Open AccessArticle

Reverse Reconciliation for Optimal Error Correction in Quantum Key Distribution

Luis Adrián Lizama-Perez

Departamento de Electrónica, Universidad Técnica Federico Santa María, Campus San Joaquín. Av. Vicuña Mackenna 3939, San Joaquín, Santiago 8940897, Chile

Symmetry 2023, 15(3), 710; https://doi.org/10.3390/sym15030710

Submission received: 6 February 2023 / Revised: 28 February 2023 / Accepted: 8 March 2023 / Published: 12 March 2023

Download

Browse Figures

Versions Notes

Abstract

In this work, we introduce a new method for the establishment of a symmetric secret key through the reconciliation process in QKD systems that, we claim, is immune to the error rate of the quantum channel and, therefore, has an efficiency of 100% since it does not present losses during the distillation of secret keys. Furthermore, the secret rate is scaled to the square of the number of pulses on the destination side. The method only requires a single data exchange from Bob over the classic channel. We affirmed that our results constitute a milestone in the field of QKD and error correction methods at a crucial moment in the development of classical and quantum cryptanalytic algorithms. We believe that the properties of our method can be evaluated directly since it does not require the use of complex formal-theoretical techniques. For this purpose, we provide a detailed description of the reconciliation algorithm. The strength of the method against PNS and IR attacks is discussed. Furthermore, we define a method to analyze the security of the reconciliation approach based on frames that are binary arrays of

2 \times 2

. As a result, we came to the conclusion that the conjugate approach can no longer be considered secure, while we came up with a way to increase the secret gain of the method with measured bits.

Keywords:

QKD; distillation; reconciliation; sifting

1. Introduction

In the era of quantum technologies, cryptography based on the quantum cryptographic key distribution (QKD) emerges as one of the most-promising methods for establishing secret symmetric keys to achieve the confidentiality of communications [1,2,3]. The QKD stands out, together with post-quantum cryptography [4], as one of the most-secure schemes to face the threat posed by quantum computers capable of executing cryptanalytic algorithms such as the algorithm of Shor for integer factorization of large primes [5,6].

As research results indicate [7,8], the QKD reconciliation protocols do not tolerate high noise rates in the quantum channel, which will have a negative impact on the link distance of the QKD system. This is explained by the fact that the reconciliation methods used by the QKD have not shown error correction beyond 25% [9,10,11,12]. Discrete reconciliation has been achieved by BBBSS [13], Cascade [14], Winnow [15], Liu [12], polar codes [16,17], and frame reconciliation [18]. Unfortunately, interactive protocols requires a high number of message exchanges [19,20], and worse still, they do not guarantee the complete elimination of errors. The QKD also uses other reconciliation techniques developed in the field of telecommunication technologies, among which LDPC [21,22] stands out; however, its computational complexity is very demanding and requires transmitting redundant information [23]. Consider the following two scenarios:

Alice prepares and sends a message to Bob adding redundant information. Then, with the help of the auxiliary information, he seeks to recover the original message by identifying and correcting the errors in the message. This is the approach of correction methods used in telecommunications such as turbo codes and LDPC.
Alice seeks to establish a key of random bits with Bob, i.e., there is no predefined message, then Alice must identify the bits that Bob has obtained after quantum pulses were transferred over the quantum channel and errors have occurred.

In the Cascade algorithm, Bob reveals some bits and sends them to Alice, who evaluates the results, then tells Bob what to do with the remaining bits. If necessary, Alice and Bob use and sacrifice other bits until they obtain the same set of bits.

By contrast, in our approach, Bob computes some sifting bits over small binary information structures called frames that he sends to Alice, who determines the bits on Bob’s side. It is not necessary to send more bits: all the errors are corrected, and all the pulses received by Bob are used, that is there is no loss of bits. How can this be possible? Shannon’s limit establishes that, when the probability of error in a channel denoted as e reaches 0.5, information transfer cannot be established.

First of all, our reconciliation approach constitutes a reverse reconciliation method, so it does not correct errors; instead, Alice identifies them and, together with Bob, builds the key based on Bob’s final results, which include the errors produced in the channel and the optical detection system [24,25]. Second, in our approach, we used

2 \times 2

frames, and in particular, we used as the starting point those in which the probability of error is

e^{2}

. By evaluating the results that most of these instances produce, we can run the entire error correction process. In our previous works, we handled the following frame-based schemes:

Distill the key by means of the frames in which errors are detectable using the sifting bits and adding the bits obtained from the measurements [18,26].
To avoid the waste of frames, the inverse of the measured bits is used instead of the measured bits, that is the conjugated bits [27].
In this new approach, we only used the sifting bits of those frames that produce unitary results, since, as we will see, they are more visible from Alice’s point of view.

Before discussing the new approach (Section 3), in the next section (Section 2), we present a way to evaluate the security of these methods and discuss the results obtained. As a result of this analysis, we found a method to increase the secret rate in the approach that uses the measured bits, and these results are presented in the Appendix A. Therefore, we analyzed the security and performance of the new method. However, let us continue by providing a brief explanation of the BB84 protocol followed by a discussion of pairs of quantum states.

1.1. BB84

Historically, the first protocol for the quantum cryptographic key distribution (QKD) was conceived of by Bennett and Brassard in 1984; hence, it is known as BB84 [28]. The BB84 protocol encodes a bit in a pair of non-orthogonal states, so it uses four quantum states, as shown in Figure 1, where

i

is the bit (

i = 0, 1

) encoded in the pair of non-orthogonal states represented by

i_{X}

and

i_{Z}

In BB84, the bits are transmitted by individual photons or quantum multiphotonic pulses, which upon arrival at the receiving station, are measured in one of the bases

X

Z

, which Bob chooses randomly. If the measurement basis matches the quantum state of the photon, for example if Bob measures

1_{X}

with the basis

X

, the result is predictable and useful for establishing a shared secret key. Otherwise, if Bob measures

1_{X}

with the

Z

basis, the result is ambiguous and should be discarded.

BB84 is vulnerable to the PNS attack in which the attacker separates and stores the photons coming from the multiphotonic quantum pulses that traverse the channel. Then, once Bob publishes the bases used in his measurements, Eve applies those bases, and from here, she is capable of deriving the secret key.

1.2. Pairs of Quantum States

The frame-based schemes that we have previously published are based on the following scheme: Alice sends pairs of non-orthogonal quantum states to Bob, who measures both states by applying the same measurement basis

X

Z

that he actively chooses. Suppose Alice sends the pair of states (

0_{X}

0_{Z}

). Bob measures the first state

0_{X}

with

X

, which produces

0_{X}

. He then measures the second state

0_{Z}

with

X

, but produces

0_{X}

. Although the basis does not match the quantum state, the event is useful because it produces the same result as the previous measurement.

However, in particular, if a double-matching detection event occurs in the other basis

Z

, the result can also be exploited. This implies that we have two communication channels: along the

X

basis and another through the

Z

basis, which gives us an additional advantage for the transmission of information through pairs of non-orthogonal states: they always produce a double-matching detection event. On the other hand, if the results of the two measurements are different, the result is ambiguous and cannot be used in the production of secret bits.

Figure 2 shows us the three categories that pairs of quantum states can fall into: orthogonal, non-orthogonal, and parallel. However, for the first time in the context of frame-based reconciliation, we now also took advantage of not only non-orthogonal state pairs, but also pairs of parallel states. Furthermore, as we will see in Section 3, to carry out the reconciliation, we are only interested in double-matching detection events, regardless of their origin: non-orthogonal states, parallel states, or error states, which may include orthogonal states. The only thing that really matters is that the double-matching event occurs; it does not matter whether it comes from the measurement of two erroneous states or the erroneous measurement of the states.

As a final remark, frame-based reconciliation does not reveal the bases used in Bob’s measurements. Therefore, if Eve has copies of the sent quantum states, she must perform measurements on both bases hoping to obtain double-matching detection events on both bases, which is not guaranteed if Eve has only a few copies of the states.

2. Security of Frame-Based Reconciliation Methods

2.1. Clarifications about the Symbology Used

With the aim of being clearer in the exposition of the later sections, let us introduce here some examples of the symbology that we used:

—: ${0_{X}}^{i}$ , ${0_{Z}}^{j}$ , ${1_{X}}^{k}$ , and ${1_{Z}}^{l}$ are examples of quantum states where the upper index $i, j, k, l$ denotes the sequence number in which it was transmitted from Alice to Bob. As can be seen, we did not use the quantum ket notation, but rather, bold letters, in order to facilitate the discussion about the reconciliation methods. When necessary, we changed the numerical label, representing it as follows $i \to 0_{X_{i}}, j \to 0_{Z_{j}}, k \to 1_{X_{k}}, l \to 1_{Z_{i}}$ , so states look like ${0_{X}}^{{0_{X}}_{i}}$ , ${0_{Z}}^{{0_{Z}}_{j}}$ , ${1_{X}}^{{1_{X}}_{k}}$ , and ${1_{Z}}^{{1_{Z}}_{l}}$ . At Bob’s side, the received states, also called the detection events, are written as ${0_{X}}^{ε_{i}}$ , ${0_{Z}}^{ϖ_{j}}$ , ${1_{X}}^{ϵ_{k}}$ , and ${1_{Z}}^{π_{l}}$ . Furthermore, depending on the specific context, the upper index could be omitted (in the case that the index would not be strictly necessary), or it could consist of two sequence numbers to refer to a double-matching detection event.
—: $(-, {1_{Z}}^{π_{l 1}, π_{l 2}})$ is a double-matching detection event at Bob’s side: in this example, two detection events with the $Z$ basis that produced $1_{Z}$ . We write between rectangular brackets the sequential numerical indices of such events, which in this case are $[π_{l 1}, π_{l 2}]$ , where the position of the labels $π_{l 1}, π_{l 2}$ between brackets $[π_{l 1}, π_{l 2}]$ does not matter. However, in a double-matching detection event, we write the $X$ basis to the left as $({1_{X}}^{ϵ_{k 1}, ϵ_{k 2}}, -)$ and the $Z$ basis to the right as $(-, {1_{Z}}^{π_{l 1}, π_{l 2}})$ .
—: ${({1_{X}}^{1_{X_{k}}}, {0_{Z}}^{0_{Z_{j}}}), ({0_{X}}^{0_{X_{i}}}, {1_{Z}}^{1_{Z_{l}}})}$ is a frame at Alice’s side. In fact, it corresponds to the frame $f_{5}$ , one of the 16 possible $2 \times 2$ frames (for the complete list of frames, please see [27]). We commonly represent the frames in the form of a matrix, with the purpose of facilitating the visualization of the sifting bits (SSs) or the measurement results (MRs). However, when it comes to discussing the reconciliation methods, we used the notation introduced here. For a useful reference, consider that $f_{1} = {({0_{X}}^{0_{X_{i}}}, {1_{Z}}^{1_{Z_{l}}}), ({1_{X}}^{1_{X_{k}}}, {0_{Z}}^{0_{Z_{j}}})}$ because $f_{1}$ and $f_{5}$ are symmetrically equivalent.
—: ${({1_{X}}^{ϵ_{k 1}, ϵ_{k 2}}, -), (-, {1_{Z}}^{π_{l 1}, π_{l 2}})}$ is a frame at Bob’s side (also referred to as an instance) denoting two double-matching detection events, where $[ϵ_{k 1}, ϵ_{k 2}]$ and $[π_{l 1}, π_{l 2}]$ are the corresponding sequential numerical indices of such events. Provided this frame comes from Alice’s $f_{5}$ , it implies that $1_{X_{k}} = ϵ_{k 1}$ , $0_{Z_{j}} = ϵ_{k 2}$ , $0_{X_{i}} = π_{l 1}$ , and $1_{Z_{l}} = π_{l 2}$ . From the numerical labels, we could establish that Alice sends $[1_{X_{k}}, 0_{Z_{j}}]$ ; Bob measures them as $[ϵ_{k 1}, ϵ_{k 2}]$ ; then, during reconciliation, Alice represents them as $[1_{X_{k}}, *]$ . The last expression makes sense, because as we will see later, our algorithms focus on bits equal to one.

