# For the conception of the first key agreement protocol whose security is derived from the validity of quantum physics

Writing is a very powerful means for the distribution of information to many people and over large distances, and for preserving the knowledge over time. Creating a network of potential readers was a primary challenge at the beginning. As literacy increased, the need to limit the access to information to selected readers developed.

Julius Cesar protected orders to his troops by permuting the letters of the alphabet in his messages. He specifically shifted the letters by three positions to the left, i.e., he substituted D by A, E by B and so on. This cipher had no explicit key. The associated transformation became known over time and lost its protective power. Thus, more complex substitutions were developed. The Arab scientist Al Kindi applied statistical analysis to break ciphers in the 9th century already. Letter-by-letter substitutions were thus not secure anymore. More complex transformations were needed, and they had to be controlled by keys from a space large enough to prevent exhaustive search. These keys had to be agreed beforehand, which is not very practical.

Public key cryptography opened a new approach with everyone being able to encrypt a message using a recipient’s public key. Only the recipient, who knows the corresponding secret key, would be able to decrypt it. So, there would be two keys one for encryption, which is public, and one for decryption, which is kept secret by its owner. The public key cryptosystems most widely used today are RSA, Diffie-Hellman, and elliptic curves. Koblitz and Miller received the Eduard Rhein Technology Award 2020 for conceiving elliptic curve public key cryptography. At the present, these schemes enable our digital society. They rely on the expected complexity of inverting the encryption function without knowledge of the secret key. In the long term these schemes are threatened by future capabilities of quantum computers. New post-quantum schemes are thus being developed. They depend on the difficulty of inverting certain functions both on classical and on quantum computers. Currently, there is no theoretical basis to derive bounds on the associated complexity and thus the security of such schemes.

The conception of the first quantum key distribution (QKD) protocol by Bennett and Brassard – this year’s recipients of the Eduard Rhein Technology Award – stands out in this respect. Their scheme is secure due to specific properties of quantum mechanics rather than due to an expected computational complexity. Quantum mechanics is one of the best-established physical theories. If it holds and if the scheme is implemented correctly, QKD is provably secure. This is a qualitative difference – there is no classical equivalence.

Let us develop this somewhat: in classical physics every observable quantity can take any value, independent of any other observables. Furthermore, a sufficiently careful measurement was believed not to change the value of the observable. In quantum physics, this is no more the case. Observables often take discrete values and measurements typically impact the states themselves. The measurement of a photon’s polarization may be horizontal or vertical. This can be represented by states, i.e., vectors in a two-dimensional plane – the Hilbert space. In that plane, the vector associated with the horizontal polarization points in the x-direction and the vector associated with the vertical polarization points in the y-direction. Every single photon can be in either of the states as well as in a superposition of the two states, with its state vector pointing anywhere in that plane. A measurement of the horizontal/vertical polarization for such a single photon state provides the result “horizontal” or “vertical”. The information about the superposition itself is lost. No eavesdropper can thus reconstruct the state itself. The rigorous “no cloning theorem” prevents the generation of copies of states in general. This is the basis for QKD, typically described with Alice preparing single-photon states that are transmitted to Bob, who analyzes them. Both use two arrangements of their apparatuses: the horizontal/vertical arrangement described already as well as an arrangement rotated by 45 degrees (in counter-clock direction). The projections of the states produced by the latter systems on those produced by the former system have equal lengths. If Alice prepares her state in the original system, with the horizontal state representing a 0 and the vertical state representing a 1 and if Bob measures using the rotated system, he will obtain a result that does not depend on the values transmitted by Alice. If he used the same orientation, he obtains identical values.

The protocol is as follows: Alice and Bob randomly choose their bases, i.e. the orientation of their apparatus (non-rotated or rotated) and perform a sequence of prepare and measure steps. In a subsequent classical and public discussion, they identify the instances in which they used the same setting and for which Bob received a photon. As long as Alice does not transmit multiple copies of her photons, the disturbances introduced by Eve will ultimately disclose her presence. This ensures that Alice and Bob share a key string that provably no-one else can know, except by chance. Alice and Bob must, however, prove to each other who they are. Charles H. Bennett and Gilles Brassard used the provably secure Wegman-Carter authentication for that purpose. Their protocol – called BB84 – in the meantime has opened the completely new possibility of agreeing on keys in a provably secure manner.

Frank Miller in 1882 and Gilbert Vernam in 1917 had proposed to XOR the message bits with key bits. Joseph Oswald Mauborgne understood that this scheme was secure if every key bit was obtained from an independent coin flip experiment. Claude Shannon published a proof for the perfect security of that scheme in 1949. The present BB84 protocol provides a bit sequence with the required statistics and thus enables perfect secrecy.

