WO2008140291A2

WO2008140291A2 - Deterministic rendering for practical quantum cryptography

Info

Publication number: WO2008140291A2
Application number: PCT/MY2008/000039
Authority: WO
Inventors: Mohamed Ridza Wahidin; Jesni Bin Shamsul Shaari; Marco Lucamarni; Stefano Mancini
Original assignee: Mimos Berhad; International Islamic University Malaysia
Priority date: 2007-05-11
Filing date: 2008-05-09
Publication date: 2008-11-20
Also published as: WO2008140291A3

Abstract

The present invention relates to a quantum key distribution (QKD) protocol in order to make it deterministic. The present invention more particularly relates to a method and system for deterministic quantum key distribution for rendering practical quantum cryptography.

Description

DETERMINISTIC RENDERING FOR PRACTICAL QUANTUM

CRYPTOGRAPHY

FIELD OF THE INVENTION

BACKGROUND OF THE INVENTION

In the prior art it is possible to convey information from one site to another with perfect fidelity. This reliable transmission of information is suitable for certain like an informal telephone call but not enough security when the information should be kept confidential. Quantum mechanics provides a solution for unsolved difficulties of the distribution of a secret key, a fundamental step in the frame of a private communication.

As per to date, several quantum key distribution (QKD) methods have been made available. One example which is the most popular method is the BB84 and has been implemented in fiber based setups well beyond the limit of lOOKM.

In the prior art methods and systems, there is provided therein a step known as

"basis reconciliation" in which at least 2 users would discard all the qubits measured along different bases. The intention of such step is to made available to the users with only correlated results, in which could be eventually utilized for the distillation of the final secret key.

However, the basic reconciliation implies the average waste of partial of the total quantum resources used for the quantum communication. Moreover, due to the basis reconciliation's intrinsic randomness, it is not possible to affirm that the final key is distributed from one user to another, but rather that it is generated during the protocol itself in a random way. In other words it would be said that the usual BB84 is not deterministic. This feature is not necessarily a disadvantage, but it prevents even in principle the possibility of a quantum "direct communication' with the BB84.

In the present invention, there are a relevant number of protocols which are deterministic. None of them however attempts a comparison with a nondeterministic scheme in terms of the rate of secure bits distilled by two different users. One of the reasons is that usually the newly proposed deterministic schemes are quite different from the already existing nondeterministic ones, thus creating an objective difficulty in the comparison. For the BB84 the argument is different though. The possibility of a deterministic rendering of the BB84 is a common knowledge but nevertheless it has been considered highly unfeasible so far, thus remaining only a theoretical resource.

In the present invention there would be described herein how to modify the theoretical deterministic BB84 protocol in order to make it practical, without altering its security. A direct comparison with done with the new protocol with the traditional BB84 in terms of the rate of secure key bits.

Therefore, it is an objective of the present invention to introduce a realistic QKD more particularly since the resulting rate of distilled bits is a nontrivial increase for reasonable distance between two users. It is yet another objective of the present invention to increase the rate obtained and further improve the rate when the users are part of a QKD network.

SUMMARY OF THE INVENTION

The present invention relates to a deterministic rendering for practical quantum cryptography for conveying information from one site to another site with security wherein the steps for deteπninisting BB84 comprises of:

(i) Data bit choice wherein U2 chooses a random (4 + η_c + T_]1n) N-bit string d (data string), Basis bit choice and encoding wherein U2 chooses a random (4 + η_c

+ Tj_m) N-bit string b (basis string) and wherein U2 encodes each bit of d on the qubits as {K)>, ll>} or {l+>, l->}and wherein U2 sends the resulting states to Ul, (iii) Storage wherein Ul receives on average (4 + T]_1n) N qubits and stores them in a quantum memory.

Receipt wherein Ul announces the completion of step (iii) on a classical channel.

