1.INTRODUCTIONVarious encryption technologies have been developed to meet the fundamental needs to transmit information to a specific person at a distance without being known by a third party. Nowadays, various information is encrypted, from credit card-based personal identification numbers (PINs) to social networking service (SNS) conversations. However, the security of current encryption technologies is based on the assumption of computational resources available to eavesdroppers, and it is concerned that the decryption will be available by the progress of computer technology. Quantum key distribution (QKD) [1, 2], on the other hand, is a key establishment method that does not require any assumptions on the eavesdropper’s computational resources. In QKD, a key is generated from a random number shared between the sender and the receiver via photon transmission. Because an eavesdropper cannot attack without destroying the photon’s quantum state, the trace of attack is left in the quantum bit error rate (QBER). This makes key establishment secure against all physically allowable attacks. Although QKD has already been studied for practical use [3, 4], fiber-based terrestrial QKD systems suffer from photon absorption in the fiber, limiting the key generation rate and the transmission distance. Recently, satellite-based QKD systems [5] are attracting much attention to overcome the bottleneck., continental-scale QKD can be realized by employing a satellite as a trusted node. However, there is a concern that the atmospheric effects, which affect the performance of satellite laser communications, such as fading-induced burst errors, may also have some impact on satellite-based QKD. Therefore, error-correction schemes exploited in satellite-based QKD are required for robust transmission against such atmospheric-induced effects. As such an error-correction scheme appropriate for free-space optical (FSO) links, we have studied polar codes [6] because of their capacity-achieving performance and low computational complexity in encoding and decoding. Our past transmission experiment over the 7.8-km terrestrial FSO link between the University of Electro-Communications in Chofu, Tokyo, and the National Institute of Information and Communications Technology (NICT) in Koganei, Tokyo revealed that polar codes have high performance in real FSO channels [7]. Motivated by our previous experiments, we propose a new high-efficiency error correction method based on polar codes for free-space QKD systems. Unlike the uni-directional message transmission, QKD aims to share random numbers, and error correction is performed in the post-processing manner. This means that the code rate of polar codes can be finely configurated by adding or deleting parity bits. Although the application of polar codes to QKD has been studied in [8], a rate-variable error correction based on polar codes is firstly proposed in this paper. In this paper, as a basic study for applying polar codes to QKD, we derive a relation between code rate and QBER by numerical simulation to optimize the error correction efficiency. We then numerically compare the performance of our proposed scheme to that of LDPC codes. As a result, we reveal that polar codes have an advantage over LDPC codes in the short-code-length regime, in information reconciliation for free-space QKD. The rest of this paper is organized as follows; Sections II and III review the encoding and decoding methods in polar codes and QKD basics, respectively. Section IV shows the description of the proposed method and the experimental results by numerical simulation. Finally, Section V gives the conclusions. 2.POLAR CODES2.1EncodingPolar code is an error-correcting code (ECC) introduced by E. Arikan in 2009 [6]. It is shown that polar code achieves encoding and decoding with low complexity of O(N log N) for a code length of N = 2n, where n is a natural number. The encoding exploits a property called channel polarization, which is outlined below. We consider that we input a sequence with a length of N = 2n bits into a stationary memoryless binary symmetric channel (BSC) W. Let I(W) denote the mutual information of the BSC. The input sequence is subject to the following matrix operations: where IN is the identity matrix of order N, ⨂ denotes the Kronecker product, and RN is a reverse shuffle matrix that rearranges the input bit sequence with even numbers in the first half and odd numbers in the second half. The matrix F is defined by By applying the inverse operation of GN onto the