Practical free-space quantum key distribution over 10 km in daylight and at night

We have demonstrated quantum key distribution (QKD) over a 10-km, 1-airmass atmospheric range during daylight and at night. Secret random bit sequences of the quality required for the cryptographic keys used to initialize secure communications devices were transferred at practical rates with realistic security. By identifying the physical parameters that determine the system's secrecy efficiency, we infer that free-space QKD will be practical over much longer ranges under these and other atmospheric and instrumental conditions.

required for the cryptographic keys used to initialize secure communications devices were transferred at practical rates with realistic security. By identifying the physical parameters that determine the system's secrecy efficiency, we infer that free-space QKD will be practical over much longer ranges under these and other atmospheric and instrumental conditions. Cryptography allows two parties ("Alice" and "Bob") to render their communications unintelligible to a third party ("Eve"), provided they both possess a secret random bit sequence, known as a cryptographic key, which is required as an initial parameter in their encryption devices [2]. Secure key distribution is then essential; Eve must not be able to obtain even partial knowledge of the key. Key distribution using a secure channel ("trusted couriers") is effective but cumbersome in practice, potentially vulnerable to insider betrayal and may not even be feasible in some applications. In contrast quantum key distribution (QKD) [1] uses single-photon communications to generate and transfer new keys on-demand with security based on fundamental quantum principles in concert with information-theoretically secure protocols [3]; Eve can do no better than to guess the key. QKD offers long-term security superior to public-key based key transfer systems [4]. QKD would be especially useful if it could be performed reliably across line-of-sight paths through the atmosphere [4,5]. Free-space QKD has previously been demonstrated over laboratory [6,7] and modest outdoor [8,9,10] distances. More recently, the feasibility of free-space QKD over kilometer-scale distances has been demonstrated in both daylight [11] and at night [11,12]. In this paper we report the first demonstration of the transfer of cryptographic quality secret keys at practical rates during both day and night using QKD across a 10-km air path whose extinction, optics and background are representative of potential applications. We also develop a methodology for extrapolating these results to other ranges under other atmospheric and instrumental conditions. In our realization of the "BB84" QKD protocol [1] Alice (the transmitter) sends a sequence of random bits over a "quantum channel" to Bob (the receiver) that are randomly encoded as linearly polarized single photons in either of two conjugate polarization bases with (0, 1) = (H, V), where "H" ("V") denotes horizontal (vertical) polarization (respectively), in the "rectilinear" basis, or (0, 1) = (+45º, -45º), where "+45º" and "-45º" denote the polarization directions in the "diagonal" basis. Bob randomly analyzes the polarization of each arriving photon in either the (H, V) or the (+45º, -45º) basis, assigning the corresponding bit value to detected photons. Then using a "public channel", which is authenticated but assumed to be susceptible to passive monitoring by Eve, he informs Alice in which time slots he detected photons, but without revealing the bit value he assigned to each one. The sequence of bits detected by Bob and the corresponding bit sequence transmitted by Alice form partially correlated "raw" keys. (See Figure 1

.) Then
The atmosphere is not birefringent at optical wavelengths and so can function as a quantum channel for the transmission of BB84 polarized single-photon states. Atmospheric transmittance and the availability of high-efficiency, low-noise single-photon detectors (SPDs) strongly constrain the operational wavelength, with 772-nm offering the highest secret bit rates with current technology [5]. Challenges to implementing free-space QKD include the background radiance, which is a strong error source even at night [11], that varies over several orders of magnitude on time scales of the order of hours, and atmospheric turbulence which introduces random variations in the quantum channel transmission on 10-100-ms time-scales. These features of the free-space quantum channel also present challenges to extrapolating the performance of QKD from results at one range and one time-of-day to other ranges and other times-of-day. Our implementation of free-space QKD effectively deals with the physics challenges of the atmospheric quantum channel and we have developed a formalism that allows system performance to be extrapolated into other regimes.
