Multi-Matrix Post-Processing for Quantum Key Distribution
Chaohui Gao, Dong Jiang, Liangliang Lu, Yu Guo, Lijun Chen

TL;DR
This paper introduces a multi-matrix post-processing scheme for quantum key distribution that enhances error correction efficiency and error rate estimation, leading to higher secure key rates without compromising security.
Contribution
It proposes a multi-low-density parity-check codes based reconciliation scheme with multi-syndrome error estimation, improving efficiency over traditional methods.
Findings
More accurate error rate estimation compared to single-syndrome methods
Significant increase in reconciliation efficiency
Maintains security while improving key rate
Abstract
Post-processing is a significant step in quantum key distribution(QKD), which is used for correcting the quantum-channel noise errors and distilling identical corrected keys between two distant legitimate parties. Efficient error reconciliation protocol, which can lead to an increase in the secure key generation rate, is one of the main performance indicators of QKD setups. In this paper, we propose a multi-low-density parity-check codes based reconciliation scheme, which can provide remarkable perspectives for highly efficient information reconciliation. With testing our approach through data simulation, we show that the proposed scheme combining multi-syndrome-based error rate estimation allows a more accurate estimation about the error rate as compared with random sampling and single-syndrome estimation techniques before the error correction, as well as a significant increase in the…
| Iteration number | Soft-decision value of | Soft-decision value of | Result |
|---|---|---|---|
| 1 | -0.753772 | 0.753772 | fail |
| 2 | 0.753772 | -0.753772 | fail |
| 3 | -0.728434 | 0.728434 | fail |
| 4 | -0.728434 | 0.728434 | fail |
| 5 | -0.704088 | 0.704088 | fail |
| 96 | 0.166115 | -0.166115 | fail |
| 97 | -0.160981 | 0.160981 | fail |
| 98 | 0.160981 | -0.160981 | fail |
| 99 | -0.156007 | 0.156007 | fail |
| 100 | 0.156007 | -0.156007 | fail |
| Iteration number | Soft-decision value of in | Soft-decision value of in | Soft-decision value of in | Soft-decision value of | Soft-decision value of in | Soft-decision value of in | Soft-decision value of in | Soft-decision value of | Result |
|---|---|---|---|---|---|---|---|---|---|
| 1 | -0.753772 | -0.753772 | -0.753772 | -5.0339 | 0.753772 | -2.01882 | -1.38629 | 0.121249 | fail |
| 2 | 0.753772 | -3.46963 | -2.56496 | -8.0534 | -0.753772 | -2.77259 | -3.52636 | -4.28013 | success |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Multi-Matrix Post-Processing for Quantum Key Distribution
Chao-hui Gao
Dong Jiang
State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, 210046, P.R.China
Liang-liang Lu
School of Physics, Nanjing University, Nanjing, 210093, P. R. China
Yu Guo
Li-jun Chen
State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, 210046, P.R.China
(March 17, 2024)
Abstract
Post-processing is a significant step in quantum key distribution(QKD), which is used for correcting the quantum-channel noise errors and distilling identical corrected keys between two distant legitimate parties. Efficient error reconciliation protocol, which can lead to an increase in the secure key generation rate, is one of the main performance indicators of QKD setups. In this paper, we propose a multi-low-density parity-check codes based reconciliation scheme, which can provide remarkable perspectives for highly efficient information reconciliation. With testing our approach through data simulation, we show that the proposed scheme combining multi-syndrome-based error rate estimation allows a more accurate estimation about the error rate as compared with random sampling and single-syndrome estimation techniques before the error correction, as well as a significant increase in the efficiency of the procedure without compromising security and sacrificing reconciliation efficiency.
pacs:
I Introduction
Quantum Key Distribution (QKD) is a class of protocols where the two separated users, Alice and Bob, can share identical secret keys which are secure from the eavesdropper (Eve) Gisin et al. (2002). Since it provides unconditional security guaranteed by laws of quantum mechanics Scarani et al. (2009), QKD has attracted wide attention and many advanced works have been published over recent years Lo et al. (2005, 2012); Liao et al. (2017); Wang (2005). Generally, a QKD protocol can be divided into quantum and classical parts. In the former part, Alice generates and transmits a set of raw key through the quantum channel. Due to Eve’s attacksBennet and Brassard (1984), channel noise, and device imperfection Gerhardt et al. (2010); Weier et al. (2011); Jain et al. (2011), the keys are weakly correlated and partially secure, and Eve may obtain some information about the keys. The classical part, also known as post-processing, is used to correct the errors, and to remove information leakage.
