Cryptography Reference
In-Depth Information
eavesdropping, namely that Eve herself is allowed to prepare and deliver
all the pairs that Alice and Bob will subsequently use to establish a key. This
way we take the most conservative view, which attributes all disturbance
in the channel to eavesdropping, even though most of it (if not all) may be
due to innocent environmental noise. This approach also applies to the pre-
pare and measure protocols because they can be viewed as special cases of
entanglement-based protocols, e.g., the source of entangled particles can be
given either to Alice or to Bob. It is prudent to assume that Eve has dispro-
portional technological advantage over Alice and Bob. She may have access
to unlimited computational power, including quantum computers; she may
monitor all the public communication between Alice and Bob in which they
reveal their measurement choices and exchange further information in order
to correct errors in their shared key and to amplify its privacy. In contrast,
Alice and Bob can only perform measurements on individual qubits and
communicate classically over a public channel. They do not have quantum
computers, or any sophisticated quantum technology, apart from the ability
to establish a transmission over a quantum channel.
The search for good security criteria under such stringent conditions led to
early studies of quantum eavesdropping [17,28] and finally to the first proof
of the security of key distribution [12]. The original proof showed that the
entanglement-based key distributions are indeed secure and noise-tolerant
against an adversary with unlimited computing power as long as Alice and
Bob can implement quantum privacy amplification. In principle, quantum
privacy amplification allows us to establish a secure key over any distance,
using entanglement swapping [29] in a chain of quantum repeaters [2,14].
However, this procedure, which distills pure entangled states from corrupted
mixed states of two qubits, requires a small-scale quantum computation. Sub-
sequent proofs by Inamori [21] and Ben-Or [4] showed that Alice and Bob can
also distill a secret key from partially entangled particles using only classical
error correction and classical privacy amplification [6,7].
Quantum privacy amplification was also used by Lo and Chau to
prove the security of the prepare and measure protocols over an arbitrary
distance [22]. A concurrent proof by Mayers showed that the protocol can
be secure without Alice and Bob having to rely on the use of quantum com-
puters [23]. The same conclusion, but using different techniques, was subse-
quently reached by Biham et al. [8]. Although the two proofs did not require
quantum privacy amplification, they were rather complex. A nice fusion of
quantum privacy amplification and error correction was proposed by Shor
and Preskill, who formulated a relatively simple proof of the security of the
BB84 [5] protocol based on virtual quantum error correction [25]. They showed
that a protocol that employs quantum error-correcting code to prevent Eve
from becoming entangled with qubits that are used to generate the key re-
duces to the BB84 augmented by classical error correction and classical pri-
vacy amplification. This proof has been further extended by Gottesman and
Lo [20] for two-way public communication to allow for a higher bit error rate
in BB84 and by Tamaki et al. [26] to proof the security of the B92 protocol.
