Perfect Reconciliation in Quantum Key Distribution with Order-Two Frames

: We present an error reconciliation method for Quantum Key Distribution (QKD) that corrects 100% of errors generated in regular binary frames transmitted over a noisy quantum channel regardless of the quantum channel error rate. In a previous investigation, we introduced a novel distillation QKD algorithm whose secret key rate descends linearly with respect to the channel error rate. Now, as the main achievement of this work, we demonstrate an improved algorithm capable of retaining almost all the secret information enclosed in the regular binary frames. Remarkably, this technique increases quadratically the secret key rate as a function of the double matching detection events and doubly quadratically in the number of the quantum pulses. Furthermore, this reconciliation method opens up the opportunity to use less attenuated quantum pulses, would allow greater QKD distances at drastically increased secret key rate. Since our method can be implemented as a software update, we hope that quantum key distribution technology would be fast deployed over global data networks in the quantum era.


Introduction
The arrival of the quantum era and quantum computers in the short term is imminent. One of the most profound consequences of the quantum era is that the security of digital data as we know it today must be radically changed due to the power of computers to break the security of asymmetric key cryptographic methods and at the same time must increase the sizes of the symmetrical keys.
Countermeasures to address the threat of quantum computers have been led by NIST, which launched a selection process for new cryptographic algorithms for the quantum era in 2017 [1]. However, it is to be expected that it will take years to implement and technologically adapt the new methods to be used in global data networks [2].
Fortunately, the quantum cryptographic key distribution (QKD) is a cryptographic scheme that appeared almost four decades ago that has been widely evaluated and discussed by the scientific community. In addition, QKD can be implemented through satellite links or already installed fiber optic networks. Quantum Key Distribution (QKD) allows the establishment of a secret key between two remote entities taking advantage of the principles of quantum physics and therefore theoretically secure. Unfortunately, the transmission of quantum states through a noisy quantum channel causes errors to appear in the received information, severely limiting the deployment of QKD technology as it reduces the secret bit rate and the distance achievable by the QKD system. For this reason, error correction algorithms have been developed to detect and correct errors during the post-processing phase, which includes sifting, error reconciliation, and privacy amplification. The reconciliation algorithm must be carried out preserving the secrecy of the cryptographic key [3].

Alice's frame
Bob's frame A two order frame, as it can be seen in Figure 1, is a 2 × 2 matrix, structured by two rows and two columns. One row represents a pair of non-orthogonal states where the first column of the frame contains the base X encoded quantum bit |i X or |(1 − i) X and the second column the base Z quantum bit, that is |i Z or |(1 − i) Z where i = 0, 1. Once Bob measures a pair of non-orthogonal states and provided he gets a DMDE (Double Matching Detection Event), he obtains the encoded bit in the first or second column of the first row of the frame, as shown in Figures 1 and 2. Bob's frame is complete once he gets the second DMDE.
In fact, the two rows of a frame are not received sequentially, instead Bob must inform Alice about the DMDE that he obtained, then Alice responds to Bob how to arrange the rows to construct the frames as illustrated in the message exchange in Figure 3. For this reason, each DMDE is labelled by an index that has the form (CSS, i 1 , i 2 ) where i 1 is the number of the first NO-QP and i 2 is the number of the second NO-QP. The index is assigned during transmission, so is known by Alice and Bob, CSS will be explained shortly.
This article is focused on the discussion and explanation of the reconciliation method, rather than on a detailed discussion of the attacks over the system. So, Section 2 contains a detailed discussion of the reconciliation method. In Section 3 we derive the relation for the secret throughput of the frame-based method. Finally, Section 4 contains a brief discussion about the main quantum attacks. But before going to the details of the reconciliation method, let us succinctly state the research problem and the general idea of the new method. (|0 X , |1 Z ) and (|1 X , |1 Z ). Bob's gets two events of double matching detection events: (|0 X , +) and (+, |1 Z ).
The frame f 15 = 0 X 1 Z 0 X 1 Z and the frame f 16 = 1 X 0 Z 1 X 0 Z are not used in this context. Bob obtains the conjugate frames by inverting the measured bits so they are not obtained from the channel measurements.

