Quantum-Inspired Secure Wireless Communication Protocol Under Spatial and Local Gaussian Noise Assumptions

Inspired by quantum key distribution, we consider wireless communication between Alice and Bob when the noise generated in the intermediate space between Alice and Bob is controlled by Eve. Our model divides the channel noise into two parts, the noise generated during the transmission and the noise generated in the detector. Eve is allowed to control the former, but is not allowed to do the latter. While the latter is assumed to be a Gaussian random variable, the former is not assumed to be a Gaussian random variable. In this situation, using backward reconciliation and random sampling, we propose a protocol to generate secure keys between Alice and Bob under the assumption that Eve’s detector has a Gaussian noise and Eve is not so close to Alice’s transmitting device. In our protocol, the security criteria are quantitatively guaranteed even with finite block-length code based on the evaluation of error of the estimation of the channel.

to use public channel and they do not detect the existence of Eve.At least, even when Eve has much powerful performance than Alice and Bob, e.g., the intermediate space between Alice and Bob might be controlled by Eve, Alice and Bob can generate secure keys.Its security evaluation has been done even with finite-length including second order analysis [27], [28], [29], [30], [31], [32].In QKD, after the quantum communication from Alice to Bob, Alice and Bob check whether the secure keys can be distilled from random variables generated by the initial quantum communication via public channel.Also, Fung [33] et al proposed to use error verification to guarantee the reliability of the final keys for QKD.In addition, as pointed in several papers [76], [77], [78], when Eve cannot access the noise in Bob's detector, information reconciliation with backward can improve the asymptotic key generation rate.In this way, in the context of QKD, they proposed several advanced methods to generate secure keys after the initial transmission.However, QKD requires more expensive devices even for Alice and Bob.Hence, it is not so easy to implement QKD.Therefore, it is required to propose an alternative secure-key generation protocol of quantum key distribution under a reasonable assumption by using cheaper devices.
In this paper, inspired from these advanced techniques in QKD, we propose a protocol to generate quantitatively secure keys between Alice and Bob under a reasonable assumption advantageous to Eve when Alice and Bob do not detect the existence of Eve.In this analysis, Eve is allowed to control the intermediate space between Alice and Bob, however, she is not allowed to access the noise in Bob's detector in a similar way to the analysis in [76], [77], [78].The biggest difference from the above analysis in QKD is the assumption that Eve's detector has non-negligible noise, which cannot be accessed by Eve.This assumption is stronger than that in QKD, but enables us to generate secure key without use of quantum communication.Since quantum key distribution assumes public channel, Alice and Bob are allowed to use public channel in the first step of this paper.However, Eve might override the signals to Bob or the public channel for spoofing [10].We explain a method to avoid such attack, which requires shared secret randomness with small size.Further, for efficient realization of the protocol, we additionally impose the following requirements.
(R1) The security of final keys is guaranteed quantitatively based on acceptable criterion even for cryptography community (e.g. the variational distance criterion [35] or the modified mutual information criterion) even though Eve takes the optimal strategy under the above assumption.Additionally, the formula to derive the security evaluation has sufficiently small calculation complexity.(R2) The calculation complexity of the whole protocol (Protocol 1 given in Section V-A) is sufficiently small.This paper is organized as follows.Firstly, we rigorously explain our purpose and our assumption in Section II.Then, we compare our formulation with existing jamming attacks in Section III-B.As the next step, before proceeding to our protocol, we discuss the mathematical structure of our model in Section IV.In Section V, we give our concrete secure protocol by assuming the public channel.In particular, the end of Subsection V-C2, we briefly explain the solution for spoofing.Section VI analyzes the security of the given protocol, and numerically evaluates the security in a typical case.Section VII is devoted to two kinds of extensions, multiple antenna attack and complex number case.Section VIII consider the relation of a model with interference to the additional noise of the eavesdropper channel so that we clarify how our model contain such a interference channel.Section IX gives proofs of statements given above.

II. PURPOSE AND ASSUMPTIONS
Recall that the aim of this paper is to propose a protocol to generate quantitatively secure keys between Alice and Bob under a reasonable assumption advantageous to Eve.Here, our aim is not to always generate secure keys, but is to detect the existence of eavesdropping with high probability when it exists.That is, when they consider there is no eavesdropper, their keys are required to be matched and secret.In other word, it is required to discard their keys when an eavesdropper exists.Here, the case without eavesdropper means the case when the operation of the eavesdropper cannot be distinguished from the natural phenomena.So, the natural case, i.e., the case with the natural phenomena, is very important in our analysis.
In the real setting, it is difficult to identify where Eve attacks the communication between Alice and Bob except for Alice's neighborhood and Bob's detector.To guarantee the security of the final keys in such a setting, it is natural to assume the following conditions when Alice sends the i-th signal A i .
(A1) The intermediate space between Alice and Bob might be controlled by Eve while Eve's operation is restricted to satisfy the following conditions.That is, the information Y i can be injected by Eve as Fig. 1 so that Eve knows the noise Y i + e B added to Bob's detection during transmission in the intermediate space.Here, we choose the variable Y i such that its average is 0. Hence, the average of the noise is e B . e B is independent of i to due to Assumption (A4).(A2) When Bob and Eve detect the i-th receiving signal B i and E i , independent Gaussian noises b B X 1,i and b E X 2,i are added, respectively, where X 1,i and X 2,i are subject to the stranded Gaussian distribution and independent of X 1,i ′ and X 2,i ′ for i = i ′ .Alice and Bob know the lower bounds of the powers b B and b E of their noise.This assumption is called the local Gaussian noise assumption.Since no detector has no detection noise, this assumption is reasonable.Nobody can control these noises.(A3) Alice and Bob know the lower bound of the attenuation a E for Alice's signal in Eve's detection.
When Eve is out of Alice's neighborhood, this condition holds.This assumption is called the spatial assumption for Eve.(A4) The wireless communication between Alice and Bob is quasi static.That is, the channel between Alice and Bob is almost constant during a specific time interval so called the coherent time [34,Section 5.4.1].In other words, during the coherent time, the noise can be considered to be independently and identically distributed and to be independent of other variables.Also, the attenuation a B for Alice's signal in Bob's detection.and the attenuation a E for Alice's signal in Eve's detection can be considered to be constants.It means that Eve does not has ability to change the added nose dependently of the signal transmitted by Alice 1 .Therefore, the variable Y i is independent of A i and the distribution of Y i does not depend on i.Also, the average e B is independent of i and A i .We also assume that we can send one block of our protocol during the coherent time 2 .In the natural case, the noise in the channel from Alice to Bob is a Gaussian noise.(A5) Noiseless public channel between Bob and Alice is assumed.In practice, it can be realized by a combination of error correcting code and noisy wireless channel between Bob and Alice.This assumption can be confirmed by authentication as explained in Subsection V-C2.In summary, when we have m transmissions from Alice to Bob, there is the following relation among Alice's i-th sending real variable A i , Bob's i-th receiving real variable B i , and Eve's i-th receiving real variable E i .
Here, the coefficients a B , b B , e B , a E , b E , and e E are constants with physical meaning as Table I.To discuss the situation advantageous to Eve, we assume that Eve's detection has no noise except for the noise inside of her detector as Eq. ( 2).Even though we put e E to be 0, there is no information loss.So, 1 This assumption means that the noise added by Eve cannot be adaptively controlled.This assumption is natural because such an adaptive noise operation requires much advanced technology.In fact, in the early stage of studies of QKD, they assume that the errors is subject to an identical and independent distribution.The attack under this condition is called the collective attack in the QKD [75].Hence, it is natural to assume this kind of assumption at the first paper of our setting. 2In various protocols, a set of pulses or bits treated as one block is called a coding block.The number of such pulses or bits is called a block length.For example, in RSA cryptography, since the arithmetic is based on the public composite m, log m is a block length.Our protocol is composed of an error correcting code like an LDPC code.Since the block length of an LDPC code is from 10000 to 100000, the block length of our protocol is from 10000 to 100000 when we employ a LDPC code.
we consider only the case when e E is 0 for simplicity.Also, due to Assumption (A1), Eve knows the value of Y as well as E.Then, additionally we assume the following assumption.
(A6) Eve knows all the channel parameters, which are given in ( 1) and (2) as well as the value of Y i Since the information Y i can be injected by Eve as Fig. 1, the attack under Assumptions (A1)-(A6) is called noise injecting attack.When Eve is closer to Alice than Bob and the performance of Eve's detector is the same as that of Bob's, the signal-noise ratio of Eve is not smaller than that of Bob so that secure communication by one-way wire-tap channel is impossible.We discuss this problem in Section VI-B3.
To overcome this problem, this paper considers two-way protocol like QKD.In the two-way protocol, the performance depends on the direction of information reconciliation (error correction).When we employ the forward reconciliation, the performance is the same as the case with one-way wire-tap channel, as explained in Section VI-B3, then, it cannot realize secure communication in the above case.Our protocol employs the reverse reconciliation after the above information transmission, as will be given in Section V.
Here, we discuss the meaning of coefficients a B and a E more deeply.The coefficients a B and a E express the attenuation.The intensities a 2 E and a 2 B behave as Cd −α with positive constants C and α when the distance from Alice's transmitting antenna is d, and have stochastic behavior as fading in long time span [34,Section 5.4.1].For example, the free space with no obstacle has the constant α = 2 [34].Due to spatial assumption (Assumption (A3)), Eve's detector is sufficiently far from Alice's transmitting antenna.So, the relation d ≥ d 0 holds with a certain constant d 0 Under this assumption, we can guarantee that a 2 E ≤ Cd −α 0 .On the other hand, the coefficients b B and b E can be lower bounded by the performance of their detectors due to Assumption (A2).As explain in Section V-A, our protocol contains random sampling.
Hence, the coefficient a B can be estimated as covariance c AB between A and B in the random sampling, which provides a better estimate than the method based spatial relation between Alice and Bob.Thus, the meaning of these parameters can be summarized in Table I, while the parameter v Y will be introduced in Section IV.Some of these parameters are estimated from covariance c AB between A and B, variance v B of B, and variance v Y of Y .

