1: \documentclass[prl,superscriptaddress,twocolumn]{revtex4}

2: \usepackage[latin1]{inputenc}  % Eingabe von Umlauten

3: %\usepackage{type1ec}          % fonts werden nach belieben skaliert (nur fuer EC schriften)

4: \usepackage[T1]{fontenc}       % verwendung europäischer Schriftarten

5: \usepackage[austrian,english,french]{babel}

6: \usepackage{graphicx}

7: \usepackage{amsmath}

8: \usepackage{amssymb}

9: \usepackage{amscd}

10: \usepackage[sort&compress]{natbib}

11: 

12: 

13: \begin{document}

14: \selectlanguage{english}

15: 

16: \title{Exploiting the randomness of the measurement basis in quantum

17: cryptography: Secure Quantum Key Growing without Privacy

18: Amplification}

19: \author{Hannes R. Böhm}

20: \email{hannes.boehm@exp.univie.ac.at}

21: \author{Paul S. Böhm}

22: \author{Markus Aspelmeyer}

23: \author{\v{C}aslav Brukner}

24: \affiliation{Institut für Experimentalphysik, Universität Wien,

25: Boltzmanngasse 5, 1090 Wien, Austria}

26: \author{Anton Zeilinger}

27: \affiliation{Institut für Experimentalphysik, Universität Wien,

28: Boltzmanngasse 5, 1090 Wien, Austria} \affiliation{Institute for

29: Quantum Optics and Quantum Information, Austrian Academy of

30: Sciences, Boltzmanngasse 3, 1090 Wien, Austria}

31: \date{\today}

32: 

33: \begin{abstract}

34: We suggest that the randomness of the choices of measurement basis

35: by Alice and Bob provides an additional important resource for

36: quantum cryptography. As a specific application, we present a

37: novel protocol for quantum key distribution (QKD) which enhances

38: the BB84 scheme by encrypting the information sent over the

39: classical channel during key sifting. We show that, in the limit

40: of long keys, this process prevents an eavesdropper from

41: reproducing the sifting process carried out by the legitimate

42: users. The inability of the eavesdropper to sift the information

43: gathered by tapping the quantum channel reduces the amount of

44: information that an eavesdropper can gain on the sifted key. We

45: further show that the protocol proposed is self sustaining, and

46: thus allows the growing of a secret key.

47: \end{abstract}

48: \maketitle

49: 

50: 

51: \section{Introduction}

52: Quantum cryptography \cite{gisin02} was first described by Bennett

53: and Brassard \cite{bennett84} in 1984. Their protocol, commonly

54: called BB84, is still the most widely used protocol for quantum

55: cryptography today. Its simplicity, its proven

56: security\cite{fuchs97} and its possibility to be extended to

57: entangled photons

58: \cite{ekert91a,bennett92b,jennewein00,naik00,tittel00} has

59: contributed to its widespread use.

60: 

61: BB84 describes a protocol for growing a large secret key between

62: two communicating parties starting from a smaller shared secret.

63: The processing of the raw data found in BB84 requires several

64: steps including key sifting, error correction and privacy

65: amplification. In BB84 privacy amplification \cite{bennett88}

66: allows to generate a secure key starting from a key that might be

67: partially known by a possible eavesdropper. This increase in

68: security comes at the expense of the final key length.

69: 

70: The basic idea of the present paper is to exploit a resource

71: which, though present in all existing protocols, has sofar not

72: been utilized to the full extent. The randomness of the basis

73: choices of both legitimate parties is an important resource as it

74: is a sequence of perfect random numbers. In current quantum

75: cryptography protocols it is simply used to choose the basis for

76: both, preparation and measurement of quantum states. We suggest

77: that this sequence can be further exploited. For example it might

78: be used for the encryption of data transmitted between the

79: legitimate parties.

80: 

81: As an explicit example of the idea, we present here a modification

82: to the BB84 protocol that reduces the information the eavesdropper

83: can obtain on the sifted key. It seems that this reduction scales

84: with the length of the raw key, which would imply that the

85: information of an eavesdropper on the sifted key can be made

86: arbitrarily small. Even though a complete security proof is not

87: given, we suspect that our protocol can work at higher quantum bit

88: error rate (QBER) compared to privacy amplification at the same

89: security level. This advantage is gained by further exploiting the

90: randomness of the measurement basis choices, more than has been

91: done in BB84.