General Idea of the Method
It is our goal to demonstrate that using the Composed Sifting String (CSS) is possible that Alice reconciliate 100% of the errors produced in received Bob's DMDE.
-Just to bring it in context, the Sifting String (SS) as stated in [20] is constructed using the sifting bits and the measured bits into Bob's frames. The sifting bits are obtained applying the XOR function to the bits within the columns (from the left to the right column) of Bob's frames, where a vacuum bit is taken as a zero bit. The measured bits are taken directly from the bits inside Bob's frame. This is so because the secret bit is derived from the final configuration of Bob's frames, that we call Measurement Results (MR) as represented in Table 1. The sifting bits are written first into SS while the measured bits are placed next: SS = 1st sifting bit || 2nd sifting bit, 1st measured bit || 2nd measured bit Unfortunately, using SS as designed in [20] is impossible to detect the errors 0 X , 1 Z , 1 X , 0 Z , 1 X , 1 Z and 1 X , 1 Z .
-Now, in this new reconciliation method we introduce the Composed Sifting String (CSS) which is constructed taken the sifting bits of Bob's frame but also the sifting bits of Bob's conjugate frame, that is: CSS = 1st sifting bit || 2nd sifting bit || 1st sifting bit of conjugate frame || 2nd sifting bit of conjugate frame We will demonstrate that using CSS and without compromising the security of the scheme, is possible to detect the errors 0 X , 0 Z , 0 X , 0 Z , 0 X , 1 Z , 0 X , 1 Z , 1 X , 0 Z , 1 X , 0 Z , 1 X , 1 Z and 1 X , 1 Z .

Perfect Reconciliation Using Order-Two Binary Frames
We begin this section by establishing the general steps of the reconciliation method which we will justify throughout the section. To simplify notation, throughout this document we will represent a quantum state using a bold letter instead of the usual ket notation, so we denote |i X as i X . 1. Alice creates NO-QPL (the Non-Orthogonal Quantum Pair List) and sends, one by one, each NO-QP (the Non-Orthogonal Quantum Pair) across QC (the Quantum Channel). We call step 3 of the protocol privacy pre-amplification, in this step Alice performs all the combinations of the DMDE to form the frames that she is going to use in order to successfully carry out the error correction process. Then, the number of possible frames is given by the combination formula ( n 2 ) = n! 2!(n−2)! where n is the number of DMDE. The general diagram showing the protocol message exchange is shown in Figure 3.

Regular and Conjugate 2 × 2 Frames
Conjugate frames are derived from regular frames thus they are not obtained from the physical quantum channel. They are used just to derive a useful complementary set of sifting bits. Below we will show each one of the regular frames, each one with its respective conjugated frame and we will add its corresponding CSS each MR. 0 X 1 Z 1 X 0 Z : CSS : 0101 0000 1100 1001 ( f 2 ) 0 X 1 Z 1 X 1 Z : CSS : 0101 1010 1100 0011 ( f 5 ) 1 X 1 Z 1 X 0 Z : The sifting algorithm can also be applied to the remaining regular frames f 8 , f 12 , f 9 , f 10 , f 14 , f 14 which we do not show here to facilitate the exposition of the method. The security property or frame-based model states that each CSS must map to at least two MR because the secret bit is derived from MR. The results are presented in Table 2. As can be seen there, the cases CSS 1010 and 0101 should be removed because they map a single MR: 00 and 01, respectively.

