To simplify matters, we will be generous to Eve and assume that in all cases where she would do a SIR, DIR or SOR attack, she will instead give the pulse to a third party called Big Brother (BB). We assume that BB knows all Alice's random choices. BB will then return the bit sent in the pulse to Eve, and will forward a strong pulse to Bob in a state constructed such that if Bob measures in the right basis, his error probability will be 0.1243. Of course, no such BB could exist in real life, he is only created for the analysis, and the point is that by the arguments above, Eve can do no better in real life than what she can with the help of BB: Eve always gets the bit in attacked pulses with certainty, and the error on Bob's side caused by this is the smallest among the three attacks considered (which is provided by the DIR attack).
Let us consider the situation just after the bases have been announced and the raw key has been computed. Out of the bits in this key, a fraction are known to Eve, and these bits are all correctly measured by Bob. Moreover, the fraction of the bits comes from SO attacked pulses, and finally the fraction comes from pulses that Eve attacked using BB.
This means that the error rate observed by Bob is
. In order not to be caught, Eve must make sure
that this is (at most) approximately . From this, we easily
Next we look at the information available to Eve, in order to estimate the effect of privacy amplification. By assumption on multi-photon pulses and on BB, Eve knows a fraction of the bits with certainty. For the pulses subjected to the SO attack, it is clear that Eve does not know (all) the corresponding bits with certainty, since here she has to measure a single photon before the bases are announced. According to the discussion in , the optimal strategy for Eve, in order to resist privacy amplification, is to measure each photon in the Breidbart basis, such that she learns each bit with probability 85%. Then (as argued in , based on the results from ), we can compute as if Eve knew with certainty a fraction 0.585 of the bits attacked this way4. We may therefore continue assuming that the fraction of bits known by Eve in the raw key is at most
Finally, we look at the effect of error estimation and correction: a fraction of errors must be corrected. This requires that at least a fraction of the bits are revealed, by a bound of Shannon, here is the binary entropy function, . The interactive method (CASCADE) that we use comes very close to this bound, when is as small as what we consider here.
So if we let
be the number of bits in the raw key, then (as far as privacy
amplification is concerned) Eve knows deterministic bits of
information about the raw key after error correction. If we use
standard methods for privacy amplification  to distill
bits of final key, then Eve's expected
information about the final key is exponentially small in , in fact
at most bits. Thus for a particular desired bound on
Eve's information on the final key and large , the fraction of bits
we can distill out is essentially
It is clear that this analysis was very generous to Eve in many places. There is no doubt that a better bound can be achieved by a less generous but more complex analysis.
Note that we have earlier derived an expression for
(3), as a function of the parameters in the experiment,
It is therefore interesting to study what the optimal choices are for . For this optimization, we have chosen to look at the secrecy capacity, i.e., the length of the final key divided by the number of pulses sent. This will on average be . The figure 1 shows this quantity, plotted as a function of and .
Although we made an effort to optimize the secrecy capacity based on the above security analysis, the real time speed of our system is only about 14 secure bits per second, limited mainly by a relatively low number of pulses sent per second (70.000 pulses/second on average). This number can certainly be increased by means of suitable electronics. The limiting factor of the speed is the computer cards combined with the ratio between the storage line and the line between Alice and Bob. It should be noted, however, that the main bottleneck slowing down our execution of the BB84 scheme is not the speed of the quantum line, but rather the fact that all classical communications take place over a low bandwidth channel (the Internet). We used the Internet because it offers a flexible communication link, but at the cost of efficiency. In real life applications dedicated hardware can easily be used to improve the efficiency.