92: 

93: 

94: \section{The Protocol}

95: Our protocol can be seen as an extension of the BB84 protocol in

96: the sense that the production of the raw key is identical to the

97: production in the original BB84. This makes it applicable to both,

98: QKD based on single photons, as well as entangled state QKD

99: \cite{ekert91a}. In the analysis of our protocol, we start with

100: from the original BB84 scheme. However, our protocol can easily be

101: extended to the case of entangled qubit quantum cryptography, and

102: probably many other quantum cryptography systems.

103: 

104: The two legitimate communicating parties, called Alice and Bob,

105: establish a common secret key in the following way. Alice prepares

106: a state in a two dimensional Hilbert space using one of two

107: mutually conjugate basis sets and sends it to Bob. In each basis,

108: one basis vector is attributed to the classical bit value ``0'',

109: the other to the bit value ``1''. The choice of the basis used,

110: and the bit value sent, are both assumed to be completely random.

111: 

112: Upon reception of the state, Bob randomly measures the state in

113: one of the two bases and stores the result together with his

114: choice of basis used. Now both parties possess a table consisting

115: of entries for each state transmitted. This table is called the

116: raw key. Up to this point, our protocol is identical to the BB84

117: protocol described in \cite{bennett84}.

118: 

119: Once the raw key is produced it is sifted, which was done in BB84

120: by publicly announcing the measurement basis on a classical

121: channel and keeping only the measurement results where Alice and

122: Bob happened to have chosen the same basis (see Figure

123: \ref{fig:protocol}a). We have strong indications, that this public

124: announcement of the measurement bases reveals more information

125: about the sifted key to an eavesdropper than is necessary for

126: establishing a secure key between the two legitimate parties. To

127: overcome this potential weakness of the existing protocols, a

128: modification of the basis reconciliation process, which does not

129: publicly announce the measurement basis, is necessary. Note that unlike in

130: other protocols that omit a public basis announcement

131: \cite{hwang98}, here the encoding and receiving bases have been chosen

132: randomly for every transmitted qubit.

133: 

134: Now consider the following situation: The two legitimate communicating

135: parties, Alice and Bob, have just produced a raw key of length

136: $n$. Thus, Alice possesses a list containing her random

137: preparation basis and the random value of the qubit transmitted at

138: each particular basis choice. Likewise Bob possesses a list

139: containing his random measurement basis and the corresponding

140: random measurement result for each qubit received. Every entry in

141: these lists represent a single transmitted qubit and can be

142: expressed in two bits of classical information, one for the basis

143: that has been used ($B_i$), the other ($K_i$) for the prepared bit

144: value or the outcome of the measurement. Every entry of the list

145: can thus be written as

146: \begin{equation}

147: \left( B_{p,i},K_{p,i} \right)  \,\,\,\,\,

148: p=\mathrm{Alice},\mathrm{Bob} \,\,\,\,\,i=0,1,\ldots,n

149: \end{equation}

150: with $B_{p,i}$ and $K_{p,i}$ being single bit values. Additionally

151: Alice and Bob share a classical secret $S_{1\dotsc 2n}$. This $2n$

152: bit secret string has to be available to Alice and Bob before the

153: protocol starts.  For the further usage it is split into two parts

154: of equal length $S_{\mathrm{Alice}, {1 \dotsc n}}$ and

155: $S_{\mathrm{Bob},{1 \dotsc n}}$.

156: 

157: The sifting process now works as follows (see Figure

158: \ref{fig:protocol}b). Alice and Bob each apply an XOR operation

159: between their local list $B_{\mathrm{Alice},i}$

160: ($B_{\mathrm{Bob},i}$) and $S_{\mathrm{Alice},i}$

161: ($S_{\mathrm{Bob},i}$) to produce a message $M_{\mathrm{Alice},i}$

162: ($M_{\mathrm{Bob},i}$), in other words

163: \begin{equation}

164: M_{p,i} = B_{p,i} \mathrm{\,\,XOR\,\,} S_{p,i}

165: \end{equation}

166: The two computed messages ($M_{p,i}$) are then exchanged over a

167: classical channel. Upon reception, Alice and Bob can decode the

168: message of their communication partner and regain the original

169: list of bases by applying the inverse operation

170: \begin{equation}

171: B_{p,i} = M_{p,i} \mathrm{\,\,XOR\,\,} S_{p,i}

172: \end{equation}

173: After this decoding step, Alice and Bob both have information on

174: both lists of bases $B_{\mathrm{Alice},i}$ and

175: $B_{\mathrm{Bob},i}$. Thus, they can now remove all entries of

176: their record where

177: \begin{equation}

178: B_{\mathrm{Alice},i} \ne

179: B_{\mathrm{Bob},i}\hspace{10pt}\hspace{.1mm}.\label{eqn:sifting-unequal-bases}

