Quantum Key Distillation Using Binary Frames

Abstract

We introduce a new integral method for Quantum Key Distribution to perform sifting, reconciliation and amplification processes to establish a cryptographic key through the use of binary matrices called frames which are capable to increase quadratically the secret key rate. Since the eavesdropper has no control on Bob’s double matching detection events, our protocol is not vulnerable to the Intercept and Resend (IR) attack nor the Photon Number Splitting (PNS) attack. The method can be implemented with the usual optical Bennett–Brassard ($BB84$) equipment allowing strong pulses in the quantum regime.

1. Introduction

Quantum cryptography has emerged as a promissory theoretical and technological paradigm for the quantum computing era. This is because the presence of an eavesdropper in QKD protocols produces a detectable disturbance on the quantum communication. Unfortunately, some technological loopholes have been found in the photo-detection system which have imposed new challenges to QKD systems.

Due to those technological loopholes most of the QKD systems have failed to be secure against some of the most challenging attacks: the Intercept-Resend with Faked States (IRFS) attack [1,2,3,4,5,6,7,8,9,10] and the Photon Number Splitting (PNS) attack [11]. IRFS attacks can be partially solved by monitoring the photo intensity at the receiver.

Previously, we have introduced the ack-state protocol in [12,13]. In addition, the nack-state protocol was first discussed in [14]. Such protocols constitute a generalization of the BB84 to resist the PNS attack [13] and the IRFS attack [14], respectively. Both methods are conceived under the basis of a new theoretical approach called quantum flows, denoted by Q [13,15].

In this work, we extend the Q approach to introduce a new distillation method based on binary matrices called frames. It is known that the distillation process generate a few secret bits after a high number of quantum pulses are transmitted from Alice (the sender) to Bob (the receiver).

Several algorithms are applied during the distillation process: sifting, error correction and privacy amplification among others. However, some of them have been developed from other research fields to attend specific requirements. Error correction algorithms are described in [16,17,18,19] and privacy amplification is analyzed in [20]. Up to our knowledge there is no integral method capable to perform the QKD distillation in a single process.

We will introduce here the frame distillation as an integral method for QKD to perform sifting, error correction and privacy amplification just in one process. Surprisingly, we have found that at least theoretically, this technique increases quadratically the size of the secret key allowing to raise up the secret key rate.

2. Related Work

We will describe briefly some reconciliation methods used in QKD, a summary of them is shown in

Table 1. Comparison of reconciliation methods as presented in [22].

Reconciliation	Method	Advantages	Disadvantages
Interactive	Binary [16]	Easy and simple	Large communication overhead
	Cascade [17]	Easy and simple
		Strong ability of error correction
Code based	Winnow [18]	Communication time depending on the rate	Additional errors (Hamming)
			Great Efficiency
	LDPC [19]	Correction of errors as Cascade
		Improvement of the safety of the protocol

:

• Binary protocol [16] is a reconciliation method that find and correct errors after the transmission of quantum pulses caused by the noise in the channel and possibly from the eavesdropper. After Alice and Bob obtain an error estimation based on a portion of their sifted key, they determine whether the error failure threshold has been breached. If the error rate is in excess of the fail threshold, Alice and Bob begin the raw key step again. If the estimated error rate is acceptable, Alice and Bob begin the first of a number of passes and use a predetermined random permutation, applying it to the sifted key bits.
• Cascade [17] is a reconciliation method that has become the de-facto standard for all QKD practical implementations. After a number of passes, permutations and cascades, the protocol finishes with low probability that errors still remain [21]. However, large communication overhead have raised methods based on error correcting codes which are more practical.
• The Winnow algorithm [18] is a reconciliation method based on Hamming codes which introduces additional errors because the Hamming algorithm can only reveal one single error in each block.
• LDPC [19] is a linear error correcting code that uses iterative decoding using the sum product soft decision decoder to correct transmission errors.

We conclude this section pointing out some of the challenges of interactive methods that could be summarized from [21] as follows:

• Cascade exhibits great efficiency at low error rates but is still robust up to $18\%$ error rate if required.
• Effective estimation of the error rate in the quantum channel.
• Interactivity could be high intensive in the number of passes to check parity.
• The number of required permutations of the shared bits could demand a persistent computational effort.

3. BB84 Protocol

Figure 1 shows the quantum states and measurement bases of BB84 protocol. Here, Alice sends one of the following qubits: $|0_X\rangle$, $|0_Z\rangle$, $|1_X\rangle$ and $|1_Z\rangle$. On the other side, Bob detects the incoming state choosing randomly the X or Z measurement basis. Bob’s station is equipped with four optical detectors, one for each qubit. If Bob chooses X to measure $|0_X\rangle$ or $|1_X\rangle$ he obtains 0 or 1, respectively and it is said that Bob has performed a compatible measurement because Bob’s measurement basis matches Alice’s preparation basis. Otherwise, if Bob chooses Z to measure $|0_X\rangle$ or $|1_X\rangle$, the measurement is not compatible, the result is ambiguous and it must be discarded. States $|0_Z\rangle$ or $|1_Z\rangle$ behave according to the same principle.

In the BB84 protocol, when a single matching detection event is produced at Bob’s station, the information is derived from the compatible quantum measurement, otherwise the measurement result is ambiguous and it must be discarded.

4. Quantum Flows

Let us introduce the simplest case of quantum flows approach [13,14]. Here, Alice sends to Bob a pair of quantum states, parallel or non-orthogonal (see Figure 2). The selection between parallel or non-orthogonal pair is performed randomly. On the other side, Bob measures the two quantum states with the same measurement basis, X or Z. If after Bob has measured the pair of quantum states he obtains the same result, a single bit has been successfully transmitted from Alice to Bob. This implies that two quantum states are used to encode a single bit.

After several rounds, pairs of non-orthogonal qubits are interleaved with pairs of parallel qubits. We define that a non-orthogonal quantum flow is interleaved with a parallel quantum flow. This scheme can be generalized to multiple parallel or non-orthogonal states [13,14].

In quantum flows approach, the basic mechanism to transfer information from Alice to Bob is that Alice encodes one bit through a pair of non-orthogonal quantum states. On the other side, the bit is received successfully if a double matching detection event is produced at Bob’s optical station after he measures the pair of non-orthogonal quantum states with the same measurement basis (X or Z), so that the same detector clicks twice (see Figure 3).

Since the two qubits sent by Alice are non-orthogonal and Bob used the same measurement basis, necessarily Bob performs one compatible measurement (the measurement basis that matches the preparation basis chosen by Alice). Although the other measurement is non-compatible, that is, Bob’s measurement basis does not match Alice’s preparation basis, it has $\frac{1}{2}$ probability to produce click at the same detector chosen by Bob. Therefore, in case of a double matching detection event, the transferred bit comes from the compatible measurement. Here, the order between the compatible and the non-compatible measurement is irrelevant for our purposes.

