Free space QKD

--------------------------------------------------
Ben Catchpole
(000-499-444)
Free-space QKD
--------------------------------------------------
PHYS5820M Coursework – Prof. Tim Spiller

Cryptography is a long-established approach to information
security which was being applied in ancient Mesopotamia at
least 3500 years ago in the name of secrecy [40]; the process
involves encoding a message such that only sanctioned
recipients are able to retrieve the private information,
cryptographic techniques are therefore critical to military
and governmental functioning, as well as in many other
information-sensitive industries in the corporate sphere, such
as the financial sector [45].
The system offers security through the process of encryption,
whereby a cipher algorithm is applied to transform (or
encrypt) the chosen information - often referred to as a ‘plain
text message’ (PTM) - to produce a ‘ciphertext’ [41]. The
process also requires a key, both for the production of the
ciphertext (or cryptogram), and subsequent information
retrieval, the cryptographic key can either be ‘symmetric’, or
‘asymmetric’, depending on the specific implementation.
Symmetric encryption represents the more long-standing
approach, whereby a secret key (which could be a word,
number or random alpha-numeric string) is applied to
encrypt some information, and the same (hence ‘symmetric’)
key is used for decryption by the recipient. The issue with
this approach is that the problem of security is not genuinely
resolved, rather shifted from a question of information
security to a question of key security – as anyone able to
access (or deduce) the secret key is able to decrypt the
message.
An illustrative example of this weakness is provided by the
infamous ENIGMA cipher invented by the German engineer
Arthur Scherbius, which was widely adopted before and
during the second world war by Nazi Germany for the
purposes of secret correspondence. The inherent flaw in the
ENIGMA system is true of all classical encryption
techniques; the system is only as secure as the cryptographic
key itself. This was demonstrated by Alan Turing, largely
considered to be responsible for modern computer science,
who conceived and built the electromechanical ‘bombe’ to
decrypt the German ciphertext via what is now known as a
‘brute-force’ approach. His achievements illustrate the fact
that whether a key is compromised through old-fashioned
theft or computational techniques the underlying principle is
the same: symmetric key cryptography is fundamentally
unsafe.
Anti-symmetric encryption provides a solution to this
problem with the generation of distinct (hence ‘asymmetric’)
‘public’ and ‘private’ cryptographic keys, the public
encryption key can be readily shared in the public domain
without compromising the secret decryption key.
Unfortunately, the system relies upon computational
difficulty as the source of security – as a result, absolutely no
protection is offered against inevitable advances in hardware
and processing power, or the discovery of more efficient
decryption algorithms. Consequently asymmetric techniques
also represent a fundamentally flawed approach to the
problem of information security, whilst they may offer short-
term security the information can always (potentially) be
compromised, to make things worse, there is no way of
determining when a breach has occurred, as with symmetric
techniques.
The only truly unbreakable (robust to ‘brute-force’) classical
cipher is the Vernam cipher [42], which is also known as the
one-time-pad (OTP). The approach ensures maximal
security (as it is able to withstand infinite computational
power [39]) from any unwanted third party (‘Eavesdropper’)
when a random and unique cryptographic key as long as the
message itself is used for a single encryption only. As such,
the most efficient approach to for any unsanctioned
decryption (without a key) is an exhaustive search over all
possible cryptographic keys [41,42,43].
Initially proposed in 1917, the scheme requires a random
binary bit sequence for encryption, it is this randomness that
provides the intrinsic security, as there are no patterns to
subsequently identify. During research at Bell Labs Claude
Shannon concluded that the OTP offered genuine
information security in his classified report: ‘A Mathematical
Theory of Cryptography’ [44]. He demonstrated that any
unbreakable system must comprise of the same essential
characteristics as the OTP: the key must be truly random, as
large as the plaintext, never reused, and kept entirely secret
[47]. Shannon’s findings, which were later published openly
were independently reached by Vladimir Kotelnikov, in a still
classified report [48].
Whilst the condition of a random unique key for each bit of
information provides the inherent strength of the system, it is
also the principal limitation: as there is no classical solution
for sharing the key-string without making it susceptible to
eavesdropping, the need to securely distribute extensive key-
strings means the standard problem of key-security has
largely prevented its wider use [39].
The need to resolve the limitations associated with
exchanging secret keys, whether for use in OTP systems or
otherwise, has led to the widespread implementation of
‘asymmetric’ key systems. A technique known as public-key
encryption utilises two distinct, but mathematically linked
keys, that are related in an asymmetric manner to provide a
‘one-way’ function. This asymmetry provides the (supposed)
security of the scheme and crucially removes the need to
agree upon a shared key beforehand.
A freely available ‘public’ key can be used to encrypt
information, whilst the secret, mathematically linked ‘private’
key allows the decryption of anything encoded with the
associated public key. The fact that the public key can be
openly shared means that (supposedly) secure communication
can take place repeatedly over a non-encrypted public
channel, with the same public key used by an arbitrarily large
number of people. The considerable increase in throughput
offered by this approach (and corresponding reduction in
logistical and financial complexity) explains why use of
public-key cryptography is so prevalent, despite its inherent
weakness.
The security of the public-key system relies upon the
computational difficulty of what are known as ‘one-way
functions’, first highlighted by W.S. Jevons in 1874 when he
outlined the application to cryptography, in particular the
problem of prime factorisation [49]. The asymmetry is used
to create a ‘trapdoor function’ (the feature which provides the
security in the widely-used RSA cryptographic system),
alternative approaches that also make use of asymmetric
problems include the EIGamal and digital signature
algorithm (DSA) cryptosystems, which employs the discrete
logarithm problem to ensure security. As there is no classical
algorithm to effectively compute discrete logarithms, the
running time of the most efficient (known-about) algorithm
scales proportionally to the size of the specific group under
consideration. An efficient quantum algorithm exists
however, proposed by Peter Shor in 1995 [52], in a seminal
paper that went on to encourage the rapid growth of
quantum computing.
In addition to the DSA system, which was initially developed
by the NSA but has since been adopted by NIST as a national
standard, there is also elliptic curve cryptography [51],
which was developed simultaneously by Koblitz and Miller in
the 1980s. The scheme, based on the algebraic structure of
elliptic curves over finite fields has provided powerful new

public key algorithms, which have facilitated much faster operations due to the use of smaller keys. The technique is sufficiently
robust that it is used by the NSA for their encryption requirements; at www.nsa.gov it states that ‘elliptic curve public key
cryptography using the 256-bit prime modulus elliptic curve…is appropriate for protecting classified information up to the
SECRET level. Use of the 384-bit prime modulus elliptic curve is necessary for the protection of TOP SECRET INFORMATION
[57].”
The most familiar ‘flavour’ of asymmetric key distribution is the RSA system [28], a scheme which takes the names of its creators:
Rivest, Shamir and Adleman, who were working together at MIT at the time of development in 1978. However, the encryption
algorithm was actually developed by Ellis, Cocks and Williamson at GCHQ in the 60s and early 70s, as it was classified information
at the time it was not publically disclosed until 1997 [51]. Interestingly, they developed the system completely independently of
Diffie and Hellman, who reported public key cryptography in 1976 and Merkle who also invented the technique in 1974 and
published his work in 1978 [51].
The security of the RSA scheme derives from the fact that is computationally insignificant to multiply large prime numbers
together but the inverse operation of finding the prime factors is far from trivial, even for powerful computers. This is due to the
fact that the time taken to find the prime factors of a large integer increases exponentially with the number of digits [45] - hence
the reason 2048-bit encryption is currently in-use, and should be sufficient until 2030 (after which 3072-bit encryption will be
required)
The RSA scheme is used to provide security for a range of critical infrastructure, for example, the algorithm is built into all current
operating systems manufactured by Microsoft, Apple, Sun and Novell, it can be found in phone hardware, in Ethernet network
cards, as well as being incorporated into all major internet security protocols and being used by numerous branches of the U.S.
government and major corporations [58]. Despite this, the specific extent of the security provided by the system is frequently
overlooked or intentionally disregarded; crucially, RSA encryption is only very difficult to decipher, not impossible - a critical
distinction when it comes to highly sensitive information [45].
The security of the scheme is illusory for a number of reasons: firstly, the message is only secure for a finite period - as it is not an
impossible task to find the prime factors, it just takes time (proportional to the computing power applied), therefore the supposed
security lies in the fact that any information encrypted is contextually insignificant by the time the prime factors have been
computed. The ‘security’ also presupposes that an eavesdropper is limited to applying commercially available computing power, it
makes no allowances for the possibility of an adversary with greatly enhanced processing power (utilising a supercomputer, a large
network of computers or even an early undeclared quantum computer), or perhaps an unrevealed algorithm that allows prime
factors (or the equivalent for alternative schemes) to be found more efficiently on commercially-available processors.
Significantly, there is no definitive mathematical proof that the process of prime factor multiplication cannot be readily inverted, it
could easily be the case that a much more efficient algorithm for finding the prime factors of a large number has been formulated but
not publically announced [45], a situation that would allow an eavesdropper real-time access to supposedly secure information.
Irrespective of whether a security lapse arises from the existence of a more efficient algorithm, an adversary with exceptionally
large computational resources, or simply an eavesdropper that is in no particular rush, the outcome is the same: the information is
not fundamentally secure. Consequently it is only a matter of time before the approach becomes completely obsolete, either through
the application of a more efficient reverse-factorisation algorithm, or the realisation of quantum computation in a manner that
would enable the application of Shor’s algorithm (which can efficiently factor the product of two large primes and as such threatens
to undermine the security of global military and commercial communication) [45].
As cryptography constitutes a fundamentally important and widely-applied solution to information security that exhibits critical
weaknesses, irrespective of the specific implementation (even the OTP technique suffers from the same drawbacks as any symmetric
key system – the key is never entirely secure as it can always be stolen), it is not surprising that the field of quantum cryptography
has received so much attention in recent years.
The improvements offered by ‘going quantum’ are considerable; quantum cryptography offers the only genuinely secure method of
achieving private key distribution [19,25,45], security is guaranteed by the laws of quantum mechanics [19,25,] which are
universally accepted to be phenomenally accurate. Importantly, the process provides a failsafe indication as to the presence of an
unwanted eavesdropper, directly contrasting schemes where security arises from the (perceived!) intractability of specific problems
in number theory [10,15], and offer no indication of a security-breach.
Quantum cryptography is able to provide a reliable method for transmitting a secret key and knowing categorically whether the
transmission has been intercepted - the process of sharing a secret key with the secrecy protected by the laws of quantum mechanics
is known as quantum key distribution (QKD). A range of approaches have been implemented in the realisation of QKD, but they
can generally be grouped into two principal mechanisms; one which utilises the properties of entanglement and simpler approaches
which make utilise quantum-measurement principles [45]. Alternative schemes have also been developed, which modify the more
established protocols, such as the use of orbital angular momentum [29], in a revision of the BB84 protocol that encoded
information in the spatial modes of propagating photons. The approach, which does not require reference frame alignment,
achieved a substantial increase in key generation rates by increasing the bits per photon that can be sent [29].
Since the demonstration of a free-space (as opposed to fibre-based distribution) QKD proof-of-principle, over a 32cm tabletop path
in 1989 [6] the field has experienced rapid growth, to the extent where a global system of QKD distribution utilising satellites and
ground stations is now a serious proposition [11,14,18,19,20,21,26,35,36,39]. Phenomenal distribution rates and distances have
subsequently been realised with the demonstration of sifted key-rates of up to Mbit s-1 rates [23], and transmissions over 144km
distances [34,36]. The utility of QKD schemes for applications in built-up urban areas was also demonstrated with the 8km
distribution of entangled photons over the city of Vienna, demonstrating QKD capabilities in a location that would undoubtedly see
an exceptionally large amount of usage due to the nature of the Swiss banking industry [27].
In addition to this QKD setups have been demonstrated that can be left unattended for long periods of time (up to four days), due to
the incorporation of closed-loop tracking techniques [33], as well as QKD systems that could be miniaturised to allow portable

