### Citations

496 |
Elements of Information Theory, 2nd ed
- Cover, Thomas
- 2006
(Show Context)
Citation Context ...r correction and privacy amplification procedures. The asymptotic convergence rate for various criteria yields the actual (asymptotic) key rate for fixed levels of d or p1 [2,25], and is not given in =-=[24]-=- for its mutual information criterion. In this connection, we would like to bring out a common misconception concerning QKD security. Since [30] it is often thought that as long as the key rate is bel... |

191 | How to recycle random bits
- Impagliazzo, Zuckerman
- 1989
(Show Context)
Citation Context .... At present, step (i) is almost resolved (apart from Eve’s general bit error rate) in one way through the criterion d via (2)-(5) above. Step (v) can be resolved by the classical Leftover Hash Lemma =-=[29]-=-. We will discuss the other three steps in turn, the main impediment to progress in security proof is from steps (iii) and (iv). Historically the Shor-Preskill proof [30] is most influential and widel... |

185 |
Unconditional security in quantum cryptography
- Mayers
(Show Context)
Citation Context ...information about it when K is used, for example from a known-plaintext attack. In raw security, the ideal situation occurs when K has the uniform distribution U to Eve. Since the earlier days of QKD =-=[12]-=-, “unconditional security” means the security result holds against all attacks allowed by the laws of quantum physics, with quantitative information theoretic security level that can be made arbitrari... |

173 | Security of quantum key distribution
- Renner
(Show Context)
Citation Context ...he error comes from the interpretation of the variational distance δ(P,Q), δ(P,Q) = 1 2 ∑ i |Pi −Qi| (6) between two classical probability distributions P and Q which is given to Proposition 2.1.1 in =-=[7]-=-, that “the two settings described by P and P ′, respectively, cannot differ with probability more than ǫ.” In our present notation or that of [8], P ′ = Q, and d is interpreted equivalently from Lemm... |

71 | Universally composable privacy amplification against quantum adversaries”,
- Renner, Konig
- 2005
(Show Context)
Citation Context ...utions P and Q which is given to Proposition 2.1.1 in [7], that “the two settings described by P and P ′, respectively, cannot differ with probability more than ǫ.” In our present notation or that of =-=[8]-=-, P ′ = Q, and d is interpreted equivalently from Lemma 1 of [8] as the “probability that two random experiments described 4 by P and Q, respectively, are different”. We would not repeat the reasons a... |

52 |
Everlasting security in the bounded storage model
- Aumann, Ding, et al.
- 2002
(Show Context)
Citation Context ...plays no role except for one-time pad. Thus, the claim of [1] that classical cryptography is compromised without a small enough d is false, for this and the following reasons. The bound storage model =-=[28]-=- with controllable information theoretic security is not used in practice while it has a criterion related to d, but there is a security parameter in [28] that could make it arbitrarily small which is... |

51 | The universal composable security of quantum key distribution
- Ben-Or, Horodecki, et al.
- 2005
(Show Context)
Citation Context ... correctly addressed. The mutual (accessible) information was used from the beginning but was found to contain a major loophole [21,22] and is by now largely abandoned. The trace distance criterion d =-=[23,7-8]-=- is at present nearly universally employed in QKD security analysis which is cited in [1] as the criterion that leads to “UC secrecy”. What is the level of d needed for UC secrecy? While one can disti... |

50 | The security of practical quantum key distribution.” arXiv:0802.4155v2 [quant-ph
- Scarani, Bechmann-Pasquinucci, et al.
- 2008
(Show Context)
Citation Context ...te protocols under general attack. In the meantime, the ECC information leak expression leakEC = h(QBER) (7) where h(·) is the binary entropy function, is employed by him [36] and in fact universally =-=[9,13,37]-=- to account for such leak. It is pointed out [15] that there is the possibility of information leak from ECC similar to quantum information locking leak [15] that undermines inadequate values of acces... |

47 | Efficient quantum key distribution scheme and proof of its unconditional security
- Lo, Chau, et al.
(Show Context)
Citation Context ...it be small 6 enough. (In contrast to the impression from [21,22], the Ia criterion is actually fine if its level is at or below 2−l for an l-bit key K [31].) The transfer of QBER is later amended in =-=[32]-=- for general joint attacks, which is still incorrect because it involves classical counting instead of qubit counting. It appears that correct quantum counting can be developed [33], which gives wider... |

