Quantum key exchange

from Wikipedia, the free encyclopedia

As quantum key exchange is referred to several methods of quantum computer science and quantum cryptography , the properties of quantum mechanics use a common two parties random number to provide. This number is used in cryptography as a secret key in order to transmit messages in a tap-proof manner using classic symmetric encryption methods . For example, the demonstrably secure one-time pad can be used, which is usually not used without quantum key exchange due to the high expenditure for secure key exchange. Since quantum key exchange is the best-known method in quantum cryptography, it is sometimes also referred to as quantum cryptography.

technical realization

No quantum computer is required for the quantum key exchange , but quantum mechanical coherence of the transmitted signals . The necessary technical requirements already exist; An example: In April 2004, a money transfer encrypted with quantum cryptography was triggered from the City Hall in Vienna to a bank based in the city.

When using fiber optic technologies, however, the distance between transmitter and receiver is limited, since the usual signal amplifiers cannot be used because of the required coherence . The highest distance (as of 2008) bridged by fiber optic cable at which a quantum key was exchanged is 184.6 km, carried out in 2006. In 2017, a quantum key was successfully transmitted from a satellite to earth (approx. 1200 km). This is possible because empty space, like the universe, hardly weakens the photons and shows almost no decoherence .

Advantage of quantum key exchange

The advantage of the quantum key exchange compared to classic key distribution methods is that the security achieved is based on known physical laws and not on assumptions about the performance of computers and algorithms or about the reliability of trusted persons. The security of the various methods of quantum key exchange arises from the fact that an attacker who is eavesdropping on the key transmission is noticed. If it is found that the transmission has been overheard, the transmitted key is discarded (in practice when an error tolerance value is exceeded) and the key generation and transmission begins again.


There are two classes of methods for quantum key exchange. Some , like the BB84 protocol , use individual photons for transmission. An attacker can not copy them due to the no-cloning theorem and can therefore be recognized by changes in the measurement result. Other methods, such as the Ekert protocol , use entangled states . If an attacker listens to the key transmission here, the system loses part of its quantum entanglement . This loss can then be determined and thus the attack can be exposed.

BB84 protocol

The BB84 protocol is a method of quantum cryptography in which the replacement of the key possible. The name comes from the fact that the protocol was proposed in 1984 by the two scientists Charles H. Bennett and Gilles Brassard . It is currently the best-known method in quantum cryptography, but other important methods now exist that are currently being further developed.

The procedure is basically as follows: The information is transmitted by means of photons. Photons can be polarized horizontally or vertically (- or |): A horizontally polarized photon is not allowed to pass through a vertical filter, but certainly through a horizontal filter. In addition, photons can be diagonally polarized in different ways (/, "right diagonal", or \, "left diagonal"). This can be measured by simply rotating the filter 45 °. It should be noted that if the receiver ( Bob ) uses a differently polarized filter ( or base) than the transmitter ( Alice ), there is only a 50 percent probability that the measurement result will be correct.

First, Alice generates a photon with a polarization of her choice (- or |, or / or \) and sends it to Bob. This measures it in a filter chosen by him at random (the same four possibilities, but chosen independently). This procedure is repeated until Alice and Bob have received a sufficient number of values ​​that they can convert into a bit sequence (see the following example). During the process Alice has to make sure that she generates all four polarization possibilities with the same probability, and Bob should also select his filter with the same probability (see eavesdropping ).

In order to generate a key from the values ​​obtained, Alice and Bob agree after the photon transmission via an authenticated line in which cases they have used the same "base" (horizontal / vertical base, + or diagonal base, ). For these so-called “relevant bits” you can be sure that you have measured the same polarization directions, and only you know which they are (there are two possibilities for each basis). A "spy" ( Eve , who would carry out an eavesdropping attack in classic cryptography, see below) only knows the fact that the polarization directions for the relevant bits are the same, i.e. H. the associated “base”, but which these polarization directions are, Eve cannot spy on without betraying herself.

Alice and Bob now assign different bit values ​​to the possible polarizations: for example 0 for horizontal (-) or left diagonal (\) polarization, 1 for vertical (|) or right diagonal (/) polarization. You could even save yourself this step: The selected assignment may also be specified in advance and publicly known, because the spy cannot determine the actual polarization direction without giving himself away, but only knows that Alice and Bob have it for the relevant bits is equal to.

The polarizations for which they used the same filter provide Alice and Bob with the same bit, so they can be used for a key or for a one-time pad . The remaining bits are only correct with a 50 percent probability and are therefore discarded. On average, Alice and Bob can use half of all bits for key generation.

An example

polarization sent by Alice / / / \ \ \ - - -
base used by Bob
Polarization measured by Bob / - \ - \ / - \ /
Base same? Yes No No Yes No No No No Yes No No Yes
used key 1 · · 0 · · · · 0 · · 1

Note: The above table should clarify the principle of the protocol. In practice, the basis used will be the same in approx. 50% of the measurements.