A. Comparison with other attacks
Most of existing studies for secure wireless communication were done in the context of wire-tap channel.First, Wyner proposed the model of wire-tap channel [14].Then, Csiszár and K 'orner extended the model to the broadcast channel with confidential messages (BCC) [15], in which the source node also has a common message for both receivers in addition to the confidential message for only one receiver.Also, Leung-Yan-Cheong and Hellman applied the wire-tap channel to the Gaussian channels [1].The recent paper [73, Appendix D-C] showed the strong security in this model.Liang et al extended these analyses to fading channel [2].Then, many preceding papers [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13] studied physical layer security by using wire-tap model.That is, most of studies for physical layer security in the community of information theory fall in this framework.However, if we adopt wire-tap model, in order to realize secure communication, we need to assume that the mutual information between Alice and Bob is greater than the mutual information between Alice and Eve.However, it is usual that Eve is closer to Alice than Bob.Hence, it is unnatural to assume such a assumption.
In order to remove this strong assumption, we employ a two-way protocol, in which, after receiving the signal from Alice, Bob sends a modified information to Alice.We make detailed comparison between our method and the one-way case like the wire-tap channel in Section VI-B3.
In the one-way case, it is sufficient to discuss the relation between the above two types of mutual information.That is, even when Eve makes various types of attacks, the security analysis are reduced to the analysis to the two channels, the channel from Alice to Bob and the channel from Alice to Eve.This characterization holds even when both channels have memory because asymptotic capacity formula was shown only with the form of these two channels for a general sequence of channels [74].However, when we employ a two-way protocol, we need to be careful to the correlation between the added noise in the channels from Alice to Bob's and Eve's signals.Therefore, we compare our model with other attacks in the next subsection.

B. Comparison with other attacks
Here, we compare our model with the elementary jamming attack [36].In the elementary jamming attack, Eve inserts her artificial noise to Bob's detection.However, she does not know the value of the added noise.The purpose of jamming attack is to interrupt the communication between Alice and Bob, and is not to eavesdrop the secret information between Alice and Bob.Hence, in the jamming attack, Eve makes the artificial noise so large that the error correction by Alice and Bob does not work.That is, the jamming attack might make their final keys mismatched.Since our protocol contains the the process of estimation of channel parameters, when Eve makes the elementary jamming attack, Alice and Bob can detect such a large noise, i.e., the existence of the elementary jamming attack.
In our noise injecting attack model, Eve is allowed to know the value of the added noise.Hence, even when the artificial noise is as small as the natural case, she might obtain a part of information of the final keys.Hence, it is difficult for Alice and Bob to find the existence of the noise injecting attack.That is, Eve in our noise injecting attack model is more powerful than Eve in jamming attack.In such a scenario, Alice and Bob need to prepare their protocol so that their information transmission is secure against the most powerful Eve within the scope of their assumption.Now, we compare our model with channel-hopping jamming attack.In channel-hopping jamming attack, Eve overrides the signal from Alice to Bob for spoofing [12], [10], [37].However, such an attack can be prevented by the authentication between Alice and Bob.That is, our protocol is secure even against channel-hopping jamming attack by equipping authentication.
Next, we explain how our assumption covers the case when Eve can change her strategy dynamically.Alice and Bob can choose the detailed parameter of the secure key distillation protocol (Protocol 2 given in Section V-A) depending on the coding block because our secure key distillation protocol will be done as post processing.Assumption (A4) means that Eve cannot change her strategy during the coherent time interval.That is, she can change her strategy only in the next coherent time interval.Since we estimate channel parameters for each coherent time interval, our protocol properly reflects such a dynamical change.In this way, our assumption is more general than existing attacks and covers various types of attacks.