2.2. The Sifting String

The sifting string (SS) is a bit string prepared by Bob consisting of the sifting bits and the correction bits. In the absence of errors in the quantum channel, the sifting bits are enough to derive the secret key. However, when the channel or the optical detection system produces errors, then the correction bits are required to derive an identical key on both sides of the communication link.

To derive the sifting string (SS), the XOR logical function ⊕ between the bits of the columns of Bob’s frame must be computed, where the symbol − represents the vacuum state and is computed as a zero bit. The different bit configurations within Bob’s frames are shown below: above each frame, we write the bits corresponding to the measurement result (MR), and at the bottom of each frame is the sifting bits, where

| |

denotes concatenation.

\begin{matrix} 00 & 01 & 10 & 11 \\ (\begin{matrix} b_{11} & - \\ b_{21} & - \end{matrix}), & (\begin{matrix} - & b_{12} \\ - & b_{22} \end{matrix}), & (\begin{matrix} b_{11} & - \\ - & b_{22} \end{matrix}), & (\begin{matrix} - & b_{12} \\ b_{21} & - \end{matrix}), \\ b_{11} \oplus b_{21} | | 0 & 0 | | b_{12} \oplus b_{22} & b_{11} b_{22} & b_{21} b_{12} \end{matrix}

To perform error detection and depending on the approach used, some bits must be added: the measured bits or the conjugate bits:

—: Measured bits: The bits detected at Bob’s optical station must be appended, so SS= sifting bits $| |$ measured bits. It should be noted that the secret bits are derived from the geometric arrangement (MR) of the bits within Bob’s frame, rather than the bits themselves obtained from the detection bases.
—: Conjugate bits: The inverted bits of the measured bits are added, so SS= sifting bits $| |$ conjugate bits. The purpose of the conjugate bits is to detect errors where $1_{X}$ is detected as $0_{X}$ or $1_{Z}$ as $0_{Z}$ , which cannot be detected using the measured bits.
—: XOR bits: This will be detailed in this work and does not require additional bits.

2.3. Problem Statement

The bits that go into the secret key are derived from the double-matching detection events. The rate of such events has a squared decay with respect to the photon mean of the source quantum states. Furthermore, there are inherent challenges in the optical detection of two consecutive quantum states. Due to the above, we proposed in previous works that the states should not be transmitted consecutively from Alice to Bob, but interleaved between the states of other pairs. Therefore, we suggested a fixed window time between the two non-orthogonal states.

We established the research problem by questioning whether it will be possible to develop a QKD reconciliation algorithm using only the sifting bits, which is the minimum, string since it is built only with the sifting bits. We claim that the answer is affirmative, so in the new scheme we are proposing here, Alice sends a collection of quantum states defined as

S_{a} = ⋃_{i = 1}^{a} {0_{X}}^{0_{X_{i}}}, ⋃_{j = 1}^{b} {0_{Z}}^{0_{Z_{j}}}, ⋃_{k = 1}^{c} {1_{X}}^{1_{X_{k}}}, ⋃_{l = 1}^{d} {1_{Z}}^{1_{Z_{l}}}

in any order, with no predefined conditions or restrictions, except to send a similar amount of each of the four types of quantum states, in order to obtain a uniform distribution between them, so

a \sim b \sim c \sim d

. At the other side, Bob obtains a distribution of measurements that can be specified as

S_{b} = ⋃_{i = 1}^{a^{'}} {0_{X}}^{ε_{i}}, ⋃_{j = 1}^{b^{'}} {0_{Z}}^{ϖ_{j}}, ⋃_{k = 1}^{c^{'}} {1_{X}}^{ϵ_{k}}, ⋃_{l = 1}^{d^{'}} {1_{Z}}^{π_{l}}

. Due to losses in the quantum channel

a > a^{'}

b > b^{'}

c > c^{'}

d > d^{'}

, it is still lossless and error free

a \neq a^{'}

b \neq b^{'}

c \neq c^{'}

, and

d \neq d^{'}

because the results of Bob’s quantum measurements depend on the quantum basis he chooses to use, which is performed actively.

Now, Bob groups the results

1_{X}

into pairs; similarly, he groups the results

1_{Z}

into pairs; symbolically, this is written as

⋃_{k = 1}^{r} (-, {1_{X}}^{ϵ_{k 1}, ϵ_{k 2}}), ⋃_{l = 1}^{s} (-, {1_{Z}}^{π_{l 1}, π_{l 2}})

provided there are r pairs of

1_{X}

and s pairs of

1_{Z}

. After Bob sends the necessary information to Alice and she identifies the errors in the transmitted states, they repeat the process with the remaining events, but changing

({0_{X}}^{ε_{i 1}, ε_{i 2}}, -)

and

(-, {0_{Z}}^{ϖ_{j 1}, ϖ_{j 2}})

({1_{X}}^{ϵ_{k 1}, ϵ_{k 2}}, -)

and

(-, {1_{Z}}^{π_{l 1}, π_{l 2}})

, respectively. The protocol will be described in detail in Section 3. It is worth mentioning that, in frame-based error correction schemes, Alice identifies the errors produced during the transmission, and she adapts herself to what Bob received; that is why this constitutes a reverse reconciliation scheme [24,25].

As shown in Figure 3, there are ten types of sifting strings SS

_{i}

, so

i = 1 \dots 10

, which are computed at Bob’s side taking two double-matching detection events as their input. Table 1 shows the resulting sifting string (SS) for each frame-based reconciliation scheme: XOR bits, conjugate bits [27], and measured bits [18,26].

The reconciliation information (SS) that Bob publicly shares with Alice remains in the hands of the spy Eve, so in the following subsections, we analyze whether, given the information in Eve’s possession, she is capable of breaking the secret of the frames, that is if she can derive the MR of each frame. Then, in the next section, we describe in detail the new reconciliation method based on the XOR function and provide a description of its security. Finally, in the Conclusions, we compare the results obtained. In advance, we can claim that the new method is safe and more efficient than the previous ones.

2.4. Security of the Measured-Bit Approach

By using measured bits as correction bits, there are seven types of SSs that Bob can send to Alice (see Table 2). Item 7 of the list shows that Eve knows that, behind SS

_{9} = 1111

instances, there is an event

({1_{X}}^{t}, -)

(-, {1_{Z}}^{t})

in one of her rows. However, Items 2, 3, 4, and 5 of Table 2 show that this information does not allow Eve to infer the location of

{0_{X}}^{i}

{0_{Z}}^{j}

in the other row of the frame because it appears to both sides (left/right) under the same SS.

From the above analysis, we can conclude that the measured bits approach remains secure against this eavesdropping strategy. In our previous work [27], we derived a total secret gain reaching

(\binom{n}{2}) (\frac{2}{16} - \frac{1}{12} e^{'})

taking the gain of the frame classes

f_{2}

f_{3}

f_{4}

, and

f_{6}

, where

e^{'}

is the error rate of the frames computed as the number of erroneous frames over the amount of total frames at Bob’s side. However, by taking the error rate e of the quantum channel, then the probability of two errors in a frame is

e^{2}

, then we obtain a gain that amounts to

(\binom{n}{2}) (\frac{2}{16} - \frac{1}{16} e)

. Moreover, in the Appendix, we show that is possible to enhance such gain adding the frames

f_{i}

, where

i = 1, 2, 5, 9, 10, 13, 14, 15, 16

, thus increasing the secret gain up to

(\binom{n}{2}) (\frac{1}{16} + \frac{1}{16} e^{2})

2.5. Security of the Conjugate Bit Approach

By using conjugate bits as correction bits, there are seven types of SS that Bob can send to Alice (see Table 3). Item 7 of this list shows that Eve knows that, behind SS

_{9} = 1100

instances, there is an event

({1_{X}}^{t}, -)

(-, {1_{Z}}^{t})

in one of her rows. Unfortunately, Items 2, 3, 4, and 5 of Table 3 show that this fact allows Eve to infer the location of

{0_{X}}^{i}

{0_{Z}}^{j}

in the other row of the frame because it appears at the same side (left/right) under the same SS.

Given the results obtained in the previous analysis, we must state that this conjugated bits approach cannot be considered secure as a reconciliation method.

3. Frame Reconciliation with XOR Bits

In this section, we provide a detailed explanation of the new reconciliation method that uses only the sifting bits without the need for the correction bits. For a more fluent explanation, we present first the general method (see Figure 4), which includes the quantum transmission stage and the distillation process by means of the classical channel, leaving separately the additional algorithms that are required for error detection.

