# QKD parameter estimation by two-universal hashing leads to faster convergence to the asymptotic rate

This paper proposes and proves security of a QKD protocol which uses two-universal hashing instead of random sampling to estimate the number of bit flip and phase flip errors. For this protocol, the difference between asymptotic and finite key rate decreases with the number n of qubits as cn^-1, where c depends on the security parameter. For comparison, the same difference decreases no faster than c'n^-1/3 for an optimized protocol that uses random sampling and has the same asymptotic rate, where c' depends on the security parameter and the error rate.

## 1 Introduction

Quantum Key Distribution allows two users, Alice and Bob, to agree on a shared secret key using an authenticated classical channel and a completely insecure quantum channel. There are information theoretic security proofs for QKD protocols (for example [15, 14, 1, 18] among many others). Quantum key distribution has also been realized experimentally and is commercially available. The rare combination of information theoretic security and practical achievability has attracted considerable attention to QKD.

An important parameter for a QKD protocol and security proof is the key rate: the number of final secret key bits produced divided by the number of qubits used in the quantum phase of the protocol. Previous works consider the key rate in two regimes: asymptotic and finite. The asymptotic key rate is the limit of the key rate as the number of qubits goes to infinity, while the finite key rate is given as a formula that is valid for all, or almost all, positive integer numbers of qubits. The finite key rate is less than the asymptotic rate; therefore, the faster the convergence, the better.

As an example, consider [18], which gives a QKD protocol and security proof optimized for the finite key regime. In [18, Section Discussion], the authors argue that for an instance of their protocol that can tolerate error rate , the asymptotic key rate is , where is the binary Shannon entropy. For the finite key rate, the authors give a fairly complex formula that has to be maximized over the choice of parameters, subject to the fairly complex constraint that the protocol does not needlessly abort in the absence of the adversary. Other than the general argument for convergence to , [18] gives only numerical results, so the speed of convergence remains unclear. However, the present paper shows that the difference between asymptotic and finite key rate for the protocols of [18] is at least , where is a constant that depends on the error rate and security parameter and is the number of qubits for which Alice and Bob choose the same basis.

The phenomenon that the key rate of a QKD protocol deteriorates significantly for small block sizes has been called finite size effect [11, Sections II-C and IX]. This effect holds not just for the example protocol [18], but for all QKD protocols known so far. In fact, in [18], the authors express a belief that the finite size effect is due to unavoidable statistical fluctuations in the parameter estimation step, and argue that their protocol is essentially optimal in the finite key regime.

The present paper proposes a QKD protocol whose key rate converges to the asymptotic rate much faster than previous QKD protocols. Specifically, this is an entanglement based QKD protocol where Alice and Bob each use qubits, can tolerate any bit flip errors and any phase flip errors, and at the end extract secret key bits that are close to an ideal secret key in the sense of the Abstract Cryptography framework for composable security. For fixed error rate and fixed security parameter , the asymptotic rate of this protocol is , and the deviation of the finite from the asymptotic rate is between and .

The main novelty in the QKD protocol proposed here is that it uses two-universal hashing instead of random sampling to estimate the number and position of both bit flip and phase flip errors. By avoiding random sampling altogether, the protocol also avoids statistical fluctuations.

The present paper builds on a number of previous ideas. The idea that two-universal hashing can be used to estimate the number of errors is partially present in the protocol of [18]. This protocol estimates the number of errors in one of the measurement bases by random sampling, while for the other basis there is a two-universal hash in the information reconciliation phase that is used to ensure correctness. This builds on an earlier observation [2, Theorem 6], [14, Section 6.3.2] that two-universal hash functions can be used to achieve information reconciliation with minimum leakage.

A combination of several ideas leads to the extension of the use of two-universal hashing from information reconciliation to a full QKD protocol. Specifically, these ideas are: random matrices over the field with two elements are a two-universal hash family [5], and they are also parity check matrices of classical linear error-correcting codes. Classical linear codes can be used to construct quantum CSS codes [4, 16], and CSS codes can be used to design and prove security of QKD protocols [15]. The present paper also uses a number of technical lemmas related to the stabilizer formalism [6, 3].

Finally, [1] translates the guarantees of classical random sampling to the quantum case. This served as inspiration for the present paper, which translates the guarantees of classical two-universal hashing to the quantum case.

The rest of this paper is structured as follows: Section 2 revisits the use of two-universal hashing to obtain an optimal information reconciliation protocol and gives a number of useful lemmas about random matrices over the field with two elements. Section 3 presents the two-universal hashing QKD protocol and shows that the transformation applied by the protocol is close to an ideal transformation. Section 4 uses this result to establish the security of the protocol in the Abstract Cryptography framework for composable security. Section 5 compares the key rate of the present protocol to the key rate of the protocol in [18], and proves the lower bound on the difference between finite and asymptotic rate for the protocol [18]. Section 6 concludes and gives some open problems.

## 2 Approximately computing certain functions from only a two-universal hash of the input

Let denote the field with two elements and the -dimensional vector space over this field. Take any subset . Consider the function given by

$$f_S(\alpha)=\begin{cases}\alpha & \text{if } \alpha\in S\\ \bot & \text{otherwise}\end{cases}$$

If specifies errors, then computes whether belongs to a set of acceptable errors; if so, it outputs the entire string , and otherwise it outputs an error message. It is very convenient to have functions of this form when constructing QKD protocols and security proofs.

It turns out that it is possible to approximately compute given only a two-universal hash of the input. Recall [5, 19]:

###### Definition 1.

A family of functions from finite set to finite set is two-universal with collision probability at most if for all ,

$$\Pr_{h\leftarrow H}\big(h(x)=h(x')\big)\le\epsilon$$

where the probability is taken over chosen uniformly from . If no explicit value is specified for the collision probability bound, then the default value is taken.

Now, let be a two-universal family from to some finite set with collision probability bound . Let . Consider the function given by the deterministic algorithm:

1. On input ,

2. For , if , output and stop.

3. Output .

Then:

###### Theorem 1.

For all , for all , for all two-universal families with collision probability bound , for all subsets , for all ,

$$\Pr_{h\leftarrow H}\big(f_S(\alpha)\ne g_S(h,h(\alpha))\big)\le\epsilon|S|$$

###### Proof.

The event

$$f_S(\alpha)\ne g_S(h,h(\alpha))$$

implies the event

$$\exists s\in S\setminus\{\alpha\}:\ h(s)=h(\alpha)$$

The union bound and Definition 1 give

$$\Pr_{h\leftarrow H}\big(f_S(\alpha)\ne g_S(h,h(\alpha))\big)\le\epsilon|S|$$

The remainder of this section specializes Theorem 1 to the case that the family is a family of matrices over , and the set is a Hamming Ball.

First, consider the following useful lemmas about random matrices over the field with two elements. Let denote the space of by matrices over .

Recall a property of random linear functions that was observed in [5]:

###### Lemma 1.

Let be uniformly random in , and take any fixed . Then, .

###### Proof.

Take such that . Then, , where is the -th column of and where are formed from by omitting the -th column and -th entry respectively. Now, is uniform over and independent from , so is also uniform over . ∎

Thus, for all , , so random linear functions are two-universal.

Later on, it will be more convenient to select matrices not from all of , but from the subset consisting of those matrices of rank . This subset also satisfies the two-universal condition, as the following two lemmas show.

###### Lemma 2.

For all integers , the number of rank matrices in is

###### Proof.

Given linearly independent rows, there are ways to choose the -th row outside their span. ∎

###### Lemma 3.

Take , let be a uniformly random rank matrix in and take any . Then

###### Proof.

Take invertible such that . Then . Now, find the probability that the first column of is zero. Note that is also uniformly distributed over the rank matrices in , so the probability that its first column is zero is the number of rank matrices in divided by the number of rank matrices in . Lemma 2 implies:

$$\Pr(LM^{-1}Mx=0)=\frac{\prod_{i=1}^{k}\big(2^{n-1}-2^{i-1}\big)}{\prod_{i=1}^{k}\big(2^{n}-2^{i-1}\big)}=\frac{2^{n-k}-1}{2^{n}-1}<2^{-k}$$

completing the proof of Lemma 3. ∎

Interestingly, the collision probability bound achieved by the full rank matrices is the lowest possible for a two-universal family . This follows from a slight strengthening of [5, Proposition 1]:

###### Lemma 4.

For every family (not necessarily two-universal) of functions from finite set to finite set , there exist such that

$$\Pr_{h\leftarrow H}\big(h(x)=h(x')\big)\ge\frac{|X||Y|^{-1}-1}{|X|-1}$$

###### Proof.

Follow the same proof as [5] until the point they apply the pigeonhole principle. At that point, observe that the number of non-zero terms in the sum is not only less than , as they say there, but is in fact at most .

In more detail, for , define

$$\delta_h(x,x')=\begin{cases}1 & \text{if } x\ne x'\wedge h(x)=h(x')\\ 0 & \text{otherwise}\end{cases}$$

For every partition then observe that

$$\sum_{x,x'\in X}\delta_h(x,x')=\sum_{y\in Y}|h^{-1}(y)|\big(|h^{-1}(y)|-1\big)\ge\frac{|X|^2}{|Y|}-|X|$$

by the quadratic mean-arithmetic mean inequality. Now, sum over :

$$\sum_{h\in H}\sum_{x,x'\in X}\delta_h(x,x')=\sum_{x,x'\in X}\sum_{h\in H}\delta_h(x,x')\ge|H|\left(\frac{|X|^2}{|Y|}-|X|\right)$$

Now, is non-zero only when . Then, there exist such that

$$\sum_{h\in H}\delta_h(x,x')\ge|H|\,\frac{|X||Y|^{-1}-1}{|X|-1}$$

Later results will also use the fact that a row submatrix of a random invertible matrix has the uniform distribution over full rank matrices:

###### Lemma 5.

Take any integers , and any of size . Let be uniformly distributed over invertible matrices in . Let denote the matrix formed by rows of with indices in . Then, is uniformly distributed over full rank matrices in .

###### Proof.

Pick any fixed full rank . Compute as the number of ways to choose the remaining rows of , which is divided by the number of invertible matrices in , which is . Thus,

$$\Pr(L_S=\Lambda)=\frac{\prod_{i=1}^{n-k}\big(2^{n}-2^{k+i-1}\big)}{\prod_{i=1}^{n}\big(2^{n}-2^{i-1}\big)}=\frac{1}{\prod_{i=1}^{k}\big(2^{n}-2^{i-1}\big)}$$

Thus, is uniform over the full rank matrices in . ∎

Applying Theorem 1 when the set is a Hamming ball requires a bound on the size of Hamming balls. For , let denote the Hamming distance between them. Let denote the Hamming ball of radius around . Then:

###### Lemma 6.

For all such that , for all ,

###### Proof.

$$|B_n(x,r)|\,2^{-nh(r/n)}=\sum_{i=0}^{r}\binom{n}{i}\left(\frac{r}{n}\right)^{r}\left(\frac{n-r}{n}\right)^{n-r}\le\sum_{i=0}^{r}\binom{n}{i}\left(\frac{r}{n}\right)^{i}\left(\frac{n-r}{n}\right)^{n-i}$$

From Theorem 1, Lemma 3 and Lemma 6 deduce:

###### Corollary 1.

For all with and , for all ,

$$\Pr_{L}\Big(f_{B_n(0,r)}(\alpha)\ne g_{B_n(0,r)}(L,L\alpha)\Big)<2^{-k+nh(r/n)}$$

where is chosen uniformly from the full rank matrices in .
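As an added example (not code from the paper), the following Python instantiates the algorithm of Theorem 1 with the hash family of Lemma 3, uniformly random full-rank k x n matrices over F_2, and with S the Hamming ball B_n(0, r), and compares an empirical failure rate for a fixed error pattern against the Theorem 1 and Corollary 1 bounds. The function names, the int-as-bit-vector encoding and the rejection-sampling matrix generator are my choices.

```python
import itertools
import math
import random

# Added example, not from the paper: Theorem 1's algorithm g_S instantiated with the
# hash family of Section 2, h(alpha) = L alpha over F_2 for a full-rank k x n matrix L,
# and S = B_n(0, r), the Hamming ball of radius r around 0.  Vectors are Python ints
# (bit j = coordinate j); a matrix is a list of k row ints.

def rank_f2(rows, n):
    """Rank over F_2 of a list of n-bit row vectors, by Gaussian elimination."""
    rows, rank = list(rows), 0
    for bit in range(n):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def random_full_rank_matrix(k, n, rng):
    """Uniform over rank-k matrices in F_2^{k x n} by rejection sampling (Lemma 3's family)."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(k)]
        if rank_f2(rows, n) == k:
            return rows

def hash_f2(rows, alpha):
    """h(alpha) = L alpha: bit i of the syndrome is the parity of <row_i, alpha>."""
    return sum((bin(row & alpha).count("1") & 1) << i for i, row in enumerate(rows))

def hamming_ball(n, r):
    """B_n(0, r): every n-bit vector of weight <= r, in one fixed enumeration order."""
    return [sum(1 << p for p in pos)
            for w in range(r + 1) for pos in itertools.combinations(range(n), w)]

def f_S(alpha, S):
    """The target function: alpha itself if alpha is in S, else bottom (None)."""
    return alpha if alpha in S else None

def g_S(rows, y, S):
    """Theorem 1's algorithm: on input (h, y) return the first s in S with h(s) = y, else bottom."""
    for s in S:
        if hash_f2(rows, s) == y:
            return s
    return None

def theorem1_bound(k, size_S):
    """Theorem 1 with Lemma 3's collision bound epsilon < 2^{-k}: failure probability <= 2^{-k} |S|."""
    return size_S * 2.0 ** (-k)

def corollary1_bound(n, k, r):
    """Corollary 1: 2^{-k + n h(r/n)}, h the binary entropy (Lemma 6 bounds |B_n(0, r)|)."""
    p = r / n
    return 2.0 ** (-k + n * (-p * math.log2(p) - (1 - p) * math.log2(1 - p)))

def estimate_failure(n, k, r, alpha, trials, seed=0):
    """Empirical Pr_L(f_S(alpha) != g_S(L, L alpha)) over random full-rank L (constructed experiment)."""
    rng, S, fails = random.Random(seed), hamming_ball(n, r), 0
    for _ in range(trials):
        L = random_full_rank_matrix(k, n, rng)
        fails += g_S(L, hash_f2(L, alpha), S) != f_S(alpha, S)
    return fails / trials

if __name__ == "__main__":
    n, k, r = 12, 8, 1
    print("empirical failure rate:", estimate_failure(n, k, r, alpha=1, trials=300))
    print("Theorem 1 bound:", theorem1_bound(k, len(hamming_ball(n, r))))
    print("Corollary 1 bound:", corollary1_bound(n, k, r))
```

The failure event is exactly a syndrome collision inside the ball, so with the fixed enumeration order g_S returns the lowest-weight pattern with the observed syndrome.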

## 3 The two-universal hashing QKD protocol and its security

Consider the following family of entanglement-based QKD protocols, parameterized by . The interpretation of the parameters is the following: is the number of qubits that each of Alice and Bob receive, is the size of each of their syndrome measurements and is the size of their output secret key, and is the maximum number of bit flip or phase flip errors on which the protocol does not abort. The protocols output a secret key with security guarantees when .

It will be clear throughout that the size of the two syndrome measurements can vary independently, and so can the maximum number of tolerated bit flip and phase flip errors, but that would lead to overly complex notation, with five parameters , so it is not pursued explicitly below.

1. Alice and Bob each receive an qubit state from Eve, and they inform each other that the states have been received.

2. Alice and Bob publicly choose a random invertible . Let be the matrices formed by the first rows, the second rows, and the last rows of . Let , and let be the matrices formed by the first , second , and last rows of . , are the parity check matrices of a CSS code. contain information about the logical and operators on the codespace.

3. Alice applies the isometry and Bob applies the isometry . This can be done by preparing ancilla qubits in state and applying a CNOT gate for each entry that equals 1.

4. Alice and Bob measure all qubits in registers in the basis, obtaining outcomes . Alice and Bob measure all qubits in registers in the computational basis, obtaining outcomes .

5. Alice and Bob compute , , , .

6. Alice and Bob discard registers .

7. Alice and Bob discard , keeping only . Thus, in effect, Alice and Bob erase . Note that the post measurement states in registers , as well as have to be discarded in such a way that Eve cannot get them.

8. Alice and Bob announce . Alice and Bob compute and .

9. If both of these are not , then Alice takes to be the output secret key, and Bob takes to be the output secret key.

As is usual in the literature on QKD, the protocol assumes that classical communication takes place over an authenticated channel. Unconditionally secure message authentication with composable security in the Abstract Cryptography framework can be obtained from a short secret key [12], or using an advantage in channel noise [10].

If it is desired that the classical communication is minimized, then the following exchange of messages suffices: Bob confirms to Alice that he has received the qubits, Alice sends to Bob , Bob informs Alice whether both of are not . However, the initial formulation above better emphasizes the symmetry of the protocol, and makes clear that it is not important to keep the values secret.

Now, consider the security of this protocol. The following notation is needed to state the main result. Denote the Pauli matrices by

$$\sigma_1=\begin{pmatrix}0&1\\1&0\end{pmatrix},\qquad \sigma_2=\begin{pmatrix}0&-i\\ i&0\end{pmatrix},\qquad \sigma_3=\begin{pmatrix}1&0\\0&-1\end{pmatrix}$$

For a row vector , denote

$$\sigma_1^{u}=\sigma_1^{u_1}\otimes\cdots\otimes\sigma_1^{u_n},\qquad \sigma_3^{u}=\sigma_3^{u_1}\otimes\cdots\otimes\sigma_3^{u_n}$$

The maximally entangled state in is

$$|\psi\rangle=2^{-n/2}\sum_{z\in\mathbb{F}_2^{n}}|zz\rangle$$

The collection

$$|\psi_{\alpha\beta}\rangle=I\otimes\sigma_1^{\alpha^T}\sigma_3^{\beta^T}|\psi\rangle,\qquad \alpha,\beta\in\mathbb{F}_2^{n}$$

is the Bell basis of .

Without loss of generality, assume that Eve prepares a pure tri-partite state and gives to Alice and Bob their parts. Any strategy for Eve that prepares a mixed state can be thought of as an equivalent strategy that prepares a purification of and then ignores register . Any input state can be expanded in terms of the Bell basis for Alice and Bob:

$$|\phi\rangle_{ABE}=\sum_{\alpha,\beta\in\mathbb{F}_2^{n}}|\psi_{\alpha\beta}\rangle_{AB}\otimes|\gamma_{\alpha\beta}\rangle_{E}$$

where are vectors in Eve’s space that satisfy

$$\sum_{\alpha,\beta\in\mathbb{F}_2^{n}}\langle\gamma_{\alpha\beta}|\gamma_{\alpha\beta}\rangle=1$$

The first eight steps of the protocol take as input a quantum state in registers and output a classical probability distribution in registers ; let be the completely positive trace preserving map that captures this transformation. Let

$$\Pi^{\mathrm{accept}}_{ST}=\sum_{\alpha,\beta\in B_n(0,r)}|\alpha,\beta\rangle\langle\alpha,\beta|_{ST}$$

be the projection on the case that both are not and so Alice and Bob accept.

The main result on the security of the QKD protocol demonstrates that the transformation is close to an ideal transformation:

###### Theorem 2.

Take any such that . Then, there exists a completely positive trace preserving map with input registers and output registers such that for all input states

$$|\phi\rangle_{ABE}=\sum_{\alpha,\beta\in\mathbb{F}_2^{n}}|\psi_{\alpha\beta}\rangle_{AB}\otimes|\gamma_{\alpha\beta}\rangle_{E}$$

the following two statements hold:

1. The states and are close in trace distance

2. equals

$$\sum_{\substack{L\in\mathbb{F}_2^{n\times n};\ u_A,v_A\in\mathbb{F}_2^{k};\\ w_A\in\mathbb{F}_2^{n-2k};\ \alpha,\beta\in B_n(0,r)}}|\gamma_{\alpha\beta}\rangle\langle\gamma_{\alpha\beta}|_{E}\otimes p_L|L\rangle\langle L|_{L}\otimes|\alpha,\beta\rangle\langle\alpha,\beta|_{ST}\otimes 2^{-n}|u_A,v_A,w_A\rangle\langle u_A,v_A,w_A|_{U_AV_AW_A}\otimes|u_A+L_1\alpha,\ v_A+M_2\beta,\ w_A+M_3\beta\rangle\langle u_A+L_1\alpha,\ v_A+M_2\beta,\ w_A+M_3\beta|_{U_BV_BW_B}$$

where denotes the probability of choosing matrix .

Section 4 shows that Theorem 2 implies that the protocols are secure in the Abstract Cryptography framework for composable security. For now, focus on proving Theorem 2. The proof uses a number of lemmas related to the stabilizer formalism; these are in subsection 3.1. The proof of Theorem 2 is in subsection 3.2.

### 3.1 The Pauli group and the Bell basis

The Pauli group on qubits is

$$G_n=\big\{\omega\,\sigma_1^{u}\sigma_3^{v}:\ \omega\in\{\pm1,\pm i\},\ u,v\in\mathbb{F}_2^{1\times n}\big\}$$

Matrix multiplication of elements of can be performed in terms of :

$$(\omega\,\sigma_1^{u}\sigma_3^{v})(\omega'\,\sigma_1^{u'}\sigma_3^{v'})=\omega\omega'(-1)^{v\cdot u'}\,\sigma_1^{u+u'}\sigma_3^{v+v'}$$

This also shows that the map given by

$$F(\omega\,\sigma_1^{u}\sigma_3^{v})=(u\ \ v)$$

is a group homomorphism.

Any element of the Pauli group squares to either or ; any two elements of the Pauli group satisfy

$$gg'=(-1)^{F(g)\,S\,F(g')^{T}}\,g'g$$

where is the matrix with block form

$$S=\begin{pmatrix}0&I_n\\ I_n&0\end{pmatrix}$$

Say that a tuple of elements of the Pauli group

$$\vec g=\begin{pmatrix}g_1\\ \vdots\\ g_m\end{pmatrix}$$

is independent if the row vectors are linearly independent. Given such an independent tuple and given any , it is possible to find such that

$$\forall i,\quad g\,g_i=(-1)^{x_i}\,g_i\,g$$

by solving the corresponding linear system of equations over .
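As an added example (not code from the paper), the following Python represents elements of the Pauli group G_n of this subsection as triples (e, u, v) standing for i^e sigma_1^u sigma_3^v, implements the product rule, the homomorphism F and the commutation sign (-1)^{F(g) S F(g')^T} on that representation, and checks all three against explicit matrices for small n. The triple encoding, the function names and the check routine are my choices; sigma_2 is not needed since it is a phase times sigma_1 sigma_3.

```python
import itertools

# Added example, not from the paper: the Pauli group G_n of Section 3.1 represented by
# triples (e, u, v) standing for i^e sigma_1^u sigma_3^v, with u, v n-bit ints (bit q =
# qubit q).  The tuple arithmetic implements the product rule, the homomorphism F and
# the commutation sign (-1)^{F(g) S F(g')^T}; explicit matrices check it for small n.

SIGMA = {  # single-qubit factors sigma_1^a sigma_3^b, indexed by (a, b)
    (0, 0): [[1, 0], [0, 1]],
    (1, 0): [[0, 1], [1, 0]],    # sigma_1
    (0, 1): [[1, 0], [0, -1]],   # sigma_3
    (1, 1): [[0, -1], [1, 0]],   # sigma_1 sigma_3
}

def parity(x):
    return bin(x).count("1") & 1

def mul(g, h):
    """(w s1^u s3^v)(w' s1^u' s3^v') = w w' (-1)^{v.u'} s1^{u+u'} s3^{v+v'}; phases are powers of i."""
    e, u, v = g
    e2, u2, v2 = h
    return ((e + e2 + 2 * parity(v & u2)) % 4, u ^ u2, v ^ v2)

def F(g):
    """The homomorphism F: G_n -> F_2^{1 x 2n}, which drops the phase: (u v)."""
    return (g[1], g[2])

def symplectic(g, h):
    """F(g) S F(h)^T over F_2 with S the block-swap matrix: u.v' + v.u'."""
    return parity(g[1] & h[2]) ^ parity(g[2] & h[1])

def commute_sign(g, h):
    """The sign c with g h = c h g, read off from the two tuple products (+1 or -1)."""
    gh, hg = mul(g, h), mul(h, g)
    return 1 if gh[0] == hg[0] else -1

def squares_to_pm_identity(g):
    """Every Pauli element squares to +I or -I (phase 0 or 2, no sigma factors left)."""
    e, u, v = mul(g, g)
    return u == 0 and v == 0 and e in (0, 2)

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def to_matrix(g, n):
    """Explicit 2^n x 2^n matrix of i^e sigma_1^u sigma_3^v (qubit 0 is the leftmost factor)."""
    e, u, v = g
    M = [[1j ** e]]
    for q in range(n):
        M = kron(M, SIGMA[(u >> q & 1, v >> q & 1)])
    return M

def check_rules(n):
    """For every pair in G_n with phase 1: tuple product == explicit matrix product,
    commutation sign == (-1)^{F(g) S F(h)^T}, and every element squares to +-I."""
    elems = [(0, u, v) for u in range(2 ** n) for v in range(2 ** n)]
    for g, h in itertools.product(elems, repeat=2):
        lhs, rhs = matmul(to_matrix(g, n), to_matrix(h, n)), to_matrix(mul(g, h), n)
        if any(abs(a - b) > 1e-9 for ra, rb in zip(lhs, rhs) for a, b in zip(ra, rb)):
            return False
        if commute_sign(g, h) != (-1) ** symplectic(g, h):
            return False
    return all(squares_to_pm_identity(g) for g in elems)

if __name__ == "__main__":
    print("rules hold on G_1 and G_2:", check_rules(1) and check_rules(2))
```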

A tuple of independent commuting self-adjoint elements of the Pauli group defines a projective measurement on its joint eigenspaces. The measurement outcomes can be indexed by and the corresponding projections are given by

$$P(\vec g,x)=2^{-m}\prod_{j=1}^{m}\big(I+(-1)^{x_j}g_j\big)$$

The projections form a complete set of orthogonal projections. The elements of the Pauli group map these projections to each other under conjugation, as can be seen from Lemma 7 below. Therefore, the projections all have the same rank .

###### Lemma 7.

For all tuples of independent commuting self-adjoint elements of , for all , for all ,

$$P(\vec g,x)\,h=h\,P\big(\vec g,\ x+F(\vec g)\,S\,F(h)^{T}\big)$$

where

$$F(\vec g)=\begin{pmatrix}F(g_1)\\ \vdots\\ F(g_m)\end{pmatrix}$$

is the matrix with rows .

###### Proof.

$$P(\vec g,x)\,h=2^{-m}\Big(\prod_{j=1}^{m}\big(I+(-1)^{x_j}g_j\big)\Big)h=2^{-m}\,h\Big(\prod_{j=1}^{m}\big(I+(-1)^{x_j+F(g_j)SF(h)^{T}}g_j\big)\Big)=h\,P\big(\vec g,\ x+F(\vec g)\,S\,F(h)^{T}\big)$$

Now, take a tuple of independent commuting self-adjoint elements, take and take a full rank matrix . The matrix transforms the tuple to the -tuple

$$L\vec g=L\begin{pmatrix}g_1\\ \vdots\\ g_m\end{pmatrix}=\begin{pmatrix}\prod_{j=1}^{m}g_j^{L_{1j}}\\ \vdots\\ \prod_{j=1}^{m}g_j^{L_{kj}}\end{pmatrix}$$

The tuple also consists of independent commuting self-adjoint elements. The transformation of to satisfies

$$M(L\vec g)=(ML)\vec g$$

for any , , of compatible size. The matrix can be expressed in terms of the matrix :

$$F(L\vec g)=\begin{pmatrix}F\big(\prod_{j=1}^{m}g_j^{L_{1j}}\big)\\ \vdots\\ F\big(\prod_{j=1}^{m}g_j^{L_{kj}}\big)\end{pmatrix}=\begin{pmatrix}\sum_{j=1}^{m}L_{1j}F(g_j)\\ \vdots\\ \sum_{j=1}^{m}L_{kj}F(g_j)\end{pmatrix}=L\,F(\vec g)$$

The measurement projections of can be expressed in terms of the measurement projections of .

###### Lemma 8.

For all , for all tuples of independent commuting self-adjoint elements of , for all full rank , for all ,

$$P(L\vec g,y)=\sum_{x\in\mathbb{F}_2^{m}:\ Lx=y}P(\vec g,x)$$

###### Proof.

Take any , any such that . Then,

$$\Big(\prod_{j=1}^{m}g_j^{L_{ij}}\Big)P(\vec g,x)=\Big(\prod_{j=1}^{m}g_j^{L_{ij}}\Big)\Big(2^{-m}\prod_{j=1}^{m}\big(I+(-1)^{x_j}g_j\big)\Big)=(-1)^{\sum_{j=1}^{m}L_{ij}x_j}P(\vec g,x)=(-1)^{y_i}P(\vec g,x)$$

Then, for any such that , holds. Since is a collection of orthogonal projections of rank and since has rank , the lemma follows. ∎

Next, consider the Bell basis. First, the maximally entangled state has the properties:

###### Lemma 9.

For all matrices , and .

###### Proof.

Follows by expanding in the computational basis. ∎

Pauli group measurements acting on Bell basis states satisfy the following:

###### Lemma 10.

For all tuples of independent self-adjoint commuting elements of such that the associated projections have only real entries when expressed as matrices in the computational basis, for all , for all ,

$$\big(P(\vec g,x)\otimes P(\vec g,y)\big)|\psi_{\alpha\beta}\rangle=\mathbb{1}\Big(x=y+F(\vec g)\,S\begin{pmatrix}\alpha\\ \beta\end{pmatrix}\Big)\,P(\vec g,x)\otimes I\,|\psi_{\alpha\beta}\rangle$$

where for an expression that takes the values true or false, takes the corresponding values 1 or 0.

###### Proof.

Follows from Lemma 7 and the relation

The QKD security proof also uses the following lemma. It gives two equivalent expressions for the projection on the subspace of that corresponds to a specific pattern of bit flip errors or a specific pattern of phase flip errors.

###### Lemma 11.

For all , for all ,

$$\sum_{\beta'\in\mathbb{F}_2^{n}}|\psi_{\alpha\beta'}\rangle\langle\psi_{\alpha\beta'}|=\sum_{z_A\in\mathbb{F}_2^{n}}|z_A,\,z_A+\alpha\rangle\langle z_A,\,z_A+\alpha|$$

$$\sum_{\alpha'\in\mathbb{F}_2^{n}}|\psi_{\alpha'\beta}\rangle\langle\psi_{\alpha'\beta}|=\sum_{x_A\in\mathbb{F}_2^{n}}H^{\otimes 2n}|x_A,\,x_A+\beta\rangle\langle x_A,\,x_A+\beta|H^{\otimes 2n}$$

###### Proof.

Let denote the standard basis of . For and , let denote the tuple acting on register , and let denote the tuple . Note that for all ,

$$|\alpha\beta\rangle\langle\alpha\beta|_{AB}=P\left(\begin{pmatrix}\vec\sigma_3^{A}\\ \vec\sigma_3^{B}\end{pmatrix},\begin{pmatrix}\alpha\\ \beta\end{pmatrix}\right);\qquad |\psi_{\alpha\beta}\rangle\langle\psi_{\alpha\beta}|=P\left(\begin{pmatrix}\vec\sigma_3^{AB}\\ \vec\sigma_1^{AB}\end{pmatrix},\begin{pmatrix}\alpha\\ \beta\end{pmatrix}\right)$$

The first relation of Lemma 11 now follows from

and Lemma 8. The second relation follows similarly. ∎

### 3.2 Proof of Theorem 2

The main idea of the proof of Theorem 2 is that the real values and computed during the protocol can be replaced by the corresponding ideal values . From now on, use shorthand notation and skip the subscript , thus writing for and for .

The steps of the proof of Theorem 2 are the propositions below. Start by writing the action of the protocol as an isometry followed by a partial trace.

###### Proposition 1.

For all input states to the protocol, the output state of the classical registers and the quantum register of Eve equals

$$\mathrm{Tr}_{ABL'S'T'U'_AU'_BV'_AV'_BW'_AW'_B}\;W\,V_{\mathrm{real}}\,U_{\mathrm{real}}\big(|\phi\rangle\langle\phi|\otimes|L\rangle\langle L|\big)U_{\mathrm{real}}^{\dagger}\,V_{\mathrm{real}}^{\dagger}\,W^{\dagger}$$

where

$$|L\rangle=\sum_{L}\sqrt{p_L}\,|LL\rangle_{LL'}$$

is a purification of the choice of random matrix , where

$$U_{\mathrm{real}}=\sum_{L,z_A,z_B}|L\rangle\langle L|_{L}\otimes|z_Az_B\rangle\langle z_Az_B|_{AB}\otimes\big|L_1z_A,\,L_1z_A,\,L_1z_B,\,L_1z_B,\,g\big(L_1,L_1(z_A+z_B)\big),\,g\big(L_1,L_1(z_A+z_B)\big)\big\rangle_{U_AU'_AU_BU'_BSS'}$$

is an isometry that captures the measurement through which Alice and Bob obtain the values and as well as the subsequent computation of the value , where

$$V_{\mathrm{real}}=\sum_{L,x_A,x_B}|L\rangle\langle L|_{L}\otimes\big(H^{\otimes 2n}|x_Ax_B\rangle\langle x_Ax_B|H^{\otimes 2n}\big)_{AB}\otimes\big|M_2x_A,\,M_2x_A,\,M_2x_B,\,M_2x_B,\,g\big(M_2,M_2(x_A+x_B)\big),\,g\big(M_2,M_2(x_A+x_B)\big)\big\rangle_{V_AV'_A}$$