
CASCADE: the post-processing algorithm

As discussed in Section 2.3, a post-processing algorithm based on CASCADE [14] has been realised as part of this thesis. Details as well as the source code can be found in the master thesis of Robert Riemann [175]; the code can also be downloaded publicly (www.physik.hu-berlin.de/de/nano). Here, a brief summary of the most important ideas and their implementation is given.

5.3.1 Error correction

Error correction codes have three important characteristics [14]: an error correction code can be (i) robust, (ii) optimal and (iii) efficient.

(i) An error correction code R being ε-robust with ε ∈ [0,1] expresses its probability of successfully reconciling two strings A and B of length n, thus producing a secret message S while exchanging the information E over the public channel. The process is written R(A, B) = (S, E). An ε-robust code fulfills

$$(\exists N_0(\epsilon))\,(\forall n \ge N_0(\epsilon)) \quad \sum_{\alpha,\beta \in \{0,1\}^n} \mathrm{prob}(A=\alpha, B=\beta)\cdot \mathrm{prob}\big(R(\alpha,\beta) = [\perp,\cdot]\big) \le \epsilon ,$$

where ⊥ indicates a failed run that produced no secret key.

(ii) An optimal code is an ε-robust code that does not exchange more information than necessary, given an error probability p of each bit of B with respect to the original A:

$$\lim_{n\to\infty} \frac{I_E(S|E)}{n\,h(p)} = 1 + \zeta \qquad (95)$$

with $I_E(S|E)$ being the information Eve has on S given E and h the binary entropy function. If a code is optimal, then ζ = 0.

(iii) The efficiency of an error correction code concerns its run time: if there exists a polynomial $t(n)$ such that $\bar{T}(n) < t(n)$ for sufficiently large n, where $\bar{T}(n)$ is the expected run time of R on messages of length n, the code R is said to be efficient.

An ideal code is one that is both optimal and efficient. Unfortunately, no suitable ideal codes for QKD are known. The resort are so-called almost ideal codes: ε-robust and efficient codes with ζ > 0.

Such a code is realised in the CASCADE protocol. The realisation presented here works with parities of blocks of bits; the parity of a block is the sum of its bits modulo 2, i.e. the XOR of these bits. CASCADE proceeds as follows. First, an error estimation is done by taking 2% of the sifted key and comparing it publicly. From the estimate, a suitable initial block size k1 for comparing parities between Alice and Bob is chosen such that on average there is at most one error per block; this matters because a parity check cannot reveal an even number of errors. Alice's parity is the reference to which Bob's has to agree. If the parity check on a block shows a disagreement, an error-finding routine called Binary is started: it successively subdivides the block into blocks of half the previous length and compares parities until the erroneous bit is found and flipped. Then the block size is doubled, as it is right away if the parities of the initial block match. To detect an even number of errors that went undetected before, the bit order is randomised every time the block size is doubled. If an error is found and corrected in a larger block, the original (smaller) block containing that bit is checked again, so that a previously even number of errors in it can now be detected; the same is done with the block of doubled size for the same reason.

Every time the parities of two blocks match, the block size is doubled until a final predetermined block size is reached. Then the error correction is terminated. The scheme of the algorithm is shown in Figure 27.

[Figure 27 (flowchart): Error estimation → Determination of k1 → Choose sorting for k1 → Parity check → "Found corrupt blocks?" (yes: Binary correction, then "Used block size k1?", no: Reset to block size k1 and check again) → "Final block size reached?" (no: Double block size and choose a new sorting; yes: Protocol finished).]

Figure 27: The error correction code based on CASCADE. Taken from [175].
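The procedure above as a runnable illustration. This is an added example, not the thesis software of [175] and not a complete CASCADE implementation: it reconciles a list of bits with Binary and the cascading re-checks, counts every public parity exchange, and picks k1 ≈ 0.73/Q, a constant taken from Brassard and Salvail rather than from this page. The first demo traces the case the text describes: two errors in the same first-pass block are invisible to the parity check, the second pass separates them, and the correction cascades back into the first-pass block. The second demo runs the estimation, drops the sampled bits, and continues until one block spans the whole string, so that any residual error count is necessarily even. Function names, the constructed bit strings and the seeds are assumptions made here.

```python
import random


def parity(bits, idxs):
    """Parity of the bits at positions idxs: their sum modulo 2 (their XOR)."""
    return sum(bits[i] for i in idxs) & 1


class Cascade:
    """Bob corrects his string towards Alice's by block parities. Every parity
    compared with Alice's costs one public bit; `leaked` counts them."""

    def __init__(self, alice, bob):
        self.alice, self.bob = alice, list(bob)   # reference; corrected in place
        self.leaked = 0
        self.history = []                         # blocks of all passes so far

    def parities_differ(self, block):
        self.leaked += 1                          # one public parity exchange
        return parity(self.alice, block) != parity(self.bob, block)

    def binary(self, block):
        """Halve a block whose parities disagree until the odd bit is found."""
        idxs = list(block)
        while len(idxs) > 1:
            half = idxs[:len(idxs) // 2]
            idxs = half if self.parities_differ(half) else idxs[len(idxs) // 2:]
        self.bob[idxs[0]] ^= 1
        return idxs[0]

    def correct(self, block):
        """Fix `block`; a flipped bit toggles the parity of every earlier block
        holding it, so those are re-checked too (the cascade)."""
        queue = [block]
        while queue:
            blk = queue.pop()
            if not self.parities_differ(blk):
                continue                          # even error count: invisible
            j = self.binary(blk)
            for blocks in self.history:
                queue += [b for b in blocks if b is not blk and j in b]

    def run(self, k1, passes, permute):
        """Pass p uses block size k1 * 2**p; from pass 2 on the order is permuted."""
        n = len(self.alice)
        for p in range(passes):
            k = k1 * 2 ** p
            order = list(range(n)) if p == 0 else permute(n, p)
            blocks = [tuple(order[i:i + k]) for i in range(0, n, k)]
            self.history.append(blocks)
            for blk in blocks:
                self.correct(blk)
        return self.bob


def interleave(n, p):
    """Deterministic reordering (even positions first) for the traced demo."""
    return list(range(0, n, 2)) + list(range(1, n, 2))


def estimate_qber(alice, bob, rng, fraction=0.02):
    """Compare a random 2% sample in public; those bits are then dropped."""
    sample = rng.sample(range(len(alice)), max(1, int(fraction * len(alice))))
    return sum(alice[i] != bob[i] for i in sample) / len(sample), set(sample)


def initial_block_size(qber):
    """k1 ~ 0.73/Q is the Brassard-Salvail choice (assumed here), giving at most
    about one error per first-pass block on average."""
    return max(2, int(0.73 / max(qber, 0.01)))


def demo_two_errors_in_one_block():
    """Two errors in one pass-1 block cancel in its parity; pass 2 separates
    them and the correction cascades back into the pass-1 block."""
    alice = [int(b) for b in "1011001110100101"]  # constructed 16-bit sample
    bob = list(alice)
    bob[1] ^= 1
    bob[2] ^= 1                                   # both inside block (0,1,2,3)
    c = Cascade(alice, bob)
    c.run(k1=4, passes=2, permute=interleave)
    return c.bob == alice, c.leaked


def demo_random(n=256, qber=0.05, seed=7):
    """Estimate, drop the sample, then reconcile until one block spans the whole
    string, which makes any residual error count provably even."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    bob = [a ^ int(rng.random() < qber) for a in alice]
    q, sample = estimate_qber(alice, bob, rng)
    alice = [a for i, a in enumerate(alice) if i not in sample]
    bob = [b for i, b in enumerate(bob) if i not in sample]
    before = sum(a != b for a, b in zip(alice, bob))
    k1, passes = initial_block_size(q), 1
    while k1 * 2 ** (passes - 1) < len(alice):
        passes += 1
    c = Cascade(alice, bob)
    c.run(k1, passes, lambda n, p: rng.sample(range(n), n))  # random reorder
    after = sum(a != b for a, b in zip(alice, c.bob))
    return before, after, c.leaked
```

Every call to `parities_differ` is one bit sent over the public channel, so `leaked` is the quantity privacy amplification later has to subtract from the key. The reordering must be agreed between Alice and Bob (here derived from a shared seed), since both sides have to form identical blocks; an ordinary Cascade run with a fixed number of passes gives no guarantee that zero errors remain, which is why `demo_random` reports the residual count instead of assuming it.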

5.3.2 Privacy amplification

Privacy amplification is supposed to remove the information Eve has on the key, both from eavesdropping on the quantum channel and from the information disclosed during error correction. For single-photon BB84 this information $I_E$ can be quantified (cf. Equation 85) as

$$t = f(Q)\cdot n\cdot h(Q) + n\cdot h(Q),$$

with the first term the information disclosed by the error correction and the second Eve's information from the channel; these t bits have to be subtracted from the sifted key. This is accomplished by compression functions g chosen at random from a set of functions G:

$$g : \{0,1\}^n \to \{0,1\}^r, \qquad r = n - t - s \qquad (96)$$

where n is the sifted key length (see Section 2.3 for the concept of sifting) and s is a security parameter. It can be shown [15] that Eve's expected knowledge of the resulting bit string K is bounded by $2^{-s}/\ln 2$ bits, even if Eve learns the compression function (after the quantum transmission), provided g belongs to a so-called universal₂ class of hash functions [40].

A possible set of functions fulfilling this requirement is

$$\mathcal{H} = \{\, g_c : x \mapsto (c\cdot x) \bmod 2^r \in \{0,1\}^r \;\big|\; x, c \in \{0,1\}^r,\ c \text{ odd} \,\} \qquad (97)$$

This set of functions is practical to implement in software and hardware and has another advantage: the odd random number c can be taken from Alice's and Bob's basis choices, which are truly random and communicated only after the quantum transmission [15].

5.3.3 Authentication

All public communication steps, beginning with sifting, have to be authenticated. The underlying principle is to build a checksum, or tag, out of the message to be authenticated and a private random key, which serves as a signature that only the holders of the key can produce. If the receiver possesses the same private random key, he can verify the tag. It is important to use an efficient authentication scheme which consumes as few bits of the private key as possible. This is fulfilled by a scheme proposed by Wegman and Carter [120] in which universal₂ hash functions are used. The scheme is depicted in Figure 28. The compression function used in every step of the scheme is the same as for privacy amplification above, only adapted to the length of the message block to be compressed and of the resulting token. It could be shown that the scheme consumes only O(log a) private key bits for authenticating a message of a bits, as opposed to O(a) for other schemes.

[Figure 28 (tree diagram): the message blocks are compressed with SU2 (strongly universal₂) functions keyed by k1, the results pairwise with k2, then k3 and k4, down to the tag; a zero block pads an odd number of blocks. Labels: Message, Tag, a (message length), 2s (block length).]

Figure 28: The authentication scheme. The message to be authenticated is split into parts of length 2s with s = b + log2 log2 a, where b is the length of the authentication token and a the length of the message. If necessary, zero-padding is added. The blocks of length 2s are then all compressed to length s using the appropriate function defined by the secret key k1. Two resulting blocks are then concatenated and again compressed using a new key k2. This is continued until a block of length s remains. The authentication tag is then simply the lower order b bits of this block. Taken from [15].

A typical scenario: an adversary has intercepted one message and the corresponding token and now tries to pass his own message to the designated receiver with a token guessed from this knowledge. It can be shown that the probability $p_{\text{guess}}$ for the adversary to guess the token of size b correctly is [120]

$$p_{\text{guess}} < \frac{2}{2^{b}} = \frac{1}{2^{b-1}}. \qquad (98)$$
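To make Equations (96) to (98) concrete, an added example (not the thesis software and not code from [15] or [120]) applies the multiplicative hash both as the privacy amplification compression and as the per-level compression of the Wegman-Carter tree of Figure 28. Two deviations from the page are assumptions made here and marked in the code: (c·x) mod 2^r as written in Equation (97) depends only on the lowest r bits of x, so the code keeps the r highest-order bits of (c·x) mod 2^n (the multiply-shift form) instead; and log2 log2 a is rounded up to an integer. The bits to remove are taken as t = n h(Q) + f(Q) n h(Q) with f(Q) passed in as a parameter. The sifted key, the message, f(Q) = 1.16, s = 8 and b = 32 are constructed values, and the seeded generator stands in for real key material.

```python
import math
import random


def bits_to_int(bits):
    """Big-endian integer of a bit list (bits[0] is the most significant bit)."""
    v = 0
    for b in bits:
        v = (v << 1) | (b & 1)
    return v


def binary_entropy(q):
    return 0.0 if q <= 0 or q >= 1 else -q * math.log2(q) - (1 - q) * math.log2(1 - q)


def universal_compress(x, c, n, r):
    """Compress an n-bit x to r bits with a secret odd n-bit multiplier c.
    Eq. (97) writes (c*x) mod 2^r, which depends only on the lowest r bits of x;
    this keeps the r high-order bits of (c*x) mod 2^n instead (multiply-shift,
    an assumption made here rather than the page's literal formula)."""
    assert c & 1 and 0 < r <= n and x < (1 << n) and c < (1 << n)
    return ((c * x) & ((1 << n) - 1)) >> (n - r)


def random_odd(nbits, rng):
    """Odd multiplier of nbits bits; real keys come from key material, not a PRNG."""
    return rng.getrandbits(nbits) | 1


def privacy_amplify(sifted_bits, qber, f_ec, s, c):
    """Eq. (96): shrink an n-bit sifted key to r = n - t - s bits, with
    t = n*h(Q) + f(Q)*n*h(Q) the bits Eve may know (channel + error correction).
    Returns (compressed key as int, r)."""
    n = len(sifted_bits)
    t = math.ceil(n * binary_entropy(qber) * (1 + f_ec))
    r = n - t - s
    if r <= 0:
        raise ValueError("nothing secure left: t + s >= n")
    return universal_compress(bits_to_int(sifted_bits), c, n, r), r


def tag_parameters(a, b):
    """Block length s = b + log2 log2 a (rounded up, an assumption) and the number
    of hashing levels for an a-bit message and b-bit tag; keys needed = levels."""
    assert a >= 2
    s = b + math.ceil(math.log2(math.log2(a)))
    chunks = math.ceil(a / (2 * s))
    return s, 1 + math.ceil(math.log2(chunks))


def wegman_carter_tag(msg_bits, level_keys, b):
    """Figure 28: 2s-bit chunks -> s bits with k1, pairs -> s bits with k2, ...
    until one s-bit block remains; the tag is its lowest b bits.
    Returns (tag, private key bits consumed)."""
    a = len(msg_bits)
    s, levels = tag_parameters(a, b)
    assert len(level_keys) >= levels, "one fresh odd 2s-bit key per level"
    chunk = 2 * s
    padded = list(msg_bits) + [0] * (-a % chunk)             # zero-padding
    blocks = [bits_to_int(padded[i:i + chunk]) for i in range(0, len(padded), chunk)]
    blocks = [universal_compress(x, level_keys[0], chunk, s) for x in blocks]
    level = 1
    while len(blocks) > 1:
        if len(blocks) % 2:
            blocks.append(0)                                   # the "0" leaf in Figure 28
        blocks = [universal_compress((blocks[i] << s) | blocks[i + 1], level_keys[level], chunk, s)
                  for i in range(0, len(blocks), 2)]
        level += 1
    return blocks[0] & ((1 << b) - 1), levels * chunk


def demo():
    rng = random.Random(3)                                     # stand-in for key material
    sifted = [(i * 7 + 3) % 5 % 2 for i in range(64)]          # constructed 64-bit sifted key
    key, r = privacy_amplify(sifted, qber=0.05, f_ec=1.16, s=8, c=random_odd(64, rng))
    msg = [(i * i) % 7 % 2 for i in range(300)]                # constructed 300-bit message
    s, levels = tag_parameters(len(msg), 32)
    keys = [random_odd(2 * s, rng) for _ in range(levels)]     # k1 .. k_levels
    tag, used = wegman_carter_tag(msg, keys, 32)
    same = wegman_carter_tag(msg, keys, 32)[0] == tag           # receiver's verification
    return r, key, tag, used, same
```

For the 300-bit message and a 32-bit tag the tree needs s = 36, four levels and therefore four keys of 72 bits (288 private key bits in total); doubling the message adds one level, which is the O(log a) behaviour the text refers to. The keys must never be reused for a second message, since Equation (98) only holds for one tag per key set.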

The software is implemented in C++ using the cross-platform application framework Qt 4.7.4 provided by the Qt Project (http://qt-project.org). It is thus applicable on all major desktop platforms. Even though this experiment is controlled by a single FPGA and thus there are no separate senders and receivers, the whole program is realised as two separate units for Alice and Bob which could be run on different platforms and communicate via TCP/IP. More details can be found in [175].