Practical post-processing for quantum-key-distribution experiments
ABSTRACT Quantum key distribution (QKD) promises unconditionally secure key generation
between two distant parties by wisely exploiting properties of quantum
mechanics. In QKD, experimental measurements on quantum states are transformed
to a secret key and this has to be done in accordance with a security proof.
Unfortunately, many theoretical proofs are not readily implementable in
experiments and do not consider all practical issues. Therefore, in order to
bridge this "practical gap", we integrate a few existing theoretical results
together with new developments, in effect producing a simple and complete
recipe for classical post-processing that one can follow to derive a secret key
from the measurement outcomes in an actual QKD experiment. This integration is
non-trivial and our consideration is both practical and comprehensive in the
sense that we take into account the finiteness of the key length and consider
the effects on security of several essential primitives (including
authentication, error handling, and privacy amplification). Furthermore, we
quantify the security of the final secret key that is universally composable.
We show that the finite-size effect mainly comes from phase error estimation.
Our result is applicable to the BB84 protocol with a single or entangled photon
arXiv:0904.1994v1 [quant-ph] 13 Apr 2009
Practical post-processing for quantum-key-distribution
Xiongfeng Ma,1, ∗Chi-Hang Fred Fung,2Jean-Christian Boileau,3and H. F. Chau2
1Institute for Quantum Computing and Department of Physics and Astronomy,
University of Waterloo, 200 University Ave W., Waterloo, ON, Canada N2L 3G1
2Department of Physics and Center of Theoretical and Computational Physics,
University of Hong Kong, Pokfulam Road, Hong Kong
3Center for Quantum Information and Quantum Control,
Department of Electrical & Computer Engineering and Department of Physics,
University of Toronto, Toronto, Ontario, Canada, M5S 1A7
Quantum key distribution (QKD) promises unconditionally secure key generation between two
distant parties by wisely exploiting properties of quantum mechanics. In QKD, experimental mea-
surements on quantum states are transformed to a secret key and this has to be done in accordance
with a security proof. Unfortunately, many theoretical proofs are not readily implementable in ex-
periments and do not consider all practical issues. Therefore, in order to bridge this “practical
gap”, we integrate a few existing theoretical results together with new developments, in effect
producing a simple and complete recipe for classical post-processing that one can follow to derive
a secret key from the measurement outcomes in an actual QKD experiment. This integration is
non-trivial and our consideration is both practical and comprehensive in the sense that we take
into account the finiteness of the key length and consider the effects on security of several essential
primitives (including authentication, error handling, and privacy amplification). Furthermore, we
quantify the security of the final secret key that is universally composable. We show that the
finite-size effect mainly comes from phase error estimation. Our result is applicable to the BB84
protocol with a single or entangled photon source.
∗Electronic address: firstname.lastname@example.org
Quantum key distribution (QKD) [1, 2] allows two distant users to generate a secret key
that is guaranteed to be unconditionally secure by the laws of quantum mechanics. Initial
work on QKD has been focused on the investigation of its unconditional security and a few
QKD protocols, such as the well-known BB84 protocol , have been proven to be secure
in the last decade [3, 4, 5]. Since then, many QKD experiments have been performed (see,
e.g., references in Refs. [6, 7]). In general, a QKD experiment involves a quantum state
transmission step (where quantum states are transmitted and measured) and a classical
post-processing step (where the measurement outcomes are processed classically with the
help of classical communication to generate a final secret key). Although standard security
proofs (such as Ref. ) imply a procedure for distilling a final secret key from measurement
outcomes, direct application to an actual QKD experiment is unfit. This is because many
of these security proofs focus on the case that the key is arbitrarily long, which does not
hold in practice. It is precisely this finite-size effect that leads to reduced confidence in the
security of the final key (mediated by the uncertainty in the post-processing tasks such as
error rate estimation and error correction). Therefore, it is imperative to quantify the finite-
size effect and to provide a precise post-processing recipe that one can follow for distilling
final secret keys with quantified security in real QKD experiments. This is the purpose of
this paper. We note that, recently, lots of efforts have spent on the finite-key effect in QKD
post-processing, such as Refs. [8, 9].
When the key size is finite, inference on error rates and error correction can no longer be
perfect as they do in the infinite-size case. More specifically, the inferred error rates could
be different from the true values and there could be leftover errors after error correction.
Consequently, a finite-length secret key generated by a QKD system cannot be perfect in the
sense that Alice and Bob do not share the same key and/or Eve possesses some information
about the key. Nevertheless, the fact that the key is imperfect does not preclude it from
being used in a subsequent task requiring a perfect key. In fact, if one can assign a probability
that the key can be regarded as an ideal one, the use of the nonideal key as an ideal one is
justified. Indeed, this notion of security is captured by the composable security definition of
QKD [10, 11], which is widely adopted in the field. QKD is composable in the sense that the
final key generated is indistinguishable from an ideal secret key except with a small failure
probability. Thus, the QKD key can be used for any subsequent cryptographic application
(for instance, later rounds of QKD) requiring a perfect secret key, and the total failure
probability is the sum of that of the individual composable cryptographic components. In
QKD, Alice and Bob may run a QKD system many rounds. They share a certain amount
of secure key prior to each round, which can be used in the data post-processing step. The
key generated by one round could be used for the next round. Composabiblity requires
the key generated by all the rounds of the QKD system to be secure. In other words, an
eavesdropper, Eve, knows limited amount of information about the key (if there is any) even
after attacking all the rounds.
