5. Security in QKD

#### 5.1. Security definition

A good definition of security would allow the key generated by a QKD protocol to deviate by a small parameter ε, from a perfect key [2]. This definition should be able to bound Eve's knowledge about the final key. A perfect key refers to a uniformly distributed bit string whose value is completely independent and remains unknown to an eavesdropper [16]. The main requirement that the definition of security must fulfil is composability [5]. The composable definition characterises the security of a protocol with respect to the ideal functionality. This means that the security of the key generated could be used in any subsequent cryptographic task such as the one-time pad for message encryption, where an ideal key is expected. However, there always exist some challenges in constructing security proofs without making any assumptions either about the devices or the parties. For example, attacks against practical schemes exist, such as photon-number-splitting attacks (PNS) [37], time-shift attacks [38], large pulse attacks [17, 39], blinding attacks [40] and high-power damage attack [41]. Some of the assumptions made in the definition of QKD security are as follows:

other information to the outside world, in which it is not supposed to do (i.e. devices work

where rSE = ∑s∈<sup>S</sup> Ps(s)|s⟩⟨s| ⊗ r<sup>E</sup> |S = s is the actual state that contains some correlations between the final key and Eve and ε gives the maximum failure probability of the key extraction process. The state r<sup>U</sup> = ∑s∈<sup>S</sup> |s⟩⟨s||S| is the completely mixed state on S and |S|

probability of distinguishing between the two quantum states (r0,r1), this composable security definition naturally gives rise to the operational meaning that the protocol is εsecure, that is, S is identical to an ideal key U except with probability ε [5]. Again, according to Helstrom's Theorem, the probability of distinguishing between the two

<sup>2</sup> + <sup>1</sup>

3. Robustness: A QKD protocol is said to be "not robust" if the protocol aborts even though the eavesdropper is inactive. While correctness and secrecy are difficult to prove, robust-

Over the last decade, a lot of work in QKD has been devoted to the derivation of unconditional security proofs [8, 16, 44–47]. One of the main problems is that Eve has the power to perform any type of eavesdropping strategy. In particular, she can evade detection by attributing noise caused by her eavesdropping attack to normal noise in the channel. Therefore, it remains difficult to accurately bound the amount of information that Eve may obtain from the communication channel. The most important resource which should be determined when constructing security proofs for QKD protocols is the secret key rate. Therefore, all QKD protocols must be able to provide a clear expression for the secret key rate. In the asymptotic limit, the secret key

r ¼ limn!<sup>∞</sup>

where l is the length of the final secret key and n is a list of symbols called r raw keys [2]. This rate was established by Devetak and Winter [18]. The secret key rate against collective attacks

where I(X: Y) = H(X) � (X|Y) quantifies the amount of bits need to be satisfied for error correction. The term χ(X: E) = H(X) + S(E) � S(X, E) refers to the Holevo quantity, where H is

l

<sup>4</sup> tr|r<sup>0</sup> � r1| [43].

tr∣rSE � r<sup>U</sup> ⊗ σE∣ ≤ ε, (1)

<sup>2</sup>tr|r<sup>0</sup> � r1| refers to the maximum

Security of Quantum Key Distribution Protocols http://dx.doi.org/10.5772/intechopen.74234 9

<sup>n</sup> , (2)

r ¼ I Xð Þ� : Y χð Þ X : E (3)

2. Secrecy: A random variable S drawn from the set S is said to be ε-secure with respect to an

according to their specification),

eavesdropper holding a quantum system E, if.

is the size of S. Since the trace distance, that is, <sup>1</sup>

ness can simply be proven by running the protocol.

was derived by Kraus, Gisin and Renner [48] and is expressed as

quantum states r<sup>0</sup> and r<sup>1</sup> is bounded by <sup>1</sup>

5.3. Infinite-length key security in QKD

rate is expressed as

min<sup>∈</sup>σ<sup>E</sup>

1 2


If there is randomness and quantum theory is correct, then this leads to completion of the security proofs. However, in classical cryptography, the security is based on the difficulty or complication of a certain mathematical algorithm to afford security of the protocol. Therefore, the security is mainly based on the failure to solve the algorithm. This can fail in four ways that are as follows:


#### 5.2. Security requirements

In this section, we follow closely the definitions in [5, 42]. A QKD protocol outputs a key SA on Alice's side and also a key SB on Bob's side. The length of the key is l > 0, otherwise no key is extracted. The length of the key depends on the noise level of the communication channel as well as security and on the correctness requirements of the protocol. Depending on the deviation of the output key from the ideal one, the protocol aborts in which case SA = SB = ⊥ [42].

