HAL Id: hal-00270517
https://hal.archives-ouvertes.fr/hal-00270517
Submitted on 5 Apr 2016
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entic research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diusion de documents
scientiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Multidimensional reconciliation for continuous-variable
quantum key distribution
Anthony Leverrier, Romain Alleaume, Joseph Boutros, Gilles Zemor, Philippe
Grangier
To cite this version:
Anthony Leverrier, Romain Alleaume, Joseph Boutros, Gilles Zemor, Philippe Grangier. Multidimen-
sional reconciliation for continuous-variable quantum key distribution. Physical Review A, American
Physical Society, 2008, 77 (4), pp.042325. �10.1103/PhysRevA.77.042325�. �hal-00270517�
Multidimensional reconciliation for a continuous-variable quantum key distribution
Anthony Leverrier,
1
Romain Alléaume,
1
Joseph Boutros,
2
Gilles Zémor,
3
and Philippe Grangier
4
1
Institut Télécom/Télécom ParisTech (École Nationale Supérieure des Télécommunications), CNRS LTCI, 46, rue Barrault,
75634 Paris Cedex 13, France
2
Texas A&M University at Qatar, Doha, Qatar
3
Institut de Mathématiques de Bordeaux, Université de Bordeaux 1, Bordeaux, France
4
Laboratoire Charles Fabry, Institut d’Optique, CNRS, Université Paris-Sud, Campus Polytechnique, RD 128,
91127 Palaiseau Cedex, France
共Received 22 December 2007; published 30 April 2008
兲
We propose a method for extracting an errorless secret key in a continuous-variable quantum key distribu-
tion protocol, which is based on Gaussian modulation of coherent states and homodyne detection. The crucial
feature is an eight-dimensional reconciliation method based on the algebraic properties of octonions. Since the
protocol does not use any post-selection, it can be proven secure against arbitrary collective attacks by using
well-established theorems on the optimality of Gaussian attacks. By using this coding scheme with an appro-
priate signal-to-noise ratio, the distance for a secure continuous-variable quantum key distribution can be
significantly extended.
DOI: 10.1103/PhysRevA.77.042325 PACS number共s兲: 03.67.Dd, 42.50.⫺p
I. INTRODUCTION
A major practical application of quantum-information sci-
ence is the quantum key distribution 共QKD兲关1兴, which al-
lows two distant parties to communicate with absolute pri-
vacy, even in the presence of an eavesdropper. Most QKD
protocols encode information on discrete variables such as
the phase or the polarization of single photons and are cur-
rently facing technological challenges, especially the limited
performances of photodetectors in terms of speed and effi-
ciency in the single-photon regime. A way to relieve this
constraint is to encode information on continuous variables
such as the quadratures of coherent states 关2兴 which are eas-
ily generated and measured with remarkable precision by
standard optical telecommunication components. In such a
protocol, Alice draws two random values X
A
and P
A
with a
Gaussian distribution N共0,V
A
兲 and sends a coherent state
centered on 共X
A
, P
A
兲 to Bob. Bob then randomly chooses one
of the two quadratures and measures it with a homodyne
detection. After the measurement, he informs Alice of his
choice of quadrature. Alice and Bob then share correlated
continuous variables from which a secret key can in principle
be extracted, provided that the correlation between the
shared data is high enough. This condition is the equivalent
of the maximal error rate allowed for the BB84 protocol for
example 关3兴.
Currently, the main bottleneck of continuous-variable pro-
tocols lies in the classical post-processing of information,
more precisely in the reconciliation step which is concerned
with extracting all the available information from the corre-
lated random variables shared by the legitimate parties at the
end of the quantum part of the protocol. This classical step
must not be underestimated since an imperfect reconciliation
limits both the rate and the range of the protocol.