IV. MATHEMATICAL STRUCTURE A. General case
Before proceeding to our protocol, we discuss the mathematical structure of our model when Alice independently generates her random variables A i subject to the standard Gaussian distribution.That is, we discuss how to simplify Eve's knowledge for B in this setting.Then, we discuss how to estimate the distribution of the variable describing Eve's knowledge for B. For this aim, since the variables A i , Y i , X 1,i , and X 2,i are independent, we consider the single-system description as follows.
In this section, we assume the models (3) and ( 4), in which the random variables A, X 1 , and X 2 are independent standard Gaussian random variables and Y is an independent variable with average 0. In this subsection, we introduce variables E ′ , E ′′ , A c , U. When we employ the multiple-system description like (1) and (2), these variables with i-th transmission are written to be The variables are summarized in Table II.
When we discuss the cumulative distribution function of a real valued variable X, we denote it by F X and treat it.In fact, under the condition Y = y, we denote the cumulant distribution function of X by F X|Y =y .In the following discussion, Φ v expresses the cumulant distribution function of Gaussian variable with variance v. Firstly, we prepare the following theorem.
Theorem 1: Using the variable we have the following relation where e + y, and P X|E ′ =e ′ is the conditional distribution for X when E ′ is e ′ .Also, P B|E ′ =e ′ is the Gaussian distribution with average e ′ + e B and variance v B|E ′ := . This theorem implies that the noise injecting attack can be reduced to the attack only with the random variable E ′ .Proof.We introduce the random variable which is a Gaussian random variable independent of Y and X 1 .Also, since the covariance between U and E is zero, Since B and is independent of E and Y , we have which implies the desired statement.
To evaluate the amount of the information leaked to Eve, we need to estimate the distribution P E ′ of the random variable E ′ from the variables A and B accessible to Alice and Bob.For this aim, we introduce the random variable which is the total noise in B and can be directly estimated by Alice and Bob in the protocol given in Section V.That is, we discuss how to derive the distribution P E ′ from the distribution P A c of A c .For this discussion, we employ the convolution F 1 * F 2 for given two distribution functions F 1 and F 2 , which is defined In particular, we utilize Gaussian convolution G v defined as Since Y is independent of other variables, the distributions of P A c and P E ′ of A c and E ′ are given as When , we can estimate the distribution P E ′ by applying the Gaussian convolution to the distribution P A c as However, when we cannot apply this method.Indeed, we can estimate the distribution P E ′ by applying the Gaussian deconvolution, which is the inverse operation of the Gaussian convolution (11).But, it is quite difficult to estimate the amount of the error of our estimate of the distribution P E ′ when we employ the Gaussian deconvolution.Since our evaluation of the amount of leaked information requires the evaluation of the amount of error in the estimation of the distribution, we employ the distribution P A c instead of the distribution P E ′ as follows.In this case, we introduce two independent standard Gaussian random variables Hence, instead of (8), we have Since and is independent of Y , the variable satisfies . Fortunately, it is sufficient to know the cumulative distribution function F E ′′ in this case instead of F E ′ because E ′′ is more informative with respect to B than E ′ due to the Markovian chain which follows from (15).In fact, when Eve knows the random variable Z 1 as well as the random variables E and Y , E ′′ can be considered as Eve's knowledge with respect to B due to the following corollary of Theorem 1.
Corollary 2: Assume ( 14).(Otherwise, we cannot define the variable E ′′ .)Then, we have the Markovian chain where which implies all the desired statements.
Total noise Non-Gaussian ( 10) Gaussian case Now, as a typical case, we assume that Y is also a Gaussian random variable with variance v Y while we do not assume this assumption except for this subsection.In this case, the possibility of secure key generation can be discussed by comparison of the correlation coefficient ρ A between B and A and the correlation coefficient ρ E between B and E. That is, when ρ 2 E < ρ 2 A , we can distill secure keys from A and B with backward reconciliation.By using variance v Y of Y , the former correlation coefficient ρ A is calculated as Since the variance of E ′ is B and the covariance between E ′ and B is , by using covariance c AB between A and B and variance v B of B, the correlation coefficient ρ E ′ between E ′ and B can be calculated as When we find that the distribution P E ′ is sufficiently close to the Gaussian distribution, the security can be approximately evaluated by the above formula.That is, the comparison between ( 20) and ( 21) clarifies whether secure keys can be distilled.Now, we have the following lemma.
Lemma 3: The inequality Proof.The condition ).This condition is equivalent to 1 + Instead of (21), we calculate the correlation coefficient ρ E ′′ between E ′′ and B can be calculated as follows.Since the variance of B and the covariance between , the correlation coefficient ρ E ′′ between E ′′ and B can be calculated as

V. PROTOCOL A. Description of protocol
The whole protocol for noise injecting attack is given as Protocol 1, which runs Protocol 2 (backward secure key distillation protocol) as a subprotocol.Before Protocol 2, we discuss secure key distillation protocols.Although there exist several methods to asymptotically attain the optimal one way key distillation (The common choices in the following steps can be done as follows.For example, Alice randomly decides the choices of the sample data, and she sends the information with respect to these choices to Bob via the noiseless public channel.Also, they exchange common chosen samples data via the noiseless public channel.)STEP 1: [Initial key transmission] Alice generates her n+2l variables A 1 , . . ., A n+2l according to standard Gaussian distribution independently, and she sends them to Bob by using the given channel n+2l times.STEP 2: [Estimation 1] After initial communication, Alice and Bob randomly choose common l samples data ( Ā1 , B1 ), . . ., ( Āl , Bl ) from (A 1 , B 1 ), . . ., (A n+2l , B n+2l ).They obtain the estimates êB , vB , and ĉAB of the average of B, the variance of B and the covariance of A and B by using the average, the unbiased variance, and the unbiased covariance of the common l samples data, respectively.STEP 3: [Estimation 2] Alice and Bob randomly choose another l common samples data ( Ã1 , B1 ), . . ., ( Ãl , Bl ) from the remaining n + l data.Based on êB , vB , and ĉAB , they obtain the estimates PA c and PE ′ of the distributions P A c and Otherwise, they obtain only the estimate PA c of the distribution P A c , which works as the estimate PE ′′ of P E ′′ as well.Here, they redefine the random variables E ′ := E ′ + e B − êB and E ′′ := E ′′ + e B − êB .STEP 4: [Secure key distillation] Based on the above estimates, Alice and Bob apply the backward secure key distillation protocol for n data, which will be explained as Protocol 2. For Protocol 2, they redefine (A 1 , B 1 ), . . ., (A n , B n ) as the remaining n pairs of Alice's and Bob's variables.
rate from Gaussian random variables by using suitable discretization [42], [43], [44], [45], there is no protocol to distill secure keys from Gaussian random variables satisfying the following conditions3 .(B1) The whole calculation complexity is not so large.(B2) A security evaluation of the final key is available with finite block-length.
Since the difficulty of its efficient construction is caused by the continuity, we employ very simple discretization in our protocol.Before describing the secure key distillation protocol, we prepare notations for hash functions.We consider a randomized function , where H is the random variable identifying the function f H , and m 1 := n 1 − n 2 and n 2 are called the sacrifice bit length and the output length, respectively.Alice and Bob need to prepare random seeds H to identity the function f H .The seeds H is allowed to be leaked to Eve.A randomized function f H is called a universal2 hash function when the collision probability satisfies the inequality for any distinct elements c = c ′ ∈ F n 1 2 [46], [47].In the above equation, Pr expresses the probability with respect to the choice of H.Under these preparations, we give our protocol satisfying the above conditions (B1) and (B2) as Protocol 2. Notice that the choice of the sacrifice bit length m 1 given in (65) ((66)) does not assume that Y is Gaussian.
Finally, we discuss the effects of the stochastic behaviors of the coefficients a B and a E due to fading.Even though this condition does not necessarily hold even in the average case with respect to this stochastic behavior, Alice and Bob might be able to efficiently generate secure keys.In this case, Alice and Bob need to assign a E to the maximum value among possible values.On the other hand, by random sampling, they can observe whether each coding block can generate secure keys.Hence, there might be a possibility that a part of coding blocks can generate secure keys.That is, they can apply the backward secure key distillation Protocol 2 Backward secure key distillation protocol for n data Before stating the following steps, Alice and Bob prepare the estimates PE ′ (or PE ′′ ), PA c , êB , and ĉAB .In the following steps, all communications between Alice and Bob are done via the noiseless public channel.STEP 1: [Discretization] Bob converts his random variable B i − êB to 1 or 0 by taking its sign, i.e., he obtains the new bit random variable B ′ i in F 2 as (−1) Alice and Bob prepare an error correcting code C ⊂ F n 2 , whose choice will be explained in Subsection V-B. Bob computes the syndrome as an element Here, the error correction is based on the channel {W Z|0 , W Z|1 }.STEP 3: [Privacy amplification] Based on PE ′ or PE ′′ in addition to êB and ĉAB , Alice and Bob decide the sacrifice bit length m 1 , whose choice will be given in (65) or (66).Then, they apply universal2 hash function to their bits in C with sacrifice bit length m 1 .They obtain the keys K with length dim C − m 1 .
Here, Alice (or Bob) generates the random seeds locally and can send it to Bob (or Alice) via public channel.STEP 4: [Error verification] Alice and Bob choose the bit length m 2 for error verification, whose choice will be discussed in Subsection V-C2.They apply another universal2 hash function to the keys with output length m 2 .They exchange their output of the universal2 hash function.If they are the same, discarding their final m 2 bits from their keys, they obtain their final keys.If they are different, they discard their keys.
protocol only to the coding blocks that can generate secure keys.Such a selection of advantageous events to Alice and Bob is called post selection.

