Optimization and Implementation of Efficient and Universal Quantum Key Distribution

,


Introduction
Quantum key distribution (QKD), invented by Bennett and Brassard in 1984 [1], is a technology for sharing keys between two legitimate users, Alice and Bob. Since the quantum mechanics laws guarantee that the keys are perfectly secret from the eavesdropper, Eve [2], it has attracted widespread attention, and many advanced works have been proposed over recent years [3,4]. Especially, the successful launch of the Micius quantum satellite [5] proves the arrival of the global quantum communication era. Despite these developments, the bit rates of existing QKD systems cannot meet the requirements of high-speed applications [6]. Many research communities are dedicated to solve this problem, and some advanced protocols have been proposed in recent years [7,8]. However, these protocols are neither efficient enough to fit the modern applications nor compatible with different QKD protocols or optical platforms.
To solve these problems, recently, Jiang et al. proposed an efficient and universal quantum key distribution (EUQKD) protocol [9] based on chaotic cryptography and middleware techniques. It uses a chaotic pseudorandom bit generator (PRBG) as a middleware, directly deploying on a QKD platform. e middleware initially takes the bits generated by the platform as input, periodically updates the chaotic systems, and efficiently generates the bit strings. By employing PRBG, EUQKD improves the bit rate of the underlying QKD system, resulting in higher efficiency. And by using the middleware technologies, it divides the cryptosystem to different layers and isolates the details of QKD platform from the users, leading to better compatibility. And EUQKD can be easily realized by software or hardware.
However, we find that EUQKD does not consider the bit errors. Due to the impact of channel noise or Eve's attacks, errors are common in the generated bits. If Alice and Bob use a set of bits to update their input-sensitive middleware, even though there is only one error bit in these bits, the execution results will be completely different, resulting in the failure of the communication. To solve this problem, in this paper, we optimize EUQKD protocol and provide it with the ability to resist bit errors by checking part of the execution results.
en, we deploy a polarized state-based QKD platform and realize the optimized protocol. e experimental results present that compared with the original version, the proposed scheme achieves better performance in terms of error resistance. We also use different approaches to assess the statistical properties of the generated bits. e evaluation results show that the optimized protocol can efficiently output bits with outstanding properties. is paper is organized as follows: we first give a brief review of EUQKD protocol, followed by analyzing the problem of the protocol, introducing the optimized scheme, and realizing it on a BB84 QKD platform. en, the statistical properties of the generated bits are evaluated by different methods. Finally, a brief conclusion is given.

Review of EUQKD
As shown in Figure 1(a), EUQKD can be divided into three layers. e bottom layer is a QKD platform, the middle layer is a chaos-based PRBG, and the top layer is a software application which implements encrypting, decrypting, and communicating components to transmit messages between two legitimate users. e core of EUQKD protocol is the middle layer; it contains two piecewise linear chaotic maps (PLCMs) defined as follows: where x ∈ [0, 1] is referred to as the initial condition and p ∈ (0.0.5) is referred to as the control parameter. e bit strings can be generated by iterating the PLCM according to x n � F(x n− 1 , p). As plotted in Figure 1(b), the middle layer runs as follows: (1) Alice randomly selects initial conditions x 1 0 , x 2 0 and control parameters p 1 , p 2 , encrypts them with QKD bits, and sends the ciphertext to Bob. en, Alice and Bob initialize their PLCMs with the selected parameters.
(2) Alice and Bob iterate their PLCMs to generate two sets of iteration results R 1 r 1 36 , . . . , r 1 m , R 2 r 2 36 , . . . , r 2 m ( r 1 , . . . , r 35 are discarded for security), where m is the upper bound of iterations. en, they construct two integers z, z ′ with QKD bits, act XOR on mantissa parts of r 1 z and r 2 z′ to obtain a set of bits (Cbits). Alice and Bob repeat this step n times, and then they jump to the next step.
e middle layer isolates the bottom layer to achieve compatibility; it can be easily realized by both software and hardware and can be rapidly deployed on any QKD platform. It also takes QKD bits as input and efficiently outputs Cbits, resulting in higher efficiency.

