Shannon-Limit Approached Information Reconciliation for Quantum Key Distribution

Information reconciliation (IR) corrects the errors in sifted keys and ensures the correctness of quantum key distribution (QKD) systems. Polar codes-based IR schemes can achieve high reconciliation efficiency, however, the incidental high frame error rate decreases the secure key rate of QKD systems. In this article, we propose a Shannon-limit approached (SLA) IR scheme, which mainly contains two phases: the forward reconciliation phase and the acknowledgment reconciliation phase. In the forward reconciliation phase, the sifted key is divided into sub-blocks and performed with the improved block checked successive cancellation list (BC-SCL) decoder of polar codes. Afterwards, only the failure corrected sub-blocks perform the additional acknowledgment reconciliation phase, which decreases the frame error rate of the SLA IR scheme. The experimental results show that the overall failure probability of SLA IR scheme is decreased to $10^{-8}$ and the efficiency is improved to 1.091 with the IR block length of 128Mb. Furthermore, the efficiency of the proposed SLA IR scheme is 1.055, approached to Shannon-limit, when quantum bit error rate is 0.02 and the input scale of 1Gb, which is hundred times larger than the state-of-art implemented polar codes-based IR schemes.


Introduction
Quantum key distribution (QKD), can generate information-theoretical secure keys between distant communication parties (Alice and Bob) [1][2][3]. Assume the sifted keys are K A s and K B s with length of n in both sides (Alice and Bob) after the quantum physical communication phase, K A s = K B s with the quantum bit error rate (QBER) E µ , which introduced by imperfect implementations of QKD systems and potential attacks.
Information reconciliation (IR), a critical procedure of the post-processing phase in QKD systems, aims at reconciling K A s and K B s to an equally weak secure key K IR , by exchanging the minimized extra syndrome information [1,4,5]. IR ensures the correctness of QKD systems and is the precondition to generate the final secure keys.
Initially, IR procedure is implemented performing interactive methods known as BBBSS [5,6] and Cascade [7]. Though high efficiency achieved by several improvements of Cascade algorithms, multiple rounds of communication are still required, resulting in significant heavy latency and authentication cost of QKD systems. Nowadays, IR is performed with forward error correction (FEC) codes, such as low-density paritycheck (LDPC) codes [8,9] and polar codes [10][11][12], where only one message contains a syndrome is exchanged between Alice and Bob, called as one-way IR scheme. Recently, most IR research focuses on performing with polar codes, for the advantage of the low computational complexity O(n log n) and high efficiency with potential to reach the Shannon limit, when the block size of a sifted key becomes as large as possible [13][14][15].
Though several improvements of polar decoders achieves higher IR efficiency with certain input scale (∼ 10 6 bits), the correctness of QKD systems ε is increased to the level of 10 −3 [10][11][12]16]. The state-of-art efficiency of polar codes-based IR scheme, reaches to 1.176 with the input block size of 1 Mb when E µ = 0.02, while ε still stays to 0.001 [11]. Actually, ε should be decreased as low as possible (usually < 10 −6 ), when performing polar codes into the IR procedure of QKD systems. Therefore, in this article, we propose a Shannon-limit approached (SLA) IR scheme performing improved polar codes, which mainly composes of a forward reconciliation phase and an acknowledgment reconciliation phase. In the forward reconciliation procedure, a novel block checked successive cancellation list (BC-SCL) decoder was proposed to reduce the ε-correctness and error sub-blocks by remaining the successfully decoded sub-blocks with cyclic redundancy check (CRC) values in advance. Meanwhile, existed errors in sub-blocks after the forward reconciliation procedure, can be found by calculating the CRC values. For failure corrected sub-blocks, an additional acknowledgment reconciliation procedure is performed to decrease the ε to the desired level. Finally, the corrected key K IR is achieved. The experimental results show that our SLA IR scheme achieves correctness ε to 10 −8 and the reconciliation efficiency is better than 1.091 while the input block size is 128 Mb. In principle, the efficiency and the SLA IR scheme can close to the Shannon-limit as the block length increases as large as possible. We achieved an efficiency of 1.055 with the E µ = 0.02, when the input scale of SLA IR is increased to 1 Gb. Meanwhile, our SLA IR scheme with large-scale block size will benefit a lot in performing the rigorous statistical fluctuation analysis to remove the finite-size key effects [17,18] on the final secure key. Thus, SLA IR scheme can be efficiently implemented in practical QKD systems.

