Secret Key Agreement by Soft-decision of Signals in Gaussian Maurers Model

IEICE TRANS. FUND AMENT ALS, VOL.Exx–??, NO.xx XXXX 200x 1 P APER Secret Key Agreement b y Soft-deci sion o f Signals in Gaussian Maurer’s Mo del ∗ Masashi NAITO † a) , Nonmemb er , Sh un W A T ANABE †† b ) , Ryutaroh MA TSUMOTO †† c ) , and T omohi k o UYEMA TSU †† d) , Memb ers SUMMAR Y W e consider the problem of secret k ey agree- men t in Gaussian Maurer’s Mo del. In Gaussian Maurer’s mo del, legitimate receiv ers, Ali ce and Bob, and a wire-tapp er, Eve , r e- ceiv e signals randomly generated by a satellite through three i n- dependent memoryless Gaussian c hannels resp ectiv ely . Then Al- ice and Bob generate a common s ecret k ey from their receive d signals. In this mo del, we prop ose a proto col for generating a common s ecret ke y by using the r esult of s of t-decision of Al ice and Bob’s received signals. Then, we calculate a low er bound on the secret k ey rate in our prop osed protocol. As a result of comparison w i th the proto col that only uses hard-decision, we found that th e higher rate i s obta ined by using our proto col. key wor ds: advantage distil lation, A WGN, information the o- r etic security, key agr e e me nt , privacy amplific ation, public dis- cussion 1. In tro d uctio n As o ne of fundamen tal pro blems in cryptogra phy , we will co nsider the pr oblem of secret key agreement in this paper. That is to say , w e will cons ide r how to gen- erate a co mmon se c ret key b y tw o parties not shar ing such a key initia lly in the situation that a wir e-tapp er has acces s to the communication channel b etw een tw o parties. Man y mo dels o f this pr oblem were presented and and analyzed in the literatur e s [1]–[4]. Recently , key a greement ov er wir e less c hannel is exp erimentally studied [6 ]. Maurer [5] a nd Ahlsw ede a nd Cs is´ zar [7] consid- ered the interactive model of se c ret key agr eement from an initially shared pa rtially secr et string by communi- cation over a public channel. Maurer [5] co nsidered the following mo del. Two parties, Alice and Bob, who w ant to share a secret key , and the wire-tapp er, Ev e , receiv e the bits randomly Man uscript receiv ed Ap ril 1, 2008. Man uscript revised Jan uary 1, 2003. Final man u script receiv ed January 1, 2003. † The author is with the Department of Media Science Graduate School of Information Science, Nagoy a Universit y †† The auth ors are with the Department of Communica- tions and Integrated Sysmtems, T oky o Institute of T ec h nol- ogy a) E-mail: m-naito@sp.m.is.nago ya-u.ac.jp b) E-mail: shun-w ata@it.ss.titec h.ac.jp c) E-mail: ryutaroh@rmatsumoto.org d) E-mail: uyematsu@ieee.org ∗ A part of this pap er will b e presented at 2008 I EEE In- ternational Symp osium on Information Theory in T oronto, Canada. generated b y a s atellite o ver indep endent binary sym- metric channels (BSC) respectively . W e call this mo del Maurer’s mo del. Maurer [5] prop osed an int eractive proto col in his model, a nd he showed a lo wer b ound on key ra tes at which Alice and Bob can agre e a secret key . Note that the key rate is defined as leng th of the secret key generated by Alice and Bob p er channel us e by the satellite. In Maur er’s orig inal mo del and proto co l, c hannels are assumed to b e BSC, and received signals are as- sumed to be digita l signals. How ever, sig nals in pr ac- tical channels ar e analogue. Recently , key a greement ov er wireless channel is exp er iment ally studied by Aono et al. [6]. Howev er, informa tion theoretic analysis of the key a greement o ver analog ue channels has not suf- ficient ly co nducted. In order to close the gap b etw een Maurer’s results and the exp er iment al study , we will mo dify Maurer ’s mo de l to use Gaussian channels in- stead of BSC, which we call Gaussian Maurer ’s model. In Gaussian Maurer’s model, Alice a nd Bo b can use the res ults of soft-decision of a nalogue r eceived sig- nals. They can determine the r eliability information from this re s ults and use it for genera ting a common secret key . In this pa pe r, we will propo se a proto col for secret k e y agreement using the reliability infor mation. Then, we calculate key r ates a t which Alice and Bob can ag ree a sec r et key in o ur prop o sed proto col. Considering the situatio n that Alice, Bob, and Eve hard-detect the signals that are sen t out by the sa tel- lite, Maurer ’s original mo del can b e seen as the specia l case of Gaussian Maurer ’s mo del. Thus, w e can com- pare the pro to col in Gaussian Maurer ’s model and one in BSC Ma urer’s mo del. In order to s how adv antage to use relia bilit y info r mation, we will compare the key rate in our prop osed protoco l a nd the k ey rate in Ma u- rer’s pro to col in whic h Alice and Bob us e only hard- decision. that uses only hard-decision. F rom the result of this co mparison, we will sho w that the higher k ey rate is obtained by using our prop os ed proto col than the pro to col that only uses hard- decision. Rest of this pap er is or g anized as follows. In sec- tion 2, we will introduce Maurer ’s mo del mo dified to use Gaussian c ha nnels instead of BSC. In section 3 , we will show our pro po sed pro to col using relia bilit y infor - mation. In sectio n 4, we will compare our pr op osed proto col and Maur er’s proto col with hard-decision. In 2 IEICE TRANS. FUNDAMENT ALS, VOL.Exx–??, NO. xx XXXX 200x app endices, we will prov e the lemmas that is needed for the proof o f theor em that derives a low er b ound on key rates a t which Alice a nd Bob c a n agr ee a secr et key . 