secrecy for everyday consumer applications [32]. Compact transmitters could be incorporated into hand-held devices such as a
smart cards or mobile phones, to provide on-demand, portable secrecy over short ranges (a few metres), that could be ‘topped up’
like phone credit [32]. Low cost QKD manifestations have also been demonstrated, which utilise ‘off the shelf’ components and
run-off LabVIEW to provide a low cost, DIY quantum cryptography system for anyone on a budget [37].
The rapid growth of the field is also attributable to the development of post-transmission protocols, as much as it is to technical
developments on the practical side. Once a key-string has been shared by two parties it is necessary (in most implementations) to
discuss specific experimental details and parameters – this produces a shorter ‘sifted’ key which (in an ideal scenario) is identical for
both parties. Any deviations can be attributed to a range of environmental disruption mechanisms and experimental limitations,
however common practice is to attribute all errors to the presence of an eavesdropper (Lütkenhaus approach [24]). In order to
reduce (or eliminate) the partial knowledge of the key that an eavesdropper could potentially hold, the technique of privacy
amplification [4] is performed; this produces a new, shorter key, of which Eve has negligible information. The technique was
specifically introduced in 1988, shortly after a similar paper [3] two years earlier, in which it was outlined how a compromised
channel could be salvaged through distillation of a shorter bit-string [4].
The concept of quantum cryptography was initially formulated by Stephen Wiesner in the late 1960s when he wrote ‘Conjugate
Coding’ [1], initially unpublished, his ideas went unnoticed by the wider scientific community for an unduly long time, and his
manuscript was not even published until 1983 [1]. Wiesner envisioned that quantum mechanics could be applied to the
production of ‘quantum money’, utilising the laws of nature as the ultimate anti-counterfeiting measure. This was considered to be
pure science-fiction [6], as any usable quantum currency (‘quantum bank notes’ [1]) would require the ability to store a polarised
photon or spin-1/2 particle, whilst keeping the information resistant to depolarisation, absorption or general environmental
interaction [6]. Real progress was made when Bennett and Brassard began to consider photonic information transfer rather than
photons information storage, and Bennett introduced the quantum key distribution channel [2,3,6]
QKD means that information can be encoded with what is essentially an unconditionally secure OTP cipher, when two
communicating parties have shared a sufficient amount of private key material a private message can be encrypted and sent across
public channels at high rates with maximal security. Providing a fresh key is used for each communication a OTP cipher is being
implemented, and the message is completely robust to eavesdropping strategies [45]. Classically, a OTP key would have to be
physically shared (making it susceptible to theft), however with QKD the key is instantaneously shared – meaning secure
communication can take place before key becomes vulnerable, in addition, the technique is extremely sensitive to the presence of an
unwanted eavesdropper during communication.
In classical data transmission systems there is no way that Alice or Bob could be aware of the presence of Eve (simply through
analysis of what has been transmitted) as there is no physical law prohibiting Eve from making a perfect copy of the data. In
conventional cryptography and information theory it is therefore implicitly accepted that digital communications can always be
passively monitored, without either Alice or Bob being aware of any eavesdropping taking place. [6] Quantum mechanically things
are very different, the ‘no-cloning’ theorem [60] dictates that it is not possible to make an arbitrarily good copy of a quantum state,
consequently, when digital information is encoded into quantum systems (such as photons) a secure communications channel is
produced, whereby any eavesdropper not privy to specific experimental parameters cannot successfully intercept the key
transmission without giving their actions away [6]. More specifically, it is not possible to make a quantum measurement without
affecting the state - after detection of a photon Eve cannot transmit an exact copy of what she received. This constitutes the
principal tenant and source of strength for the QKD system and quantum cryptography in general; if the key data is encoded
quantum mechanically any eavesdropper will give away their presence through the process of measurement. (These key bits can
subsequently be discarded in favour of secure key bits) [45]
The specific property of quantum mechanics that is utilised is Heisenberg’s uncertainty principle, which describes how certain pairs
of properties have an uncertainty associated with them and how the act of measuring one property randomises the value of the other,
and vice versa, familiar examples are energy/time and position/momentum, but it is also true for different orthogonal basis states
[6]. For example, measuring the linear polarisation of a photon will completely randomise it circular polarisation, and vice versa,
quantum indeterminacy means that the state cannot be measured in a chosen orthogonal basis set without disturbing the conjugate
basis set.

Figure 1. Measurement of the linear polarisation of a single Figure 2. Block diagram depicting the QKD process (taken from [22])
photon in two different coordinate frames (taken from [9])
Generally, any pair of orthogonal polarisation states are
referred to as a basis if they correspond to a measurable
property of a photon, the bases are said to be conjugate if the
measurement of one property completely randomises the
other [6]. The polarisation state pairs used in the first-
developed QKD scheme (the BB84 protocol) are the
rectilinear basis of horizontal and vertical polarisation (|H>
and |V>), the diagonal basis of 45° and 135° and the circular
basis of left- or right-handed circularly polarisation (lhcp and
rhcp), of these three bases any two are conjugate to each
other. A useful illustration of this process is seen in Figure 1
(taken from [9]), which demonstrates the fact that a
quantum mechanical measurement of one set of variables will
introduce uncertainty into another set of variables [9].
In Figure 1 the measurement of the linear polarisation of a
photon can be measured in either the x-y or the x’-y’
coordinate frame (which corresponds to the rectilinear and
diagonal bases respectively), if the photon is initially
polarised along the x’ axis in the diagonal basis, a
measurement of its polarisation in the x-y basis will produce
two possible outcomes: polarisation along the x or y axis,
consequently the polarisation in the x’-y’ coordinate frame
becomes completely randomised [9] – it is precisely this
disturbance that can be used to identify the presence of an
eavesdropper during key distribution.
Perhaps the most well known method for achieving QKD is
based on transmitting attenuated laser pulses, where the
polarisation of each photon is used to encode the information
according to the BB84 protocol. The scheme uses four
distinct quantum states, which arise from two conjugate
Hilbert-space bases - meaning each basis set is capable of
being encoded with two bit values [2,41].
Whilst an ideal scenario would involve the use of genuine
single photon states the drawbacks and restrictions
associated with trying to incorporate a single photon source
(SPS) into a QKD scheme means that single photon states are
usually approximated by highly attenuated laser pulses,
known as a weak coherent pulse (WCP). Encoding is
achieved using a random number generator (RNG), this
allows Alice to transmit a random sequence of polarised
photons to Bob (as depicted in Figure 2), who also randomly
chooses which basis to measure each received photon in,
producing an associated bit value for each measurement
[6,41]. This produces an uncorrelated ‘raw’ key, as there are
multiple discrepancies caused by instances where Alice and
Bob chose a different basis, to reconcile these differences the
two parties subsequently perform ‘basis reconciliation’ to
remove the erroneous bits, once achieved the two strings are
expected to be perfectly correlated, provided the channel is
noise-free and there is no active eavesdropper [41].
For each key bit Bob only has to publically inform Alice the
measurement basis that was applied, without having to
discuss the specific bit-value obtained in each case. Alice’s
response reveals when similar bases where used, allowing the
identification of correlated bits in what is known as ‘basis
reconciliation’, a procedure that results in a ‘sifted key’ (see
Figure 2) [41] - when coincidental bases are used the
assigned bit value is retained, whereas all other bits are
discarded. This produces a bit string that is typically half the
length of the raw transmission bit string, as Bob will guess
the correct basis 50% of the time on average. As basis
reconciliation reveals no useful information to an
Eavesdropper, the classical channel used to refine the data
need not be secure, it merely has to be ‘authentic’ [3,4,41]
The presence of an eavesdropper is always revealed by errors
contained within these (ideally) correlated bit strings; this is
usually discussed in terms of a quantum bit error rate, or
QBER (the ratio of the number of erroneous bits to the total
number of bits), an additional error rate of between 25-50%
would be introduced into the QBER of the ideally correlated
system, dependent on how lucky Eve was with her basis
choices [41]. Consequently Alice and Bob only need to
publically compare a random subset of the sifted key string to
identify Eve’s presence. In practice, even without the
presence of an eavesdropper a sifted key will contain a non-
zero QBER, with bit errors attributable to transmission
channel noise, or issues with the sender/receiver apparatus
[24,41]. Following the approach of Lütkenhaus all errors
(including those associated with photodiode dark counts) are
attributed to an eavesdropper [24,39], applying this
extremely stringent assumption enables the calculation of
upper bounds for Eve’s potential information from QBER
values, which in turn allows inferences to be made regarding
the amount of joint secrecy shared between Alice and Bob
[24].
Using well-established error-correction techniques Alice and
Bob are able to ‘distil’ a smaller keystring from the sifted key
that contains almost perfect secrecy [6,22,41]. Overall
system performance is generally characterised by the secrecy

