Quantum crypto broken?

Greg Troxel gdt at ir.bbn.com
Mon May 13 08:42:06 EDT 2002

Quantum Key Distribution involves a step called "Privacy
Amplification", which is essentially hashing down the bits that were
received to a smaller number to account for the possibility that an
eavesdropper knows some of them.  The essential point is that the two
parties must estimate the amount of information that could have been
gained by an eavesdropper; errors are one component of this estimation
process.  Another component is the probability that the "single
photon" sent was really more than one photon --- typical "weak
coherent" links send multiple photons significantly often.

It is important to realize that eavesdropping is a probabilistic
operation --- when an attacker measures a photon and retransmits
it, there is some probability (as much as 50% in a noise-free system)
that no error will be induced.  (Essentially, this happens when the
attacker's choice of basis matches the sender's choice of basis.)
Thus, there can be no absolute guarantee of security, only probability
bounds.  This is really no different from traditional cryptography, as
an attacker has a 1 in 2^1024 chance of guessing a 1024 bit RSA key
with a trivial strategy.

Slutsky et al discuss the issue of deciding how many bits to hash down
in the context of desiring to bound the probability that an attacker
will have gained some amount of information about the bits that remain
after privacy amplification.  Slutsky's paper can be found at


See reference 11 for a discussion of privacy amplification.

This paper addresses "individual attacks", in which a probe interacts
with each photon and then a measurement is made on the probe.
"Collective" and "joint" attacks in which multiple (sequential)
photons are measured together are more complicated.

        Greg Troxel <gdt at ir.bbn.com>
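As an added illustration (not part of the post above), the Python simulation below models the intercept-resend attack and the "hash down" step it describes: Eve measures and resends a fraction of the BB84 photons, the sifted key is checked for the error rate she induces and the fraction of bits she holds correctly, and the survivors are hashed down with a random Toeplitz matrix. The leak estimate in bits_to_discard is a simplified intercept-resend model chosen for this example, not the bound from Slutsky's paper.

```python
import random

def bb84_intercept_resend(n_photons, eve_fraction, rng):
    """Simulate BB84 with an intercept-resend eavesdropper on a fraction of photons.
    Returns the sifted key as (alice_bit, bob_bit, eve_guess) triples;
    eve_guess is None for photons Eve did not touch."""
    sifted = []
    for _ in range(n_photons):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        bit, basis, eve_guess = a_bit, a_basis, None
        if rng.random() < eve_fraction:
            e_basis = rng.getrandbits(1)
            # Matching basis: Eve reads the bit exactly.  Mismatch: random outcome.
            eve_guess = bit if e_basis == basis else rng.getrandbits(1)
            bit, basis = eve_guess, e_basis      # she resends in her own basis
        b_basis = rng.getrandbits(1)
        b_bit = bit if b_basis == basis else rng.getrandbits(1)
        if b_basis == a_basis:                   # sifting keeps matching bases only
            sifted.append((a_bit, b_bit, eve_guess))
    return sifted

def qber(sifted):
    """Fraction of sifted bits where Bob disagrees with Alice (~25% if Eve hits all)."""
    return sum(a != b for a, b, _ in sifted) / len(sifted)

def eve_correct_fraction(sifted):
    """Fraction of sifted bits Eve holds correctly; untouched bits count as unknown."""
    return sum(e == a for a, _, e in sifted) / len(sifted)

def bits_to_discard(n_sifted, observed_qber, safety_margin=32):
    """Leak estimate for the intercept-resend model (an assumption of this example):
    intercepted fraction ~ 4*QBER, and Eve knows half of those bits with certainty."""
    leaked = int(round(4 * observed_qber * n_sifted / 2))
    return min(n_sifted, leaked + safety_margin)

def privacy_amplify(bits, out_len, rng):
    """Hash bits down to out_len bits with a random binary Toeplitz matrix (2-universal)."""
    n = len(bits)
    diag = [rng.getrandbits(1) for _ in range(n + out_len - 1)]
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= diag[i - j + n - 1] & bits[j]   # T[i][j] = diag[i - j + n - 1]
        out.append(acc)
    return out

if __name__ == "__main__":
    rng = random.Random(2002)                    # constructed, fixed seed
    key = bb84_intercept_resend(2000, 1.0, rng)
    e = qber(key)
    print(f"sifted={len(key)} QBER={e:.3f} Eve correct={eve_correct_fraction(key):.3f}")
    keep = len(key) - bits_to_discard(len(key), e)
    print(f"privacy-amplified key length: {len(privacy_amplify([a for a, _, _ in key], keep, rng))}")
```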

The Cryptography Mailing List