180: \end{equation}

181: The eavesdropper, called Eve from now on, can not reproduce this

182: step, because she does not have the shared secret $S_{p,i}$. This

183: means that even if she has done some sort of eavesdropping on the

184: quantum channel, her information on the sifted key is less than in

185: the case of the original BB84 protocol, as she can not correctly

186: sift the key with certainty.

187: 

188: Once the sifting process is completed, Alice and Bob share a

189: sifted key, which usually contains errors. In order to generate a

190: secure key, which can in turn be used for secure transmission of

191: data, this error has to be estimated and

192: corrected\cite{brassard94}. After error estimation and error

193: correction, a secure key is generated from the error-free sifted

194: key. In BB84 this is done by using a classical privacy

195: amplification protocol, which washes out the information a

196: possible eavesdropper could have obtained on the key by

197: measurements on the quantum channel. In this step the final key is

198: reduced in length depending on the amount of information an

199: eavesdropper could possess of the error corrected sifted key.

200: 

201: We will show that in our case the encryption of the classical

202: channel during basis reconciliation reduces the amount of

203: information an eavesdropper can get on the sifted key. Even though

204: we do not have a complete quantitative description of this

205: reduction of information accessible to Eve, we suspect that the

206: additional privacy amplification step might not be required under

207: certain conditions. One has to keep in mind, that the presharing

208: of a secret string does not represent a disadvantage compared to

209: BB84, where a shared key is required for authentication of the

210: classical channel \cite{luetkenhaus99}.

211: 

212: After the secret key has been established between Alice and Bob,

213: the protocol starts anew with the transmission and measurement of

214: qubits over the quantum channel. During the new run of the

215: protocol, the shared secret ($S_{p,i}$) used to encrypt the basis

216: exchange has to be reused. It is therefore necessary to quantify

217: the amount of information an eavesdropper can gain about the

218: shared secret during a single run of the protocol. In general the

219: upper bound for this information gain depends on the quantum bit

220: error rate (QBER) as we will discuss in the next section. To

221: sustain the secrecy of the shared secret it is therefore necessary

222: to subsequently refresh the secrecy of the initial shared secret

223: after every run of the protocol.

224: 

225: \begin{figure*}[ht]\vspace{0.1cm}

226: \center

227: \includegraphics[width=16 cm, keepaspectratio, clip=true, draft=false]{protocol4.eps}

228: \caption[The Protocol]{\textbf{(a)} Sketch of the original BB84

229: sifting method. The bases used to encode and measure the qubits

230: are transmitted unencrypted over the classical channel. Using the

231: list of bases received from their respective communication

232: partners, they can decide which qubits were encoded and

233: measured in compatible bases and therefore contribute to the

234: sifted key. \textbf{(b)} Sketch of the protocol proposed in this

235: paper. (1) Additionally to the lists of BB84, Alice and Bob both

236: possess a preshared secret that is split into two parts,

237: $S_{\mathrm{Alice}}$, and $S_{\mathrm{Bob}}$. (2) The information

238: which basis was used during each individual measurement is

239: encrypted before it is sent over the classical channel using the

240: shared secret. This is done by applying a logic XOR between the

241: list of bases and a part of the shared secret. This encryption of

242: the encoding and measurement bases renders it impossible for a

243: third party to correctly sift measurement results obtained from

244: eavesdropping on the quantum channel. For the protocol to be

245: secure it is mandatory that Alice and Bob use different parts of

246: the shared secret and that for successive runs of the protocol,

247: the secrecy of the shared secret has to be continuously

248: refreshed.} \label{fig:protocol}

249: \end{figure*}

250: 

251: 

252: \section{Security Considerations}

253: The protocol presented in the last section reduces the possible

254: knowledge an eavesdropper can obtain on the sifted key that is

255: established between Alice and Eve. In this section we try to

256: quantify this reduction of information accessible to the

257: eavesdropper. In the limiting case of long key length we find a

258: strong indication that our protocol has an advantage over the

259: existing combination of BB84 and privacy amplification.