efficiency as it describes the total number of secret bits
produced per unit time [22,24], although with the eventual
incorporation of a SPS the BB84 protocol would be
unconditionally secure following the implementation of
privacy amplification [22].
The specific approach to QKD described above has been
widely implemented by many groups since it was first
formulated by Bennett and Brassard in 1984 [54]. The
principle was demonstrated experimentally shortly after,
with the first successful QKD exchange occuring in October
1989 [6,55]. This development signified ‘the dawn of a new
era’ for the field of quantum cryptography with transmission
over a free air optical path of ~32cm, in a setup that was
heralded to be secure (after application of post-transmission
protocols) against an enemy with ‘unlimited computational
power’ [6]. A more rigorous (in that it was performed over
a more realistic distance) proof of principle of the QKD
system was given a few years later over a 10km optical fibre,
whilst this was demonstrated with a transmission channel
largely unsuited for global key distribution, the ability to
produce effective secret key rates (~16kbit s-1) over extended
distances was demonstrated [7], it was around this time that
Bennett and Brassard published another key paper on privacy
amplification [8] - an essential and frequently used
component of the QKD toolkit. Shortly after the 32cm
tabletop transmission channel was shown to be effective, free
space distribution protocols were successfully demonstrated
in more realistic conditions and over much greater distances,
with a 150m indoor transmission and an outdoor daylight
transmission over 75m outdoors reported in 1996 [9],
successful key distribution was reported for an indoor optical
path of 205m in April 1998 [11] and the first 1km night-
time transmission over outdoor folded paths (to a mirror and
back) was reported in October 1998 [10].
The close co-location of the transmitter and receiver in the
‘folded-path’ approach is not necessarily representative of
real-world practical applications and can therefore mis-
represent the effects of turbulence (and other atmospheric
effects) on beam transmission [15]. The first point to point
demonstration of free-space QKD over an extended distance
was reported in 2000 at the University of California, with a
1.6km daylight transmission [15], shortly after a group in
India reported a free space point to point distance of 0.5km
[14]. Since breaching the 1km milestone in 2000 the field
progressed just as rapidly as the preceding 16 years, with
considerable improvements realised both in key distribution
rates, and the transmission distances that are attainable, to
the point where many of the crucial requirements for global
QKD have now been satisfied [18]. Long distance free-space
QKD was demonstrated at night over a 23.4km distance
between two mountaintops in southern Germany in 2002
[20], which after sifting and error correction produced key
exchange rates of the order of hundreds of bits per second.
In the same year the group at Los Alamos reported day and
night transmission over a 10km distance [22], with slightly
better rates of secure key generation, reporting up to 2000
sifted key bits per second.
With more recent developments, free-space QKD has
demonstrated an attainable range of hundreds of kilometres
[34,36] and key distribution rates routinely in the kHz-MHz
range, as well as reliable setups designed to work with ‘off
the shelf’ components [37]. Free space links have been
demonstrated in a wide range of settings, over mountaintops
[19,20], crowded urban areas [27] and even between two of
the Canary Islands [34,36], demonstrating that QKD
techniques are versatile enough to be applied around the
world in shorter point-to-point links, as well as in a ground-
satellite global network.
The pioneering work performed by Bennet and Brassard in
1989 (using the apparatus pictured in Figure 3) implemented
the BB84 protocol to perform the first free-space key
transmission; their specific realisation used the conjugate
rectilinear and circular bases for the experiment, which they
conducted inside a light-tight box ~1.5m long. The source
(Alice) on the left hand side of the bench consisted of a green
LED that produced incoherent flashes, these were collimated
by a pinhole and lens and passed through a 550nm
interference filter to reduce the spectral width and intensity
of the beam, and select a specific region of the spectrum for
which the photomultipliers had optimal quantum efficiency
[6].
The LED, after collimation, filtration and polarisation
produced a beam intensity of ~0.1 photons per pulse, half of
which were emitted during the first 500 ns. This low light
intensity is a crucial component in the eavesdropper-
prevention strategy, as any adversary could try to exploit the
statistical nature of the pulses, implementing a photon
splitting attack on any pulses containing two or more
photons [6].
Figure 3. Photograph of the experimental apparatus described in [6]. Incoherent light flashes produced by a LED on the left are collimated by a pinhole and lens,
and subsequently passed through a 550nm filter and horizontal polariser. Pockel’s cells are used to convert the horizontal polarisation to an arbitrary polarisation
state, after the 32cm transmission the beam passes through another Pockel’s cell before detection on the right hand side (Figure taken from [6])

Modulation of the polarisation was achieved with two
Pockels cells (operated at ± the quarter-wave voltage), which
allowed a choice of four polarisations: horizontal, vertical,
lhcp and rhcp. Diagonal polarisations could also be
generated with the apparatus but it required twice as much
voltage to be applied to the Pockels cell [6]. The receiver
(Bob) consisted of another Pockels cell and a beamsplitter
which divided the beam into |H> and |V> beams before they
were passed into two photomultiplier tubes, as these cells
were also operated at quarter-wave voltage, ‘Bob’ was able to
measure in either the rectilinear or circularly polarised basis
simply by switching the voltage on/off [6].
In order to achieve maximal effectiveness a 500ns coincidence
time window was utilised, this ensured that the most intense
region of each light pulse was targeted and avoiding the
excessive dark counts that inevitably accumulate if the
window was open for the entire 5μs duration of the pulse [6].
Utilising the post-transmission techniques detailed above a
total of 754 bits of perfectly correlated secret key were
‘distilled’ from an original 2000 bits; Eve’s expected
information was calculated to be less than 10-6 bits, according
to privacy amplification theory and the probability of a 5
sigma deviation [6].
This early milestone in free-space key transmission was
hugely significant, both for the field of quantum
cryptography in general, but more specifically for the
development of a global system of free-space QKD. The
integrity of the physical medium used to transmit key bits
between Alice and Bob (known as the transmission channel),
and its associated quantum transmission efficiency is
extremely significant - the channel must be able to accurately
and reliably preserve the quantum states during the process
of transmission [39]. Whilst a large number of applications
make use of optical fibres for key distribution, there are
significant distance limitations introduced by dark count
detector noise and photon absorption and decoherence in the
transmission channel [9]; these factors (along with others)
limit the attainable range of fibre-based schemes to between
100-200km [9,26,39]. Progress has been made towards the
realisation of a ‘quantum repeater’ scheme in an attempt to
remove this crucial obstacle for fibre optic systems -
combining the emerging fields of entanglement swapping,
entanglement purification and quantum memory [21,26] to
enable entanglement sharing over extended distances,
however the scheme has yet to be translated to any kind of
integrated, usable system [39].
In the mean-time free-space QKD holds much greater
potential for secure long distance communication, exploiting
a network of satellites and ground stations it would be
possible to distribute single photons and entangled photon
pairs around the world [11,14,18,19,20,21,26,35,36,39],
creating a system that would allow secure, high bandwidth
global communication [14,26].
For many reasons, free-space key distribution represents a
more promising approach to long-distance key transmission
and the eventual realisation of a global QKD network, the
atmosphere does not significantly perturb the polarisation of
a photon as it is essentially non-birefringent at optical
wavelengths [10,14,22,39], and the existence of a low
absorption window near 800nm means that free-space
systems do not require compensatory or amplification
schemes, as is the case with optical fibres [39]. A surface-to-
space transmission of 80% was recorded for 772nm photons
in 1998 [10], whilst in 2011 atmospheric attenuation was
measured to be as little as <0.1 dB km-1 between 780nm and
850nm [39], at these optical wavelengths the depolarising
effects of Faraday rotation are also negligible [14]. In
addition, absorption and depolarising effects play a negligible
role in outer space, another factor that further indicative of
the feasibility of a ground-satellite global QKD system (along
with many other adverse atmospheric influences that subside
with increasing altitude).
An equally useful application of free-space QKD is likely to
be for short-distance ground-ground communication in high-
density urban areas with high bandwidth demand [27,39],
many metropolitan fibre-optic networks often suffer from
what is known as a ‘connectivity bottleneck’, an effective
solution to this bandwidth shortage would be the application
of free-space communication techniques [39]. Free space
links are also financially preferable to fibre-optic cables as
they can be installed between any two arbitrary points
without concerns regarding the logistics of the associated
cabling, thereby allowing rapid deployment and high bit-rate
secure communication between locations in a built-up
metropolitan area [39].
Whilst free-space key distribution undoubtedly offers a
superior transmission channel to that offered by fibre-optic
schemes, there are drawbacks that are specific to free-space
techniques. Challenges include beam divergence [39],
background radiance (which is significant even during night
time operation), beam wander and turbulence [22]. Of these
concerns, the role played by sunlight and ambient light is
particularly significant, as unwanted photons are registered
by the photo-detectors in addition to the signal, thereby
increasing the error rate. Fortunately, many techniques exist
to counteract these effects, a combination of which can
largely render the problem tractable. These include
(amongst others) spatial filtering (the use of small solid
angles for photon acceptance) [10,11], spectral filtering
(application of narrow wavelength filters – such as rubidium
vapour filters) [31], adaptive optics [10], and the (almost
universal) use of narrow time sub-ns windows, known as
temporal filtering [39].
As each photon carries a bit of information (as opposed to
classical communication where binary values are represented
by >1 photon) QKD receivers are required to function as
single photon detectors. They are characterised by three
inter-dependent properties, the quantum efficiency (the
probability of a detector response given a photon), the dead
time of the detector (time to reset after a response) and the
dark count rate (instances when the detector gives a response
with no photon) [39]; although generally, the maximum
achievable repetition rate for a given detector is dictated by
the dead time.
Following the initial breakthrough in 1989, the next crucial
milestone was reached in 1996 with the demonstration that
free-space QKD was possible outside of the carefully
controlled environment of Bennett and Brassard’s light tight
box - and therefore robust to the adverse effects of ambient
photons. Single photons were transmitted over a 75m
distance in bright daytime conditions [9], in what represents
the first successful transmission of qubits in an uncontrolled
environment. This work confirmed that genuine free-space
QKD (rather than indoor free-space) was indeed possible, and
could offer a feasible key-distribution system that would not
be significantly hindered by the intense ambient photonic
background. Consequently, as the first outdoor free-space
quantum transmission, the experiment represents a highly
significant milestone towards the realisation of a global QKD
system [9].