Our free-space QKD system uses spectral, spatial and temporal filtering to render the background tractable [4,5,10,11]. It has no active polarization switching elements, both as a security feature and for design simplicity, and can operate across ranges up to 30 km (limited by the range of our 1 Mbit s -1 wireless Ethernet "public channel"). On each cycle of a 1-MHz clock the transmitter (Alice) emits a ~ 1-ns, few mW, 1,550-nm timing pulse. After a 100-ns delay, two secret random bits generated by a cryptographic monolithic randomizer [16] determine which one of four temperature-controlled "data" diode lasers emits a ~ 1-ns, 772-nm optical pulse with one of the BB84 polarizations [1] and an average photon number, µ, (we assume Poissonian photon number statistics and µ < 1 throughout) that is launched towards the receiver (Bob). (See Figure 2.) At Bob the timing pulse is detected by a photodiode, to set up an ~ 1-ns timing "slot" in which a QKD data pulse is expected. An 18-cm Cassegrain telescope, whose field of view is restricted to ~ 220-µrad by a spatial filter, collects the 772-nm data pulse, passes it through a 0.1-nm wide interference filter (transmission η filt ~ 0.6), and directs it into an optical system where its polarization is randomly analyzed in one of the BB84 bases. SPDs, one for each of the four BB84 polarizations, register the result. (The SPDs are based on passively-quenched EG&G model #C30902S silicon avalanche photodiodes operated at a temperature of -20°C, with a single-photon detection efficiency of η det ~ 0.61, and a dark count rate of ~ 1.6 kHz. Lower dark count rates ~ 100 Hz would be possible with other detectors.) After a 1-s quantum transmission of 10 6 bits, a 6-s public channel communication is required to produce the sifted key. Cameras in Alice and Bob provide rudimentary visual authentication to protect against a "man-in-the-middle" attack. Cryptographic authentication [2,14,17] would be included in a complete QKD-enabled secure communications system.
We located Alice at an elevation of 2,760 m on Pajarito Mountain, Los Alamos, NM, (35° 53.489' N, 106° 22.647' W) with Bob located near to our laboratory (35° 52.222' N, 106° 16.312' W), at an elevation of 2,153 m, pointing towards Alice (azimuthal direction = 284° true, elevation angle = 3.5°). The 9.81-km Alice-Bob air path had an average beam height above the terrain of ~ 140 m and a calculated atmospheric transmittance of η trans = 0.81 [18]. We operated the system for several hours on each of several days during both full daylight, with 0.2 < <µ> day < 0.8, and at night with 0.1 < <µ> night < 0.2. During a 1-s quantum LA-UR-02-449 transmission, the probability for a transmitted bit to enter the sifted key, P sif , depends on the average photon number of the optical pulses, µ, the efficiency of the atmospheric transmission and the receiver's detection efficiency. In the regime in which we operate, where the signal-to-background ratio is large and the probability of multi-detection events is much less than the probability of single-detection events, we may is the 1-s average geometric capture efficiency of data pulses by Bob, and η rec ~ 0.47 is the transmission of Bob's receiver optics with the exception of the 50/50 beamsplitter that provides the random choice of QKD polarization measurement basis, whose transmission/reflection coefficient is η BB84 = 0.5. Taking into account the 1-MHz clock rate, the system produced n = 10 6 P sif ~ 100 -2,000 sifted key bits per 1-s quantum transmission. Errors in Bob's sifted key were overwhelmingly caused by (unpolarized) background photons in daylight and by detector dark noise at night. We quantified these sources of errors by operating the system at µ = 0 (zero transmitted photon number) to produce a "sifted key" formed entirely from detections of background photons and detector dark counts at Bob's receiver. We found that in each 1-s, µ = 0 transmission, each of Bob's four detectors registered approximately equal numbers of detections, of which approximately one half were in the "wrong" basis, and the balance of the detections contributed bits to a sifted key that were divided roughly equally between "correct bits" and "errors". With both transmitter and receiver in afternoon sunlight we observed C ~ 50 sifted key errors per detector in a 1-s, µ = 0 transmission, corresponding to a radiance of ~ 2 mW cm -2 µm -1 str -1 . (Under these conditions Alice and Bob produced background-generated sifted keys containing ~ 400 bits of which ~ 200 of the bits in Bob's sifted key were errors.) In "reduced daylight" (transmitter in shadow, receiver in direct sunlight) this dropped to C ~ 5 . At night, even