Basis Revelation wherein U2 announces (ii), (vi) Deterministic Measurement wherein Ul retrieves on average 4N qubits from the memory and measures each of them in the X or Z basis according to the disclosed value of b and wherein the outcome of Ul measure is deterministic and U2 and Ul do not discard any bits and wherein after the public announcement by Ul of the addresses of the lost qubits, U2 and Ul will get on the average 4N pairs of correlated bit, a fraction of which contains errors due to the possible noise on the channel,

U2 selects a subset of 2N bits that will serve as a check on User 3's

(U3) interference, and tells Ul which bits U2 selected. (viii) U2 and Ul announce and compare the values of the 2N check bits and wherein if more than an acceptable number disagree, they abort the transmission, (ix) U2 and Ul perform error correction and privacy amplification on the remaining 2N bits to obtain 2M private key bits and wherein steps (iii), (iv) and (v) makes the protocol deterministic.

The present invention also relates to a deterministic rendering for practical quantum cryptography for a practical deterministic BB84, wherein the steps comprises of:

(i) Preliminaries wherein U2 and Ul measure the time that an intense light pulse employs to cover the distance between them and wherein they use the classical channel to declare the measured time and to established the value of a positive security parameter which is used later for security analysis. (U) Data bit choice wheiein U2 chooses a random (4 + η_c + X]_1n) N-bit string d, (iii) Basis bit choice wherein U2 chooses a random (4 + η_c + η_m) N-bit string b,

(iv) Encoding and transm ssion of quantum information, (v) Transmission of chssical information without waiting for Ul's receipt.

(vi) Acquisition of classic al information, (vii) Deterministic Measurement.

After Ul's public announcement of the lost bits the users should share on average 4N pairs of correlated bits, U2 selects a subset of 2N bits of d and 2N bits of b that will serve as a check on U3's interference, and tells Ul the addresses of the selected bits and wherein Ul selects the same addresses from the strings B and D. U2 and Ul announce on the classical channel the v dues of the selected 2N pairs of bits from b and

B and wherein if any of them does not coincide they abort the transmission. Further to this U 2 and Ul perform error correction and privacy amplification on the remaining 2N bits to obtain 2M private key bits. U2 1 ansmits the information about the basis without waiting for Ul's receipt and wherein Ul does not send the receipt in the very moment Ul receives the photon.

BRIEF DESCRIPTION OF THE FIGURES

Figure 1 shows a diagram of a possible Implementation of BB84'

Figure 2 shows 4 different graphs shoei inngg a secure rate of BB84' and BB84 optimized for distances between U2 and Ul for 2, Φ, 8 and 16 KM. DETAILED DESCRIPTION OF THE PRFSKNT INVENTION

Since the BB84, it has been known how to remove from it the resource- consuming procedure of basis reconciliation. For example if User 1 (hereinafter would be referred as Ul in the rest of the specification, including claims and abstract) is endowed with a quantum memory that could store the received qubit until a User's 2 (hereinafter would be referred as U2 in the rest of the specification, including claims and abstract) public disclosure of the basis. This possibility lets Ul to measure always in the right basis and makes the BB84 deterministic.

A similar version of the BB84 has been recently formalized and assumed the name of BB84'. It is shown that the BB84' and BB84 are equivalent; this result is further exploited to provide a stronger security proof for the BB84 protocol. It is reported that a basic version of a deterministic BB84, very much relying on the protocol to which the present invention is referred in the detailed description, and on the BB84 reported according to what said above.

Deterministic of BB84 (basic version)

(a) Data bit choice.

U2 chooses a random (4 + η_c + η_m) N-bit string d (data string). The factor η_c accounts for the losses of the channel while η_m accounts for the losses of Ul's storage memory.

(b) Basis bit choice and encoding.

U2 chooses a random (4 + η_c + η_m) N-bit string b (basis string). U2 encodes each bit of d on the qubits as { K)>, ll>} if the corresponding bit of b is 0 (Z basis) or {l+>, l->} if the corresponding bit of b is 1 (X basis). U2 sends the resulting states to Ul. (c) Storage.

Ul receives on average (4 + η,n) N qubits and stores them in a (imperfect) quantum memory. (Ci) Receipt.