Two different approaches have been used so far to extract
binary information from Gaussian variables. Slice reconcili-
ation 关4,5兴 consists in quantizing continuous variables and
then correcting errors on these discrete variables. It allows
one in principle to transmit more than 1 bit per pulse and to
extract all the information available, but only if the quanti-
zation takes place in R
d
with dⰇ1, which results in an un-
acceptable increase of complexity in practice. Therefore the
present protocols use d= 1, resulting in finite efficiency,
which limits the range to about 30 km. The second approach
uses the sign of the continuous variable to encode a bit, and
it has the advantage of simplicity. It can also be efficient, at
least in the case where the signal-to-noise ratio is low
enough, so that less than 1 bit per pulse can be expected. But
since the Gaussian distribution is centered around 0 and most
of the data have a small absolute value, it becomes difficult
to discriminate the sign when the noise is important. As a
consequence, it has been proposed to use post-selection
关6–11兴 to get rid of the “low-amplitude” data and keep only
the more meaningful “large-amplitude” data. However, this
approach has a major drawback: since the optimal attack
against such a post-selected protocol is unknown, the secret
rate can be calculated only for certain types of “restricted”
attacks 关7,11兴. So the security is significantly weaker than the
initial “non-post-selected” Gaussian-modulated protocol,
where one can use the optimality of Gaussian attacks 关12,13兴
in order to prove that the protocol is secure against arbitrary
general collective attacks.
Here we are interested in the problem of extending
continuous-variable QKD over longer distances without
post-selection, but with proven security. The main idea is as
follows: whereas Gaussian random values are centered
around 0, this is not the case for the norm of a Gaussian
random vector. Such a vector lies indeed on a shell which
gets thinner as the dimension of the space increases 共see
Fig. 1兲. Thus, if one performs a clever rotation 共see Fig. 2兲
before encoding the key in the sign of the coordinates, one
automatically gets rid of the small absolute value coordinates
without post-selection. Whereas this effect gets stronger and
stronger for large dimensions, we will show that we are in-
trinsically limited to performing such rotations in R
8
.Aswe
will show below, this is related to the algebraic structure of
octonions. For our purpose, working in R
8
is already a sig-
PHYSICAL REVIEW A 77, 042325 共2008兲
1050-2947/2008/77共4兲/042325共8兲 ©2008 The American Physical Society042325-1
nificant improvement since it allows one to exchange secure
secret keys over more than 50 km, without post-selection and
with a reasonable complexity for the reconciliation protocol.
The paper is organized as follows: Section II presents the
link between the reconciliation and the security of the proto-
col, Sec. III describes the reconciliation in the case of
discrete-variable QKD protocols, Sec. IV shows how to gen-
eralize this approach to Gaussian-variable protocols, and
Sec. V presents a realistic reconciliation protocol for the
continuous-variable QKD, whose performance is analyzed in
Sec. VI.
II. RECONCILIATION AND SECURITY
Let x and y be the classical random variables associated
with the measured quantities of the legitimate parties Alice
and Bob, and let E be the quantum state in possession of the
eavesdropper. It has been shown 关12,13兴 that the theoretical
secret key rate K obtained using one-way reconciliation is
bounded from below by
K ⱖ I共x:y兲 − S共x:E兲⬅K
th
.
Here I共x: y兲 and S共x:E兲 refer, respectively, to the Shannon
mutual information 关14兴 between classical random values x
and y and to the quantum mutual information 关15兴 between x
and the quantum state E. Recall that S共x:E兲 can also be seen
as the Holevo quantity associated with the quantum measure-
ments performed by Eve. The above bound corresponds to
the case where Alice and Bob are “classical” whereas Eve is
“quantum,” which means that Eve is allowed to use a quan-
tum memory and a quantum computer to perform her attack.
This secret key rate is valid for one-way reconciliation: the
classical communication between Alice and Bob is therefore
restricted to be unidirectional, and not interactive. For the
protocol described above, the quantum mutual information
between Bob and Eve is smaller than between Alice and Eve.
As a consequence, one will use reverse reconciliation 关2兴: the
final key is extracted from Bob’s data, and Bob sends extra
information to Alice on the authenticated classical channel to
help her correct her “errors.” The secret key rate K
th
is secure
against collective attacks. Note that it is conjectured that, as
is the case for discrete-variable protocols 关16兴, coherent at-
tacks are not more powerful than collective attacks
关12,13,17兴, which would imply that K
th
is the secure key rate
against the most general attacks allowed by quantum me-
chanics.
