Quantum Key Distillation using Binary Frames

. We introduce a new integral method for Quantum Key Distribution to perform sifting, reconciliation and ampliﬁcation processes to establish a cryptographic key through the use of binary structures called frames which are capable to increase quadratically the secret key rate. The method can be implemented with the usual optical Bennett-Brassard ( BB 84) equipment allowing strong pulses in the quantum regime.


Introduction
Quantum cryptography has emerged as a promissory theoretical and technological paradigm for the quantum computing era. This is so because the presence of an eavesdropper in QKD protocols produces a detectable disturbance on the quantum communication. Unfortunately, some technological loopholes have been found in the photo-detection system which have imposed new challenges to QKD systems.
Due to those technological loopholes most of the QKD systems have failed to be secure against some of the most challenging attacks: the Intercept-Resend with Faked States (IRFS) attack [1,2,3,4,5,6,7,8,9,10] and the Photon Number Splitting (PNS) attack [11]. IRF S attack can be partially solved by monitoring the photo intensity at the receiver.
Previously, we have introduced the ack − state protocol in [12,13]. In addition, the nack − state protocol was first discussed in [14]. Such protocols constitute a generalization of the BB84 to resist the P N S attack [13] and the IRF S attack [14], respectively. Both methods are conceived under the basis of a new theoretical approach called quantum flows, denoted by Q [13,15].
In this work, we extend the Q approach to introduce a new distillation method based on binary structures called frames. It is known that the distillation process generate a few secret bits after a high number of quantum pulses are transmitted from Alice (the sender) to Bob (the receiver).
Several algorithms are applied during the distillation process: sifting, error correction and privacy amplification among others. However, some of them have been developed from other research fields to attend specific requirements. Error correction algorithms are described in [16,17,18,19] and privacy amplification is analyzed in [20]. Up to our knowledge there is no an integral method capable to perform the QKD distillation in a single process.
We will introduce here the frame distillation as an integral method for QKD to perform sifting, error correction and privacy amplification just in one process. Surprisingly, we have found that at least theoretically, this technique increases quadratically the size of the secret key allowing to raise up the secret key rate.

Related work
We will describe briefly some other reconciliation methods used in QKD: 1. Binary [16] is a reconciliation protocol that find and correct errors after the transmission of quantum pulses caused by the noise in the channel and possibly from the eavesdropper. After Alice and Bob obtain an error estimation based on a portion of their sifted key, they determine whether the error failure threshold has been breached. If the error rate is in excess of the fail threshold, Alice and Bob begin the raw key step again. If the estimated error rate is acceptable, Alice and Bob begin the first of a number of passes and use a predetermined random permutation, applying it to the sifted key bits. 2. Cascade [17] is a reconciliation method that has become the de-facto standard for all QKD practical implementations. After a number of passes, permutations, and cascades, the protocol finishes with low probability that errors still remain [21]. However, large communication overhead have raised methods based on error correcting codes which are more practical. 3. The Winnow algorithm [18] is a reconciliation method based on Hamming codes which introduces additional errors because the Hamming algorithm can only reveal one single error in each block. 4. LDPC [19] is a linear error correcting code that uses iterative decoding using the sum product soft decision decoder to correct transmission errors.
We conclude this section pointing out some of the challenges of interactive methods that could be summarized from [21] as follows: . Cascade exhibits great efficiency at low error rates but is still robust up to 18% error rate if required. . Effective estimation of the error rate in the quantum channel. . Interactivity could be high intensive in the number of passes to check parity. . The number of required permutations of the shared bits could demand a persistent computational effort.

Quantum Pulses
In the quantum flows approach [13,14], Alice prepares n quantum states, parallel or non-orthogonal which are randomly interleaved to produce a photonic gain at each quantum flow. On the other side, Bob measures the n quantum states with the same measurement basis, X or Z. Fig. 1 shows the quantum states and measurement bases of BB84 and Fig. 2 the quantum states and measurement bases used in quantum flows.