output sequence results, a I(W) fraction of the sequence is retrieved correctly, whereas a 1 – I(W) fraction will results in an error with a probability 1/2 in the limit of N → ∞. This phenomenon, known as channel polarization, allows polar codes to achieve error correction performance close to the Shannon limit. A sender allocates the transmission data into the I(W) fraction of the sequence (message bits). She fills the 1 – I(W) fraction of the sequence (frozen bits) with random bits, and announces their values and locations to the receiver in advance. The code rate, the ratio of the message bits to the total bits, becomes I(W), which is the channel capacity of BSC. 2.2DecodingThe decoding method for polar codes is called successive cancellation decoding (SCD). In SCD, recursive estimation of codewords based on the log-likelihood ratio (LLR) is performed in the ascending order of every bit. When the vertical index is φ, and the horizontal index is Λ, the LLR at each point is and the estimated bit is . Here, φ and Λ satisfy the following conditions: The first step of decoding is to convert the received value of each bit rφ into the LLR λφ. For a BSC with crossover probability Pe, λφ is given as Then, the LLR at each point can be computed as follows where α, β, and и are defined by Finally, the estimated bit at each point is calculated by where Ф denotes (φ mod 2⋀+1) and 𝓕φ returns 1 if the index φ is a frozen bit, and 0 otherwise. After LLR calculations, the estimated codeword is outputted. For the decoding of polar codes, SCD was first proposed, and its improved version, successive cancellation list decoding (SCLD) [9], was also proposed. In addition, CRC-aided SCLD (CA-SCLD) [10], which is concatenated with cyclic redundancy check (CRC) codes, has been proposed as an improved version of SCLD, and it can outperform low-density parity-check (LDPC) codes. 3.QUANTUM KEY DISTRIBUTION3.1The flow of the QKD protocolWe briefly review the flow of QKD based on the Bennett-Brassard 1984 protocol (BB84) [1], which was the first proposed QKD protocol. In BB84, random numbers are encoded into a single photon’s polarization state. A sender (Alice) generates a random bit sequence, selects one of two pairs of polarization directions, (0, π/2) or (π/4, 3π/4), and rotates the photon polarization to the corresponding direction. For example, to transmit bit 0, the photon polarization is rotated to 0 or π/4. Bob also randomly selects the basis from (0, π/2) or (π/4, 3π/4) when he receives a photon from Alice. If the Alice’s and Bob’s basis match, the bit is retrieved correctly, but if a different basis is selected, an error occurs with a probability of 50%. Such random selection of basis is necessary to ensure security against Eve. For example, Eve would tap a photon sent by Alice, obtain the random bit from it, and retransmit a copy of the photon to Bob. However, Eve needs to select Alice’s basis randomly, just as Bob does. Therefore, even if Alice and Bob’s bases are identical, this operation will induce errors in the bit values. After completing random number transmission, the sifted-keys are created by notifying the receiving time and matching Alice’s and Bob’s bases via an authenticated public channel. When this operation is performed, the bit positions that were in different bases between the sender and receiver are notified, and the bits are eliminated. If the protocol is implemented under ideal conditions, the sifted-keys are identical, but errors are caused by imperfections in the optical system, bit errors due to dark counting in photon detectors, and Eve’s attack. Therefore, by exchanging information over the authenticated public channel, the error is corrected and the leakage information is removed. This sequence of operations is called the key-distillation processing. The key-distillation processing roughly consists of (A) QBER estimation, (B) information reconciliation, and (C) privacy amplification. First, in (A), the QBER is estimated using a test bit sequences composed by random sampling from the sifted-keys. If the error rate exceeds the specified value, the session is discarded because the information leakage to Eve is too large to be removed by this key-distillation process. Then, in (B), the sifted-keys of Alice and Bob are error-corrected. Alice and Bob calculate the parity bits for error correction from their sifted-keys and exchange them on the public channel. Finally, in (C), privacy amplification, the final key is obtained by compressing the sifted-key after information