though the background radiance is at least a factor of one million less than in daylight, we found C ~ 1 -2, owing to detector dark noise. Therefore, for µ ≠ 0 transmissions, the sifted key bit error rate (BER) can be written as 4 We note that the sifted key BER, which is one of the relevant quantities in determining the overall QKD system performance, is a function of: the average photon number, µ, which is characteristic of the transmitter; the quantity η opt /C, which characterizes the quality of the atmospheric quantum channel; and the constant, receiver-dependent quantity, D. In what follows we will find that µ and η opt /C are particularly useful independent variables for predicting system performance. (The quantity η opt /C is proportional to the signal-tonoise ratio that the system would have for producing sifted bits, scaled to a notional photon number of µ = 1. We have chosen to use η opt /C as an independent variable because this quantity isolates the dependence of the system's performance on the atmospheric channel properties, which are not under our direct control, into a single quantity whose value is determined from measured quantities.)  Table 1 for an example of a daylight sifted key.) Then between 18:44 MDT and 19:29 MDT from a further 236 1-s quantum transmissions with an average photon number of <µ> night ≈ 0.14 with a standard deviation of 0.02, a channel efficiency of <η opt > night = 6.6%±1.8%, and channel parameter <η opt /C> night = 0.017±0.007, we obtained 192,925 sifted key bits (<P sif > night = (0.82±0.21)×10 -3 ), with an average BER of <ε> night = 2.1%±0.7%. (See Figure 3.) Alice and Bob reconcile their n-bit sifted keys from each 1-s quantum transmission using the interactive "bisective search" algorithm [6,13] to correct Bob's errors by dividing the sifted key from each 1-s quantum transmission into words and the parity of each word is publicly communicated. Words whose parities do not match are then repeatedly sub-divided and the parity of the subwords publicly communicated to locate and LA-UR-02-449 correct an error. The key is then randomly shuffled and the process repeated until no parity mismatches occur on two successive rounds. Alice and Bob then possess n-bit reconciled keys that agree with very high probability; they have a reliable estimate of the BER of the sifted key, but they have revealed parity ("side") information about the sifted key that is approximately 19% greater than the Shannon limit of ( ) ( ) ( bits per bit of sifted key, on sifted keys of ~ 10 4 bits for the BERs we encounter. Our first line of defense for Alice and Bob against eavesdropping is similar to that of Reference [6]. To protect against opportunities presented by multi-photon signals [19] (e.g. a beamsplitting attack) Alice and Bob assume that the fraction ( µ ≈ of sifted key bits in each 1-s transmission that originated from the transmitter as multi-photon pulses could have been faithfully identified by Eve [6]. They attribute all Bob's errors to Eve having performed an intercept/resend attack in the Breidbart basis on the portion ( ) of sifted key bits that originated as single-photon pulses [6]. The number of secret bits that Alice and Bob can extract from n reconciled key bits is then ( [20], where s is a safety factor [3,14], and ( ) ( ) is Eve's collision entropy per bit [3] of the sifted key.
(If the reconciled key has any "bias" -more "zeroes" than "ones" or vice-versa -they also reduce the collision entropy appropriately to compensate for the information that this would provide to Eve.) From each positive-F 1-s quantum transmission Alice and Bob produce an F-bit final secret key using privacy amplification by public communications [3]. They form the elements of their final secret keys as the parities of F random (but publicly specified) subsets of their n-bit reconciled keys. i The protocol fails to produce a secret key if F < 0. Eve's expected (Shannon) information on the final key ( ) is < 10 -6 bits for s = 20, independent of the length of the final key. We define two figures of merit: the "privacy amplification efficiency" (the number of secret bits per sifted bit), P sif→secret = F/n, for F > 0, and 0 otherwise; which characterizes the efficiency of the information-theoretic parts of the QKD procedure, and the "secrecy efficiency" (the number of final secret bits per transmitted bit), P secret = P sif P sif→secret for F > 0, and 0 otherwise, which characterizes the performance of the entire QKD system. (See Figure 1.) In our system, which operates at a 1-MHz clock rate, the total number of secret bits that can be produced from a 1-s quantum transmission is therefore 10 6 P secret .