3.1. General QKD Protocol

The main idea behind this protocol is to first take advantage of the fact that the MRs behind SS = 11 are well hidden (see Section 3.5). Second, within those frames, it is possible to synthesize an algorithm for error identification by testing the combinations of events that should produce SS = 00 (see Test T.1). Third, there are fewer errors in

f_{1}

frames because it takes two errors in a frame

f_{1}

to produce an erroneous SS = 11; in fact, the error rate for them reduces to

e^{2}

(see Section 3.3). This becomes relevant to evaluate what establishes the majority of the results computed in Algorithm A.2.

In this protocol, it is assumed that the optical stations of Alice and Bob are synchronized and that they have a quantum channel (air or fiber optic), and they also use a classical communication channel.

Alice sends the collection of quantum states $⋃_{i = 1}^{a} {0_{X}}^{0_{X_{i}}}, ⋃_{j = 1}^{b} {0_{Z}}^{0_{Z_{j}}}, ⋃_{k = 1}^{c} {1_{X}}^{1_{X_{k}}}, ⋃_{l = 1}^{d} {1_{Z}}^{1_{Z_{l}}}$ to Bob, where the bold symbols $0_{X}, 0_{Z}, 1_{X}, 1_{Z}$ denote the quantum states, while $0_{X_{i}}, 0_{Z_{j}}, 1_{X_{k}}, 1_{Z_{l}}$ are Alice’s sequential numerical indices of the transmitted quantum states, whose record is kept at her side. Of course, due to the noise and losses of the quantum channel, of the states sent, not all the states arrive at Bob’s station and not all the ones that arrive are free of error.
Bob measures each received state applying randomly the quantum basis $X$ or $Z$ . Bob obtains the distribution $⋃_{i = 1}^{a^{'}} {0_{X}}^{ε_{i}}, ⋃_{j = 1}^{b^{'}} {0_{Z}}^{ϖ_{j}}, ⋃_{k = 1}^{c^{'}} {1_{X}}^{ϵ_{k}}, ⋃_{l = 1}^{d^{'}} {1_{Z}}^{π_{l}}$ , where $ε_{i}, ϖ_{j}, ϵ_{k}, π_{l}$ are the sequential numerical indices of the quantum measurements at Bob’s side. We write $[ϵ_{k 1}, ϵ_{k 2}]$ to denote Bob’s sequential numerical indices of two states measured by him with the $X$ basis in which both measurements yield $1_{X}$ , then we represent it symbolically as the event $[ϵ_{k 1}, ϵ_{k 2}] \to ({1_{X}}^{ϵ_{k 1}, ϵ_{k 2}}, -)$ , where $k = 1 \dots r$ . In addition, we define the event of two quantum $Z$ measurements that produces $1_{Z}$ as $[π_{l 1}, π_{l 2}] \to (-, {1_{Z}}^{π_{l 1}, π_{l 2}})$ , where $[π_{l 1}, π_{l 2}]$ are the sequential numerical indices of the two measurements and $l = 1 \dots s$ .
A double-matching detection event as described before can be generated from a pair of non-orthogonal states, a pair of parallel states, or as a result of one or two errors in the channel and/or optical detection system. Furthermore, the double-matching detection events are chosen after performing the measurements, that is a posteriori, so the rate of those events is linear and not quadratic, as was the case in our previous works. As a result, there is no fixed time window separating the two quantum states. For the purposes of this protocol and the identification of the errors produced, the origin of those events is not relevant. Now, going back to the algorithm, Bob sends two lists $L_{1}$ and $L_{2}$ to Alice, which can be specified as follows:

$\begin{matrix} L_{1} = ⋃_{k = 1, l = 1}^{k = r, l = s} \{[ϵ_{k 1}, ϵ_{k 2}], [π_{l 1}, π_{l 2}]\}, \\ L_{2} = ⋃_{k = 1, k^{'} > k}^{k, k^{'} = r} \{[ϵ_{k 1}, ϵ_{k 2}], [ϵ_{k^{'} 1}, ϵ_{k^{'} 2}]\}, ⋃_{l = 1, l^{'} > l}^{l, l^{'} = s} \{[π_{l 1}, π_{l 2}], [π_{l^{'} 1}, π_{l^{'} 2}]\} \end{matrix}$

The list $L_{1}$ allows two instances: (1) ${[ϵ_{k 1}, ϵ_{k 2}], [π_{l 1}, π_{l 2}]}$ or (2) $\{[π_{l 1}, π_{l 2}], [ϵ_{k 1}, ϵ_{k 2}]\}$ . The instance is randomly chosen by Bob; see the example of Table 4. The specific instance (1) or (2) will determine the shared secret bit (see T.2 below). For this reason, an instance contains two specific pairs of events that cannot be applied more than once to an instance. $L_{2}$ is an auxiliary list that does not contribute secret bits, but contains auxiliary information that allows Alice to detect errors. The ordering between $\{[ϵ_{k 1}, ϵ_{k 2}], [ϵ_{k^{'} 1}, ϵ_{k^{'} 2}]\}$ and $\{[π_{l 1}, π_{l 2}], [π_{l^{'} 1}, π_{l^{'} 2}]\}$ in $L_{2}$ is randomly performed by Bob. As a result of the above description, $L_{1}$ contains the frames where SS = 11, while $L_{2}$ has those where SS = 00. The pairing process is performed on an even number of events, which may require the removal of an event. An example of these lists in the frame notation can be seen in Figure 5 and Table 4:
After Alice receives $L_{1}$ and $L_{2}$ , she performs the following algorithms:
- A.1 to choose from $L_{1}$ the ones that belong to the frame class $f_{1}$ (or equivalently to $f_{5}$ ).
- A.2 to detect the errors in $L_{1 a}$ .
- A.3 to detect the remaining errors in $L_{1}$ , which includes T.2, to determine the secret bits. Note that Bob obtains the secret bits by direct application of T.2.
Bob inverts the results of $({0_{X}}^{ε_{i 1}, ε_{i 2}}, -)$ and $(-, {0_{Z}}^{ϖ_{j 1}, ϖ_{j 2}})$ to $({1_{X}}^{ϵ_{k 1}, ϵ_{k 2}}, -)$ and $(-,$ ${1_{Z}}^{π_{l 1}, π_{l 2}})$ , respectively. Post-processing is then repeated: Step 2 (without quantum measurement) and Step 3.

Of course, Step 4 can be performed within Step 2, but we prioritized the simplest explanation of the protocol. Using T.2, Alice and Bob derive the secret key bits from the MRs of all the frames that are built. Let us look at this more carefully in Section 3.2. The final task of the protocol would require a successful confirmation from Bob once Alice sends the hash code (from a secure cryptographic hash family, e.g., SHA-256) of the distilled key to ensure that both have established the same key.

At this point, we can highlight the following observation: in the previously published protocols (measured bits and conjugate bits), Alice defines the pairs of non-orthogonal quantum states a priori (using a time window between the non-orthogonal states). On the contrary, in the current scheme, it is Bob who determines, a posteriori, the pairs of states (by pairing the measurements that return a bit of 1), so a temporary separation between the states is not required, which implies that Alice chooses the quantum states to be sent randomly and without time separation constraints. On the other side, Bob measures, one by one, as they arrive, sequentially, the quantum states using a quantum basis that he chooses at random.

3.2. Auxiliary Algorithms

3.2.1. Algorithm A.1

For each element in

L_{1}

, identify the ones that belong to the frames

f_{1}

(or equivalently to

f_{5}

1.: If ${[π_{l 1}, π_{l 2}], [ϵ_{k 1}, ϵ_{k 2}]} = = {[0_{X_{i}}, 1_{Z_{l}}], [1_{X_{k}}, 0_{Z_{j}}]}$ , then it belongs to $f_{1}$ ; thus, write it in $L_{1 a}$ . Similarly, if ${[ϵ_{k 1}, ϵ_{k 2}], [π_{l 1}, π_{l 2}]} = = {[1_{X_{k}}, 0_{Z_{j}}], [0_{X_{i}}, 1_{Z_{l}}]}$ , then it belongs to $f_{5}$ ; thus, write it in $L_{1 a}$ . Additionally, store each $[ϵ_{k 1}, ϵ_{k 2}]$ as $F_{i}$ in the list F and each $[π_{l 1}, π_{l 2}]$ as $G_{j}$ in the list G.
2.: Find which of the Cartesian elements $F_{i} \times F_{j}$ , $F_{i} \times G_{j}$ , and $G_{i} \times G_{j}$ are in $L_{1}$ or $L_{2}$ , where $i \neq j$ . The symbol $F_{i} \times G_{j}$ does not imply a specific ordering between the two sets, so it must be equally taken $G_{j} \times F_{i}$ . Write the identified cases in the auxiliary list $L_{2 a}$ . Informally speaking, we can say that this list contains the results of the self-references $[ϵ_{k 1}, ϵ_{k 2}]$ and $[π_{l 1}, π_{l 2}]$ , which will be useful in A.2.

We denote

{[ϵ_{k 1}, ϵ_{k 2}], [π_{l 1}, π_{l 2}]}

{[1_{X_{k}}, *], [*, 1_{Z_{l}}]}

, where

1_{X_{k}}

is the sequential numerical index that is in the

X

basis, and

1_{Z_{l}}

is the sequential numerical index along the

Z

basis. The symbol * represents the other sequential index, which we are not interested in focusing on. Conventionally, we write to the left-hand side the

X

basis numerical index, while the

Z

basis numerical index to the right-hind side. Furthermore, we refer to

{[π_{l 1}, π_{l 2}], [ϵ_{k 1}, ϵ_{k 2}]}

{[*, 1_{Z_{l}}], [1_{X_{k}}, *]}

. To distinguish between two different

1_{X_{k}}

events, we used the overdot symbol, so we write

1_{X_{\dot{k}}}

. For the same purpose, we write

1_{Z_{l}}

and

1_{Z_{\dot{l}}}

3.2.2. Algorithm A.2

Let us write

L_{1 a}

L_{1 a} = ⋃_{i = 1}^{r^{'}} {[1_{X_{k}}, *], [*, 1_{Z_{l}}]}_{i} : 11

. Take the instances

{[1_{X_{k}}, *], [*, 1_{Z_{l}}]}_{i}

and

{[*, 1_{Z_{\dot{l}}}], [1_{X_{\dot{k}}}, *]}_{j}

. For

j = 1 \dots r^{'}

and

i \neq j

, apply

T_{1}

using

L_{2 a}

. In the cases described below, the symbol

< i, j >

denotes the evaluation of the instances sub-indexed as

i, j

under the rule

T_{1}

. The symbol ↑ means compliance with

T_{1}

, while the symbol ↓ is used to denote that it is not fulfilled. Finally, the symbol

| |

denotes cardinality:

(a): $| < i, j > : ↓ | ≫ | < i, j > : ↑ |$ , then all $i, j$ instances in $< i, j > : ↑$ are inverted; thus, correct them in $L_{1 a}$ .
(b): $| < i, j > : ↓ | ≪ | < i, j > : ↑ |$ , then all j instances in $< i, j > : ↓$ are inverted; thus, correct them in $L_{1 a}$ .