4.1. Measurement of Non-Orthogonal Quantum States

Consider Alice sends to Bob a pair of the non-orthogonal states depicted in Figure 2: ($|0_X\rangle$, $|0_Z\rangle$), ($|0_X\rangle$, $|1_Z\rangle$), ($|1_X\rangle$, $|0_Z\rangle$), ($|1_X\rangle$, $|1_Z\rangle$). One of the following detection events will be registered at Bob’s optical system:

• Single detection: One of the two qubits is detected at Bob’s station. It could be processed as usually in BB84 protocol. However, in our context, this kind of detection will not be included as part of the distillation process.
• Double detection: The two non-orthogonal states are detected at Bob’s station.

In the matching case, the same detector produces a click for a given pair of non-orthogonal qubits. In the current protocol only this case will be exploited to derive secret bits.

In the non-matching case the qubits are registered at different photo detectors. These kind of results are ambiguous and they are not useful to derive secret bits.

3.

No detection: No pulse is registered.

In case a double matching detection event is produced at Bob’s side, the shared bit comes from the compatible measurement (see

Table 2. Measurement results after a double detection event (matching and non-matching). In the matching case, Bob measures the two quantum states with coincident results. Only double matching events encode a bit. The shared bit comes from the compatible measurement.

	Bob’s Basis Measurement
Alice’s Non-Orthogonal Pairs	Matching Event		Non-Matching Event
	X	Z	X	Z
($|0_X\rangle$, $|0_Z\rangle$)	($|0_X\rangle$, $|0_X\rangle$)	($|0_Z\rangle$, $|0_Z\rangle$)	($|0_X\rangle$, $|1_X\rangle$)	($|1_Z\rangle$, $|0_Z\rangle$)
($|0_X\rangle$, $|1_Z\rangle$)	($|0_X\rangle$, $|0_X\rangle$)	($|1_Z\rangle$, $|1_Z\rangle$)	($|0_X\rangle$, $|1_X\rangle$)	($|0_Z\rangle$, $|1_Z\rangle$)
($|1_X\rangle$, $|0_Z\rangle$)	($|1_X\rangle$, $|1_X\rangle$)	($|0_Z\rangle$, $|0_Z\rangle$)	($|1_X\rangle$, $|0_X\rangle$)	($|1_Z\rangle$, $|0_Z\rangle$)
($|1_X\rangle$, $|1_Z\rangle$)	($|1_X\rangle$, $|1_X\rangle$)	($|1_Z\rangle$, $|1_Z\rangle$)	($|1_X\rangle$, $|0_X\rangle$)	($|0_Z\rangle$, $|1_Z\rangle$)

). Therefore, non-matching results are ambiguous and they are not usable to distill secret bits.

For example, Figure 3 shows that Alice prepares and sends to Bob the pair of non-orthogonal states $(|0_X\rangle ,|1_Z\rangle )$. He chooses randomly to measure both pulses with the X basis (or Z). The two possible double matching detection events are illustrated at right of Figure 3. First, we see the case when Bob chooses X and the double matching detection event produces $|0_X\rangle$. The other possibility is that Bob chooses Z and the double matching detection event gives $|1_Z\rangle$.

This is equivalent to say that exists one bit encoded at each quantum measurement basis, however the transferred bit comes from the measurement basis chosen by Bob that matches the preparation basis chosen by Alice. This kind of quantum measurement is just possible with pairs of non-orthogonal qubits since measurement of parallel qubits using the non-compatible measurement basis will produce ambiguity.

4.2. Quantum Photonic Gains

Not taking into account losses in the quantum channel and the efficiency of optical detection system we can compute the gains of double pulses. In this context, $Q_{(+,+)}$ represents the photonic gain of two non-empty pulses, $Q_{(\pm ,\mp )}$ is the gain of the pulses in which is produced a non-empty pulse and one vacuum pulse (whatever the order between them) and $Q_{(-,-)}$ is the gain of two consecutive vacuum pulses [15]. Since the gains follow a Poisson’s distribution we can write them in Equation (1).

$$\begin{array}{cc}\hfill Q_{(+,+)}& ={(1-e^{-\mu })}^2\hfill \\ \hfill Q_{(\pm ,\mp )}& =2e^{-\mu }(1-e^{-\mu })\hfill \\ \hfill Q_{(-,-)}& =e^{-2\mu }\hfill \end{array}$$

(1)

For example, for $\mu =0.1$ we have $Q_{(-,-)}=0.8187$, $Q_{(\pm ,\mp )}=0.1722$ and $Q_{(+,+)}=0.01$. Therefore, the gain of double pulses reduces considerably. Increasing $\mu$ to $0.5$ raises $Q_{(+,+)}$ to $0.15$. However, the detection system sometimes requires a recuperation time after it can register another detection event, so the probability to get two consecutively pulses reduces even more. Fortunately, quantum states inside a pair of non-orthogonal states can be sent temporally separated as it is represented in Figure 4 (for details see Section 4.2 of [14]).

5. Distillation Based in Non-Orthogonal Quantum States

To explain the distillation process to produce secret bits between Alice and Bob using non-orthogonal quantum states we must introduce a new concept based on binary matrices called frames.

5.1. Frames

Binary frames or simply frames, are binary matrices conceived to implement the sifting, error correction and amplification processes for non-orthogonal quantum states based QKD. We introduced the set of $2\times 2$ frames enumerated from 1 to 14 in

Table 3. There are 6 useful frames: $f_i$, where $i=1,\dots ,6$ and 8 useless frames $f_j$, where $j=7,\dots ,14$.

Useful Frames		Useless Frames
$f_1=$$\left(\begin{array}{cc}|0_X\rangle & |1_Z\rangle \\ |1_X\rangle & |0_Z\rangle \end{array}\right)$	$f_2=$$\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$	$f_7=$$\left(\begin{array}{cc}|0_X\rangle & |0_Z\rangle \\ |0_X\rangle & |0_Z\rangle \end{array}\right)$	$f_{11}=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$
$f_3=$$\left(\begin{array}{cc}|0_X\rangle & |1_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$	$f_4=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |0_X\rangle & |1_Z\rangle \end{array}\right)$	$f_8=$$\left(\begin{array}{cc}|0_X\rangle & |0_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$	$f_{12}=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |0_X\rangle & |0_Z\rangle \end{array}\right)$
$f_5=$$\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |0_X\rangle & |1_Z\rangle \end{array}\right)$	$f_6=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |1_X\rangle & |0_Z\rangle \end{array}\right)$	$f_9=$$\left(\begin{array}{cc}|0_X\rangle & |1_Z\rangle \\ |0_X\rangle & |0_Z\rangle \end{array}\right)$	$f_{13}=$$\left(\begin{array}{cc}|0_X\rangle & |0_Z\rangle \\ |0_X\rangle & |1_Z\rangle \end{array}\right)$
		$f_{10}=$$\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |0_X\rangle & |0_Z\rangle \end{array}\right)$	$f_{14}=$$\left(\begin{array}{cc}|0_X\rangle & |0_Z\rangle \\ |1_X\rangle & |0_Z\rangle \end{array}\right)$

. We have classified the frames into useful and useless frames but such distinction will be explained later. Each row of a frame contains the qubits of the non-orthogonal pair sent by Alice, basis X to the left, basis Z to the right (see Table 3).