B. Choice of code and its calculation complexity
Now, we discuss the calculation complexity of our protocol.In Protocol 1 except for Protocol 2, we calculate only the averages of the obtained data and its square.So, their calculation complexity is not so large.Protocol 2 contains the calculation of syndrome, the decoding of the given error correction code, and universal2 hash function.For Information reconciliation, we need to choose a suitable code, e.g.LDPC codes to satisfy the following condition.
(C1) The calculation of syndrome and the decoding of the given error correction code are have been already implemented with reasonable calculation complexity.In fact, so many codes satisfy this condition [62, p. 228].(C2) The code can decode the message under the channel W A|B , which is given in the Protocol 2. If we use such a code, we can exploit existing algorithms for Step of Information reconciliation.
To achieve a larger key generation rate, we need to choose an error correction code C ⊂ F n 2 whose coding rate is close to the capacity.For this purpose, we employ an LPDC code with the brief propagation method, whose block length is around 2 16 ∼ = 65, 000 [62,Chap. 4].However, we do not necessarily choose the block length of the error correcting code to be the block length n of our protocol.That is, we can consider the concatenation of our error correcting code.When the block length of our error correcting code is n k , k blocks of our error correcting code is treated as one block of our of our protocol, i.e., we apply one hash function to k blocks of corrected keys of error correction.That is, our LDPC code Since the agreement between Alice and Bob can be checked by error correction, we do not need to evaluate the error of estimation PA c .That is, to decide the block length n of our protocol, we need to care about only the calculation complexity of hash function.

C. Privacy amplification, verification, and their calculation complexity 1) Privacy amplification:
For Privacy amplification, we can use a modified Toeplitz matrix as a typical example of a universal2 hash function, whose detail construction and evaluation of the complexity of its construction are summarized in the recent paper [48,Appendix].Its calculation complexity is O(m log m) when m is the input length.Indeed, it was reported in paper [48] that the above type hash function practically implemented with m = 1000000 by a conventional personal computer.So, the part of privacy amplification has only calculation complexity O(n log n).
Here, we need to calculate the size of the sacrifice bit length in privacy amplification.This length should be chosen so that the security criterion (32) or/and ( 33) is less than a given threshold, which shows the security level.This calculation can be done by using the formulas (34) or/and (35) in Lemma 5, whose calculation complexity does not depend on the numbers of input and output lengths, as explained in Subsection VI.So, this process also can be done efficiently.
2) Verification of correctness and public channel: The error verification is also done by a universal2 hash function.When we employ the above example, it has only calculation complexity O(m 2 log m 2 ).Due to this step, we can guarantee the correctness with probability 1 − 2 −m 2 , which is called the significance level [33,Section VIII].So, it is enough to choose m 2 depending on the required significance level.Hence, we do not need to evaluate the decoding error probability for the step of information reconciliation.That is, we do not need to care about the estimation error in the step of information reconciliation.In contrast, we need to be careful for the estimation error in the step of privacy amplification because no method can evaluate the amount of information leaked to Eve in the final keys without use of the estimation error.
Rigorously, in this protocol, Eve might override the signals to Bob or the public channel for spoofing [12], [10].To avoid Eve's spoofing, Alice and Bob needs verification of their public channel, i.e., they need to authenticate each other [46], [47], [49], [50].Alice and Bob can authenticate each other by using universal2 hash function.This authentication consumes a small number of secret keys between Alice and Bob.Since the length of the keys for the authentication is smaller than the length of generated keys, Alice and Bob can increase the length of the secret keys efficiently.When we consume k bits for the authentication for n-bit transmission, the authentication scheme is secure with a failure probability of n2 −k+1 [49, Theorem 9].So, If Alice and/or Bob find disagreement, they consider that there exists spoofing and discard the obtained random variable.Then, this protocol well works totally.

VI. SECURITY ANALYSIS AND SACRIFICE BIT LENGTH A. Finite-length case with known parameters and distribution
We analyze the security when the distribution of P Y and the parameters a B , a E , v Y , b B , b E and e B are known to Alice and Bob.Since Eve knows the exchanged information via public communication, she knows êB , i.e., she knows e B − êB .
1) Single-system description: First, we discuss this problem with the single-system description, in which B ′ is defined as B ′ := sgn(B − êB ).So, due to a similar analysis to Theorem 1, Eve's knowledge for Bob's random variable In this section, we derive general security formulas by using the true probability density function P E ′ of the random variable E ′ .For this purpose, we introduce the functions H[P E ′ , v] and φ[P E ′ , v](t) as and where the base of the logarithm is chosen to be 2 in this paper.
Using the parameter v, we introduce the joint probability density function P B ′ ,E ′ of the random variables B ′ and E ′ as So, the functions H[P E ′ , v] and φ[P E ′ , v](t) are rewritten as where Here, this definition can be applied to a general pair of a binary variable B ′ and a real variable E ′ .Notice that we have Using the property of this type of information quantity given in [57], we have the following properties for the function φ[P E ′ , v](t).
Lemma 4: The function φ[P E ′ , v](t) is convex for t ∈ (0, 1).This lemma is shown in Subsection IX-A.Since the limit lim t→0 equals the conditional entropy, H[P E ′ , v] is monotone decreasing for ρ.
2) Multiple-system description: To evaluate the security, we discuss the multiple-system description, in which the variables E i , E ′ i , E ′′ i , A c i , U i are defined in the same way as A i and B i .All of Eve's knowledge is written as E. As shown below, in the privacy amplification, we need to choose the sacrifice but rate where n is the block length before information reconciliation and v B|E ′ was defined to be the variance To show this fact, we make more precise analysis on the leaked information as follows.Using the relative entropy D(P Q) := x P (x)(log P (x) − log Q(x)) and the variational distance d(P, Q) := x |P (x) − Q(x)|, we adopt the conditional modified mutual information I ′ (K : E|H) [51], [40] between Bob and Eve and the variational distance measure d(K : E|H) [52] conditioned with H as where P Uni,K is the uniform distribution for the final key.It is known that the latter satisfies the universal composable property [35].Remember hat H is the random variable to describe the choice of hash function.
Here, we give security formulas with true parameters.So, the discussions in [38], [39], [40], [41] yield the following lemma, whose detail derivations are available in Subsection IX-A.
Lemma 5: We have Since the function t is computable by the bisection method [53, Algorithm 4.1], which gives the RHS of (35).Since s → − log s is convex, the function s → (s(n is computable in the same way.That is, we can calculate the RHS of (34) in Lemma 5. When the sacrifice bit length m 1 n is greater than there exists s ∈ (0, 1  2 ] such that (s(1 So, both upper bounds go to zero exponentially for n. Our condition for the random hash function f H can be relaxed to ǫ-almost universal dual hash function [54].( [40] contains its survey with non-quantum terminology.)The latter class allows more efficient random hash functions with less random seeds [48].Even when the random seeds H is not uniform random number, we have similar evaluations by attaching the discussion in [48].While it is possible to apply left over hashing lemma [55], [56] and smoothing to the min entropy [52], our evaluation is better than such a combination even in the asymptotic limit, as is discussed in [38], [40].

