1. Post-processing for
quantum key distribution
Xiongfeng Ma
CQIQC, University of Toronto
Institute for Quantum Computing
Chi-Hang Fred Fung, Jean-Christian Boileau, Hoi Fung Chau
Computers & Security 30, 172 – 177 (2011)
Phys. Rev. A 81, 012318 (2010)
1
4. Private key cryptosystem
Alice and Bob share two identical keys
secretly: one-time pad
Encode Decode
Message 10010110101 10101100001 Code
XOR XOR
Key 00111010100 00111010100 Key
Code 10101100001 10010110101 Message
Alice
Bob
Key Distribution
4
5. Quantum key distribution
BB84 (Bennett & Brassard 1984)
Alice Bob
0101100 110100 0101110
01X11X0 11X10X0 01X11X0
Eve
0:
1: 1110100
5
6. Biased basis choice
Standard BB84
Alice and Bob choose X- and Z-basis with equal
probabilities (50/50)
Basis sift factor: 1/2
Efficient BB84
Alice and Bob choose X- and Z-basis with different
probabilities, i.e., with a bias
Basis sift factor: approaches to 1 asymptotically
Trade-off
In practice, a larger bias leads to less accurate phase
error rate estimation. Think about the extreme case.
H.-K. Lo, H. F. Chau, and M. Ardehali, J. Crypto. 18, 133 (2005).
6
7. In practice
Biased basis ratio, e.g., 90% for Z-basis
and 10% for X-basis
Bit reconciliation
Error correction: straightforward*
Authentication and error verification
Privacy amplification
Amount: phase error rate estimation
Efficiency: hash matrix construction
Confidence level on the final key
Security parameters
7
8. Objectives
Link between security analyses and
experiments
Infinite-key analysis to finite-key analysis
Post-processing
From raw key to final key, step by step
Parameter optimization
Biased basis choice
Security parameter vs. secure-key cost
Towards a security analysis standard
Security claim
Final key size evaluation
Underlying assumptions
8
9. Take-home messages
A practical post-processing scheme: step by step
Basis independent source
Squashing model compatible detection system
Biased basis ratio
Typically, 90:10
Authentication: can be done efficiently in practice
Error verification: essentially an authentication scheme
Phase error estimation: a strict bound
Main contribution to the finite-key effect
Efficiency of privacy amplification: high
Other sources and protocols: yet to be done
Decoy state, COW, DPS, …
X. Ma, C.-H. F. Fung, J.-C. Boileau, H. F. Chau, Computers &
Security 30, 172 – 177 (2011) 9
11. A quick review
Prepare-and-measure protocols
BB84, six-state…
Entanglement based protocols
Ekert91, BBM92
Unconditional security proof
Mayers (1996)
Lo and Chau (1999)
Shor and Preskill (2000)
Devetak and Winter (2003), Renner (2005)
Security analysis for QKD with imperfect devices
E.g. Mayers, Lütkenhaus, ILM
Koashi-Preskill
Gottesman-Lo-Lütkenhaus-Preskill (GLLP)
11
12. Entanglement based protocols
Alice (or Eve) prepares an EPR pair
Ψ AB
= 1
2
( 00 + 11 )
Alice and Bob each measures one half of the
pair
Estimate bit and phase error rates
Z basis measurement (bit)
|0> or |1>
X basis measurement (phase)
|0>+|1> or |0>-|1>
C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. Wootters,
PRA 54, 3824 (1996). 12
13. Entanglement distillation protocol
Entanglement distillation (Lo & Chau 99)
1. Bit error correction
2. Phase error correction
3. Share (almost) pure EPR pairs
4. Measure in Z basis to get final key
Reduce to prepare-and-measure schemes
(Shor & Preskill 00)
Put the final key measurement ahead by moving 4
ahead of 1
Error correction
Privacy amplification
13
14. Underlying assumptions
Characterized source or basis-independent source
Single photon (qubit) source
Coherent state source: decoy state
Entangled source
Detection system: compatible with the squashing model
Threshold detector
No efficiency mismatch
Classical accessories
authentication; error correction; classical communication;
random number generators; key management;
Secure key cost: asymptotically negligible
Infinite key limit
Rates → probabilities
Failure probability → 0
N. J. Beaudry, T. Moroder, and N. Lütkenhaus, Phys. Rev. Lett. , 101,
093601, (2008). 14
15. Basis independent setup
BBM92 (Bennett, Brassard & Mermin 1992)
One can assume
Eve has a full
control of the
source.