After Bob measures a pair of non-orthogonal qubits and provided he get a double matching detection event, he obtains a bit from the corresponding detector. It means that Bob can obtain just one bit per row inside a frame, thus two bits per frame.

A double detection events is illustrated at right of Figure 3. Each double detection event has its own Matching Results (MR) code. A Matching Result represents the final configuration of the Alice’s frame after Bob has measured it. In the example of Figure 5, the four possible results are $(|0_Z\rangle ,|1_Z\rangle )$, $(|0_X\rangle ,|0_Z\rangle )$, $(|1_X\rangle ,|1_Z\rangle )$ and $(|1_Z\rangle ,|0_Z\rangle )$.

5.2. Matching Results (Mr)

We can see the overall purpose of the protocol saying that Alice transfers a specific frame to Bob. Then, after two matching detection events are produced at Bob’s station, the frame ends in a configuration we call Matching Result (MR). We list in

Table 4. There exist four possible Matching Results (MR) for $2\times 2$ frames. The bit produced by a double matching event is represented inside the ket notation with the symbol •. Additionally, each MR has been identified with a binary code left to each frame. After the sifting process such MR code will become part of the secret key.

MR=00 $\left(\begin{array}{cc}|{•}_X\rangle & -\\ |{•}_X\rangle & -\end{array}\right)$	MR=10 $\left(\begin{array}{cc}|{•}_X\rangle & -\\ -& |{•}_Z\rangle \end{array}\right)$
MR=01 $\left(\begin{array}{cc}-& |{•}_Z\rangle \\ -& |{•}_Z\rangle \end{array}\right)$	MR=11 $\left(\begin{array}{cc}-& |{•}_Z\rangle \\ |{•}_X\rangle & -\end{array}\right)$

the four possible Bob’s Matching Results. Table 4 shows that each Matching Result contains two bits that encode Bob’s MR. The sifting process, we will introduce next, is intended to Alice would be capable to identify successfully Bob’s MR.

5.3. Sifting Protocol

Let us enumerate the first steps of the sifting protocol based on frames:

• Alice prepares and sends to Bob a pair of non-orthogonal qubits over the quantum channel. She chooses a pair randomly between $({|0\rangle }_X,{|0\rangle }_Z)$, $({|0\rangle }_X,{|1\rangle }_Z)$, $({|1\rangle }_X,{|0\rangle }_Z)$ and $({|1\rangle }_X,{|1\rangle }_Z)$.
• Bob chooses randomly the measurement basis (X or Z) to measure the incoming pair of non-orthogonal qubits.
• After several rounds, using a classical channel, Bob announces to Alice the non-orthogonal pairs that produce double matching detection event (remember that Bob obtains a distribution of single and double detection events, which can be matching or non-matching). As indicated before, the states inside a quantum pair are temporally separated each other, so users must agree previously on the time difference.

These steps are not enough to distill secret bits. Alice needs a method to identify Bob’s Matching Results. Now, let us introduce the sifting bits.

5.4. Sifting Bits Based in the Xor Function

To compute the sifting bits it must be applied the usual xor function to the vertical bits inside each column of the frame, taking the vacuum state as a zero bit. The sifting bits are written at the bottom of each Matching Result (MR) in

Table 5. To the left we see the 6 usable frames that Alice can prepare to be sent over the quantum channel. Provided Bob obtains the two (required) Matching Results he computes the sifting bits applying the xor function to each column (they are written at the bottom of each frame). The sifting bits which are publicly announced, conform the set $\{00,01,10,11\}$ that does not contain redundancy, so that Alice can identify without ambiguity Bob’s Matching Results.

Alice	Bob
$f_1=$$\left(\begin{array}{cc}|0_X\rangle & |1_Z\rangle \\ |1_X\rangle & |0_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ |1_X\rangle & -\end{array}\right)\\ 10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |0_Z\rangle \end{array}\right)\\ 01\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |1_X\rangle & -\end{array}\right)\\ 11\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 00\end{array}$
$f_2=$$\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |1_X\rangle & -\end{array}\right)\\ 00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\\ 01\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ |1_X\rangle & -\end{array}\right)\\ 10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |1_Z\rangle \end{array}\right)\\ 11\end{array}$
$f_3=$$\left(\begin{array}{cc}|0_X\rangle & |1_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ |1_X\rangle & -\end{array}\right)\\ 10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\\ 00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |1_X\rangle & -\end{array}\right)\\ 11\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ -& |1_Z\rangle \end{array}\right)\\ 01\end{array}$
$f_4=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |0_X\rangle & |1_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |0_X\rangle & -\end{array}\right)\\ 10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\\ 00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 01\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |1_Z\rangle \end{array}\right)\\ 11\end{array}$
$f_5=$$\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |0_X\rangle & |1_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |0_X\rangle & -\end{array}\right)\\ 10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\\ 01\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |1_Z\rangle \end{array}\right)\\ 11\end{array}$
$f_6=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |1_X\rangle & |0_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |1_X\rangle & -\end{array}\right)\\ 00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |0_Z\rangle \end{array}\right)\\ 01\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |1_X\rangle & -\end{array}\right)\\ 11\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 10\end{array}$

.

A simple example about the execution of the framed distillation can be found in the Appendix of this article. The most important property of the sifting bits is that they must not be redundant, otherwise they will become ambiguous. Therefore, the sifting bits of a given frame must not be derived from distinct Matching Results (MR). This condition can be verified in Table 5, where is evident that the sifting bits defines a complete set (no repetitions) over the xor function applied to the frame. At this point, it must result logical that not all the $2\times 2$ frames can be used during the sifting process. Actually there are only 6 usable frames which are shown in Table 3. Now, we can enumerate all the steps of the sifting framed protocol:

• Alice prepares and sends to Bob a pair of non-orthogonal qubits over the quantum channel. She chooses a pair randomly between $({|0\rangle }_X,{|0\rangle }_Z)$, $({|0\rangle }_X,{|1\rangle }_Z)$, $({|1\rangle }_X,{|0\rangle }_Z)$ and $({|1\rangle }_X,{|1\rangle }_Z)$.
• Bob chooses randomly the measurement basis (X or Z) to measure the incoming pair of non-orthogonal qubits.
• After several rounds, using a classical channel, Bob announces to Alice the double matching detection events.
• Alice computes the usable frames $f_i$ where $i=1\dots 6$ (see Figure 3) and sends to Bob the required information to construct such frames (Alice knows which pairs of qubits are paired into a frame).
• Bob constructs the frames grouping the pairs of qubits, then he computes the sifting bits of each frame and sends them back to Alice over a public channel.
• Using the sifting bits and looking up Table 5 Alice identifies Bob’s Matching Results. Given a frame, the sifting bits are correlated with a unique MR because they conform a complete binary set $\{00,01,10,11\}$, thus Alice is allowed to recognize Bob’s MR. Then, Table 4 is used to derive the secret bits.
• On the other side, Bob uses Table 4 to get the shared bits.

