next up previous
Next: Bibliography Up: Security Previous: Three-or-more-photon pulses

Putting things together

To simplify matters, we will be generous to Eve and assume that in all cases where she would do a SIR, DIR or SOR attack, she will instead give the pulse to a third party called Big Brother (BB). We assume that BB knows all Alice's random choices. BB will then return the bit sent in the pulse to Eve, and will forward a strong pulse to Bob in a state constructed such that if Bob measures in the right basis, his error probability will be 0.1243. Of course, no such BB could exist in real life, he is only created for the analysis, and the point is that by the arguments above, Eve can do no better in real life than what she can with the help of BB: Eve always gets the bit in attacked pulses with certainty, and the error on Bob's side caused by this is the smallest among the three attacks considered (which is provided by the DIR attack).

Let us consider the situation just after the bases have been announced and the raw key has been computed. Out of the bits in this key, a fraction $f_3=\frac{\lambda ^2}{6 F \eta_B}$ are known to Eve, and these bits are all correctly measured by Bob. Moreover, the fraction $f_{SO}$ of the bits comes from SO attacked pulses, and finally the fraction $f_{BB}$ comes from pulses that Eve attacked using BB.

This means that the error rate observed by Bob is $0.1243f_{BB} + (1-f_{BB}-f_3)\epsilon$. In order not to be caught, Eve must make sure that this is (at most) approximately $\epsilon$. From this, we easily derive that

\begin{displaymath}f_{BB}\leq \frac{f_3\epsilon}{0.1243-\epsilon}\end{displaymath}

Note that this bound is of interest, only if $\epsilon < 0.1243$.

Next we look at the information available to Eve, in order to estimate the effect of privacy amplification. By assumption on multi-photon pulses and on BB, Eve knows a fraction $f_3+f_{BB}$ of the bits with certainty. For the pulses subjected to the SO attack, it is clear that Eve does not know (all) the corresponding bits with certainty, since here she has to measure a single photon before the bases are announced. According to the discussion in [2], the optimal strategy for Eve, in order to resist privacy amplification, is to measure each photon in the Breidbart basis, such that she learns each bit with probability 85%. Then (as argued in [2], based on the results from [11]), we can compute as if Eve knew with certainty a fraction 0.585 of the bits attacked this way4. We may therefore continue assuming that the fraction of bits known by Eve in the raw key is at most

f_3 + f_{BB}+ 0.585 f_{SO} &\leq&
f_3 + \frac{f_3\epsilon}{0.1...
...c{\epsilon}{0.1243-\epsilon}) +
0.585 \frac{\lambda}{2F_{fiber}}

Of course, bits in un-attacked pulses are completely unknown to Eve.

Finally, we look at the effect of error estimation and correction: a fraction of $\epsilon$ errors must be corrected. This requires that at least a fraction $h(\epsilon)$ of the bits are revealed, by a bound of Shannon, here $h()$ is the binary entropy function, $h(\epsilon) =
\epsilon \log1/\epsilon + (1-\epsilon)\log1/(1-\epsilon)$. The interactive method (CASCADE) that we use comes very close to this bound, when $\epsilon$ is as small as what we consider here.

So if we let $f_{Eve}= f_3 + f_{BB}+ 0.585f_{SO} + h(\epsilon)$ and $n$ be the number of bits in the raw key, then (as far as privacy amplification is concerned) Eve knows $nf_{Eve}$ deterministic bits of information about the raw key after error correction. If we use standard methods for privacy amplification [11] to distill from this $n(1-f_{Eve}) -s$ bits of final key, then Eve's expected information about the final key is exponentially small in $s$, in fact at most $2^{-s}/\ln 2$ bits. Thus for a particular desired bound on Eve's information on the final key and large $n$, the fraction of bits we can distill out is essentially

1-f_{Eve} \geq
1- h(\epsilon) -
...{\epsilon}{0.1243-\epsilon}) -

As an example, in one of the runs of our experiment, we had $F\simeq \lambda \simeq \eta_B \simeq 0.1, F_{fiber}\simeq 0.25$ and $\epsilon \simeq 0.055$. Then $1-f_{Eve}$ is about 17%.

It is clear that this analysis was very generous to Eve in many places. There is no doubt that a better bound can be achieved by a less generous but more complex analysis.

Note that we have earlier derived an expression for $\epsilon$ (3), as a function of the parameters in the experiment, namely

\epsilon= \frac{\eta_BF\lambda P_e^{signal} + P_{det}^{dark}}{\eta_BF\lambda +

where we have inserted $\kappa = 1/2$. This expression can be inserted into our bound above for $1-f_{Eve}$. Moreover, it turns out that the parameters $\eta _B$ and $P_{det}^{dark}$ are connected: the detector can be configured such that $\eta _B$ is higher, but then the dark count rate will be up as well. More specifically, from our experimental data we have approximately that $P_{det}^{dark}= 1.6 \cdot 10^{-3} \eta _B^{3/2}$ Inserting this as well, we get a lower bound on $1-f_{Eve}$ that depends only on the parameters $\lambda, \eta_B,
F, F_{fiber}$ and $P_e^{signal}$. Of these, the first two can be easily varied independently of each other, while the rest are more or less fixed by the setup, in our case to $F\simeq 0.1, F_{fiber}\simeq
0.25, P_e^{signal}\simeq 0.01$.

It is therefore interesting to study what the optimal choices are for $\eta_B, \lambda$. For this optimization, we have chosen to look at the secrecy capacity, i.e., the length of the final key divided by the number of pulses sent. This will on average be $\lambda F\eta_B (1-
f_{Eve})/4$. The figure 1 shows this quantity, plotted as a function of $\lambda $ and $\eta _B$.

Figure 1: The secure bit rate plotted as function of $\lambda $ and $\eta _B$. The dependence of the dark count probability and the detector efficiency is modeled by $P_{det}^{dark}= 1.6 \cdot 10^{-3} \eta _B^{3/2}$

It can be seen that the optimal choice is $\lambda $ close to 0.1, and the largest value of $\eta _B$ that is available (current detectors do not allow larger values than about 0.25), i.e. the largest bias voltage of the detector. With such choices, we get the secrecy capacity of about $0.0002$. As an example, we note that if we choose the bias voltage of the detector such that the quantum efficiency is around 0.1 (with the corresponding decrease in the dark count rate), the secrecy capacity goes down by a factor of 2-3, i.e. the reduction in dark counts does not compensate for the reduced efficiency. An increased detector efficiency helps because it decreases the effect of attacks of multi-photon pulses (Eve can block fewer one-photon pulses). On the other hand, if we could increase the detector efficiency arbitrarily, this would ultimately bring down the secrecy capacity, because the increased dark counts would require more error correction and hence more bits would be lost. However, with the detectors we used, this does not happen within the range of $\eta _B$ that can be realized.

Although we made an effort to optimize the secrecy capacity based on the above security analysis, the real time speed of our system is only about 14 secure bits per second, limited mainly by a relatively low number of pulses sent per second (70.000 pulses/second on average). This number can certainly be increased by means of suitable electronics. The limiting factor of the speed is the computer cards combined with the ratio between the storage line and the line between Alice and Bob. It should be noted, however, that the main bottleneck slowing down our execution of the BB84 scheme is not the speed of the quantum line, but rather the fact that all classical communications take place over a low bandwidth channel (the Internet). We used the Internet because it offers a flexible communication link, but at the cost of efficiency. In real life applications dedicated hardware can easily be used to improve the efficiency.

next up previous
Next: Bibliography Up: Security Previous: Three-or-more-photon pulses
Louis Salvail 2001-06-15