Post-processing consists of base sifting Bennet and Brassard (1984), error estimation Wang (2005); Treeviriyanupab et al. (2014); Kiktenko et al. (2018), key reconciliation Luby et al. (1998) and privacy amplification Bennett et al. (1988, 1995). During base sifting, the bits measured with correct measurement bases in the raw key are kept and constitute the sifted key. Subsequently, Bob uses a key reconciliation algorithm to correct the errors in the sifted key based on the estimated error rate. Finally, Alice and Bob implement privacy amplification to remove information leakage and obtain the final key, which is secure from Eve.
In error estimation, the accuracy of the estimated quantum bit error rate(QBER) effects the operational efficiency of post-processing. If the actual QBER for a given block is larger than the estimate, Bob might end up with a wrong final key. A common method to obtain the QBER for legitimate users is to exchange and compare random sampled sifted key, which can lower the key generation rate due to disclosed bits. Recently, Kiktenko Kiktenko et al. (2018) proposed a distinct approach based on the use of syndromes of low-density parity-check (LDPC) codes to obtain the QBER for each block of the sifted key, allowing more accurate estimation. The suggested algorithm is also suitable for irregular LDPC codes.
In parallel, key reconciliation is the most crucial step of post-processing, which is responsible for correcting the errors in Bob’s sifted key, in such a way that it ensures consistency between Alice’s and Bob’s sifted keys. Belief Propagation (BP) Luby et al. (1998) is the most widely used key reconciliation algorithm, and has attracted intensive study Kou et al. (2001); Zhang and Fossorier (2002); Hocevar (2004); Sharon et al. (2004); Zhang and Fossorier (2004); Chang et al. (2008); Park et al. (2008); Wu et al. (2010); Aslam et al. (2017). There are three criteria for judging a key reconciliation algorithm, namely, convergence speed, bit error rate (BER) and success rate. However, it is hard to meet the three criteria at the same time, which often appears if the syndrome decoding, based on an iterative BP algorithm, fails to converge within the predefined number of iterations (e.g., it could be caused by an inappropriate choice of the LDPC parity-matrices relative to the actual errors in raw keys). This makes key reconciliation the bottleneck of QKD and severely affects the key generation rate for industrial QKD systems.
In this paper, we extend the blind information reconciliation Kiktenko et al. (2017) to multiple LDPC codes and estimate the QBER more accurately by virtue of multiple syndromes without disclosing redundant bits. Experimental results show that a significant increase in the efficiency of the procedure, i.e. faster convergence speed with higher success rate. To prevent extra information leakage in our post-processing scheme, we also give a multiple LDPC codes construction method. Security analysis shows that our key reconciliation scheme does not reveal extra information.
The rest of the paper is organized as follows: in Section II, a briefly review of error estimation and key reconciliation is given, followed by a detail description of the process and advantages of our scheme. Section III provides the novel multi-matrix post-processing approach for error estimation and correction. In Section IV a set of data simulation are carried out to fully evaluate these advantages. The proposed construction method of multiple matrices and the security analysis of the proposed scheme are given in the appendix.
II Preliminaries
In this section, we will first review error estimation and reconciliation. Other parts of post-processing can be referred to Bennet and Brassard (1984); Bennett et al. (1988, 1995).
II.1 Error Estimation
We assume that Alice and Bob possess random sifted keys of equal length, and Bob needs to estimate the error rate of the sifted keys before executing key reconciliation, since is an important input parameter of reconciliation algorithms. The estimation accuracy of directly effects the operational efficiency of post-processing. If is overestimated, Alice will place superfluous information on her syndrome, i.e., more leakage needed to be removed during privacy amplification, leading to relatively low key generation rate. On the contrary, if is underestimated, less information is provided, so Bob spends more time to correct errors during key reconciliation or even end up with wrong final key.
