Security Bounds for Quantum Cryptography with Finite Resources
Valerio Scarani and Renato Renner
Centre for Quantum Technologies and Department of Physics, National University of Singapore, Singapore
Institute for Theoretical Physics, ETH Zurich, Switzerland
Abstract.
A practical quantum key distribution (QKD) protocol necessarily runs in finite time and, hence, only a finite amount of communication is exchanged. This is in contrast to most of the standard results on the security of QKD, which only hold in the limit where the number of transmitted signals approaches infinity. Here, we analyze the security of QKD under the realistic assumption that the amount of communication is finite. At the level of the general formalism, we present new results that help simplify the actual implementation of QKD protocols: in particular, we show that symmetrization steps, which are required by certain security proofs (e.g., proofs based on de Finetti's representation theorem), can be omitted in practical implementations. Also, we demonstrate how two-way reconciliation protocols can be taken into account in the security analysis. At the level of numerical estimates, we present the bounds with finite resources for "device-independent security" against collective attacks.
1 Introduction

Quantum key distribution (QKD) is one of the most mature fields of quantum information science, both from the theoretical and the experimental point of view [1,2,3]. This does not mean, however, that the open questions are merely technical ones: in this paper, we are concerned with an issue that is in fact rather crucial for the assessment of security of real devices.

Most unconditional security proofs of QKD have provided an asymptotic bound for the secret key rate r, valid only in the limit of infinitely long keys [4,5,6,7,8]. This reads in general [9]
$$r = S(X|E) - H(X|Y), \qquad (1)$$
where $S(X|E) := S(XE) - S(E)$ and $H(X|Y) := H(XY) - H(Y)$ are the conditional von Neumann and Shannon entropies, respectively, evaluated for the joint state of Alice and Bob's raw key and the system controlled by Eve (after the sifting step).

In real experiments, obviously, finite resources are used. As a matter of fact, the need for finite-key analysis was recognized several years ago [10]. In early security proofs, though, the security parameter ε in
$$\text{"Deviation from the ideal case"} \le \varepsilon \qquad (2)$$
was defined in terms of "accessible information". This measure of deviation had two shortcomings, namely (i) it does not provide composable security, as proved in [11], and (ii) it has no operational interpretation. It turns out that both shortcomings are not problematic for asymptotic bounds, but for finite-key analysis a different definition must be used. A correct definition was used for the first time in [13], but the authors considered only a restricted class of attacks. While partial, these and other studies [14,15,16] triggered the awareness that a large N would be required for a QKD experiment to produce a secure key.

More recently, Hayashi used a valid definition (although the concern for composable security is not addressed explicitly) in his analysis of the BB84 protocol with decoy states [17]. Hayashi's bound has been applied to experimental data [18].
Apart from being possibly the first creation of a truly unconditionally secure key, this experiment provides an instructive example of how critical finite-key analysis is. Indeed, for the observed error rate $Q \approx 5\%$ and the choice $\varepsilon = 2^{-[\text{exponent missing}]}$, 4100 secret bits could be extracted from each raw key block of $n \approx N = 10^{[\text{exponent missing}]}$ bits: in other words, the final secret key rate was $r \approx [\text{value missing}]$, about 43% of the rate predicted by the asymptotic bound. Security bounds for finite resources are definitely one of the most urgent tasks for practical QKD [3].

Recently we have shown that the theoretical tools developed by one of us [19] can be used to provide a compact approach to security proofs in the non-asymptotic limit [20]. Our formalism leads to a generalized version of the secret key rate that reads
$$r = (n/N)\left[ S_\xi(X|E) - \Delta - \mathrm{leak}_{EC}/n \right]. \qquad (3)$$
Comparing with (1), four modifications should be noticed: (i) only a fraction n of the signals contributes to the key, the rest must be used for parameter estimation; (ii) the parameter estimation has finite precision ξ; (iii) the task of privacy amplification itself has a security parameter Δ; and (iv) the error correction protocol may not reach the Shannon limit, so $\mathrm{leak}_{EC} \ge nH(X|Y)$.

In this paper, we revisit our previous work and improve it by two important observations (Lemmas 1 and 2 below), then we present a new example of explicit calculation (Section 4.2).

Footnote: The absence of an operational interpretation of ε is not a problem since any deviation is supposed to vanish for asymptotically long keys. Furthermore, the fact that asymptotic bounds can be "redeemed" for composability is a consequence of the result of [12] saying that keys obtained by two-universal hashing provide composable security.

2 Security definition

In the existing literature on QKD, not only the analysis, but also the very definition of security is mostly limited to the asymptotic case; we therefore need to revisit it here. Most generally, the security of a key K can be parametrized by its deviation ε from a perfect key, which is defined as a uniformly distributed bit string whose value is completely independent of the adversary's knowledge. In an asymptotic scenario, a key K of length ℓ is commonly said to be secure if this deviation ε tends to zero as ℓ increases. In the non-asymptotic scenario studied here, however, the deviation ε is always finite.
This makes it necessary to attribute an operational interpretation to the parameter ε. Only then is it possible to choose a meaningful security threshold (i.e., an upper bound for ε) reflecting the level of security we are aiming at. Another practically relevant requirement that we need to take into account is composability of the security definition. Composability guarantees that a key generated by a QKD protocol can safely be used for applications, e.g., as a one-time pad for message encryption. Although this requirement is obviously crucial for practice, it is not met by most security definitions considered in the literature [11].

Our results are formulated in terms of a security definition that meets both requirements, i.e., it is composable and, in addition, the parameter ε has an operational interpretation. The definition we use was proposed in [21,12]: for any ε ≥ 0, a key K is said to be ε-secure with respect to an adversary E if the joint state $\rho_{KE}$ satisfies
$$\tfrac{1}{2}\left\| \rho_{KE} - \tau_K \otimes \rho_E \right\| \le \varepsilon, \qquad (4)$$
where $\tau_K$ is the completely mixed state on K. The parameter ε can be seen as the maximum probability that K differs from a perfect key (i.e., a fully random bit string) [12]. Equivalently, ε can be interpreted as the maximum failure probability, where failure means that "something went wrong", e.g., that an adversary might have gained some information on K. From this perspective, it is also easy to understand why the definition is composable. In fact, the failure probability of any cryptosystem that uses a perfect secret key only increases by (at most) ε if we replace the perfect key by an ε-secure key. In particular, because one-time-pad encryption with a perfect key has failure probability 0 (the ciphertext gives zero information about the message), it follows that one-time-pad encryption based on an ε-secure key remains perfectly confidential, except with probability at most ε.

2.1 The protocol

Although most practical quantum key distribution protocols are prepare-and-measure schemes, for analyzing their security it is often more convenient to consider an entanglement-based formulation. In fact, such a formulation can be obtained by simply replacing all classical randomness by quantum entanglement and postponing all measurements. In the following, we describe the general type of protocol our analysis applies to.

1. Distribution of quantum information: Alice and Bob communicate over an (insecure) quantum channel to generate N identical and independent pairs of entangled particles. The joint state of the N particle pairs together with the information that an adversary might have on them (e.g., acquired by eavesdropping) is denoted by $\rho_{A^N B^N E^N}$.

2. Parameter estimation: Alice and Bob apply a LOCC-measurement to m particle pairs selected at random (using the authentic communication channel). We denote the resulting statistics by $\lambda_m$ and the joint state of the remaining (not measured) particles and Eve's system by $\rho_{A^{N-m} B^{N-m} E^N}$. If the statistics $\lambda_m$ fails to satisfy certain criteria, Alice and Bob abort the protocol.

3. Measurement and advantage distillation: Alice and Bob apply block-wise measurements $\mathcal{E}_{A^b B^b}$ on their remaining particles to get raw keys $X^n$ and $Y^n$, respectively. More precisely, $\mathcal{E}_{A^b B^b}$ is an arbitrary LOCC-measurement applied sequentially to blocks $A^b$ of b particles on Alice's side and the corresponding particles $B^b$ on Bob's side. In a protocol without advantage distillation, $\mathcal{E}_{A^b B^b} = \mathcal{E}_A \otimes \mathcal{E}_B$ simply consists of local measurements on single particles, i.e., b = 1. However, $\mathcal{E}_{A^b B^b}$ might describe any operation that can be performed by Alice and Bob on a finite block of particle pairs. The resulting state is then given by $\rho_{X^n Y^n E^N} = (\mathcal{E}_{A^b B^b}^{\otimes n} \otimes \mathrm{id}_{E^N})(\rho_{A^{bn} B^{bn} E^N})$, where n is the number of blocks, i.e., $nb \le N - m$.

4. Error correction: Alice and Bob exchange classical messages, summarized by C, which allow Bob to compute a guess $\hat{X}^{bn}$ for Alice's string $X^{bn}$.

5. Privacy amplification: Alice and Bob generate the final key by applying an appropriately chosen hash function to $X^{bn}$ and $\hat{X}^{bn}$, respectively. The requirement on the hash function is that it maps strings with sufficiently high min-entropy to uniform strings of a certain length ℓ (such functions are sometimes called strong (quantum) extractors). A typical (and currently the only known) class of functions satisfying this requirement are two-universal hash functions (see Section 3.4 for examples of two-universal function families).

Footnotes: We use the term particle here only for concreteness. More generally, they might be arbitrary subsystems. A LOCC-measurement is a measurement on a bipartite system that can be performed by local measurements on the subsystems combined with classical communication.

3 Security analysis

3.1 Collective attacks and the four contributions to the security parameter

An attack is said to be collective if the interaction of Eve with the quantum channel during the distribution step is i.i.d. This implies that the state after the distribution step is i.i.d., too, that is, $\rho_{A^N B^N E^N} = \sigma_{ABE}^{\otimes N}$, where $\sigma_{ABE}$ is the density operator describing a single particle pair together with the corresponding ancilla E held by Eve.

The following analysis is subdivided into four parts. Each part gives rise to separate errors, denoted by $\varepsilon_{PE}$, $\bar\varepsilon$, $\varepsilon_{EC}$, and $\varepsilon_{PA}$, respectively. These sum up to
$$\varepsilon = \varepsilon_{PE} + \bar\varepsilon + \varepsilon_{EC} + \varepsilon_{PA}, \qquad (5)$$
where ε is the security of the final key (cf. (4) for the definition of security). Making the individual contributions smaller comes at the cost of reducing other parameters that, eventually, result in a reduction of the size of the final key (see equations (6), (8), (10), and (11)).

– Parameter estimation (minimize the set of compatible states Γ and the number of sample points m vs. minimize the failure probability $\varepsilon_{PE}$).

Parameter estimation allows Alice and Bob to determine properties of $\sigma_{AB}$. We express this by defining a set $\Gamma_{\varepsilon_{PE}}$ containing all states $\sigma_{AB}$ that are compatible with the outcomes of the parameter estimation. For concreteness, we assume here that Alice and Bob, depending on the statistics of their measurements, either continue with the execution of the protocol or abort.
The set $\Gamma_{\varepsilon_{PE}}$ is then defined as the set of states $\sigma_{AB}$ for which the protocol continues with probability at least $\varepsilon_{PE}$ (i.e., the states from which a key will be extracted with non-negligible probability). The quantity $\varepsilon_{PE}$ corresponds therefore to the probability that the parameter estimation passes although the raw key does not contain sufficient secret correlation. In particular, if Alice and Bob continue the protocol whenever they observe a statistics $\lambda_m$ using a POVM with d possible outcomes then (Lemma 3 of [20])
$$\Gamma_{\varepsilon_{PE}} \subseteq \left\{ \sigma_{AB} : \left\| \lambda_m - \lambda_\infty(\sigma_{AB}) \right\| \le \sqrt{\frac{2\ln(1/\varepsilon_{PE}) + d\ln(m+1)}{m}} \right\} \qquad (6)$$
where $\lambda_\infty(\sigma_{AB})$ denotes the (perfect) statistics in the limit of infinitely many measurements.

– Calculation of the min-entropy (minimize the decrease of min-entropy δ vs. minimize the error probability $\bar\varepsilon$).

Under the assumption of collective attacks, the joint state of Alice and Bob's as well as the relevant part of Eve's system after the measurement and advantage distillation step is of the form $\rho_{X^n Y^n E^{bn}} = \sigma_{XYE^b}^{\otimes n}$ where
$$\sigma_{XYE^b} := (\mathcal{E}_{A^b B^b} \otimes \mathrm{id}_{E^b})(\sigma_{ABE}^{\otimes b}). \qquad (7)$$
This property allows us to compute a lower bound on the smooth min-entropy of $X^n$ given Eve's overall information $E^N$ (before error correction), which will play a crucial role in the analysis of the remaining part of the protocol. More precisely, the min-entropy can be expressed in terms of the von Neumann entropy S evaluated for the state $\sigma_{XE^b}$,
$$H^{\bar\varepsilon}_\infty(X^n | E^N) \ge n\left( S(X|E^b)_{\sigma_{XE^b}} - \delta \right) \qquad (8)$$
where $\delta := 7\sqrt{\log_2(2/\bar\varepsilon)/n}$.

– Error correction (information leakage leak vs. failure probability $\varepsilon_{EC}$).

Error correction necessarily involves communication C between Alice and Bob. The maximum leakage of information to an adversary is expressed in terms of min- and max-entropies,
$$\mathrm{leak} := H(C) - H_\infty(C | X^n Y^n).$$
While H(C) corresponds to the total number of relevant bits exchanged during error correction, we subtract $H_\infty(C|X^nY^n)$, which is the number of bits that are independent of the raw key pair $(X^n, Y^n)$. Note the formal resemblance of this expression to the mutual information $I(C : X^nY^n)$. Indeed, the quantity leak counts the number of bits of C that are correlated to the raw key. In particular, any information that is independent of the raw key, such as the description of an error correcting code, does not contribute. Also, in a protocol where redundant messages are exchanged (this is for instance the case for two-way error correction schemes such as the Cascade protocol [22]), the quantity leak is generally much smaller than the total number of communicated bits.

Typically, there is a trade-off between the leakage leak and the failure probability, i.e., the maximum probability that $\hat{X} \ne X$ (where the maximum is taken over all possible states in $\Gamma_{\varepsilon_{PE}}$), which we denote by $\varepsilon_{EC}$. This trade-off depends strongly on the actual error correction scheme that is employed, but typically has the form
$$\mathrm{leak}_{\varepsilon_{EC}} = f\,H(X|Y) + \log(1/\varepsilon_{EC}) \qquad (9)$$
where f is a constant larger than 1. In theory, there are error correction schemes with f arbitrarily close to 1, but the decoding is usually not feasible due to computational limitations. In practice, $f \approx [\text{values missing}]$.

– Privacy amplification (maximize the final key length ℓ vs. minimize the failure probability $\varepsilon_{PA}$).

To evaluate the final key size, we need to bound the decrease of min-entropy after the leakage of information that occurred in error correction. It follows from Lemma 2 below that the smooth min-entropy of $X^n$ given Eve's information after error correction is bounded by
$$H^{\bar\varepsilon}_\infty(X^n | E^N C) \ge H^{\bar\varepsilon}_\infty(X^n | E^N) - \mathrm{leak}_{\varepsilon_{EC}}. \qquad (10)$$
The security of the final key only depends on this quantity and the efficiency of the hash function used for privacy amplification. More precisely, if two-universal hashing is used then, for any fixed $\varepsilon_{PA} > 0$, the length ℓ of the final key is bounded by
$$\ell \le H^{\bar\varepsilon}_\infty(X^n | E^N C) - 2\log_2(1/\varepsilon_{PA}). \qquad (11)$$

Footnote: Two-universal hashing is the procedure normally used for privacy amplification.

Combining (8), (10) and (11), we conclude that the final key is ε-secure, for $\varepsilon = \varepsilon_{PE} + \bar\varepsilon + \varepsilon_{EC} + \varepsilon_{PA}$ as in (5), if
$$\ell \le n\left[ \min_{\sigma_{ABE} \in \Gamma_{\varepsilon_{PE}}} S(X|E^b)_{\sigma_{XE^b}} - \delta(\bar\varepsilon) \right] - \mathrm{leak}_{\varepsilon_{EC}} - 2\log_2(1/\varepsilon_{PA}) \qquad (12)$$
where $\sigma_{XE^b}$ is related to $\sigma_{AB}$ via (7) applied to a purification of $\sigma_{AB}$ and where $\delta(\bar\varepsilon) = 7\sqrt{\log_2(2/\bar\varepsilon)/n}$.

3.2 Symmetrization

A general method to turn a proof against collective attacks into a proof against the most general coherent attacks is to introduce additional symmetries. Here we highlight two aspects that have been dealt with only partially in previous works.
A Lemma on symmetrization.
The following lemma states that the smooth min-entropy of the state before the symmetry operations have been applied is lower bounded by the smooth min-entropy of the symmetrized state.
Lemma 1.
Let $\rho_{XE}$ be a cq-state and let $\{f_R\}$ be a family of functions on X. Then, for any ε ≥ 0 and R chosen at random,
$$H^\varepsilon_\infty(X|E) \ge H^\varepsilon_\infty(f_R(X) | ER).$$

Proof.
The statement is proved by sequentially applying rules of the smooth entropy calculus.
$$\begin{aligned} H^\varepsilon_\infty(X|E) &= H^\varepsilon_\infty(X|E) + H_\infty(R|R) \\ &= H^\varepsilon_\infty(XR|ER) \\ &= H^\varepsilon_\infty(f_R(X)\,X\,R \,|\, ER) \\ &\ge H^\varepsilon_\infty(f_R(X)|ER). \end{aligned}$$
The first equality holds because $H_\infty(R|R) = 0$ (there is no uncertainty about R if R is known), and the second is a consequence of the additivity of the min-entropy (Lemma 3.1.6 of [19]). The third equality is a simple consequence of the fact that the computation of the value $f_R(X)$ while keeping the input is a unitary operation, under which the min-entropy is invariant. Finally, the inequality holds because tracing out the classical systems X and R can only decrease the smooth min-entropy (see Lemma 3.1.9 of [19]).

An important practical consequence of this Lemma is that the symmetrization need not be actually implemented. Indeed, the smooth min-entropy is basically the only quantity that is relevant for the security of the final key: then, the statement of the Lemma implies that, if the symmetrized version of the protocol is secure, the original version is also secure.

Permutation symmetry.
Lemma 1 above is valid for any symmetrization. Typically, one considers permutation symmetry. This can be achieved, for instance, by randomly permuting the positions of the bits [19] (more precisely, Alice and Bob both apply the same, randomly chosen, reordering to their bitstring). The symmetric states can then be shown to have properties similar to those of i.i.d. states, e.g. via the quantum de Finetti theorem [23]. This in turn leads to a bound of the form (8), with a different definition of the parameter δ (cf. Theorem 6.5.1 in [19], referring to Table 6.2 for the parameters; the corrections due to the de Finetti theorem are the terms that involve the quantities k and r). Thus, a lower bound for security using finite resources can be computed for any discrete-variable protocol.

Such a bound turns out to be very pessimistic: this is the price to pay for its generality. When considering some specific protocols, there can be other, more efficient ways to obtain i.i.d. states. Specifically, for the BB84 [24] and the six-state protocol [25,26,27], suitable symmetries can be implemented in the protocol itself by random but coordinated bit- and phase-flips [28,29]. Security bounds against general attacks can be computed by considering i.i.d. states just because of these symmetries, thus by-passing the need for the de Finetti theorem.

Footnote: Also, it is an open question whether the existing de Finetti theorem provides tight estimates, or if the bounds can be improved.

3.3 Two-way error correction

An essential part of the technical security proof presented above is the following lemma, which provides a bound on the decrease of the min-entropy by information leakage in the error correction step. The statement shown here is a generalization of a corresponding statement in [19], which was restricted to one-way error correction.

Lemma 2.
The decrease of the smooth min-entropy by the leakage of information in the error correction step is given by
$$H^\varepsilon_\infty(X|EC) \ge H^\varepsilon_\infty(X|E) - \mathrm{leak}.$$

Proof.
$$\begin{aligned} H^\varepsilon_\infty(X|EC) &\ge H^\varepsilon_\infty(XC|E) - H(C) \\ &\ge H^\varepsilon_\infty(X|E) + H_\infty(C|XE) - H(C) \\ &\ge H^\varepsilon_\infty(X|E) + H_\infty(C|XYE) - H(C) \\ &= H^\varepsilon_\infty(X|E) + H_\infty(C|XY) - H(C). \end{aligned}$$
The first two inequalities are chain rules and the third is the strong subadditivity for the smooth min-entropy. The last equality follows from the fact that $E \leftrightarrow (X, Y) \leftrightarrow C$ is a Markov chain, because the communication C is computed by Alice and Bob.

3.4 Two-universal hashing

As explained above, privacy amplification is usually done by two-universal hashing.
Definition 1.
A set $\mathcal{F}$ of functions f from $\mathcal{X}$ to $\mathcal{Z}$ is called two-universal if
$$\Pr_{f \in \mathcal{F}}\left[ f(x) = f(x') \right] \le \frac{1}{|\mathcal{Z}|},$$
for any distinct $x, x' \in \mathcal{X}$ and f chosen at random from $\mathcal{F}$ according to the uniform distribution.

To perform the privacy amplification step, the two parties simply have to choose at random a function f from a two-universal set $\mathcal{F}$ of functions that output strings of length ℓ, where ℓ is chosen such that it satisfies (12). As shown below, there exist constructions of two-universal sets $\mathcal{F}$ of functions that are both easy to describe (the description length is equal to the input length) and that can be efficiently evaluated.

Examples of two-universal function families were first proposed by Carter and Wegman [30,31]. One of the constructions mapping n-bit strings to ℓ-bit strings, for any ℓ ≤ n, only involves addition and multiplication in the field $\mathrm{GF}(2^n)$. It is defined as the family $\mathcal{F} = \{f_r\}_{r \in \mathrm{GF}(2^n)}$ of functions $f_r$ that, on input x, output the ℓ least significant bits of $r \cdot x$ (where · denotes the multiplication in $\mathrm{GF}(2^n)$), i.e.,
$$f_r : \mathrm{GF}(2^n) \to \mathrm{GF}(2^\ell), \qquad x \mapsto [r \cdot x]_\ell.$$
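The Carter-Wegman family just defined, as an added worked example (this is not code from the paper): multiplication in GF(2^n) as a carry-less product reduced modulo an irreducible polynomial, the hash $f_r(x) = [r \cdot x]_\ell$, and an exhaustive count over all seeds r showing that two distinct inputs collide for exactly $2^{n-\ell}$ seeds, i.e. with probability $1/|\mathcal{Z}| = 2^{-\ell}$. The toy field sizes n = 4 and n = 8 and their reduction polynomials are assumptions of this example; a real privacy-amplification step uses n equal to the raw-key length.

```python
import random

# Reduction polynomials for the toy fields used here (assumption of this example):
# GF(2^4): x^4 + x + 1, GF(2^8): x^8 + x^4 + x^3 + x + 1. Both are irreducible.
IRREDUCIBLE = {4: 0b10011, 8: 0b100011011}


def gf_mul(a, b, n):
    """Product of a and b in GF(2^n): carry-less multiplication, reduced on the fly."""
    poly = IRREDUCIBLE[n]
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^n) is XOR
        b >>= 1
        a <<= 1
        if a >> n:               # degree reached n: subtract (XOR) the modulus
            a ^= poly
    return result


def f_r(r, x, n, ell):
    """The hash f_r(x) = [r * x]_ell: the ell least significant bits of r * x."""
    return gf_mul(r, x, n) & ((1 << ell) - 1)


def collision_count(x, x2, n, ell):
    """Number of seeds r in GF(2^n) for which f_r(x) == f_r(x2)."""
    return sum(1 for r in range(1 << n) if f_r(r, x, n, ell) == f_r(r, x2, n, ell))


def is_two_universal(n, ell, pairs=200, seed=1):
    """Check Pr_r[f_r(x) = f_r(x')] <= 2^-ell on a sample of distinct input pairs.

    For this family the count is exactly 2^(n-ell): f_r(x) = f_r(x') iff the low ell
    bits of r * (x XOR x') vanish, and r -> r * y is a bijection for y != 0.
    """
    rng = random.Random(seed)
    for _ in range(pairs):
        x, x2 = rng.sample(range(1 << n), 2)
        if collision_count(x, x2, n, ell) > (1 << (n - ell)):
            return False
    return True


def privacy_amplify(raw_key_bits, seed_bits, ell):
    """Apply f_r to an n-bit raw key ('0'/'1' string) with an n-bit public seed r."""
    n = len(raw_key_bits)
    x = int(raw_key_bits, 2)
    r = int(seed_bits, 2)
    return format(f_r(r, x, n, ell), f"0{ell}b")


if __name__ == "__main__":
    # Constructed 8-bit raw key and seed, compressed to a 3-bit key.
    print(privacy_amplify("10110010", "01100111", 3))
    print("two-universal on GF(2^8), ell=3:", is_two_universal(8, 3))
```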
4 Computing security bounds

4.1 Free parameters

Let us re-phrase the results obtained above in a more operational way. An experiment is characterized by the following parameters:
– The protocol, in particular the number d of outcomes of the measurements;
– The number of exchanged quantum signals N;
– The estimates of the channel parameters;
– The performance of the error correction protocol, in particular $\varepsilon_{EC}$ and f (recall that these are functions of the parameters);
– The desired level of security ε.

We have found above the bound (12) for the extractable secret key length ℓ, which is valid for collective attacks, and also for general attacks in the case of the BB84 and the six-state protocols. By setting $r = \ell/N$, one gets the announced expression (3) for the secret key rate. The expression for r is thus a function of the parameters listed above and several others, namely:
– n, b and m, subject to the constraint $nb + m \le N$;
– $\varepsilon_{PE}$, $\bar\varepsilon$ and $\varepsilon_{PA}$, subject to the constraint $\varepsilon = \varepsilon_{PE} + \bar\varepsilon + \varepsilon_{EC} + \varepsilon_{PA}$.
The best value for r is therefore obtained by optimizing (12) over the free parameters, for a given experiment.

Footnote: Note that a parameter may be free a priori but be fixed in a given experiment. For instance, if in BB84 the choice of the basis is made passively through a 50-50 beam splitter, one has the additional constraint m = nb.

In Ref. [20], we have presented such an optimization for the BB84 and the six-state protocols implemented with single photons, under the restriction that f is a constant and b = 1 (one-way error correction). Here, we present the computation of the security bound with finite resources for another protocol.

4.2 Device-independent security against collective attacks

In 1991, Ekert noticed that the security of QKD could be related to the violation of Bell's inequalities [32]. This remark provided him with the basic intuition, but it remained purely qualitative. Only recently, on a modified version of the Ekert protocol [33], has it been possible to provide a quantitative bound on Eve's information that depends only on the violation of a particular Bell-type inequality [34]. The remarkable property of this study is that this bound is "device-independent": the knowledge of (i) the dimension of the Hilbert space in which Alice's and Bob's signals are encoded and of (ii) the details of the measurements that are performed is not required. The price to pay for such generality is that there is, as of today, no argument to conclude unconditional security: the bound has been proved only for collective attacks. It is also worth stressing that, as long as the detection loophole remains open, device-independent security cannot be assessed on real setups [34,35].

Footnote: This is in particular true because one does not bound the dimension of the Hilbert space, so the available de Finetti theorem cannot be used. It is important to stress that the usual unconditional security bounds do rely on the assumption that the dimension of the Hilbert space is known, and this is actually more serious than just a technical assumption for the proofs: most protocols, like BB84 and six-state, become provably insecure if one cannot rely on the fact that a meaningful fraction of the measurements are done on two-qubit signals.

Using our approach, we are going to obtain the non-asymptotic bound for device-independent security against collective attacks. We can use (12) directly. Two elements depend on the protocol and must be discussed:

– The relation between n and m depends on the measurements specified by the protocol (here we set b = 1). The protocol specifies that Alice performs three measurements $A_0$, $A_1$ and $A_2$, while Bob performs two measurements $B_1$ and $B_2$. The key is extracted out of the events $(A_0, B_1)$. Coherence in the channel is checked by the Clauser-Horne-Shimony-Holt (CHSH) inequality [36] using $(A_1, A_2; B_1, B_2)$, i.e. from the quantity
$$C = E(A_1B_1) + E(A_1B_2) + E(A_2B_1) - E(A_2B_2) \qquad (13)$$
where $E(A_iB_j) = \mathrm{Prob}(a_i = b_j) - \mathrm{Prob}(a_i \ne b_j)$ is the correlation coefficient for bits. We suppose that Alice chooses $A_0$ with probability $p_{a_0}$ and the other settings with equal probability $p_{a_1} = p_{a_2} = (1 - p_{a_0})/2$; and that Bob chooses $B_1$ with probability $p_{b_1}$ and $B_2$ with probability $1 - p_{b_1}$. Therefore
$$n = p_{a_0} p_{b_1} N, \qquad m_{ij} = \tfrac{1}{2}(1 - p_{a_0})\, p_{b_j}\, N \qquad (14)$$
and the other events are discarded.

– In (12), only $S_\xi(X|E) \equiv \min_{\sigma_{ABE} \in \Gamma_{\varepsilon_{PE}}} S(X|E^b)_{\sigma_{XE^b}}$ depends on the protocol, and this quantity contains only the imprecision of the parameter estimation as a finite-key effect; indeed, the other three modifications due to the finite resources, listed in Section 3.1, give rise to the other terms in (12) that are independent of the protocol. Therefore, we only have to allow a deviation of the measured parameters by the quantity
$$\xi(m, d) = \sqrt{\frac{2\ln(1/\varepsilon_{PE}) + d\ln(m+1)}{m}}$$
as defined in (6). The asymptotic version [34]
$$S_{\xi=0}(X|E) = 1 - h\!\left( \frac{1 + \sqrt{(C/2)^2 - 1}}{2} \right) \qquad (15)$$
depends only on C given in (13). Now, the deviation on the estimate of $E(A_iB_j)$ is $\xi(m_{ij}, 2)$ because a correlation coefficient can be measured by a POVM with d = 2 outcomes ("equal bits" and "different bits"). The most unfavorable case being obviously the one when the true value of C is lower than the estimated one, we obtain
$$S_\xi(X|E) = 1 - h\!\left( \frac{1 + \sqrt{[(C - \xi)/2]^2 - 1}}{2} \right) \qquad (16)$$
with $\xi = \sum_{i,j=1}^{2} \xi(m_{ij}, 2)$.

With these ingredients, (12) is optimized over the free parameters to obtain r for any N and for some chosen values of ε, $\varepsilon_{EC}$, f and the observed parameters (C and the error rate Q). The result is plotted in Fig. 1. Similarly to what was observed for BB84 and six-state [20], no key can be extracted for $N \lesssim [\text{value missing}]$, and the asymptotic value is reached only for $N \gtrsim [\text{value missing}]$. By monitoring the parameters of the optimization, one finds also that $p_{a_0}$ and $p_{b_1}$ tend to 1 in the limit $N \to \infty$, as expected.

5 Conclusion

In this paper, we have built on our previous work on finite-key analysis [20] and completed it with some important remarks. Lemma 1 shows that the symmetrization of the data, although required to achieve security proofs, does not need to be done actively, because the min-entropy of the symmetrized data provides a bound for the min-entropy of the non-symmetrized ones. Lemma 2 extends our formalism to include two-way information reconciliation. After completing the general formalism with these Lemmas, we have applied it to derive a finite-key bound for device-independent security against collective attacks (Section 4.2).
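Returning to the device-independent bound of Section 4.2, the following Python, added here and not part of the paper, evaluates (12) with the ingredients (6), (8), (9), (14) and (16) and optimizes it over a coarse grid of $p_{a_0}$, $p_{b_1}$ and the splitting of ε. The security levels ε = 10^{-5} and $\varepsilon_{EC}$ = 10^{-10}, the grid, the symmetric-error model H(X|Y) = n h(Q) and the privacy-amplification term $2\log_2(1/\varepsilon_{PA})$ are assumptions of this example, so its numbers are not those of Fig. 1; the qualitative behaviour (zero key for small N, convergence towards the asymptotic rate for large N) is what it demonstrates.

```python
import math


def h(p):
    """Binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def xi(m, d, eps_pe):
    """Statistical deviation xi(m, d) of eq. (6): d-outcome POVM estimated on m samples."""
    return math.sqrt((2 * math.log(1 / eps_pe) + d * math.log(m + 1)) / m)


def delta(n, eps_bar):
    """Min-entropy correction delta of eq. (8)."""
    return 7 * math.sqrt(math.log2(2 / eps_bar) / n)


def s_xi(c_obs, xi_total):
    """Bound (16) on S(X|E): the asymptotic formula (15) evaluated at C - xi."""
    c = c_obs - xi_total
    if c <= 2.0:               # no certified CHSH violation: nothing is bounded
        return 0.0
    return 1.0 - h((1.0 + math.sqrt((c / 2.0) ** 2 - 1.0)) / 2.0)


def key_length(N, c_obs, Q, pa0, pb1, eps_pe, eps_bar, eps_pa, eps_ec, f):
    """Secret key length from (12) for fixed free parameters; 0 if the bound is negative."""
    n = pa0 * pb1 * N                         # key rounds (A_0, B_1), eq. (14)
    xi_total = 0.0
    for pbj in (pb1, 1.0 - pb1):             # Bob's settings B_1 and B_2
        m_ij = 0.5 * (1.0 - pa0) * pbj * N   # rounds per CHSH pair (A_i, B_j), eq. (14)
        if m_ij < 1.0:
            return 0.0
        xi_total += 2 * xi(m_ij, 2, eps_pe)  # A_1 and A_2 share the same m_ij for this j
    # eq. (9) with H(X|Y) = n h(Q) (symmetric errors, as assumed in Fig. 1)
    leak = f * n * h(Q) + math.log2(1 / eps_ec)
    ell = (n * (s_xi(c_obs, xi_total) - delta(n, eps_bar))
           - leak - 2 * math.log2(1 / eps_pa))
    return max(ell, 0.0)


def best_rate(N, c_obs, Q, eps=1e-5, eps_ec=1e-10, f=1.2):
    """Key rate r = l/N, maximized over a coarse grid of the free parameters."""
    budget = eps - eps_ec                    # eps_PE + eps_bar + eps_PA, from eq. (5)
    best = 0.0
    grid = (0.5, 0.7, 0.9, 0.99, 0.999)
    for pa0 in grid:
        for pb1 in grid:
            for share_pe in (0.1, 0.3, 0.5):
                eps_pe = share_pe * budget
                eps_bar = eps_pa = 0.5 * (budget - eps_pe)
                ell = key_length(N, c_obs, Q, pa0, pb1,
                                 eps_pe, eps_bar, eps_pa, eps_ec, f)
                best = max(best, ell / N)
    return best


def asymptotic_rate(c_obs, Q, f=1.2):
    """Limit N -> infinity of (3): S(X|E) - f h(Q), all finite-size terms gone."""
    return s_xi(c_obs, 0.0) - f * h(Q)


def chsh_from_qber(Q):
    """CHSH value implied by the error rate under the relation assumed in Fig. 1."""
    return 2 * math.sqrt(2) * (1 - 2 * Q)


if __name__ == "__main__":
    for Q in (0.02, 0.05):
        C = chsh_from_qber(Q)
        print(f"Q={Q:.0%}  C={C:.3f}  asymptotic r={asymptotic_rate(C, Q):.3f}")
        for k in range(4, 13, 2):
            print(f"  N=1e{k:<2d}  r={best_rate(10 ** k, C, Q):.4f}")
```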
Acknowledgments. This work is supported by the National Research Foundation and Ministry of Education, Singapore.
Fig. 1.
Finite-key bound for device-independent security against collective attacks: secret key rate r as a function of the number of exchanged quantum signals N, for two values of the observed error rate Q; we have assumed the relation $C = 2\sqrt{2}\,(1 - 2Q)$, which implies $C \approx 2.715$ for Q = 2% and $C \approx 2.546$ for Q = 5%. We have fixed $\varepsilon = 10^{-[\text{exponent missing}]}$, $\varepsilon_{EC} = 10^{-[\text{exponent missing}]}$ and f = 1.2; we have supposed symmetric errors $\mathrm{Prob}(a_0 \ne b_1) = Q$, so that H(X|Y) in (9) is replaced by h(Q).

References
1. N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, Rev. Mod. Phys., 145 (2002).
2. M. Dušek, N. Lütkenhaus, M. Hendrych, Progress in Optics, Edt. E. Wolf (Elsevier) vol. 49, 381 (2007).
3. V. Scarani, H. Bechmann-Pasquinucci, N.J. Cerf, M. Dušek, N. Lütkenhaus, M. Peev, arXiv:0802.4155v1.
4. P.W. Shor, J. Preskill, Phys. Rev. Lett., 441 (2000).
5. D. Mayers, Journal of the ACM, 351 (2001); and quant-ph/9802025.
6. H.-K. Lo, H. F. Chau, Science, 2050 (1999).
7. M. Koashi, quant-ph/0505108.
8. M. Ben-Or, Security of BB84 QKD Protocol, slides available at [URL missing].
9. I. Devetak and A. Winter, Proc. R. Soc. Lond. A, 207 (2005).
10. H. Inamori, N. Lütkenhaus, D. Mayers, Eur. J. Phys. D, 599 (2007), and quant-ph/0107017.
11. R. König, R. Renner, A. Bariska, and U. Maurer, Phys. Rev. Lett., 140502 (2007).
12. R. Renner and R. König, in Second Theory of Cryptography Conference TCC (Springer, 2005), vol. 3378 of Lecture Notes in Computer Science, pp. 407–425, and quant-ph/0403133.
13. T. Meyer, H. Kampermann, M. Kleinmann, D. Bruß, Phys. Rev. A, 042340 (2006).
14. H.-K. Lo, H. F. Chau, M. Ardehali, J. Cryptology, 133 (2005), and quant-ph/9803007.
15. X. Ma, B. Qi, Y. Zhao, H.-K. Lo, Phys. Rev. A, 012326 (2005).
16. X.-B. Wang, Phys. Rev. Lett., 230503 (2005).
17. M. Hayashi, Phys. Rev. A, 012329 (2007).
18. J. Hasegawa, M. Hayashi, T. Hiroshima, A. Tanaka, A. Tomita, arXiv:0705.3081.
19. R. Renner, Security of Quantum Key Distribution, PhD thesis, Diss. ETH No 16242, quant-ph/0512258.
20. V. Scarani, R. Renner, arXiv:0708.0709v1.
21. M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, in Second Theory of Cryptography Conference TCC (Springer, 2005), vol. 3378 of Lecture Notes in Computer Science, pp. 386–406, and quant-ph/0409078.
22. G. Brassard, L. Salvail, in: Advances in Cryptology - EUROCRYPT '93, Lecture Notes in Computer Science Vol. 765 (Springer Verlag, Berlin, 1994), pp. 410–423.
23. R. Renner, Nature Physics, 645 (2007).
24. C. H. Bennett, G. Brassard, in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175–179.
25. C.H. Bennett, G. Brassard, S. Breidbart, S. Wiesner, IBM Technical Disclosure Bulletin, 4363 (1984).
26. D. Bruß, Phys. Rev. Lett., 3018 (1998).
27. H. Bechmann-Pasquinucci, N. Gisin, Phys. Rev. A, 4238 (1999).
28. D. Gottesman, H.-K. Lo, IEEE Trans. Inf. Theory, 457 (2003).
29. B. Kraus, N. Gisin, R. Renner, Phys. Rev. Lett., 080501 (2005); R. Renner, N. Gisin, B. Kraus, Phys. Rev. A, 012332 (2005).
30. J. L. Carter, M. N. Wegman, Journal of Computer and System Sciences, 143 (1979).
31. M. N. Wegman, J. L. Carter, Journal of Computer and System Sciences, 265 (1981).
32. A.K. Ekert, Phys. Rev. Lett., 661 (1991).
33. A. Acín, S. Massar, S. Pironio, New J. Phys., 126 (2006).
34. A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, V. Scarani, Phys. Rev. Lett., 230501 (2007).
35. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, H.-K. Lo, arXiv:0704.3253.
36. J.F. Clauser, M.A. Horne, A. Shimony, R.A. Holt, Phys. Rev. Lett. 23.