CSS
Frame MR Sb Action Now, we proceed to demonstrate which errors can be detected inside a frame. Due to their structure, is convenient to see the frames grouped as: In the following equations, the top line contains the frame under MR while the second line shows the conjugated frame. The bottom line hold the computed CSS in each case. The error detection illustrated depends on an error-free NO-QP, so we will solve this point as the error correction pre-processing.
1. The error 1 X , 0 Z is detected with an error-free NO-QP (1 X , 1 Z ), as the second row in f 2 because the CSS that is produced by the error is none of the possible error-free CSS.
CSS : 0101 0000 1100 1001 2. The error 1 X , 0 Z is detected with an error-free NO-QP (1 X , 1 Z ), as the first row in f 6 because the CSS that is produced by the error is none of the possible error-free CSS.
CSS : 0101 0000 1001 1100 1 X 1 Z 1 X 0 Z : 3. The error 0 X , 1 Z is detected with an error-free NO-QP (1 X , 1 Z ), as the second row in f 3 because the CSS that is produced by the error is none of the possible error-free CSS. 0 X 1 Z 1 X 1 Z : CSS : 0000 1010 0110 1100 0 X 1 Z 1 X 1 Z : 4. The error 0 X , 1 Z is detected with an error-free NO-QP (1 X , 1 Z ), as the first row in f 4 because the CSS that is produced by the error is none of the possible error-free CSS.
1 X 1 Z 0 X 1 Z : CSS : 0000 1010 1100 0110 1 X 1 Z 0 X 1 Z : 5. The error 0 X , 1 Z is detected with an error-free NO-QP (0 X , 0 Z ), as the second row in f 9 because the CSS that is produced by the error is none of the possible error-free CSS. 0 X 1 Z 0 X 0 Z : CSS : 0101 1010 1001 0110 ( f 9 ) 6. The error 1 X , 0 Z is detected with an error-free NO-QP (0 X , 0 Z ), as the second row in f 10 because the CSS that is produced by the error is none of the possible error-free CSS.

Error Correction Pre-Processing
In the error-detection cases exhibited above we have assumed that the non-orthogonal quantum pairs (NO-QP) (0 X , 0 Z ) and (1 X , 1 Z ) are error-free, which implies being able to detect any error in these NO-QP. In this section, we explain how to detect such errors using null-frames f 7 and unitary-frames f 11 . To achieve this we must note that in the absence of error, f 7 produce CSS that only contain zeros while f 11 produces 0000 and 1100 under MRT.

Null-Frame Errors
The error can arrive in several ways and we need a method to detect them, so the following cases can occur: -Single error: Non-orthogonal error, two errors in different basis: Parallel error, two errors in the same basis: As we will see right away, single and parallel errors will be detected as if they were non-orthogonal error using the algorithm for Detection of Parallel-Pair Errors (DPPE) that we explain next: -Alice separates CSSL from null frames into the error-detected-null-frames and the error-free-null-frames just checking that CSS = 0000. The last list contain, however, frames with hidden (parallel) errors. For example, consider Alice's null frame 0 X 0 Z 0 X 0 Z . If Bob's frame contains two errors, say 1 X + 1 X + then the errors kept hidden since (1100, x 1 , x 2 ). Alice takes the row-indices x 1 and x 2 and she looks for them into the error-detected list (see Table 3).
-Two cases in the error-detected list reveals the errors in x 1 and x 2 . The frame 1 X + 0 X + with (1010, x 1 , * ) where the first row is x 1 , reveals an error in the frame but the result it is ambiguous because the frame 0 X + 1 X + also produces CSS = 1010. Thus, the result is inconclusive because the CSS does not indicate if the error is in the first or the second row. However, Alice keeps searching into the list of errors and she finds (1100, x 1 , * ) which comes from the frame 1 X + + 1 X where the first row contains x 1 and the second row also contains an error. Interestingly, this CSS reveals the presence of a non-orthogonal error. Similarly, Alice finds another label that exhibits x 2 and the parallel error is detected using a non-orthogonal error which applies for single errors too.
The following aspects must be remarked here: 1. Given an error rate in the quantum channel, it is to be expected that about half of the errors will occur in the first quantum state of 0 X , 0 Z and the other half in the second state 0 X , 0 Z . Therefore, the method described to detect single and parallel errors in null-frames is completely feasible. 2. The algorithm detailed above allows finding all the errors in the null frames, but it does not tell us which of the two non-orthogonal states is the error. To find the position of the error, Alice must use an error free NO-QP say y 1 = (0 X , 0 Z ) from the list of error-free-null-frames. Then she finds (0101, x 1 , y 1 ) which reveals the error is in the first state while (1010, x 1 , y 1 ) unveils the error in the second state (see Table 3).
How should it be clear, in all cases, Alice must be able to identify the position of the error to perform reconciliation successfully. Importantly here is that detecting the position of the error also allows Alice to find MR when using this error-row inside a frame. For this purpose and assuming Alice has detected all the errors, consider the following frame cases: 1. First and second rows without errors. Alice applies the usual frame-based sifting algorithm identifying MR in each case. 2. First and second rows with errors. Since error-detection reveals the position of the error, Alice identifies MR straightforward. 3. Error-free (first/second) row and error-detected (second/first) row. In the next lines we discuss this case.
Suppose Alice has detected all the errors and she must guess MR when she sends 0 X 1 Z 0 X 0 Z and Bob gets + 1 Z 1 X + thus he returns to Alice CSS = 1100. But Alice knows the following facts: The first row is error-free but the first state of the second row is error-detected, that is 0 X , 0 Z .
Then Alice tests f 9 under MRT (see Table 1) given 0 X , 0 Z and CSS = 1100, thus she concludes that the unique MR that matches CSS is under MR = 11. Table 3. Analysis of f 7 frame set. Separate lists of error-detected-null-frames and error-free-null-frames. The symbol * represents an arbitrary NO-QP index.