260: Considering that we use a resource that has not been used to the

261: full extent in existing protocols, namely the randomness of the

262: basis choices, it is reasonable that such an advantage exists.

263: 

264: The security analysis is split in two parts. First we analyze the

265: amount of information about the shared secret that can be

266: extracted from a single cycle of the protocol. If this amount of

267: information is smaller than the final sifted key, then it is

268: possible to grow a longer shared key with our protocol. In the

269: second part, we analyze the case where Eve has no information on

270: the shared secret and thus has to sift her measurement results

271: without any knowledge on the basis used by Alice and Bob.

272: 

273: \subsection{Plaintext Attack}

274: For the security of the proposed protocol, it is important that

275: the shared secret can not be determined by analysis of the

276: messages $M_{\mathrm{Alice},i}$ and $M_{\mathrm{Bob},i}$ and any

277: resources that are accessible to an eavesdropper.

278: This includes the ciphertext ($C_i$) that is finally sent by Alice to Bob after

279: a secret key has been established and full knowledge of the

280: plaintext ($P_i$) that has been transmitted with this key. These

281: two resources enable Eve to gain full knowledge of the key that

282: has been used to send the message. This can be seen by the fact

283: that, using the Vernam cipher \cite{vernam26}, the ciphertext is

284: usually created from the plaintext by

285: \begin{equation}

286: C_i = P_i\hspace{2mm} \mathrm{XOR}\hspace{2mm}

287: K_i^{\mathrm{sifted}}

288: \end{equation}

289: and thus,

290: \begin{equation}

291: P_i = C_i\hspace{2mm} \mathrm{XOR}\hspace{2mm}

292: K_i^{\mathrm{sifted}}\hspace{2mm}.

293: \end{equation}

294: 

295: To simplify the further treatment, we assume that Eve has full

296: information on the raw key. This can be written as

297: \begin{equation}

298: B_{\mathrm{Eve},i}=B_{\mathrm{Alice},i} \hspace{.5cm} \mathrm{or}

299: \hspace{.5cm} B_{\mathrm{Eve},i}=B_{\mathrm{Bob},i} \hspace{.2cm}

300: \label{eqn:eve-basis-assumption}

301: \end{equation}

302: and

303: \begin{equation}

304: B_{\mathrm{Bob},i} = B_{\mathrm{Alice},i} \Longrightarrow \\

305: K_{\mathrm{Eve},i} = K_{\mathrm{Alice},i} =

306: K_{\mathrm{Bob},i}\hspace{1mm}. \label{eqn:eve-raw-key}

307: \end{equation}

308: 

309: Note that this assumption provides Eve with more information than

310: she could obtain with any eavesdropping scheme. For a detailed

311: security analysis one would have to drop this assumption and

312: introduce a quantum bit error rate dependent probability for Eve

313: to have correct bit value for each position in the raw key.

314: However in our proof of principle analysis is suffices to assume

315: that Eve has complete knowledge of the raw key.

316: 

317: We now assume that the sifted key consists of exactly half the

318: number of bits of the raw key, as this is the case with the

319: highest probability. In this case there exist

320: $\binom{n}{\frac{n}{2}}$ functions\,\footnote{If the length of the

321: sifted key is kept secret by Alice and Bob, the assumption that

322: the sifted key consists of exactly $\frac{n}{2}$ bits gives a

323: lower estimate for the number of sifting functions.} that

324: represent a possible sifting method (see Figure

325: \ref{fig:sifting}):

326: \begin{multline}

327: f^{k}: (K_{p,1},\ldots,K_{p,n}) \longrightarrow \

328: (K_1^{\mathrm{sifted}},\ldots,K_{\frac{n}{2}}^{\mathrm{sifted}} ) \\

329: k=1,\ldots,\binom{n}{\frac{n}{2}}

330: \end{multline}

331: It is easy to see that knowledge on the sifting function $f$ that

332: was used to create the sifted key, is equivalent to knowledge of

333: shared secret $S_j$ that has been used during basis

334: reconciliation.

335: 

336: Without any knowledge of the raw key, thus in the case where Eve

337: does not extract any information form the quantum channel, Eve can

338: gain no information about the used sifting function and therefore

339: about the shared secret.

