Problems of the CASCADE Protocol and Renyi Entropy Reduction in Classical and Quantum Key Generation

Similar documents
Security Issues Associated With Error Correction And Privacy Amplification In Quantum Key Distribution

Error Reconciliation in QKD. Distribution

ASPECIAL case of the general key agreement scenario defined

Privacy Amplification Theorem for Noisy Main Channel

Practical quantum-key. key- distribution post-processing

arxiv:quant-ph/ v1 25 Dec 2006

Privacy Amplification Theorem for Noisy Main Channel

Deep Random based Key Exchange protocol resisting unlimited MITM

Calculation of the Key Length for Quantum Key Distribution

Simulation of BB84 Quantum Key Distribution in depolarizing channel

arxiv:quant-ph/ Jan 2000

Reconciliation of a Quantum-Distributed Gaussian Key

Simulations for Deep Random Secrecy Protocol

Final Report. Grant/Contract Title: PHYSICAL CRYPTOGRAPHY: A NEW APPROACH TO KEY GENERATION AND DIRECT ENCRYPTION

Common Randomness Principles of Secrecy

Realization of B92 QKD protocol using id3100 Clavis 2 system

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

arxiv:quant-ph/ v2 11 Jan 2006

Secret-Key Agreement over Unauthenticated Public Channels Part I: Definitions and a Completeness Result

Research, Development and Simulation of Quantum Cryptographic Protocols

FUNDAMENTAL AND PRACTICAL PROBLEMS. OF QKD SECURITY-THE ACTUAL AND THE arxiv: v4 [quant-ph] 4 Jun 2012 PERCEIVED SITUATION

Concurrent Error Detection in S-boxes 1

Quantum Cryptography and Security of Information Systems

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered

Simple and Tight Bounds for Information Reconciliation and Privacy Amplification

Fundamental Security Issues in Continuous Variable Quantum Key Distribution

arxiv: v1 [quant-ph] 6 Jun 2013

Universally composable and customizable post-processing for practical quantum key distribution

Bell inequality for qunits with binary measurements

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

Quantum key distribution: theory for application

arxiv: v1 [cs.it] 14 May 2018

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Security Implications of Quantum Technologies

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING

Stop Conditions Of BB84 Protocol Via A Depolarizing Channel (Quantum Cryptography)

Key Generation: Foundations and a New Quantum Approach

is expensive, we would like to minimize the information that a reconciliation protocol divulges. A quantum public key distribution protocol is describ

Reconciliation of a Quantum-Distributed Gaussian Key

3-7 Error Detection and Authentication in Quantum Key Distribution

LECTURE NOTES ON Quantum Cryptography

Quantum Cryptography : On the Security of the BB84 Key-Exchange Protocol

Practical Quantum Key Distribution

Why is Deep Random suitable for cryptology

Efficient Quantum Key Distribution. Abstract

Investigation of System Performance of Quantum Cryptography Key Distribution in Network Security

Perfectly secure cipher system.

Entropy Accumulation in Device-independent Protocols

A Simulative Comparison of BB84 Protocol with its Improved Version

In [5] for instance, a general model for secret-key agreement by public communication over an authentic channel was described. Here, two parties Alice

Oblivious Transfers and Privacy Amplification

Rate Compatible Protocol for Information Reconciliation: An application to QKD

Efficient Protocols Achieving the Commitment Capacity of Noisy Correlations

High Fidelity to Low Weight. Daniel Gottesman Perimeter Institute

Quantum Information Transfer and Processing Miloslav Dušek

A FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS)

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Security of Quantum Key Distribution with Imperfect Devices

PERFECTLY secure key agreement has been studied recently

arxiv:quant-ph/ v1 12 Nov 1999

arxiv:quant-ph/ v2 2 Jan 2007

arxiv:quant-ph/ v1 10 Dec 1997

On the (Im)possibility of Non-interactive Correlation Distillation

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

arxiv:quant-ph/ v2 18 Jan 1999

Quantum Cryptography

Realization of Finite-Size Continuous-Variable Quantum Key Distribution based on Einstein-Podolsky-Rosen Entangled Light

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Quantum key distribution for the lazy and careless

Context: Theory of variable privacy. The channel coding theorem and the security of binary randomization. Poorvi Vora Hewlett-Packard Co.

