Asymmetric Adaptive LDPC-Based Information Reconciliation for Industrial Quantum Key Distribution

Abstract

We develop a new approach for asymmetric LDPC-based information reconciliation in order to adapt to the current channel state and achieve better performance and scalability in practical resource-constrained QKD systems. The new scheme combines the advantages of LDPC codes, a priori error rate estimation, rate-adaptive and blind information reconciliation techniques. We compare the performance of several asymmetric and symmetric error correction schemes using a real industrial QKD setup. The proposed asymmetric algorithm achieves significantly higher throughput, providing a secret key rate that is close to the symmetric one in a wide range of error rates. Thus, our approach is found to be particularly efficient for applications with high key rates, limited classical channel capacity and asymmetric computational resource allocation.

1. Introduction

Quantum key distribution (QKD) systems are considered as unconditionally secure trusted couriers for symmetric-key encryption of classical communication. According to the common principle of QKD, the so-called “quantum” part of a protocol is followed by the classical post-processing procedure in order to distill the raw key copies and form a common secret key for both participants. This post-processing procedure consists of the following basic steps: sifting, error correction, parameter estimation, privacy amplification and session authentication [1]. In particular, the error correction (EC) process is executed in order to find and correct all incompatible bits using a classical public channel but still maintaining most of the key data that is unrevealed. This step is thought to be the most computationally complex and time-consuming of the entire procedure [2] and therefore includes the potential for optimization. It is also the most secret-key-reducing part [3,4].

The EC procedure, often referred to as information reconciliation (IR), can be implemented in QKD using various EC techniques [3,5,6,7,8,9]. Among them, the low-density parity-check (LDPC) codes [10] are well studied and widely applied in modern telecommunication systems. The main advantage of the LDPC codes is the possibility to reach information rates that are arbitrarily close to the Shannon limit for a wide variety of channels [11]. That possibility can be implemented by satisfying several basic conditions, such as efficient decoder design, parity check matrix construction and apropos code rate adaptation.

The straightforward LDPC-based EC is asymmetric since the syndrome decoding process is much more computationally complex than the encoding one. In a scheme where the transmitter (Alice) performs encoding and the receiver (Bob) is decoding, Alice’s computer is idle most of the time, and the entire throughput is determined by the decoding speed of Bob’s computer. Therefore, to avoid this asymmetric and inefficient use of computational resources, some modern industrial point-to-point QKD solutions implement a bi-directional [12,13] or symmetric blind IR approach [14].

The first approach is based on the parallel processing of different sifted key frames by Alice and Bob, achieving a Mbps key throughput. The second one combines the advantages of LDPC and the interactivity of the Cascade IR protocol in the correction of the same frame, achieving fail-resistant performance and high information efficiency simultaneously. These highly-efficient reconciliation schemes, however, remain practical only if both Alice and Bob possess sufficiently powerful computing devices.

Currently, the latest commercially available QKD devices (manufactured by, e.g., ID Quantique, QuantumCTek, Toshiba) are designed as 19-inch rack modules, having the same size specifications for both transmitter and receiver. However, in some practical QKD schemes and applications, one may prefer to minimize the size and cost of the transmitter device and, as a consequence, reduce its computational load. For instance, in an urban star-topology quantum network with one powerful receiver server connecting multiple users, it would be ideal in the future to develop a user’s transmitter device of the PCI-e card form factor to be installed inside a normal personal computer. In order to save the processor’s computation resources and power consumption, such a transmitter has to execute minimum complex EC operations.

Another example is the satellite QKD in which the satellite is a transmitter playing the role of a trusted node [15]. For the same reasons, such a device requires minimization of the load on its computing module and on the service channel, preserving efficient performance under unstable quantum channel conditions. One can also consider hand-held devices [16]. Therefore, for such applications, one has to reconsider the EC workflow considering the inequality of computational resources of transmitter and receiver. The design must be aimed to provide a real-time post-processing service for such asymmetric QKD systems.

In this work, we consider the decoy-state BB84 protocol [17,18,19,20] and revisit the asymmetric LDPC-based reconciliation [12,21,22,23,24,25], in which the syndrome decoding is performed only on Bob’s side, by modifying and improving the existing symmetric blind IR scheme [14]. We develop a novel rate-adaptive algorithm that employs a new optimal code rate selection approach based on our a priori quantum bit error rate estimation method. It is shown that the knowledge of the precise error rate value and the proper code rate choice is crucial for high-performance EC.