First we consider P sif→secret , which depends only on µ and η opt /C in the regime in which we operate where the safety factor, s, is much less than the number of sifted key bits, n. Remarkably, only certain ranges of µ and η opt /C values allow any secret bits to be extracted from the corresponding sifted keys [11]: no secret bit yield is possible for channel parameters smaller than η opt /C = 0.0016 for any value of µ with our system. (See For larger values of η opt /C there is a range of µ-values, µ min < µ < µ max , (where µ min and µ max are functions of η opt /C) consistent with non-zero secret bit yield. For µ < µ min the sifted key BER is so large that no secret bits can be extracted because of the large amount of information potentially leaked to correct errors and through intercept/resend eavesdropping. As µ increases from µ min the sifted key BER decreases, and the yield of secret bits initially increases, but as µ increases further so much information is potentially available to Eve through multi-photon pulses that the secret bit yield starts to decrease, reaching zero at some value µ max . The remaining 113 of our daylight 1-s transmissions and all of our night transmissions lie in this allowed region, which shrinks to zero for η opt /C = (η opt /C) min = 0.0016 at µ ≈ 0.45 with ε ≈ 5.7%. This observation allows us i With very small probability, two errors may remain in Bob's reconciled key after error correction. Privacy amplification then has the effect of producing final keys in which half of Bob's bits disagree with Alice's. Obviously, such keys cannot be used. Fortunately, this rare occurrence can be detected with high probability by performing a final key check, in which we sacrifice a few final key bits and compare them to ensure that the keys agree, leading to a small reduction in the overall secrecy efficiency. This key check would be included in the authentication procedure [17] in a complete system [14], but this was not implemented when the data in this paper was taken.
LA-UR-02-449 to specify the limiting atmospheric channel conditions under which QKD is possible with this system (and for other systems by scaling the relevant parameters) and as we will see later, to infer the maximum range under different background conditions. The average privacy amplification efficiencies for extracting secret bits from the 4 October sifted keys were: <P sif→secret > day = 0.26±0.12 for the non-zero secret bit yield daylight transmissions only; <P sif→secret > day = 0.06±0.25 when the zero-yield daylight transmissions were included; and <P sif→secret > night = 0.64±0.07 for the night transmissions.
The secrecy efficiency P secret , is the most relevant figure of merit for overall system performance. This quantity determines the total number of secret bits that Alice and Bob can produce per unit time, and through its dependence on the relevant independent parameters we can determine how to optimize its value. In daylight we achieved a maximum secrecy efficiency of P secret, max = 7.0×10 -4 , an average value of <P secret > day = (3.2±1.4)×10 -4 for the non-zero yield transmissions, and <P secret > day = 1.5×10 -4 including all daylight transmissions. The corresponding values at night were P secret, max = 8.0×10 -4 and <P secret > night = (4.2±1.4)×10 -4 . (See Figure 5 and Table 1 for an example of a final secret key.) The total 50,783 of daylight final secret key bits, and the total 118,064 of night final secret key bits passed the FIPS 140-2 cryptographic randomness tests [21] as well as the 5-bit version of the Maurer universal statistical test for cryptographic random numbers [22]. The FIPS tests, which we also apply to the random numbers produced by Alice's randomizer, require samples containing 20,000 bits and specify statistical significance levels for: the proportions of 1's ("monobit test"); the frequencies with which all possible four-bit groups occur ("poker test"); and the frequencies with which consecutive sequences of 0's ("gaps") and 1's ("runs") occur ("runs test"). Maurer's test, which requires large samples of bits, sets statistical significance levels for the intervals between repetitions of m-bit blocks of bits. Our 4 October 2001 data provided enough secret bits to perform this test for m = 5.
