1. Introduction
Private communication is of critical importance in the present time, which is raising the demand for developing secure methods for message delivery. Encryption by means of secret keys, which is at the core of cryptography, allows a secure exchange of messages through a public channel when a potential adversary exists. Modern cryptography [
1,
2,
3] not only practices but also studies secure communication techniques between two distant users in the presence of third parties. Its protocols exhibit unidentifiable messages, which are readable only to the sender and the recipient, assuring that an encrypted message sent through a public channel is indecipherable by a third party.
Prior to the digital age [
4,
5,
6], cryptography has focused on message conversion into an indecipherable form, making it unreadable to interceptors. These days, the field is expanded not only to communication and military secrecy [
6,
7], but also to integrity checking, identity authentication, secure computation and more [
2].
A secure key is required for the sender to encrypt the message and for the recipient to decrypt it [
8]. In modern cryptography, the security of a key is based either on complex underlying algorithms, or on practical constraints, such as the factorization of large numbers [
3]. One example is the Diffie Hellman key exchange protocol [
9,
10], which was implemented by using prime numbers and their primitive root modulo. Although key decryption calculations can take an unrealistic period of time for modern computers, there is no way to ensure that a key has not been decrypted by a third party, and so become readable to an eavesdropper.
As computers gain the ability to perform complex calculations, along with the development of quantum computers [
11], the decryption of cryptographic algorithms is becoming simpler. This makes former cryptographic protocols irrelevant and strengthens the threat to information security. Nonetheless, many recent studies claim that this issue can be resolved by the utilization of quantum key distribution [
12,
13]. In other words, secure communication can be achieved with quantum cryptography [
11,
14].
One of the basic principles of quantum physics states that the measurement of a photon’s state necessarily changes it [
12,
13]. When using a single photon in a specific state to carry an information bit, it cannot be copied without causing an alteration in its state. This phenomenon is known as the no-cloning theorem in quantum mechanics [
15]. Therefore, two users that are willing to exchange a random binary message through a public channel can recognize whether a third party is intercepting this channel before sending the message, that is, any attempt at interception can be identified before the message is sent. Furthermore, by using random number generation [
16] that dictates the photon’s state, it is possible to generate a random key that will be known only to the sender and the recipient.
This application of quantum cryptography is known as quantum key distribution (QKD) [
8], which is the utilization of quantum communication for establishing a key shared between two users, without allowing a third party to learn anything about it. The security of QKD can be proven mathematically [
17], without any restrictions on the eavesdropper’s ability, unlike in classical key distribution.
Practically, there are some challenges in this technique [
18,
19] due to transmission distances, rate limitations and accuracy. Nowadays, quantum cryptography is at the forefront of research, and suggests many other applications, such as quantum coin tossing [
11].
The first quantum cryptography protocol was developed by Charles Bennet and Gilles Brassard under the name of BB84 [
1]. This quantum key distribution scheme is usually referred to as a secure method of sending a private key from one user to another in a one-time pad encryption. Based upon two conditions, this protocol is known to be provably secure [
17]; there is an authenticated public classical channel and information gain is possible by interfering with the signal in attempts to distinguish the two states only if they are not orthogonal (i.e., the no-cloning theorem).
Quantum technologies have been implemented rapidly into industry in the past two decades. However, the implementation of quantum cryptography in the market remains limited, as several obstacles prevent the industrial transfer of classical cryptography into quantum cryptography. Previous processes of implementation concepts in optics, such as optical fibers and adaptive optical systems, rely on the development of devices in the industrialization of any optical technology. In fact, quantum key distribution (QKD) devices are no different as there are high costs involved in the integrability of such devices. Current QKD devices often include an optical table, superconducting wire detectors, expensive and fragile single photons sources and precision optics. These components require extensive and constant maintenance and can be operated only by trained experts. Therefore, QKD has many challenges when implemented in standard educational laboratories.
In this paper, an educational experiment for the study of the BB84 quantum cryptography protocol is presented which can be performed without a single photon source or special training for senior undergraduate laboratories. Instead of individual photons, this experiment is carried out with a pulsed laser and while it cannot truly be employed as a perfect encryption system, the sequence of the BB84 protocol is completely identical to a true quantum encryption system. The major difference between this emulation experiment and a true quantum cryptography setup is that genuine safety from interception can only be guaranteed if a single photon source is used. This means that the information of a bit must be transported only by a single photon. If any classical light source is used instead of a single photon source, then Eve cannot be detected. For eavesdropping, all that is required is that Eve separates a portion of the transmitted light for detection, while sending the remainder to Bob unnoticed. The core principle in our emulation is based on the fact that every single light pulse cannot be split into smaller portions and travels as a single quantity of light. Under this condition, the simulation for single photons completely replicates the experimental results.