We also propose a different additional round organization rule that allows a direct code efficiency control without round number limitation. Using the simulated and real experimental data, we demonstrate that the new asymmetric scheme is able to achieve almost the same efficiency as a symmetric one while maintaining the low failure probability and time consumption. The performance of our scheme on data is also compared with two blind asymmetric schemes, proposed in [22,26], that use different bit disclosure rules during additional rounds.

The paper is organized as follows. In Section 2, we review the basics of the IR procedure, particularly focusing on asymmetry-related solutions. In Section 3, we discuss the details of the code rate scheme adaptation changes that have to be made in order to save a satisfactory overall efficiency parameter of the cryptosystem. In Section 4, we compare the asymmetric and symmetric approaches using a set of benchmarks. We summarize our results in Section 5.

2. Information Reconciliation with LDPC Codes

In the BB84 QKD protocol [27] the sifted keys of Alice and Bob, made out of raw keys by rejecting events with incompatible bases, are not 100% identical and contain quantum bit errors that must be found and corrected. After correction and subsequent verification, the key passes to the privacy amplification step—a special contraction of the verified key with 2-universal hash functions into a shorter unconditionally secure secret key in order to minimize information of potential eavesdropper (Eve) to an arbitrarily low value. For practical reasons, the sifted key is accumulated in blocks of fixed size ${\ell }_{\mathrm{block}}$.

In order to minimize the effect of statistical fluctuations on the final secret key length evaluation and consequently obtain a less conservative result, ${\ell }_{\mathrm{block}}$ has to be of the order of ${10}^6$ and larger. Since such bit string size is too large for high-speed and efficient LDPC-based EC; the block is split into a number of smaller subblocks of length ${\ell }_{\mathrm{subblock}}\sim {10}^3$–${10}^5$ bits and EC is performed on each subblock separately.

Each subblock correction starts with an a priori quantum bit error rate (QBER) estimation. The straightforward approach is to disclose and publicly compare a random sample of the sifted key. The disclosed bits have to be discarded by Alice and Bob. To avoid such excessive key consumption, the estimation can be done by analyzing only indirect information about errors, such as the polarization drift [28] for polarization-encoding protocol or LDPC syndrome [29,30] for general discrete variable QKD protocol.

Originally, the LDPC codes were designed for a one-way EC scheme [11]. In this scheme, Alice selects an appropriate code of rate R that fits the quantum channel capacity, determines the corresponding sparse parity-check matrix $H_R$, calculates the syndrome ${\mathit{s}}_A$ of length $(1-R){\ell }_{\mathrm{subblock}}$ from her message (key) ${\mathit{x}}_A$,

$${\mathit{s}}_A=H_R{\mathit{x}}_A\left(\mathrm{mod}2\right)$$

(1)

and sends it to Bob via a classic authenticated channel. Bob, in turn, computes the syndrome ${\mathit{s}}_B=H_R{\mathit{x}}_B$ from their sifted bit string ${\mathit{x}}_B$ and performs Alice’s syndrome decoding that can be interpreted as searching for error pattern $\mathit{e}$ such that

$$H_R\mathit{e}\left(\mathrm{mod}2\right)={\mathit{s}}_A\oplus {\mathit{s}}_B.$$

(2)

Solving (2), Bob corrects their bit string: ${\mathit{x}}_B\to {\mathit{x}}_B\oplus \mathit{e}\equiv {\mathit{x}}_A$. If the solution is not found within a limited period of time, the decoding fails.

The efficiency of LDPC algorithms can be further increased using the rate-adaptive [4,21] and blind reconciliation [22] methods. To adapt the code rate R more precisely to the current quantum channel state, we use the puncturing (and shortening) technique [31,32]. This is based on the idea of extending subblock (payload data) to a new EC unit, hereafter called frame, by inserting additional noise (punctured bits) into ${\mathit{x}}_{A,B}$. Then, the blind IR can be applied to increase the EC success probability. In this approach, an accurate a priori QBER estimation and initial choice of R are considered to be unnecessary.

Instead, if Bob reports their basic round decoding failure, during additional rounds, Alice discloses some fraction of her punctured bit values and Bob makes another decoding attempt, this time with more information about the frame. The resulting efficiency deteriorates with the number of disclosed bits and the number of additional rounds. Consequently, the frame correction running time and the load on the classical channel increase, and the EC success probability increases.