Unitary-Frame Errors
Frames f 11 behave similarly as frames f 7 , so we present the summary results in Table 4.
As far as we go, we are able to detect 0 X , 0 Z , 0 X , 0 Z , 1 X , 1 Z , 1 X , 1 Z errors. Table 4. Analysis of f 11 frame set. Separate lists of error-detected-unitary-frames and error-free-unitary-frames. The symbol * represents an arbitrary NO-QP index.

Reconciliation Algorithm
To close this section let us summarize the steps of the reconciliation algorithm. Table 5 shows the error detection results using regular frames.
1. Identify (0 X , 0 Z ) and 0 X , 0 Z , 0 X , 0 Z errors in the set of f 7 . Identify single and parallel errors using DPPE algorithm.
2. Identify (1 X , 1 Z ) and 1 X , 1 Z , 1 X , 1 Z errors in the set of f 11 . Identify single and parallel errors using DPPE algorithm.

The Throughput of Frame Reconciliation
Not all the frames are converted into secret bits. In [21] we derived the throughput as  Table 2, we arrive to the throughput Equation (1) of frame reconciliation T where n is the number or Double Matching Detection Events.
Computing the photonic gain of double detection events at Bob's side as Q (+,+) = (1 − e −µ ) 2 (neglecting the losses generated by the quantum channel and the losses of the optical detection system), we derived Equation (2) where N is the total number of quantum pulses sent by Alice to Bob. As a result, the number of secret bits grows doubly quadratically as a function of the number of quantum pulses N.
One of the biggest challenges posed by the Photon Number Splitting (PNS) attack is that the number of photons per pulse (µ) should not be increased because an attacker can split the pulse and store a copy of it. However, in frame-based reconciliation, the secret bits do not result only from the quantum pulses that arrive to Bob's detector, but from the double detection events that occur at Bob's station. So the security of our approach does no depend on the photon mean µ of the quantum pulse neither the channel error-rate e.

Immunity to Quantum Attacks
Produce a double detection event does not depend on the transmittance of the quantum channel but in the quantum probability. This property gives immunity to the quantum key distribution protocol when it relies on double detection event as the vehicle to transmit a secret bit. Since the reconciliation efficiency does not depend on the quantum channel error rate, we will start this section by looking at the effect of quantum channel noise on error production. Later we explain why the frame-based QKD is immune to the Intercept-Resend attack (IR), the Photon Number Splitting attack (PNS) and the Quantum Bases Choice attack (BC). Our research work is still in progress to extend the discussion and demonstrate security of our method over other more general quantum attacks as collective attacks.