In this paper, a security definition with a failure probability (or confidence interval) is
used. Our result quantifies the security of the final key generated in a QKD experiment with
a failure probability, i.e., except with this probability the final key can be treated as an ideal
secret key (identical and private). This is a natural security definition for experiments and
the aforementioned composability requirement [10, 11] is fulfilled. For instance, Alice and
Bob run a QKD system 106times and keep the failure probability under ε for each round.
Then the total failure probability is no larger than 106ε. As long as they keep ε well below
10−6, the key generated in this million rounds is secure. The value of ε is determined by the
usage of the key in a real application. Note that we use probability, which is more meaningful
for experiments, instead of the trace distance , to quantify the security. Throughout the
paper, ε’s with various footnotes stand for various failure probabilities.
Let us start by examining the underlying assumptions and definitions used here. We
emphasize that in order to apply the scheme to a QKD system, one needs to compare these
assumptions with the real setup. The assumptions used in the paper are listed as follows:
1. Alice and Bob perform the BB84 protocol with a perfect single photon source or a
basis-independent photon source [12, 13].
2. The detection system is compatible with the squashing model [14, 15, 16], i.e., the
input to Bob’s system is assumed to be a qubit. For example, detection efficiency
mismatch is not considered in this paper .
3. Alice and Bob use perfect random number generators.
4. Alice and Bob use perfect key management. They share a certain amount of secure
key prior to running their QKD system.
The post-processing scheme is based on a modified Shor-Prekill’s security proof , which
is essentially Koashi’s complimentary argument . In this approach, the secure key gen-
eration is equivalent to an entanglement distillation protocol, which involves bit and phase
error correction. In the post-processing, the bit error correction becomes classical error
correction and the phase error correction becomes privacy amplification. We remark that
our result is applicable to any physical QKD implementations that comply with the above
assumptions, and it does not depend on the implementation details.
The motivation of this paper is to give a guideline for QKD data post-processing. We
start from raw data from measurements and some pre-shared secure key bits, and produce
a secret key with a quantified security definition. This can be a stepping stone for a QKD
standard. In this paper, we only present the results but not the technical details of the
derivations, which will be presented in Ref. .
The finite key analysis is important not only from a theoretical point view, but also for
experiments. For example, the efficient BB84  is proposed to increase the key generation
rate. The optimal bias between the two bases, X and Z, approaches 1 in the long key limit
. In order to choose an optimal bias in the finite key case, Alice and Bob need to consider
statistical fluctuations. We remark that the proposed post-processing scheme ties up a few
existing results with some new developments. Note that this integration is non-trivial and
our contributions are as follows:
1. A security definition with a failure probability is used.
2. A strict bound for the phase error estimation is derived.
3. An authentication scheme is applied for the error verification.
4. The efficiency of the privacy amplification is investigated.
5. The parameter optimization is studied.
Classical communication is assumed to be free in many security analyses of QKD. In prac-
tice, heavy classical communication may lead to a low key generation speed, especially for
high-speed QKD setups. Moreover, some classical communication need to be authenticated
(or even encrypted) in the post-processing, which means that it is not entirely free. Here,
we study which part of the classical communication need to be authenticated or encrypted.
For the authentication part, we rely on the LFSR-based Toeplitz matrix construction .
The secure key used in the post-processing comes from a pre-shared secure key between
Alice and Bob. For each step, we investigate the secure-key cost, kxx, and the failure
The post-processing procedure is listed as follows. Note that none of following classical
communication is encrypted unless otherwise stated.
1. Key sift [not authenticated]: Bob discards no-click events and obtains n-bit raw key
by randomly assigning  the double clicks . Note that other key sift procedures
might be applied as well, see for example, Ref. .
2. Basis sift [authenticated]: Alice and Bob send each other n-bit basis information. Due
to the symmetry, we can assume they pick up the same failure probability for this
Here, Alice and Bob use a 2kbs-bit secure key to construct a Toeplitz matrix with a size
of (n×kbs) by a LFSR. The authenticated tag is generated by multiplying the matrix
and the message. Then they encrypt the two tags by two kbs-bit secure keys. Since
the tags are encrypted by a one-time pad, the 2kbs-bit key used for the Toeplitz matrix
construction is still private . Hence, the total secure-key cost in this step is 2kbs
and the corresponding failure probability is 2εbs. Note that when Alice and Bob use
a biased basis choice , they can exchange less than n-bit classical information for
basis sift by data compression. Since the secure-key cost only logarithmically depends
on the length of the message, we simply use n for the following discussion. In the end
of this step, Alice and Bob obtain nx(nz)-bit sifted key in X (Z) basis. Define the
biased ratio to be qx≡ nx/(nx+ nz).
3. Error correction [not authenticated but encrypted ]: the secure-key cost is given
kec= nxf(ebx)H2(ebx) + nzf(ebz)H2(ebz)