Content uploaded by Hugo Zbinden
Author content
All content in this area was uploaded by Hugo Zbinden
Content may be subject to copyright.
Experimental demonstration of quantum secret sharing
W. Tittel, H. Zbinden, and N. Gisin
Group of Applied Physics, University of Geneva, CH-1211, Geneva 4, Switzerland
共Received 23 June 2000; published 6 March 2001兲
We present a setup for quantum secret sharing based on energy-time entanglement. In opposition to known
implementations using three particle Greenberger-Horne-Zeilinger 共GHZ兲states, our idea takes advantage of
only two entangled photons created via parametric down conversion. However, the system comprising the
pump plus the two down-converted photons bare the same quantum correlation and can be used to mimic three
entangled qubits. The relatively high coincidence count rates found in our setup enable for the first time an
application of a quantum communication protocol based on more than two qubits.
DOI: 10.1103/PhysRevA.63.042301 PACS number共s兲: 03.67.Hk, 03.67.Dd
I. INTRODUCTION
Entangled particles play the major role both as candidates
for tests of fundamental physics 关1–4兴as well as in the
whole field of quantum communication 关5兴. Until recently,
most work has been focused on two-particle correlations. For
a couple of years, however, the interest in multi-particle
entanglement—which we identify in this article with
n⬎2—is growing rapidly. From the fundamental side, par-
ticles in so-called GHZ states enable new tests of nonlocality
关6兴. From the side of quantum communication, more and
more ideas for applications 关7兴like quantum secret sharing
共QSS兲关8–11兴emerge. However, a major problem still is the
lack of multi-photon sources. Nonlinear effects that enable
one to ‘‘split’’ a pump photon into more than two entangled
photons have extremely low efficiency, and experiments still
lie in the future. Recently Bouwmeester et al. could demon-
strate a different approach where they started with two pairs
of entangled photons and transformed them via a clever mea-
surement into three photons in a GHZ state and a fourth
independant trigger photon 关12兴. In this article we demon-
strate the feasibility of QSS using what we term pseudo-
GHZ states. In opposition to ‘‘true’’ GHZ states, our states
do not consist of three down-converted photons but only of
two down-converted ones plus the pump photon. However,
and essential for QSS, they bare the necessary GHZ quantum
correlation. Moreover, thanks to much higher coincidence
count rates, they enable us for the first time to realize a
multi-particle application of quantum communication.
The outline of this article is the following: After a short
review of GHZ states 共Sec. IIA兲, we will explain the QSS
protocol 共Sec. IIB兲—first based on GHZ states and then us-
ing pseudo-GHZ states. Section III is dedicated to the experi-
mental setup 共Sec. IIIA兲and to the results 共Sec. IIIB兲.A
brief discussion concerning some interesting security aspects
and its relation to the maximum transmission distance is fi-
nally given in Sec. IV, followed by a short conclusion.
II. THEORETICAL PART
A. GHZ states
Entangled states of more than two qubits, so-called GHZ
states, can be described in the form
兩
典
GHZ⫽1
冑
2共
兩
0
典
1
兩
0
典
2
兩
0
典
3⫹
兩
1
典
1
兩
1
典
2
兩
1
典
3), 共1兲
where
兩
0
典
and
兩
1
典
are orthogonal states in an arbitrary Hil-
bert space and the indices label the particles 共in this case
three兲. As shown by Greenberger, Horne, and Zeilinger in
1989 关6兴, the attempt to find a local model able to reproduce
the quantum correlations faces an inconsistency. In the
multi-particle case, the contradiction occurs already when
trying to describe the perfect correlations. Thus, demonstrat-
ing these correlations directly shows that nature cannot be
described by local theories. However, since it will never be
possible to experimentally demonstrate perfect correlations,
the question arises whether there is some kind of threshold,
similar to the one given by Bell inequalities for two-particle
correlations 关1兴, that enables one to separate the ‘‘nonlocal’’
from the ‘‘local’’ region. Indeed, the generalized Bell in-
equality for the three-particle case 关13兴,
S3
⫽
兩
E共
␣
⬘,