Information Reconciliation
Information reconciliation (IR), as the critical post-processing procedure of QKD systems, corrects the errors in the sifted keys introduced by the implementation imperfectness and various attacks [1,19,20], so as to ensure the correctness of QKD systems [21]. Assume the sifted key is K A s (K B s ) with length of n on Alice's (Bob's) side, the quantum bit error rate (QBER) is E µ , the error corrected key is K A IR and K B IR , then the ε−correctness is equivalent to the requirement that the outputs of IR procedure, K A IR and K B IR , differ only with small probability [21], Assume the key information learned by eavesdroppers is S, then the reconciliation efficiency is defined as where H 2 (x) is the binary Shannon entropy, calculated by The average yield of IR scheme is given by

Polar codes-based IR schemes
Given any binary-input discrete memoryless channel (B-DMC), E. Arikan first proposed a Shannon limit approached information reconciliation scheme with complexity O (N log N ), named as polar codes in 2009 [13,14]. In 2014, P. Jouguet and S. Kunz-Jacques performed the polar codes in the IR procedure in QKD systems, furthermore, they showed that polar codes have an equivalent efficiency below 1.12 for given upper bound ε = 0.1 and block length starting from 64 Kb to 16 Mb [10]. Afterwards, A. Nakassis and A. Mink described flexible polar codes-based IR approaches for QKD systems and showed the potential to approach to the Shannon limit with a more efficient decoder when the location and values of the frozen bits were known at the design time [12]. S. Yan et al. improved the polar codes-based IR scheme with successive cancellation list (SCL) decoding and optimized coding structures, which decreased the ε to the level of 10 −3 and the equivalent efficiency reached to 1.176 [11]. The detailed performance of above IR schemes is described in Table.1.

Shannon-limit approached IR scheme
In principle, lower ε and Shannon-limit f of polar codes-based IR schemes can be approached with increased input block size and improved decoders [22][23][24][25][26][27][28][29]. Moreover, IR schemes with large-scale input block size benefit much in performing the rigorous statistical fluctuation analysis to remove the finite-size key effects on the final secure keys. However, ε of state-of-art polar codes-based IR schemes still stays on the level of 10 −3 , which reduces the final secure key rates of QKD systems.
In this article, we propose an improved Shannon-limit approached (SLA) IR scheme for QKD, and the schematic diagram is shown in Fig. 1. The proposed SLA IR scheme mainly contains two phases: the forward reconciliation phase and the acknowledgment reconciliation phase. In the forward reconciliation phase, Alice constructs the encoding vector U with true random numbers and the optimal frozen vector V , chosen from the frozen vector library with the quantum bit error rate E µ . Then, Alice calculates the syndrome Z of K A

Forward Reconciliation
Before Alice and Bob start the SLA IR scheme, optimized multi-rate frozen vectors of polar codes and parity-check matrix of LDPC codes are shared between each other.
First of all, Alice and Bob will calculate the required CRC length d and choose the appropriate number of sub-blocks m to achieve expected correctness ε. Given E µ , Alice selects the optimized frozen vector V of polar codes, where frozen bits are set to "0" and the rest are set to "-1". Then, k bits of true random numbers are used to replace the elements of V , whose value equals to "-1", marked as the vector U . Then, split U to m sub-blocks with length n = n/m. For each sub-block U i , i ∈ [0, m) and i ∈ N, calculate the CRC tag value T i = CRC (U i ) and combined to T , T = (T 0 |T 1 | . . . |T m−1 ).
Meanwhile, the vector U is encoded to Z by where G n is the bit-reversal invariant matrix, defined as G n = BF ⊗ log n , B is the permutation matrix At Bob's side, with Bob's sifted key K B s , received T and Z, we can get the decoded vector U with failure probability ε f by performing our improved novel block checked (BC) SCL decoder, detailed described in Section 3.3. Additionally, a status vector σ also given for indicating which sub-block U i is failure decoded.
Each element of σ is defined as Thus, in total r sub-blocks are failure decoded, r = σ i . The position vector of these failure corrected sub-blocks is defined as E

Acknowledgment Reconciliation
After the forward reconciliation phase, we have to perform the acknowledgment reconciliation phase to correct the remained errors in partial sub-blocks.
Here, Bob distinguishes two cases according to the value of r.
Case I. If r = 0, Bob performs the permutation operation to K B s , then, divide Y to m sub-blocks with length n = n/m. Then Bob calculates the syndrome S from Y E by performing the LDPC encoding scheme with chosen optimized parity- Then, Bob sends σ and S to Alice. Alice performs the bit-reversal operation to K A s , then divide X into m sub-blocks with length n = n/m. Alice corrects the error bits in X E with S , In the end of acknowledgment reconciliation phase, Bob gets the error corrected key K B IR with failure probability ε, whose i-th sub-block can be represented by Alice performs similar procedure shown in equation (9) to the identical and weak secure key K A IR . Case II. If r = 0, Bob sets S = Ø. Then, σ and S are transmitted to Alice. Afterwards, Alice and Bob gets K A IR = U and K B IR = U as the error corrected key, respectively.