In simple words, what establishes Case (a) is that, if the majority says that you are wrong, while the minority says that you are right, in attention to the majority, you and the minority are wrong. Case (b) establishes that, if the majority says that you are right, while the minority says that you are wrong, in attention to the majority, then those who say that you are wrong are wrong.

3.2.3. Algorithm A.3

Let us write

L_{1}

L_{1} = ⋃_{k = 1, l = 1}^{k = r, l = s} {[ϵ_{k 1}, ϵ_{k 2}], [π_{l 1}, π_{l 2}]}

1.

From

L_{1 a}

, choose a pivot, say

[1_{X_{k}}, *]

—: If ${([1_{X_{k}}, *], [ϵ_{k 1}, ϵ_{k 2}]} : 11$ , then write $[*, 1_{Z_{l}}]$ for $[ϵ_{k 1}, ϵ_{k 2}]$ and $[1_{X_{k}}, *]$ for $[π_{l 1}, π_{l 2}]$ .
—: If ${([1_{X_{k}}, *], [ϵ_{k 1}, ϵ_{k 2}]} : 00$ , then write $[1_{X_{k}}, *]$ for $[ϵ_{k 1}, ϵ_{k 2}]$ and $[*, 1_{Z_{l}}]$ for $[π_{l 1}, π_{l 2}]$ .

2.

Use T.2 to determine the MR of all the elements of

L_{1}

3.2.4. Test T.1

There are four configurations for this rule, which are illustrated in Figure 6. The rule establishes the following implications:

(a): ${[1_{X_{k}}, *], [*, 1_{Z_{l}}]}, {[1_{X_{\dot{k}}}, *], [*, 1_{Z_{\dot{l}}}]} : 11$ implies ${[1_{X_{k}}, *], [1_{X_{\dot{k}}}, *]}, {[*, 1_{Z_{l}}], [*, 1_{Z_{\dot{l}}}]} : 00$ and ${[1_{X_{k}}, *], [*, 1_{Z_{\dot{l}}}]}, {[*, 1_{Z_{l}}], [1_{X_{\dot{k}}}, *]} : 11$ .
(b): ${[1_{X_{k}}, *], [*, 1_{Z_{l}}]}, {[*, 1_{Z_{\dot{l}}}], [1_{X_{\dot{k}}}, *]} : 11$ implies ${[1_{X_{k}}, *], [*, 1_{Z_{\dot{l}}}]}, {[*, 1_{Z_{l}}], [1_{X_{\dot{k}}}, *]} : 11$ and ${[1_{X_{k}}, *], [1_{X_{\dot{k}}}, *]}, {[*, 1_{Z_{l}}], [*, 1_{Z_{\dot{l}}}]} : 00$ .

3.2.5. Test T.2

The rule that is represented in Table 5 is used for the so-called measurement result (MR) code, according to which Alice and Bob derive the bits of the shared secret key.

3.3. The Error Probability in the Quantum Channel

In the general QKD algorithm of Section 3.1, we used

f_{1} = {({0_{X}}^{0_{X_{i}}}, {1_{Z}}^{1_{Z_{l}}}), ({1_{X}}^{1_{X_{k}}}, {0_{Z}}^{0_{Z_{j}}})}

and

f_{5} = {({1_{X}}^{1_{X_{k}}}, {0_{Z}}^{0_{Z_{j}}}), ({0_{X}}^{0_{X_{i}}}, {1_{Z}}^{1_{Z_{l}}})}

, which produced MR = 11. Here are two possibilities about what happened: the error-free instance

f_{1} = [*, 1_{Z_{l}}], [1_{X_{k}}, *]}

(or

f_{5} = {[1_{X_{k}}, *], [*, 1_{Z_{l}}]}

, respectively) was produced. The other explanation is that the erroneous instance

f_{5} = {[1_{X_{k}}, *], [*, 1_{Z_{l}}]}

instead of

f_{1}

was produced (or

f_{1} = {[*, 1_{Z_{l}}], [1_{X_{k}}, *]}

instead of

f_{5}

, respectively). In the last case, two errors occurred. Let us see the

f_{1}

case:

—: ${0_{X}}^{0_{X_{i}}}$ is erroneously detected as ${1_{X}}^{1_{X_{\ddot{k}}}}$ , while ${1_{Z}}^{1_{Z_{l}}}$ is (error-free) measured as ${1_{Z}}^{1_{Z_{\dot{l}}}}$ .
—: ${1_{X}}^{1_{X_{k}}}$ is (error-free) measured as ${1_{X}}^{1_{X_{\ddot{k}}}}$ , but ${0_{Z}}^{0_{Z_{j}}}$ is erroneously detected as ${1_{Z}}^{1_{Z_{\ddot{l}}}}$ .

This is similar for

f_{5}

. However, what happens when the error probability in the quantum channel reaches values of 50% or more? When

e = 0.5

, the error rate in the frames

f_{1}

e^{2}

, that is 0.25. In this case, there is an error-free majority, since most of the events are correct and the minority are incorrect. However, when

e = \frac{1}{\sqrt{2}} \sim 0.7

, then the number of correct instances grows to 50%, equaling the number of incorrect instances. In this situation, we cannot identify the errors in the frames

f_{1}

and

f_{5}

. To overcome this drawback, the pair of frames

(f_{2}, f_{6})

or the pair

(f_{3}, f_{4})

can be used. We list such pairs:

—: $f_{2} = {({1_{X}}^{1_{X_{k}}}, {0_{Z}}^{0_{Z_{j}}}), ({1_{X}}^{1_{X_{\dot{k}}}}, {1_{Z}}^{1_{Z_{l}}})}$ , $f_{6} = {({1_{X}}^{1_{X_{\dot{k}}}}, {1_{Z}}^{1_{Z_{l}}}), ({1_{X}}^{1_{X_{k}}}, {0_{Z}}^{0_{Z_{j}}})}$ .
—: $f_{3} = {({0_{Z}}^{0_{Z_{j}}}, {1_{X}}^{1_{X_{k}}}), ({1_{X}}^{1_{X_{\dot{k}}}}, {1_{Z}}^{1_{Z_{l}}})}$ , $f_{4} = {({1_{X}}^{1_{X_{\dot{k}}}}, {1_{Z}}^{1_{Z_{l}}}), ({0_{Z}}^{0_{Z_{j}}}, {1_{X}}^{1_{X_{k}}})}$ .

Because, in order to produce MR = 11, such frames require either no error or only one error that occurred when

{0_{Z}}^{0_{Z_{j}}}

is detected as

{1_{Z}}^{1_{Z_{\dot{l}}}}

, now, the error rate is e and not

e^{2}

, most of the cases are incorrect, and the fewest cases are correct, so the errors can be identified. Of course, for this to work, it is necessary to invert the majority rule A.2. Therefore, if during the execution of the reconciliation algorithm it is detected that there is no majority in the results, it must be changed to use the pair

(f_{2}, f_{6})

instead of

(f_{1}, f_{5})

3.4. Privacy Amplification Performance

Assuming that the attacker Eve can somehow obtain the bits of some of the double-matching detection events, then the rate of such information will be reduced when Alice and Bob proceed to derive the bits of all the frames that can be constructed. In this context, we call this process privacy amplification.

If Alice and Bob derive the secret bits from the double-execution of Step 3 of the general QKD algorithm, with say m and n instances (or frames), respectively, they obtain

(\binom{m}{2}) + (\binom{n}{2}) = \frac{m^{2} + n^{2} - m - n}{2}

bits. However, they can increase the number of secret bits by combining the instances of those rounds.

Let

[α_{1}^{s}, ω_{1}^{s}] = {[1_{X_{k}}, *]}^{s} ‖ {[*, 1_{Z_{l}}]}^{s}

, where

s = 0

is related to the first round and

s = 1

to the second round of Step 3 of the QKD protocol. Then, Alice and Bob perform the combinations indicated in the matrix below:

[\begin{matrix} [α_{11}^{01}, ω_{11}^{01}] & [α_{12}^{01}, ω_{12}^{01}] & \dots & [α_{1 n}^{01}, ω_{1 n}^{01}] \\ α_{21}^{01}, ω_{21}^{01}] & [α_{22}^{01}, ω_{22}^{01}] & \dots & [α_{2 n}^{01}, ω_{2 n}^{01}] \\ ⋮ \\ α_{m 1}^{01}, ω_{m 1}^{01}] & [α_{m 2}^{01}, ω_{m 2}^{01}] & \dots & [α_{m n}^{01}, ω_{m n}^{01}] \end{matrix}]

As a result, the number of bits is increased until reaching

(\binom{m + n}{2}) = \frac{(m + n) (m + n - 1)}{2}

. However,

(\binom{m + n}{2}) = (\binom{m}{2}) + (\binom{n}{2}) + m n

; thus, the added gain is

m n

Now, let us compute the size (in the number of events) of

L_{1}

and

L_{2}

\begin{matrix} | L_{1} | = r \cdot s, \\ | L_{2} | = (\binom{r}{2}) + (\binom{s}{2}) \end{matrix}

The size of the key is

| L_{1} |

, while the amount of information sent by Bob amounts to

| L_{1} | + | L_{2} |

, so the ratio between them is

\frac{| L_{1} |}{| L_{1} | + | L_{2} |} \sim 1 + \frac{1}{2} (\frac{r}{s} + \frac{s}{r}) = 2

provided

r = s

and neglecting the linear terms. Therefore, the amount of data transmitted over the classical channel tends to be twice the size of the secret key.