Error estimation can be executed in the several ways. The most well-known method is the random sampling Wang (2005). But its drawback is that if Alice and Bob want to estimate more accurate error rate, they inevitably sacrifice key bits. To solve this problem, P.Treeviriyanupab et al. proposed a new method Treeviriyanupab et al. (2014). In this protocol, Alice and Bob use their syndromes and as input to calculate the maximum likelihood estimation of error rate. Syndromes are generated from a kind of data structure, LDPC code Gallager (1962), which can be presented by a matrix or a Tanner Graph (TG) Tanner (1981). In Fig. 1 (a), an example of binary LDPC matrix is given. The variable nodes (blue circles ) and check nodes (yellow squares) represent bits of key and parity-check equations, respectively Gallager (1962). TG corresponding to this matrix is shown in Fig. 1 (b). An edge connecting a variable node and a check node indicates that the variable node participates in the parity-check equation. In a LDPC code, the degree of a variable node (or check node) is the number of check nodes (or variable nodes) connected to it.
The syndromes, (or ), are simply obtained by multiplying a LDPC matrix and Alice’s (or Bob’s) sifted key. But the method Treeviriyanupab et al. (2014) is applicable only to regular LDPC code, in which all of the variable nodes have the same degrees and so does all check nodes. So Kiktenko et al. extend the scope of application Kiktenko et al. (2018) (hereinafter referred to as the single-syndrome error estimation), which is also suitable for irregular LDPC code.
II.2 Key Reconciliation
BP Luby et al. (1998), also known as the Sum Product (SP) algorithm, can be used for error-correction. Due to its relatively high decoding efficiency and low executing complexity, BP has been widely adopted in QKD to correct the key errors caused by Eve’s attacks, channel noise, etc.
In QKD, if Bob uses BP to correct his sifted key , he first needs to initializes , and variable-to-check (V2C) information as follows,
[TABLE]
[TABLE]
[TABLE]
where is the prior probability of the candidate value of , is the result of error estimation, represents the log likelihood ratio of .
Secondly, as shown in Fig. 2 (a), he generates and propagates check-to-variable (C2V) information by
[TABLE]
where denotes the Alice’s syndrome Mackay (1999), which is the product of and Alice’s sifted key, is the hyperbolic tangent function, is the inverse function of , represents the set of adjacent variable nodes of check nodes except , is a sign function defined as follows:
[TABLE]
Thirdly, as plotted in Fig. 2 (b), Bob updates and propagates V2C information by substituting the generated C2V information into the following equation.
[TABLE]
where, represents the set of adjacent check nodes of except . All of and contain information of posterior probabilities of .
Finally, he calculates the soft-decision value of every variable node as follows,
[TABLE]
then performs the decoding decision on every variable node according to the following equation,
[TABLE]
Bob iterates the last three steps until the decoding is successful (i.e., the equation is satisfied) or the number of iterations reaches the pre-set upper limit.
In each iteration, BP can use different scheduling strategies, which can be divided into three categories Casado et al. (2007): Flooding, Shuffled, and Layer. Flooding first goes through all the check nodes and generates C2V information, then traverses all the variable nodes and updates V2C information. Shuffled uses variable nodes as the traversal sequence, sequentially updates C2V and V2C information between variable nodes and their adjacent check nodes. Layer, on the contrary, uses check nodes as the traversal sequence, sequentially updates C2V and V2C information between check nodes and their adjacent variable nodes. In practical applications, BP, Shuffled Belief Propagation (SBP) Zhang and Fossorier (2002), and Layer Belief Propagation (LBP) Hocevar (2004); Sharon et al. (2004) are the typical representatives of the above three scheduling strategies. For convenience, the algorithms based on single matrix are hereinafter referred to as the single-matrix reconciliation.
III Multi-matrix Post-processing
In this section, we propose a post-processing scheme where users estimate error rate with multiple syndromes and correct errors with multiple matrices (hereinafter referred to as the multi-matrix post-processing). In the multi-matrix post-processing, base sifting and privacy amplification are the same as the original post-processing (hereinafter referred to as the single-matrix post-processing). Here we introduce only error estimation and key reconciliation in the frame of multiple syndromes.
III.1 Multi-syndrome Error Estimation
Each bit of a syndrome represents the relationship of the parity-check equation and the key. By comparing Alice’s syndrome and his own syndrome, Bob can extract some information about error rate. If he uses multiple matrices, he can obtain multiple syndromes, which can be used to estimate the error rate more accurately.