Secure Modulo Zero-Sum Randomness as Cryptographic Resource

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary

arxiv:quant-ph/ v3 12 Jul 2006

Optimal Reductions between Oblivious Transfers using Interactive Hashing

A DPA attack on RSA in CRT mode

arxiv:quant-ph/ v1 26 Mar 2001

Efficient reconciliation protocol for discrete-variable quantum key distribution

Ideals over a Non-Commutative Ring and their Application in Cryptology

CPSC 467b: Cryptography and Computer Security

Benes and Butterfly schemes revisited

DEVELOPMENT OF MECHANISM FOR ENHANCING DATA SECURITY IN QUANTUM CRYPTOGRAPHY.

arxiv:quant-ph/ v2 11 Jan 2006

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Key distillation from quantum channels using two-way communication protocols

Research Article Novel Quantum Encryption Algorithm Based on Multiqubit Quantum Shift Register and Hill Cipher

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Quantum key distribution with 2-bit quantum codes

Quantum Setting with Applications

APPLICATIONS. Quantum Communications

Privacy Amplification Secure Against Active Adversaries

arxiv:quant-ph/ v2 17 Mar 2003

Quantum Cryptographic Network based on Quantum Memories. Abstract

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech

Statistical and Linear Independence of Binary Random Variables

A Correct Security Evaluation of Quantum Key Distribution

A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups

A Security Real-time Privacy Amplification Scheme in QKD System

Transcription:

arxiv:quant-ph/0703012v1 1 Mar 2007 Problems of the CASCADE Protocol and Renyi Entropy Reduction in Classical and Quantum Key Generation Koichi Yamazaki 1,2, Ranjith Nair 2, and Horace P. Yuen 2 1 Department of Media-Network Sciences, Tamagawa University, 6-1-1, Tamagawa gakuen, Machida, Tokyo, 194-8610, Japan 2 Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL 60208, USA June 29, 2018 Abstract It is shown that the interactive error correction protocol CASCADE should be analyzed taking the correlation between passes and finite length of sequence into account. Furthermore we mention some problems in quantifying the reduction of Renyi entropy by information announced during the error correction process. 1 Introduction The CASCADE protocol for error correction was studied by Brassard and Salvail [1] who gave asymptotic estimates of its success probability and the number of information bits leaked during protocol execution. In a practical implementation of CASCADE, with a fixednumberofpasses andafinitelengthsequence, weshowthatcalculationofthesuccess probability and number of information bits leaked are very involved problems which have not been properly addressed so far. Even the estimates in [1] are made under what may be called an independent pass approximation because the correlation between operations taking place at different passes of the protocol has been neglected. On the implementation side, we study practically important parameters such as the communication complexity and the round-trip delay time of CASCADE. For cryptographic purposes, in both classical and quantum protocols, one is interested in the Renyi information leakage from public discussion during the error correction process. This is because the standard privacy amplification theorem [2] requires the Renyi entropy before privacy amplification to be known. Such estimates of Renyi entropy reduction, especially for the case of identical individual attacks by Eve, have been studied by Cachin and Maurer [3], who claimed to show that for linear error-correcting codes, the Renyi entropy reduction is roughly equal to the number of announced bits. We explain