Optimization and Realization of EUQKD
3.1. Optimization of EUQKD. EUQKD significantly improves the efficiency of the physical layer; however, it does not consider bit errors. Generally, a QKD protocol consists quantum and classical parts [10]. In the former part, Alice and Bob generate a set of bits (raw key) by preparing and measuring photon states. en, they broadcast their basis choices. For each bit of the generated raw key, if Alice's basis is the same as Bob's, it is stored as the sifted key; otherwise, it is discarded. Due to the channel noise and Eve's attacks, there may exist some errors in the sifted key, and part of the information of the sifted key may be leaked.
us, Alice and Bob need to execute the classical part, i.e., postprocessing [11], to correct the errors and cover the information leakage. ey first run the first step known as the parameter estimation [12] to estimate the error rate of the sifted key. e second step, i.e., the key reconciliation [13], uses the estimated error rate as input to correct the errors. Finally, they run the privacy amplification [14] step to cover the leaked information.
Existing key reconciliation algorithms, e.g., belief propagation [15,16], shuffled belief propagation [17], layer belief propagation [18,19], etc., use a piecewise function to extract useful information from Alice's syndrome to correct Bob's QKD bits. To avoid information leakage, such information is not accurate and reliable. us, there may be some bit errors after key reconciliation. According to EUQKD protocol, if an error bit affects the second step, it will cause 52-bit errors in the Cbits (IEEE 754 standard represents a double-precision float number in the form (− 1) 1 × mantissa(52 bits) × 2 11 ). We know that chaotic system is sensitive to initial condition and control parameter. As shown in Figure 2, the iteration results of PLCM (1) with very close initial conditions and control parameters are totally different. us, if the error bit affects the third step, it will lead to the failure of the protocol. To solve this problem, we optimize EUQKD protocol as follows: (1) Alice randomly selects initial conditions x 1 0 , x 2 0 and control parameters p 1 , p 2 , encrypts them with QKD bits, and sends the ciphertext to Bob. en, Alice and Bob initialize their PLCMs with the selected parameters.

2
Journal of Electrical and Computer Engineering (2) Alice and Bob iterate their PLCMs to generate two sets of iteration results R 1 r 1 36 , . . . , r 1 m , R 2 r 2 36 , . . . , r 2 m . en, they broadcast part of the results over the classical channel and calculate the error rate. If the error rate exceeds the threshold, they jump to step 1.
(3) ey construct two integers z, z ′ with QKD bits. If the selected iteration result r 1 z or r 2 z′ has been broadcasted, they select the next iteration result until they find an iteration result that has not been broadcasted. en, they act XOR on mantissa parts of the two iteration results to obtain a set of Cbits. Alice and Bob repeat this step n times, and then they jump to the next step. (4) Alice and Bob use QKD bits to construct four in- to update their PLCMs. (5) Alice and Bob repeat steps 2, 3, and 4 until they generate enough Cbits for encrypting and decrypting the secret message.
Clearly, in each round of the optimized protocol, Alice and Bob check part of the iteration results. Since PLCM (1) is sensitive to the initial condition and the control parameter, they can easily detect the failure. And if the protocol fails, they will randomly select a set of parameters to synchronize their PLCMs. is can avoid the failure of the protocol and guarantee that the users can generate enough bits for encryption and decryption, even if there exist error bits in QKD bits. Compared with the original protocol, the optimized scheme, therefore, achieves higher robustness. Although the legitimate users broadcast part of their iteration results to resist bit errors, these iteration results are not used to generate the secret key. And many papers have proved that the eavesdropper cannot break digital chaotic PRBG, even if he obtains part of the iteration results [20][21][22]. erefore, the eavesdropper cannot obtain useful information during the communication.

Realization of EUQKD.
In this paper, a BB84 QKD platform based on polarization states is deployed as the physical layer. e optical setup of the platform is shown in Figure 3. Alice can control four lasers to send horizontal, vertical, +45°, and − 45°polarization pulses, which are denoted as H, V, +, and − , respectively. Because the intensity of these pulses may be different, we first attenuate them to the same level.
en, the pulses are combined by two    Journal of Electrical and Computer Engineering polarizing beam splitters (PBSs) to guarantee the orthogonality between H and V pulses and the orthogonality between + and − pulses. e manual polarization controllers adjust the angle between H and + pulses and the angle between V and − pulses to 45°. Finally, all pulses are combined by a beam splitter (BS), attenuated to single photon level, and sent to Bob over the quantum channel. In Bob's optical platform, the state first passes a 50/50 BS to randomly select a measurement basis. Since the optical fiber may change the state of the photon, two manual polarization controllers are used to adjust the state. In our platform, only one single photon detector (SPD) is deployed. Since the four states |H〉, |V〉, |+〉, |− 〉 { } are distinguished by delay lines of different lengths, SPD can determine the state according to the time tag of the measurement.
We run BB84 protocol on our optical platform and generate 30 sets of sifted keys. en, we use the postprocessing algorithm proposed in Ref. [23] to process the generated sifted keys. e error rates of the generated sifted keys and the results of parameter estimation are plotted in Figure 4(a). e error rates of the generated QKD bits are shown in Figure 4(b).
Because the bit error rates of the generated QKD bits are very low, we slightly change Bob's QKD bits and use the QKD bits to update Alice's and Bob's PLCMs. We simulate this process for 10,000 times, and all errors are detected in the second step of the optimized protocol. Our protocol, thus, provides the ability to resist bit errors.

