prior to privacy amplification are not presented. Such results have important practical consequences. For example, Eve's likelihood of obtaining more than a given fraction of the raw key from her attacks on single photons increases as the block size of the key material is reduced. One therefore expects that the amount of privacy amplification compression required to ensure secrecy will increase as well. However, since this conclusion is strictly a consequence of the information Eve obtains prior to privacy amplification, it cannot directly be inferred from the analysis of Ref. [3]. In contrast, the approach of Ref. [10], which we adopt in our analysis, relates the privacy amplification compression directly to the amount of information leaked to Eve prior to privacy amplification. This makes it possible to analyze the effect of the block size on the amount of privacy amplification compression, and it concomitantly introduces an explicit security parameter, , as a bound on Eve's chances of mounting a successful attack on strings of finite length.
7.3 Privacy Amplification: Pointwise Bounds and Average Bounds
Quantum cryptography has been heralded as providing an important advance in secret communications because it provides a guarantee that the amount of mutual information available to an eavesdropper can unconditionally be made arbitrarily small. Any practical realization of quantum key distribution that consists only of sifting, error correction, and authentication will allow some information leakage, thus necessitating privacy amplification. Of course, one might contemplate carrying out privacy amplification after executing a classical key distribution protocol. In the absence of any assumed conditions on the capability of an eavesdropper, it is not possible to deduce a provable upper bound on the leaked information in the classical case, so that the subsequent implementation of privacy amplification would produce nothing, i.e., the "input" to the privacy amplification algorithm cannot be bounded, and as a result neither can the "output." In the case of quantum key distribution, however, the leaked information associated with the string that is the input to the privacy amplification algorithm can be bounded, and this can be done in the absence of any assumptions about the capability of an eavesdropper. This bound is not good enough for cryptography, however. Nevertheless, this bound on the input allows one to prove a bound on the output of privacy amplification, so that one deduces a final, unconditional upper bound on the mutual information available to an eavesdropper. Moreover, this bound can be made arbitrarily small and hence good enough for cryptography, at the cost of suitably shortening the final string. Except that as usually presented this is not exactly true.
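To make the "shortening the final string" step concrete, here is an added illustration that is not part of the original text: privacy amplification with a binary Toeplitz matrix, which is a universal_2 hash family, compressing an n-bit reconciled key about which Eve has learned at most t physical or parity bits down to r = n - t - s bits. With that choice the generalized privacy amplification result of Bennett et al. [12] bounds Eve's expected information about the output by 2^-s / ln 2. The function names and the Toeplitz construction are this example's own choices, not the chapter's.

```python
import secrets
from math import log

def output_length(n, t, s):
    """Length r = n - t - s of the amplified key: n raw bits, at most t
    bits leaked to Eve before privacy amplification, security parameter s."""
    r = n - t - s
    if r <= 0:
        raise ValueError("leakage plus security margin exhausts the key")
    return r

def average_info_bound(s):
    """Bennett et al. bound on Eve's expected information (in bits) about
    the r-bit output when r = n - t - s: at most 2^-s / ln 2.  This is an
    average bound, not a bound that holds for every individual hash."""
    return 2.0 ** (-s) / log(2)

def toeplitz_hash(key_bits, seed_bits, r):
    """Apply an r x n binary Toeplitz matrix to the key over GF(2).
    The matrix is fixed by n + r - 1 public seed bits via
    T[i][j] = seed[i - j + n - 1], so every diagonal is constant."""
    n = len(key_bits)
    if len(seed_bits) != n + r - 1:
        raise ValueError("need n + r - 1 seed bits")
    out = []
    for i in range(r):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & key_bits[j]
        out.append(acc)
    return out

def privacy_amplify(key_bits, t, s, seed_bits=None):
    """Compress the reconciled key; the seed (choice of hash) may be public,
    only the raw key and the output must stay secret."""
    n = len(key_bits)
    r = output_length(n, t, s)
    if seed_bits is None:
        seed_bits = [secrets.randbits(1) for _ in range(n + r - 1)]
    return toeplitz_hash(key_bits, seed_bits, r), seed_bits

def is_gf2_linear(hash_fn, a, b):
    """Sanity check: a Toeplitz hash is linear over GF(2),
    i.e. hash(a xor b) == hash(a) xor hash(b)."""
    ab = [x ^ y for x, y in zip(a, b)]
    ha, hb = hash_fn(a), hash_fn(b)
    return hash_fn(ab) == [x ^ y for x, y in zip(ha, hb)]
```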
The above understanding is usually presented in connection with the standard result of generalized privacy amplification given by Bennett et al. [12], which applies only to the average value of the mutual information. The average is taken with respect to a set of elements, namely, the universal₂ class