Errors in the Quantum Channel
Whatever the type of the noise in the quantum channel, be it rotation noise or dephasing noise [22], it can be interpreted as a Bloch sphere rotation axis causing a variation in the polarization of the quantum state [23], thus producing errors in the information encoded in it. Suppose, for example, that due to the effect of channel noise, state |0 Z moves to |1 X and state |0 X becomes |1 Z as represented in Figure 4. If Bob uses the basis X to measure the pair of non-orthogonal states (|0 X , |0 Z ), there are two probable outcomes: -|1 X as a result of a double matching detection event which according to the reconciliation method is taken as an error. -(|0 X , |1 X ) caused by a double non-matching detection event that is useless to perform reconciliation.
The same result applies for the Z basis (see Figure 4). The most important conclusion from this analysis is that |0 X can never be accepted as |1 X since it is interpreted as an error. Such behavior comes from the fact that a pair of orthogonal states hold a single bit of information. Let us now proceed to the analysis of the behavior of the protocol in the presence of attacks on the QKD system.

The Intercept and Resend Attack (IR)
Eve must measure each pair of non-orthogonal quantum pulses that crosses the quantum channel and produce a double matching detection event, then according to the result obtained from her measurement, Eve sends another pair of non-orthogonal quantum pulses to Bob. In addition, Eve must ensure that both states that she forwards to Bob's station are not lost on the quantum channel, but assuming she can overcome this difficulty, Eve's final gain, as indicated in Table 6 is 0.25. Table 6. Eve is forced to produce a double detection event, then she must guess Bob's basis which occurs with 0.5 probability, so Eve's final probability is 0.25.

Alice
Eve Bob Eve obtains a copy of the quantum states that Bob receives in his optical station and stores them in a quantum memory. However, the probability that Eve gets a double matching detection event as registered by Bob is 0.5. In addition, Eve must measure by choosing between two different measurement bases (X or Z), so the final gain of the attack is 0.25 (see Table 7). The attacker could use other quantum measurement bases to gain more information, for example Eve could use the pair of measurement bases X + Z, X − Z. Now, suppose Bob has registered a double matching detection event and Eve has a copy of those states then she could get Bob's information with a probability of 0.28. This is so because Eve chooses one of the measurement bases X + Z or X − Z with a probability of 0.5. But the non-matching detection events are ambiguous for Eve, which occurs with a probability of 0.37. Rather, she gets a double matching event with probability 0.56. As a result, the probability of getting Bob's information is 0.28 (see Table 8). Table 8. Eve is required to produce a double matching detection event as Bob with probability 0.56. In addition, Eve must choose the appropriate basis which occurs with probability of 0.5, so Eve's final probability is 0.28.

Alice
Bob Eve Q (+,+) 0.56 DMDE 0.5 X basis 0.5 Z basis We must highlight that one the main advantages of the immunity to described quantum attacks, is that the mean photon value µ in Equation (2) can be properly increased in the quantum regime, so that longer distance can be achieved in QKD link. Further on, the number of secret bits grows doubly quadratic in the number of quantum pulses. Table 9 shows according to [24] a general comparison between some of the most representative reconciliation algorithms where we have included the introduced method. Although we are currently working in the software implementation of the algorithm, we base our evaluation in the following criteria: the algorithm requires only four message exchanges as can be seen in Figure 3. The effectiveness of the protocol is perfect since all errors are corrected regardless of the quantum channel error rate.

Discussion
The QKD protocol runs in a single process that includes quantum communication and classical post-processing based on two-order frames. The throughput grows doubly quadratically as a function of the number of quantum pulses and the runtime requires only milliseconds as demonstrated in our previous software implementation. Furthermore, our method does not require redundant bits to be sent, and there is no need to estimate quantum channel error rate while is invariant against burst errors. We present an appendix that describes the execution of the QKD protocol and the frame-based reconciliation algorithm (see Appendix A). Table 9. Comparison of main reconciliation algorithms based on [24]. Complexity refers to computational or communication complexity. Effectiveness is the corrective percentage efficiency of the protocol. Throughput is the secret key rate measured in bits per second. Runtime is the number of seconds required to execute the algorithm.

Algorithm
Complexity Effectiveness Throughput Runtime Table A1. Alice's reconciliation process. Error detection is indicated with an overbracket symbol.