Cryptography Reference
In-Depth Information
The inequality above furnishes an
average
bound defined with respect to
hash functions of a certain type. In specific applications one is necessarily
interested in
pointwise
bounds associated with particular hash functions. This
is further discussed below.
The fundamental expression for the secrecy capacity may now be written
in the limit of small dark count,
r
d
1:
1
r
d
1
2
f
2
S
=
ψ
≥
1
(ηµα)
·
(
1
−
fr
c
)
+
−
−
ν
˜
g
pa
+
a
−
,
(7.22)
m
where we have defined
f
≡
1
+
Q
+
T,
(7.23)
and
max
ν
≡
˜
2
ν
/
m,
(7.24)
so that the rescaled quantity ˜
is independent of
m
.
Note that the pulse intensity parameter
ν
µ
can be chosen to maximize
the secrecy capacity
. A detailed
investigation of the optimum pulse intensity under various conditions of
practical interest and the resulting secrecy capacities and rates can be found
in Ref. [7] and Ref. [13].
S
and thus also the key generation rate
R
7.2.1 Secrecy Capacity for Keys of Finite Length
Most of the terms appearing in Equation (7.4) for the length of the secret key,
L
, are directly proportional to the length of the block of raw key material,
m
. After dividing through by
m
(cf Equation (7.1)), the contributions of these
terms to the secrecy capacity
are independent of
m
. Three of the terms in
L
are not proportional to
m
, namely
g
pa
,a,
and
t
. They result in contributions
to the effective secrecy capacity that retain explicit dependence on
m
.
The third contribution,
t
, requires additional explanation. Its
m
depen-
dence arises from a precise application of the privacy amplification result,
Equation (7.21), derived by Bennett et al. [12]. The bound on Eve's knowl-
edge of the final key is obtained by assuming she has obtained a specific
amount of Renyi information prior to privacy amplification. Starting from
this point, Slutsky et al. [10] explicitly introduce a security parameter
S
(see
Equation (7.13)) to bound the probability that Eve has obtained more than
t
bits of Renyi information as a result of her attacks on single-photon pulses.
By contrast, the analysis of L utkenhaus [3] introduces no parameter anal-
ogous to
. Furthermore, the expression for the amount of privacy amplifica-
tion compression given in Ref. [3] is
linear
in the block size, thus resulting in
a contribution to the secrecy capacity that is independent of the block size.
While this approach, as developed in Ref. [3], does yield a bound on Eve's in-
formation about the key shared by Alice and Bob
after
privacy amplification,
explicit results pertaining to the amount of information Eve obtains on the key