As a result, the bits Alice and Bob share are the bits that encode each Matching Result, according to Table 4.

5.5. Security of the Sifting Bits

For security reasons, the sifting bits must not be correlated with a unique Matching Result. This property must be achieved to avoid an attacker derives the secret bits from the sifting bits. The security property is demonstrated in

Table 6. The sifting bits obtained by Bob (written at the bottom of each frame) must be produced from at least two different Matching Results. At the right of each frame we have indicated the corresponding original Alice’s frame.

$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 00\end{array}$$\begin{array}{c}{f}_1\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 00\end{array}$$\begin{array}{c}{f}_5\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |1_X\rangle & -\end{array}\right)\\ 00\end{array}$$\begin{array}{c}{f}_2,f_6\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\\ 00\end{array}$$\begin{array}{c}{f}_3,f_4\end{array}$
$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |0_Z\rangle \end{array}\right)\\ 01\end{array}$$\begin{array}{c}{f}_1,f_6\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ -& |1_Z\rangle \end{array}\right)\\ 01\end{array}$$\begin{array}{c}{f}_3\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\\ 01\end{array}$$\begin{array}{c}{f}_2,f_5\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 01\end{array}$$\begin{array}{c}{f}_4\end{array}$
$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |0_X\rangle & -\end{array}\right)\\ 10\end{array}$$\begin{array}{c}{f}_4,f_5\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ |1_X\rangle & -\end{array}\right)\\ 10\end{array}$$\begin{array}{c}{f}_1,f_3\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ |1_X\rangle & -\end{array}\right)\\ 10\end{array}$$\begin{array}{c}{f}_2\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 10\end{array}$$\begin{array}{c}{f}_6\end{array}$
$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |1_X\rangle & -\end{array}\right)\\ 11\end{array}$$\begin{array}{c}{f}_1,f_3,f_6\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |1_Z\rangle \end{array}\right)\\ 11\end{array}$$\begin{array}{c}{f}_2,f_4,f_5\end{array}$

.

Before closing this section, we depict in Figure 6 the overall required exchange of messages of the (error-free) framing-based protocol. In this scenario Bob gets the shared bits according to Table 4 while Alice uses the sifting bits, Table 4 and Table 5 to derive Bob’s MR.

6. Error Correction Method

The method discussed so far does not include an error detection mechanism to discard erroneous bits produced by the quantum channel or the optical detection system. To make the frame distillation protocol capable to identify erroneous bits we will proceed in the following manner: In addition to the sifting bits, Bob will reveal to Alice the measured bits obtained from detectors.

We define the Sifting String (SS) as a binary string composed by the sifting bits and the measured bits. Given a frame, a Sifting String SS is constructed as follows, sifting bits are written from left to right while measured bits from top to bottom.

$$SS=1^{st}\mathrm{sifting}\mathrm{bit}\left|\right|2^{nd}\mathrm{sifting}\mathrm{bit},1^{st}\mathrm{measured}\mathrm{bit}\left|\right|2^{nd}\mathrm{measured}\mathrm{bit}$$

To preserve security, the Sifting String must be correlated at least to two Matching Results (MR). Then, a secret bit (denoted as sb) can be assigned to each MR as represented in

Table 7. The Sifting String (SS) which is publicly announced is constructed with the sifting bits and the measured bits. To achieve a secret bit (sb) each SS must be correlated at least to two Matching Results (MR).

SS		MR	Frame	sb	MR	Frame	sb
Sifting	Measured	(See Table 4)	(See Table 3)		(See Table 4)	(See Table 3)
00	00	10	$f_1$	0	11	$f_5$	1
00	11	00	$f_2,f_6$	0	01	$f_3,f_4$	1
01	10	01	$f_1,f_6$	0	11	$f_4$	1
01	01	10	$f_3$	0	01	$f_2,f_5$	1
10	01	00	$f_1,f_3$	0	11	$f_2$	1
10	10	00	$f_4,f_5$	0	10	$f_6$	1
11	11	11	$f_1,f_3,f_6$	0	10	$f_2,f_4,f_5$	1

. For example, consider that Bob announces the Sifting String 00,00, then there are two possible MR for this SS: 10 and 11, we have sb = 0 for the first case and sb = 1 for the second one (see Table 7).

The Sifting String allows Alice to detect the erroneous bits because SS reveals the sifting bits but also the measured bits. Provided Alice has sent an specific frame to Bob, he returns the SS which must be one of the valid SS listed in

Table 8. We list the set of valid Sifting Strings (SS) for each frame $f_i$. Provided Alice has sent an specific frame to Bob, he returns the SS which must be one of the listed here, otherwise an error is detected. We analyze if an error is detectable when occurs in the 1st (or 2nd) measured bit.

Frame	Valid Sifting Strings (SS)	MR	1st Bit	Detection	2nd Bit	Detection	1st and 2nd Bits	Detection
$f_1$	SS${}_{11}=00,00$	10	10,10	yes	01,01	yes	11,11	no
	SS${}_{12}=01,10$	01	00,00	no	00,11	yes	01,01	yes
	SS${}_{13}=10,01$	00	00,11	yes	00,00	no	10,10	yes
	SS${}_{14}=11,11$	11	10,01	no	01,10	no	00,00	no
$f_2$	SS${}_{21}=00,11$	00	10,01	no	10,10	yes	00,00	yes
	SS${}_{22}=01,01$	01	00,11	no	00,00	yes	01,10	yes
	SS${}_{23}=10,01$	11	11,11	no	00,00	yes	01,10	yes
	SS${}_{24}=11,11$	10	01,01	no	10,10	yes	00,00	yes
$f_3$	SS${}_{31}=00,11$	01	01,01	no	01,10	yes	00,00	yes
	SS${}_{32}=01,01$	10	11,11	no	00,00	yes	10,10	yes
	SS${}_{33}=10,01$	00	00,11	no	00,00	yes	10,10	yes
	SS${}_{34}=11,11$	11	10,01	no	01,10	yes	00,00	yes
$f_4$	SS${}_{41}=00,11$	01	01,01	yes	01,10	no	00,00	yes
	SS${}_{42}=01,10$	11	00,00	yes	11,11	no	10,01	yes
	SS${}_{43}=10,10$	00	00,00	yes	00,11	no	10,01	yes
	SS${}_{44}=11,11$	10	01,01	yes	10,10	no	00,00	yes
$f_5$	SS${}_{51}=00,00$	11	01,10	yes	10,01	yes	11,11	no
	SS${}_{52}=01,01$	01	00,11	yes	00,00	no	01,10	yes
	SS${}_{53}=10,10$	00	00,00	no	00,11	yes	10,01	yes
	SS${}_{54}=11,11$	10	01,01	no	10,10	no	00,00	no
$f_6$	SS${}_{61}=00,11$	00	10,01	yes	10,10	no	00,00	yes
	SS${}_{62}=01,10$	01	00,00	yes	00,11	no	01,01	yes
	SS${}_{63}=10,10$	10	00,00	yes	11,11	no	01,01	yes
	SS${}_{64}=11,11$	11	10,01	yes	01,10	no	00,00	yes

, otherwise an error is detected. Table 8 shows Bob’s SS when the error is in the first (or second) bit of the measured bits. Although it is included detection when the two bits are erroneous, this case will be corrected taking them as two separated single errors. We will return soon to this point.

