Secret Key Generation from Channel Noise with the Help of a Common Key
Tatsuya TOMARU†

SUMMARY

Information-theoretically secure communications are possible when channel noise is usable and when the channel has an intrinsic characteristic that lets a legitimate receiver (Bob) use the noise more advantageously than an eavesdropper (Eve). This report deals with the case in which the channel does not have such an intrinsic characteristic. Here, we use a pre-shared common key as a tool that extrinsically makes Bob more advantageous than Eve. The method uses an error-correcting code in addition to the common key and the noise, and manages the three components in a random-number transmission. Secret keys are generated from the noise, and messages are encrypted with the secret keys in a one-time-pad manner. As a result, the information leaks that are meaningful to Eve are restricted to the parity-check symbols of the random numbers. Candidates for the common key can be derived from the parity-check symbols, and the security of the method is quantified in terms of the amount of computation needed for an exhaustive search of those candidates, where we evaluate the security by assuming that all parity-check symbols leak to Eve without bit errors. The noise contributes not only to generating secret keys but also to enhancing the security, because the number of candidates for the common key increases with it.

Key words: channel, noise, error-correcting code, common key, secret key, bit error
1. Introduction
Highly confidential information, e.g., government and military secrets, must be communicated with maximum security between a limited number of parties. This kind of information might affect national fortunes 50 or even 100 years hence, and therefore its security must be long term. This report proposes a method that meets this requirement. It discusses security under the following three conditions: (1) only technologies available at present can be used; (2) communication is world-wide; (3) only a limited number of parties communicate with each other. The method of Wyner [1] using channel noise is one way of maximizing security, and it achieves information-theoretic security. When the bit-error rate (BER) of an eavesdropper (Eve) is higher than that of a legitimate receiver (Bob), this difference generates a secrecy capacity [1,2]. Wyner assumed that Bob receives signals at a lower bit-error rate than Eve, but this assumption was later loosened. That is, as long as some of Eve's received errors differ from Bob's, Bob's receiving conditions do not have to be better than Eve's, and the amount of information corresponding to Eve's unique errors can be transformed into secret keys through public discussions between the sender (Alice) and Bob [3,4]. The method using channel noise has since been widely studied, and the research can be classified into work on channel-type models and work on source-type models [4]. The former is a model in which Alice and Bob share randomness from the channel noise. It requires bit errors that only Eve suffers from in order to generate secret keys from the noise [5]. A broadcast channel is usually assumed to conform to this situation [2,4]. The latter is a model in which both Alice and Bob receive randomness from a source, and when the randomness is correlated between Alice and Bob independently of Eve, secret keys are generated [6]. Approaches that take both models into consideration have also been studied [7–9].
The noisy channel method can achieve information-theoretic security. Another method that does so is quantum cryptography [10–12]. Quantum cryptography similarly has the concepts of channel-type and source-type models. The BB84 protocol, in which single photons are transmitted and received, corresponds to a channel-type model [10]. Quantum-entanglement-related methods correspond to source-type models [13,14]. While methods with information-theoretic security are achievable in principle, they are difficult to apply to long-haul optical fiber transmissions. Optical fibers cause transmission losses of 0.2 dB/km, and as a result, quantum cryptography using single photons is limited to about 100 km. The noisy channel method faces another difficulty. Eavesdropping is easy in fiber communications if there is a preinstalled photo-coupler that divides the light. In particular, if the photo-coupler is near the transmitter, Eve can receive signals without being affected by channel noise. In this case, it cannot be assumed that Eve will have unique errors, and thus the noisy channel model cannot be applied. Both the noisy channel method and quantum cryptography have an important mechanism by which Bob can become more advantageous than Eve: the noisy channel method uses a broadcast channel or correlated randomness for this, and quantum cryptography uses the quantum-mechanical characteristic that measurement changes the quantum state. How these characteristics can be used has been the subject of extensive discussion. However, long-haul fiber transmissions do not possess such characteristics; another mechanism is needed in this case. We will turn our attention to the fact that the number of communicating parties is limited.

Footnote on public discussions: As a result of public discussions, Bob gains an advantage over Eve.
† The author is with the Center for Exploratory Research, Research & Development Group, Hitachi, Ltd., Hatoyama, Saitama, 350-0395 Japan. Email: [email protected]
For this specific case, we can assume a system in which Alice and Bob share beforehand a common key consisting of random numbers with a uniform distribution (true random numbers) and a fixed length. The common key could be securely passed by hand, for example. In general, the common key-sharing method is unprescribed as long as its security is higher than that discussed in this report. The common key gives Bob an advantage over Eve. Here, the common key is not used as a seed key, but instead as a tool for transforming the entropy of noise into that of secret keys. For this reason, the information of the common key is not reflected in the information on the transmission channel, and thus the common key can be used repeatedly. The phase noise of a laser diode's (LD) output, for example, can be used as a noise source (see section 7.4). Phase noise is always present in LD output, and it is sufficiently random [15]. There is a method called the αη (Y00) protocol that uses channel noise and a common key [16,17]. That method is basically a stream cipher with quantum fluctuations that uses a common key as a seed key, and it uses multiple bases. However, the method in this report is not a stream cipher but secret-key generation. Messages are encrypted with the secret keys by one-time pad. The common key is used only inside the transmitter and receiver, and the information on the transmission channel does not reflect common-key-related information. The two methods hence belong to different concepts. The method in this report is not resistant to brute-force attacks because a common key is used. However, the secret keys are continuously generated from noise, and the messages are encrypted with a one-time pad. Thus, information leaks are restricted to the random-number transmission stage of the key agreement.
To evaluate the security, Eve is assumed to obtain exactly the parity-check symbols of the algebraic error-correcting code that is used to transmit the random numbers. Even under this assumption, which favors Eve, she must decode the error-correcting code, which is a block code. To do this, she must list the candidates for the information symbols by using the parity-check symbols, and list the candidates for the common key. In other words, Eve has no decrypting method that is more efficient than listing the candidates for the information symbols. In addition, the number of candidates increases because of the existence of bit errors, and thus the security is strengthened even further. Computational security is generally achieved by relying on some sort of mathematical difficulty. For example, the security of Diffie-Hellman key agreement is founded on the existence of a difficult computation in number theory [18]. There is no assurance that the difficulty will never be overcome; an efficient algorithm for overcoming it might be found. However, our method does not assume any mathematical difficulty, and therefore there is no threat that an efficient decrypting algorithm might be found. The method requires an exhaustive search over the candidates for the common key in decryption. The security of our method does not reach the level of information-theoretic security, but it falls into some range of computational security. However, because there is no salient threat, we need not worry about unexpected decryptions. Our method will be useful for protecting highly confidential information like government and military secrets. Cryptography generally has a trade-off between security and convenience.
Methods with information-theoretic security have high security, but their message transmission rate $R_m$, defined by $R_m = n_m / n_{all}$, where $n_{all}$ is the total number of transmitted bits and $n_m$ is the message part, is low ($R_m \ll 1$), and long-haul transmissions using them are generally difficult. In contrast, methods with computational security achieve $R_m \sim 1$, but generally face the threat that an efficient decrypting method might be found. If we interpret these two kinds of methods as being at opposite ends of a trade-off, our method is located in the middle, because it achieves computational security that removes the threat. However, in so doing, the message transmission rate is reduced to $R_m \ll 1$.
2. Framework
This report concerns key agreement consisting of random-number transmission and secret key generation using the transmitted random numbers. Messages are transmitted with a one-time pad using the generated secret keys. This section describes the framework of the key agreement and defines the security of the method. The notation is as follows: when calligraphic letters like $\mathcal X, \mathcal Y, \mathcal Z$ designate sets, the corresponding random variables are written with capital letters, like $X, Y, Z$, and the corresponding elements with small letters, like $x, y, z$. Bold letters like $\mathbf x, \mathbf y, \mathbf z$ designate row vectors of $x, y, z$. Letters like $X^n$ designate $n$ successive letters. Let us assume that there is noise in the transmission channel used for the key agreement. Therefore, there are generally bit errors in the signals received by Bob and Eve. Let $s_{kA}$ be the secret key to be shared between Alice and Bob. Generally, in a key agreement protocol using a noisy channel, Alice encodes $s_{kA}$ as $E_g : \{0,1\}^{n_r} \to \{0,1\}^n$, $s_{kA} \mapsto x$, and sends the result to Bob; he receives and decodes it as $D_g : \{0,1\}^n \to \{0,1\}^{n_r}$, $y \mapsto s_{kB}$ [1-3]. Because of bit errors, generally $x \ne y$. The mapping $E_g$ has two purposes: one is to make the information leaking to Eve meaningless; the other is to achieve accurate communications. The former purpose requires $n_r < n$, and thus $E_g$ is performed probabilistically. However, even if $E_g$ itself is simple, its inverse $D_g$ is not easy. Therefore, the probabilistic encoding $E_g$ is not preferable for real systems; deterministic encoding is better. For this reason, let us invert the process on Alice's side as $E_g' : \{0,1\}^n \to \{0,1\}^{n_r}$, $x \mapsto s_{kA}$ [19]. In this case, all processes of the method can be made deterministic and thereby practical. Now, we divide $E_g'$ ($E_g$) into two stages, i.e., the encoding $E$ and the secret key generation $S$, as in Definition 1 below. Figure 1 shows the framework discussed in this report.
As mentioned above, noisy channel models generally have an intrinsic characteristic that puts Eve at a disadvantage. For example, the broadcast model assumes that Eve suffers from bit errors independent of Bob's. However, we do not assume such an intrinsic characteristic. Instead, we assume a common key $k_e$ that Alice and Bob share beforehand to put Eve at a disadvantage. The following Definition 1 defines the key agreement protocol discussed in this report.

Definition 1 [Key agreement protocol]: Let us assume that there is noise in the transmission channel. Alice and Bob share beforehand a common key $k_e \in \{0,1\}^{N_K}$ consisting of a random $N_K$-bit string with uniform distribution over $\{0,1\}^{N_K}$. Alice encodes a random $n_l$-bit string $x \in \{0,1\}^{n_l}$ with uniform distribution over $\{0,1\}^{n_l}$ by using an $(n, k)$ block code of code length $n$ and information length $k$ ($n > k$), where $\tilde x \in \{0,1\}^k$ are the information symbols and $\bar x \in \{0,1\}^{n-k}$ is the redundant information of $\tilde x$; she sends $x$ and $\bar x$ to Bob. Bob receives $y$ and $\bar y$ and obtains $\tilde y$, which is error-corrected using $k_e$. Alice and Bob respectively generate secret keys $s_{kA}$ and $s_{kB} \in \{0,1\}^{n_r}$ from $\tilde x$ and $\tilde y$.

Encoding $E : \{0,1\}^{n_l} \times \{k_e\} \to \{0,1\}^k \times \{0,1\}^{n-k}$, $x \times k_e \mapsto \tilde x \times \bar x$
Decoding $D : \{0,1\}^{n_l} \times \{0,1\}^{n-k} \times \{k_e\} \to \{0,1\}^k$, $y \times \bar y \times k_e \mapsto \tilde y$
Secret key generation $S : \{0,1\}^k \to \{0,1\}^{n_r}$, $\tilde x \mapsto s_{kA}$ and $\tilde y \mapsto s_{kB}$

Encoding $E$ uses the common key $k_e$. Decoding $D$ requires $k_e$, and decoding is difficult without $k_e$. A concrete coding method is described in section 5.2. As long as Bob does not fail in decoding, $\tilde x = \tilde y$ and $s_{kA} = s_{kB}$. In evaluating security, we assume that authentication has been executed and that Eve does not tamper with the channel by inserting or modifying messages. Moreover, we assume that Eve is an outsider. Let $z$, $\tilde z$, and $\bar z$ be Eve's information corresponding to $x$, $\tilde x$, and $\bar x$ ($y$, $\tilde y$, and $\bar y$) for Alice (Bob). Eve's final aim is to eavesdrop on messages.

Because the secret key $s_{kA}$ is used with a one-time pad, Eve needs to derive $s_{kA}$ from $z$ and $\bar z$ to achieve her aim. For simplicity, we assume that all $n_r$ bits of $s_{kA}$ are used in message transmissions. Let $z^*$ and $\bar z^*$ be another pair of $z$ and $\bar z$, and let $s_{kA}^*$ be the secret key generated from $z^*$ and $\bar z^*$. If Eve uses a chosen-plaintext attack against the message transmissions, she can obtain any number of $s_{kA}^*$. Here, to simplify the description, all the secret keys that Eve obtains will be represented by $s_{kA}^*$. In accordance with these premises, we assume that Eve's attack and aim are as follows.

Eve's attack: (1) Eve can passively obtain all of the information. (2) Eve can obtain any number of $s_{kA}^*$. (3) Eve cannot control the equipment inside the transmitter and receiver or the environmental noise.

Attack aim:
Eve's aim is to guess at least one bit of the secret key $s_{kA}$.

Fig. 1 Framework discussed in this report. [Figure labels: Alice: $E : x \times k_e \mapsto \tilde x \times \bar x$, $S : \tilde x \mapsto s_{kA}$; Bob: $D : y \times \bar y \times k_e \mapsto \tilde y$, $S : \tilde y \mapsto s_{kB}$; $x, \bar x$ sent (noisy channel for $x$, noiseless channel for $\bar x$), $y, \bar y$ received; Eve observes $z, \bar z$ and $s_{kA}^*$.]
Because Definition 1 uses a common key, the security of Definition 1 is computational. Thus, we give the following definition.
Definition 2 [Computational security in key agreement]: Let us suppose a game in which Eve runs a probabilistic polynomial-time algorithm to try to guess one bit at any position of $s_{kA}$ from $z$ ($z^*$), $\bar z$ ($\bar z^*$), and $s_{kA}^*$ in one arbitrary trial. Let $s_{kE}$ be the guessed one-bit secret key. Let the probability of $s_{kA} = s_{kE}$ be $p_s$, called the probability of successfully guessing the secret key. A key agreement method is called computationally secure if there exists an integer $k$ such that $p_s < 1/2 + 1/P(N_K)$ is satisfied at a common key length $N_K \ge k$ for every polynomial $P(N_K)$.

The security of the framework of Definition 1 is based on the fact that decoding $D$ is difficult without $k_e$. Therefore, let us define the difficulty of decoding along the lines of Definition 2.

Definition 3 [Computational security in encoding]: Let us define an encoding $E_a$ by $\tilde x = E_a(x, k_e)$ in accordance with Definition 1. Let us suppose a game in which Eve runs a probabilistic polynomial-time algorithm to try to guess $\tilde x$ ($\tilde x^*$) from $z$ ($z^*$), $\bar z$ ($\bar z^*$), and $s_{kA}^*$ in one arbitrary trial. Let $\hat z$ ($\hat z^*$) be the guess of $\tilde x$ ($\tilde x^*$). Let the probability of $\tilde x = \hat z$ ($\tilde x^* = \hat z^*$) be $p_d$, called the probability of successfully guessing the information symbols. $E_a$ is called computationally secure if there exists an integer $k$ such that $p_d < 1/2^k + 1/P(N_K)$ is satisfied at a common key length $N_K \ge k$ for every polynomial $P(N_K)$.

The security of an encryption using a common key is computational; it has no resistance against a brute-force attack on the common key. However, if there is no efficient decrypting method other than a brute-force attack, sufficient security is still obtainable by choosing a sufficiently long key. The issue in computational security is not the lack of resistance against a brute-force attack but the threat that an efficient decrypting method might be found. Therefore, if it is assured that there is no efficient decryption method for an encryption system, the system is sufficiently secure. Definition 2 corresponds to that assurance, but what is assumed in order to achieve the security of Definition 2 is important. If Definition 2 is achieved without assuming any mathematical difficulty such as that in Diffie-Hellman key agreement, there is no threat that an efficient decryption algorithm might be found. The protocol of Definition 1 ensures the security of Definition 2 by using noise in addition to the common key $k_e$. It does not assume any mathematical difficulty. If the amount of information in the secret keys generated by the protocol of Definition 1 is limited to the entropy of the noise, the generated secret keys are fresh. Computational security in the sense of Definition 2 can be achieved using this freshness, as will be shown in Theorem 1.
3. Concrete method based on Definition 1
The code length $n$ and information symbol length $k$ are generally assumed to be sufficiently long in any key-agreement protocol using noise. However, a practical system might limit the range of $n$ and $k$. Hence, we introduce a parameter $u$ and use $uk$ symbols as the unit of key generation to overcome the limit. The following Method 1 makes the framework of Definition 1 specific from the viewpoint of an actual system, including the introduction of the parameter $u$ (see Fig. 2).

Method 1: The noise-assisted key-agreement protocol based on Definition 1 consists of the algorithms $(R_X, E_a, E_b, S)$ in the transmitter and the algorithms $(F_t(F_c), D_a, D_b, S)$ in the receiver.

Transmitter:
(1) $x \leftarrow R_X$
(2a) $E_a : \{0,1\}^{n_l} \times \{k_e\} \to \{0,1\}^k$, $x \times k_e \mapsto \tilde x$
(2b) $E_b : \{0,1\}^k \to \{0,1\}^{n-k}$, $\tilde x \mapsto \bar x$
(3) $S : \{0,1\}^{uk} \to \{0,1\}^{n_r}$, $\tilde x^u \mapsto s_{kA}$

Receiver:
(1') $y \leftarrow F_t(F_c(x))$
(2a') $D_a : \{0,1\}^{n_l} \times \{k_e\} \to \{0,1\}^k$, $y \times k_e \mapsto \tilde y'$
(2b') $D_b : \{0,1\}^k \times \{0,1\}^{n-k} \to \{0,1\}^k$, $\tilde y' \times \bar y \mapsto \tilde y$
(3') $S : \{0,1\}^{uk} \to \{0,1\}^{n_r}$, $\tilde y^u \mapsto s_{kB}$

Here, $\tilde x^u$ and $\tilde y^u$ are respectively $\tilde x$ and $\tilde y$ of $u$ blocks. $\tilde x$ is generated from $x$ with permutations in $E_a$, and $n_l > k$. Let $u \ge 1$ be an integer with $uk > n_r$. Here, $n_r$ is chosen to satisfy $n_r / un \le C_{s0}$, where $C_{s0}$ is introduced in the next section. This choice makes $E_a$ computationally secure in the sense of Definition 3, as shown in Lemma 11, and makes Method 1 computationally secure in the sense of Definition 2, as shown in Theorem 1. In process (1), $x$ is output from a random-number generator $R_X$ in the transmitter and is transmitted to the receiver. In process (1'), $y$ is received by the receiver, where $y$ includes transmission-carrier noise and environmental noise through $F_c$ and $F_t$, respectively. Here, the symbol "$\leftarrow$" indicates that $x$ is a probabilistic output and that $y$ contains probabilistic bit errors. We assume a memory-less binary symmetric channel (BSC) with a BER of $p_E$ as the model of the noise source $F_c$ in the transmitter. An example of a system conforming to this model is optical-fiber communications: light already has fluctuations (noise) that cause bit errors at the moment it is emitted from its source. Another example is noise added on purpose. Processes (2a) and (2b) are the encoding $E$ of Definition 1, and processes (2a') and (2b') are the decoding $D$ of Definition 1. $\tilde x$ is generated from $x$ by using the common key $k_e$ in $E_a$, and $\tilde y'$ is similarly generated from $y$ by using $k_e$ in $D_a$.
A concrete example is described in section 5.2. $E_b$ and $D_b$ are respectively the encoding and decoding used to achieve errorless communications between Alice and Bob. Thus, $\tilde x = \tilde y$ as long as Bob does not fail in decoding. The redundant information $\bar x$ is transmitted through an errorless public channel, and thus $\bar x = \bar y$. Summarizing what has been covered so far, $x$ and $\bar x$ are transmitted from the transmitter, and $y$ and $\bar y$ are received at the receiver. $\tilde x$ and $\tilde y$ are used only inside the transmitter and receiver and are not transmitted. Processes (3) and (3') describe the secret key generation $S$ of Definition 1, which is achieved through privacy amplification [19,20] using universal hashing. $S$ is performed in units of $u$ blocks. If $\tilde x^u = \tilde y^u$, then $s_{kA} = s_{kB}$. Thus, $s_{kA}$ can be shared by Alice and Bob and used in the encrypted communication of messages. Figure 2 summarizes the algorithms in the form of a block diagram. Eve is assumed to be able to receive signals under the best conditions; i.e., she receives $z \leftarrow F_c(x)$ for $x$ without environmental noise. Let $p_E$ ($p_E \le 1/2$) be Eve's bit-error rate, and let $p_B$ ($p_B \le 1/2$) be Bob's bit-error rate. Because Bob's signals are affected by the environmental noise $F_t$, generally $p_B \ge p_E$, where equality corresponds to the case of a noiseless channel. The redundant information $\bar x$ is openly transmitted through an errorless public channel in Method 1 because this setup makes the security analysis easy. When $\bar x$ is transmitted through a channel with errors, Eve is put at a disadvantage. Thus, even if $\bar x$ is transmitted through the same channel as $x$, the security assured for Method 1 is kept (see section 6.2).

Fig. 2 Block diagram of Method 1. [Figure labels: Transmitter: $R_X$: random numbers; $E_a$: encoding (with $k_e$); $E_b$: error-correcting coding; $S$: privacy amplification giving $s_{kA}$; $x$ leaves on the random-number transmission channel ($F_c$ with $p_E$ at Eve, then $F_t$ with $p_B$ at Bob) and $\bar x$ on the public channel ($\bar y = \bar x$). Receiver: $D_a$: decoding (with $k_e$) giving $\tilde y'$; $D_b$: error correction giving $\tilde y$; $S$: privacy amplification giving $s_{kB}$. Eve obtains $z$, $\bar z$, and $s_{kA}^*$.]
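As an added illustration of Method 1 (example code written for this edit, not code from the paper), the following Python script runs one key-generation unit of the transmitter algorithms $(R_X, E_a, E_b, S)$ and the receiver algorithms $(F_t(F_c), D_a, D_b, S)$ with constructed toy parameters: $E_a$ selects $k = 4$ of the $n_l = 8$ transmitted bits by a permutation seeded from $k_e$ (the paper's concrete $E_a$ of section 5.2 is not on this page, so the key-seeded permutation is an assumption), $E_b$/$D_b$ are a Hamming (7,4) code ($t_c = t_m = 1$), the channel is a memory-less BSC, and $S$ is Toeplitz-matrix universal hashing over $u = 4$ blocks with a public seed. $n_r$ is fixed at 8 for illustration rather than derived from $C_{s0}$, and $k_e$ is a constructed integer rather than an $N_K$-bit string.

```python
import random

# Toy parameters, constructed for this illustration (not the paper's values)
N_L = 8   # bits per block on the noisy channel (n_l)
K = 4     # information symbols per block (k); Hamming (7,4) gives n = 7
U = 4     # blocks per key-generation unit (u)
N_R = 8   # secret key length (n_r); the paper bounds it by u*n*C_s0


def derive_permutation(k_e, n_l):
    """Permutation of the n_l positions seeded by the common key k_e.
    Assumption: the paper's concrete E_a (section 5.2) is not on this page,
    so any key-dependent permutation stands in for it here."""
    return random.Random(k_e).sample(range(n_l), n_l)


def select_info(block, perm):
    """E_a (Alice) / D_a (Bob): the first K permuted positions are the
    information symbols; the other n_l - k bits carry no key material."""
    return [block[perm[i]] for i in range(K)]


def hamming74_encode(d):
    """E_b: parity symbols x_bar for information symbols d = [d1, d2, d3, d4]."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]


def hamming74_decode(d, p):
    """D_b: correct at most one error (t_c = t_m = 1) in the 7-bit word
    p1 p2 d1 p3 d2 d3 d4 and return the corrected information symbols."""
    cw = [p[0], p[1], d[0], p[2], d[1], d[2], d[3]]
    s1 = cw[0] ^ cw[2] ^ cw[4] ^ cw[6]
    s2 = cw[1] ^ cw[2] ^ cw[5] ^ cw[6]
    s3 = cw[3] ^ cw[4] ^ cw[5] ^ cw[6]
    pos = s1 + 2 * s2 + 4 * s3   # the syndrome is the 1-based error position
    if pos:
        cw[pos - 1] ^= 1
    return [cw[2], cw[4], cw[5], cw[6]]


def privacy_amplification(bits, n_r, seed):
    """S: universal hashing of the u*k information bits down to n_r bits with
    a Toeplitz matrix T[i][j] = a[i - j + m - 1] over GF(2); the seed that
    picks the matrix is public, as in privacy amplification."""
    m = len(bits)
    a = random.Random(seed).choices([0, 1], k=n_r + m - 1)
    out = []
    for i in range(n_r):
        acc = 0
        for j in range(m):
            acc ^= a[i - j + m - 1] & bits[j]
        out.append(acc)
    return out


def bsc(bits, p, rng):
    """Memory-less binary symmetric channel with bit-error rate p."""
    return [b ^ int(rng.random() < p) for b in bits]


def transmitter(x_blocks, k_e, hash_seed):
    """Alice: (2a) E_a, (2b) E_b, (3) S.  Returns the parity blocks x_bar for
    the public channel and s_kA; the x_blocks go over the noisy channel and
    the information symbols x_tilde never leave the transmitter."""
    perm = derive_permutation(k_e, N_L)
    x_tilde = [select_info(x, perm) for x in x_blocks]
    x_bar = [hamming74_encode(xt) for xt in x_tilde]
    s_kA = privacy_amplification(sum(x_tilde, []), N_R, hash_seed)
    return x_bar, s_kA


def receiver(y_blocks, y_bar, k_e, hash_seed):
    """Bob: (2a') D_a with k_e, (2b') D_b error correction, (3') S."""
    perm = derive_permutation(k_e, N_L)
    y_tilde = [hamming74_decode(select_info(y, perm), yb)
               for y, yb in zip(y_blocks, y_bar)]
    return privacy_amplification(sum(y_tilde, []), N_R, hash_seed)


def run_method1(k_e, p_B, channel_seed=7, hash_seed=99, x_seed=1):
    """One key-generation unit of u blocks; returns (s_kA, s_kB)."""
    rng = random.Random(x_seed)
    x_blocks = [[rng.randrange(2) for _ in range(N_L)] for _ in range(U)]  # R_X
    x_bar, s_kA = transmitter(x_blocks, k_e, hash_seed)
    chan = random.Random(channel_seed)
    y_blocks = [bsc(x, p_B, chan) for x in x_blocks]   # y <- F_t(F_c(x))
    s_kB = receiver(y_blocks, x_bar, k_e, hash_seed)   # y_bar = x_bar (errorless)
    return s_kA, s_kB


if __name__ == "__main__":
    k_e = 0x5EC12E7   # constructed common key, used here as an integer seed
    for p_B in (0.0, 0.02, 0.2):
        s_kA, s_kB = run_method1(k_e, p_B)
        print(f"p_B={p_B:<5} s_kA={s_kA} keys match: {s_kA == s_kB}")
```

With $p_B$ large enough that some block receives two errors in its seven code symbols, $D_b$ miscorrects and $s_{kB} \ne s_{kA}$, which is the failure event bounded by $\varepsilon$ per block in Lemma 1; errors in the $n_l - k$ non-information positions have no effect at all.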
4. Conditional Secrecy Capacity
The framework of Definition 1 (Method 1) aims to achieve the security of Definition 2 by limiting the entropy of the generated secret keys to that of the noise. The idea is the same as that of secrecy capacity [1-4]. However, the secrecy capacity is defined for cases in which secret keys are generated from noise without a common key; it is not defined for the case of using a common key. For this reason, we define the conditional secrecy capacity $C_s$ as a similar quantity. This quantity is defined under the assumption that the common key $k_e$ is secret, and it expresses how many secret-key bits are generated from noise under that assumption, where "secret" means that Eve has no information about the common key. The number of bit errors originating from noise fluctuates statistically. $n$ and $k$ should be sufficiently large to reduce the statistical fluctuations in each block. However, their range might be limited in actual systems. Therefore, we define a $C_s$ that is applicable even to $n$ and $k$ of limited size by introducing the parameter $u$. The following Definition 4 assumes that Alice and Bob share a common key $k_e$ that is kept secret from Eve. This prerequisite is expressed as "$\,|\,k_e \leftarrow K_e$" in the following.

Definition 4 [Conditional secrecy rate and capacity]: In Method 1, the common key $k_e$ is assumed to be kept secret from Eve, and the encoding $E_a$ is assumed to be computationally secure in the sense of Definition 3. Under these assumptions, if the following four conditions are satisfied for a given $\gamma > 0$, $R_s$ is called the conditional secrecy rate for the given $\gamma$. The maximum of $R_s$ is $C_s$ and is called the conditional secrecy capacity for the given $\gamma$.

(1) $\Pr\{S_{kA}^{n_r} \ne S_{kB}^{n_r} \,|\, k_e \leftarrow K_e\} < \gamma$
(2) $\Pr\{ I(S_{kA}^{n_r} \,|\, k_e \leftarrow K_e ; S_{kE}^{n_r}) / n_r < \gamma \} > (1-\gamma)\{1 - 1/2^k - 1/P(N_K)\}$
(3) $\log|\mathcal S_{kA}^{n_r}| / n_r < H(S_{kA}^{n_r} \,|\, k_e \leftarrow K_e) / n_r + \gamma$
(4) $\Pr\{ H(S_{kA}^{n_r} \,|\, k_e \leftarrow K_e) / un > R_s - \gamma \} > 1 - \gamma$

Here, $S_{kE}^{n_r}$ is the $n_r$-bit secret key generated from $Z^{n_l}$ and $\bar Z^{u(n-k)}$ through Eve's arbitrary guess. Item (1) assures that Alice and Bob can communicate with each other with a sufficiently small error probability. Item (2) assures that the leaks of the secret keys to Eve are sufficiently small. The factor $(1-\gamma)$ in $\Pr\{\ldots\} > (1-\gamma)\{1 - 1/2^k - 1/P(N_K)\}$ accounts for the rare case in which the number of bit errors in $un$ symbols is extremely small owing to statistical fluctuations. The factor $\{1 - 1/2^k - 1/P(N_K)\}$ reflects the assumption that the encoding $E_a$ is computationally secure in the sense of Definition 3. Item (3) assures the uniformity of $S_{kA}^{n_r}$. Item (4) gives the condition that $R_s$ should satisfy in accordance with items (1)–(3). The form $\Pr\{\ldots\} > 1 - \gamma$ accounts for the rare case in which the number of bit errors is extremely small, as in item (2). Reference [19] describes the theory of privacy amplification, which is the method used to generate the secret key $S$. Let Alice's and Bob's information be a random $n_A$-bit string with uniform distribution over $\{0,1\}^{n_A}$, and let Eve's corresponding information be $n_E$ bits. Let any $n_s$ with $0 < n_s < n_A - n_E$ be a safety parameter, and let $n_r = n_A - n_E - n_s$. Theorem 3 and Corollary 5 of Ref. [19] respectively give $H(S_{kA}^{n_r}) \ge n_r - 2^{\,n_r - R(X^{n_A})}/\ln 2$ and $I(S_{kA}^{n_r}; S_{kE}^{n_r}) \le 2^{-n_s}/\ln 2$ when Alice and Bob generate an $n_r$-bit string from an $n_A$-bit string by universal hashing [19].
Here, $R(X^{n_A})$ is the Rényi entropy for collisions in two independent trials, given by $R(X^{n_A}) = -\log P_c(X^{n_A})$ with $P_c(X^{n_A}) = \sum_{x \in \{0,1\}^{n_A}} P_o(x)^2$, where $P_o(x)$ is the occurrence probability of $x \in \{0,1\}^{n_A}$; $S_{kE}^{n_r}$ is the result of Eve's arbitrary guess. Eve's information is $n_E$ bits, but it is not restricted to $n_E$-bit strings. The claims of Theorem 3 and Corollary 5 in Ref. [19] are applicable to Method 1 under the condition that the common key $k_e$ is secret. The parameters $n$ and $k$ in Method 1 are determined such that signals with a bit-error rate of $p_B$ are error-correctable. Let $t_c$ be the number of bit errors definitely correctable per block, i.e., the lower limit of the maximum number of errors that can be corrected. Let $t_m$ be the upper limit of the maximum number of errors that can be corrected per block; bit errors up to $t_m$ have the possibility of being corrected, but the possibility is indefinite. The numbers $t_c$ and $t_m$ are characteristic parameters of the code used. Definition 4 considers the statistical fluctuations of the bit errors. Now, let us define some quantities as preparation. Let the number of Eve's bit errors per $u$ blocks of information symbols be $n_u^e$, let its average be $\bar n_u^e = ukp_E$, and let its standard deviation be $\sigma_u$. Let $\mathbb R_{>0} = \{r \,|\, r > 0\}$. Lemma 1:
In Method 1, the common key $k_e$ is assumed to be kept secret from Eve. Let the transmission channel be a memory-less binary symmetric channel (BSC). Let $p_{\sigma E} = p_E(\bar n_u^e - r\sigma_u)/\bar n_u^e$, using an $r \in \mathbb R_{>0}$ that satisfies $\Pr\{n_u^e < \bar n_u^e - r\sigma_u\} < \gamma$ for a small given $\gamma > 0$. Let $n_s$ be the safety parameter in the secret key generation $S$. If the encoding $E_a$ is computationally secure in the sense of Definition 3, the four conditions in Definition 4 can be satisfied by appropriately selecting the parameters $n$, $k$, $u$, and $n_s$ for the small given $\gamma > 0$. The conditional secrecy capacity for the given $\gamma$ is $C_s \ge (k - t_m)/n \cdot h(p_{\sigma E}) - n_s/un$, where $h(p) = -p\log p - (1-p)\log(1-p)$ is the binary entropy function (see Fig. 3). The whole secret key $S_{kA}^{n_r}$ is assumed to be used for message transmissions.

Proof: (1) Let $n_{eb}$ be the number of Bob's bit errors per block of code. Let $\varepsilon > 0$ be a parameter that satisfies $1 - (1-\varepsilon)^u \le \gamma$. The parameters $n$ and $k$ are determined such that $\Pr\{n_{eb} > t_c\} < \varepsilon$ for the small given $\varepsilon > 0$. Bob can generate $\tilde Y^k$ from $Y^{n_l}$ by using the common key $k_e$, and he can correct all the errors except with the small probability $\Pr\{n_{eb} > t_c\} < \varepsilon$. In this case, $\Pr\{S_{kA}^{n_r} \ne S_{kB}^{n_r} \,|\, k_e \leftarrow K_e\} = 1 - [1 - \Pr\{n_{eb} > t_c\}]^u < 1 - (1-\varepsilon)^u \le \gamma$. Thus, Definition 4(1) is satisfied.

(2) According to the assumption, the probability with which Eve successfully generates $\tilde X^k$ without $k_e$ in one arbitrary trial is bounded by $1/2^k + 1/P(N_K)$. Let us suppose that Eve does not succeed in generating $\tilde X^k$. Even in this case, she obtains $Z^{n_l}$ and $\bar Z^{n-k}$. Because all of $S_{kA}^{n_r}$ is used in the message transmissions in accordance with the assumption, the $\tilde X^k$-related information obtainable by Eve is restricted to $Z^{n_l}$ and $\bar Z^{n-k}$. First, let us consider the information that Eve obtains from $Z^{n_l}$ only. Because Eve does not have $k_e$, $H(\tilde X \,|\, \tilde Z) \le H((\tilde X \,|\, k_e \leftarrow K_e) \,|\, \tilde Z)$ is satisfied. Here, let "$\tilde X \,|\, k_e \leftarrow K_e$" be denoted by $\tilde X_e$ for simplicity.
Then, $H(\tilde X \,|\, \tilde Z) \le H(\tilde X_e \,|\, \tilde Z)$. If Eve's information is only $Z^{n_l}$, even though $\tilde Z^k$ is generated from $Z^{n_l}$, the amount of information she gets is unchanged, i.e., $H(\tilde X_e \,|\, \tilde Z) = H(\tilde X_e \,|\, \tilde Z Z)$. $H(\tilde X_e \,|\, \tilde Z Z) \le H(\tilde X_e \,|\, Z)$ is generally satisfied. Thus, $H(\tilde X \,|\, \tilde Z) \le H(\tilde X_e \,|\, Z)$. Because $X$ is a binary random number with a uniform distribution, $\tilde X$ generated from $X^{n_l}$ with permutations also has this property, i.e., $H(X) = H(\tilde X) = 1$. Thus, $I(\tilde X; \tilde Z) = H(\tilde X) - H(\tilde X \,|\, \tilde Z) \ge H(\tilde X_e) - H(\tilde X_e \,|\, Z) = I(\tilde X_e; Z)$. Next, let us consider the information that Eve obtains from $\bar Z^{n-k}$ as well as $Z^{n_l}$. When $\tilde Z^k$, a permutation of $Z^{n_l}$, and $\bar Z^{n-k}$ function as a code, $\tilde Z^k$ is error-corrected and Eve obtains $\tilde X^k$. This case is included in the case in which Eve succeeds in generating $\tilde X^k$. Because we are discussing the case in which Eve does not succeed in generating $\tilde X^k$, $\tilde Z^k$ and $\bar Z^{n-k}$ do not function as a code. In this case, Eve cannot correct errors, but $\bar Z^{n-k}$ contains redundant information for correcting at most $t_m$ bits of the errors in $\tilde Z^k$, where $t_m$ is a characteristic parameter of the code used. If the function of $\bar Z^{n-k}$ is evaluated most advantageously from Eve's standpoint, the effect of $\bar Z^{n-k}$ is to restore $H(\tilde X) - H(\tilde X \,|\, \tilde Z)$ to $H(\tilde X)$ for at most $t_m$ symbols of $\tilde Z^k$ (see Fig. 3(c)). For the remaining $(k - t_m)$ symbols, the mutual information $H(\tilde X) - H(\tilde X \,|\, \tilde Z)$ is unchanged because of the correction limit of the code used. Hence, when Eve does not succeed in generating $\tilde X^k$, the amount of information per $u$ blocks is $n_E \le ut_m H(\tilde X) + u(k - t_m)[H(\tilde X_e) - H(\tilde X_e \,|\, Z)] \le ut_m H(\tilde X) + u(k - t_m)[H(\tilde X) - H(\tilde X \,|\, \tilde Z)]$. Because $H(\tilde X) = H(\tilde X_e) = 1$, $n_E \le ut_m + u(k - t_m)[1 - H(\tilde X \,|\, \tilde Z)]$. Using the average bit-error rate, $H(\tilde X \,|\, \tilde Z) = h(p_E)$.
However, if the actual number of bit errors in one block is less than the average number determined by $p_E$, Eve actually obtains more information than the average amount. Therefore, we must take Eve's situation into account by considering the statistical fluctuations of the bit errors. In particular, we consider the statistical fluctuations over $u$ blocks of the bit sequence, because the unit of secret key generation is $u$ blocks. Because $H(\tilde X \,|\, \tilde Z)$ is described by a bit-error rate, we describe the statistical fluctuations by those of the bit-error rate evaluated for every $u$ blocks of the bit sequence. Because $p_{\sigma E} = p_E(\bar n_u^e - r\sigma_u)/\bar n_u^e$ is defined using an $r$ that satisfies $\Pr\{n_u^e < \bar n_u^e - r\sigma_u\} < \gamma$, $H(\tilde X \,|\, \tilde Z)$ in each sequence of $u$ blocks satisfies $H(\tilde X \,|\, \tilde Z) \ge h(p_{\sigma E})$ except with the small probability $\Pr\{n_u^e < \bar n_u^e - r\sigma_u\} < \gamma$. In this case, $n_E \le ut_m + u(k - t_m)[1 - h(p_{\sigma E})]$. Because Alice's information per $u$ blocks is $n_A = uk$, we have $n_A - n_E \ge u(k - t_m)h(p_{\sigma E})$. Let $n_r = n_A - n_E - n_s$ for any positive safety parameter $n_s < n_A - n_E$. According to Corollary 5 in Ref. [19], $I(S_{kA}^{n_r} \,|\, k_e \leftarrow K_e ; S_{kE}^{n_r}) \le 2^{-n_s}/\ln 2$ can be achieved by universal hashing. Because $n_A - n_E = O(u)$, $n_s$ and $n_r$ can also be chosen to be $O(u)$. Thus, $I(S_{kA}^{n_r} \,|\, k_e \leftarrow K_e ; S_{kE}^{n_r})/n_r \le 2^{-n_s}/(n_r \ln 2) < \gamma$ can be satisfied for the given $\gamma$ by appropriately choosing $u$. (In this report, the notations $O(u)$ and $O(1/u)$ are used for $u \to \infty$.) This relation is satisfied except with the small probability $\Pr\{n_u^e < \bar n_u^e - r\sigma_u\} < \gamma$, and only in the case that Eve does not succeed in generating $\tilde X^k$. $p_d$ in Definition 3 is the probability of successfully guessing the information symbols of one block. Let $p_d^u$ be this probability for $u$ blocks. Generally, $1 - p_d^u \ge 1 - p_d$, and from the assumption, $1 - p_d > 1 - 1/2^k - 1/P(N_K)$. Thus, $1 - p_d^u > 1 - 1/2^k - 1/P(N_K)$.
According to the above-mentioned two conditions, Pr{ I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ } > (1 – γ )(1 – p d u ). Hence, Pr{ I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ } > (1 – γ ){1 – 1/2 k – 1/ P ( N K )}, and Definition 4(2) is satisfied. (3) According to Theorem 3 in Ref. [19], H ( S kA n r | k e ← K e ) ≥ A1 nr XRnr n is obtained. Definition 1 assumes that P o ( x ) has a uniform probability, and thus P c ( X n A ) = AA1 n P x x = 2 - n A and R ( X n A ) = –log P c ( X n A ) = n A . Thus, H ( S kA n r | k e ← K e ) ≥ A nnr r n . Because n r – n A = – n E – n s , and n s and n r are chosen to satisfy r s n n , the relation H ( S kA n r | k e ← K e )/ n r ≥ r sE n nn ≥ r s n n > 1 – γ is obtained. Because of | S kA n r | = n r , log | S kA n r |/ n r = 1 is obtained. Thus, H ( S kA n r | k e ← K e )/ n r > log | S kA n r |/ n r – γ is satisfied. Hence, Definition 4(3) is satisfied. (4) Using H ( S kA n r | k e ← K e ) ≥ A nnr r n , n r = n A – n E – n s , and n A – n E ≥ u ( k – t m ) h ( p σ E ), which is satisfied except for the small probability Pr{ n u e < e u n – rσ u } < γ , we obtain H ( S kA n r | k e ← K e )/ un + γ ≥ A ununn nnr r + γ ≥ ( k – t m ) /n · h ( p σ E ) – n s / un + ( γ – E un nn s ). Using γ > r s n n > un s n > E un nn s , we obtain ( γ – E un nn s ) > 0. Therefore, H ( S kA n r | k e ← K e )/ un + γ > ( k – t m ) /n · h ( p σ E ) – n s / un . Definition 4 (4) requires H ( S kA n r | k e ← K e )/ un + γ > R s except for the small probability Pr{ n u e < e u n – rσ u } < γ . If R s = ( k – t m ) /n · h ( p σ E ) – n s / un is selected, it satisfies Definition 4 (4). As long as R s is less than that, Definition 4 (4) is satisfied. Therefore, the selected value is the lower bound of C s , where C s is the maximum of R s . 
Thus, if n , k , u , and n s are appropriately selected in accordance with the above discussion, the conditional secrecy capacity for the given γ is C s ≥ ( k – t m ) /n · h ( p σ E ) – n s / un . □
Let C s0 be the lower bound of C s in Lemma 1, i.e., C s0 = ( k – t m ) /n · h ( p σ E ) – n s / un . The conditional secrecy capacity originates from the entropy h ( p σ E ) of bit errors, as shown in Fig. 3. The common key is used only for transforming the entropy h ( p u E ) of bit errors into that of secrecy keys. Therefore, the conditional secrecy capacity maintains C s > 0 for repeated use of k e . Method 1 restricts the secret key-generation rate to C s0 in order to repeatedly use the common key k e . Lemma 1 assumes that Method 1 is computationally secure in the sense of Definition 3, and it is in Lemma 11 that security is proved. The reason why Lemma 1 is shown here prior to Lemma 11 is to determine the amount of S kA n r , i.e., n r ≤ unC s0 . For simplicity, Lemma 1 assumes that all of S kA n r is used in message transmissions. On the other hand, the case in which only part of S kA n r is used in message transmissions is as follows. For example, when n r ’ bits are used in message transmissions and ( n r – n r ’) bits are leaked to Eve, C s0 is transformed into C s0 ’ = ( unC s0 – n r + n r ’)/ un . Although the conditional secrecy capacity varies depending on the amount of leaked information, the fact that unC s0 ’ indicates the capacity actually needed in message transmissions does not change. For this reason, Lemma 1 assumed that all of S kA n r is used in message transmissions.
Fig. 3
Amount of information in the key-agreement protocol. Colored areas indicate information that Eve and Bob have. Faded colors indicate the range of statistical fluctuations. Blank areas indicate no information. u is the unit of secret key generation. (a) Eve’s received amount of information, evaluated in terms of the BER of p E information theoretically. Here, p σ E = E2EE uuu nrnp and p σ E ’ = E2EE uuu nrnp . (b) Bob’s received amount of information. (c) Eve’s amount of information after considering the redundant information. (d) Bob can correct errors using the common key k e . (e), (f) Eve’s amount of information is deleted in the privacy amplification, where the statistical fluctuations of bit errors are considered. The remaining amount of information is secret. The term related to the safe parameter n s is not drawn because it is so small.
5. Coding
The conditional secrecy capacity in Lemma 1 includes a parameter t m that is the upper limit of the maximum number of errors that can be corrected per block. Therefore, we need to clarify t m in Method 1. For this purpose, an ( n , k ) linear code like Reed-Solomon (RS) code can be used [22,23]. We cannot use recent high-performance codes that use “probabilistic” characteristics like Low Density Parity Check (LDPC) code instead of algebraic codes [22,23], because their performance is near the Shannon limit, and the upper limit of their maximum number of errors that they can correct is not definite. t mc that an algebraic code can correct is determined by the Hamming distance between code word vectors. Here, the algebraic code is not limited to a binary code, and t mc is defined for a general code. When the coding is binary, t mc = t m , and when it is over GF(2 m ), t m = mt mc . There is a theorem called the Singleton bound for an ( n , k ) linear code, i.e., d ≤ n – k + 1, where n is the code word length, k is information symbol length, and d is minimum distance [22,23]. When equality is satisfied in this theorem, the corresponding code is called a maximum distance separable (MDS) code. Reed-Solomon is the most practical such code. When the Hamming weight w H ( e ) of an error e is w H ( e ) ≤ ( d –1)/2, the error can be exactly corrected. This is a classical bound in error correction. When ( d –1)/2 < w H ( e ) ≤ d –1, the candidates for the code word vectors can be listed, and the error has the possibility of being corrected (list decoding). However, when w H ( e ) is beyond d –1, the code word vector with the error usually enters the region of another code word vector and the error is not correctly detected. MDS codes have this characteristic for almost all errors, and the upper limit of the maximum number of errors that the codes can correct is given by the distance t mc = d –1. 
This distance is equal to n – k in MDS codes, i.e., t mc = n – k , and this is intuitively understandable because n – k is the number of redundant code words. The estimate of t mc = n – k for the upper limit of the maximum number of errors that the codes can correct has a sufficient margin, because although recent studies have shown the possibility of list decoding [24,25], correctability is restricted to the relatively nearby region of ( d –1)/2 for practical choices of n and k . The above paragraph describes the case of hard-decision decoding. There is also soft-decision decoding. However, soft-decision decoding extends the classical bound only by one or a few code words depending on the code employed [26,27]. This quantity is sufficiently small compared with the t mc = d –1 bound described above for list decoding for sufficiently large d . As described above, MDS codes are excellent from the viewpoint of clarifying the upper limit of the maximum number of errors t mc that the codes can correct. For that reason, any practical system would use MDS codes. The example shown in sections 6.1.2 and 7.2 is a case of using MDS codes.
5.2 Concrete coding method
This section describes a concrete example of the encoding E a and E b . Encoding E a divides x ( N K ) ∈ {0, 1} N K into b I( N 1) ∈ {0, 1} N 1 and b II( N 2) ∈ {0, 1} N 2 by using k e ∈ {0, 1} N K . E b encodes b I and b II independently by using an ( n , k ) linear code over GF(2 m ). Here, N 1 and N 2 satisfy N 1 + N 2 = N K . The following is a concrete example of E a and E b .
Coding 1 [with common key]:
E a : {0, 1} N K ×{ k e } → {0, 1} N 1 ×{0, 1} N 2 , x ( N K ) × k e ⟼ b I( N 1) × b II( N 2) , where x → b I for k e = 1 and x → b II for k e = 0.
E b [Systematic ( n , k ) coding over GF(2 m )]: {0, 1} mk → {0, 1} m ( n - k ) , b I ⟼ c I and b II ⟼ c II . Here, c I and c II are respectively the parity check symbol vectors of b I and b II .
N 1 and k satisfy - r σ ≤ N 1 – N̄ ≤ r σ and N̄ + r σ ≤ mk for r > 0, typically r = 3, where N̄ = N K /2 and σ = √( N K /4). k e is repeatedly used. The above restrictions on N 1 and k are to prevent Eve from deriving the common key k e part-by-part, as will be described in section 5.3. N 1 and N 2 respectively denote the numbers of “1”s and “0”s in k e ∈ {0, 1} N K . Figure 4 schematically shows Coding 1. The random number sequence x ∈ {0, 1} n l is divided into two groups depending on “0” and “1” in k e . The first bit of k e is “1” in Fig. 4, and the first bit of x is allocated to group I. The second bit of k e is “0,” and the second bit of x is allocated to group II. Subsequent bits are similarly allocated. Random numbers in each group are error-correcting coded independently group-by-group. Because the coding is group-by-group, if the grouping is not correctly done in the receiver, parity check symbols cannot be used. Because Eve does not know the common key, she cannot divide the random number sequence into groups or correct the bit errors. This impossibility makes secret communications possible. The common key needs to be extended to handle a long random number sequence x . However, we will simply use k e repeatedly to evaluate the basic performance of this method. Of course, were there an extension that used k e as a seed key of pseudo-random numbers, its cryptographic power would be computationally strengthened. The reason why the notations x ( N K ) , b I( N 1) , and b II( N 2) are introduced is to differentiate them from x ∈ {0, 1} n l and b I , b II ∈ {0, 1} mk , respectively.
Fig. 4
Coding 1 schematically described. A random number sequence is divided into two groups in accordance with the “0s” and “1s” in the common key. Each group is independently error-correcting coded. In this figure, the key length is N K = 8, the information symbol length is k = 6, the parity check symbol length is n – k = 2, and m = 1.
k e , the random number sequence x itself consists of true random numbers, and it never reflects k e . However, because Eve can get redundant information z = x (the parity check symbols c I and c II in Coding 1), she can possibly derive k e from it. The restrictions on N 1 and k imposed in Coding 1 are to minimize this possibility. In this section, we discuss these restrictions. Lemma 2:
In Coding 1 using a common key k e , if max( N 1, N 2) ≤ mk , then all information of the common key k e is needed even when coding one block. Proof:
When each symbol of x of N K bits is allocated to b I or b II using k e in accordance with Coding 1, if max( N 1, N 2) ≤ mk , the numbers of b I and b II are less than or equal to mk . Therefore, all information of the common key is needed even when coding one block. □
When a block code is used, the k e -deriving process using parity check symbols must be performed in units of one block. If max( N 1, N 2) > mk , there is part of k e that is not used for forming one block, and deriving part of k e becomes possible. Therefore, N K and k should be determined under the condition of max( N 1, N 2) ≤ mk . Let us describe N 1 and N 2 as functions of k e , i.e., N 1( k e ) and N 2( k e ). If we wholly consider {0, 1} N K as k e , max k e ( N 1( k e ), N 2( k e )) = N K . However, many cases satisfy N 1( k e ) ~ N 2( k e ) ~ N K /2; therefore, we will restrict the set of common keys to the case satisfying N 1( k e ) ~ N 2( k e ) ~ N K /2 as follows.
[Set of common keys k e ]: The set K e of common keys k e of length N K is restricted to K e = { k e ∈ {0, 1} N K | - r σ ≤ N 1( k e ) – N̄ ≤ r σ }. Here, r is a design parameter that is typically chosen to be 3.
Because N 1( k e ) + N 2( k e ) = N K , if - r σ ≤ N 1( k e ) – N̄ ≤ r σ , then automatically - r σ ≤ N 2( k e ) – N̄ ≤ r σ . Therefore, if k e ∈ K e , then max k e ( N 1( k e ), N 2( k e )) = ⌊ N̄ + r σ ⌋, where ⌊ x ⌋ denotes the maximum integer ≤ x . Thus, if k is determined according to ⌊ N̄ + r σ ⌋ ≤ mk , all of k e is used to form one block in accordance with Lemma 2. The restrictions imposed on N 1 and k in Coding 1 are for the above reasons.
Pr{ k e ’ ∈ K e } for k e ’ ∈ {0, 1} N K is estimated as follows. The probability that each bit of a randomly chosen k e ’ is 0 or 1 is p = 1/2. Thus, N j ( k e ’) ( j = 1 and 2) obeys the binomial distribution P ( N j ( k e ’)) = C( N K , N j ) p N j (1 – p ) N K – N j . The average is N̄ = N K /2, and the variance is N K p (1 – p ) = N K /4. Thus, Pr{ k e ’ ∈ K e } = Σ_{ N j = ⌈ N̄ – r σ ⌉}^{⌊ N̄ + r σ ⌋} P ( N j ), where ⌈ x ⌉ denotes the minimum integer ≥ x . Let δ = Pr{ k e ’ ∈ {0, 1} N K ∖ K e }. δ is given by δ = 1 – Pr{ k e ’ ∈ K e }. For example, when r = 3 and the binomial distribution is approximated with a normal distribution, Pr{ k e ’ ∈ K e } = 0.9973, and δ = 0.0027.
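As an added example (not code from the paper), the following Python toy reproduces Coding 1 with the Fig. 4 parameters ( m = 1, n = 8, k = 6, N K = 8): the common key splits the bit sequence into groups I and II, each group is encoded block by block with a systematic binary (8,6) code whose parity part G p is a constructed choice, and a receiver-side syndrome check shows why the parity symbols are unusable without the right grouping. It also enumerates the set B of Lemma 3 below for this code, confirming that one parity vector leaves 2^{ mk – m ( n – k )} = 16 information vectors open. The key bits and the 48-bit stand-in for x are constructed values.

```python
"""Toy version of Coding 1 with m = 1, n = 8, k = 6 and an 8-bit common key,
as drawn in Fig. 4. Added example, not code from the paper; the parity part
G_p of the systematic (8,6) binary code is a constructed choice."""
from itertools import product

N, K = 8, 6  # code word length and information length (m = 1, binary)

# Constructed G_p: row i lists, for each of the n-k parity bits, whether
# information bit i is XORed into it. Its two columns are independent, so
# every parity vector has exactly 2^(k-(n-k)) preimages.
G_P = [(1, 0), (1, 0), (1, 1), (1, 1), (0, 1), (0, 1)]


def parity(info):
    """E_b for one block: parity vector c = b G_p over GF(2)."""
    assert len(info) == K
    return tuple(sum(b * g[j] for b, g in zip(info, G_P)) % 2
                 for j in range(N - K))


def split_by_key(bits, key):
    """E_a: bit i goes to group I if the key bit is 1, to group II if it is 0.
    The key is reused cyclically, the paper's simplifying assumption."""
    group_i, group_ii = [], []
    for i, bit in enumerate(bits):
        (group_i if key[i % len(key)] else group_ii).append(bit)
    return group_i, group_ii


def encode_group(bits):
    """Cut a group into k-bit blocks and compute the parity of each block.
    Trailing bits that do not fill a block are left unencoded."""
    blocks = [tuple(bits[i:i + K]) for i in range(0, len(bits) - K + 1, K)]
    return blocks, [parity(b) for b in blocks]


def coding1(bits, key):
    """Full Coding 1: returns ((b_I blocks, c_I), (b_II blocks, c_II))."""
    b_i, b_ii = split_by_key(bits, key)
    return encode_group(b_i), encode_group(b_ii)


def syndromes(received, key, c_i, c_ii):
    """Receiver side: regroup the received bits with a key, recompute the
    parity of every block and XOR it with the received parity symbols.
    All-zero syndromes mean the grouping and the block contents agree with
    the sender's; with a wrong grouping the parity symbols cannot be used."""
    (_, zc_i), (_, zc_ii) = coding1(received, key)
    xor = lambda p, q: tuple(a ^ b for a, b in zip(p, q))
    return ([xor(p, q) for p, q in zip(zc_i, c_i)],
            [xor(p, q) for p, q in zip(zc_ii, c_ii)])


def preimages(parity_vec):
    """Lemma 3: the set B of information vectors b' with b' G_p = c. For a
    full-rank G_p it has 2^(mk - m(n-k)) = 2^4 = 16 elements, i.e. the
    parity symbols alone pin down only n-k of the k information bits."""
    return [b for b in product((0, 1), repeat=K) if parity(b) == parity_vec]


# Constructed input: the key of Fig. 4 and a fixed 48-bit stand-in for the
# true random sequence x (six periods of the key).
KEY = (1, 1, 0, 1, 1, 1, 0, 0)
X = tuple(int(ch) for ch in
          "01101100" "10101101" "10101101" "10101101" "01101011" "01011010")

if __name__ == "__main__":
    (blocks_i, c_i), (blocks_ii, c_ii) = coding1(X, KEY)
    print("group I blocks :", len(blocks_i), "parities:", c_i)
    print("group II blocks:", len(blocks_ii), "parities:", c_ii)
    print("syndromes with the right key:", syndromes(X, KEY, c_i, c_ii))
    # A receiver using a misaligned key regroups differently; its recomputed
    # parities match the transmitted ones only by chance (2^-(n-k) per block).
    wrong = KEY[1:] + KEY[:1]
    print("syndromes with a shifted key:", syndromes(X, wrong, c_i, c_ii))
    print("|B| for parity (0, 0):", len(preimages((0, 0))))
```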
6. Deriving the common key
The process by which Eve tries to derive the common key k e is equivalent to her trying to derive x ( x *) of one block as described in this section. To derive secret key s kA in Method 1, u blocks of x are needed. Therefore, the computational complexity of deriving s kA is at least that of deriving k e as shown in Lemma 10. Thus, we first evaluate the computational complexity of deriving k e . The information obtainable by Eve is z ( z *), c I ( c I *), c II ( c II *), and s kA * that is not used in message transmissions, where c I * and c II * are the parity check symbol vectors corresponding to z *. First, we will consider that only z ( z *), c I ( c I *), and c II ( c II *) are leaked and estimate the computational complexity of deriving k e . Section 6.1.1 considers the case without bit errors, and section 6.1.2 considers the case with bit errors. Next, section 6.2 takes s kA * into consideration, and it is shown that the computational complexity of deriving k e does not decrease even if s kA * is taken into consideration (Lemma 8). Using these results, the computational complexity of deriving k e is quantified (Lemma 9), and Method 1 using Coding 1 is proved to be computationally secure in the sense of Definition 2 (Theorem 1).
c I and c II in Method 1, if x ( y ) is transmitted without bit errors ( z = x ), she can derive k e . Let us estimate the computational complexity of deriving k e . The routine of Coding 1 is “ x ( N K ) × k e ⟼ b I( N 1) × b II( N 2) , b I × b II ⟼ c I × c II .” The information that Eve can obtain is z and c I × c II . Because z itself has no information, the derivation of k e is based on c I × c II . Here, b I × b II are derived from c I × c II , and then k e is derived by comparing b I × b II and z . Figure 5 shows the relation between the random number sequence and the first block of group I. Let G be the set of all elements over GF(2 m ).
Let b ∈ G k be an information symbol vector in the first block of group I that is obtained from a random number sequence x using k e . We will describe x → b as b = f ( x | k e ), where b is a row vector with k components over GF(2 m ). Let c (p0) ∈ G n – k be the parity check symbol vector corresponding to b . c (p0) is given by c (p0) = b G p , where G p is the parity check symbol generating part of the generator matrix G . The following lemma states a quantitative property about c (p0) . Lemma 3:
When only a parity check symbol vector is given in an ( n , k ) linear code over GF(2 m ), 2 mk /2 m ( n – k ) kinds of information symbol vectors exist for each parity check symbol vector. Proof:
An ( n , k ) linear code over GF(2 m ) consists of mk bits of information symbols and m ( n – k ) bits of parity check symbols. When the information symbols are derived from only parity check symbols, mk – m ( n – k ) bits cannot be determined. Therefore, 2 mk – m ( n – k ) kinds of information symbols exist for each parity check symbol vector. □ Let us define the set B for the 2 mk /2 m ( n – k ) kinds of information symbol vectors that are associated with c (p0) : B ={ b ’ | c (p0) = b ’ G p }. Of course, b ∈ B . Next, we define the set K e0 by using B and K e : K e0 ={ k e ’ ∈ K e | b ’= f ( x | k e ’) ∈ B }. The elements of K e0 are the candidates of the common key. The number of candidates can be determined as follows: Lemma 4:
Suppose a common key k e ∈ K e is used according to Coding 1. A random number sequence and a parity check symbol vector for the first block of group I or II are exactly given, and one of the positions of the random number sequence corresponding to the first bit of the common key is given to form the first block. The number of the candidates for the common key in this case is N cand = 2 N K – m ( n – k ) (1– δ ) on average. Here, (1– δ ) is a factor due to k e ∈ {0, 1} N K ∖ K e . Proof:
Let the random number sequence be x , and let the parity check symbol vector be c (p0) , where the parity check symbol vector is represented by that of the first block of group I. The candidates of the common key are obtained by listing the elements of B , comparing the elements with x , and listing the elements of K e0 . The parity check symbol vectors are of 2 m ( n – k ) kinds, and the number of elements of K e is 2 N K (1– δ ). In this case, when a parity check symbol vector c (p0) is given, the number of candidates of the common key is N cand = 2 N K – m ( n – k ) (1– δ ) on average. □ The information obtainable by Eve about the first block of group I is z = x and c (p0) . According to Lemma 4, Eve can narrow down the candidates of k e to N cand on average. This number can be made tremendously large if we appropriately choose N K , m , n , k , and δ . However, a listing is possible in principle even though no memory with a high enough capacity exists. Eve can check each of the listed elements by decoding the blocks of group II and other blocks of group I, and she can continue this process until the candidates of k e have been narrowed down to one. Corollary 1:
Let us assume that only a random number sequence and parity check symbols are given in Method 1 using Coding 1. It is impossible to derive only part of the common key.
Proof:
This claim is apparently true from the fact that deriving the common key is processed in units of one block and that one block is constructed using all the information about the common key, due to the condition N + r σ ≤ mk . □ Corollary 2:
Let us assume that only a random number sequence and parity check symbols are given in Method 1 using Coding 1. The computational complexity of deriving at least one bit of the common key is O ( N cand ) under the condition that no bit errors exist. In other words, an exhaustive search of N cand is needed. Proof:
Because deriving only part of the common key is impossible according to Corollary 1, the whole common key needs to be derived even for only one bit. In this case, the computational complexity is O ( N cand ) because the process in narrowing down the candidates of the common key based on Lemma 4 involves the complexity of O ( N cand ). □
Fig. 5
Relation between random number sequence and information symbols + parity check symbols in the first block of group I. Here, z = x e .
n , k ) code over GF(2 m ) is mk bits, and the average number of bit errors is n̄ e = p E mk in one block. The number of bit-error patterns is C( mk , n̄ e ), and it can be approximated using Stirling’s formula, n ! ≃ √(2π n ) ( n / e )^ n , as C( mk , n̄ e ) ≃ √( mk / (2π n̄ e ( mk – n̄ e ))) · mk ^ mk / ( n̄ e ^ n̄ e · ( mk – n̄ e )^( mk – n̄ e ) ). The parameters n and k are determined so as to correct errors with a sufficient margin; e.g., the 3 σ region is included inside the error-correctable region with a sufficient margin, where σ is the standard deviation of the bit-error distribution. An MDS code is error-correctable for code word errors satisfying w H ( e ) ≤ ( n – k )/2, as described in section 5.1; therefore, the bit errors up to ( n – k )/2 are exactly correctable, and n̄ e + 3 σ < ( n – k )/2 is the condition for determining k . For example, let us consider the case of m = 8, n = 2 m – 1 = 255, k = 167, and p eff = 0.1, where p eff is the code-error rate given by p eff = 1 – (1 – p E ) m . In this case, n̄ e ≃ , σ ≃ , n̄ e + 3 σ = 29.95 < ( n – k )/2 = 44, and C( mk , n̄ e ) ≃ (1.0 × 2 ). Lemma 5:
Let us assume that only a random number sequence and parity check symbols are given in Method 1 using Coding 1. Let N ep be the number of error patterns in one block. When bit errors exist, the computational complexity of deriving at least one bit of the common key is O ( N ep · N cand ). Proof:
Let us choose the first block of group I as a representative (see Fig. 5). Let e i be an error vector in the first block of group I, where the Hamming weights satisfy w H ( e i ) ≤ ( d – 1)/2, i = 1, 2, 3, … We define b i ’ = b ’ + e i for b ’ ∈ B . Given b i = b + e i and c (p i ) = b i G p , then b i ’ G p = ( b ’ + e i ) G p = ( b ’ + b i – b ) G p = b i G p = c (p i ) , and B ∩ B i = ∅ for B i ={ b i ’ | c (p i ) = b i ’ G p }. Let x e be a random number sequence with bit errors. Moreover, if we define K e i ={ k e i ∈ K e | b i ’= f ( x e | k e i ) ∈ B i }, the elements of K e i are the candidates of the common key in error pattern e i . Similarly, if we define b j = b + e j , c (p j ) = b j G p , B j ={ b j ’ | c (p j ) = b j ’ G p }, and K e j ={ k e j ∈ K e | b j ’= f ( x e | k e j ) ∈ B j } for another error vector e j ( w H ( e j ) ≤ ( d – 1)/2, j ≠ i ), then B ∩ B j = ∅ and B i ∩ B j = ∅ . Because b i ’= f ( x e | k e i ) is a single-valued function, K e i ∩ K e j = ∅ . Thus, there is no overlap between the candidates of the common key for different error vectors. Because the occurrence of each error pattern is probabilistic, Eve must consider all such patterns when deriving the common key and there are candidates of the common key described in Lemma 4 for every pattern. Thus, the computational complexity of deriving at least one bit of the common key is O ( N ep · N cand ) according to Corollary 2. □
For the parameters described in this section, when only the error patterns for the average number n̄ e ≃ O (2 · N cand ) according to Lemma 5. This estimation considers only the error patterns for the average number of errors, while the actual number of bit errors is distributed with a standard deviation of σ around n̄ e . We need to consider all possible error patterns, and their probabilities of occurring as well. The number of patterns when each probability is different can be estimated using the Shannon entropy.
For example, an entropy of 131 bits effectively corresponds to 2^131 error patterns. The parameters used in coding are controlled such that Bob can correct any errors. The number of bit errors is in the error-correctable region, i.e., Pr{ n e > ( d – 1)/2} << 1. Lemma 6:
Let us assume that only a random number sequence and parity check symbols are given in Method 1 using Coding 1. Let n e be the number of bit errors in one block. If Pr{ n e > ( d – 1)/2} << 1 is satisfied, the computational complexity of deriving at least one bit of the common key is O (2^{ H p } · N cand ), where H p ≃ mk · h ( p E ). Proof:
The number of error patterns in one block is C( mk , n e ) for n e bit errors, and the occurrence probability of each error pattern is p n = p E ^ n e (1 – p E )^( mk – n e ). The Shannon entropy of the error-correctable region, i.e., 0 ≤ n e ≤ ( d – 1)/2, is H p = – Σ_{ n e =0}^{( d –1)/2} C( mk , n e ) p n log 2 p n . If Pr{ n e > ( d – 1)/2} << 1 is satisfied, – Σ_{ n e =0}^{( d –1)/2} C( mk , n e ) p n log 2 p n >> – Σ_{ n e =( d –1)/2+1}^{ mk } C( mk , n e ) p n log 2 p n ; therefore, we obtain H p ≃ – Σ_{ n e =0}^{ mk } C( mk , n e ) p n log 2 p n by extending the region of the sum to mk . This quantity considers all error patterns for an mk bit sequence. In this case, it is equal to the equivocation for mk bits, and H p ≃ mk · h ( p E ). Thus, the computational complexity of deriving at least one bit of the common key is O (2^{ H p } · N cand ), and H p ≃ mk · h ( p E ). □
This computational complexity can be checked by making the following rough estimate. Suppose m = 8, k = 167, and p eff = 0.1 ( p E ≃ H p ≃ σ ≃ C( mk , n̄ e ) ≃ , we find that C( mk , n̄ e ) ≃ 2^{ H p }, and 2^{ H p } is surely the effective number of error patterns. The truth or falseness of each candidate can be judged by decoding a sufficient number of blocks with the candidate common key as follows: When a candidate is true, the number of bit errors is distributed around n̄ e in all blocks, and parity check symbols are never an error. In contrast, parity check symbols can be an error when a candidate is false. Moreover, in this case, because the information symbols become a haphazard sequence, the code word vector for it is probabilistically uniformly spread out over the code word vector space, and the number of bit errors is uniformly distributed throughout the correctable error numbers. Thus, each candidate can be judged as being true or false from the distribution of errors if a sufficient number of blocks are checked. Lemma 7:
Let us assume that only random number sequence and parity check symbols are given in Method 1 using Coding 1. The computational complexity of deriving the information symbols of one block, i.e., x ( x *), is equal to that of deriving at least one bit of the common key. Proof:
As shown in the proof of Lemma 4 and the following paragraph, the process of deriving the common key k e consists of listing the candidates of information symbols and k e , checking each candidate k e using other blocks, and obtaining the final solution. The process of deriving the information symbols of a target block also consists of listing the candidates of information symbols and checking them. To check them, the candidates of k e are listed and each candidate k e is checked using other blocks. It is when the final solution of k e is confirmed that the candidate of the information symbols is confirmed. According to Corollary 1, it is impossible to derive only part of the common key. Thus, Lemma 7 is satisfied. □
6.2 Deriving the common key by using s kA *
According to the assumption, Eve obtains not only z ( z *), c I ( c I *), and c II ( c II *) but also s kA * that is not used in message transmissions. Can s kA * ease deriving the common key k e ? The following Lemma 8 sweeps away this concern. The conditional secrecy capacity is C s ≥ C s0 = ( k – t m ) /n · h ( p σ E ) – n s / un for binary coding from Lemma 1. When the coding is over GF(2 m ), n and k are translated into mn and mk , and t m = mt mc . Therefore, C s ≥ C s0 = ( k – t mc ) /n · h ( p σ E ) – n s / umn when the coding is over GF(2 m ). The condition for n r in Method 1 is translated into n r / unm ≤ C s0 . Thus, n r / u ≤ nmC s0 = m ( k – t mc )· h ( p σ E ) – n s / u . Let H s ’ = n r / u and H s = nmC s0 ; then, H s ’ ≤ H s . H s ’ is the number of secret keys generated per block. In Method 1, u ≥ 1. Secret keys are generated from noise. There is a rare case where the number of bit errors is extremely small owing to the statistical fluctuations of noise. We assume that the rare case is bounded with a small quantity γ , i.e., Pr{ n u e < e u n – rσ u } < γ .
In addition, we assume that Eve’s residual information after the secret key generation is also bounded by the small quantity γ , i.e., I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ . Lemma 8:
In Method 1 using Coding 1, the computational complexity of Eve’s deriving at least one bit of the common key is equal to that of deriving it only from a random number sequence and parity check symbols if the effects of Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ are negligible, where γ is a small quantity. Proof:
According to the assumption, Eve can obtain s kA * that is not used for message transmissions. Let us assume that s kA * is generated from the block Eve wants to analyze. If the inverse operation of universal hashing used in generating secret keys were easy for Eve, the information symbols x * in that block could be derived, and the number N s of candidates would satisfy N s ≥ 2 mk – H s’ , where equality corresponds to the case of u = 1. When the information symbols are derived by using one block of parity check symbols, the number of candidates is N p = 2 mk – m ( n – k ) according to Lemma 3. When the error-correcting code works correctly, the amount of redundant information m ( n – k ) exceeds the entropy of the bit errors mk · h ( p E ), i.e., m ( n – k ) ≥ mk · h ( p E ). Because of H s = m ( k – t mc )· h ( p σ E ) – n s / u , mk · h ( p E ) > H s is satisfied. Because H s ≥ H s ’, m ( n – k ) > H s ’. Thus, N p < N s . Next, let us assume that Eve tries to correlate the information in the random-number transmission stage with s kA *. However, because s kA * is generated in the capacity of n r / u ≤ nmC s0 , as long as Eve fails to derive x *, the information in the random-number transmission stage is uncorrelated with s kA * if the effects of Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ are negligible. (See Fig. 3 and proof (2) of Lemma 1.) Without any correlation, it is advantageous for Eve to use the information in the random-number transmission stage when trying to derive the common key, but not to use s kA * because of N p < N s . Therefore, Eve will use the information in the random-number transmission stage until she succeeds in deriving x *. Thus, Lemma 8 is satisfied. □ Pr{ n u e < e u n – rσ u } can be made exponentially small, as follows. The number of bit errors obeys a binomial distribution. 
When it is approximated with a normal distribution, Pr{ n u e < e u n – rσ u } ≃ ∫_{ r }^{∞} e^{– t ²/2} dt = O ( e^{– r ²/2}/ r ), where t = ( n u e – e u n )/ σ u . Thus, Pr{ n u e < e u n – rσ u } is exponentially small if r is appropriately chosen. I ( S kA n r | k e ← K e ; S kE n r )/ n r can also be exponentially small. As described in the proof of Lemma 1, I ( S kA n r | k e ← K e ; S kE n r )/ n r ≤ r s n n . Because n s and n r can be chosen to be O ( umn ), when umn is sufficiently large, r s n n is exponentially small. Thanks to these characteristics, we can choose a sufficiently small γ . Corollary 3:
In Method 1 using Coding 1, the computational complexity of Eve’s deriving x * is equal to that of deriving it only from a random number sequence and parity check symbols if the effects of Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ are negligible, where γ is a small quantity. Proof:
The corollary is apparent from the proof of Lemma 8. □ Lemma 9 follows from Lemmas 6 and 8.
Lemma 9:
In Method 1 using Coding 1, the computational complexity of Eve’s deriving at least one bit of the common key k e is O (2^{ H p } · N cand ) if the effects of Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ are negligible, where γ is a small quantity. Corollary 4:
The effective key length in Method 1 using Coding 1 is N K – m ( n – k ) + mk · h ( p E ) + log (1 – δ ). Proof : The corollary is apparent from log 2 (2^{ H p } · N cand ) = N K – m ( n – k ) + mk · h ( p E ) + log (1 – δ ). □ Corollary 5:
In Method 1 using Coding 1, the computational complexity of Eve’s deriving x ( x *) is O (2^{ H p } · N cand ) if the effects of Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ are negligible, where γ is a small quantity. Proof : The corollary is apparent from Corollary 3 and Lemmas 7 and 9. □
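The following Python script is an added example, not the paper's code: for the parameters of section 6.1.2 ( m = 8, n = 255, k = 167, p eff = 0.1) it computes the bit-error statistics of one block and the margin to ( n – k )/2, the entropy H p of Lemma 6 next to mk · h ( p E ), the probability Pr{ k e ’ ∈ K e } and δ of section 5.3 by an exact binomial sum, the smallest k allowed by ⌊ N̄ + r σ ⌋ ≤ mk , and the effective key length of Corollary 4. The common-key length N K = 2500 is a constructed choice that satisfies that restriction, not a value from the paper.

```python
"""Parameter check for Method 1 with Coding 1 over an MDS code on GF(2^m).

Added example, not the paper's code. For the paper's example parameters
m = 8, n = 255, k = 167, p_eff = 0.1 it computes
  * the bit-error statistics of one block and the margin to the MDS
    correction limit (n - k)/2 (section 6.1.2),
  * H_p, the Shannon entropy of the correctable error patterns (Lemma 6),
    next to its approximation mk * h(p_E),
  * delta = Pr{k_e' not in K_e} for the key set K_e (section 5.3) and the
    smallest k allowed by the restriction floor(N_bar + r sigma) <= mk,
  * the effective key length of Corollary 4.
N_K = 2500 is a constructed common-key length, not a value from the paper.
"""
from math import ceil, comb, exp, floor, lgamma, log, log2, sqrt


def h(p):
    """Binary entropy function in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1 - p) * log2(1 - p)


def bit_error_rate(p_eff, m):
    """Invert p_eff = 1 - (1 - p_E)^m (symbol error rate over GF(2^m))."""
    return 1 - (1 - p_eff) ** (1 / m)


def error_stats(mk, p_e):
    """Mean and standard deviation of the bit errors in one mk-bit block."""
    return mk * p_e, sqrt(mk * p_e * (1 - p_e))


def margin_ok(n, k, m, p_e, r=3):
    """Section 6.1.2 design condition: n_bar_e + r sigma < (n - k)/2, so
    that the r-sigma region lies inside the MDS correction limit."""
    mean, sigma = error_stats(m * k, p_e)
    return mean + r * sigma < (n - k) / 2


def log_binom_pmf(n, j, p):
    """ln Pr{j errors} = ln C(n, j) + j ln p + (n - j) ln(1 - p), via lgamma
    so that large n does not overflow a float."""
    return (lgamma(n + 1) - lgamma(j + 1) - lgamma(n - j + 1)
            + j * log(p) + (n - j) * log(1 - p))


def error_pattern_entropy(mk, p_e, t):
    """H_p of Lemma 6: entropy of the individual error patterns with
    0 <= n_e <= t. The C(mk, j) patterns of weight j share the probability
    p_n = p_E^j (1 - p_E)^(mk - j), so H_p = -sum_j Pr{j} log2 p_n."""
    total = 0.0
    for j in range(t + 1):
        prob_j = exp(log_binom_pmf(mk, j, p_e))
        log2_single = j * log2(p_e) + (mk - j) * log2(1 - p_e)
        total -= prob_j * log2_single
    return total


def key_set_probability(n_k, r=3):
    """Pr{k_e' in K_e}: the number of 1s in a uniform N_K-bit string lies
    within r sigma of N_bar = N_K/2, sigma = sqrt(N_K/4). Exact binomial sum
    in integer arithmetic (2^-N_K would underflow a float)."""
    n_bar, sigma = n_k / 2, sqrt(n_k / 4)
    lo = max(ceil(n_bar - r * sigma), 0)
    hi = min(floor(n_bar + r * sigma), n_k)
    return sum(comb(n_k, j) for j in range(lo, hi + 1)) / 2 ** n_k


def min_k_for_key(n_k, m, r=3):
    """Smallest k with floor(N_bar + r sigma) <= mk (Lemma 2 and the
    restriction in Coding 1): every block then consumes the whole key."""
    return ceil(floor(n_k / 2 + r * sqrt(n_k / 4)) / m)


def effective_key_length(n_k, m, n, k, p_e, r=3):
    """Corollary 4: N_K - m(n - k) + mk h(p_E) + log2(1 - delta)."""
    delta = 1 - key_set_probability(n_k, r)
    return n_k - m * (n - k) + m * k * h(p_e) + log2(1 - delta)


if __name__ == "__main__":
    m, n, k, p_eff, r = 8, 255, 167, 0.1, 3
    n_k = 2500  # constructed common-key length
    p_e = bit_error_rate(p_eff, m)
    mean, sigma = error_stats(m * k, p_e)
    print(f"p_E = {p_e:.5f}, n_bar_e = {mean:.2f}, sigma = {sigma:.2f}")
    print(f"n_bar_e + 3 sigma = {mean + r * sigma:.2f} < (n-k)/2 = "
          f"{(n - k) / 2}: {margin_ok(n, k, m, p_e, r)}")
    h_p = error_pattern_entropy(m * k, p_e, (n - k) // 2)
    print(f"H_p = {h_p:.2f} bits, mk h(p_E) = {m * k * h(p_e):.2f} bits")
    print(f"min k for N_K = {n_k}: {min_k_for_key(n_k, m, r)} (chosen k = {k})")
    print(f"delta = {1 - key_set_probability(n_k, r):.4f}")
    print(f"effective key length = "
          f"{effective_key_length(n_k, m, n, k, p_e, r):.1f} bits")
```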
Lemma 10:
In Method 1 using Coding 1, the computational complexity of Eve’s deriving at least one bit of the secret key s kA is at least O (2^{ H p } · N cand ) if the effects of Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ are negligible, where γ is a small quantity. Proof : Because secret keys are generated from x in units of u blocks, when Eve derives at least one bit of the secret key s kA , she needs x for u blocks; moreover, she needs to perform algorithm S for generating the secret keys. From Corollary 5, the computational complexity of only deriving one block of x is O (2^{ H p } · N cand ) if the effects of Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ are negligible. To derive at least one bit of s kA , algorithm S must moreover be analyzed. Thus, Lemma 10 is satisfied. □ Lemma 11:
In Method 1 using Coding 1, encoding E a is computationally secure in the sense of Definition 3. Proof:
Let η = 1/ γ . From Corollary 5, the computational complexity of Eve’s deriving x ( x *) is { O ( cand p N H )[1 – O (1/ η )] + O (1/ η )} by taking into account Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ , where γ is a small quantity; the term O (1/ η ) comes from those rare cases, and the term O ( cand p N H )[1 – O (1/ η )] comes from the other cases. Thus, the probability of successfully guessing information symbols, p d in Definition 3, is p d ≤ 1/2 k + cand p OONO H . The parameter mk is determined such that it satisfies rN ≤ mk , and thus, mk = O ( N K ). Moreover, mn = O ( mk ). Thus, N K – m ( n – k ) = O ( N K ). As is apparent from N cand = 2 N K – m ( n – k ) (1– δ ), the parameters N K , m , n and k are chosen such that N K – m ( n – k ) > 0. In summary, N K – m ( n – k ) = O ( N K ) > 0. Hence, N cand = 2 N K – m ( n – k ) (1– δ ) > P ( N K ) is satisfied at N K → ∞ for every polynomial equation P ( N K ). In addition, γ → 0 can be chosen for N K → ∞. Therefore, when k is chosen sufficiently large, p d < 1/2 k + 1/ P ( N K ) is satisfied for N K ≥ k . Thus, encoding E a in Method 1 using Coding 1 is computationally secure in the sense of Definition 3. □ The following theorem is obtained from Lemma 10. Theorem 1:
Method 1 using Coding 1 is computationally secure in the sense of Definition 2.
Proof:
Let η = 1/ γ . From Lemma 10, the computational complexity of Eve’s deriving any one bit of the secret key s kA is at least { O ( cand p N H )[1 – O (1/ η )] + O (1/ η )} by taking into account Pr{ n u e < e u n – rσ u } < γ and I ( S kA n r | k e ← K e ; S kE n r )/ n r < γ , where γ is a small quantity. Therefore, the probability of successfully guessing the secret key, p s in Definition 2, is p s ≤ 1/2 + cand p OONO H . The parameter mk is determined such that it satisfies rN ≤ mk , and thus, mk = O ( N K ). Moreover, mn = O ( mk ). Thus, N K – m ( n – k ) = O ( N K ). As is apparent from N cand = 2 N K – m ( n – k ) (1– δ ), the parameters N K , m , n and k are chosen such that N K – m ( n – k ) > 0. In summary, N K – m ( n – k ) = O ( N K ) > 0. Hence, N cand = 2 N K – m ( n – k ) (1– δ ) > P ( N K ) is satisfied at N K → ∞ for every polynomial equation P ( N K ). In addition, γ → 0 can be chosen for N K → ∞. Therefore, when k is chosen sufficiently large, p s < 1/2 + 1/ P ( N K ) is satisfied for N K ≥ k . Thus, Method 1 using Coding 1 is computationally secure in the sense of Definition 2. □ The redundant information x is transmitted through a public channel in Method 1. This is to make the security analysis easy. However, an actual system might transmit x through the same channel as that for x . For this reason, the following Method 2 is defined. Method 2:
In this modification of Method 1, x is transmitted through the same channel as x (See Fig. 6). In this case, bit errors occur in x , and deriving the common key is more difficult than that in Method 1. Therefore, the claim of Theorem 1 is true for Method 2. Corollary 6:
Method 2 using Coding 1 is computationally secure in the sense of Definition 2.
Lemma
11, Theorem 1, and Corollary 6 can be proved without assuming any mathematical difficulties. This means that Methods 1 and 2 using Coding 1 face no threat that an efficient decrypting algorithm might be found. R X : Random numbers D b : Error correction s kA Transmitter Receiver
Random-number transmission channel F c x Eve p E p B F t y = x E a :Encoding E b :Error-correcting coding x S : Privacy amplification x S : Privacy amplification D a :Decoding s kB y ’ ys kA * k e x k e y z , z Fig. 6
Block diagram of Method 2.
7. Design example

The parameters must satisfy $\bar{N} + r\sigma \le mk$ in order to prevent Eve from deriving the common key part by part. For example, given a (255, 167) linear code over GF(2^8) and N_K = 2496, then $\bar{N}$ = 1248, mk = 1336, and $\bar{N} + r\sigma$ = 1335 < mk is satisfied for r = 3.5. In other words, we can choose N_K = 2496 in this code. The computational complexity of deriving the common key is proportional to $N_{\mathrm{cand}}^{H_p} \simeq 2^{N_K - m(n-k) + mk \cdot h(p_E)}(1-\delta)$, which is the complexity of the analysis for one block. This is because the common key is repeatedly used. However, if pseudo-random numbers are used instead, the number of blocks needed to derive the common key increases. Let the needed number of blocks be N_T. In this case, the entropy of noise that affects the analysis is N_T · mk · h(p_E), and the effective key length increases. This effect is powerful because it is information theoretic. For the above example, where m(n − k) = 704, $N_{\mathrm{cand}}^{H_p N_T} > 2^{N_K}(1-\delta)$ is satisfied for N_T ≥ 6. In this case, an exhaustive search of K_e is needed to derive the common key. Moreover, the following observations can be made. We assumed that the parity check symbols leak to Eve exactly in Method 1. However, when Method 2 is used, bit errors are added to the parity check symbols, and consequently, its security increases. Moreover, x and $\bar{x}$ are transmitted without encryption in Methods 1 and 2. If x and $\bar{x}$ are encrypted with pseudo-random numbers, security increases computationally, although another key is needed.

Table 1 Summary of Method 1 using Coding 1
(0) Share common key: $K_e = \{k_e \in \{0,1\}^{N_K} \mid -r\sigma \le N(k_e) - \bar{N} \le r\sigma\}$, where the two groups selected by k_e together have N_K bits. Example: N_K = 2496, $\bar{N}$ = 1248, r = 3.5.
(1) $x \leftarrow R_X$.
(2a) Divide the random number sequence: $x(N_K) \times k_e \mapsto b_I \times b_{II}$ (Fig. 1).
(2b) Perform (n, k) block coding: $b_I \mapsto c_I$ and $b_{II} \mapsto c_{II}$, with $\bar{N} + r\sigma \le mk$. Example: RS code over GF(2^m), n = 255, k = 167, m = 8.
(3) Generate the secret key (privacy amplification). Example: Table 2.

The conditional secrecy capacity is evaluated for (n, k) = (255, 167), m = 8, and P_eff = 0.1: $C_s \ge (k - t_{mc})/n \cdot h(p_E^\sigma) - n_s/umn$. If u = 1 and r = 3, then $\bar{n}_e^u = umk\,p_E$, $\sigma_u = \sqrt{umk\,p_E(1-p_E)}$, $p_E^\sigma = p_E(\bar{n}_e^u - r\sigma_u)/\bar{n}_e^u$, and $C_s \ge (k - t_{mc})/n \cdot h(p_E^\sigma) - n_s/umn$. If we choose n_s = 10, then C_s ≥ 0.00615 and n_r ≥ 12.5. Here, “≥” is used to indicate a lower bound. Let us determine γ by referring to the above values, although this is the inverse of the proper order, in which γ should be given first. The condition in Definition 4 (1) is $\Pr\{S_{kA}^{n_r} \ne S_{kB}^{n_r} \mid k_e \leftarrow K_e\} < \gamma$. Let n_cb be the number of Bob’s code errors in one block. When u = 1, $\Pr\{S_{kA}^{n_r} \ne S_{kB}^{n_r} \mid k_e \leftarrow K_e\} = \Pr\{n_{cb} > (n-k)/2\}$. The method in this report works efficiently when p_B − p_E << p_E (see section 7.5). Therefore, let us assume p_B = p_E as an example. In this case, $\Pr\{n_{cb} > (n-k)/2\} < 4.70 \times 10^{-10}$, where the third decimal place is rounded up. Definition 4 (2) requires $I(S_{kA}^{n_r} \mid k_e \leftarrow K_e;\, S_{kE}^{n_r})/n_r < \gamma$, except for the rare case of $n_e^u/umk < p_E^\sigma$. The probability of the rare case is $\Pr\{n_e^u/umk < p_E^\sigma\} < 4.48 \times 10^{-4}$ for P_eff = 0.1, and $I(S_{kA}^{n_r} \mid k_e \leftarrow K_e;\, S_{kE}^{n_r})/n_r \le 2^{-n_s}/(n_r \ln 2) < 1.13 \times 10^{-4}$. From these three small values, γ ≤ max(4.70×10^−10, 4.48×10^−4, 1.13×10^−4) = 4.48×10^−4. Table 2 summarizes these values. C_s increases as u increases, and γ can be decreased as r and n_s are increased. If u = 10 and r = 5, then, with the same expressions for $\bar{n}_e^u$, $\sigma_u$ and $p_E^\sigma$, C_s ≥ 0.0212 − n_s/umn. Here, if n_s = 16, then C_s ≥ 0.0204 and n_r ≥ 416. Table 2 lists the γ-related values. It also shows the case of u = 10, r = 3, and n_s = 10. When u → ∞, the bound is evaluated with h(p_E) and C_s ≥ 0.0312.

Table 2 Lower bound of conditional secrecy capacity and related quantities at (n, k) = (255, 167), m = 8, and P_eff = 0.1. n_cb denotes the number of Bob’s code errors in one block; $n_e^u$ denotes the number of Eve’s bit errors in u blocks. In the second and third columns only the order of magnitude of the probabilities is legible.
u: 1 | 10 | 10
r: 3 | 3 | 5
n_s: 10 | 10 | 16
(1) $\Pr\{n_{cb} > (n-k)/2\}$ <: 4.70×10^−10 | ~10^−9 | ~10^−9
(2.1) $\Pr\{n_e^u/umk < p_E^\sigma\}$ <: 4.48×10^−4 | ~10^−4 | ~10^−8
(2.2) $2^{-n_s}/(n_r \ln 2)$ <: 1.13×10^−4 | ~10^−6 | ~10^−8
γ ≤: 4.48×10^−4 | ~10^−4 | ~10^−8
C_s ≥: 0.00615 | 0.0248 | 0.0204
n_r/u ≥: 12.5 | 50.6 | 41.6

In double coding, N_b blocks of groups I and II of a sequence coded using k_e are shuffled, and the shuffled sequence is then coded using another common key k_ed. The parameters of the two codes do not need to be the same. Decoding is possible from either the k_e- or the k_ed-related code, and this double coding is resistant to burst errors. For example, let us decode the k_e-related code first and assume there are residual errors. Because the random number sequence is shuffled, the residual errors are distributed over multiple blocks of the k_ed-related code, where they can be corrected by k_ed-related error correction. Although the shuffling process becomes computationally expensive, N_b should be as large as possible; its value should be determined on the basis of the processing performance of the transmitter and receiver. The double coding is for complete error correction, but there is a possibility that all errors will be corrected in one decoding. The security of this method, therefore, is quantified by the complexity of the decryption process of one of the two codes. An important point in double coding is to prevent the parity check symbols of one of the two codes from affecting the complexity of the decryption process of the other code. As mentioned in section 6.1.1, the process of deriving the common key includes, as a basic component, listing the candidates of the information symbols for one block. Because this listing is a closed process for one block, the parity check symbols of the k_e (k_ed)-related code do not contribute to listing the candidates of the information symbols of the k_ed (k_e)-related code. Therefore, the security of this method is determined by the complexity of deriving only one of the common keys.

However, the conditional secrecy capacity changes. Here, let the block size be the same for both codings. Because the redundant information of the k_e (k_ed)-related code can correct at most t_m (t_md) bits, the conditional secrecy capacity is $C_s \ge (k - t_m - t_{md})/n \cdot h(p_E^\sigma) - n_s/un$. Here, t_m and t_md can be set smaller than in single coding thanks to double coding.

7.4 Noise source

The output of an LD (laser diode) used in optical communications includes noise; the phase of the output light is especially noisy and is sufficiently random [15]. Coding methods like Phase-Shift Keying (PSK) or Differential Phase-Shift Keying (DPSK) use the phase of light. Thus, the method in this report can use phase-noise-related bit errors as a resource that is always available in optical communications.

7.5 BER in random-number transmission channel

As mentioned in the preceding subsection, the phase noise of an LD output is directly usable in optical communications. However, when the environmental noise F_t in a transmission channel is large, the condition p_E ≃ p_B (p_B − p_E << p_E) is not satisfied; much redundant information is then required and the conditional secrecy capacity decreases. One solution in this case is to code the transmitter output F_c(X) with an error-correcting code and to build a pseudo-errorless channel (p_E = p_B). Because the purpose of this coding is to deliver the noisy random number sequence correctly, errors included, the decoded sequence still contains those errors, and Eve does not obtain any new information.
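The parameter calculations of this design example (the common-key size check $\bar{N} + r\sigma \le mk$, the effective key length of Corollary 4, the number of blocks N_T after which noise entropy outweighs the parity leakage, the bound $2^{-n_s}/(n_r \ln 2)$ of Table 2, $p_E^\sigma$ and the conditional-secrecy-capacity bound), as an added Python example that is not the paper’s own code. The page gives no numeric value for p_E, so the 0.012 used in the demonstration is a constructed assumption, as are the binomial model of the key weight and of Bob’s symbol errors, and the reading of the N_T condition as N_T·mk·h(p_E) > m(n−k).

```python
"""Parameter calculations for the Section 7 design example (added example, not the paper's code)."""
import math
from math import comb


def binary_entropy(p):
    """h(p) = -p log2 p - (1-p) log2(1-p), with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def common_key_check(N_K, r, m, k):
    """Check N_bar + r*sigma <= mk for the common-key set K_e.
    N_bar = N_K/2 is the mean weight of a uniformly random N_K-bit key and
    sigma = sqrt(N_K)/2 its standard deviation (assumed binomial model).
    Returns (floor(N_bar + r*sigma), mk, whether the condition holds)."""
    N_bar = N_K // 2
    sigma = math.sqrt(N_K) / 2
    bound = math.floor(N_bar + r * sigma)
    return bound, m * k, bound <= m * k


def effective_key_length(N_K, m, n, k, p_E, delta=0.0):
    """Corollary 4: log2 N_cand^{H_p} = N_K - m(n-k) + mk*h(p_E) + log2(1-delta).
    The parity leakage m(n-k) is subtracted; Eve's noise entropy mk*h(p_E) is added back."""
    return N_K - m * (n - k) + m * k * binary_entropy(p_E) + math.log2(1 - delta)


def blocks_to_force_exhaustive_search(m, n, k, p_E):
    """With pseudo-random x the noise entropy accumulates over N_T blocks as
    N_T*mk*h(p_E). Return the smallest N_T for which it exceeds the parity
    leakage m(n-k), so that only an exhaustive search of K_e remains
    (our reading of the paper's N_T >= 6 condition; assumption)."""
    leak = m * (n - k)
    gain = m * k * binary_entropy(p_E)
    if gain <= 0.0:
        return None  # noiseless channel: no information-theoretic gain
    return math.floor(leak / gain) + 1


def leakage_bound(n_s, n_r):
    """Row (2.2) of Table 2: I(S_kA^{n_r}; S_kE^{n_r})/n_r <= 2^-n_s / (n_r ln 2)."""
    return 2.0 ** (-n_s) / (n_r * math.log(2))


def p_E_sigma(u, m, k, p_E, r):
    """p_E^sigma = p_E (n_bar - r sigma_u)/n_bar with n_bar = umk p_E and
    sigma_u = sqrt(umk p_E (1-p_E)): Eve's BER pessimistically lowered by
    r standard deviations over u blocks (clamped at 0)."""
    N = u * m * k
    n_bar = N * p_E
    sigma_u = math.sqrt(N * p_E * (1.0 - p_E))
    return max(0.0, p_E * (n_bar - r * sigma_u) / n_bar)


def secrecy_capacity_bound(n, k, t_mc, u, m, n_s, p_sigma):
    """C_s >= (k - t_mc)/n * h(p_E^sigma) - n_s/(umn)."""
    return (k - t_mc) / n * binary_entropy(p_sigma) - n_s / (u * m * n)


def bob_block_failure(n, k, p_sym):
    """Pr{n_cb > (n-k)/2}: a bounded-distance decoder fails when more than
    (n-k)/2 of the n symbols are wrong; n_cb ~ Binomial(n, p_sym) (assumption)."""
    t = (n - k) // 2
    return sum(comb(n, j) * p_sym ** j * (1.0 - p_sym) ** (n - j) for j in range(t + 1, n + 1))


if __name__ == "__main__":
    n, k, m, N_K = 255, 167, 8, 2496         # the page's RS(255,167) over GF(2^8)
    p_E = 0.012                              # constructed value; not given on the page
    print(common_key_check(N_K, 3.5, m, k))  # (1335, 1336, True)
    print(effective_key_length(N_K, m, n, k, p_E))
    print(blocks_to_force_exhaustive_search(m, n, k, p_E))
    print(leakage_bound(10, 12.5))           # about 1.13e-4, as in Table 2
    ps = p_E_sigma(1, m, k, p_E, 3)
    print(secrecy_capacity_bound(n, k, (n - k) // 2, 1, m, 10, ps))
    print(bob_block_failure(n, k, 1 - (1 - p_E) ** m))  # symbol error from m bit errors
```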
8. Summary
Secure communications using noise generally need a mechanism to make Eve less advantageous than Bob. However, such a mechanism does not always exist intrinsically. This report described an extrinsic method that puts Eve at a disadvantage by using a common key. The common key, error-correcting code, and noise are managed in a cooperative manner, and the secret keys are generated from noise. Messages are encrypted with the secret keys by using a one-time pad. As a result, information leaks that are meaningful to Eve are restricted to the parity-check symbols for the random numbers. It is possible to derive the candidates of the common key from the parity check symbols, and the security of this method can be quantified in terms of the computations needed for an exhaustive search of the candidates. We calculated the number of candidates of the common key by assuming that all parity check symbols leak to Eve without bit errors. The number is $N_{\mathrm{cand}}^{H_p}$, and it determines the security of this method. Its logarithm $N_K - m(n-k) + mk \cdot h(p_E) + \log(1-\delta)$ corresponds to the effective key length. Methods with computational security generally face the threat that an efficient decryption method might be found. However, this method does not rely on any mathematical difficulties, and therefore there is no threat that a decryption method more efficient than an exhaustive search might be found: decryption requires listing the information symbols from the parity check symbols and then listing the candidates of the common key. This form of security, free of that threat, can be used to protect highly confidential information like government and military secrets, although its security level is computational. However, it requires privacy amplification to assure high security, and this reduces the message transmission rate to R_m << 1.

Acknowledgments
The author thanks Hisayoshi Sato, Keisuke Hakuta, Tomohiko Uyematsu, and Masashi Ban for their insightful comments.
References
[1] A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, no. 8, pp. 1355–1387, October 1975.
[2] I. Csiszár and J. Körner, “Broadcast channels with confidential messages,” IEEE Trans. Inf. Theory, vol. IT-24, no. 3, pp. 339–348, May 1978.
[3] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, May 1993.
[4] R. Ahlswede and I. Csiszár, “Common randomness in information theory and cryptography – part I: secret sharing,” IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, July 1993.
[5] S. Venkatesan and V. Anantharam, “The common randomness capacity of a pair of independent discrete memoryless channels,” IEEE Trans. Inf. Theory, vol. 44, no. 1, pp. 215–224, January 1998.
[6] I. Csiszár and P. Narayan, “Common randomness and secret key generation with helper,” IEEE Trans. Inf. Theory, vol. 46, no. 2, pp. 344–366, March 2000.
[7] A. Khisti, S. N. Diggavi, and G. Wornell, “Secret-key generation with correlated sources and noisy channels,” IEEE International Symposium on Information Theory, Toronto, Canada, pp. 1005–1009, July 2008.
[8] V. M. Prabhakaran, K. Eswaran, and K. Ramchandran, “Secrecy via sources and channels – A secret key – Secret message rate tradeoff region,” IEEE International Symposium on Information Theory, Toronto, Canada, pp. 1010–1014, July 2008.
[9] H. Ahmadi and R. Safavi-Naini, “Secret keys from channel noise,” in Advances in Cryptology – EUROCRYPT 2011, ed. K. G. Paterson, Springer, Berlin Heidelberg, vol. 6632, pp. 266–283, May 2011.
[10] C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, pp. 175–179, December 1984.
[11] B. Kraus, N. Gisin, and R. Renner, “Lower and upper bounds on the secret-key rate for quantum key distribution protocols using one-way classical communication,” Phys. Rev. Lett., vol. 95, no. 8, 080501, August 2005.
[12] R. Renner, N. Gisin, and B. Kraus, “Information-theoretic security proof for quantum-key-distribution protocols,” Phys. Rev. A, vol. 72, no. 1, 012332, July 2005.
[13] A. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett., vol. 67, no. 6, pp. 661–663, August 1991.
[14] C. H. Bennett, G. Brassard, and N. D. Mermin, “Quantum cryptography without Bell’s theorem,” Phys. Rev. Lett., vol. 68, no. 5, pp. 557–559, February 1992.
[15] B. Qi, Y.-M. Chi, H.-K. Lo, and L. Qian, “High-speed quantum random number generation by measuring phase noise of a single-mode laser,” Opt. Lett., vol. 35, no. 3, pp. 312–314, 2010.
[16] H. P. Yuen, “KCQ: A new approach to quantum cryptography I. General principles and key generation,” http://arxiv.org/abs/quant-ph/0311061v2, accessed Jun. 3, 2015.
[17] G. A. Barbosa, E. Corndorf, P. Kumar, and H. P. Yuen, “Secure communication using mesoscopic coherent states,” Phys. Rev. Lett., vol. 90, no. 22, 227901, June 2003.
[18] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Trans. Inf. Theory, vol. 22, no. 6, pp. 644–654, November 1976.
[19] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized privacy amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp. 1915–1923, November 1995.
[20] J. L. Carter and M. N. Wegman, “Universal classes of hash functions,” J. Comput. Syst. Sci., vol. 18, no. 2, pp. 143–154, April 1979.
[21] C. H. Bennett, G. Brassard, and J. M. Robert, “Privacy amplification by public discussion,” SIAM J. Comput., vol. 17, no. 2, pp. 210–229, April 1988.
[22] For example, W. C. Huffman and V. Pless, Fundamentals of Error-Correcting Codes, Cambridge University Press, New York, 2003.
[23] For example, J. Justesen and T. Høholdt, A Course in Error-Correcting Codes, European Mathematical Society, Zürich, 2004.
[24] V. Guruswami and M. Sudan, “Improved decoding of Reed–Solomon and algebraic-geometry codes,” IEEE Trans. Inf. Theory, vol. 45, no. 6, pp. 1757–1767, September 1999.
[25] Y. Wu, “New list decoding algorithms for Reed–Solomon and BCH codes,” IEEE Trans. Inf. Theory, vol. 54, no. 8, pp. 3611–3630, August 2008.
[26] E. Berlekamp, “Bounded distance +1 soft-decision Reed–Solomon decoding,” IEEE Trans. Inf. Theory, vol. 42, no. 3, pp. 704–720, May 1996.
[27] N. Kamiya, “On algebraic soft-decision decoding algorithms for BCH codes,” IEEE Trans. Inf. Theory, vol. 47, no. 1, pp. 45–58, January 2001.