340: 

341: \begin{figure}[ht]\vspace{0.1cm}

342: \center

343: \includegraphics[width=7 cm, keepaspectratio, clip=true, draft=false]{sifting2.eps}

344: \caption[Sifting without basis information]{There exist

345: $\binom{n}{\frac{n}{2}}$ sifting functions that map an $n$-bit raw

346: key to a $\frac{n}{2}$-bit sifted key. } \label{fig:sifting}

347: \end{figure}

348: 

349: However, if Eve has maximal information on the raw key as assumed

350: in (\ref{eqn:eve-basis-assumption}) and (\ref{eqn:eve-raw-key}),

351: she can try out all possible sifting functions with her own raw

352: key, and exclude all functions $f^k$ that do not reproduce the

353: sifted key, she knows from her plaintext analysis. This reduces

354: the number of possible sifting functions to

355: \begin{equation}

356: k_{\mathrm{max}}=\frac{\binom{n}{\frac{n}{2}}}{2^{\frac{n}{2}}}

357: \sim e^{\alpha n} \hspace{.5cm} 0 < \alpha < 1

358: \end{equation}

359: which is still exponentially growing with the key length $n$.

360: 

361: This reduction in the number of sifting functions can be written

362: as a gain of information $I$ on the shared secret, by calculating

363: the difference in the Shannon entropy with and without ruling out

364: the sifting functions that do not reproduce the final sifted key:

365: \begin{equation}

366: I = H^{\mathrm{apriori}}-H^{\mathrm{aposteriori}}

367: \end{equation}

368: with

369: \begin{equation}

370: H = - \sum_i p_i \log_2 p_i \hspace{0.5cm}.

371: \end{equation}

372: Assuming that all sifting functions are equally likely,

373: \begin{equation}

374: p_i = p \hspace{1cm} \forall p_i

375: \end{equation}

376: this reduces to

377: \begin{equation}

378: H = - \log_2 p

379: \end{equation}

380: and we get an information gain of

381: \begin{equation}

382: H = \log_2\binom{n}{\frac{n}{2}} - \log_2

383: \frac{\binom{n}{\frac{n}{2}}}{2^{\frac{n}{2}}} = \frac{n}{2}

384: \end{equation}

385: 

386: Because this information gain has been derived for the case where

387: the eavesdropper has full information on the raw key, this

388: represents the upper bound on the information an eavesdropper can

389: gain on the shared secret. To sustain the secrecy of the shared

390: secret, the legitimate parties have to use this amount of bits

391: from the generated sifted key to refresh the shared secret. In our

392: case this would leave the legitimate parties not a single bit for

393: secret communication. However, this derivation is based on the

394: unrealistic assumption that Eve possesses full information on the

395: raw key. One can therefore conclude that the maximal amount of

396: information on the shared secret in a realistic eavesdropping

397: scheme is less than the value obtained here. This strongly

398: suggests that it is possible to use the protocol proposed in this

399: paper for secure quantum key growing.

400: 

401: Again, we would like to stress that the security analysis

402: presented is based on

403: assumption\,(\ref{eqn:eve-basis-assumption}), which gives the

404: eavesdropper much more information on the raw key than is possible

405: for any eavesdropping strategy.

406: 

407: \subsection{Sifting without Basis Information}

408: In the last section we showed that even under the assumption that

409: Eve has maximal knowledge on the raw key and the transmitted

410: plaintext, the produced sifted key is sufficiently large to

411: sustain the secrecy of the shared secret. We now want to show that

412: the unavailability of the basis information can drastically reduce

413: the probability to obtain the correct sifted key.

414: 

415: Let us now consider the case where Eve does a simple

416: \emph{intercept and resend} eavesdropping strategy

417: \cite{huttner94} on all qubits transmitted from Alice to Bob. If

418: she uses the same two basis sets as Alice and Bob, the probability

419: for having a correct final key bit is 75\%, given that she has

420: full basis information which is needed to sift her measurement

421: results key. In our protocol, this information is not available to

422: Eve, and thus a qubit intercepted in a compatible basis does not

423: necessarily lead to a correct bit in the sifted key. This

424: reduction in the probability to obtain a correct final key bit

425: reduces the information accessible to Eve (see Figure

426: \ref{fig:siftcontrib}).

