Cryptography is the art of encrypting a message so that two partners can exchange a message that they understand, while an adversary who has obtained a copy of the message cannot decrypt it. It has become a tradition to name the two partners Alice and Bob. The adversary, the eavesdropper, is usually named Eve, a cheap joke, I must admit, but I am not responsible for the joke. Cryptography goes back to antiquity, and has a rich history. It is important for diplomacy and for military affairs, and in the recent period, it has found major applications for the security of the exchange of information on Internet. The one-time pad technique was invented in the 19th century by Frank Miller and Joseph Mauborgne, and patented in 1919 by Gilbert Vernam, who used an encoding/decoding key read from a punched tape. The key can be a list of numbers on a pad and reduced to a microscopic size as popularized by movies or novels. One-time pad cryptography uses two identical encoding/decoding key, that is to say two copies of a series of random characters in the hands of the two partners, Alice and Bob. Here we will only consider two possible values, zero and one. One partner, for instance, Alice, encodes her message by adding to each bit of the message, the random bit coming from the key. Bob, who has an exact copy of the encoding key, can easily decipher the message by adding the random bit of the key to the corresponding encoded bit. In that scheme, Alice and Bob must have the encoding/decoding keys in advance and keep them secret. But the encoded message can be sent on a public channel. Even if the eavesdropper gets a copy of the encoded message, he or she will not be able to decode it. In contrast to most cryptography methods, one-time pad has been proven absolutely secure by Claude Shannon, the father of information theory. His demonstration is purely mathematical and has the solidity of a mathematical theorem. But this absolute security is based on a strict condition: the message cannot be longer than the key. Otherwise, as there are many historical examples, it would be possible for crypto-analysts to use regularities to decipher the messages. So when a message as long as a key has been sent, the key must be renewed. In order to exchange a new message, Alice and Bob need to obtain a new pair of identical encoding/decoding keys. This exchange of key must be absolutely secure, that is to say Alice and Bob need to be sure that no eavesdropper has been able to obtain a third copy of the key they have just shared. It turns out that quantum technology can be used to solve that problem of secure key sharing. The technology named quantum key distribution, QKD, consists of writing the key on a quantum support and send it on a channel that should remain confidential. The fundamental idea of QKD, is that after sharing the key, Alice and Bob can make a test to check that nobody has been able to eavesdrop the information traveling on the quantum channel. If the test fails they renounce to use the key. But if the test is passed they have a new key they can use whenever they want. The fundamental reason why quantum physics ensures the security of the key distribution is that any measurement on an individual quantum object leaves a trace, a footprint. In other words, it is impossible for Eve to read the information written on a quantum object without perturbing it. This perturbation can be detected by Alice and Bob, who can also communicate on a channel that can be a classical public channel, which does not need to be secure. Among several methods of quantum key distribution, I present here the celebrated scheme called BB84 which was described by its inventors, Charles Bennet and Gilles Brassard, in 1984. The theoretical scheme is general and could use any quantum object with a two valued observable. In practice, the polarization of a photon turns out to be the privileged support of quantum key distribution. In order to generate the key that will be sent to Bob, Alice has a source of polarized photons, and she can choose the polarization of each photon among four possibilities associated with two different linear polarization basis. Two are along the axes x and y, and are often noted V and H for vertical and horizontal. The two other polarizations are at 45 degrees and are usually noted R and L for right and left. Each set corresponds to two orthogonal polarizations, that is to say, the two output channels of a polarizing beam splitter conveniently oriented. The two sets correspond to two polarizing beam splitters at 45 degrees from each other: they are associated with two non-commuting observables, as you can check using the expressions I have given above. When Bob receives a photon, he analyzes its polarization with a polarization beam splitter, of which it chooses randomly the orientation between the two possibilities, either vertical or at 45 degrees. If his choice corresponds to a polarization sent by Alice, he obtains the result corresponding to the value chosen by Alice. This is the case, for instance, if Alice sends a photon with a V or an H polarization, and if he puts his beam splitter at zero degree from the X axis. But if he makes a wrong choice, that is to say if he puts his polarizer at 45 degrees from X when Alice has sent a H or V photon, then he obtains a random result, uncorrelated with the initial choice of Alice. So he gets the right information in half the cases only. It may seem a poor result, but, in fact, there is a simple way for him and Alice to know what are the right choices, and keep these ones only. This is called reconciliation. In order for Alice and Bob to know what were the right choices, it suffices that Bob announces on the public channel what were his choices of basis, and then, Alice replies which ones were correct, again on the public channel. Alice and Bob now know what were the situations when the choice of Bob was the right one and they keep these cases only. They have now two identical encoding/decoding keys. The exchange of information between Alice and Bob about the chosen orientations is done on the public channel. It can be listened to by Eve, but we will see now that this is not detrimental. When presenting the QKD scheme, I told you that Alice and Bob can be sure that there is no spy who has obtained a copy of this key. Can we demonstrate that it is indeed the case? In order to answer such a question, let us put ourselves in the position of the eavesdropper, and try to get some information about the key sent by Alice to Bob at the end of the reconciliation procedure. What would you do? Pause the video and think about it. Let us pretend we are Eve and try to obtain the same information as Bob without being detected. To get information we must intercept the polarized photon and make a polarization measurement on it. But then Bob will receive nothing, and thus, this photon will not be used for the reconciliation procedure. So we must be a smarter Eve. After doing the measurement we will use a one photon source to resend the photon towards Bob with the polarization we have just found. Bob will then receive a photon with a polarization that we know. So if this is photon is used for the key, an information we will get on the public channel, we will know that value of a bit in the key. Let us now take the point of view of Alice and Bob, who are as smart and know as much quantum optics as Eve. They understand that Eve could do what we have just been describing. Measuring a photon polarization and resending a photon with the result they have just found. Can they detect such a maneuver? The answer is yes. Can you find how? You did not find yet? I'll give you a hint. What Alice and Bob can do is sacrifice a subset of the key they have established after reconciliation. More precisely, Bob will choose randomly some of the cases where they agreed, and tell on the public channel what he found in these cases. With this information, Alice can tell that there is an eavesdropper if there is one. Can you tell why? I am sure most of you have found the answer. Let us describe it in detail, since it will allow us to fully appreciate where the quantum nature of the signal plays a role. The series of cases shown here allow us to understand. There are cases when Eve does not choose the same polarization orientation as the one decided by Alice. Here it is cases number two three and five. In these cases, the result found by Eve is random, but this is not the point. The fact is that in these cases Bob will find a random result, which means that in half these cases, he finds the wrong direction as shown here in cases two and five. So when receiving the results found by Bob in cases two and five, Alice will observe that they are wrong although Bob had chosen the right basis. She will thus conclude that there is a spy on the channel and warn Bob that this key must not be used. Can you tell what is the fraction of the cases where Bob gets a wrong result although he had chosen the right basis? Did you like that game where you have to put yourself alternatively in the position of Alice and Bob, then of Eve, then again Alice and Bob? If you like it, you may want to work in cryptography, but you must know that we have only sketched the kind of reasoning that professional cryptographers have to do to evaluate the security of a scheme. Nevertheless, this simple scheme is enough to understand the fundamental reason why a quantum scheme can be absolutely secure. It is the impossibility to find the polarization of a single photon. If you do not know what is the basis of polarization that was used to polarize the photon, you cannot find what is the polarization. In fact, this property is a general property in quantum physics. It is impossible to determine the full quantum state of a single quantum object. Any measurement amounts to projecting the quantum state on a basis depending on your measurement, so all you can get is a value of the projection of the quantum state on the basis you choose. Many physicists tried to find a way to overcome this impossibility to fully determine the quantum state of a single quantum object. This stimulated the discovery of a very important theorem, the no cloning theorem, which plays a fundamental role in proofs of the security of quantum key distribution.