reconciliation by the amount of leakage information estimated from the QBER. 3.2Information ReconciliationIn this paper, we apply polar codes to (B) information reconciliation step in the above key-distillation processing. Although there are several methods for calculating the parity bits disclosed in this step, we adopt Dodis’s method [11]. In this method, a codeword cEC is randomly generated by an ECC encoder of CEC, and the exclusive-OR (XOR) of the codeword and the sifted-key is transmitted to the other party via the public channel. This method has been implemented in various systems [12, 13] because of its simplicity. Also, the cost of authentication is low because the authenticated public channel is used only once. Figure 1 shows the flowchart of Dodis’s method. First, Bob determines an appropriate code rate R’ based on the QBER Pe’ and transmits R’ value to Alice. Next, Bob generates a random bit sequence of K(= [NR’]) bits, where [·] is the ceiling function and N is the length of the sifted-key. Then, these К bits are encoded into N bits codeword cEC by an ECC with the code rate of R’, and XORed into Bob’s sifted-key kb as kb ⨁ cEC. Alice obtains the bit sequence (kB ⨁ cEC) ⨁ kA by XORing her sifted-key kA with the received codeword, resulting in the error pattern kA ⨁ kB onto cEC. This error can be removed by decoding the received sequence (kA ⨁ kв) ⨁ cEC because of R’ encoding, and the random number generated at Bob can be correctly transmitted to Alice. This [NR’] bits are the reconciled key. Note that we consider the case where Bob transmits the parity bits, and this method is generally called reverse reconciliation. It can generate keys more efficiently than the case of direct reconciliation in which Alice transmits keys. Therefore, it is widely used in continuous-variable QKD [14, 15] and other similar protocols [12, 16] as well as BB84. Figure 1.Flow chart for information reconciliation. 4.NUMERICAL RESULTS OF PROPOSED METHOD4.1Performance indicatorIn this paper, we construct an efficient transmission scheme that makes the ratio of the length of the successfully information-reconciled bit sequence Ncorr to the length of the sifted-key Nsift, Ncorr/Nsift, as large as possible. At first, instead of encoding a random bit sequence of length Nsift with a single codeword, we consider dividing it into В blocks of length NB and encoding them. The following equation holds: Then, we define block error rate (BLER) as the ratio of unsuccessful decoding to В expressed by where Bfail is the number of unsuccessfully decoded blocks. Because Ncorr is the product of the information length KB and the number of successfully transmitted blocks, it can be denoted by Then, Ncorrr/NSift can be transformed as follows. where R is the code rate defined by KB/NB. In this paper, we specify R(1 – BLER) as the evaluation function called throughput. In numerical simulations, we assumed that the errors in the sifted-key are symmetric for the bit 0 or 1, that is, BSC. Furthermore, the QBER estimation is assumed to be perfect. 4.2Performance of polar codesWe simulated the polar code transmission in information reconciliation described in Section 3, in which the simulation conditions are shown in Table 1. Figure 2 shows the results of the throughput performances when the code rate Rpolar(= R in (12)) and the crossover probability Pe are changed. It can be seen that the throughput performances of high-rate polar codes are superior when Pe is small, and those of low-rate polar codes are superior in high Pe region. As shown in the figure, the crossover probability region with superior throughput differs depending on the code rate, and it is necessary to change the code rate according to Pe for more efficient transmission. Figure 2.Throughput performances of polar codes. Table 1.Simulation conditions of polar codes. Code length NB | 2048 |
---|
Information length KB | 768 to 1536 | Code rate Rpolor | 0.375 to 0.75 | Decoding | Successive cancellation list decoding[9, 10] | Parity length of cyclic | 24 | redundancy check |