Ul announces the completion of step (c) on the (authenticated or unjammable) classical channel. |

(e) Basis Revelation. U2 announces b.

(f) Deterministic Measurement. Ul retrieves on average 4N qubits from thejmemory and measures each of them in the X or Z basis according to the dijsclosed value of b. In this way the outcome of Ul measure is deterministic jand U2 and Ul do not discard any bits. After the public announcement by |U1 of the addresses of the lost qubits, U2 and Ul will get on the average^{^} 4N pairs of correlated bit, a fraction of which contains errors due to the possible noise on the channel.

(g) U2 selects a subset of 2N bits that will servje as a check on User 3's (U3) interference, and tells Ul which bits U2 selected.

(h) U2 and Ul announce and compare the valuefs of the 2N check bits. If more than an acceptable number disagree, they abort the transmission.

(i) U2 and Ul perform error correction and privacy amplification on the remaining 2N bits to obtain 2M private key bi ts (M = N).

It should be noted that step c, e and d of the above protocol makes it deterministic, because they let Ul always measure in the right basis. T us would enable the possibility of a direct communication in case of a noiseless and loss less channel between the users. However it was reported that even for an imperfect chahnel and quantum memory, the coefficient in front of the final number of distilled bits is 2 for BB84' while in the BB84 it is 1. This is due to the determinism of the new protocc 1, and entails an increase of the secure-bit-rate, at least on small distances between U2 ind Ul. For long distances the loss-rate becomes important eventually suppressing the advantage given by the determinism.

A crucial point that makes the deterministic protocol as secure as the original BB84 is which the receipt by Ul of the qubits sent by U2. Without it there's a risk that an eavesdropper U3 delays the qubits until the public disclosure of the basis by U2, thus gaining for U3 the possibility of a deterministic measurement. In such a case U2 and Ul would have no chance to detect U3.

Despite its relevance for security, the main obstacle toward a practical implementation of a deterministic BB84 does appear. In fact, to send a receipt, Ul must acknowledge that a given number of signals (for example photons) entered bis station. The only way to do that without altering the information carried by the photons is represented by a quantum non-demolition measurement (QND). It is noted that this QND should be deterministic (i.e. working in all the occurring instances) and should count the exact number of photons (a single click when at least one photon is there is not sufficient), otherwise the protocol aborts. These are unavailable requirements in the current technology.

The problem could be alleviated by considering a qubit-by-qubit version of the above protocol, in which Ul gives one receipt for each of the 4N qubits, and U2 reveals the basis for each qubit. This step does not change the overall amount of resources used, and maintains the equivalence with BB84. Yet it makes the protocol far more practical. Thus hereafter, only run-by-run protocols is considered. Nevertheless, the QND described above remains challenging even in this case.

In another related problem Ul must store the qubit until U2's basis revelation. If consider a run-by-run protocol, the minimum storage time for the deterministic BB84 with a receipt's transmission is 2T. Here T is the time for a signal to cover the distance between U2 and Ul: one T is to let Ul 's receipt reach U2, and one T is to let U2 transmit the basis to Ul (we assume for simplicity that U2 and Ul use the same channel, hence the two times are equal in both directions). The most practical example of a quantum memory is a fiber loop of length L that allows to store a photon for a time nL=c, with n the refractive index of the fiber, c the velocity of light in vacuum. At least in this simple case it is apparent that the longer the photons are stored, the lower the probability to recover. Then, it would be necessary to keep the storage time as lower as possible.

Now would be described herein how to remove this point from the protocol without affecting its security, thus realizing a practical deterministic BB84, which is hereinafter referred as BB84". Despite some steps in the following protocol might result unusual (like clock synchronization and the initial measurement of the time delay), they have already been considered elsewhere and are actually standard implicit tools of any QKD protocol.

BB84" protocol

(a) Preliminaries.

U2 and Ul measure the time T that an intense light pulse employs to cover the distance between them. Then they use the (authenticated or unjammable) classical channel to declare the measured time T and to established the value of a positive security parameter, Δ, used later for security analysis.