Block Checked SCL Decoder
In the article, we improve the successive cancellation list (SCL) decoder to reduce the ε-correctness by performing cyclic redundancy check (CRC) to divided sub-blocks, called as block checked (BC) SCL decoder [22].
In the BC-SCL decoder, we assume the list size is l, P is the list of decoded vectors, P ∈ P with length of n, P k j is a sub-vector of P ∈ P , where P k j = [P[j], · · · , P[k]], 0 ≤ j ≤ k < n and the outcome of the decoder is U which can be split into the sub-blocks U i of length n , 0 ≤ i < m. Definition 1. M(P, i) is the path metric of the decoded vector P i 0 , calculated as [30] M (P, i) = − ln Pr where i ∈ [0, n).   if v in +j = −1 then Fork(P, in + j) 6: Prune (P, in + j, l)

Performance of the SLA IR scheme
Let W i be the corresponding bit-channel of polar codes performed in our forward reconciliation phase of the SLA IR scheme, P e (W i ) is the probability of error on the ith bit-channel, where i = 0, 1, · · · , n − 1. The union upper bound of correctness ε f of forward reconciliation phase is estimated as [31] Then, we analyze the total correctness of the SLA IR scheme in two cases.
Case I. r = 0. In this case, the total correctness ε I can be calculated as where ε a is the failure probability of the acknowledgment reconciliation phase and 1 − 1 − l 2 d m−i is the probability of error on i sub-blocks which passed the CRC check in the forward reconciliation phase.
Case II. r = 0. In this case, all outcome sub-blocks of the BC-SCL decoder will pass the CRC check in the forward reconciliation phase, and the total correctness ε II can be calculated as Thus, the total correctness ε of SLA IR scheme can be calculated as With optimized construction of polar codes and LDPC codes [8,31], we set ε a ≤ 10 −6 and ε f ≤ 10 −2 .
The analyzed results of ε versus d of the SLA IR scheme is shown in Fig. 2, according to equation (14), here l = 16, m = 1, 8, 32, 128 and d ≥ log 2 l. As shown in Fig. 2, the value of ε becomes higher with larger m and approaches to the lower bound of 10 −8 when d ≥ 36.
Assume P U j is error probability of the decoded sub-block in the forward reconciliation and the error probability threshold of a sub-block is , where j = 0, 1, · · · , m − 1. Thus, the upper bound of P U j can be estimated by P e (W i ) as and the upper bound of the decoded sub-blocks with error bits in forward reconciliation r can be estimated as With the implementation of upgrading and degrading channel construction of polar codes [31,32], the upper bound of P e (W j ) is calculated, and the estimated upper bound of r is shown in Fig.3 with different m when = 10 −3 , E µ = 0.02, d = 32 and md < nH(E µ ). Assume the efficiency of polar codes as f I , the efficiency of the LDPC codes as f II . After the acknowledgment reconciliation, the total efficiency of SLA IR scheme is where md is the upper bound of leaked information to Eve from the transmitted CRC tag values, extra m bits information may leaked to Eve from the vector σ and ε f rn f II H 2 (E µ ) is the syndrome information leaked in the acknowledgment reconciliation.
In the proposed SLA IR scheme, we divide the error correction block to m sub blocks, which will increase the overall efficiency. Without block partition strategy, we have m = 1 and the efficiency f m=1 can be calculated as Thus, given the fixed f I , the increased efficiency yield Y(m) of SLA IR scheme with divide the error correction block into m sub blocks can be calculated as The estimation results of Y(m) are shown in Fig.4, where E µ = 0.02, m = 32. The yield of efficiency increases as block length and ε f increase and approaches to 0.01 when ε f equals 0.1 and block length is larger Figure 3: The upper bound of r with different m when QBER is 0.02 and md < nH(E µ ) than 10 8 . According to equation (4), the yield of efficiency will lead to higher final secure key rates of QKD systems.

Results
We     resulting the efficiency of 1.055 and ε f less than 10 −2 . As we shown, performance of polar codes-based IR schemes can be improved by increasing the block lengths, however, the implementation of large-scale decoders will result in huge computational complexity, which may destroys the system availability. Therefore, with limited block lengths, our SLA IR scheme can be performed to further improve both the reconciliation efficiency and the correctness of QKD systems.

Conclusion
In this article, we propose a Shannon-limit approached (SLA) information reconciliation (IR) scheme based on polar codes in quantum key distribution systems, which achieves high reconciliation efficiency and decreases the overall IR failure probability to 10 −8 . The proposed SLA IR scheme mainly consists of two phase: the forward reconciliation phase and the acknowledgment reconciliation phase. In the forward reconciliation phase, the sifted key is divided into sub-blocks and performed with the improved block checked successive cancellation list (BC-SCL) decoder, where errors can be efficient located and corrected in each sub-block.
Afterwards, the additional acknowledgment reconciliation phase is performed to the failure corrected subblocks. The experimental results show that the overall failure probability of SLA IR scheme is decreased to 10 −8 and the efficiency is improved to 1.091 with the IR block length of 128 Mb. Therefore, with limited block lengths, our SLA IR scheme can be performed to further improve both the reconciliation efficiency and the correctness of QKD systems. The SLA IR scheme achieves the efficiency of 1.055 with quantum bit error rate of 0.02, when the input scale length increased to 1 Gb, which is hundred times larger than the state-of-art implemented polar codes-based IR schemes.