An important property of the continuous-variable QKD is
that for a reasonably low excess noise 共which is the noise not
directly caused by the losses兲, K
th
remains strictly positive
for any value of the transmission, meaning that there is no
theoretical limitation to the range of this protocol. However,
K
th
is relevant only in the case where one has access to a
perfect reconciliation scheme, allowing Alice and Bob to ex-
tract all the information available in their correlated data.
How should K
th
be modified in the case of a real-world im-
perfect reconciliation scheme? In order to extract a secret
from their data, Alice and Bob have access to a classical
authenticated channel and have agreed on a particular code
C
N
whose size N is such that log
2
共N兲ⱕI共x;y兲. The principle
of the reconciliation protocol is the following: Alice chooses
randomly an element U僆 C
N
and sends some information
␣
to Bob who should be able to efficiently recover U from the
knowledge of y and
␣
—i.e., H共兩U兩y,
␣
兲=0, the conditional
entropy of U given y and
␣
is null, or equivalently
I共U:y,
␣
兲=H共U兲. In this case, Alice and Bob have extracted
a common string U from their data, which they will be able
to turn into a secret key thanks to privacy amplification, but
they have also given the extra information
␣
to the eaves-
dropper. As a consequence, the effective key rate after the
reconciliation becomes
K ⱖ H共U兲 − S共U:E,
␣
兲⬅K
real
.
Unfortunately, one always has K
real
⬍K
th
and K
real
reaches 0
for a finite channel transmission. In other words, the range of
the protocol is limited because of the imperfect reconcilia-
tion. It should be noted that this is one of the main differ-
ences with discrete-variable protocols which are limited by
technology and more particularly by the dark counts of the
photodetectors. A real difficulty lies in the estimation of
S共U:E,
␣
兲. One specificity of QKD is that it allows Alice and
Bob to estimate an upper bound of S共x: E兲 by comparing a
subset of their data. However, it is generally impossible to
deduce S共U:E,
␣
兲 from it. One exception is when U and
␣
0
0.5
1
1.5
2
0 0
.
5
1 1.
5
2 2.
5 3
χ(1)
χ(2)
χ(4)
χ(8)
FIG. 1. 共Color online兲 Probability distributions
共1兲,
共2兲,
共4兲,
and
共8兲 of the radius of a Gaussian vector of dimensions 1, 2, 4,
and 8. When the dimension goes to infinity, the distribution gets
closer to a Dirac distribution.
b)
x2 x2x2
x1 x1 x
1
a) c)
FIG. 2. 共Color online兲 Consider two successive states X
1
and X
2
sent by Alice: the states really sent correspond to X
1
⬎0,X
2
⬎0. 共a兲,
共b兲, and 共c兲 show the four possible states Bob needs to discriminate
after Alice has sent him some side information over the classical
authenticated channel. 共a兲 corresponds to slice reconciliation 关3,5兴:
the four states are well separated, but the Gaussian symmetry is
broken. 共b兲 corresponds to the case where the information is en-
coded on the sign of the Gaussian value 关7兴: the symmetry of the
problem is preserved but some states are very close and thus diffi-
cult to discriminate. 共c兲 corresponds to the approach presented in
this paper where the states are well separated and the symmetry is
preserved.
LEVERRIER et al. PHYSICAL REVIEW A 77, 042325 共2008兲
042325-2
are independent, in which case the following lemma applies.
Lemma 1. Let A and B be two classical random values,
and let E be a random quantum state. If A and B are inde-
pendent, then S共A:E,B兲ⱕ S共A, B: E兲.