,
␥
兲⫹E共
␣
,

⬘,
␥
兲⫹E共
␣
,

,
␥
⬘兲
⫺E共
␣
⬘,

⬘,
␥
⬘兲
兩
⭐2共2兲
with E(
␣
,

,
␥
) the expectation value for a correlation mea-
surement with analyzer settings
␣
,

,
␥
, can be violated by
quantum mechanics, the maximal value being
S3
qm⫽4. 共3兲
For instance, finding a correlation function of the form
E(
␣
,

,
␥
)⫽Vcos(
␣
⫹

⫹
␥
) with visibility Vabove 50%
shows that the correlations under test cannot be described by
a local theory. Note that this value is much lower than in the
two-particle case where the threshold visibility is ⬇71%.
B. Quantum secret sharing
Quantum secret sharing 关8–10兴is an expansion of the
‘‘traditional’’ quantum key distribution to more than two
parties. In this new application of quantum communication, a
sender, usually called Alice, distributes a secret key to two
other parties, Bob and Charlie, in a way that neither Bob nor
Charlie alone have any information about the key, but that
together they have full information. Moreover, an eavesdrop-
PHYSICAL REVIEW A, VOLUME 63, 042301
1050-2947/2001/63共4兲/042301共6兲/$20.00 ©2001 The American Physical Society63 042301-1
per trying to get some information about the key creates
errors in the transmission data and thus reveals her presence.
The motivation for secret sharing is to guarantee that Bob
and Charlie must cooperate—one of them might be
dishonest—in order to do some task, one might think for
instance of accessing classified information.
1. QSS using GHZ states
As pointed out by Z
˙ukowski et al. 关8兴and by Hillery
et al. 关9兴, this protocol can be realized using GHZ states.
Assume three photons in a GHZ state of the form 共1兲with
兩
0
典
and
兩
1
典
being different modes of the particles 共Fig. 1兲.
After combining the modes at beamsplitters located at Al-
ice’s, Bob’s and Charlie’s, respectively, the probability to
find the three photons in any combination of output ports
depends on the settings
␣
,

,
␥
of the phase shifters:
Pi,j,k⫽1
8共1⫹ijkcos共
␣
⫹

⫹
␥
兲兲 共4兲
with i,j,k⫽⫾1 labeling the different output ports. Before
every measurement, Alice, Bob and Charlie choose ran-
domly one out of two phase values (0,
/2). After a sufficient
number of runs, they publicly identify the cases where all
detected a photon. All three then announce the phases chosen
and single out the cases where the sum adds up either to 0 or
to
. Note that the probability function 关Eq. 共4兲兴 yields 1/4
for these cases. Denoting l⫽cos(
␣
⫹