27 |
Leftover hashing against quantum side information.
- Tomamichel, Schaffner, et al.
- 2010
(Show Context)
Citation Context ...s from (4) after Markov inequality is applied. In [13] the best d = 10−14 or d1/3 > 10−5, and in [14] Ia/l ∼ 10 −6 equivalent to d1/3 ∼ 10−2. One can relax uniform K to ǫ-secrecy via ǫ-smooth entropy =-=[40]-=-. Intuitively, one cannot expect much would be accomplished when ǫ is only moderately larger than 2−l. In fact, even for very large d for a given l, the results of [13] shows the key rate is still ver... |

21 | Quantum cryptography with finite resources: Unconditional security bound for discrete-variable protocols with oneway postprocessing - Scarani, Renner - 2008 |

12 | Tight finitekey analysis for quantum cryptography
- Tomamichel, Lim, et al.
- 2012
(Show Context)
Citation Context ...wn [2-5] that Renner’s interpretation of d is incorrect and in fact K is not uniform with probability 1 when d > 0, i.e., p = 0. Furthermore, the levels of d obtained in concrete protocols, in theory =-=[13]-=- not to say in experiment [14], imply K is very poor compared to U [2-6], for both raw and known-plaintext attack security and for both Eve’s sequence success probabilities and BER. (3) What Renner Cl... |

11 |
Continuous operation of high bit rate quantum key distribution
- Yuan, Dynes, et al.
(Show Context)
Citation Context ...system capability, with no mention of the criterion and its quantitative level. Equally significantly, Shor-Preskill only claimed to have established such rate for a joint CSS code as ECC and PAC. In =-=[38]-=-, for example, the cascade reconciliation protocol is used for error correction which has numerous problems [39] and universal hashing is used for PAC. However, it has never been shown that the Shor-P... |

9 |
Full-field implementation of a perfect eavesdropper on a quantum cryptography system
- Gerhardt, Liu, et al.
(Show Context)
Citation Context ...nerally overlooked is to what extent the users could accurately determine the various system parameters such as loss, a serious robustness issue for security. The well known detector blinding attacks =-=[41]-=- shows detailed detector behavior has to be explicitly represented in a real security proof [17], but so far it has not been done. V COMMON MISCONCEPTIONS ON QKD SECURITY The list in the following cor... |

8 |
Reply to recent scepticism about the foundations of quantum cryptography.
- Renner
- 2012
(Show Context)
Citation Context ...issues are touched upon to bring out further the present precarious state of quantum key distribution security proofs. I INTRODUCTION In this paper we will respond to the recent Reply paper by Renner =-=[1]-=- that the criticisms of Yuen [2-5] and Hirota [6] on the security of quantum key distribution (QKD) protocols are derived from a logical error. While Hirota could speak for himself, some related point... |

8 |
Incompleteness and limit of quantum key distribution theory.
- Hirota
- 2012
(Show Context)
Citation Context ...present precarious state of quantum key distribution security proofs. I INTRODUCTION In this paper we will respond to the recent Reply paper by Renner [1] that the criticisms of Yuen [2-5] and Hirota =-=[6]-=- on the security of quantum key distribution (QKD) protocols are derived from a logical error. While Hirota could speak for himself, some related points in his paper would be included in our discussio... |

7 |
Experimental Decoy State Quantum Key Distribution with Unconditional Security Incorporating Finite Statistics,” General theory for decoy-state quantum key distribution 26 arXiv:0705.3081
- Hasegawa, Hayashi, et al.
(Show Context)
Citation Context ...the original key rate threshold [2,15]. It turns out the convergence rate λ in (8) is very small for d in [13], and not evaluated for Ia/l in other proofs except [27] which leads to an even smaller λ =-=[14]-=-. With d = 10−20 and l = 106, λ ∼ 2 3 × 10−4 resulting in 66 bits guarantee of (2)-(3) for 106 bits, or just 22 bits from (4) after Markov inequality is applied. In [13] the best d = 10−14 or d1/3 > 1... |

6 |
Key generation: Foundations and a new quantum approach. http://arxiv.org/abs/0906.5241
- Yuen
- 2009
(Show Context)
Citation Context ...intext attacks have to be included in QKD security proofs. As discussed in [3], the raw security of conventional symmetric-key ciphers is far better than that of concrete QKD systems. As explained in =-=[2]-=-, Eve derives from her probe measurement a whole distribution P on all the 2l possible K values. A single-number criterion merely expresses a constraint on P , but P itself should be compared to U for... |