(b) Data bit choice.

U2 chooses a random (4 + η_c + η,,,) N-bit string d (data string). It is indicate with di, wherein (i = 1 ,...., (4 + η_c + η,,,) N) the i-th bit of the string d.

(c) Basis bit choice.

U2 chooses a random (4 + η_c + η_m) N-bit string b (basis string). It is indicate with bi, wherein (ι = 1,...., (4 + η_c + r\_m) N) the ι-th bit of the string b.

(d) Encoding and transmission of quantum information. Beginning with i = 1. U2 encodes the data d, into the qubit q,. U2 encodes each bit of d as {IO>, ll>} if the corresponding bit of b is 0 (Z basis) or {l+>, l->} if the corresponding bit of b is 1 (X basis). At time t^qi U2 starts the transmission of the qubits to Ul . At the generic time t^qi U2 will send out the qubit q,-. It should be noted that the times ^₁ (included the initial time t^q0 need not to follow any particular prescription.

(e) Transmission of classical information without waiting for U 1 's receipt.

At time t^bi = (t^qi + T + Δ) U2 starts the transmission of the basis bits using the classical channel. At the generic time t^bi = t^q _\ + T + Δ, U2 will send out the bit b,. It should be noted that T and Δ have been declared on the authenticated channel during step (a).

(f) Acquisition of classical information.

At certain times T₁ U2 acquires the (4 + η_c + η_m) N basis bits bj, and labels them as Bi. This step is very similar to receiving a normal telephone call. Ul records both the values of the B,'s and their times of arrival T₁-. The expected times of arrival is T, = (t^q, +2T +Δ+δ), wherein δ > 0 is a certain unavoidable temporal delay due to the electronics of Ul's apparatus.

(g) Deterministic Measurement.

As soon as the values B₁ are available to Ul, Ul uses them to perform a deterministic measure on the qubits. The timing of this new measure is given by T₁ + δ') + ε, wherein δ' > δ = d is another temporal delay, known to Ul, due to the imperfectness of his apparatus and ε « Δ is the temporal acquisition window of Ul's detectors. Ul labels the outcomes of this measure as D₁ and builds up the data string D. (h) After Ul's public announcement of the lost bits the users should share on average 4N pairs of correlated bits. U2 selects a subset of 2N bits of d and

2N bits of b that will serve as a check on U3's interference, and tells Ul the addresses of die selected bits. Ul selects the same addresses from the strings B and D.

(i) U2 and Ul announce on the classical channel the values of the selected 2N pairs of bits from b and B. If any of them does not coincide they abort the transmission. The times of arrival t*, and T₁ corresponding to the selected 2N pairs of bits from b and B. If any of them does not fulfill the relation T₁ = t*,-

+ 2 D + Δ + δ within experimental error they abort the transmission (note that for this step the clocks of the users are assumed to be synchronized). The values of the selected 2N pairs of check bits from d and D. If more than an acceptable number of these values disagree, they abort the transmission.

(j) U2 and Ul perform error correction and privacy amplification on the remaining 2N bits to obtain 2M private key bits (M < N).

It is apparent that BB84" removes the problem of Ul's receipt, relying much more on the classical communication. The main ingredient is a kind of "post-selected" receipt by Ul. U2 transmits the information about the basis without waiting for Ul's receipt. Ul does not send the receipt in the very moment Ul receives the photon. Yet Ul final measurement will reveal whether the photon was there at the expected time. Thus the main problem of a QND measurement is removed at the roots.

Another advantage of the above protocol is that the storage time at Ul's site is reduced from 2T to T + Δ, which is almost the half of the previous one, as we will see. This reduces considerably the losses due to the storage in Ul's quantum memory, thus allowing for a practical rendering of the deterministic BB84. SECURITY OF BB84"

Apart from the removal of Ul's receipt of the qubits, BB84" is entirely equivalent to the first protocol we described in this work, which, in turn, has been shown to be secure and equivalent to the original BB84. Hence the security analysis as in the present invention is aimed at showing the security of BB84" against attacks based on the potential weakness created by the Ul's receipt removal. It can also be seen as a new security argument in the frame of "sequential" QKD protocols. For the moment it is consider Ul's measuring apparatus is ideal, and we do not include in the proof the experimental parameters δ, δ' and ε.

