medium. The analysis addresses an extremely important set of eavesdropping attacks on individual photons rather than collective attacks in general. Of particular importance is our derivation of the necessary and sufficient amount of privacy amplification compression to ensure secrecy against the loss of key material that occurs when an eavesdropper makes optimized direct (USD), indirect (PNS), and combined individual attacks on pulses containing multiple photons. It is shown that only a fraction of the information in the multiple photon pulses is actually lost to the eavesdropper. We also provide a careful analysis of the use of privacy amplification in quantum cryptography. In order to be practically useful, quantum cryptography must not only provide a guarantee of secrecy but also provide this guarantee with a useful, sufficiently large throughput value. The standard result of generalized privacy amplification yields an upper bound only on the average value of the mutual information available to an eavesdropper. Unfortunately this result by itself is inadequate for cryptographic applications. A naive application of the standard result leads one to conclude incorrectly that an acceptable upper bound on the mutual information has been achieved. It is the pointwise value of the bound on the mutual information, associated with the use of some specific hash function, that corresponds to actual implementations. We provide a fully rigorous mathematical derivation that shows how to obtain a cryptographically acceptable upper bound on the actual, pointwise value of the mutual information. Unlike the bound on the average mutual information, the value of the upper bound on the pointwise mutual information and the number of bits by which the secret key is compressed are specified by two different parameters, and the actual realization of the bound in the pointwise case is necessarily associated with a specific failure probability. The constraints among these parameters, and the effect of their values on the system throughput, have not been previously analyzed. We show that the necessary shortening of the key dictated by the cryptographically correct, pointwise bound, can still produce viable throughput rates that will be useful in practice.
7.1 Introduction
The use of quantum cryptographic protocols to generate key material for use in the encryption of classically transmitted messages has been the subject of intense research activity. The first such protocol, known as BB84 [1], can be realized by encoding the quantum bits representing the raw cryptographic key as polarization states of individual photons. The protocol results in the generation of a shorter string of key material for use by two individuals, conventionally designated Alice and Bob, who wish to communicate using encrypted messages that cannot be deciphered by a third party, conventionally called Eve. The unconditional secrecy of BB84 has been proved under idealized conditions, namely, on the assumption of pure single-photon sources and in the absence of various losses introduced by the equipment that generates and detects the photons or by the quantum channel itself [2]. The conditions under which secrecy can be maintained under more realistic