2. Theory of Experiment
2.1. One-Time Pad
The one-time pad [
20,
21] is a classical encryption technique, which is assisted by quantum physics to meet the method’s requirements, and is considered
secure in principle. While the desired message consists of a non-random sequence of 0 s and 1 s, the one-time pad is a single-use key consisting of a random sequence of 0 s and 1 s. A binary addition [
22,
23] of the message to the key results in another sequence of random bits, which is then sent as the encrypted message. The addition rules for the bits are:
When applying a binary addition with the secure key, which is generated by the BB84 protocol, to the original message, the sender can encrypt the message. By applying a binary addition with the secure key to the encrypted message, the receiver can decrypt it and obtain the original message. An example is shown in
Figure 1.
If the encrypted message is intercepted, the eavesdropper requires the key to decode the message, otherwise the random sequence cannot be interpreted. The binary sequence can be converted to strings using ASCII (American Standard Code for Information Interchange) symbols [
24].
While computer-generated pseudo-random numbers are not truly (
) random [
25], the one-time pad requires a completely random selection of the encryption key. Nonetheless, quantum physics offers numerous possibilities for true randomness [
16], such as radioactive decay. Quantum random number generators are a key component in quantum cryptography data networks. In practice, a photon that is reflected by a beam-splitter can be interpreted as 1 and a photon that is transmitted by a beam-splitter can be interpreted as 0. Therefore, for conventional light sources with the same intensity [
26,
27], photon distribution on two single photo-detectors can be considered truly random.
Generally, the BB84 protocol core purpose is generating a secure key between the sender and the receiver.
2.2. Key Distribution
The sending unit ‘Alice’ consists of a pulsed laser source [
26,
27], which is polarized in a specific direction, and a half-wave plate (
with
being the wave length), which rotates the polarization of the incident light by double the physical rotation angle of the plate; see
Table 1. It must be noted that the angle mentioned in here refers to the rotation angle of the polarization, and not of the plate.
The receiving unit ’Bob’ consists of a half-wave plate (), a polarizing beam-splitter (PBS) and two detectors that indicate whether the light sent by Alice was either reflected or transmitted from the PBS.
Before Alice can send a message to Bob, a secure key must to be generated. If Alice’s pulsed source is polarized horizontally, two bases can be defined, “+” and “
”, where each contains two light polarizations. Alice can send a random bit of 0 or 1 in the following manner, as shown in
Figure 2.
The “+” basis consists of and polarizations, whereas the “” basis consists of and polarizations. In this scheme, either basis can be used to represent a binary bit: “0” for and , and “1” for and .
To create a secure key, Alice randomly selects a basis and a bit, then sends it to Bob by using the scheme above, while rotating the polarization plate accordingly. Bob randomly selects a basis and rotates the polarization plate accordingly ( or ), while recording with the detectors which bit was received.
In this manner, the PBS reflects the component of the incident light, while transmitting the component. Thus, if the polarization of the light sent by Alice is at and her polarization plate is at , the incident pulsed beam will be at , thus transmitted through the beam splitter (designated as event “0”). If Alice’s polarization plate is set to rotate the polarization by , the pulsed beam will be reflected by the beam splitter (designated as event “1”). Similarly, Alice can send bits in the “” basis.
If Bob selects the “+” basis and Alice sends the bit in the “+” basis, Bob obtains an unequivocal result. However, if Bob selects a different basis than Alice, a result polarized by
will be sent to the beam-splitter; half of the beam is transmitted and half is reflected by the PBS. Hence, there is a
chance that Bob will detect either 0 or 1 for a pulsed beam, and the result is ambiguous. The different cases are shown in
Table 2.
After sending the entire random sequence, Alice and Bob compare only the randomly chosen bases through the public channel. If their two bases differ, the measurement is discarded. As can be seen from
Table 2, the result is unequivocal only when the bases are the same. The encryption key is derived only from the measurements in which Alice and Bob chose the same basis.