Quantum information
The basic mechanism to transfer information from Alice to Bob is that one bit is codified at Alice's photonic source through a pair of non-orthogonal quantum states. On the other side, the bit is received successfully if a double matching detection event is produced at Bob's detectors.
Since the two states prepared by Alice are non-orthogonal and Bob uses the same basis to measurement them, it is produced one compatible measurement (the measurement basis matches one of the quantum states) and one non-compatible measurement (with 50% chance to be detected at the same detector). Therefore, if the quantum states are detected at the same detector, the transferred bit comes from the compatible measurement. As long as a double matching event is produced at Bob's station, the order between the compatible and the non-compatible measurement is irrelevant for our purposes. Consider Alice sends to Bob some pairs of non-orthogonal states which are depicted in Fig. 2: (|0 X , |0 Z ), (|0 X , |1 Z ), (|1 X , |0 Z ), (|1 X , |1 Z ). One of the following detection events can be registered at Bob's optical system: 1. Single detection: One of two the pulses is detected at Bob's station. They could be processed as usual BB84 quantum pulses. However, in our context, they have not be included as part of the distillation process. 2. Double detection: The two non-orthogonal states are detected at Bob's station.
-In the matching case both states are detected at the same photo-detector. In the current protocol this unique case will be exploited to derive secret bits.
-In the non-matching case the states are registered at different detectors. These results are ambiguous and they are not useful to derive secret bits. 3. No detection: No pulse is registered.
In the BB84 protocol, when a single matching detection event is produced at Bob's station, the information is derived from the compatible quantum measurement cases, otherwise results are ambiguous and must be discarded, see Tab.2.
On the other hand, if a double detection event is produced at Bob's station, the information is also derived from the matching cases (see Tab.3). In this case, non-matching results are ambiguous and not usable to distill secret bits. Bob's basis measurement Alice's non-orthogonal Matching event Non-matching event pairs

Quantum photonic gains
Not taking into account losses in the quantum channel and the efficiency of optical detection system we can compute the gains of double pulses. In this context, Q (+,+) represents the photonic gain of two non-empty pulses, Q (±,∓) is the gain of the pulses in which is produced a non-empty pulse and one vacuum pulse (whatever the order between them) and Q (−,−) is the gain of two consecutive vacuum pulses [15]. Since the gains follow a Poisson's distribution we can write them as: For example, for µ = 0.1 we have Q (−,−) = 0.8187, Q (±,∓) = 0.1722 and Q (+,+) = 0.01. So the gain of double pulses reduces considerably. Increasing µ to 0.5 raises Q (+,+) to 0.15. However, the detection system sometimes requires a recuperation time after it can register another detection event, so the probability to get two consecutively pulses reduces even more. Fortunately, quantum states inside a pair of non-orthogonal states can be sent temporally separated as it is represented in Fig. 3 (for details see section 4.2 of [14])

Fig. 3:
Quantum states are separated temporally to avoid losses due to consecutive detection events. The order between two non-orthogonal states is not relevant for the present discussion.

Non-orthogonal measurement
Consider the following scenario: Alice prepares two non-orthogonal states (of those depicted in Fig. 2) and transmits them to Bob. Let us assume that a double matching detection has been produced in Bob's optical system (as stated before, a double matching detection event actives the same detector at the optical receiver system).
For example, Fig. 4 shows that Alice prepares and sends to Bob the pair of non-orthogonal states (|0 X , |0 Z ). He chooses randomly to measure both pulses with the X basis (or Z). The double detection event could be |0 X or |0 Z as can be seen in the bottom of This is equivalent to say that exists one bit codified at each quantum basis. This kind of quantum measurement is just feasible in the case of non-orthogonal states since measurement of parallel states produces ambiguity. For example, consider that Alice sends (|0 X , |0 X ) to Bob. If he measures them with the (incompatible) Z basis and he obtains a double matching detection event, Bob would register |0 Z or |1 Z with the same probability.

Non-orthogonal distillation
To explain the distillation process for non-orthogonal states we must introduce a new concept based on binary structures called frames.