Above all, Bob obtains syndromes from Alice and performs XOR as follows,
[TABLE]
where is the XOR operation, and is the syndromes of Alice and Bob respectively. Then Bob calculates the maximum likelihood estimation of by,
[TABLE]
where is a possible value that may take, . In equation (10), can be obtained via,
[TABLE]
[TABLE]
where is the likelihood function of , is the priori probability of that and are different, is the bit of , is the bit of , is the bit of , is the degree of check node of matrix. As shown in equation (10), evaluates to that maximizes . The “threshold” Richardson and Urbanke (2001); Richardson et al. (2001) is the upper limit of error rate that can be acceptable. If exceeds the “threshold”, the sifted key will be abandoned.
Our method (hereinafter referred to as the multi-syndrome error estimation) is based on the single-syndrome error estimation, but can bring out higher accuracy of estimation. Meanwhile, compared with the random sampling, our method doesn’t need to discard any key bit.
III.2 Multi-matrix Key Reconciliation
Although, theoretical analysis and simulation results show that the single-matrix reconciliation can correct the errors to some extent Sharon et al. (2007), the performances of convergence speed and BER are still limited Casado et al. (2007, 2010), and the success rate is decreased when LDPC code is not cycle-free Tanner (1981); Yazdani et al. (2004). To overcome these problems, we propose a new reconciliation strategy that uses two or more matrices to correct errors in parallel. Let us take multi-matrix BP (MBP) as an example to show the detailed process and advantages of our strategy.
Suppose Alice and Bob have prepared and shared LDPC codes . After obtaining the sifted key , Alice calculates syndromes according to the following equation:
[TABLE]
and sends them to Bob over the classical channel. Because of Eve’s attacks, channel noise, or device imperfection, Bob inevitably obtain different sifted keys with Alice, denoted as .
In our strategy, Bob first initializes the prior probabilities , log likelihood ratios and V2C information for all matrices according to equations (1), (2) and (3), respectively.
Secondly, Bob generates and propagates C2V information according to equation (4).
Thirdly, by substituting C2V information into equation (6), Bob updates and propagates V2C information.
Finally, he goes through all variable nodes to obtain their soft-decision values by
[TABLE]
and makes decoding decisions according to equation (8). Because once Bob’s key is corrected, i.e. is equal to , all his syndromes satisfy . Thus he randomly selects a matrix , and judges whether is equal to . If so, Bob terminates the algorithm and stores . Otherwise, he starts another iteration. The reconciliation is considered as a failure when the number of iterations exceeds the upper limit.
There is an important figure called the reconciliation efficiency Kiktenko et al. (2017). It shows the ratio of practical information leakage to theoretical floor for successful reconciliation. It serves to imply the efficiency and security of a reconciliation strategy and help privacy amplification to remove information leakage. For the single-matrix reconciliation, the reconciliation efficiency is represented as
[TABLE]
where m and n are the numbers of check nodes and variable nodes of the LDPC code, e is the result of error estimation, h is the Shannon binary entropy:
[TABLE]
For the multi-matrix reconciliation, however, is given by
[TABLE]
where is a constant which is relative to and the structures of matrices. Fortunately, if the construction method of multiple matrices (see Appendix B) is used, it can be proved that the practical information leakage is equal to (see Appendix A), i.e., is equal to , without sacrificing the reconciliation efficiency compared with single-matrix post-processing.
Obviously, our strategies is portable, it can be easily applied to SBP, LBP (see Appendix C), and other algorithms to achieve the following improvements:
Faster Convergence Speed In our strategy, when Bob generates C2V and updates V2C information, all matrices operate in parallel. And as shown in equation (14), Bob obtains the soft-decision value of each variable node by gathering all the C2V information sent to in every matrix. The amount of C2V information gathered within one iteration in the multi-matrix reconciliation is equal to information gathered in numerous iterations in the single-matrix reconciliation. 2. 2.
Higher Success Rate Once C2V and V2C information of a matrix are trapped in a cycle, the other matrices without this cycle can help the trapped matrix jump out the cycle, leading to higher success rate. 3. 3.
Lower BER The value of each key bit is determined according to the information provided by multiple matrices. The accuracy of error-correction is effectively improved, resulting in lower BER.