Once Alice and Bob have gone through all measurements, the secret key is achieved. Consequently, Alice can encrypt the message and send it in the “+” basis, so that Bob receives it in the “+” basis and decrypts it. If there is no eavesdropper, the number of matching bases should be identical to the number of matching bits. Therefore, the amount of matching bits out of the total bits sent by Alice is .
2.3. Detection of an Eavesdropper
The eavesdropper unit ’Eve’ is placed between Alice and Bob, as seen in
Figure 3, consisting of the same components but in reverse sequence. It is placed in a position that allows to measure the light coming from Alice and transmits the same information to Bob.
As Eve cannot copy the pulsed beam transmitted by Alice without altering its state, it must randomly select the basis in which it will transmit it to Bob. Besides that, another random basis should be selected for the bit that is received from Alice. Thus, two random selections are required for Eve’s bases.
There are four possible scenarios in which Alice and Bob can choose the same basis (otherwise, the measurement is discarded):
Eve chooses the same basis as Alice and transmits the bit to Bob using the same basis. In this case, Eve correctly measures the signal sent by Alice, thus, Bob receives the bit initially transmitted by her. Eve’s presence is undetected in this case;
Eve chooses the same basis as Alice and transmits the bit to Bob in a different basis. In this case, Eve correctly measures the signal sent by Alice, yet transmits it to Bob in a different basis, meaning that he has a 50% chance to detect the original bit that was sent by Alice;
Eve chooses a different basis than Alice and transmits the bit to Bob in this basis. In this case, one of Eve’s detectors will randomly respond to the bit transmitted by Alice, meaning that Bob has a 50% chance to detect the original bit that was sent by Alice;
Eve chooses a different basis than Alice and transmits the bit to Bob in another different basis. In this case, Eve detects a random bit from Alice, and Bob detects a random bit from Eve, having only 25% chance to detect the original bit that was sent by Alice.
Cases 2–4 produce an error, which allows Alice and Bob to detect Eve’s presence. The measurement is not discarded, since both Alice and Bob sent/received the signal on the same basis. However, in cases 2 and 3, one of Eve’s basis differs from Alice or Bob, hence one random detection takes place. In case 4, Eve’s basis differs and two random detections take place. Either way, Bob can obtain a different bit than the one sent by Alice in the same basis. Such event is impossible without a third party interference. Let us note that in this approach the time interval is 1 s between each bit transmission.
The test for an eavesdropper’s presence is carried out following a similar procedure: Alice and Bob compare bases and choose a certain sequence of bits with matching bases to compare in a public channel. If the test bits are identical, there was no eavesdropper in the system. However, if errors occur in approximately of events, the communication was intercepted. In this case, the message was not yet sent, thus Alice and Bob should follow the same procedure in a different channel to generate a new secure key. to note is that in part one, where Alice and Bob are present, it takes only one second to send the pulse from Alice to Bob. In part two, which involves two pulsed lasers and two pulsed laser detections, it takes one second to send the pulse from Alice to Eve; then, Eve prepares the second pulse by mechanically rotating a half wave plate, which takes about two seconds and then it takes another second to send the bit to Bob, resulting in a total time of four seconds.
2.4. Mathematical Description in Dirac Notation
The four polarization states in this experiment are symbolized as
,
,
,
, where
are the states of the + basis and
are the states of the
basis. They are defined using Dirac’s notation [
28] (i.e., bra-ket notation), where
denotes a vector that represents a quantum state, and
denotes a linear map that maps a vector to a number in the complex plane. Consequently, the linear functional acting on a vector is written as
, as corresponds to a scalar product for two states [
12,
13]. It is important to note that the scalar product of two orthogonal states is:
, whereas the squared absolute value of the scalar product represents the probability that a
polarized pulsed beam passes through a polarizer oriented in a
direction. The scalar product of the same two states is:
.
These states can be expressed as linear combinations of the other basis:
. According to the fact that the scalar product must be normalized:
, all four states can be expressed by a superposition of the others:
Hence, for example, the probability of a
polarized pulsed beam passing a
oriented polarizer is
:
The probability for the other states and bases can be derived similarly.
The base operators, which are are linear maps that input a ket
and output a ket
, are introduced to describe a measurement in either one of the bases.