In applications BB84 and most other QKD-protocol implementations use optical transmission, due to the capability of reliably detecting single photons in the optical domain. The state of these photons is not much perturbed in optical fibers as long as there are no amplifiers or repeaters. Bennett and Brassard incidentally performed a demonstration of principles over a distance of 30 centimeters. Today, fibers are used in selected applications for governments, banks as well as in data centers. The distances involved are typically rather short. Attenuation limits the distances to a few 100 km. Some key rates have been shown up to 1000 km with an intermediate receiver. In general, maintaining security over larger distances requires genuine quantum repeaters. They create a chain of quantum entanglements, which permits the teleportation of photonic states from Alice to Bob with a similar observability of eavesdropping as with single hop systems. Building quantum repeaters in practice is difficult and still subject to further research.

Low Earth Orbiting (LEO) satellites provide an alternative to fiber optical links. Free-space propagation is associated with a much lower attenuation and enables QKD with reasonable apertures on the satellites and on the ground. China demonstrated QKD over satellites with its Micius mission launched in 2016. Several other missions are in preparation, also in Europe. The most prominent one is Eagle-1, which aims at substantial key rates using a LEO satellite. Other missions consider satellites down to the size of CubeSats, e.g., the German QUBE2 project. A network of such satellites could provide a key distribution service between distant nodes. Efficiency considerations typically make the satellite a trusted node. This is seen as acceptable for dedicated satellites in trusted hands, since they can be very well protected against cyber-attacks. Besides satellite payload developments, several projects aim at extending terrestrial links by developing quantum repeaters.

Achieving security in networked QKD systems is another important task. It is addressed by all interested parties. China runs a network of QKD-secured systems with metropolitan networks in Beijing, Shanghai as well as Jinan and Hefei, which are all connected. The latter network spans a distance of 2000 km. It is successively expanded to include additional cities. Furthermore, two satellite links allow for the integration of terminals separated by as much as 7600 km. The EuroQCI-Initiative also comprises a terrestrial network and a space segment (SAGA). Furthermore, a number of regional QKD network initiatives in Europe are in various states of planning and initial operations. Initiatives focused on technologies and their application, like OPENQKD at European Level and QuNET in Germany promote the development and industrialization of QKD technologies, as well as their adoption by governments, infrastructures and in the financial, industrial and medical sector.

In view of the dependency of modern society on information technology in governmental, infrastructural, medical, industrial and many other application areas, the capability of establishing provably secure keys is vital to our society. This was our motivation to award the Eduard Rhein Technology Award 2023 to Dr. Charles H. Bennett and Prof. Gilles Brassard.

Dr. Bennett studied in Harvard. He is an IBM fellow at IBM Research. Besides his seminal work on quantum cryptography, he is a co-inventor of quantum teleportation and significantly contributed to the use of entanglement in information theory. He has co-founded and significantly shaped quantum information theory. Charles H. Bennett is a Fellow of the National Academy of Sciences and of the American Physical Society. In 2022, he became a member of the Royal Society. He is the recipient of the Harvey Prize (Technion, 2008), of the Dirac Medal (International Center for Theoretical Physics, 2017), of the Wolf Prize in Physics (Israel, 2018), of the “BBVA Foundation Frontiers of Knowledge Award in Basic Science” (Banco Bilbao Viscaya Argentaria, 2019), of the Micius Quantum Prize in 2019, and of the Claude E. Shannon Award (IEEE, 2020). In parallel to the Eduard Rhein Technology Award in 2023, he received the prestigious “Breakthrough Prize in Fundamental Physics.”

Prof. Gilles Brassard studied computer science at Cornell University. He is a full Professor at the University of Montreal since 1988. He was a Canada Research Chair from 2001 to 2021. He is a fellow of the Royal Society of Canada and of the Royal Society in London. He won the Prix Marie-Victorin and was elected Fellow of the “International Association of Cryptologic Research”. He also became an officer of the order of Canada. Since Gilles Brassard and Charles H. Bennett worked closely together, they share the merits of shaping quantum information theory and also share some of the awards, including in particular the Wolf Prize in Physics (2018), the “BBVA Foundation Frontiers of Knowledge Award in Basic Science” and the Micius Quantum Prize as well as the “Breakthrough Prize in Fundamental Physics” as well as the Eduard Rhein Technology Award in 2023.

**Prof. Christoph Günther**