IV Experimental Evaluation
To fully evaluate the above advantages of multi-matrix post-processing, in this session we first give some detailed comparisons among three methods of error estimation. Then for the other three parts, the experiments about the three criteria of key reconciliation algorithms are carried out. All simulation data used in our experiments are generated by real random number generator IDQ EasyQuantis 2.1. For comparison, we also set the upper limit of iterations to , which is similar to existing implementations Zhang and Pfister (2012); Djordjevic et al. (2012), and the code rate and code length of LDPC codes are set to and , respectively.
IV.1 Error Estimation
We have described the three methods of error estimation hereinbefore, including the random sampling, the single-syndrome error estimation and the multi-syndrome error estimation. To compare these three methods, we generate 2000 sets of keys at error rates of , , and , respectively. The sampling rate of random sampling is set to 0.5. For any set of key, we use these methods to get three error rates. As shown in Fig. 3, it is clear that our method (black lines) is more accurate and stable than the random sampling (magenta lines) and the single-syndrome error estimation (red lines).
IV.2 Convergence Speed
For key reconciliation, since the faster the convergence speed is, the smaller the average number of iterations becomes, we evaluate the convergence speed of different algorithms by calculating their average numbers of iterations under different error rates. We first prepare a matrix for the single-matrix algorithms, then add four more matrices for the multi-matrix algorithms (see the next section for the detailed method of generating LDPC codes). At a certain error rate, we generate 100 sets of keys, perform each algorithm on the keys, and calculate the average number of iterations. The results are shown in Fig. 4. Clearly, under different error rates, the average numbers of iterations of the multi-matrix algorithms are significantly decreased compared with their single-matrix versions. MBP cuts down 43.1546.06% of average iteration number of BP, while MLBP is 38.1640.21% and MSBP is 47.8753.38%.
We can further increase the convergence speed of the multi-matrix algorithms by adjusting two factors. One is the number of matrices used in reconciliation. We generate 100 sets of keys with error rate 0.0246, run the multi-matrix algorithms with different number of matrices to correct these keys. The relationship between the average number of iterations and the number of matrices is plotted in Fig. 5. Clearly, the average number of iterations and the number of matrices are inversely proportional.
Another factor is the number of waves. The variable nodes with larger degrees can get more information, thus can be corrected earlier and can provide useful information to help other variable nodes. This process spreads from large-degree to small-degree variable nodes, behaving like a wave, so it is called the wave effect Luby et al. (2001). For a multi-matrix algorithm, the multiple waves can be formed simultaneously to correct errors. We refer this phenomenon as the multi-wave effect, which obviously leads to faster convergence speed. However, if the waves are close to each other, they spread as one wave. This greatly discounts the performance of the multi-wave effect. On the contrary, if the large-degree variable nodes are dispersed in different matrices, the multiple waves spread and correct errors at the same time, resulting in faster convergence speed. We construct matrices with close waves to compare with matrices with separated ones, and plot the results in Fig. 6. Clearly, the algorithms using matrices with separated waves outperform the others.
Therefore, our strategy can significantly improve the convergence speed compared with the single-matrix reconciliation, and the speed can be further improved if Bob uses more or designs better matrices.
IV.3 Success Rate
The success rate of reconciliation may be negatively impacted by the cycles. For example, suppose Alice’s sifted key is , Bob’s sifted key is , the error rate is 0.2, LDPC code has variable nodes labeled as and check nodes denoted as . As shown in Fig. 7 (a), in LDPC code there is a 4-member cycle which is represented by a blue circle and red edges, respectively. If Bob uses BP algorithm to correct the key, the reconciliation is failed in each iteration. It is because that there is always a difference between the signs of soft-decision values of and . Therefore, they cannot be decoded as at the same time. The 4-member cycle makes new information always be excluded and old information always loop in the cycle. Thus, as recorded in Tab. 1, no matter how large the upper limit of iterations is, the single-matrix reconciliation always fails.
However, as shown in Fig. 7 (b), if Bob adds two matrices to correct the key, since there are no cycle between and in the new matrices, the data of the new matrices help and break out of the 4-member cycle, resulting in a successful reconciliation. As shown in Tab. 2, MBP correct the error within two iterations.
We carry out a test to fully represent the performance of reducing the impact of cycles. In this test, we generate 1000 sets of keys with error rate 0.0275, perform the 6 reconciliation algorithms on the generated keys, and calculate the success rate. As shown in Fig. 8, the average success rate of the multi-matrix algorithms is 96.33%, nearly double that, 48.83%, of the single-matrix algorithms.