1. Correctness: A QKD protocol is called "correct", if, for any strategy by the eavesdropper SA = SB. This occurs whenever Alice and Bob output the classical keys SA and SB, respectively, such that Pr[SA 6¼ SB] ≤ εcor. The term εcor is the maximum probability that the protocol deviates from the behaviour of the correct protocol. In order for correctness to be achieved, the QKD devices must perform what they are supposed to do according to a specified model. The devices generate the correct correlations which they are supposed to output, otherwise the protocol aborts. In other terms, the devices should not send any other information to the outside world, in which it is not supposed to do (i.e. devices work according to their specification),

2. Secrecy: A random variable S drawn from the set S is said to be ε-secure with respect to an eavesdropper holding a quantum system E, if.

$$\min\_{\mathbf{r}\in\sigma\to} \frac{1}{2} \text{tr}|\rho\_{\text{SE}} - \rho\_{\text{U}} \otimes \sigma\_{\text{E}}| \le \varepsilon,\tag{1}$$

where rSE = ∑s∈<sup>S</sup> Ps(s)|s⟩⟨s| ⊗ r<sup>E</sup> |S = s is the actual state that contains some correlations between the final key and Eve and ε gives the maximum failure probability of the key extraction process. The state r<sup>U</sup> = ∑s∈<sup>S</sup> |s⟩⟨s||S| is the completely mixed state on S and |S| is the size of S. Since the trace distance, that is, <sup>1</sup> <sup>2</sup>tr|r<sup>0</sup> � r1| refers to the maximum probability of distinguishing between the two quantum states (r0,r1), this composable security definition naturally gives rise to the operational meaning that the protocol is εsecure, that is, S is identical to an ideal key U except with probability ε [5]. Again, according to Helstrom's Theorem, the probability of distinguishing between the two quantum states r<sup>0</sup> and r<sup>1</sup> is bounded by <sup>1</sup> <sup>2</sup> + <sup>1</sup> <sup>4</sup> tr|r<sup>0</sup> � r1| [43].

3. Robustness: A QKD protocol is said to be "not robust" if the protocol aborts even though the eavesdropper is inactive. While correctness and secrecy are difficult to prove, robustness can simply be proven by running the protocol.

#### 5.3. Infinite-length key security in QKD

definition characterises the security of a protocol with respect to the ideal functionality. This means that the security of the key generated could be used in any subsequent cryptographic task such as the one-time pad for message encryption, where an ideal key is expected. However, there always exist some challenges in constructing security proofs without making any assumptions either about the devices or the parties. For example, attacks against practical schemes exist, such as photon-number-splitting attacks (PNS) [37], time-shift attacks [38], large pulse attacks [17, 39], blinding attacks [40] and high-power damage attack [41]. Some of the

a. there should be no side channels. Side channels are basically discrepancies between the theoretical model and a practical implementation. They always exist if some information about the raw key is encoded in degrees of freedom not considered in the theoretical model. Therefore, this leads to a wrong assessment of the dimension of the Hilbert space

If there is randomness and quantum theory is correct, then this leads to completion of the security proofs. However, in classical cryptography, the security is based on the difficulty or complication of a certain mathematical algorithm to afford security of the protocol. Therefore, the security is mainly based on the failure to solve the algorithm. This can fail in four ways that

In this section, we follow closely the definitions in [5, 42]. A QKD protocol outputs a key SA on Alice's side and also a key SB on Bob's side. The length of the key is l > 0, otherwise no key is extracted. The length of the key depends on the noise level of the communication channel as well as security and on the correctness requirements of the protocol. Depending on the deviation of the output key from the ideal one, the protocol aborts in which case SA = SB = ⊥ [42]. 1. Correctness: A QKD protocol is called "correct", if, for any strategy by the eavesdropper SA = SB. This occurs whenever Alice and Bob output the classical keys SA and SB, respectively, such that Pr[SA 6¼ SB] ≤ εcor. The term εcor is the maximum probability that the protocol deviates from the behaviour of the correct protocol. In order for correctness to be achieved, the QKD devices must perform what they are supposed to do according to a specified model. The devices generate the correct correlations which they are supposed to output, otherwise the protocol aborts. In other terms, the devices should not send any

b. there should be access to perfect or almost perfect randomness (locally) and

b. underlying computation model could be wrong or could be unphysical,

assumptions made in the definition of QKD security are as follows:

which describes the protocol,

8 Advanced Technologies of Quantum Key Distribution

are as follows:

c. quantum theory is correct and complete.

a. conjecture of hardness/difficulty in this case is wrong,

c. the algorithm is easy for many instances and.

d. the computation could be small.