B. Asymptotic case 1) Asymptotic case with known parameters and distribution:
Next, from the theoretical viewpoint, we discuss the asymptotically achievable rate when the distribution of P Y and the parameters a B , a E , v Y , b B , b E , and e B are known to Alice and Bob.For simplicity, we consider the case when the information reconciliation asymptotically generates agreed keys between Alice and Bob with the mutual information rate Since our focus in this section is limited to the asymptotic analysis with independent and identical distributed setting, it is sufficient to discuss the single-system description as Subsection VI-A1.The analysis in Section VI-A guarantees that the rate 1−H[P E ′ , v B|E ′ ] is asymptotically sufficient for the rate of of sacrificed keys.Hence, the above method yields the asymptotic key generation rate , where (x) + := max(x, 0).Using the existing results of secure key generation [71], [72], [51], we have the following theorem.
Theorem 6: (i) When there exists a cumulative distribution function F such that the distribution corresponding to F is not the delta measure and we have and there is no protocol to generate secure keys between Alice and Bob from the sequence of B ′ and A whose asymptotic key generation is greater than (ii) Conversely, when there exists a cumulative distribution function F such that Alice and Bob cannot distill secure key from A and B ′ .
Proof.First, we show (i).As mentioned in the previous section, Eve's information for B − êB is summarized to E ′ .Let V 1 be a random variable such that the cumulative distribution function is F and it is independent of E ′ .Condition (36) guarantees which implies that the variable E ′ + V 1 is subject to the same distribution as a B A. Let V 2 be a random variable independent of E ′ and V 1 that is subject to the same distribution as Y + b B X 1 .Then, the joint distribution is the same as the joint distribution P a B A,B between a B A and B. Similarly, the joint distribution is the same as the joint distribution P E ′ ,B between E ′ and B. Thus, we stochastically have the Markovian chain ).Since the variable V 2 takes values from −∞ to ∞ with non-zero probability, and for any real number e ′ , which implies that I(B ′ ; A|E ′ ) > 0. Therefore, the optimal key generation rate is calculated as [71], [72], [51] Next, we show (ii).When (37) holds, we have Let V 3 be a random variable such that the cumulative distribution function is F and it is independent of a B A. Let V 4 be a random variable independent of a B A and V 3 that is subject to the Gaussian distribution with average 0 and variance Then, the joint distribution P a B A+V 3 ,a B A+V 3 +V 4 between a B A+ V 3 and a B A + V 3 + V 4 is the same as the joint distribution P E ′ ,B between E ′ and B. Similarly, the joint distribution P a B A,a B A+V 3 +V 4 between a B A and a B A + V 3 + V 4 is the same as the joint distribution P a B A,B between a B A and B. Thus, we stochastically have the Markovian chain Hence, it is impossible to distill secure keys from A and B ′ [71], [72], [51].
To discuss more detail, we assume that Y is subject to a Gaussian distribution with variance v Y .For the analysis under this assumption, we define H(v) is strictly increasing for v. Since we have where α B := . Hence, we have the key generation rate (H . This value is strictly positive if and only equivalent to the condition of Part (i) ((ii)) of Theorem 6 in this case.
2) Asymptotic case with estimation: We consider the case when the distribution of P Y and the parameters a B , a E , v Y , b B , b E , and e B are known to Alice and Bob.We assume the asymptotic case, in which l goes to infinity but l n goes to zero.In this case, they estimate these parameters by Steps 1 and 2 pf Protocol 1.The estimation errors for these parameters go to zero.Also, as discussed in Section VI-C2, the estimation error for the distribution of P Y goes to zero.Therefore, they can achieve the asymptotic key generation rate 3) Comparison with one-way case: To compare our protocol with the one-way wire-tap channel, we assume that the distribution of P Y and the parameters a B , a E , v Y , b B , b E , and e B are known to Alice, Bob, and Eve.In fact, the following modified protocol can be reduced to the one-way case.In Step 1 of Protocol 2, Alice makes the random variable A ′ i := sgn A i .Then, we make information reconciliation (Step 2 of Protocol 2) with the opposite direction (Alice sends the syndrome to Bob via public channel).This modification is called forward reconciliation.Sending Alice's syndrome is equivalent to restricting Alice's variables to a special coset with respect to C. Hence, the analysis with forward reconciliation can be reduced to the one-way wire-tap channel.Then, using existing results of wire-tap channel [15], we have the following lemma.
Lemma 7: (i) When a B b B > a E b E and there exists a cumulative distribution function F such that the distribution corresponding to F is not the delta measure and there exists a secure wire-tap code for the wire-tap channel (3) and ( 4).
(ii) Conversely, assume that a B b B < a E b E or there exists a cumulative distribution function F such that the wire-tap channel (3) and (4) cannot transmit secure information from Alice to Bob.
Proof.First, we show (i).Let V 1 be a random variable such that the cumulative distribution function is F and it is independent of E ′ .Condition (36) guarantees has the same conditional distribution as that of the channel from A to E. Hence, the channel from Alice to Eve can be regarded as a degraded channel of the channel from Alice to Bob.Hence, the capacity is given as the maximum of with respect to the choice of the distribution of A [15], In this case, the conditional distribution P A|B=b is different from P A|B=b ′ when b = b ′ .The assumption for F guarantees that V 1 is not a deterministic value.Hence, the conditional distribution P B|E=e has probability at least two points.Hence, we find that Therefore, the value ( 43) is strictly positive.Hence, we obtain the statement (i).
Next, we show (ii).Let V 2 be a random variable such that the cumulative distribution function is F and it is independent of X 2 .Then, we have a E E + V 2 has the same conditional distribution as that of the channel from A to B. Hence, the channel from Alice to Bob can be regarded as a degraded channel of the channel from Alice to Eve.Thus, the wire-tap channel (3) and ( 4) cannot transmit secure information from Alice to Bob [15], which is the statement (ii).Now, we compare the conditions of Part (i) of Theorem 6 and Lemma 7. When B , the condition of Part (i) of Theorem 6 is weaker than the condition of Part (i) of Theorem 7. Since this condition is equivalent to Since α E and α B are the ratios between the signal power and the power of detector noise of Eve and Bob, respectively, it is natural to assume that this ratio of Eve is equal to or larger that that of Bob, which implies the inequality (45).Hence, when this inequality holds, the condition of Part (i) of Theorem 6 is weaker than the condition of Part (i) of Lemma 7.That is, our method has a higher possibility to generate secure keys.
To discuss more details, we assume that Y is subject to a Gaussian distribution with variance v Y .Then, Theorem 6 shows that Alice and Bob can distill secure keys from A and B ′ by using our method if and only if Lemma 7 shows that Alice can send secure information to Bob via the one-way protocol based on the wire-tap channel ( 3) and ( 4) if and only if Therefore, under the natural condition (45), our method has weaker condition to distill secure keys than the condition for secure communication in the one-way protocol.In fact, in the natural setting, Eve's ratio α E is equal to or larger that Bob's ratio α B , which implies that the condition (47) does not holds for any v ′ Y .However, even under this case, we have a possibility to satisfy the condition (46) for our method.
To discuss the detail, we consider the secure capacity for the wire-tap channel ( 3) and ( 4) under the energy constraint .When Alice the wire-tap channel n times, we denote the set of codewords by M n ⊂ R n .For M n , we impose the condition n i=1 x 2 i ≤ n with any sequence (x 1 , . . ., x n ) ∈ M n .Under this condition, the secure capacity is calculated as [1] With this rate, the strong security also holds [73, Appendix D-C].This quantity is strictly positive if and only if the condition (47) holds.

