Method for decoupling error correction from privacy amplification

In a standard quantum key distribution (QKD) scheme such as BB84, two procedures, error correction and privacy amplification, are applied to extract a final secure key from a raw key generated from quantum transmission. To simplify the study of protocols, it is commonly assumed that the two procedures can be decoupled from each other. While such a decoupling assumption may be valid for individual attacks, it is actually unproven in the context of ultimate or unconditional security, which is the Holy Grail of quantum cryptography. In particular, this means that the application of standard efficient two-way error-correction protocols like Cascade is not proven to be unconditionally secure. Here, I provide the first proof of such a decoupling principle in the context of unconditional security. The method requires Alice and Bob to share some initial secret string and use it to encrypt their communications in the error correction stage using one-time-pad encryption. Consequently, I prove the unconditional security of the interactive Cascade protocol proposed by Brassard and Salvail for error correction and modified by one-time-pad encryption of the error syndrome, followed by the random matrix protocol for privacy amplification. This is an efficient protocol in terms of both computational power and key generation rate. My proof uses the entanglement purification approach to security proofs of QKD. The proof applies to all adaptive symmetric methods for error correction, which cover all existing methods proposed for BB84. In terms of the net key generation rate, the new method is as efficient as the standard Shor-Preskill proof.

As an application of the proposed method, I consider a rather general class of classical error correction methods, the so-called symmetric stabilizer-based schemes, which may involve either one-way or two-way classical communications. I show that any symmetric stabilizer-based scheme can be modified and subsequently combined with any symmetric stabilizer-based privacy amplification procedure into an unconditionally secure protocol for QKD. This means that one can study the two processes, error correction and privacy amplification, independently. Such a decoupling of error correction from privacy amplification allows one to simplify the analysis of the security of a general error correction scheme.
As an application, I prove the unconditional security of a modified version of the Cascade scheme [12] for error correction invented by Brassard and Salvail, (followed by, for example, a random hashing procedure for privacy amplification [6]). This is the first time such a computationally efficient scheme has been proven to be secure. Therefore, the result is of practical interest.
Finally, note that the proposed method can be employed as a sub-routine in concatenated entanglement purification procedures, including those involving two-way classical communications, as studied by [13] and those involving degenerate codes [14].

II. MOTIVATION
A key motivation of this work is to provide a rigorous proof of security of interactive protocols for error correction in QKD. Let me explain in detail. In QKD, one often has to perform error correction at a rather high bit error rate of, say, a few percent, which is much higher than the typical value of, say, 10^{-5} in conventional communications. Moreover, one would like the key generation rate to remain high. As a rule of thumb, the fewer bits are exchanged between Alice and Bob, the higher the key generation rate. Furthermore, one would like to implement a QKD scheme efficiently, that is to say, with a minimal amount of computational power. In a general implementation of QKD, it is a highly complex question which trade-off between the various parameters (tolerable error rate, key generation rate, computational power) is the best.
Forward error correction is commonly employed in conventional communications and works efficiently at low error rates. Unfortunately, QKD has a high bit error rate. If forward error correction is employed in QKD, a very large block size of order 10^5 would probably be needed. This translates to a large amount of computing power. Two-way communications between Alice and Bob are useful in reducing the required computing power for error correction. In the literature, several interactive protocols such as "BBBSS" [15] and "Cascade" [12] have been proposed for error correction in QKD. The Cascade protocol, invented by Brassard and Salvail, for instance, has the advantages of being computationally highly efficient and also being one of the best methods in minimizing the number of exchanged bits between Alice and Bob. It works very well at a bit error rate of a few percent. Therefore, Cascade is well suited for implementations. Unfortunately, up till now, a proof of unconditional security of a QKD scheme based on Cascade (and followed by, for example, the standard Shor-Preskill [8] or Mayers [6] privacy amplification procedure) has been missing. A key contribution of this paper is to provide such a proof. The proof of security applies not only to Cascade, but to any (interactive or non-interactive) protocol for error correction in QKD that is based on parity computations.
Another motivation for this work is to demonstrate the decoupling of error correction from privacy amplification. On the conceptual level, a QKD scheme consists of several steps: "advantage distillation" [16], error correction and privacy amplification. Entanglement purification has recently been proposed by Shor and Preskill [8] as a useful framework for dealing with BB84. The work of Shor and Preskill built on earlier work in [7] and has been subsequently extended in [13] to protocols involving two-way communications and in [14] to the six-state [17] QKD scheme.
Nonetheless, an important constraint remains in those works: The measurement operators employed by Alice and Bob must commute locally. This local commutability constraint ensures that those observables are simultaneous observables. Therefore, the measurement of one observable does not introduce any "back-reaction" to the measurement of any other observables. Such a local commutability constraint means that in analyzing QKD, one has to study both error correction and privacy amplification together and ensure that the observables that Alice and Bob measure do commute locally. Therefore, this constraint complicates the analysis.
Analysis of QKD protocols would be greatly simplified if one could divide the procedure into different components and analyze each component independently. A main contribution of this paper is to show that such a decoupling is, in fact, possible for error correction and privacy amplification. The upshot is that one can study error correction and pick the best scheme that one can find. Then, one studies privacy amplification and picks the best scheme that one can find. Finally, one puts the two together and the composite will remain good. This result is reminiscent of the decoupling of source coding from error correction in classical coding theory.

III. BB84
The best-known QKD scheme is BB84, in which the sender, Alice, prepares and sends to the receiver, Bob, a sequence of single photons, each randomly in one of the four polarizations: horizontal, vertical, 45 degrees and 135 degrees. Bob then performs a measurement randomly in one of the two polarization bases, rectilinear and diagonal. BB84 is an example of the standard "prepare-and-measure" protocols, which can be executed without quantum computers. Proving the security of BB84 against the most general attack by the eavesdropper, Eve, turned out to be a hard problem.
A. Entanglement purification based QKD
Entanglement purification [3] has become a useful proof technique. Consider the following entanglement purification based QKD scheme. Alice prepares a sequence of, say, 2N EPR pairs and sends half of each pair to Bob. Owing to channel noise and eavesdropping attacks, those pairs will be corrupted. Alice and Bob randomly sample, say, N of their pairs to estimate the error rates in the two bases. If the error rates are too high, they abort. Otherwise, they apply a so-called entanglement purification protocol (EPP) C, which distills from the N remaining impure pairs a smaller number, say m, of almost perfectly entangled EPR pairs. They then measure those pairs to generate a secure key.
First of all, suppose Alice and Bob share m nearly perfect EPR pairs and generate a key by measuring them. The following theorem shows that Eve cannot have much information on the key.

Theorem 1 ( [7])
If a density matrix ρ has high fidelity F to a state of m perfect EPR pairs, and Alice and Bob produce their key by measuring individual qubits of ρ, then with high probability, Alice and Bob have identical m-bit strings k with a uniform distribution, and Eve has essentially no information about k. In fact, if F → 1 exponentially with m, then Eve's information approaches 0 exponentially with m as well.

Definition: Bell basis. Given a pair of qubits, a convenient basis to use is the Bell basis, which has the Bell states as its basis vectors. The Bell states are of the form: and It is convenient to label them by two bits such that:

Definition: N-Bell basis and BDSW notation. Suppose Alice and Bob share N pairs of qubits. A convenient basis to use is the N-Bell basis. That is to say, each basis vector is the tensor product of N Bell-basis vectors. Following Eq. 3, it is convenient to label an N-Bell basis vector by 2N bits. This is the notation employed by Bennett, DiVincenzo, Smolin and Wootters (BDSW) [3].

Definition: Pauli operator. A Pauli operator, P, is defined as a tensor product of single-qubit operators of the form I (the identity), X, Y and Z, where X = 0

Definition: Stabilizer. An Abelian group whose generators are Pauli operators is called a stabilizer group.

Definition: Correlated Pauli strategies. An eavesdropper, Eve, is said to be employing a correlated Pauli strategy if she applies a Pauli operator, P_i, to the quantum signals with some probability p_i.

Definition: Symmetric stabilizer-based EPP. An EPP is called symmetric stabilizer-based if it involves Alice and Bob measuring operators that are the generators of some stabilizer group.
While Eve may use any eavesdropping strategy, the following theorem states essentially that, to consider security, one only needs to consider correlated Pauli strategies.
Theorem 2 (Adapted from [7])
Suppose Alice creates M EPR pairs and sends half of each to Bob. Alice and Bob then test the error rates, p_X and p_Z, along the X and Z bases for randomly chosen disjoint subsets, s_1 and s_2, each of m ≪ M objects. If the error rate is too high, they abort. Otherwise, they perform an EPP C on the remaining N = M − 2m pairs to try to distill out k EPR pairs of high fidelity. Suppose the EPP C can correct up to N(p_X + ε) phase errors and up to N(p_Z + ε) bit-flip errors. Define a Hilbert subspace H_good of the N EPR pairs to be the subspace spanned by N-Bell states with good error patterns (i.e., with up to N(p_X + ε) phase errors and up to N(p_Z + ε) bit-flip errors). Let us denote the projection operator onto H_good by Π. Then we have the following: Given any eavesdropping strategy, S_1, by Eve, there exists a correlated Pauli strategy, S_2, by Eve that will yield exactly the same values of the following two important quantities: (i) P(verification test is passed by the test sample | s_1, s_2) and (ii) tr(Πρ), for all choices of s_1 and s_2.
Sketch of Proof: The "commuting observables" idea in [7] is employed. An eavesdropping strategy is defined by the choice of an ancilla and the unitary transformation on the combined system of the ancilla and the N EPR pairs. Given any eavesdropping strategy S_1 by Eve, let us consider a fixed but arbitrary choice of sampling subsets, s_1 and s_2. Let O_{s_1,s_2} be the observable that determines whether the verification test is passed. Recall that Π is defined as the projection operator onto the good (i.e., correctable) Hilbert space. Consider also W, the observable that gives the 2M-bit string representing the state w in the BDSW notation. Since all the observables, the O_{s_1,s_2}'s, the Π's and W, are simultaneously diagonalizable in the M-Bell basis, they all commute with each other. Therefore, it is mathematically consistent to assign probabilities to the simultaneous eigenvalues of those observables, thus giving rise to the two quantities P(verification test is passed by the test sample | s_1, s_2) and tr(Πρ) for all possible choices of s_1 and s_2. Now, imagine applying a hypothetical measurement of W to Alice and Bob's state before the measurements of the O_{s_1,s_2}'s and Π's. Given that W commutes with the O_{s_1,s_2}'s and Π's, a prior measurement of W in no way affects the outcomes of measurements of the O_{s_1,s_2}'s and Π's. In other words, if Eve pre-measures the state in the N-Bell basis (i.e., measures W), neither the probability of passing the verification test nor the probability of being in the good Hilbert space will be affected by such a prior measurement. However, with such a prior measurement, Eve has reduced her eavesdropping strategy S_1 to a correlated Pauli strategy, S_2.
Remark: This commuting observables idea applies to all symmetric stabilizer-based EPPs including ones that involve two-way classical communications.
Theorem 2 is telling us that one can treat the two important quantities, i) the probability of passing a verification test and ii) the probability of being in a good Hilbert space, tr(Πρ), as classical. In essence, one can apply classical sampling theory to a quantum problem. Furthermore, tr(Πρ) provides a bound on the fidelity of the corrected EPR pairs:

Theorem 3 ( [8,19])
Consider a stabilizer-based EPP C which distills m EPR pairs from n impure pairs. Suppose C works perfectly in a Hilbert subspace H_good, which is spanned by Bell states with good error patterns (i.e., correctable by C). Denote the projection operator onto H_good by Π. If we apply the EPP C to an initial state ρ, then the fidelity of the recovered state to m EPR pairs is bounded below by Here, ρ_rec. is the recovered state after error correction, and Φ^{(m)} is the m-EPR-pair state.
Proof: This Theorem follows from standard stabilizer quantum error correcting code (QECC) theory. An explicit proof of essentially the same result can be found in [19]. Q.E.D.

B. reduction to BB84 via CSS codes
Because of Theorem 3, EPP based QKD schemes are particularly convenient to analyze. Unfortunately, they are difficult to implement because they generally require Alice and Bob to possess quantum computers. A key insight of Shor and Preskill is to remove the requirement of quantum computers by showing that, in fact, the security of a special class of EPP based QKD schemes implies the security of BB84. More concretely, they considered a special class of quantum error-correcting codes, called Calderbank-Shor-Steane (CSS) [20,21] codes (see below for properties of CSS codes) and proved the following theorem:

Theorem 4 ( [8])
Given an EPP-based QKD scheme that is based on a CSS code and a verification procedure that involves only two bases, its security implies the security of a BB84 scheme.
Remark: Similarly, when the verification procedure involves three bases, an analogous Theorem shows that the security of an EPP-based QKD scheme that is based on a CSS code implies the security of the six-state scheme.
We shall refer the readers to [8,19] for details of the proof of Theorem 4. A CSS code is a stabilizer-based quantum code with generators that are either i) tensor products of identities and Z's only or ii) tensor products of identities and X's only. It has the advantage that the phase and bit-flip error correction procedures are totally decoupled from each other. (See footnote 6.) More concretely, a CSS code is defined as follows: Consider a binary linear classical code C_1 and a subcode C_2 of it. A codeword of the CSS code is an equal superposition of the codewords of C_1 that lie in the same coset of C_2: Note that, if u_1 − u_2 ∈ C_2, then |φ_{u_1}⟩ = |φ_{u_2}⟩. Therefore, the codewords of the CSS code are in one-to-one correspondence with the cosets of C_2 in C_1. Suppose both C_1 and the dual of C_2, C_2^⊥, can correct up to t errors. Then the CSS code based on C_1 and C_2 can correct up to t bit-flip errors and t phase errors.
On reduction from the EPP to BB84, the EPP leaves its mark as an error correction/privacy amplification protocol in the following manner. Alice sends a random quantum state |w⟩ to Bob. Owing to noise in the channel and eavesdropping actions, Bob receives it as a corrupted string w + e. Afterwards, Alice picks a random codeword u ∈ C_1 and broadcasts w + u. Bob subtracts this from his string to obtain u + e. He then corrects the error to obtain u. Finally, he generates the key as the coset u + C_2. Notice that the cosets of a code, say C_2, are in one-to-one correspondence with the error syndromes. Indeed, the value of the key is given by the error syndrome of the subcode C_2 for a codeword in C_1.
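The classical protocol just described can be run end to end on the smallest useful CSS instance. The following Python script is an added illustration, not code from the paper: it takes C_1 to be the [7,4] Hamming code and C_2 its even-weight subcode (which coincides with C_1^⊥, so C_2^⊥ = C_1 also corrects one error), lets Bob recover u from u + e by single-error syndrome decoding, and reads the key off as the coset u + C_2. With these two codes the cosets of C_2 in C_1 are exactly C_2 and C_2 + 1111111, so the one key bit is the parity of u, which is u's syndrome with respect to the single parity check that cuts C_1 down to C_2. The function and variable names are my own choices.

```python
"""Classical shadow of a CSS-code EPP as a BB84 error-correction /
privacy-amplification step, on C_1 = [7,4] Hamming, C_2 = even-weight
subcode of C_1.  Added illustration, not code from the paper."""
import itertools

N = 7
# Parity-check matrix of the [7,4] Hamming code: column j is the binary
# expansion of j+1, so the syndrome of a single error names its position.
H = [[(j + 1) >> b & 1 for j in range(N)] for b in range(3)]


def syndrome(x, check_rows):
    """Syndrome of bit list x with respect to the given check rows (mod 2)."""
    return tuple(sum(r * v for r, v in zip(row, x)) % 2 for row in check_rows)


def codewords(check_rows):
    """All length-N binary words annihilated by the check rows."""
    return [list(x) for x in itertools.product((0, 1), repeat=N)
            if not any(syndrome(x, check_rows))]


C1 = codewords(H)                          # 16 codewords of the Hamming code
C2 = [c for c in C1 if sum(c) % 2 == 0]    # 8 codewords: the even-weight subcode


def dual_contains(code, sub):
    """True iff every word of `sub` is orthogonal to every word of `code`,
    i.e. sub is a subcode of code's dual."""
    return all(sum(a * b for a, b in zip(c, s)) % 2 == 0
               for c in code for s in sub)


def correct_single_error(y):
    """Decode y to the nearest word of C_1 (corrects up to one bit flip)."""
    s = syndrome(y, H)
    pos = sum(bit << b for b, bit in enumerate(s))   # 0 means no error
    y = list(y)
    if pos:
        y[pos - 1] ^= 1
    return y


def key_from_coset(u):
    """Identify the coset of C_2 in C_1 containing u.  Since C_2 is the
    even-weight subcode, that coset is labelled by the parity of u."""
    return sum(u) % 2


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def run_protocol(w, e, u):
    """One round of the classical protocol read off from the CSS-code EPP.
    w: Alice's random 7-bit string (a sifted raw-key block)
    e: channel error pattern, so Bob holds w + e
    u: random codeword of C_1 chosen by Alice
    Returns (alice_key_bit, bob_key_bit, public_broadcast)."""
    bob_raw = xor(w, e)
    broadcast = xor(w, u)                 # the only classical message sent
    bob_noisy = xor(bob_raw, broadcast)   # = u + e
    bob_u = correct_single_error(bob_noisy)
    return key_from_coset(u), key_from_coset(bob_u), broadcast


def all_single_errors_agree():
    """Exhaustive check: for every u in C_1, every w and every error of
    weight at most one, Alice's and Bob's key bits coincide."""
    errors = [[0] * N] + [[int(j == i) for j in range(N)] for i in range(N)]
    for u in C1:
        for e in errors:
            for w in itertools.product((0, 1), repeat=N):
                a, b, _ = run_protocol(list(w), e, u)
                if a != b:
                    return False
    return True


if __name__ == "__main__":
    print("C_1 has", len(C1), "codewords; C_2 has", len(C2))
    print("C_2 lies in C_1^perp:", dual_contains(C1, C2))
    print("keys agree for all single-error patterns:", all_single_errors_agree())
```

The broadcast w + u is the bit-flip error syndrome information the EPP would have exchanged; the phase syndrome is never computed, which is exactly why no quantum computer is needed on the reduced protocol.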
Using CSS codes and Theorem 4, BB84 is proven to be secure up to an error rate of 11 percent. By using two-way classical communications, BB84 can be made secure at a much higher error rate of about 17 percent. (See footnote 7.) This is due to the following theorem by Gottesman and myself [13], which generalizes Theorem 4.

Theorem 5 ( [13])
Let us call such a protocol a reducible protocol. Claim: a reducible protocol can be converted to a standard "prepare-and-measure" QKD scheme with security equal to the EPP-based QKD scheme.

Footnote 6: Applying an operator X to a state will introduce a bit-flip error to the state. Similarly, applying an operator Z to a state will introduce a phase error. Finally, applying an operator Y will lead to both a bit-flip and a phase error. The intuitive reason why an EPP-based QKD scheme can be reduced to BB84 is that Alice and Bob do not need to compute or announce their phase error syndromes. This is because the phase errors do not affect the value of the final key. Roughly speaking, randomizing the state over all possible phase error syndromes, one recovers BB84. In other words, provided that, from Eve's point of view, Alice and Bob could have performed the QKD scheme with quantum computers, the resulting BB84 scheme is secure. Alice and Bob do not really have to use quantum computers.

Footnote 7: Note that it has been shown that BB84 with only one-way classical communications is necessarily insecure at an error rate of about 15% [22,23]. Therefore, this result in [13] shows clearly that BB84 with two-way classical communications is definitely better than BB84 with only one-way classical communications.
Remark: Here, the notation has been slightly abused. By a product of Z's only, I actually mean a product of identities and Z's only. Similarly for X's.
Remark: If the verification stage involves two bases, then the "prepare-and-measure" QKD scheme is BB84. If it involves three bases, then the "prepare-and-measure" QKD scheme is the six-state scheme.
We will refer the readers to [13] for the details of the proof of Theorem 5.

IV. CONSTRAINT ON LOCAL COMMUTABILITY
Theorem 5 is a strong result in QKD. Nonetheless, the constraint 3 in Theorem 5 seriously restricts its applicability. In the EPP picture, the constraint demands that all the local measurement operators that Alice and Bob employ must commute locally with each other. Therefore, one is not at liberty to choose the bit-flip and phase error correction measurement operators independently.
I remark that the local commutability constraint is a big obstacle to the application of Theorem 5 to prove the security of the interactive Cascade scheme [12] for error correction proposed by Brassard and Salvail. Recall that the Cascade protocol involves a binary search subroutine, "BINARY", run by Alice and Bob, which allows them to identify the location of an error. BINARY involves computing the parity of a set, subsequently dividing it into two subsets and computing the parity of each subset, and so on, until the location of the error is found. Note that at the end of BINARY, the size of a subset is reduced to a single object, which means that Alice (and also Bob) has to announce the eigenvalue Z_i of a single qubit at location i (i.e., the i-th qubit). Now, any quantum error correcting procedure that corrects the phase error of the announced bit must contain a measurement operator M with a component X_i on that same i-th qubit. This means that M anti-commutes, rather than commutes, with Z_i. In conclusion, with the Cascade protocol it would be impossible to correct all the phase errors. Therefore, the application of Theorem 5 to the Cascade protocol looks problematic.

A. Using ancillary EPR pairs
To resolve this problem of local non-commutability, notice that a) all symmetric measurement operators, M_i = M_i^A ⊗ M_i^B, do commute globally and b) in many cases, only the relative error syndrome between Alice and Bob is of interest. For instance, in BINARY, Alice and Bob are interested only in whether their corresponding parities agree or disagree, but not in the actual values of the individual parities. A simple method to bring two distant quantum systems together and allow a global operator to be measured is teleportation. To achieve teleportation, some ancillary EPR pairs must be shared by Alice and Bob. This motivates the basic insight of the current paper: to use ancillary EPR pairs to compute the relative error syndrome.
Instead of teleportation, a more efficient way of measuring the global error syndrome will be employed. Here is a main theorem of the current paper.
Theorem 6
Suppose Alice and Bob share a number of impure EPR pairs and they would like to compute r symmetric global operators, each of the form M_i = M_i^A ⊗ M_i^B (as before, symmetric means that M_i^A is the same as M_i^B except that they act on Alice's and Bob's Hilbert spaces respectively), where M_i^A is a Pauli operator. Suppose further that they would like to know only the eigenvalues of the M_i's, but otherwise leave the state unchanged. The claim is that they can do so with r ancillary EPR pairs.

Sketch of Proof: The notation is such that an EPR pair is an eigenstate of ZZ and XX, with eigenvalue +1 for both. Let us call the two qubits of the j-th ancillary EPR pair shared by Alice and Bob A'_j and B'_j respectively. For each operator, Alice measures M_i^A ⊗ Z_{A'_i} and broadcasts her outcome, and Bob measures M_i^B ⊗ Z_{B'_i} and broadcasts his outcome. The relative outcome, the product of the two broadcast outcomes, gives the eigenvalue of the operator M_i (because the state of the ancillary EPR pair gives an eigenvalue +1 for the operator Z_{A'_i} ⊗ Z_{B'_i}). More importantly, by an explicit calculation analogous to the argument in teleportation, one can show that no disturbance to the state is made except for the determination of the eigenvalue of M_i = M_i^A ⊗ M_i^B. Q.E.D.

The above theorem employs a generalization of the so-called breeding method for EPP, studied in [4] (see also [3]). In [3], the breeding method was only mentioned in passing because it had been superseded by the standard hashing method, which can be performed without ancillary EPR pairs. Let me call a general EPP that involves ancillary EPR pairs a generalized breeding protocol/method. In contrast to prior art, here I notice that the generalized breeding protocol is, in general, not reducible to a non-breeding protocol. In fact, it is more powerful because it allows the decoupling of error correction from privacy amplification.
In summary, the decoupling of error correction from privacy amplification is achieved at the price of introducing ancillary EPR pairs shared by Alice and Bob.
I remark that the measurement of M_i^A ⊗ Z_{A'_i} (and similarly M_i^B ⊗ Z_{B'_i}) in Theorem 6 can, indeed, be done by local quantum gates. The actual quantum circuit diagram is very similar to the ones discussed in, for example, [3] and [4]. Since the actual construction is outside the main theme of this paper, the details will be skipped here.

B. Reduction to BB84
Using ancillary EPR pairs in a generalized breeding protocol, the above subsection shows that one can decouple error correction from privacy amplification in a QKD scheme. However, such a scheme generally requires a quantum computer to implement. So, the next question is: how to reduce the above protocol to standard BB84? Here is the second main Theorem of the current paper.

Theorem 7
Then the protocol can be converted to a standard "prepare-and-measure" QKD scheme with security equal to the EPP-based QKD scheme, provided that Alice and Bob initially share an r-bit secret string and use it to encode the measurement outcomes of the M_Z's of the non-commuting set in Condition 3. (See footnotes 8 and 9.)

Sketch of Proof: Combine the proofs of Theorems 5 and 6. In other words, the proof of Theorem 6 can be used to relax the constraint of local commutability in Theorem 5, thus giving Theorem 7.
We have the following Corollary:

Corollary 8
Consider the purification of N impure EPR pairs. Suppose one is given a symmetric stabilizer-based bit-flip (interactive or one-way) error correction procedure with s operators M_Z's and also a symmetric stabilizer-based phase error correction procedure with t operators M_X's acting on the N pairs. Claim: The combined error correction/privacy amplification protocol can be reduced to a standard prepare-and-measure QKD protocol, provided that Alice and Bob initially share an s-bit secret string. Having sacrificed the initial s-bit string, the output of the procedure is an (N − t)-bit secret string.

Footnote 8: Note that the same key is used to encode the measurement outcomes on both Alice's and Bob's sides. This is because the relative error syndrome is allowed to be disclosed to Eve.

Footnote 9: Note that the final key is now a coset of C_2 in F_2^n, whereas in Shor-Preskill's proof the key is a coset of C_2 in C_1. The difference is due to the fact that, in Theorem 9, an ancillary secret is sacrificed. The net key generation rate is the same if Theorem 9 is applied in lieu of Shor-Preskill's proof.

Remark: As an application of the above Corollary, the following protocol for error correction/privacy amplification of QKD is unconditionally secure: Step 1: the Cascade scheme for error correction, modified by the one-time-pad encryption of its bit-flip error syndrome, followed by Step 2: a random hashing procedure [6,8]. Notice that this is a rather efficient protocol in terms of both the key generation rate and computational power.
For schemes involving concatenation, there is the following Corollary:

Corollary 9
Suppose an EPP C is a concatenation of two subroutines, S_1 and S_2, where the first subroutine, S_1, satisfies all the conditions in Theorem 5 (i.e., symmetric, CSS-like, locally commuting and conditional on Z's only) and the second subroutine, S_2, satisfies Theorem 9 as an r-locally-noncommuting (symmetric, CSS-like, conditional on Z's only) EPP. Then the protocol C can be converted to a prepare-and-measure QKD protocol with the same security, provided that Alice and Bob initially share an r-bit secret string and use it for one-time-pad encryption of the measurement outcomes of the r pairs of measurement outcomes in the non-commuting set.
The upshot of the above Corollary is that the decoupling result remains valid even when there are two-way classical communications [13] and even when concatenated codes are employed.

V. CONCLUDING REMARKS
In summary, I have considered a rather general class of entanglement purification schemes, more specifically symmetric, stabilizer-based schemes, and their reduction to BB84. It was shown that in those schemes, the procedure for error correction can be decoupled from the procedure for privacy amplification. The decoupling is achieved by requiring Alice and Bob to share a modest initial string and use it for the one-time-pad encryption of the bit-flip error syndrome. There is no change in the net key generation rate because the loss of this initial string is exactly compensated by the generation of a longer key. (See footnotes 8 and 9.) As a corollary, I prove the security of the Cascade scheme, modified by one-time-pad encryption of the error syndrome, followed by a random hashing privacy amplification procedure. This is an efficient scheme in terms of both key generation rate and computational power.

VI. ACKNOWLEDGEMENT
I particularly thank Norbert Lütkenhaus for bringing to my attention the question of the security proof of the Cascade scheme and for many enlightening discussions. Helpful conversations with colleagues including Daniel Gottesman, Tsz-Mei Ko, John Preskill and Peter Shor are also gratefully acknowledged.