5.2. Security requirements

Over the last decade, a lot of work in QKD has been devoted to the derivation of unconditional security proofs [8, 16, 44–47]. One of the main problems is that Eve has the power to perform any type of eavesdropping strategy. In particular, she can evade detection by attributing noise caused by her eavesdropping attack to normal noise in the channel. Therefore, it remains difficult to accurately bound the amount of information that Eve may obtain from the communication channel. The most important resource which should be determined when constructing security proofs for QKD protocols is the secret key rate. Therefore, all QKD protocols must be able to provide a clear expression for the secret key rate. In the asymptotic limit, the secret key rate is expressed as

$$r = \lim\_{n \to \infty} \frac{l}{n'} \tag{2}$$

where l is the length of the final secret key and n is a list of symbols called r raw keys [2]. This rate was established by Devetak and Winter [18]. The secret key rate against collective attacks was derived by Kraus, Gisin and Renner [48] and is expressed as

$$\mathbf{r} = \mathbf{I}(\mathbf{X} : \mathbf{Y}) - \chi(\mathbf{X} : \mathbf{E}) \tag{3}$$

where I(X: Y) = H(X) � (X|Y) quantifies the amount of bits need to be satisfied for error correction. The term χ(X: E) = H(X) + S(E) � S(X, E) refers to the Holevo quantity, where H is the Shannon entropy and S is the von Neumann entropy [49, 50]. The Holevo quantity refers to the amount of privacy amplification required in order to eliminate Eve's information.

The upper bound on the secret key rate r, can be expressed as.

$$\mathbf{r} \le \mathbf{I}(\mathbf{A} : \mathbf{B} \Downarrow \mathbf{E}), \tag{4}$$

numerically. The square-root term corresponds to the speed of convergence of the smooth-min entropy, which is used to measure the key length of an identical and independently distributed (i.i.d) state toward the von Neumann entropy. In the asymptotic limit, the smooth-min entropy of an i.i.d state is equal to the von Neumann entropy. The second term εPA is directly linked to the failure probability of the privacy amplification procedure. Finally, leakEC/n corresponds to the amount of information which needs to be exchanged by Alice and Bob during the reconciliation phase. This quantity may not reach the Shannon limit, so leakEC ≥ nH(X|Y). Typically,

where fEC > 1 depends on the code and εEC refers to the failure probability of the error

Unlike in the asymptotic scenario, one needs to fix an overall security parameter ε for the QKD protocol. The parameter ε corresponds to the maximum probability failure that is tolerated on the key extraction protocol. This can be expressed as ε = εPE + εEC + ε ̄+ εPA, where εPE is the error in the parameter estimation step and the other terms are as previously defined. All the

As a result, the overall security parameter ε can be chosen arbitrarily small, to a value corresponding to Alice and Bob's wishes, but this comes at a cost of decreasing the final secret key rate. If m signals have been used to estimate the parameter λ, then the deviation of measurement outcomes λ<sup>m</sup> obtained from measuring the m samples from the ideal estimate

The objective of the privacy amplification step is to minimise the quantity of correct information which the eavesdropper may have obtained about Alice and Bob's reference raw key.

where Hmin (X |E) expresses Eve's uncertainty and εPA is the error in the privacy amplification

In the general philosophy of proving the security of QKD protocols, standard methods are known to exist. However, these seem to fail for other classes of protocols, for example, the distributed phase reference protocols. In this chapter, we discussed that QKD is a technique, which uses the power of quantum mechanics to establish a string of random bits called a key. We also showed how the secret key is generated and shared between Alice and Bob. Since the key is random and unknown to an eavesdropper, Eve, she is unable to learn anything about

parameters, εPE, εEC, ε ̄, εPA, can be independently fixed at arbitrarily low values.

λ<sup>∞</sup> can be quantified by using the law of large numbers resulting [5, 59].