The number of additional rounds is limited by the amount of information to be revealed and the revealing strategy. In the original blind reconciliation scheme [22], during every additional round, Alice discloses the fixed number of punctured bits, $d_k=p/N_{\mathrm{add}}^{max}$, where $p=\alpha {\ell }_{\mathrm{frame}}$ is the total number of punctured bits in the frame, defined by empiric code rate adaptation parameter $\alpha$, and $N_{\mathrm{add}}^{max}$ is the maximum allowed number of additional rounds. Another method, proposed in an attempt to make the decoder converge faster, is the linearly increasing with iteration number k step $d_k=k\delta$ ($k\ge 1$) where $\delta$ is determined empirically [26].

In symmetrically organized reconciliation [14], Alice and Bob share their syndromes and both perform belief-propagation decoding of (2). In the case of failure, they compute the log-likelihood ratio (LLR) for every bit in the frame and then disclose to each other only the bits with minimal LLR. To increase the decoding success probability, both punctured and payload bits are allowed to be disclosed (of course, such payload bits are excluded from the final secret key). Then, Alice and Bob refresh their EC frames using new data and perform another decoding attempt. In [14], the following heuristic rule is used to determine the disclosed data amount: $d_k\left(R\right)=\lceil {\ell }_{\mathrm{frame}}(0.028-0.02R)\beta \rceil$, $\beta \in \{0.5,1\}$.

In the case of unsuccessful decoding, the process is stopped if all bits are disclosed, or the frame correction time budget is over. The authors of [14] compared the blind approach with the rate-adaptive regime under the assumption that the QBER level is known and performed a simulation that showed better efficiency and number of iterations.

The symmetric strategy shows itself to be highly efficient; however, for the asymmetric scheme, Alice has no intermediate decoder parameters, such as positions of bits with minimal LLR, and thus she cannot disclose this auxiliary data to Bob blindly anymore. Using different ideas, some solutions were proposed in Refs. [24,25]. In this work, we step aside from the blind reconciliation principle and develop further the additional rounds’ organization strategy that preserves the efficiency of symmetric IR in the presence of limited computational resources.

IR Performance Metrics

Since Eve can, in principle, extract some partial useful information from syndromes and other data, exchanged via the classic channel during the IR communication rounds, this potential leakage has to be subtracted and considered in the final key length estimation. In order to quantify the EC efficiency and estimate the amount of disclosed information about the key, the following metric is introduced [21]:

$$f_{\mathrm{ec}}=\frac{{\ell }_{\mathrm{syndrome}}-p+d}{({\ell }_{\mathrm{frame}}-p-s)h_2\left(E_{\mu }\right)}$$

(3)

with ${\ell }_{\mathrm{syndrome}}=(1-R){\ell }_{\mathrm{frame}}$ and $p+s={\ell }_{\mathrm{frame}}-{\ell }_{\mathrm{subblock}}=\alpha {\ell }_{\mathrm{frame}}$ where

• $E_{\mu }$—the average signal pulse QBER of a subblock.
• p—the number of punctured bits in a frame.
• s—the number of shortened bits in a frame.
• $d={\sum }_k{d}_k$—the total number of disclosed bits in additional rounds.
• $h_2\left(x\right)=-x{log}_{2}x-(1-x){log}_2(1-x)$—the Shannon binary entropy.

This metric represents the ratio of the information content used to reconcile one data frame over the minimal information theoretically required [4]. Thus, a large $f_{\mathrm{ec}}$ implies less efficient EC. A large $f_{\mathrm{ec}}$ also indicates the process interactivity. Note that $f_{\mathrm{ec}}$ cannot approach values less than 1 due to Shannon’s limit. In this way, for purely theoretical studies, the average information leakage per successfully corrected subblock can be estimated as ${\ell }_{\mathrm{subblock}}{f}_{\mathrm{ec}}{h}_2\left(E_{\mu }\right)$.

Another important code quality metric that also affects the secret key generation rate is the frame error rate (FER)—the frame decoding failure probability. Considering FER, the modified formula for the average secret key length from [20] can be written as follows,

$${\ell }_{\sec }\simeq {\ell }_{\mathrm{block}}(1-\mathrm{FER})\left\{{\kappa }_1^l[1-h_2\left(E_1^u\right)]-f_{\mathrm{ec}}{h}_2\left(E_{\mu }\right)\right\}$$

(4)

where ${\kappa }_1^l$ is a lower bound on the fraction of bits in the verified key obtained from single-photon pulses, and $E_1^u$ is an upper bound on the fraction of errors in such positions in the sifted keys (for their estimations, see, e.g., [20,33]). The trade-off between low (high) $f_{\mathrm{ec}}$ and high (low) FER is the main objective of this IR research.

