Stream privacy amplification for quantum cryptography

Privacy amplification is the key step to guarantee the security of quantum communication. The existing security proofs require accumulating a large number of raw key bits for privacy amplification. This is similar to block ciphers in classical cryptography and delays the final key generation, since an entire block must be accumulated before privacy amplification. Moreover, any leftover errors after information reconciliation would corrupt the entire block. By modifying the security proof based on quantum error correction, we develop a stream privacy amplification scheme, which resembles the classical stream cipher. This scheme can output the final key in a stream way, prevent errors from spreading, and hence can put privacy amplification before information reconciliation. The stream scheme can also help to enhance the security of trusted-relay quantum networks. Inspired by the connection between stream ciphers and quantum error correction in our security analysis, we further develop a generic information-theoretic tool to study the security of classical encryption algorithms.


I. INTRODUCTION
As one of the first applications of quantum-information science, quantum key distribution (QKD) aims at establishing an information-theoretic secure key between two distant parties, Alice and Bob [1,2]. It applies fundamental laws of quantum physics to guarantee secure communication. The procedures of QKD can be divided into two parts: quantum operation and data postprocessing. Quantum operation includes the preparation, transmission, and measurement of quantum states for Alice and Bob to share raw key bits. The purpose of postprocessing is to extract an identical and private key from the raw data. This can be guaranteed by information reconciliation and privacy amplification, where the former guarantees the identity of key strings and the latter removes any potential information leakage to a possible eavesdropper, Eve [3,4].
Over the past three decades of development, QKD has experienced tremendous advancement from initial demonstrations in laboratories to practical implementation [5]. In fiber, the communication distance has been pushed over 500 km [6,7]. Using quantum satellites, the communication distance has reached an intercontinental level [8]. Researchers have also pushed QKD to a secret key rate of more than 10 Mbits/s [9]. In addition to point-to-point linking, a number of field-test QKD networks have been conducted in many countries [10][11][12][13][14][15]. In particular, China has recently successfully completed the 2000-km-long fiber-optic backbone link between Beijing and Shanghai [16]. Therefore, QKD is already a mature technique for real-life applications [17].
With the exciting developments on the experimental side, improving the practicality of QKD systems has become one of the essential issues in the field. Among all the stages in a QKD session, privacy amplification is one of the bottlenecks, which might still be technically difficult to implement in some realistic conditions. Existing privacy-amplification methods run as follows. After information reconciliation, Alice randomly chooses a hash function and sends it to Bob via a public classical channel. Both users hash their reconciled key strings with the hash function and obtain the final key. In practice, the family of Toeplitz-matrix hashing is widely adopted. Due to the matrix multiplication, privacy amplification can only process a block of reconciled key bits at a time. Though recent security-analysis techniques have shown that the key rate can still be positive, with critical block sizes on the order of kilobits [18], smaller block sizes tend to make privacy amplification inefficient, resulting in lower key rates. To guarantee the efficiency of privacy amplification, the block size is normally large in practice, typically on the order of megabits [18]. Alice and Bob cannot perform privacy amplification until they accumulate an entire block of a reconciled key. This block feature of privacy amplification would cause unpleasant delays in some practical scenarios. For instance, in the satellite case, since the quantum signals can be transferred only when the ground station can "see" the satellite with a clear atmosphere, it may take the satellite several orbits to accumulate enough data for one block of privacy amplification. Due to the unpredictable condition of the atmosphere, such a delay could take as long as days [19].
There are other cases where block privacy amplification could cause problems. If the ratio of the reconciled key to the final key is extremely large, the computational cost for the hash function can be very heavy. Such an issue has been encountered in randomness extraction of quantum random number generation (QRNG) as well, especially in the device-independent case [20]. Due to the similarity between the definitions of randomness extraction and privacy amplification [21], randomness extractors can be constructed by using universal hashing functions [22,23] and have the same block feature as existing privacy-amplification schemes. The problem of the heavy computational cost is more serious in QRNG due to the larger amount of data and it restricts further improvement of the real-time generation speed.
Moreover, with block privacy amplification, the leftover error in information reconciliation would spread out to the entire block. Information reconciliation is normally done by bilateral error correction. For some error-correction schemes, there is a small probability of leaving some errors uncorrected. If Alice's and Bob's two strings are not exactly the same, the output strings from block privacy amplification will be totally different due to the universal property of the hash family.
Furthermore, existing quantum network implementations rely on trusted relays for key distribution [16], due to the limited transmission distance of point-to-point QKD links. Trusted QKD networks have been widely used in building intercity or backbone QKD communication links, such as the Hefei network [24] and the Beijing-Shanghai backbone link [16]. In the trusted-network scenario, all intermediate relays must be trusted because each of the relays can produce the final key. If one relay becomes compromised, the security of the whole network will be seriously threatened. In practice, it is challenging and expensive to guarantee high-level secure relays, which hinders the further commercialization and application of QKD. There are some attempts to reduce the dependence on trusted relays. Unfortunately, these solutions either require duplicate resources [25] or still assume that the intermediate relays do not attack the network intentionally [26].
To address these issues, we reexamine the security proof for QKD based on quantum error correction [27], where privacy amplification is reduced from phase-error correction [28]. As a clear and simple showcase, we mainly focus on the Bennett-Brassard-1984 QKD protocol (BB84) [1] and go back to the original Lo-Chau security proof [27]. By rearranging the phase-error-correcting gates and error-syndrome measurement, we divide privacy amplification into two steps: (a) generate pseudorandom bits from a preshared key seed and a hash function; and (b) XOR the pseudorandom string from (a) and the reconciled key. We also prove that the hashing matrix in (a) can be reused. Then, Alice and Bob can generate pseudorandom bits offline. For real-time privacy amplification, they only need to perform the XOR operation in a bitwise manner. In the spirit of stream ciphers, the new scheme is conceptually different from the existing block privacy-amplification schemes. Such an essential difference gives the new scheme the following practical features: (1) it can output final key bits in a stream way; (2) it will not spread the errors of the input bit strings; and (3) it can be carried out ahead of information reconciliation.
The rest of this paper is organized as follows. In Sec. II, we review QKD protocols and recap the security proof based on quantum error correction and its reduction to the prepare-and-measure case. In Sec. III, we reduce quantum phase-error correction to a new privacy-amplification procedure with a stream output and introduce its possible combination with delayed privacy amplification, classical cryptography, and QRNG. Finally, we conclude the paper and discuss possible future directions in Sec. IV.

A. QKD protocols and security definition
Here, we introduce the first and probably the most well-known QKD protocol, BB84 [1], and its entanglement version, Bennett-Brassard-Mermin-1992 (BBM92) [29]. Then, we show how their security can be established.
The procedures of the BB84 protocol are listed in Box 1. Alice and Bob have a quantum channel for state transmission and an authenticated classical channel for data postprocessing. In practice, photons are widely used as the information carrier in quantum communication. Various degrees of freedom of a photon can be used for qubit encoding. For example, the four BB84 states $\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ can be encoded into four polarization states of a photon, namely, vertical, horizontal, 45°, and 135°, respectively.
Box 1: BB84 protocol [1], a prepare-and-measure protocol.
(2) State transmission and measurement: Alice sends the encoded qubits to Bob through a quantum channel. Bob measures each received qubit in the Z or X basis randomly.
(3) Key sifting: Alice and Bob announce their choices of bases publicly through an authenticated classical channel. They keep only the bits where they use the same bases and discard the rest. They accumulate n sifted key bits.
(4) Key distillation: Alice and Bob perform classical postprocessing, including information reconciliation and privacy amplification, to generate a secret key from the n-bit sifted key.
When Alice prepares a qubit in the Z basis and Bob measures in the same basis, an error occurs when their bit values are different. The errors in the Z basis are called bit errors. Similarly, when they operate in the X basis, a phase error occurs when their bits are different. Let us denote the bit- and phase-error rates by $e_b$ and $e_p$, respectively:

$$e_b = \frac{\text{number of bit errors}}{n}, \qquad e_p = \frac{\text{number of phase errors}}{n}. \quad (1)$$

Measurements on the two bases are noncommuting. Due to quantum mechanics, with any attempt to extract nontrivial information from the qubits, Eve would inevitably introduce disturbance, such as errors, making $e_b, e_p \neq 0$.

(2) State storage: Upon receiving a qubit, Bob stores the state in quantum memories. If the qubit has been lost in the channel or the quantum storage fails, they discard the pair.
(3) Quantum error correction: Alice and Bob measure a random sample of the stored qubit pairs to estimate the quantum bit- and phase-error rates, $e_b$ and $e_p$. They apply quantum error correction to the remaining stored qubit pairs. They share n (almost) perfect EPR pairs.
(4) Key measurement: Both Alice and Bob measure the EPR pairs in the local Z basis to obtain the final key.
For the key-distribution task, Alice and Bob need to make sure that their key bit strings are identical and uniformly random from Eve's point of view. To satisfy these two requirements, the ideal key state shared by Alice and Bob, and any outside adversary Eve, is defined to be the following classical-classical-quantum state: where systems A, B are keys held by Alice and Bob and system E is held by Eve. In the ideal key state, Alice's and Bob's key bit strings are identical. Eve's system $\rho_E$ is independent of the key k, which brings her no more information about the key string than a random guess. This definition follows the works of Ben-Or et al. [30] and Renner and König [31].
In practice, however, Alice and Bob cannot generate an ideal key. It is reasonable to allow for a small failure probability. That is, Alice and Bob can generate a key state that is very close to an ideal one. To put the idea into a rigorous form, if the realistic key state satisfies the protocol will be ε secure. Here, the distance measure is the trace distance. For two density matrices ρ, σ, the measure is defined as where $\lambda_i$ are eigenvalues of the operator ρ − σ. The trace-distance measure is chosen because it satisfies the requirements of a composable-security framework [30,31].
Definition 1 (QKD ε security). A QKD protocol is ε secure if the generated state $\rho_{\text{key}}$ given in Eq. (3) is ε close to the ideal key state $\rho_{\text{ideal}}$ given in Eq. (2) with respect to the trace-distance definition.
This definition, usually referred to as soundness, guarantees that once the protocol is not aborted, the generated key is private with a high probability. In the composable-security framework, there is another security parameter, completeness (i.e., the protocol success probability), which guarantees that a protocol is not trivial and that it does not always abort. For most protocols, completeness can be easily established, so we do not discuss the completeness parameter in this work. To connect the security definition and the EPR pairs, we employ the following lemma.
Lemma 1 (Lemma 1 in [18]). If Alice and Bob share a quantum state $\rho_{AB}$ that is $\varepsilon_f$ close to the ideal key state before projective measurements onto $|\Phi^+\rangle^{\otimes n}$, i.e.,
then the QKD protocol is

Combining Lemma 1 and the security definition, we can conclude that if the state $\rho_{AB}$ shared by Alice and Bob before the measurement of a QKD protocol satisfies Eq. (6) with a small $\varepsilon_f$, this protocol is ε secure. Therefore, the security of QKD is closely related to entanglement and the purpose of the security proof is to realize Eq. (6).

B. Security analysis based on quantum error correction
In establishing the security analysis of QKD, important tools such as entanglement distillation [32] and quantum error correction have been proposed and developed. A profound discovery is the connection between key privacy and entanglement. The number of generated keys can be elegantly linked with distillable entanglement under local operations and classical communication [27]. One can distill almost perfect entanglement via quantum bit- and phase-error correction before measuring the quantum state to obtain the final key. Though security can be proven via entanglement distillation, one does not need to carry out this procedure in reality. Quantum bit- and phase-error correction can be carried out using classical means once the parameters are well estimated in the virtual quantum scenario [28]. In this framework, quantum bit-error correction corresponds to information reconciliation and quantum phase-error correction is transformed into privacy amplification. Below, we briefly introduce the security analysis based on quantum error correction [27,28]. In the following discussions, we call a state transmission and measurement that generates a pair of raw key bits a QKD round. After many rounds, Alice and Bob accumulate enough raw key bits as a block for postprocessing, which we call a QKD session.
Alice and Bob aim to establish a perfect Einstein-Podolsky-Rosen (EPR) pair $|\Phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$ for each round, where $|0\rangle$ and $|1\rangle$ are the eigenstates of the Pauli operator $\sigma_z$. Due to channel disturbance or Eve's interference, the EPR pairs shared by Alice and Bob after n rounds of state transmission are usually imperfect. We denote the state of these data pairs as $\rho_{AB}$. The difference between $\rho_{AB}$ and $|\Phi^+\rangle\langle\Phi^+|^{\otimes n}$ can be seen as disturbance and can be characterized by the bit-error rate $e_b$ and the phase-error rate $e_p$: where $\sigma_x$ is another Pauli operation and we take the Z basis for key generation. The values of $e_b$ and $e_p$ can be obtained by parameter estimation. Here, the bit- and phase-error rates defined in Eq. (7) are consistent with those in Eq. (1). Note that Eq. (1) defines error frequencies, while Eq. (7) defines error probabilities. Strictly speaking, these two definitions are only the same in the infinite-data-size limit, n → ∞. In the finite-data-size regime, there is a deviation between them, caused by statistical fluctuations. For simplicity, we ignore the difference for the moment and we take it into account in the evaluation of the failure probability of quantum error correction.
If $e_b = e_p = 0$, this means that for the pair of qubits ρ in each round, which indicates that $\rho = |\Phi^+\rangle\langle\Phi^+|$. To realize Eqs. (8) and (9), Alice and Bob can apply the quantum circuit shown in Figure 1 to do the quantum bit- and phase-error correction. Quantum bit-error correction guarantees Eq. (8) and quantum phase-error correction guarantees Eq. (9). The cost of quantum error correction comes from the ancillary EPR pairs used during the procedure. As an analog to the cost in classical error correction, the number of ancillary EPR pairs equals the number of parity check bits. Then, bit- and phase-error correction will cost $t_b = nh(e_b)$ and $t_p = nh(e_p)$ ancillary EPR pairs, respectively, where $h(x) = -x\log(x) - (1-x)\log(1-x)$ is the binary entropy function. Throughout this work, all logarithms are base 2. These costs can be derived from the cost in classical error correction, the details of which we leave to Appendix A. Therefore, the net generation rate of EPR pairs is given by [28], We can further reduce the procedure to a prepare-and-measure one by moving the final measurement to the front of quantum error correction. The reduction of quantum bit-error correction is straightforward, since all the operations can be done equivalently on classical data bits and it finally becomes information reconciliation. In contrast, the final measurement cannot be moved ahead of the quantum phase-error correction directly. Alice and Bob can replace the final measurements with a properly chosen joint measurement, which can be moved ahead of quantum phase-error correction [28]. Then the joint measurement becomes a classical operation called privacy amplification. Finally, quantum error correction is reduced to a "measurement + postprocessing" procedure. The reduction is in the spirit of the Shor-Preskill security proof [28]. We leave the details to Appendices C and D.
Due to the joint measurement, each final key bit depends on the measurement results from all the n data qubits. Hence, for privacy amplification, Alice and Bob need to wait for all the quantum states to be transmitted and measured in a QKD session. We call this block privacy amplification.

A. Reduction of quantum error correction
In the aforementioned reduction, Alice and Bob cannot move the final key measurement ahead of phase-error correction directly. The main obstacle is that the Hadamard gate does not commute with the dephasing operation caused by the final key measurement, where $\rho_A$ denotes the state that Alice holds and the dephasing operation is defined with respect to the key-measurement basis $Z^{\otimes n}$ with outcomes k. The operation on Bob's side is similar. In the Shor-Preskill reduction, Alice and Bob essentially construct a joint Z-basis measurement that commutes with hash operations to circumvent this problem. As a result, this makes privacy amplification operate in blocks. Here, we rearrange the reduction of the phase-error-correcting gates and keep the individual Z-basis measurements in the quantum phase-error correction. Consequently, we can realize stream privacy amplification.
The key idea of the new reduction is to cancel all the Hadamard gates in quantum phase-error correction, shown in Figure 1. The controlled-NOT (CNOT) gate in the circuit always appears in pairs on Alice's and Bob's sides. We focus on one pair of CNOT gates in the quantum phase-error-correction part, as depicted in Figure 2(a). First, noting that $H^2 = I$, we add two consecutive Hadamard gates after each output qubit of the CNOT gate. Then, the four Hadamard gates before and after each CNOT gate exchange the roles of the control and target qubits, $H^{\otimes 2} C_{\alpha\beta} H^{\otimes 2} = C_{\beta\alpha}$, where $C_{\alpha\beta}$ denotes a CNOT gate with control qubit α and target qubit β and $C_{\beta\alpha}$ is the other way around. For Bob's data qubit, the phase-error-correcting operator $I/\sigma_x$ becomes $I/\sigma_z$ since $\sigma_z = H\sigma_x H$. Hence, we prove that circuits (a) and (b) in Figure 2 are equivalent. Since the new phase-error-correcting operator $I/\sigma_z$ does not affect the Z-basis measurement, this step can be skipped along with the error-syndrome measurements on the ancillary qubits. The remaining operations commute with the dephasing operation, $\Delta_{Z^{\otimes n}}$. Alice and Bob can add Z-basis measurements on ancillary qubits after the CNOT gates, since they are irrelevant at that point. Finally, they can move the final measurement ahead of quantum error correction, as shown in Figure 2(c). So far, we have only considered one CNOT gate. The hash operation in phase-error correction shown in Figure 1 is composed of many CNOT gates. This reduction also works for the general hash-operation case. With this argument, by inserting consecutive Hadamard gates $H^2 = I$ after each CNOT gate of the phase-error-correction part in Figure 1, we can reduce the whole quantum error-correction circuit to the "measurement + postprocessing" case, as shown in Figure 2(d).
With the new reduction, the final key is determined by single-qubit measurements plus bit flips. The Z-basis measurement on the ancillary EPR pairs will provide Alice and Bob with a secure key seed. The bit flips are controlled by the seed and the hashing matrix. Then, the ith final key bit, extracted from the ith data qubit, is independent of the other data qubits. Hence, the new procedure can output the final key in a stream, i.e., the users can obtain a secure key bit once a pair of raw key bits is reconciled successfully between Alice and Bob. Following the term "stream cipher" in classical cryptography, we call this stream privacy amplification, as presented in Box 3. The hashing matrix M in step (1) is the transpose of the original hashing matrix used in the quantum phase-error-correction phase of Figure 1, because the original hashing matrix acts on the X basis while M acts on the Z basis. The cost of stream privacy amplification lies in step (2), where $nh(e_p)$ preshared secure bits are consumed. The final key rate matches Eq. (10). Note that we consider the infinite-data-size limit here. The finite-data-size effects due to statistical fluctuations have been well considered in the literature and are shown in Appendix A.
Note that the dot product between the row vector and the matrix is taken with modulo-2 addition.

The final key is given by
With the above deduction, the failure probability of privacy amplification ε is given by that of quantum phase-error correction. Given a phase-error pattern from a typical set determined by parameter estimation, a randomly chosen hash function can identify it with a high probability 1 − ε. This is the reason why Alice and Bob need a random hashing matrix in step (1) of Box 3. Details of error correction and its failure probability are presented in Appendix A.
Note that the phase-error pattern must be set before choosing the random hash function. That is, Eve cannot know the hashing matrix before Alice and Bob obtain the raw key bits. Naively, Alice can randomly pick a matrix and send it to Bob via an authenticated but nonencrypted channel, as in the conventional case in block privacy amplification. Since this public transmission of the hashing matrix must be done after quantum measurement, Alice and Bob have to wait for the whole block to be transmitted and measured. Then, they lose the "stream" property in privacy amplification.
To solve this problem, we apply a different approach, in which Alice and Bob generate an identical random hashing matrix locally with a preshared key and never reveal it in public. Then, they can prepare this matrix [step (1)] and the pseudorandom string [step (2)] before quantum transmission. A naive implementation of this approach, in which Alice and Bob generate M and d in each run of the privacy amplification, could consume too many preshared secure bits, as for most of the universal hashing matrices, the number of random bits required to generate the matrix is larger than the data size n. Fortunately, with the following theorem, Alice and Bob can reuse the private hashing matrix in multiple QKD sessions with a failure probability that increases linearly, satisfying the composable-security definition [30,31]. Since the failure probability can be exponentially small, the same hashing matrix can be used for many QKD sessions. Therefore, the cost of generating this hashing matrix is shared with these sessions, making the average cost negligible.
Theorem 1 (Reuse of hashing matrix in privacy amplification). Given a QKD session, the failure probability of a randomly chosen hashing matrix for privacy amplification is upper bounded by ε. Then, for m QKD sessions, if Alice and Bob apply the same randomly chosen matrix for each session, the probability that privacy amplification fails in at least one session is upper bounded by mε.
Proof. Following the aforementioned deduction of quantum error correction, the failure probability of privacy amplification is determined by phase-error correction. Now, the question becomes: given m phase-error patterns, if Alice and Bob randomly pick a hash function to correct all the errors, what is the probability that at least one phase-error pattern is unsuccessfully corrected? In Appendix B, we provide the failure probability of reusing hash functions for error correction, as given by Lemma 4. Using this result, the answer to the above question is mε.
Note that this conclusion is consistent with Lemma III.1 in [22], which obtains similar findings in randomness extraction. Theorem 1 in [31] also implies the reuse of seeds in QKD schemes.
Before running QKD sessions, Alice and Bob can perform steps (1) and (2) in Box 3 and prepare the pseudorandom string in advance. They only need to run step (3) in privacy amplification during real-time QKD, which is essentially composed of simple XOR operations and is much faster than hash operations. In block privacy amplification, the computational complexity of the matrix multiplication with Toeplitz hashing is O(n log n) with the fast-Fourier-transform algorithm, where n is the length of the reconciled key string [23,33]. In contrast, the computational complexity of step (3) is n and hence stream privacy amplification is faster in real-time QKD, especially when the data size is large.
In reality, Alice and Bob need parameter estimation before privacy amplification. This might restrict the "stream" feature since the parameters cannot be accurately estimated until the whole data block is accumulated. Nevertheless, when the link between Alice and Bob is stable, they can foresee the parameters and apply them to stream privacy amplification. In practice, it is not difficult to maintain stability in a quantum communication network [16]. In addition, the users can double check the parameters after the transmission of the whole block. If the predicted parameters are within a reasonable range, they keep the key. Otherwise, if the actual parameters show that the implemented privacy amplification cannot guarantee security, this implies that the length of the seed chosen in step (2) of Box 3 is insufficient. Alice and Bob can then choose another seed, according to the difference between the predicted and actual parameters, to carry out additional privacy amplification on the key to make it secure.
Note that the stream scheme can work for any block size in QKD implementations. In order to make privacy amplification efficient, Alice and Bob can employ a large data size without causing delays in real-time key generation. Compared with the previous ones, the unique feature of the new scheme, stream output, can make QKD more practical in scenarios such as the satellite-to-ground link [8].
Moreover, the bit-error locations in the input string will remain the same after stream privacy amplification, since the final key bit is only determined by the pseudorandom bit and the raw key bit at the same location. As a result, the errors will not spread out, and then privacy amplification can even be performed ahead of information reconciliation. This feature increases the flexibility of data postprocessing. For example, privacy amplification and information reconciliation can be performed in parallel. The recently proposed scenario of distributed private randomness distillation [34] is also a potential application of the new scheme.
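As an added example (not code from the paper), the following Python script implements the three steps of Box 3 as described in the text: a hashing matrix M derived from a preshared seed (a Toeplitz matrix here, which is an assumption; any universal hash family would do), the pseudorandom string d·M over GF(2) with the seed length n h(e_p), and the bitwise XOR with the reconciled key. It also checks the error-locality claim above against conventional block hashing with an (n − t)×n Toeplitz matrix, on constructed inputs where Bob's reconciled string carries one leftover error. Sizes, seeds and inputs are constructed for illustration; the matrix arithmetic is plain Python over small n, whereas a real implementation would use FFT-based Toeplitz multiplication.

```python
import math
import random


def binary_entropy(x):
    """h(x) = -x log2 x - (1-x) log2 (1-x), with h(0) = h(1) = 0 (all logs base 2)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def seed_length(n, e_p):
    """Preshared bits consumed by step (2) of Box 3: n*h(e_p), rounded up to whole bits."""
    return math.ceil(n * binary_entropy(e_p))


def toeplitz_matrix(rows, cols, rng):
    """rows x cols Toeplitz matrix over GF(2) built from rows+cols-1 random bits.
    M[i][j] depends only on i-j, so a single diagonal vector fixes the whole matrix."""
    diag = [rng.randrange(2) for _ in range(rows + cols - 1)]
    return [[diag[i - j + cols - 1] for j in range(cols)] for i in range(rows)]


def pseudorandom_string(d, M):
    """Step (2): row vector d (t bits) times M (t x n) with modulo-2 addition -> n bits."""
    t, n = len(M), len(M[0])
    assert len(d) == t, "seed length must equal the number of rows of M"
    return [sum(d[i] & M[i][j] for i in range(t)) % 2 for j in range(n)]


def stream_pa(a, pad):
    """Step (3): bitwise XOR. Bit i of the output depends only on a[i] and pad[i],
    so it can be produced as soon as raw bit i is available."""
    return [x ^ y for x, y in zip(a, pad)]


def block_pa(a, H):
    """Conventional block PA: k = H a over GF(2), H an l x n hash matrix, output l bits."""
    return [sum(H[i][j] & a[j] for j in range(len(a))) % 2 for i in range(len(H))]


def differing_positions(x, y):
    return [i for i, (p, q) in enumerate(zip(x, y)) if p != q]


def demo(n=32, e_p=0.05, flip=7, seed=1):
    rng = random.Random(seed)
    t = seed_length(n, e_p)
    # Step (1): M from a preshared secret seed; Theorem 1 allows reusing it across sessions.
    M = toeplitz_matrix(t, n, rng)
    # Constructed inputs: Alice's reconciled key, and Bob's copy with one leftover error.
    a_alice = [rng.randrange(2) for _ in range(n)]
    a_bob = a_alice[:]
    a_bob[flip] ^= 1
    # Fresh private seed d for this session, then the pad and the final keys.
    d = [rng.randrange(2) for _ in range(t)]
    pad = pseudorandom_string(d, M)
    k_alice = stream_pa(a_alice, pad)
    k_bob = stream_pa(a_bob, pad)
    # Block PA for comparison: an (n - t) x n Toeplitz hash applied to both strings.
    H = toeplitz_matrix(n - t, n, rng)
    b_alice = block_pa(a_alice, H)
    b_bob = block_pa(a_bob, H)
    return {
        "t": t,
        "stream_diff": differing_positions(k_alice, k_bob),
        "block_diff": differing_positions(b_alice, b_bob),
        # A single flipped input bit changes block output wherever column `flip` of H is 1.
        "block_column_weight": sum(H[i][flip] for i in range(n - t)),
    }


if __name__ == "__main__":
    print(demo())
```

With n = 32 and e_p = 0.05 the seed costs 10 bits, the stream output differs between Alice and Bob only at the flipped position, and the block output differs in as many positions as the weight of the corresponding column of H, i.e. roughly half the block.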

B. Application I: Enhancing the security of trusted-relay QKD network
The major issue of a trusted-relay QKD network lies in the trustworthiness of the intermediate nodes. There are some attempts to reduce the requirement on trusted relays, one of which is delayed privacy amplification [35,36]. In the normal case, all the QKD links between two end users, Alice and Bob, will generate secure keys between neighboring nodes. Then, the intermediate relays swap the keys by announcing the XOR results of two keys generated with two neighbors. In the delayed privacy amplification case, the relays swap the key right after information reconciliation. Then, Alice and Bob perform privacy amplification without the relays. In this case, they can eliminate the relays from the final key generation process. That is, the relays do not obtain the final key directly. Of course, if the relays listen to classical communication to obtain privacy amplification matrices, they can still obtain the whole final key string. Therefore, the delayed privacy amplification scheme only works for honest but curious relays. Now, we can combine stream privacy amplification with delayed privacy amplification to further reduce the trustworthiness of the intermediate relays. After information reconciliation, all relays swap their keys by announcing the XOR results of two neighboring keys. Then, Alice and Bob will share a reconciled key string a, which is also known to the relays. Note that Alice and Bob perform the steps in Box 3 locally. In particular, in step (2), they generate the pseudorandom string $d \cdot M$ privately. Hence, the relays cannot know the final key without $d \cdot M$. If the relays want to learn the final key, they need to figure out d and M. The seed d is private and changes in every QKD session. The hashing matrix M, on the other hand, is reused for many sessions in stream privacy amplification, so the relays might figure it out from final and reconciled key strings in past sessions by methods such as differential cryptanalysis. These analysis methods often consume a lot of computational resources. For an even higher security level with fewer assumptions on the relays, we can add another layer of security based on the computational complexity on the intermediate nodes. In practice, this combined scheme further reduces the requirement of the trustworthiness of the relays and enhances the security of trusted-relay QKD networks.
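To make the relay's view concrete, here is an added Python model (not from the paper) of one relay between Alice and Bob under delayed privacy amplification. The relay announces the XOR of its two reconciled link keys, after which Alice and Bob either (i) apply a hash matrix H that was announced over the public channel, which the listening relay can apply just as well, or (ii) apply step (3) of Box 3 with the private string d·M that is never announced. The function names, sizes and random inputs are constructed assumptions; M is drawn as a plain random matrix standing in for the preshared-seed construction of step (1).

```python
import random


def xor(x, y):
    return [p ^ q for p, q in zip(x, y)]


def random_bits(n, rng):
    return [rng.randrange(2) for _ in range(n)]


def matvec_gf2(H, a):
    """Block hashing k = H a over GF(2); H is l x n, a is n bits."""
    return [sum(H[i][j] & a[j] for j in range(len(a))) % 2 for i in range(len(H))]


def vecmat_gf2(d, M):
    """Pseudorandom string d.M of Box 3 over GF(2); d is t bits, M is t x n."""
    return [sum(d[i] & M[i][j] for i in range(len(d))) % 2 for j in range(len(M[0]))]


def relay_announce(k_ar, k_rb):
    """Key swapping at the relay: the XOR of its two reconciled link keys is made public."""
    return xor(k_ar, k_rb)


def delayed_pa_public_hash(k_ar, k_rb, H):
    """Delayed PA with a publicly announced hash H.
    Returns Alice's key, Bob's key, and what a relay listening to the channel computes."""
    bob_a = xor(relay_announce(k_ar, k_rb), k_rb)   # Bob recovers the Alice-relay link key
    return matvec_gf2(H, k_ar), matvec_gf2(H, bob_a), matvec_gf2(H, k_ar)


def delayed_stream_pa(k_ar, k_rb, d, M):
    """Delayed PA combined with stream PA: d and M stay local to Alice and Bob,
    so the relay is left with the reconciled string a only."""
    bob_a = xor(relay_announce(k_ar, k_rb), k_rb)
    pad = vecmat_gf2(d, M)
    return xor(k_ar, pad), xor(bob_a, pad), k_ar


def demo(n=24, t=8, seed=3):
    rng = random.Random(seed)
    k_ar = random_bits(n, rng)   # constructed reconciled key on the Alice-relay link
    k_rb = random_bits(n, rng)   # constructed reconciled key on the relay-Bob link
    H = [random_bits(n, rng) for _ in range(n - t)]   # public (n-t) x n hash matrix
    M = [random_bits(n, rng) for _ in range(t)]       # private t x n matrix (step 1)
    d = random_bits(t, rng)                           # fresh private per-session seed
    a_pub, b_pub, relay_pub = delayed_pa_public_hash(k_ar, k_rb, H)
    a_str, b_str, relay_str = delayed_stream_pa(k_ar, k_rb, d, M)
    pad = vecmat_gf2(d, M)
    return {
        "public_hash_keys_match": a_pub == b_pub,
        "public_hash_relay_learns_key": relay_pub == a_pub,
        "stream_keys_match": a_str == b_str,
        # The relay's best guess (a itself) is wrong exactly where the private pad is 1.
        "stream_relay_wrong_positions": len([i for i in range(n) if relay_str[i] != a_str[i]]),
        "pad_weight": sum(pad),
    }


if __name__ == "__main__":
    print(demo())
```

In case (i) the relay reproduces the final key exactly, which is the honest-but-curious limitation stated above; in case (ii) both end users still agree on the key, while the relay's knowledge differs from it in every position where the private pad bit is 1.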

C. Application II: Information-theoretic toolbox for classical encryption analysis
There is an interesting property of the pseudorandom string $d \cdot M$ generated in step (2) of Box 3. On the one hand, parameter estimation provides an upper bound on the information leakage of $nh(e_p)$ bits about the raw key string a. On the other hand, the security proof guarantees that the information leakage is removed via the simple XOR operation $k = d \cdot M \oplus a$. This implies that $d \cdot M$ has at least an $nh(e_p)$-bit uncertainty to Eve. In the security analysis, we do not assume in advance which part of the $nh(e_p)$-bit information on a is known by Eve. Then, for any $nh(e_p)$ bits from $d \cdot M$, the corresponding $nh(e_p)$-bit substring will be uniformly distributed from Eve's point of view, as shown in Figure 3. This property is called k-wise independence in classical cryptography and is an essential requirement of many stream ciphers [37]. The above observation inspires a new tool for the security analysis of classical encryption based on quantum phase-error correction. First, we note that the hash function for phase-error correction is not necessarily linear. Alice and Bob can employ an arbitrarily nonlinear code to extend the seed to a pseudorandom string in step (2) of Box 3, as shown in Figure 4(a). This extension operation can be treated as a pseudorandom number generator. Second, we can further generalize this stream privacy amplification as a joint function of the reconciled key and the seed, as shown in Figure 4(b). The joint operation can be treated as a classical encryption box. Alice and Bob can employ sophisticated schemes here, such as the advanced encryption standard (AES) and lattice-based encryption algorithms. Third, we can express the classical operation in the quantum form, as a joint operation Λ acting on data and ancillary qubits, as shown in Figure 4(c). Since the operation is classical, Λ commutes with the dephasing operation in Eq. (11): $\Lambda[\Delta_{Z^{\otimes n}}(\rho)] = \Delta_{Z^{\otimes n}}[\Lambda(\rho)]$. By definition, Λ is a dephasing incoherent operation (DIO) [38]. At last, we can move Λ ahead of measurement. Since phase-error correction is virtual in the security analysis, Alice and Bob can add an extra operation Ω on the ancillary qubits if necessary, as shown in Figure 4(d). Alice and Bob exchange the measurement results of the ancillary qubits as a phase-error syndrome, which should give information about the phase errors of the data qubits. According to the security analysis, Alice and Bob do not need to actually correct phase errors since this will not affect the final key. Then, Alice and Bob can add an extra virtual operation Ω on the ancillary qubits between Λ and measurement. They can optimize Ω to maximize the error-correction capability provided by Λ. The security of the final output of the classical encryption will be determined by the phase-error-correction capability of the corresponding code. Since we consider the most general attacks in QKD, the method provides a generic information-theoretic analysis tool for classical encryption algorithms.

D. Application III: Stream randomness extraction
Besides QKD, privacy amplification also plays a vital role in many other quantum cryptographic tasks, such as QRNG. In general, the raw data generated by a practical QRNG system are not uniformly random. Due to device imperfections, some information about the raw data might even be leaked, which could lead to potential security loopholes. Thus, the user Alice needs to apply randomness extraction to the raw data. By definition, randomness extraction is essentially the same as privacy amplification. As a result, the stream privacy-amplification technique can be directly applied to QRNG as stream randomness extraction.
In QRNG, the amount of intrinsic randomness in the raw data is usually quantified in terms of min-entropy [39]. This randomness measure can be converted into a number of phase errors in a virtual quantum error-correction protocol [40]. Then, one can convert common block randomness extraction into a stream form, as presented in Box 4.

Box 4: Stream randomness extraction
Alice generates a raw bit string from the QRNG device, denoted as a ∈ {0,1}^n, whose min-entropy is H_min.
1. Alice randomly chooses a hashing matrix M of size (n − H_min) × n.
2. Alice uses an (n − H_min)-bit seed, d ∈ {0,1}^{n−H_min}, to generate a pseudorandom string, d • M, where the product of the row vector and the matrix is taken with modulo-2 addition.

The final random bit string is given by
For the data postprocessing of a practical QRNG, stream randomness extraction can be a favored choice. In this context, Alice can fully characterize the quantum devices in use and hence has good empirical knowledge of the randomness generation rate. In other words, the min-entropy of the output randomness can be well predicted in advance. With this property, steps (1) and (2) in Box 4 can be done separately in advance without access to the raw data. This enables the main steps of postprocessing to be carried out in parallel with the generation of raw data, which can reduce the storage requirements and modularize quantum random number generators. In addition, the computational complexity of the real-time postprocessing [step (3)] is only n and hence helps to solve the current bottleneck of real-time random number generation: slow extraction.
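As an added worked example (not code from the paper), the following Python models steps (1) to (3) of Box 4, and equivalently of Box 3 with m = nh(e_p) rows, using a Toeplitz hashing matrix as in Appendix C; the free bits, seed and raw string are constructed here for illustration, and step (3) is taken to be k = d • M ⊕ a as in Box 3.

```python
import secrets

def toeplitz_matrix(free_bits, m, n):
    """Build an m x n Toeplitz matrix over GF(2) from its m+n-1 free bits.
    Entry M[i][j] depends only on the diagonal index i - j (Appendix C), so
    free_bits[i - j + n - 1] is the value shared by the whole diagonal."""
    assert len(free_bits) == m + n - 1
    return [[free_bits[i - j + n - 1] for j in range(n)] for i in range(m)]

def random_toeplitz(m, n):
    """Step (1): choose the hashing matrix by drawing its free bits at random."""
    return toeplitz_matrix([secrets.randbits(1) for _ in range(m + n - 1)], m, n)

def pseudorandom_string(seed, matrix):
    """Step (2): d . M with modulo-2 addition.  Bit j is the inner product of
    the seed with column j of M, so the string can be prepared before any raw
    data exist (the point made above for QRNG postprocessing)."""
    assert len(seed) == len(matrix)
    n = len(matrix[0])
    return [sum(d & row[j] for d, row in zip(seed, matrix)) % 2 for j in range(n)]

def stream_extract(raw_bits, pad):
    """Step (3): emit k_j = a_j XOR (d . M)_j as each raw bit arrives.
    One XOR per bit (complexity n), nothing is buffered, and a leftover
    error in a_j can only affect k_j."""
    for a, p in zip(raw_bits, pad):
        yield a ^ p

def changed_positions(raw_a, raw_b, pad):
    """Positions where the outputs for two raw strings differ (error-spreading check)."""
    ka, kb = stream_extract(raw_a, pad), stream_extract(raw_b, pad)
    return [j for j, (x, y) in enumerate(zip(ka, kb)) if x != y]

# Constructed toy parameters: n = 8 raw bits with min-entropy H_min = 5,
# so the matrix has m = n - H_min = 3 rows and m + n - 1 = 10 free bits.
N, H_MIN = 8, 5
M_ROWS = N - H_MIN
FREE_BITS = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]      # drawn from secrets in practice
M = toeplitz_matrix(FREE_BITS, M_ROWS, N)
SEED = [1, 1, 0]                                 # d, the private (n - H_min)-bit seed
RAW = [0, 1, 1, 0, 0, 1, 0, 1]                   # a, the raw QRNG output (constructed)

if __name__ == "__main__":
    pad = pseudorandom_string(SEED, M)           # prepared ahead of time
    print("d.M =", pad)
    print("k   =", list(stream_extract(RAW, pad)))
    flipped = RAW[:]
    flipped[3] ^= 1
    print("flipping a_3 changes output bits at", changed_positions(RAW, flipped, pad))
```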

IV. DISCUSSION AND CONCLUSIONS
In this work, we propose a stream privacy-amplification scheme, where Alice and Bob locally generate a pseudorandom bit string and XOR it with the reconciled key to obtain the final key. This scheme has a stream output feature and hence can prevent unpleasant delay and error spreading in practice. In contrast to conventional block schemes, stream privacy amplification can be carried out ahead of information reconciliation, which makes the data postprocessing more flexible. In addition, stream privacy amplification can enhance the security of a trusted-relay QKD network and improve the practicality of randomness extraction for quantum random number generators.
We need to emphasize that although we derive stream privacy amplification from the Lo-Chau security proof, the technique is independent of the security-proof method. Other security-proof methods, such as Koashi's complementarity approach [41], can also be easily extended to the stream privacy-amplification case. Moreover, the concept is rather generic and can be applied to other QKD schemes, such as six-state, continuous-variable, measurement-device-independent, two-way-communication postprocessing, and decoy-state [5] schemes. Practical issues, including realistic circumstances, hardware imperfections, and statistical fluctuations, will affect the parameter settings of stream privacy amplification, especially the length of the seed string and the size of the hashing matrix. One can combine stream privacy amplification with existing analysis methods to deal with these practical issues. In Appendix E, we give an example of employing stream privacy amplification in the Gottesman-Lo-Lütkenhaus-Preskill (GLLP) framework [42]. Further applications of stream privacy amplification to other quantum cryptographic tasks, such as quantum oblivious transfer [43,44], are also worth studying.
Here, our proof is mainly based on phase-error correction. According to Ref. [40], this approach is in general equivalent to the one based on the quantum leftover hashing lemma [45]. An interesting direction is to reconsider the new scheme from the entropic point of view.
Our security analysis provides a new perspective for examining classical encryption algorithms information-theoretically through quantum-information theory. Rigorous assessment of classical encryption algorithms, such as AES and lattice-based encryption, is often a formidable challenge. To the best of our knowledge, there has been little consideration to date of the information-theoretic study of these encryption algorithms.
We remark that the result holds even when the random variables E_i associated with the set D(c) are arbitrarily correlated, not necessarily i.i.d. Alice and Bob can use Lemma 2 to bound the cardinality of the ε-smallest probable set if they can estimate r and c. Before error correction, they can estimate the error rate with a failure probability of ε, say, via the random sampling method. Suppose they obtain an error frequency of r in the test samples. Without loss of generality, we assume r ≤ 1/2. In the asymptotic case n → ∞, the number of errors in the data is given by nr. With a finite data size, the rate fluctuates around r. Alice and Bob can bound the number of errors, wt(e) ≤ nr + c, via the random sampling method, where c/n represents the deviation of the error rate from that of the test samples. The deviation c/n is usually related to the failure probability ε of parameter estimation and is typically of order 1/√n [18]. With r, c, and n, they can apply Lemma 2 to determine the error cardinality.
Here, we introduce another method to upper bound the cardinality of typical error sets, which is tighter under more restrictive conditions [18].
Lemma 3 ([18]). Given constants c, r ≥ 0 and n ∈ Z^+ satisfying r + c/n ≤ 1/3, the cardinality of the n-bit string set can be upper bounded by
Proof. By definition, we have
The first inequality holds when r ≤ 1/3.
This lemma provides a tight bound because in Eq. (A16), and the last inequality in Eq. (A16) is also tight in the logarithmic sense. When the error-rate deviation is small, c/n ≪ 1, we can take the Taylor series expansion of h(r + c/n) at r and obtain
By comparing Eqs. (A6), (A15), and (A18), one can see that Lemma 2 is a first-order approximation of Lemma 3. Since h''(r) < 0, Lemma 3 provides a tighter bound than Lemma 2. On the other hand, Lemma 2 does not require r ≤ 1/3, so it can be applied to more general cases.
Now, we show how to locate the errors given the probable error set T_ε, where ε is the failure probability of parameter estimation, Σ_{e∈T_ε} p(e) ≥ 1 − ε. In the following, we introduce error correction based on universal hash functions.
Definition 3 (Universal hash family). A family of functions F mapping elements e of a space T to another space S is called a universal hash family if the probability that a randomly chosen hash function outputs the same hashing result for any two different strings is upper bounded by 2.
Alice and Bob decide the hash function randomly by consuming some preshared private randomness and keep the hash function secret from Eve. In later error correction, they can reuse the same matrix at the cost that the total failure probability increases linearly with the number of sessions. We state the result formally in Lemma 4.
Lemma 4. Given a set of error strings T_ε and a family of hash functions F, suppose that for every e ∈ T_ε the failure probability of a randomly chosen hash function to identify e is upper bounded by ε_ec. For any m error strings in T_ε, the failure probability of a randomly chosen hash function to simultaneously identify all m error strings in their respective sessions is upper bounded by mε_ec.
Proof. For every e ∈ T_ε, the failure probability of error correction is given by Eq. (A21), where the probability is taken over the hashing family. Then, the failure probability of identifying m error strings simultaneously is given by
where the first inequality follows from the union bound and e_i ∈ T_ε is the error string in the ith session.
Here, we note that Eve does not know the hash function f before she determines the error patterns e_i. That is, her choices of e_i should be independent of Alice and Bob's choice of f ∈ F. Otherwise, the failure probability bound might not hold. Interestingly, this is not the case if Alice and Bob can verify the leftover errors in the corrected strings, say, by exchanging an authentication tag [18]. Then, the failure probability is determined by the error-verification process rather than by the property of the hashing family. In this case, the hash function can be fixed at the beginning and known to Eve.

Appendix C: Quantum error correction with hashing
As mentioned in the main text, we can use Eq. (6) to further derive Eqs. (8) and (9), which are related to bit and phase errors, respectively, and these two equations can be achieved by quantum error correction. We divide the procedure of quantum error correction into two steps: bit error correction to guarantee Eq. (8) and phase-error correction to guarantee Eq. (9).
Quantum error correction can be seen as an extension of classical error correction and can be accomplished using universal hashing [46-48]. In the classical case, Alice and Bob each possess a bit string. The differences between these two strings are called "errors". The main job of classical bilateral error correction is to figure out the error locations. Alice hashes her string and sends the parity information to Bob. With the same hash function, Bob hashes his string and compares the result with Alice's. After enough rounds of this procedure, Bob can figure out the error locations and flip his corresponding bits to correct the errors. In the end, Bob's bit string is reconciled with Alice's. The number of parity-check bits is given by nh(e) in the Shannon limit, where n is the bit string length and e is the error rate. For a finite data size, there is a possibility that error correction fails. Details of error correction, along with an analysis of the finite-size effect and failure probability, are presented in Appendix A.
In the following discussion, we consider linear hash functions, which can be represented by hashing matrices, for simplicity. One of the most widely used linear hash families is the family of Toeplitz matrices. The elements of a Toeplitz matrix satisfy M_ij = M_i′j′ whenever i − j = i′ − j′, so there are m + n − 1 free bits in a Toeplitz matrix of size m × n. We give an example of a Toeplitz hashing matrix as follows,
As shown before, if Alice and Bob randomly choose a Toeplitz matrix of size nh(e) × n for error correction, the efficiency converges to the Shannon limit very fast when n is large.
Now, we can apply classical error correction to the quantum case. Let us start with quantum bit error correction. The parity hashing on the raw key bit strings can be implemented by a series of CNOT gates between the data qubits and ancillary EPR pairs, as shown in Figure 5, which is a concrete example of the quantum bit error correction part of Figure 1(a). Alice and Bob can obtain the parity information by measuring the ancillary qubits. The measurement result of one ancillary qubit reflects 1 bit of parity information of the data qubits. The measurement results on an ancillary pair of Alice and Bob will differ if there is an odd number of errors in the controlling data qubits, and will be the same if there is no error or an even number of errors. Alice sends the parity information to Bob, who then figures out the error syndromes and corrects the errors. The property of the universal hash family guarantees that Bob can correct all the errors with a small failure probability. A similar approach can be employed for quantum phase-error correction, with additional Hadamard gates before the hash operations and measurements.
FIG. 5. Illustration of quantum bit error correction. As an example, the circuit corresponds to the hashing matrix M in Eq. (C1). The ith row of M corresponds to the CNOT control data qubits targeting the ith ancillary qubit, and the jth column of M corresponds to the CNOT target ancillary qubits controlled by the jth data qubit. The measurement result of one ancillary qubit equals the XOR sum of the Z-basis measurement results of the ancillary qubit and its controlling data qubits. By comparing the measurement results, Bob can learn 1 bit of parity information about the data qubits. After obtaining enough parity information on the data qubits, Bob can locate the bit errors and correct them with the quantum gate σ_x. A similar circuit can be applied for quantum phase-error correction with additional Hadamard gates, according to Figure 1(a).
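As an added example (not the paper's code), the following Python plays out the bilateral error correction described above on classical strings: Alice sends the parity information M·aᵀ, Bob compares it with his own parities, and searches the probable error set (here all patterns of weight at most 1) for a pattern matching the syndrome difference. Both hashing matrices and the strings are constructed for illustration; the first matrix has two identical columns, which exhibits the failure case whose probability Lemma 4 bounds.

```python
from itertools import combinations

def syndrome(matrix, bits):
    """Parity information M . x^T over GF(2): one parity bit per row of M."""
    return tuple(sum(r & b for r, b in zip(row, bits)) % 2 for row in matrix)

def candidate_errors(matrix, target, max_weight):
    """All error patterns e with wt(e) <= max_weight whose syndrome equals target.
    This is a brute-force search over the probable error set T_eps of Appendix A."""
    n = len(matrix[0])
    found = []
    for w in range(max_weight + 1):
        for positions in combinations(range(n), w):
            e = [1 if j in positions else 0 for j in range(n)]
            if syndrome(matrix, e) == target:
                found.append(e)
    return found

def reconcile(matrix, alice_parity, bob_bits, max_weight):
    """Bob's side: XOR Alice's parity bits with his own to obtain the syndrome of
    the error string e = a XOR b, then locate e. Returns (corrected string, status)."""
    diff = tuple(x ^ y for x, y in zip(alice_parity, syndrome(matrix, bob_bits)))
    candidates = candidate_errors(matrix, diff, max_weight)
    if len(candidates) != 1:
        # Two probable patterns share a syndrome (or none fits): Bob cannot decide.
        return list(bob_bits), "ambiguous" if candidates else "uncorrectable"
    e = candidates[0]
    return [b ^ x for b, x in zip(bob_bits, e)], "corrected"

# Constructed 3 x 8 Toeplitz matrix: columns 0 and 6 coincide, so two different
# single-bit errors produce the same syndrome and cannot be told apart.
M_WEAK = [[0, 1, 0, 0, 1, 1, 0, 1],
          [1, 0, 1, 0, 0, 1, 1, 0],
          [1, 1, 0, 1, 0, 0, 1, 1]]
# Constructed 4 x 8 matrix whose columns are the binary expansions of 1..8:
# all columns distinct and nonzero, so every single-bit error is identified.
M_GOOD = [[0, 0, 0, 0, 0, 0, 0, 1],
          [0, 0, 0, 1, 1, 1, 1, 0],
          [0, 1, 1, 0, 0, 1, 1, 0],
          [1, 0, 1, 0, 1, 0, 1, 0]]
ALICE = [0, 1, 1, 0, 0, 1, 0, 1]
BOB = [0, 1, 1, 0, 0, 1, 1, 1]   # bit 6 differs from Alice's string

if __name__ == "__main__":
    for name, m in (("weak", M_WEAK), ("good", M_GOOD)):
        fixed, status = reconcile(m, syndrome(m, ALICE), BOB, max_weight=1)
        print(name, status, "reconciled" if fixed == ALICE else "not reconciled")
```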
In entanglement distillation, both bit and phase-error correction should be successfully implemented. The two quantum error correction procedures are carried out sequentially. Hence, we need to make sure that these two error correction procedures do not interfere with each other. Fortunately, by using ancillary EPR pairs, we can decouple these two steps with the following lemma.
Lemma 5 (Bit and phase-error correction decoupling [49]). By using EPR pairs as ancillary qubits, bit error correction has no effect on phase errors, and vice versa.
Proof. Let us first show that the phase-error measurement results are the same with or without the bit error correcting operations. The phase error is evaluated when both Alice and Bob perform the X-basis measurement on the data qubits, denoted by the measurement of the joint observable σ_x ⊗ σ_x. From Figure 1(a), we can see that the bit error correcting operations on the data qubits are essentially I, σ_x, and σ_z. The operations I and σ_x do not change the X-basis measurement outcomes. The operation σ_z comes from the CNOT gate between the data and ancillary qubits. Since Alice's and Bob's hash functions are the same, the CNOT gates always appear in pairs. That is, if there is a CNOT between Alice's share of a data qubit pair and an ancillary EPR pair, there will be a CNOT between Bob's share of the data qubit pair and the ancillary EPR pair. From the circuit equivalence shown in Figure 6, we can see that the σ_z operation always appears in pairs on Alice's and Bob's data qubits. That is, the σ_z operation simultaneously flips Alice's and Bob's X-basis measurement results, which leaves the measurement results of σ_x ⊗ σ_x on the data qubit pairs unchanged. Therefore, quantum bit error correction does not affect phase errors.
With the duality between the X and Z bases, we can also prove that phase-error correction does not affect bit errors with the same arguments.
measures the observable
where v_i are the elements of v. Here, we require the vectors v to be linearly independent so that the final key is still secure after phase-error correction. Note that since the key measurements differ from the ones in Figure 8(a), the obtained key bits may be different.
The effect of the hash operation on the n data qubits is either the identity, when the measurement outcome of the ancillary qubit is 0, or a series of n-qubit operations consisting of σ_z and I, when the outcome is 1. For example, the hash operation corresponding to the first row vector m_1 of the matrix in Eq. (C1) is the identity or
In general, we represent the operation corresponding to the ith row vector m_i of the matrix M as follows,
where M_ij is the value of the element in the ith row and jth column of the matrix. Normally, the operators in Eqs. (D1) and (D3) do not commute because [σ_x, σ_z] ≠ 0. Fortunately, we have [σ_x ⊗ σ_x, σ_z ⊗ σ_z] = 0. To make sure that a joint X-basis measurement commutes with a series of Z operations, we only need to design the joint X-basis measurement such that the number of qubits that are both acted on by σ_z and measured in the X basis is even. That is, m_i • v = 0 holds for all i ∈ {1, 2, 3, ..., nh(e_p)}. This is equivalent to finding the kernel of M. The kernel of the matrix M is defined as the set of vectors
ker M = {v : M v = 0}. (D4)
In phase-error correction, the hashing matrix we use has full rank. Therefore, the dimension of ker M is n − nh(e_p); that is, ker M can be constructed from [n − nh(e_p)] linearly independent vectors. We arrange these vectors in columns and form a matrix V of size n × [n − nh(e_p)]. We call the matrix V the dual matrix of M. Then, we can design the joint X-basis measurements according to this dual matrix, where each joint measurement corresponds to a column vector of V according to the correspondence in Eq. (D1). By construction, these joint measurements all commute with the hash operation. Finally, the commuting property shows that the hash operation does not affect the results of the joint X-basis measurements. Then, Alice and Bob can remove the hash operation along with the ancillary qubits. The joint X-basis measurements can be further combined with the Hadamard gates and become joint Z-basis measurements, as shown in Figure 8(c). The results of the joint Z-basis measurements give an [n − nh(e_p)]-bit secret key.
With this reduction, one can see that the ancillary EPR pairs are unnecessary for phase-error correction, as shown in Figure 8(c). Does that mean there is no cost of shared private randomness in phase-error correction? Unfortunately, the answer is no. The cost is reflected in the joint Z-basis measurement. The number of final key bits is determined by the number of joint Z-basis measurements, which is limited by the kernel of the hashing matrix for phase-error correction.
Meanwhile, the joint Z-basis measurement is compatible with the bit error correction reduction. After accounting for the cost of shared private randomness in bit error correction, the net gain of secret key is n[1 − h(e_b) − h(e_p)] bits, which matches the key rate in Eq. (10).
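As an added example (not the paper's own code), the following Python computes the dual matrix V of Eq. (D4) for a small hashing matrix by Gaussian elimination over GF(2), checks that M V = 0, and evaluates the joint Z-basis key bits of Figure 8(c) as parities of the data bits selected by each column of V. The 3 × 8 matrix and the data bits are constructed here for illustration and are not the matrix of Eq. (C1).

```python
def gf2_rref(matrix):
    """Reduced row echelon form over GF(2). Returns (reduced rows, pivot columns)."""
    rows = [list(r) for r in matrix]
    m, n = len(rows), len(rows[0])
    pivots, r = [], 0
    for c in range(n):
        if r == m:
            break
        p = next((i for i in range(r, m) if rows[i][c]), None)
        if p is None:
            continue                      # no pivot in this column: a free column
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(m):                # clear column c from every other row
            if i != r and rows[i][c]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows, pivots

def dual_matrix(matrix):
    """Basis of ker M = {v : M v = 0 (mod 2)} (Eq. (D4)), returned as the columns of V.
    Each free column gives one basis vector: set that coordinate to 1, the other free
    coordinates to 0, and solve the reduced rows for the pivot coordinates."""
    rows, pivots = gf2_rref(matrix)
    n = len(matrix[0])
    columns = []
    for f in range(n):
        if f in pivots:
            continue
        v = [0] * n
        v[f] = 1
        for i, pc in enumerate(pivots):   # row i reads x_pc + sum_free rows[i][f] x_f = 0
            v[pc] = rows[i][f]
        columns.append(v)
    return columns

def annihilated(matrix, v):
    """True if M v = 0 over GF(2), i.e. m_i . v = 0 for every row m_i."""
    return all(sum(x & y for x, y in zip(row, v)) % 2 == 0 for row in matrix)

def joint_z_key(data_bits, dual_columns):
    """The joint Z-basis measurement for column v yields the parity of the data bits
    at positions where v_i = 1; the columns of V together give n - rank(M) key bits."""
    return [sum(a & vi for a, vi in zip(data_bits, v)) % 2 for v in dual_columns]

# Constructed 3 x 8 full-rank hashing matrix (standing in for nh(e_p) x n) and
# constructed Z-basis outcomes of the n data qubits.
M = [[0, 1, 0, 0, 1, 1, 0, 1],
     [1, 0, 1, 0, 0, 1, 1, 0],
     [1, 1, 0, 1, 0, 0, 1, 1]]
DATA = [0, 1, 1, 0, 0, 1, 0, 1]

if __name__ == "__main__":
    V = dual_matrix(M)
    print("kernel dimension:", len(V), "= n - rank(M) =", len(M[0]) - len(M))
    print("M V = 0:", all(annihilated(M, v) for v in V))
    print("key bits:", joint_z_key(DATA, V))
```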
There are a few notes on information reconciliation and privacy amplification.

FIG. 1. (a) Quantum bit- and phase-error correction. The measurements in all the figures are Z-basis measurements by default. "CC" is short for classical communication. The ⊕ operation means XOR on classical bit strings. H represents the Hadamard gate applied to each of the involved qubits. I/σ_x represents an identity or σ_x operation on the qubits, depending on the error syndrome. (b) In the linear case, the hash functions can be represented by matrices and realized by a series of controlled-NOT (CNOT) gates between the data (as control) and ancillary (as target) qubits. The measurement outcomes of the ancillary qubits give the parity information of the data qubits.

FIG. 2. Circuit (a) is derived from the quantum phase-error-correction part of Figure 1 by adding Hadamard gates in dashed boxes that form identity operations. We take one pair of CNOT operations for illustration. Circuit (b) is equivalent to circuit (a) by the following facts: H^{⊗2} C_{αβ} H^{⊗2} = C_{βα}, H^2 = I, and H σ_x H = σ_z. Since neither the identity nor the σ_z gate affects the Z-basis measurement, the operations in the dashed box of circuit (b) are redundant and can be removed. Then, by moving the Z-basis measurement on the ancillary qubits ahead of the hash operation and changing quantum-controlled flips to classically controlled flips, circuit (b) turns into circuit (c), a "measurement + postprocessing" case. Circuit (d) shows the case of multiple CNOT pairs, taking the hashing circuit in Figure 1(b) as an example. In the end, both Alice and Bob employ circuit (d) to obtain the final key strings.

Box 3: Stream privacy amplification
After information reconciliation, denote Alice's and Bob's reconciled key as a ∈ {0,1}^n.
1. Alice and Bob randomly choose a hashing matrix M of size nh(e_p) × n.
2. Alice and Bob use an nh(e_p)-bit seed, d ∈ {0,1}^{nh(e_p)}, to generate a pseudorandom string, d • M, where

FIG. 3. An illustration of the pseudorandomness property of d • M. The red-shaded area in the reconciled key denotes the nh(e_p)-bit information leakage to Eve. This leaked information can be the bit values of the key or parity information about the key. After the XOR of the reconciled key with the pseudorandom string d • M, the reconciled key becomes the final secure key and is uniformly distributed from Eve's point of view. That is, Eve's knowledge about the key is removed. As a corollary, the corresponding yellow-shaded area in the pseudorandom string should be uniform to Eve as well.

FIG. 4. (a) A schematic diagram of stream privacy amplification. The process of extending the seed in step (2) of Box 3 can be treated as a pseudorandom number generator. (b) The generalization of the extension and XOR operations to a joint operation, which can be seen as a classical encryption box. (c) The quantum form of (b). The classical joint operation becomes a DIO Λ. (d) Changing the order of Λ and the measurement. The final measurement on the ancillary qubits can be arbitrary with an extra operation Ω.

FIG. 6. A diagram showing why bit error correction does not change phase errors. In the showcase, we take a pair of CNOT gates as an example. In the figures we only depict the circuit on Alice's side; the circuit is the same on Bob's side. Here, the control qubit is one of the data qubits and the target qubit is one of the ancillary qubits, as shown in Figure 5. The equivalence of (a), (b) and (c) comes from the facts that σ_x = H σ_z H and H^{⊗2}|Φ⁺⟩ = |Φ⁺⟩.

FIG. 8. (a) Reduced circuit from the phase-error correction part of Figure 1, obtained by considering the following two facts: Hadamard + Z-basis measurement = X-basis measurement; neither the identity nor the σ_x gate affects the X-basis measurement. Now, Alice's and Bob's circuits become the same. (b) Reduction of Alice's circuit: remove the measurement on the ancillary qubits, since the results do not affect the measurement on the data qubits; replace individual X-basis measurements with joint X-basis measurements on the data qubits; and explicitly express the hash operation with CNOT gates, taking Figure 1(b) as an example. If the joint X-basis measurements commute with the hash operation, the circuit in the red dashed box does not affect the measurements and hence can be removed. (c) Further reduction of Alice's circuit: remove the redundant circuit in the red dashed box and combine the joint X-basis measurements with the Hadamard gates, which become joint Z-basis measurements. Finally, Alice can obtain an n[1 − h(e_p)]-bit secure key from the joint Z-basis measurements in a QKD session.
Intuitively, Alice and Bob share a private key if e_b = e_p = 0. Before the security analysis, we introduce an entanglement-based protocol with EPR pairs, BBM92, in Box 2. The BBM92 protocol can be reduced to the BB84 protocol if Alice measures her half of the state in the Z or X basis. Based on her measurement result, Alice equivalently sends a qubit in |0⟩, |1⟩, |+⟩, or |−⟩ to Bob.