⫹
␥
)⫽⫾1 and using
Pi,j,k⫽1/4, Eq. 共4兲leads to
ijkl⫽1. 共5兲
At this point, each of them knows two out of the values
i,j,k,l. If now Bob and Charlie get together and join their
knowledge, they know three of the four parameters and can
thus determine the last one, which is also known to Alice.
Identifying ‘‘⫺1’’ with bit value ‘‘0’’ and ‘‘⫹1’’ with ‘‘1,’’
the correlated sequences of parameter values can then be
turned into a secret key.
2. QSS using pseudo-GHZ states
We now explain how to implement quantum secret shar-
ing using our source 共see Fig. 2兲. The idea is based on a
recently developed novel source for quantum communica-
tion, creating entangled photons in energy-time Bell states
关14,15兴. A short light pulse emitted at time t0enters an in-
terferometer having a path length difference which is large
compared to the duration of the pulse. The pulse is thus split
FIG. 1. Schematics for quantum secret sharing using GHZ
states. Note that in a real implementation, the source would be part
of Alice setup and not of a fourth, independent party.
FIG. 2. Principle setup for quantum secret
sharing using energy-time entangled pseudo-
GHZ states. Here shown is a fiber optical realiza-
tion.
W. TITTEL, H. ZBINDEN, AND N. GISIN PHYSICAL REVIEW A 63 042301
042301-2
into two pulses of smaller, equal amplitude, following each
other with a fixed phase relation. The light is then focused
into a nonlinear crystal where some of the pump photons are
downconverted into photon pairs. The pump energy is as-
sumed to be such that the possibility to create more than one
pair from one initial pump pulse can be neglected. This first
part of the setup is located at Alice’s. The downconverted
photons are then separated and sent to Bob and Charlie, re-
spectively. Both of them are in possession of a similar inter-
ferometer as Alice, introducing exactly the same difference
of travel times. The two possibilities for the photons to pass
through any device lead to three time differences between
emission of the pump pulse at Alice’s and detection of the
photons at Bob’s and Charlie’s, as well as between the de-
tection of one downconverted photon at Bob’s and the cor-
related one at Charlie’s 共Fig. 2兲. Looking for example at the
possible time differences between detection at Bob’s and
emission of the pump pulse (tB⫺t0), we find three different
terms. The first one is due to ‘‘pump pulse traveled via the
short arm and Bob’s photon traveled via the short arm’’ to
which we refer as
兩
s
典
A,
兩
s
典
B. Please note that this notation
considers the pump pulse as being a single photon 共now
termed ‘‘Alice’s photon’’兲, stressing the fact that only one
pump photon is annihilated to create one photon pair. More-
over, the fact that this state is not a product state is taken into
account by separating the two kets by ‘‘,’’. The second time
difference is either due to
兩
s
典
A,
兩
l
典
B,orto
兩
l
典
A,
兩
s
典
B, and the
third one to
兩
l
典
A,
兩
l
典
B. Similar time spectra arise when look-
ing at the time differences between emission at Alice’s and
detection at Charlie’s (tC⫺t0), as well as between the detec-
tions at Bob’s and Charlie’s (tC⫺tB). Selecting now only
processes leading to the central peaks 关16兴, we find two pos-
sibilities. If both of them are indistinguishable, the process is
described by
兩
典
⫽1
冑
2共
兩
l
典
A,
兩
s
典
B
兩
s
典
C⫹ei(
␣
⫹