We also consider protecting Alice and Bob from two eavesdropping attacks in which Eve would take complete control of the atmospheric quantum channel. First, we consider the possibility that Eve could perform a technologically-feasible version of an unambiguous state discrimination (USD) attack [6,23,24] to uniquely identify the polarization of a portion of the optical pulses containing three photons emerging from Alice's transmitter. Eve could couple all of Alice's optical pulses with perfect optical efficiency into a lossless version of Bob's receiver. Whenever precisely three of Eve's single-photon detectors are triggered, she can uniquely identify the pulse's polarization as the polarization associated with the single detector that was triggered in one of the bases. Using a conventional channel Eve could then communicate the polarization to a transmitter similar to Alice's located adjacent to Bob's receiver, and fabricate an optical pulse of the same polarization. Eve would simply block all other data pulses. Eve would then know precisely every bit in Alice's sifted key and would be able to evade detection provided she did not reduce Bob's raw key rate below the expected value. This is only possible if the emission rate of three-photon pulses from the transmitter that Eve can identify is larger than the expected single-photon arrival rate at the receiver: 2 32 opt µ η > 2 . None of our positive secrecy efficiency data lies in this region and so our data is secure against this attack. (Our system can tolerate up to 21dB of atmospheric channel loss at µ = 0.5, and up to 31dB of loss for µ = 0.15 while maintaining security against this form of eavesdropping.) Second, we consider the possibility of an even stronger, photon number splitting (PNS) attack. In the version of the attack that we consider Eve would block all single photon pulses from Alice, split off and store one photon from each multi-photon pulse while sending on the remaining photons to Bob over a lower-loss channel, and then measure the polarization of her stored photon once Alice announces her basis choices. (We do not consider the possibility that Eve could increase the efficiency of Bob's detectors [25].) As with the USD attack considered above, Eve would then know precisely every bit in Alice's sifted key and would be able to evade detection provided she did not reduce Bob's raw key rate below the expected value. This would be feasible if the emission rate of multiphoton pulses from the transmitter is larger than the single-photon arrival rate at the receiver ( opt µ η > ) [25], which imposes a stronger limit on the allowable photon numbers than for the USD attack. However, Eve would require yet-to-be-invented technology: an optical-photon-number quantum non-demolition measurement capability, a quantum memory and a lower-loss quantum channel to Bob. Nevertheless, approximately half of the 4 October, 2001 night 1-s transmissions (whose 107,250 sifted bits yielded 70,577 final secret bits) are secure against this version of the PNS.

LA-UR-02-449
We have demonstrated that free-space QKD is possible in daylight or at night, protected against intercept/resend, beamsplitting and USD eavesdropping (and even PNS eavesdropping at night), over a 10-km, 1-airmass path, which is representative of potential ground-to-ground applications and is several times longer than any previously reported results. Our system provided cryptographic quality secret key transfer with a number of secret bits per 1-s quantum transmission that would support practical cryptosystems such as the Advanced Encryption Standard, AES [26], or "one-time pad" encryption for short messages. (See Figure 6 for an example.) We have also developed a methodology that allows us to deduce the secrecy efficiency for other transmission distances, instrumental conditions, atmospheric properties and radiances by scaling the η opt /C parameter from its 10-km values, and by noting that the quantity P secret /η opt is a function of µ and η opt /C only. (See Figure 7.) First, since no secret bits can be produced for η opt /C < (η opt /C) min = 0.0016, we infer that free-space QKD would be feasible with this system, at reduced rates, over high-desert groundto-ground atmospheric paths of up to 15 km in full daylight, 30 km in "reduced daylight" (transmitter in shadow) and 45 km at night. Second, optimal secrecy efficiency is attained for µ ~ 0.5, independent of range and time-of-day when the USD and PNS eavesdropping possibilities are not considered. Third, our methodology allows us to infer the performance gains that could be expected from various instrumental changes. Implementation of fast pointing beam control at the transmitter is likely to increase the value of η opt , and hence η opt /C which would increase the number of secret bits that could be created per unit time at a given range and the system's maximum range. In contrast, although increasing the receiver aperture would also increase the value of η opt , and hence the secret bit rate at a given range, it would not increase the maximum daylight range because the value of η opt /C would be unchanged. This is because in daylight the quantity C is background dominated, and the increased receiver aperture would increase this quantity in proportion to the increase in η opt . However, an increased receiver aperture would increase the maximum range of our system at night, because C is then dominated by detector dark noise, which would not be altered by the aperture increase. The use of lower-noise SPDs would also allow higher secret bit yields and longer ranges at night because of the reduction in C and increase in η opt /C. An improvement in the error correction efficiency would allow modest improvements in both the secret bit yield and range. Finally we believe that the methodology that we have developed for relating the overall system performance to instrumental and quantum channel properties may also be applicable to other QKD systems, including optical-fiber based ones.