The attackable point of our protocol is the lack of a qubit receipt from Ul to U2. The risk is that U3 uses the disclosed basis bit to measure the qubit without perturbing it. Any other kind of eavesdropping is tantamount to U3 attacking a qubit just as she would do against a normal BB84 system. To do that U3 can either delay the qubit until the basis is disclosed or delay both the qubit and the basis. Any delay of the basis bits is detected during the check of the arrival times performed at point of (i), thus ruling out the latter strategy. The former attack is instead slightly more subtle and is analyzed below. We notice finally that U3 can not alter the values of the bases decided by U2 in a kind of ^vman-in-the-middle' attack, because they are declared at point of (i).

Then it is assumed that U3 controls opportunely the length of the channel between U2 and Ul in order to intercept the qubit q*, wait for the basis information b,, measure the qubit without perturbing it, and forward it to Ul without being detected. Let us examine the timing of the protocol:

Alice transmits the qubit qi at time t,- at time t⁹,, and the basis information at time: t⁶, = t* + T + Δ (1) Ul waits for the basis and deterministically measures the qubit at T₁ = r*, + 2T +

Δ (if mis last relation is not a posteriori satisfied the protocol is aborted, according to point of (i)). It is easy to see that U3 would go undetected if and only if she is able to do her attack without changing the time signature represented by T₁. Therefore, since the storage time of Ul's quantum memory is T + Δ, U3 must let the qubit enter l's station at time

T, = (T + Δ) = t⁹, + 2T + Δ - (T + Δ) = t«, + T (2)

to go undetected. But this time is always less than that at which the basis is revealed (Eq.1), as long as. Δ > 0. In other words when U3 knows the basis from U2, U3 does not get the qubit anymore. This completes the security argument for BB84".

Now the experimental delays δ, δ' and ε of Ul ¹S apparatus in relation to the security issue will be described now. The crucial quantity is the parameter Δ: how big should it be to maintain the security of the protocol? The quantity ε represents a kind of experimental error in determining the exact time of arrival of the photons at Ul's site. For example when the BB84 is implemented using weak pulses as a photon source e is the time window of Ul ¹S "gated mode" detectors (Le. detectors which are open only when a photon is expected to be there); otherwise, when the photons are generated through the spontaneous parametric down conversion, ε is the time window of the coincidence counts. In both cases typical values of e are less than 10 ns. In order to maintain the security of our protocol, we required that ε < Δ. But it descends from our security argument that actually the condition ε < Δ is still sufficient to guarantee the security of the protocol. Hence, for all practical purposes, t could be set that Δ = lOε D 100 ns; this time is equivalent to a free-space distance of 30 m, far smaller than any reasonable distance on which QKD is going to be employed. Reference should be made to Figure 1 wherein is shown therein a possible implementation of BB84".

FEASIBILITY OF THE PRACTICAL BB84"

The feasibility of BB84" would be described in detail now. We consider a fiber- based configuration with weak pulses as a photon source. For the purpose of comparison we make our proposal very similar to the scheme by Gobby et al. used recently to achieve a long-distance QKD with BB84. The experimental realization of the BB84" requires a fast and precise synchronization: fast enough to reduce the storage times, and precise enough to fulfill the security criteria. More precisely points 4-7 require a precise synchronization between the line carrying the quant im information (the qubit) and the line carrying the classical information (the basis).