Finally, the last important factor is the CPU load. As already mentioned above, the LDPC decoder complexity essentially depends on the frame length ${\ell }_{\mathrm{frame}}$. Hence, the processing time consumption is linearly dependent on the total number of decoding iterations that can be used to analyze the load of Bob’s module. Therefore, for practical QKD applications, even more crucial performance criterion is the average secret key generation rate, which can be estimated as

$$R_{\sec }=\frac{{\ell }_{\sec }}{\tau }$$

(5)

where $\tau$ is the time needed to produce a secret key of length ${\ell }_{\sec }$ or equivalently the overall block generation and post-processing time. In this way, Equations (4) and (5) can be used as the main benchmarks when comparing various EC schemes with different $f_{\mathrm{ec}}$, FER and number of additional EC rounds.

3. Adaptive Code Rate Method for Asymmetric Blind Reconciliation

In this section, we describe the proposed asymmetric algorithm, schematically shown in Figure 1, which contains three key steps explained below. Before going into detail, let us first list the used basic IR parameters and tools.

In our study, the appropriate frame length is chosen to be ${\ell }_{\mathrm{frame}}$ = 32,000 bits. Then, the key subblock length is computed as

$${\ell }_{\mathrm{subblock}}={\ell }_{\mathrm{frame}}(1-\alpha ).$$

(6)

Using $\alpha =0.15$ [8], one obtains ${\ell }_{\mathrm{subblock}}$ = 27,200 bits. Since the post-processing block size has to be at least of the order of ${10}^6$, we take ${\ell }_{\mathrm{block}}=50{\ell }_{\mathrm{subblock}}=1.36\times {10}^6$.

In order to reduce the impact of error bursts on the decoding process and to randomize the locations of errors, we apply the interleaving technique [2]. Alice and Bob simultaneously reorder bits in the subblock according to the permutation law, determined by two synchronized pseudo-random number generators based on Mersenne Twister.

The LDPC matrices $\left\{H_R\right\}$ are generated for the code pool $R\in \{0.5,0.55,\dots ,0.9\}$ with the Progressive Edge-Growth algorithm [34] and Tanner graph node degree distributions described in [7]. The values of shortened and punctured bits are defined by pseudo-random and true number generators, respectively (see [14] for detailed information). The untainted puncturing technique of the proper punctured bit position choice is also used [35].

The Sum-Product decoder [11] is the popular belief propagation LDPC syndrome decoder. However, it employs rather heavy computational operations and thus is not efficient enough for high-speed data processing. Therefore, we apply its effective approximation—the variable-scaled Min-Sum decoder [36] with the scaling parameter step equal to $12.5$, which is chosen empirically and gives the best efficiency in our tests.

3.1. A Priori QBER Estimation

The EC of a new frame starts with the LDPC code rate choice based on the a priori error rate estimation. Although the blind rate-adaptive reconciliation is supposed to work without exact knowledge of QBER [22], it remains rather sensitive to the initial code rate value. The main idea of the blind reconciliation is to use an LDPC code of fixed rate that can be adapted by iterative disclosure of punctured bits. Therefore, in order to choose the optimal code rate, in this work, we propose to estimate the current a priori QBER using the a posteriori QBER information from the previously corrected and verified frames. We also consider the non-zero frame error rate (FER), caused by either LDPC code imperfections or unexpected QBER fluctuations and propose a simple feedback loop.

In our scheme, the a priori QBER for arbitrary i-th frame ${\widehat{E}}_{\mu }^{\left(i\right)}$ is estimated by the exponential moving average of the previous verified frame, ${\mathrm{EMA}}^{(i-1)}$, defined iteratively as

$${\mathrm{EMA}}^{\left(j\right)}=\left\{\begin{array}{c}{E}_{\mu }^{(i-6)}j=i-6\hfill \\ \gamma E_{\mu }^{\left(j\right)}+(1-\gamma ){\mathrm{EMA}}^{(j-1)}i-5\le j\le i-1\hfill \end{array}\right.$$

(7)

with the empirical smoothing factor $\gamma =0.33$. The exponential weights lead to a more optimal code rate choice from the pool in the case of gradual QBER variation, while the average value smooths possible sporadic error bursts and, therefore, results in stable EC performance.