Physical and technical aspects

More generally, one can say that Alice and Bob use qubits to generate a key. This is the quantum mechanical equivalent of the bit , i.e. the smallest possible unit of information. Furthermore, they agree on two complementary bases of their qubit system, which can be called - and - base (this name refers to the coordinate axes of the Bloch sphere ). Each of these two bases consists of two base states: the base of and , the base of and (in Bra-Ket notation).

When exchanging quantum keys, photons are used almost exclusively as qubits. The polarization of the photons can be identified with the base states: For example, one chooses the linear polarization in vertical and horizontal direction for the base and the diagonal polarization for the base, as used in the section above.

However, the technical implementation of the protocol poses a challenge. For example, errors caused by the measuring devices and noise (birefringence in the fiber optic channel, interaction with other particles) must be expected. In spite of this, Charles H. Bennett himself succeeded in a quantum mechanical key transfer in 1989.

An eavesdropping

Quantum mechanical effects are used to detect eavesdropping: According to the laws of quantum mechanics, Eve , an attacker, would very likely change the base state sent by Alice through her measurement.

Ideally, Alice and Bob should receive a secure key through the procedure described. However, it is not guaranteed that no eavesdropper has overheard. A simple way of listening would be as follows: Eve intercepts each qubit, measures it in one of the two possible bases and then sends the measured result on to Bob. Since Alice and Bob only continue to use the bits for which they used the same base, there are two possible cases here:

  • Eve measures in the same basis that Alice sent: in this case Alice and Bob don't notice anything and Eve knows the bit.
  • Eve measures in the other base: In this case, Eve interferes with Bob's measurement as it changes the state of the qubit so that there is a 50% chance that it will receive a wrong bit.

At the time of her measurements, Eve didn't know either Alice's or Bob's base, so both cases are equally common. One can therefore assume that on average 25 percent of all bits are incorrect. To determine this, Alice and Bob select some of their bits and compare them over the insecure channel. You can thus obtain an estimate of the error rate (using statistical tests ). If this is too high (e.g. 25%), you have to fear that it has been eavesdropped and should start again with the key transmission.

Instead of the one mentioned above, Eve can also choose other methods: for example, she can only measure every second qubit, which (as before) leads to an error rate of 12.5 percent, or she can make a copy of the qubit, which is due to the no- Cloning theorem is only possible with one error. But it can also be that nobody has listened and only the transmission is disturbed or the measuring equipment is misaligned. Alice and Bob can use error correction methods and hash functions to generate a key even when the error rates are present but not too high .

Also, man-in-the-middle attacks can be excluded when quantum key exchange when the channel used is authenticated. Otherwise, an active attacker could take measurements during key exchange and modify the messages during later exchange of the bases actually used. He carries out the protocol with Alice as if he were Bob. He poses as Alice to Bob and forwards the bases in which he has measured. Then he shares a key with Alice and Bob.

However, there is the theoretical approach of using an active medium ( laser medium as an optical amplifier ) to create quantum mechanical copies (including phase and polarization) with the help of the stimulated emission and thereby (statistically) to listen unnoticed.

In August 2010, scientists from the Norwegian University of Science and Technology published that they had succeeded in eavesdropping on the transmission of the key in two commercial systems by "blinding" the detector, without causing interference or interruptions and without leaving any clues.

Quantum key exchange using entanglement

A protocol for the exchange of quantum keys with so-called entangled states was developed in 1991 by Artur Ekert . The functionality is similar to that of the BB84 protocol, but the unusual properties of such photons given in quantum mechanics are used:

  • After measuring the polarization of one of the two photons of the entangled pair, the polarization of the other is clearly determined ("complementary" to the polarization of the first, i.e. with singlet entanglement, this is the most common case when using the same base, e.g. the Diagonal base, once “right diagonal” or the complementary time “left diagonal”). So Alice and Bob measure with complementary filters (they can communicate about them publicly), so they can define a common key.
  • However, if Alice measures a photon in horizontal polarization (i.e. with the base ) and Bob then the entangled photon using the diagonal base ( ), Bob will in any case receive one of the two diagonal polarization directions (/ or \) with a 50% probability, thus a random value 0 or 1. This case cannot be used for the transmission of communications, but, as we will see in a moment, is important for checking security against espionage.

In the Ekert protocol, Alice and Bob first create independent photon statistics in order to rule out that the photons are generated “in the classic way” by a third party. As with the BB84 protocol, horizontal / vertical or diagonal filters are used with the same probability. If Alice and Bob have received enough photons, they again compare their respective bases via an unnecessarily secured and authenticated channel or quite openly. In other words, unlike Bob and Alice, a spy again does not know the associated polarization . There are two options:

  1. The bases were set exactly the same. Then Bob and Alice, but not the spy, know the state of the photon at the other partner's (0 or 1) and can use these bits for coding.
  2. With the bits that are generated by different bases, it is possible to check Bell's inequality . It gives a limit for the correlation of the information about the first and second photon in classical physics and is violated in a significant way by quantum mechanics:

In order to find out whether someone has eavesdropped using this method, one checks the data in which Alice and Bob used different bases for this violation. If the inequality is fulfilled , the photons were not   entangled, so the communication was overheard.

