\documentclass[prl,aps,graphicx,color]{revtex4}
%\documentstyle[amsfonts,amssymb,prl,aps,multicol,graphicx,color]{revtex4}
\usepackage{amsmath}
%\usepackage{amsgen}
%\usepackage{amscd}
\usepackage{multicol}
\usepackage{epsfig}

\newcommand{\opr}[1]{\operatorname{#1}}
\newcommand{\Card}[1]{|#1|}
\newcommand{\bea}{\begin{eqnarray}}
\newcommand{\eea}{\end{eqnarray}}
\newcommand{\be}{\begin{equation}}
\newcommand{\ee}{\end{equation}}
\newtheorem{prop}{Proposition}[section]
\newtheorem{definition}[prop]{Definition}
\newtheorem{cor}[prop]{Corollary}
\newtheorem{lemma}[prop]{Lemma}
\newtheorem{thm}[prop]{Theorem}

\newtheorem{Axiom}{Axiom}[section]
\newtheorem{example}{Example}[section]

%\voffset .55in

\def\gp{g^\prime}
\def\gpp{g^{\prime\prime}}
\def\lsim{\mathrel{\lower2.5pt\vbox{\lineskip=0pt\baselineskip=0pt
\hbox{$<$}\hbox{$\sim$}}}}

\title{Privacy Amplification in Quantum Key Distribution:\\
Pointwise Bound {\it versus} Average Bound}
\author{G. Gilbert,$^{\dag}$ M. Hamrick$^{\ddag}$ and F.J. Thayer$^{\ast}$\\
{\em The MITRE Corporation, McLean, Virginia 22102, USA}}



\begin{document}

% Cover page for MTR 01W0000056
%------------------------------------------------------------------
\begin{titlepage}
\begin{trivlist}
\item
\vspace*{4.0ex}
{\Large \textsf{MTR 01W0000056}}\\[-0.8ex]
\hrule ~\\[1.8ex]
{\Large \textsf{ MITRE TECHNICAL REPORT}}\\[2.5cm]
%
\begin{center}
{\huge \textsf{\textbf{Privacy Amplification in Quantum Key Distribution:}}}\\[0.5ex]
{\huge \textsf{\textbf{Pointwise Bound {\it versus} Average Bound}}}\\[3.5cm]
\end{center}
%
{\Large \textsf{G. Gilbert}}\\[0.8ex]
{\Large \textsf{M. Hamrick}}\\[0.8ex]
{\Large \textsf{F.J. Thayer}}\\[-.4ex]
~\\
{\Large \textsf{\textbf{July 2001}}}\\[3.4cm]
%
\begin{tabular}{@{\hspace{-0.15in}} l l l l}

{\normalsize \textsf{\textbf{~~~Sponsor:}}} &
{\normalsize \textsf{MITRE \& DOD}} \hspace{2.22in} &
{\normalsize \textsf{\textbf{Contract No.:}}} \phantom{sp} &
{\normalsize \textsf{DAAB07-01-C-C201}} \\[0.2ex]

{\normalsize \textsf{\textbf{~~~Dept. No.:}}} \phantom{sp} &
{\normalsize \textsf{W072}} &
{\normalsize \textsf{\textbf{Project No.:}}} &
{\normalsize \textsf{51MSR837 \& 0701N020-QC}} \\[0.3cm]

\end{tabular}

\begin{tabular} {@{\hspace{-0.15in}} l l}

\textsf{The views, opinions and/or findings contained in this} &
\textsf{Approved for public release;} \\

\textsf{report are those of The MITRE Corporation and should not be} \phantom{spospo} &
\textsf{distribution unlimited.} \\

\textsf{construed as an official Government position, policy, or} \\

\textsf{decision, unless designated by other documentation.} \\[0.3cm]

\textsf{\copyright 2001 The MITRE Corporation}

\end{tabular}
~\\[0.5cm]


\hspace{-0.2in} {\huge \textsf{\textbf{MITRE}}}\\[0.5ex]
{\large \textsf{\textbf{Washington ${\mathbf C^3}$ Center}}}\\[0.5ex]
{\large \textsf{\textbf{McLean, Virginia}}}\\
\clearpage
\end{trivlist}
\end{titlepage}
%------------------------------------------------------------------

\begin{abstract}$\\$~$\\$
In order to be practically useful, quantum cryptography must not only provide a
guarantee of secrecy, but it must provide this guarantee with a useful,
sufficiently large throughput value.
The standard result of generalized privacy amplification yields
an upper bound only on the {\it average value} of the mutual
information available to an eavesdropper. Unfortunately this result
by itself is inadequate for cryptographic applications.
A naive application of the standard result leads one to {\it incorrectly}
conclude that an acceptable upper bound on the mutual information has been achieved.
It is the {\it pointwise value} of the bound on the mutual information, associated with
the use of some specific hash function, that corresponds to actual implementations.
We provide a fully rigorous mathematical derivation that shows how to obtain a
cryptographically acceptable upper bound on the actual, pointwise
value of the mutual information. Unlike the bound on the average
mutual information, the value of the upper bound on the pointwise mutual
information and the number of bits by which the secret key is compressed are specified
by two different parameters,
and the actual realization of the bound in the pointwise
case is necessarily associated with a specific failure probability.
The constraints amongst these parameters, and the effect of their values on the
system throughput, have not been previously analyzed.
We show that the necessary shortening of the key dictated
by the cryptographically correct, pointwise bound, can still produce
viable throughput rates that will be useful in practice.
\end{abstract}

\maketitle
\begin{multicols}{2}\raggedcolumns

\section{Introduction}
Quantum cryptography has been heralded as providing an important advance in secret
communications because it provides a guarantee
that the amount of mutual information available to an eavesdropper
can unconditionally be made arbitrarily small.
Any {\it practical} realization of quantum key
distribution that consists only of sifting, error correction and authentication
will allow some information leakage, thus necessitating privacy amplification.
Of course, one might contemplate carrying out privacy
amplification after executing a classical key distribution protocol.
In the absence
of any assumed {\it conditions} on the capability of an eavesdropper, it is not
possible to deduce a provable upper bound on
the leaked information in the classical case, so that the subsequent implementation
of privacy amplification would produce nothing, {\it i.e.,} the ``input''
to the privacy amplification algorithm cannot be bounded, and as a result neither
can the ``output.'' In the case of quantum key distribution,
however, the leaked information
associated with the string that is the input to the privacy amplification algorithm
can be bounded,
and this can be done in the absence of any assumptions about the capability of an
eavesdropper. This bound on the input is not by itself good enough for cryptography.
Nevertheless, it allows one to prove a bound on the output of privacy
amplification, so that one deduces a final, unconditional upper bound on the
mutual information available to an eavesdropper. Moreover this bound can be made
arbitrarily small, and hence good enough for cryptography, at the cost of
suitably shortening the final string.
\vskip .075in
\noindent{Except that as usually presented this is not exactly true.}
\vskip .075in
\noindent The above understanding is usually presented in connection with the standard
result of generalized privacy amplification given in \cite{BBCM}, which
applies only to the
{\it average} value of the mutual information. The average is taken with respect
to the random choice of a hash function from the $\mathrm{universal}_2$ class
introduced by Carter and Wegman \cite{WC}. The actual implementation of privacy
amplification, however, will be executed by software and hardware that selects a
{\it particular} hash function. The bound on the average value of the mutual information
does not apply to this situation: it does not directly measure the amount of mutual
information available to an eavesdropper in practical quantum cryptography.

In this paper we calculate cryptographically acceptable pointwise
bounds on the mutual information which can be achieved while still
maintaining sufficiently high throughput rates. In contrast to a
direct application of the privacy amplification result
of \cite{BBCM}, we must
also consider and bound the probability of choosing an unsuitable
hash function and relate this to cryptographic properties of the
protocol and the throughput rate. The relation between average bounds
and pointwise bounds of random variables is not new and follows from
elementary probability theory, as was also noticed in \cite{lutkenhaus-practical}.


\section{Privacy Amplification}

In ideal circumstances, the outcome of a $k$-bit key-exchange protocol
is a $k$-bit key shared between Alice and Bob which is kept secret
from Eve. Perfect secrecy means that from Eve's perspective the shared
key is chosen uniformly from the space of $k$-bit keys. In practice,
one can only expect Eve's probability distribution for the shared key
to be close to uniform in the sense that its Shannon entropy is close to
its largest possible value $k$. Moreover, because quantum
key-exchange protocols implemented in practice {\it inevitably}
leak information to Eve, Eve's distribution of
the key is too far from uniform to be usable for cryptographic
purposes. Privacy amplification is the process of obtaining a nearly
uniformly distributed key in a keyspace of smaller bitsize.

We review the standard assumptions of the underlying probability model
of~\cite{BBCM}:
%
$\Omega$ is the underlying sample space with probability measure
$\mathbf{P}$. Expectation of a real random variable $X$ with respect
to $\mathbf{P}$ is denoted $\mathbf{E} X$. $W$ is a random variable
with key material known jointly to Alice and Bob and $V$ is a random
variable with Eve's information about $W$. $W$ takes values in some
finite keyspace $\mathcal{W}$. The distribution of $W$ is the function
$\mathbf{P}_{\mathcal{W}}(w) = \mathbf{P}(W = w)$ for $w \in
\mathcal{W}$. Eve's distribution having observed a value $v$ of $V$ is
the conditional probability $\mathbf{P}_{\mathcal{W}}|_{V = v}(w) =
\mathbf{P}(W = w | V = v)$ on $\mathcal{W}$. In the discussion
that follows, $v$ is fixed and accordingly we denote Eve's
distribution of Alice and Bob's shared key given $v$ by
$\mathbf{P}_{\mathrm{Eve}}$. $\opr{H}$ and $\opr{R}$ denote the Shannon and
R\'enyi (order 2) entropies of random variables defined on $\mathcal{W}$ relative to
$\mathbf{P}_{\mathrm{Eve}}$.

\begin{definition} Suppose $\mathcal{Y}$ is a keyspace. If $\alpha$
is a positive real number, a mapping $\gamma: \mathcal{W} \rightarrow
\mathcal{Y}$ is an $\alpha$ strong uniformizer for Eve's distribution iff
%
$\opr{H}(\gamma) = -\sum_{y \in \mathcal{Y}} \mathbf{P}_{\mathrm{Eve}}(\gamma^{-1}(y))
\log_2 \mathbf{P}_{\mathrm{Eve}}(\gamma^{-1}(y)) \geq \log_2 \Card{\mathcal{Y}} -
\alpha$.
%
\end{definition}
%

If $\gamma$ is an $\alpha$ strong uniformizer, then we obtain a bound on the mutual
information between Eve's data $V$ and the image $Y=\gamma(W)$ of the hash
transformation as follows (recall that $v$ is fixed, so $\opr{H}(Y|V)$ is evaluated
at $V=v$ and equals $\opr{H}(\gamma)$, while $\opr{H}(Y) \leq \log_2 \Card{\mathcal{Y}}$):

\begin{equation}
\label{E:alphastrong}
I(Y,V) = \opr{H}(Y) - \opr{H}(Y|V) \leq \log_2\Card{\mathcal{Y}} - \opr{H}(\gamma) \leq \alpha~.
\end{equation}


\begin{definition}
%
Let $\Gamma$ be a random variable with values in $\mathcal{Y}^\mathcal{W}$
(the space of functions $\mathcal{W} \rightarrow \mathcal{Y}$) which is
conditionally independent of $W$ given $V = v$, i.e.,
%
$
%
\mathbf{P}(\Gamma = \gamma \mbox{ and }
W = w | {V=v}) = \mathbf{P}(\Gamma = \gamma | {V=v}) \, \mathbf{P}( W = w |
{V=v}).
%
$
%
For $\alpha > 0$, $\Gamma$ is an $\alpha$ average uniformizer for Eve's distribution
iff
%
\begin{equation}
%
\mathbf{E}( \opr{H} \Gamma) \geq \log_2
\Card{\mathcal{Y}} - \alpha \,
%
\end{equation}
%
where $\opr{H} \Gamma$ denotes the real random variable $z \mapsto \opr{H}(\Gamma(z))$
on $\Omega$.
\end{definition}
%

If $\Gamma$ is an $\alpha$ average uniformizer, the bound is on the mutual
information averaged over the choice of hash function $\Gamma$:

\begin{equation}
\label{E:alphaaverage}
I(Y,\Gamma V) = \opr{H}(Y) - \opr{H}(Y|\Gamma V) \leq \log_2\Card{\mathcal{Y}} - \mathbf{E}( \opr{H}
\Gamma) \leq \alpha~.
\end{equation}

Uniformizers are produced stochastically. Notice that by the
conditional independence assumption, the sample point $z \in \Omega$ that
selects the hash function can be taken to vary independently of the key
value $w \in \mathcal{W}$, the latter being distributed according to
$\mathbf{P}_{\mathrm{Eve}}$.

\begin{prop}
%
\label{P:strongresult}
Suppose $\Gamma$ is an $\alpha$ average uniformizer. Then for every $\beta
> 0$, $\Gamma(z)$ is a $\beta$ strong uniformizer for all $z$ outside a set
of probability at most $\frac{\alpha}{\beta}$.
%
\end{prop}
%
{\sc Proof.} Note that for any $\gamma:\mathcal{W} \rightarrow
\mathcal{Y}$, $\opr{H}\gamma$ is at most $\log_2 \Card{\mathcal{Y}}$. Thus
$\log_2 \Card{\mathcal{Y}} - \opr{H}\Gamma$ is a nonnegative random
variable. Applying Markov's inequality (the first-moment form of Chebyshev's
inequality) to $\log_2
\Card{\mathcal{Y}} - \opr{H}\Gamma$, it follows that for every $\beta>0$,
%
\begin{eqnarray*}
%
\mathbf{P}\bigl( \log_2 \Card{\mathcal{Y}} - \beta \geq
\opr{H}\Gamma\bigr) & \leq &
%
\frac{1}{\beta} \mathbf{E}(\log_2 \Card{\mathcal{Y}} -
\opr{H}\Gamma) \\
%
& = & \frac{1}{\beta} \bigl( \log_2 \Card{\mathcal{Y}} - \mathbf{E}
(\opr{H}\Gamma) \bigr) \\ & \leq & \frac{1}{\beta} \alpha.
%
\end{eqnarray*}
%
Outside the event on the left-hand side we have
$\opr{H}\Gamma(z) > \log_2 \Card{\mathcal{Y}} - \beta$, so $\Gamma(z)$ is a
$\beta$ strong uniformizer there.\hfill\rule{0.5em}{0.5em}

The random variable $\Gamma$ is $\mathrm{universal}_2$ in the sense of Carter and
Wegman \cite{WC} iff for all $w \neq w'$ in $\mathcal{W}$,
%
\begin{equation} \mathbf{P}\{z: \Gamma(z)(w) = \Gamma(z)(w')\} \leq
\frac{1}{\Card{\mathcal{Y}}}.
\end{equation}
%
The following is the main result of~\cite{BBCM}:
%
\begin{prop} {\bf (BBCM Privacy Amplification)}.
%
\label{P:averageresult}
Suppose $\Gamma$ is a $\mathrm{universal}_2$ family of mappings
$\mathcal{W} \rightarrow \mathcal{Y}$ conditionally independent of
$W$ given $V=v$. Then $\Gamma$ is a
%
$\frac{2^{\log_2 \Card{\mathcal{Y}} - \opr{R}(W)}}{\ln 2}$
%
average uniformizer for Eve's distribution, where $\opr{R}(W)$ is the R\'enyi
entropy of $W$ relative to $\mathbf{P}_{\mathrm{Eve}}$.
%
\end{prop}


\section{Practical Results}

We will refer to the inequality that provides the upper bound on the average
value of the mutual information as the {\it average privacy amplification bound}, or
APA, and we will refer
to the inequality that provides the upper bound on the actual, or pointwise,
mutual information as the {\it pointwise privacy amplification bound}, or PPA.

In carrying out privacy amplification we must shorten the key by the number of
bits of information that have potentially been leaked to the
eavesdropper \cite{GH_large}. Having
taken that into account, we denote by $g$ the additional number of bits by which the
key length will be further shortened to assure sufficient secrecy, {\it i.e.}, the
additional bit subtraction amount,
and we refer to $g$ as the {\it privacy amplification subtraction parameter}.
With this definition of $g$, Bennett {\it et al.\/} \cite{BBCM} show as a corollary of
Proposition \ref{P:averageresult} that the set of Carter-Wegman hash functions is a
$2^{-g}/\ln 2$ average uniformizer. We thus have
for the APA bound on $\langle I\rangle$, the average value of the
mutual information, the inequality

\begin{equation}
\label{APA}
\langle I\rangle\equiv I(Y,\Gamma V)\leq {2^{-g}\over\ln 2}~.
\end{equation}

\noindent In the case of APA the quantity $g$ plays a dual role:
in addition to representing the number of additional subtraction bits,
for the APA case $g$ also directly determines the upper bound on the
average of the mutual information.

In the case of PPA we again employ the symbol $g$ to denote
the number of subtraction bits, as above
for APA, but the upper bound on the pointwise
mutual information is now given in terms of a different quantity $\gp$, which
we refer to as the
{\it pointwise bound parameter}. Also in the case of PPA we need the parameter
$\gpp$, which we refer to as the {\it pointwise probability parameter}, in terms of
which we may define the failure probability $P_f$.
This definition is motivated by Proposition \ref{P:strongresult},
from which we find that the Carter-Wegman hash functions are $2^{-\gp}/\ln 2$
strong uniformizers except on a set of probability at most

\begin{equation}
P_f\equiv {2^{-g}\over\ln 2}{\Big /}{2^{-\gp}\over\ln 2}=2^{-\left(g-\gp\right)}~.
\end{equation}

\noindent We therefore define the pointwise probability parameter as

\begin{equation}
\label{CE}
\gpp \equiv g - \gp ~.
\end{equation}

\noindent Thus the quantities $g$, $\gp$ and $\gpp$
are not all independent, and are constrained by equation \ref{CE}.
%\begin{equation}
%\label{CE}
%g=\gp+\gpp~.
%\end{equation}
In terms of these parameters we have for the PPA bound on $I$, the actual
value of the mutual information, the inequality

\begin{equation}
\label{PPA}
I\equiv I(Y,V)\leq {2^{-\gp}\over\ln 2}={2^{-\left(g-\gpp\right)}\over\ln 2}
\end{equation}

\noindent where the associated failure probability $P_f$ is given by

\begin{equation}
\label{FP}
P_f=2^{-\gpp}~.
\end{equation}

\noindent The failure probability is
not even a defined quantity in the APA case, but it plays a crucial role in the PPA case.
Thus, the bound on the pointwise mutual information is directly determined by the value
of the parameter $\gp$, with respect to which one finds a tradeoff between $g$,
the number of additional compression bits by which the key is shortened,
and $\gpp$, the negative logarithm of the
corresponding failure probability.

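The following Python script is an added illustration and is not part of this report
or of \cite{BBCM}; it checks the APA bound of eq.(\ref{APA}), the PPA bound of
eq.(\ref{PPA}) and the failure probability of eq.(\ref{FP}) exhaustively for a
small hash family, and so makes concrete both Proposition \ref{P:strongresult}
and the parameter tradeoff just described. Every parameter in it is an
assumption chosen for the illustration: 8-bit keys, an Eve who knows exactly the
two lowest key bits (so that $\mathbf{P}_{\mathrm{Eve}}$ is uniform over 64 keys and
$\opr{R}(W)=6$), $g=3$ subtraction bits (output length $r=3$), and the family of
$3\times 8$ binary Toeplitz matrices as the $\mathrm{universal}_2$ class, chosen because
its $2^{10}$ members can be enumerated so that $\mathbf{E}(\opr{H}\Gamma)$ is computed
exactly rather than sampled. The function and variable names are ours.

```python
"""Added illustration; not code from the report or from Bennett et al. (BBCM).

Exhaustive check of the average (APA) and pointwise (PPA) privacy amplification
bounds in a toy setting.  Everything below is an assumption chosen for the
illustration:
  * n = 8 bit keys; Eve knows the two lowest key bits exactly, so P_Eve is
    uniform over 2^(n-t) = 64 keys and the Renyi entropy is R = n - t = 6.
  * The hash family is every r x n binary Toeplitz matrix (a universal_2
    family with only 2^(n+r-1) members), so the expectation over the choice
    of hash function is computed exactly, not sampled.
  * r = R - g output bits with g = 3 subtraction bits, i.e. r = 3.
"""
import math
from collections import Counter
from itertools import product


def toeplitz_hash(params, n, r):
    """Return w -> T w over GF(2) for the r x n Toeplitz matrix with entries
    T[i][j] = params[i - j + n - 1]; params is a tuple of n + r - 1 bits."""
    rows = []
    for i in range(r):
        mask = 0
        for j in range(n):
            if params[i - j + n - 1]:
                mask |= 1 << j          # row i selects key bit j
        rows.append(mask)

    def h(w):
        y = 0
        for i, mask in enumerate(rows):
            # parity of (row AND key) is the GF(2) inner product of row i and w
            y |= (bin(w & mask).count("1") & 1) << i
        return y

    return h


def shannon_entropy_of_image(h, eve_dist):
    """H(gamma) of Definition 2.1: Shannon entropy, in bits, of the hashed key
    when the key is distributed according to eve_dist = {w: P_Eve(w)}."""
    image = Counter()
    for w, p in eve_dist.items():
        image[h(w)] += p
    return -sum(p * math.log2(p) for p in image.values() if p > 0)


def eve_distribution(n, known_bits, known_value):
    """P_Eve for an n-bit key whose `known_bits` lowest bits Eve knows exactly."""
    low_mask = (1 << known_bits) - 1
    support = [w for w in range(1 << n) if (w & low_mask) == known_value]
    return {w: 1.0 / len(support) for w in support}


def privacy_amplification_stats(n=8, t=2, g=3, g_prime=1):
    """Enumerate the whole Toeplitz family and compare APA with PPA.

    alpha = 2^-g / ln 2 is the APA bound (eq. APA); beta = 2^-g' / ln 2 is the
    PPA bound (eq. PPA); a hash function "fails" when r - H(gamma) >= beta.
    Returns r, alpha, the exact mean loss E[r - H], beta, the exact fraction of
    failing hash functions, the Markov bound alpha/beta and P_f = 2^-(g-g')."""
    renyi = n - t                                 # uniform on 2^(n-t) keys
    r = renyi - g                                 # output length in bits
    eve = eve_distribution(n, t, known_value=0b01)
    alpha = 2.0 ** (r - renyi) / math.log(2)      # = 2^-g / ln 2
    beta = 2.0 ** (-g_prime) / math.log(2)        # = 2^-g' / ln 2
    losses = []
    for params in product((0, 1), repeat=n + r - 1):
        h = toeplitz_hash(params, n, r)
        losses.append(r - shannon_entropy_of_image(h, eve))
    mean_loss = sum(losses) / len(losses)
    fail_fraction = sum(1 for x in losses if x >= beta) / len(losses)
    return {
        "r": r,
        "alpha": alpha,
        "mean_loss": mean_loss,
        "beta": beta,
        "fail_fraction": fail_fraction,
        "markov_bound": alpha / beta,
        "p_f": 2.0 ** (-(g - g_prime)),
    }


if __name__ == "__main__":
    s = privacy_amplification_stats()
    print(f"r = {s['r']} bits")
    print(f"APA: E[r - H] = {s['mean_loss']:.4f} <= alpha = {s['alpha']:.4f}")
    print(f"PPA (g' = 1): P[r - H >= beta = {s['beta']:.3f}] = {s['fail_fraction']:.4f}"
          f" <= alpha/beta = {s['markov_bound']:.3f} = P_f = {s['p_f']}")
    naive = privacy_amplification_stats(g_prime=3)   # g' = g: the naive reading of APA
    print(f"naive g' = g: P_f = {naive['p_f']} (no pointwise guarantee at all)")
```

Because $\mathbf{P}_{\mathrm{Eve}}$ is uniform and the hash is linear, $\opr{H}(\gamma)$
for a given matrix is just the rank of its columns over the six unknown key bits,
so the ``unsuitable'' hash functions of Proposition \ref{P:strongresult} are
exactly the rank-deficient ones (the all-zero matrix loses all three bits). The
script shows the average loss staying below $\alpha=2^{-3}/\ln 2$ while the
fraction of such functions is controlled only through $\gpp$: with $\gp=1$ it is
bounded by $\alpha/\beta=2^{-\gpp}=1/4$, and with the naive choice $\gp=g$ the
bound becomes $P_f=1$, which guarantees nothing.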

\section{Application of Pointwise Bound}

Operationally, it will usually be the case in practice that end-users of
quantum key distribution systems will be first and foremost
constrained to ensure that a given upper bound on the pointwise
mutual information available to the enemy is realized.

To appreciate the significance of the distinction between the PPA and APA results,
we will consider an illustrative example that shows how reliance on the APA bound
can lead to complete compromise of cryptographic security.
We begin with the APA case.
As noted above, in the case of APA the privacy
amplification subtraction parameter, which we will now denote by $g_{APA}$ to emphasize
the nature of the bound, directly specifies both the upper bound on
$\langle I\rangle$ and also the number of bits by which the key needs to be shortened
to achieve this bound.
Without loss of generality we take the value of the
privacy amplification subtraction parameter to be given by $g_{APA}=30$, which means that,
in addition to the compression by the number of bits of information that were
estimated to have been leaked, the final length of the key will be further shortened by
an additional 30 bits. This results in
an upper bound on the average mutual information given by
$\langle I\rangle\leq 2^{-30}/\ln 2\simeq 1.34\times 10^{-9}$, which
we take as the performance requirement for
this example. While this might appear to be an acceptable
bound, the fact that it applies only to the average of the mutual information of
course means that it is not the quantity we require.

We turn to the PPA case, with respect to which
we will now refer to the privacy amplification subtraction
parameter as $g_{PPA}$.
In order to discuss the PPA bound we must select
appropriate values amongst $g_{PPA}$, $\gp$ and $\gpp$.
In the APA case discussed above,
the bound on the (average) mutual information and the number of subtraction bits are
both specified by the same parameter $g_{APA}$.
In the PPA case, the number of subtraction bits
and the parameter that specifies the bound on the (pointwise) mutual information are
not the same. To achieve the same value for the upper bound on $I$ as we discussed
for the upper bound on $\langle I\rangle$ above, we must select $\gp=30$ as the value
of the pointwise bound parameter. From eq.(\ref{PPA}) this indeed yields the
required inequality $I\leq 2^{-30}/\ln2\simeq 1.34\times 10^{-9}$.
However, with respect to this requirement on the value of the mutual
information, {\it i.e.}, the required final amount of cryptographic secrecy, there is a
countable set (since bits are discrete) of different amounts of compression of
the key that are possible to select, each associated with a corresponding failure
probability, $P_f$, in the form of ordered pairs $\left(g_{PPA},\gpp\right)$ that satisfy
the constraint given by $g_{PPA}=\gp+\gpp$ ({\it cf} eq.(\ref{CE})).

Our starting point was the secrecy performance requirement that must be satisfied.
On the basis of the APA analysis above, one might conclude that in order to achieve
the required secrecy performance constraint it is sufficient to shorten the key by
30 bits. However in the PPA case, satisfying the same performance requirement
{\it and} shortening the key by 30 bits means choosing identical values for the
privacy amplification subtraction parameter ($g_{PPA}=30$) and the pointwise bound
parameter ($\gp=30$). However, we note from eq.(\ref{CE}) that in the case of the PPA
bound, $g_{PPA}$ and $\gp$ become the same only when $\gpp=0$, which corresponds to
$P_f=2^{0}=1$: the upper bound on the pointwise mutual information is then guaranteed
with no probability at all. This is clearly cryptographically useless!

This example emphasizes the importance of assuring a sufficiently small failure
probability in addition to a sufficiently small upper bound on the mutual information.
As we see from the above example, the APA result provides no information about the
correct number of subtraction bits that are required in order to achieve a specified
upper bound on the pointwise mutual information with a suitable failure probability,
for which it is essential to use the
PPA result instead. In Figure 1 we have plotted the failure probability as a function of
the upper bound on the mutual information, for a family of choices of $g_{PPA}$ values.
Returning to the example discussed above for the APA bound, we see that if we need
to achieve an upper bound on $I$ of about $10^{-9}$, we may do so
with a failure probability
of about (coincidentally) $10^{-9}$, at the cost of shortening the final key by 60 bits:
the secrecy is dictated by the pointwise bound parameter value of $\gp=30$,
which is effected by choosing $g_{PPA}=60$, corresponding to $\gpp=30$ and
$P_f=2^{-30}\simeq 10^{-9}$.
Smaller upper bounds can obviously be obtained, with suitable values of the failure
probability, at the cost of further shortening of the key.

\begin{center}

\epsfig{file=ppafig1.eps,width=9cm}
{\bf Figure 1}

\end{center}

In Figure 2 we plot the throughput of secret Vernam
cipher material in bits per second, as a function of bit cell period, for the
two bit subtraction amounts $g_{PPA}=30$ and $g_{PPA}=60$.
The example chosen is a representative scenario for applied quantum cryptography.
In calculating the rate we follow the method described in reference \cite{GH_large}.
We assume the use of an attenuated, pulsed laser, with Alice located on a low earth orbit
satellite at an altitude of 300 kilometers and Bob located at mean sea level,
with the various system parameters corresponding to those for Scenario ({\it i}) in
Section 5.3.2 in \cite{GH_large}, except that here the source
of the quantum bits operates at a pulse repetition frequency (PRF) of 1 MHz,
and we specifically assume that the enemy does
not have the capability to make use of prior shared entanglement in
conducting eavesdropping attacks.
We see that the additional cost incurred in subtracting
the amount required to achieve the required mutual information bound and failure
probability reduces the throughput rate by an amount that is likely to be acceptable for
most purposes. For instance, for a source PRF of 1 MHz we find that
the throughput rate with a value of $g_{PPA}=30$ is 5614 bits per second. With
a subtraction amount of $g_{PPA}=60$ the throughput rate drops to 5563 bits per second
\cite{blocksize}.

\begin{center}

\epsfig{file=ppafig2.eps,width=9cm}
{\bf Figure 2}

\end{center}


\section{Conclusions}

The significance and proper implementation of privacy amplification in quantum
cryptography are clarified by our analysis.
By itself the bound on the average value of the mutual information presented in
\cite{BBCM} does not allow one to determine the values of parameters required
to bound the actual, pointwise value of the mutual information. Those parameters
must satisfy a constraint, which in turn implies a constraint on
the final throughput of secret key material. We have
rigorously derived the cryptographically meaningful upper bound on the pointwise
mutual information associated with the use of some specific privacy
amplification hash function, and shown that the corresponding requirements on
the shortening of the key still allow viable throughput values.

%\bibliographystyle{plain}
\vspace*{.175in}
{\footnotesize
$\!\!\!\!\!\!\!\!\!\!$
%\ast$ This research was supported by MITRE under MITRE Sponsored
%Research Grant
%51MSR837 and by the xxx under MITRE Task 0701N020-QC.\\
\dag ~ggilbert@mitre.org\\
\ddag ~mhamrick@mitre.org\\
$\ast$ jt@mitre.org}
\begin{thebibliography}{1}

\bibitem{BBCM}
C. H. Bennett, G. Brassard, C. Cr\'epeau, and U. Maurer,
``Generalized Privacy Amplification,'' IEEE Trans. Inf. Th. {\bf 41}, 1915 (1995).

\bibitem{WC}
J. L. Carter and M. N. Wegman, ``Universal classes of hash functions,''
J. Comp. Syst. Sciences {\bf 18}, 143 (1979).

\bibitem{GH_large}
G. Gilbert and M. Hamrick, ``Practical Quantum Cryptography: A Comprehensive
Analysis (Part One),'' {\it arXiv e-print} quant-ph/0009027 (2000).

\bibitem{lutkenhaus-practical}
N. L\"utkenhaus, ``Estimates for practical quantum cryptography,''
Phys. Rev. A {\bf 59}, 3301-3319 (1999).
The effect on the viability of throughput rates caused by changing the number of
subtraction bits associated with replacing the average bound with the pointwise bound
is not analyzed in \cite{lutkenhaus-practical},
and the tradeoffs between the security parameters that define the pointwise
bound are not numerically studied. Also,
the complete loss of cryptographic security that is caused by naive application of
the result given in \cite{BBCM} is not presented in \cite{lutkenhaus-practical}.
(See Section IV of the present paper.)

\bibitem{blocksize}
The difference between the two throughput values is about 50 bits per second,
because an additional 30 bits are subtracted per processing block, and in
the example presented there are about 1.6 blocks per second.
See reference \cite{GH_large} for a discussion of processing block size.

\end{thebibliography}

\setcounter{unbalance}{15}
\end{multicols}


\end{document}
