Security of the Bennett-Brassard Quantum Key Distribution Protocol against Collective Attacks

The theoretical Quantum Key Distribution scheme of Bennett and Brassard (BB84) has been proven secure against very strong attacks, including the collective attacks and the joint attacks. Though the latter are the most general attacks, collective attacks are much easier to analyze, and they are conjectured to be as informative to the eavesdropper. Thus, collective attacks are likely to be useful in the analysis of many theoretical and practical schemes that still lack a proof of security, including practical BB84 schemes. We show how powerful tools developed in previous works for proving security against the joint attack are simplified when applied to the security of BB84 against collective attacks, while providing the same bounds on leaked information and the same error threshold.


Introduction
Quantum theory allows us to have new cryptographic protocols whose security we can prove. Those protocols are secure against adversaries with unlimited power*. One of those protocols is the Quantum Key Distribution (QKD) protocol which is named BB84 after its inventors Bennett and Brassard [1]. In this protocol, two users (conventionally named Alice and Bob) wish to set up a common random key, using a quantum channel and a classical (insecure) authenticated channel. Their adversary (named Eve) tries to eavesdrop on both of those channels in order to obtain as much information as possible about the agreed key.
The goal of Alice and Bob is to use a protocol that can be proven secure, potentially even unconditionally secure, against powerful eavesdropping. In this paper we discuss the security of the BB84 protocol against the collective attacks [2][3][4], which form a subclass of the joint attacks (the most powerful theoretical attacks). This subclass is conjectured† to contain the strongest joint attacks and therefore to be as informative to Eve as the joint attack [2,3]. In addition, analyzing the collective attack is much simpler than analyzing the joint attack. Thus, the analysis of collective attacks might be highly relevant for practical setups of QKD, where proving security is still a hard task.
We improve the analysis of [4] of the BB84 scheme against all collective attacks. The analysis shown in [4] bounds the information in a non-optimal way, which adds a factor of 2^r 2^m to the information bound, where r is the number of error-correction bits revealed during the protocol and m is the final-key length. Our proof uses methods that are used in [5] for the joint attack, in order to achieve an optimized bound for the collective attack.
Let H_2 be the 2-dimensional Hilbert space with standard (or computational) basis |0⟩_0, |1⟩_0. Let with probability 1/2 and 1 with probability 1/2. This is the principle underlying the BB84 quantum key distribution protocol [1]. Alice sends Bob qubits (2-dimensional systems), each qubit in one of the four states |i⟩_b with i, b ∈ {0, 1}. In order to send a bitstring i = i_1 . . . i_t, with H_0 = I and H_1 = H. In the conventional setting, Bob measures each qubit in one of those two bases, and whenever they used the same basis they obtain the same bit i. Using classical error correction and privacy amplification protocols, Alice and Bob reach a final key of length m < t bits. In this paper, bitstrings of (an arbitrary) length t are denoted by a bold letter (e.g. we use below the 2n-bit string i = i_1 . . . i_{2n} with i_1, . . ., i_{2n} ∈ {0, 1}) and are identified with elements of the t-dimensional F_2-vector space F_2^t.
code C with parity check matrix P_C of order r × n. They also agree on a linear key-generation function (privacy amplification) represented by a matrix P_K of order m × n. Those matrices can be publicly known beforehand, or they can be determined during the protocol and sent over the classical channel. The (r + m) × n matrix whose rows are those of P_C and P_K put together is required to have rank r + m. We denote by i_B the string measured by Bob. If there is no noise and no eavesdropping, he gets exactly the bitstring i sent by Alice.
4. Alice randomly chooses n bits that will be used to detect eavesdropping. This is done by choosing a 2n-bit string that has exactly n ones. Formally, Alice chooses s ∈ F_2^{2n} such that |s| = n. Alice publicly sends s to Bob.
The bits indexed by j ∈ [1..2n] such that s_j = 0 are used for testing, while the rest are used for generating the final key (via error correction and privacy amplification). We denote the substrings of i and b that are relevant for the testing by i_s̄ and b_s̄, while the substrings relevant for creating the key are denoted i_s and b_s.
5. For each j ∈ [1..2n] such that s_j = 0, Alice and Bob publish the value of the j-th bit. Alice and Bob compare those bit values, and if more than n·p_a bits mismatch, they abort the protocol. The pre-fixed protocol parameter p_a is the ratio of allowed bit-flips on the testing bits.
6. Alice and Bob keep the values of the remaining n bits secret. Alice's string is denoted x = i_s and named the information string. The corresponding bitstring on Bob's side is denoted x_B.
7. Alice sends Bob the r-bit error-correction string ξ = x P_C^T (where P_C^T is the transpose of the parity check matrix). Bob uses ξ to correct his string x_B. The string ξ is called the syndrome of the string x (with regard to P_C).
8. Alice and Bob compute the m-bit final key k = x P_K^T.
§ Here we assume that Bob delays measuring each qubit until after learning its basis. In the more realistic case in which Bob cannot wait with his measurement, or in case some qubits are lost, Alice needs to send more qubits to make sure that 2n qubits are obtained (in Alice's bases) as required.

Description of Eve's attack and its properties
To each qubit |φ_j⟩ (j ∈ [1..2n]) sent by Alice, Eve attaches a separate probe that we assume to be in a pure state |0⟩_{E_j} and applies a unitary transform U_j to the composite system |0⟩_{E_j}|φ_j⟩. She then keeps her probes in a quantum memory for subsequent measurement and sends Bob his part of the system. For each qubit there is thus a particular probe Hilbert space and a particular U_j; they are decided beforehand by Eve and are thus fixed for all possible choices of i, b and s.

Eve's attack on a single qubit
Since the attack is bitwise, we now concentrate the analysis on some fixed qubit, momentarily drop the subindex j, and express the global effect of Eve's action on this particular qubit with respect to the basis |0⟩_b, |1⟩_b:

Extending the attack to multiple qubits -the collective attack
For each qubit j ∈ [1..2n], Eve applies the unitary U_j on the space H_{E_j} ⊗ H_2, where H_{E_j} is her probe space and H_2 is the qubit space. Eve's view expressed with respect to basis b_j is obtained by tracing out Bob from the states |φ^{b_j}_0⟩_j and |φ^{b_j}_1⟩_j, resulting in the respective density matrices If Alice sends the string i using bases b, then Eve's global state is the tensor product of all those states (ρ^{b_j}_{i_j})_j. After the test bits are revealed, Eve needs only those (ρ^{b_j}_{i_j})_j for which s_j = 1. The set {j | s_j = 1} has n elements; let us denote it {j_1, . . ., j_n}, so that s_{j_l} = 1 for 1 ≤ l ≤ n. Eve's global state corresponding to s, b and x can now be written We can rewrite Eq. (8) using the n-bit strings x and b = b_s with the index l running from 1 to n (instead of the 2n-bit strings i and b indexed by {j_1, . . ., j_n}), It is the state ρ^{b_s}_x (or a mixture of such states) that Eve measures collectively to guess the string x (or directly the final key k) once b, s and the information for error correction and privacy amplification are known to her.

The probability of error
Assuming a qubit is attacked by U as defined by (1) and (2), an error occurs if Alice sends 0 and Bob measures 1, or if Alice sends 1 and Bob measures 0. Let k be the value measured by Bob, i the value sent by Alice for a specific qubit, and b the basis used by Alice to encode i. The probability of Bob measuring an error is then given by and we denote

The probability of error in the conjugate basis
We are now interested in p_e^{b̄} where b̄ = 1 − b (i.e. 0̄ = 1 and 1̄ = 0) corresponds to the basis conjugate to that given by b. The attack U is always the one described by (1) and (2) in the b basis but, in order to calculate the probability of error when Alice encodes i_j as |i⟩_{b̄_j} instead of |i⟩_{b_j}, we now need to express U in the b̄ basis. From (10), we know that the probability of error for this situation is given by Using the fact that and using the linearity of U, we deduce directly from (1) and (2) that Replacing |0⟩_b and |1⟩_b on the right-hand sides with their values in terms of |0⟩_b̄ and where the terms for |E^b_01⟩ and |E^b_10⟩ are parenthesized so that we can easily see that We expand this result by using the identities that ⟨φ|ψ⟩ is the complex conjugate of ⟨ψ|φ⟩ and that z + z̄ = 2Re(z) for z ∈ C (here the overline indicates the complex conjugate). Using equalities (3) and (4) we get This formula will be used to connect the disturbance induced by Eve when Alice encodes the bits i_j such that s_j = 1 in the b̄_j basis to the information Eve can get when Alice encodes them in the b_j basis. Following the "information versus disturbance" principle [6], we will show that the more information Eve gets when the encoding is in the b basis, the more disturbance she causes when the bits are encoded and tested in the conjugate basis. Hence, we can bound Eve's knowledge about the key by bounding the allowed error rate in the protocol.
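To make the information-versus-disturbance relation concrete, here is an added Python example (not from the paper) that takes a single-qubit attack in the form of Eqs. (1) and (2), i.e. the four probe vectors |E^b_00⟩, |E^b_01⟩, |E^b_10⟩, |E^b_11⟩ that U produces from |0⟩_E|0⟩_b and |0⟩_E|1⟩_b, checks that they can come from a unitary, computes p^b_e, computes p_e^{b̄} by evolving the conjugate-basis states directly, and computes Eve's best probability of guessing the bit sent in basis b from her probe (the Helstrom bound, a simpler measure than the Shannon distinguishability used later in the paper). A 2-dimensional probe and the controlled-rotation family rotation_attack(theta) are assumptions for the illustration; the identity p_e^{b̄} = (1 − r)/2 with r = Re(⟨E^b_00|E^b_11⟩ + ⟨E^b_01|E^b_10⟩), which the code checks numerically, is the form averaged over Alice's two conjugate-basis states and follows from unitarity alone.

```python
import math

# Attack on one qubit in the paper's form: U|0>_E|0> = |E00>|0> + |E01>|1>, U|0>_E|1> = |E10>|0> + |E11>|1>.
# Probe vectors are lists of complex amplitudes over a 2-dimensional probe (an assumption for this example).


def inner(u, v):
    """<u|v> for probe vectors."""
    return sum(a.conjugate() * b for a, b in zip(u, v))


def check_unitary(E00, E01, E10, E11, tol=1e-9):
    """Images of two orthonormal inputs under a unitary are unit vectors and orthogonal to each other."""
    norms_ok = (abs(inner(E00, E00) + inner(E01, E01) - 1) < tol
                and abs(inner(E10, E10) + inner(E11, E11) - 1) < tol)
    orth_ok = abs(inner(E00, E10) + inner(E01, E11)) < tol
    return norms_ok and orth_ok


def error_same_basis(E00, E01, E10, E11):
    """p_e^b: Bob's bit differs from Alice's when both use the attacked basis b (averaged over the sent bit)."""
    return ((inner(E01, E01) + inner(E10, E10)) / 2).real


def error_conjugate_basis(E00, E01, E10, E11):
    """p_e^{b-bar}: same quantity when Alice encodes and Bob measures in the conjugate basis, obtained by
    evolving |x-bar> = (|0> + (-1)^x |1>)/sqrt(2) through U and projecting Bob's qubit on the wrong outcome."""
    E = {(0, 0): E00, (0, 1): E01, (1, 0): E10, (1, 1): E11}
    dim = len(E00)
    total = 0.0
    for x in (0, 1):
        sign_x = 1 if x == 0 else -1
        # amplitude of (qubit value j, probe basis state e) after U
        amp = {(j, e): (E[(0, j)][e] + sign_x * E[(1, j)][e]) / math.sqrt(2)
               for j in (0, 1) for e in range(dim)}
        sign_y = 1 if (1 - x) == 0 else -1   # Bob's wrong outcome y = 1 - x in the conjugate basis
        total += sum(abs((amp[(0, e)] + sign_y * amp[(1, e)]) / math.sqrt(2)) ** 2 for e in range(dim))
    return total / 2


def overlap_r(E00, E01, E10, E11):
    """r = Re(<E00|E11> + <E01|E10>), the overlap of the purifications; for any unitary the conjugate-basis
    error averaged over the two sent values equals (1 - r)/2."""
    return (inner(E00, E11) + inner(E01, E10)).real


def eve_guess_probability(E00, E01, E10, E11):
    """Helstrom bound 1/2 + (1/4)||rho_0 - rho_1||_1 on Eve's chance of guessing the bit sent in basis b,
    with rho_x = |Ex0><Ex0| + |Ex1><Ex1|. For a 2-dimensional probe the traceless Hermitian difference
    [[a, c], [c*, -a]] has eigenvalues +-sqrt(a^2 + |c|^2)."""
    def dm(u, v):
        return [[u[i] * u[j].conjugate() + v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]
    r0, r1 = dm(E00, E01), dm(E10, E11)
    a = (r0[0][0] - r1[0][0]).real
    c = r0[0][1] - r1[0][1]
    return 0.5 + 2 * math.sqrt(a * a + abs(c) ** 2) / 4


def rotation_attack(theta):
    """Constructed family: the probe is rotated by theta only when the qubit is |1>, so the attack is
    invisible in basis b (p_e^b = 0) and Eve learns more as theta grows."""
    E00 = [1 + 0j, 0j]
    E01 = [0j, 0j]
    E10 = [0j, 0j]
    E11 = [complex(math.cos(theta)), complex(math.sin(theta))]
    return E00, E01, E10, E11


def tradeoff(theta):
    att = rotation_attack(theta)
    assert check_unitary(*att)
    return {"p_e_b": error_same_basis(*att), "p_e_bbar": error_conjugate_basis(*att),
            "eve_guess": eve_guess_probability(*att), "r": overlap_r(*att)}


if __name__ == "__main__":
    for deg in (0, 30, 60, 90):
        print(deg, tradeoff(math.radians(deg)))
```

For this family r = cos θ, so the error rate seen on test bits encoded in the conjugate basis grows as (1 − cos θ)/2 while Eve's guessing probability grows as (1 + sin θ)/2: the more she learns about bits sent in basis b, the more the test in basis b̄ exposes her.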

Flat attacks with respect to basis b
Assume now that Eve's attack U is fixed, and that p_e^{b̄} is given by Eq. (15). We will present a virtual attack that is provably better for Eve, as it induces a smaller error rate. This virtual attack cannot be executed by Eve since it requires knowledge of the basis b used by Alice (knowledge that, of course, Eve does not have at the stage in which she chooses her transformation U). Still, the existence of such an attack that is provably better for Eve allows us to derive bounds on Eve's knowledge when the original attack (actually used by Eve) is applied.
Proposition 1. For each attack U with ρ^b_0, ρ^b_1 and p^b_e given by (6), (7) and (10), that satisfy there exists U^b with the same ρ^b_0, ρ^b_1 and p^b_e as U, which satisfies From those equalities it follows that ρ^b_0 and ρ^b_1 are left unchanged, as can be seen from equations (6) and (7). In the same way, the right-hand side of (10) is also clearly left unchanged and so p^b_e is left unchanged. Finally The attack U^b provides the same "view" ρ^b_0, ρ^b_1 to Eve, and the same probability of being detected if the b basis is used. However, from Eq. (15) we see that it reduces p_e^{b̄} to the minimum value that (15) can take, because Re(z) ≤ |z| for any z ∈ C. This means that by replacing U by U^b, Eve's probability of being detected, had the other basis been chosen, can only decrease; U^b is thus better for Eve, since she needs to take into account all possible bases used by Alice. U^b will be called the "flat" attack associated to U with respect to basis b. Since Eve is not aware of the basis b used, the flat attack is merely a mathematical tool. Moreover, it depends on b. However, by bounding Eve's information when that basis is used we will eventually get a bound on Eve's information under the original attack.
In the more general case of bitstrings, since Eve's view comes from the tensor product of density matrices on individual qubits, using the flat attacks on all qubits does not change Eve's global view, nor the probability of error in the b basis. A flat attack will thus be flat for each qubit. In a flat attack (one-qubit case), there exists r ∈ R_+ such that A short summary: we consider two possible cases for a specific qubit sent by Alice to Bob that is attacked by Eve with a flat unitary transform U:

A purification
We now assume the attack is flat, i.e. it satisfies equations (3)-(5), (20), and also, as a result, equation As a consequence, we get Since Using this basis, we can re-write the purification for x ∈ {0, 1}, as

Proof of security of BB84 against collective attacks

Parity strings for the code and the key
We recall that bitstrings of length n are identified with elements of F_2^n. Vector addition thus corresponds to component-wise sum modulo 2 and thus to the exclusive-or of the corresponding bitstrings. We denote by a · b the scalar product (modulo 2) of two strings a and b of the same length, e.g., for n-bit strings, a For any r let V_r denote the span of {v_1, . . ., v_r} and V_r^c the span of {v_{r+1}, . . ., v_n}; it is clear that This property is normally summarized by saying that F_2^n is the direct sum of V_r and V_r^c, i.e., V_r + V_r^c = F_2^n and V_r ∩ V_r^c = {0}. The vectors v_1, . . ., v_r are used as the rows of P_C, the parity check matrix for the error-correcting code which yields the syndrome ξ = x P_C^T; the vectors v_{r+1}, . . ., v_{r+m} are used as the rows of a privacy amplification matrix P_K such that if x is the string sent by Alice, then the m-bit key is x P_K^T. Let This parameter, on which security depends, relates in terms of Hamming distance the parity strings used to generate the key k to the parity strings used to generate the error correction information ξ. A large value of d_{r,m} will be shown to imply little information for Eve on the key k, given that she knows ξ (Theorem 8).
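An added example (not the paper's code) that computes d_{r,1} exactly as it is used below for the one-bit key, namely the smallest Hamming distance between v_{r+1} and the elements of V_r, and checks the direct-sum property V_r + V_r^c = F_2^n, V_r ∩ V_r^c = {0} by enumeration. The page does not reproduce the definition of d_{r,m} for m > 1, so only the m = 1 case is implemented. The rows of the Hamming [7,4] parity-check matrix as v_1, v_2, v_3 and the all-ones vector as v_4 = v_{r+1} are constructed choices for the illustration.

```python
from itertools import product

# Constructed example (not from the paper): the rows of the Hamming [7,4] parity-check matrix play
# v_1, v_2, v_3 (so V_r = V_3 is their span, the dual code C^perp) and the all-ones vector plays v_{r+1}.
HAMMING_ROWS = [
    [0, 0, 0, 1, 1, 1, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0, 1],
]
ALL_ONES = [1] * 7


def add_gf2(u, v):
    """Component-wise sum modulo 2, i.e. the exclusive-or of two bitstrings."""
    return [a ^ b for a, b in zip(u, v)]


def weight(v):
    """Hamming weight; the Hamming distance between u and v is weight(add_gf2(u, v))."""
    return sum(v)


def span_gf2(vectors):
    """All 2^r combinations of r vectors over GF(2), e.g. V_r = span{v_1, ..., v_r}."""
    n = len(vectors[0])
    members = set()
    for coeffs in product((0, 1), repeat=len(vectors)):
        v = [0] * n
        for c, vec in zip(coeffs, vectors):
            if c:
                v = add_gf2(v, vec)
        members.add(tuple(v))
    return members


def d_r1(code_rows, v_key):
    """d_{r,1}: smallest Hamming distance between v_{r+1} (v_key) and any element of V_r = span(code_rows)."""
    return min(weight(add_gf2(v_key, list(u))) for u in span_gf2(code_rows))


def is_direct_sum(v_rows, vc_rows):
    """True iff V_r + V_r^c = F_2^n and V_r ∩ V_r^c = {0}, checked by enumeration (small n only)."""
    n = len(v_rows[0])
    v_span, vc_span = span_gf2(v_rows), span_gf2(vc_rows)
    all_sums = {tuple(add_gf2(list(u), list(w))) for u in v_span for w in vc_span}
    return len(all_sums) == 2 ** n and v_span & vc_span == {tuple([0] * n)}


def example():
    """d_{3,1} for the constructed choice, plus the direct-sum check with v_4..v_7 completing a basis of F_2^7."""
    complement = [ALL_ONES, [1, 0, 0, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0, 0]]
    return d_r1(HAMMING_ROWS, ALL_ONES), is_direct_sum(HAMMING_ROWS, complement)


if __name__ == "__main__":
    print(example())   # expected (3, True)
```

Every non-zero element of this V_r has weight 4, so the all-ones key row sits at distance 3 from V_r; choosing v_4 = e_1 instead gives d_{3,1} = 1, a key parity string almost identical to something the revealed syndrome already determines, which is the situation the bound in Theorem 8 penalizes.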

The Shannon distinguishability
We shall use SD(α, β) as it is defined in [4,5] to denote the Shannon Distinguishability between the state (or density matrix) α and the state (or density matrix) β. Consider the following protocol: Sam chooses '0' or '1' randomly with equal probability. If Sam chooses '0', he sends the state α to Rachel. Otherwise, he sends β. SD(α, β) is by definition Rachel's accessible information, i.e. the maximum mutual information between Sam's encoded bit and Rachel's measurement of the state she received. Notice that when α and β are orthogonal (thus they form a basis), Rachel can always distinguish between them, and has information of exactly 1 bit about Sam's chosen bit. On the other hand, if α = β, Rachel can never distinguish between those states, and she has 0 bits of information. Important results about the SD function are summarized in the following lemma:

Representing states for bitstrings
Let s be a fixed string of length 2n with a 1 in positions j_1, . . ., j_n corresponding to the n information bits. As in Eq. (9 H corresponding to the attack U_{j_l} on the j_l-th qubit (the l-th information qubit). If for c = c_1 . . . c_n ∈ {0, 1}^n we define where |c⟩ stands for |1⟩_l as defined above, and d_c = cos(α_1) sin(α_2) cos(α_3) cos(α_4). We notice that the factors of d_c^2 can be interpreted as probabilities, and from (24) we deduce where p_l^{b_l} is the probability of an error on the bit of index j_l (the l-th information bit) when encoded and measured in the conjugate basis and q_l^{b_l} = 1 − p_l^{b_l} is the probability of no error on the same bit under the same conditions. Due to the above, d_c^2 is the probability of having exactly the error string c on the bits i_j such that s_j = 1 when those bits are encoded and measured in the other basis. Since, according to the protocol, the bits such that s_j = 1 are the "information bits", we will say, by abuse of language, that this is the probability of error on the information bits. If we represent by C_I the random variable corresponding to the error in Bob's measurement of the information bits, and by B_I the random variable giving the corresponding basis string chosen by Alice, then we can write, for c ∈ {0, 1}^n, b ∈ {0, 1}^{2n} and s ∈ {0, 1}^{2n} such that |s| = n, where b_s = b = b_1 . . . b_n. This probability is not conditional on the syndrome ξ; all possible errors are taken into account here, even for values of x inconsistent with ξ.

Case of a one-bit key
We begin by proving the security of a 1-bit key, and then extend our proof to a key of arbitrary length m. This case corresponds to m = 1, and the key (when not discarded) is x · v_{r+1} where x is the string sent by Alice (that is, P_K has only one row, which equals v_{r+1}). Let ξ = x P_C^T be the r-bit syndrome announced publicly by Alice and let us denote by ρ_0 and ρ_1 Eve's states corresponding to key 0 and key 1 respectively. Those states are obtained by normalizing the operators¶ x and, since tr(ρ_0) = tr(ρ_1) = 2^{n−r−1}, ρ_0 and ρ_1 are equally likely, and Changing the attack to a flat one does not change ρ^{b_l}_{x_l}, and therefore does not change ρ_k. Moreover, since is a lift-up of ρ_k. According to Lemma 2, SD(ρ_0, ρ_1) ≤ SD(ρ_0, ρ_1) and SD(ρ_0, ρ_1)

Calculating and bounding the trace norm for one bit: the Biham basis
We now wish to bound (1/2) tr|ρ_0 − ρ_1| according to the specific attack Eve has performed. Taking advantage of the fact that V_r + V_r^c = F_2^n and V_r ∩ V_r^c = {0} (i.e. the sum is "direct"), equation (30) rewrites as For each ξ ∈ {0, 1}^r, let i_ξ be a fixed n-bit string such that i_ξ P_C^T = ξ. By definition of the syndrome, ξ = x P_C^T and thus (x − i_ξ) P_C^T = 0, i.e. (x − i_ξ) is a code word of C. Since every string v in the dual code C^⊥ = V_r is orthogonal to every code word, we get that v · (x − i_ξ) = 0 and thus v · x = v · i_ξ. It follows that
¶ State ρ^b_x is defined by (9) and (8).

If we define |η
Lemma 3. The non-normalized states |η_v⟩ for v ∈ V_r^c are orthogonal.
Proof.
The |η_v⟩ thus provide an orthogonal (but not orthonormal) basis with which we can simply represent |ψ^b_x⟩, as shown in (36). Using (33) we get The set of elements {x | x P_C^T = ξ} is the code coset containing the string i_ξ, namely {c + i_ξ | c ∈ C}, where each distinct element c gives a distinct possible x. Moreover, the final key bit k can be written as (c + i_ξ) · v_{r+1}, and using (36) we get which can be written as
Lemma 4. For every linear code C,
Lemma 5. Let I be any set, s : I → I be such that s^2 = 1_I and p_i ≥ 0 with Σ_{i∈I} p_i ≤ 1. Let I' ⊆ I and E ⊆ I such that I' ∩ s(I') = ∅ and This function is well defined because i and s(i) cannot both be in I'. Moreover h(h(i)) = i and h is thus 1-1 on I'.
the first inequality being justified by the Schwarz inequality.
We now use the lemma. Let 2} where d_{r,1} was defined as the smallest Hamming distance between v_{r+1} and the elements of V_r. For the lemma to apply, we need to show that Using Lemma 2 (Eq. 34), we get Note that this result is identical to the bound derived in [5, Lemma 4.5 (Eq. D.8)]. This result is much better than the loose bound [5, Lemma D.2 (Eq. D.3)], which is based on the methods of [4]. As a consequence, using (31) we get

Bounding Eve's accessible information
We now rewrite inequality (41) more carefully so as to take into account all the parameters that were fixed and that we will now let vary, in order to average Eve's information over the entire range of these parameters. Let c = i + i_B, the exclusive-or of the 2n-bit string sent by Alice and the one measured by Bob. Each index 1 ≤ l ≤ 2n such that c_l = 1 corresponds to a mismatch between Bob's bit value and the value sent by Alice. If s_l = 1 the bit is an "information bit" and if s_l = 0 it is a "test bit". The corresponding "error on the information bits" is thus c_s and the error on the test bits is c_s̄. The random variables corresponding to c_s and c_s̄ are denoted C_I and C_T respectively; they depend on b and s. In order to lighten the notation, we will write P[C_I = c_s | b, s] for the probability that the error string on the bits such that s_i = 1 is c_s, conditional on Alice having used the basis string b and the selection string s. As a consequence, P[C_I = c_s | b + s, s] denotes the probability that the error string on the information bits is c_s if the selection string is s and the basis string is b + s, i.e. the same as b but with all the bases at the positions selected by s (the information bits) replaced by their conjugates. Equations (31) and (41) can now be rewritten more cleanly as where on the right-hand side of (42) we use the fact that the qubits are attacked independently, the error on the information bits thus being independent of the error c_s̄ on the test bits. Equation (43) was derived for a (virtual) flat attack associated to b. That flat attack had the same ρ_0 and ρ_1 as the original attack, and could only give a lower error rate in the conjugate bases. As a consequence, equation (43) also holds for the original attack U and, from now on, the probability of error on the right-hand side will be understood to be the one induced by the original attack U = U_1 ⊗ . . . ⊗ U_{2n}.
For any such fixed attack U, Eve's information depends only on the syndrome ξ, the characteristic string s of the information bits, and the corresponding bases of the information string b_s (yet, as said, we use the entire 2n-bit string b).
Corollary 6. For a 1-bit key k, where K is the random variable giving as output the key k and E is the random variable corresponding to the outputs of Eve's (optimal) measurement.
Proof. This follows from the fact that SD(ρ_0, ρ_1) is Eve's accessible information on k if she holds ρ_k given by (32). These states correspond to Eve's state when Alice encodes the key bit k, assuming Eve learns ξ, b and s. Eve's information also depends in principle on c_s̄, but since her attack on a qubit is independent of the other qubits, the bits of c_s̄ have no influence on her state and may be omitted from the parameters on which Eve's information I depends.
Proposition 7. For an m-bit key k, Proof. This follows from Corollary 6 by applying the chain rule for mutual information. Details of the proof can be found in [5, Section 4.5].
The value we want to bound is Eve's expected information, assuming Eve gets no information if the test fails, which happens when |c_s̄|/n > p_a. If we let then the accessible information to bound, denoted** I^{(p_a)}_Eve, is given by Theorem 8.
where |C_T|/n is the random variable corresponding to the error rate on the test bits and |C_I|/n is the random variable corresponding to the error rate on the information bits.
Proof. The function x^2 is convex, i.e. (Σ_i p_i x_i)^2 ≤ Σ_i p_i x_i^2 for p_i ≥ 0, Σ_i p_i = 1. We apply this to the square of I Since the test bits are unaffected by replacing the basis of the information bits: which implies 2(X − µ) > and using Hoeffding's theorem (Theorem 10) The above discussion gives the following
Theorem 9. Let us be given δ > 0, R > 0 and, for infinitely many values of n, a family {v^n_1, . . ., v^n_{r_n+m_n}} of linearly independent vectors in F_2^n such that δ ≤ d_{r_n,m_n}/n and m_n/n ≤ R. Then for any p_a > 0 and sec > 0 such that p_a + sec ≤ δ/2, Eve's accessible information satisfies the following bound All we need to guarantee security is thus a family of vectors {v^n_1, . . ., v^n_{r_n+m_n}} satisfying the conditions of the theorem. Such families were proven to exist in [5].
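As an added example (not from the paper), the random-partition argument behind the proof of Theorem 8, in Python: for a fixed error pattern of weight w on the 2n bits, the selection string s splits it uniformly at random, so |C_I| is hypergeometric, and the probability that the test passes while the information bits carry an error rate at least eps above p_a can be computed exactly and compared with Hoeffding's bound for sampling without replacement, P[X − µ ≥ t] ≤ exp(−2t²n) with X = |C_I|/n and µ = w/(2n). The statement of Theorem 10 is not reproduced on the page, so this standard form of Hoeffding's inequality is assumed; the parameter values used in the functions are constructed.

```python
from math import comb, exp


def info_error_distribution(n, w):
    """Exact law of |C_I| for a fixed error pattern of weight w on the 2n bits when the selection string s
    (|s| = n) is uniform: P[|C_I| = k] = C(w, k) C(2n - w, n - k) / C(2n, n) (hypergeometric)."""
    total = comb(2 * n, n)
    return {k: comb(w, k) * comb(2 * n - w, n - k) / total
            for k in range(max(0, w - n), min(w, n) + 1)}


def prob_test_passes_but_key_bad(n, w, p_a, eps):
    """P[|C_T|/n <= p_a and |C_I|/n >= p_a + eps]: the test accepts although the information bits carry an
    error rate at least eps above the allowed one. Since |C_T| = w - |C_I|, this is a tail of the law above."""
    return sum(p for k, p in info_error_distribution(n, w).items()
               if (w - k) / n <= p_a and k / n >= p_a + eps)


def hoeffding_bound(n, eps):
    """With X = |C_I|/n and mu = w/(2n), the bad event forces X - mu = (|C_I| - |C_T|)/(2n) >= eps/2.
    Hoeffding's inequality for sampling n of 2n items without replacement (assumed standard form; the
    paper's Theorem 10 is not reproduced here) gives P[X - mu >= t] <= exp(-2 t^2 n); at t = eps/2 this
    is exp(-eps^2 n / 2)."""
    return exp(-(eps ** 2) * n / 2)


def worst_case_over_patterns(n, p_a, eps):
    """The error pattern is under Eve's control, so the bound must hold for every weight w: take the maximum."""
    return max(prob_test_passes_but_key_bad(n, w, p_a, eps) for w in range(2 * n + 1))


if __name__ == "__main__":
    for n in (10, 30, 60):
        print(n, worst_case_over_patterns(n, 0.05, 0.3), hoeffding_bound(n, 0.3))
```

For n = 10, p_a = 0.05 and eps = 0.3 the worst pattern has w = 4 errors, all of which must land on information bits: probability C(16,6)/C(20,10) ≈ 0.043, already well below the (loose) bound exp(−0.45) ≈ 0.64, and the exact probability falls exponentially as n grows.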

Reliability
For the key to be reliable, we need to be sure that the error rate on the information bits is less than the maximal rate that the error-correcting code can handle. The maximum number of errors for our code will be fixed to n(p_a + rel). For the code to be reliable with exponentially small probability of failure, we need For any fixed set of used bits, the test bits and the information bits form a random partition into two subsets of size n, and the argument used in the previous section applies. The same requirement figures in [5].

Conclusions and Discussion
In this paper we have analyzed the security of the BB84 protocol against any collective attack, using the methods and tools used in proving security against the more powerful joint attack. By doing this we keep the security proof relatively simple, yet we achieve a far more meaningful result than previously achieved for the collective attack [4]. The basic idea of this paper can also be found in a presentation given by one of us (M.B.) at the Technion [7].
The same theorems (8 and 9) proven in this paper are also obtained by [5] for the joint attack. This result leads to an asymptotic error-rate threshold of 7.56%††, the same asymptotic result obtained for the joint attack in [5,8]. Note that these results are not just asymptotic but also explicit, in the sense that for every and every threshold smaller than (7.56 − ), a sufficiently large number n can be explicitly calculated such that the final key is reliable and secure. Explicit numbers expressing the reliability and security can also be obtained. To the best of our knowledge, such explicit results were not obtained via the methods shown in [9]. The threshold of 7.56% obtained here and in [5,8] still has a gap from the asymptotic threshold of 11% reported by [9]. This gap can be explained by the different choice of privacy amplification; see for instance [5,10,11].
Other researchers have also reached very interesting results regarding the collective attack and its relation to the joint attack, via other methods. See for instance [12,13], in which it is proven that security against collective attacks implies security against joint attacks. However, their definition of the collective attack is not identical to the definition given in [2], which is used in [3,4] and in the current paper. Furthermore, the conjecture that the strongest joint attack is a collective attack is not addressed by [12,13] and remains an open problem. We leave the comparison of our result to the results obtained via these other methods for future research.

1/√2 [ |1⟩_1 is an orthonormal basis‡; it is called the Hadamard basis. The unitary map H such that H|0⟩_0 = |0⟩_1 and H|1⟩_0 = |1⟩_1 is called the Hadamard transform. Due to linearity, H|0⟩_1 = H|0⟩_0 + H|1⟩_0] = |0⟩_0 and similarly H|1⟩_1 = |1⟩_0, i.e. H · H = I (the identity). Those bases are used for measurements in the BB84 scheme; measuring a state represented by the density matrix ρ in the b basis returns output 0 with probability ⟨0_b|ρ|0_b⟩ and 1 with probability ⟨1_b|ρ|1_b⟩. Thus if the state |0⟩_b (or |1⟩_b) is measured in the b basis, it results in output 0 (1) with certainty. Yet, when |0⟩_b or |1⟩_b is measured in the b̄ = 1 − b basis, the output is random, i.e. 0 i_t to Bob, Alice first draws randomly a bitstring b = b_1 . . . b_t and then sends the state |i⟩_b = |i_1⟩_{b_1} . . . |i_t⟩_{b_t} = H^b|i⟩ where H^b = H^{b_1} ⊗ . . . ⊗ H^{b_t} and |i⟩ = |i_1 .

1. Alice and Bob use the b basis. Eve's attack causes a bit-flip with probability p^b_e = 1/2 (⟨E^b_01|E^b_01⟩ + ⟨E^b_10|E^b_10⟩).
2. However, if Alice and Bob use the b̄ basis, Eve's attack causes a bit-flip with probability p_e^{b̄} = 1/2 (1 − Re(⟨E^b_00|E^b_11⟩ + ⟨E^b_01|E^b_10⟩)) = 1/2 (1 − r).

(21). Still working on a single qubit, let us now define |ψ^b_0⟩ and |ψ^b_1⟩ as
|ψ^b_0⟩ = |E^b_00⟩|0⟩ + |E^b_01⟩|1⟩; |ψ^b_1⟩ = |E^b_11⟩|0⟩ + |E^b_10⟩|1⟩. (22)
where the (normalized and orthogonal) states |0⟩ and |1⟩ live in some Hilbert space H′ that need not correspond to any physical reality (they are useful mathematical entities). If we trace the states |ψ^b_0⟩⟨ψ^b_0| and |ψ^b_1⟩⟨ψ^b_1| over the span of |0⟩ and |1⟩ in H′, we get the states ρ_0 and ρ_1 respectively. The states |ψ^b_0⟩ and |ψ^b_1⟩ are thus called lift-ups of ρ_0 and ρ_1. Since they are also pure, they are said to be purifications of ρ_0 and ρ_1. Moreover they are normalized and, by Eq. (20), their overlap is
⟨ψ^b_0|ψ^b_1⟩ = ⟨E^b_00|E^b_11⟩ + ⟨E^b_01|E^b_10⟩ = r. (23)
This establishes a direct relation between the overlap of |ψ^b_0⟩ and |ψ^b_1⟩ and the probability of error p_e^{b̄}. Since the overlap r is real and positive, with 0 ≤ r ≤ 1, there is an angle α such that cos(2α) = r = ⟨ψ^b_0|ψ^b_1⟩, 0 ≤ α ≤ π/4.

p(b, s, c_s̄) = p(c_s̄ | b, s) p(b, s) = p(c_s̄ | b + s, s) p(b, s) = p(c_s̄ | b + s, s) p(b + s, s) = p(c_s̄, b + s, s), and, letting b stand for b + s,
(I^{(p_a)}_Eve)^2 ≤ 4m^2 Σ_{b, |s|=n, |c_s̄|/n ≤ p_a} P[|C_I| ≥ d_{r,m}/2 | c_s̄, b, s] p(c_s̄, b, s)
** The notation in [5] is I_Eve, the value p_a being fixed.
2. Alice randomly chooses 2n-bit strings i, b ∈ F_2^{2n}, where F_2 denotes the two-element field with elements {0, 1}, i.e. the field of integers modulo 2. Alice encodes the state |i⟩_b = |i_1⟩_{b_1} . . . |i_{2n}⟩_{b_{2n}} and sends it to Bob over the quantum channel, one qubit at a time. Each time Bob receives a qubit he informs Alice, yet he does not measure it§.
3. Alice publicly sends Bob the string b. Bob applies H^b = H^{b_1} ⊗ . . . ⊗ H^{b_{2n}} to his state, so that if Bob had the state |i⟩_b, once he performs H^b he possesses the state |i⟩ = |i_1 . . . i_{2n}⟩. Bob then measures these qubits in the computational basis.
For each particular string c_1 . . . c_{2n} corresponding to a measurement of all qubits in some admissible basis b we can apply Hoeffding's sampling (Theorem 10). Let X = |C_I|/n be the average of the sample corresponding to erroneous information bits; µ = (|C_I| + |C_T|)/(2n) is the expectation of X. |C_T|/n ≤ p_a is equivalent to 2µ − X ≤ p_a, or equivalently, to X − µ ≥ µ − p_a. For the population c_1, . . ., c_{2n} the