The group were able to generate secret key-bits at rates of
~1kHz, producing over107 error-free bits during their total
transmission over the 150m indoor path (which was
illuminated with fluorescent lighting) and 75m path in bright
daylight conditions [9]. They recorded a reasonably large
error rate (pre-reconciliation) of 2% due to an abnormally
high dark count of one of the photodetectors (600 Hz),
however the single channel error rate of the alternative
detector was 0.7%, a rate more typical of fiber-optic systems
[9]. In order to reduce the background a wide range of
techniques were applied, including the use of a narrow time
coincidence window, combined with the use of a small
acceptance angle, filters and etalons, it was deduced that
these procedures reduced the background by a factor of 1010,
102 and 105, respectively [9].
Before transmission a computer at each end of the channel
made a randomised choice between the x-y or x’-y’ basis, as
with the 32-cm implementation, Pockels cells were
subsequently used to implement each specific choice of
polarisation; after transmission bases were compared and
only correlated choices were retained. As discussed, this
procedure established a secure, and (ideally) identical random
bit string that could be used to realise OTP encryption [9].
A narrow-band (1nm) interference filter and two Fabry-Perot
etalons were incorporated into the setup to reduce the effects
of background radiation and detector shot noise, whilst
neutral-density filters (NDFs) were used to attenuate the
laser light such that there was a negligible (~2%) probability
of a pulse containing >1 photon.
Whilst the work undeniably represents a key development in
free-space QKD, the experimental set-up was simplified
somewhat by the application of a ‘folded-path’ approach. As
the primary focus of the experiment was demonstrating the
ability to send and receive key bits securely in free-space, the
group chose to locate the transmitting and receiving optics in
the same position. The result of this is that the transmission
channel was not subject to many of the disturbing influences
that would be manifest in a real world free-space application,
such as turbulence and other atmospheric effects [9]
Another folded-path free-space QKD transmission was
demonstrated over a 1km distance in 1998, at Los Alamos
National Laboratory. In this instance the alternative B92
protocol was implemented in a scheme that allowed for
efficient key distribution, even under turbulent
environmental conditions. The paper reported a QBER
(defined as the ratio of the bits received in error to the total
number of received bits) of ~1.5% when the system was
transmitting <0.1 photons per pulse, and an impressive ~0.7%
was recorded as the QBER for a smaller 240m folded-path
[10].
The ability to produce strongly attenuated photon pulses is
an essential component of the vast majority of QKD
implementations [39], it represents the most frequently used
source of ‘single’ photons for QKD applications, and will
undoubtedly remain so, despite the inherent security flaws,
until a reliable and cost-effective SPS becomes readily
available [39]. The technique is relatively simple, reliable,
and offers the possibility of much higher repetition rates
[39], despite this the technique is known to be
fundamentally insecure due to the possibility of a range of
attacks, the most formidable being the photon-number
splitting (PNS) attack. If an eavesdropper were able to
perform quantum non-demolition (QND) measurements on
the transmission channel they would simply have to wait for
Poissonian photon statistics to deliver key bits to them free of
charge – as multi-photon pulses transmitted along the
channel contribute to the key but also are also completely
susceptible to eavesdropping [34,39].
Whilst attenuation of the laser produces a situation where
the average photon number per pulse <1, the Poissonian
distribution of this number means that there is always a non-
zero probability of transmitting >1 photon, i.e attenuation
reduces rather than prohibits the transmission of multi-
photon pulses [14,39]. This non-zero probability means an
eavesdropper has opportunities to ‘syphon-off’ photons;
additionally, there is always a higher probability of vacuum
transmission than anything else, particularly when pulses are
attenuated to <0.1 photons per pulse [39]. Although
privacy amplification is a widely applied and efficient solution
to the problem, the only way to truly protect against the
threats of emerging technology is the incorporation of a SPS
technology in a QKD protocol.
Despite the clear disadvantages, the application of WCPs is
widespread throughout the field of QKD, as they can be
realised with little more than a calibrated attenuator and a
semiconductor laser [14,39]. Alternative approaches to key
distribution have also been successfully employed, such as the
use of parametric down conversion (PDC) techniques,
whereby a laser beam is used to pump a nonlinear crystal,
and produce an entangled pair of photons. Using the
detection of one of these entangled photons as a trigger for
the second detector provides an efficient solution to the
problem of empty pulses and coincidence windows, whilst the
issues associated with a Poissonian distribution are negated
simply through the use of genuine single photons. Despite
this, pair creation is an extremely inefficient process [39], a
drawback which effectively undermines many advantages
offered by the technique.
The use of a true SPS presents a well-established advantage
over all WCP schemes, a SPS-scheme is completely secure
against PNS and other significant attacks, and offers much
better bit-secrecy rates, a significant advantage for high-loss
applications such as ground-satellite QKD [24]. The
superiority of SPS based QKD is repeatedly asserted
throughout the literature [24], and the technology has
become steadily more attainable as the 21st century has
progressed. For example, a pulsed SPS was demonstrated in
2004, based on the fluorescence of a single-colour nitrogen
vacancy centre in a diamond nanocrystal [24]. In addition,
WCPs have been experimentally assessed for increasing
propagation losses, with the results quantitatively
demonstrating that QKD with a SPS offers measurable
advantages over WCP QKD, particularly when transmission
losses exceed 10 dB. [24]
The transmitter in the 1998 1km folded-path experiment at
Los Alamos consisted of a temperature-controlled single-
mode diode laser, tuned to 772nm (therefore operating in ~
optimal transmission window) and pulsing at 105 photons per
ns. The experiment incorporated a bandwidth interference
filter, a variable optical attenuator, and (as with previous
realisations) a low-voltage Pockels cells [10]. Whilst the
rudimentary scheme was not yet sophisticated enough for
real-world applications (as the transmission was conducted
over a folded-path and key generation rates were not
sufficiently high), the demonstrated results were strongly
indicative of the inherent potential of free-space QKD
schemes for 21 century communication, with the authors
asserting they “believe that it will be feasible to use free-space
QKD for rekeying satellites in low-earth orbit from a ground
station” in the near future [10].
They calculated that in a real ground-satellite transmission
scenario a key generation rate of 35-450 Hz would be