IV.4 Bit Error Rate
Compared with the single-matrix reconciliation, the multi-matrix algorithms decode the key according to information provided by multiple matrices. The decoding results are more accurate and reliable. We generate 100 sets of keys with error rate 0.0267, perform BP and MBP on the generated keys to calculate the number of corrected bits and the number of misjudged bits in each iteration, and plot the valid number of corrected bits in Fig. 9. We can see that MBP can correct more errors in each iteration, and most of the errors are corrected at the beginnings of the iterations. It achieves faster convergence speed and lower BER compared with BP.
To further evaluate the BER performances of the multi-matrix algorithms, five QBER values ranging from 0.0202 to 0.0256 are selected. At each error rate, we generate 1000 sets of keys, perform 5-matrix algorithms and their single-matrix versions on these generated keys. After 5 iterations, we calculate BERs of different algorithms according to the following equation,
[TABLE]
and draw the results in Fig. 10. It is obvious that all three multi-matrix algorithms achieve lower BERs under different error rates compared with their single-matrix versions. For example, the BER of SBP is 0.0030832 when the error rate is 0.0202, while MSBP is 0.0000045, between which there is a difference of 3-order magnitude.
V Conclusion
In this paper, a highly efficient error reconciliation protocol for QKD is proposed, whose core is using likelihood of multiple syndromes obtained from multiple LDPC codes for QBER estimation and correction. Security analysis and multi-matrix construction method are provided. Evaluation results show that the proposed approach allows improving the accuracy of QBER estimation in contract to previous works. Additionally, the scheme can greatly increase the convergence speed, success rate, and significantly improve the BER performance during key reconciliation without compromising the reconciliation efficiency and significant expenditure of authentication and time resources. Our findings can lower the complexity for post-processing procedure, thus will promote the commercialization of QKD.
VI Acknowledgements
This research is financially supported by the Major Program of National Natural Science Foundation of China (No. 11690030, 11690032, 11804153), the National Key Research and Development Program of China (No. 2017YFA0303700), the National Natural Science Foundation of China (No. 61771236), and the Excellence Research Program of Nanjing University. The authors are grateful to Wen-yuan Wang for valuable contribution.
Appendix A Appendix A
Security Analysis
The security of single-matrix reconciliation is guaranteed by the following theorems.
Theorem 1: Let and be Alice’s sifted key and syndrome, respectively. is the matrix used in reconciliation. Once Eve gets , she can extract at most bits of information about , i.e.,
[TABLE]
Proof of Theorem: The amount of information that Eve can obtain from about is
[TABLE]
Assuming that Eve knows , she would obtain if she knows , i.e.,
[TABLE]
When a random variables are in the equal probability distribution, the discrete entropy can reach the maximum value, so
[TABLE]
Theorem 2: If the random variable of Alice’s sifted key obeys uniform distribution, i.e.,
[TABLE]
then there are at least bits of information about unknown to Eve, even though she has obtained , i.e.,
[TABLE]
where .
Proof of Theorem: The random variable of Alice’s sifted key obeys uniform distribution, so
[TABLE]
From equations (19), (20), and (21), we derive
[TABLE]
According to Theorem 1 and Theorem 2, Eve can get at most bits information. Thus, if the bits is discarded during privacy amplification, the security of the key can be guaranteed.
Generally, Alice and Bob can use the following method to abandon the bits information leakage. If the matrix has the following structure,
[TABLE]
where is a matrix which has rows and columns, is an m-order identity matrix, then is called a system code. In other words, vectors of are linearly independent in . Under this circumstance, Alice can calculate and send the syndrome by
[TABLE]
From Theorem 1, we know that Eve can obtain at most bits of information about . Assume these bits of information is bits of . And for Eve, it is in her best interests if the bits of are . Then Eve has to solve a underdetermined system of equation, which has no unique solution. Moreover, after Alice and Bob discard the bits key , Eve cannot even form the system of equation and get any information about , even if she knows and .
If the matrix is a non-system code, a system code can be formed by a series of elementary row transformations and column exchanges based on
[TABLE]
where A is a m-order invertible square matrix representing a whole train of primary row transformation. B is a n-order square matrix representing a series of column exchanges. Denote and , then
[TABLE]
Similarly, after Alice and Bob abandon the bits key , even if Eve knows and , she will not be able to get any information about .
