AUSTRIAN INSTITUTE
OF TECHNOLOGY
Fundamental Finite Key Limits for Information Reconciliation in Quantum Key Distribution
arXiv:1401.5194

Marco Tomamichel (1), Jesús Martínez-Mateo (2), Christoph Pacher (3), David Elkouss (4)

(1) Centre for Quantum Technologies, National University of Singapore; School of Physics, The University of Sydney
(2) Universidad Politécnica de Madrid
(3) Safety & Security Department, AIT Austrian Institute of Technology
(4) Universidad Complutense de Madrid

Outline

1. Quantum Key Distribution
2. Information Reconciliation
3. Motivation
4. Fundamental Limits for Information Reconciliation (Theoretical Results, Simulation Results)
5. Conclusions / Open Questions

Quantum Key Distribution (QKD)

Cryptographic primitive for key agreement.
Two honest parties: Alice and Bob; dishonest party (eavesdropper): Eve.
Achievement: Alice and Bob create an information-theoretically secure (composable) key.

Information-theoretic security (informally): the success probability of any (active or passive) attack is upper bounded by a (tiny) constant, regardless of the (quantum) computing resources used by the attacker.

QKD protocol steps

Prerequisites:
- Authentic classical (public) channel (Eve can listen)
- Quantum channel (Eve introduces noise while listening)

[Diagram: Alice, holding X, and Bob, holding Y, connected by the public channel and the quantum channel.]

1. Quantum phase (A prepares N quantum systems and transmits them; B measures).
2. Parameter estimation (A and B estimate the correlation between X and Y).
3. Sifting (A and B remove uncorrelated systems and produce raw keys of length n).
4. Information reconciliation (by exchanging messages on the classical channel, Bob estimates Alice's raw key).
5. Privacy amplification (ensures secrecy).

One-Way Information Reconciliation

Alice and Bob hold raw keys $X^n$, $Y^n$ distributed according to $(P_{XY})^{\times n}$.

[Diagram: $X^n$ → ENC → $M$ → DEC → $\tilde{X}^n$, with $Y^n$ as the second input to DEC.]

Alice first computes a compressed version $M \in \mathcal{M}$ of her raw key $X^n$ and sends it to Bob (leakage to Eve).
Bob uses $M$ together with his own raw key $Y^n$ to construct an estimate $\tilde{X}^n$ of $X^n$.

One-way IR = source coding with side information.
Asymptotic limit: it is sufficient to send $nH(X|Y)$ bits.

Motivation for finite-length studies in QKD

The secret key length $\ell$ of a QKD protocol is reduced by $\mathrm{leak}_{IR}$, the amount of information leaked to an eavesdropper during IR.
Since $\mathrm{leak}_{IR}$ is hard to determine, the length of the IR messages $\log|\mathcal{M}|$ is often used as a bound: $\mathrm{leak}_{IR} \le \log|\mathcal{M}|$.
Motivated by the asymptotic limit, the amount of information that is required to perform one-way IR is usually written as
$$\log|\mathcal{M}| = \xi \cdot nH(X|Y)_P,$$
where $\xi > 1$ is the reconciliation (in)efficiency.
In the literature on QKD it is often assumed that $\xi \in [1.05, 1.20]$ for all scenarios.
However, this choice should depend on the distribution $P_{XY}$, the frame length $n$, and the frame error rate $\varepsilon$.

What are the fundamental / practical limits of $\log|\mathcal{M}|$ as a function of $P_{XY}$, $n$, and $\varepsilon$?

State of the art of $\log|\mathcal{M}|$

IR / source coding with side information

[Diagram: $X^n$ → ENC → $M$ → DEC → $\tilde{X}^n$, with $Y^n$ as the second input to DEC.]

Bounds on the asymptotic expansion up to second order (Hayashi 2008 and Tan and Kosut 2012).

This work:
1. For an arbitrary $(P_{XY})^{\times n}$ we provide the asymptotic expansion up to third order for the converse bound.
2. For a special case we provide a non-asymptotic converse bound.
3. We compare these bounds to implementations of one-way IR using low-density parity-check codes.

Fundamental Limits for Information Reconciliation

Definition. An IR protocol is $\varepsilon$-correct on $P_{XY}$ if $\Pr[X^n \neq \tilde{X}^n] \le \varepsilon$.

Theorem (Converse bound (Normal approximation)). Let $0 < \varepsilon < 1$. Then, for large $n$, any $\varepsilon$-correct IR protocol on $P_{XY}$ satisfies
$$\log|\mathcal{M}| \ge nH(X|Y) + \sqrt{nV(X|Y)}\,\Phi^{-1}(1-\varepsilon) - \frac{1}{2}\log n - O(1),$$
where $H(X|Y) := \mathbb{E}\left[\log\frac{P_Y}{P_{XY}}\right]$ is the conditional entropy, $V(X|Y) := \operatorname{Var}\left[\log\frac{P_Y}{P_{XY}}\right]$ is the conditional entropy variance, and $\Phi$ is the cumulative standard normal distribution.

Special Case: Quantum Bit Error Rate Q

$P^Q_{XY}$ results from measurements on a channel with (independent) QBER $Q$:
$$P^Q_X(0) = P^Q_X(1) = P^Q_Y(0) = P^Q_Y(1) = 1/2,$$
$$P^Q_{XY}(0,0) = P^Q_{XY}(1,1) = (1-Q)/2,$$
$$P^Q_{XY}(0,1) = P^Q_{XY}(1,0) = Q/2.$$

Definition. An IR protocol is $(\varepsilon, Q)$-correct if it is $\varepsilon$-correct on $P^Q_{XY}$.

Theorem (Non-asymptotic converse bound for $(\varepsilon, Q)$-correct prot.).
$$\log|\mathcal{M}| \ge nh(Q) + \Big(n(1-Q) - F^{-1}\big(\varepsilon(1 + 1/\sqrt{n});\, n,\, 1-Q\big) - 1\Big)\log\frac{1-Q}{Q} - \frac{1}{2}\log n - \log\frac{1}{\varepsilon},$$
where $F^{-1}(\,\cdot\,; n, p)$ is the inverse of the CDF of the binomial distribution.

Special Case: Quantum Bit Error Rate Q

Theorem (Converse bound (Normal approximation)).
$$\log|\mathcal{M}| \ge nH(X|Y) + \sqrt{nV(X|Y)}\,\Phi^{-1}(1-\varepsilon) - \frac{1}{2}\log n - O(1).$$

Corollary (Converse bound for $(\varepsilon, Q)$-correct protocol). Let $0 < \varepsilon < 1$ and let $0 < Q < \frac{1}{2}$. Then, for large $n$, any $(\varepsilon, Q)$-correct IR protocol satisfies
$$\log|\mathcal{M}| \ge \xi(n, \varepsilon; Q) \cdot nh(Q) - \frac{1}{2}\log n - O(1),$$
where
$$\xi(n, \varepsilon; Q) := 1 + \frac{1}{\sqrt{n}}\,\frac{\sqrt{v(Q)}}{h(Q)}\,\Phi^{-1}(1-\varepsilon),$$
$$h(x) := -x\log x - (1-x)\log(1-x) \quad\text{and}\quad v(x) := x(1-x)\log^2\frac{x}{1-x}.$$

Numerically, this simple bound matches the non-asymptotic bound very well.

Efficiency $\xi(n, \varepsilon; Q)$

The efficiency of IR is the value multiplying the asymptotic limit.
We obtain a forbidden region by plotting $\xi(n, \varepsilon; Q)$.

[Figure: $\xi$ as a function of the blocksize $n$. Horizontal axis: $n$ from $10^3$ to $10^7$; vertical axis: $\xi(n,\varepsilon,Q)$ from 1 to 1.5. Curves: Q = 1.0%, Q = 2.5% and Q = 5.0%, each at $\varepsilon = 10^{-2}$.]

[Figure: $\xi$ as a function of the frame error rate $\varepsilon$, two panels. Horizontal axis: $\varepsilon$; vertical axis: $\xi(n,\varepsilon,Q)$. Curves: Q = 1.5% and Q = 3.0% at $n = 10^3$; Q = 2.5% and Q = 4.0% at $n = 10^4$.]
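
But what about realistic IR codes?

Theoretical bound:
$$\frac{\log|\mathcal{M}|}{nh(Q)} \approx \xi(n, \varepsilon; Q) := 1 + \frac{1}{\sqrt{n}}\,\frac{\sqrt{v(Q)}}{h(Q)}\,\Phi^{-1}(1-\varepsilon)$$

[Figure: frame error rate $\varepsilon$ (log scale, 1 down to $10^{-6}$) versus $Q$ (0 to 0.1), with the bound. Curves: R = 0.6, $n = 10^3$; R = 0.6, $n = 10^4$; R = 0.8, $n = 10^3$; R = 0.8, $n = 10^4$. Sum-product algorithm, maximum 200 decoding iterations.]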

But what about realistic IR codes?

Conjecture for LDPC codes:
$$\frac{\log|\mathcal{M}|}{nh(Q)} \approx \xi_1 + \xi_2 \cdot \frac{1}{\sqrt{n}}\,\frac{\sqrt{v(Q)}}{h(Q)}\,\Phi^{-1}(1-\varepsilon) =: \hat{\xi}(n, \varepsilon; Q)$$

Simulations of LDPC codes and fits

[Figure: frame error rate $\varepsilon$ (log scale, 1 down to $10^{-6}$) versus $Q$ (0 to 0.1), with the bound and the fit. Curves: R = 0.6, $n = 10^3$; R = 0.6, $n = 10^4$; R = 0.8, $n = 10^3$; R = 0.8, $n = 10^4$. Sum-product algorithm, maximum 200 decoding iterations.]

n       log|M|    ξ1      ξ2
10^3    4·10^2    1.11    1.39
10^3    3·10^2    1.12    1.45
10^3    2·10^2    1.13    1.69
10^4    4·10^3    1.07    1.41
10^4    3·10^3    1.08    1.44
10^4    2·10^3    1.11    1.89

But what about realistic IR codes?

[Figure: $\xi(n,\varepsilon,Q)$ as a function of $\varepsilon$, two panels, with simulated codes labelled by rate (R = 0.68 to 0.72 and R = 0.78 to 0.82). Curves: Q = 1.5% and Q = 3.0% at $n = 10^3$; Q = 2.5% and Q = 4.0% at $n = 10^4$.]

n       Q        ξ1      ξ2
10^3    0.015    1.16    1.52
10^3    0.030    1.16    1.31
10^4    0.025    1.14    1.26
10^4    0.040    1.07    1.58
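
The corollary, the non-asymptotic theorem and the LDPC conjecture from the preceding slides can be evaluated numerically. The Python code below is an added example, not code from the talk or its authors; it assumes base-2 logarithms (bits), drops the O(1) term of the normal approximation, and all function names are chosen here for illustration.

```python
import math
from statistics import NormalDist


def h(x):
    """Binary entropy h(x) in bits (assumption: log base 2)."""
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def v(x):
    """Entropy variance v(x) = x(1-x) log^2(x/(1-x)), in bits squared."""
    return x * (1 - x) * math.log2(x / (1 - x)) ** 2


def finite_length_term(n, eps, q):
    """(1/sqrt(n)) * sqrt(v(Q))/h(Q) * Phi^{-1}(1 - eps)."""
    return math.sqrt(v(q) / n) / h(q) * NormalDist().inv_cdf(1 - eps)


def xi_bound(n, eps, q):
    """Converse bound xi(n, eps; Q) from the corollary (edge of forbidden region)."""
    return 1 + finite_length_term(n, eps, q)


def xi_ldpc(n, eps, q, xi1, xi2):
    """Conjectured LDPC efficiency xi_hat = xi1 + xi2 * finite-length term."""
    return xi1 + xi2 * finite_length_term(n, eps, q)


def binom_quantile(p, n, s):
    """F^{-1}(p; n, s): smallest k with Pr[Binomial(n, s) <= k] >= p."""
    cdf = 0.0
    for k in range(n + 1):
        # pmf evaluated in log space so large n does not overflow
        log_pmf = (math.lgamma(n + 1) - math.lgamma(k + 1)
                   - math.lgamma(n - k + 1)
                   + k * math.log(s) + (n - k) * math.log(1 - s))
        cdf += math.exp(log_pmf)
        if cdf >= p:
            return k
    return n


def bits_nonasymptotic(n, eps, q):
    """Non-asymptotic converse bound on log|M| for an (eps, Q)-correct protocol."""
    k = binom_quantile(eps * (1 + 1 / math.sqrt(n)), n, 1 - q)
    return (n * h(q) + (n * (1 - q) - k - 1) * math.log2((1 - q) / q)
            - 0.5 * math.log2(n) - math.log2(1 / eps))


def bits_normal(n, eps, q):
    """Normal-approximation bound on log|M|, with the O(1) term dropped."""
    return xi_bound(n, eps, q) * n * h(q) - 0.5 * math.log2(n)


if __name__ == "__main__":
    n, eps, q = 10**4, 1e-2, 0.025
    xi1, xi2 = 1.14, 1.26  # fitted values from the table for n = 10^4, Q = 0.025
    print(f"xi bound         : {xi_bound(n, eps, q):.4f}")
    print(f"xi_hat (LDPC fit): {xi_ldpc(n, eps, q, xi1, xi2):.4f}")
    print(f"log|M| normal    : {bits_normal(n, eps, q):.1f} bits")
    print(f"log|M| non-asymp : {bits_nonasymptotic(n, eps, q):.1f} bits")
    print(f"1.1 * n * h(Q)   : {1.1 * n * h(q):.1f} bits")
```

For n = 10^4, Q = 2.5% and ε = 10^-2 the converse bound alone already puts ξ above 1.1, and the fitted LDPC value is higher still, so a privacy-amplification budget sized with ξ = 1.1 would underestimate the leakage for this frame length.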

Conclusions / Open Questions

Conclusions
- Fundamental limits for information reconciliation in the finite key regime.
- Commonly used approximation $\log|\mathcal{M}| \approx 1.1\,nh(Q)$ is often too optimistic for one-way IR.
- Numerical simulations for LDPC codes → approximation that can be used for the design of QKD systems.

Open Questions
- Behaviour for different code families.
- Joint consideration of fundamental limits for finite-length reconciliation and privacy amplification.

THANK YOU!