⫹
␥
)
兩
s
典
A,
兩
l
典
B
兩
l
典
C), 共6兲
with phases
␣
,

,
␥
in the different interferometers. The
maximally entangled state 共6兲is similar to the GHZ state
given in Eq. 共1兲, the difference being that the three photons
do not exist at the same time 共remember the ‘‘,’’兲. Therefore,
our state is obviously of no significance concerning GHZ-
type tests of nonlocality. To stress this difference, we call it
pseudo-GHZ state. However, the probability function de-
scribing the triple coincidences 关Eq. 共4兲兴—in our case be-
tween emission of a pump pulse and detection at Bob’s and
Charlie’s—is the same as the one originating from a true
GHZ state, therefore allowing QSS. To avoid the complica-
tion of switching the pump laser randomly between one of
the two input ports—equivalent to detecting a photon in one
or the other output port—we let Alice choose between one of
four phase values
␣
⬘(0,
/2,
,3
/2). To map the choice of
phases on the initial scheme where the information of Alice,
Bob, and Charlie is given by a phase setting and a detector
label, we assign a different notation to characterize Alice
phases 共Table I兲. Using this convention, we can implement
the same protocol as given above, the advantage being the
fact that our setup circumvents creation and coincidence de-
tection of triple photons. Indeed, the emission of the bright
pump pulse can be considered as detection of a photon with
100% efficiency, and only photon-pair generation is neces-
sary. This leads to much higher triple coincidence rates, en-
abling the demonstration of a multi-qubit application of
quantum communication. Note as well that the same setup
can also be used for two-party quantum key distribution
based energy-time Bell states 关15兴.
Like in two-party quantum cryptography, the security of
quantum secret sharing using GHZ states is given by the fact
that the measurements are made in noncommuting bases
关9,10,17兴. An eavesdropper, including a dishonest Alice, Bob
or Charlie, is thus forced to guess about the bases that will be
chosen. The fact that she will guess wrong in half of the
cases then leads to detectable errors in the transmission data
which reveal her presence. However, as discussed in 关10兴,
the order of releasing the public information to verify the
security of the transmitted data is important in the three-party
case, where one must face the situation of an internal eaves-
dropper.
One might question the security of our setup, the weak
point being the channel leading from Alice’s interferometer
to the crystal. Here, the light is classical and the phase could
be measured without modifying the system. However, since
this part is controlled by Alice and the parts physically ac-
cessible to an eavesdropper carry only quantum systems, our
realization does not incorporate any loophole. Note as well
that in the schemes presented in Figs. 1 and 2, not only Alice
but any of the three can force the two others to collaborate.
However, it is not clear yet whether Alice’s special position
of having access to the source might give her an advantage
concerning internal eavesdropping. In this case, the symme-
try for key distribution might be broken. Being beyond the
scope of this article, problems arising from external and in-
ternal eavesdropping are certainly worth further theoretical
investigation.
III. EXPERIMENTAL REALIZATION
A. Experimental setup
To generate the short pump pulse, we use a pulsed diode
laser 共Pico-Quant PDL 800兲, emitting 600 ps 共FWHM兲
pulses of 655 nm wavelength at a repetition frequency of 80
MHz. The small amount of also emitted infrared light is
prevented from entering the subsequent setup by means of a
dispersive prism. After passing a polarizing beamsplitter
共PBS兲serving as optical isolator, the pump is focused into a
single mode fiber and guided into a fiber-optical Michelson
interferometer made of a 3 dB fiber coupler and chemically
deposited silver end mirrors. The path-length difference cor-
responds to a difference of travel time of ⬇1.2 ns, splitting
TABLE I. Mapping of the four possible phases
␣
⬘at Alice’s on
two phase values
␣
and the parameter i.
␣
⬘0
/2
3
/2
␣
0
/2 0
/2
i11⫺1⫺1
EXPERIMENTAL DEMONSTRATION OF QUANTUM .. . PHYSICAL REVIEW A 63 042301
042301-3
the pump pulse into two well separated pulses. The tempera-
ture of the whole interferometer is maintained stable. To
change the phase difference, we elongate the fiber of the long
arm by means of a piezo-electric actuator. Three polarization
controllers enable us to control the evolution of the polariza-
tion state within the different parts of the interferometer. By
these means, we ensure that the evolutions of polarization in
the long and the short arm are identical. Besides, the light
being back-reflected is prevented from impinging onto the
laser diode by means of the PBS. Finally, the horizontally
polarized light leaving the interferometer by the second out-
put fiber is focused into a 4⫻3⫻12 mm KNBO3crystal,
cut and oriented in order to ensure colinear, degenerate
phasematching, hence creating photon pairs at 1310 nm
wavelength. Behind the crystal, the red pump light is ab-
sorbed by a filter 共RG1000兲, and the photon pairs are focused
into a fiber coupler, separating them in half of the cases. The
average pump power before the crystal is ⬇1 mW, and the
energy per pulse is—remember that each initial pump pulse
is now split into two—⬇6 pJ. To characterize the perfor-
mance of our source, we connect the coupler’s output fibers
to single-photon counters—passively quenched germanium
avalanche photodiodes, operated in Geiger-mode and cooled
to 77 K. They feature quantum efficiencies of ⬇5% at dark
count rates of 30 kHz. We find net single-photon rates of 20
and 27 KHz, respectively, leading to 420 coincidences per
second ina1nscoincidence window.
The down-converted photons are finally guided into fiber
optical Michelson interferometers, located at Bob’s and
Charlie’s, respectively. The interferometers, consisting of a 3
dB fiber coupler and Faraday mirrors, have been described in
detail in 关18兴. To access the second output port, usually co-
inciding with the input port for this kind of interferometer,
we implement three-port optical circulators. The interferom-
eters incorporate equal path length differences, and the travel
time difference is the same as the one introduced by the
interferometer acting on the pump pulse. To control their
phases, the temperature of Alice and Bob’s interferometers
can be varied or can be maintained stable.
The output ports are connected to single-photon counters,
operated as discussed before. Due to 6 dB additional losses
in each interferometer, the single-photon detection rates drop
to 4–7 kHz. The electrical output from each detector is fed
into a fast AND gate, together with a signal, coincident with
the emission of a pump pulse. We condition the detection at
Bob’s and Charlie’s on the central peaks (
兩
s
典
P,
兩
l
典
Aand
兩
l
典
P,
兩
s
典
A, and
兩
s
典
P,
兩
l
典
Band
兩
l
典
P,
兩
s
典
B, respectively兲. Look-
ing at coincident detections between two AND gates—
equivalent to triple coincidences—we finally select only the
interfering processes for detection.
B. Results
To demonstrate the feasibility of quantum secret sharing,
we verify whether the quantum correlations are correctly de-
scribed by the sinusoidal function given in Eq. 共4兲. Linearly
changing the phase in Alice’s 共as well as in Bob’s兲interfer-
ometer we observe sinusoidal fringes in the triple coinci-
dence rates 共see Fig. 3兲. Maximum count rates are around
800 in 50 s and minimum ones around 35. Visibilities are in
between 89.3% and 94.5% for the different detector combi-
nations, leading to a mean visibility of 92.2⫾0.8% and a
quantum bit error rate RQBER—the ratio of errors to detected
events—of (3.9⫾0.4)%. The RQBER can directly be obtained
from the visibility: RQBER⫽(1⫺V)/2. Figure 4 shows the
same results, now taking into account that Alice may have
chosen a phase value larger than
/2 and that the mapping
given in Table I applies. In these cases, the new global phase
yields
⫽
⬘⫺
/2 and the value for ichanges from ⫹1to
⫺1. Figure 4 depicts the modified data around
⫽0共i.e.,
l⫽⫹1); the 共similar兲figure for
⫽
共i.e., l⫽⫺1) is not
shown here. For better presentation, the data is divided into
two graphs, one focusing on the detector combinations show-
ing constructive interference, the other one on the combina-
tions showing destructive interference. If, e.g., Bob and
Charlie both detect a photon in the ‘‘⫹’’-labeled detectors in
the case
⫽0共i.e., j,k,l⫽⫹1), they know that Alice value
imust be ⫹1 as well since this is the only detector combi-
nation showing constructive interference.
FIG. 3. Result of the measurement when changing the global
phase
⬘by varying the phase
␣
⬘in Alice interferometer. The
different mean values are due to nonequal quantum efficiencies of
the single photon detectors.
FIG. 4. Interpreting the obtained results for QSS 共corresponding
to Table I兲. The figure shows the data around
⫽0共i.e., l⫽⫹1).
If, e.g., Bob and Charlie both detect a photon in the ‘‘⫹’’-labeled
detectors in this case, they know that Alice value imust be ⫹1as
well.
W. TITTEL, H. ZBINDEN, AND N. GISIN PHYSICAL REVIEW A 63 042301
042301-4
IV. DISCUSSION AND CONCLUSION
Like in all experimental quantum key distribution, the
RQBER is nonzero, even in the absence of any eavesdropping.
The observed 4% can be divided into two different parts. The
first one—the so-called RQBER
opt —originates from nonperfect
localization of the pump pulse, limited resolution of the
single-photon detectors and nonperfect interference. Note
that the number of errors is due to wrongly arriving photons
at Alice’s and Bob’s. Therefore, it decreases with transmis-
sion losses—at the same rate as does the number of trans-
mitted photons. Hence, these errors do not engender an in-
crease of the RQBER with distance. The other part—the
RQBER
acc —is caused by wrong counts from accidentally corre-
lated counts at the single-photon counters. In opposition to
the errors mentioned before, these errors are independent of
losses, since, in our experiment, they are mostly due to 共con-
stant兲detector noise. Therefore, the RQBER
acc increases linearly
with losses. However, since it causes only 10% of the total
RQBER in our laboratory demonstration, the RQBER will in-
crease only at a small rate. From our results we can estimate
the RQBER as a function of losses of the quantum channel:
RQBER共L兲⫽RQBER
opt ⫹1
1⫺LRQBER
acc 共0兲共7兲
with RQBER
opt ⫽3.6%, and RQBER
acc (0)⫽0.4% being the detector
induced RQBER as measured in the lab. Lcharacterizes the
additional losses during transmission, where L⫽0 denotes
no losses and L⫽1 means that all photons have been ab-
sorbed.
Let us briefly elaborate on the obtained visibilities with
respect to the critical visibility that can still be tolerated. Its
value is given by the point where the information that might
have been obtained by an eavesdropper cannot be made ar-
bitrarily small using classical error correction and privacy
amplification any more. In case of two-party quantum key
distribution using the Bennett-Brassard 1984 共BB84兲proto-
col 关19兴, it corresponds exactly to a violation of two-particle
Bell inequalities 关17兴. In the three-party case, the critical vis-
ibility in the context of external eavesdropping is not known
yet. However, it is reasonable to assume a similar connec-
tion. Therefore, we compare our mean visibilitiy to the value
given by generalized Bell inequality 关Eq. 共2兲兴, even if our
setup does not incorporate GHZ-type nonlocality 关20兴: The
found visibility of 92.2⫾0.8% is more than 50 standard de-
viations (
) higher than the the threshold visibility of 50%
for the three-particle case. Moreover, it is more than 25
above 71%, the value given by standard 共two-particle兲Bell
inequalities—possibly important in the context of internal
eavesdroping by one of the legitimated users. Within this
respect, it is also interesting to calculate Sexp : We find
Sexp⫽3.69, well above S3
⫽2关Eq. 共2兲兴. Therefore, the per-
formance of our source is good enough to detect any eaves-
dropping and to ensure secure key distribution. Moreover,
the bit-rate of ⬇15 Hz underlines its potential for real ap-
plications. To compare our coincidence rate to an experiment
using true GHZ states 关12兴, Bouwmeester et al. found one
GHZ state per 150 s. However, in order to really implement
our setup for quantum secret sharing, an active phase stabi-
lization compensating small interferometric drifts in Alice’s
interferometer as well as fast phase modulators still have to
be incorporated 关21兴.
Let us finally comment on the possibility to extend our
experiment to longer distances. As discussed before, the
maximum achievable distance is likely to be limited either
