Quantum Key Distribution involves a step called "Privacy Amplification", which is essentially hashing down the bits that were received to a smaller number to account for the possibility that an eavesdropper knows some of them. The essential point is that the two parties must estimate the amount of information that could have been gained by an eavesdropper; errors are one component of this estimation process. Another component is the probability that the "single photon" sent was really more than one photon --- typical "weak coherent" links send multiple photons significantly often.
It is important to realize that eavesdropping is a probabilistic operation --- when an attacker measures a photon and retransmits it, there is some probability (as much as 50% in a noise-free system) that no error will be induced. (Essentially, this happens when the attacker's choice of basis matches the sender's choice of basis.) Thus, there can be no absolute guarantee of security, only probability bounds. This is really no different from traditional cryptography, as an attacker has a 1 in 2^1024 chance of guessing a 1024-bit RSA key with a trivial strategy.
Slutsky et al. discuss the issue of deciding how many bits to hash down in the context of desiring to bound the probability that an attacker will have gained some amount of information about the bits that remain after privacy amplification. Slutsky's paper can be found at http://kfir.ucsd.edu/papers/defense.pdf
See reference 11 for a discussion of privacy amplification. This paper addresses "individual attacks", in which a probe interacts with each photon and then a measurement is made on the probe. "Collective" and "joint" attacks in which multiple (sequential) photons are measured together are more complicated.
Greg Troxel <[EMAIL PROTECTED]>
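
The following Python sketch is an added example, not part of the original message or of Slutsky's paper: it simulates a measure-and-retransmit attacker on sifted BB84 bits and then hashes the sifted bits down with a Toeplitz matrix over GF(2), one common 2-universal hash used for privacy amplification. The function names, the `leaked_bound` and `margin` values, and the rule in `final_key_length` are assumptions made for illustration; the paper's own method for choosing how many bits to hash down is not reproduced here.

```python
import random

def intercept_resend(n, rng):
    """Simulate n sifted BB84 bits under a measure-and-retransmit attacker.
    Returns (error_rate, match_rate) as seen over the n photons."""
    errors = matches = 0
    for _ in range(n):
        bit, basis = rng.getrandbits(1), rng.getrandbits(1)  # sender's choices
        if rng.getrandbits(1) == basis:
            matches += 1                   # attacker's basis matches: no error
            received = bit
        else:
            received = rng.getrandbits(1)  # wrong basis: receiver's result is random
        errors += received != bit
    return errors / n, matches / n

def final_key_length(n, leaked_bound, margin):
    """Assumed rule: drop the estimated leaked bits plus a safety margin."""
    return max(0, n - leaked_bound - margin)

def toeplitz_hash(bits, out_len, seed_bits):
    """Privacy amplification: multiply bits by an out_len x len(bits) Toeplitz
    matrix over GF(2). seed_bits fills the diagonals and may be public."""
    n = len(bits)
    if len(seed_bits) != out_len + n - 1:
        raise ValueError("seed must have out_len + len(bits) - 1 bits")
    out = []
    for i in range(out_len):
        acc = 0
        for j in range(n):
            acc ^= seed_bits[i - j + n - 1] & bits[j]
        out.append(acc)
    return out

def demo(seed=1):
    rng = random.Random(seed)  # repeatable simulation only, not key-grade randomness
    error_rate, match_rate = intercept_resend(20000, rng)
    n = 256
    sifted = [rng.getrandbits(1) for _ in range(n)]  # constructed sample bits
    out_len = final_key_length(n, leaked_bound=96, margin=32)  # assumed estimates
    seed_bits = [rng.getrandbits(1) for _ in range(out_len + n - 1)]
    key_sender = toeplitz_hash(sifted, out_len, seed_bits)
    key_receiver = toeplitz_hash(list(sifted), out_len, seed_bits)
    return error_rate, match_rate, key_sender, key_receiver

if __name__ == "__main__":
    e, m, ka, kb = demo()
    print(f"error rate {e:.3f}, basis match rate {m:.3f}, key bits {len(ka)}, agree {ka == kb}")
```

In this noise-free simulation the attacker's basis matches about half the time, and the receiver sees errors on about a quarter of the measured photons, which is the error component the two parties feed into their estimate.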