3.5. Security of the XOR Bit Approach

Contrary to the measured bit and the conjugate bit approaches, by using the XOR bit approach, there are only two types of SS that Bob sends to Alice: SS

_{1} = 00

, which comes from the instances

{({1_{X}}^{k}, -), ({1_{X}}^{k}, -)}, {-, {1_{Z}}^{l}), (-, {1_{Z}}^{l})}

, and SS

_{2} = 11

, which comes from

{({1_{X}}^{k}, -), (-, {1_{Z}}^{l})}, {(-, {1_{Z}}^{l}), ({1_{X}}^{k}, -)}

. Item 2 of Table 6 shows that Eve knows that, behind SS

_{2} = 11

instances, there is an event

({1_{X}}^{t}, -)

(-, {1_{Z}}^{t})

in one of her rows. However, Item 1 of Table 6 shows that this information does not allow Eve to infer the location of

{1_{X}}^{k}

{1_{Z}}^{l}

in the other row of the frame because it appears to both sides (left/right) under SS

_{1} = 00

3.6. Strength of the System against Attacks

Let us discuss the strength of the protocol against PNS and IR attacks. For this, consider that, in addition to the quantum channel, Bob’s optical detection system also produces errors when performing the measurements of the states sent by Alice. Security is based on two facts: (a) The key is distilled towards Bob’s errors. (b) The bases with which Bob performs the measurements are not revealed, only the sifting bits:

1.

The photon number splitting attack (PNS): Eve cannot obtain a copy of the key for two reasons:

—: Although Eve captures some of the photons contained in the multiphotonic pulses, nothing guarantees she can produce the required double-matching detection events.
—: Alice and Bob distill the key according to the errors produced in the channel and the optical detection system, but Eve is unable to reproduce the errors of Bob’s detection system.

2.

The intercept and resend attack (IR): Eve’s behavior can be seen as noise in the quantum channel (measure/resend), which alters the quantum state of half of the states sent by Alice because Eve’s basis is correct 50% of the time:

—: However, Alice and Bob obtain the key according to the final results obtained by Bob, which Eve cannot replicate. As long as the reconciliation process is confidential, Eve will not be able to derive the secret key.

One of the potentially most-relevant consequences of this strength is that it would allow the use of higher power quantum pulses and extend the total link distance of the QKD system.

3.7. Properties of the XOR Bit Approach

To close Section 3, in this subsection, we list the main advantages of the QKD distillation protocol based on XOR bits:

—: It has no losses and exhibits 100% efficiency.
—: It is immune to the error rate of the quantum channel; in other words, it is invariant with respect to the noise in the quantum channel.
—: It requires just one data exchange between Alice and Bob through the classical channel.
—: The secret key rate is $\frac{w^{2} - w}{2}$ , where w is the number of double-matching detection events and amounts to half of the pulses received at Bob’s station.
—: Security against the photon number splitting attack (PNS) and intercept and resend (IR) attack is guaranteed.
—: No bits of the shared (raw) key are revealed, just the sifting XOR bits.

It should be emphasized here that the secret rate scales up to the square of the number of pulses received by Bob (actually, half of them). In previous publications, the secret rate amounted to the square of the number of double-matching detection events, which decays quadratically with respect to the mean photon emission of the laser source.

4. Conclusions

We presented a new reverse reconciliation method for QKD systems that, at least theoretically, is immune to quantum channel errors, does not present losses at the time of key distillation, and therefore, has 100% efficiency. The analysis of the previous properties was achieved without high formal-theoretical resources, so it can be evaluated without difficulty. It only requires a single reconciliation data transfer by Bob over the classical channel, while the secret rate scales to the square of the number of pulses at the receiving station.

We analyzed the resistance of the method to PNS and IR attacks, but we will seek to demonstrate the resistance of the protocol to other attacks in future works; for now, we focused on the detailed description of the reconciliation algorithms.

On the other hand, after performing the security analysis of the frame-based reconciliation methods, we concluded that reconciliation by means of the XOR bits and the measured bits preserve security, while the conjugated bits can no longer be assumed as secure. Furthermore, as a result of this research, we found a way to enhance the secret gain of the method using the measured bits to a total value that depends on the square of the quantum channel error rate.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A. Secret Gain with Measured Bits

In Table A2, Table A3, Table A4, Table A5, Table A6, Table A7, Table A8 and Table A9 of Appendix B, we derive the secret gain of frames with measured bits. Then, in Equation (A1), we sum up the gain of each frame where the subindex i denotes the frame class, so

c_{i}

refers to

f_{i}

. Here, e denotes the error rate of the quantum channel, while in Table A1, we refer to the error rate of frames as

e^{'}

\begin{matrix} c_{i} & = \frac{1}{2} (1 - e) + \frac{1}{2} e + \frac{1}{2} e^{2} for i = 1, 5, 15, 16 \\ c_{j} & = \frac{1}{2} e + e^{2} for j = 9, 10, 13, 14 \\ c_{k} & = (1 - e) + \frac{1}{2} e for k = 2, 3, 4, 6 \\ \sum_{i = 1}^{16} c_{i} & = 1 + e^{2}, where i \neq 7, 8, 11, 12 \\ g & = \frac{1}{16} (\binom{n}{2}) (1 + e^{2}) \end{matrix}

(A1)

Table A1 shows a comparison of the secret gain computed applying the error rate of the frames

e^{'}

and summing the gains

c_{i}

, where

i = 2, 3, 4, 6

, then summing those gains, but with the error rate of the quantum channel e, and finally, summing the gains when

i = 1, \dots 16

, but

i \neq 7, 8, 11, 12

Table A1. We deduced the partial gain

g_{p} = \frac{1}{16} (\binom{n}{2}) c_{i}

, where

i = 2, 3, 4, 6

. The total gain is computed under the same formula

i = 1, \dots 16

, but

i \neq 7, 8, 11, 12

Table A1. We deduced the partial gain

g_{p} = \frac{1}{16} (\binom{n}{2}) c_{i}

, where

i = 2, 3, 4, 6

. The total gain is computed under the same formula

i = 1, \dots 16

, but

i \neq 7, 8, 11, 12

g	$g_{p}$	[18]
$(\binom{n}{2}) (\frac{1}{16} + \frac{1}{16} e^{2})$	$(\binom{n}{2}) (\frac{2}{16} - \frac{1}{16} e)$	$(\binom{n}{2}) (\frac{2}{16} - \frac{1}{12} e^{'})$

Appendix B. Secret Gain of the Frames

We derived the secret gain of all the frames where security is preserved. The results showed us that

c_{1} = c_{5} = c_{15} = c_{16} = \frac{1}{2} (1 - e) + \frac{1}{2} e + \frac{1}{2} e^{2}

. Furthermore, we derived the gains

c_{9} = c_{10} = c_{13} = c_{14} = \frac{1}{2} e + e^{2}

. In addition,

c_{2} = c_{6} = c_{3} = c_{4} = (1 - e) + \frac{1}{2} e

Table A2. Secret gain of the frames

f_{1} = {(0_{X}, 1_{Z}), (1_{X}, 0_{Z})}

and

f_{5} = {(1_{X}, 0_{Z}), (0_{X}, 1_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). Detectable cases {(MR, error), (MR’, error’)} are {(00-01),(01-10)} and {(10-11),(11-00)}. The secret gain is

\frac{1}{4} (1 - e) + \frac{1}{4} e + \frac{1}{4} e^{2}

Table A2. Secret gain of the frames

f_{1} = {(0_{X}, 1_{Z}), (1_{X}, 0_{Z})}

and

f_{5} = {(1_{X}, 0_{Z}), (0_{X}, 1_{Z})}

\frac{1}{4} (1 - e) + \frac{1}{4} e + \frac{1}{4} e^{2}

MR	00	01	10	11
00	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (1_{X}, -)} : 0011$	${(0_{X}, -), (0_{X}, -)} : 0000$	${(1_{X}, -), (0_{X}, -)} : 1010$
01	${(-, 1_{Z}), (-, 0_{Z})} : 0110$	${(-, 0_{Z}), (-, 0_{Z})} : 0000$	${(-, 1_{Z}), (-, 1_{Z})} : 0011$	${(-, 0_{Z}), (-, 1_{Z})} : 0101$
10	${(0_{X}, -), (-, 0_{Z})} : 0000$	${(1_{X}, -), (-, 0_{Z})} : 1010$	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 1_{Z})} : 1111$
11	${(-, 1_{Z}), (1_{X}, -)} : 1111$	${(-, 0_{Z}), (1_{X}, -)} : 1001$	${(-, 1_{Z}), (0_{X}, -)} : 0110$	${(-, 0_{Z}), (0_{X}, -)} : 0000$

Table A3. Secret gain of the frames

f_{15} = {(0_{X}, 1_{Z}), (0_{X}, 1_{Z})}

and

f_{16} = {(1_{X}, 0_{Z}), (1_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). Detectable cases {(MR, error), (MR’, error’)} are {(00-11),(01-00)} and {(10-01),(11-10)}. The secret gain is

\frac{1}{4} (1 - e) + \frac{1}{4} e + \frac{1}{4} e^{2}

Table A3. Secret gain of the frames

f_{15} = {(0_{X}, 1_{Z}), (0_{X}, 1_{Z})}

and

f_{16} = {(1_{X}, 0_{Z}), (1_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). Detectable cases {(MR, error), (MR’, error’)} are {(00-11),(01-00)} and {(10-01),(11-10)}. The secret gain is

\frac{1}{4} (1 - e) + \frac{1}{4} e + \frac{1}{4} e^{2}

MR	00	01	10	11
00	${(0_{X}, -), (0_{X}, -)} : 0000$	${(1_{X}, -), (0_{X}, -)} : 1010$	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (1_{X}, -)} : 0011$
01	${(-, 1_{Z}), (-, 1_{Z})} : 0011$	${(-, 0_{Z}), (-, 1_{Z})} : 0101$	${(-, 1_{Z}), (-, 0_{Z})} : 0110$	${(-, 0_{Z}), (-, 0_{Z})} : 0000$
10	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 1_{Z})} : 1111$	${(0_{X}, -), (-, 0_{Z})} : 0000$	${(1_{X}, -), (-, 0_{Z})} : 1010$
11	${(-, 1_{Z}), (0_{X}, -)} : 0110$	${(-, 0_{Z}), (0_{X}, -)} : 0000$	${(-, 1_{Z}), (1_{X}, -)} : 1111$	${(-, 0_{Z}), (1_{X}, -)} : 1001$

Table A4. Secret gain of the frames

f_{9} = {(0_{X}, 1_{Z}), (0_{X}, 0_{Z})}

and

f_{10} = {(1_{X}, 0_{Z}), (0_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). Detectable cases {(MR, error), (MR’, error’)} are {(00-11),(01-10)} and {(10-11),(11-10)}. The secret gain is