Peter Dickson and the board of the Los Alamos Ski Club and the National Forest Service are thanked for providing access to their property for this experiment. National Reconnaissance Office Director's Innovation Initiative funding administered by Col. John Comtois and Peter Hendrickson is gratefully acknowledged. It is a pleasure to thank George Morgan and Christopher Wipf for helpful discussions.

LA-UR-02-449
Alice generates a secret random bit sequence Alice transmits the sequence to Bob using the BB84 protocol Bob reveals which photons he detected; Alice and Bob form their "raw" keys Alice reveals her basis choices; Bob reveals on which detected photons he used the same basis; they form their "sifted keys" Alice and Bob perform "privacy amplification" to produce an errorfree, final secret key Alice and Bob correct Bob's errors, forming partially secret, error-free "reconciled keys" P sif→secret P sif P secret Alice generates a secret random bit sequence Alice transmits the sequence to Bob using the BB84 protocol Bob reveals which photons he detected; Alice and Bob form their "raw" keys Alice reveals her basis choices; Bob reveals on which detected photons he used the same basis; they form their "sifted keys" Alice and Bob perform "privacy amplification" to produce an errorfree, final secret key Alice and Bob correct Bob's errors, forming partially secret, error-free "reconciled keys" P sif→secret P sif P secret Figure 1. This figure shows the sequence of events in a QKD procedure leading to a cryptographic key shared by Alice and Bob on which they agree with overwhelming probability and on which Eve knows very much less than one bit of information. Also shown are three figures-of-merit for characterizing the process: P sif , which characterizes the efficiency with which sifted bits are produced from the initial bit sequence; P sif→secret , which characterizes the efficiency of extracting secret bits from the sifted bits; and P secret , which characterizes the overall efficiency for generating final secret bits. (See text for details.) LA-UR-02-449 At Bob data pulses pass through an IF and onto a BS where they are randomly transmitted or reflected. Along the reflected path, a data pulse's polarization is analyzed in the rectilinear basis, using a polarization controller (PC) and a polarizing beamsplitter (PBS). If one of the SPDs in the PBS output ports fires within the timing window (and no other SPD fires) Bob assigns a bit value to the data pulse. An analogous procedure occurs for data pulses taking the transmitted path where they are polarization analyzed according to Bob's conjugate (diagonal) basis. (We estimate that the probability for a photon produced in the SPD breakdown "flash" [27] to emerge from the receiver telescope is < 10 -9 .) Multi-detection events, in which more than one SPD fires, are recorded but not used for key generation.