Nevertheless, the EMA method does not allow to detect and quickly adapt R to a sudden significant leap of QBER level. Therefore, we check the presence of error bursts by analyzing the set of weak decoy pulse QBERs of the block, $\{E_{{\nu }_1}^{\left(1\right)},\dots E_{{\nu }_1}^{\left(50\right)}\}$. Since decoy pulses are not used for the key formation, Alice can safely send a string of decoy bit values to Bob who compares it with their own one and computes decoy QBERs straightforwardly.

We set the following condition: if $|E_{{\nu }_1}^{\left(i\right)}-\mathbb{E}\left[E_{{\nu }_1}\right]|\ge 3\sigma \left[E_{{\nu }_1}\right]$, where $\mathbb{E}\left[E_{{\nu }_1}\right]$ and $\sigma \left[E_{{\nu }_1}\right]$ are the mean value and the standard deviation, respectively, the sporadic error burst is detected. Using the simplest theoretical model for QBER prediction, e.g., from Ref. [19], one can show that $E_{\mu }$ and $E_{{\nu }_1}$ have very similar behavior and that $\mathbb{E}\left[E_{\mu }\right]\le \mathbb{E}\left[E_{{\nu }_1}\right]$ due to the $\mu >\nu$ condition. Thus, we can use ${\widehat{E}}_{\mu }^{\left(i\right)}=E_{{\nu }_1}^{\left(i\right)}$ as an upper bound for the signal a priori QBER instead of the EMA estimation.

After the i-th frame correction the verification step is performed, where we propose a simple performance control rule: in the case of frame verification failure, the EMA is calculated with penalty value ${\widehat{E}}_{\mu }^{\left(i\right)}=0.5$. Such a feedback loop provides a temporal decrease of the algorithm efficiency, increasing the probability of successful EC of the next frame.

The workflow of our a priori QBER estimation is shown in Figure 2. One can observe high consistency of $E_{\mu }$ and its estimation ${\widehat{E}}_{\mu }$ even in the presence of the error burst from $2\%$ up to $8\%$ values of $E_{\mu }$ (frames 200–250).

3.2. Code Rate Selection

It is crucial for the entire algorithm to set up a proper initial efficiency value of $f_{\mathrm{ec}}$ before the code rate is chosen. We use $f_{\mathrm{start}}=1.15$ as an empirical optimum. In this way, we can directly control the reconciliation scheme efficiency. Considering the LDPC code’s imperfection, the desired code rate is defined by Shannon’s capacity of the binary symmetric channel,

$$R_{\mathrm{desired}}=1-f_{\mathrm{start}}{h}_2\left({\widehat{E}}_{\mu }\right).$$

(8)

If $0.5\le R_{\mathrm{desired}}\le 0.9$, then, for every code rate R from the pool $\{0.5,0.55,\dots ,0.9\}$, the total numbers of punctured (p) and shortened (s) bits are estimated as

$$\begin{array}{cc}\hfill p& ={\ell }_{\mathrm{frame}}\lceil 1-R-(1-\alpha )f_{\mathrm{start}}{h}_2({\widehat{E}}_{\mu })\rceil \hfill \\ \hfill s& =\alpha {\ell }_{\mathrm{frame}}-p.\hfill \end{array}$$

(9)

This list of sets $\{R,p,s\}$ is sifted considering the following conditions:

$$p,s\ge 0p\le p_R{\widehat{E}}_{\mu }<t_R.$$

(10)

Here, $t_R$ is the error rate threshold defined in [7], $p_R$ is the maximum amount of punctured bits calculated by the untainted puncturing technique [35]. The rest of appropriate sets $\{R,p,s\}$ forms a list, from which the algorithm chooses the one with maximum R. A similar rule to calculate $p,s$ values was proposed in [7]; however, with no proper QBER estimation and pool of codes, it appears to be ineffective compared to blind schemes.

For very high/low QBER, the list is found to be empty. In this case, the algorithm chooses either $\{0.5,0,\alpha {\ell }_{\mathrm{frame}}\}$ if $R_{\mathrm{desired}}\le R_{\min }=0.5$, or $\{0.9,p_{R_{\max }},\alpha {\ell }_{\mathrm{frame}}-p_{R_{\max }}\}$ if $R_{\mathrm{desired}}\ge R_{\max }=0.9$.

3.3. Additional Correction Rounds

Next, we modify the scheme of additional rounds organization. If the basic decoding round does not converge successfully, Bob reports to Alice about the occurred fail, and Alice, in return, begins disclosing punctured node values. Since the punctured nodes are generated true-randomly, their values’ disclosure eliminates rather a high amount of uncertainty for Bob’s decoder, and hence, with high probability, these nodes have the smallest LLR values. If all punctured bits are already disclosed but the decoding is still unsuccessful, Alice continues additional rounds by disclosing pseudo-randomly chosen payload bits. In general, provided that the previous $k-1$ rounds failed, in the next k-th round, the number of disclosed punctured/payload bits is calculated according to our rule,

$${\displaystyle d_k=|\frac{{\ell }_{\mathrm{syndrome}}-p+{\sum }_{l=0}^{k-1}{d}_l}{({\ell }_{\mathrm{frame}}-p-s)h_2\left({\widehat{E}}_{\mu }\right)}-f_k|{\ell }_{\mathrm{frame}}{\widehat{E}}_{\mu }k\ge 1}$$

(11)

with $d_0=0$ and $f_k=f_{\mathrm{start}}+0.03k$. The additional rounds take place until the successful decoding result, or in the case of continuous fails, either the frame correction time budget or the maximum allowed number of iterations ($N_{\mathrm{add}}^{max}$) exceeds its limit. In the latter case, Bob reports their failure status to Alice, and both sides discard the corresponding subblock from the block. We evaluate the time budget out of timeouts for data transfer operations, i.e., based on the Quality of Service (QoS) of the classic channel (main factor), sifted key generation rate and hardware computational resources, which results in a value of the order of milliseconds.

4. Simulation and Experimental Results

In order to analyze the proposed asymmetric error correction (AEC) algorithm and compare it with the improved symmetric (SEC) approach and other asymmetric schemes as well, we first generate numerous bit strings of raw key for various average signal QBER values, $E_{\mu }\in \{0.005,0.01,\dots ,0.105\}$, using a theoretical model of the decoy-state BB84 protocol with the parameters listed in

Table 1. The decoy-state BB84 setup parameters, used in both simulated and experimental data analysis: the mean photon number per pulse of signal ($\mu$), week (${\nu }_1$) and vacuum (${\nu }_2$) decoy states, corresponding state generation probabilities $\{p_{\mu },p_{{\nu }_1},p_{{\nu }_2}\}$, single-photon detector quantum efficiency $\eta$, dark count probability $p_{\mathrm{dc}}$, dead time ${\tau }_{\mathrm{dead}}$ and optical error probability $p_{\mathrm{opt}}$.

$\mathit{\mu }$	${\mathit{\nu }}_1$	${\mathit{\nu }}_2$	${\mathit{p}}_{\mathit{\mu }}$	${\mathit{p}}_{{\mathit{\nu }}_{1,2}}$	$\mathit{\eta }$	${\mathit{p}}_{\mathbf{dc}}$	${\mathit{\tau }}_{\mathbf{dead}}$	${\mathit{p}}_{\mathbf{opt}}$
$0.30$	$0.09$	$0.003$	$0.50$	$0.25$	$0.13$	${10}^{-6}$	$5$ μs	$0.02$

. The results of our simulations are presented in Figure 3 where we plot the efficiency $f_{\mathrm{ec}}$ (3) and the average number of decoding iterations as functions of the average QBER.

For reference, on the upper-left plot, we also used the theoretical efficiency of a code with a fixed rate for a given $E_{\mu }$ interval, $f_{\mathrm{th}}=(1-R)/h_2\left(E_{\mu }\right)$, which is the best efficiency that an EC scheme without rate-adaptive technique can achieve without frame correction failure. Note that, in our scheme, $f_{\mathrm{ec}}$ cannot be smaller than the initial value $f_{\mathrm{start}}$ due to additional EC rounds. The important result of this work is that the proposed AEC scheme closely approaches the SEC efficiency for error rates $E_{\mu }\gtrsim 2\%$. On the contrary, in the lower QBER region, the AEC efficiency increases faster than SEC but still does not exceed by more than $5\%$. Furthermore, one can notice the increase of the $f_{\mathrm{ec}}$ variance due to significant error fluctuations that induce the instability in the performance of any scheme with fast LDPC codes ($R\ge 0.75$).

Therefore, the fast codes have more strict requirements for the compliance of the selected set $\{R,p,s\}$ to an actual QBER of the frame, particularly in an asymmetric scheme. In particular, this implies more precise a priori QBER estimation for low $E_{\mu }$. In terms of the number of decoding iterations, AEC performs slightly better than SEC in the lower range $E_{\mu }<2\%$, while, for $E_{\mu }\gtrsim 2\%$, they demonstrate nearly the same results.

The basic principle of our method is a union of adaptive code rate selection and strategy of additional rounds organization. This could be potentially applied to the code represented by arbitrary parity check matrix (PCM) with any ${\ell }_{\mathrm{frame}}$ and $\alpha$ values. We compare our EC with two asymmetric blind IR schemes that use different data disclosure rules for additional reconciliation rounds using common codes pool with fixed ${\ell }_{\mathrm{frame}}$ = 32,000 bits in order to provide fair comparison. Key features of the compared approaches are summarized in

Table 2. Key features of various EC schemes. Both AEC schemes with fixed and variable step $d_k$ are conceptually blind, using no precise a priori QBER estimation and payload bits disclosure. The adaptive AEC proposed in this work is described in Section 3. The adaptive SEC scheme is based on the original one [14] but with the proposed a priori QBER estimation and code rate selection method.

EC Scheme	A Priori QBER	Code Rate	Payload Bits	${\mathit{d}}_{\mathit{k}}$
	Estimation	Adaptation	Disclosure
AEC (blind, fixed $d_k$)	✗	✓	✗	480
AEC (blind, variable $d_k$)	✗	✓	✗	$480k$
AEC (this work)/SEC (adaptive)	✓	✓	✓	Equation (11)

.

In the AEC scheme, proposed in [22,37], in each additional round, the number of disclosed bits is equal and fixed, $d_k=\delta$. In another AEC scheme from Ref. [26], it is increased with iterations, $d_k=d_{k-1}+\delta$. In both schemes, no initial shortened bits are generated, and only punctured bits are used in additional rounds. Thus, in these two schemes, $s=0$ and $p=\alpha {\ell }_{\mathrm{frame}}$. The results obtained with these two methods are highly dependent on initial settings, such as the LDPC code frame length, the quality of parity check matrices and the amount of punctured bits.

Therefore, we set our implementations of these methods maintaining the original number of additional rounds (or larger), which defines the maximum $f_{\mathrm{ec}}$ and FER for any blind method. We set the maximum number of additional rounds equal to 10 and 4 for AEC with fixed and variable steps, respectively. This, in turn, results to $\delta =480$ bits. The parameter list of the original works and our adaptation to our LDPC setup is presented in

Table 3. The list of parameters for blind AEC schemes with fixed ($d_k=\delta$) and increased ($d_k=k\delta$) number of disclosed bits during additional rounds. In this work, we slightly modify some QBER intervals from Refs. [22,26] to cover the entire QBER range and use the maximum total number of reconciliation rounds $N_{\mathrm{add}}^{max}$, which is expected to show better $f_{\mathrm{ec}}$. For fixed $d_k$, doubled $N_{\mathrm{add}}^{max}$ is used. The code rates and ${\ell }_{\mathrm{frame}}$ in Ref. [37] insignificantly differ from those in Ref. [22].

	EC Scheme	${\mathit{\ell }}_{\mathbf{frame}}$	$\mathit{\alpha }$	$\mathit{R}:[{\mathit{E}}_{\mathit{\mu }}^{\mathbf{min}},{\mathit{E}}_{\mathit{\mu }}^{\mathbf{max}}]$	${\mathit{N}}_{\mathbf{add}}^{\mathbf{max}}$	$\mathit{\delta }$
$d_k=\delta$	[22,37]	2000	0.1	$0.8:[0.01,0.035]$, $0.7:[0.02,0.06]$,	1–5	$\frac{\alpha {\ell }_{\mathrm{frame}}}{N_{\mathrm{add}}^{max}}$
				$0.6:[0.04,0.09]$, $0.5:[0.07,0.12]$
	this work	32,000	0.15	$0.8:[0,0.03]$, $0.7:[0.03,0.05]$,	10	480
				$0.6:[0.05,0.08]$, $0.5:[0.08,0.11]$
$d_k=k\delta$	[26]	64,800	0.1	$0.8:[0.01,0.02]$, $0.6:[0.03,0.07]$,	4	648
				$0.5:[0.08,0.1]$
	this work	32,000	0.15	$0.8:[0,0.03]$, $0.6:[0.03,0.08]$,	4	480
				$0.5:[0.08,0.11]$

. One can see from Figure 3 that our AEC efficiency performs significantly better compared with both blind AEC schemes in the entire QBER region.

Although the efficiency metric (3) is informative when comparing different EC schemes, one has to consider another critical quantity of practical IR process—the decoding time consumption that is proportional to the total number of decoder iterations. On the bottom plot in Figure 3, we show the average total number of iterations depending on the QBER level. This number evaluation includes both basic and additional reconciliation rounds. We have to mention that all results are obtained on a single-processor setup without parallel computing. One can see that the proposed adaptive AEC method is approximately two-times faster than AEC with fixed step and slightly faster than AEC with a variable step for $E_{\mu }\gtrsim 4\%$.

Finally, we tested the real EC performance on experimental data, obtained with industrial QKD devices manufactured by QRate [38] for various losses in the quantum channel up to 20 dB (100 [email protected] dB/km). Our results are presented in Figure 4. The upper plots show similar behavior as in Figure 3: the proposed AEC and SEC are very close in terms of efficiency, and SEC is slightly faster than AEC in terms of decoder iterations. The AEC scheme with a fixed step is less efficient and slower in the entire loss range. Although AEC with variable step is a bit faster for losses up to 7 dB; however, it has much worse efficiency.

Having a great deal of experimental data at our disposal (45,000 frames per dot), we also studied the frame correction failure probability. One can see, from Figure 4, that the FER of our AEC scheme is less than ${10}^{-3}$, which is about one order of magnitude smaller than the FER of AEC with fixed/increased step, which can reach 10% at 20 dB. Furthermore, the failure probability of the AEC scheme is slightly better than of SEC for losses starting from 5 dB.

For a practical QKD setup, the IR throughput has to be analyzed as well [37]. The throughput defines how many bits per second the EC algorithm can proceed and depends on two basic factors. The first is the decoder’s iteration cost, i.e., the time spent on one belief propagation algorithm execution, determined by CPU performance, number of threads and chosen code rate. The second factor is the total number of iterations in all rounds, which increases with additional rounds.

Both blind AEC approaches have the lowest throughput because of their high number of iterations and FER. The SEC approach needs a smaller number of additional rounds since the knowledge of the smallest LLR positions leads to faster convergence of the decoder. However, the cost of each decoder iteration overweights the number of rounds and leads to lower throughput in comparison to our AEC approach. For these reasons, the developed AEC scheme demonstrates about two-times better throughput with respect to the three other schemes.

On the bottom plots in Figure 4, we present the overall result of all previously discussed metrics and effects—the normalized secret key length and generation rate. One observes that AEC and SEC have almost identical results and gain enhancement of about 20% (40%) in ${\ell }_{\sec }$ and $R_{\sec }$ with respect to AEC with fixed (variable) step. This fact clearly confirms the advantage of our AEC approach over the previously studied blind AEC versions. Another important conclusion is that the introduced AEC algorithm demonstrates practically the same or sometimes even better performance compared with SEC.

5. Discussion

In this work, we suggested a new approach to asymmetric error correction that could be used in practical QKD systems with limited computational resources on one side. We took the symmetric blind information reconciliation [14] as a basis and proposed improvements, such as a priori QBER estimation, different code rate selection and the punctured bits disclosure rule. In particular, using the exponential moving average QBER of the previous verified frame together with decoy-state QBER allows the algorithm to detect gradual error rate changes and sudden bursts as swells and quickly adapt the code.

Novel a priori error estimation methods were efficiently applied together with a slightly changed rate-adaptive technique and blind-like interactive information reconciliation. Then, for the first time, we applied these features in an asymmetric approach. To compare various schemes, we studied several EC performance metrics and the secret key length/rate as final benchmarks on simulated and real data. We found that the improved symmetric and new asymmetric schemes demonstrated close efficiencies and average numbers of decoding iterations in rather wide QBER range ($E_{\mu }\gtrsim 2\%$).

Thus, a crucial result of this work is that our asymmetric scheme was found to be not inferior to the symmetric one regarding either the efficiency or in the secret key generation rate. We also made a comparison with two asymmetric blind schemes with the fixed and variable steps of the number of disclosed bits per additional round. We found that both proposed non-blind interactive approaches demonstrated a clear advantage over the blind ones. In this way, we conclude that the developed adaptive error correction approach can be efficiently used in decoy-state BB84 setups with fluctuating QBER levels and asymmetric computational resource allocation.