4.3Optimization of information reconciliation applied polar codesBased on the discussion in the previous section, we derive an equation relating the code rate Rpolar and the crossover probability Pe to obtain the best throughput for polar codes. First, Figure 3 shows the throughput performances when Rpolar is changed by gradually increasing the number of frozen bits with a fixed crossover probability. This figure shows that for each crossover probability, there is an optimal code rate that maximizes throughput. Figure 4 shows a graph rearranging these points, with the crossover probability on the horizontal axis and the code rate on the vertical axis. We derived the following approximation equation as the selection rule for the code rate Rpolar from the curve in Figure 4. Figure 3.Throughput performances versus code rate Rpolar. Figure 4.Proposing rule to select the optimal code rate of polar codes. 4.4Application of LDPC codes in the conventional methodAs a benchmark against polar codes, we calculated LDPC codes’ performance under the conditions shown in Table 2. Figure 5 shows the throughput performances of the LDPC codes versus Pe with the parameter of code rate RLDPC(= R in(12)). Using the five LDPC codes shown in the figure, the selection rule for the code rate RLDPC optimizing the throughput performances can be derived as Table 2.Simulation conditions of LDPC codes. Code length NB | 2048 |
---|
Information length KB | 512 | 768 | 1024 | 768 | 1536 | Code rate RLDPC | 0.25 | 0.375 | 0.5 | 0.625 | 0.75 | Decoding | Sum-product decoding | Weighting of parity-check matrices | (3,4) | (5,8) | (3,6) | (3,8) | (3,12) | The maximum number of reprising decoding | 20 |
Figure 5.Throughput performances of LDPC codes. It can be seen that the throughput performances are superior for high-rates in the small crossover probability region and low-rates in the large crossover probability region, as well as in Figure 2. 4.5Performance comparison of the proposed method to LDPC codesFigure 6 compares the throughput performances of LDPC codes and polar codes based on the selection rules obtained above. It is shown that the throughput performances of polar codes are higher than those of LDPC codes in all areas. Therefore, the application of polar codes to satellite QKD is expected to improve information reconciliation efficiency. LDPC codes can also have finer coding ratios, but it is necessary to share the parity-check matrices for all code rates in advance. However, polar codes have the advantage that no matrix share is needed. Figure 6.The comparison of optimized throughput performances. 5.CONCLUSIONIn this paper, we proposed applying polar codes to the information reconciliation step to increase the efficiency of key distribution in QKD and evaluated its performances. First, we chose the throughput as the measure of the efficiency of information reconciliation. Then, we derived the throughput performances for different code rates and crossover probabilities by numerical simulations. From these results, we derived a selecting rule of code rate that maximizes throughput for each crossover probability, constructed a polar code with the best throughput performances for information reconciliation, and confirmed the improvement of its performances. Then, We compared the polar codes with the LDPC codes in the region where the crossover probability is less than 10% and confirmed the superiority of the polar codes in all regions. In the future, we plan to study concatenating with rateless codes in order to improve the performance of the system, including (A) QBER estimation in addition to (B) information reconciliation. REFERENCESC. H. Bennett and G. Brassard,
“Quantum cryptography: Public Key Distribution and Coin Tossing,”
in Proc. IEEE Int’l Conf. on Computers, Systems and Signal Proc., Bangalore India,
175
–179
(1984). Google Scholar
S. Fujita, K. Ito, E. Okamoto, H. Takenaka, H. Kunimori, H. Endo, M. Fujiwara, M. Kitamura, R. Shimizu, M. Sasaki, and M. Toyoshima,
“Experimental evaluation of polar code transmission in terrestrial free space optics,”
in Proc. IEEE Int’l Conf. on Commun.,
(2019). https://doi.org/10.1109/ICSOS45490.2019 Google Scholar
P. Jouguet and S. K. Jacques,
“High Performance Error Correction for Quantum Key Distribution using Polar Codes,”
Quantum Information and Computation, 14
(3&4),
(2013). https://doi.org/10.26421/QIC Google Scholar
Y. Dodis, L. Reyzin, and A. Smith,
“Fuzzy extractors: How to generate strong keys from biometrics and other noisy data,”
in International Conf. on the Theory and Applications of Cryptographic Techniques,
523
–540
(2004). Google Scholar
H. Endo, M. Fujiwara, M. Kitamura, O. Tsuzuki, T. Ito, R. Shimizu, M. Takeoka, and M. Sasaki,
“Free space optical secret key agreement,”
Optics Express, 26
(18), 23305
–23332
(2018). https://doi.org/10.1364/OE.26.023305 Google Scholar
H. Endo and M. Sasaki,
“Secret key agreement for satellite laser communications,”
in Proc. 37th Int’l Commun. Satellite Systems Conf. (ICSSC),
(2019). Google Scholar
|