Fig. 4:
Alice sends the non-orthogonal pair |0 X , |0 Z to Bob. After a double matching detection event is produced, Bob's optical system could register |0 X or |0 Z .

Frames
Binary frames or simply frames, are binary structures conceived to implement the sifting, error correction and amplification processes for non-orthogonal based QKD. We introduced the set of 2 × 2 frames enumerated from 1 to 6 in Tab. 4. Each row of a frame contains the bits that could be registered at each basis (X or Z) after a double matching detection event is produced at Bob's station (basis X at the left, basis Z at the right) as it is shown in Tab. 4. Briefly, we can say that each row corresponds to a pair of Alice's non-orthogonal states. The same row represents a double detection event at Bob's side. valid frames invalid frames f1 As can be deduced, Bob can obtain just one bit per row, the row that corresponds to the basis that Bob chose to measure the two non-orthogonal states sent by Alice. Just to be clearer, Fig. 8 show (at left) how are related the non-orthogonal states sent by Alice to the corresponding frame. At the right of Fig. 8 it is represented the four possible Matching Results (MR) at Bob's station.

Matching Results (MR)
Now, we will define the Matching Results, denoted as MR produced at Bob's station which are required for the sifting process. Tab. 5 illustrate the possible Matching Results for 2 × 2 frames. After Bob obtains a Matching Result a bit will replace the symbol • in Tab. 5. Each matching case has been identified with a binary code written at the top of each frame. The purpose of the sifting process is that Alice will realize Bob's Matching Results, so that they will share the corresponding binary code as secret bits. Table 5: There exist four possible Matching Results (MR) for 2 × 2 frames. The double matching event is represented inside the frame with the symbol •. Additionally, each case has been identified with a binary code left to each frame. After the sifting process such code will become part of the secret key.
Now, let us enumerate the first steps of the sifting process which is based on frames: send them to Bob over the quantum channel (it was indicated that the pairs of quantum states are temporally separated each other, so users must agree previously the separating window). 2. Using a classical channel, Bob announces to Alice the double matching detection events.

Sifting bits based in the xor function
To complete the sifting process we will define the sifting bits as they are written at the bottom of each matching result (MR) in Tab. 7. To compute the sifting bits it must be applied the usual xor function to the vertical bits inside each column of the frame, taking a vacuum state as a zero bit. A simple example about the execution of the framed distillation can be found in the Appendix of this article.
The most important property of the sifting bits is that they cannot be derived from two distinct Matching Results as can be verified in Tab. 7. In other words, the sifting bits defines a complete set (without collisions) over the xor function.
At this point, it must result logical that not all the 2 × 2 frames can be used to establish a sifting process. Actually there are just 6 valid frames which are shown in Tab. 4. Now, we can complete the sifting process: 1. Alice prepares a number of non-orthogonal states (0 X , 0 Z ), (0 X , 1 Z ), (1 X , 0 Z ) and (1 X , 1 Z ) and send them to Bob over the quantum channel. 2. Using a classical channel, Bob announces to Alice the cases of double matching detection events.
3. Through the classical channel Bob reveals the sifting bits of each frame to Alice who derive the code of the Matching Result using Tab. 7 and Tab. 5. Since the sifting bits conform a complete binary set {00, 01, 10, 11} Alice is allowed to identify Bob's Matching Results. 4. The secret bits they share are the bits that identify each matching result (according to Tab. 5).

Security of the sifting bits
For security reasons, the sifting bits cannot be correlated with a unique matching result. This property must be achieved to avoid an attacker derives the secret bits. The security property is demonstrated in Tab. 6.

Alice Bob
First pair Second pair The required exchange of messages of the (error-free) framing-based protocol is illustrated in Fig.9.