attainable - considering that photons arrive at the detector at
a rate of between 1-10,000 Hz, and given a laser pulse rate of
10 MHz, an average of one photon per pulse, atmospheric
transmission of 80%, a 65% detector efficiency, and the 25%
intrinsic efficiency of the B92 protocol (amongst other
considerations). Whilst rates of this order are certainly not
sufficient for commercial applications, the authors assert that
this could be significantly increased (by a factor of 100) with
the application of adaptive tilt correction, leading to secure
key generation at a rate of 3.5–45 kHz for the B92 scheme;
although using the BB84 protocol would see the rate double
[10].
The B92 protocol is similar in many ways to the earlier BB84
approach, as with other quantum cryptography techniques
the security arises from the in-distinguishability of non-
orthogonal quantum states and the inescapable disturbances
that arise from the quantum measurement process [41]. The
four-state solution implemented in BB84 is more than is
actually necessary for secure key distribution, as such the B92
protocol [61] encodes with just two orthogonal pure states
[41,61] (A complex 6-state protocol has also been proposed,
which has the advantage of greater symmetry within the
Bloch sphere [41]). A typical BB92 procedure involves Alice
generating a random binary sequence, and transmitting a
single photon, chosen from a set of possible (non-orthogonal)
states for each generated bit. Upon detection of a photon,
Bob attempts to identify the specific transmitted bit value in
each instance [10]. As with the BB84 protocol, Alice and
Bob are completely free to discuss the decisions they made
over an unencrypted, public channel.
Whenever Bob’s choice of basis is not coincidental to the
choice made by Alice the associated key bit is disregarded,
this leaves only secure, identical key-strings (which are
subsequently verified through parity checks of the two
strings). A useful technique for monitoring the removal of
pulses involves analysis of the interference generated
between a macroscopic bright laser pulse and the dim pulse
(with <1 photon on average), as removing a dim pulse
significantly alters the resultant interference effects [41].
As discussed, ‘folded-path’ implementations, such as those
described in [9,10] can overly simplify the experimental
landscape (specifically in terms of turbulence and other
atmospheric hindrances), and they are therefore not
necessarily indicative of practical real-life applications. The
ability to perform key distribution over a free-space ‘point to
point’ quantum channel was demonstrated with distances of
0.5km [14] and 1.6km [15] in 2000, with the scheme
described in [15] reporting a ‘novel’ QKD system with no
active polarisation switching elements [15].
A critical weakness of the original form of the B92 protocol is
the vulnerability to what is known as a ‘man in the middle’
attack, whereby Eve takes control of both the public and the
quantum channels simultaneously (allowing her to
masquerade as Bob to Alice and vice-versa) [14]. The
consequence of this is that Alice and Bob will both
unknowingly exchange keys with Eve, meaning she is
effectively invisible and can read all their subsequently
encrypted communications [14]. It has subsequently been
discovered, however, that the incorporation of a short, secret
key to initiate the protocol can offer effective protection
against such an attack [14].
A year after [10] was published a challenging response
appeared in Physical Review Letters, suggesting that the
experimental setup for the 1km folded-path transmission was
not adequately “protected against a peculiar type of opaque
(Bennett) attack.” The criticism (which was refuted on the
next page of the journal by Buttler et al [13]), argued that
the implementation described in [10] was fundamentally
insecure, on the basis of hypothetical technology that could be
developed at some point in the future [12].
In their response [13] the authors highlight the important
distinction between attacks that are currently feasible, and
attacks that could become possible at some point, and are
limited only by the laws of physics [13]. More importantly
they emphasise that the intention of the work detailed in [10]
was not to introduce a fully secure, fully optimised and
definitive QKD protocol, rather to simply demonstrate the
potential offered by free-space QKD [13]. Indeed, they re-
iterated the claim that a properly implemented B92 protocol
could form the basis of a ground-satellite QKD system,
secure against all currently “feasible attacks without any
additional physical security requirements [13].”
Furthermore, if the scheme implemented the BB84 protocol
instead of B92 (a relatively trivial modification) the setup
would also be secure against the hypothetical Bennett attack,
and if a SPS were to be incorporated the approach would be
unconditionally secure, even against QND attacks [13].
Additionally, the specific attack considered in [12] would
require the eavesdropper to produce non-Poissonian photon
states; as this is clearly not an option the best approach for an
eavesdropper would be to retransmit a WCP, however this
would be revealed through an increase in ‘dual-fire’ errors
which occur when both detectors fire simultaneously [13].
One sensible comment made in [12] is regarding the use of a
true SPS, they concede that the experimental procedure
described in [10] adequately demonstrates the potential of
free-space QKD schemes, but insist that the development of a
SPS is required before truly secure QKD can be realised [12]
as it is the only way to thoroughly safeguard against the
plethora of attack strategies open to Eve (although it is
pointed out in [10,13] that simply switching to a BB84
protocol would protect against the hypothetical Bennett
(non-Poissonian) attack [10,13]).
The group at Los Alamos also demonstrated the ability to
operate free-space QKD systems under the disruptive effects
of fluorescent lighting [11], reporting the successful
transmission over a 205m indoor optical path in 1998. As
with previous work the transmitter and receiver were
collocated, meaning that the transmission was conducted
over a folded optical path – with the beam transmitted up and
down a 17m hallway [11]. The experiment incorporated a
‘corner cube’, identical to those found on LEO satellites of the
time (such as LAGEOS-I and LAGEOS-II) to demonstrate
the feasibility of ground-satellite QKD.
The setup was able to achieve key-bit generation at rates of
up to 50Hz when the transmitter was pulsed at a rate of
20kHz, with an average of ~0.7 photons per pulse, along with
a QBER of 6% [11]. This disappointing rate can be
attributed to an atrocious coupling efficiency, 𝜂, between the
transmitter and receiver of ~2% (where 𝜂 accounts for losses
between the transmitter and the power coupled into the
single-mode fibers preceding the detector at the receiver);
this poor coupling efficiency prevented the group from
operating below values of 0.7 photons per pulse [11]. As
part of the protocol a two-dimensional parity check was
implemented to enable the generation of error-free key
material, however, the important step of ‘privacy
amplification’, used to reduce the partial knowledge of any

eavesdropper to less than 1 bit of information was not
incorporated into the scheme [11].
The QKD scheme described in [14] was the first successful
demonstration of point-to-point free-space QKD outside of a
lab environment, it was operated for several days, both
through the day and night, over a 500m distance [14].
Achieving an impressive rate of secure key distribution
(~5kHz), this important proof-of-concept free-space
transmission represents a crucial milestone. The ability to
realise usable key-distribution rates, in realistic operating
conditions, gave an extremely strong indication that ground-
satellite QKD was genuinely feasible [14]. The setup was
able to achieve much better attenuation than previous
implementations, with an average photon number of ~ 0.3,
there was a 22% probability of each pulse containing exactly
one photon, 25.9% containing at least one photon, and15%
containing more than one photon [14].
Whilst the transmission was performed over a relatively
insignificant 0.5km distance, the result clearly evidenced the
fact that a secure key could be shared, either other a ground-
satellite or satellite-satellite link (meaning a satellite could be
rekeyed an arbitrary number of times whilst remaining in
orbit [14] - a highly significant development). Shortly after
this, a point-to-point free-space transmission was successfully
demonstrated over a slightly more useful 1.6km distance
[15].
This use of horizontal terrestrial transmission paths [14,15]
constitutes a sufficiently convincing proof-of-principle, as the
detrimental effects of turbulence (one of the principal hurdles
in free-space QKD schemes) are most prevalent over the
lowest 2km of the atmosphere [14]. Consequently, the
successful realisation of a 1.6km ‘horizontal’ transmission
strongly suggests that secure QKD is possible, both with
low-earth orbit (LEO) and geostationary (GEO) satellites.
Atmospheric turbulence represents the by far the most
serious limitation to free-space schemes, as it can cause ‘jitter’
in the photon arrival time, along with a significant amount of
beam wander, through variations in the refractive index (RI).
In order to negate issues associated with arrival times the
scheme incorporated the use of a bright timing pulse (which
carries no information). Transmitted at an alternative
wavelength immediately before each key-bit the arrival of the
timing pulse ~100ns before the key-bit triggers an avalanche
photodiode detector to set up a narrow (~5ns) time window,
thereby allowing spurious detection events from the ambient
background to be disregarded [14,15].
Beam wander makes a more significant contribution to the
QBER, fortunately the effects can be compensated for with
the application of active beam steering (known as ‘tip-tilt
control’) techniques. It is possible to derive an error signal
from a reflected component of the timing pulse to generate a
feedback-loop - this provides a reliable and effective stability
mechanism that is able to keep the beam tightly locked into
position [14]. Another serious consideration for any free-
space QKD scheme is the unavoidable background of ambient
light, both during the day, and at night - as single photon
detectors are easily saturated by rogue photons.
The effects of this ambient background can largely be
counteracted through the use of nano-second coincidence
windows (achieved with ‘temporal filtering’), narrow
wavelength filters to specifically select the signal of interest,
and spatial filtering at the receiver, achieved through the
application of a small solid angle for photon acceptance [14]
In addition, the scheme implemented the critical technique of
privacy amplification to obtain an optimal number of secure
key bits; the use of such protocols rendered the scheme secure
against all possible attacks (according to acknowledged
technology). The author’s accept that the system is
vulnerable to a QND attack, in which Eve makes use of non-
destructive measurements to ascertain which pulses are
multi-photonic, an attack that facilitates non-detectable
eavesdropping (QND measurement techniques however, are
still very much in their infancy). The inclusion of a SPS,
however, would remove the susceptibility to a QND attack,
meaning that by the time such an attack is possible there
should almost certainly be an efficient coping mechanism (a
SPS) [14].
The 1.6km transmission demonstrated shortly after at Los
Alamos [15] was similarly robust to simple beam-splitting
and intercept-resend attacks, and would have been equally
‘future-proof’ with the addition of a SPS. Achieving
successful key-distribution over a free-space optical path
which is comparable in distance to the effective turbulent
atmospheric thickness, the scheme added further credence to
the feasibility of ground-satellite QKD - particularly
considering that secret bit rates of several kHz were
routinely achieved with the setup [15]. During the course of
the experiment a total of 1.6 Mbit of data was sent in 40 data
exchanges, this led to the generation of significant quantities
of secure sifted key material (>17kbit) with a respectfully low
QBER of <3% for low average photon number (𝑛̅) pulses of
𝑛̅~0.2 [15].
The transmitter was able to operate at MHz clock rates,
controlling two temperature-controlled dim-pulse diode
lasers, which were both capable of emitting 1ns attenuated
optical pulses on demand. As per the B92 protocol, polarisers
arranged the output of one laser to be 450 and the other to be
vertically polarised; the randomised choice in this instance
was determined by the random bit-value generated by
discriminating electrical noise [15].
The intense Los Alamos sunshine means the effects of
turbulence are always a significant consideration; turbulence
induced beam-spreading can substantially increase the QBER
and severely limit system efficiency. With an average
efficiency of 0.13, fluctuations of ~30% caused by turbulence
induced beam spreading and beam wander constituted a
serious concern for the setup in [15]. The most significant
contribution to the QBER of the system came from the
ambient solar background, accounting for 5.9% of the 7.8%
BER (for 𝑛̅=0.2). Imperfections and misalignment of
polarising elements produced the second largest contribution,
with values as high as ~2% (significantly previous results
have suggested this component could be reduced to 0.5%
[15]). Detector noise, produced by ‘dark-counts’ made a
minute contribution of <0.1% to the QBER [15].
With numerous groups addressing the challenges and
requirements of free-space QKD the years post-2000 saw a
‘flurry’ of interest in the academic literature regarding the
development of satellite-based global QKD schemes. The
possibility of ground-satellite QKD was comprehensively
demonstrated by Rarity et al [18] in 2002, with an extensive
feasibility study concluding that no significant ‘technical
obstacle’ remained to prevent the realisation of a global key-
distribution system, capable of operating between any two
arbitrary points on the globe [18].
The group anticipated the system would involve the
exchange of a secure key-string between a ground station
and satellite, which could then be exchanged with another
chosen ground station, as and when required; thereby
enabling secure OTP-quality cryptographic communication