Proof. The chain rule for mutual quantum information
reads
S共A,B:E兲 = S共B:E兲 + S共A:兩E兩B兲 ⱖ S共A:兩E兩B兲,
where the inequality results from the non-negativity of mu-
tual quantum information. Then, by definition of conditional
mutual information,
S共A:兩E兩B兲 = S共兩A兩B兲 − S共兩A兩E ,B兲
= S共A兲 − S共兩A兩E,B兲
= S共A:E,B兲,
where the second equality follows from independence of A
and B. 䊏
In the reconciliation protocol, U is chosen randomly by
Alice, independently of x, meaning that S共x, U: E兲= S共x: E兲.
Then, since
␣
is a function of x and U, the data-processing
inequality gives S共U,
␣
:E兲ⱕ S共x: E兲. In addition, in the case
where
␣
is independent of U, Lemma 1 gives S共U: E,
␣
兲
ⱕS共x: E兲.
If one defines the efficiency of reconciliation

=
H共U兲
I共x:y兲
, one
obtains finally
K
real
ⱖ

I共x:y兲 − S共x:E兲,
which is the usual expression of the secret key rate taking
into account the imperfect reconciliation protocol.
III. RECONCILIATION OF BINARY VARIABLES
Reconciliation is a means for Alice and Bob to extract
available common information from their correlated data. In
the case when the data consist of binary strings, it is very
similar to the problem of channel coding where the goal is
for Alice to send information to Bob through a noisy chan-
nel. Channel coding is solved by appropriately choosing sub-
sets of binary strings: codes. When Alice restricts her mes-
sages to code words, Bob can recover them with high
probability if the code size is not too large, given the channel
noise. More precisely, Shannon’s theorem 关18兴 states that the
size of the code 兩C兩 is bounded by the mutual information
between Alice and Bob: log
2
共兩C兩兲ⱕI共x: y兲. The problem of
channel coding has been extensively studied during the past
60 years, but only recently were codes almost achieving Sh-
annon’s limit discovered while being efficiently decoded
thanks to iterative algorithms: turbocodes 关19兴 and low-
density parity-check 共LDPC兲 codes 关20,21兴.
The main difference between reconciliation and channel
coding is that in the case of reconciliation, Alice does not
choose what she sends and thus cannot restrict her messages
to code words of a given code. However, if one wants to take
advantage of the code formalism, knowing what she sent,
Alice can describe to Bob a code for which her word is a
code word. Thus if Bob can guess what code word Alice
sent, they will effectively share a common sequence of bits.
This is the method used for discrete QKD protocols. Indeed,
given a linear code C and its parity check matrix H , the group
F
2
n
=兵0,1其
n
of possible states sent by Alice can be seen as the
product of code words and syndromes: if Alice sends x to
Bob, she can tell him the syndrome of x, which is H· x, thus
defining a coset code containing x. This coset code is the
ensemble 兵y僆 兩F
2
n
兩H· y= x其. An equivalent solution is for Al-
ice to randomly choose a code word U from a given code
and to send U
丣 x=
␣
to Bob where 丣 represents the addition
in the group F
2
n
. Bob then computes y 丣
␣
which allows him
to retrieve U if the code is well adapted to the channel be-
tween Alice and Bob. This coset coding scheme was initially
suggested by Wyner 关22兴.
In a way, the side information 共information sent by Alice
over the classical authenticated channel兲 corresponds to a
change of coordinates allowing one to transform the initial
reconciliation problem into the well-known problem of chan-
nel coding.
Two properties are essential for this approach to work:
first, the probability distribution of the states sent by Alice is
uniform over F
2
n
; second, the total space is a partition of the
cosets of a linear code. Thus, any word can be seen as a
unique code word for a unique coset code and telling which
coset code contains the word gives zero information about
the code word. The question is then whether or not it is
possible to generalize this approach to continuous variables.