After privacy amplification, the length of the raw key that remains will be.

correction procedure.

step.

6. Conclusion

leakEC ≈ fECH Xð Þþ jY 1=n log <sup>2</sup>ð Þ 2=εEC , (7)

Security of Quantum Key Distribution Protocols http://dx.doi.org/10.5772/intechopen.74234 11

∣λ<sup>m</sup> � λ∞∣ ≤ ξð Þ¼ m; d √½ � ln 1ð Þþ =εPE dln mð Þ þ 1 =2 m (8)

<sup>l</sup> <sup>≤</sup> Hmin<sup>ε</sup> ð Þ� <sup>X</sup>j<sup>E</sup> 2log2 ð Þ <sup>1</sup>=εPA , (9)

where I(A: B ↓ E) is the intrinsic conditional mutual information (intrinsic information for short) between two information sources held by Alice and Bob after Eve has performed an optimal individual attack [51]. The intrinsic information between two information sources A and B given E ̄is defined as, I(A : B ↓ E) = infE ̄I(A : B|E ̄), where the infimum is taken over all discrete random variables E such that AB ! E ! E ̄is a Markov chain [52]. It has been shown that I(A: B ↓ E) is an upper bound on the rate S = S(A;B||E) at which such a key can be extracted [51].

#### 5.4. Finite-length key security

Many efforts have been made to improve the bounds on the secret key rates for a finite amount of resources [5, 16, 53–58]. Since the tools for analysing the security under non-asymptotic regime have become available, there is need to provide new security definitions. In this section, we follow closely the techniques demonstrated in [16] to discuss some of the parameters used in the security of QKD for finite-length key limit. The main goal of finite-length key security is to obtain a secret key rate r, based on a certain number of signals, a security parameter ε, and certain losses from the error correction without making any assumptions about the post processing (sifting, error correction and privacy amplification). For example, one can recognise that the limit in this expression of Eq. (2) is unrealistic because in all implementations of QKD protocols finite resources are used. This is because in this scenario, N is assumed to be large, that is, it approaches infinity, while in practice Alice and Bob exchange a limited number of symbols or signals. In the non-asymptotic limit, the secret key rate can be expressed as.

$$\mathbf{r} = \mathbf{n} / \mathbf{N} [\mathbf{S}\_{\xi}(\mathsf{X}|\mathbf{E}) - \triangle - \text{leak}\_{\mathrm{EC}} / \mathbf{n}].\tag{5}$$

This shows that only a fraction of n out of N signals exchanged contributes to the key. This is because of the fact that m = N � n is used for parameter estimation thus leading the presence of a pre-factor of n/N. The expression S<sup>ξ</sup> (X |E) takes into account the finite precision of the parameter estimation. Eve's information is calculated by using measured parameters, for example, error rates. In the finite-key scenario, these parameters are estimated on samples of finite length. The parameter △ is related to the security of privacy amplification. Its value is given by.

$$
\triangle \equiv (2\log \mathbf{d} + 3) \bigvig [\log 2(2/\varepsilon)/\mathbf{n}] + 2/\mathbf{n} \log\_2 1/\varepsilon\_{\text{PA}} \tag{6}
$$

where d is the dimension of the Hilbert space, ε ̄is a smoothing parameter and εPA is the failure probability of the privacy amplification procedure. Eve's uncertainty is quantified by a generalised conditional entropy called the smooth min-entropy and is denoted as Hmin<sup>ε</sup> ̄ (X(n)| E(N)) [5]. The smoothing parameters, ε ̄and εPA, are parameters which should be optimised numerically. The square-root term corresponds to the speed of convergence of the smooth-min entropy, which is used to measure the key length of an identical and independently distributed (i.i.d) state toward the von Neumann entropy. In the asymptotic limit, the smooth-min entropy of an i.i.d state is equal to the von Neumann entropy. The second term εPA is directly linked to the failure probability of the privacy amplification procedure. Finally, leakEC/n corresponds to the amount of information which needs to be exchanged by Alice and Bob during the reconciliation phase. This quantity may not reach the Shannon limit, so leakEC ≥ nH(X|Y). Typically,

$$\text{leak}\_{\text{EC}} \approx \text{f}\_{\text{EC}} \text{H}(\text{X}|\text{Y}) + 1/\text{n} \, \log\_2(2/\varepsilon\_{\text{EC}}),\tag{7}$$

where fEC > 1 depends on the code and εEC refers to the failure probability of the error correction procedure.