between any given locations across the planet. The
fundamental importance of a worldwide QKD scheme for the
security of global data is emphasised throughout [18], given
the inherent weakness of conventional public-key
cryptography, the promise of unconditional security which is
(theoretically) future-proof against the relentless evolution of
computational power is extremely alluring, particularly given
the ‘exponential expansion of electronic commerce’ [18].
A range of possible methodologies and different
arrangements of the transmitter, encoder and detector are
explored in what is termed the ‘satellite key exchange
problem’. Usefully, the paper defines ‘key performance
metrics’ with which they systematically evaluate specific
configurations and system designs according to their
suitability for ground-satellite key exchange. The group
directly compare three alternative key-exchange methods: (i)
Laser/encoding on the ground, detector on the satellite, (ii)
Laser/encoding on the satellite, detector on the ground, and
(iii) Laser/detector on the ground, retro-reflector and
polariser on the satellite.
Their analysis concluded that all three variations could be
used to successfully exchange key-bits with LEO (0.8-1.6km)
satellites and ground stations, during night-time, or (with the
addition of narrow-band filtering) daytime operation, and
similar conclusions were independently reached in a parallel
US-based study published in 2002 [62]. Generally payloads
of a couple of kg and tens of watts power consumption were
considered possible, in addition to key exchange rates of up
to 10kbit s-1 (during the closest approach to the ground
station), leading to megabits of uploaded key per satellite
pass (satellite in range for 100-200s) [18]. In terms of
suitability, the second option was favoured, whereby a top-
down transmitter system is utilised; in this configuration
expected key rates were up to 7kbit s-1 at 100 MHz repetition
rates [18].
A handful of groups had already successfully demonstrated
free-space QKD over multiple-km distances by the time the
paper was being written, whilst experiments being conducted
at the same time demonstrated that ranges of 10km [22] and
23km [20] were readily attainable. In many instances
important developments were being made to reduce the size,
mass and power consumption of the systems, to allow
portability in the short term and fully automated remote
operation in the long term [18]. Lightweight transmitter
and receiver designs were emerging as early as 2002 [20],
these generally avoided active optical elements to reduce size
and complexity, and were instead based on combining or
splitting the light in passive beam-splitters [18].
Comprehensive system design analysis for satellite-based
QKD was also offered in [21]. As in [18], it was suggested
that the most sensible location for the transmitter module is
on-board the satellite, with the receiver module in an easily
accessible ground-based location [21]. Additional
significant considerations include the fact that the majority of
QKD experiments require higher flexibility at the receiver
due to active polarisation control and data analysis; and the
fact that the atmosphere causes a larger footprint in an uplink
than in a downlink, due to the more significant influence of
turbulence [21]. The paper also concluded that LEO-LEO
satellite transmission links were entirely feasible according to
the currently demonstrated technologies
.
Figure 4. Experimental Overview: Four separate lasers were used at the transmission module to encode the four random polarisation states. They were combined in
a spatial filter before the 23.4 km transmission between the mountain peaks. A telescope at the receiver collected and filtered the light before it was passed to four
separate photon-counting detectors. (Figure taken from [20])
Another significant experimental development, depicted in
Figure 4, reported in 2002 was the 23.4km key exchange
between two mountain-tops in Southern Germany. To avoid
the effects of turbulence the transmission was conducted at a
highly-elevated altitude, whilst this achieved the desired
effect, the approach introduced a new range of obstacles and
considerations due to temperature changes and extreme
weather conditions. The apparatus demonstrated reassuring
(considering the temperature of space!) stability despite
ambient temperatures ranging from 5 to -250C [19,20].
The transmitter unit (Alice) was located at a small
experimental facility (Max Planck Institute for Extraerrestial
Physics) located on the summit of Zugspitze (2.96km), whilst
Bob was located on the neighbouring mountain of
Karwendelspitze (2.24km), 23.4km away [19,20]. The semi-
portable free-space QKD system was used to carry out
multiple night transmissions between September 2001 and
January 2002, with a final trial involving a three-day key
exchange, at a selection of pulse intensities ranging from 0.4

to 0.08 photons per bit (operating with 𝑛̅=0.08 led to optical
losses of ~ 18dB) [19]. In associated experiments the group
also demonstrated that key exchange could be carried out
even with transmission losses up to 27 dB, and argued that
with proposed improvements to receiver efficiency this could
exceed 33dB, meaning key-exchange to near-Earth orbit
(500-1,000 km) satellites would be achievable [20].
Whilst the group were typically enthusiastic about the
implications of their QKD scheme, asserting that their
“experiment paves the way for the development of a secure
global key-distribution network based on optical links to
LEO satellites [20]”, the reality is the setup described in [20]
is still a long way from the standard required. Despite
achieving an impressive transmission efficiency and distance,
key generation rates offered by the setup were far from
competitive. After sifting and error correction the scheme
was only able to produce a secret key string at the rate of
hundreds of bits per second.
This weak performance is partly attributable to a number of
factors; ambient background rates were particularly high due
to scattered light from snow cover (which made a large
contribution to the error rate), whilst the low bit rate (9.8kb)
of the classical mobile telephone link was also a limiting
factor in the sifting and error correction process [19]. The
group anticipated significantly improved performance could
be achieved with a combination of improved spatial filtering
at the receiver, a narrow band-pass filter tuned to the correct
wavelength, and accurate temperature control of the
transmitter lasers.
A 10km transmission using the BB84 protocol was also
demonstrated in 2002, with the system operating
continuously for several-hour periods both during the night
and day [22]. The authors reported the generation of secret
key-bit sequences at ‘practical’ rates and of a sufficient quality
to enable secure communications. The 772nm QKD system
utilised spectral, spatial and temporal filtering techniques to
extract a usable signal despite the adverse effects of
atmospheric turbulence and an ever-present background
radiance (with rogue ambient photons presenting a
significant source of error even through the night) [22].
The authors assert that the setup described in [22] would be
entirely capable of realising ground-to-ground cryptographic
applications, with the realisation of distribution rates that
would support practical cryptosystems such as the Advanced
Encryption Standard (AES) or even short OTP encryption.
With Alice sited at an altitude of 2760m on Pajarito
Mountain, Los Alamos, and Bob at an altitude of 2153m,
9.81km away the scheme was operated successfully for many
hours over several days. Crucially, the scheme was reported
to be secure against intercept/resend, beamsplitting and an
unambiguous state discrimination (USD) attacks, as well as
night-time PNS attacks [22]. In order to improve security
and reduce the complexity of the system the specific
implementation described in [22] included no active
polarisation switching elements. During each successful
cycle of the 1MHz clock a nanosecond, ~mW timing pulse
was emitted at 1550nm, this caused two secret random bits to
be generated by a cryptographic monolithic randomiser,
which in turn determined which of four 772nm diode lasers
fire (thereby selecting 1 of 4 polarisations) [22].
Understanding of the factors that parameterise free space
QKD was greatly enhanced as a result of the development of
a precise methodology in [22] to deduce the ‘secrecy
efficiency’ for alternative transmission distances,
instrumental conditions, atmospheric properties and
alternative radiances, through scaling of the defined ηopt/C
parameter from the values obtained over a 10km distance.
Their analysis was crucially able to deduce the lower
threshold for values of secrecy efficiency, below which no
secret bits can ever be extracted from a sifted key, shared
between Alice and Bob. The secrecy efficiency Psecret is
perhaps the most significant parameter when categorising
overall system performance; as the quantity determines the
total number of secret bits that can be exchanged per unit
time. The group were able to achieve an average daytime
efficiency of Psecret =(3.2±1.4)x10-4, and a maximum value of
Psecret,max =7x10-4. At nighttime the system was slightly more
efficient, with an average of Psecret =(4.2±1.4)x10-4 and a
maximum efficiency of Psecret =8x10-4.
For larger values of ηopt/C there are a specific range of
optimal values known to consistently produce a non-zero bit
yield, i.e when the average photon number per pulse (μ), μmin
< μ < μmax [22]. For situations where μ < μmin the bit error
rate (BER) of the sifted key is overwhelmingly large, to the
extent that no secret bits can be extracted whatsoever – due
to the large amount of information potentially leaked to
errors and through intercept/resend eavesdropping
strategies. Overall they were able to conclude that free-space
QKD would be more than feasible with the system, either
over 15km daylight paths or 45km paths at night,
additionally they deduced that optimal secrecy efficiency is
attained for values of μ=0.5, independent of range and time of
day [22].
Figure 4. A histogram of the secrecy efficiency Psecret (the number of secret bits produced per transmitted bit) versus the average photon number and the atmospheric
quantum channel parameter. In the region below the red line no secret bits can be transferred with the system. Even thiough these transmissions yield a large
number of sifted bits no secrecy could be produced from them after reconciliation and privacy amplification due to the large amount of info acquired by an
eavesdropper. The night transmissions marked with an asterisk are PNS-resistant (Figure taken from [22])