2. Secret K ey Rate in Gauss ian Maurer’s Mo del Consider the following key agreement problem, which we call Ga us sian Maure r ’s mo del. Assume that a satel- lite ra ndomly g enerates signals and se nds it to tw o par- ties Alice and Bob who wan t to share secr et key and the wir e-tapp er Ev e ov er thr ee independent memory- less Gaussian c hannels. Their nois es at time i , denoted N ( i ) A , N ( i ) B , and N ( i ) E , are dr awn from indep endently ident ically distributed (i.i.d.) Gaussian distributio ns with mean 0 a nd v ariance s V A , V B , and V E resp ec- tively . A sequence of signals that the satellite gener- ates at time 1 to n , deno ted U n = [ U (1) , . . . , U ( n ) ], is dr awn from a distribution P U n on a signal set in R n and this sequence of sig nals satisfies power con- straint 1 n P n i =1 ( u ( i ) ) 2 ≤ 1 for all seq ue nce s u n . Alice, Bob, a nd Eve receive X n = [ X (1) , . . . , X ( n ) ], Y n = [ Y (1) , . . . , Y ( n ) ],and Z n = [ Z (1) , . . . , Z ( n ) ], as outputs of these three channels at time 1 to n resp ectively . They are assumed to know the distributio n P U n and noise v ariances V A , V B , and V E . No te that capital letters de- note random v aria bles and corr esp onding small letters denote r ealizations in this pap er . After Alice, Bob, and Eve receive signals, Alice and Bob communicate ov er a public channel. This channel is a ssumed to b e no iseless a nd discr ete, and its capacity is finite. Every messa ges co mm unicated b etw een Alice and Bo b can be in terc e pted by E ve, but it is ass umed that Ev e cannot fraudulent messa ges nor mo dify mes- sages on this public channel without b eing detected. Let C b e the entire communication held over this public channel. After enough co mmu nication over the public channel, Alice co mputes a s e c ret key S on a key al- phab et S a s a function o f he r received signals X n and all informa tio n C ov er the public channel. In a similar wa y , Bob co mputes a secr et key S ′ on S as a function of Y n and C . The se c r et k ey rate in this model is defined as follows. Note tha t we will take all log a rithms to b e base 2, a nd hence all the entropies will b e measure d in bits. Definition 1 F o r given noise v ariances V A , V B , and V E , a rate R is said to b e achievable if for every ǫ > 0 there exists a proto col for s ufficiently large n satisfying Pr[ S 6 = S ′ ] ≤ ǫ, (1) H ( S | C Z n ) ≥ log |S | − ǫ (2) and 1 n log |S | ≥ R − ǫ, (3) where |S | denotes the num b er o f the elements in S . Definition 2 The se cr et key r ate for g iven noise v ari- ances V A , V B , a nd V E , denoted R S ( V A , V B , V E ), is the supremum of all a chiev a ble rate. 3. Secret Key Ag reemen t by Soft-Decision of Signals In this section, we will prop ose a pr oto col that uses reliability informa tion of signals and calculate a lo wer bo und on the se cret key rate in this proto co l. In our pr op osed proto co l, the s a tellite se le c ts input signal U ( i ) i.i.d. according to a distribution P U (1) = P U ( − 1) = 1 2 . Th us, the rec e ived sig nals X ( i ) , Y ( i ) , Z ( i ) are a lso i.i.d. resp ectively . Let a 1 , . . . , a K be a p ositive monotonica lly incr eas- ing s equence, and let E 1 , . . . , E K be sets, where j th level set is defined as E j = [ − a j , a j ] ( j = 1 , . . . , K ). The pr o cedures o f our prop os e d proto co l is as fol- lows. 1. F rom the received signa l X ( i ) at time i , Alice de- termines reliability information W ( i ) A as W ( i ) A =      0 if X ( i ) ∈ E 1 j if X ( i ) ∈ E c j \ E c j +1 ( j = 1 , . . . , K ) K if X ( i ) ∈ E c K , where the s et E c j is the co mplementary set of the set E j in the set o f real num b er s R , and E c j \ E c j +1 = E c j ∩ E j +1 is the difference set. Simila r ly , fro m the received signal Y ( i ) at time i , Bo b determine reliability information W ( i ) B as W ( i ) B =      0 if Y ( i ) ∈ E 1 j if Y ( i ) ∈ E c j \ E c j +1 ( j = 1 , . . . , K ) K if Y ( i ) ∈ E c K . 2. Alice and Bob send sequences W n A = [ W (1) A , . . . , W ( n ) A ] and W n B = [ W (1) B , . . . , W ( n ) B ] over the public c han- nel. F ro m these messages, they can know the sets containing their r eceived signals. 