From the above analysis, we can see that if we first select linearly independent columns in , then discard the corresponding bits of these columns, the bits information leakage can be removed, thus ensuring the security of the key. Therefore, we design a multiple matrices construction method as shown in the Appendix B. And all matrices used in the simulation are prepared according to the the method.
Through the above method, we can construct a series of matrices of the same size. Let and denote any two matrices from . They can be represented as follows:
[TABLE]
[TABLE]
Their syndromes and can be represented as:
[TABLE]
[TABLE]
More precisely, , , , and . From the above matrices construction method, we can see that and are not equal, but their corresponding variable nodes sets are the same. Similarly, assume Eve knows and , then she has to solve the system of equation. Because and are construct with the method in the Appendix B, the two sets of underdetermined systems of equation in equations (33) and (34) are the same. In other word, it is impossible to form a determined or overdetermined system of equation. After Alice and Bob discard those bits, even if Eve knows , , , and , she cannot obtain any information about and . In fact, any two matrices constructed by this method will not reveal extra information during reconciliation. Accordingly, in the case of reconciliation with more than two matrices, because the discarded bits information is corresponding to the same linearly independent columns, multiple syndromes transmitted through the classical channel do not reveal extra information, i.e.
[TABLE]
then we get
[TABLE]
where . Therefore, if Alice and Bob use our method to construct matrices, they can guarantee the security of the key, i.e., guarantee the security of the multi-matrix post-processing.
Appendix B Appendix B
Multiple Matrices Construction Method
The first LDPC matrix called is constructed; 2. 2.
By a series of elementary row transformation and column exchanges, is transformed into a system code, such that linearly independent columns can be determined. These columns correspond to variable nodes in . Let the remaining variable nodes be ; 3. 3.
The rest parity check matrices can be constructed based on : First, rearrange the columns of the variable nodes in . Then rearrange the columns of the variable nodes in . It’s clear that the set of the positions of linearly independent columns, in this way, is identical to each other for all of the matrices.
Appendix C Appendix C
Pseudocode of MBP, MSBP and MLBP
MBP algorithm
1:
2:for do
3: for to do
4: for do
5:
6: end for
7: end for
8: for to do
9: for do
10:
11: end for
12: end for
13:end for
14:
15:if then
16:
17:end if
MSBP algorithm
1:
2:for do
3: for to do
4: for do
5:
6: end for
7: for do
8:
9: end for
10: end for
11:end for
12:
13:if then
14:
15:end if
MLBP algorithm
1:
2:for do
3: for to do
4: for do
5:
6: for do
7:
8: end for
9: end for
10: end for
11:end for
12:
13:if then
14:
15:end if
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Gisin et al. (2002) N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Quantum cryptography, Rev. Mod. Phys. 74 , 145 (2002).
- 2Scarani et al. (2009) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, The security of practical quantum key distribution, Rev. Mod. Phys. 81 , 1301 (2009).
- 3Lo et al. (2005) H.-K. Lo, X. Ma, and K. Chen, Decoy state quantum key distribution, Phys. Rev. Lett. 94 , 230504 (2005).
- 4Lo et al. (2012) H.-K. Lo, M. Curty, and B. Qi, Measurement-device-independent quantum key distribution, Phys. Rev. Lett. 108 , 130503 (2012).
- 5Liao et al. (2017) S.-K. Liao, W.-Q. Cai, W.-Y. Liu, L. Zhang, Y. Li, J.-G. Ren, J. Yin, Q. Shen, Y. Cao, Z.-P. Li, et al. , Satellite-to-ground quantum key distribution, Nature 549 , 43 (2017).
- 6Wang (2005) X. B. Wang, Beating the photon-number-splitting attack in practical quantum cryptography, Phys. Rev. Lett. 94 , 230503 (2005).
- 7Bennet and Brassard (1984) C. H. Bennet and G. Brassard, in 1984 IEEE International Conference on Computers, Systems, and Signal processing, Bangalore, India (IEEE, 1984), p. 175.
- 8Gerhardt et al. (2010) I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, Full-field implementation of a perfect eavesdropper on a quantum cryptography system, Nat. Commun. 2 , 349 (2010).
