Joint QKD-Post-Quantum Cryptosystems

To extend the transmission distance and/or improve the secret-key rate of QKD protocols, we propose to employ joint QKD-post-quantum cryptosystems in which QKD is used for raw-key transmission, while the post-quantum cryptography (PQC) subsystem is used to transmit the parity bits for information reconciliation. We also describe a run-time configurable spatially coupled (SC)-LDPC code, derived from a template quasi-cyclic (QC)-LDPC code, suitable for use in both information reconciliation and the McEliece crypto-subsystem. For the twin-field (TF)-QKD subsystem, the proposed joint cryptosystem, which takes the complexity of the algorithm used to break the PQC subsystem into account, is able to achieve a record distance of 1238 km over ultra-low-loss fiber.


I. INTRODUCTION
The associate editor coordinating the review of this manuscript and approving it for publication was Sukhdev Roy.

Quantum communication (QuCom) employs quantum information theory concepts to realize the distribution of keys with verifiable security, commonly referred to as quantum key distribution (QKD) [1], [2]. The theorems on no-cloning and indistinguishability of non-orthogonal quantum states give rise to QKD, where security is ensured by fundamental laws of physics as opposed to the unproven mathematical assumptions employed in computational-security-based cryptography. Despite the appealing features of QuCom, there are some fundamental and technical challenges that need to be addressed prior to its widespread application. For instance, both the rate and the distance of QuCom are fundamentally limited by the channel loss, as specified by the rate-loss tradeoff. To overcome the rate-distance limit of discrete-variable (DV)-QKD protocols, two approaches have been pursued recently: (i) the development of quantum relays [3] and (ii) the employment of trusted relays [4]. Unfortunately, quantum relays require long-duration quantum memories and high-fidelity entanglement distillation, which are still out of reach with current technology. On the other hand, the trusted-relay methodology assumes that the relay between two users can be trusted; unfortunately, this assumption is difficult to verify in practice. The measurement-device-independent (MDI)-QKD approach [5] was able to close the detection loopholes and extend the transmission distance; however, its secret-key rate (SKR) is still bounded by the O(T) dependence of the upper limit (with T being the transmissivity). Recently, twin-field (TF) QKD has been proposed to overcome the rate-distance limit [6]. The authors in [6] have shown that the TF-QKD upper limit scales with the square root of the transmittance, that is r ∼ O(√T), which represents a promising approach to extend the transmission distance.
However, given that TF-QKD, similar to MDI-QKD, relies on partial Bell-state measurements by Charlie (Eve), the Bell states $|\phi^{\pm}\rangle = 2^{-1/2}(|00\rangle \pm |11\rangle)$ cannot be distinguished, resulting in low overall SKRs at extended distances.
To overcome these key challenges for DV-QKD, we propose a different strategy. To increase the secret-key generation rate and to extend the transmission distance, we propose to limit the information revealed during the error reconciliation phase by transmitting the parity bits using post-quantum cryptography (PQC) algorithms [7]. PQC typically refers to various cryptographic algorithms that are thought to be secure against any quantum-computer-based attack. Unfortunately, PQC is also based on unproven assumptions, and some of the PQC algorithms might be broken in the future by developing more sophisticated quantum algorithms. For instance, lattice-based cryptography algorithms often rely on so-called collision-resistant hash functions, such as $u = Ax$, where x is Alice's private vector and u is the public vector, with A being an $m \times n$ public matrix whose columns represent the lattice basis vectors. To determine Alice's private vector x, Eve would need to perform a matrix inversion to get $x = A^{-1}u$. By using a quantum computer designed to perform a Harrow-Hassidim-Lloyd (HHL)-like algorithm [8], Eve can get an exponential speed-up compared to the corresponding classical algorithm, and the security of lattice-based cryptography can no longer be guaranteed. This is the reason why we propose here to use PQC algorithms only in the information reconciliation phase, to limit the leakage due to the transmission of parity bits over an authenticated classical channel (as in conventional QKD). Even though the best quantum algorithms can provide an exponential speed-up over the corresponding classical algorithms, the complexity of quantum algorithms cannot be ignored, and it can still be expressed in terms of the number of quantum gates required. So the number of security bits is still proportional to $\log_2(L)$, where L is the number of operations needed for an attack to be successful [9].
When a quantum algorithm is used to break the PQC protocol, the number of security bits $\log_2(L)$ is typically not sufficient for perfect-security algorithms, such as the one-time pad. However, when an (N, K) LDPC code of high rate is used in information reconciliation, with the number of parity bits N − K much smaller than n (the codeword length used in the PQC subsystem), the PQC security is sufficient to eliminate the leakage during the error correction stage. In a related paper [10], we proposed to use a covert channel for information reconciliation; however, the corresponding rigorous security proof has not been derived yet. In conventional QKD, it is commonly assumed that Eve is an all-powerful eavesdropper, and the complexity of the quantum algorithms used to break classical cryptographic algorithms is ignored. Unfortunately, this omnipotence assumption is often too restrictive and not realistic in practical applications. The proposed joint QKD-cryptosystem scheme belongs to the class of realistic cryptographic schemes in which Eve is not omnipotent, in the sense that it assumes that the algorithms used to break the protocols have a complexity that cannot be ignored. Moreover, the proposed joint QKD-PQC scheme exploits the complexity of the corresponding quantum algorithms. The security of this scheme is wholly dependent on the still unproven security of its weakest link, namely the protection of the parity bits transmitted over the PQC channel. As such, this scheme cannot claim security consistent with full-scale QKD; rather, it represents an alternative to both full-scale QKD and PQC.
The paper is organized as follows. The proposed joint QKD-post-quantum cryptosystems are described in Section II. In Section III, the proposed joint TF-QKD-McEliece cryptosystem is described in detail. The illustrative secret-key rate results are provided in Sec. IV. Concluding remarks are provided in Sec. V.

II. JOINT QKD-POST-QUANTUM CRYPTOSYSTEMS
The proposed joint QKD-post-quantum encryption concept is applicable to any QKD scheme. Let us describe the joint cryptosystem for a DV-QKD subsystem in which reverse reconciliation is employed. The QKD subsystem is used for raw-key transmission. After the sifting procedure and quantum bit-error rate (QBER) estimation, as shown in Fig. 1, Bob employs an (N, K) LDPC code with parity-check matrix H of size (N − K) × N to create the syndrome vector $p = xH^T$, where x is Bob's vector after the sifting procedure. In conventional information reconciliation, Bob would transmit the syndrome vector over an (error-free) authenticated public channel to which Eve has access. In our proposed joint encryption scheme, we encrypt the syndrome vector by employing a properly chosen post-quantum cryptography algorithm. The popular PQC schemes include [7]: code-based cryptography, lattice-based cryptography, hash-based cryptography, and multivariate cryptography. This work has gained greater attention from academia and industry through the PQCrypto conference series since 2006. In particular, the McEliece cryptosystem [12] based on quasi-cyclic (QC) LDPC coding [13] is straightforward to implement. In this version, the adaptive LDPC code can be used for both information reconciliation and PQC-based encryption. Unfortunately, as already mentioned in the introduction, similarly to computational cryptography, PQC is based on unproven assumptions. Namely, some of the PQC algorithms might be broken in the future by developing more advanced quantum algorithms. Further, the complexity of the decryption algorithm in PQC dictates the number of secure bits, which is insufficient for perfect security, such as the one-time pad. By using the PQC algorithms only to protect the transmission of the syndrome vector of length N − K, which for high-rate LDPC codes is much shorter than the codeword length n used in PQC, we can achieve perfect security.
So the key idea of our proposal is to reduce the leakage of information during error correction. On the other hand, by employing the QKD subsystem for raw-key transmission, we can identify the presence of Eve. By limiting the information leakage due to information reconciliation, we can significantly extend the transmission distance, as shown in Section IV. As an illustration, the secret fraction r for the decoy-state BB84 protocol can be represented as follows [2], [11]: where we used the subscript 1 to denote the single-photon pulses and µ to denote the pulse with mean photon number µ. In (1), $q^{(Z)}$ denotes the probability of declaring a successful result (''the gain'') when Alice sent a single photon and Bob detected it in the Z-basis, $f_e$ denotes the error-correction inefficiency ($f_e \geq 1$), $e^{(X)}$ [$e^{(Z)}$] denotes the QBER in the X-basis (Z-basis), and $h_2(x)$ is the binary entropy function. The second term $q^{(Z)} h_2[e^{(X)}]$ corresponds to the amount of information Eve was able to learn during the raw-key transmission. The third term $q^{(Z)} f_e h_2[e^{(Z)}]$ denotes the amount of information revealed during the information reconciliation stage, typically related to the parity bits transmitted over an authenticated (noiseless) public channel. Now, by transmitting the parity bits using PQC, with the number of parity bits lower than the number of security bits in PQC, the last term can be eliminated, which results in a significant improvement in transmission distance (see Section IV). This is particularly true when the second term is close to the first term [see Eqn. (1)], which corresponds to the high-attenuation regime. The quantum algorithms to be developed (not yet known), capable of breaking the PQC algorithms, will have a certain complexity expressed in terms of the number of operations L. By ensuring that the number of parity bits N − K is smaller than the number of secure PQC bits $\log_2 L$, the proposed cryptographic scheme will be secure.

VOLUME 8, 2020
Evidently, the proposed cryptographic scheme exploits the complexity of corresponding quantum algorithms used to break the PQC protocols. On the other hand, the conventional QKD algorithms assume that Eve is all-powerful and ignore the complexity of different quantum attacks. Therefore, the proposed cryptographic scheme belongs to the class of cryptographic schemes in which Eve is not omnipotent.
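As an added illustration of the argument above (example code written for this edit, not the paper's simulation), the following Python evaluates the three-term secret fraction of Eqn. (1) with and without the reconciliation term and scans a toy fiber link to show how far dropping the third term pushes the distance at which r vanishes. The link model (gain = η_d·T + 2p_d, QBER = (e_d·T + p_d)/gain, the same gain and QBER used for the single-photon and signal terms) and the cut-off r_min are assumptions of this example; the parameter values are the ones stated in Section IV, but the resulting distances belong to the toy model, not to Fig. 4.

```python
import math

# Toy link model constructed for this example; it is not the simulation model
# behind Fig. 4 of the paper. Parameter values are those stated in Sec. IV.
ALPHA_DB_KM = 0.1419   # ultra-low-loss fiber attenuation, dB/km
ETA_D = 0.25           # detector efficiency
P_D = 8e-8             # dark count probability per detector per gate
E_D = 0.015            # misalignment error
F_E = 1.15             # reconciliation inefficiency f_e


def h2(x):
    """Binary entropy h_2(x) in bits, taken as 0 at x = 0 and x = 1."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def secret_fraction(q1_z, e1_x, qmu_z, emu_z, f_e=F_E, parity_over_pqc=False):
    """Secret fraction r with the three-term structure of Eqn. (1) as described
    in Sec. II: single-photon gain q1, minus Eve's raw-key information
    q1 * h2(e1_x), minus the reconciliation leakage qmu * f_e * h2(emu_z).
    parity_over_pqc=True drops the third term, which is what the paper claims
    once the syndrome travels over the PQC subsystem with N - K < log2(L)."""
    eve_raw_key = q1_z * h2(e1_x)
    reconciliation = 0.0 if parity_over_pqc else qmu_z * f_e * h2(emu_z)
    return q1_z - eve_raw_key - reconciliation


def link_stats(distance_km):
    """Constructed link model (assumption): gain = eta_d * T + 2 p_d, where a
    dark count in either of two detectors also yields a click, and a dark
    count is a wrong bit half of the time, so QBER = (e_d * T + p_d) / gain."""
    t = ETA_D * 10.0 ** (-ALPHA_DB_KM * distance_km / 10.0)
    gain = t + 2.0 * P_D
    qber = (E_D * t + P_D) / gain
    return gain, qber


def max_distance(parity_over_pqc, r_min=1e-10, step_km=1.0, limit_km=2000.0):
    """Largest scanned distance at which r stays above r_min. The same gain and
    QBER are used for the single-photon and signal terms (an approximation of
    this example, not of the paper)."""
    best, d = 0.0, 0.0
    while d <= limit_km:
        q, e = link_stats(d)
        if secret_fraction(q, e, q, e, parity_over_pqc=parity_over_pqc) > r_min:
            best = d
        d += step_km
    return best


if __name__ == "__main__":
    for pqc in (False, True):
        print("parity over PQC:", pqc, "-> reach", max_distance(pqc), "km")
```

The useful observation is structural rather than numerical: in the conventional case r becomes negative as soon as $(1 + f_e)h_2(e) > 1$, i.e. at a QBER just below 10% for $f_e = 1.15$, whereas without the reconciliation term r stays positive until the QBER approaches 50%, which is exactly the high-attenuation regime where dark counts dominate.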
In the next section we describe the joint TF-QKD-McEliece cryptosystem in more detail. In the rest of this section, we describe an adaptive LDPC coding scheme to be used in both information reconciliation and the McEliece crypto-subsystem. The starting point is the QC-LDPC code with the template parity-check matrix: where I and P are identity and permutation matrices of size b × b, and the integers S[i] ∈ {0, 1, . . . , b − 1} (i = 0, 1, . . . , r − 1; r < b) are properly chosen to satisfy the girth (the largest cycle in the corresponding bipartite graph representation of $H_{QC}$) constraints, as described in [14]. We can incorporate many QC-LDPC codes using this design. As an illustration, the column-weight-3 code of girth 10 can be designed to be a subcode of the girth-8, column-weight-4 code. A lower-rate code of the same girth should be a subcode of the higher-rate code. This architecture allows run-time reconfiguration on a codeword-by-codeword basis. Its operation has been demonstrated over a free-space optical channel in the presence of time-varying atmospheric turbulence in our recent paper [15]. Finer granularity in code-rate adaptation can be implemented by shortening. For the application of the QC-LDPC code design in the McEliece cryptosystem, we propose to generate many sets of integers {S[i]} satisfying the run-time configurability conditions and to select among them at random. By using this QC-LDPC code as a template design, we create a spatially coupled (SC)-LDPC code as illustrated in Fig. 2 (left). The codeword length of this SC-LDPC code will be b × (l × c − m × (l − 1)), where l is the number of coupled template QC-LDPC codes and m is the coupling length expressed in terms of the number of blocks. Because there are r × c × l non-empty submatrices in the parity-check matrix of the SC-LDPC code, we can introduce the layer index (l.i.) and reduce the memory requirements as illustrated in Fig. 2 (right). In this way we do not need to store the all-zero submatrices.
For a full-rank parity-check matrix of the template QC-LDPC code, the code rate of the SC-LDPC code will be simply:
Therefore, for fixed l, by increasing the coupling length m we can reduce the code rate and thus improve the error-correction capability of the code. For the FPGA implementation of decoders for SC-LDPC codes, the interested reader is referred to our previous paper [16]. To adjust the error-correction strength depending on time-varying channel conditions, we can adapt both the template QC-LDPC code and the parameters of the corresponding SC-LDPC code. For application in the McEliece crypto-subsystem, we propose to randomly select the parameters of both the QC- and SC-LDPC designs.
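As an added example (this edit's code, not the paper's design or its FPGA implementation), the following Python builds a template QC-LDPC parity-check matrix from a shift set {S[i]}, couples l copies of it into an SC-LDPC matrix, checks the codeword-length formula b × (l × c − m × (l − 1)) and the r × c × l count of non-empty submatrices, and computes Bob's syndrome $p = xH^T$ from Section II. Since Eqn. (2) is not reproduced on this page, the block structure (block (i, j) of $H_{QC}$ is the circulant $P^{S[i]\cdot j \bmod b}$) and the coupling layout (consecutive copies placed c − m block columns apart on separate block-row bands) are assumptions of this example; no girth check is performed.

```python
# Added example: template QC-LDPC matrix, its spatial coupling, and Bob's
# syndrome. Assumed block structure (Eqn. (2) is not reproduced on the page):
# block (i, j) of H_QC is the b x b circulant P^{S[i]*j mod b}, so that
# S[0] = 0 gives a first block row made of identity matrices.


def circulant(b, shift):
    """b x b cyclic-shift permutation matrix P^shift (P^0 = I)."""
    return [[1 if (col - row) % b == shift else 0 for col in range(b)]
            for row in range(b)]


def qc_ldpc_template(b, shifts, c):
    """Template H_QC with r = len(shifts) block rows and c block columns."""
    r = len(shifts)
    H = [[0] * (c * b) for _ in range(r * b)]
    for i, s in enumerate(shifts):
        for j in range(c):
            blk = circulant(b, (s * j) % b)
            for u in range(b):
                H[i * b + u][j * b:(j + 1) * b] = blk[u]
    return H


def sc_ldpc_from_template(b, shifts, c, l, m):
    """Spatially coupled H: l copies of the template placed on consecutive
    block-row bands, each shifted right by (c - m) block columns so that
    neighbouring copies share m block columns (assumed coupling layout).
    Returns H, the number of block columns, and the non-empty submatrix count."""
    r = len(shifts)
    n_blocks = l * c - m * (l - 1)
    H = [[0] * (n_blocks * b) for _ in range(r * l * b)]
    template = qc_ldpc_template(b, shifts, c)
    for layer in range(l):
        row0, col0 = layer * r * b, layer * (c - m) * b
        for u in range(r * b):
            H[row0 + u][col0:col0 + c * b] = template[u]
    return H, n_blocks, r * c * l


def storage_ratio(shifts, c, l, m):
    """Fraction of the b x b submatrices that must be stored when only the
    non-empty ones (addressed through the layer index) are kept."""
    r = len(shifts)
    return (r * c * l) / (r * l * (l * c - m * (l - 1)))


def syndrome(x, H):
    """p = x H^T over GF(2): the parity bits Bob sends (in the clear in
    conventional reconciliation, inside the PQC subsystem in the joint scheme)."""
    return [sum(hi & xi for hi, xi in zip(row, x)) & 1 for row in H]


if __name__ == "__main__":
    b, shifts, c, l, m = 5, [0, 1, 2], 4, 3, 1        # constructed small parameters
    H, n_blocks, nonempty = sc_ldpc_from_template(b, shifts, c, l, m)
    print("codeword length", len(H[0]), "= b*(l*c - m*(l-1)) =", b * (l * c - m * (l - 1)))
    print("non-empty submatrices", nonempty, "stored fraction", storage_ratio(shifts, c, l, m))
    x = [(3 * k) % 2 for k in range(len(H[0]))]          # constructed sifted string
    print("syndrome", syndrome(x, H))
```

With the constructed parameters (b = 5, r = 3, c = 4, l = 3, m = 1) the coupled matrix has 10 block columns, a codeword length of 50 and 36 non-empty submatrices out of 90, which is the memory saving the layer index buys; increasing m with l fixed shrinks the number of block columns and hence the rate, as stated above.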

III. JOINT TF-QKD-McEliece CRYPTOSYSTEM
The proposed TF-QKD scheme with information reconciliation based on the McEliece cryptosystem is shown in Fig. 3. Stabilized CW lasers of low linewidth are used on Alice's and Bob's sides to generate global-phase-stabilized optical pulses with the help of an amplitude modulator. Alice and Bob choose random phases $\phi_A \in [0, 2\pi]$ and $\phi_B \in [0, 2\pi]$, respectively, with the corresponding phase modulators. The random phase difference between Alice and Bob is discretized so that: wherein the phase bin $\phi_k$ is discretized by $k_{A,B} \in \{0, 1, \ldots, M - 1\}$. Alice (Bob) then randomly selects whether to use the Z-basis or the X-basis. When the Z-basis is selected, the phase-randomized coherent state is sent with intensity either µ or 0. When X-basis encoding is selected, Alice and Bob employ the corresponding phase and amplitude modulators to randomly select 0 (π/2) and π (3π/2), representing logic bits 0 and 1, and such phase-encoded pulses are sent with randomly selected intensities. The corresponding quantum states generated by Alice and Bob are sent towards Charlie over the ultra-low-loss fiber link. The polarization controllers (PCs) ensure that Alice's and Bob's pulses have the same polarization. Charlie performs the Bell-state measurements (BSMs) and announces the results. Alice and Bob then disclose their phase information, that is, $k_{A,B}$ and the intensities, and these are used for parameter estimation. They keep the information related to the Z-basis confidential from Charlie, and these data are used for the raw key. Alice and Bob then perform the McEliece-encryption-based information reconciliation described below, followed by privacy amplification, to obtain the common secure key. Given that the McEliece cryptosystem [12] based on quasi-cyclic (QC)-LDPC coding is straightforward to implement, as shown in [13], while the corresponding LDPC encoders and decoders have already been implemented in FPGAs [15], it represents an excellent candidate for the transmission of parity bits in the TF-QKD scheme.
In particular, the rate-adaptive spatially coupled LDPC code derived from a QC-LDPC code, introduced in Fig. 2, is very flexible for use in both information reconciliation and the McEliece cryptosystem to encrypt the parity bits. In reverse reconciliation, based on the channel conditions, Bob selects the block columns in the template QC-LDPC code, the coupling length for the spatially coupled LDPC code design, and the number of spatially coupled blocks, and provides Alice with the details of the spatially coupled (N, K) LDPC code design. Bob further encodes the information bits u obtained during the sifting procedure by employing the selected spatially coupled LDPC code to get the parity bits (syndrome) p.
Regarding the McEliece encryption subsystem, Alice randomly chooses the number of block columns in the template parity-check matrix of the corresponding QC-LDPC code, as well as the coupling length m and the number of template QC-LDPC codes l to be used in the McEliece encryption scheme. She generates the generator matrix G based on [15], [16] and publishes the public key G' determined by $G' = S^{-1} G P'^{-1}$, where S is a non-singular scrambling matrix and P' is a permutation matrix, different from P in Eqn. (2). Bob then encodes the parity bits (syndrome vector) p as $r = pG' + e$, where e is an error pattern (vector) of low weight. Upon receiving r, Alice performs the transformation $r' = rP' = pS^{-1}G + eP'$, followed by decoding based on the parity-check matrix to obtain $p' = pS^{-1}$, and recovers p by multiplying p' by S. Alice further uses these parity bits p to perform the error reconciliation and obtain u.
Privacy amplification is then performed to distill from the corrected key a smaller set of bits whose correlation with Eve's string falls below the desired threshold, through the use of universal hash functions. Assuming that Eve employs the quantum information set decoding (QISD) attack [9], the number of parity bits N − K to be encrypted by the (n, k) LDPC-coding-based McEliece encryption scheme is upper bounded by: where t is the maximum number of errors that can be corrected by the LDPC code used in the McEliece encryption subsystem. For the high-rate QC- and spatially coupled LDPC codes used in information reconciliation, this condition is much less stringent than when McEliece encryption is used to protect the information sequence instead.
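To make the key-generation, encryption and decryption steps of the McEliece subsystem above concrete, here is an added toy instance written for this edit (not the paper's code). The algebra is the page's: $G' = S^{-1} G P'^{-1}$, $r = pG' + e$, $r' = rP' = pS^{-1}G + eP'$, decode, then $p = (pS^{-1})S$. The stand-in assumption is that a (7, 4) Hamming code with t = 1 replaces the rate-adaptive QC/SC-LDPC code, so bounded-distance decoding reduces to a syndrome lookup; all helper names and the 10-bit syndrome are constructed for the example, and the syndrome is protected k bits at a time.

```python
import random

# Added toy instance of the McEliece-style protection of the syndrome vector
# (Sec. III). Stand-in assumption: a (7, 4) Hamming code with t = 1 replaces
# the rate-adaptive QC/SC-LDPC code, so bounded-distance decoding is a
# syndrome lookup; the algebra G' = S^-1 G P'^-1, r = p G' + e, r' = r P' is
# the page's, the helper names are this example's.

HAMMING_G = [[1, 0, 0, 0, 1, 1, 0],
             [0, 1, 0, 0, 1, 0, 1],
             [0, 0, 1, 0, 0, 1, 1],
             [0, 0, 0, 1, 1, 1, 1]]   # systematic generator, k = 4, n = 7
HAMMING_H = [[1, 1, 0, 1, 1, 0, 0],
             [1, 0, 1, 1, 0, 1, 0],
             [0, 1, 1, 1, 0, 0, 1]]   # parity-check matrix, H G^T = 0
K, N = 4, 7


def gf2_matmul(A, B):
    """Matrix product over GF(2) for 0/1 row-list matrices."""
    return [[sum(A[i][t] & B[t][j] for t in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]


def gf2_inverse(M):
    """Gauss-Jordan inverse over GF(2); raises ValueError if M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            raise ValueError("singular matrix")
        A[col], A[piv] = A[piv], A[col]
        for r in range(n):
            if r != col and A[r][col]:
                A[r] = [a ^ b for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]


def transpose(M):
    return [list(col) for col in zip(*M)]


def hamming_decode(word):
    """Bounded-distance decoding (t = 1): returns (message bits, codeword)."""
    s = [sum(h & w for h, w in zip(row, word)) & 1 for row in HAMMING_H]
    c = word[:]
    if any(s):
        c[transpose(HAMMING_H).index(s)] ^= 1   # syndrome = column j -> flip bit j
    return c[:K], c


def keygen(seed=None):
    """Alice: non-singular scrambler S, permutation P', public G' = S^-1 G P'^-1."""
    rng = random.Random(seed)
    while True:
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        try:
            S_inv = gf2_inverse(S)
            break
        except ValueError:
            pass
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    G_pub = gf2_matmul(gf2_matmul(S_inv, HAMMING_G), transpose(P))  # P'^-1 = P'^T
    return {"S": S, "P": P}, G_pub


def encrypt(G_pub, p, error_pos):
    """Bob: r = p G' + e with a weight-1 error pattern e at error_pos."""
    r = gf2_matmul([p], G_pub)[0]
    r[error_pos] ^= 1
    return r


def decrypt(priv, r):
    """Alice: r' = r P' = p S^-1 G + e P', decode, then p = (p S^-1) S."""
    r_prime = gf2_matmul([r], priv["P"])[0]
    p_scrambled, _ = hamming_decode(r_prime)
    return gf2_matmul([p_scrambled], priv["S"])[0]


def encrypt_syndrome(G_pub, p_bits, seed=None):
    """Split an (N - K)-bit syndrome into k-bit blocks (zero padded) and
    encrypt each with a fresh random error position."""
    rng = random.Random(seed)
    return [encrypt(G_pub, (p_bits[i:i + K] + [0] * K)[:K], rng.randrange(N))
            for i in range(0, len(p_bits), K)]


def decrypt_syndrome(priv, blocks, length):
    """Inverse of encrypt_syndrome: concatenate block plaintexts, drop padding."""
    return [bit for r in blocks for bit in decrypt(priv, r)][:length]


if __name__ == "__main__":
    priv, pub = keygen(seed=2020)
    p = [1, 0, 1, 1, 0, 0, 1, 1, 1, 0]          # constructed 10-bit syndrome
    blocks = encrypt_syndrome(pub, p, seed=1)
    print("ciphertext blocks:", blocks)
    print("recovered:", decrypt_syndrome(priv, blocks, len(p)))
```

The permutation step matters for correctness as well as secrecy: because P' only reorders coordinates, the error pattern eP' still has weight at most t, so the private decoder can remove it, while an observer holding only G' sees a codeword of an unknown, scrambled code plus noise. In the real scheme the block size is the LDPC dimension k rather than 4, and the QISD bound above is what limits how many syndrome bits may be protected this way.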

IV. ILLUSTRATIVE SKR RESULTS
In Fig. 4 we provide comparisons of the proposed joint TF-QKD-McEliece encryption scheme against the corresponding QKD subsystems employing the phase-matching (PM) TF-QKD protocol introduced in [17], the MDI-QKD protocol [18], and the decoy-state-based BB84 protocol [11]. The system parameters are selected as follows: detector efficiency $\eta_d = 0.25$, reconciliation inefficiency $f_e = 1.15$, dark count rate $p_d = 8 \times 10^{-8}$, misalignment error $e_d = 1.5\%$, and the number of phase slices for PM TF-QKD is set to M = 16. Regarding the transmission medium, it is assumed that the recently reported ultra-low-loss fiber of attenuation 0.1419 dB/km (at 1560 nm) is used [19]. Both the PM TF-QKD and the joint TF-QKD-McEliece encryption schemes outperform the decoy-state BB84 protocol for distances larger than 162 km, while simultaneously outperforming the MDI-QKD protocol at all distances. The PM TF-QKD protocol can achieve a maximum distance of 623 km. The proposed joint TF-QKD-McEliece encryption scheme, under the QISD attack, is able to achieve a distance of 1127 km, thus significantly outperforming all other schemes. As expected, the improvement at higher normalized SKRs, such as $10^{-8}$, is moderate (122 km). To improve the SKR further, we propose to employ parallel joint TF-QKD-McEliece encryption systems using multiple photon degrees of freedom, including polarization, wavelength, OAM, and spatial modes, in a similar fashion as was done in [20].
To determine the maximum possible transmission distance using this scheme, in Fig. 5 we study the SKR vs. transmission distance of the joint MP-TF-QKD-McEliece cryptosystem, under the QISD attack, for different detector efficiencies, assuming M = 16, $f_e = 1.05$, and $p_d = 10^{-8}$. Clearly, for a detector efficiency of 0.5 the transmission distance can be extended to 1238 km. For almost ideal system parameters ($\eta_d = 0.95$, $f_e = 1.01$, and $p_d = 10^{-9}$), the maximum possible transmission distance for a normalized SKR of $10^{-13}$ is 1355 km.

V. CONCLUDING REMARKS
The DV-QKD protocols are fundamentally limited by the channel loss, as specified by the rate-loss tradeoff. To address this problem, we have proposed to employ joint QKD-post-quantum cryptosystems in which QKD is used for raw-key transmission, while the post-quantum cryptography subsystem is used to transmit the parity bits needed in information reconciliation. The proposed scheme is applicable to realistic scenarios in which Eve is not an omnipotent eavesdropper, i.e., the complexity of the algorithms used to break the protocol is not ignored. We have also described a run-time configurable spatially coupled LDPC code, derived from a template quasi-cyclic LDPC code, suitable for use in McEliece-based information reconciliation. We have demonstrated by simulations that the joint twin-field-QKD-McEliece cryptosystem, under the QISD attack, is able to achieve a record distance of 1238 km over ultra-low-loss fiber.
The proposed scheme represents an alternative to both full-scale QKD and PQC. The extension of QKD range can also be achieved by relaxing security assumptions, such as the restricted eavesdropping scenario introduced in [21].