Unlike in the asymptotic scenario, one needs to fix an overall security parameter ε for the QKD protocol. The parameter ε corresponds to the maximum probability failure that is tolerated on the key extraction protocol. This can be expressed as ε = εPE + εEC + ε ̄+ εPA, where εPE is the error in the parameter estimation step and the other terms are as previously defined. All the parameters, εPE, εEC, ε ̄, εPA, can be independently fixed at arbitrarily low values.

As a result, the overall security parameter ε can be chosen arbitrarily small, to a value corresponding to Alice and Bob's wishes, but this comes at a cost of decreasing the final secret key rate. If m signals have been used to estimate the parameter λ, then the deviation of measurement outcomes λ<sup>m</sup> obtained from measuring the m samples from the ideal estimate λ<sup>∞</sup> can be quantified by using the law of large numbers resulting [5, 59].

$$|\lambda\_{\mathbf{m}} - \lambda\_{\mathbf{m}}| \le \xi(\mathbf{m}, \mathbf{d}) = \sqrt{[\ln \left(1/\varepsilon\_{\rm PE}\right) + \text{dln}(\mathbf{m} + 1)/2\,\,\text{m}]} \tag{8}$$

The objective of the privacy amplification step is to minimise the quantity of correct information which the eavesdropper may have obtained about Alice and Bob's reference raw key. After privacy amplification, the length of the raw key that remains will be.

$$\mathbf{M} \leq \mathbf{H}\_{\text{min}} \; ^{\varepsilon} \left( \mathbf{X} | \mathbf{E} \right) - 2 \log\_2 \left( \mathbf{1} / \varepsilon\_{\text{PA}} \right), \tag{9}$$

where Hmin (X |E) expresses Eve's uncertainty and εPA is the error in the privacy amplification step.

#### 6. Conclusion

the Shannon entropy and S is the von Neumann entropy [49, 50]. The Holevo quantity refers to

where I(A: B ↓ E) is the intrinsic conditional mutual information (intrinsic information for short) between two information sources held by Alice and Bob after Eve has performed an optimal individual attack [51]. The intrinsic information between two information sources A and B given E ̄is defined as, I(A : B ↓ E) = infE ̄I(A : B|E ̄), where the infimum is taken over all discrete random variables E such that AB ! E ! E ̄is a Markov chain [52]. It has been shown that I(A: B ↓ E) is an upper bound on the rate S = S(A;B||E) at which such a key can be

Many efforts have been made to improve the bounds on the secret key rates for a finite amount of resources [5, 16, 53–58]. Since the tools for analysing the security under non-asymptotic regime have become available, there is need to provide new security definitions. In this section, we follow closely the techniques demonstrated in [16] to discuss some of the parameters used in the security of QKD for finite-length key limit. The main goal of finite-length key security is to obtain a secret key rate r, based on a certain number of signals, a security parameter ε, and certain losses from the error correction without making any assumptions about the post processing (sifting, error correction and privacy amplification). For example, one can recognise that the limit in this expression of Eq. (2) is unrealistic because in all implementations of QKD protocols finite resources are used. This is because in this scenario, N is assumed to be large, that is, it approaches infinity, while in practice Alice and Bob exchange a limited number of symbols or signals. In the non-asymptotic limit, the secret key rate can be expressed as.

This shows that only a fraction of n out of N signals exchanged contributes to the key. This is because of the fact that m = N � n is used for parameter estimation thus leading the presence of a pre-factor of n/N. The expression S<sup>ξ</sup> (X |E) takes into account the finite precision of the parameter estimation. Eve's information is calculated by using measured parameters, for example, error rates. In the finite-key scenario, these parameters are estimated on samples of finite length. The

where d is the dimension of the Hilbert space, ε ̄is a smoothing parameter and εPA is the failure probability of the privacy amplification procedure. Eve's uncertainty is quantified by a generalised conditional entropy called the smooth min-entropy and is denoted as Hmin<sup>ε</sup> ̄

E(N)) [5]. The smoothing parameters, ε ̄and εPA, are parameters which should be optimised

parameter △ is related to the security of privacy amplification. Its value is given by.

r ≤ I Að Þ : B↓E , (4)

<sup>r</sup> <sup>¼</sup> <sup>n</sup>=N S½ � <sup>ξ</sup>ð Þ� <sup>X</sup>j<sup>E</sup> △ � leakEC=<sup>n</sup> : (5)

△ � ð Þ 2log d <sup>þ</sup> <sup>3</sup> <sup>√</sup><sup>½</sup> log 2 2ð Þ <sup>=</sup><sup>ε</sup> <sup>=</sup>n� þ <sup>2</sup>=nlog2 <sup>1</sup>=εPA, (6)

(X(n)|

the amount of privacy amplification required in order to eliminate Eve's information.