6 |
Security analysis of decoy state quantum key distribution incorporating finite statistics
- Hasegawa, Hayashi, et al.
- 2007
(Show Context)
Citation Context ...ted for [4]. The effective d1/3 value of > 10−7 for d = 10−20 is already very large for l = 103, not to say l = 106. The only concrete experimental protocol with quantified security level is given in =-=[14,27]-=- with effectively d = 10−6. Then d1/3 = 10−2 from [14] may entail a very drastic breach of security. Note that the d = 10−20 level cannot even be achieved for a positive key rate in a “tight finitekey... |

6 |
Simple Proof of Security
- Shor, Preskill
- 2000
(Show Context)
Citation Context ...classical Leftover Hash Lemma [29]. We will discuss the other three steps in turn, the main impediment to progress in security proof is from steps (iii) and (iv). Historically the Shor-Preskill proof =-=[30]-=- is most influential and widely quoted, but it is incomplete/incorrect for all five steps. Here it will be used as a representative and the other security approaches and proofs other than [13] will no... |

5 | Composability in quantum cryptography
- Müller-Quade, Renner
- 2009
(Show Context)
Citation Context ...ceivable applications as stated in [15]. Note that no composition security argument from the mere form of d [23] can guarantee pb under known-plaintext attacks [4], while the wrong interpretation can =-=[11]-=-, because K is U with a high probability p ≥ 1− d. III THE INCORRECT INTERPRETATION OF d AND CLASSICAL CRYPTOGRAPHY The prevalent interpretation is that d gives the probability that K is different fro... |

4 |
Concise and Tight Security Analysis of the Bennett-Brassard 1984 Protocol with Finite Key Lengths
- Hayashi, Tsurumaru
- 2012
(Show Context)
Citation Context ...et to be evaluated for concrete protocols under general attack. In the meantime, the ECC information leak expression leakEC = h(QBER) (7) where h(·) is the binary entropy function, is employed by him =-=[36]-=- and in fact universally [9,13,37] to account for such leak. It is pointed out [15] that there is the possibility of information leak from ECC similar to quantum information locking leak [15] that und... |

3 |
Problem of Cascade Protocol and Its Application to Classical and Quantum key Generation
- Yamazaki, Nair, et al.
- 2007
(Show Context)
Citation Context ...kill only claimed to have established such rate for a joint CSS code as ECC and PAC. In [38], for example, the cascade reconciliation protocol is used for error correction which has numerous problems =-=[39]-=- and universal hashing is used for PAC. However, it has never been shown that the Shor-Preskill key rate applies to such error correction and privacy amplification procedures. The asymptotic convergen... |

2 |
Locking Classical Information, arxiv: quantph 1011.1612v1
- Dupuis, Florjanczyk, et al.
- 2010
(Show Context)
Citation Context ...tive security level and why? In the literature this issue has never been correctly addressed. The mutual (accessible) information was used from the beginning but was found to contain a major loophole =-=[21,22]-=- and is by now largely abandoned. The trace distance criterion d [23,7-8] is at present nearly universally employed in QKD security analysis which is cited in [1] as the criterion that leads to “UC se... |

1 | Fundamental Quantitative Security in Quantum Key Distribution, Phys - Yuen - 2010 |

1 |
Security Significance of the Trace distance Criterion
- Yuen
- 2012
(Show Context)
Citation Context ...uarantee in the security proofs is converted to individual guarantee necessary for security claim on an individual system, the level is reduced from d to d1/3 for Eve’s sequence success probabilities =-=[4]-=-. Thus, d = 10−20 [1] reduces to d1/3 > 10−7. For d = 10−14 [13], d1/3 > 10−5 and for d = 10−6 [14], d1/3 = 10−2. These are poor to very poor security guarantees for any application, and they remain s... |

1 | Problem of Security Proofs and Fundamental Limit on Key Generation Rate in Quantum Key Generation, arXiv: 1205.3820v2
- Yuen
- 2012
(Show Context)
Citation Context ... in [5] but with no reference. The BER meaning is not given. These two interpretations of UC secrecy in [1] are contradictory, as indicated in point (2) above. By an arbitrary stipulation in footnote =-=[15]-=-, it is declared in [1] that d = 10−20 for an l = 106 bit key is sufficiently secure. Together with distorting our correct claim that the condition (HY) means the key is near-uniform to that it is nec... |