by a minimum visibility of V⫽50%, hence a RQBER of 25%
共external eavesdropping兲,orbyVmin⬇71%, hence a RQBER
of ⬇15% 共internal eavesdropping兲. From Eq. 共7兲,wefind
that losses of 96%, equivalent to 14 dB, or 98% 共17 dB兲,
respectively, can still be tolerated. Using the typical fiber
attenuation of 0.35 dB/km at a wavelength of 1310 nm, this
translates into a respective maximum transmission distance
of 40 km in case of internal eavesdropping, or 50 km in case
of external eavesdropping. Finally, taking into account that
phase modulators, typically featuring losses of ⬇3 dB, must
still be implemented, we find a maximum span of 30–40 km.
In conclusion, we demonstrated the feasibility of quantum
secret sharing using energy-time entangled pseudo-GHZ
states in a laboratory experiment. We found bit-rates of
around 15 Hz and quantum bit error rates of 4%, low enough
to ensure secure key distribution. The advantage of our
scheme is the fact that neither triple-photon generation nor
coincidence detection of three photons is necessary, enabling
for the first time an application of a multi-particle quantum
communication protocol. Moreover, since energy time en-
tanglement can be preserved over long distances 关3兴, our
results are very encouraging for realizations of quantum se-
cret sharing over tens of kilometers.
ACKNOWLEDGMENTS
We would like to thank J.-D. Gautier for technical support
and Picoquant for fast delivery of the laser. Support by the
Swiss FNRS and the European QuCom 共IST-1999-10033兲
project is gratefully acknowledged.
关1兴J.S. Bell, Physics 共Long Island City, N.Y.兲1, 195 共1964兲.
关2兴A. Aspect, P. Grangier, and G. Roger, Phys. Rev. Lett. 47, 460
共1981兲.
关3兴W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, Phys. Rev.
Lett. 81, 3563 共1998兲.
关4兴G. Weihs, T. Jennewein, C. Simon, H. Weinfurter, and A.
Zeilinger, Phys. Rev. Lett. 81, 5039 共1998兲.
关5兴Physics World, March 1998, special issue in quantum commu-
nication. Introduction to Quantum Computation and Informa-
tion, edited by H.K. Lo, S. Popescu, and T. Spiller 共World
Scientific, Singapore, 1998兲.
关6兴D.M. Greenberger, M.A. Horne, A. Shimony, and A.
Zeilinger, Am. J. Phys. 58, 1131 共1990兲.
关7兴S. Bose, V. Vedral, and P.L. Knight, Phys. Rev. A 57, 822
共1998兲.
关8兴M. Z
˙ukowski, A. Zeilinger, M.A. Horne, and H. Weinfurter,
EXPERIMENTAL DEMONSTRATION OF QUANTUM .. . PHYSICAL REVIEW A 63 042301
042301-5
Acta Phys. Pol. A 93, 187 共1998兲.
关9兴M. Hillery, V. Buzek, and A. Berthiaume, Phys. Rev. A 59,
1829 共1999兲.
关10兴A. Karlsson, M. Koashi, and N. Imoto, Phys. Rev. A 59, 162
共1999兲.
关11兴R. Cleve, D. Gottesman, and H.-K. Lo, Phys. Rev. Lett. 83,
648 共1999兲.
关12兴D. Bouwmeester, J.-W. Pan, M. Daniell, H. Weinfurter, and A.
Zeilinger, Phys. Rev. Lett. 82, 1345 共1999兲.
关13兴N.D. Mermin, Phys. Rev. Lett. 65, 1838 共1990兲; D.N. Kly-
shko, Phys. Lett. A 172, 399 共1993兲; N. Gisin and H.
Bechmann-Pasquinucci, ibid. 246,1共1998兲.
关14兴J. Brendel, N. Gisin, W. Tittel, and H. Zbinden, Phys. Rev.
Lett. 82, 2594 共1999兲.
关15兴W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, Phys. Rev.
Lett. 84, 4737 共2000兲.
关16兴The desired processes are thus postselected, leading to a de-
crease of count rates. It is in principle possible to create only
the events in the central peaks using switches instead of pas-
sive couplers 关14兴.
关17兴C. Fuchs, N. Gisin, R.B. Griffiths, C.S. Niu, and A. Perez,
Phys. Rev. A 56, 1163 共1997兲; I. Cirac and N. Gisin, Phys.
Lett. A 229,1共1997兲.
关18兴W. Tittel, J. Brendel, N. Gisin, and H. Zbinden, Phys. Rev. A
59, 4150 共1999兲.
关19兴C.H. Bennett and G. Brassard, in Proceedings of IEEE
International Conference on Computers, Systems and Signal
Processing, Bangalore, India 共IEEE, New York, 1984兲,
p. 175.
关20兴Note that it is only important that the obtained data violates
the Bell inequality and that this criterion applies even to crypto
systems based on single photons. Nonlocality is not an issue in
this context 关17兴!
关21兴Stability is a common problem in all quantum key distribution
schemes, the only exception being A. Muller, T. Herzog, B.
Huttner, W. Tittel, H. Zbinden, and N. Gisin, Appl. Phys. Lett.
70, 793 共1997兲; G. Ribordy, J.-D. Gautier, N. Gisin, O. Guin-
nard, and H. Zbinden, J. Mod. Opt. 47, 517 共2000兲.
W. TITTEL, H. ZBINDEN, AND N. GISIN PHYSICAL REVIEW A 63 042301
042301-6