3. Alice a nd Bob qua ntize X n and Y n int o discr ete random v ariables ˜ X n ∆ and ˜ Y n ∆ , wher e ˜ X ( i ) ∆ is de- fined as ˜ X ( i ) ∆ = ( 1 if X ( i ) ≥ 0 , 0 if X ( i ) < 0 , (4) and ˜ Y ( i ) ∆ is similar ly defined as ˜ Y ( i ) ∆ = ( 1 if Y ( i ) ≥ 0, 0 if Y ( i ) < 0. (5) F or given ( W ( i ) A , W ( i ) B ) = ( w A , w B ), if Eve’s ambiguit y H ( ˜ X ∆ | Z, W A = w A , W B = w B ) ab out ˜ X ( i ) ∆ is smalle r than Bo b’s ambiguit y H ( ˜ X ∆ | Y , W A = NAITO et al.: SE CRET K EY AGREEMENT BY SOFT-DECISION OF SIGNALS IN GAUSSIAN MAURER’S MODEL 3 w A , W B = w B ) ab out ˜ X ( i ) ∆ , then we should dis- card ˜ X ( i ) ∆ in our pro to col. Indeed, if we keep ˜ X ( i ) ∆ for such ( W ( i ) A , W ( i ) B ) = ( w A , w B ), then a nega tive term is added to the low er bound o n a secret key rate shown in Eq . ( 12). F urthermor e, if the differ- ence b etw een E ve and Bob’s ambiguity ab out ˜ X ( i ) ∆ is smaller than the difference b etw een Eve’s ambiguit y H ( ˜ Y ∆ | Z, W A = w A , W B = w B ) ab out ˜ Y ( i ) ∆ and Al- ice’s amb iguity H ( ˜ Y ∆ | X , W A = w A , W B = w B ) ab out ˜ Y ( i ) ∆ , we sho uld generate a s ecret key from ˜ Y ( i ) ∆ in- stead of ˜ X ( i ) ∆ . F or this purp ose, we co nsider the se ts A, B ⊂ { 1 , . . . , K } × { 1 , . . . , K } , which are defined as A = { ( w A , w B ) | H ( ˜ X ∆ | Z, W A = w A , W B = w B ) − H ( ˜ X ∆ | Y , W A = w A , W B = w B ) ≥ max { 0 , H ( ˜ Y ∆ | Z, W A = w A , W B = w B ) − H ( ˜ Y ∆ | X , W A = w A , W B = w B ) }} , B = { ( w A , w B ) | H ( ˜ Y ∆ | Z, W A = w A , W B = w B ) − H ( ˜ Y ∆ | X , W A = w A , W B = w B ) > max { 0 , H ( ˜ X ∆ | Z, W A = w A , W B = w B ) − H ( ˜ X ∆ | Y , W A = w A , W B = w B ) }} . If given ( W ( i ) A , W ( i ) B ) is in the s et A , we use ˜ X ( i ) ∆ for gen- erating a secr e t key , other wise w e discard ˜ X ( i ) ∆ . Simi- larly , if giv en ( W ( i ) A , W ( i ) B ) is in the set B , we use ˜ Y ( i ) ∆ for generating a sec r et key , otherw is e we dis card ˜ Y ( i ) ∆ . Thu s, we determine discrete ra ndom v aria bles X ( i ) ∆ = ( ˜ X ( i ) ∆ if ( W ( i ) A , W ( i ) B ) ∈ A , 0 otherwise, (6) and Y ( i ) ∆ = ( ˜ Y ( i ) ∆ if ( W ( i ) A , W ( i ) B ) ∈ B , 0 otherwise, (7) and we use them for generating a secr et key instead of ˜ X ( i ) ∆ and ˜ Y ( i ) ∆ . 4. Acco rding to the rule in E q. (6), Alice determines X n ∆ from W n A , W n B , and ˜ X n ∆ . Similarly , Bob deter- mines Y n ∆ from W n A , W n B , a nd ˜ Y n ∆ . 5. Alice sends partial information of X n ∆ as a public message M A on M A in order to share X n ∆ with Bob. Similarly , Bob sends pa rtial information o f Y n ∆ as a public mess age M B on M B . 6. Alice deco des M B , X n , and the r eliability informa- tion ( W A , W B ) into the es tima tion ˆ Y n ∆ . Similarly , Bob deco des M A , Y n , a nd the reliability informa- tion ( W A , W B ), into the estimation ˆ X n ∆ . 7. L e t F b e a set o f tw o- universal ha sh function [8] (see also App endix B.1) from { 0 , 1 } n × { 0 , 1 } n to S . Alice randomly choose a hash function f ∈ F , and publicly tells the choice to Bob. Then, Alice and B ob’s final keys ar e S = f ( X n ∆ , ˆ Y n ∆ ) and S ′ = f ( ˆ X n ∆ , Y n ∆ ) re s pe c tively . In or der to g uarantee that Alice and Bob c a n com- pute the same key in step 6 , w e set the rate 1 n log |M A | and 1 n log |M B | of public messa ges accor ding to the fol- lowing lemma, whic h is derived by mo difying “Slepian- W olf Co ding” [9 ] for contin uous r andom v ariables . Lemma 1 Suppose that we set 1 n log |M A | > H ( X ∆ | Y W A W B ) (8) and 1 n log |M B | > H ( Y ∆ | X W A W B ) , (9) then there ex is t enco ders a nd deco ders such that the de- co ding err or probabilities Pr { ˆ X n ∆ 6 = X n ∆ } and P r { ˆ Y n ∆ 6 = Y n ∆ } tend to 0 as n → ∞ . Thu s, Eq. (1) is sa tisfied for sufficient ly la rge n . In o r der to guarantee the security of the pr oto col, we set the k ey rate 1 n log | S | according to the follow- ing lemma, whic h is derived by mo difying the so-ca lled “left ov er hash lemma” [10]–[12] for contin uous ra ndom v ariables. Lemma 2 Suppose that we set 1 n log | S | < H ( X ∆ Y ∆ | Z W A W B ) − 1 n log |M A ||M B | , (10) then H ( S | Z n W n A W n B M A M B F ) ≥ log | S | − ǫ (11) is s atisfied for sufficiently large n . Note that F is a ra ndom v a riable o n F , and all in- formation C ov er the public c ha nnel corres po nd t o ( W n A , W n B , M A , M B , F ) in this case. F rom Eqs. (8)–(1 0), w e o btain the following the- orem that gives a lower bo und on secret key r ate R S ( V A , V B , V E ) in this proto col. Theorem 1 By us ing our prop osed pro to col, we achiev e the low er b ound on the secret key r ate R S ( V A , V B , V E ) as R S ( V A , V B , V E ) ≥ H ( X ∆ Y ∆ | Z W A W B ) − H ( X ∆ | Y W A W B ) − H ( Y ∆ | X W A W B ) . (1 2 ) Note that fr om the rule in Eqs. (6)–(7). ,we can rewr ite the Eq . (12) a s 4 IEICE TRANS. FUNDAMENT ALS, VOL.Exx–??, NO. xx XXXX 200x -4 -2 2 4 6 8 10 0. 1 0. 2 0. 3 0. 4 0. 