All the QKD realizations known so far use three lines for comhiunication : the quantum channel, the timing signal, or trigger, and the classical channe 1. For example, in the quantum channel is a pulsed attenuated laser at the wavelength < f 1500 ran, the trigger is a pulsed bright laser at the wavelength of 1300 nm, which is used to synchronize the whole optical acquisition, and the classical channel is the Internet, which is employed to transfer the information about the bases and about error correction and privacy amplification. Now it is plain that to obtain the synchronizatji on between the qubit and the basis mentioned above one can not rely on the Internet, because it can be unpredictably slow and random in the delivery of the TCP/IP packets . Actually the solution is very easy, as in every setup the trigger pulse is already synchi onized with the quantum line. Hence the only necessary step is to move the basis revelation from the internet to the trigger pulse. To do that one can for example modulate the intensity of the trigger pulse: ^* no-pulse' can represent a ^v0', while ^v pulse-there' can r spresent a ^v 1\ It can be shown that by choosing adequately the encoding of the l's and O's in the sequence of the bright pulses it is possible to convey both the timing re ference and the basis information from U2 to Ul.

Referring to Figure 1, the start pulse from the computer drives the two laser sources (Ll @ 1500 nm, the quantum signal, and L2@1300 nm, the trigger) and the phase modulator which encodes the information in the relative phaφ of the pulses generated by Ll and split in two time bins by U2's interferometer.

The random number generator (RNG) is drawn as detached fro n the computer for simplicity. The phase encoded on the pulses is determined by the suim of the values of the basis (0 or π/2) and that of the state (0 or π). The important feature is that the basis is also written on the bright pulse @ 1300 nm, which now has a twofold role: time reference for U2 and carrier of the basis information. Along the bright j raise path there is a delay line, represented by a number of fiber loops, of length L •♦ Λ. To use the parameters given in BB84" we set L = TcM, and Λ = Δc/n, with n the refractive index of the fiber and c the speed of light in vacuum.

On the other hand, at Ul ¹S site the WDM selects the bright pulse, which is directed at a PIN photodiode detector. This acts as a trigger for the gate of the avalanche photodiode detectors APDl and APD2. Moreover the value read by the detector (Le. the basis used by U2) acts as an input to the electro-optical phase modulator represented by φB in the figure, thus allowing the deterministic measurement by Ul. On the other hand, the path followed by the quantum carrier (photon from laser Ll) is the same. The only difference is the delay on Ul's site, which is equal to the one at U2's. This delay represents the simplest quantum memory and allows Ul to wait for the information about the basis before Ul's final measurement, making it deterministic. So in the whole, with respect to the usual BB84, no additional material other than some electronics is required for the implementation of BB84".

COMPARISON WITH THE BB84

Now the comparison between the original BB84 protocol and the BB84" protocol will be described in terms of the rate of secure key bits per time slot, R_sec- This rate needs to be multiplied with the repetition rate of the considered setup to obtain the true rate per second. The secure rate for the BB84 implemented with weak pulses is defined:

It represents the fraction of secure bits that can be distilled from the transmitted bits after the procedures of error correction and privacy amplification. The coefficient 1/2 comes from the basis reconciliation procedure, in which the users' bases coincide with an average probability of 1/2. Pe₉, is the signal of the experiment, which is given by the formula:

p _ psignal , pdark _ p signal pdark . .. Wherein P^ is the probability Ul gets a dark count in bis detectors, while P^"¹ is the probability that Ul's detector fires because of a photon emitted by U2's source. This probability decreases with the distance between the users according to the formula:-

Pg* = l-exp(-7Bτ/T//) (5)

where ηB is the quantum efficiency of Ul's detectors, μ is the average number of photons per pulse, and ηT is the transmission probability of the channel, given by:

ηT = iθ-^(αt+^^)/10 (6)

α is the absorption coefficient of the fiber, L₀ is the loss rate at receiver's station and L is the distance between the users, as shown in Figure 1. Furthermore in Equation. (3) β is defined as:

⁷^ ^{" 5}"- ₍₇

with S_n, the probability that U2 photon source emits more than a single photon per pulse, β is a sort of security parameter: until it is positive the protocol is secure against the so-called PNS attacks. / is a function defined herein that takes into account a imperfect (although efficient) error correction procedure. h(e) is the Shannon entropy for the QBER e. Finally T is the fraction of the error-corrected key which has to be discarded during privacy amplification when only single-photon pulses are taken into account; it is a function of the QBER and amounts to:T(e) = log₂(l + 4e-e² for 0 < e ≤ Y₂ and T(e) = 1 for I for 1/ 2(e<l