The upper bound on the secret key rate r, can be expressed as.

extracted [51].

5.4. Finite-length key security

10 Advanced Technologies of Quantum Key Distribution

In the general philosophy of proving the security of QKD protocols, standard methods are known to exist. However, these seem to fail for other classes of protocols, for example, the distributed phase reference protocols. In this chapter, we discussed that QKD is a technique, which uses the power of quantum mechanics to establish a string of random bits called a key. We also showed how the secret key is generated and shared between Alice and Bob. Since the key is random and unknown to an eavesdropper, Eve, she is unable to learn anything about the message simply by intercepting the ciphertext. This phenomenon is beyond the ability of classical information processing.

[11] Gottesman D, Preskill J. Quantum Information with Continuous Variables. Amsterdam:

Security of Quantum Key Distribution Protocols http://dx.doi.org/10.5772/intechopen.74234 13

[12] Inamori H, Lütkenhaus N, Mayers D. The European Physical Journal D-Atomic, Molecu-

[13] Ben-Or M, Horodecki M, Leung D, Mayers D, Oppenheim J. In: Kilian J, editor. Theory of Cryptography: Second Theory of Cryptography Conference TCC 2005; vol. 3378 of Lec-

[17] Makarov V, teknisk-naturvitenskapelige universitet Institutt for elektronikk og telekommunikasjon N. Quantum Cryptography and Quantum Cryptanalysis. Department of Electronics and Telecommunications, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of Science and Technology; 2007. ISBN

[18] Devetak I, Winter A. Proceedings of the Royal Society A: Mathematical, Physical and

[20] Audretsch J. Entangled Systems: New Directions in Quantum Physics. New York: Wiley-VCH;

[21] Deutsch D. Physical Review Letters. 1983;50(9):631-633. DOI: 10.1103/PhysRevLett.50.631

[27] Bennett CH. Physical Review Letters. 1992;68(21):3121-3124. DOI: 10.1103/PhysRevLett.68.

[28] Meyer T. Finite key analysis in quantum cryptography [PhD Thesis]. Heinrich Heine University, Dsseldorf; 2007. http://d-nb.info/987330772. URL: http://docserv.uni-duesseldorf.

[29] Stucki D, Fasel S, Gisin N, Thoma Y, Zbinden H. Society of Photo-Optical Instrumenta-

[23] Wooters W, Zurek W. A single quantum cannot be cloned. Nature. 1982;299:802 [24] Bruss D, Leuchs G. Lectures on Quantum Information. New York: Wiley; 2007

ture Notes in Computer Science. Springer Verlag; 2005. pp. 386-406

[15] Christandl M, König R, Renner R. Physical Review Letters. 2009;102:20504

[19] Nielsen M, Chuang I, Grover L. American Journal of Physics. 2002;70:558

[22] Fuchs CA, Peres A. Physical Review A. 1996;53:2038-2045

[25] Peres A, Wootters W. Physical Review Letters. 1991;66:1119-1122

de/servlets/DerivateServlet/Derivate-6444/thesis\_noextras.pdf

tion Engineers (SPIE) Conference Series, vol. 6583; 2007. p. 18

Springer; 2003. pp. 317-356

824711478X

2007

3121

lar, Optical and Plasma Physics. 2007;41:599-627

[14] Renner R, Cirac J. Physical Review Letters. 2009;102:110504

[16] Scarani V, Renner R. Physical Review Letters. 2008;100:200501

Engineering Science. 2005;461:207-235

[26] Dieks D. Physics Letters A. 1982;92:271-272

In this chapter, we provided a background study of QKD and also defined the basic notion of security in QKD protocols. In particular, the tools for analysing the security proofs for both infinite- and finite-key QKD protocols were discussed and demonstrated. Further, we discussed that the finite-key analysis offers more realistic results than the infinite-key one, while the infinite-key analysis provides more simplicity.