5 Proposed NNR=6 Proposed NNR=2 Proposed NNR=-2 rate [bit/channel] SNR [dB] Fig. 1 The relation b etw een SNR and the key rate in our pro- posed protocol for several NNR. H ( X ∆ Y ∆ | Z W A W B ) − H ( X ∆ | Y W A W B ) − H ( Y ∆ | X W A W B ) = X w A ,w B P W A W B ( w A , w B ) × max { 0 , H ( ˜ X ∆ | Z, W A = w A , W B = w B ) − H ( ˜ X ∆ | Y , W A = w A , W B = w B ) , H ( ˜ Y ∆ | Z, W A = w A , W B = w B ) − H ( ˜ Y ∆ | X , W A = w A , W B = w B ) } . F or fixed ( W A , W B ) = ( w A , w B ), H ( ˜ X ∆ | Z, W A = w A , W B = w B ) − H ( ˜ X ∆ | Y , W A = w A , W B = w B ) is low er b ound on the s ecret key r ate when we use only ˜ X n ∆ for g enerating a secret key , H ( ˜ Y ∆ | Z, W A = w A , W B = w B ) − H ( ˜ Y ∆ | X , W A = w A , W B = w B ) is lo wer bo und on the secre t key ra te when we us e only ˜ Y n ∆ for gener- ating a secret k ey , and 0 is trivial lo wer b ound on the secret key . B y the rule in Eqs. (6)–(7), w e c ho ose the maximum among these lower b o unds on se c ret key rate for eac h ( w A , w B ) in order to make the low er bound on the secr et key rate a s high a s p ossible. Note that enco ding in step 5 and deco ding in s tep 6 are implement able by using low-density parity chec k co des [13 ], [14]. 4. Comparison t o a Proto col wi th Hard- Decision In this section, we will show the rela tion b e tw een signa l- to-noise ra tio (SNR) a nd the key rate a chiev ed by our pro p osed proto col for s everal noise-to-noise ratio (NNR). W e will also show the compariso ns betw een the key rate achiev e d by our propos ed proto co l and the key rate a chiev ed by the pro to col that Alice a nd Bob use only har d-decision for generating a secr et key . The relatio n betw e e n (SNR) and the key rate achiev ed by our propo sed proto col for several NNR is presented in Fig. 1, where sets E 1 , E 2 , and E 3 are de- -4 -2 2 4 6 8 10 0.3 0.4 0.5 Maurer’s Proposed rate [bit/channel] 0.2 0.1 (a) SNR= 1[dB] -4 -2 2 4 6 8 10 0. 1 0. 2 0. 3 0. 4 0. 5 Maurer’s Proposed NNR [dB] rate [bit/channel] (b) SNR= 5[dB] -4 -2 2 4 6 8 10 0. 1 0. 2 0. 3 0. 4 0. 5 Maurer’s Proposed rate [bit/channel] NNR [dB] (c) SNR= 7[dB] Fig. 2 The key rates ac hieved by our prop osed pr otocol and Maurer’s protocol. termined fro m fixed a 1 = 1 3 , a 2 = 2 3 , a 3 = 1 in our prop osed proto col. Note tha t SNR is defined as 1 V A and NNR is defined as V E V B , a nd we a ssume V A = V B . F rom this figur e, we observe that we do no t o btain a high key rate when SNR is to o high or to o low. NAITO et al.: SE CRET K EY AGREEMENT BY SOFT-DECISION OF SIGNALS IN GAUSSIAN MAURER’S MODEL 5 In order to show adv antage to use soft-decision, w e compare the key rate a chiev ed by our prop osed pro to col and the key r ate achieved by Maurer’s pr oto col in which Alice and Bo b use only hard-decis ion for genera ting a secret key . The r esult of this comparis on is presented in Figs. 2(a)–2 (c). In this c omparison sets E 1 , E 2 , and E 3 are determined fro m fixe d a 1 = 1 3 , a 2 = 2 3 , a 3 = 1 in our prop o sed proto co l, and the block length o f rep- etition co de used in Maurer’s proto col is optimally se- lected fro m 1 to 10 for eac h NNR. F rom these figures, we o bserve that we obtain a larger k ey rate by o ur pro- po sed proto c o l tha n by Maur er’s pr o to col with a ll v alue of NNR. Note that in Gaussian Maurer ’s mo del, w e should ca lculate the k ey rate by Maurer’s pr oto col for Eve who can use con tin uous random v ariables Z n to guess the secr e t key . How ever, the numerical calcula- tion of the k ey rate b y Maurer’s proto col in Gaussian Maurer’s mo del is difficult when the blo ck length of rep- etition co de used in his proto col is 2 or la r ger. Thus, we calculate the k ey rate in BSC Ma urer’s mo del instead of Gaussian Maurer ’s mo del when the blo ck length o f rep etition co de used in his proto co l is 2 o r larger . In the calculation o f the key rate in BSC Ma ur er’s mo del, we consider the situatio n that Alice, Bob, and Eve hard- detect rece ived s ignals accor ding to the s imilar rule a s in Eqs. (4) and (5). In this situa tio n, we ca n conv ert three Gaussian channels in to indep endent binary sym- metric channels with erro r pro babilities ǫ A , ǫ B , ǫ E given by ǫ A = 1 2 erfc  r 1 V A  , ǫ B = 1 2 erfc  r 1 V B  , ǫ E = 1 2 erfc  r 1 V E  , (13) where the complementary error function erfc ( z ) is de- fined as erfc ( z ) = 2 √ π Z ∞ z e − t 2 . (14) Note that this wa y of the compar ison g ives Ma urer’s proto col a dv antage b eca use a wire-tapp er in Gaussian Maurer’s mo del is more p ow er ful than in BSC Mau- rer’s mo del. † Hence, the key rate ac hieved by Maur e r ’s proto col in Gaussian Maurer ’s mo del is lower than that presented in Figs. 2(a)–2(c). 