Error correction
The method discussed so far does not allow error detection to discard erroneous transmissions produced in the quantum channel or the optical detection system. To make the frame distillation capable to identify erroneous detections we will proceed in the following manner: In addition to the sifting bits, Bob will reveal to Alice the measured bits obtained from the optical measurement system.
We define the Sifting String (SS) as a binary string composed by the sifting bits and the measured bits. A Sifting String SS is constructed as follows: SS= 1 st sifting bit || 2 nd sifting bit, 1 st measured bit || 2 nd measured bit.
As commented before, to preserve security, the Sifting String must be correlated to two Matching Results (MR). Then, a secret bit (denoted as sb) can be assigned to each MR as represented in Tab. 8. For example, consider that Bob announces the Sifting String (00,00), then the eavesdropper knows that there are two possible MR: 10 and 11. We have sb=0 for the first case and sb=1 for the second one (see Tab. 8).
The Sifting String allows Alice to detect the erroneous bits because SS reveals the sifting bits but also the measured bits. Provided Alice has sent an specific frame to Bob, he returns the SS which must be one of the listed in Tab. 9, otherwise an error is detected. However, some errors keep undetected because the SS falls within the set of valid SS. In the following section we will demonstrate an strategy to detect and correct all the errors produced in the channel and detection system.
As a final comment, double errors can be taken as single errors since, as we discuss next, every double detection event is combined with the rest of events.

Picking up undetected errors
Consider the undetected errors in Tab. 9 where the error is produced when 0 X is detected as 1 X or 0 Z as 1 Z . We describe here a method to identify them using an auxiliary quantum pair. We use for this purpose the auxiliary quantum pair (0 X , 0 Z ) that we call null quantum pair. Suppose Alice sends several pairs of null quantum pairs to Bob. After she receives the information about double matching detection events she can take advantage from the frames f i where i = 8, 9, 10 and i = 12, 13, 14 of Tab. 4. Consider the instances (0 X , 1 Z ), (1 X , 0 Z ), if measurement of 0 X yields error, it can be easily detected using the auxiliary null pair (0 X , 0 Z ). For the (0 X , 1 Z ) Alice finds the error if Bob responds SS=10,10 while the error in (1 X , 0 Z ) is identified with SS=01,10. The result is consistent as long as the null pair has been correctly measured by Bob which can be easily verified by Alice using several others null pairs. A convenient method to remove errors in null pairs instances is to use frames f 7 (see Tab. 4) that always yield SS=00,00 otherwise such null pairs are useless and must be discarded. On the other hand, if after measurement of 1 Z in (0 X , 1 Z ) or (1 X , 0 Z ) yields error, it does not alter the explained method because in such cases we have SS=00,00 that does not produce any conflict (see Tab. 10).
As a final remark, instances where the error is produced when 1 X is detected as 0 X or 1 Z is measured as 0 Z cannot be detected and must be eliminated along with the null pairs. In the following section we synthesize the error correction model.

Error-correction security model
Since not all undetected errors in Tab. 8 are detectable as it is shown in Tab. 11 and Tab. 12 we define the error-correction security model as the method capable to correct all the errors while it preserves the security property: frames are only known by Alice and MRs known by Bob, while Bob's SS is assigned a bit 0 or 1.
-To distill secret bits, Alice will use only 4 frames which are listed in Tab. 13. To verify errors she will use 4 frames: f 7 , f 8 , f 9 , f 10 so we have that 1 2 of the frames will be useful to be distilled. -In case of errors, SS are correctable as demonstrated in Tab. 11 and Tab. 12. As implied from tables, half of the SS must be removed. So, after Alice informs to Bob which cases must be removed, those that come from SS = (10, 01), (01, 01), (01, 10), (10, 10), they keep 1 4 of the total frames (considering that 1 2 of frames are usable). Also, frames f j where j = 7, . . . , 10 must be discarded because they are used to detect errors in the null quantum pairs and they do not add up secret bits.
-Since each SS comes from two different frames it can be related to one secret bit, this property is demonstrated in Tab. 14.