IV. RECONCILIATION OF GAUSSIAN VARIABLES
A. Gaussian modulation
One of the main differences between discrete and continu-
ous QKD protocols is the probability distribution of Alice’s
variables: the uniform distribution on F
2
n
is changed into a
nonuniform Gaussian distribution on R
n
. This is rather un-
fortunate since the uniformity of the distribution on F
2
n
is an
essential assumption in order to prove that the side informa-
tion 共e.g., the syndrome兲 Alice sends to Bob on the public
channel does not give any relevant information to Eve about
the code word chosen by Alice. An interesting property of
the Gaussian distribution N共0,1
n
兲 on R
n
whose covariance
matrix is the identity is that it has a spherical symmetry in
R
n
. In other words, if the vector x follows such a distribution,
then the normalized random vector
x
兩x兩
has a uniform distri-
bution on the unit sphere S
n−1
of R
n
. Thus, spherical codes,
codes for which all code words lie on a sphere centered on 0,
can play the same role for continuous-variable protocols as
binary codes for discrete protocols. Some very good codes
are known for binary channels: LDPC codes and turbocodes
both almost achieve the Shannon limit and can be efficiently
decoded thanks to iterative decoding algorithms. Are there
codes with similar qualities among the spherical codes? The
answer is almost. There is indeed a canonical way to convert
binary codes into binary spherical codes, and this can be
achieved thanks to the following mapping of F
2
n
onto an iso-
morphic image in the n-dimensional sphere:
F
2
n
→S
n−1
傺 R
n
, 共b
1
, ...,b
n
兲 哫
冉
共−1兲
b
1
冑
n
, ...,
共−1兲
b
n
冑
n
冊
.
Then, as LDPC codes and turbocodes can both be optimized
for binary symmetric channels, they can also be optimized
MULTIDIMENSIONAL RECONCILIATION FOR A … PHYSICAL REVIEW A 77, 042325 共2008兲
042325-3
for a binary phase shift keying 共BPSK兲 modulation, where
the bit 0 共1兲 is encoded into the amplitude +A 共−A兲 and
where the channel noise is considered to be additive white
Gaussian noise 共AWGN兲. Thus, one has access to a family of
very good codes 共in the sense that they are very close to the
Shannon limit兲 for which very efficient iterative decoding
algorithms are available. It is important to note that there are
actually two different Shannon limits considered here de-
pending on the modulation—BPSK or Gaussian
modulation—but these limits become asymptotically close
when the signal-to-noise ratio 共SNR兲 is small. Thus, at low
SNR, a binary code optimized for a BPSK modulation can
almost achieve the Shannon limit for a Gaussian modulation.
A remark is in order: the use of binary codes as described
above limits the rate of the code to less than 1 bit per channel
use, whereas one of the interests of a Gaussian modulation is
precisely to get rid of this limit. Actually, one could use
nonbinary spherical codes, but their decoding is more com-
plicated and thus slows down the reconciliation protocol. In
addition, this is not really needed, since in the high-loss sce-
nario which interests us most here, the secret key rate is
always much less than 1 bit per channel use. Consequently
the use of binary codes turns into an advantage, since they
can be decoded very efficiently. In the low-loss case,
however—that is, for short distances—one can hope to distill
more than 1 bit per channel use, and the “usual” approach
关23兴 will be more suitable than the one described in the
present article 共see also discussion in Sec. VI兲.
Now that we have a probabilistic space with a uniform
probability distribution and a family of codes for this space,
we need to see if the total space is a partition of a code and
of its “generalized coset codes.” First, the canonical hyper-
cube of R
n
共which is the image of F
2
n
by the isomorphism
defined above兲 is described as a partition of a linear code and
its cosets. The question that remains to be solved is whether
or not the unit sphere is a partition of such hypercubes. An-
other way to see this problem is the following: given a ran-
dom point in S
n−1
, is there a hypercube inscribed in the
sphere for which this point is a vertex. Surely there are such
hypercubes, many in fact. Actually, the manifold of these
hypercubes is a 关共n−1兲共n−2兲/ 2兴-dimensional manifold 共this
is the dimension of the subgroup of orthogonal group O
n
that
transports the canonical hypercube onto the ensemble of hy-
percubes containing the point in question兲.