Despite Bob’s SS allows Alice to identify erroneous bits because a given SS is invalid, some errors keep undetected because the SS falls within the set of valid SS. In the following section we will demonstrate an strategy to detect and correct all the errors produced in the channel and detection system.

6.1. Picking up Undetected Errors

Before we describe the complete method to achieve error correction let us advertises that Alice generates all possible useful frames combining Bob’s double matching detection events. Thanks to this procedure (see privacy pre-amplification in the next section) double errors can be treated as single errors because each error is combined with the rest of the detection events.

Now, we can introduce the method to identify undetected errors written in Table 8. We separate such cases into two types (here the quantum state in ket notation represents a double matching detection event):

• $|0_X\rangle$ is detected as $|1_X\rangle$ or $|0_Z\rangle$ results in $|1_Z\rangle$.
• $|1_X\rangle$ is detected as $|0_X\rangle$ or $|1_Z\rangle$ results in $|0_Z\rangle$.

As an example consider Alice sends $f_2$ to Bob who reads it using MR=01 (see 6th row of Table 8). He must respond with SS${}_{22}=01,01$ which represents in ket notation SS${}_{22}=01,|0_Z\rangle |1_Z\rangle$ because MR=01. In Equation (2) Alice’s frame is represented as $f_{2a}$. At Bob’s side it is written as $f_{2b}$ while the erroneous case is denoted as ${f_{2b}}^{\prime }$.

$$\begin{array}{c}\hfill f_{2a}=\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)\\ \hfill f_{2b}=\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\end{array}\\ 01\\ \hfill {\mathrm{SS}}_{22}=01,01\\ \hfill {f_{2b}}^{\prime }=\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |1_Z\rangle \end{array}\right)\end{array}\\ 00\\ \hfill {\mathrm{SS}}_{21}=00,11\end{array}$$

(2)

The error in the first (double matching) detection event is produced when $|0_Z\rangle$ is detected as $|1_Z\rangle$, as a result Bob responds $00,11$ which corresponds to SS${}_{21}$ a valid SS for $f_2$ when MR=00, so the error pass undetected.

As we will demonstrate soon, only errors of type I. can be detected. For this purpose, we will use the auxiliary quantum pair ($|0_X\rangle ,|0_Z\rangle$) to construct frames $f_9$ and $f_{10}$ (see Table 3). Frames $f_9$ will be used to identify errors produced when $|0_X\rangle$ is detected as $|1_X\rangle$. Similarly, frames $f_{10}$ will be useful to detect errors when $|0_Z\rangle$ results in $|1_Z\rangle$.

In

Table 9. Bob measures the quantum pair ($|0_X\rangle ,|1_Z\rangle$), but $|0_X\rangle$ produces $|1_X\rangle$. This error is identified half of the times using $f_9$. Similarly, Bob receives ($|0_X\rangle ,|0_Z\rangle$) but $|0_Z\rangle$ results in $|1_Z\rangle$. This error is successfully managed half of the times using $f_{10}$. The second and fourth rows show the erroneous cases. The errors are represented with bars above the bits: $|{\overline{0}}_X\rangle$ in $f_9$ and $|{\overline{0}}_Z\rangle$ in $f_{10}$.

Alice	Bob
$f_9=$$\left(\begin{array}{cc}|0_X\rangle & |1_Z\rangle \\ |0_X\rangle & |0_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ |0_X\rangle & -\end{array}\right)\\ 00\\ \mathrm{SS}=00,00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |0_Z\rangle \end{array}\right)\\ 01\\ \mathrm{SS}=01,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 01\\ \mathrm{SS}=01,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|0_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 00\\ \mathrm{SS}=00,00\end{array}$
$f_9=$$\left(\begin{array}{cc}|{\overline{0}}_X\rangle & |1_Z\rangle \\ |0_X\rangle & |0_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |0_X\rangle & -\end{array}\right)\\ 10\\ \mathrm{SS}=10,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |0_Z\rangle \end{array}\right)\\ 01\\ \mathrm{SS}=01,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 01\\ \mathrm{SS}=01,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 10\\ \mathrm{SS}=10,10\end{array}$
$f_{10}=$$\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |0_X\rangle & |0_Z\rangle \end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |0_X\rangle & -\end{array}\right)\\ 10\\ \mathrm{SS}=10,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ -& |0_Z\rangle \end{array}\right)\\ 00\\ \mathrm{SS}=00,00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |0_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 00\\ \mathrm{SS}=00,00\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 10\\ \mathrm{SS}=10,10\end{array}$
$f_{10}=$$\left(\begin{array}{cc}|1_X\rangle & |{\overline{0}}_Z\rangle \\ {|0\rangle }_X& {|0\rangle }_Z\end{array}\right)$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ |0_X\rangle & -\end{array}\right)\\ 10\\ \mathrm{SS}=10,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ -& |0_Z\rangle \end{array}\right)\\ 01\\ \mathrm{SS}=01,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}-& |1_Z\rangle \\ |0_X\rangle & -\end{array}\right)\\ 01\\ \mathrm{SS}=01,10\end{array}$	$\begin{array}{c}\left(\begin{array}{cc}|1_X\rangle & -\\ -& |0_Z\rangle \end{array}\right)\\ 10\\ \mathrm{SS}=10,10\end{array}$

we demonstrate the effectiveness of the method. Here, Bob’s $|0_X\rangle$ yields $|1_X\rangle$, then Bob responds SS = 10,10 but Alice finds the error because this is an invalid SS. Similarly, when $|0_Z\rangle$ results in $|1_Z\rangle$, Alice identifies the error in $f_{10}$ because Bob’s SS = 01,10 is not valid. As shown in Table 9, these errors are detected half of the time but only one detection is sufficient to reveal the error. Provided we have several instances of the null quantum pair and provided a double detection event is combined with all of them, it is guaranteed that an error in such a double detection event will be found.