Analogously is now define the secure rate for BB84" as:

RT^' h{e)} (8)

It should be noticed that in the above equation enters a transmission probability ηT that is different from the one in Equation (6). In fact in the present invention the photon is stored in the fiber loops at Ul's site, whose length is L + Λ. Then the transmission probability is:

η'T = io-t^α<^2L+Λ)+£*^1/10 (9)

This entails that the secure rate of BB84" should be less than that of BB84 at big distances. However at small distances it is the opposite. Ih fact in Equation (8) the coeffcient before P^ is always one. This descends from the determinism of the scheme which allows to remove the basis reconciliation procedure. Hence, the result for the rate is given by the nontrivial tradeoff of the two opposite circumstances described above. It is worthwhile noting that for every fixed distance L between the users the secure rate has a different maximum in the average photon number μ. hi the numerical simulation we chose the value of μ as such as to maximize the secure rate of both BB84 and BB84" at given lengths L. These values are reported in Table 1 and used to plot Figure 2. All the experimental parameters have been extrapolated by the BB84 implementation described herein.

_**-

TABLE 1 : Values used for the numerical calculation of the secure key rates of BB84 and BB84" protocols. For each distance and for each protocol the average photon number μ has been optimized to maximize the rate. Reference now is made to Figure 2 wherein the secure rate is plotted for BB84 (Equation 3) and BB84" (Equation 8) as a function of L. Only the average photon number μ is different, according to what just explained. The diagrams (a), (b), (c) and (d) of Figure 2 have been obtained by fixing four values of L (Ll = 2, L2 = 4, L3 = 8, L4 = 16) KM and finding the values μ, that maximize R_sec (μ«IL,,l separately for BB84 and BB84". Vertical lines have been drawn at the crucial distances Lj.

It can be seen that in the plots (a) and (b) the secure rate provided by the BB84" is higher than that pertaining to BB84. After that, in plot (c), the rates provided by the two protocols are almost the same. Finally in plot (d), the usual BB84 provides a higher rate. In other words, for distances up to about 8 Km the BB84" provides a better rate than the non-deterministic BB84. For distances of less than 2 km the improvement factor is more than 1.65, nearing the final value of 2 for very short distances and for a lossless setup.

It should be noted that the rate of distilled secure bits is one of the figures of merit of a QKD setup, and it is not a trivial task to increase it. The rate of transmission in any fiber-based setup is currently limited by the low efficiency of detectors, and in particular by their dead times, which are of the order of microseconds for a standard APD detector. This is a technological limitation that can be surpassed only by improving the detection mechanism.

All the same, in the setups working at the single-photon level it is of course not possible to increase the signal on demand. The improvement brought about by the BB84" works in both the situations as it concerns the protocol itself, not the way it is implemented: it avoids the bit-consuming procedure of basis reconciliation which occurs after the whole transmission is complete. We mention here that the possibility of a high-rate QKD on very short distances has attracted recently renewed interest because of its closeness to the credit-card security issue.

Furthermore the quite modest increase of the rate obtained can generate dramatic improvements of the rate when the users are part of a network. For example, if the secret key has to be transmitted from the user Ul to the user U3 through the user U2, with Ul and U3 on a straight line 4 Km far apart (a network with one node), the rate rises up from 1.6587 to 2. 7513; for a network with two nodes it becomes 4. 5636; and so forth. We also remark that the performances of BB84" we have studied are of course not the best possible. On a practical ground it is conceivable that by choosing different experimental parameters the gain can be increased further. Possibly a free-space setup with a better detection efficiency and a lower loss rate at the receiver's station can perform better. More importantly, we assumed the worst possible efficiency for the storage of the photons at Ul's site, i.e. an optical-fiber loop with the same transmission as the one used to connect the users. The maximum distance over which the BB84" outperform the BB84 directly depends on this storage mechanism: the better it is the longer the distance.