Yet another way to express the problem is the following:
given two points x, y僆 S
n−1
, is it possible to find an orthogo-
nal transformation mapping x to y? One can immediately
think of transformations such as the reflection across the me-
diator hyperplane of x and y. Unfortunately, such an orthogo-
nal transformation gives some information about x and y as
soon as n⬎ 2 共this is linked to the phenomenon of the con-
centration of the measure for spheres in dimensions n⬎ 2兲
and therefore cannot be used by Alice as legitimate side in-
formation, which should be independent from the key in or-
der to fulfill the hypothesis of Lemma 1.
A correct solution would then be to randomly choose an
orthogonal transformation with uniform probability in the
ensemble of orthogonal transformations mapping x to y. This
can be done in the following way: one first draws a random
orthogonal transformation mapping x to some random x
⬘
.
Then one composes this transformation with the reflection
across the mediator hyperplane of x
⬘
and y. Although theo-
retically correct, this procedure is not doable in practice for
nⰇ1 since generating a random orthogonal transformation
on R
n
is a computational demanding task requiring one to
draw an n⫻ n Gaussian random matrix and to calculate its
QR decomposition 共i.e., its decomposition into an orthogonal
and a triangular matrix兲 which is an operation of complexity
O共n
3
兲.
A practical solution involves the following: for each word
x僆 S
n−1
sent by Alice, for each code word U僆 S
n−1
chosen
by Alice 共not necessarily a binary code word兲, there should
exist an continuous application M of the variables x and U
such that M共x, U兲僆 O
n
and M共x, U兲x=U. Then, if Alice
gives M共x, U兲 to Bob, one has the continuous equivalent of
U
丣 x in the discrete protocol. The following theorem shows
that the existence of such an application M restricts the pos-
sible values of n to be 1, 2, 4, or 8.
Theorem 2. If there exists a continuous application
M:S
n−1
⫻ S
n−1
→ O
n
, 共x,y兲 哫 M共 x,y兲
such that M共x, y兲· x= y for all x, y僆 S
n−1
, then n=1,2,4,or
8.
The proof of this theorem uses a result from Adams 关24兴,
which quantifies the number of independent vector fields on
the unit sphere of R
n
.
Theorem 3. Independent vector fields on S
n−1
关24兴. For
n=a·2
b
with a odd and b=c+4d, one defines
n
=2
c
+8d.
Then the maximal number of linearly independent vector
fields on S
n−1
is
n
−1.
In particular, the only spheres for which there exist 共n
−1兲 independent vector fields are the unit spheres of R, R
2
,
R
4
, and R
8
, which can, respectively, be seen as units of the
real numbers, the complex numbers, the quaternions, and the
octonions.
Proof of Theorem 2. The idea of the proof is to use the
existence of such a continuous function M to exhibit a family
of 共n−1兲 independent vector fields on S
n−1
.
Let 共e
1
,e
2
,...,e
n
兲 be the canonical orthonormal basis of
R
n
. For 1 ⱕ iⱕ n, let u
i
共x兲= M共e
n
,x兲· e
i
. One has u
n
共x兲= x and
„u
i
兩共x兲兩u
j
共x兲… = e
i
T
M共 e
n
,x兲
T
M共 e
n
,x兲e
j
=
␦
i,j
since M共e
n
,x兲 僆 O
n
.
Then, for x僆 S
n−1
, u
1
共x兲, u
2
共x兲,...,u
n−1
共x兲 are 共n−1兲 inde-
pendent vector fields on S
n−1
and finally n=1,2,4,or8.䊏
V. ROTATIONS ON S
1
, S
3
,ANDS
7
Now that we have proved that such an application M can
only exist in R, R
2
, R
4
, and R
8
, we need to answer three
more questions: does it exist? Can Alice compute it effi-
ciently? Does it leak any information about the code word to
Eve? Note that the trivial case of R for which the unit sphere
is 兵−1,1其 corresponds to the method where one encodes a bit
in the sign of the Gaussian variable 关7兴.
A. Existence
Let us start with the easiest case: R
2
. The existence of
such an application M verifying M共x, y兲· x= y for the unit
LEVERRIER et al. PHYSICAL REVIEW A 77, 042325 共2008兲
042325-4