Statistical Evaluation
In this section, we evaluate the statistical properties of the generated Cbits from aspects of uniformity and correlation. Cbits should show perfect uniformity; otherwise, Eve may extract some information from the ciphertext. To evaluate the uniformity, we set the rounds to 100, set the upper bound of iterations to 1000, and run the proposed protocol 100 times. e distribution of iteration results, control parameters, and initial conditions is plotted in Figures 5(a)-5(c), respectively. Obviously, the results show perfect uniformity.
To evaluate the correlation of the generated bits, first, the Hamming distance and Pearson's correlation coefficient are calculated [24]. For two binary sequences can be calculated as follows: where I 1 and I 2 are the average values of S 1 I and S 2 I , respectively. If S 1 I and S 2 I are uncorrelated, P(S 1 I , S 2 I ) should approach 0. We generate 20 pairs of Cbits. e Hamming distances of each pair of Cbits are shown in Figure 6(a). en, we generate 20 pairs of Cbits and construct 20 pairs of integer sequences. Pearson's correlation coefficient of each pair of integer sequences is plotted in Figure 6(b).
Second, we calculate the autocorrelation of generated Cbits, and the cross correlation of two pair of Cbits generated with very close initial conditions. e results are drawn in Figures 6(c) and 6(d), respectively. Clearly, the results prove that the generated Cbits have outstanding correlation properties.

Image Encryption and Decryption
In this section, we use image encryption to further evaluate the statistical properties of Cbits. First, the histogram where w and h are the width and the height of the image, g i is the number of pixels with a gray value equal to i, and G � g 1 , g 2 , . . . , g 256 is the gray value vector of the image. e higher value of variance indicates the lower uniformity of the image. e variances of the plain and the cipher images are 66200 and 272.53, respectively. e generated Cbits, thus, show perfect uniformity properties.
Generally, two adjacent pixels in an image show strong correlation. erefore, we analyze the correlation between two adjacent pixels in the plain and cipher images to evaluate the correlation properties of the generated Cbits. We randomly choose 1000 pairs of two horizontally, vertically, and diagonally adjacent pixels. Figures 8(a)-8(c) plot the distribution of two horizontally, vertically, and diagonally adjacent pixels selected in the plain image. And  Figures 8(d)-8(f ) present the distribution of two horizontally, vertically, and diagonally adjacent pixels selected in the cipher image. Obviously, the plain image is decorrelated by the generated bits.
Pearson's correlation coefficient of adjacent pixels is shown in Table 1. Obviously, the adjacent pixels selected from the plain image are highly correlated. And there is negligible correlation between the adjacent pixels selected from the cipher image. e generated bits, therefore, show outstanding correlation properties.
For a well-designed cryptosystem, high key sensitivity is also required, i.e., Eve cannot obtain any information of the plain image, even if she uses a key which is very close to the correct key to decrypt the plain image. To evaluate the key sensitivity, we select a set of initial conditions and control parameters as the key to synchronize Alice's and Bob's PLCMs, use a set of QKD bits to generate Cbits to encrypt the plain image, and plot the cipher image in Figure 9(a). en, we use the correct key and QKD bits to generate Cbits, decrypt the cipher image, and show the decrypted image in Figure 9(b). Finally, we slightly change the key, use the changed key and QKD bits to generate Cbits, decrypt the cipher image, and draw the decrypted image in Figure 9(c).
Pearson's correlation coefficient between encrypted and decrypted images is shown in Table 2. Obviously, Eve cannot obtain any information even if she obtains a key which is very close to the correct key, thus proving the high key sensitivity of our protocol.

Conclusion
EUQKD efficiently improves the efficiency of the underlying QKD platform; however, it does not consider the bit errors, which may lead to the failure of the protocol. In this paper, we optimize EUQKD against bit errors and realize the protocol with a BB84 QKD platform. Experimental results show that the optimized protocol significantly reduces the impact of error bits and efficiently generates Cbits with outstanding statistical properties.

Data Availability
All data generated or analyzed during this study are included within this article.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this article.