Security Aspects of the Authentication Used in Quantum Cryptography
Jörgen Cederlöf and Jan-Åke Larsson
Abstract—Unconditionally secure message authentication is an important part of quantum cryptography (QC). In this correspondence, we analyze security effects of using a key obtained from QC for authentication purposes in later rounds of QC. In particular, the eavesdropper gains partial knowledge on the key in QC that may have an effect on the security of the authentication in the later round. Our initial analysis indicates that this partial knowledge has little effect on the authentication part of the system, in agreement with previous results on the issue. However, when taking the full QC protocol into account, the picture is different. By accessing the quantum channel used in QC, the attacker can change the message to be authenticated. This, together with partial knowledge of the key, does incur a security weakness of the authentication. The underlying reason for this is that the authentication used, which is insensitive to such message changes when the key is unknown, becomes sensitive when used with a partially known key. We suggest a simple solution to this problem, and stress usage of this or an equivalent extra security measure in QC.
Index Terms—Authentication, quantum cryptography (QC), quantum key distribution, quantum key growing (QKG).
I. INTRODUCTION
Quantum cryptography (QC), or more accurately quantum key growing (QKG), uses properties of quantum mechanical systems to share a secret key between two sites. QKG was first proposed in 1984 and there are several variations on the theme today. Because there are excellent descriptions of these systems elsewhere, we will only outline the generic steps of a QKG algorithm here, and then focus on the authentication used. The security of QKG is based on laws of nature rather than computational complexity as is usually the case for key-sharing systems, and therefore, we will here not assume that there are any bounds to the computational capacity of the attacker.
Manuscript received October 31, 2006; revised September 7, 2007. J. Cederlöf was with the Department of Mathematics, Linköping University, SE-581 83 Linköping, Sweden. He is now with Google Inc., Mountain View, CA 94043 USA (e-mail: email@example.com). J.-A. Larsson is with the Department of Mathematics, Linköping University, SE-581 83 Linköping, Sweden (e-mail: firstname.lastname@example.org). Communicated by A. Winter, Associate Editor for Quantum Information Theory. Digital Object Identifier 10.1109/TIT.2008.917697
We will use common-practice terminology and refer to the sender, receiver, and eavesdropper as Alice, Bob, and Eve, respectively. To set up a QKG system Alice and Bob need a “quantum channel” between them where they can send and receive, or share, quantum systems, e.g., “quantum bits” (qubits). One example is an optical fiber carrying single photons with the qubit coded in the photon’s polarization, but there are many other possibilities. In a perfect...