LA-UR-02-449 LA-UR-02-449 Figure 4. A surface plot showing the privacy amplification efficiency P sif→secret , with which secret bits can be extracted from a sifted key for our system, which is a function of two independent variables: the average photon number, µ, and the atmospheric quantum channel parameter, η opt /C. The locations of 1-s, 10-km quantum transmissions from 4 October, 2001 are marked on this surface, which is color coded by the sifted key BER. The privacy amplification efficiency for other ranges and conditions is given by the point on this surface, whose location is specified by the η opt /C value, which may be obtained by scaling from the 10-km values, and the average photon number, µ. Where P sif→secret drops to zero, no secret bits can be extracted from the sifted key. (See text for details.) Figure 5. A histogram of the secrecy efficiency, P secret , (the number of secret bits produced per transmitted bit) versus the average photon number, µ, and the atmospheric quantum channel parameter, η opt /C, values color-coded by the sifted key BER, ε, of 1-s, 10-km quantum key transmissions on 4 October, 2001. Several 1-s transmissions are grouped into each vertical column. The key transmission marked with the red arrow is described in Table 1. In the region below the red line no secret bits can be transferred with this system. For example, we see that a portion of our daylight data (with η opt /C < 0.0016) lies in this region. Even though these transmissions yielded a large number of sifted bits (see Figure 3), no secret bits could be produced from them after reconciliation and privacy amplification (see Figure 4) Figure 6. An example of secure communications using a one-time pad constructed from cryptographic key material produced by 10-km free-space QKD. The digital image at left, which shows two of the authors (RJH and CGP) standing next to the free-space QKD transmitter (Alice) at one end of the 10-km range, is composed of 140x94 12-bit color pixels. Each bit of the image was encrypted by XOR-ing it with a secret key bit produced by QKD to produce an encrypted image, which was then communicated to Bob over a public channel, requiring 157,920 key bits in total. Eve would not be able to discern the original image through the randomization introduced by the encryption, but Bob can recover the image by XOR-ing each bit of the encrypted image with the appropriate bit of his secret key. Alice's and Bob's keys are represented as random images in which each pixel is the RGB representation of 12 bits of key. This one-time pad encryption is unconditionally secure but requires as many secret key bits as message bits. Practical cryptosystems would only need a few hundred secret key bits to encrypt large quantities of data.
LA-UR-02-449 Figure 7. A surface plot of the secrecy efficiency, P secret , scaled by the atmospheric quantum channel's efficiency, η opt , versus the average photon number, µ, and the quantum channel parameter, η opt /C, for our system. The locations of 1-s, 10-km quantum transmissions from 4 October, 2001 are marked on this surface, which is color coded by the sifted key BER. The data indicated by the red arrow ("File 331") is described in detail in Table 1. The secrecy efficiency for other ranges and conditions is given by the point on this surface, whose location is specified by the η opt /C value, which may be obtained by scaling from the 10-km values, and the average photon number, µ. , which had an average photon number, µ = 0.29, and an atmospheric quantum channel efficiency, η opt = 2.4%, resulting in 1,349 raw key bits, from which 651 bits were sifted, composed of 331 bits from the rectilinear basis and 320 bits from the diagonal basis. (The average photon numbers of each BB84 polarization state transmitted were, µ = 0.291, 0.288, 0.291, and 0.288 for the "H", "V", "+45º", and "-45º" polarizations respectively.) Bob's sifted key contains 21 errors (shown in red), corresponding to C ≈ 5, with 2 "H" errors ("H" transmitted but "V" received), 7 "V" errors, 7 "+45º" errors and 5 "-45º" errors, giving a sifted BER of ε = 3.2%, which translates to a background radiance ~ 0.2 mW cm -2 µm -1 str -1 . Alice and Bob estimate that Eve's collision entropy on the sifted key is reduced from maximal by 40 bits to compensate for potential interceptresend eavesdropping in the Breidbart basis on single-photon events, and by 170 bits to compensate for potential eavesdropping on multi-photon events, to 440 bits. This is further reduced by 155 bits to compensate for side information revealed to correct Bob's errors, by 2 bits of side information corresponding to a slight 47/53-bias towards 0s in the sifted key, and by a 20-bit safety factor to give a 264-bit final, error-free secret key on which Eve's expected information is < 10 -6 bits. During this transmission there was one multi-detector event, consistent with a data-background coincidence, which was discarded. We attribute the tendency for errors to cluster to atmospheric scintillation.