\frac{1}{2} e + \frac{1}{2} e^{2}

Table A4. Secret gain of the frames

f_{9} = {(0_{X}, 1_{Z}), (0_{X}, 0_{Z})}

and

f_{10} = {(1_{X}, 0_{Z}), (0_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). Detectable cases {(MR, error), (MR’, error’)} are {(00-11),(01-10)} and {(10-11),(11-10)}. The secret gain is

\frac{1}{2} e + \frac{1}{2} e^{2}

MR	00	01	10	11
00	${(0_{X}, -), (0_{X}, -)} : 0000$	${(1_{X}, -), (0_{X}, -)} : 1010$	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (1_{X}, -)} : 0011$
01	${(-, 1_{Z}), (-, 0_{Z})} : 0110$	${(-, 0_{Z}), (-, 0_{Z})} : 0000$	${(-, 1_{Z}), (-, 1_{Z})} : 0011$	${(-, 0_{Z}), (-, 1_{Z})} : 0101$
10	${(0_{X}, -), (-, 0_{Z})} : 0000$	${(1_{X}, -), (-, 0_{Z})} : 1010$	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 1_{Z})} : 1111$
11	${(-, 1_{Z}), (0_{X}, -)} : 0110$	${(-, 0_{Z}), (0_{X}, -)} : 0000$	${(-, 1_{Z}), (1_{X}, -)} : 1111$	${(-, 0_{Z}), (1_{X}, -)} : 1001$

Table A5. Secret gain of the frames

f_{3} = {(0_{X}, 1_{Z}), (1_{X}, 1_{Z})}

and

f_{4} = {(1_{X}, 1_{Z}), (0_{X}, 1_{Z})}

\frac{1}{2} (1 - e) + \frac{1}{2} e

Table A5. Secret gain of the frames

f_{3} = {(0_{X}, 1_{Z}), (1_{X}, 1_{Z})}

and

f_{4} = {(1_{X}, 1_{Z}), (0_{X}, 1_{Z})}

\frac{1}{2} (1 - e) + \frac{1}{2} e

MR	00	01	10	11
00	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (1_{X}, -)} : 0011$	${(0_{X}, -), (0_{X}, -)} : 0000$	${(1_{X}, -), (0_{X}, -)} : 1010$
01	${(-, 1_{Z}), (-, 1_{Z})} : 0011$	${(-, 0_{Z}), (-, 1_{Z})} : 0101$	${(-, 1_{Z}), (-, 0_{Z})} : 0110$	${(-, 0_{Z}), (-, 0_{Z})} : 0000$
10	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 1_{Z})} : 1111$	${(0_{X}, -), (-, 0_{Z})} : 0000$	${(1_{X}, -), (-, 0_{Z})} : 1010$
11	${(-, 1_{Z}), (1_{X}, -)} : 1111$	${(-, 0_{Z}), (1_{X}, -)} : 1001$	${(-, 1_{Z}), (0_{X}, -)} : 0110$	${(-, 0_{Z}), (0_{X}, -)} : 0000$

Table A6. Secret gain of the frames

f_{2} = {(1_{X}, 0_{Z}), (1_{X}, 1_{Z})}

and

f_{6} = {(1_{X}, 1_{Z}), (1_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). Detectable cases {(MR, error), (MR’, error’)} are {(00-00),(01-01)} and {(10-00),(11-01)}. The secret gain is

\frac{1}{2} (1 - e) + \frac{1}{2} e

Table A6. Secret gain of the frames

f_{2} = {(1_{X}, 0_{Z}), (1_{X}, 1_{Z})}

and

f_{6} = {(1_{X}, 1_{Z}), (1_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). Detectable cases {(MR, error), (MR’, error’)} are {(00-00),(01-01)} and {(10-00),(11-01)}. The secret gain is

\frac{1}{2} (1 - e) + \frac{1}{2} e

MR	00	01	10	11
00	${(1_{X}, -), (1_{X}, -)} : 0011$	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (0_{X}, -)} : 1010$	${(0_{X}, -), (0_{X}, -)} : 0000$
01	${(-, 0_{Z}), (-, 1_{Z})} : 0101$	${(-, 1_{Z}), (-, 1_{Z})} : 0011$	${(-, 0_{Z}), (-, 0_{Z})} : 0000$	${(-, 1_{Z}), (-, 0_{Z})} : 0110$
10	${(1_{X}, -), (-, 1_{Z})} : 1111$	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 0_{Z})} : 1010$	${(0_{X}, -), (-, 0_{Z})} : 0000$
11	${(-, 0_{Z}), (1_{X}, -)} : 1001$	${(-, 1_{Z}), (1_{X}, -)} : 1111$	${(-, 0_{Z}), (0_{X}, -)} : 0000$	${(-, 1_{Z}), (0_{X}, -)} : 0110$

Table A7. Secret gain of the frames

f_{8} = {(0_{X}, 0_{Z}), (1_{X}, 1_{Z})}

and

f_{12} = {(1_{X}, 1_{Z}), (0_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). There are no detectable cases.

Table A7. Secret gain of the frames

f_{8} = {(0_{X}, 0_{Z}), (1_{X}, 1_{Z})}

and

f_{12} = {(1_{X}, 1_{Z}), (0_{X}, 0_{Z})}

, which are symmetrically equivalent, against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). There are no detectable cases.

MR	00	01	10	11
00	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (1_{X}, -)} : 0011$	${(0_{X}, -), (0_{X}, -)} : 0000$	${(1_{x}, -), (0_{X}, -)} : 1010$
01	${(-, 0_{Z}), (-, 1_{Z})} : 0101$	${(-, 1_{Z}), (-, 1_{Z})} : 0011$	${(-, 0_{Z}), (-, 0_{Z})} : 0000$	${(-, 1_{Z}), (-, 0_{Z})} : 0110$
10	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 1_{Z})} : 1111$	${(0_{X}, -), (-, 0_{Z})} : 0000$	${(1_{X}, -), (-, 0_{Z})} : 1010$
11	${(-, 0_{Z}), (1_{X}, -)} : 1001$	${(-, 1_{Z}), (1_{X}, -)} : 1111$	${(-, 0_{Z}), (0_{X}, -)} : 0000$	${(-, 1_{Z}), (0_{X}, -)} : 0110$

Table A8. Secret gain of the frames

f_{7} = {(0_{X}, 0_{Z}), (0_{X}, 0_{Z})}

against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). There are no detectable cases.

Table A8. Secret gain of the frames

f_{7} = {(0_{X}, 0_{Z}), (0_{X}, 0_{Z})}

against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). There are no detectable cases.

MR	00	01	10	11
00	${(0_{X}, -), (0_{X}, -)} : 0000$	${(1_{X}, -), (0_{X}, -)} : 1010$	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (1_{X}, -)} : 0011$
01	${(-, 0_{Z}), (-, 0_{Z})} : 0000$	${(-, 1_{Z}), (-, 0_{Z})} : 0110$	${(-, 0_{Z}), (-, 1_{Z})} : 0101$	${(-, 1_{Z}), (-, 1_{Z})} : 0011$
10	${(0_{X}, -), (-, 0_{Z})} : 0000$	${(1_{X}, -), (-, 0_{Z})} : 1010$	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 1_{Z})} : 1111$
11	${(-, 0_{Z}), (0_{X}, -)} : 0000$	${(-, 1_{Z}), (0_{X}, -)} : 0110$	${(-, 0_{Z}), (1_{X}, -)} : 1001$	${(-, 1_{Z}), (1_{X}, -)} : 1111$

Table A9. Secret gain of the frames

f_{11} = {(1_{X}, 1_{Z}), (1_{X}, 1_{Z})}

against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). There are no detectable cases.

Table A9. Secret gain of the frames

f_{11} = {(1_{X}, 1_{Z}), (1_{X}, 1_{Z})}

against the position error: 0 errors = 00, 1 error (first = 01/second bit = 10), 2 errors (both bits = 11). There are no detectable cases.

MR	00	01	10	11
00	${(1_{X}, -), (1_{X}, -)} : 0011$	${(0_{X}, -), (1_{X}, -)} : 1001$	${(1_{X}, -), (0_{X}, -)} : 1010$	${(0_{X}, -), (0_{X}, -)} : 0000$
01	${(-, 1_{Z}), (-, 1_{Z})} : 0011$	${(-, 0_{Z}), (-, 1_{Z})} : 0101$	${(-, 1_{Z}), (-, 0_{Z})} : 0110$	${(-, 0_{Z}), (-, 0_{Z})} : 0000$
10	${(1_{X}, -), (-, 1_{Z})} : 1111$	${(0_{X}, -), (-, 1_{Z})} : 0101$	${(1_{X}, -), (-, 0_{Z})} : 1010$	${(0_{X}, -), (-, 0_{Z})} : 0000$
11	${(-, 1_{Z}), (1_{X}, -)} : 1111$	${(-, 0_{Z}), (1_{X}, -)} : 1001$	${(-, 1_{Z}), (0_{X}, -)} : 0110$	${(-, 0_{Z}), (0_{X}, -)} : 0000$