The basis choice is
independent of the
state in the channel.
The source can be
treated as a perfect
single photon (qubit)
Eve
or EPR source.
M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003).
X. Ma, C.-H. F. Fung, and H.-K. Lo, PRA 76, 012307 (2007). 15
17. Finite-key issues
Initial key
Authentication: man-in-the-middle attack
Other uses: encryption of classical communication in the post-
processing
Composability
Generated key may be used for the next round of QKD
Key growth rather than key distribution
No perfect key in real-life
Identical: Alice and Bob share the same key
Real-life: no perfect error correction code, i.e., any error
correction code can only guarantee with a certain confidence
interval
Private: Eve knows nothing about the final key
Real-life: Eve can just guess the bit values of the initial key with
a successful probability, ε=2-k
17
18. Naïve security definitions
Secure key cost in post-processing
Key cost (k) < key generation (n)
A fixed failure probability for an arbitrary number of
rounds, ε, [too strong]
With Eve’s simple guess + man-in-the-middle attack: ε=2-k, for
each round
The failure probability for n rounds (potentially n attacks) is at
least n2-k, linear dependence
Small portion of the initial key known by Eve, [too weak]
Even exponentially small is not strong enough due to continuous
use of the QKD system
Requirement of composability
18
19. Composable security
Confidence interval / Failure probability
Confidence interval: the probability that the final key is identical
and private, 1-ε
The failure probability for n rounds: nε, linear dependence
Exponentially decreasing with key cost k
A rough guess: ε=2-O(k) per round
Smaller than a certain threshold determined by some practical
use of the key, say 10-10
Remark: it does not mean Eve knows nε-bit information about
the final key
Composable security definition
Failure probability is smaller than the pre-determined threshold
for all rounds of QKD system usages
M. Ben-Or et al, in TCC (2005), 386.
R. Renner and R. König, in TCC (2005), 407. 19
20. Security measures
Fidelity: failure probability
Lo, Chau and other prior works
M. Hayashi
M. Koashi
Trace distance
R. Canetti (2001)
M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J.
Oppenheim (2005)
R. Renner and R. König (2005)
Workshop, Finite-Size Effects in QKD (Singapore,
2008)
Two approaches are equivalent
Renner: we should use trace distance
20
21. To-do list
Re-exam security proofs
Underlying assumptions
Formulas from asymptotic security analyses should be re-
derived
Note: all the security analyses are about privacy amplification
Calculate failure probability and secure-key cost
For each step: basis sift, error correction, authentication, error
verification, and phase error rate estimation
Efficiency of privacy amplification
Parameter optimization
Biased basis choice
secure-key cost for each step
We have all the recipes ready: put them together
21
23. Underlying assumptions
A single photon (qubit) source or a basis-
independent source
Coherent state (e.g., with decoy state) QKD:
in progress
A detection system: compatible with the
squashing model
Classical communication
Random number generator and key
management
23
24. Flow chart
M. Hayashi, D. W. Leung,
H.-K. Lo, N. Lütkenhaus,
M. Koashi, X. Mo, B. Qi,
R. Renner, V. Scarani, D.
Stebila, K. Tamaki, W.
Tittel
Workshop, Quantum
Works QKD Meeting
(Waterloo, Canada)
Workshop, Finite-Size
Effects in QKD
(Singapore)
N. Lütkenhaus, Phys.
Rev. A 59, 3301 (1999):
using error verification to
replace error testing.