C. Estimation with confidence level in finite-length case 1) Estimation of parameters:
To estimate the average e B , the variance v B , the covariance c AB between A and B, and the distribution P E ′ , we set the confidence level 1 − ǫ.Due to the quasi static assumption, the random variables A, B, and E ′ are is subject to an identical and independent distribution.Since the distribution of B is unknown, if the number l of samples is not so large, it is not easy to give the confidence interval for the estimation of e B .However, when the number l is sufficiently large (e.g., more than 10 4 ), it is allowed to apply Gaussian approximation for a given confidence level 1 − ǫ.When the variance is unknown, we need to employ the t-distribution of degree l − 1.However, since the number l is sufficiently large, it can be well approximated by the Gaussian distribution.Now, we use the ǫ percent point Z ǫ (the quantile) of the standard Gaussian distribution.The confidence interval of the average e B is ] by using the sample mean êB and the unbiased variance vB .However, due to the largeness of l, the unbiased variance vB can be replaced by the sample variance because the difference is almost negligible.
Next, we estimate the variance v B .When B is subject to the Gaussian distribution, we need to employ the χ 2 distribution of degree l − 1 unless the number l is sufficiently large.Now, we can apply Gaussian approximation because the number l is sufficiently large.To estimate the variance of (B − e B ) 2 , we define the estimate wB : ]. Now, we estimate the covariance c AB between A and B by using the sample mean ĉAB of A(B − êB ).To get the confidence interval of the covariance c AB , we employ the unbiased variance vAB of (A − êA )(B − êB ), which approximates the variance of the sample mean ĉAB .So, the confidence interval of the covariance
To show define l ǫ,δ , we employ Kolmogorov-Smirnov test [58], [59], whose detail is the following.We consider the independent random variables X1 , . . ., Xl subject to the distribution P X , whose cumulative distribution function is F X (x).Then, we define the empirical distribution function where I [−∞,x] (X) is the indicator function, equal to 1 if X ≤ x and equal to 0 otherwise.We define the random variable Then, we have the following lemma.Proposition 9 (Kolmogorov-Smirnov test [60]): The equation holds.
For two real numbers ǫ, δ > 0, we define the integer l ǫ,δ as The above Proposition guarantees the finiteness of l ǫ,δ .Thus, the estimate F Āc for F Āc satisfies the relation with confidence level 1 − (ǫ + δ) when l ≥ l ǫ,δ .

D. Security analysis with estimation in finite-length case
In our protocol given in Section V-A, in addition to the choice of hash functions, there are other random variables that are publicly transmitted.For example, the information for error estimation is publicly transmitted between Alice and Bob.So, the collection of them are denoted by C, and its distribution is denoted by P C , which depends on the distribution P Y and the parameters a B and e B .In this case, the length of sacrifice bit length m 1 depends on C. So, it is denoted by m 1 (C).The distribution P H of the choice of the hash function also depends m 1 (C).So, it is given by the conditional distribution P H|m 1 (C) .Since the length of final keys also depends on C, the uniform distribution is given by the conditional distribution P Uni,K|C .Thus, the security criteria ( 32) and ( 33) are modified to where P Uni,K|C=c is the uniform distribution of K with the length determined by C = c.For given public information C, we define where Hence, using Proposition 9 (Kolmogorov-Smirnov test [60]), we obtain the following lemma and theorem, which will be shown in Subsection IX-C.
Combining Lemmas 5 and 10 with Theorem 1 and (17), we obtain the following theorem.
Theorem 11: The function φ(C, ǫ) satisfies the inequality with confidence level 1 − 2(ǫ + δ) when l ≥ l ǫ,δ .When we focus on the security criterion I ′ (K : E|HC), by using Theorem 11, given a security level κ and the observed values, the sacrifice bit length m 1 is chosen as When we focus on the other security criterion d(K : E|HC), the sacrifice bit length m 1 is chosen as That is, when we choose the sacrifice bit length m 1 based on (65) or (66), the leaked information is less than κ with confidence level 1 − 2(ǫ + δ) when l ≥ l ǫ,δ .

E. Typical case
To treat our model more concretely, in the following typical case, we consider the key generation rate when the sacrifice bit length is decided by the formulas ( 65) and (66).In this subsection, for simplicity, we discuss only the case when Y is a Gaussian random variable and e B = êB = 0 while the employed formulas ( 65) and (66) do not assume that Y is a Gaussian random variable.First, we assume that there is no error between the true values and our estimations.That is, êB = e B , ĉAB = a B , vB = a 2 B + v B + b 2 B , and PA c = P A c .By using the probability density function ϕ of the standard Gaussian variable and the correlation coefficient, the quantity H[P Ē , v B|E ′ ] can be written to be H[ϕ, ], which is mutual information between E ′ and B ′ .On the other hand, the mutual information I( PA c , ĉAB ) between A and B ′ is calculated to be 1−H[ ] under the reverse information reconciliation.Now, we consider the following special case.Eve's detector has the same performance as Bob' detector, i.e., b E = b B , which will be denoted by b.The coefficients a B and a E for attenuations equals the same value √ 2b.By using the variance of the noise Y , the correlation coefficients ρ A and ρ E are calculated as . If the noise Y generated in the transmission is not zero, the mutual information between A and E is larger than that between A and B. So, the forward information reconciliation cannot generate any keys.However, when we employ the reverse information reconciliation, there is a possibility to generate secure keys.When v Y < 2b 2 3 , we have ρ 2 A > ρ 2 E , i.e., the secure key generation rate is the positive value 2 ] under the reverse information reconciliation, which is numerically calculated as Fig. 2. In particular, when 2 ] is 0.108, and the mutual informations ] are 0.372 and 0.264.In this special case, the coding rate of error correcting code needs to be less than 0.372, and the sacrifice bit rate needs to be greater than and 0.264.However, when we care about the finiteness of the block length of our code, the amount of leaked information of our final keys is not zero even though the key generation rate is less than 2 ].To discuss this issue, we need to care about estimation error.In the following, we assume the same assumption as the above discussion except for the relation between the true values and our estimations.For this purpose, we briefly discuss the upper bounds ( 63) and ( 64) by taking account into estimation error.To keep a high precision, we set the confidence level to be 1 − 10 −4 , i.e., ǫ = 5 × 10 −5 .So, Z ǫ = 4.06 and L −1 (1 − ǫ) = 2.30 [61].For example, we employ block length n = 1, 000, 000.So, it is natural to choose the number of sampling to be the same value1, 000, 000, i.e., l = 500, 000.In graph 3, we numerically calculate the logarithm s(n − m 1 ) + n φ(C, ǫ)(s) + log 3 of the upper bounds appeared in and (64) as a function of s when v Y = b 2 5 and the sacrifice bit length m 1 is 0.30 × 1, 000, 000 = 300, 000.The minimum value is −867 and is realized when s = 0.07.That is, when the required security level κ is chosen to be 2 −867 , the sacrifice bit length given in ( 66) is 300, 000.Here, the logarithm s(n − m 1 ) + n φ(C, ǫ)(s) − log s of the upper bounds appeared in (63) has almost the same behavior as that in (64).
In this numerical calculation, we need the value vAB .When Y is a Gaussian random variable, the expectation of vAB is