Privacy pre-amplification
If Bob informs Alice the positions of N double matching detection events she can construct N 2 frames. Since  Table 10: If an error exists in 0 X when measuring the quantum pair (0 X , 1 Z ) or 0 Z in (1 X , 0 Z ) it can be easily detected using the auxiliary pair (0 X , 0 Z ). The first and third rows represent the error-free scenario (frames f 9 and f 10 ). The second and fourth rows show the erroneous behavior (the error occurs in the bit underlined).  Table 11: Error correction map for undetected errors. From Tab. 9 we list all erroneous cases that keep undetected. In case an error is detected, the correcting code is represented. If no detection is found the item must be removed. As defined in the security model, the frame f 1 is useless and will not be computed.     computed during the reconciliation phase of the distillation process. Normally, amplification occurs as a separated stage after sifting and reconciliation have been performed.

Alice Bob
In the next section we will derive the secret key rate but before, let us introduce some important properties of the frame-based reconciliation protocol: Throughput. The throughput of the framed reconciliation can be computed as Effective throughput speed. We have 1 2 of the frames are usable and 1 2 is the correction gain. Therefore, the number of secret bits is 1 A running example of the framed reconciliation is shown in Appendix A. If N = 1000, the number of secret bits is around 10 5 . Since the errors can be removed in no more than tens of milliseconds, the throughput speed achieves 10 6 bps. Such speed can be further enhanced applying a bigger N and using more computational resources as shown in Tab. 15.
Efficiency. The minimum number of required bits to reconcile the shared frames is 2(n 2 − n) bits (because there are four reveled bits per frame), but also the total number of revealed bits is 2(n 2 − n), so the efficiency of the protocol achieves unity.

Round trips.
Although this protocol is an interactive reconciliation protocol, it only requires four rounds to be completed. Just a single transmission (from Alice to Bob) is needed for correction bits (the indices of events that must removed and those of the erroneous detection events). No redundant information is required. Other protocols require tens of parity check passes [21]. No extra permutation or interleaving is required to achieve reconciliation.

QBER.
As we will show in the security analysis section, the protocol remains secure although the eavesdropper could be equipped with unlimited quantum memory and multiple copies of Bob's quantum states. It is known that the photon number splitting attack (PNS) can be detected when the QBER of the channel is beyond 25% due to Eve's erroneous basis selection. By contrast, the security of the framed reconciliation method is invariant despite the number of copies that Eve obtains from the quantum channel therefore immune to the PNS attack. In this case, no estimation of the QBER from the quantum channel is needed. Remarkably, we do not see any limit in the QBER of the channel because a single auxiliary null quantum pair is enough to detect all the errors. Remember that each double detection event is combined with each other.
Since the matching basis of frames f 7 is 1 2 , in order to detect erroneous f 7 we have (1 − e) N 2 ≥ 1 where e is the error rate and N is the number of frames f 7 . Therefore, detection of erroneous null quantum pairs is possible if e ≤ 1 − 2 N . Suppose N = 10, then errors can be detected if e ≤ 0.8.

The Photon Number Splitting Attack
Suppose Eve has a copy of all the quantum states that arrives to Bob's station. We realize that Eve can achieve just 25% of secret information. This is so because, from the captured pulses Eve   Fig. 10: Alice sends a pair of non-orthogonal states to Bob who obtains a double matching detection at his optical detectors. Eve has a copy of such states, however he has a 0.5 chance to choose the correct measurement basis. Furthermore, she has a 0.5 probability to get a double matching detection event. So, Eve's probability to get Bob's result is just 0.25. must guess first the correct measurement basis which occur half of the times (see Fig. 10). Next, Eve must produce the corresponding double matching detection event.
For example, consider the eighth double detection events produced by Bob's station which are shown in Tab. 16 of Appendix A. Eve can produce just half of the double detection events, in this case four double detections. Then, due to basis matching she can derive only two successful results. In other words, Eve can capture just 25% of Alice and Bob secret information.