Once again, Alice and Bob can work together to determine with certainty the existence of a spy.


The use of quantum effects for the exchange of one-time pad was under the name "Conjugate Coding" ( conjugated coding ) pioneered by Stephen Wiesner proposed to 1969-70, but in 1983 only SIGACT News published. Charles H. Bennett and Gilles Brassard developed the first quantum mechanical protocol for the transmission of keys at IBM at the same time and published it in 1984; this explains the name BB84 .

In 1989, IBM carried out the first practical experiment with quantum cryptography in Yorktown. In 1991, the BB84 protocol was successfully demonstrated for the first time when a distance of 32 cm was bridged with it. In the meantime, the quantum key exchange has already been tried out in the Alps : Individual photons were sent through 23 km of air from one station to another and a key was generated with an error rate of around 5%.

The technically more complex quantum key exchange with entangled photons was first implemented in 1999 by Anton Zeilinger's employees at the University of Vienna . Bit rates of up to 800 bits / s with an error rate of around 3% were achieved over a distance of 360 m.

At the end of April 2004, a money transfer was secured using quantum cryptography for the first time. The fiber optic cable for transmitting the entangled photons was around 1500 m long and led from Bank Austria Creditanstalt through the Vienna sewer network to Vienna City Hall.

In November 2006, two students from the Massachusetts Institute of Technology , Taehyun Kim and Ingo Stork called Wersborg, under the direction of Franco NC Wong and Jeffrey H. Shapiro, managed to intercept a message encrypted using the BB84 protocol in the laboratory for the first time. During this interception process, an optical CNOT logic gate was used to read out the secret quantum bits, which was noticeable to the recipient through an increased error rate. The attack makes it clear that the security of the protocol requires the use of privacy amplification with the help of a hash function in order to eliminate possible knowledge of an attacker from the generated keys.

For the Swiss parliamentary elections on October 21, 2007, data from polling stations in the canton of Geneva were transmitted over a distance of approx. 100 km to the federal city of Bern.


Elementary introductions can be found in:

  • Dagmar Bruß: Quantum Information. Fischer Taschenbuch Verlag, Frankfurt am Main 2003 ISBN 3-596-15563-0 .
  • Matthias Homeister: Understanding Quantum Computing. Vieweg, Wiesbaden 2005, ISBN 3-528-05921-4 .

A popular scientific presentation can be found in:

  • Anton Zeilinger: Einstein's Veil - The New World of Quantum Physics , 2003, ISBN 978-3-442-15302-2 , p. 112 ff.

Web links

Individual evidence

  1. World Premiere: Bank Transfer via Quantum Cryptography Based on Entangled Photons ( Memento from February 11, 2015 in the Internet Archive ) (PDF; 105 kB). Press release, Vienna, April 21, 2004.
  2. PA Hiskett, D. Rosenberg, CG Peterson, RJ Hughes, S. Nam, AE Lita, AJ Miller, JE North Holt: Long-distance quantum key distribution in optical fiber . In: New Journal of Physics . tape 8 , no. 9 , 2006, p. 193 , doi : 10.1088 / 1367-2630 / 8/9/193 .
  3. Jian-Wei Pan , Jian-Yu Wang, Cheng-Zhi Peng, Rong Shu, Chao-Yang Lu: Satellite-to-ground quantum key distribution . In: Nature . tape 549 , no. 7670 , September 2017, ISSN  1476-4687 , p. 43–47 , doi : 10.1038 / nature23655 ( nature.com [accessed July 23, 2019]).
  4. Hacking commercial quantum cryptography systems by tailored bright illumination
  5. Hackers blind quantum cryptographers (in Nature News August 29, 2010)
  6. T. Kim, I. Stork called Wersborg, FNC Wong, JH Shapiro: Complete physical simulation of the entangling-probe attack on the Bennett-Brassard 1984 protocol . In: Physical Review A . tape 75 , no. 4 , 2007, p. 42327 , doi : 10.1103 / PhysRevA.75.042327 , arxiv : quant-ph / 0611235 .
  7. Taehyun Kim, Ingo Stork called Wersborg, Franco NC Wong, Jeffrey H. Shapiro: Complete physical simulation of the entangling-probe attack on the BB84 protocol . In: Quantum Electronics and Laser Science Conference, 2007. QELS'07 . 2007, p. 1–2 , doi : 10.1109 / QELS.2007.4431646 , arxiv : quant-ph / 0611235v1 .
  8. Frank Patalong: Quantum Cryptography: The Most Secure Data Line in the World . On: Spiegel-Online. October 12, 2007. (Article on the use of quantum cryptography in the 2007 Swiss parliamentary elections)