This procedure is consistent as long as the null quantum pair ($|0_X\rangle ,|0_Z\rangle$) does not contain error. However, correctness of null quantum pairs can be easily confirmed by Alice using several others null quantum pairs. A convenient method to catch this type of error is constructing several frames $f_7$ (see Table 3) that always yield SS = 00,00 otherwise such null quantum pairs are useless and must be discarded. Once an error is detected inside $f_7$ all the frames that contain these two null quantum pairs must be discarded. Then, the null pairs can be used to detect errors by means of frames $f_9$ and $f_{10}$. Is important to note that Eve cannot separate individually Alice’s frames. Only Alice is capable to identify auxiliary frames among reconciliation frames. To the final she only says to Bob what cases must be discarded including $f_9$, $f_{10}$ and some instances of $f_2$, $f_3$, $f_4$ and $f_6$ (see

Table 10. Error correction map for undetected errors. From Table 8 we list all erroneous cases that keep undetected. The bit underlined in the ket notation flips into the the bit underlined in the Sifting String. Some errors are identified using the auxiliary frames $f_9$ and $f_{10}$. If detection of error is not possible the frame must be removed. For this reason frame $f_1$ is ambiguous and must be removed.

Frame	Quantum Pair	Sifting String	Detection Frame	Sifting String	Error-Bit	Correction Code
$f_1$	$\left(|0_X\rangle ,|{\underline{1}}_Z\rangle \right)$	$00,\underline{0}0$	-	-	1st	remove
		$10,\underline{0}1$
	$\left(|{\underline{1}}_X\rangle ,|0_Z\rangle \right)$	$00,0\underline{0}$	-	-	2nd	remove
		$01,1\underline{0}$
$f_2$	$\left(|{\underline{1}}_X\rangle ,|0_Z\rangle \right)$	$10,\underline{0}1$	-	-	1st	remove
		$01,\underline{0}1$
	$\left(|1_X\rangle ,|{\underline{0}}_Z\rangle \right)$	$00,\underline{1}1$	$f_{10}$	01,10	1st	SS${}_{22}$
		$11,\underline{1}1$				SS${}_{23}$
$f_3$	$\left(|0_X\rangle ,|{\underline{1}}_Z\rangle \right)$	$01,\underline{0}1$	-	-	1st	remove
		$10,\underline{0}1$
	$\left(|{\underline{0}}_X\rangle ,|1_Z\rangle \right)$	$11,\underline{1}1$	$f_9$	10,10	1st	SS${}_{32}$
		$00,\underline{1}1$				SS${}_{33}$

and

Table 11. Error correction map for undetected errors (cont). Frame $f_5$ is ambiguous and will be discarded.

Frame	Quantum Pair	Sifting String	Detection Frame	Sifting String	Error-Bit	Correction
$f_4$	$\left(|0_X\rangle ,|{\underline{1}}_Z\rangle \right)$	$01,1\underline{0}$	-	-	2nd	remove
		$10,1\underline{0}$
	$\left(|{\underline{0}}_X\rangle ,|1_Z\rangle \right)$	$11,1\underline{1}$	$f_9$	10,10	2nd	SS${}_{42}$
		$00,1\underline{1}$				SS${}_{43}$
$f_5$	$\left(|{\underline{1}}_X\rangle ,|0_Z\rangle \right)$	$00,\underline{0}0$	-	-	1st	remove
		$01,\underline{0}1$
	$\left(|0_X\rangle ,|{\underline{1}}_Z\rangle \right)$	$00,0\underline{0}$	-	-	2nd	remove
		$10,1\underline{0}$
$f_6$	$\left(|1_X\rangle ,|{\underline{0}}_Z\rangle \right)$	$00,1\underline{1}$	$f_{10}$	01,10	2nd	SS${}_{62}$
		$11,1\underline{1}$				SS${}_{63}$
	$\left(|{\underline{1}}_X\rangle ,|0_Z\rangle \right)$	$10,1\underline{0}$	-	-	2nd	remove
		$01,1\underline{0}$

).

Errors of type II. cannot be detected because, generally speaking (a detailed analysis as type I. can be done), bit 1 flips into bit 0 and it does not produce a visible alteration in the Sifting String, so these cases must be removed. Therefore, effective auxiliary frames are $f_7$, $f_9$ and $f_{10}$. Our analysis shows that frames $f_8$ does not increase the error correction information. Frames $f_{12}$ contain the same rows of $f_8$ but inverted, so they do not increase information. Similarly, $f_9$ contains the rows of $f_{13}$ but inverted and $f_{10}$ the rows of $f_{14}$, so they do not add useful information to correct errors. Finally, frames $f_{11}$ are useless because their qubits are all $|1_X\rangle$ or $|1_Z\rangle$.

6.2. Error-Correction Security Model

Since not all undetected errors in Table 7 can be identified as it is shown in Table 10 and Table 11 we define the error-correction security model as the method capable to achieve error correction completely while it preserves the security property stated from the beginning: frames are only known by Alice while she can deduce Bob’s MRs. The SS in the public channel can be correlated equally to a bit 0 or 1.

Before we define the security model, let us introduce the framing gain (FG) as the ratio between usable frames (4) and the total frames (14), so FG = $\frac{2}{7}$.

–

To distill secret bits, Alice will use only 4 types of frames: $f_2$, $f_3$, $f_4$ and $f_6$ which are represented in

Table 12. We list usable (4) frames, it must be included (4) frames $f_7$, $f_8$, $f_9$ and $f_{10}$ to verify errors by means of the null quantum pairs.

$f_2=$$\left(\begin{array}{cc}|1_X\rangle & |0_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$

$f_3=$$\left(\begin{array}{cc}|0_X\rangle & |1_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{array}\right)$

$f_4=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |0_X\rangle & |1_Z\rangle \end{array}\right)$

$f_6=$$\left(\begin{array}{cc}|1_X\rangle & |1_Z\rangle \\ |1_X\rangle & |0_Z\rangle \end{array}\right)$

. Alice will incorporate 3 auxiliary frames: $f_7$, $f_9$, $f_{10}$.

–

In case of errors, SS are correctable as demonstrated in Table 10 and Table 11. As implied from these tables, half of the SS must be removed. After Alice informs to Bob which cases must be eliminated (those that come from $\mathrm{SS}=(10,01),(01,01),(01,10),(10,10)$), they keep $\frac{1}{7}$ of the total frames, half of the framing gain. Thus, we say that the secret framing gain is $\frac{1}{7}$. In addition, frames $f_7$, $f_9$ and $f_{10}$ must be discarded because they are used to detect errors and they do not add up secret bits.

–

Since each SS comes from two different frames it can be correlated to one secret bit, this property is demonstrated in

Table 13. If an error is detected using $f_9$ or $f_{10}$, then Alice corrects the error according to Table 10 and Table 11. If no error is found Alice uses the secret bits listed here.

SS	MR	Frame	sb	MR	Frame	sb
${\mathrm{SS}}_{21}={\mathrm{SS}}_{31}={\mathrm{SS}}_{41}={\mathrm{SS}}_{61}=00,11$	00	$f_2,f_6$	0	01	$f_3,f_4$	1
${\mathrm{SS}}_{24}={\mathrm{SS}}_{34}={\mathrm{SS}}_{44}={\mathrm{SS}}_{64}=11,11$	11	$f_3,f_6$	0	10	$f_2,f_4$	1
${\mathrm{SS}}_{42}={\mathrm{SS}}_{62}=01,10$	01	$f_6$	0	11	$f_4$	1
${\mathrm{SS}}_{22}={\mathrm{SS}}_{32}=01,01$	10	$f_3$	0	01	$f_2$	1
${\mathrm{SS}}_{23}={\mathrm{SS}}_{33}=10,01$	00	$f_3$	0	11	$f_2$	1
${\mathrm{SS}}_{43}={\mathrm{SS}}_{63}=10,10$	00	$f_4$	0	10	$f_6$	1

.