427: 

428: \begin{figure}[ht]\vspace{0.1cm}

429: \center

430: \includegraphics[width=7 cm, keepaspectratio, clip=true, draft=false]{siftcontrib.eps}

431: \caption[]{Without the complete basis information, the

432: eavesdropper is presented with the following situation: For every

433: bit of the sifted key, there is a certain probability that it was

434: derived from a specific bit of the raw key. With increasing key

435: length $n$, more and more raw key bits contribute with

436: non-vanishing probability to the specific sifted key bit. This

437: reduces the probability to conduct a valid sifting process and

438: therefore reduces the information on the sifted key accessible to

439: the eavesdropper.}\label{fig:siftcontrib}

440: \end{figure}

441: 

442: The probability that a single bit $K_l^{\mathrm{sifted}}$ of the

443: sifted key is derived from a specific bit $K_i$ in the raw key can

444: be written by the binomial distribution

445: \begin{equation}

446: P(K_l^{\mathrm{sifted}} \leftrightarrow K_{\mathrm{Eve},i}) =

447: \binom{i-1}{l-1} \left(\frac{1}{2}\right)^i\vspace{.1cm}.

448: \label{eqn:siftprob}

449: \end{equation}

450: For a large number of $l$, this distribution can be approximated

451: by a Gaussian distribution centered at $i=2l$ and

452: $\sigma=\frac{\sqrt{i}}{2}$.

453: 

454: The full width of half-maximum of this distribution can be seen as

455: the number of basis pairs that contribute with a significant

456: probability to the given sifted key value $K_l^{\mathrm{sifted}}$.

457: By increasing the length $n$ of the raw key, the information that

458: Eve can extract from her measurement results can be in principle

459: reduced arbitrarily.

460: 

461: \subsection{Authentication}

462: Until now we did not specify the requirements of the classical

463: channel used in the proposed protocol. One of the important

464: features of the classical channel in BB84 is message

465: authentication. There, the authentication of the classical channel

466: is crucial for the security of the protocol. Without

467: authentication, a selective modification of the basis

468: reconciliation process would allow an eavesdropper to decrease the

469: detectable QBER and thus to hide the quantum error he introduced

470: during the measurements on the quantum channel.

471: 

472: In our protocol, this selective modification of the basis

473: reconciliation process is not possible as the bases are encrypted

474: with the shared secret and therefore completely random. The

475: plaintext attack does not work to gain information on the shared

476: secret, because the basis exchange takes place before the transmission of a

477: ciphertext. However, any modification to a randomly encrypted

478: message $M_{p,i}$ randomly changes the bases information $B_{p,i}$

479: and can therefore, in average, not lead to a decreased QBER. This

480: is an indication, that our protocol could also work without

481: authentication of the basis reconciliation process. However, until a proof

482: is found for this argument we have to assume an authenticated classical channel.

483: 

484: \section{Conclusion}

485: We shown that the random basis choice in quantum cryptography is an important

486: resource and can exploited more than has been done in existing protocols. Furthermore

487: we have presented a novel protocol for quantum key growing that

488: makes use more extensively of the inherent randomness of basis

489: choices already present in the case of the classical BB84

490: protocol. By encrypting the information on the classical channel

491: during the sifting process, it is possible to arbitrarily reduce

492: the mutual information between a possible eavesdropper and the

493: legitimate parties. This is due to the fact, that the eavesdropper

494: can not reproduce the sifting process even in the case where he

495: has maximal information on the raw key, and partial knowledge of

496: the final secret key. A complete security proof and comparison

497: with the full BB84 protocol including error correction and privacy

498: amplification has still to be constructed. However we suspect that

499: our method has significant advantages in cases where the QBER is

500: high and secure bit rates suffer from a heavy decrease due to

501: privacy amplification.

502: 

503: \section{acknowledgements}

504: We would like to thank Norbert Lütkenhaus for helpful comments and

505: Rupert Ursin and Rainer Kaltenbaek for their input in many discussion.

506: This work was supported by the Austiran Science Foundation (FWF),

507: Spezialforschungsbereich (SFB) 015 P20, ARC Seibersdorf Research

508: GmbH (ARCS), by the European Commission, contract no.

509: IST-2001-38864 RAMBOQ and the Alexander von Humboldt Foundation.

510: 

511: 

512: \bibliographystyle{unsrt}

513: \bibliography{crypto}

514: 

515: \end{document}

516: