AUSTRIAN INSTITUTE

OF TECHNOLOGY

Fundamental Finite Key Limits for Information Reconciliation in Quantum Key Distribution arXiv:1401.5194

Marco Tomamichel 1

1

Jesús Martínez-Mateo 2 David Elkouss 4

Centre for Quantum Technologies, National University of Singapore School of Physics, The University of Sydney 2

3

Christoph Pacher 3

Universidad Politécnica de Madrid

Safety & Security Department, AIT Austrian Institute of Technology 4

Universidad Complutense de Madrid

1

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Outline

1

Quantum Key Distribution

2

Information Reconciliation

3

Motivation

4

Fundamental Limits for Information Reconciliation Theoretical Results Simulation Results

5

Conclusions / Open Questions

2

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Outline

1

Quantum Key Distribution

2

Information Reconciliation

3

Motivation

4

Fundamental Limits for Information Reconciliation Theoretical Results Simulation Results

5

Conclusions / Open Questions

3

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Quantum Key Distribution (QKD)

Cryptographic primitive for key agreement Two honest parties: Alice and Bob; dishonest party (eavesdropper): Eve. Achievement: Alice and Bob create an information-theoretic secure (composable) key.

4

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Quantum Key Distribution (QKD)

Cryptographic primitive for key agreement Two honest parties: Alice and Bob; dishonest party (eavesdropper): Eve. Achievement: Alice and Bob create an information-theoretic secure (composable) key.

Information-theoretic security (informally) The success probability of any (active or passive) attack is upper bounded by a (tiny) constant, regardless of the (quantum) computing resources used by the attacker.

4

AUSTRIAN INSTITUTE

OF TECHNOLOGY

QKD protocol steps Prerequisites: Public Channel

Alice

Bob

X

Y Quantum  Channel

Authentic classical channel (Eve can listen) Quantum channel (Eve introduces noise while listening)

5

AUSTRIAN INSTITUTE

OF TECHNOLOGY

QKD protocol steps Prerequisites: Public Channel

Alice

Bob

X

Y Quantum  Channel

1

Authentic classical channel (Eve can listen) Quantum channel (Eve introduces noise while listening)

quantum phase (A prepares N quantum systems, transmits, and B measures )

5

AUSTRIAN INSTITUTE

OF TECHNOLOGY

QKD protocol steps Prerequisites: Public Channel

Alice

Bob

X

Y Quantum  Channel

Authentic classical channel (Eve can listen) Quantum channel (Eve introduces noise while listening)

1

quantum phase (A prepares N quantum systems, transmits, and B measures )

2

parameter estimation (A and B estimate correlation between X and Y )

5

AUSTRIAN INSTITUTE

OF TECHNOLOGY

QKD protocol steps Prerequisites: Public Channel

Alice

Bob

X

Y Quantum  Channel

Authentic classical channel (Eve can listen) Quantum channel (Eve introduces noise while listening)

1

quantum phase (A prepares N quantum systems, transmits, and B measures )

2

parameter estimation (A and B estimate correlation between X and Y )

3

sifting (A and B remove uncorrelated systems, produce raw keys of length n),

5

AUSTRIAN INSTITUTE

OF TECHNOLOGY

QKD protocol steps Prerequisites: Public Channel

Alice

Bob

X

Y Quantum  Channel

Authentic classical channel (Eve can listen) Quantum channel (Eve introduces noise while listening)

1

quantum phase (A prepares N quantum systems, transmits, and B measures )

2

parameter estimation (A and B estimate correlation between X and Y )

3

sifting (A and B remove uncorrelated systems, produce raw keys of length n),

4

information reconciliation (exchanging messages on the classical channel Bob estimates Alice’s raw key),

5

AUSTRIAN INSTITUTE

OF TECHNOLOGY

QKD protocol steps Prerequisites: Public Channel

Alice

Bob

X

Y Quantum  Channel

Authentic classical channel (Eve can listen) Quantum channel (Eve introduces noise while listening)

1

quantum phase (A prepares N quantum systems, transmits, and B measures )

2

parameter estimation (A and B estimate correlation between X and Y )

3

sifting (A and B remove uncorrelated systems, produce raw keys of length n),

4

information reconciliation (exchanging messages on the classical channel Bob estimates Alice’s raw key),

5

privacy amplification

5

AUSTRIAN INSTITUTE

OF TECHNOLOGY

QKD protocol steps Prerequisites: Public Channel

Alice

Bob

X

Y Quantum  Channel

Authentic classical channel (Eve can listen) Quantum channel (Eve introduces noise while listening)

1

quantum phase (A prepares N quantum systems, transmits, and B measures )

2

parameter estimation (A and B estimate correlation between X and Y )

3

sifting (A and B remove uncorrelated systems, produce raw keys of length n),

4

information reconciliation (exchanging messages on the classical channel Bob estimates Alice’s raw key),

5

privacy amplification (ensures secrecy).

5

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Outline

1

Quantum Key Distribution

2

Information Reconciliation

3

Motivation

4

Fundamental Limits for Information Reconciliation Theoretical Results Simulation Results

5

Conclusions / Open Questions

6

AUSTRIAN INSTITUTE

OF TECHNOLOGY

One Way Information Reconciliation Alice and Bob hold raw keys X n , Y n distributed according to (PXY )×n .

7

AUSTRIAN INSTITUTE

OF TECHNOLOGY

One Way Information Reconciliation Alice and Bob hold raw keys X n , Y n distributed according to (PXY )×n . Xn

ENC

Yn

M

DEC

X˜ n

Alice first computes a compressed version M ∈ M of her raw key X n , and sends it to Bob (leakage to Eve).

7

AUSTRIAN INSTITUTE

OF TECHNOLOGY

One Way Information Reconciliation Alice and Bob hold raw keys X n , Y n distributed according to (PXY )×n . Xn

ENC

Yn

M

DEC

X˜ n

Alice first computes a compressed version M ∈ M of her raw key X n , and sends it to Bob (leakage to Eve). Bob uses M together with his own raw key Y n to construct an estimate ˜ n of X n . X

7

AUSTRIAN INSTITUTE

OF TECHNOLOGY

One Way Information Reconciliation Alice and Bob hold raw keys X n , Y n distributed according to (PXY )×n . Xn

ENC

Yn

M

DEC

X˜ n

Alice first computes a compressed version M ∈ M of her raw key X n , and sends it to Bob (leakage to Eve). Bob uses M together with his own raw key Y n to construct an estimate ˜ n of X n . X One Way IR = Source Coding with Side Information

7

AUSTRIAN INSTITUTE

OF TECHNOLOGY

One Way Information Reconciliation Alice and Bob hold raw keys X n , Y n distributed according to (PXY )×n . Xn

ENC

Yn

M

DEC

X˜ n

Alice first computes a compressed version M ∈ M of her raw key X n , and sends it to Bob (leakage to Eve). Bob uses M together with his own raw key Y n to construct an estimate ˜ n of X n . X One Way IR = Source Coding with Side Information Asymptotic limit it is sufficient to send nH(X |Y ) bits

7

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Outline

1

Quantum Key Distribution

2

Information Reconciliation

3

Motivation

4

Fundamental Limits for Information Reconciliation Theoretical Results Simulation Results

5

Conclusions / Open Questions

8

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Motivation for finite-length studies in QKD The secret key length ` of a QKD protocol is reduced by leakIR , the amount of information leaked to an eavesdropper during IR.

9

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Motivation for finite-length studies in QKD The secret key length ` of a QKD protocol is reduced by leakIR , the amount of information leaked to an eavesdropper during IR. Since leakIR is hard to determine, the length of the IR messages log |M| is often used as a bound leakIR ≤ log |M|.

9

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Motivation for finite-length studies in QKD The secret key length ` of a QKD protocol is reduced by leakIR , the amount of information leaked to an eavesdropper during IR. Since leakIR is hard to determine, the length of the IR messages log |M| is often used as a bound leakIR ≤ log |M|. Motivated by the asymptotic limit, the amount of information that is required to perform one-way IR is usually written as log |M| = ξ · nH(X |Y )P , where ξ > 1 is the reconciliation (in)efficiency.

9

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Motivation for finite-length studies in QKD The secret key length ` of a QKD protocol is reduced by leakIR , the amount of information leaked to an eavesdropper during IR. Since leakIR is hard to determine, the length of the IR messages log |M| is often used as a bound leakIR ≤ log |M|. Motivated by the asymptotic limit, the amount of information that is required to perform one-way IR is usually written as log |M| = ξ · nH(X |Y )P , where ξ > 1 is the reconciliation (in)efficiency. In the literature on QKD it is often assumed that ξ ∈ [1.05, 1.20] for all scenarios.

9

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Motivation for finite-length studies in QKD The secret key length ` of a QKD protocol is reduced by leakIR , the amount of information leaked to an eavesdropper during IR. Since leakIR is hard to determine, the length of the IR messages log |M| is often used as a bound leakIR ≤ log |M|. Motivated by the asymptotic limit, the amount of information that is required to perform one-way IR is usually written as log |M| = ξ · nH(X |Y )P , where ξ > 1 is the reconciliation (in)efficiency. In the literature on QKD it is often assumed that ξ ∈ [1.05, 1.20] for all scenarios. However, this choice should depend on the distribution PXY , the frame length n, and the frame error rate ε.

9

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Motivation for finite-length studies in QKD The secret key length ` of a QKD protocol is reduced by leakIR , the amount of information leaked to an eavesdropper during IR. Since leakIR is hard to determine, the length of the IR messages log |M| is often used as a bound leakIR ≤ log |M|. Motivated by the asymptotic limit, the amount of information that is required to perform one-way IR is usually written as log |M| = ξ · nH(X |Y )P , where ξ > 1 is the reconciliation (in)efficiency. In the literature on QKD it is often assumed that ξ ∈ [1.05, 1.20] for all scenarios. However, this choice should depend on the distribution PXY , the frame length n, and the frame error rate ε. What are the fundamental / practical limits of log |M| as a function of PXY , n, and ε? 9

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Outline

1

Quantum Key Distribution

2

Information Reconciliation

3

Motivation

4

Fundamental Limits for Information Reconciliation Theoretical Results Simulation Results

5

Conclusions / Open Questions

10

AUSTRIAN INSTITUTE

OF TECHNOLOGY

State of the art of log |M| IR / Source coding with side information Xn

ENC

Yn

M

DEC

X˜ n

Bounds on the asymptotic expansion up to second order (Hayashi 2008 and Tan and Kosut 2012)

11

AUSTRIAN INSTITUTE

OF TECHNOLOGY

State of the art of log |M| IR / Source coding with side information Xn

ENC

Yn

M

DEC

X˜ n

Bounds on the asymptotic expansion up to second order (Hayashi 2008 and Tan and Kosut 2012)

This work

11

AUSTRIAN INSTITUTE

OF TECHNOLOGY

State of the art of log |M| IR / Source coding with side information Xn

ENC

Yn

M

DEC

X˜ n

Bounds on the asymptotic expansion up to second order (Hayashi 2008 and Tan and Kosut 2012)

This work 1

For an arbitrary (PXY )×n we provide the asymptotic expansion up to third order for the converse bound

11

AUSTRIAN INSTITUTE

OF TECHNOLOGY

State of the art of log |M| IR / Source coding with side information Xn

ENC

Yn

M

DEC

X˜ n

Bounds on the asymptotic expansion up to second order (Hayashi 2008 and Tan and Kosut 2012)

This work 1

2

For an arbitrary (PXY )×n we provide the asymptotic expansion up to third order for the converse bound For a special case we provide a non-asymptotic converse bound

11

AUSTRIAN INSTITUTE

OF TECHNOLOGY

State of the art of log |M| IR / Source coding with side information Xn

ENC

Yn

M

DEC

X˜ n

Bounds on the asymptotic expansion up to second order (Hayashi 2008 and Tan and Kosut 2012)

This work 1

For an arbitrary (PXY )×n we provide the asymptotic expansion up to third order for the converse bound

2

For a special case we provide a non-asymptotic converse bound

3

We compare these bounds to implementations of one-way IR using low-density parity-check codes. 11

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Fundamental Limits For Information Reconciliation Definition An IR protocol is ε-correct on PXY if ˜ n ] ≤ ε. Pr[X n 6= X

12

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Fundamental Limits For Information Reconciliation Definition An IR protocol is ε-correct on PXY if ˜ n ] ≤ ε. Pr[X n 6= X

Theorem (Converse bound (Normal approximation)) Let 0 < ε < 1. Then, for large n, any ε-correct IR protocol on PXY satisfies log |M| ≥ nH(X |Y ) +

p 1 nV (X |Y ) Φ−1 (1 − ε) − log n − O(1) , 2

12

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Fundamental Limits For Information Reconciliation Definition An IR protocol is ε-correct on PXY if ˜ n ] ≤ ε. Pr[X n 6= X

Theorem (Converse bound (Normal approximation)) Let 0 < ε < 1. Then, for large n, any ε-correct IR protocol on PXY satisfies p 1 nV (X |Y ) Φ−1 (1 − ε) − log n − O(1) , 2   where H(X |Y ) := Exp log PPY is the conditional entropy, XY   V (X |Y ) := Var log PPY is the conditional entropy variance, and Φ is the XY cumulative standard normal distribution. log |M| ≥ nH(X |Y ) +

12

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Q PXY results from measurements on a channel with (independent) qber Q:

PXQ (0) = PXQ (1) = PYQ (0) = PYQ (1) = 1/2, Q Q PXY (0, 0) = PXY (1, 1) = (1 − Q)/2, Q Q PXY (0, 1) = PXY (1, 0) = Q/2.

13

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Q PXY results from measurements on a channel with (independent) qber Q:

PXQ (0) = PXQ (1) = PYQ (0) = PYQ (1) = 1/2, Q Q PXY (0, 0) = PXY (1, 1) = (1 − Q)/2, Q Q PXY (0, 1) = PXY (1, 0) = Q/2.

Definition Q An IR protocol is (ε, Q)-correct if it is ε-correct on PXY .

13

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Q PXY results from measurements on a channel with (independent) qber Q:

PXQ (0) = PXQ (1) = PYQ (0) = PYQ (1) = 1/2, Q Q PXY (0, 0) = PXY (1, 1) = (1 − Q)/2, Q Q PXY (0, 1) = PXY (1, 0) = Q/2.

Definition Q An IR protocol is (ε, Q)-correct if it is ε-correct on PXY .

Theorem (Non-asymptotic converse bound for (ε, Q)-correct prot.)     √  1−Q log |M| ≥ nh(Q) + n(1 − Q) − F −1 ε 1 + 1/ n ; n, 1 − Q − 1 log Q 1 1 − log n − log . 2 ε where F −1 ( · ; n, p) is the inverse of the CDF of the binomial distribution. 13

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Theorem (Converse bound (Normal approximation)) log |M| ≥ nH(X |Y ) +

p 1 nV (X |Y ) Φ−1 (1 − ε) − log n − O(1) . 2

14

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Theorem (Converse bound (Normal approximation)) log |M| ≥ nH(X |Y ) +

p 1 nV (X |Y ) Φ−1 (1 − ε) − log n − O(1) . 2

Corollary (Converse bound for (ε, Q)-correct protocol) Let 0 < ε < 1 and let 0 < Q < 12 . Then, for large n, any (ε, Q)-correct IR protocol satisfies log |M| ≥ ξ(n, ε; Q) · nh(Q) −

1 log n − O(1), 2

where

14

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Theorem (Converse bound (Normal approximation)) log |M| ≥ nH(X |Y ) +

p 1 nV (X |Y ) Φ−1 (1 − ε) − log n − O(1) . 2

Corollary (Converse bound for (ε, Q)-correct protocol) Let 0 < ε < 1 and let 0 < Q < 12 . Then, for large n, any (ε, Q)-correct IR protocol satisfies 1 log |M| ≥ ξ(n, ε; Q) · nh(Q) − log n − O(1), 2 p v(Q) −1 1 ξ(n, ε; Q) := 1 + √ Φ (1−ε), h(Q) n

where

14

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Theorem (Converse bound (Normal approximation)) log |M| ≥ nH(X |Y ) +

p 1 nV (X |Y ) Φ−1 (1 − ε) − log n − O(1) . 2

Corollary (Converse bound for (ε, Q)-correct protocol) Let 0 < ε < 1 and let 0 < Q < 12 . Then, for large n, any (ε, Q)-correct IR protocol satisfies 1 log |M| ≥ ξ(n, ε; Q) · nh(Q) − log n − O(1), 2 p v(Q) −1 1 ξ(n, ε; Q) := 1 + √ Φ (1−ε), h(Q) n

where

 h(x) := −x log x − (1 − x) log(1 − x) and v(x) := x(1 − x) log2 x/(1 − x) .

14

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Special Case: Quantum Bit Error Rate Q Theorem (Converse bound (Normal approximation)) log |M| ≥ nH(X |Y ) +

p 1 nV (X |Y ) Φ−1 (1 − ε) − log n − O(1) . 2

Corollary (Converse bound for (ε, Q)-correct protocol) Let 0 < ε < 1 and let 0 < Q < 12 . Then, for large n, any (ε, Q)-correct IR protocol satisfies 1 log |M| ≥ ξ(n, ε; Q) · nh(Q) − log n − O(1), 2 p v(Q) −1 1 ξ(n, ε; Q) := 1 + √ Φ (1−ε), h(Q) n

where

 h(x) := −x log x − (1 − x) log(1 − x) and v(x) := x(1 − x) log2 x/(1 − x) . Numerically, this simple bound matches the non-asymptotic bound very well. 14

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Efficiency ξ(n, ε; Q) The efficiency of IR is the value multiplying the asymptotic limit

15

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Efficiency ξ(n, ε; Q) The efficiency of IR is the value multiplying the asymptotic limit We obtain a forbidden region by plotting ξ(n, ε; Q)

15

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Efficiency ξ(n, ε; Q) The efficiency of IR is the value multiplying the asymptotic limit We obtain a forbidden region by plotting ξ(n, ε; Q) ξ as a function of the blocksize n 1.5

Q=1.0%, ε=10-2

1.4

ξ(n,ε,Q)

Q=2.5%, ε=10-2 Q=5.0%, ε=10-2

1.3

1.2

1.1

1

103

104

105 n

106

107 15

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Efficiency ξ(n, ε; Q) The efficiency of IR is the value multiplying the asymptotic limit We obtain a forbidden region by plotting ξ(n, ε; Q)

ξ as a function of the frame error rate ε 2

1.5

1.8

1.4

1.6

1.3

1.4

1.2

ξ(n,ε,Q)

Q=2.5%, n=104

1.2

Q=1.5%, n=103

Q=4.0%, n=104

1.1

Q=3.0%, n=103 1 -4 10

10-3

10-2 ε

1 10-1 10-5

10-4

10-3

10-2

10-1

ε

16

AUSTRIAN INSTITUTE

OF TECHNOLOGY

But what about realistic IR codes? Theoretical Bound p v(Q) −1 log |M| 1 ≈ ξ(n, ε; Q) := 1 + √ Φ (1−ε) nh(Q) n h(Q)

17

AUSTRIAN INSTITUTE

OF TECHNOLOGY

But what about realistic IR codes? Theoretical Bound p v(Q) −1 log |M| 1 ≈ ξ(n, ε; Q) := 1 + √ Φ (1−ε) nh(Q) n h(Q) 1 10-1

10-3

boun d

ε

10-2

10-4

R=0.6, n=103 R=0.6, n=104 R=0.8, n=103 R=0.8, n=104

10-5 10-6 0

0.02

0.04

0.06

0.08

0.1

Q

17

AUSTRIAN INSTITUTE

OF TECHNOLOGY

But what about realistic IR codes? Theoretical Bound p v(Q) −1 log |M| 1 ≈ ξ(n, ε; Q) := 1 + √ Φ (1−ε) nh(Q) n h(Q) 1 10-1

10-3

boun d

ε

10-2

10-4

R=0.6, n=103 R=0.6, n=104 R=0.8, n=103 R=0.8, n=104

10-5 10-6

Sum-product algorithm Maximum 200 decoding iterations

0

0.02

0.04

0.06

0.08

0.1

Q

17

AUSTRIAN INSTITUTE

OF TECHNOLOGY

But what about realistic IR codes? Conjecture for LDPC codes p v(Q) −1 log |M| ˆ ε; Q) ≈ ξ1 + ξ2 · √1 =: ξ(n, Φ (1 − ε) nh(Q) n h(Q)

18

AUSTRIAN INSTITUTE

OF TECHNOLOGY

But what about realistic IR codes? Conjecture for LDPC codes p v(Q) −1 log |M| ˆ ε; Q) ≈ ξ1 + ξ2 · √1 =: ξ(n, Φ (1 − ε) nh(Q) n h(Q) Simulations of LDPC codes and fits

1 10-1

boun

d

10-3 10-4 10-5 10-6

R=0.6, n=103 R=0.6, n=104 R=0.8, n=103 R=0.8, n=104

fit

ε

10-2

Sum-product algorithm Maximum 200 decoding iterations

0

0.02

0.04

0.06

0.08

0.1

Q

18

AUSTRIAN INSTITUTE

OF TECHNOLOGY

But what about realistic IR codes? Conjecture for LDPC codes p v(Q) −1 log |M| ˆ ε; Q) ≈ ξ1 + ξ2 · √1 =: ξ(n, Φ (1 − ε) nh(Q) n h(Q) Simulations of LDPC codes and fits

1 10-1

3

boun

d

10-3 10-4

R=0.6, n=103 R=0.6, n=104 R=0.8, n=103 R=0.8, n=104

fit

ε

10

10-5 10-6

log |M|

n

-2

Sum-product algorithm Maximum 200 decoding iterations

0

0.02

0.04

0.06

0.08

10 103 103 104 104 104

2

4 · 10 3 · 102 2 · 102 4 · 103 3 · 103 2 · 103

ξ1

ξ2

1.11 1.12 1.13 1.07 1.08 1.11

1.39 1.45 1.69 1.41 1.44 1.89

0.1

Q

18

AUSTRIAN INSTITUTE

OF TECHNOLOGY

But what about realistic IR codes? 2

1.5 R=0.79 R=0.78

Q=2.5%, n=104

R=0.8

1.8

R=0.81

R=0.68

R=0.68

ξ(n,ε,Q)

R=0.69 R=0.7

1.6

Q=4.0%, n=104

1.4

R=0.71 R=0.82

R=0.78

R=0.69

1.3

R=0.79

R=0.7

R=0.8 1.4

R=0.72 Q=1.5%, n=103

1.2

1.2 R=0.71 R=0.72

1.1

R=0.81

Q=3.0%, n=103 1 -4 10

10-3

10-2

10-1

1 -5 10

10-4

10-3

ε

n

Q 3

10 103

0.015 0.030

ξ1 1.16 1.16

10-2

10-1

ε

ξ2 1.52 1.31

n 4

10 104

Q

ξ1

ξ2

0.025 0.040

1.14 1.07

1.26 1.58

19

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Outline

1

Quantum Key Distribution

2

Information Reconciliation

3

Motivation

4

Fundamental Limits for Information Reconciliation Theoretical Results Simulation Results

5

Conclusions / Open Questions

20

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Conclusions / Open Questions Conclusions Fundamental limits for information reconciliation in the finite key regime Commonly used approximation log |M| ≈ 1.1nh(Q) is often too optimistic for one-way IR Numerical simulations for LDPC codes → approximation that can be used for the design of QKD systems

21

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Conclusions / Open Questions Conclusions Fundamental limits for information reconciliation in the finite key regime Commonly used approximation log |M| ≈ 1.1nh(Q) is often too optimistic for one-way IR Numerical simulations for LDPC codes → approximation that can be used for the design of QKD systems

Open Questions Behaviour for different code families Joint consideration of fundamental limits for finite-length reconciliation and privacy amplification

21

AUSTRIAN INSTITUTE

OF TECHNOLOGY

Conclusions / Open Questions Conclusions Fundamental limits for information reconciliation in the finite key regime Commonly used approximation log |M| ≈ 1.1nh(Q) is often too optimistic for one-way IR Numerical simulations for LDPC codes → approximation that can be used for the design of QKD systems

Open Questions Behaviour for different code families Joint consideration of fundamental limits for finite-length reconciliation and privacy amplification

THANK YOU! 21

Fundamental Finite Key Limits for Information ...

1Centre for Quantum Technologies, National University of Singapore ... a (tiny) constant, regardless of the (quantum) computing resources used by ... Page 7 ...

985KB Sizes 3 Downloads 172 Views

Recommend Documents

Fundamental Finite Key Limits for Information ...
Abstract—The security of quantum key distribution protocols is guaranteed by the laws of quantum mechanics. However, a precise analysis of the security properties requires tools from both classical cryptography and information theory. Here, we empl

Fundamental limits on adversarial robustness
State-of-the-art deep networks have recently been shown to be surprisingly unstable .... An illustration of ∆unif,ϵ(x; f) and ∆adv(x; f) is given in Fig. 1. Similarly to ...

New Limits on Coupling of Fundamental Constants to ...
Apr 9, 2008 - electron-proton mass ratio , and light quark mass. ... 87Sr as the fourth optical atomic clock species to enhance constraints on yearly drifts of ...

New Limits on Coupling of Fundamental ... - Columbia University
Apr 9, 2008 - New Limits on Coupling of Fundamental Constants to Gravity Using 87Sr ... School of Physics, The University of New South Wales, Sydney, New South .... 1 (color online). .... edited by G.W.F. Drake (Springer, New York, 2005),.

pdf-1499\fundamental-performance-limits-in-cross-layer-wireless ...
... the apps below to open or edit this item. pdf-1499\fundamental-performance-limits-in-cross-lay ... and-energy-foundations-and-trendsr-in-communicat.pdf.

FINITE FIELDS Contents 1. Finite fields 1 2. Direct limits of fields 5 ...
5. References. 6. 1. Finite fields. Suppose that F is a finite field and consider the canonical homomorphism. Z → F. Since F is a field its kernel is a prime ideal of Z ...

Fundamental tone of minimal hypersurfaces with finite ...
Seo Journal of Inequalities and Applications (2016) 2016:127 .... mark that the finite index condition can be omitted, since the finiteness of the L norm.

On the Information Theoretic Limits of Learning Ising ...
IIS-1320894, IIS-1447574, and DMS-1264033. K.S. and A.D. acknowledge the support of NSF via. CCF 1422549, 1344364, 1344179 and DARPA ... lower bounds for distributed statistical estimation with communication constraints. In Ad- vances in Neural Infor

Information-Theoretic Limits of Dense Underwater ...
Research Laboratory of Electronics, Massachusetts Institute of Technology, Cambridge, MA 02139, USA. 4. ECE Department, Northeastern ... sum throughput in large-scale wireless radio networks. They showed that the total throughput ... underwater syste

Product-Use Information and the Limits of Voluntary ...
Jan 31, 2012 - American Law and Economics Review V0 N0 2012 (1–36) by guest on January ...... vide information on proper care (16 C.F.R. § 423). The FDA ...

Computation of Information Rates from Finite-State ... - ETH Zürich
[email protected]. Hans-Andrea Loeliger [email protected]. Pascal O. Vontobel [email protected]. Signal & Information Proc. Lab. (ISI). ETH Zentrum. CH-8092 Zürich, Switzerland. Allerton 2002. Abstract. It has recently become feasibl

Campaign Limits
regulation ranging from information and disclosure requirements to limits on campaign contribu- tions and/or ... addition, few countries provide information on the characteristics and campaign spending of both ...... that are correlated with our poli

Quantity Freeze Limits for Indices - NSE
Feb 28, 2018 - ... file available on extranet path faoftp/faocommon before trading on March 01, 2018. Details of quantity freeze in respect of each underlying shall be available on the website. For and on behalf of. National Stock Exchange of India L

Requests for exemption from position limits for ... - Bourse de Montréal
Jun 16, 2011 - P.O. Box 61, 800 Victoria Square, Montréal, Quebec H4Z 1A9. Telephone: (514) 871-2424. Toll-free within Canada and the U.S.A.: 1 800 361-5353. Website: www .... services and to goods that are physically deliverable or that are, at some

Fundamental C++ for Java Programmers
certain that it was well up to the task, as long as I used a carefully chosen subset .... told, OS X on an Apple Mac). The main text of this book will assume that you are using MinGW Developer ..... C# is superficially even closer to C++ (the similar

Limits and Continuity
Sep 2, 2014 - Secant to a Curve. A line through two points on a curve is a secant to the curve. Marjorie Lee Browne. (1914–1979). When Marjorie Browne.