One-way information reconciliation schemes of quantum key distribution

With the rapid improvement of quantum computing technology, quantum key distribution (QKD) is a hot technology. Information reconciliation is a key step of QKD which is used for correcting key errors. Classical message interaction is necessary in a practical information reconciliation scheme, which decreases the efficiency of these protocols. Therefore, some one-way information reconciliation schemes based on low-density parity-check (LDPC) codes and polar codes have been proposed. Here we propose a concatenated method of IR schemes which can achieve any given error rate level without the need for interactions. Compared with the one-way IR schemes based on LDPC codes and polar codes, the IR schemes based on the proposed concatenated method can reach lower bit error rates after error correction, which can also reduce the communication delay and system complexity of QKD, improve the final key generation rate and enhance the practicability of the QKD system.


Introduction
After physical signal transmission, an unconditionally secure key distribution protocol [1,2] can be divided into three parts: advantage distillation [3], information reconciliation (IR) [4] and privacy amplification [5,6,7]. Quantum key distribution (QKD) is a mature unconditionally secure key distribution scheme with three phases: quantum signal transmission, raw key distillation (or advantage distillation), and classical data post-processing. IR is a basic step of classical data post-processing. Several IR protocols have been presented. In 1992, Bennett et al. [8] proposed an IR protocol called Binary. Binary is simple and easy to operate, but it needs frequent interactive communication. It cannot find an even number of errors in a block. In 1993, Brassard et al. [9] proposed an IR protocol called Cascade, which can correct two errors in a block. Though its error correction ability is stronger than Binary's, its computation and communication complexity is larger. In 1999, Biham et al. [10] proposed an IR scheme based on syndrome error correction. After that, Mayers et al. [11] proposed an IR scheme based on error correcting codes. Yang et al. [12] suggested a key redistribution scheme for IR. These three IR protocols are non-interactive ones. In 2003, Buttler et al. [17] proposed an IR scheme called Winnow. The number of error correction rounds of Winnow is fewer than for Binary and Cascade, but its error correction ability is limited.
It is clear that an IR needs to employ multi-round error correction to make the error rate reach an acceptable level in a practical QKD system. Since the problem an IR protocol deals with is not the errors of a single bit string but the inconsistency between two bit strings, we cannot use the well-known concatenated error correction codes directly. Binary, Cascade, and Winnow are all multi-round protocols. They adopt interactive communication to achieve an acceptable error rate level. However, the interactive communication causes extra time consumption, and becomes a bottleneck of QKD's development. The non-interactive IR protocols such as those presented in [10,11,12] all use one round of error correction. They cannot achieve the practically acceptable low error rate. Thus it is necessary to construct new IR protocols. Here we propose a concatenating procedure for IR. The IR protocols designed based on this idea can reduce the error rate to any given level via only a single one-way communication, and thus may improve the efficiency of QKD's post-processing.
The techniques used in the construction of concatenated IR schemes are introduced in Sec. 2. Some selection criteria of the error correction code in the concatenated method under a certain error rate of the channel are given in Sec. 3. The construction method of a concatenated IR scheme with three examples is given in Sec. 4. Some discussion and the conclusion are given in Sec. 5 and Sec. 6, respectively.

Wire link permutation
Wire link permutation (WLP) is a simple and fast digital circuit bit-permutation technique which works without the help of gate circuits. There are many different WLPs. We can see that, in an IR protocol, it is necessary to do a random bit permutation between any two successive error correction rounds. The permutation used in an IR protocol should be as uniform as possible; that means the bits in a block should be dispersed uniformly into different blocks after a permutation. A proper WLP is shown in Fig. 1.
Figure 1: The wire link permutation W adopted in our scheme.
We can see that after the permutation W the first bit of the first block (a_11, a_12, ..., a_1n) is put in the first position in the new round; the first bit of the second block (a_21, a_22, ..., a_2n) is put in the second position in the new round, etc.; go on like this until the last block (a_m1, a_m2, ..., a_mn): its first bit a_m1 is put in the m-th position in the new round, etc. The WLP should be done between each pair of successive error correction rounds. The i-th permutation W_i is as follows, We can rearrange the data string (a_mn) into a matrix as It can be seen that every row is a codeword before the permutation, and every column is a codeword after the permutation. Since W^(i) changes the rows into the columns, it is just a transpose operation of the matrix A^(i). Thus,

Non-interactive IR schemes
There are three kinds of non-interactive IR schemes. The first one is the syndrome IR scheme [10]. In this scheme, Alice sends syndromes to do error correction. Bob uses the equation s_A ⊕ s_B = H(K_A ⊕ K_B) to correct his raw key K_B to Alice's raw key K_A. The second one is the IR scheme of Mayers [11]. In this scheme, Alice encodes a local random string x to get the codeword c, and uses her raw key K_A as a one-time pad on it to get c ⊕ K_A. Then she sends it to Bob. Bob adds his raw key K_B to it to get (c ⊕ K_A) ⊕ K_B = c ⊕ e, and decodes it to get the codeword c. Then he adds it to the received c ⊕ K_A to get K_A. The third one is the key redistribution scheme [12]. The basic idea of this scheme is: Alice first encodes a local random bit string with an error correcting code, then she uses her raw key as a one-time pad on the codeword and transmits it to Bob. Bob adds his raw key to the received bit string and decodes the error correcting code to get Alice's local random bit string, then takes it as the secret key between them. The whole protocol can be summarized as follows.
1. Alice generates a random bit string x.
2. Alice uses a generator matrix g to encode x and gets the codeword c, where g is a global public parameter.
3. Alice uses the raw key K_a to do a bitwise XOR operation with the code string c to get K_a ⊕ c. Then she transmits it to Bob.
4. Bob does the same operation on the received string with K_b and gets (c ⊕ K_a) ⊕ K_b = c ⊕ e. He uses the check matrix h and c ⊕ e to calculate the syndrome s. Using s, he gets the error vector e and the codeword c. Then he gets the random bit string x by decoding c, and takes it as the secret key between them.
If the generator matrix is kept secret, the key redistribution protocol may generate a secure final key. It can also realize group-oriented key distribution, personal identification, and message authentication for a non-broadcast channel via key-controlled error-correcting codes. Thus the key redistribution protocol may realize the IR and the privacy amplification in one step. The CRC-based MAC designed for stream ciphers [13,14] is a scheme with information-theoretic security based on a cyclic redundancy code (CRC). An LFSR can be used to realize rapid polynomial division in a CRC authentication scheme. This kind of authentication scheme can authenticate a large amount of messages while consuming only a few key bits. For this reason, we suggest using it to authenticate the classical channel of QKD. The CRC-based authentication scheme is as follows.

Classical message authentication using CRC-based MAC
Denote the n-bit message to be authenticated as M, the CRC hash function as h, and the MAC value as aut. The output of h is an m-bit string.

1. Alice and Bob secretly preshare a binary irreducible polynomial p(x) of degree m, and an m-bit random string K as their one-time pad key.
2. Alice calculates
3. Alice gets the m-bit aut of M by calculating h(M) ⊕ K.
4. Alice sends aut and M to Bob.
5. Bob uses the received M′ to calculate an aut″, and checks whether it is equal to the aut′ he received.
The successful attack probability is (n + m)/2^(m−1) [13] for any n and m > 1.

Hamming code [15]
The [n, n−k, 3] Hamming code over F_2 with n = 2^k − 1 has a fast error correction algorithm thanks to its special structure. Assign a serial number from 1 to n to denote the position of each bit in a codeword. The check bits are inserted at the 2^l-th positions, where 0 ≤ l < k. The remaining positions are information bits. Its generator matrix is obtained by exchanging the 2^l-th column with the (n − l)-th column of the corresponding systematic code, respectively, where 0 ≤ l < k. The decoding method is multiplying the received bit string with the parity check matrix to get the syndrome s = (s_1, ..., s_k); then the binary number (s_1 ... s_k)_2 indicates exactly the position of the error bit in the codeword.
Considering the fast decoding algorithm of the Hamming code, we choose it as the error-correcting code to be concatenated in our concatenated IR scheme.

Some selection criteria of concatenated IR schemes
Usually, after one error correction round, we can hardly reduce the error rate to an acceptable level, thus we have to do more error correction rounds. Binary, Cascade and Winnow include multi-round error correction, and need a parity check before every round to determine whether a block needs to be corrected. The necessary interactive communication decreases the efficiency of these protocols. The original schemes of Biham [10], Mayers [11] and the key redistribution [12] employ only one-round error correction, which cannot reduce the error rate to an acceptable level in a practical system. In order to realize both a single one-way communication and an acceptable error rate level simultaneously, we suggest a concatenating method of IR. All three one-round IR protocols can be reconstructed based on this idea. In this section, we will prove some selection criteria for choosing the number of rounds and the error correcting code under a given error rate of the channel.
Definition 1 [16]. Let C be a linear code of length n and let A_i be the number of codewords of weight i, then For the binary Hamming code of length n, the weight enumerator It should be noticed that, for a Hamming code, n = 2^k − 1 is an odd number. From Eq. (3), comparing the polynomial coefficients of the two sides of Eq. (3), we get that and all other coefficients are non-zero integers. For example, for the code [7,4,3], n = 7, we get A(z, 7) = 1 + 7z^3 + 7z^4 + z^7. For the code [15,11,3], n = 15, we get A(z, 15) = 1 + 35z Comparing the coefficients with A(z, n) = Σ_{k=0}^{n} A_k z^k, we get .
Definition 2 [16]. Let C ⊆ Q^n be a code with M words. We define The sequence (A_i)_{i=0}^{n} is called the distance distribution or inner distribution of C.
Note that if C is linear, the distance distribution is the weight distribution. Thus, for a Hamming code, the weight distribution and the distance distribution are the same. With the weight distribution of the Hamming code calculated in Eq. (2), we get that its distance distribution is (A_k)_{k=0}^{n}, here This means, for any Hamming codeword c of length n, the number of codewords at distance i from c is Suppose a Hamming code of length n is used and the bit error probability is p; then the expected number of errors per block before decoding is np.
(a) If one error occurs, the number of error bits is zero after error correction.
(b) If k (2 ≤ k ≤ n − 1) errors occur, there are two situations when executing error correction: 1. The k errors turn one codeword into another codeword. In this situation, we cannot use the error-correcting code to correct any of the errors.
There are still k errors after error correction. For any Hamming codeword c of length n, the number of codewords at distance k from c is A_k. Thus, the probability of this situation is This means there will still be k errors with probability A_k p^k (1 − p)^{n−k} after error correction. 2. The k errors do not turn the codeword into another codeword. In this situation, the error correction may correct one error to reduce the number of errors to k − 1. But it may also cause a new error, increasing the number of errors to k + 1. This means we get a new codeword at distance k − 1 from codeword c or a new codeword at distance k + 1 from codeword c. For any codeword c, the numbers of codewords at distance k − 1 and k + 1 from c are A_{k−1} and A_{k+1}, respectively. Thus, after error correction we get one of the A_{k−1} + A_{k+1} codewords. Suppose each codeword can be obtained with the same probability in the error correction. After error correction the probability of reducing the number of errors to k − 1 is

and the probability of increasing the error number to k + 1 is
The probability that k errors do not turn the codeword c into another codeword is (C(n,k) − A_k) p^k (1 − p)^{n−k}, because the number of codewords at distance k from c is A_k. Thus, the probability that k errors cannot turn a codeword into another codeword and the number of errors is reduced to The probability that k errors cannot turn a codeword into another codeword and the number of errors is increased to When n errors occur, since A_n = 1, the number of codewords at distance n from c is 1. The length of the codeword is n, thus if all of the n bits are wrong, there is only C(n,n) = 1 situation. Thus n errors can only turn a codeword into another codeword. In this situation there are still n errors after error correction. The probability of this situation is p^n.
From the above analysis, we can calculate the mathematical expectation of the number of errors in each block after error correction. Let the bit error probability after error correction be p_1. Thus after error correction the mathematical expectation of the number of errors in each block is np_1.
Here, denote From the above equation, we can get Thus, p_1 < p is equivalent to the following equation For the Hamming code of length n = 7, we have From p_1 < p, we get This means we can use the error-correcting code to reduce the error rate if and only if the bit error probability p satisfies 0 < p < From Fig. 2 we can see that there are five points of intersection between the curve and the X-axis. They are 0, )], p_1 will go towards 1/2 after error correction. In this situation we cannot correct the errors. The interval of p where we can use this code is [0, Comparing Fig. 3 with Fig. 2 we can see that the effective interval of the Hamming code [15,11,3] is smaller than that of the Hamming code [7,4,3].
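As an added example (not the paper's own code), the error-evolution model of this section in Python: the weight distribution A_i of the Hamming code is obtained by enumeration, p_1 is computed from cases (a), (b) and the all-errors case exactly as described above, with the uniform-choice assumption among the A_{k−1} + A_{k+1} neighbouring codewords, and Corollary 1's threshold p_th = 2/(3(n − 1)) is included for comparison.

```python
from math import comb


def hamming_length(k):
    """Length n = 2^k - 1 of the [n, n-k, 3] binary Hamming code."""
    return 2 ** k - 1


def hamming_weight_distribution(k):
    """A_0, ..., A_n of the [n, n-k, 3] Hamming code, found by enumerating all
    2^n words and keeping those with zero syndrome; the syndrome of a word is
    the XOR of the 1-based positions of its set bits (the decoding rule of
    the Hamming code subsection). Feasible for k <= 4, i.e. n <= 15."""
    n = hamming_length(k)
    dist = [0] * (n + 1)
    for word in range(1 << n):
        syn, rest, pos = 0, word, 1
        while rest:
            if rest & 1:
                syn ^= pos
            rest >>= 1
            pos += 1
        if syn == 0:
            dist[bin(word).count("1")] += 1
    return dist


def error_rate_after_round(k, p):
    """Bit error rate p_1 after one round, following the case analysis above:
    0 or 1 errors -> 0 left; e errors landing on another codeword (A_e of the
    C(n,e) patterns) -> still e; otherwise the decoder ends at one of the
    A_{e-1} + A_{e+1} neighbouring codewords, each assumed equally likely;
    all n bits wrong -> still n. p_1 = E[errors per block] / n."""
    n = hamming_length(k)
    A = hamming_weight_distribution(k)
    expected = 0.0
    for e in range(2, n):
        pattern = p ** e * (1 - p) ** (n - e)
        expected += e * A[e] * pattern
        non_codeword = (comb(n, e) - A[e]) * pattern
        neighbours = A[e - 1] + A[e + 1]
        if neighbours:
            expected += (e - 1) * non_codeword * A[e - 1] / neighbours
            expected += (e + 1) * non_codeword * A[e + 1] / neighbours
    expected += n * p ** n
    return expected / n


def code_is_useful(k, p):
    """The code reduces the error rate at channel error rate p iff p_1 < p."""
    return error_rate_after_round(k, p) < p


def corollary_threshold(k):
    """Corollary 1's sufficient condition p_th = 2 / (3 (n - 1))."""
    return 2 / (3 * (hamming_length(k) - 1))


if __name__ == "__main__":
    for k in (3, 4):
        print("n =", hamming_length(k), "A =", hamming_weight_distribution(k))
        for p in (0.01, 0.03, 0.05, 0.1):
            print(f"  p={p} p_1={error_rate_after_round(k, p):.5f}",
                  "useful" if code_is_useful(k, p) else "not useful")
```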
Lemma 1. Let C be the [n, n − k, 3] Hamming code over F_2, where n = 2^k − 1. Suppose the upper bound of the average number of errors per block after one error correction round with C is χ; then we have where p is the bit error rate of the channel.
When C is used as the error correcting code, if the bit error rate p satisfies the condition p < , then the concatenated error correction scheme can achieve any given error rate level.
Corollary 1. If the bit error rate p < p_th = 2/(3(n − 1)), the concatenated error correction scheme can reduce the error rate to any given level.
Tables 1 and 2 show the concatenating results based on Eq. (8), which are useful for choosing the proper error correcting code and the concatenating depth l. Parameter η is the information rate of the concatenated IR algorithm. α is the final error rate of the concatenated IR algorithm. It is required that after l rounds of error correction the final error rate α should be below 1 × 10^−9. According to this criterion, the required number of error correction rounds l and the final left bit rate are determined. The results based on the Hamming codes [15,11,3] and [7,4,3] are given in Table 1 and Table 2, respectively. If the channel error rate p, the final error rate α and the error correcting code are given, the concatenating depth l is determined.

The construction of concatenated IR schemes
Based on the selection criteria given in Sec. 3, the three IR schemes [10,11,12] are constructed with the concatenating method as follows. I. Firstly we consider the reconstruction of Biham's syndrome error correction protocol [10]. Following Winnow [17], we choose the [n, n − k, 3] Hamming code. Currently a typical error rate for QKD IR protocols to deal with is less than 5%. According to Theorem 1, we can choose the [15,11,3] Hamming code as the basic code, whose error correction ability is 6.7%. The protocol is as follows.
1. Alice divides the raw key string into 15-bit blocks and then performs the permutation W on it. Alice calculates the syndromes s_Ai^(j), and discards the check bits of each block; here i is the serial number of the block, and j is the serial number of the round. Alice repeats the above operations from j = 1 to j = l, to get the syndromes s_Ai^(1), ..., s_Ai^(l), i = 1, ..., n, where l is the predetermined number of correction rounds. Alice's final bit string is the common random string to be privacy amplified.
2. Alice takes the syndromes s_Ai^(1), ..., s_Ai^(l) (i = 1, ..., n) as her message to be sent. She uses the CRC authentication algorithm to calculate the MAC of the message and sends the MAC and the message to Bob.
3. After receiving the sequence s_Ai^(1), ..., s_Ai^(l), Bob uses the CRC authentication algorithm and the one-time pad key K to check whether the message comes from Alice and has not been changed. If the authentication passes, Bob uses the wire link permutation W to transform his raw key and calculates the syndrome s_Bi of every block. Then he calculates the i-th syndrome s_Bi, and does error correction on the i-th block, i = 1, ..., n. After the error correction of the first round he discards all the check bits. Bob repeats the above operations to get the syndromes s_Bi^(j), i = 1, ..., n, and performs error correction from j = 1 to j = l. Finally he gets Alice's key after l rounds of error correction.
Error rate estimation via the public channel is another basic step of QKD. It is usually an interactive process. We can leave it out by using the concatenating IR scheme. For a given error rate of the raw key, after the first round of syndrome calculation, the rate of non-zero syndromes should be less than a threshold. E.g., if the given error rate is p, the non-zero rate of syndromes of the first error correction round is less than (1 − p)^n. If the rate is beyond this threshold, Bob simply informs Alice to give up this packet. Otherwise, Bob continues his process. In QKD, after the basis sifting step, the classical data post-processing, together with error estimation using our method, can be constructed into a single protocol with almost one-way classical communication.
We can see that there are at least three interactions in a BB84 QKD protocol. The first one is the quantum signal transmission from Alice to Bob; the second one is the measurement information transmission from Bob to Alice: Bob informs Alice of the positions of the qubits received and the bases of his measurements; the third one is a classical packet from Alice to Bob: a bit string representing the positions of the raw key bits she selected, and a sequence of syndromes, which Alice puts in a packet and sends to Bob. Then Bob does the error rate check and the post-processing described above. If Bob finds that the non-zero rate of syndromes is bigger than (1 − p)^n, he has to do a fourth interaction to inform Alice to abandon that packet.
The concatenated IR method cannot reduce the information leakage rate. Because the adversary cannot predict the positions of his eavesdropped bits in the raw key, the eavesdropped bits are uniformly located in both the information digits and the check digits of the raw key's codewords. After each error correction round, the remaining bit string is permuted by the wire link permutation. Thus the remaining leaked bits will be uniformly distributed in both the information digits and the check digits of the next round's blocks. Suppose the eavesdropping rate of the adversary is η. After abandoning the check bits in each error correction round, the length of a block decreases from n bits to k bits. After l rounds of error correction, there are (k/n)^l ηn leaked bits left. Thus, after l rounds of reconciliation, the final information leakage rate is still η, and the parameters of privacy amplification remain the same.
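As an added example (not code from the paper), a Python simulation of the concatenated syndrome IR scheme I above with the [15,11,3] Hamming code: Alice's per-round syndromes are the only message, Bob corrects each block with s_A ⊕ s_B = H(K_A ⊕ K_B), both discard the check bits at the positions 2^l, and the wire link permutation is the transpose-and-reblock of Sec. 2 (the CRC authentication of the message is left out here). The binary symmetric channel sample is constructed, and dropping a leftover shorter than one block after re-blocking is my assumption.

```python
import random


def syndrome(block):
    """Hamming syndrome: XOR of the 1-based positions of the set bits.
    A non-zero value is the position of a single flipped bit."""
    s = 0
    for pos, bit in enumerate(block, start=1):
        if bit:
            s ^= pos
    return s


def drop_check_bits(block):
    """Discard the check bits, which sit at the power-of-two positions 2^l."""
    return [bit for pos, bit in enumerate(block, start=1) if pos & (pos - 1)]


def wire_link_permutation(blocks, n):
    """WLP of Sec. 2: rows of the block matrix become columns (a transpose),
    then the bits are re-blocked into n-bit blocks. Dropping a leftover
    shorter than n is an assumption of this example, not from the paper."""
    width = len(blocks[0])
    flat = [row[c] for c in range(width) for row in blocks]
    return [flat[i:i + n] for i in range(0, len(flat) - n + 1, n)]


def alice_round(blocks):
    """Alice's side of one round: the syndromes are her one-way message."""
    return [syndrome(b) for b in blocks], [drop_check_bits(b) for b in blocks]


def bob_round(blocks, alice_syndromes):
    """Bob flips the bit at s_A xor s_B = H(K_A xor K_B), then drops check bits."""
    corrected = []
    for block, s_a in zip(blocks, alice_syndromes):
        block = list(block)
        pos = syndrome(block) ^ s_a
        if pos:
            block[pos - 1] ^= 1
        corrected.append(drop_check_bits(block))
    return corrected


def concatenated_ir(alice_key, bob_key, n, rounds):
    """l = rounds rounds of permute / syndrome / correct / discard (scheme I)."""
    a_blocks = [alice_key[i:i + n] for i in range(0, len(alice_key) - n + 1, n)]
    b_blocks = [bob_key[i:i + n] for i in range(0, len(bob_key) - n + 1, n)]
    for _ in range(rounds):
        a_blocks = wire_link_permutation(a_blocks, n)
        b_blocks = wire_link_permutation(b_blocks, n)
        syndromes, a_blocks = alice_round(a_blocks)
        b_blocks = bob_round(b_blocks, syndromes)
    return [b for blk in a_blocks for b in blk], [b for blk in b_blocks for b in blk]


def error_rate(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a) if a else 0.0


def simulate(p, n=15, rounds=3, key_len=15 ** 3, seed=1):
    """Constructed experiment: Bob's raw key is Alice's passed through a binary
    symmetric channel with crossover p. Returns (rate before, rate after, bits left)."""
    rng = random.Random(seed)
    alice = [rng.randint(0, 1) for _ in range(key_len)]
    bob = [bit ^ int(rng.random() < p) for bit in alice]
    a_fin, b_fin = concatenated_ir(alice, bob, n, rounds)
    return error_rate(alice, bob), error_rate(a_fin, b_fin), len(a_fin)


if __name__ == "__main__":
    print([simulate(p) for p in (0.0, 0.01, 0.02, 0.05)])
```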

Conclusion
We suggest a concatenating way to improve the efficiency of IR schemes, and construct three one-way concatenated IR schemes for QKD. The IR schemes designed based on this idea can work with only a single one-way communication and achieve any given error rate level, and thus may improve the efficiency of QKD's post-processing. In addition, a QKD scheme with this kind of IR may omit the separate interaction for error rate estimation.

Proof of Corollary 1. A Hamming code can correct a one-bit error without failure. When there are more errors, the correction process may add 1 bit error. Here we consider the upper bound of the average number of errors, thus we assume the number of errors will increase by 1 after error correcting. When there are n bit errors, the number of errors will be reduced by 1 after error correction. Then Thus, when p < 2/(3(n − 1)), the condition Eq. (D.1) holds. Let p_th = 2/(3(n − 1)). Thus if p < p_th, according to Theorem 1, the concatenated error correction scheme can reduce the error rate to any given level.

Figure 3: The error rate after error correction p_1 varies with the initial error rate p when n = 15.


Table 1: Concatenated IR based on the [15,11,3] code. p represents the channel error rate. l represents the needed error correction rounds. α represents the final error rate. η represents the left bit rate.

Table 2: Concatenated IR based on the [7,4,3] code. p represents the channel error rate. l represents the needed error correction rounds. α represents the final error rate. η represents the left bit rate.