In this direction continuous technological progresses are reported, and values of storage time up to microseconds have been achieved. On a theoretical ground other schemes, hybrid of BB84 and BB84" are possible. For example U 1 could measure a part of the qubits without waiting for the basis, like in the usual BB84, and a part using the basis information. In this way the net rate decreases but the maximum distance for secure transmission increases.

Claims

1. A deterministic rendering for practical quantum cryptography for conveying information from one site to another site with security characterized in that wherein the steps for deterministing BB84 comprises of:

(i) Data bit choice wherein U2 chooses a random (4 + η_c + ηm) N-bit string d (data string),

(ii) Basis bit choice and encoding wherein U2 chooses a random (4 + η_c + I_m) N-bit string b (basis string) and wherein U2 encodes each bit of d on the qubits as {IO>, ll>} or {l+>, l->}and wherein

U2 sends the resulting states to Ul, (iii)Storage wherein Ul receives on average (4 + η_m) N qubits and stores them in a quantum memory. (iv)Receipt wherein Ul announces the completion of step (in) on a classical channel.

(v) Basis Revelation wherein U2 announces (ii), (vi) Deterministic Measurement wherein Ul retrieves on average 4N qubits from the memory and measures each of them in the X or Z basis according to the disclosed value of b and wherein the outcome of Ul measure is deterministic and U2 and Ul do not discard any bits and wherein after the public announcement by

Ul of the addresses of the lost qubits, U2 and Ul will get on the average 4N pairs of correlated bit, a fraction of which contains errors due to the possible noise on the channel,

(vii) U2 selects a subset of 2N bits that will serve as a check on

User 3's (U3) interference, and tells Ul which bits U2 selected, (viii) U2 and Ul announce and compare the values of the 2N check bits and wherein if more than an acceptable number disagree, they abort the transmission.

(ix)U2 and Ul perform error correction and privacy amplification on the remaining 2N bits to obtain 2M private key bits (M = N).

2. A deterministic rendering for practical quantum cryptography as claimed in Claim 1 wherein steps (Ui), (iv) and (v) makes the protocol deterministic.

3. A deterministic rendering for practical quantum cryptography for a practical deterministic BB84, characterized in that wherein the steps comprises of:

(i) Preliminaries wherein U2 and Ul measure the time that an intense light pulse employs to cover the distance between them and wherein they use the classical channel to declare the measured time and to established the value of a positive security parameter which is used later for security analysis.

(ϋ) Data bit choice wherein U2 chooses a random (4 + η_c + η_m) N-bit string d, (iii)Basis bit choice wherein U2 chooses a random (4 + η_c + η_m) N-bit string b

(iv)Encoding and transmission of quantum information, (v) Transmission of classical information without waiting for Ul's receipt, (vi) Acquisition of classical information. (vii) Deterministic Measurement.

4. A deterministic rendering for practical quantum cryptography as claimed in Claim 3 wherein after Ul's public announcement of the lost bits the users should share on average 4N pairs of correlated bits, U2 selects a subset of 2N bits of d and 2N bits of b that will serve as a check on U3's interference, and tells Ul the addresses of the selected bits and wherein Ul selects the same addresses from the strings B and D.

5. A deterministic rendering for practical quantum cryptography as claimed in Claim 3 wherein U2 and Ul announce on the classical channel the values of the selected 2N pairs of bits from b and B and wherein if any of them does not coincide they abort the transmission.

6. A deterministic rendering ΌΓ practical quantum cryptography as claimed in Claim 3 wherein U2 and U perform error correction and privacy amplification on the remaining 2N bits to )btain 2M private key bits

7. A deterministic rendering ft r practical quantum cryptography as claimed in any of the preceding claims wherein U2 transmits the information about the basis without waiting for Ul's receipt and wherein Ul does not send the receipt in the very moment Ul receives the photon.