VII. EXTENSIONS A. Multi-antenna attack
As a more powerful Eve, we assume that, instead of (4), Eve can prepare k antennas that receiving E j (j = 1, . . ., k) under Assumptions (A1)-(A6) as Bob receives B given in (3), and X 2,i are subject to the standard Gaussian distribution independently of other random variables That is, Eve knows E 1 , . . ., E k as well as Y .Now, we convert the random variables E 1 , . . ., E k to the random variable a E,j X 2,j and its orthogonal complements Êj (j = 1, . . ., k − 1).The orthogonal complements Êj are orthogonal to B as well as to E. Thus, all of Eve's information for B are converted to the pair of E and Y .Therefore, we can apply Theorem 1.Notice that . When all of a E,j and all of b E,j are the same values a E and b E , E can be written as kA + b E a E √ kX 2 by using another standard Gaussian variable X 2 .That is, E has the same information as We can apply the above analysis with replacement of b E by b E √ k .Hence, even when there is a possibility that Eve prepares plural antennas, when Alice and Bob set the constant b E to be a sufficiently small number, they can prevent the multi-antenna attack.When Eve prepares infinitely many antennas, Alice and Bob cannot disable Eve to access their secret information.However, considering the constraint for Eve's budget, Alice and Bob can assume a reasonable value for the constant b E .

B. Complex number case
In the real wireless communication, all of number numbers are given as complex numbers.In this case, the random variables A, X j , and Y are given as A R + iA I , X j,R + iX j,I , and Y R + iY I , where the random variables A R , A I , X j,R and X j,I are independently subject to the standard Gaussian distribution.and Y R and Y I are independently of other random variables.So, the noise injecting attack model with Assumptions (A1)-(A6) can be written as where a B , a E , b B , and b E are positive real numbers.Now, we choose B R and B I (E R and E I ) to be the real and imaginary parts of e −iθ B B (e −iθ E E), respectively.We introduce the new random numbers X ′ 1,R and X ′ 1,I as the real and imaginary parts of e i(θ 1 −θ B ) X 1 , and X ′ 2,R and X ′ 2,I as those of e i(θ 2 −θ E ) X 2 .In the same way, we introduce Y ′ R and Y ′ I as the real and imaginary parts of e i(θ Y −θ B ) Y .Then, these random numbers are also independently subject to the standard Gaussian distribution.Thus, the noise injecting attack model with real random variables can be applied as VIII.INTERFERENCE MODEL In this section, to understand the model of this paper, we discuss another model, in which, Eve is weaker than Eve of the present model.we consider a different situation as a preparation for our analysis of noise injecting attack.That is, we replace Assumption (A1) by the following assumption (A1)', and keep the quasi static assumption (Assumption (A4)) for both channels.
(A1)' Bob's and Eve's detections B and Ẽ are written by using Alice's signal A as where the random variables X j are subject to the standard Gaussian distribution independently and a B , b B , e B , a E , b E , b E are constants during the coherent time, i.e., they can be regarded for one block length for our code.The remaining random variables Y and Y 2 are independent of X j .Due to the quasi static assumption (Assumption (A4)) for both channels, the variables X 1 , X 2 , Y , and Y 2 are independent in each transmission.Eve is not allowed to know the value of Y and Y 2 , but she knows their distribution.Hence, Assumption (A6) is replaced by the following.
(A6)' Eve knows all the channel parameters, which are given in (74) and (75).Also, she knows the forms of the distributions of Y and Y 2 .Since there is no assumption for the relation between Y and Y 2 , this model contains the case with interference.Under this model, the second terms express the noise during transmission over the space between Alice and Bob, and the third terms express thermal noises in the individual detectors due to the local Gaussian noise assumption (Assumption (A2)), whose sizes are reflected in the constants b E , and b E .
As discussed in Section IV, when Eve is closer to Alice than Bob and the performance of Eve's detector is the same as that of Bob's, secure communication with forward reconciliation is impossible.Since there is a possibility of secure communication with backward reconciliation, this section also discusses this type of secure key generation.Hence, we consider the same protocol with backward reconciliation, as given in Section V.
Under Assumptions (A1)', (A2)-(A5), (A6)', Alice and Bob can estimate the coefficients a B , b B , e B , a E , and b E in the same way as in the model discussed above.Also, they can estimate the distribution of Y .However, it is impossible for them to estimate the distribution of Y 2 , i.e., type of interference during transmission.To evaluate the security of this case, we focus on the Markov chain Hence, Eve of this model is not stronger than Eve in Section II.Therefore, it is sufficient to evaluate the information leakage to Eve in Section II.That is, the security evaluation in Section VI is sufficient for the model of this section.
In fact, when

B. Proof of Lemma 8
Next, we prepare the following two lemmas Lemma 12: When a distribution function F 1 is differentiable, three distribution functions F 1 , F 2 , and dx (y ′ − x)dy ′ = 1 with y ′ = y, we have Lemma 13: When a < 1, Proof.The derivative of Φ When which implies (82).Now, we show (52) under the condition We discuss the first term.Since we have where (a) follows from Lemma 12 and (b) does from the combination of (82) and the following derivation; where (a) follows from Lemma 12. So, when l ≥ l ǫ,δ , the second term is upper bounded by 1 Combining these two discussion, we obtain (52) with confidence level 1 − 2(ǫ + δ).Since the relation l Z ǫ holds with confidence level 1 − (ǫ + δ) when l ≥ l ǫ,δ , combining (58), we obtain (52).Now, we show (53).We notice that Since and the first term is evaluated as where (a) and (b) follow from Lemma 12 and (82), respectively.Thus, in the same way, we obtain (53).