7. Privacy Pre-Amplification

If Bob informs Alice the positions of N double matching detection events she can pair the qubit pairs into all possible useful frames. Thus, she can generate $\left(\genfrac{}{}{0pt}{}{N}{2}\right)$ frames. Since this procedure enhances the shared information during the reconciliation phase of the distillation process we call it privacy pre-amplification. Normally, amplification occurs as a separated stage after sifting and reconciliation have been performed.

Since $\left(\genfrac{}{}{0pt}{}{N}{2}\right)=\frac{N(N-1)}{2}$, it implies that the shared information from the double matching detection events grows quadratically with N, the number of double detection events.

In the next section we will derive the secret key rate but before, let us introduce some important properties of the frame-based reconciliation protocol:

Throughput. The throughput of the framed reconciliation can be computed as $\left(\genfrac{}{}{0pt}{}{N}{2}\right)=\frac{N(N-1)}{2}$. The throughput of the protocol varies quadratically $O\left(N^2\right)$ with the number of the double matching detection events N.

Effective Throughput Speed. As discussed in the previous section, the secret framing gain is $\frac{1}{7}$, so the number of secret bits will be $\frac{1}{7}\left(\genfrac{}{}{0pt}{}{N}{2}\right)=\frac{1}{14}N(N-1)\sim N^2$. A running example of the framed reconciliation is shown in Appendix A. If $N=1000$, the number of secret bits is around 10${}^5$. Since the errors can be removed in no more than tens of milliseconds, the throughput speed achieves 10${}^6$ bps. Such speed can be further enhanced applying a bigger N and using more computational resources as shown in

Table 14. Simulation of the protocol when have been registered 1000 double matching detection events. Tests were performed in an Intel Core i7-8750H 2.2 GHz, 12GB RAM.

QBER	Time (ms)	Secret Bits	Throughput (Kbps)
$5\%$	54.0146	59,873.7	1108.90435
$10\%$	57.6022	58,911.2	1025.13229
$15\%$	54.0614	52,630.1	972.532054
$20\%$	55.6709	48,830.9	877.799205
$25\%$	60.9381	46,706.4	773.520113
$30\%$	78.4297	40,960.0	522.251137

(see also Figure 7).

Efficiency. The minimum number of required bits to reconcile the shared frames is $2(n^2-n)$ bits (because there are four publicly revealed bits per frame), but also the total number of revealed bits is $2(n^2-n)$, so the efficiency of the protocol achieves unity.

Round Trips. Although this protocol is an interactive reconciliation protocol, it only requires four rounds to be completed. Just a single transmission (from Alice to Bob) is needed for correction bits (the indices of events that must removed and those of the erroneous detection events). No redundant information is required. Other protocols require tens of parity check passes [21]. No extra permutation or interleaving is required to achieve reconciliation.

Qber. As we will show in the security analysis section, the protocol remains secure although the eavesdropper could be equipped with unlimited quantum memory and multiple copies of Bob’s quantum states. It is known that the Photon Number Splitting attack (PNS) can be detected when the QBER of the channel is beyond $25\%$ due to Eve’s erroneous basis selection. By contrast, the security of the framed reconciliation method is invariant despite the number of copies that Eve obtains from the quantum channel therefore immune to the PNS attack. In this case, no estimation of the QBER from the quantum channel is needed. Remarkably, we do not see any limit in the QBER of the channel because a single auxiliary null quantum pair is enough to detect all the errors. Remember that each double detection event is combined with each other.

Since the gain of frames $f_7$ is $\frac{1}{14}$ there are $\frac{1}{14}\left(\genfrac{}{}{0pt}{}{N}{2}\right)$ frames of this type. To detect errors it must be at least one (error free) frame $f_7$, thus we have $\frac{1}{14}\left(\genfrac{}{}{0pt}{}{N}{2}\right)(1-e)\ge 1$ where e is the error rate of the quantum channel. From here, we derived $e\le 1-\frac{14}{\left(\genfrac{}{}{0pt}{}{N}{2}\right)}$. Suppose $N=10$, then errors can be detected if $e\le 0.68$.

8. The Intercept and Resend (IR) Attack

In the Intercept and Resend (IR) attack, Eve firstly measures each pair of non-orthogonal quantum pulses in the quantum channel, then she sends another pair of quantum pulses to Bob prepared according to the same quantum states. Let us explain the IR attack over the framing protocol using the following example:

–

Alice sends to Bob the pair $(|0_X\rangle ,|0_Z\rangle )$ over the quantum channel. Eve measures them and let us assume she obtains a double matching detection event say $(|0_Z\rangle ,|0_Z\rangle )$.

–

Eve prepares and sends to Bob the quantum pair $(|0_Z\rangle ,|0_Z\rangle )$.

–

Suppose Eve makes sure that both quantum pulses arrive to Bob’s optical station. There are five possible outcomes: $\left\{\right(|0_Z\rangle ,|0_Z\rangle ),(|0_X\rangle ,|0_X\rangle ),(|1_X\rangle ,|1_X\rangle ),(|1_X\rangle ,|0_X\rangle ),(|0_X\rangle ,|1_X\rangle \left)\right\}$. Since only one case matches Eve’s double detection event, the probability to get the same result is $\frac{1}{5}$ (the same probability is present when Eve obtains $(|0_Z\rangle ,|1_Z\rangle )$ and she resends those states to Bob).

As a consequence, Eve’s chance to impose her measurement results to Bob is $\frac{1}{5}$. However, Bob can still recover the correct measurement sent by Alice with 0.2 probability. In the example above, the correct outcome corresponds to $(|0_Z\rangle ,|0_Z\rangle )$. Unfortunately for Eve she cannot distinguish (from the public discussion) if Bob got $(|0_Z\rangle ,|0_Z\rangle )$ or $(|0_X\rangle ,|0_X\rangle )$, thus she is forced to guess this outcome. Moreover, the double detection event $(|0_Z\rangle ,|0_Z\rangle )$ is combined with Bob’s remaining double detection events thus Eve’s information reduces even more.

