Information gain in quantum eavesdropping

We analyse the information obtained by an eavesdropper during the various stages of a quantum cryptographic protocol associated with key distribution . We provide both an upper and a lower limit on the amount of information that may have leaked to the eavesdropper at the end of the key distribution procedure . These limits are restricted to intercept/resend eavesdropping strategies . The upper one is higher than has been estimated so far, and should be taken into account in order to guarantee the secrecy of the final key, which is subsequently obtained via the so-called privacy amplification . 1 . Introduction Quantum cryptography is a new branch of physics and cryptology which relies on quantum phenomena such as quantum entanglement and the impossibility of ascribing definite values to noncommuting observables in order to perform certain cryptographic tasks . The principles of quantum cryptography have been extensively described in various journals [1, 2, 3] (for a pedagogical introduction, see also [4]) ; we refer to these publications and omit a comprehensive introduction and the history of the field . Current theoretical and experimental research efforts in this area have been mainly concentrated on the protection of the so-called key distribution which is defined as a procedure allowing two legitimate users of a communication channel to establish two exact copies, one copy for each user, of a random and secret sequence of bits. This random sequence, meaningless as such, is called a key and can subsequently be used as a basis for encrypting messages between the two users . The security of any further encrypted communication depends directly on the security of the key distribution . Conventional cryptography (see for example [5, 6] for an introduction to conventional methods) provides no tools for provable security of the key distribution and any classical transmission channel is vulnerable to passive interception . This inability to achieve perfect security is of purely physical origin . Consider a specific example, an eavesdropper trying to monitor a communication channel by tapping a telephone line . Any measurement performed by the eavesdropper disturbs the communication and so leaves traces . Legitimate users can try to guard against this 0950-0340/94 $1000 © 1994 Taylor & Francis Ltd . 2456 B. Huttner and A. K. Ekert by making their own measurements on the line, to detect the effects of tapping . However, the tappers will be on the safe side provided they can make measurements that produce smaller disturbances than the legitimate users can detect . Classical physics allows this kind of `arms race' of increasingly sensitive measurements to go ad infinitum . Failure to detect a noise in the channel does not necessarily imply the lack of eavesdropping, it could also imply better technology on the eavesdropper side. The two legitimate users can never be sure that there exist only two and no more copies of the key . In contrast, in quantum cryptography, the two legitimate users (conventionally known as Alice and Bob) distribute the key through a quantum channel, which has the property that any attempt at monitoring by a third party (the eavesdropper Eve) will create irreducible and detectable errors in the transmission [1, 2, 4] . By a subsequent exchange of messages over a public channel, which can be monitored by Eve, and therefore cannot be used to distribute the key, Alice and Bob can discover the errors introduced by Eve, and deduce that their quantum channel was monitored and is unsafe . In principle, this makes passive interception of a quantum channel impossible . Unfortunately, quantum channels are very sensitive devices, and even in the absence of any eavesdropper, there will some errors in the transmission (for example, in all the existing optical realizations of quantum cryptosystems such errors could be due to dark counts in photodetectors) . Alice and Bob, in general, cannot distinguish between errors caused by an eavesdropper and errors caused by the environment. In order to obtain provable security, they have to assume that all the errors are due to a potential eavesdropper, and use the obtained channel error rate to estimate the maximal information available to this eavesdropper. They can then decide if this is low enough to make the transmission safe . Preferably, they can use a procedure termed privacy amplification, which was developed by Bennett, Brassard and Robert [8] and enables them to obtain a shorter but more secret key . Unfortunately, to our knowledge, a good estimate of the maximum information leaked as a function of the error rate has not yet been found . In this work, we go one step in this direction. We analyse the information available to Eve during the various stages of the key distribution protocol, and provide both an upper and a lower limit on the information she could have obtained on the key . However, these are restricted to the so-called intercept/resend type of eavesdropping strategies . It is possible that different strategies would achieve better results for Eve . We concentrate on the protocol developed by Bennett and Brassard [1, 2] and which is referred to as the BB84 protocol . We present the main features of this protocol in section 2 . In section 3 we restrict the discussion to the subset of the bits in the key on which Eve eavesdropped and show that the amount of information available to Eve on these bits increases during the public discussion between Alice and Bob . In section 4, we give an upper and a lower estimate of the information on the corrected key available to Eve . Proper estimation of this is essential for the final step of the protocol, namely the privacy amplification [8] . A limitation concerning our approach is that it applies only to one particular type of error detection technique, namely error detection via public discussion and reconciliation (see section 2). Other techniques, based on the work of Wyner and Csiszar and Korner [9], may provide more efficient ways of performing the same task; however, we do not consider them here as it is still not clear how practical they are . Information gain in quantum eavesdropping 2457