Thereby, the operators act on a given state; if an operator acts on a basis similar to the polarized state, the eigenvalue is the state itself. Note that the eigenvalue of corresponds to the transmission and is assigned as bit 0.
The same derivation can be done for
, operating on the
base. However, if an operator acts on the opposite basis, it is possible to show that the transmission probability of a pulsed beam through a polarizer is
:
Similarly, for the other cases:
Figure 4 and
Figure 5 exhibit different cases for Alice and Bob with and without an eavesdropper, respectively.
3. Experimental Procedure
The light source in the experimental system is a pulsed laser and not a single photon source, meaning that the prevention of an interception cannot be fully guaranteed. Therefore, in order to eavesdrop, Eve must separate a portion of the light transmitted from Alice, then analyze a part of it while sending the remainder to Bob, imperceptibly. However, the sequence of the protocol in this experiment is completely identical to a true quantum encryption system. It must be noted that in order to avoid unbiased randomization, all bases and bits (for Alice, Bob and Eve) should be generated simultaneously. The complete experiment setup is shown in
Figure 6.
3.1. Calibration
The model of the lasers in the system is CPS635R from Thorlabs [
29]; collimated laser diode module: 635 nm, 1.2 mW, Gaussian profile beam. The detectors models are EDU-QCRY1/M by Thorlabs [
30].
Before conducting the experiment, the light source and the detectors were calibrated [
26,
27]. The pulsed laser was calibrated by a polarizer to a horizontal polarization of
. The bit detectors, both for Eve and Bob, were aligned so that the transmitted and reflected light would reach the desirable detector. The detectors were tested both for Eve and Bob for each base and bit.
3.2. Key Transmission—Without Eve
Alice chooses a random basis (+ or ) and a random bit (0 or 1), while Bob randomly chooses his basis (+ or ), and they both set their wave plates accordingly. The random basis and bits were chosen by means of a computational script that is explained later in the paper. Then, the laser pulse is sent through the setup and Bob records whether he measured a 0 or 1 bit.
Next, Alice and Bob compare their bases through a public channel, keeping only the bits that were measured with the same bases, which then define the secret encryption key between them. Using the generated key, Alice can encrypt the message and send it publicly to Bob. Bob can decrypt the message by means of the same generated key.
This experimental Section was conducted on sequences of 18 bits for a 2 letter word, and 52 bits for a 4 letter word. It is important to note that if the generated key is longer than the message, it should be shortened to the message’s length in order to allow the binary addition for its encryption.
3.3. Key Transmission—With Eve
Alice chooses a random basis (+ or ) and a random bit (0 or 1), while Bob randomly chooses his basis (+ or ).
Eve randomly chooses two bases (+ or ), the “incident basis” which corresponds to the bit sent by Alice, and the “transmitted basis,” which corresponds to the bit sent by Eve to Bob. All units set their wave plates accordingly. First, a laser pulse is sent from Alice, and Eve records whether it measured a 0 or 1 bit. Next, Eve sends the bits received in the randomly chosen base to Bob, who records whether he measured a 0 or 1 bit.
For example: Alice sent bit 1 by choosing basis for the state (the polarized light passes a polarization plate with ), Eve intercepted it by using the basis + (polarization plate with ), and then sent the state . Bob measured this state by using basis + (polarization plate with ) then had the measured bit 1.
Alice and Bob compare their bases again through a public channel and keep only the bits that were measured in the same base. In this Section, Alice and Bob compare a sample of the transmitted bits that were measured. If errors occur in approximately of events, the eavesdropper is detected and the secure key is erased.
The goal of this Section is to confirm the existence of Eve and it was conducted in sequences of and 52 bits.
A step-by-step evaluation of the experiment shown in
Figure 6 and includes the following steps:
Step 1: The pulsed laser is polarized to using a polarizer.
Step 2: Alice turns her polarization plate to , which is the x base, and sends a pulsed laser, emulating a single photon source. Alice sends a randomly chosen bit, simulated by the pulsed laser, which can be chosen using the python simulation. Let us assume Alice sends the bit “0”.
Step 3: Eve randomly turns her incident base. The random base can be chosen using the python simulation explained in the computational procedure
Section 4. Let us assume Eve’s incident base is +, which is
opposite to Alice’s base.
Step 4: There is a 50% chance for Eve’s detector to show bit “1” or bit “0”. For this scenario let us assume that Eve receives the bit “1”.
Step 5: Eve randomly turns her transmitted base. The random base can be chosen using the python simulation explained in the computational procedure
Section 4. Let us assume Eve’s transmitted base is
.
Step 6: Another pulsed laser, transmitted by Eve, emulates Eve sending bit “1” to Bob.
Step 7: Bob chooses his base randomly, as explained above. Let us assume Bob’s base is . Bob assumes that the received bit was from Alice. Bob’s base is the same as Eve’s transmitted base, so Bob receives the bit “1”.
Step 8: Alice continues sending bits by proceeding back to step 1 for every assigned bit in her message.
4. Computational Procedure
To compare the experimental results with the theory, a Python script was computed for the simulation of the BB84 protocol, using modules such as numpy, endecrypt and more; see
Appendix A for general functions of the simulation and code, and for full script at GitHub, see available materials.
For a genuine comparison between the experimental results and the simulation, all the randomly generated bits and bases (Alice: bits and base, Eve: incident and transmitted bases, Bob: base) were generated using the Python script. Consequently, the key simulation and the experimental procedure had the same randomly chosen bits and bases for the units.
In the presence of an eavesdropper, the code performs the sequence to detect whether Eve is eavesdropping by using randomly chosen bits, in case the bases chosen by the corresponding units are different. If an eavesdropper is not detected, a random key is generated, and the encryption/decryption is computed by the simulation.
In addition to that, a simulation with large numbers of random bits was executed: for , , and bits using the Python code. The convergence of matching bits in the presence of Eve should be roughly of the total bits sent by Alice to Bob. For each sequence, the average simulation running time was measured for 10 different executions and recorded for the analysis of its complexity.
6. Discussion
Quantum key distribution is a secure communication method which implements a cryptographic protocol involving components of quantum mechanics. It enables two parties to produce a shared random secret key known only to them, which can then be used to encrypt and decrypt messages. The proposed experimental apparatus illustrates the key principles of quantum key distribution [
1]. In both experiment and simulations, the eavesdropper can be detected. Nonetheless, if there is no eavesdropper, an encrypted message can be sent via a public channel between two parties, using the same procedure.
The experimental procedure does not require any special training and can be conduced by undergraduate students. Furthermore, the experimental setup is affordable and can be built using commercially available optical components. The computational simulation can help students worldwide, especially in developing countries.
The measurements for 18 and 52 bits without an eavesdropper showed an accuracy of approximately of matching bits from the total number of bits sent. This corresponds to the theory according to which Alice and Bob create a secure key for encryption. The measurements for different sequences of bits with an eavesdropper showed an accuracy of roughly of matching bits from the total number of bits sent. As explained previously, such accuracy alerts Alice and Bob that an eavesdropper is present in the system, hence they need to create a new key. Eve’s measurements are shown in the results table for educational purposes, and, even without knowing them, it is possible to detect an eavesdropper.
A computer simulation was written along the experiment in order to compare the results. Although the complexity of this simulation is not ideal and at around ∼, we believe it introduces quantum cryptography principles, mainly in terms of eavesdropper detection. Rounding errors and computed pseudo-random numbers might affect the accuracy of the simulation, hence we anticipate an accuracy of around 20–30% with the presence of an eavesdropper. Nonetheless, for educational purposes, the script reliably simulates the presence of an eavesdropper as well as key distribution. Let us note that the major difference between this analogous experiment and a true quantum cryptography setup is that genuine security from interception can only be guaranteed if a single photon source is used. Hence, the information of a bit has to be transported only by a single photon. If any classical light source (even a weakened laser) is used instead of a single photon source, Eve cannot be detected. All that is required to eavesdrop is for Eve to separate a portion of the transmitted light for detection/analysis while sending the remainder to Bob unnoticed. Since the detailed experiment in the paper uses a pulsed light source (not a single photon source), it cannot truly be employed as a perfect encryption system. However, the sequence of the protocol is completely identical to a true quantum encryption system.
We believe that this experimental protocol can be easily adapted in other higher education facilities, using the same experimental procedure and simulation. It is worth mentioning that similar experiments have been carried out in the past [
31,
32,
33], yet due to their complexity were fairly challenging for repetition in undergraduate laboratories. A simplified experimental setup along with the user-oriented computational simulation, described here, can assure an easy implementation while maintaining high educational standards.