7.3.3 Application of Pointwise Bound
Operationally, it will usually be the case in practice that end users of quantum
key distribution systems will be first and foremost constrained to ensure that
a given upper bound on the pointwise mutual information available to the
enemy is realized.
To appreciate the significance of the distinction between the PPA and APA
results, we will consider an illustrative example that shows how reliance on
the APA bound can lead to complete compromise of cryptographic security.
We begin with the APA case. As noted above, in the case of APA, the privacy
amplification subtraction parameter, which we will now denote by
$g_{\mathrm{APA}}$ to emphasize the nature of the bound, directly specifies
both the upper bound on $\langle I \rangle$ and the number of bits by which
the key needs to be shortened to achieve this bound. Without loss of
generality we take the value of the privacy amplification subtraction
parameter to be given by $g_{\mathrm{APA}} = 30$, which means that, in
addition to the compression by the number of bits of information that were
estimated to have been leaked, the final length of the key will be further
shortened by an additional 30 bits. This results in an upper bound on the
average mutual information given by
$\langle I \rangle \le 2^{-30}/\ln 2 \simeq 1.34 \times 10^{-9}$, which
we take as the performance requirement for this example. While this might
appear to be an acceptable bound, the fact that it applies only to the average of
the mutual information of course means that it is not the quantity we require.
We turn to the PPA case, with respect to which we will now refer to the
privacy amplification subtraction parameter as $g_{\mathrm{PPA}}$. In order
to discuss the PPA bound we must select appropriate values amongst
$g_{\mathrm{PPA}}$, g and g . In the APA case discussed above, the bound on
the (average) mutual information and the number of subtraction bits are both
specified by the same parameter $g_{\mathrm{APA}}$. In the PPA case, the
number of subtraction bits and the parameter that specifies the bound on the
(pointwise) mutual information are not the same. To achieve the same value
for the upper bound on $I$ as we discussed for the upper bound on
$\langle I \rangle$ above, we must select $g = 30$ as the value of the
pointwise bound parameter. From Equation (7.32), this indeed yields the
required inequality $I \le 2^{-30}/\ln 2 \simeq 1.34 \times 10^{-9}$.
However, with respect to this requirement on the value of the mutual
information, i.e., the required final amount of cryptographic secrecy, there
is a denumerable set (since bits are discrete) of different amounts of
compression of the key that are possible to select, each associated with a
corresponding failure probability, $P_f$, in the form of ordered pairs
$g_{\mathrm{PPA}}$, g that satisfy the constraint given by
$g_{\mathrm{PPA}}$ = g + g (Equation (7.31)).
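The trade-off between extra compression and failure probability described above, as an added worked example that is not from the original text. The page's Equations (7.31) and (7.32) are not reproduced here, so the failure-probability formula is an assumption derived from Markov's inequality applied to the average bound, and all function names are this example's own.

```python
import math

def info_bound(g: int) -> float:
    """Bound 2^-g / ln 2 on the mutual information for bound parameter g."""
    return 2.0 ** (-g) / math.log(2)

def failure_bound(g_ppa: int, g: int) -> float:
    """ASSUMPTION (Markov's inequality, not the page's own equation):
    if the average over hash functions is at most 2^-g_ppa / ln 2, one
    specific hash function exceeds 2^-g / ln 2 with probability at most
    2^-(g_ppa - g). A probability bound above 1 is vacuous, so cap it."""
    return min(1.0, 2.0 ** (-(g_ppa - g)))

def tradeoff(g: int, extra_bits):
    """(g_ppa, g, failure bound) for each number of extra subtraction bits."""
    return [(g + e, g, failure_bound(g + e, g)) for e in extra_bits]

def bits_needed(target_info: float, target_failure: float) -> int:
    """Smallest g_ppa meeting both the pointwise bound and failure targets."""
    g = math.ceil(-math.log2(target_info * math.log(2)))
    extra = math.ceil(-math.log2(target_failure))
    return g + extra

if __name__ == "__main__":
    print(f"bound for g = 30: {info_bound(30):.3e}")
    for g_ppa, g, p_f in tradeoff(30, range(0, 41, 10)):
        print(f"g_PPA = {g_ppa:2d}, g = {g}: failure bound <= {p_f:.3e}")
    print("bits for 1.35e-9 at failure 1e-6:", bits_needed(1.35e-9, 1e-6))
```

Under this assumption, a total subtraction of 30 bits with a pointwise parameter of 30 leaves a failure bound of 1, which guarantees nothing about the pointwise value; each further bit of compression halves the failure bound.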
Our starting point was the secrecy performance requirement that must
be satisfied. On the basis of the APA analysis above, one might conclude
that in order to achieve the required secrecy performance constraint it is
sufficient to shorten the key by 30 bits. However in the PPA case, satisfying
the same performance requirement and shortening the key by 30 bits means
choosing identical values for the privacy amplification subtraction parameter
($g_{\mathrm{PPA}} = 30$) and the pointwise bound parameter ($g = 30$).
However, we note