24
25. Procedures I
Key sift [neither authenticated nor encrypted]
Discard all no-clicks and randomly assign double-
clicks
Other sift scheme might be applied, e.g., Ma, Moroder
and Lütkenhaus, arXiv:0812.4301 (2008)
tkenhaus
Basis sift [authenticated but not encrypted]
Use a 2k-bit secure key to generate a Toeplitz matrix
Calculate the tag by multiply the matrix with her/his
basis string
Send each other the basis string with the tag
Discard those bits that used different bases
Other sift scheme might be applied, e.g., SARG’04
25
26. Procedures II
Error correction [not authenticated but encrypted]
Any error correction scheme can be applied here
Count the number of bits in the classical
communication
Error verification [essentially an authentication
problem]
Alice sends an encrypted tag to Bob
Bob verify the tag
If failed, they can go back to error correction again
26
27. Procedures III
Phase error rate estimation
Prob.{phase error} = Prob.{bit error}
Asymptotically, rates → probabilities
A simple random sampling problem
27
28. Procedure IV
Privacy amplification [authenticated but
not encrypted]
Alice generates an nx+nz+l-1bit random bit
string and sends it to Bob through an
authenticated channel
They use this random bit string to generate a
Teoplitz matrix to do privacy amplification
28
29. Final key rate
Key rate formula
Finite-key effect
Phase error rate estimation, which determines the
biased basis choice
k3: cost of authentication, error verification, efficiency
of privacy amplification
29
30. Optimization
Parameters to be optimized
Failure probabilities:
Key costs:
Finite-key effect
Net key growth: NR≥l-kec-k3
Failure probability: ε=εph + ε3
The contribution of ε3 is negligible, when the
final key length >> 37 bits
30
31. Finite-key effects
Error correction [fixed]
Phase error Other parts
rate estimation: Authentication
The amount of Error
privacy verification
amplification Efficiency of
Optimal basis privacy
bias amplification
31
32. Quick results
An extreme example
Raw key size n=1030 and ε=10-30;
k3=947 bits and ε3<10-32
A typical example
n=107, ε=10-7;
k3=202 bits and ε3<10-9
Observation
Main effect comes from phase error estimation
The efficiency of privacy amplification is close to 1
The costs of authentication and error verification are
negligible in a normal (say, data size >10k)
experiment
32
33. 1
0.95
0.9
0.85
0.8
ex=ez=4%
Bias
0.75 ε=10-7
100% error correction efficiency
0.7
0.65
0.6
px set by Alice
0.55 qx obtained by Bob
0.5 2 4 6 8 10 12
10 10 10 10 10 10
Raw key data size 33
35. 5
10
min data size to yield a positive key minimun data size
4
10
3
10
ex=ez=4%
100% error correction efficiency
2
10 -100 -80 -60 -40 -20 0
10 10 10 10 10 10
failure probability ε 35
36. Conclusion
A practical post-processing scheme with
failure probability as the security definition
Error verification: essentially an
authentication scheme
Phase error estimation: a strict bound
Efficiency of privacy amplification: high
Parameter optimization: main finite-key
effect comes from phase error rate
estimation
36
37. Further discussion
Further improvement in the privacy amplification
step: no classical communication needed?
Efficiency: failure probability, secure-key cost
Extractors for privacy amplification
Detector efficiency mismatch
Squashing model
Finite-key analysis for the decoy-state QKD
Statistics (software)
Hardware
Computational complexity
On-line post-processing
Random number consumption
Extractors
37
38. References
X. Ma, C.-H. F. Fung, J.-C. Boileau, H. F. Chau, Computers &
Security 30, 172 – 177 (2011)
C.-H. F. Fung, X. Ma, and H. F. Chau, Phys. Rev. A 81, 012318
(2010)
H. Krawczyk, in Advances in Cryptology - CRYPTO'94 (Springer-
Verlag, 1994), 893, 129-139.
N. Lütkenhaus, Phys. Rev. A 59, 3301 (1999).
M. Koashi and J. Preskill, Phys. Rev. Lett. , 90, 057902, (2003).
M. Ben-Or et al, in TCC (2005), 386.
R. Renner and R. König, in TCC (2005), 407.
M. Hayashi, Phys. Rev. A 74, 022307 (2006).
X. Ma, C.-H. F. Fung, and H.-K. Lo, PRA 76, 012307 (2007).
V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008).
T. Tsurumaru and K. Tamaki, Phys. Rev. A 78, 032302 (2008).
N. J. Beaudry, T. Moroder, and N. Lütkenhaus, Phys. Rev. Lett. 101,
093601 (2008).
38
39. Another interesting topic
Efficiency loophole
Long existing problem in Bell’s inequality tests
QKD system
Detector efficiency mismatch
Dead time / after pulse
Attacks
Time-shift attack
Other freedoms: space, frequency, …
Even practical one-time encryption
Efficiency-loophole free QKD
X. Ma, T. Moroder, and N. Lütkenhaus, arXiv:0812.4301, (2008).
39