References

Alléaume, R.; Branciard, C.; Bouda, J.; Debuisschert, T.; Dianati, M.; Gisin, N.; Godfrey, M.; Grangier, P.; Länger, T.; Lütkenhaus, N.; et al. Using quantum key distribution for cryptographic purposes: A survey. Theor. Comput. Sci. 2014, 560, 62–81. [Google Scholar] [CrossRef]
Hong, K.W.; Foong, O.M.; Low, T.J. Challenges in quantum key distribution: A review. In Proceedings of the 4th International Conference on Information and Network Security, Kuala Lumpur, Malaysia, 28–31 December 2016; pp. 29–33. [Google Scholar]
Bacco, D.; Da Lio, B.; Cozzolino, D.; Da Ros, F.; Guo, X.; Ding, Y.; Sasaki, Y.; Aikawa, K.; Miki, S.; Terai, H.; et al. Boosting the secret key rate in a shared quantum and classical fibre communication system. Commun. Phys. 2019, 2, 140. [Google Scholar] [CrossRef] [Green Version]
Alagic, G.; Apon, D.; Cooper, D.; Dang, Q.; Dang, T.; Kelsey, J.; Lichtinger, J.; Miller, C.; Moody, D.; Peralta, R.; et al. Status Report on the Third Round of the Nist Post-Quantum Cryptography Standardization Process; US Department of Commerce, NIST: Washington, DC, USA, 2022.
Shor, P.W. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; pp. 124–134. [Google Scholar]
Yan, B.; Tan, Z.; Wei, S.; Jiang, H.; Wang, W.; Wang, H.; Luo, L.; Duan, Q.; Liu, Y.; Shi, W.; et al. Factoring integers with sublinear resources on a superconducting quantum processor. arXiv 2022, arXiv:2212.12372. [Google Scholar]
Diamanti, E.; Lo, H.K.; Qi, B.; Yuan, Z. Practical challenges in quantum key distribution. NPJ Quantum Inf. 2016, 2, 1–12. [Google Scholar] [CrossRef] [Green Version]
Sasaki, T.; Yamamoto, Y.; Koashi, M. Practical quantum key distribution protocol without monitoring signal disturbance. Nature 2014, 509, 475–478. [Google Scholar] [CrossRef] [PubMed]
Mehic, M.; Niemiec, M.; Siljak, H.; Voznak, M. Error Reconciliation in Quantum Key Distribution Protocols. In Reversible Computation: Extending Horizons of Computing; Springer International Publishing: Cham, Switzerland, 2020; pp. 222–236. [Google Scholar]
Mink, A.; Nakassis, A. LDPC error correction for Gbit/s QKD. In Proceedings of the Quantum Information and Computation XII, Baltimore, MD, USA, 5–9 May 2014; Volume 9123, pp. 19–31. [Google Scholar]
Yan, H.; Ren, T.; Peng, X.; Lin, X.; Jiang, W.; Liu, T.; Guo, H. Information reconciliation protocol in quantum key distribution system. In Proceedings of the 2008 Fourth International Conference on Natural Computation, Jinan, China, 18–20 October 2008; Volume 3, pp. 637–641. [Google Scholar]
Liu, S.; Van Tilborg, H.C.; Van Dijk, M. A practical protocol for advantage distillation and information reconciliation. Des. Codes Cryptogr. 2003, 30, 39–62. [Google Scholar] [CrossRef]
Bennett, C.H.; Bessette, F.; Brassard, G.; Salvail, L.; Smolin, J. Experimental quantum cryptography. J. Cryptol. 1992, 5, 3–28. [Google Scholar] [CrossRef]
Brassard, G.; Salvail, L. Secret-key reconciliation by public discussion. In Advances in Cryptology—EUROCRYPT’93, Proceedings of the Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993; Springer: Berlin/Heidelberg, Germany, 1993; pp. 410–423. [Google Scholar]
Buttler, W.T.; Lamoreaux, S.K.; Torgerson, J.R.; Nickel, G.; Donahue, C.; Peterson, C.G. Fast, efficient error reconciliation for quantum cryptography. Phys. Rev. A 2003, 67, 052303. [Google Scholar] [CrossRef] [Green Version]
Jouguet, P.; Kunz-Jacques, S. High performance error correction for quantum key distribution using polar codes. arXiv 2012, arXiv:1204.5882. [Google Scholar] [CrossRef]
Arikan, E. Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels. IEEE Trans. Inf. Theory 2009, 55, 3051–3073. [Google Scholar] [CrossRef]
Lizama-Perez, L.A.; López, J.M. Quantum key distillation using binary frames. Symmetry 2020, 12, 1053. [Google Scholar] [CrossRef]
Limei, G.; Qi, R.; Di, J.; Duan, H. Qkd iterative information reconciliation based on ldpc codes. Int. J. Theor. Phys. 2020, 59, 1717–1729. [Google Scholar] [CrossRef]
Johnson, J.S.; Grimaila, M.R.; Humphries, J.W.; Baumgartner, G.B. An analysis of error reconciliation protocols used in quantum key distribution systems. J. Def. Model. Simul. 2015, 12, 217–227. [Google Scholar] [CrossRef]
Gallager, R.G. Low-density parity-check codes. Inf. Theory Ire Trans. 1962, 8, 21–28. [Google Scholar] [CrossRef] [Green Version]
Mink, A.; Nakassis, A. LDPC for QKD reconciliation. arXiv 2012, arXiv:1205.4977. [Google Scholar]
Johnson, J.S. An Analysis of Error Reconciliation Protocols for Use in Quantum Key Distribution. Master’s Thesis, Air Force Institute of Technology, Montgomery County, OH, USA, 2012. [Google Scholar]
Grosshans, F.; Grangier, P. Reverse reconciliation protocols for quantum cryptography with continuous variables. arXiv 2002, arXiv:0204127. [Google Scholar]
Grosshans, F.; Van Assche, G.; Wenger, J.; Brouri, R.; Cerf, N.J.; Grangier, P. Quantum key distribution using gaussian-modulated coherent states. Nature 2003, 421, 238–241. [Google Scholar] [CrossRef] [PubMed] [Green Version]
Lizama-Pérez, L.A.; López R., J.M.; Samperio, E.H. Beyond the limits of Shannon’s information in quantum key distribution. Entropy 2021, 23, 229. [Google Scholar] [CrossRef] [PubMed]
Lizama-Pérez, L.A.; López-Romero, J.M. Perfect Reconciliation in Quantum Key Distribution with Order-Two Frames. Symmetry 2021, 13, 1672. [Google Scholar] [CrossRef]
Bennett, C.; Brassard, G. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of the International Conference on Computer System and Signal Processing, Bangalore, India, 10–19 December 1984. [Google Scholar]

Figure 1. The quantum states of the BB84 protocol and the two measurement bases

X

and

Z

are represented through the bi-dimensional Bloch sphere. A bit is encoded by means of a pair of non-orthogonal states.

Figure 1. The quantum states of the BB84 protocol and the two measurement bases

X

and

Z

are represented through the bi-dimensional Bloch sphere. A bit is encoded by means of a pair of non-orthogonal states.

Figure 2. The pairs of quantum states are separated as orthogonal, non-orthogonal, and parallel states.

Figure 3. The diagram shows the sifting strings (SSs) for the different instances at Bob’s side, which are represented as SS

_{i}

labels with

i = 1 \dots 10

. The resulting labels depend on the specific approach that is used, and they are shown in Table 1.

Figure 3. The diagram shows the sifting strings (SSs) for the different instances at Bob’s side, which are represented as SS

_{i}

labels with

i = 1 \dots 10

. The resulting labels depend on the specific approach that is used, and they are shown in Table 1.

Figure 4. General QKD protocol based on XOR bits. The final step is for Alice and Bob to confirm that they have both set the same secret key because Alice sends the hash code of the distilled key to Bob and obtains a positive confirmation from him.

Figure 5. An example of the labels contained in the lists

L_{1} = {[ϵ_{11}, ϵ_{12}], [π_{11}, π_{12}]}, {[π_{21}, π_{22}], [ϵ_{21}, ϵ_{22}]}

and

L_{2} = {[ϵ_{11}, ϵ_{12}], [ϵ_{21}, ϵ_{22}]}, {[π_{11}, π_{12}], [π_{21}, π_{22}]}

. At the bottom of each frame, we have written the XOR bits.

Figure 5. An example of the labels contained in the lists

L_{1} = {[ϵ_{11}, ϵ_{12}], [π_{11}, π_{12}]}, {[π_{21}, π_{22}], [ϵ_{21}, ϵ_{22}]}

and

L_{2} = {[ϵ_{11}, ϵ_{12}], [ϵ_{21}, ϵ_{22}]}, {[π_{11}, π_{12}], [π_{21}, π_{22}]}

. At the bottom of each frame, we have written the XOR bits.

Figure 6. There are four configurations for T.1: the inputs are written in the left-hand corners (top, bottom), while the test cases appear in the right-hand corners. The implicit SSs are written above the arrows. The (c,d) configurations are just the reflection of the (a,b) ones, respectively.

Table 1. The list shows the sifting string (SS) for each frame-based reconciliation method. As previously indicated, the first two bits of the SS are the sifting bits, while the last two bits are the correction bits: measured or conjugated. Measured bits can produce different SSs depending on the ordering position of the double-matching detection events taken, as can be seen below when

i = 3, 4, 6, 7

i = 3, 4, 6, 7

SS $_{i}$	XOR	Conjugate	Measured
SS $_{1}$	00	0000	0000
SS $_{2}$	00	0011	0000
SS $_{3}$	01	0101	0110, 0101
SS $_{4}$	10	1001	1010, 1001
SS $_{5}$	00	0000	0000
SS $_{6}$	01	0110	0110, 0101
SS $_{7}$	10	1010	1010, 1001
SS $_{8}$	00	0000	0011
SS $_{9}$	11	1100	1111
SS $_{10}$	00	0000	0011

Table 2. Security test of the measured bits approach. Suppose Eve intercepts instances where SS

_{9} = 1111

, but she knows that they are composed by the events

({1_{X}}^{t}, -)

and

(-, {1_{Z}}^{t})

. The cases presented below show that, although Eve is provided with this information, she cannot identify other outcomes. For example, Case 2 demonstrates that Eve cannot differentiate between

({0_{X}}^{i}, -)

and

(-, {0_{Z}}^{j})

since they both produce the same SS

_{4, 7} = 1001

, so this eavesdropping strategy becomes useless for Eve.

Table 2. Security test of the measured bits approach. Suppose Eve intercepts instances where SS

_{9} = 1111

, but she knows that they are composed by the events

({1_{X}}^{t}, -)

and

(-, {1_{Z}}^{t})

. The cases presented below show that, although Eve is provided with this information, she cannot identify other outcomes. For example, Case 2 demonstrates that Eve cannot differentiate between

({0_{X}}^{i}, -)

and

(-, {0_{Z}}^{j})

since they both produce the same SS

_{4, 7} = 1001

, so this eavesdropping strategy becomes useless for Eve.

