From the data of applied voltages and modulating phases, we got a relative ratio of about 1:3. Ref. [74] gives the parameters of the LiNbO3 phase modulator and the relations between phase modulation and the parameters. The relative ratio is 9.6 : 30.9 (see Section 9.2 and Table 9.2 of Ref. [74]).

Figure 3.3: (Color online). Time patterns of the reference pulse (Ref), the signal pulse (Sig) and the phase modulation signal in the commercial ID-500 QKD setup. Here, Alice's encoding phase is {π} and we only show the forward pulses. Reproduced from [35] with permission. © 2010 IOP.

By combining variable shifting time and two different polarization directions, Eve can apply two types of practical phase-remapping attack:

• Type I practical attack is shown in Fig. 3.4(b). Eve shifts the forward signal pulse out of the phase modulation signal and the backward pulse to the rising edge, and adjusts the PC to control the backward pulse's polarization direction aligned with the modulator's principal axis. Here, we remark that if the width of the laser pulse is comparable with the rising time of the modulation signal, the type I attack will cause an unreasonably high QBER, thus it is easy for Alice and Bob to detect the attack.

• Type II practical attack is shown in Fig. 3.4(c). Eve shifts the backward pulse to the plateau region of the phase modulation signal, and aligns its polarization direction orthogonal to the principal axis. Since the orthogonal direction has the smallest phase modulation, Eve can successfully remap the phase small enough into the low QBER range. One important advantage is: even if Alice's phase modulator is good enough with strictly sharp rising and falling edges (making the type I attack ineffective), Eve can still apply the type II attack in practical QKD systems.

⁴ If the polarization is not properly controlled by PC, after Alice's modulation, the original linear polarization state of the signal pulse will change to a circular or elliptical polarization state. So, when the signal pulse returns back and passes through Eve's PBS (see Fig. 3.2), part of it will wrongly go to the long arm instead of the short arm. Since the Detector (Det in Fig. 3.2) is gated, this part will hit the Detector at a wrong time and thus cannot be detected.

[Figure 3.4: timing diagrams (a), (b) and (c) of the Ref, Sig and PM signals.]

Figure 3.4: Time pattern of practical phase-remapping attack. Sig: signal pulse. Ref: reference pulse. PM: phase modulation signal. (a) Normal QKD operation. (b) Type I practical phase-remapping attack. (c) Type II practical phase-remapping attack; here, even if we assume Alice has a perfect phase modulator with strictly sharp rising and falling edges, the type II attack still works. Reproduced from [35] with permission. © 2010 IOP.

3.2.3 Minimized quantum bit error rate

Fung et al. [73] assumed that Eve could remap Alice's encoded phase with φ1 = φ2 = φ3. However, in our experiment, the relation among φ1, φ2, and φ3 is more complicated. As shown in Fig. 3.5, Alice's phase modulation signals {π/2, π, 3π/2} not only start at different times but also have different average rising times. Furthermore, there is also an overshoot after the rising edge, and the time of the overshoot is different for each signal. So, if we use different lengths of VODL to shift the pulse either to the rising edge or to the overshooting range, the pulse will not undergo a proportional phase modulation. Eve's remapping phase will be φ1 ≠ φ2 ≠ φ3. These complicated phases will thus affect the QBER, as shown in equations (3.1) and (3.2). In our experiment, the optimal length of VODL was determined by minimizing the resulting QBER. We finally applied two optimal VODLs (see Fig. 3.5(b)) to launch the two types of practical phase-remapping attack: VODL I: 5.8 m and VODL II: 4.65 m. Our attack strategy was the one discussed in Subsection 3.1. We finally remark on two experimental details: (i) from the time pattern graph in Fig. 3.3, the laser pulse is narrow enough to allow us to apply the type I attack; (ii) in the type I attack, to make the remapping phase small enough, we still control the polarization of the backward signal pulse orthogonal to the principal axis of the phase modulator.

[Figure 3.5: (a) applied voltage (V) versus time (20 to 140 ns) for the π/2, π and 3π/2 modulation signals; (b) zoom on 50 to 66 ns with the positions labelled VODL A and VODL B marked.]

Figure 3.5: (Color online). (a) Alice's phase modulation signals, π/2, π, and 3π/2, respectively. (b) The zoomed rising edge of each modulation signal and the approximate time of the optimal VODL used in our attack. Reproduced from [35] with permission. © 2010 IOP.

3.3 Results

Some experimental parameters of our ID-500 commercial QKD system, including dark count rate Y0, detector error rate edet, Bob's overall quantum efficiency ηBob (including the detection efficiency of the single photon detector) and mean photon number µ are listed in Table 3.1. Our transmission distance was a few meters. We repeated the measurement 10 million times⁵ for each state sent by Alice and the experimental results are shown in Table 3.2.

    Y0             edet            ηBob            µ
    2.11 × 10−5    0.38 × 10−2     5.82 × 10−2     1.39

Table 3.1: Experimental parameters. © 2010 IOP.

(a) VODL I (5.8 m)

                          Basis Z              Basis X              Basis Y
    State  φA     φE       D1      D2           D1      D2           D1      D2
    01     0°     0°       734     171851       6617    166671       16311   158479
    02     90°    23.9°    7435    165402       928     169814       2772    169669
    11     180°   35.9°    16474   157385       3545    166427       1348    168924
    12     270°   46.3°    26879   146917       8434    161575       2672    168078

(b) VODL II (4.65 m)

                          Basis Z              Basis X              Basis Y
    State  φA     φE       D1      D2           D1      D2           D1      D2
    01     0°     0°       617     168910       7068    174061       24841   156007
    02     90°    21.1°    5843    167206       1074    179218       8557    170786
    11     180°   37.8°    18096   153962       5285    174161       1239    176091
    12     270°   52.7°    33260   135616       19770   160300       3530    173428

Table 3.2: Experiment results. φA is Alice's original standard BB84 phase. φE is the new phase remapped by Eve. D1 (D2) is the counts number of Det1 (Det2). Here, Eve introduced phase {0} (Basis Z), {φ1} (Basis X), and {φ1 + φ2} (Basis Y), respectively, on the reference pulse to measure each state, and repeated the measurement 10 million times for each state. (a) Variable Optical Delay Line I (5.8 m). (b) Variable Optical Delay Line II (4.65 m). Reproduced from [35] with permission. © 2010 IOP.

⁵ This data size is large enough to converge the statistical error rate in our experiment.

3.3.1 Theoretical quantum bit error rate

We calculate QBER from the theoretical model discussed in Section 3.1. The detecting probability of phase-coding BB84 is

$$\text{Det1}:\quad P_1 = \frac{1 - \cos(\phi_A - \phi_B)}{2} = \sin^2\!\left(\frac{\phi_A - \phi_B}{2}\right) = \frac{D_1 - NY_0}{D_1 + D_2 - 2NY_0} \qquad (3.4)$$

$$\text{Det2}:\quad P_2 = \frac{1 + \cos(\phi_A - \phi_B)}{2} = \cos^2\!\left(\frac{\phi_A - \phi_B}{2}\right) = \frac{D_2 - NY_0}{D_1 + D_2 - 2NY_0} \qquad (3.5)$$

where N denotes the gating number⁶. Here, we subtract the dark counts number NY0 from each detector's counts number to get the theoretical detecting probability.

If Eve introduces phase shift {0} (Basis Z) on the reference pulse to measure each state, the remapping phase φE and phase difference φi (i=1,2,3) are

$$\phi_E = 2\tan^{-1}\!\left(\sqrt{\frac{D_1 - NY_0}{D_2 - NY_0}}\right) \qquad (3.7)$$

$$\phi_i = \phi_E(i) - \phi_E(i-1) \qquad (3.8)$$

Using data in Table 3.2, from Eqns. (3.8), (3.1) and (3.2), we obtain

$$\text{VODL I}:\quad \phi_1 = 23.9^\circ \pm 1.2^\circ,\quad \phi_2 = 12^\circ \pm 1.2^\circ,\quad \phi_3 = 10.4^\circ \pm 1.2^\circ \qquad (3.9)$$

$$\mathrm{QBER}_X(\mathrm{I}) = 29\% \pm 1\%,\quad \mathrm{QBER}_Y(\mathrm{I}) = 8\% \pm 1\% \qquad (3.10)$$

$$\text{VODL II}:\quad \phi_1 = 21.1^\circ \pm 1.1^\circ,\quad \phi_2 = 16.7^\circ \pm 1.1^\circ,\quad \phi_3 = 14.9^\circ \pm 1.1^\circ \qquad (3.11)$$

$$\mathrm{QBER}_X(\mathrm{II}) = 21\% \pm 1\%,\quad \mathrm{QBER}_Y(\mathrm{II}) = 13\% \pm 1\% \qquad (3.12)$$

The phase error fluctuations are mainly due to the imperfections of our experimental QKD system. From the results in Table 3.2, we can see that even though Eve uses Basis Z to measure state {01}, it still has about “600 ∼ 700” counts on Det1. These error counts are mostly from the imperfect interference between the signal pulse and the reference pulse. Hence, Eqns. (3.12) and (3.10) give the theoretical QBERs introduced by Eve with a perfect detection system.

⁶ We repeated the measurement 10 million times for each state. Notice that, in order to reduce the after-pulsing probability, an external dead time has been introduced to both detectors after the detection of a photon by a detector. On average, after each detection event, the following around 46 gating signals will be blocked. So, the total gating number N can be estimated by

$$N \approx 10^7 - (D_1 + D_2) \times 46 \approx 2.1 \times 10^6 \qquad (3.6)$$


3.3.2 Experimental quantum bit error rate

We calculate QBER via our direct experimental results. From Table 3.2, we can see the total counts (D1+D2) for each state is almost identical, so Det1's detecting probability for each state is proportional to D1. Using data in Table 3.2, the QBERs are

$$X:\quad \mathrm{QBER}_X = \frac{\tfrac{1}{2}D_{1,01} + \tfrac{1}{2}D_{1,11} + D_{1,02}}{D_{1,01} + D_{1,02} + D_{1,11} + D_{1,12}} \qquad (3.13)$$

$$Y:\quad \mathrm{QBER}_Y = \frac{\tfrac{1}{2}D_{1,02} + \tfrac{1}{2}D_{1,12} + D_{1,11}}{D_{1,01} + D_{1,02} + D_{1,11} + D_{1,12}} \qquad (3.14)$$

$$\text{VODL I}:\quad \mathrm{QBER}_X(\mathrm{I}) = 30.8\%,\quad \mathrm{QBER}_Y(\mathrm{I}) = 17.6\% \qquad (3.15)$$

$$\text{VODL II}:\quad \mathrm{QBER}_X(\mathrm{II}) = 21.8\%,\quad \mathrm{QBER}_Y(\mathrm{II}) = 19.1\% \qquad (3.16)$$

If Eve utilizes the optimal strategy to combine the two types of attack together and carefully chooses the probability of each attack to ensure the distribution of bit “0” and bit “1” received by Bob is balanced, the overall QBER is

$$\mathrm{QBER} = \frac{\mathrm{QBER}_X(\mathrm{II}) + \mathrm{QBER}_Y(\mathrm{I})}{2} = 19.7\% \qquad (3.17)$$
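The two QBER calculations of this section, as an added worked example (not code from the thesis): it embeds the Table 3.2 counts and the Table 3.1 dark count rate, derives Eve's remapped phases from the Basis Z counts with Eqns. (3.7)-(3.8), evaluates the model QBERs of Eqns. (3.1)-(3.2) from those phases, and computes the direct QBERs of Eqns. (3.13)-(3.17) from the Det1 counts. The gating number N = 2.1 × 10⁶ from Eqn. (3.6) and the convention that state 01 defines φE = 0 (as in Table 3.2) are taken from the text.

```python
import math

# Table 3.1 parameters and the gating number estimated in Eqn. (3.6)
Y0 = 2.11e-5       # dark count probability per gate
N_GATES = 2.1e6    # gates actually open after dead-time blocking, Eqn. (3.6)

STATES = ("01", "02", "11", "12")   # Alice's BB84 states, phases 0, pi/2, pi, 3pi/2

# Table 3.2 counts, copied inline: for each VODL setting and each basis Eve applied
# to the reference pulse (Z = 0, X = phi1, Y = phi1 + phi2), the (D1, D2) counts
# for Alice's states in the order 01, 02, 11, 12.
TABLE_3_2 = {
    "VODL I": {
        "Z": [(734, 171851), (7435, 165402), (16474, 157385), (26879, 146917)],
        "X": [(6617, 166671), (928, 169814), (3545, 166427), (8434, 161575)],
        "Y": [(16311, 158479), (2772, 169669), (1348, 168924), (2672, 168078)],
    },
    "VODL II": {
        "Z": [(617, 168910), (5843, 167206), (18096, 153962), (33260, 135616)],
        "X": [(7068, 174061), (1074, 179218), (5285, 174161), (19770, 160300)],
        "Y": [(24841, 156007), (8557, 170786), (1239, 176091), (3530, 173428)],
    },
}


def remapped_phase_deg(d1, d2, n_gates=N_GATES, y0=Y0):
    """Eqn. (3.7): phase seen in Basis Z after subtracting N*Y0 dark counts.

    From Eqns. (3.4)-(3.5), P1/P2 = tan^2(phi_E/2), so phi_E = 2*atan(sqrt(P1/P2)).
    """
    dark = n_gates * y0
    return math.degrees(2.0 * math.atan(math.sqrt((d1 - dark) / (d2 - dark))))


def phase_differences_deg(z_counts):
    """Eqn. (3.8): phi_i = phi_E(i) - phi_E(i-1) for i = 1, 2, 3.

    As in Table 3.2, state 01 is the reference with phi_E = 0; its residual Det1
    counts are attributed to imperfect interference, not to a phase offset.
    """
    phi_e = [0.0] + [remapped_phase_deg(d1, d2) for d1, d2 in z_counts[1:]]
    return tuple(phi_e[i] - phi_e[i - 1] for i in range(1, 4))


def _half_angle_sin2(deg):
    """sin^2(phi/2) with phi given in degrees."""
    return math.sin(math.radians(deg) / 2.0) ** 2


def theoretical_qber(phi1, phi2, phi3):
    """Eqns. (3.2) and (3.1): (QBER_X, QBER_Y) from the remapped phase differences.

    Numerators carry the 1/2 error weight of a wrong-basis state and the full
    weight of a same-basis, opposite-bit state; denominators are Det1's total
    click probability summed over the four states.
    """
    s2 = _half_angle_sin2
    qber_x = (s2(phi1) / 2 + s2(phi2) / 2) / (s2(phi2 + phi3) + s2(phi2) + s2(phi1))
    qber_y = (s2(phi2) / 2 + s2(phi3) / 2) / (s2(phi1 + phi2) + s2(phi2) + s2(phi3))
    return qber_x, qber_y


def experimental_qber(x_counts, y_counts):
    """Eqns. (3.13)-(3.14): (QBER_X, QBER_Y) directly from the Det1 counts."""
    dx = dict(zip(STATES, (d1 for d1, _ in x_counts)))
    dy = dict(zip(STATES, (d1 for d1, _ in y_counts)))
    qber_x = (dx["01"] / 2 + dx["11"] / 2 + dx["02"]) / sum(dx.values())
    qber_y = (dy["02"] / 2 + dy["12"] / 2 + dy["11"]) / sum(dy.values())
    return qber_x, qber_y


def combined_qber(table=TABLE_3_2):
    """Eqn. (3.17): Eve balances Basis X with VODL II against Basis Y with VODL I."""
    qx_ii, _ = experimental_qber(table["VODL II"]["X"], table["VODL II"]["Y"])
    _, qy_i = experimental_qber(table["VODL I"]["X"], table["VODL I"]["Y"])
    return (qx_ii + qy_i) / 2


if __name__ == "__main__":
    for name, bases in TABLE_3_2.items():
        phis = phase_differences_deg(bases["Z"])
        print(name, "phi1..phi3 (deg):", ["%.1f" % p for p in phis])
        print("  theoretical  (QBER_X, QBER_Y):",
              ["%.1f%%" % (100 * q) for q in theoretical_qber(*phis)])
        print("  experimental (QBER_X, QBER_Y):",
              ["%.1f%%" % (100 * q) for q in experimental_qber(bases["X"], bases["Y"])])
    print("combined QBER, Eqn. (3.17): %.1f%%" % (100 * combined_qber()))
```

The theoretical values land within the ±1% error bars quoted in Eqns. (3.10) and (3.12), and the direct counts reproduce Eqns. (3.15)-(3.17) exactly.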

Note that we used a weak coherent pulse (WCP) source in our experiment. Before calculating the QBERs for a single-photon (SP) source, we emphasize two facts: (i) the phase shift introduced by the phase modulator is independent of the source. If the source is a SP, the phase will also be remapped to {0, φ1, φ1 + φ2, φ1 + φ2 + φ3}. (ii) Eve's interference visibility is the same for SP and WCP. Now, assuming that Eve uses Basis1 to launch the attack and Det1's detecting probability for each state is Pstate, i.e. {P01, P02, P11, P12}, Det1's overall gain and QBERs for the two different sources are:

$$\text{SP}:\quad Q_{sp} = \eta_{Bob} P_{state} + Y_0$$

$$\mathrm{QBER}_{sp} = \frac{\eta_{Bob}\left(\tfrac{1}{2}P_{01} + \tfrac{1}{2}P_{11} + P_{02}\right) + 2Y_0}{\eta_{Bob}\left(P_{01} + P_{02} + P_{11} + P_{12}\right) + 4Y_0} \qquad (3.18)$$

$$\text{WCP}:\quad Q_{wcp} = \sum_{i=0}^{\infty}\left(Y_0 + 1 - (1 - \eta_{Bob}P_{state})^i\right)\frac{\mu^i}{i!}e^{-\mu} \qquad (3.19)$$

$$= \left(1 - e^{-\mu\eta_{Bob}P_{state}}\right) + Y_0 \qquad (3.20)$$

$$\mathrm{QBER}_{wcp} = \frac{2 - \tfrac{1}{2}e^{-\mu\eta_{Bob}P_{01}} - \tfrac{1}{2}e^{-\mu\eta_{Bob}P_{11}} - e^{-\mu\eta_{Bob}P_{02}} + 2Y_0}{4 - e^{-\mu\eta_{Bob}P_{01}} - e^{-\mu\eta_{Bob}P_{02}} - e^{-\mu\eta_{Bob}P_{11}} - e^{-\mu\eta_{Bob}P_{12}} + 4Y_0} \qquad (3.21)$$

Using Eqns. (3.18), (3.21) and data in Tables 3.1 and 3.2, the overall QBER difference between SP and WCP for Eve's optimal strategy (combining the two types of attack as in Eqn. (3.17)) is:

$$\Delta\mathrm{QBER} = \mathrm{QBER}_{sp} - \mathrm{QBER}_{wcp} = 0.1\% \qquad (3.22)$$

Therefore, in a practical SP BB84 QKD system, we can expect the QBER is QBERsp = 19.8%, which is substantially below the bound of 25% for an intercept-and-resend attack in BB84. This shows clearly that an important assumption (Alice prepares her states correctly) in a security proof has been violated. So, the security proofs cannot be directly applied to a practical QKD system.

3.4 Discussions

3.4.1 Optimization of the attack

Our attack can be further improved to lower the QBER: (i) in our experiment, we only use off-the-shelf imperfect detectors and other components. If some adversaries, such as KGB or NSA, have better detectors (e.g. low dark counts and misalignment), lasers (narrow pulse width) and other components, the QBER of the phase-remapping attack will be decreased further. So, we can assume that under attack the real Bob will introduce the same additional errors as our Eve introduces in our experiment, while Eve will introduce zero (or negligible) errors through the use of better, more expensive components. (ii) as shown in Fig. 3.5(a), in principle, Eve can move the signal pulse to the falling edge region to distinguish 3π/2 with a very low error probability, and thus reduce the QBER. (iii) if Eve launches her attack not on every signal but only on a subset of signals, the introduced QBER will be much lower. (iv) Eve can also maximize her ability to eavesdrop by combining various attacks. For instance, she may combine the phase-remapping attack with the time-shift attack to exploit both the imperfections of Alice's encoding system and Bob's detection system. If she does so, her attacking power will be amplified and the QBER can be reduced further. So, we remark that it is impossible to remove all imperfections completely in practice. Instead of removing them, what we can do is to quantify them carefully. Once quantified, those imperfections may be taken care of in security proofs [16]. As an example, mismatch in detection efficiency has been taken into account in the security proof of [18].


Unfortunately, our research version of the QKD system from ID Quantique does not perform privacy amplification. Therefore, it is unclear what key rate formula or error threshold should be used. We cannot find any detailed public information about the key rate formula for a commercial-user version of ID Quantique systems. Since it is unclear what privacy amplification is performed, whether decoy states are used and whether finite-key effects have been considered, we cannot comment on its security either. For future security research, it would be very useful if the QKD manufacturers could provide these details.

Regardless, one might ask “As commercial QKD systems might abort at lower QBER such as 10% rather than 20%, does it mean that those commercial QKD systems are secure without patching?” In our opinion, the answer is no. Setting a lower error rate is a technological requirement (we could always improve the attack to get lower QBER as discussed above) rather than a guarantee of the laws of physics. More importantly, people are using commercial QKD systems because they are expected to be good implementations of the QKD theory, which offers unconditional (i.e. information-theoretic) security. The very fact that one fundamental assumption, correct encoding of the signal, has been seriously violated means that such systems are very far from offering such a type of security. Without patching, those systems only offer ad hoc security, in direct contradiction to the spirit of QKD. Indeed, it is important for manufacturers to provide a clear security parameter epsilon for a QKD system and back it up with a clear statement and proof of security with a list of testable assumptions.

3.4.2 Countermeasures

In the “plug-and-play” QKD system, one specific countermeasure is the following: Alice carefully checks the arrival time of the reference pulse and the signal pulse by monitoring with her classical detector (CD in Fig. 3.2). From the time delay between the two pulses, she can find whether the time difference has been shifted by Eve, and thus counter Eve's attack. Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

What is more, this work mainly focuses on one key assumption in unconditional security proofs, i.e. Alice prepares the required states correctly. From a simple experimental demonstration, we show this assumption can be violated by our attack. So, we emphasize that, in a practical QKD system, Alice needs to experimentally verify she is applying the correct modulations on her states. One possible way in a general QKD system is: after encoding her random bits, Alice uses a beam splitter to split off part of each strong modulated signal, and then uses a classical detector, such as a high speed photo detector (rather than a single-photon detector), to implement a local measurement to directly verify whether she has performed the correct modulation. In order to achieve unconditional security with a practical QKD system, it is useful to perform such a verification experimentally. In the long term, it is important to work towards QKD with testable assumptions.

One might wonder whether publishing results like ours on experimentally attacking a commercial QKD system will in some way aid a hacker and undermine the confidence in the security of QKD. In our opinion, the answer is no. The theory of the phase-remapping attack was published three years ago [73]. An interested hacker could have performed our attack with public information three years ago already. Our work only serves to remind people of the importance of implementing appropriate counter-measures and battle-testing the security of the improved system in future.

3.5 Conclusions

We have experimentally demonstrated one of the first successful “intercept-and-resend” attacks on top of a widely used QKD implementation in commercial QKD systems, where Eve can get full information and only introduces a QBER of 19.7%. The success of our attack highlights not only the importance for Alice to verify that she is encoding the right state during the encoding process, but also, more generally, the importance of verification of the correctness of each step of an implementation of a QKD protocol in a practical QKD system.

By finding security loopholes and fixing them early, we hope that our work will make practical QKD systems more secure.


Chapter 4

High-speed quantum random number generator

“The generation of random numbers is too important to be left to chance.” - Robert R. Coveyou

“Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.” - J. von Neumann

In this chapter, we propose and experimentally demonstrate an ultrafast quantum random number generator (QRNG) at a rate over 6 Gbits/s. The approach is by measuring the quantum phase fluctuations of a laser, which is operated near its threshold. Moreover, we consider a potential adversary who has partial knowledge of the raw data and discuss how one can rigorously remove such partial knowledge with post-processing. The simplicity and high speed of our experimental setup show the feasibility of a robust, low-cost, high-speed QRNG. The content of this chapter is largely based on Ref. [36].

4.1 Introduction

Random numbers play a key role in many areas, such as statistical analysis, computer simulations [75] and cryptography [7, 76]. Traditionally, pseudo-random number generators (pseudo-RNGs) based on computer algorithms have long been used for various applications. Recently, physical-RNGs based on chaotic behaviors of semiconductor lasers have been proposed to generate fast random bits [51, 52, 53, 54]. Generally speaking, due to their deterministic nature¹, neither of these schemes can generate truly random numbers with information-theoretically provable randomness.

Quantum random number generators (QRNGs), on the other hand, can generate true randomness by exploiting the fundamental indeterminism of quantum physics [25]. As a simple example, we consider the polarization measurement of a polarization quantum state, $\frac{1}{\sqrt{2}}(|H\rangle + |V\rangle)$, in the rectilinear basis $\{|H\rangle, |V\rangle\}$. It will yield the unbiased and thus completely unpredictable outcomes $|H\rangle$ and $|V\rangle$. Then by assigning the classical bit values “0” and “1” to these outcomes, a sequence of truly random numbers can be generated. As shown in Fig. 4.1, this scheme can be easily realized by a single-photon source followed by a polarization beam splitter (PBS), and two single-photon detectors (SPDs), one for each output arm of the PBS. Indeed, this scheme has drawn much scientific attention [25, 26], and commercial QRNGs, like the ID Quantique system [32], have already appeared on the market.

Figure 4.1: QRNG based on polarization measurement. A single-photon source generates a 45° single photon, which passes through a polarization beam splitter (PBS) projecting the photon into either horizontal ($|H\rangle$) or vertical ($|V\rangle$) polarization state. The single photon is consequently detected by two single-photon detectors (SPDs) assigned with bit “0” ($|H\rangle$) and bit “1” ($|V\rangle$).

Besides polarization measurement, several QRNGs based on the single-photon detection technology, such as the photon arrival time [27, 77, 78, 79, 80] and the photon number counting [81, 82, 83], have been demonstrated. Another promising approach relies on vacuum state fluctuations [30, 31, 84], where a homodyne detection is typically applied to measure the electrical field fluctuation of the vacuum state. Recently, a QRNG based on quantum non-locality has also been proposed [28, 29].

¹ For chaotic-laser RNG [51, 52, 53, 54], since the signal of the chaotic laser has a periodicity originating from the photon round trip time, it is essentially not a truly random source.

[Figure 4.2: two probability-versus-voltage histograms, (a) accurate functioning and (b) Eve shifting, each with the comparator threshold separating bit '0' from bit '1'.]

Figure 4.2: Eve's attack on QRNG. (a) The quantum source follows a Gaussian distribution, which is sampled by a comparator to generate random bit “0” or “1”. (b) The adversary (Eve) controls the classical noise to shift the mean value of the quantum source, and then guesses random bit “1” to acquire information.

Unfortunately, due to the difficulties of measuring quantum effects in real experiments, previous implementations of QRNG have been limited to a relatively slow rate (typically below 20 Mbits/s)². In 2009, Qi et al. proposed and built a fast QRNG by measuring the quantum phase fluctuations of a laser, which yields a speed of 500 Mbits/s [55, 56]. A similar scheme at a lower speed has also been demonstrated by Guo et al. [57]. Nonetheless, the key point is that the generation rates of all previous QRNGs are still too low for many applications, such as high-speed QKD [58].

On the other hand, in real experiments, the quantum randomness is inevitably mixed with the classical noise, which may be observed or even controlled by a potential adversary, Eve. If we consider a scenario where Eve tries to guess the outcomes from a QRNG, then she could take advantage of the side information due to classical noise. Fig. 4.2 illustrates an example of how Eve can control the classical noise to acquire information on the generated random numbers. This consideration is directly relevant to applications of randomness, especially those in cryptography, such as authentication, one-time pad encryption and QKD. With the exception of Refs. [29, 31], the possibility of such a potential adversary has rarely been considered in previous QRNGs.

² Very recently, a 2 Gbits/s QRNG based on vacuum state fluctuations has appeared [85].
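To make the side-information threat of Fig. 4.2 quantitative, the following added example (not from the thesis) models the comparator input as a quantum Gaussian plus a classical offset known to Eve and computes her guessing probability and the conditional min-entropy left in each raw bit, the quantity that post-processing has to be sized against. The Gaussian model, the comparator threshold at 0 and the σq and σc values are assumptions made here for illustration.

```python
import math


def normal_cdf(x):
    """Standard normal CDF, Phi(x), via the error function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def eve_guess_probability(shift, sigma_q):
    """Eve's probability of guessing the comparator output correctly.

    Assumed model: sampled voltage = quantum Gaussian noise N(0, sigma_q^2) plus a
    classical offset `shift` that Eve observes or controls; the comparator outputs
    bit "1" when the voltage is above 0. Eve's best guess is "1" for shift >= 0 and
    "0" otherwise, which is right with probability Phi(|shift| / sigma_q).
    """
    return normal_cdf(abs(shift) / sigma_q)


def conditional_min_entropy_bits(shift, sigma_q):
    """Min-entropy (bits) of one raw bit when Eve knows this particular offset."""
    return -math.log2(eve_guess_probability(shift, sigma_q))


def min_entropy_given_classical_noise(sigma_q, sigma_c, n=4001, width=8.0):
    """H_min(X|E) = -log2 E_s[ max_x P(X=x | s) ] for a classical offset s ~ N(0, sigma_c^2)
    that Eve knows exactly; midpoint-rule integration over s in [-width*sigma_c, +width*sigma_c].
    The result is how many secure bits one raw bit is worth after extraction.
    """
    if sigma_c == 0.0:
        return 1.0      # no side information: an unbiased bit is worth a full bit
    lo = -width * sigma_c
    step = 2.0 * width * sigma_c / n
    p_guess = 0.0
    for k in range(n):
        s = lo + (k + 0.5) * step
        density = math.exp(-0.5 * (s / sigma_c) ** 2) / (sigma_c * math.sqrt(2.0 * math.pi))
        p_guess += eve_guess_probability(s, sigma_q) * density * step
    return -math.log2(p_guess)


if __name__ == "__main__":
    # How much randomness survives as the classical noise Eve knows grows relative
    # to the quantum noise (constructed ratios, not measured values).
    for ratio in (0.0, 0.1, 0.5, 1.0, 2.0):
        h = min_entropy_given_classical_noise(sigma_q=1.0, sigma_c=ratio)
        print("sigma_c/sigma_q = %.1f -> H_min(X|E) = %.3f bits per raw bit" % (ratio, h))
```

For σc = σq the average guessing probability is exactly 3/4, so each raw bit carries only about 0.415 bits of min-entropy against Eve.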


The approach based on quantum non-locality [29] can produce information-theoretically provable randomness. However, the generation rate is very low (on the order of 1 bit/s) and thus unsuitable for practical applications. Gabriel et al. proposed a practical post-processing method to remove Eve's information [31]. It is important to perform such post-processing on the raw data to distill out a shorter, but more secure, string of random numbers. Unfortunately, the discussion there is based on Shannon entropy, which does not take finite-size effects into consideration. That is, the number of executions of a random process used for generating randomness is always finite in any real experiment. Thus, its randomness is not information-theoretically proven.

In theoretical computer science, there has also been a lot of interest in randomness post-processing methods, which are called randomness extractors [44, 86, 87]. The randomness from many extractors has been information-theoretically proven, such as Trevisan's extractor [86]. Nevertheless, none of these extractors have been implemented in a real QRNG experiment. Therefore, there is a large gap between theory and experiment.

4.2 Experimental demonstration

It is well known that the fundamental phase fluctuations (or noise) of a laser can be attributed to spontaneous emission, which is quantum mechanical by nature [88]. The quantum phase fluctuations are inversely proportional to the laser output power [88]. By operating the laser at a low intensity level, the quantum phase fluctuations can dominate over classical phase noise and are readily extracted to generate truly random numbers.

We have developed a delayed self-heterodyning system to measure the phase fluctuations. The schematic diagram of the experimental setup is shown in Fig. 4.3. A 1.55 µm single mode cw DFB diode laser (ILX Lightwave) operating at a low intensity level is the source of the quantum phase fluctuations. A PLC-MZI with a 500 ps delay difference (manufactured by NTT) is employed to convert the phase fluctuations into intensity fluctuations, which are subsequently detected by a 5 GHz InGaAs photodetector (Thorlabs). Note that to achieve a high interference visibility, a polarization maintaining fiber is used to connect the laser and the PLC-MZI. A temperature controller (TC) is used to stabilize the phase difference of the PLC-MZI. More discussion of the temperature control is given in Appendix A. The photodetector output is further digitized by an 8-bit analog-to-digital converter (ADC) to generate random bits.


[Figure 4.3 schematic: Laser → (polarization maintaining fiber) → PLC-MZI with TC → PD → ADC]

Figure 4.3: Experimental setup. Laser, 1550 nm cw DFB laser diode (ILX Lightwave); PLC-MZI, planar lightwave circuit Mach-Zehnder interferometer with a 500 ps delay difference (manufactured by NTT); TC, temperature controller (PTC 5K from Wavelength Electronics Inc.); PD, 5 GHz InGaAs photodetector (Thorlabs SIR5-FC); ADC, 8-bit analog-to-digital converter inside an oscilloscope (Agilent DSO81204A).

4.2.1 Physical model

By stabilizing the phase difference of the MZI at $2m\pi + \pi/2$ (where m is an integer), the output voltage V(t) from the photodetector (after removing a DC background) can be described by [88, 89]

$$V(t) \propto 2E(t)E(t+\tau)\sin(\Delta\theta(t)) \propto P\,\Delta\theta(t) \qquad (4.1)$$

where E(t) is the electric field of the input light, τ is the time delay difference between the two arms of the MZI, Δθ(t) is the total phase fluctuation and P is the laser output power. Here, Δθ(t) is sufficiently small that sin(Δθ(t)) ≈ Δθ(t) (see footnote 3). We have assumed that the intensity noise of the laser is negligible [88], which has also been verified experimentally (see discussion below).

It is convenient to further separate the total phase fluctuations into a quantum part and a classical part. While the quantum phase fluctuations are inversely proportional to the laser output power and can be treated as Gaussian white noise [89], the classical phase noise is independent of the laser power and could be controlled by Eve. Thus, the variance of the total phase fluctuations can be written as

$$\langle \Delta\theta(t)^2 \rangle = \frac{Q}{P} + C \qquad (4.2)$$

where Q/P and C represent the quantum phase fluctuations and the classical phase noise, respectively.

3 In our system, we measure that Δθ(t) is around 0.19. The assumption sin(Δθ(t)) ≈ Δθ(t) introduces an error of 0.6 % (sin(0.19) ≈ 0.1889), which is acceptable in our experiment.

In practice, the detection system will also contribute a laser-power-independent background noise F. Using Eqs. (4.1) and (4.2), the variance of the output voltage of a practical system, $V_{pr}(t)$, is given by

$$\langle V_{pr}(t)^2 \rangle = AQP + ACP^2 + F \qquad (4.3)$$

where A is a constant determined by the detection system.

4.2.2 Parameter optimization

In Eq. (4.3), the term AQP is the quantum-fluctuation part, from which true randomness can be extracted. We call it the quantum signal. On the other hand, the term ACP^2 + F quantifies the classical noise due to technical imperfections, which could potentially be controlled by an eavesdropper. In principle, the amount of extractable quantum randomness is independent of the magnitude of the classical noise. However, in practice, it is challenging to extract a small quantum signal on top of a large classical noise background. To generate high-quality random numbers, we would like to maximize the quantum signal while keeping the classical noise as low as possible.

One commonly used figure of merit in signal processing is the signal-to-noise ratio (SNR), which in our QRNG system can be defined as γ = AQP/(ACP^2 + F). Given the parameters AQ, AC and F, we can choose a suitable laser power P to maximize γ. Setting dγ/dP = 0 gives AC·P^2 = F, i.e. the optimum lies where the classical phase noise equals the background noise, at P* = sqrt(F/AC), with γ_max = AQ/(2 sqrt(AC·F)).

To determine the parameters AQ, AC and F experimentally, we measured the variance of V_pr(t) at different optical power levels and then fit the experimental data (least-squares fit) using Eq. (4.3). The experimental results and the corresponding confidence intervals (level α = 0.99) are shown in Table 4.1.

F (mV^2)      | AQ (mV^2/mW)   | AC (mV^2/mW^2)
0.36 ± 0.06   | 16.12 ± 0.49   | 0.40 ± 0.16

Table 4.1: Experimental results (with 0.99 confidence intervals) of the parameters in Eq. (4.3).

Using the data given in Table 4.1, we calculate the SNR γ as a function of laser power. The results are shown in Fig. 4.4. In the low and high power ranges, either the background noise F or the classical phase noise ACP^2 dominates over the quantum signal. The optimal ratio γ = 21 is achieved at P = 0.95 mW, in agreement with the analytic optimum of γ(P) for the fitted parameters, P* = sqrt(F/AC) = sqrt(0.36/0.40) ≈ 0.95 mW and γ_max = AQ/(2 sqrt(AC·F)) = 16.12/(2 sqrt(0.40 × 0.36)) ≈ 21. As discussed in the next Section, by operating the laser at this power, the extractable quantum randomness is also maximized. Therefore, we choose 0.95 mW as the laser working point.

[Figure 4.4 plot: quantum signal to classical noise ratio γ of the raw data (0 to 25) versus laser output power (0 to 9 mW), experiment and theory, with the optimum γ = 21 at 0.95 mW marked.]

Figure 4.4: Quantum signal to classical noise ratio. The theoretical curve of the signal to noise ratio γ = AQP/(ACP^2 + F) is obtained from the results given in Table 4.1, and the experimental results are measured with an oscilloscope under different laser powers. In the low and high power ranges, either the background noise F or the classical phase noise ACP^2 dominates over the quantum signal. The optimal ratio γ = 21 is achieved at P = 0.95 mW.

4.2.3 Experimental procedures

The experimental procedures for random number generation are as follows. The laser output power is set to 0.95 mW by adjusting its driving current. The TC (see footnote 4) is carefully adjusted to stabilize the phase difference of the PLC-MZI at 2mπ + π/2. The photodetector output is sampled by an 8-bit ADC at a sampling rate of 1 GSample/s (see footnote 5). Fig. 4.5 shows the sampling results acquired in 5 ms. As a comparison, in the same figure, we also show the background noise acquired when the laser is turned off. The histograms (Gaussian fit) of the sampling results are shown in Fig. 4.5(b).

We also perform measurements in the frequency domain by using an RF spectrum

4 The measured accuracy of the temperature controller is 0.01 °C, and the fluctuations of the set-point temperature of the PLC-MZI are smaller than 0.01 °C over a few hours. Details are shown in Appendix A.

5 The sampling time (1 ns) is larger than the sum of the MZI time difference (500 ps) and the detector response time (200 ps), which reduces the correlations between adjacent samples [56].


[Figure 4.5 plots: (a) time domain of the raw data, voltage (V, −0.02 to 0.02) versus time (ns, 0 to 5×10^6), total phase fluctuation and background noise; (b) fitted histogram of the same data (points versus voltage).]

Figure 4.5: (Color online) (a) Time domain of the raw data. The total phase fluctuations are measured at the optimal laser power 0.95 mW, while the background noise is acquired by blocking the laser output. (b) Histogram with Gaussian fit.

analyzer. Three different power spectra have been acquired: (1) the total phase fluctuation spectrum under the normal working conditions (0.95 mW); (2) the background noise spectrum acquired by turning off the laser; (3) the intensity noise spectrum acquired by connecting the laser output (at 0.95 mW) directly to the photodetector. The measurement results are shown in Fig. 4.6. We can see that under the normal operating condition, the intensity noise is negligible compared to the phase fluctuations. This result supports our previous assumption. As we expect from a perfect white noise source, the spectrum of the phase fluctuations itself is flat over the whole measurement frequency range. There are a few spectral lines in the spectrum of the background noise, which could be environmental EM noise picked up by our detector (see footnote 6).

6 There are mainly five spikes around 0, 100, 200, 500, and 650 MHz. These frequencies are all within practical broadcast radio bands (see http://www.fcc.gov/oet/spectrum).


[Figure 4.6 plot: power density (dBm, −90 to −55) versus frequency (MHz, 0 to 1000) for the total phase fluctuation, the intensity noise and the background noise.]

Figure 4.6: (Color online) Noise spectra. The spectral power density of the total phase fluctuations (blue), intensity noise (green), and background noise (red).

4.3 Quantum min-entropy evaluation

As mentioned in the above Section, the raw data from our QRNG is a mixture of the quantum signal and the classical noise, and the quantum fluctuations follow a non-uniform (Gaussian) distribution. In order to extract uniform quantum randomness, we apply a post-processing scheme that is composed of two main parts, quantum min-entropy evaluation and randomness extraction. In this Section, we focus on the quantum min-entropy evaluation.

A physical model is employed to evaluate the quantum randomness (min-entropy, defined in Eq. (4.4)) of the raw data. Our assumptions are as follows.

1. The quantum signal is independent of the classical noise;

2. The quantum signal follows a Gaussian distribution [89];

3. The quantum signal to classical noise ratio can be calculated (see Fig. 4.4);

4. The total phase fluctuations, the mixture of quantum signal and classical noise, can be characterized by random sampling;

5. The sequence of the raw data is independent and identically distributed (IID).

The quantum randomness of the raw data is evaluated by the min-entropy, defined

as below.


Definition 4.3.1 (min-entropy) The min-entropy of a distribution X on {0, 1}^n is defined by

$$H_\infty(X) = -\log_2\Big(\max_{v \in \{0,1\}^n} \Pr[X = v]\Big). \qquad (4.4)$$

Based on our physical model, we can calculate the quantum min-entropy of the raw data by the following procedure.

1. Determine the sampling range and evaluate the total variance: the working range of the sampling system (see ADC in Fig. 4.3) is determined by the total fluctuations of the raw analog data. From random sampling, we obtain the variance of the total fluctuations, AQP + ACP^2 + F.

2. Measure the signal to noise ratio: from experimental measurements, we derive the quantum signal to classical noise ratio γ = AQP/(ACP^2 + F), as shown in Fig. 4.4.

3. Evaluate the quantum variance: from steps 1 and 2, we calculate the variance of the quantum signal, AQP = (total variance) × γ/(1 + γ). This fixes the whole Gaussian distribution of the quantum signal.

4. Calculate the quantum min-entropy: given the ADC range, we evaluate the maximal probability of a single ADC bin under the Gaussian distribution derived in step 3; its negative base-2 logarithm is the min-entropy of the quantum signal (see footnote 7).

From our QRNG, we lower bound the min-entropy of the quantum signal at different laser optical powers, as shown in Fig. 4.7. We can see that the optimal laser power is around 0.95 mW and the corresponding min-entropy of the quantum signal is 6.7 bits per sample (out of 8 bits, sampled by an 8-bit ADC). The quantum min-entropy is stable for laser powers larger than 0.9 mW. Here, in step 1 of the min-entropy calculation, we determine the practical ADC range such that either the first or the last of the 256 bins (8-bit ADC) has a probability of 1/256. We remark that, in practice, the ADC range does affect the lower bound on the min-entropy. We perform a mathematical simulation to analyze this dependence, as shown in Fig. 4.8. It will be interesting to further investigate how to determine the optimal ADC range and maximize the quantum min-entropy in a real QRNG setup.

7 Given a specific value of the classical noise, the quantum signal is a shifted Gaussian distribution. If the quantum signal is shifted within a small range, the quantum min-entropy is lower bounded by the case in which the quantum signal is shifted to the center of one of the digital bins of the sampling system, where the maximal bin probability is largest.
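The SNR optimization of Section 4.2.2 and the four-step min-entropy evaluation above are carried through in the following Python script, an added worked example rather than the thesis's own code. It takes the fitted values of Table 4.1, finds the optimum P* = sqrt(F/AC), sets the 8-bit ADC range by the 1/256 edge-bin rule, and evaluates the maximal bin probability of the quantum Gaussian. Two things are assumptions of the example: the total variance comes from the model of Eq. (4.3) rather than from sampling, and an `offset_mv` parameter is added to show what happens to the bound when the classical offset is not small (footnote 7) and pushes the signal into ADC saturation. It reproduces the optimum at 0.95 mW with γ ≈ 21 and an entropy close to the quoted 6.7 bits; it is an idealized model, not the measured curve of Fig. 4.7.

```python
"""Worked example (added; not the thesis's code): SNR optimisation from
Eq. (4.3) and the quantum min-entropy evaluation of Section 4.3, using the
fitted parameters of Table 4.1."""
import math
from statistics import NormalDist

# Fitted parameters from Table 4.1 (units: mV^2, mV^2/mW, mV^2/mW^2)
F_BG = 0.36     # detector background noise F (laser-power independent)
AQ = 16.12      # quantum coefficient A*Q
AC = 0.40       # classical phase-noise coefficient A*C
ADC_BITS = 8


def total_variance(p_mw, aq=AQ, ac=AC, f=F_BG):
    """<V_pr(t)^2> = AQ*P + AC*P^2 + F  (Eq. 4.3), in mV^2."""
    return aq * p_mw + ac * p_mw ** 2 + f


def snr(p_mw, aq=AQ, ac=AC, f=F_BG):
    """Quantum signal to classical noise ratio gamma = AQ*P / (AC*P^2 + F)."""
    return aq * p_mw / (ac * p_mw ** 2 + f)


def optimal_power(ac=AC, f=F_BG):
    """d gamma/dP = 0 gives AC*P^2 = F: the optimum is where the classical
    phase noise equals the background noise, P* = sqrt(F/AC)."""
    return math.sqrt(f / ac)


def adc_half_range(sigma_total, bits=ADC_BITS):
    """Half-range R of the ADC chosen so that the first (and, by symmetry, the
    last) of the 2^bits bins carries 1/2^bits of the total-fluctuation mass.
    Everything below -R saturates into the first bin, so that bin's mass is the
    Gaussian lower tail up to its upper edge, -R + 2R/2^bits."""
    nbins = 2 ** bits
    z = NormalDist().inv_cdf(1.0 / nbins)          # negative z-score of the tail
    # -R + 2R/nbins = z*sigma  =>  R = -z*sigma / (1 - 2/nbins)
    return -z * sigma_total / (1.0 - 2.0 / nbins)


def bin_probabilities(sigma_q, mean_mv, half_range, bits=ADC_BITS):
    """Probability of each of the 2^bits ADC bins under N(mean_mv, sigma_q^2),
    the two edge bins absorbing the saturated tails."""
    nbins = 2 ** bits
    width = 2.0 * half_range / nbins
    g = NormalDist(mean_mv, sigma_q)
    probs = []
    for i in range(nbins):
        lo = 0.0 if i == 0 else g.cdf(-half_range + i * width)
        hi = 1.0 if i == nbins - 1 else g.cdf(-half_range + (i + 1) * width)
        probs.append(hi - lo)
    return probs


def quantum_min_entropy(p_mw, offset_mv=None, bits=ADC_BITS):
    """Steps 1-4 of Section 4.3, in bits per ADC sample.

    1. total variance (here from the model; in the experiment from sampling),
    2. gamma from the fit,
    3. quantum variance AQ*P = total * gamma/(1+gamma), fixing the Gaussian,
    4. maximal bin probability of that Gaussian shifted by the classical
       offset `offset_mv`; the default puts its mean on a bin centre, the
       worst case for small shifts (footnote 7).  H_min = -log2(p_max).
    """
    var_total = total_variance(p_mw)
    gamma = snr(p_mw)
    sigma_q = math.sqrt(var_total * gamma / (1.0 + gamma))
    r = adc_half_range(math.sqrt(var_total), bits)
    width = 2.0 * r / 2 ** bits
    if offset_mv is None:
        offset_mv = width / 2.0      # zero is a bin edge, so this is a bin centre
    p_max = max(bin_probabilities(sigma_q, offset_mv, r, bits))
    return -math.log2(p_max)


if __name__ == "__main__":
    p_opt = optimal_power()
    print(f"P* = {p_opt:.3f} mW, gamma(P*) = {snr(p_opt):.1f}")
    for p in (0.2, 0.5, 0.95, 2.0, 5.0):
        print(f"P = {p:4.2f} mW  gamma = {snr(p):5.1f}  "
              f"H_min = {quantum_min_entropy(p):.2f} bits/sample")
    print(f"16-bit ADC at P*: H_min = {quantum_min_entropy(p_opt, bits=16):.2f} bits")
    # A large classical offset drives the quantum signal into ADC saturation:
    print(f"offset 50 mV at P*: H_min = {quantum_min_entropy(p_opt, 50.0):.2f} bits")
```

The last line of the demo is the check a practitioner should keep in mind: the lower bound rests on footnote 7's "small shift" condition, and once an adversary-controlled classical offset is comparable to the ADC range the quantum Gaussian collapses into an edge bin and the bound goes to zero, so the offset (DC background and drift) has to be monitored, not just subtracted.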


[Figure 4.7 plot: lower bound of the quantum min-entropy (bits, 0 to 8) versus laser optical power P (mW, 0 to 8), with 6.7 bits at 0.95 mW marked.]

Figure 4.7: Lower bound of the quantum min-entropy of the raw data. The optimal laser power is around 0.95 mW and the corresponding quantum min-entropy is 6.7 bits per raw sample (out of 8 bits, sampled by the 8-bit ADC in Fig. 4.3).

Figure 4.8: The relation of the quantum min-entropy (Z axis) to the ADC range (X axis) and the laser power. There is no single optimum, but a range of ADC range and laser power combinations that are conditionally optimal.

To show how much room is left for further improvement in post-processing, we also upper-bound the min-entropy. In the setup of Fig. 4.3, the quantum signal is measured by a PD. In the ideal case, the PD can resolve the photon number of the optical signal. The laser power used in our setup is 0.95 mW, and the time constant of our PD is around 200 ps (5 GHz PD in Fig. 4.3). This corresponds to 0.95 mW × 200 ps ≈ 1.9 × 10^-13 J, i.e. about 1.5 × 10^6 photons at a wavelength of 1550 nm (photon energy ≈ 1.28 × 10^-19 J) within 200 ps. Thus, the maximal entropy of a sample from the PD is log2(1.5 × 10^6) ≈ 20.5 bits, which is the upper bound on the min-entropy of our QRNG source.

In our experimental demonstration, we use an 8-bit ADC in the end, which results in a min-entropy of 6.7 bits per sample. Therefore, up to a factor of 3 improvement in the random number generation rate could potentially be achieved by a higher-resolution ADC (such as a 16-bit ADC). Nonetheless, the min-entropy is ultimately bounded by 20.5 bits per sample as shown above.

4.4 Randomness extraction

After quantifying the quantum randomness, randomness extraction is applied to distill uniform quantum random numbers from the raw data. In this section, we first briefly review various extraction schemes used in QRNGs, for instance least significant bits (LSB), XOR (exclusive-OR) and hashing, and then present our extraction scheme: the strong randomness extractor. We implement two strong randomness extractors, Toeplitz-hashing [44] and Trevisan's extractor [86], both of which are proven to be information-theoretically secure.

4.4.1 Extraction schemes: Review

A randomness extractor is an algorithm that generates nearly perfect random numbers from the output of a high-entropy source. Various randomness extraction schemes have been employed in the implementation of QRNGs. The most widely used one is least significant bits (LSB), which has been used in the QRNGs of Refs. [30, 51, 53, 54, 57, 85]. An m-bit LSB takes the last m bits of each sample and simply discards the rest. Applying LSB flattens a non-uniform distribution to make it more uniform. Intuitively, LSB performs a "re-binning" by combining certain digital bins. For example, if the pdf (probability density function) of the raw data (sampled by an 8-bit ADC) is a Gaussian curve, a 7-bit LSB cuts the curve into two halves and superposes the second half onto the first. A 6-bit LSB cuts the resulting pdf from the 7-bit LSB into two halves and superposes them again. The procedure repeats until the m-bit LSB is reached.


[Figure 4.9 plots: histogram of the raw 8-bit data (0 to 255), and the probability p of the 7-bit, 6-bit and 5-bit numbers after XOR combined with 7-LSB, 6-LSB and 5-LSB respectively.]

Figure 4.9: The resulting distributions of different XOR (exclusive-OR) and LSB (Least Significant Bits) extractions. The histogram of the raw data follows a Gaussian distribution. XOR combined with 6-LSB has processed the original Gaussian distribution into a uniform distribution.

To reduce the bias and possible correlations of the raw data, another popular randomness extraction scheme is XOR (exclusive-OR, or mod 2 addition). For instance, in the QRNGs of [55, 57, 79], XOR is applied to eliminate correlations between consecutive samples and improve the quality of the randomness.

Here, we have also tested the XOR and LSB schemes on our raw data, which is generated by the procedure discussed in Section 4.2. The resulting distributions for different LSB settings are shown in Fig. 4.9. We also applied XOR with 6-bit LSB to our 1 Gbit raw data. The extracted results successfully passed the random test suites Diehard [90] and NIST [91]. We remark, however, that since we cannot provide an information-theoretic proof for the XOR-LSB procedure, it is arguable whether XOR-LSB can indeed extract perfectly uniform random bits: passing statistical tests is a necessary condition, not a proof of randomness.
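The re-binning described above, and its XOR companion, can be checked exactly on the distribution rather than on samples. The following Python is an added example (not the thesis's processing): it folds an 8-bit Gaussian pmf into m least-significant bits exactly as described, XORs two independent folded samples, and reports the total variation distance to uniform and the min-entropy of the result. The Gaussian width (σ = 26 ADC codes, mean at the centre of the range) is a constructed stand-in for the measured histogram, not a measured value.

```python
"""Worked example (added; not the thesis's code): LSB 're-binning' and XOR
post-processing applied to the exact pmf of an 8-bit Gaussian raw sample."""
import math
from statistics import NormalDist


def gaussian_adc_pmf(sigma_codes, mean_code=127.5, bits=8):
    """pmf over the 2^bits ADC codes for N(mean, sigma^2) measured in ADC codes,
    with the two edge codes absorbing the saturated tails."""
    n = 2 ** bits
    g = NormalDist(mean_code, sigma_codes)
    pmf = []
    for code in range(n):
        lo = 0.0 if code == 0 else g.cdf(code - 0.5)
        hi = 1.0 if code == n - 1 else g.cdf(code + 0.5)
        pmf.append(hi - lo)
    return pmf


def lsb_fold(pmf, m):
    """Keep the m least-significant bits: code -> code mod 2^m.  This superposes
    the upper half of the histogram onto the lower half, repeated until only
    2^m bins remain (the re-binning of Section 4.4.1)."""
    out = [0.0] * (2 ** m)
    for code, p in enumerate(pmf):
        out[code % (2 ** m)] += p
    return out


def xor_combine(pmf_a, pmf_b):
    """pmf of a XOR b for independent samples a ~ pmf_a and b ~ pmf_b."""
    n = len(pmf_a)
    out = [0.0] * n
    for a, pa in enumerate(pmf_a):
        for b, pb in enumerate(pmf_b):
            out[a ^ b] += pa * pb
    return out


def statistical_distance(pmf):
    """Total variation distance to the uniform distribution on len(pmf) values."""
    u = 1.0 / len(pmf)
    return 0.5 * sum(abs(p - u) for p in pmf)


def min_entropy(pmf):
    """H_min = -log2(max probability), in bits (Eq. 4.4)."""
    return -math.log2(max(pmf))


def report(sigma_codes=26.0):
    """(m, dist after m-LSB, H_min after m-LSB, dist after XOR of two m-LSB
    samples, H_min after that XOR) for m = 8 (no folding), 7, 6, 5."""
    raw = gaussian_adc_pmf(sigma_codes)
    rows = []
    for m in (8, 7, 6, 5):
        folded = lsb_fold(raw, m)
        xored = xor_combine(folded, folded)
        rows.append((m, statistical_distance(folded), min_entropy(folded),
                     statistical_distance(xored), min_entropy(xored)))
    return rows


if __name__ == "__main__":
    print(" m   dist(LSB)  Hmin(LSB)    dist(XOR-LSB)  Hmin(XOR-LSB)")
    for m, d1, h1, d2, h2 in report():
        print(f"{m:2d}  {d1:9.4f}  {h1:6.3f}/{m}   {d2:12.4f}  {h2:6.3f}/{m}")
```

Two things are worth reading off the output. Every fold is a deterministic function of the sample, so by the data-processing inequality it can only reduce the statistical distance to uniform, and XOR of two independent samples never increases the maximal probability; but neither step comes with a bound on how close to uniform the result is for a given min-entropy, which is exactly what the extractor proof of Section 4.4.2 supplies.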

Another promising extraction scheme is hashing. In computer science, various hash functions have been proposed to realize randomness extraction [92]. Hence, we can build the software algorithm and apply it to a QRNG. Indeed, more recent scientific attention has shifted to hash functions, for instance the SHA-512 function [31], the Bose-Chaudhuri-Hocquenghem (BCH) function [80] and Whirlpool [84].

Among these hashing implementations, the one proposed by Gabriel et al. [31] together with their entropy evaluation method is interesting. Their data processing can essentially be divided into two steps, "binning" and "hashing". In the "binning" process, they start with a 16-bit ADC and combine some of the bins so that all bins carry equal probability mass. Then they calculate the Shannon entropy of the classical noise and of the total noise (quantum signal plus classical noise) separately for each bit value, and show that the difference of those two entropies plateaus at 5 bits. After determining that the Shannon entropy of the quantum signal is lower bounded by 3.25 bits, they applied the SHA-512 algorithm as the hash function to extract 3 bits/sample. In general, this algorithm is carefully developed and can be easily realized in hardware. We remark that it is important to perform such post-processing on the raw data to distill out a shorter but more secure string of random numbers. Unfortunately, the discussion there [31] is based on Shannon entropy, which does not take finite-size effects (i.e., the number of executions of a random process used for generating randomness is always finite in any real experiment) into consideration. The entropy evaluation method there is also not efficient: it costs at least one random bit per sample (see footnote 8). Furthermore, SHA-512 is not a universal hash function and is therefore not an information-theoretically provable randomness extractor. Therefore, the random numbers generated there cannot be theoretically verified as random.

In summary, up to now, none of the randomness extraction schemes used in QRNGs, including XOR, LSB and (non-universal) hashing, strictly constitute a randomness extractor in the sense of [44, 86, 87]. Fortunately, in theoretical computer science, there indeed exist information-theoretically proven extractors, such as Trevisan's extractor [86]. However, these extractors had never been implemented in a real QRNG experiment. Therefore, there is a large gap between theory and experiment. Here, we close the gap by implementing two information-theoretically secure extractors, Trevisan's extractor [86] and Toeplitz-hashing [44].

4.4.2 Toeplitz-hashing extractor

Due to the similarity between the definitions of extractors [44] and privacy amplification [93], any privacy amplification scheme can in principle be used as an extractor. In privacy amplification, the widely used function family is universal hashing, defined as follows.

Definition 4.4.1 (Universal hashing) A class G of functions A → B is universal_2 (universal for short) if, for any distinct x_1 and x_2 in A, the probability that g(x_1) = g(x_2) is at most 1/|B| when g is chosen uniformly at random from G.

8 The scheme of [31] also does not work when the classical noise is larger than the quantum noise.


Among the universal hash functions, Toeplitz-hashing [94, 95] has the advantages of a shorter random seed (the random bits used to choose a hash function from the family) and computational simplicity in hardware; thus it is a popular choice in privacy amplification. Nonetheless, in the QKD privacy amplification task the random seed is assumed to be free [93], whereas in randomness extraction it has to be accounted for. A direct transplant of privacy amplification schemes may therefore not work for randomness extraction. In fact, for Toeplitz-hashing [94, 95], the random seed used to construct a Toeplitz matrix is longer than the output string. To overcome this, one needs to prove that the privacy amplification scheme constructs a strong extractor, whose output remains close to uniform even given the seed, so that the seed need not be kept secret. The definition of a strong extractor is the following.

Definition 4.4.2 (Strong extractor) A (k, ε, n, d, m)-strong extractor Ext(X, U_d) is an extractor such that, for any source X on {0, 1}^n with H_∞(X) ≥ k, the distribution Ext(X, U_d) ∘ U_d is ε-close to the uniform distribution on {0, 1}^{m+d}.

Fortunately, the extractors constructed from universal hash functions [96] can be easily proven to be strong extractors by the Leftover Hash Lemma [97].

Lemma 4.4.3 (Leftover Hash Lemma [97]) Let H = {h_1, h_2, ..., h_{2^d}} be a universal hash family mapping {0, 1}^n to {0, 1}^m, and X be a distribution on {0, 1}^n with H_∞(X) ≥ k. Then for x ← X and h_y ∈ H with y ← U_d, the distribution of h_y(x) ∘ y is ε = 2^{(m−k)/2}-close to U_{m+d}. That is, it forms a (k, 2^{(m−k)/2}, n, d, m)-strong extractor.

We use Toeplitz matrices to construct the universal hash function [94, 95, 98]. An m × n Toeplitz matrix (m output bits, n input bits) requires only the specification of its first row and first column; every other element is determined by the constant value along each diagonal descending from left to right, T[i][j] = s[i − j + n − 1] for a seed bit string s. Thus, the total number of random bits required to construct (choose) a Toeplitz matrix is n + m − 1.

The procedure of the Toeplitz-hashing extractor is given as follows.

1. Given raw data of size n with min-entropy k and a security parameter ε, determine the output length from the Leftover Hash Lemma (ε = 2^{(m−k)/2}) to be

m = k + 2 log2 ε = k − 2 log2(1/ε), (4.5)

i.e. each halving of ε costs two output bits.

2. Construct a Toeplitz matrix from an (n + m − 1)-bit random seed. For demonstration purposes, we use pseudo-random numbers in this step.


3. The extracted random bit string is obtained by multiplying the raw data by the Toeplitz matrix over GF(2) (bitwise AND and XOR).

As calculated in Section 4.3, the min-entropy of our raw data is lower bounded by about 6.78 bits per 8-bit sample. With an input bit-string length of 2^12 = 4096 bits (512 samples), the min-entropy of the input is k ≈ 512 × 6.78 ≈ 3471 bits, and the output bit-string length is set to 3471 bits (the 2 log2(1/ε) reduction of Eq. (4.5), e.g. 100 bits for ε = 2^-50, is neglected in this demonstration). Thus, we use a 3471 × 4096 Toeplitz matrix for randomness extraction. Our implementation of Toeplitz-hashing is based on MATLAB on a standard PC. The generation rate is 441 kb/s (see footnote 9). The availability of 64-bit computers with more than 4 GBytes of memory extends the input size from 2^12 = 4096 to 2^14 = 16,384. Although cost effective in terms of seed length, the increased input length does entail a speed penalty due to the O(nm) complexity of the matrix-vector multiplication.

We finally discuss how to generate the random seed for Toeplitz-hashing. Even though the seed length (n + m − 1) needed to specify a Toeplitz matrix is short, it is still longer than the output length m. Therefore, if we want to use a secure quantum source to pick the seed at random, we cannot afford picking a new seed for every extraction. Fortunately, reusing the seed only increases the deviation of the actual average entropy from the uniform distribution [94, 98]. We can reuse the seed at a rate that keeps the deviation negligible and the entropy spent on the seed small compared to the extracted entropy. One secure scheme to construct the random seed is to use previously extracted random bits. In a real setup, using a small portion of the extracted bits as the next seed can be realized in software or hardware. However, we recognize that it is not easy to construct such a hardware circuit operating at GHz rates. The solution to this problem is to use a pseudo-RNG for seed generation. As long as the pseudo-RNG produces the desired uniformity, it can be used to generate the random seed. Note that the guarantee of Lemma 4.4.3 assumes a uniformly random seed, so a pseudo-random seed is a demonstration convenience rather than part of the proof. In our demonstration, we employ the pseudo-RNG of MATLAB to generate the random seed for every 4096-bit input. The extracted bit sequence successfully passes all the statistical test suites of Diehard [90], NIST [91] and TestU01 [99] (SmallCrush). The test results are shown in Section 4.5.1.
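Here is an added Python implementation of the three steps (example code, not the MATLAB code used in the thesis). `output_length` applies Eq. (4.5) with the sign as it follows from Lemma 4.4.3, the Toeplitz matrix is never materialized but read off the seed as T[i][j] = s[i − j + n − 1], and the GF(2) product is done with word-level AND and popcount; a bit-by-bit reference multiplication is kept for cross-checking. The seed is drawn from the OS in `demo` for simplicity and the input bits are constructed; `demo`, its sizes and its ε are assumptions of the illustration.

```python
"""Worked example (added; not the thesis's code): Toeplitz-hashing strong
extractor over GF(2) with the seed-length and output-length bookkeeping."""
import math
import secrets


def output_length(k_bits, eps):
    """Leftover Hash Lemma: eps = 2^((m-k)/2)  =>  m = k + 2*log2(eps).
    For eps < 1 the second term is negative, so m < k (eps = 2^-50 costs 100 bits)."""
    return int(math.floor(k_bits + 2 * math.log2(eps)))


def seed_length(n, m):
    """Random bits needed to choose an m x n Toeplitz matrix: first column plus
    first row, which share the corner element."""
    return n + m - 1


def toeplitz_entry(seed, i, j, n):
    """T[i][j] for an m x n Toeplitz matrix whose (n+m-1)-bit seed holds the
    first row (reversed) followed by the first column: constant along diagonals."""
    return (seed >> (i - j + n - 1)) & 1


def toeplitz_extract_ref(raw_bits, seed, n, m):
    """Reference: y_i = XOR_j T[i][j] * x_j, one bit at a time (O(nm) bit ops).
    raw_bits is a list of n bits x_0..x_{n-1}; returns a list of m output bits."""
    assert len(raw_bits) == n and seed < (1 << seed_length(n, m))
    return [sum(toeplitz_entry(seed, i, j, n) & raw_bits[j] for j in range(n)) & 1
            for i in range(m)]


def toeplitz_extract(raw, seed, n, m):
    """Same product with word-level operations.  Row i of T is the n-bit window
    seed[i .. i+n-1]; applied to the bit-reversed input, each output bit is the
    parity of a single AND of big integers.  raw is an n-bit int with bit j = x_j;
    the result is an m-bit int with bit i = y_i."""
    assert raw < (1 << n) and seed < (1 << seed_length(n, m))
    mask = (1 << n) - 1
    raw_rev = int(f"{raw:0{n}b}"[::-1], 2)      # bit u of raw_rev = x_{n-1-u}
    out = 0
    for i in range(m):
        parity = bin((seed >> i) & raw_rev & mask).count("1") & 1
        out |= parity << i
    return out


def bits_to_int(bits):
    return sum(b << i for i, b in enumerate(bits))


def int_to_bits(value, length):
    return [(value >> i) & 1 for i in range(length)]


def demo(n=64, hmin_per_sample=6.7, eps=2 ** -10):
    """Extract from n raw bits, viewed as n/8 8-bit samples with hmin_per_sample
    bits of min-entropy each (assumed figures).  The input is constructed from
    OS randomness as a stand-in for ADC samples; the seed is fresh here, whereas a
    deployed extractor would reuse it as discussed in Section 4.4.2."""
    k = (n // 8) * hmin_per_sample
    m = output_length(k, eps)
    seed = secrets.randbits(seed_length(n, m))
    raw = secrets.randbits(n)
    return m, toeplitz_extract(raw, seed, n, m)


if __name__ == "__main__":
    print("thesis sizes: m =", output_length(3471, 2 ** -50),
          "for n = 4096, k = 3471, eps = 2^-50; seed bits for a 3471 x 4096 matrix:",
          seed_length(4096, 3471))
    m, y = demo()
    print(f"demo: {m} output bits -> {y:0{m}b}")
```

For the thesis parameters (n = 4096, k ≈ 3471) `seed_length` gives 7566 seed bits for a 3471 × 4096 matrix, the seed-longer-than-output situation discussed above, and `output_length` with ε = 2^-50 gives 3371 rather than 3471 output bits; that 100-bit difference is the price of the security parameter the text neglects.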

4.4.3 Trevisan’s extractor

Trevisan proposed an approach to construct extractors based on pseudo-random generators [86]. Here, we implement its improved version by Raz, Reingold and Vadhan [100]. There are two main steps in constructing a Trevisan extractor: an error correcting code and a combinatorial design. The error correcting code is constructed by concatenating a Reed-Solomon code

9 Toeplitz-hashing can be implemented much faster in hardware [95].


with a Hadamard code [101]. For the combinatorial design part, we implement a refined version of the Nisan-Wigderson design [102, 103].

In our implementation, the top generation rate of our extractor is 706.8 bits/s. This low speed is a consequence of the lack of an efficient implementation of finite field operations. While slow, Trevisan's extractor does pass the statistical tests more stringently (see Section 4.5.1). Although Trevisan's extractor may be more secure than Toeplitz-hashing, the severe restriction on speed has limited its usage in real-time applications. One conclusion is to use hashing in speed-critical applications, and Trevisan's extractor in security-critical applications where speed can be sacrificed for security. Furthermore, our implementation is done on an ordinary personal computer (PC), but a mainframe computer can perform the finite field operations much faster than a PC. As a future perspective, once we tackle the implementation on a graphics processing unit (GPU) platform, the architecture of the GPU will allow us to exploit the intrinsic parallelism of the extractor much more efficiently via its multi-threading capability.

4.5 Randomness verification

4.5.1 Statistical tests

We employ three statistical test suites, Diehard [90], NIST [91] and TestU01 [99], to evaluate the randomness of the extracted results from Toeplitz-hashing and Trevisan's extractor. Each test suite contains many individual tests, and each individual test evaluates one aspect of randomness (e.g. bias, repetition and so on). The implementation details of these test suites are shown in Appendix C.1. Given the constraint of computational power, we only perform the Diehard test on Trevisan's extractor. Without post-processing, the raw data cannot pass any statistical test, which is mainly due to the classical noise mixed into the raw data and the fact that the measured quantum fluctuations follow a Gaussian distribution instead of a uniform distribution. This demonstrates the need for effective post-processing in our QRNG. After Toeplitz-hashing and Trevisan's extractor, the outputs successfully pass all the standard statistical tests.

We also perform the statistical tests on a pseudo-RNG, the MATLAB 2007 internal RNG. It generates uniformly random integers from 0 to 255 (emulating the 8-bit ADC output). After converting the 8-bit integers to bits, the bit sequence is written to a binary file, which is fed into the test suites. It cannot pass all tests without exposing the underlying determinism. This result further confirms the effectiveness of our extractors. The test results are shown in Tables C.2, C.3 and C.4 of Appendix C.1.

4.5.2 Autocorrelation

Another approach to verify randomness is to evaluate the autocorrelation, and check the

absence or periodic correlation. The autocorrelation R of a sequence X is defined as

R(τ) =E[(Xi − µ)(Xi+τ − µ)]

σ2(4.6)

where E is the expected value operator, τ is the sample delay, µ is the mean and σ is

the standard derivation of X.

The autocorrelation results of our raw data are shown in Fig. 4.10(a) to Fig. 4.10(d). The raw data from our QRNG are digitized by an 8-bit ADC; therefore, the autocorrelation between bits (Fig. 4.10(a)) is only significant up to the 7th bit delay and, beyond that, the autocorrelation is negligible. The low values of autocorrelation between samples (Fig. 4.10(b)) support the assumption of an IID raw sequence; the slightly larger coefficient at the 2nd delay sample can be attributed to the finite bandwidth of our photodetector. We remark that the correlation among samples cannot reach zero for a practical detector with finite bandwidth. Eve might exploit this correlation and gain partial information on the generated random numbers. In principle, we can remove Eve's information by using the same randomness extractor developed in this paper.

After post-processing, the autocorrelation of the outputs from both extractors is substantially improved, as shown in Fig. 4.11(a) to Fig. 4.11(d). In theory, for an infinite IID random process, the autocorrelation is a broadband white curve. In practice, however, because of the inevitable bias and the finite data size, the autocorrelation of a data sequence can never reach 0. A back-of-the-envelope calculation [104] shows the effect of truncation on the autocorrelation coefficient: from the central limit theorem, one standard deviation corresponds to a range of autocorrelation $[-1/\sqrt{n},\ 1/\sqrt{n}]$, where n is the data size.
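The autocorrelation check described in this section, worked through in code. This is an added example written for this edit, not code from the thesis: it implements the normalized estimator of Eq. (4.6), the bit-level view of 8-bit ADC samples, and the $\pm 1/\sqrt{n}$ one-sigma band from the central limit theorem, and flags delays whose coefficient exceeds that band. The input is a constructed sample stream; the function names, the 3-sigma threshold, and the two-sample memory built into the constructed data (standing in for a finite-bandwidth detector) are this example's own assumptions.

```python
"""Normalized autocorrelation of RNG output at bit and sample level, with the
+-1/sqrt(n) one-sigma band that the central limit theorem predicts for a
finite record of an IID sequence.  Added example, not the thesis's code."""
import math
import random
from typing import List


def autocorrelation(x: List[float], tau: int) -> float:
    """R(tau) = E[(X_i - mu)(X_{i+tau} - mu)] / sigma^2, estimated from one record."""
    n = len(x)
    if not 0 <= tau < n:
        raise ValueError("delay must satisfy 0 <= tau < len(x)")
    mu = sum(x) / n
    var = sum((v - mu) ** 2 for v in x) / n
    if var == 0.0:
        raise ValueError("a constant sequence has no defined autocorrelation")
    cov = sum((x[i] - mu) * (x[i + tau] - mu) for i in range(n - tau)) / (n - tau)
    return cov / var


def samples_to_bits(samples: List[int], width: int = 8) -> List[int]:
    """Unpack ADC samples into a bit sequence, most significant bit first,
    so that a delay of `width` bits compares the same bit of adjacent samples."""
    bits: List[int] = []
    for s in samples:
        if not 0 <= s < (1 << width):
            raise ValueError(f"sample {s} does not fit in {width} bits")
        bits.extend((s >> (width - 1 - k)) & 1 for k in range(width))
    return bits


def clt_band(n: int) -> float:
    """One standard deviation of R(tau) for an IID record of size n: 1/sqrt(n)."""
    return 1.0 / math.sqrt(n)


def significant_delays(x: List[float], max_delay: int, k_sigma: float = 3.0) -> List[int]:
    """Delays whose |R(tau)| exceeds k_sigma times the CLT band, i.e. structure
    that the finite data size alone does not explain (assumed threshold)."""
    threshold = k_sigma * clt_band(len(x))
    return [tau for tau in range(1, max_delay + 1)
            if abs(autocorrelation(x, tau)) > threshold]


def make_constructed_samples(n: int, seed: int = 7) -> List[int]:
    """Constructed stand-in for 8-bit ADC output: Gaussian samples in which each
    value carries half of the value two samples earlier, imitating a detector
    whose finite bandwidth leaks memory into the raw data (expected R(2) = 0.4)."""
    rng = random.Random(seed)
    g = [rng.gauss(0.0, 1.0) for _ in range(n + 2)]
    samples = []
    for i in range(n):
        v = 127.5 + 30.0 * (g[i + 2] + 0.5 * g[i])
        samples.append(min(255, max(0, int(round(v)))))
    return samples


if __name__ == "__main__":
    raw = make_constructed_samples(20000)
    bits = samples_to_bits(raw)
    print("sample-level R(1..4):", [round(autocorrelation(raw, t), 3) for t in range(1, 5)])
    print("sample-level delays above 3 sigma:", significant_delays(raw, 10))
    print("bit-level delays above 3 sigma:", significant_delays(bits, 24))
    print("1/sqrt(n) band for the bit record:", clt_band(len(bits)))
```

Running the module reports the sample-level coefficient at delay 2 (near 0.4 for the constructed data, far outside the band) and, at bit level, the delays within one 8-bit sample plus the delay of 16 bits that the two-sample memory produces; an IID stream would leave every delay inside the band up to the expected false-alarm rate of the threshold.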

4.6 Discussions and conclusions

In post-processing, we find that our implementations of randomness extractors with

MatLab on a standard laptop computer are not fast enough (with a maximal speed of

441 kbit/s) for a real-time high-speed QRNG. In practice, this might restrict the random

bit generation speed. It will be interesting for future investigations to create a real-time

extractor (by a better software or hardware implementation) for our high-speed QRNG.

Our system can be further improved as follows. The sensitivity of the detection

system can be further improved by replacing the photodetector with a balanced detector

followed by an electrical subtraction circuit. The DFB laser used could be replaced by

a combination of a broadband light source and a narrowband optical filter. In this case,

the linewidth is determined by the bandwidth of the filter. The real-time oscilloscope

can be replaced by a fast and high-resolution ADC.

In conclusion, we have successfully demonstrated an ultrafast QRNG at a generation

rate of over 6 Gb/s. The randomness is generated from the intrinsic quantum phase

fluctuations of a laser. Our work not only highlights the importance of the quantification of quantum randomness and of considering possible attacks by Eve in a practical QRNG, but also demonstrates the large potential of random number generation using quantum phase fluctuations as the true entropy source.

[Figure 4.10 panels: autocorrelation coefficient (log scale) versus delay, positive and negative values plotted separately. (a) Raw data between bits (100 delay), delay in bits; (b) Raw data between samples (100 delay), delay in samples; (c) Raw data between bits (1000 delay), delay in bits; (d) Raw data between samples (1000 delay), delay in samples.]

Figure 4.10: Autocorrelation of the raw data. All normalized correlation is evaluated

from a 10 Mb record of the raw data. (a) The average value is 9.5 × 10−4. The most

significant correlations are within 8 bits (from one sample digitized by an 8-bit ADC).

(b) The average value is 4.9×10−4. The correlation among samples cannot reach zero for

a practical detector with finite bandwidth. (c) The average value is −9.2×10−5. (d) The

average value is 1.2 × 10−4. It demonstrates the absence of long period autocorrelation.

[Figure 4.11 panels: autocorrelation coefficient (log scale) versus delay in bits, positive and negative values plotted separately. (a) Toeplitz-hashing (100 delay); (b) Trevisan's extractor (100 delay); (c) Toeplitz-hashing (1000 delay); (d) Trevisan's extractor (1000 delay).]

Figure 4.11: Autocorrelation after randomness extraction (Toeplitz-hashing or Trevisan’s

extractor). The data size is 10 × 106 bits for each case. In theory, for a truly random

10× 106 bit string, the average normalized correlation is 0 and the standard deviation is

2.2 × 10−5. (a) The average value is −1.0 × 10−5. (b) The average value is 1.6 × 10−5.

(c) The average value is 1.1 × 10−6. (d) The average value is 1.5 × 10−5.

Chapter 5

Conclusion and Outlook

“There is no royal road to science, and only those who do not dread the fatiguing climb

of gaining its numinous summits.” - Karl Marx

5.1 Conclusion

In this thesis, I intensively studied two imperfections in practical quantum cryptosystems

- phase-remapping attack and quantum random number generator - and their security

consequences.

5.1.1 Phase-remapping attack

Unconditional security proofs of various QKD protocols are built on idealized assump-

tions. However, a real-life QKD system may contain overlooked imperfections, which can

violate some of these assumptions. An adversary could exploit these imperfections and

launch specific quantum attacks in a practical implementation of QKD. In this thesis, I

investigated one of these imperfections in a commercial “plug-and-play” system and per-

formed a proof-of-principle experiment to demonstrate a technologically feasible attack,

known as a phase-remapping attack. In our attack, Eve could get full information and

only introduced a quantum bit error rate of 19.7%.

The success of our attack shows clearly an imperfection in the practical QKD imple-

mentation. Specifically, this is the first successful “intercept-and-resend” attack on top

of a commercial bidirectional QKD system, and it highlights not only the importance

for Alice to verify that she is encoding the right state during the encoding process, but

also, more generally, the importance of verification of the correctness of each step of an

implementation of a QKD protocol in a practical QKD system.

5.1.2 Quantum random number generator

A quantum random number generator (QRNG) can generate true randomness by ex-

ploiting the fundamental indeterminism of quantum mechanics. Several QRNGs, includ-

ing commercial products, have already been proposed and demonstrated. Nevertheless,

due to the difficulties of measuring quantum effects in real setups, most approaches to

QRNG are limited in speed. Moreover, in real experiments, the quantum randomness is

inevitably mixed with classical noise, which may be controlled by Eve.

In this thesis, I proposed and experimentally demonstrated a fast QRNG at a rate of

over 6 Gbits/s. Our approach was based on the quantum phase fluctuations of a laser,

which was operated near its threshold. Furthermore, we presented and implemented a

rigorous method to remove the contamination of classical noise by modeling our system,

quantifying randomness through min-entropy, and employing a post-processing function (a randomness extractor) to distill randomness. A key advantage of our approach is that its security is theoretically provable based on information theory. The simplicity and high speed of our experimental setup show the feasibility of a robust, low-cost, high-speed QRNG. Our work not only highlights the importance of the rigorous quantification

and distillation of quantum randomness in a practical QRNG, but also demonstrates the

potential for random number generation using quantum phase fluctuations of a laser as

a true entropy source.

5.2 Outlook

5.2.1 Detector-control attack

The detector-control attack [24] has drawn much scientific attention, and has been suc-

cessfully demonstrated on most types of practical QKD systems [24, 105, 106]. A full

implementation of the attacking strategy has been investigated in Ref. [106]. The key concept of the detector-control attack is the following. By sending a strong optical pulse to Bob, Eve can force Bob's single-photon detectors to always work in linear mode instead of Geiger mode. In linear mode, the single-photon detector, such as one based on InGaAs APDs, is only sensitive to bright illumination. This detector state is called “detector blinding”. Then, Eve sends a bright pulse with a tailored power level such

that Bob’s detector always reports a detection event from the bright pulse, but never

reports a detection event from a pulse with half power. As a result, Eve can successfully

launch an intercept-and-resend attack without increasing QBERs. For example, when

Eve uses the same basis as Bob to measure the quantum state from Alice, Bob gets a

detection event as if there is no eavesdropper. And if Eve uses the opposite basis from

Bob to measure the quantum state from Alice, her bright pulse will strike both of Bob’s

detectors with half power, and neither detector will report a detection event. In practice, a simple detector-control attack introduces a 50% total loss. However, Eve can place her intercept unit close to Alice's laboratory while compensating for the loss in the remaining fiber by re-sending brighter states.

The detector-control attack is applicable to various types of single-photon detectors,

such as gated APDs [24], passively or actively quenched APDs [107, 108], and SSPDs

[109]. Removing such an attack is still a big challenge for QKD researchers. One proposed countermeasure is to operate the single-photon detectors inside Bob's system carefully [67, 68] and to monitor the photocurrent for anomalously high values [110]. However, such a countermeasure may lead away from the provable security models of QKD and can often be defeated by more advanced hacking technologies. Hence, the eventual solution to this attack may be to develop a QKD system free of detection loopholes. The device-independent QKD protocol [111] could be a perfect candidate for such a task. However, its strict requirement on the detection efficiency of the single-photon detector (larger than 83%) makes it still immature for practical demonstrations (typically, the detection efficiency of a practical single-photon detector is around 10%). Very recently, a promising countermeasure to this attack is the so-called measurement-device-independent QKD protocol proposed by Lo et al. [112], which in principle can remove all detector side channels automatically. It is important to demonstrate and verify this scheme in a real setup in the future.

5.2.2 Other quantum attacks

Recently, Sun et al. have studied the imperfections of the Faraday mirror and proposed the passive Faraday-mirror attack on a “plug-and-play” system [113]. Jain et al. have experimentally demonstrated that the calibration routine of a commercial QKD system can be tricked into setting a large detector efficiency mismatch, and proposed an attack strategy on such a compromised system with a QBER of less than 7% [114]. Very recently, Li et al. [115] have studied the imperfection of a practical beam splitter and demonstrated

a wavelength-dependent quantum attack on top of a polarization-coding QKD system. A substantial question is thus raised: how can one counter an Eve who combines various quantum attacks? For instance, in a commercial “plug-and-play” QKD system, Eve can perform a combined quantum attack as follows. Eve employs the phase-remapping attack and the Faraday-mirror attack on Alice's encoding stage, tricks the calibration process into setting a large detector efficiency mismatch between Bob's two detectors, and applies the fake-state attack or the time-shift attack on Bob's detection stage. If she does so, the resulting QBER will be dramatically reduced. Furthermore, if Eve launches her attack not on every signal but only on a subset of signals, the introduced QBER will be lower still. Removing such attacks will be a notoriously hard problem. Therefore, we remark that instead of removing the attacks, what we can do is to quantify them carefully. Once quantified, those imperfections may be taken care of in future security proofs of QKD.

Besides the loopholes discussed above, other imperfections of a practical QKD system

should also be carefully investigated. In most phase-coding based QKD systems, the

polarization component of quantum state is often used to optimize the system design.

A natural question is: is the system still secure if Eve actively introduces some polarization redundancies into such a QKD system? Moreover, the potential developments of QKD

technology are long distances and high bit rates. Therefore, another question is: Will

more unnoticed imperfections appear in a long-distance and high-speed QKD system?

For example, the detector dead-time issue in a high-speed QKD system has recently been

studied in Refs. [116, 117, 118]. Furthermore, there also exists another type of QKD,

continuous variable QKD [10, 119], whose security is based on the uncertainty principle

of the amplitude quadrature and the phase quadrature of a coherent state. However,

the practical security of continuous variable QKD is still unclear and deserves future

investigations.

Up to now, most of the imperfections that have been studied are in fiber-based QKD systems. Hence, the practical security of free-space QKD systems is still unclear. Indeed, the imperfection due to non-single-mode quantum signals is a crucial issue in free-space QKD. Eve can exploit this imperfection and launch the spatial-mode attack against a free-space QKD system [62, 63, 64, 65], such as a satellite-based QKD implementation.

5.2.3 Quantum random number generator

A novel approach to generate and post-process random numbers has been demonstrated

in Chapter 4. We can improve the system (Fig. 4.3) by making it more compact and

robust. A proposed new system design is shown in Fig. 5.1. Compared to the previous

setup (see Fig. 4.3), the improvements are the following.

• The DFB laser is replaced by a compact OEM laser diode.

• The photodetector is replaced by a balanced detection system with two photodetectors (PD1/2 in Fig. 5.1) followed by a differential amplifier (DA in Fig. 5.1).

• The real-time oscilloscope is replaced by a high-speed (with a sampling rate above the GHz level) and high-resolution analog-to-digital converter (ADC)¹.

Furthermore, it is important to create a real-time hardware-based randomness extractor

in a practical QRNG system for future investigations. By implementing the above new

system design, it will be easy to build a compact, low-cost, high-speed, and robust

QRNG system with USB port in the future. A commercial QRNG with USB port and a

generation rate of 4 Mbits/s has already appeared on the market (see Fig. 5.2) [32].

[Figure 5.1 block diagram: OEM Laser, TC, power supply, clock, PC, PLC MZI, PD1, PD2, DA, ADC.]

Figure 5.1: New system design of QRNG based on quantum phase fluctuations of a laser.

PC, polarization controller; PLC-MZI, planar lightwave circuit Mach-Zehnder interfer-

ometer; TC, temperature controller; PD1/2, photodetector; DA, differential amplifier;

ADC, analog-to-digital converter.

¹Optimization of the ADC range is also an interesting direction for future research.

Figure 5.2: Commercial QRNG with USB port at a rate of 4 Mbits/s [32].

Recently, based on a different type of laser and system design, the intensity fluctua-

tions of a laser have been studied to generate fast random bits [120]. An improved system

with a super-luminescent LED has also been demonstrated [121]. Since the fundamental

physical origin of both the phase fluctuations and the intensity fluctuations of a laser is

amplified spontaneous emissions, it will be interesting to demonstrate a QRNG exploiting

both fluctuations.

5.2.4 Practical QKD

One potential development of practical QKD technology is long-distance transmission

and global communication. However, as discussed in subsection 2.4.1, the propagation loss in fibers puts a limit on the longest distance of fiber-based quantum communication (typically less than 400 km). To extend the transmission distance without relying on intermediate nodes, the quantum repeater has been proposed [122]. A quantum repeater relies on the concept of entanglement swapping, which allows Alice and Bob to distill a number of entangled states over a long distance. Currently, the main challenge in building a quantum repeater is the limited technology for quantum memory. Hence, it will be interesting for future research to develop a feasible quantum repeater and thus achieve secure QKD over long distances.

A natural way to build a practical QKD network is by using the standard optical

fibers, which have been developed and used in daily telecommunication, as the quantum

channels. Therefore, an important future topic is the wavelength division multiplexing

between QKD (quantum communication) and classical optical communication. Moreover,

when QKD is widely used in real-life applications, it is also important to develop standards for QKD.

5.3 Thoughts on future QKD

QKD has experienced the stages of theoretical foundations (1970-1993) and initial imple-

mentations (1993-2000). The gap between its theory and experiment is currently being

closed (2000-now). QKD has achieved a key generation rate of over 1 Mbits/s [37] and

a transmission distance of over 200 km [38]. Various QKD networks have been built in

USA [39], Europe [40], China [41, 42], and Japan [37]. There have also been demonstra-

tions of QKD in a Swiss election and the 2010 World Cup. Moreover, commercial QKD

products [32, 43] have appeared on the market. These QKD products have been used by

a number of Swiss banks to encrypt critical traffic.

Thanks to the quantum no-cloning theorem, the principle of QKD is rigorously guar-

anteed by the laws of quantum physics. Hence, QKD can be considered as an uncondition-

ally secure means of information transmission. However, when it is applied in a real-life

implementation, even a small unnoticed imperfection can easily break the security of an

otherwise carefully designed QKD system. The recent successes of the quantum hacking

strategies once again highlight the large gap between its theory and practice. How can

we bridge this gap?

In my opinion, the answer is working on security proofs of QKD with testable assump-

tions. Every assumption in a security proof should be written down and experimentally

verified. For instance, one fundamental assumption in all QKD protocols, including the

device-independent QKD protocol [111], is that Alice and Bob can generate perfectly

random numbers. Unfortunately, as discussed in Chapter 4, most random number gen-

erators cannot generate truly random numbers. Hence, it is important to battle-test the

local random number generators of Alice and Bob. Once this assumption is verified, we

can move to test other assumptions. This is a long-term research program, which is the

superposition of a quantum future and a classical present. We need to focus our atten-

tion on the study of the imperfections of QKD and their counter-measures. Only through

battle-testing can we gain confidence about the security of a practical QKD system, and

thus the security of a future cryptosystem.

Appendix A

Temperature control

In our experimental system (see Fig. 4.3), one requirement is to control the PLC-MZI precisely to a fixed temperature, thus stabilizing its phase difference. Alternatively, our PLC-MZI (500 ps, by NTT Electronics Corporation) provides a so-called long/short arm heater (adjusted by an external DC power supply) to control the temperature. However, heating the thermal resistance inside the PLC-MZI with the arm heater usually takes a long time (around 1 ∼ 3 min), and the arm heater can only raise, not lower, the temperature. Therefore, it is experimentally difficult to control the temperature with the arm heater. A temperature controller (TC)¹, which uses the Peltier effect to control the temperature, can on the other hand precisely stabilize and control the temperature of the PLC-MZI. One important parameter in choosing a TC is its temperature accuracy.

A.1 Temperature accuracy

    n        λ          ∆n
    1.446    1.55 µm    1.0 × 10^-5 / °C

Table A.1: Basic experimental parameters.

Some experimental parameters, including the refractive index n of the fiber (quartz glass), the laser wavelength λ, and the index fluctuation with temperature ∆n/°C, are listed in Table A.1. The relation between the time fluctuation (∆τ) and the phase fluctuation (∆θ)

¹The TC also provides feedback control. If the PLC-MZI experiences a phase shift (from classical noise, such as environmental fluctuations), the TC can automatically adjust the temperature and stabilize its phase.

of the PLC-MZI is described by

$$\Delta\tau = \frac{\Delta n}{n}\,\tau, \qquad \Delta\theta = \frac{\Delta n}{n}\,\tau\,\omega_0 = \frac{\Delta n}{n}\,\tau\,\frac{2\pi c}{\lambda} \qquad (A.1)$$

Using the data in Table A.1, the phase fluctuation is ∆θ = 1.33π/◦C.

To achieve a 1% accuracy of the relative power density, the voltage accuracy is 0.1 and the voltage fluctuation ∆V is given by $\Delta V / (2V_0) = 0.1$, where $V_0$ is the amplitude of the voltage drift, $V = V_0 \sin\theta$ (see Eqn. 4.1). Therefore, the average phase fluctuation is described by

$$\langle \sin(\Delta\theta) \rangle = \frac{\Delta V}{V_0} = 0.2 \approx \Delta\theta \qquad (A.2)$$

for which the required temperature accuracy is 0.05 °C.

On the other hand, when the laser (see Fig. 4.3) is operated below 3 mW, its linewidth is larger than 6.5 MHz. Hence, based on Refs. [74, 56], the variance of the phase fluctuation is given by

$$\langle \Delta\theta^2 \rangle = 2\pi\tau\Delta f \geq 0.02 \qquad (A.3)$$

where τ = 500 ps is the time difference of the PLC-MZI and ∆f is the laser linewidth. The required temperature accuracy is ∆T = 0.03 °C.

In summary, the required temperature accuracy of the temperature controller is of the order of 0.01 °C.
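The numbers of Section A.1 carried through in code, as an added example for this edit (not the thesis's own code): it evaluates Eq. (A.1) with the Table A.1 parameters, the temperature excursions implied by the two criteria in Eqs. (A.2) and (A.3), and the temperature change per 2π fringe that Section A.2 compares its measurement against. The function names and the value used for c are this example's assumptions; ∆n is taken as an index change per °C, as Table A.1 indicates.

```python
"""Phase sensitivity of the PLC-MZI to temperature and the temperature accuracy
implied by Eqs. (A.2) and (A.3).  Added example, not the thesis's code."""
import math

C_LIGHT = 2.998e8  # m/s (assumed value)

# Parameters of Table A.1; dn is read as an index change per degree Celsius.
N_FIBER = 1.446          # refractive index of quartz glass
WAVELENGTH = 1.55e-6     # m
DN_PER_DEGC = 1.0e-5     # index change per degC
TAU = 500e-12            # s, arm delay of the PLC-MZI


def phase_sensitivity(n: float = N_FIBER, dn: float = DN_PER_DEGC,
                      tau: float = TAU, lam: float = WAVELENGTH) -> float:
    """Eq. (A.1): dtheta/dT = (dn/n) * tau * omega0 with omega0 = 2*pi*c/lam.
    Returns radians per degC."""
    omega0 = 2.0 * math.pi * C_LIGHT / lam
    return (dn / n) * tau * omega0


def temperature_accuracy_for_phase(delta_theta: float) -> float:
    """Temperature excursion (degC) that produces a phase error delta_theta (rad)."""
    return delta_theta / phase_sensitivity()


def phase_variance_from_linewidth(linewidth_hz: float, tau: float = TAU) -> float:
    """Eq. (A.3): <dtheta^2> = 2*pi*tau*df for a laser of linewidth df."""
    return 2.0 * math.pi * tau * linewidth_hz


def degc_per_2pi() -> float:
    """Temperature change that walks the interferometer through one full fringe."""
    return 2.0 * math.pi / phase_sensitivity()


if __name__ == "__main__":
    k = phase_sensitivity()
    print(f"phase sensitivity: {k:.3f} rad/degC = {k / math.pi:.2f} pi/degC")
    # Eq. (A.2): 1% power-density accuracy -> <sin(dtheta)> = dV/V0 = 0.2 ~ dtheta
    print(f"accuracy for dtheta = 0.2 rad: {temperature_accuracy_for_phase(0.2):.3f} degC")
    # Eq. (A.3): linewidth >= 6.5 MHz below 3 mW gives <dtheta^2> >= 0.02
    var = phase_variance_from_linewidth(6.5e6)
    print(f"<dtheta^2> = {var:.4f}, accuracy for its rms: "
          f"{temperature_accuracy_for_phase(math.sqrt(var)):.3f} degC")
    print(f"temperature change per 2 pi fringe: {degc_per_2pi():.2f} degC")
```

The first criterion gives roughly 0.05 °C and the second roughly 0.03 °C, which is why the text settles on a controller resolution of the order of 0.01 °C; the fringe spacing of about 1.5 °C per 2π is the figure that the scan in Fig. A.1 reproduces.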

A.2 Temperature controller

The temperature sensor of our PLC-MZI is a thermistor and the control device is a Peltier element. Thus, the requirements on the TC can be summarized as follows: the input supports a thermistor, the output current is high enough to drive the Peltier element ($I_{max}$ = 4 A), and the resolution is of the order of 0.01 °C. We finally chose the PTC-5K, manufactured by Wavelength Electronics Inc., as our TC.

After implementing the TC in our system (Fig. 4.3), we analyze the temperature stability as follows. By adjusting the temperature from 24 °C to 26 °C, the measured phase drift is shown in Fig. A.1. We can see that the phase drift follows a sin/cos function. A 1.5 °C temperature change causes a 2π phase drift, which is consistent with the theoretical calculation in Section A.1. The TC can be adjusted to either 25.39 °C or 24.72 °C to stabilize the phase difference of the PLC-MZI at ωτ = 2mπ + π/2. The

[Figure A.1 plot: phase drift of PLC-MZI (mV), 0 to 25, versus temperature (°C), 24.4 to 26.2.]

Figure A.1: Phase drift of the PLC-MZI. By adjusting the temperature controller in

Fig. 4.3, the temperature is scanned from 24 ◦C to 26 ◦C and the phase drift is measured

by an Oscilloscope.

measured temperature resolution is around 0.02 ◦C, which is mainly determined by the

resolution of our digital voltmeter (with a resolution of 1 mV). A better temperature

resolution can be achieved with a higher-resolution digital voltmeter.

We stabilize the TC at 24.72 °C and set the laser power to 0.95 mW. With a real-time oscilloscope, we measured the standard deviation (i.e. the square root of the voltage variance in Eqn. 4.3) of the interferometric signal as $V_{rms}$ = 2.28 ± 0.01 mV, which corresponds to a phase fluctuation variance of ⟨∆θ²⟩ = 0.035. Furthermore, the measured voltage fluctuation over a few hours is within 0.3 mV, which is equal to a temperature fluctuation of 0.01 °C and thus shows the good phase stability of our system.

Appendix B

Laser Noise Characterization in

Frequency Domain

In this appendix, we discuss our approach to characterizing laser noise in the frequency domain.

B.1 Parameters quantification

The parameters in Eq. (4.3) are quantified in the frequency domain by measuring the noise spectra with a spectrum analyzer (model HP8564) in the frequency range [0 Hz, 1 GHz] (sampling rate 1 GHz). Fig. 4.6 shows the measurement results when the laser power is set to 0.95 mW. We can see that the intensity noise is insignificant and can be neglected [88, 89]. We further measured the intensity noise of our laser in a wide band up to 10 GHz. The laser was operated at 0.18 mW (right above threshold), where we can detect the strongest intensity noise. The measurement result is shown in Fig. B.1. It shows that the intensity noise spectrum presents a peak at a certain frequency (around 1.5 GHz), and on average it is 4 dB higher than the electrical background noise floor. Therefore, we conclude that the intensity noise is not as good an entropy source as the phase fluctuations. Note however that by employing some optical filters and post-processing, it is still possible to generate random numbers from the intensity noise.

To quantify the parameters $A_Q$, $A_C$ and $F$ in Eq. (4.3), we operate the laser at different optical power levels and measure the total noise (the sum of quantum noise and classical noise) spectra. Since each spectrum presents a flat response (see Fig. 4.6 for an example), we then calculate the area of each spectrum (in the range

[Figure B.1 plot: power density (dBm), −86 to −66, versus frequency (MHz), 0 to 1000; traces for 8 mA, 9 mA, 10 mA, 15 mA and the electrical noise.]

Figure B.1: Intensity noise of the DFB laser at 9.4 mA (0.18 mW). The intensity noise presents a peak at a certain frequency (around 1.5 GHz) and on average it is 4 dB higher than the electrical background noise floor. All of these responses indicate that the intensity noise of our laser is not as good a randomness source as the phase noise.

[0 Hz, 1 GHz]), which is proportional to the variance of the voltage $V_{pr}(t)$ in Eq. (4.3). The experimental results are shown in Fig. B.2, where the laser power and the voltage variance have negligible systematic errors. The expectation of each measurement result is used for the statistical inference of the fit (second-order polynomial fit with least-squares estimation). The fitting results and the corresponding confidence intervals (level α = 0.99) are shown in Table B.1. We remark that the confidence intervals are small enough to contain the statistical variations across different trials of inference. To validate our model, we further employ the standard analysis of variance (ANOVA) F test [123]. The resulting p-value (or probability of mis-fit) is smaller than $10^{-5}$, which shows that our model essentially captures all the statistical nature of the underlying relationship.

    F              A_Q              A_C
    4.75 ± 0.83    194.50 ± 6.65    4.85 ± 1.94

Table B.1: Experimental results for the parameters in Eq. (4.3) (arb. units). The parameters are quantified in the frequency domain.

Using the data given in Table B.1, we calculate the quantum signal to classical noise ratio $\gamma = A_Q P/(A_C P^2 + F)$ as a function of laser power. The results are shown in

[Figure B.2 plot: voltage fluctuation variance ⟨V²⟩ (arb. units), 0 to 600, versus laser output power P (mW), 0 to 12; experiment and fitting.]

Figure B.2: Voltage variance measured in frequency domain. The experimental results

are measured by a spectrum analyzer, which contains negligible systematic errors. The

expectations of the experimental results are fitted by a quadratic polynomial function.

Fig. B.3¹. The optimal ratio γ = 20 is achieved at P = 0.99 mW. The difference between the time-domain results (γ = 21 and P = 0.95 mW) and the frequency-domain results stems from the discrepancy between the electrical noise of the oscilloscope and that of the spectrum analyzer. It is tolerable in our experiment.
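The ratio γ(P) and its optimum, as an added example written for this edit and not taken from the thesis: it evaluates γ = A_Q P/(A_C P² + F) with the Table B.1 parameters, locates the optimum analytically (dγ/dP = 0 gives P* = √(F/A_C)), and implements the two-power-level estimator of the footnote to this section to show that it recovers γ from the model variances Var1 and Var2 without knowing the classical-noise terms. The function names, the folded constants A_Q = AQ, A_C = AC, F = E, and the use of the operating power P as the interferometer input power in both model variances are this example's assumptions.

```python
"""Quantum-to-classical ratio gamma(P) of Appendix B, its optimum, and the
two-power-level estimator of the footnote.  Added example, not the thesis's code."""
import math

# Fitted parameters of Table B.1 (arbitrary units, P in mW).
A_Q = 194.50
A_C = 4.85
F = 4.75
P_MAX = 19.63  # mW, highest laser power used as the classical-noise reference


def gamma(p: float, aq: float = A_Q, ac: float = A_C, f: float = F) -> float:
    """gamma = A_Q P / (A_C P^2 + F)."""
    if p <= 0:
        raise ValueError("laser power must be positive")
    return aq * p / (ac * p * p + f)


def optimal_power(ac: float = A_C, f: float = F) -> float:
    """d gamma / dP = 0 gives A_C P^2 = F, i.e. P* = sqrt(F / A_C)."""
    return math.sqrt(f / ac)


def total_variance(p_i: float, p_laser: float,
                   aq: float = A_Q, ac: float = A_C, f: float = F) -> float:
    """Footnote model Var = A P_i^2 (Q / P_laser + C) + E, written with the folded
    constants of Table B.1 (assumption: A_Q = AQ, A_C = AC, F = E)."""
    return p_i * p_i * (aq / p_laser + ac) + f


def gamma_from_two_levels(var1: float, var2: float, p: float, p_max: float = P_MAX) -> float:
    """Footnote estimator: var1 measured with P_laser = P, var2 with P_laser = p_max
    at the same interferometer input power P.  The classical terms cancel:
        gamma = (var1 - var2) / (var2 - var1 * P / p_max)."""
    if p >= p_max:
        raise ValueError("reference power must exceed the operating power")
    return (var1 - var2) / (var2 - var1 * p / p_max)


def recovered_gamma(p: float) -> float:
    """Apply the two-level estimator to the model variances at operating power p."""
    var1 = total_variance(p, p)      # quantum term fully present
    var2 = total_variance(p, P_MAX)  # quantum term scaled down by P / P_MAX
    return gamma_from_two_levels(var1, var2, p)


if __name__ == "__main__":
    p_star = optimal_power()
    print(f"optimum: P* = {p_star:.2f} mW, gamma = {gamma(p_star):.1f}")
    for p in (0.5, 0.95, 0.99, 2.0, 5.0):
        print(f"P = {p:4.2f} mW  gamma = {gamma(p):6.2f}  "
              f"two-level estimate = {recovered_gamma(p):6.2f}")
```

With the Table B.1 values the optimum lands at P* ≈ 0.99 mW with γ ≈ 20, matching the frequency-domain result quoted above, and the two-level estimate coincides with γ(P) at every power, which is the algebra the footnote relies on.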

B.2 Quantum and classical phase noise

As shown in Eq. (4.3), the detected signal consists of both the quantum signal and classical noise. In a real experiment they are mixed together and cannot be separated directly. In this section, we propose an approach to experimentally derive an upper bound on the classical noise in a practical QRNG system.

For a laser, the quantum signal is laser-power-dependent, while the classical noises are

¹The experimental data are determined as follows. At each laser power $P$, we measure the total noise (quantum and classical) spectrum with a spectrum analyzer and calculate the voltage variance (spectrum area) as $Var_1 = \langle V_{pr}^2 \rangle = AP^2(Q/P + C) + E$. Then we apply the method discussed in Section B.2 to quantify the classical noise by operating the laser at its highest power, 19.63 mW, and measure the voltage variance as $Var_2 = AP^2(Q/19.63 + C) + E$. From $Var_1$ and $Var_2$ we get

$$\gamma = \frac{AQP}{ACP^2 + F} = \frac{\dfrac{Var_1 - Var_2}{1 - P/19.63}}{Var_1 - \dfrac{Var_1 - Var_2}{1 - P/19.63}} = \frac{Var_1 - Var_2}{Var_2 - Var_1\,P/19.63},$$

which is the experimental data shown in Fig. B.3.


[Figure B.3: plot of the quantum source versus classical noise ratio γ of raw data (0 to 22) against laser output power (mW, 0 to 9); two curves, Experiment and Theory.]

Figure B.3: Quantum signal to classical noise ratio measured in the frequency domain. The theoretical curve is obtained from the ratio γ = AQP/(ACP² + F) and the parameters in Table B.1. The experimental results are measured by a spectrum analyzer.

power-independent [88, 89] and can be treated as a constant. Therefore, by operating the laser at different optical power levels, the quantum signal and the classical noise can be bounded experimentally.

As shown in Eq. (4.3), after interference, the signal detected by the photodetector is a function of the laser optical power. Here, we further distinguish the power of the interference signal (i.e. the input of the PLC-MZI in Fig. 4.3, denoted P_i) from the laser emission power (denoted P_laser). Eq. (4.3) then reads

$$\langle V^2 \rangle = A P_i^2 \left( \frac{Q}{P_{laser}} + C \right) + E \qquad \text{(B.1)}$$

Fig. B.4 shows the experimental setup used to quantify the bound on the classical noise. To measure the phase noise of the laser, P_i is held fixed while the laser is operated at different emission powers (P_laser). This is achieved with an optical attenuator (JDS Uniphase HA1) and a power multimeter (Agilent 8163A). A spectrum analyzer (SA in Fig. B.4) is used to measure the noise spectra. In our experiment, the driving current of the DFB laser is varied from 12 mA (0.85 mW) to its maximum, 89 mA (19.63 mW)², while P_i is fixed at 0.85 mW. The results for the total laser phase noise (quantum signal and classical

² The relation between laser optical power P (mW) and driving current I (mA) is P = 0.256(I − 8.7), where 8.7 mA is the threshold current of the DFB laser.


[Figure B.4: block diagram of the setup; blocks: Laser, TC, PLC MZI, PD1, Att, PM, SA.]

Figure B.4: Experimental setup to quantify the phase noises. Laser, 1550 nm cw DFB laser diode; PLC-MZI, planar lightwave circuit Mach-Zehnder interferometer (500 ps delay, by NTT); TC, temperature controller (PTC 5K by Wavelength); PD1, photodetector (5 GHz InGaAs photodetector); Att, optical attenuator (JDS Uniphase HA1); PM, power multimeter (Agilent 8163A); SA, spectrum analyzer (HP 8564).

[Figure B.5: plot of power density (dB, −85 to −65) against frequency (MHz, 0 to 1000), one trace per laser emission power.]

Figure B.5: (Color online) Laser phase noise spectra. As shown in Fig. B.4, the interference signal power P_i is fixed at 0.85 mW while the laser is operated at different emission powers (P_laser). As P_laser increases, the phase noise decreases [88, 89].

noise) are shown in Fig. B.5. We can see that the total phase noise decreases as the laser optical power increases. We remark that if the laser emission power could be made arbitrarily high, the laser phase noise spectrum (Fig. B.5) would approach a constant, which is the upper bound of the classical noise. In our system, since the highest power of the laser is around 20 mW, the phase noise at this power level is taken as the upper bound of the classical noise.
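The model of Eq. (B.1), the two-power estimate of footnote 1 and the optimum of γ from Table B.1, as an added worked example (not code from the thesis). Table B.1 only gives the lumped products AQ, AC and F, so the split into A, Q, C, E below (A = 1, with F standing in for E) is an assumption; P_MAX is the 19.63 mW maximum laser power quoted in the text.

```python
"""Quantum-to-classical noise ratio of a laser phase-noise QRNG (Appendix B).

Model (Eq. B.1):   <V^2> = A * Pi^2 * (Q / Plaser + C) + E
Lumped fit values from Table B.1 (arbitrary units): AQ, AC, F.
The decomposition A = 1, Q = AQ, C = AC, E = F is an assumption made here so
that the model can be evaluated; only the products enter the results.
"""
import math

AQ = 194.50   # Table B.1
AC = 4.85     # Table B.1
F = 4.75      # Table B.1
A, Q, C, E = 1.0, AQ, AC, F          # assumed split, see module docstring
P_MAX = 19.63                         # highest laser emission power (mW)


def voltage_variance(p_interf, p_laser):
    """Eq. (B.1): detected voltage variance for interference power p_interf
    (input of the PLC-MZI) and laser emission power p_laser."""
    return A * p_interf ** 2 * (Q / p_laser + C) + E


def gamma_model(p):
    """gamma = AQP / (ACP^2 + F) for the laser run directly (Pi = Plaser = P)."""
    return AQ * p / (AC * p ** 2 + F)


def gamma_two_power(p, p_max=P_MAX):
    """Footnote 1: estimate gamma from two measured variances.

    Var1 is taken with Pi = Plaser = p; Var2 keeps the same interference power
    but runs the laser at p_max.  The classical terms ACP^2 + F are identical
    in both, so the difference isolates the quantum term AQP.
    """
    var1 = voltage_variance(p, p)
    var2 = voltage_variance(p, p_max)
    quantum = (var1 - var2) / (1.0 - p / p_max)   # = AQP
    classical = var1 - quantum                      # = ACP^2 + F
    return quantum / classical


def classical_noise_upper_bound(p_interf, p_max=P_MAX):
    """Section B.2: with Pi fixed, the variance at the highest laser power
    still contains the residual quantum term A*Pi^2*Q/p_max, so it upper
    bounds the classical noise AC*Pi^2 + E."""
    return voltage_variance(p_interf, p_max)


def optimal_power():
    """Closed form: d gamma/dP = 0 gives P* = sqrt(F/AC) and
    gamma_max = AQ / (2*sqrt(AC*F)).  Returns (P*, gamma_max)."""
    return math.sqrt(F / AC), AQ / (2.0 * math.sqrt(AC * F))


def optimal_power_by_scan(p_lo=0.1, p_hi=12.0, steps=100_000):
    """Brute-force cross-check of optimal_power() over the range of Fig. B.2."""
    best_p, best_g = p_lo, gamma_model(p_lo)
    for i in range(1, steps + 1):
        p = p_lo + (p_hi - p_lo) * i / steps
        g = gamma_model(p)
        if g > best_g:
            best_p, best_g = p, g
    return best_p, best_g


if __name__ == "__main__":
    p_star, g_max = optimal_power()
    print(f"optimal laser power P* = {p_star:.2f} mW, gamma_max = {g_max:.1f}")
    for p in (0.5, 0.99, 2.0, 5.0):
        print(f"P = {p:4.2f} mW: model gamma = {gamma_model(p):6.2f}, "
              f"two-power estimate = {gamma_two_power(p):6.2f}")
    pi = 0.85
    print(f"classical noise bound at Pi = {pi} mW: "
          f"{classical_noise_upper_bound(pi):.2f} (true {AC * pi**2 + F:.2f})")
```

The closed-form optimum reproduces the P = 0.99 mW and γ ≈ 20 quoted above, and the two-power estimate matches the model exactly because the classical terms cancel in Var₁ − Var₂.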


Appendix C

Statistical tests

C.1 Statistical test suites

We apply three standard statistical test suites, Diehard, NIST and TestU01, to test our extracted results. The minimal input data sizes required by the three suites are summarized in Table C.1. A brief description of the suites follows.

Test Suite              Data size
TestU01 (SmallCrush)    907 MByte
TestU01 (Crush)         180 GByte
TestU01 (BigCrush)      over 1 TByte
Diehard                 8 MByte
NIST                    470 MByte (stream size 6.5 Mbit, number of streams 500)

Table C.1: Minimal data-size requirements of TestU01, Diehard and NIST.

1. Diehard [90]: Diehard, containing 20 tests, provides options for the output file, and the output file (.txt) consists of all the resulting P-values for interpretation of its 20 tests. For a test with multiple P-values, a Kolmogorov-Smirnov (KS) test is usually used to obtain a final P-value, which measures the uniformity of the multiple P-values. Diehard is passed if all final P-values satisfy 0.01 ≤ P ≤ 0.99.

2. NIST [91]: NIST, which consists of 15 tests, does not require a fixed input data size. Two parameters, the number of streams (NoS) and the stream size (SS), determine the test results. The minimum NoS that gives a useful result in terms of the uniformity of P-values is 500; a smaller NoS cannot discriminate between uniformity and non-uniformity. SS is empirically taken as 6.5 Mbits, which ensures that the probabilistic dependency between the random bits within a stream is washed out; a smaller SS will cause many of the tests to fail because of residual statistical dependency between bits. To pass NIST, the P-value should be larger than the lowest significance level α = 0.01, and the proportion of sequences satisfying P > α should be greater than a value β.

3. TestU01 [99]: TestU01 consists of three test batteries, known as SmallCrush, Crush and BigCrush, where SmallCrush and Crush are subsets of BigCrush. Storage and processing limitations only allow the execution of SmallCrush in our implementation. SmallCrush has 15 tests, where the P-value of a failing test converges to 0 or 1 (eps or 1-eps).

C.2 Test results


Statistical test               Pseudo-RNG   Trevisan's            Hashing
                               Result       p-value    result     p-value    result
Birthday Spacings [KS]         success      0.82263    success    0.340863   success
Overlapping permutations       success      0.679927   success    0.403824   success
Ranks of 31x31 matrices        success      0.419095   success    0.349441   success
Ranks of 31x32 matrices        success      0.715705   success    0.816752   success
Ranks of 6x8 matrices [KS]     success      0.195485   success    0.408573   success
Bit stream test                success      0.048260   success    0.281680   success
Monkey test OPSO               success      0.027300   success    0.892600   success
Monkey test OQSO               success      0.023200   success    0.267200   success
Monkey test DNA                failure      0.038000   success    0.736700   success
Count 1's in stream of bytes   success      0.380162   success    0.639691   success
Count 1's in specific bytes    failure      0.020417   success    0.373149   success
Parking lot test [KS]          failure      0.629013   success    0.151689   success
Minimum distance test [KS]     success      0.019499   success    0.688780   success
Random spheres test [KS]       success      0.488703   success    0.939227   success
Squeeze test                   success      0.238004   success    0.155403   success
Overlapping sums test [KS]     success      0.022339   success    0.909675   success
Runs test (up) [KS]            failure      0.403504   success    0.181024   success
Runs test (down) [KS]          success      0.119132   success    0.668512   success
Craps test No. of wins         success      0.757521   success    0.826358   success
Craps test throws/game         success      0.179705   success    0.862986   success

Table C.2: Diehard. Data size is 240 Mb. For the cases of multiple P-values, a Kolmogorov-Smirnov (KS) test is used to obtain a final P-value, which measures the uniformity of the multiple P-values. The test is successful if all final P-values satisfy 0.01 ≤ P ≤ 0.99.


Statistical test               Pseudo-RNG   Hashing
                               Result       p-value    Proportion   Result
Frequency                      success      0.373625   0.9900       success
Block-frequency                success      0.310049   0.9960       success
Cumulative sums                success      0.422638   0.9980       success
Runs                           success      0.703417   0.9900       success
LongestRun                     success      0.013569   0.9880       success
Rank                           success      0.411840   0.9940       success
FFT                            success      0.987079   0.9860       success
NonOverlappingTemplate         failure      0.727851   0.9820       success
OverlappingTemplate            success      0.110083   0.9780       success
Universal                      success      0.962688   0.9880       success
ApproximateEntropy             success      0.674543   0.9920       success
Random-excursions              success      0.409207   0.9900       success
Random-excursions Variant      success      0.426358   0.9840       success
Serial                         success      0.217570   0.9860       success
Linear-complexity              success      0.657833   0.9940       success

Table C.3: NIST. Data size is 3.25 Gbits (500 sequences, each around 6.5 Mbits). To pass the test, the P-value should be larger than the lowest significance level α = 0.01, and the proportion of sequences satisfying P > α should be greater than 0.976. Where the test has multiple P-values, the worst case is selected.


Statistical Test               Raw data     Hashing
                               Result       p-value    Result
BirthdaySpacings               failure      0.5300     success
Collision                      failure      0.1500     success
Gap Chi-square                 failure      0.8900     success
SimpPoker Chi-square           failure      0.3500     success
CouponCollector Chi-square     failure      0.6700     success
MaxOft Chi-square              failure      0.6900     success
MaxOft Anderson-Darling        failure      0.9500     success
WeightDistrib Chi-square       failure      0.5600     success
MatrixRank Chi-square          failure      0.5100     success
HammingIndep Chi-square        failure      0.1000     success
RandomWalk1 H Chi-square       failure      0.9931     success
RandomWalk1 M Chi-square       failure      0.8300     success
RandomWalk1 J Chi-square       failure      0.9400     success
RandomWalk1 R Chi-square       failure      0.7000     success
RandomWalk1 C Chi-square       failure      0.6600     success

Table C.4: TestU01 (SmallCrush). Given the data-size and computational requirements of Crush and BigCrush, we only perform the SmallCrush test. Data size is 8 Gbits. The P-value of a failing test converges to 0 or 1 (eps or 1-eps). Where the test has multiple P-values, the worst case is selected.


Bibliography

[1] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions

on Information Theory, vol. 22, no. 6, pp. 644–654, 1976.

[2] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signa-

tures and public-key cryptosystems,” Communications of the ACM, vol. 21, no. 2,

pp. 120–126, 1978.

[3] P. Shor, “Polynomial-time algorithms for prime factorization and discrete loga-

rithms on a quantum computer,” SIAM J.Sci.Statist.Comput., vol. 26, p. 1484,

1997.

[4] G. Vernam, “Cipher printing telegraph systems for secret wire and radio telegraphic

communications,” Transactions of the American Institute of Electrical Engineers,

vol. 45, pp. 295–301, 1926.

[5] C. Shannon, Communication theory of secrecy systems. AT & T, 1949.

[6] S. Wiesner, “Conjugate coding,” ACM Sigact News, vol. 15, no. 1, pp. 78–88, 1983.

[7] C. Bennett, G. Brassard, et al., “Quantum cryptography: Public key distribution

and coin tossing,” in Proceedings of IEEE International Conference on Computers,

Systems and Signal Processing, vol. 175, Bangalore, India, 1984.

[8] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Re-

views of modern physics, vol. 74, no. 1, pp. 145–195, 2002.

[9] H.-K. Lo and Y. Zhao, “Quantum cryptography,” Encyclopedia of Complexity and

Systems Science, vol. 8, pp. 7265–7289, 2009.

[10] V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dusek, N. Lutkenhaus, and

M. Peev, “The security of practical quantum key distribution,” Reviews of Modern

Physics, vol. 81, no. 3, p. 1301, 2009.

75

Page 82: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 76

[11] B. Qi, L. Qian, and H.-K. Lo, “A brief introduction of quantum cryptography for

engineers,” Arxiv preprint arXiv:1002.1237, 2010.

[12] W. Wootters and W. Zurek, “A single quantum cannot be cloned,” Nature, vol. 299,

no. 5886, pp. 802–803, 1982.

[13] D. Mayers, “Unconditional security in quantum cryptography,” Journal of the ACM

(JACM), vol. 48, no. 3, pp. 351–406, 2001.

[14] H.-K. Lo and H. Chau, “Unconditional security of quantum key distribution over

arbitrarily long distances,” Science, vol. 283, no. 5410, p. 2050, 1999.

[15] P. Shor and J. Preskill, “Simple proof of security of the bb84 quantum key distri-

bution protocol,” Physical Review Letters, vol. 85, no. 2, pp. 441–444, 2000.

[16] D. Gottesman, H.-K. Lo, N. Lutkenhaus, and J. Preskill, “Security of quantum key

distribution with imperfect devices,” Quant. Inf. Comput., vol. 4, no. 325, 2004.

[17] H. Inamori, N. Lutkenhaus, and D. Mayers, “Unconditional security of practical

quantum key distribution,” The European Physical Journal D-Atomic, Molecular,

Optical and Plasma Physics, vol. 41, no. 3, pp. 599–627, 2007.

[18] C. Fung, K. Tamaki, B. Qi, H.-K. Lo, and X. Ma, “Security proof of quantum

key distribution with detection efficiency mismatch,” Quant. Inf. Comput., vol. 9,

p. 131, 2009.

[19] A. Vakhitov, V. Makarov, and D. Hjelme, “Large pulse attack as a method of

conventional optical eavesdropping in quantum cryptography,” Journal of modern

optics, vol. 48, no. 13, pp. 2023–2038, 2001.

[20] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, “Trojan-horse attacks on

quantum-key-distribution systems,” Physical Review A, vol. 73, no. 022320, 2006.

[21] V. Makarov, A. Anisimov, and J. Skaar, “Effects of detector efficiency mismatch on

security of quantum cryptosystems,” Physical Review A, vol. 74, no. 022313, 2006.

[22] B. Qi, C. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum

cryptosystems,” Quant. Inf. Comput., vol. 7, no. 73, 2007.

Page 83: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 77

[23] Y. Zhao, C. Fung, B. Qi, C. Chen, and H.-K. Lo, “Quantum hacking: Experimen-

tal demonstration of time-shift attack against practical quantum-key-distribution

systems,” Physical Review A, vol. 78, no. 042333, 2008.

[24] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov,

“Hacking commercial quantum cryptography systems by tailored bright illumina-

tion,” Nature photonics, vol. 4, no. 10, pp. 686–689, 2010.

[25] T. Jennewein, U. Achleitner, G. Weihs, H. Weinfurter, and A. Zeilinger, “A fast and

compact quantum random number generator,” Review of Scientific Instruments,

vol. 71, p. 1675, 2000.

[26] A. Stefanov, N. Gisin, O. Guinnard, L. Guinnard, and H. Zbinden, “Optical quan-

tum random number generator,” Journal of Modern Optics, vol. 47, no. 4, pp. 595–

598, 2000.

[27] J. Dynes, Z. Yuan, A. Sharpe, and A. Shields, “A high speed, postprocessing free,

quantum random number generator,” Applied Physics Letters, vol. 93, no. 031109,

2008.

[28] R. Colbeck and A. Kent, “Private randomness expansion with untrusted devices,”

Journal of Physics A: Mathematical and Theoretical, vol. 44, p. 095305, 2011.

[29] S. Pironio, A. Acın, S. Massar, A. Boyer de la Giroday, D. N. Matsukevich,

P. Maunz, S. Olmschenk, D. Hayes, L. Luo, T. A. Manning, and C. Monroe, “Ran-

dom numbers certified by bell’s theorem.,” Nature, vol. 464, no. 7291, p. 1021,

2010.

[30] Y. Shen, L. Tian, and H. Zou, “Practical quantum random number generator

based on measuring the shot noise of vacuum states,” Physical Review A, vol. 81,

no. 063814, 2010.

[31] C. Gabriel, C. Wittmann, D. Sych, R. Dong, W. Mauerer, U. Andersen, C. Mar-

quardt, and G. Leuchs, “A generator for unique quantum random numbers based

on vacuum states,” Nature Photonics, vol. 4, pp. 711–715, 2010.

[32] http://www.idquantique.com

[33] http://www.intel.com/design/software/drivers/platform/security

Page 84: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 78

[34] http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber

generator

[35] F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping

attack in a practical quantum key distribution system,” New Journal of Physics,

vol. 12, no. 113026, 2010.

[36] F. Xu, B. Qi, X. Ma, H. Xu, H. Zheng, and H.-K. Lo, “An ultrafast quantum

random number generator based on quantum phase fluctuations,” Arxiv preprint

arXiv:1109.0643, 2011.

[37] M. Sasaki et al., “Field test of quantum key distribution in the tokyo qkd network,”

Optics Express, vol. 19, no. 11, pp. 10387–10409, 2011.

[38] D. Stucki, N. Walenta, F. Vannel, R. Thew, N. Gisin, H. Zbinden, S. Gray, C. Tow-

ery, and S. Ten, “High rate, long-distance quantum key distribution over 250 km

of ultra low loss fibres,” New Journal of Physics, vol. 11, p. 075003, 2009.

[39] C. Elliott et al., “Current status of the darpa quantum network,” in Proceedings of

SPIE, the International Society for Optical Engineering, pp. 138–149, 2005.

[40] M. Peev et al., “The secoqc quantum key distribution network in vienna,” New

Journal of Physics, vol. 11, p. 075001, 2009.

[41] F. Xu et al., “Field experiment on a robust hierarchical metropolitan quantum

cryptography network,” Chinese Science Bulletin, vol. 54, no. 17, pp. 2991–2997,

2009.

[42] T.-Y. Chen et al., “Field test of a practical secure communication network with

decoy-state quantum cryptography,” Opt. Express, vol. 17, no. 8, pp. 6540–6549,

2009.

[43] http://www.magiqtech.com/MagiQ/Home

[44] M. Wegman and J. Carter, “New hash functions and their use in authentication and

set equality,” Journal of computer and system sciences, vol. 22, no. 3, pp. 265–279,

1981.

[45] D. Gottesman and H.-K. Lo, “Proof of security of quantum key distribution with

two-way classical communications,” IEEE Transactions on Information Theory,

vol. 49, no. 2, pp. 457–475, 2003.

Page 85: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 79

[46] H. Chau, “Practical scheme to share a secret key through a quantum channel with

a 27.6% bit error rate,” Physical Review A, vol. 66, no. 060302, 2002.

[47] G. Brassard, N. Lutkenhaus, T. Mor, and B. Sanders, “Limitations on practical

quantum cryptography,” Physical Review Letters, vol. 85, no. 6, pp. 1330–1333,

2000.

[48] W. Hwang, “Quantum key distribution with high loss: Toward global secure com-

munication,” Physical Review Letters, vol. 91, no. 57901, 2003.

[49] H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Physical

review letters, vol. 94, no. 230504, 2005.

[50] X. Wang, “Beating the photon-number-splitting attack in practical quantum cryp-

tography,” Physical review letters, vol. 94, no. 230503, 2005.

[51] A. Uchida, , et al., “Fast physical random bit generation with chaotic semiconductor

lasers,” Nature Photonics, vol. 2, no. 12, pp. 728–732, 2008.

[52] T. Murphy and R. Roy, “Chaotic lasers: The world’s fastest dice,” Nature Photon-

ics, vol. 2, no. 12, pp. 714–715, 2008.

[53] I. Reidler, Y. Aviad, M. Rosenbluh, and I. Kanter, “Ultrahigh-speed random num-

ber generation based on a chaotic semiconductor laser,” Physical Review Letters,

vol. 103, no. 24102, 2009.

[54] I. Kanter, Y. Aviad, I. Reidler, E. Cohen, and M. Rosenbluh, “An optical ultrafast

random bit generator,” Nature Photonics, vol. 4, no. 1, pp. 58–61, 2009.

[55] B. Qi, Y.-M. Chi, H.-K. Lo, and L. Qian, “High-speed quantum random number

generation by measuring phase noise of a single-mode laser,” in Proceedings of The

9th Asian Conference on Quantum Information Science (AQIS), pp. 64–65, 2009.

[56] B. Qi, Y.-M. Chi, H.-K. Lo, and L. Qian, “High-speed quantum random number

generation by measuring phase noise of a single-mode laser,” Opt. Lett., vol. 35,

no. 3, pp. 312–314, 2010.

[57] H. Guo, W. Tang, Y. Liu, and W. Wei, “Truly random number generation based

on measurement of phase noise of a laser,” Physical Review E, vol. 81, no. 051137,

2010.

Page 86: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 80

[58] H. Takesue, S. Nam, Q. Zhang, R. Hadfield, T. Honjo, K. Tamaki, and Y. Ya-

mamoto, “Quantum key distribution over a 40-db channel loss using supercon-

ducting single-photon detectors,” Nature Photonics, vol. 1, no. 6, pp. 343–348,

2007.

[59] A. Ekert, “Quantum cryptography based on bells theorem,” Physical Review Let-

ters, vol. 67, no. 6, pp. 661–663, 1991.

[60] C. Bennett, G. Brassard, and N. Mermin, “Quantum cryptography without bells

theorem,” Physical Review Letters, vol. 68, no. 5, pp. 557–559, 1992.

[61] T. Ladd, F. Jelezko, R. Laflamme, Y. Nakamura, C. Monroe, and J. OBrien,

“Quantum computers,” Nature, vol. 464, no. 7285, pp. 45–53, 2010.

[62] W. Buttler, R. Hughes, P. Kwiat, S. Lamoreaux, G. Luther, G. Morgan, J. Nord-

holt, C. Peterson, and C. Simmons, “Practical free-space quantum key distribution

over 1 km,” Physical Review Letters, vol. 81, no. 15, pp. 3283–3286, 1998.

[63] R. Hughes, W. Buttler, P. Kwiat, S. Lamoreuax, G. Morgan, J. Nordholt, and

C. Peterson, “Quantum cryptography for secure satellite communications,” in IEEE

Aerospace Conference Proceedings, vol. 1, pp. 191–200, IEEE, 2000.

[64] C. Kurtsiefer, P. Zarda, M. Halder, H. Weinfurter, P. Gorman, P. Tapster, and

J. Rarity, “A step towards global key distribution.,” Nature, vol. 419, no. 6906,

p. 450, 2002.

[65] C. Peng et al., “Experimental free-space distribution of entangled photon pairs over

13 km: towards satellite-based global quantum communication,” Physical review

letters, vol. 94, no. 15, p. 150501, 2005.

[66] S. Cova, M. Ghioni, A. Lotito, I. Rech, and F. Zappa, “Evolution and prospects for

single-photon avalanche diodes and quenching circuits,” Journal of Modern Optics,

vol. 51, no. 9-10, pp. 1267–1288, 2004.

[67] Z. Yuan, J. Dynes, and A. Shields, “Avoiding the blinding attack in qkd,” Nature

Photonics, vol. 4, no. 12, pp. 800–801, 2010.

[68] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov,

“Avoiding the blinding attack in qkd,” Nature Photonics, vol. 4, no. 12, p. 801,

2010.

Page 87: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 81

[69] R. Hadfield, “Single-photon detectors for optical quantum information applica-

tions,” Nature Photonics, vol. 3, no. 12, pp. 696–705, 2009.

[70] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin, “plug and

play systems for quantum cryptography,” Applied Physics Letters, vol. 70, no. 793,

1997.

[71] T. Nishioka, H. Ishizuka, T. Hasegawa, and J. Abe, “Circular type quantum key

distribution,” IEEE Photonics Technology Letters, vol. 14, no. 4, pp. 576–578, 2002.

[72] P. Townsend, “Secure key distribution system based on quantum cryptography,”

Electronics Letters, vol. 30, no. 10, pp. 809–811, 1994.

[73] C. Fung, B. Qi, K. Tamaki, and H.-K. Lo, “Phase-remapping attack in practical

quantum-key-distribution systems,” Physical Review A, vol. 75, no. 3, p. 032314,

2007.

[74] A. Yariv and P. Yeh, Photonics: Optical electronics in modern communications.

Oxford University Press, 2007.

[75] N. Meteopolis and S. Ulam, “The monte carlo method,” Journal of the American

Statistical Association, vol. 44, no. 247, pp. 335–341, 1949.

[76] B. Schneier and P. Sutherland, Applied cryptography: protocols, algorithms, and

source code in C. John Wiley & Sons, NY, USA, 1995.

[77] M. Wayne, E. Jeffrey, G. Akselrod, and P. Kwiat, “Photon arrival time quantum

random number generation,” Journal of Modern Optics, vol. 56, no. 4, pp. 516–522,

2009.

[78] M. Wayne and P. Kwiat, “Low-bias high-speed quantum random number generator

via shaped optical pulses,” Opt. Express, vol. 18, no. 9, pp. 9351–9357, 2010.

[79] L. Yu, M. Yang, P. Wang, and S. Kawata, “Note: A sampling method for quantum

random bit generation,” Review of Scientific Instruments, vol. 81, p. 046107, 2010.

[80] M. Wahl, M. Leifgen, M. Berlin, T. Rohlicke, H. Rahn, and O. Benson, “An ul-

trafast quantum random number generator with provably bounded output bias

based on photon arrival time measurements,” Applied Physics Letters, vol. 98,

pp. 171105–171105, 2011.

Page 88: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 82

[81] M. Furst, H. Weier, S. Nauerth, D. Marangon, C. Kurtsiefer, and H. Weinfurter,

“High speed optical quantum random number generation,” Optics Express, vol. 18,

no. 12, pp. 13029–13037, 2010.

[82] M. Ren, E. Wu, Y. Liang, Y. Jian, G. Wu, and H. Zeng, “Quantum random-

number generator based on a photon-number-resolving detector,” Physical Review

A, vol. 83, no. 023820, 2011.

[83] Y. Jian, M. Ren, E. Wu, G. Wu, and H. Zeng, “Two-bit quantum random num-

ber generator based on photon-number-resolving detection,” Review of Scientific

Instruments, vol. 82, no. 7, pp. 073109–073109, 2011.

[84] M. Jofre, M. Curty, F. Steinlechner, G. Anzolin, J. Torres, M. Mitchell, and

V. Pruneri, “True random numbers from amplified quantum vacuum,” Optics Ex-

press, vol. 19, no. 21, pp. 20665–20672, 2011.

[85] T. Symul, S. Assad, and P. Lam, “Real time demonstration of high bitrate quantum

random number generation with coherent laser light,” Applied Physics Letters,

vol. 98, pp. 231103–231103, 2011.

[86] L. Trevisan, “Extractors and pseudorandom generators,” Journal of the ACM,

vol. 48, p. 2001, 1999.

[87] R. Shaltiel, “Recent developments in explicit constructions of extractors,” Current

Trends in Theoretical Computer Science: The Challenge of the New Century, 2004.

[88] C. Henry, “Theory of the linewidth of semiconductor lasers,” IEEE Journal of

Quantum Electronics, vol. 18, no. 2, pp. 259–264, 1982.

[89] K. Petermann, Laser diode modulation and noise. Springer, 1988.

[90] http://www.stat.fsu.edu/pub/diehard

[91] http://csrc.nist.gov/groups/ST/toolkit/rng

[92] N. Nisan and A. Ta-Shma, “Extracting randomness: A survey and new construc-

tions,” Journal of Computer and System Sciences, vol. 58, no. 1, pp. 148–173,

1999.

Page 89: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 83

[93] C. Bennett, G. Brassard, C. Crepeau, and U. Maurer, “Generalized privacy ampli-

fication,” IEEE Transactions on Information Theory, vol. 41, no. 6, pp. 1915–1923,

1995.

[94] Y. Mansour, N. Nisan, and P. Tiwari, “The computational complexity of universal

hashing,” Theoretical Computer Science, vol. 107, pp. 235–243, 2002.

[95] H. Krawczyk, “LFSR-based hashing and authentication,” in Advances in Cryp-

tology - CRYPTO’94, Lecture Notes in Computer Science, vol. 893, pp. 129–139,

Springer-Verlag, 1994.

[96] M. N. Wegman and J. L. Carter, “Universal classes of hash functions,” Journal of

Computer and System Sciences, vol. 18, pp. 143–154, 1979.

[97] R. Impagliazzo, L. A. Levin, and M. Luby, “Pseudo-random generation from one-

way functions,” in Proceedings of the twenty-first annual ACM symposium on The-

ory of computing, STOC ’89, (New York, NY, USA), pp. 12–24, ACM, 1989.

[98] X. Ma, C.-H. F. Fung, J.-C. Boileau, and H. Chau, “Universally composable and

customizable post-processing for practical quantum key distribution,” Computers

and Security, vol. 30, no. 4, pp. 172 – 177, 2011.

[99] P. L’Ecuyer and R. Simard, “Testu01: Ac library for empirical testing of ran-

dom number generators,” ACM Transactions on Mathematical Software (TOMS),

vol. 33, no. 4, pp. 22–es, 2007.

[100] R. Raz, O. Reingold, and S. Vadhan, “Extracting all the randomness and reduc-

ing the error in trevisan’s extractors,” in Proceedings of the 31st Annual ACM

Symposium on Theory of Computing, pp. 149–158, 1999.

[101] R. Raz, O. Reingold, and S. Vadhan, “Extracting all the randomness and reduc-

ing the error in trevisan’s extractors,” Journal of Computer and System Sciences,

vol. 65, no. 1, pp. 97 – 128, 2002.

[102] N. Nisan and A. Wigderson, “Hardness vs randomness,” J. Comput. Syst. Sci.,

vol. 49, pp. 149–167, 1994.

[103] X. Ma and X. Tan, “An explicit combinatorial design,” Arxiv preprint

arXiv:1109.6147, 2011.

Page 90: Practical Issues in Quantum Cryptography · 2012-11-03 · used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies

Bibliography 84

[104] D. E. Knuth, The art of computer programming: seminumerical algorithms. Boston, MA, USA: Addison-Wesley Longman Publishing Co., Inc., 1997.

[105] L. Lydersen, J. Skaar, and V. Makarov, “Tailored bright illumination attack on distributed-phase-reference protocols,” Journal of Modern Optics, vol. 58, no. 8, pp. 680–685, 2011.

[106] I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Perfect eavesdropping on a quantum cryptography system,” Nature Communications, vol. 2, no. 349, 2011.

[107] V. Makarov, “Controlling passively quenched single photon detectors by bright light,” New Journal of Physics, vol. 11, no. 065003, 2009.

[108] S. Sauge, L. Lydersen, A. Anisimov, J. Skaar, and V. Makarov, “Controlling an actively-quenched single photon detector with bright light,” arXiv preprint arXiv:0809.3408, 2008.

[109] L. Lydersen, M. Akhlaghi, A. Majedi, J. Skaar, and V. Makarov, “Controlling a superconducting nanowire single-photon detector using tailored bright illumination,” arXiv preprint arXiv:1106.2396, 2011.

[110] Z. Yuan, J. Dynes, and A. Shields, “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography,” Applied Physics Letters, vol. 98, no. 231104, 2011.

[111] A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, “Device-independent security of quantum cryptography against collective attacks,” Physical Review Letters, vol. 98, p. 230501, 2007.

[112] H.-K. Lo, M. Curty, and B. Qi, “Measurement device independent quantum key distribution,” arXiv preprint arXiv:1109.1473, 2011.

[113] S. Sun, M. Jiang, and L. Liang, “Passive Faraday-mirror attack in a practical two-way quantum-key-distribution system,” Physical Review A, vol. 83, no. 062331, 2011.

[114] N. Jain, C. Wittmann, L. Lydersen, C. Wiechers, D. Elser, C. Marquardt, V. Makarov, and G. Leuchs, “Device calibration impacts security of quantum key distribution,” Physical Review Letters, vol. 107, no. 110501, 2011.


[115] H. Li, S. Wang, J. Huang, W. Chen, Z. Yin, F. Li, Z. Zhou, D. Liu, Y. Zhang, G. Guo, W. Bao, and Z. Han, “Attacking practical quantum key distribution system with wavelength dependent beam splitter and multi-wavelength sources,” arXiv preprint arXiv:1110.4574, 2011.

[116] D. Rogers, J. Bienfang, A. Nakassis, H. Xu, and C. Clark, “Detector dead-time effects and paralyzability in high-speed quantum key distribution,” New Journal of Physics, vol. 9, p. 319, 2007.

[117] V. Burenkov, B. Qi, B. Fortescue, and H. Lo, “Security of high speed quantum key distribution with finite detector dead time,” arXiv preprint arXiv:1005.0272, 2010.

[118] H. Weier, H. Krauss, M. Rau, M. Fuerst, S. Nauerth, and H. Weinfurter, “Quantum eavesdropping without interception: An attack exploiting the dead time of single photon detectors,” New Journal of Physics, vol. 13, p. 073024, 2011.

[119] C. Weedbrook, S. Pirandola, R. Garcia-Patron, N. Cerf, T. Ralph, J. Shapiro, and S. Lloyd, “Gaussian quantum information,” arXiv preprint arXiv:1110.3234, 2011.

[120] C. Williams, J. Salevan, X. Li, R. Roy, and T. Murphy, “Fast physical random number generator using amplified spontaneous emission,” Optics Express, vol. 18, pp. 23584–23597, 2010.

[121] X. Li, A. Cohen, T. Murphy, and R. Roy, “Scalable parallel physical random number generator based on a superluminescent LED,” Optics Letters, vol. 36, no. 6, pp. 1020–1022, 2011.

[122] L. Duan, M. Lukin, J. Cirac, and P. Zoller, “Long-distance quantum communication with atomic ensembles and linear optics,” Nature, vol. 414, no. 6862, p. 413, 2001.

[123] D. Wackerly, W. Mendenhall, and R. Scheaffer, Mathematical statistics with applications. Thomson, Brooks/Cole, 2008.