5. Conclusion In this pap er , we have prop o sed Gaussian Maure r ’s mo del and the proto c ol with reliability information based on the result of the soft-decisio n in this mo del. As a res ult, we hav e obtained a higher key r ate than Maurer’s proto col. This is because that the co r relation † The wire-tapp er in BSC Maurer’s model can use con- tinuous random v ariables Z n to guess the secret k ey , b ut one in BS C Maurer’s mod el can only use q uantized versio ns of them. betw een X ∆ in Eq. (6) and Y and b e t ween Y ∆ in E q. (7) and X obta ined by us ing the reliability information is stronger than the correla tion b etw een ˜ X ∆ in Eq. (4) and ˜ Y ∆ in Eq. (5) obtained b y using the hard-decisio n. How ever, we do not know the optimal w ay to de- termine sets E 1 , . . . , E K and its num b er K . Intuitiv ely , one may think that the more s ets we use, the higher rate w e obtain. Howev er, this intuition do es not seem to b e alwa ys tr ue. Actually , there exists the case that we cannot obtain higher key rate though we use many sets. F urthermo r e, we have to find the optimal s ig nal constellation used by the satellite. These problems a re future r esearch agenda. Ac knowledgmen ts W e would like to thank Dr. Jun Muramatsu for v a lu- able discuss io ns. This res earch also partly supp or ted by the Japan Society for the Pro motion o f Science under Grants-in-Aid No. 001 97137 . App endix A: Pro of of lemm a 1 W e only prov e that if we set the ra te 1 n log |M A | of pub- lic message accor ding to Eq. (8), then there exist e n- co ders a nd decoders suc h tha t the deco ding error prob- abilities Pr { ˆ X n ∆ 6 = X n ∆ } tends to 0 as n → ∞ . The pro of for the rate 1 n log |M B | of public message follows by symmetry . W e use the so-called “bin c o ding” prop osed by Cov er [15] in this pro of. The proce dures o f bin c o d- ing is as fo llows. Assign every x n ∆ ∈ X n ∆ to o ne of |M A | bins in- depe ndently acco rding to the uniform dis tr ibution on M A . Alice sends the index i of the bin to which x n ∆ belo ngs. Then let ¯ ϕ n ( x n ∆ ) = i . F or each ( y n , w n ), we define the set S n ( y n , w n ) ⊂ X n ∆ as S n ( y n , w n ) :=  x n ∆ : 1 n log 1 P X n ∆ | Y n , W n ( x n ∆ | y n , w n ) ≤ H ( X ∆ | Y W ) + γ  , where γ > 0 is a n arbitra ry fixed sma ll co nstant, and we denote the pair ( W n A , W n B ) as W n . Then, for given y n , w n , a nd the received index i , declar e ¯ ψ n ( i, y n , w n ) = x n ∆ if there is one and only one pair ( x n ∆ , y n , w n ) such that ¯ ϕ n ( x n ∆ ) = i and x n ∆ ∈ S n ( y n , w n ). Otherwise, declare a n erro r. W e will ev aluate the decoding error pr obability av- eraged ov er r andomly chosen enco der s as follows. W e hav e an er ror if X n ∆ is not in S n ( Y n , W n ) o r if there is a nother sy mbo l ˆ x n ∆ ∈ X n ∆ in the same bin. Thus, we can define the e ven ts of error 6 IEICE TRANS. FUNDAMENT ALS, VOL.Exx–??, NO. xx XXXX 200x E (0) n := { X n ∆ / ∈ S n ( Y n , W n ) } , E (1) n :=  ∃ ˆ x n 6 = X n ∆ : ¯ ϕ n ( ˆ x n ∆ ) = ¯ ϕ n ( X n ∆ ) and ˆ x n ∆ ∈ S n ( Y n , W n )  , Then the deco ding err or pro bability av eraged ov er r an- domly chosen e nc o ders P r { X n ∆ 6 = ¯ ψ n ( ¯ ϕ n ( X n ∆ ) , Y n , W n ) } is upp er b ounded a s Pr { X n ∆ 6 = ¯ ψ n ( ¯ ϕ n ( X n ∆ ) , Y n , W n ) } = Pr { E (0) n ∪ E (1) n } ≤ Pr { E (0) n } + Pr { E (1) n } . (A · 1) Pr { E (0) n } is ev aluated as Pr { E (0) n } = Pr { X n ∆ / ∈ S n ( Y n , W n ) } = P r  1 n log 1 P X n ∆ | Y n W n ( X n ∆ | Y n W n ) > H ( X ∆ | Y W ) + γ  = P r  1 n n X i =1 log 1 P X ∆ | Y W ( X ( i ) ∆ | Y ( i ) W ( i ) ) > H ( X ∆ | Y W ) + γ  , (A · 2) which tends to 0 as n → ∞ by the weak la w of lar ge nu mbers. T o b ound P r { E (1) n } , w e rewr ite it a s Pr { E (1) n } = Pr  ∃ ˆ x n ∆ 6 = X n ∆ : ¯ ϕ n ( ˆ x n ∆ ) = ¯ ϕ n ( X n ∆ ) and ˆ x n ∆ ∈ S n ( Y n , W n )  = Z Y n p Y n ( y n ) X ( x n ∆ , w n ) ∈X n ∆ ×W n A ×W n B P X n ∆ W n | y n ( x n ∆ , w n ) g n ( x n ∆ , y n , w n ) dy n , (A · 3) where g n ( x n ∆ , y n , w n ) = Pr  ∃ ˆ x n ∆ 6 = x n ∆ : ¯ ϕ n ( ˆ x n ∆ ) = ¯ ϕ n ( x n ∆ ) and ( ˆ x n ∆ ) ∈ S n ( y n , w n )  . (A · 4) F urthermor e, we can rewr ite (A · 4) as g n ( x n ∆ , y n , w n ) = X ˆ x n ∆ 6 = x n ∆ ˆ x n ∆ ∈ S n ( y n , w n ) Pr { ¯ ϕ n ( ˆ x n ∆ ) = ¯ ϕ n ( x n ∆ ) } = X ˆ x n ∆ 6 = x n ∆ ˆ x n ∆ ∈ S n ( y n , w n ) 1 |M A | ≤ X ˆ x n ∆ ∈ S n ( y n , w n ) 1 |M A | = | S n ( y n , w n ) | |M A | (A · 5) If ˆ x n ∆ ∈ S n ( y n , w n ), then from the definition of S n ( y n , w n ), we hav e P X n ∆ | y n , w n ( ˆ x n ∆ ) ≥ 2 − n ( H ( X ∆ | Y W )+ γ ) . Thu s, we hav e 1 ≥ X ˆ x n ∆ ∈ S n ( y n , w n ) P X n ∆ | Y n W n ( x n ∆ | y n , w n ) ≥ | S n ( y n , w n ) | 2 − n ( H ( X ∆ | Y W )+ γ ) . Hence, we hav e | S n ( y n , w n ) | ≤ 2 n ( H ( X ∆ | Y W )+ γ ) . (A · 6) F rom Eqs.