#	SS $_{i}$	i	Bob’s Instances
1	0000	1,2,5	${({0_{X}}^{t}, -), ({0_{X}}^{i}, -)}, {({0_{X}}^{t}, -), (-, {0_{Z}}^{j})}$ ${(-, {0_{Z}}^{t}), ({0_{X}}^{i}, -)}, {(-, {0_{Z}}^{t}), (-, {0_{Z}}^{j})}$
2	1001	4,7	${({0_{X}}^{i}, -), ({1_{X}}^{t}, -)}, {(-, {0_{Z}}^{j}), ({1_{X}}^{t}, -)}$
3	0101	3,6	${({0_{X}}^{i}, -), (-, {1_{Z}}^{t})}, {(-, {0_{Z}}^{j}), (-, {1_{Z}}^{t})}$
4	1010	4,7	${({1_{X}}^{t}, -), ({0_{X}}^{i}, -)}, {({1_{X}}^{t}, -), (-, {0_{Z}}^{j})}$
5	0110	3,6	${(-, {1_{Z}}^{t}), ({0_{X}}^{i}, -)}, {(-, {1_{Z}}^{t}), (-, {0_{Z}}^{j})}$
6	0011	8,10	${({1_{X}}^{t}, -), ({1_{X}}^{k}, -)}, {(-, {1_{Z}}^{t}), (-, {1_{Z}}^{l})}$
7	1111	9	${({1_{X}}^{t}, -), (-, {1_{Z}}^{l})}, {(-, {1_{Z}}^{t}), ({1_{X}}^{k}, -)}$

Table 3. Security test of the conjugate bits approach. Suppose Eve intercepts instances where SS

_{9} = 1100

, but she knows that they are composed by the events

({1_{X}}^{t}, -)

and

(-, {1_{Z}}^{t})

. Using conjugated bits, such events allow Eve to identify other outcomes. Case SS

_{7} = 1010

(a) and case SS

_{6} = 0110

(a) show that

({0_{X}}^{i}, -)

can be located. Case SS

_{3} = 0101

(a) and case SS

_{4} = 1001

(a) show that

(-, {0_{Z}}^{j})

can be located. Case SS

_{7} = 1010

(b) and case SS

_{4} = 1001

(b) show that

({1_{X}}^{k}, -)

can be located. Case SS

_{6} = 0110

(b) and case SS

_{3} = 0101

(b) show that

(-, {1_{Z}}^{l})

can be located.

Table 3. Security test of the conjugate bits approach. Suppose Eve intercepts instances where SS

_{9} = 1100

, but she knows that they are composed by the events

({1_{X}}^{t}, -)

and

(-, {1_{Z}}^{t})

. Using conjugated bits, such events allow Eve to identify other outcomes. Case SS

_{7} = 1010

(a) and case SS

_{6} = 0110

(a) show that

({0_{X}}^{i}, -)

can be located. Case SS

_{3} = 0101

(a) and case SS

_{4} = 1001

(a) show that

(-, {0_{Z}}^{j})

can be located. Case SS

_{7} = 1010

(b) and case SS

_{4} = 1001

(b) show that

({1_{X}}^{k}, -)

can be located. Case SS

_{6} = 0110

(b) and case SS

_{3} = 0101

(b) show that

(-, {1_{Z}}^{l})

can be located.

#	SS $_{i}$	i	Case	Bob’s Instances
1	0000	1,5,8,10	(a) (b)	${({0_{X}}^{i}, -), ({0_{X}}^{t}, -)}, {(-, {0_{Z}}^{j}), (-, {0_{Z}}^{t})}$ ${({1_{X}}^{k}, -), ({1_{X}}^{t}, -)}, {(-, {1_{Z}}^{l}), (-, {1_{Z}}^{t})}$
2	1010	7	(a) (b)	${({0_{X}}^{i}, -), ({1_{X}}^{t}, -)}$ ${({1_{X}}^{k}, -), ({0_{X}}^{t}, -)}$
3	0110	6	(a) (b)	${({0_{X}}^{i}, -), (-, {1_{Z}}^{t})}$ ${(-, {1_{Z}}^{l}), ({0_{X}}^{t}, -)}$
4	0101	3	(a) (b)	${(-, {0_{Z}}^{j}), (-, {1_{Z}}^{t})}$ ${(-, {1_{Z}}^{l}), (-, {0_{Z}}^{t})}$
5	1001	4	(a) (b)	${(-, {0_{Z}}^{j}), ({1_{X}}^{t}, -)}$ ${({1_{X}}^{k}, -), (-, {0_{Z}}^{t})}$
6	0011	2	(a)	${(-, {0_{Z}}^{j}), ({0_{X}}^{t}, -)}, {({0_{X}}^{i}, -), (-, {0_{Z}}^{t})}$
7	1100	9	(a)	${({1_{X}}^{k}, -), (-, {1_{Z}}^{t})}, {(-, {1_{Z}}^{l}), ({1_{X}}^{t}, -)}$

Table 4. A portion of the quantum states (QS) sent by Alice is illustrated. At the receiving station, Bob randomly chooses the measurement basis

X

Z

to perform each measurement. Then, he groups the obtained results into randomly chosen pairs:

[ϵ_{11}, ϵ_{12}], [ϵ_{21}, ϵ_{22}], [π_{11}, π_{12}], [π_{21}, π_{22}]

. It should be noted that

{[ϵ_{11}, ϵ_{12}], [π_{11}, π_{12}]}

is an

f_{5}

frame, while

{[π_{21}, π_{22}], [ϵ_{21}, ϵ_{22}]}

is an

f_{1}

frame. Bob obtains the shared bits by the direct application of T.2, which in this example, produces

{[ϵ_{11}, ϵ_{12}], [π_{11}, π_{12}]} \to 1, {[π_{21}, π_{22}], [ϵ_{21}, ϵ_{22}]} \to 0

Table 4. A portion of the quantum states (QS) sent by Alice is illustrated. At the receiving station, Bob randomly chooses the measurement basis

X

Z

to perform each measurement. Then, he groups the obtained results into randomly chosen pairs:

[ϵ_{11}, ϵ_{12}], [ϵ_{21}, ϵ_{22}], [π_{11}, π_{12}], [π_{21}, π_{22}]

. It should be noted that

{[ϵ_{11}, ϵ_{12}], [π_{11}, π_{12}]}

is an

f_{5}

frame, while

{[π_{21}, π_{22}], [ϵ_{21}, ϵ_{22}]}

is an

f_{1}

frame. Bob obtains the shared bits by the direct application of T.2, which in this example, produces

{[ϵ_{11}, ϵ_{12}], [π_{11}, π_{12}]} \to 1, {[π_{21}, π_{22}], [ϵ_{21}, ϵ_{22}]} \to 0

User	Task	XOR Bit QKD Protocol
Alice	Time Slot	…	8	7	6	5	4	3	2	1
Alice	QS	…	$0_{X}$	$0_{Z}$	$1_{Z}$	$1_{Z}$	$0_{X}$	$0_{Z}$	$1_{X}$	$1_{X}$
Bob	Basis	…	$Z$	$X$	$Z$	$Z$	$Z$	$X$	$X$	$X$
	Result		$1_{Z}$	$1_{X}$	$1_{Z}$	$1_{Z}$	$1_{Z}$	$1_{X}$	$1_{X}$	$1_{X}$
	Label		$π_{22}$	$ϵ_{12}$	$π_{12}$	$π_{21}$	$π_{11}$	$ϵ_{22}$	$ϵ_{21}$	$ϵ_{11}$

Table 5. Secret bits are obtained as follows. Each frame contributes one bit to the secret key.

Frame	Alice	Bob	Secret Bit
$f_{1}$	${[, 1_{Z_{l}}], [1_{X_{k}}, ]}$	${[π_{l 1}, π_{l 2}], [ϵ_{k 1}, ϵ_{k 2}]}$	0
$f_{5}$	${[1_{X_{k}}, ], [, 1_{Z_{l}}]}$	${[ϵ_{k 1}, ϵ_{k 2}], [π_{l 1}, π_{l 2}]}$	1

Table 6. Security test of the XOR bit approach. Suppose Eve intercepts instances where SS

_{2} = 11

, but she knows that they are composed by the events

({1_{X}}^{t}, -)

and

(-, {1_{Z}}^{t})

. Although Eve is provided with this information, she cannot differentiate between

({1_{X}}^{k}, -)

and

(-, {1_{Z}}^{l})

, since they both produce the same SS

_{1} = 00

; therefore, it does not reveal to Eve the MR of Bob.

Table 6. Security test of the XOR bit approach. Suppose Eve intercepts instances where SS

_{2} = 11

, but she knows that they are composed by the events

({1_{X}}^{t}, -)

and

(-, {1_{Z}}^{t})

. Although Eve is provided with this information, she cannot differentiate between

({1_{X}}^{k}, -)

and

(-, {1_{Z}}^{l})

, since they both produce the same SS

_{1} = 00

; therefore, it does not reveal to Eve the MR of Bob.

#	SS	Bob’s Instances
1	00	${({1_{X}}^{k}, -), ({1_{X}}^{t}, -)}, {(-, {1_{Z}}^{l}), (-, {1_{Z}}^{t})}$
2	11	${(-, {1_{Z}}^{l}), ({1_{X}}^{t}, -)}, {({1_{X}}^{k}, -), (-, {1_{Z}}^{t})}$

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2023 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Lizama-Perez, L.A. Reverse Reconciliation for Optimal Error Correction in Quantum Key Distribution. Symmetry 2023, 15, 710. https://doi.org/10.3390/sym15030710

AMA Style

Lizama-Perez LA. Reverse Reconciliation for Optimal Error Correction in Quantum Key Distribution. Symmetry. 2023; 15(3):710. https://doi.org/10.3390/sym15030710

Chicago/Turabian Style

Lizama-Perez, Luis Adrián. 2023. "Reverse Reconciliation for Optimal Error Correction in Quantum Key Distribution" Symmetry 15, no. 3: 710. https://doi.org/10.3390/sym15030710

APA Style

Lizama-Perez, L. A. (2023). Reverse Reconciliation for Optimal Error Correction in Quantum Key Distribution. Symmetry, 15(3), 710. https://doi.org/10.3390/sym15030710

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

Reverse Reconciliation for Optimal Error Correction in Quantum Key Distribution

Abstract

1. Introduction

1.1. BB84

1.2. Pairs of Quantum States

2. Security of Frame-Based Reconciliation Methods

2.1. Clarifications about the Symbology Used

2.2. The Sifting String

2.3. Problem Statement

2.4. Security of the Measured-Bit Approach

2.5. Security of the Conjugate Bit Approach

3. Frame Reconciliation with XOR Bits

3.1. General QKD Protocol

3.2. Auxiliary Algorithms

3.2.1. Algorithm A.1

3.2.2. Algorithm A.2

3.2.3. Algorithm A.3

3.2.4. Test T.1

3.2.5. Test T.2

3.3. The Error Probability in the Quantum Channel

3.4. Privacy Amplification Performance

3.5. Security of the XOR Bit Approach

3.6. Strength of the System against Attacks

3.7. Properties of the XOR Bit Approach

4. Conclusions

Funding

Conflicts of Interest

Appendix A. Secret Gain with Measured Bits

Appendix B. Secret Gain of the Frames

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI