Abstract
We analyze the fundamental security significance of the quantitative criteria on the final generated key in quantum key generation including the quantum criterion , the attacker’s mutual information on , and the statistical distance between her distribution on and the uniform distribution. For operational significance a criterion has to produce a guarantee on the attacker’s probability of correctly estimating some portions of from her measurement, in particular her maximum probability of identifying the whole . We distinguish between the raw security of when the attacker just gets at before it is used in a cryptographic context and its composition security when the attacker may gain further information during its actual use to help get at . We compare both of these securities of to those obtainable from conventional key expansion with a symmetric key cipher. It is pointed out that a common belief in the superior security of a quantum generated is based on an incorrect interpretation of which cannot be true, and the security significance of is uncertain. Generally, the quantum key distribution key has no composition security guarantee and its raw security guarantee from concrete protocols is worse than that of conventional ciphers. Furthermore, for both raw and composition security there is an exponential catch-up problem that would make it difficult to quantitatively improve the security of in a realistic protocol. Some possible ways to deal with the situation are suggested.
- Received 30 August 2010
- Corrected 15 December 2010
DOI: https://doi.org/10.1103/PhysRevA.82.062304
©2010 American Physical Society