(A · 3 )–(A · 6), we upp er b o und P r { E (1) n } as Pr { E (1) n } ≤ Z Y n p Y n ( y n ) X ( x n ∆ , w n ) ∈X n ∆ ×W n A ×W n B P X n ∆ W n | y n ( x n ∆ , w n ) 2 n ( H ( X ∆ | Y W )+ γ ) |M A | dy n ≤ 2 n ( H ( X ∆ | Y W )+ γ ) |M A | = 2 − log |M A | 2 n ( H ( X ∆ | Y W )+ γ ) , (A · 7) which expo nent ially tends to 0 as n → ∞ if 1 n log |M A | > H ( X ∆ | Y W ) + γ . Since the dec o ding erro r proba bilit y Pr { X n ∆ 6 = ¯ ψ n ( ¯ ϕ n ( X n ∆ ) , Y n , W n ) } of rando mly chosen co de tends to 0 a s n → ∞ , there ex is t at least one pair o f an enco der and a deco der s uch that the decoding error probability Pr { ˆ X n ∆ 6 = X n ∆ } tends to 0 as n → ∞ . App endix B: Pro of of lem m a 2 In this Appendix, we will show the pro o f of lemma 2 . In sec tion B.1, w e introduce a tw o - universal hash fam- ily , whic h is used for computation of a secret key . In section B.2, we define the security of the proto col in the sense of the v aria tional distance, a nd we sho w the re- lation b etw een the security of the proto co l in the sens e of the v a riational distance and the condition Eq. (2). This relation implies that if the security of the pro to- col in the sense o f the v aria tional distance is satisfied, then the c o ndition Eq. (2) is satisfied. In section B.3, we relate the size |S | of a secret key S and the size |M A × M B | of public message s M = ( M A , M B ) to the security of the proto col, and we show that if we set 1 n ln |S | < H ( X ∆ Y ∆ | Z W A W B ) − 1 n ln |M A × M B | , then there exis ts at least one hash function f that sat- isfy E q. (2) for sufficie ntly larg e n . F or the s implicit y o f no tation, we denotes the integral ov er R n as R unless o therwise sp eci- fied, and we abbrevia tes P R n M n | Z n W n ( · , ·| z n , w n ) as P R n M n | z n , w n ( · , · ). The v a riational dis tance k P 1 − P 2 k betw een the probability distribution P 1 and P 2 on V is defined a s NAITO et al.: SE CRET K EY AGREEMENT BY SOFT-DECISION OF SIGNALS IN GAUSSIAN MAURER’S MODEL 7 k P 1 − P 2 k := X v ∈ V | P 1 ( v ) − P 2 ( v ) | . (A · 8) B.1 t wo-universal hash family In order to extract an almost secr et string (secret key S ) from a partially secret strings (a pair R n of random v ariables X n ∆ and Y n ∆ ), we use a tw o-universal hash fam- ily F . A set F of functions f : X n ∆ × Y n ∆ → S is said to be a two-universal hash family if we have P F  { f ∈ F | f ( r n ) = f ( r ′ n ) }  ≤ 1 |S | (A · 9) for any r n 6 = r ′ n ∈ X n ∆ × Y n ∆ , wher e F denotes a random v ariable on F and P F denotes the uniform distr ibution on F . F or given E ve’s received s ig nals z n ∈ R n and re- liability information w n ∈ W A × W B , the jointly con- ditional distribution P S M | z n , w n ( s, m ) o f a secret key S = f ( R n ) and public message M is given by P S M | z n , w n ( s, m ) := X r n ∈ f − 1 ( s ) P R n M | z n , w n ( r n , m ) = P R n M | z n , w n ( f − 1 ( s ) , m ) , where f − 1 ( s ) := { r n ∈ X n ∆ × Y n ∆ | f ( r n ) = s } is the subset of a set X n ∆ × Y n ∆ such that f ( r n ) = s . Note that since S dep ends o n a hash function f , it should be refer r ed a s S f . But, we use the ab ov e no ta tion for conv enience in this pap er. B.2 The secur it y of the proto col in the sense of the v ariational dista nce In order to pr ov e lemma 2, we define the s ecurity of the proto col in the sense of the v ariational dista nce in this section. If a secret k ey S is indep e ndent of Eve’s infor - mation and its distribution P S is close to the uniform distribution P ¯ S on S , we decide that the secret k ey S is se c ure in the se nse o f the v ar iational dista nce. In the other words, we define the security of the proto co l as ∆ f := Z p Z n ( z n ) X w n ∈W n A ×W n B P W n | z n ( w n ) k P S M | z n , w n − P ¯ S × P M | z n , w n k dz n , (A · 10) where P M | z n , w n is the margina l distr ibution o f P S M | z n , w n , and P ¯ S × P M | z n , w n is the pro duct distri- bution o f P ¯ S and P M | z n , w n As an extension of [16 , Lemma 1] to cont inu ous random v aria ble, the fo llowing lemma relates the se- curity of the pro to col in the sense o f the v a r iational distance to the security of the proto col in the sense of the entropy s hown in Eq. (2 ). Lemma 3 The conditional en tro py H ( S | Z n W n M F ) is low er bo unded by H ( S | Z n W n M F ) ≥ (1 − E f [∆ f ]) ln |S | − E f [∆ f ] log 1 E f [∆ f ] . (A · 1 1 ) Note that since W n = ( W n A , W n B ) and M = ( M A , M B ), the conditional entrop y H ( S | Z n W n M F ) equiv alent to H ( S | Z n W n A W n B M A , M B F ) in Eq. (11). F rom this lemma, if E f [∆ f ] is sufficiently small, a secret key S is secure in the sense o f the entropy . Pr o of. Let ∆ f , m ,z n , w n := k P S | m ,z n , w n − P ¯ S k . (A · 1 2 ) Then, we can r ewrite ∆ f as ∆ f = Z p Z n ( z n ) X m , w n P MW n | z n ( m , w n )∆ f , m ,z n , w n dz n (A · 1 3 ) F or given z n ∈ R n , w n ∈ W n A × W n B , and m ∈ M A × M B , we obtain H ( S | M = m , Z n = z n , W n = w n , F = f ) ≥ log |S | − ∆ f , m ,z n , w n log |S | ∆ f , m ,z n , w n , (A · 1 4 ) which follows fr om the contin uity of entrop y [15] in the similar way a s [16 , Lemma 1]. The second term of Eq. (A · 14) is upper bo nded as follow. Since t log 1 t is a concav e function, we obtain X m , w n P MW n | z n ( m , w n )∆ f , m ,z n , w n log |S | ∆ f , m ,z n , w n ≤ ∆ f ,z log |S | ∆ f ,z (A · 1 5 ) from Jensen’s inequa lit y for w n , m , where we let ∆ f ,z n := P m , w n P MW n | z n ( m , w n )∆ f , m ,z n , w n . Aver- aging Eq. (A · 1 5) ov er z n , we obtain Z p Z n ( z n )∆ f ,z n log |S | ∆ f ,z dz n ≤ ∆ f log |S | ∆ f (A · 1 6 ) from Jensen’s inequality for z n . Moreover, averaging Eq. (A · 16) ov er f , we obtain E f  ∆ f log |S | ∆ f  ≤ E f [∆ f ] log |S | E f [∆ f ] (A · 1 7 ) from Jense n’s inequality for f .  Note that when w e use Je ns en’s inequalit y fo r a contin uous random v a riable, the c o ndition o f a bsolutely int egrable Z p Z n ( z n ) | ∆ f ,z n | dz n < ∞ (A · 18) m ust be satisfied [17 ]. In this case, from the fact that 0 ≤ ∆ f ,z n ≤ 2, this condition is satisfied. 8 IEICE TRANS. FUNDAMENT ALS, VOL.Exx–??, NO. xx XXXX 200x B.3 The rela tio n betw een the size of a s ecret key and the secur ity of the proto col The follo w ing lemma relates the size |S | of a secret k ey S and the size |M A × M B | o f public mes s ages M to the secur ity of the pro to col. Lemma 4 F o r the size |S | o f a secret key S , the size |M A × M B | of public messages M , and the security of the pro to col ∆ f , we hav e E f [∆ f ] ≤ r |S ||M A × M B | 2 αn +2 Z p n Z ( z n ) X w n P W n | z n ( w n ) × P R n | z n w n ( { r n ∈ X n ∆ × Y n ∆ | − 1 n log P R n | z n w n ( r n ) < α  dz n , (A · 1 9) where E f denotes exp ecta tion for a uniform distribu- tion o n F . Pr o of. This pr o of is bas ed on the tec hniques in [18, Chapter 5]. In the following, we will pr ov e E f [∆ f ,z n , w n ] ≤ r |S ||M A × M B | 2 αn +2 P R n | z n w n ( { r n ∈ X n ∆ × Y n ∆ | − 1 n log P R n | z n w n ( r n ) < α  , (A · 2 0 ) where ∆ f ,z n , w n = k P S M | z n w n − P ¯ S × P M | z n w n k , (A · 21) Averaging Eq. (A · 20) ov er z n and w n , we obtain Eq. (A · 19). F or given z n ∈ R n and w n ∈ W n A × W n B , we define the set A n ⊂ X n ∆ × Y n ∆ as A n :=  r n ∈ X n ∆ × Y n ∆ | − 1 n log P R n | z n w n ( r n ) ≥ α  , and we define the set A c n as the complement of A n on X n ∆ × Y n ∆ . Then, ∆ f ,z n , w n for given f ∈ F is upp er bo unded by k P S M | z n w n − P ¯ S × P M | z n w n k = X s, m | P R n M | z n w n ( f − 1 ( s ) , m ) − P ¯ S ( s ) P M | z n w n ( m ) | (A · 2 2 ) = X s, m | P R n M | z n w n ( f − 1 ( s ) ∩ A n , m ) − P ¯ S ( s ) P M | z n w n ( A n , m ) + P R n M | z n w n ( f − 1 ( s ) ∩ A c n , m ) − P ¯ S ( s ) P M | z n w n ( A c n , m ) | (A · 2 3 ) ≤ X s, m h n ( s, m ) + X s, m P R n M | z n w n ( f − 1 ( s ) ∩ A c n , m ) + X s, m P ¯ S ( s ) P R n M | z n w n ( A c n , m ) (A · 2 4 ) = X s, m h n ( s, m ) + 2 P R n | z n w n ( A c n ) . (A · 2 5 ) where h n ( s, m ) = | P R n M | z n w n ( f − 1 ( s ) ∩ A n , m ) − P ¯ S ( s ) P R n M | z n w n ( A n , m ) | . (A · 2 6 ) Eq. (A · 22) follows from the definition of the v ar ia tional distance and f − 1 ( s ). Eq. (A · 23) follows from the fact that ( f − 1 ( s ) ∩ A n ) ∩ ( f − 1 ( s ) ∩ A c n ) = ∅ , f − 1 ( s ) = ( f − 1 ( s ) ∩ A n ) ∪ ( f − 1 ( s ) ∩ A c n ), and P M | z n w n ( m ) = P R n M | z n w n ( A n , m ) + P R n M | z n w n ( A c n , m ). E q . (A · 24) follows from the tr iangle inequalit y . Eq . (A · 25) follows from the fact that ∪ s ∈S f − 1 ( s ) = X n ∆ × Y n ∆ . B y reg a rd- ing the first term in Eq. (A · 2 5 ) as an inner pro duct, and by using the Cauch y- Sch warz inequality , we can upper b ound the first term in Eq. (A · 25) by X s, m h n ( s, m ) ≤ s |S ||M A × M B | X s, m h n ( s, m ) 2 (A · 2 7 ) F urthermor e, we ca n rewrite the inside of the ro ot of E q. (A · 2 7) as X s, m h n ( s, m ) 2 = X s, m  P R n M | z n w n ( f − 1 ( s ) ∩ A n , m ) 2 − 2 P R n M | z n w n ( f − 1 ( s ) ∩ A n , m ) P ¯ S ( s ) P R n M | z n w n ( A n , m ) + P ¯ S ( s ) 2 P R n M | z n w n ( A n , m ) 2  = X s, m P R n M | z n w n ( f − 1 ( s ) ∩ A n , m ) 2 − X m 1 |S | P R n M | z n w n ( A n , m ) 2 , (A · 2 8 ) where Eq. (A · 28) follows from the fact that NAITO et al.: SE CRET K EY AGREEMENT BY SOFT-DECISION OF SIGNALS IN GAUSSIAN MAURER’S MODEL 9 P ¯ S ( s ) = 1 |S | and P s P R n M | z n w n ( f − 1 ( s ) ∩ A n , m ) = P R n M | z n w n ( A n , m ). Then, w e can r ewrite the first term o f Eq. (A · 28 ) as X s, m P R n M | z n w n ( f − 1 ( s ) ∩ A n , m ) 2 = X s, m X r n , r ′ n ∈ f − 1 ( s ) ∩ A n P R n M | z n w n ( r n , m ) P R n M | z n w n ( r ′ n , m ) = X m X r n , r ′ n ∈ A n δ f ( r n ) ,f ( r ′ n ) P R n M | z n w n ( r n , m ) P R n M | z n w n ( r ′ n , m ) , (A · 2 9 ) where δ f ( r n ) ,f ( r ′ n ) is Kr oneck er ’s delta. On the o ther hand, we can rewrite the second term o f Eq. (A · 28 ) as X m 1 |S | P R n M | z n w n ( A n , m ) 2 = X m X r n , r ′ n ∈ A n 1 |S | P R n M | z n w n ( r n , m ) P R n M | z n w n ( r ′ n , m ) . (A · 30) Thu s, av eraging Eq. (A · 28) ov er f , we obtain X m X r n , r ′ n ∈ A n E f  δ f ( r n ) ,f ( r ′ n ) − 1 |S |  P R n M | z n w n ( r n , m ) P R n M | z n w n ( r ′ n , m ) . (A · 31) Since f is c hosen from a universal-hash-family , we ob- tain E f  δ f ( r n ) ,f ( r ′ n ) − 1 |S |  ≤  1 for r n = r ′ n 0 for r n 6 = r ′ n from its definition (shown in Eq. (A · 9 )). Th us, Eq. (A · 31) is upp er b ounded by X m X r n ∈ A n P R n M | z n w n ( r n , m ) P R n M | z n w n ( r n , m ) ≤ X m X r n ∈ A n P R n M | z n w n ( r n , m ) 1 2 αn (A · 3 2 ) ≤ X r n , m P R n M | z n w n ( r n , m ) 1 2 αn (A · 3 3 ) = 1 2 αn , (A · 3 4 ) where Eq. (A · 32) follows from the fact that P R n M | z n w n ( r n , m ) ≤ P R n | z n w n ( r n ) ≤ 1 2 αn for any r n ∈ A n . Since the ro ot function √ · is concav e func- tion, by combinin g Eqs.