why this claim is incorrect. However, we suggest that covering the announced bits with a pre-shared secret key would result in no Renyi entropy reduction and can be used as long as the net key generation rate remains positive. For CASCADE, for which the Renyi entropy reduction has not been studied, we suggest a similar procedure. In doing so, we find that, unlike the case of linear error-correcting codes, there is still an entropy reduction that is difficult to quantify. 2 CASCADE PROTOCOL 2.1 Independent Pass and Infinite-length Sequence Approximation The CASCADE protocol proceeds in several passes in which block-parity conparison and binary-search-type error correction are executed. CASCADE uses correlation between the sequences of passes, so that it performs better as to the number of announced bits during the error correction process than the BBBSS protocol[4] which is also based on parity check and binary search, but does not use the correlation of sequences. Upper bounds on the number of announced bits were derived in [1]. The number of announced bits seems to depend heavily on error patterns and permutation functions used to produce sequences of all passes. Furthermore the process is nonlinear. Therefore, the expected value should be obtained by averaging the number of announced bits of all specific error patters and permutation functions. However, the upper bound on the number of announced bits was derived by calculating expected amount of announced bits pass by pass. That is, the correlation of sequences was not considered. We performed computer simulation 1,000,000 times to analyze the performance of CASCADE. The number of announced bits during the error correction process obtained by the computer simulation is shown in Tab.1. The upper bound derived in [1] is also shown in the bracket. It is found that the upper bound is very close to the simulation brackets. In the case that the private channel error probability ε is 0.05 and 0.1, the simulation results are larger than the upper bound. This indicates that a nonrigorous method was used to derive the upper bound. In [1], the size of a block for each pass was designed so that the number of errors containedinablockoftheinitialpassreducestolessthanhalfaspassesproceed. However, the success probability was discussed in [1] on the basis of 100 empirical tests in which all errors were corrected at the end of the protocol. Analysis of the success probability is very complicated. Only a slight difference of error positions may determine whether the protocol succeeds or fails. We have not derived the probability that CASCASE protocol succeeds. In this situation, the results of a large number of computer simulations may help us to understand its properties. The protocol failure probability obtained by averaging the results of 1,000,000 computer simulation is shown in Tab.2. It is found that the protocol failure probability reduces as the sequence length becomes longer. Furthermore it is found that the failure probability decreases as the error probability of the private channel increases. According to our computer simulation, we found that the average number of errors remaining after pass 2 is almost the same in the range from 0.3 to 0.37. As the error probability of the private channel decreases, block sizes become longer and

the number of blocks decreases, so that the probability that two or more of the remaining errors move to the same block in the next pass becomes large. Then, the protocol failure probability increases. From this result, the protocol failure probability should be analysed for sequences with finite length and asymptotic limits are not reliable. Table 1: Number of Announced Bits during Error Correction n ε = 0.01 0.05 0.1 0.15 100 13.43(9.33) 35.37(33.14) 59.3(57) 77.56(82.4) 200 20.64(18.66) 69.3(66.29) 117.39(114) 153.86(164.8) 500 45.93(46.64) 170.12(165.71) 288.67(285) 384.76(412) 1000 90.99(93.29) 339.01(331.43) 576.53(570) 768.19(824) 2000 182.16(186.58) 677.25(662.86) 1151.7(1140) 1536.02(1648) 5000 454.38(466.44) 1692.09(1657.14) 2878.41(2850) 3839.52(4120) 10000 906.18(932.88) 3382.11(3314.29) 5753.93(5700) 7678.68(8240) ε: error probability of private channel, n: sequence length. The upper bound [1] is given in parentheses. Table 2: Protocol Failure Probability of CASCADE ε n=100 200 500 1000 2000 5000 10000 0.01 0.023603 0.056623 0.078354 0.044117 0.011357 0.002677 0.001005 0.05 0.072621 0.038288 0.005492 0.001657 0.000355 0.000075 0.000066 0.1 0.032161 0.009446 0.001129 0.000349 0.000119 0.000009 0.000011 0.15 0.016245 0.006394 0.000415 0.000158 0.000039 0 0.00001 ε: error probability of private channel, n: sequence length. 2.2 Communication Complexity For interactive error correction like CASCADE, a round-trip is necessary for comparing block and sub-block parities. From a practical viewpoint, time for the round-trips should be considered in evaluating the net key generation rate. The number of round-trips is shown in Tab.3 for CASCADE and BBBSS protocol which does not use the correlation between sequences[4]. It is found in Tab.3 that the number of the round-trip increases as error probability of the private channel becomes large and the sequence length becomes longer, and it is almost proportionally to the sequence length in CASCADE, while that of BBBSS protocol is almost constant. The difference comes from the fact that each error has to be corrected one by one after pass two in CASCADE, while errors can be corrected simultaneously in each pass in BBBSS protocol. It is found that as sifted key generation rate over a private channel increases, error correction process would dominate the net key generation rate, especially for CASCADE.

Table 3: Number of Round Trips CASCADE BBBSS n ε0.01 0.05 0.1 0.14 0.01 0.1 0.1 0.15 500 26.12 58.66 81.95 105.21 26.08 36.04 38.77 38.57 1000 42.70 107.41 154.89 202.34 33.26 44.16 47.60 47.56 2000 74.86 205.09 300.89 396.46 42.47 54.17 57.87 57.17 5000 170.21 498.91 739.75 979.01 56.20 68.58 72.29 71.17 10000 329.23 987.53 1470.49 1949.51 67.42 80.14 82.73 82.27 3 REDUCTION OF RENYI ENTROPY BY ERROR CORRECTION The amount of information leaked during the error correction process would reduce Eve s Renyi entropy about the legitimate users sequence. The precise estimation of the amount of this reduction is very important for evaluating the key generation rate. It was shown in Th. 9 of [3] that in the case where the raw key is generated by many independent repetitions of a random experiment, each bit leaked during the error correction process reduces Eve s Renyi entropy by only about one. The properties of the so-called ǫ-strongly typical sequences defined below are used to prove this result. Definition 1 (ǫ-strongly typical set[3]) Let X be a random variable distributed according to P X over some finite set X where it is assumed that P X (x) > 0 for all x X. Let x n = [x 1,...,x n ] be a sequence of n digits of X and define N a (x n ) to be the number of occurrences of the symbol a X in the sequence x n. A sequence x n X n is called ǫ-strongly typical if and only if (1 ǫ)p X (a) Na(xn ) (1+ǫ)P n X (a) for all a X. It was claimed that the occurrence probability of each sequence in the ǫ-strongly typical set is asymptotically identical, and this property was used to prove Th. 9 in [3]. This claim is wrong, however the ratio of the maximum occurrence probability of a sequence in the ǫ-strongly typical set to the minimum one increases as the sequence length becomes longer[5]. For the binary case, assuming that P X (0) = p( 1/2), the ratio is ( 1 p p )2npǫ. As an example, let us consider the case that n=100,000, P X (0)=0.1, ǫ=0.01. The minimum occurrence probability PX min n (xn ) = 2.52 10 14214, the maximum PX max n (xn ) = 1.78 10 14023, then the ratio PX max n (xn )/PX min n (xn ) = 7.06 10 190. In this case, the probability Pr[X n S n (ǫ)] that the sequence is in a ǫ-strongly typical set S n (ǫ) is 0.711. Therefore, Th. 9 does not apply to this case. The amount of information additional to that predicted by Th. 9 can be obtained by Th. 6 of [3]. We find the upper bound on the reduction of Eve s Renyi entropy is 2485 bits more than that predicted by Th. 9. Next, let us consider the case that the legitimate users cover the announced bits by a pre-shared secret key. The covered announced bits never reduces Eve s Renyi entropy for error correction by non-interactive linear code. This is because the pre-shared secret key and the announced bits are mutually independent. Then, the reduction of the size of the

final key by the error correction process is just as the same as the number of announced bits. In the case of interactive error correction, however, it is not apparent whether the announced bits reduce Eve s Renyi entropy or not, because interactive error correction reveals possible information on the positions of all errors, which could help Eve. Thus, it should be verified that this problem is addressed in, e.g., [6], where the security of CASCADE using the above method of covering the parity information has been studied. References [1] G. Brassard and L. Salvail, Advances in Cryptology - EUROCRYPT 93, Lecture Notes in Computer Science, 765, pp. 410-423, Springer-Verlag, 1994. [2] C. Bennett, G. Brassard, C. Crepeau, and U.M. Maurer, IEEE Transactions on IT, 41, pp. 1915-1923, 1995. [3] C. Cachin and U.M. Maurer, Journal of Cryptology, 10, pp. 97-110, 1997. [4] C. H. Bennet, F. Bessette, G. Brassard, L. Salvail and J. Smolin, J. of Cryptology, 5, pp. 3-28, 1992. [5] R. G. Gallager, IEEE, Trans. Inform. Theory, 47, pp. 2681-2695, 2001. [6] H.-K. Lo, New J. Phys., 5, pp. 36.1-36.24, Apr 2003.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback