Key Distillation

After Key Sifting the key should be free of errors if no eavesdropper was present during the transmission and the apparatus used is ideal. In practice, eavesdropping is not the only cause of errors in the raw key. Indeed, all practical quantum cryptography feature an intrinsic error rate caused by component imperfections or environmental perturbations of the quantum channel.

In order to avoid jeopardizing the security of the key, these errors are all attributed to the eavesdropper. A post processing phase, also known as Key Distillation, is then performed. It takes place after the sifting of the key and consists of two steps. The first step corrects all the errors in the key, by using a classical error correction protocol. This step also allows to precisely estimate the actual error rate. With this error rate, it is possible to accurately calculate the amount of information the eavesdropper may have on the key. The second step is called privacy amplification and consists in compressing the key by an appropriate factor to reduce the information of the eavesdropper. The compression factor depends on the error rate. The higher it is, the more information an eavesdropper might have on the key and the more it must be compressed to be secure.

The following figure schematically shows key distillation.

JPEG - 172 kb
key size along the different steps of the QKD

This procedure works up to a maximum error rate. Above this threshold, the eavesdropper can have too much information on the sequence to allow the legitimate parties to produce a secret key. Because of this, it is essential for a quantum cryptography system to have a low intrinsic error rate.

Key distillation is then complemented by an authentication step in order to prevent a “man in the middle” attack, where the eavesdropper would cut the communication channels and pretend to the emitter that he is the receiver and vice-versa. This is possible thanks to the use of a pre-established secret key in the emitter and the receiver, which is used to authenticate the communications on the classical channel. This initial secret key serves only to authenticate the first quantum cryptography session. After each session, part of the key produced is used to replace the previous authentication key.