Another significant benchmark for free-space QKD was
realised in 2004 with the demonstration that free space
quantum transmission rates of up to 1.25 Gbps were possible
over ~1km distances, in conjunction with phenomenally
large sifted key rates of 1.0 Mbps. The scheme described in
[23] operated a 1550nm classical channel in parallel with an
845 nm quantum channel, this development facilitated a
phenomenal increase in system performance, with sifted
cryptographic key rates two orders of magnitude faster than
anything previously recorded [23]. Incredibly the authors
insisted that with improved detector resolution their setup
would be able to achieve an order of magnitude increase in
performance” [23].
As with many other successful implementations, the strategy
utilised narrow temporal gates to improve the SNR, however
instead of operating in asynchronous mode, with a timing
pulse immediately preceding the signal to trigger a specific
coincidence window the scheme in [23] was able to operate
in ‘synchronous’ mode, through the 1.25 Gbps clock rate and
the use of 8B/10B encoding [23]. The transmission board
(Alice) generated and stored two (1.25 Gbps) randomised bit-
streams for the selected quantum channel basis and a bit
value (as per the BB84 protocol), random data was generated
by a pseudo-RNG [23].
The experiment constitutes a phenomenal increase to secure
encryption capabilities in general, with the demonstration of
unprecedented transmission and sifted key rates. As there is
no commercially-available SPS capable of operating at GHz
repetition rates the setup was forced to employ attenuated
laser pulses, with a mean photon number μ= 0.1. It has been
calculated that with such values, approximately 9% of the
pulses transmitted contain a single photon, 1% contain two
or more photons and the remaining 90% will (statistically) be
empty pulses [23]. The downside of this approach, however,
is that is leads to a ten-fold reduction in throughput –
meaning when a high speed on-demand SPS becomes
available there will be an order of magnitude improvement in
key generation rates [23].
Figure 5. Sifted key bit rate and QBER plotted against mean photon number (Figure taken from [23])
In addition to offering a revolutionary increase in
transmission speed and sifted key rates, the 2004 paper
presented a useful analysis of the response of the sifted key
rate (kbps) and the QBER to varying photon number; both
values were plotted as a function of mean photon number in
Figure 5 (the QBER is the percentage of sifted key bits,
produced per 60 seconds of key generation, for which Alice
and Bob do not have the same value) [23]. Clear trends can
be identified in their experimental data: the sifted key rate
(marked in black) clearly increases with mean photon number
before plateauing at 1Mbps, the plot also allows
instantaneous related values to be determined, for example,
for a value of μ<0.2, the group recorded nearly 900kb of
sifted key data per second of transmission, and an error rate
of 1.0% [23]. The principal limitation of [23] can also
clearly be seen - their software was unable to successfully
process bit rates greater than 900kbps, causing the sifted key
rate to flatten out. This limitation greatly reduced the
throughput of the system, causing the sifted-key rate to max-
out at ~1Mbps once the mean photon number increased past
0.2 [23].
Whilst the 1.25Gbps transmission rate demonstrated in [23]
was undoubtedly impressive, the transmission speed is a less
significant consideration than security - the use of inherently
insecure attenuated laser pulses, rather than a SPS, is a
significant limitation of any QKD scheme. The inevitable
transmission of multi-photon pulses provides an ‘open door’
for any eavesdropper; to recover as much secrecy as possible,
attenuated pulse (WCP) schemes seek to employ ever weaker
pulses, leading ultimately to a compromise between security
and transmission rates [50].
Whilst operating nowhere near the 1.25 Gbps transmission
speed demonstrated in [23] the incorporation of a SPS into a
free-space QKD scheme in 2002 [50] represents a crucial
milestone, the paper reported the first complete
implementation of single-photon quantum cryptography
using a reliable room temperature SPS [50]. Using the
fluorescence of a single nitrogen-vacancy (NV) colour centre
inside a diamond nano-crystal the group were able to
successfully emit photon pulses on-demand to distribute key-
bits over a 50m distance, at a rate of 7,700 secret key bits per
second, and with a QBER of 4.6% [50].
Despite much shorter transmission distances and lower key
generation rates the scheme is fundamentally much more
secure than those making use of attenuated laser pulses. In
addition to enhanced security “the overall performance of the
system reached a ‘domain’ where the use of single photons
demonstrate da measurable advantage over an equivalent
setup based on attenuated pulses,” emphasizing the fact that
single photon QKD is a realistic candidate for long distance
QKD applications. [50]”.

The scheme implemented a BB84 protocol to achieve four-
state encoding and decoding, through the application of an
electro-optical modulator (EOM) unit, driven by a pseudo-
RNG and capable of switching 500V in 30ns to achieve a
5.3MHz SPS repetition rate [50]. Unfortunately, after
travelling down the short corridor, polarised photons were
detected at only a fraction of the 5.3 MHz source rate, despite
transmission via a 2cm-diameter beam to minimise the effects
of diffraction. A rate of 7x104 Hz was recorded after the 50m
transmission, while this represents an order of magnitude
decrease from the 5.3MHz source such a valuable is more
than tolerable for such a pioneering experiment.
The complete secret key transmission was achieved through
the use of error correction and privacy amplification (using
the public domain software QUCRYPT), these techniques led
to an average of 77 secret bits shared between Alice and Bob
for each 10ms transmission [50], and an associated QBER of
4.6% ±1%. The paper proceeds to offer a comparison of the
performance of their single photon BB84 implementation
with more traditional WCP approached, in terms of detection
efficiencies and Bob’s dark count rates They demonstrate
that the SPS approach has a patent advantage over even the
very-best WCP setups; irrespective of the type of attack that
is implemented, the specific scheme implemented in [50] also
offers a much higher secure bit rate than alternative
entangled-photon QKD schemes [50].
Another strong indication as to the superiority of SPS QKD
implementations was offered by [56], when a photon
turnstile device, where a quantum dot trapped in a micropost
cavity is optically excited by a pulsed laser, was used to
realise the BB84 protocol, facilitating “completely secure
communication in circumstances under which would
normally be impossible with an attenuated laser [56].”
Whilst transmission was only demonstrated over a trivial 1m
distance the group were able to achieve secure
communication rates of 25 kbits per second [56], and a
QBER of 2.5% in this important proof of principle.
The group used the exchanged key bits to implement a OTP
encryption of the message seen in Figure 6 (a picture of the
memorial church at Stanford University). Alice and Bob
were able to exchange a 20-kbyte key, with which Alice
performed an XOR operation on each individual bit of the
information. The result of this is something that looks very
much like white noise to any unwanted recipients without the
secret key bits. Bob is able to faithfully recover the
information simply by using his version of the key to XOR
the received message (as seen in Figure 6) [56].
Figure 6. Illustration of a cryptographic encoding and decoding process, the message, a (140x141) 256-pixel bitmap of Stanford University’s memorial church was
encoded by a secure quantum key in a OTP encryption process. The encrypted image appears as noise to a third party, not in possession of the key. The recipient
(Bob) is able to faithfully recover the contents of the message by decoding with the shared secret key. (Figure taken from [56])
Whilst the initial SPS proof-of-principle QKD setups [50,56]
were crucial milestones in the progression of free-space SPS
QKD, the experiments were both performed over a relatively
insignificant distances at least in terms of the requirements
for real-world applications. Whilst this is similarly true of
the 30m transmission distance demonstrated in [24], the
scheme was operated under open-air experimental conditions
and consequently represents a much more robust proof-of-
principle as the realisation is much closer to a genuine
practical setup with environmental hazards. Additionally,
the authors claim that the setup could readily be extended to
km distances [24]
As with [50] the SPS was provided by the pulsed excitation
of a single nitrogen-vacancy colour centre (NVCC) in a
diamond nano-crystal. Single photons were subsequently
transmitted from window to window over a 30m distance,
between two wings of the Institut d’Optiques building in
open air at night-time. As such, the QKD scheme was
implemented with a realistic ambient background and with
the two communicants completely removed from each other.
The scheme reported an average of 3200 secure bits
exchanged within a typical 0.2s transmission sequence,
corresponding to a 16kbit s-1 key generation rate [24], a
value well over double that demonstrated in [50]. The
scheme utilised the BB84 protocol, using a KDP EOM to
obtain the 4 random polarisation states through the
randomly choice of either the rectilinear or the circular
polarisation bases; after transmission over the 30m channel
(at rates of up to 16kbits-1) the key bits were subjected to
error correction and privacy amplification {ref 37 in
24}techniques to ensure maximal information security.
The authors are keen to highlight the importance of SPS
schemes, since first proposals {ref 16-18 in 24}, a diverse
range of approaches have been investigated, although all are
essentially based on controlling fluorescence from various
emitters, such as molecules {ref 19-22 in 24}, atoms {ref 23
in 24}, colour centres {24 in 24} and semi-conductors. The
use of a NVCC in a diamond nanocrystal offers many
practical advantages over alternative solutions as it can be
operated at room temperature (as with molecule emission),
and is perfectly photo-stable for both pulsed and continuous-
wave (cw) laser excitations [24].
The relative advantages offered by SPS implementations are
clearly outlined in [24], along with a quantitative
demonstration that the use of pure single-photon states
provides a significant advantage over the use of WCPs in the
strong attenuation regime (when transmission losses exceed
10dB) [24]. The efficiency of a specific QKD
implementation in terms of secure key bit distribution is best