Optimal quantum measurement attack
Suppose Eve decide to measure looking for an optimal quantum measurement then she uses the measurement bases X + Z or X − Z as depicted at right in Fig. 11. Assuming Bob has registered a double matching detection event and Eve has a copy of those states sent by Alice, she can capture that information with 0.28125 probability. To see that, first consider that Eve choose the optimal measurement basis (X + Z or X − Z) with 0.5 probability. Then, as shown in Fig.11 non-matching detection events are ambiguous for Eve, which occur with 0.375 probability. By contrast, she gets a double matching event with 0.5625 probability. As a result, the chance to get Bob's information is 0.28125. Fig. 11: Alice sends a pair of non-orthogonal states to Bob who obtains a double matching detection at his optical detectors. Eve has a copy of such states, however he has a 0.5 chance to choose the optimal measurement basis, in this case the X − Z basis. Despite Eve choose the optimal quantum measurement basis, the chance to guess Bob's result is 9 16 = 0.5625 while she obtains an inconclusive result with 6 16 = 0.375. So the probability for Eve to get Bob's result is 0.28125.
Although is not our purpose to discuss here other possible optimal quantum attacks, this specific case shows that Eve's information increase is just residual.

The Secret Key Rate
In this section we will derive the mathematical relation to compute the secret bits gained by Alice and Bob in the presence of an attacker with unlimited quantum memory capacity.
The framed protocol involves measuring two pairs of non − orthogonal states because frames has two rows. However, since the sifting process does not involve reveling bases Eve does not know Bob's measurement bases. So, the factors that affects unfavorably to Eve are: - 1 2 due to basis matching. Eve must measure using two different measurement basis (X or Z). - 1 2 because of the chance to get a double matching detection event.
Therefore, the total matching ratio for Bob is 1 2 and 1 4 for Eve. Suppose Eve obtains a copy of each state capturing the multi-photon pulses emitted by Alice equipped with a photonic source that follows a Poisson distribution. Eve behaves according to the following strategy: -Eve uses the announced information about Bob's pairs, therefore she arranges her states in the corresponding pairs, say Q (i,j) . -Assume that Eve has at least one copy of all Bob's pairs so that Q (i,j) = 1 2 Q (+,+) . -Eve measures her quantum pairs to produce double matching events. However, as indicated before Eve's matching ratio is 1 4 .
Let ∆i ab be the secret key rate between Alice and Bob, so we deduced the relation of Eq. 1.
To ensure secrecy of the shared bits it must full filed ∆i > 0, in Eq. 2 we have indicated such condition: Which indicates that Eve subtracts 25% of the shared information. In view of this result, we deduced that the eavesdropper cannot implement the PNS attack, then she could opt for a channel substitution attack. Thus, it could be better to implement this method across a wireless transmission medium. Up to our knowledge this the first QKD protocol capable to distill secret bits applying less attenuated quantum pulses between the two remote stations. An interesting opportunity for this scheme is to use quantum continuous variables (CV-QKD) because it does no require multiple matching detection events.

Secret throughput speed
Let us represent the shared information between Alice and Bob after they executed privacy preamplification as I ab = 1 where N is the number of double matching detection events. As discussed in the previous section, Eve can obtain 25% of the shared secret information, so Eve can distill I ae = 1

Throughput speed with optimal quantum measurement
We know that the information shared between Alice and Bob is I ab = 1 4 N 2 = 1 8 N (N − 1). If we consider the optimal quantum measurement case as discussed previously, Eve can extract 9 32 of double matching events represented as N , so I ae =

Conclusions
We have introduced a new method for QKD distillation. The framed reconciliation approach integrates the sifting, reconciliation and amplification stages in a unique process. The method can be implemented as a software level over the usual optical equipment of a BB84 system. The protocol produces fast the secret bits, convergence of the method is guaranteed, the method works under any QBER in the channel while the key is distilled secretly.
So far functionality of the method has been demonstrated computationally. The key grows quadratically in the number of the double detection events. The method does not require additional bits to estimate channel's parameters. Our analysis indicates that the protocol is not vulnerable to the PNS attack. Moreover, it opens the possibility to use less attenuated quantum pulses in the context of continuous variable QKD. Bob's Bob's public Alice's detection announcement original pair Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 14 April 2020 doi:10.20944/preprints202004.0222.v1