1 |
Effect of Transmission Loss on the Fundamental Security of Quantum Key Distribution
- Yuen
- 2011
(Show Context)
Citation Context ... type protocols. In QKD security proofs there are numerous problems associated with physical modelling that have been ignored or neglected. We may point out the case of general lossy channel security =-=[16]-=-, photon number splitting attacks on multi-photon sources and decoy states [18], and heterodyne-resend attack in CV-QKD [19]. Security is seriously undermined in the last two situations against the pr... |

1 | Fundamental Insecurity of MultiPhoton Sources under Photon-Number Splitting Attacks
- Yuen
- 2012
(Show Context)
Citation Context ...with physical modelling that have been ignored or neglected. We may point out the case of general lossy channel security [16], photon number splitting attacks on multi-photon sources and decoy states =-=[18]-=-, and heterodyne-resend attack in CV-QKD [19]. Security is seriously undermined in the last two situations against the prevalent security claims on them. In particular, a grave issue that has been gen... |

1 |
Fundamental Security Issues
- Yuen
- 2012
(Show Context)
Citation Context ...rect claim that the condition (HY) means the key is near-uniform to that it is necessary for security, a “logical error” on Yuen and Hirota is manufactured in [1] through a counterexample in footnote =-=[19]-=-. This counter-example itself is infused with error and confusion, including the same conceptual confusion that leads to the error described in (1) above. (4) What Is Wrong With The Security Claim In ... |

1 |
our condition (2)-(3) is just appropriated in footnote [14] of [1], apparently because it gives the correct operational significance of d while [711] give an incorrect one
- Thus
(Show Context)
Citation Context ...n security proofs [4,5]. Our averaged conditions [5] are obtained for the classical variational distance [24] which is bounded by d upon measurement from Eve. They do not seem to have appeared before =-=[26]-=- in either the classical or quantum literature other than deterministic bit leak in raw security brought up in [3]. Probabilistic bit leaks of any level are covered in (2)-(3), and such leaks must als... |

1 |
Problem of Existing Unconditional Security
- Yuen
- 2012
(Show Context)
Citation Context ...ible information criterion Ia without insisting it be small 6 enough. (In contrast to the impression from [21,22], the Ia criterion is actually fine if its level is at or below 2−l for an l-bit key K =-=[31]-=-.) The transfer of QBER is later amended in [32] for general joint attacks, which is still incorrect because it involves classical counting instead of qubit counting. It appears that correct quantum c... |

1 |
Sampling in a Quantum Population
- Bouman, Fehr
- 2012
(Show Context)
Citation Context ...s later amended in [32] for general joint attacks, which is still incorrect because it involves classical counting instead of qubit counting. It appears that correct quantum counting can be developed =-=[33]-=-, which gives wider fluctuation or lower security level with a factor of two reduction in the exponent. The major difficulty in QKD security proof arises from the correlation between key bits that are... |

1 |
Classical and Qauntum Security Analysis Via Smoothing of Reny Entropy of Order 2
- Hayashi
- 2012
(Show Context)
Citation Context ...n Eve has on the chosen ECC and PAC are not accounted for in the Shor-Preskill proof. In a direct development of the Shor-Preskill approach, Hayashi has recently incorporated such information for ECC =-=[34]-=- and PAC [35], which are yet to be evaluated for concrete protocols under general attack. In the meantime, the ECC information leak expression leakEC = h(QBER) (7) where h(·) is the binary entropy fun... |

1 |
Precie Evaluation of Leaked Information with Universal Privacy Amplification
- Hayashi
- 2012
(Show Context)
Citation Context ...the chosen ECC and PAC are not accounted for in the Shor-Preskill proof. In a direct development of the Shor-Preskill approach, Hayashi has recently incorporated such information for ECC [34] and PAC =-=[35]-=-, which are yet to be evaluated for concrete protocols under general attack. In the meantime, the ECC information leak expression leakEC = h(QBER) (7) where h(·) is the binary entropy function, is emp... |

1 |
QKD: A Million Signal Task, arXiv
- Scarani
- 2010
(Show Context)
Citation Context ...te protocols under general attack. In the meantime, the ECC information leak expression leakEC = h(QBER) (7) where h(·) is the binary entropy function, is employed by him [36] and in fact universally =-=[9,13,37]-=- to account for such leak. It is pointed out [15] that there is the possibility of information leak from ECC similar to quantum information locking leak [15] that undermines inadequate values of acces... |