Cryptography Reference
In-Depth Information
may typically exhibit attenuation values of
α
.
01 (or worse), which yields a
value of
y
005 (at most), squarely within Region II.
The expressions for
.
represent upper bounds on the information that is
leaked to Eve by attacks on the individual photons of multiphoton pulses. In
Ref. [7] it is shown that Eve can always choose an eavesdropping strategy to
achieve this upper bound as long as Bob does not counterattack by monitoring
the statistics of multiple detection events that occur at his device. Even with
this proviso, the upper bounds are only a fraction of the information contained
in the multiphoton pulses. This indicates that the assumption, common in the
literature, that Alice and Bob must surrender all this information to Eve is
overly restrictive.
The next two terms are grouped together at the end of the expression
because their effect on
ν
vanishes in the limit of large
m
. The first of these,
a
,
is the authentication cost. This is the number of secret bits that are sacrificed as
part of the authentication protocol to ensure that the classical transmissions for
sifting and error correction occur between Alice and Bob without any “man-
in-the-middle” spoofing by Eve. For the authentication protocols described
in Ref. [7], the authentication cost is
S
a
(
n, m
)
=
4
{
g
auth
+
log
2
log
2
[2
n
(
1
+
log
2
m
)
]
}
·
log
2
[2
n
(
1
+
log
2
m
)
]
+
4[
g
auth
+
log
2
log
2
(
2
n
)
] log
2
(
2
n
)
+
4
(
g
EC
+
log
2
log
2
n
)
log
2
n
+
4
(
g
auth
+
log
2
log
2
g
EC
)
log
2
g
EC
+
g
EC
+
4
(
g
auth
+
log
2
log
2
g
EC
)
log
2
g
EC
.
(7.20)
The first term above is not strictly necessary for security, but is useful in iden-
tifying situations in which the authentication process has been compromised.
The security parameters
g
auth
,g
EC
,
and
g
EC
are adjusted to limit the probability
that some phase of the authentication fails to produce the desired result. For
instance, the probability that Eve can successfully replace Alice's transmis-
sions to Bob with her own transmissions is bounded by 2
−
g
auth
. The probability
that Alice's and Bob's copies of the key do not match after completion of the
protocol is bounded by 2
−
g
EC
2
−
g
EC
.
The last term,
g
pa
, is a security parameter that characterizes the effective-
ness of privacy amplification. It is the number of bits that must be sacrificed to
limit the average amount of information,
+
, about Alice's and Bob's shared
key that Eve can obtain to an exponentially small number of bits [12]:
I
2
−
g
pa
ln 2
I
≤
.
(7.21)