Let us discuss the numerical rates. Suppose we have N double detection events, $0.2N$ are captured by Eve. Half of the rest, that is $0.4N$, can be processed by Alice and Bob (the other half corresponds to useless double non-matching detection events). Thus, we have $I_{ab}=\frac{1}{7}\left(\genfrac{}{}{0pt}{}{0.6N}{2}\right)=0.025N^2-0.028N$ while $I_{ae}=\frac{1}{7}\left(\genfrac{}{}{0pt}{}{0.4N}{2}\right)=0.011N^2-0.042N$ where $\frac{1}{7}$ is the secret framing gain. The secret throughput speed $\mathsf{\Delta }I=I_{ab}-I_{ae}$ is written in Equation (3).

$$\mathsf{\Delta }I=0.0142N^2+0.0142N$$

(3)

As can be seen in Equation (3), the shared secret information $\mathsf{\Delta }I$ does not depend on the distance between the two remote stations because Eve has no control on Bob’s double matching detection event. This idealized situation could be altered if Eve mounts an Intercept and Resend attack with Faked States (IRFS) where Eve forces the measurement results on Bob’s detectors. In the IRFS attack, Eve remains undetected provided she adjusts the gains of single and double detection events simultaneously, as indicated by Equations (4) and (5) and discussed in [14].

$$2(e^{-\mu {\eta }_{BT}}-Y_0)(Y_0+1-e^{-\mu {\eta }_{BT}})=(e^{-\mu {\eta }_{ET}}-Y_0)(Y_0+1-e^{-\mu {\eta }_{ET}})$$

(4)

$${(Y_0+1-e^{-\mu {\eta }_{BT}})}^2=\frac{1}{2}{(Y_0+1-e^{-\mu {\eta }_{ET}})}^2$$

(5)

where $\mu$ is the expected photon number of the source and $Y_0$ is the background noise. Here, ${\eta }_{BT}$ and ${\eta }_{ET}$ are the overall efficiency of Bob and Eve, respectively. Solving the system for ${\eta }_{ET}$, we obtain $\frac{ln{Y}_0}{-\mu }$ and $\frac{ln(1+Y_0)}{-\mu }$, which cannot satisfied in practice [14].

Returning to the IR attack, the error rate introduced by Eve is $\frac{1}{5}$. In BB84 and most QKD protocols, the attacker hides as noise in the quantum channel (assuming she implements a quantum channel substitution). Typically, the next step would be computing the distance allowed by the error rate caused by the eavesdropper. In our case, the IR attack cannot be completed successfully by Eve because she has no control over the double detection events produced at Bob’s station.

9. The Photon Number Splitting Attack

Suppose Eve has a copy of all the quantum states that arrives to Bob’s station because Alice sends attenuated (multi-photon) quantum pulses and Eve is equipped with a sufficiently large quantum memory. Since the sifting process does not reveal Bob’s bases choices, the following factors affects unfavorably to Eve:

–

$\frac{1}{2}$ because of the probability to get a double matching detection event.

–

$\frac{1}{2}$ due to basis matching. Eve must measure choosing between two different measurement basis (X or Z).

Therefore, the total matching ratio for Eve is $\frac{1}{4}$ and $\frac{1}{2}$ for Bob (see Figure 8). Assuming Bob’s station registers N double matching detection events, then we have $I_{ab}=0.5N$ and $I_{ae}=0.25N$, thus $\mathsf{\Delta }I=0.25N$. Since $\mathsf{\Delta }I>0$, the shared information between Alice and Bob remains secret.

Secret Throughput Speed. Let us represent the shared information between Alice and Bob after they executed privacy pre-amplification as $I_{ab}=\frac{1}{7}\left(\genfrac{}{}{0pt}{}{N}{2}\right)=0.0714N^2-0.0714N$ where N is the number of double matching detection events. As discussed previously, Eve can obtain $25\%$ of the shared secret information, so Eve can distill $I_{ae}=\frac{1}{7}\left(\genfrac{}{}{0pt}{}{\frac{N}{4}}{2}\right)=0.0044N^2-0.01785N$, now we can derive the secret throughput speed $\mathsf{\Delta }I=I_{ab}-I_{ae}$ as indicated by Equation (6).

$$\mathsf{\Delta }I=0.0669N^2-0.0535N$$

(6)

9.1. Quantum Measurement Bases Choice Attack

Eve would decide to apply other quantum measurement bases to gain more information, then she uses the measurement bases $X+Z$ or $X-Z$ as depicted at right in Figure 9. Assuming Bob has registered a double matching detection event and Eve has a copy of those states sent by Alice, she can capture that information with 0.28125 probability. To see that, first consider that Eve chooses between the measurement bases ($X+Z$ or $X-Z$) with 0.5 probability. Then, as shown in Figure 9 non-matching detection events are ambiguous for Eve, which occur with 0.375 probability. By contrast, she gets a double matching event with 0.5625 probability. As a result, the chance to get Bob’s information is 0.28125.

Secret Throughput Speed

We know that the information shared between Alice and Bob is $I_{ab}=\frac{1}{7}\left(\genfrac{}{}{0pt}{}{N}{2}\right)=0.0714N^2-0.0714N$. If we consider the optimal quantum measurement case as discussed previously, Eve can extract $\frac{9}{32}$ of double matching events represented as N, so $I_{ae}=\frac{1}{14}\left(\genfrac{}{}{0pt}{}{\frac{9N}{32}}{2}\right)=0.0056N^2-0.0200N$. Therefore, we can compute the secret throughput speed $\mathsf{\Delta }I$ as written in Equation (7).

$$\mathsf{\Delta }I=0.0657N^2-0.0513N$$

(7)

In view of the above results, we deduced that IR and PNS attacks cannot be successfully implemented over the framing protocol. Moreover, it might be feasible to evaluate the use of less attenuated quantum pulses between the two remote stations. From here, our approach could be used in continuous quantum variable (CV) QKD because it does not require multiple matching detection events.

Other attacks are still under analysis and will be presented in a future work. In individual attacks the photons sent by Alice are intercepted and measured by Eve independently. IR attack is a case of an individual attack. Eve can entangle each qubit over the quantum channel with an auxiliary quantum state and then she measured them individually. In collective attacks, Eve prepares auxiliary independent states which then interact with the qubits individually but they are measured collectively. Furthermore, in coherent attacks, Eve performs a joint measurement on the auxiliaries after Alice and Bob have concluded their public discussion [23,24].

As a final comment, individual attacks are more realistic than coherent attacks and a complete theory of coherent attacks is not yet available. Moreover, it has been argued that coherent attacks are no more efficient than individual attacks [25,26].

10. Conclusions

We have introduced a new method for QKD distillation. The framed reconciliation approach integrates the sifting, reconciliation and amplification stages in a unique process. The method can be implemented as a software level over the usual optical equipment of a BB84 system.

The protocol produces at least theoretically fast secret bits, convergence of the method is guaranteed, the method works under any QBER in the channel while the key is distilled secretly. So far functionality of the method has been demonstrated computationally. The key grows quadratically in the number of the double detection events. The method does not require additional bits to estimate channel’s parameters. Since Eve has no control on Bob’s double matching detection events, our analysis indicates that the protocol is not vulnerable to the IR attack neither the PNS attack. We leave for future work other attacks as the Intercept and Resend with Faked States (IRFS). This approach opens the possibility to use less attenuated quantum pulses in the context of continuous variable (CV) QKD.