We developed a modified version of a conventional (BB84) quantum key distribution protocol that can be understood and implemented by students at a pre-university level. We intentionally introduce a subtle but critical simplification to the original protocol, allowing the experiment to be assembled at the skill level appropriate for the students, at the cost of creating a security loophole. The security vulnerability is then exploited by student hackers, allowing the participants to think deeper about the underlying physics that makes the protocol secure in its original form.

1. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145–195 (2002).
2. R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM 21(2), 120–126 (1978).
3. M. A. Nielsen and I. Chuang, Quantum Computation and Quantum Information (Cambridge U. P., Cambridge, 2000).
4. P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett. 85, 441–444 (2000).
5. R. Renner, N. Gisin, and B. Kraus, “Information-theoretic security proof for quantum-key-distribution protocols,” Phys. Rev. A 72, 012332 (2005).
6. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” Theor. Comput. Sci. 560, 7–11 (2014).
7. W. K. Wootters and W. H. Zurek, “A single quantum cannot be cloned,” Nature 299(5886), 802–803 (1982).
8. D. G. B. J. Dieks, “Communication by EPR devices,” Phys. Lett. A 92(6), 271–272 (1982).
9. Artur K. Ekert, “Quantum cryptography based on Bell's theorem,” Phys. Rev. Lett. 67, 661–663 (1991).
10. R. Horodecki, P. Horodecki, M. Horodecki, and K. Horodecki, “Quantum entanglement,” Rev. Mod. Phys. 81, 865–942 (2009).
11. John S. Bell, “On the Einstein Podolsky Rosen paradox,” Phys. Phys. Fiz. 1(3), 195–200 (1964).
12. T. Schmitt-Manderbach et al., “Experimental demonstration of free-space decoy-state quantum key distribution over 144 km,” Phys. Rev. Lett. 98, 010504 (2007).
13. C. Z. Peng et al., “Experimental long-distance decoy-state quantum key distribution based on polarization encoding,” Phys. Rev. Lett. 98, 010505 (2007).
14. J. Yin et al., “Satellite-based entanglement distribution over 1200 kilometers,” Science 356(6343), 1140–1144 (2017).
15. D. S. Lemelle, M. P. Almeida, P. H. Souto Ribeiro, and S. P. Walborn, “A simple optical demonstration of quantum cryptography using transverse position and momentum variables,” Am. J. Phys. 74, 542–546 (2006).
16. A. L. P. Camargo, L. O. Pereira, W. F. Balthazar, and J. A. O. Huguenin, “Simulation of the BB84 protocol of quantum cryptography by using an intense laser beam,” Rev. Bras. Ensino Fís. 39, e2305 (2017).
17. Karl Svozil, “Staging quantum cryptography with chocolate balls,” Am. J. Phys. 74, 800–803 (2006).
18. A. López-Incera and W. Dür, “Entangle me! A game to demonstrate the principles of quantum mechanics,” Am. J. Phys. 87(2), 95–101 (2019).
19. A. Kohnle and A. Rizzoli, “Interactive simulations for quantum key distribution,” Eur. J. Phys. 38, 035403 (2017).
20. S. DeVore and C. Singh, “Interactive learning tutorial on quantum key distribution,” Phys. Rev. Phys. Educ. Res. 16(1), 010126 (2020).
21. Eleni Diamanti et al., “Practical challenges in quantum key distribution,” NPJ Quantum Inf. 2(1), 1–12 (2016).
22. Charles H. Bennett et al., “Experimental quantum cryptography,” J. Cryptol. 5(1), 3–28 (1992).
23. Won-Young Hwang, “Quantum key distribution with high loss: Toward global secure communication,” Phys. Rev. Lett. 91, 057901 (2003).
24. The codes and technical documentation for this project are available at <https://github.com/HelpMeFinishPhD/Qcamp2019>.
25. The QWP converts linear-polarized light from the laser diode to circular-polarized light, which is subsequently projected into one of the four polarization states (H, V, D, A) with equal intensities using a motorized polarizer.
26. Visibility measurement: First, Alice chooses an arbitrary rotation angle for her polarizer to fix the orientation of H-polarization. Then, she transmits a macroscopic beam with this polarization to Bob as a reference. To arrive at a common coordinate system with Alice, Bob rotates his polarizer and identifies the position that maximises the transmission of the reference beam with the H-polarization.
27. We generate random numbers using the Entropy library, available at <https://sites.google.com/site/astudyofentropy>.
28. To generate each polarization “qubit,” Alice's microcontroller rotates her polarizer to the corresponding angle and transmits through it a 200 ms-long laser diode pulse. The overall duration required to generate each “qubit” (1.5 s) is limited by our stepper motors (see Appendix B), which have a maximum rotation speed of about 10 rpm.
29. Synchronization procedure: Alice transmits a sequence of 16 “qubits.” She precedes each transmission with a prearranged laser pulse sequence—a header—marking the beginning of each “qubit” sequence. Due to the clock-stability of the microcontroller (10⁻⁴), the uncertainty of the transmission time for each “qubit” is less than 2.4 ms. The uncertainty is small compared to the duration of each “qubit,” allowing Bob to predict the arrival times of the “qubits” after receiving the header pulse sequence.
30. Arduino IR Remote Library, available at <https://z3t0.github.io/Arduino-IRremote/>.
31. We aim to perform the key comparison step in future iterations of the setup, as it allows students to verify that their key was not corrupted by Eve using an intercept-resend attack. In our workshop, Eve intercepts, but does not resend “qubits,” rendering her eavesdropping attempt immune to detection by the key comparison step. Consequently, the impact of her success will be greater on the students who may have considered the key to be private given that they have performed key comparison but might have forgotten about the role that single quanta play in the security of the protocol.
32. Each transmission sequence is 16 “qubits” long and generates an 8-bit key K on average. Thus, we repeated the sequence about four times to obtain a 32-bit-long key. This process takes about 2.5 min.
33. Steven M. Bellovin, “Frank Miller: Inventor of the one-time pad,” Cryptologia 35(3), 203–222 (2011).
34. Eve could have performed the polarization calibration procedure along with Alice and Bob, which allows her to select the best polarization measurement for distinguishing and identifying the intercepted polarization states. However, given the limited time for the workshop, it was difficult to prepare the students in team Eve in time for the calibration procedure as they would then have to learn calibration, principles of the quantum channel, using two polarization measurements to extract the polarization from the intercepted photons, and the clustering algorithm—the latter two being concepts that Alice and Bob did not have to learn.
35. There are several eavesdropping noise sources. First, the laser intensity fluctuates (20%) with the position of the polarizer sheet, which is sensitive to mechanical disturbances (e.g., wind, students' movements). Moreover, the current to the laser diode was also not feedback-stabilized. These noise sources affect the result if the measurement is only performed in one basis (see, e.g., Photodiode 1 histogram in Fig. 8). To optimally distinguish between the various polarization states, Eve projects each state in two measurement bases, separated by about 45° from each other, and subsequently measures the corresponding intensity.
36. Richard O. Duda, Peter E. Hart, and David G. Stork, Pattern Classification (John Wiley & Sons, New Jersey, 2012).
37. QCamp, hosted by Centre for Quantum Technologies. Visit us at <https://qcamp.quantumlah.org>.
38. V. Scarani, C. Lynn, and S. Liu, Six Quantum Pieces: A First Course in Quantum Physics (World Scientific, Singapore, 2010).
39. D. L. Haury and P. Rillero, Perspectives of Hands-on Science Teaching (ERIC Clearinghouse for Science, Mathematics, and Environmental Education, Columbus, OH, 1994).
40. R. M. Ryan and E. L. Deci, “Intrinsic and extrinsic motivations: Classic definitions and new directions,” Contemp. Educ. Psychol. 25, 54–67 (2000).
41. B. J. Guzzetti, T. E. Snyder, G. V. Glass, and W. S. Gamas, “Promoting conceptual change in science: A comparative meta-analysis of instructional interventions from reading education and science education,” Reading Res. Q. 28, 117–159 (1993).
42. M. Limón, “On the cognitive conflict as an instructional strategy for conceptual change: A critical appraisal,” Learn. Instruction 11(4–5), 357–380 (2001).
43. A. Antonio et al., “Device-independent security of quantum cryptography against collective attacks,” Phys. Rev. Lett. 98, 230501 (2007).
44. R. Arnon-Friedman, R. Renner, and T. Vidick, “Simple and tight device-independent security proofs,” SIAM J. Comput. 48(1), 181–225 (2019).
45. V. Scarani and C. Kurtsiefer, “The black paper of quantum cryptography: Real implementation problems,” Theor. Comput. Sci. 560, 27–32 (2014).
46. M. J. Robshaw, “Stream ciphers,” RSA Laboratories Technical Report (1995).
47. M. Matsumoto and T. Nishimura, “Mersenne twister: A 623-dimensionally equidistributed uniform pseudo-random number generator,” ACM Trans. Modeling Comput. Simul. (TOMACS) 8(1), 3–30 (1998).
48. Python implementation of Mersenne Twister PRNG, available at <https://docs.python.org/3/library/random.html>.
49. The “leaks” of the expanded key can, for example, be obtained by examining the structure of the message. In the ASCII and UTF-8 schemes, which are widely used to represent characters in a message, the two leading bits of every letter of the English alphabet are 01. This could be used to deduce the leading bits of every byte of the expanded key by sampling the ciphertext.
50. G. Argyros and A. Kiayias, “I forgot your password: Randomness attacks against PHP applications,” presented as part of the 21st USENIX Security Symposium (USENIX Security 12) (2012).
51. Makoto Matsumoto et al., “CryptMT stream cipher version 3,” eSTREAM, ECRYPT Stream Cipher Project, Report No. 28 (2007).
52. New Stream Cipher Designs: The eSTREAM Finalists, Lecture Notes in Computer Science Vol. 4986, edited by M. Robshaw and O. Billet (Springer, Berlin, 2008).
53. For any message length m, this operation results in only 2³² possible combinations of decoded messages. If the message is much longer than the key (m ≫ 32), it is likely that only a few decoded messages are coherent. This contrasts with the scenario where the message is as long as the key (m = 32, one-time pad scenario), as this results in as many coherently decoded messages as possible. Students can perform this brute-force attack with modern computers—if each combination requires 1 μs to be computed and checked for coherence, it would only take 1.2 h to exhaust all possibilities.
54. C. Paar and J. Pelzl, Understanding Cryptography: A Textbook for Students and Practitioners (Springer Science & Business Media, New York, 2009).
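
Notes 49 and 53 explain why a short key expanded by a non-cryptographic PRNG gives little protection: the letter structure of the message leaks keystream bits, and the whole key space can be enumerated. The sketch below is an added illustration, not code from the paper or its repository. It assumes the key seeds Python's `random` (Mersenne Twister) and the message is XORed with the output, and it uses a hypothetical 16-bit key space and constructed letters-only messages so that it runs in seconds.

```python
import random

KEY_BITS = 16  # assumption: reduced from the page's 32 bits to keep the demo fast


def keystream(key: int, n: int) -> bytes:
    """Expand a short key into n keystream bytes with the Mersenne Twister."""
    rng = random.Random(key)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_cipher(key: int, data: bytes) -> bytes:
    """Encrypt or decrypt by XORing the data with the expanded key."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def leaked_bits(ciphertext: bytes) -> list:
    """Note 49: ASCII letters are 01xxxxxx, so the top two bits of each
    expanded-key byte equal the ciphertext's top two bits XOR 01."""
    return [(c >> 6) ^ 0b01 for c in ciphertext]


def surviving_keys(ciphertext: bytes, key_bits: int = KEY_BITS) -> list:
    """Note 53: enumerate every key, keep those consistent with the leak."""
    leak = leaked_bits(ciphertext)
    survivors = []
    for key in range(1 << key_bits):
        rng = random.Random(key)
        # all() stops at the first mismatching byte, so most keys cost little
        if all(rng.getrandbits(8) >> 6 == bits for bits in leak):
            survivors.append(key)
    return survivors


# Constructed sample data: letters only, so the note-49 assumption holds.
SECRET_KEY = 0xB84
LONG_MSG = b"QUANTUMKEYDISTRIBUTIONWORKSHOP"  # much longer than the key
SHORT_MSG = b"QK"                             # as long as the 16-bit demo key

if __name__ == "__main__":
    for msg in (SHORT_MSG, LONG_MSG):
        ct = xor_cipher(SECRET_KEY, msg)
        keys = surviving_keys(ct)
        print(f"{len(msg):2d}-byte message: {len(keys)} candidate key(s)")
        if len(keys) == 1:
            print("  recovered:", xor_cipher(keys[0], ct).decode())
```

For the long message a single key survives, while the message that is only as long as the key leaves thousands of equally plausible candidates, which is the contrast note 53 draws with the one-time pad.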