C. Proof of Lemma 10
To show Lemma 10, we prepare the following lemmas.Lemma 14: Proof.The function p → p 1  2 ] and is monotone increasing in Lemma 15: When a non-negative valued function f is monotone decreasing in (−∞, 0] and is monotone increasing in [0, ∞), we have Lemma 15 will be shown in Subsection IX-D.When l is sufficiently large, Lemma 8 and its proof guarantee (52) and l Z ǫ with confidence level almost 1 − 2ǫ.In the following discussion, we give a statement with confidence level almost 1 − 2ǫ.Thus, Lemma 14 guarantees that Now, we apply Lemma 15 to the case when f (95) Thus, we have So, combining (95) and (96), we obtain (62) when Using the same discussion of the proof of the above case and the Markovian chain B − • − E ′′ − • − E ′ shown as (17), we can show (62) when

D. Proof of Lemma 15
To show Lemma 15, we prepare the following lemma.
we have Proof of Lemma 16: We first show Item (D1).We assume that G is C 1 -continuous.We assume that there are points a = a 1 , a 2 , . . ., a 2n = b such that g(x) ≤ 0 for a 2i < x < a 2i+1 and g(x) ≥ 0 for a 2i+1 < x < a 2i+2 .So, the assumption of this lemma implies that
X. DISCUSSION We have proposed the noise injecting attack as a very strong attack to secure wireless communication, in which, Eve can control everything except for the neighborhood of Alice and Bob's detector.Under a reasonable assumption (A1)-(A6) for the performance of Eve's detector, i.e., under the model ( 1) and ( 2), we have constructed a secure key generation protocol by using backward reconciliation over the noise injecting attack.For this analysis, as Theorem 1, in the noise injecting attack we have shown that Eve's information can be reduced to the single random variable E ′ as Theorem 1.
Also, as Lemma 3, when the additive noise generated during the transmission is subject to a Gaussian distribution, we have derived a necessary and sufficient condition (22) of the coefficients a B a E , and b E and the variance of its Gaussian random variable for realizing greater correlation coefficient, i.e., greater mutual information between Alice and Bob than that between Bob and Eve under a spatial condition for Eve.Even when it is difficult to realize the condition (22), we have proposed the post selection method, in which, we choose only the case when the condition (22) holds by utilizing the stochastic behavior of the LHS of (22).
To identify the channel between Alice and Bob, our protocol contains the estimation of channel.In particular, we do not assume that the additive noise generated during transmission is a Gaussian random variable.So, we need a non-parametric estimation, which has been resolved by Kolmogorov-Smirnov test [58], [59].Combining a suitable exponential upper bound for the leaked information and the above error evaluation, we derived finite-length security analysis as Theorem 11.As Fig 3, we give a numerical calculation for the upper bound given in (64) in a typical example.
When Eve breaks the quasi static condition, she can change the artificial noise dependently of the pulse.In this case, if Alice and Bob pre-agree which pulses are used for samples, Eve can insert the large artificial noise only to the non-sampling pulses so that the condition (22) does not hold in the nonsampling pulses without detection by Alice and Bob.Then, Eve can succeed in eavesdropping without detection by Alice and Bob.Currently, we might not have such a technology, however, we cannot deny such an eavesdropping in future.Fortunately, in our protocol, Alice and Bob do not fix the sampling pulse priorly, they choose the sample pulse after the transmission from Alice to Bob as the random sampling, whose security guaranteed by authentication.Then, Eve cannot selectively insert the artificial noise.The same effect is utilized in BB84 protocol of quantum key distribution (QKD) [26].However, the errors in Bob's observations is not necessarily subject to an identical and independent distribution.
In the case of QKD, in the early stage of their analysis, they assume that the errors is subject to an identical and independent distribution.The attack under this condition is called the collective attack in the QKD [75].Later, they removed this assumption by using hypergeometric distribution [63], [64] because the behavior of this random sampling in the discrete variables case can be discussed by hypergeometric distribution.However, since our system employs the continuous variable, this type evaluation is not so easy.Therefore, removing this assumption in our case is beyond the focus of this paper and is an interesting future problem.
Section VI-E made numerical calculations only when Y is subject to the Gaussian distribution.In a practice, there is a possibility that Y does not obey the Gaussian distribution.Hence, it is another interesting future study to make numerical calculations for another type of distribution for Y like Section VI-E.
Further, there still exits a possibility that Eve can break the assumptions of our model.Such a possibility might be realized in the following two cases.(i) Eve can concentrate her resource to break the assumptions.If Eve prepares a very expensive measurement device or too many expensive measurement devices, the assumptions are broken.(ii) Eve luckily gets a very large value of a E due to the interference effect.To resolve this problem, the forthcoming paper [70] proposes to combine secure network coding [65], [66], [67], [68], [69] and secure wireless communication.That is, we consider secure network coding whose communications on the edges are realized by our secure wireless communication.In this case, for an eavesdropping, Eve has to break the assumptions of our model in multiple wireless communication channels.For the case (i), Eve has to distribute her devices in these communication channels.This combination increases the difficulty of the eavesdropping.For the case (ii), Eve needs to be lucky in multiple wireless communication channels.Usually, the event of a large value a E might be regarded to be independent of the same event with the different point.Hence, the above possibility becomes very small.Therefore, we can decrease the possibility that Eve makes eavesdropping by combining secure network coding with our result.

Protocol 1
Whole protocol Before the protocol, Alice and Bob need to know the values of b B , b E , and a E based on Assumptions (A2) and (A3).In the following steps, Alice and Bob are allowed to use the noiseless public channel.

Fig. 3 .
Fig. 3. Logarithm of upper bound of leaked information

EẼ.Fig. 4 .
Fig. 4. Interference model: This figure shows the case when Eve has the same interference as that in Bob's detection.

Lemma 16 :
Let f be a continuous function defined on [a, b], and G be a bounded function defined on [a, b].We assume that G is differentiable except for a finite number of discontinuous points.(D1) When the function f is monotone decreasing in [a, b] and the function G satisfies max y∈[a,b] When the function f is monotone increasing in [a, b] and the function G satisfies min y∈[a,b] (G(y) − G(a)) = G(b) − G(a), When the function f is monotone increasing in [a, b] and the function G satisfies max y∈[a,b] (G(b) − G(y)) = G(b) − G(a), When the function f is monotone decreasing in [a, b] and the function G satisfies min y∈[a,b] (G(b) − G(y)) = G(b) − G(a),

g 1 f
(x) ≥ 0 for a 2n−3 < x < b.Rewriting a 2n by a 2n−2 , we repeat the above process for g 1 and denote the resultant function by g 2 .Repeating this procedure, we define g 1 , g 2 , . . ., g n .So,g n satisfies g n (x) ≥ 0 on (a, b) and b a f (x)g(x)dx ≤ b a f (x)g n (x)dx.(x)g n (x)dx ≤ f (a) b a g n (x)dx,(108)we obtain the desired statement of Item (D1) when G is C 1 -continuous.In the general case, G can be approximated by a C 1 -continuous function satisfying the desired conditions.So, we obtain the desired statement of Item (D1) in the general case.Applying −f and −g to Item (D1), we obtain Item (D2).Applying f (a + b − x) and g(a + b − x) to Items (D1) and (D2), we obtain Items (D3) and (D4), respectively.

TABLE I SUMMARY
OF PARAMETERS.cAB IS COVARIANCE BETWEEN A AND B. vB IS VARIANCE OF B. vY IS VARIANCE OF Y .THESE PARAMETERS ARE KNOWN TO BE EVE.
B a A E a A Fig. 1.Eve injects artificial noise to Bob's observation.eB = e ′ B + e ′′ B .
Also, P B|E ′′ =e ′′ is the Gaussian distribution with average e ′′ + e B and variance a 2 B .Proof.We use the same notations as Theorem 1.Since a B b E