characterised by the mean amount of secure information
exchanged on each transmitted pulse [24]. Through
comparison of experimental data (recorded for a range of
quantum-channel attenuations) with numerical simulations
based on analytical derivation of mean number of bits per
pulse (after privacy amplification and error correction) the
group were able to verify the superiority of SPS
implementations over long distances and large attenuations
[24].
A significant milestone was reached in 2005 with the
demonstration of free-space entangled photon distribution
over the more realistic (in terms of practical applications)
distance of 13km, entangled photons were produced by type-
II parametric down-conversion [26]. For the first time a
group was able to conclusively demonstrate key distribution
over distances far greater than the effective thickness of the
atmosphere, and were able to achieve link efficiencies well
beyond the threshold required for satellite-based QKD,
thereby verifying the feasibility of a global QKD network
utilising satellites and ground stations [26].
Performed in Hefei, China the sender was located at the top
of Dashu mountain (with an elevation of 281m) and two
receivers (Alice and Bob) were located at the west campus of
USTC and at Feixi, in Hefei. The distance between the two
receivers was approximately 10.5km, whilst the distances
from the sender to Alice and Bob were 7.7 and 5.3 km,
respectively [26]. One of the entangled photons was made
to pass through the a challenging cityscape (traversing
nearly half of the city of Hefei), according to the cityscape the
two receivers were not in direct sight of each other – due to
the presence of many buildings between them [26]
Whilst the system made use of the popular BB84 protocol,
the key was instead distributed using entangled photons as
opposed to attenuated laser pulses, consequently, when Alice
and Bob happen to choose the same basis set their private
keys are perfectly anti-correlated [26], this represents a
trivial obstacle as it simply requires one party to convert all
of their key bits. Following these procedures the group were
able to demonstrate coincidence events at rates of nearly
7,500 per minute [26].
Discarding events where Alice and Bob selected
contradictory bases led to a total of nearly 7,956 sifted key-
bits, and a QBER of 5.83%. After the process of error
correction the number of key-bits was considerably reduced
to 4,869 bits and a QBER of 1.47%, after performing privacy
amplification they finally obtained a secure key-string that
was 2,435 bits in length. This value corresponds to an
average key distribution rate of 10 bits s-1, however the
authors point out the this figure could be significantly
enhanced, with the incorporation of a high-intensity
entangled photon source key distribution rates in the region
of 100s bits s-1 could comfortably be achieved [26].
Crucially, the group were able to show that entanglement
was able to withstand the 13km transmission through the
noisy atmosphere (well beyond the effective thickness of the
atmosphere), despite being strongly influenced by
atmospheric pollution and background light - even at night
background count rates are as high as 30,000 per second
without interference filters. Their achievement was
confirmed by recording a spacelike-separated violation of a
Bell inequality of 2.45±0.09 [26], with the “strong violation
more than sufficient to guarantee the absolute security of the
QKD scheme, thereby closing the eavesdropping loophole.”
The scheme described in [26] utilised an argon ion laser to
pump a beta-barium-borate crystal with a wavelength of
350nm; for a pump power of 300mW (and with the use of a
narrow bandwith (2.8nm) interference filter) the group
recorded 10,000 pairs of entangled photons per second. With
the application of the interference filters the average
background count was reduced from 30,000+ per second to
as little as 400 per second and with perfect weather
conditions they were able to achieve coincident count rates of
up to 300 counts per second [26]. The group also applied
the technique of laser-pulse synchronisation to achieve a 20ns
coincidence window, thereby reducing the effect of ambient
photons and detector dark counts [26]. With the eventual
addition of a pulsed and gateable entangled photon source,
and with the application of high precision spatial and spectral
filtering the methods outlined in [26] would also allow for
free-space QKD in daylight conditions [26].
Another important proof-of-principle for entangled-photon
free-space QKD was published in the same year [27], when
entangled photons were distributed over a 7.8km distance, at
nightime, over the city of Vienna. The result was
particularly significant given that the transmission was over
the centre of Vienna, demonstrating quantum cryptography
in a location with a long-standing requirement for secrecy
(due to the nature of the Swiss banking industry), and to a
market that would have great need for QKD services when
they become commercially available. The group were able to
conclusively demonstrate the high-fidelity transfer of
entangled photons over sufficiently long distances, however,
with no provision for spectral filtering, the scheme was only
suited for night-time operation [27]. Despite this, the
scheme was able to clearly demonstrate the feasibility of
sending entangled photons through free-space optical links
given realistic atmospheric conditions, with entanglement
distribution confirmed by the violation of a Bell inequality by
14 standard deviations [27].
The source was located inside a 19th century observatory
located on top of a hill, with the receiving station nearly 8km
away on the 46th floor of a modern skyscraper, as such, the
majority of the transmission path was at an altitude of 150m.
The entangled pairs of photons were produced by PDC
techniques, which ensure extremely tight temporal
correlations, in addition to polarisation entanglement. The
utility of such time correlations is well-recognised, as the
narrow coincidence windows allow for low-noise operation,
even when the background is greater than the signal
intensity [27]. During the course of a 40-minute
transmission a total of 60,000 coincident detection events
were recorded, however this was reduced by a factor of ten
following bases reconciliation, error correction and privacy
amplification. The group were able to infer a QBER of ~10%
(which would correspond to a drop in average visibility from
93% at the source to 80% at the receiver), of which they
attributed 3.5% to the source, 1.5% to accidental coincidence
counts, and the rest to polarisation misalignments.
The challenge of transmitting through a busy city
environment is a far from trivial proposition, pollution and
atmospheric turbulence cause significant scattering rates,
beam fluctuations and wander – all of which adversely affect
link stability and efficiency [27]. The group were able to
demonstrate secure key distribution over a distance that
corresponds to just over one airmass, as the characteristic
thickness of the atmosphere is just over 7 km [27], as the
scattering loss experienced by a vertical transmission is
represented by a 4.5km horizontal transmission the
experiment comfortably surpassed the required threshold for
successful atmospheric transmission [27].

Typically with entangled photon QKD schemes coincidence
events are identified through the direct comparison of
detection events over a time-stable public channel; this most
commonly occurs via a direct cable connection, however for
transmissions over longer distances bright optical pulses can
be used to transmit detection and timing information [27].
The scheme described in [27] was able to identify
coincidences without the use of a time-stable channel, instead
each detection event is locally recorded with time tags shared
later over a public internet channel. Detection coincidences
were identified by looking for cross-correlations in 64-bit
binary time stamps, which were able to record the time of
each event with a precision of 125ps. The time-stamping
cards were stabilised by Rubidium oscillators, which are
known to drift by approximately 1ns every 20s. The
polarisation correlations obtained in [27] were sufficient to
convincingly violate a CHSH-Bell inequality (by 14 standard
deviations), and demonstrate entanglement between the two
locations.
A radical departure was made in 2006 when photon orbital
angular momentum was utilised in a new BB84
implementation. The protocol encoded information in
different spatial modes (that span a d-dimensional Hilbert
space) of propagating photons that have a definite value of
orbital angular momentum (OAM) [29]. In the specific
implementation described in [29] each transmitted state was
encoded in a subspace of spatial modes with zero orbital
angular momentum (although a subspace with a definite
value of orbital angular momentum could also be utilised)
[29].
The technique offers two principal advantages; by encoding
in a d-dimensional space a logarithmic increase in the key
generation rate can be achieved - as each transmitted photon
is able to hold log d-bits of information the approach offers
greatly increased rates. In addition, the fact that the
transmitted states are eigenstates of OAM means they are
rotationally-invariant about the propagation direction of the
beam. As a consequence the relative sender-receiver
alignment is completely irrelevant (an appealing advantage in
free-space QKD), meaning the protocol can be implemented
without reference frame alignment [29] - “By encoding the
information in rotationally invariant states they were able to
decouple the alignment between preparation and measuring
devices” [29].
This property is particularly useful in the case of ground-
satellite, or satellite-satellite communication. As such
systems facilitate secure key distribution between moving
parties, the need to maintain a strict alignment with
polarisation-based implementations adds significant
complexity to any scheme. These limitations are obviously
negated by the use of techniques detailed in [29],
additionally, as no information is encoded in photon arrival
times the scheme is also able to avoid significant problems
introduced by transmission through turbulent environments,
such as beam wander and time-of-arrival jitter [29].
Whilst impressive transmission distances and high secure
key distribution rates have been repeatedly demonstrated, the
majority of implementations tend to record relatively small
time periods of key distribution. The specific free-space
implementation detailed in [30] was left to run continuously
for 10 hours through the night. Based on the BB84 protocol
with polarisation-entangled photons, the scheme was able to
generate an average secure key at a rate of 630 bits s-1 (after
error correction and privacy amplification) over a distance of
1.5km (between the rooftops of two University of Singapore
buildings), and with the application of a long-pass filter they
were able to achieve up to 850 bits s-1 over a period of 6 hours
[30].
Using a PDC source and compact detection modules, a free-
space wireless internet protocol link and a software-based
coincidence identification scheme the setup represents a
robust and efficient approach to extended key distribution
sessions. The use of software-based coincidence
identification removed the need for a dedicated
synchronisation hardware channel. During the experiment
the detection time of all photoevents was registered with a
time stamp unit, which was locked to a Rubidium oscillator
[30]; the scheme also implemented typical interference and
spatial filtering techniques for the purposes of background
suppression [30].
Additional advantages offered by [30] are that the scheme
doesn’t require an explicit RNG, as well as the ability to
perform error correction and privacy amplification techniques
‘on the fly’, enabling the production of a continuous stream of
secure key bits [30]. The authors argue that the setup could
also be successfully deployed for daytime key distribution if
the accidental coincidence rate could be reduced by an order
of magnitude - a reduction that could potentially be realised
through the application of stronger spectral and spatial
filtering and reduced coincidence windows [30].
The use of Rubidium (Rb) filters is widespread in QKD
implementations; in [31], for example, in a system designed
to operate at a 780nm wavelength, homemade Rb vapour
filters were operated on the D2 transition line to successfully
suppress strong background light. Based on the Faraday
anomalous dispersion effect the filters act as an ‘ultra-narrow’
spectral-filtering device, capable of efficiently removing the
strong, broadband solar background and greatly increasing
the signal-to-noise ratio (SNR). This use of atomic filters
allowed for the transmission of sifted and corrected key bits
at rates as high as 3.14 and 1.56 kbits s-1, respectively [31] -
whilst an error rate of around 5.1% was maintained
throughout [31].
The widespread use of quantum cryptography for everyday
consumers was advocated in 2006 with the demonstration of
a short-range, low-cost QKD system. Both transmitter and
receiver modules were constructed from inexpensive, off-the-
shelf components and were able to generate and renew
secrecy (an impressive 4,000 secret keybits s-1), over short
distances of a few metres in shaded daylight conditions [32].
Whilst the traditional market base for QKD technologies are
high-level organisations such as the military, and financial
and academic institutions, the system described in [32]
represents more of a ‘ground-up’ implementation designed
for use on a regular day-to-day basis by the general public, in
a variety of short-range consumer applications that could
incorporate OTP and authentication protocols [32]. With a
compact transmitter the system was designed to be
eventually incorporated into a hand-held device such as a
smart card or a mobile phone [32], leading to a range of
promising potential short-range consumer applications. A
frequently imagined scenario describes a consumer utilising a
‘secrecy’ allowance (for use with a portable OTP encryption
device) and where necessary buying a ‘top-up’ for the account,
as with a pre-pay mobile phone.
The paper proposes a method of protecting against card-
fraud, with an Alice module incorporated into a mobile phone
and the Bob module located in a fixed device such as a bank
ATM, known as a ‘quantum ATM’ (QATM). A typical usage
scenario envisaged by the authors would involve “registered

Free space QKD

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Free space QKD

Similar to Free space QKD (20)

Recently uploaded

Recently uploaded (20)

Free space QKD