(A · 22 )– (A · 32) and a veraging ov er f , we obtain E f [∆ f ,z n , w n ] ≤ s |S ||M A × M B | X s, m h n ( s, m ) 2 +2 P R n | z n w n ( { r n ∈ X n ∆ × Y n ∆ | − 1 n log P R n | z n w n ( r n ) < α } ) ≤ r |S ||M A × M B | 2 αn +2 P R n | z n w n ( { r n ∈ X n ∆ × Y n ∆ | − 1 n log P R n | z n w n ( r n ) < α } ) . (A · 3 5)  Corollary 1 Suppose that w e set 1 n log |S | = H ( R | Z W ) − 1 n log |M A × M B | − 2 δ , E f [∆ f ] is expo - nent ially small for sufficiently large n . Pr o of. Suppo se that we s et α = H ( R | Z W ) − δ for δ > 0 , the second ter m of Eq. (A · 1 9) e x po nen- tially tends to 0 as n → ∞ by using the Cher noff bo und [15]. On the other hand, suppo se that w e set 1 n log |S | = H ( R | Z W ) − 1 n log |M A × M B | − 2 δ , the firs t term of E q. (A · 19) is e − δn and tends to 0 as n → ∞ . Thus, suppo se tha t we set 1 n log |S | = H ( R | Z W ) − 1 n log |M A × M B | − 2 δ , E f [∆ f ] exp onen- tially tends to 0 as n → ∞ .  If E f [∆ f ] is exp onentially small, then the s ecurity of the proto co l in the se ns e of entropy is guara nt eed by lemma 3 . F r om this fact a nd cor ollary 5, supp ose that we set 1 n log |S | < H ( X ∆ Y ∆ | Z W A W B ) − 1 n log |M A × M B | , E q. (2) is satisfied for sufficiently lar ge n . References [1] A. D. Wyner, “The wi re-tap channe l,” Bel l Syst. T e ch. J. , v ol. 54, no. 8, pp. 1355–1387, 1975. [2] S. K. Leung-Y an-Cheong, “Multi-user and wire-tap chan- nels including feedbac k,” Ph.D. disser tation, Stanford Uni- v ersity , 1976. [3] S. K. Leung-Y an-Cheong and M. E. Hellman, “The Gaus- sian wire-tap c hannel,” IEEE T r ans. Inform. The ory , v ol. 24, no. 4, pp. 451–456, July 1978. [4] I. Csisz´ a r and J. K¨ orner, “Broadcast channels with confi- den tial messages,” IEEE T r ans. Inform. The ory , vo l. 24, no. 3, pp. 339 –348, M a y 1979. [5] U. Maurer, “Secret key agreement by public discussion from common information,” IEEE T r ans. Inform. The ory , v ol. 39, no. 3, pp. 733–742, Ma y 1993 . [6] T. Aono, K. Higuchi, T. Ohira,‘ B. Komiya ma, and H. Sasaok a, “Wireless Secret Key Generation Exploiting Reactance -Domain Scalar Resp onse of Multipat F ading Channel,” IEEE T r ans. Antennas and Pr op agation , vol. 53, no. 11, pp. 3776–3 784, 2005. [7] R. Ahlsw ede and I. Csiszar, “Common r andomness in infor- mation theory and cryptograph y–part 1: Secret sharing,” 10 IEICE TRANS. FUNDAMENT ALS, VOL.Exx–??, NO. xx XXXX 200x IEEE T r ans. Inform. The ory , vol. 39, no. 4, pp. 1121–1132, 1993. [8] J. L. Carter and M. N. W egman, “Univ ersal classes of hash functions,” Journal of Computer and Syst em Sci- enc es , vol. 18, pp. 143– 154, 1979. [9] D. Slepian and J. K. W olf , “Noiseless coding of correlated information sources,” IEEE T r ans. Inform. The ory , vol. 19, no. 4, pp. 471 –480, July 1973. [10] C. H. Bennett, G. Brassard, and J. M . Robert, “Priv acy am- plification by publi c discussion,” SIAM Journal on Com- puting , vol. 17, no. 2, pp. 210–229, Apr. 1988. [11] R. Impagliazzo, L. A. Levin, and M. Luby , “Pseudo-random generation f rom one-w ay function,” in Pr o c ee dings of the 21st A nnual ACM Symp osium on The ory of Computing (STOC ’89) . ACM press, 1989, pp. 12–24. [12] C. H. Bennett, G. Br assard, C. Cr epeau, and U. Maurer, “Generalized pr iv acy amplification,” IEEE T r ans. on In- form. The ory , vol. 41, no. 6, pp. 1915–1923 , Nov . 1995. [13] J. M uramatsu, T. Uyematsu, and T. W aday ama, “Low- densit y parity -che c k matrices for co di ng of corr elated sources,” IEEE T r ans. Inform. The ory , vol. 51, no. 10, pp. 3645–365 4, 2005 . [14] T. P . Coleman, A. H. Lee, M. M´ edard, and M. Effros, “Lo w - complexit y approaches to Slepian-W olf near-lossl ess distributed date compression,” IEEE T r ans. Inform. The- ory , vol. 52, no. 8, pp. 3546–3561, 2006. [15] T. M. Co v er and J. A. Thomas, Elements of Information The ory , 2nd ed. John Wil ey & Sons, 2006. [16] I. Csisz´ ar and P . Nara yan, “Secrecy cap acities for multiple terminals,” IEEE T r ans. Inform. The ory , v ol. 50, no. 12, pp. 3047–3061, December 2004 . [17] K. Ito, Intr o duction to pr ob ability the ory . Cambridge Uni- v ersity Press, 1984. [18] R. Renner, “Security of quan tum k ey distri bution,” Ph.D thesis, Dipl. Phys. ETH, Switzerland , 2005, arXiv:quan t- ph/051225 8.