A Simple Approach to Error Reconciliation in Quantum Key Distribution
Richard P. Brent
7 May 2010 (arXiv preprint, cs.DS)
Abstract

We discuss the error reconciliation phase in quantum key distribution (QKD) and analyse a simple scheme in which blocks with bad parity (that is, blocks containing an odd number of errors) are discarded. We predict the performance of this scheme and show, using a simulation, that the prediction is accurate.

∗ Presented at the 53rd Annual Meeting of the Australian Mathematical Society, Adelaide, 1 Oct. 2009.
Introduction and Assumptions

Suppose that Alice sends $n$ random bits to Bob over a quantum channel. The bits that Bob receives have an error probability $p < 1/2$. This could be due to noise and/or to the effect of eavesdropping by Eve. Initially Alice and Bob have an estimate of $p$. This estimate can be improved later, after they have some information to estimate the actual error rate.

Alice and Bob want to agree on a smaller number of random bits for use as a secret key or other cryptographic purposes. They can communicate over a classical channel, but it is assumed that Eve can eavesdrop on all communications over this channel (even though, in practice, it would be protected by classical cryptography). It is assumed that communications over the classical channel are authenticated to rule out “man-in-the-middle” attacks, but we do not discuss authentication here (see for example [14, 15]). Because some random bits need to be shared between Alice and Bob for authentication purposes, QKD is more accurately called “quantum key expansion”.

It is important that Eve does not know the random number generator that Alice uses to generate her $n$ random bits to send over the quantum channel – this random number generator should involve some random physical device so that it is unpredictable even if Eve has unlimited computational power.

Alice and Bob share a pseudo-random number generator that is used to generate pseudo-random permutations. The seed for this random number generator could be part of their shared initial information, or could be sent during an earlier secure communication session. If necessary, Alice could send Bob the key over the classical channel, after sending her random bits over the quantum channel. Although Eve is assumed to know the pseudo-random permutations, it is important that she can not predict them in advance, so can not use them to decide which bits to intercept on the quantum channel.

We assume that Eve is unable to store quantum states for a significant time. Thus, any eavesdropping has to be done on the fly and can not be delayed until Alice and Bob communicate over the classical channel. Of course, Alice and Bob can delay communication over the classical channel for as long as they wish, in order to make Eve's task more difficult.

Footnote: We do not discuss the post-selection/sifting phase where Alice and Bob may discard certain bits. This requires communication over the classical channel but relatively little computation.

Expected Distribution of Errors in Blocks
Alice and Bob choose a blocksize $b$ depending on their common estimate of $p$. We assume $2 \le b \le n$ and for simplicity ignore the problem of what to do with the last block if $b$ is not a divisor of $n$ (since $n$ is assumed to be large, whatever we do will make a negligible difference to the analysis).

Alice and Bob apply the same random permutation to their $n$-bit sequences, using their shared pseudo-random number generator (see above). They should use a good random permutation algorithm (see Appendix A). Because of the first random permutation, we can assume that errors occurring in a block are independent, even if the original errors are correlated.

We use the generating function $G(x) = (q + px)^b$, where $q = 1 - p$. The coefficient of $x^k$ in $G(x)$ gives the probability that a block of length $b$ contains exactly $k$ errors. Clearly this probability is $\binom{b}{k} p^k q^{b-k}$, but it is convenient to avoid expressions involving sums of binomial coefficients by working with $G(x)$.

Alice and Bob compute the parities of their blocks, and compare parities using the classical channel. Thus, they can detect blocks with an odd number of errors. We say that a block is bad if the computed parities disagree, and good if the parities agree. Note that a good block may contain an even number of errors.

Footnote: Of course, Alice and Bob could use more sophisticated error detection/correction than simple parity bits, but it is not clear that this is desirable since it would disclose more information to Eve.

Let $P_0$ be the probability that a given block contains no errors. Clearly $P_0 = G(0) = q^b = (1-p)^b$. Let $P_1$ be the probability that a block is bad (contains an odd number of errors). Thus
$$P_1 = \frac{G(1) - G(-1)}{2} = \frac{1 - (1-2p)^b}{2}, \qquad (1)$$
since $q + p = 1$ and $q - p = 1 - 2p \ge 0$. If $bp \le 1$, we have $P_1 = bp + O(b^2p^2)$.

Let $P_2$ be the probability that a block contains errors that are not detected (so it must contain an even number of errors). Since $P_0 + P_1 + P_2 = 1$, we have
$$P_2 = 1 - (1-p)^b - \frac{1 - (1-2p)^b}{2} = \frac{1 - 2(1-p)^b + (1-2p)^b}{2} = \frac{b(b-1)}{2}\,p^2 + O(b^3p^3).$$

The expected number of errors in a good block is
$$E_u = \frac{G'(1) - G'(-1)}{G(1) + G(-1)},$$
where the prime indicates differentiation with respect to $x$, so $G'(x) = bp(q + px)^{b-1}$. Thus
$$E_u = bp\,\frac{1 - (1-2p)^{b-1}}{1 + (1-2p)^b} = b(b-1)p^2 + O(b^3p^3).$$
Note that $E_u$ is the expected number of errors in a good block before its first bit is discarded (see §4). After the first bit is discarded, the expected number of errors in the block is
$$\frac{b-1}{b}\,E_u = (b-1)p\,\frac{1 - (1-2p)^{b-1}}{1 + (1-2p)^b} = (b-1)^2p^2 + O(b^3p^3).$$
After bad blocks have been discarded we expect the error probability for the remaining bits to be
$$\tilde p = E_u/b = p\,\frac{1 - (1-2p)^{b-1}}{1 + (1-2p)^b} = (b-1)p^2 + O(b^2p^3). \qquad (2)$$

The process of doing a permutation, comparing parities and discarding some bits is called a round. There will be several rounds, until Alice and Bob have agreed on a string of bits that is unlikely to contain any errors.

Footnote: Actually, once Alice and Bob estimate that the expected number of errors remaining is $\ll 1$, they will (for reasons of efficiency) adopt a different strategy to confirm (or deny) that there are no remaining errors – see §5.

Re-estimation of Error Probability

Let $E_b$ be the observed block error rate, that is the number of blocks in which an error is detected, normalised by the total number $n/b$ of blocks. Thus the expectation $E(E_b)$ of $E_b$ is $P_1$, and we can obtain a new estimate $p'$ of $p$ from equation (1): setting $E_b = \frac{1 - (1-2p')^b}{2}$ and solving for $p'$ gives
$$p' = \begin{cases} 0 & \text{if } E_b = 0,\\[2pt] \dfrac{1 - (1-2E_b)^{1/b}}{2} & \text{if } 0 < E_b < 1/2,\\[2pt] 1/2 & \text{otherwise.} \end{cases} \qquad (3)$$

Footnote: We ignore the complication that $b$ might not be a divisor of $n$.

Choice of Blocksize

In this section we consider the case that there is little or no eavesdropping. The strategy discussed here may have to be modified if a substantial amount of eavesdropping is detected (see the discussion of Eve's information below).

Alice and Bob discard the bad blocks. They also discard one bit, say the first bit, from each block in which no error is detected, to compensate for the parity information that Eve might have obtained about the block by eavesdropping on the classical channel. Thus, the expected number of bits discarded per block is $P_1 b + (1 - P_1) = 1 + P_1(b - 1)$.

Footnote: Unlike the Cascade algorithm [3, §7] (also [13, Ch. 3]), where a binary search is performed to find an error in the block. Cascade discards fewer correct bits, but requires more communication over the classical channel. This is significant if the bandwidth or latency of the classical channel is a limiting factor in the overall performance.

Discarding bad blocks reduces the number of bits from $n$ to an expected $(1 - P_1)n$. Discarding one bit from each good block reduces this further, to $(1 - P_1)(1 - 1/b)n$. However, to partially compensate for this reduction, the “quality” of the bits should have improved. We can quantify this in the following way. From Shannon's coding theorem [12] (see also [13]), the information content of $n$ noisy bits is $(1 - H(p))n$, where
$$H(p) = -(p\log_2 p + q\log_2 q), \qquad (q = 1 - p) \qquad (4)$$
is the usual Shannon entropy, and $p$ is the error probability. After discards the estimated error probability improves to $\tilde p$, so Bob now has about $(1 - P_1)(1 - 1/b)(1 - H(\tilde p))n$ useful bits of information. Dividing by $n$ to normalize, define
$$J(b) = (1 - P_1)(1 - 1/b)(1 - H(\tilde p)). \qquad (5)$$
A reasonable criterion for choosing $b$ is to maximise $J(b)$, subject to the constraints $b \ge 2$ and $b \le n$. If $p$ is close to 0.5, the maximum can easily be obtained numerically by computing $J(b)$ for $b = 2, 3, \ldots$, using equations (1)–(2): see Table 1. If $bp \le 1$, then
$$J(b) = 1 + p - (bp + 1/b) + O(|bp\log(bp)|),$$
and the maximum occurs when $b \approx p^{-1/2}$. It is clear from Table 1 that $p^{-1/2}$ is a good approximation for $p \le 0.1$.

Footnote: We use classical Shannon entropy throughout, although in some situations von Neumann entropy is appropriate – see [10].

Footnote: Strictly speaking, the coding theorem does not apply to our situation, since Alice and Bob are trying to agree on some common sequence of bits, and they are allowed to exchange information over the classical channel. However, inclusion of the entropy term in (5) seems to be a useful heuristic. See also [9].

Table 2 gives the crossover points for small blocksizes $b$. The table gives, for each blocksize $b \le 10$, the range of $p$ (rounded to 5 decimals) for which that $b$ is optimal. For example, a blocksize of 2 is optimal for $0.\ldots < p < 0.5$, and a blocksize of 9 is optimal for $0.\ldots < p < 0.\ldots$. For $b$ outside the range of Table 2, a good approximation to the crossover point is $p \approx 1/b^2$.

Recall that the expected error probability after the first round is, from (2),
$$\tilde p = p\,\frac{1 - (1-2p)^{b-1}}{1 + (1-2p)^b}.$$
It is interesting to consider two extreme cases. First, suppose that $p$ is small and $b \approx p^{-1/2}$. Then (2) gives
$$\tilde p = p^{3/2} + O(p^2).$$
This means that the error probability converges to zero rapidly (in fact superlinearly, with order $3/2$) if $p$ is initially small.

Now consider the case that $p$ is close to $1/2$, say $p = 1 - q = 1/2 - \varepsilon$, where $\varepsilon$ is small but positive. In this case we can assume that $b = 2$. Write $\tilde p = 1/2 - \tilde\varepsilon$. From (2), we have
$$\tilde p = \frac{p^2}{1 - 2p + 2p^2} = \frac{p^2}{p^2 + q^2},$$
which gives
$$\tilde\varepsilon = \frac{2\varepsilon}{1 + 4\varepsilon^2}.$$
Thus, when $\varepsilon$ is small, $\tilde\varepsilon \approx 2\varepsilon$. After about $\log_2(1/\varepsilon)$ rounds the error probability will no longer be close to $1/2$.

[Table 3: Prediction for $p = 0.25$, $n = 1000000$; columns $p$, $b$, $n$, errors, bad blks, new $n$.]

[Table 4: $p = 0.25$, $n = 1000000$; same columns as Table 3.]

Combining the two cases, the expected number of remaining errors should be less than $\delta$ after about
$$\log_2\!\left(\frac{1}{1 - 2p}\right) + \log_{3/2}\log\!\left(\frac{n_f}{\delta}\right)$$
rounds, where $n_f$ is the number of bits remaining after discards.

Table 3 gives the predicted behaviour if Alice and Bob start with $n = 10^6$ bits, and the error probability is $p = 0.25$. The errors are removed with five rounds, and at that point Alice and Bob share 99642 bits. This is before verification (described in §
5) and privacy amplification (§7). Table 5 gives predictions for $n = 10^6$ bits and various error probabilities in the range $0.\ldots \le p \le 0.49$.

[Table 5: Prediction for various $p$, $n = 1000000$; columns $p$, final $n$.]

Verification

After enough rounds, the estimated error probability is small, and the expected number of remaining bit errors is less than 1. At this point Alice and Bob should verify that their bit sequences are identical. More precisely, they should perform a probabilistic test which fails to find any discrepancy with extremely low probability, say $\eta$, while at the same time disclosing as little information as possible to Eve.

Alice and Bob could continue as before for about $2\ln(1/\eta)/\ln(n)$ further rounds (where $n$ is the number of bits remaining), but this would be very inefficient and would unnecessarily disclose many parity bits (that is, linear relations between the bits) to Eve, who is assumed to be eavesdropping on the classical channel. It is much better for Alice and Bob to compute a suitable hash of their data and then compare this hash. If a good 64-bit hash agrees, then the probability that any undetected discrepancies remain should be of order $2^{-64} \approx 5 \times 10^{-20}$.

Footnote: Parity information is a linear relation over the field GF(2). If Eve gets enough such relations, she can solve for the unknown bits using linear algebra over GF(2).

One possibility for a $k$-bit hash function is to compute the parities of $k$ randomly chosen subsets (each of size about $n/2$, where $n$ is the number of bits to be verified). Each bit of the hash can be computed efficiently by generating a pseudo-random sequence of $n$ bits, performing a bitwise “and” … . Random-subset hashing is inefficient because only one bit of the hash is generated for each pass through the data. Alternatives exist that are about as good and much faster in practice [4, 11, 17].

If the verification phase fails to confirm that Alice and Bob have identical sequences of bits, it is necessary to return to computing parities of blocks (of size $b \le n/2$) to eliminate the remaining error(s), then try verification again.

The number of bits communicated over the classical channel during the verification phase(s) should be taken into account when estimating the information available to Eve. See the remarks following Tables 6–8.

Summary of the Protocol

In the following summary, all communication between Alice and Bob is over the classical channel except for step 1, which uses the quantum channel. It is assumed that Eve can eavesdrop on the classical channel. “Both” means both Alice and Bob, performing identical steps using the same algorithm, and obtaining the same results (except for the block parities computed at step 7). For example, it is crucial that Alice and Bob use the same blocksizes and the same random permutations.

1. Alice sends Bob $n$ bits (where $n$ is a predetermined number) over the quantum channel.
2. Optionally, the following steps can be delayed for as long as Alice and Bob wish (see the remark at the end of §1).
3. Both set $p$ to a predetermined constant.
4. Both initialise their pseudo-random number generator with the same seed (either part of their initially shared information, or communicated on the classical channel after step 1).
5. If $n$ is too small, the process fails (as in step 13).
Otherwise, both apply a pseudo-random permutation to their $n$ bits, as described in §2.
6. Both choose a blocksize $b$ as described in §2, subject to $2 \le b \le n/2$. If necessary, the last block is padded with zeros which will be removed at step 8. (See also the discussion of blocksize selection in the presence of eavesdropping below.)

Footnote: For the sake of efficiency, the logical operations should be performed using full-word operations.
7. Both compute parities of their blocks and exchange these parities. Both then compare parities and identify bad blocks (that is, blocks with an odd number of errors).
8. Both delete zero padding from the last block if it is a good block. Both delete the bad blocks and also delete the first bit of each good block. Let $\hat n$ be the number of bits remaining.
9. Both compute a new estimate $p'$ using equation (3) and the observed block error rate $E_b$ (the number of bad blocks divided by the total number $\lceil n/b \rceil$ of blocks). Both set $p \leftarrow p'$, and $n \leftarrow \hat n$.
10. Both compute an estimated error probability $\tilde p$ for the remaining bits, using equation (2). Both set $p \leftarrow \tilde p$. Both return to step 5 if $p \ge 1/n$, otherwise they continue with step 11.
11. Both perform verification as described in §5. If verification fails, both set $p \leftarrow 1/n$ and return to step 5.
12. Both compute the number $\Delta$ of bits of information that Eve could have obtained (taking into account bits exchanged in the verification step(s)), perform privacy amplification as outlined in §7, and decrease $n$ accordingly.
13. If $n$ is sufficiently large, both consider the process successful, otherwise reset $n$ (perhaps to a larger value than before) and return to step 1.
14. Both retain some of their $n$ bits for future use in authentication and as seeds for their random number generators; the remaining bits are available for use as a one-time pad or for other purposes.
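As an added example (not code from the paper), the following Python implements equations (1)–(5) and steps 5–11 of the summary above and runs them on a constructed noisy channel; it assumes Python's seeded Mersenne Twister as the shared permutation generator, SHA-256 in place of the 64-bit verification hash, and a short final block instead of zero padding. The `simulate()` driver is hypothetical: with $n = 100000$ and $p = 0.25$ it should finish after about five rounds with roughly a tenth of the bits retained, in line with Table 3.

```python
"""Prediction and simulation of the parity-discard reconciliation rounds.

Added example, not the paper's own code: equations (1)-(5) and steps 5-11 of
the protocol summary, run on constructed data. Assumed stand-ins: Python's
seeded Mersenne Twister for the shared permutation generator, SHA-256 for the
64-bit verification hash, and a short last block instead of zero padding."""
import hashlib
import math
import random


def bad_block_prob(p, b):
    """Equation (1): P1 = (G(1) - G(-1))/2 with G(x) = (q + p x)^b, i.e. the
    probability that a block of b bits contains an odd number of errors."""
    return (1 - (1 - 2 * p) ** b) / 2


def residual_error_prob(p, b):
    """Equation (2): p~ = E_u / b, the error probability of the kept bits."""
    t = 1 - 2 * p
    return p * (1 - t ** (b - 1)) / (1 + t ** b)


def reestimate_p(block_error_rate, b):
    """Equation (3): invert (1) to recover p' from the observed rate E_b
    (clamped to [0, 1/2], which yields the cases p' = 0 and p' = 1/2)."""
    e = min(max(block_error_rate, 0.0), 0.5)
    return (1 - (1 - 2 * e) ** (1 / b)) / 2


def entropy(x):
    """Equation (4): binary Shannon entropy H(x) in bits."""
    if x <= 0 or x >= 1:
        return 0.0
    return -(x * math.log2(x) + (1 - x) * math.log2(1 - x))


def information_yield(p, b):
    """Equation (5): J(b) = (1 - P1)(1 - 1/b)(1 - H(p~))."""
    p_tilde = residual_error_prob(p, b)
    return (1 - bad_block_prob(p, b)) * (1 - 1 / b) * (1 - entropy(p_tilde))


def optimal_blocksize(p, n):
    """Blocksize 2 <= b <= n/2 maximising J(b), for p > 0. J(b) falls off once
    b p >> 1, so the search is cut at b ~ 4/p (our own cap, not the paper's)."""
    upper = max(2, min(n // 2, int(4 / p) + 1))
    return max(range(2, upper + 1), key=lambda b: information_yield(p, b))


def digest(bits):
    return hashlib.sha256(bytes(bits)).digest()


def reconcile(alice, bob, p, perm_seed, max_rounds=60):
    """Steps 5-11 of the summary; both parties run identical code and exchange
    only block parities (compared directly here) and the verification hash."""
    rng = random.Random(perm_seed)          # shared pseudo-random permutation source
    for rounds in range(1, max_rounds + 1):
        n = len(alice)
        perm = list(range(n))               # step 5: same permutation on both sides
        rng.shuffle(perm)
        alice = [alice[i] for i in perm]
        bob = [bob[i] for i in perm]
        b = optimal_blocksize(p, n)         # step 6
        kept_a, kept_b, bad = [], [], 0
        for start in range(0, n, b):        # step 7: compare block parities
            blk_a, blk_b = alice[start:start + b], bob[start:start + b]
            if (sum(blk_a) & 1) != (sum(blk_b) & 1):
                bad += 1                    # odd number of errors: whole block dropped
            else:
                kept_a.extend(blk_a[1:])    # step 8: good block loses its first bit
                kept_b.extend(blk_b[1:])
        alice, bob = kept_a, kept_b
        if len(alice) < 64:
            raise RuntimeError("too few bits remain (step 13 failure)")
        p = reestimate_p(bad / math.ceil(n / b), b)   # step 9
        p = residual_error_prob(p, b)                 # step 10
        if p >= 1 / len(alice):
            continue                        # still expect >= 1 error: another round
        if digest(alice) == digest(bob):    # step 11: verification
            return alice, bob, rounds
        p = 1 / len(alice)                  # verification failed: assume one error left
    raise RuntimeError("did not converge")


def simulate(n=100_000, p=0.25, channel_seed=1, perm_seed=2):
    """Constructed experiment: Alice's random bits and Bob's noisy copy, each
    bit flipped independently with probability p."""
    ch = random.Random(channel_seed)
    alice = [ch.getrandbits(1) for _ in range(n)]
    bob = [bit ^ (ch.random() < p) for bit in alice]
    a, bb, rounds = reconcile(alice, bob, p, perm_seed)
    return {"rounds": rounds, "final_n": len(a), "agree": a == bb}
```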
Notes

The seed for the random number generator at step 4 could be derived from a previously shared key if this is not the first run (and similarly for the random bits required for authentication on the classical channel) – see step 14. Note that Eve's chance of cracking the system is negligible unless she can predict the random permutations that are used by Alice and Bob, because without this knowledge the best she could obtain by eavesdropping on both channels would be a random permutation of the final shared key.

In our simulations we found that a good strategy was to send a 64-bit hash with the parity bits at step 7 whenever $p < 1/n$. If their parities agree and the hashes agree, then Alice and Bob assume that their reconciliation has been successful and proceed to step 12.

Privacy Amplification

An important aspect of QKD is privacy amplification, in which the block of bits that Alice and Bob have agreed on is reduced in size to compensate for the information that Eve may have about these bits.

More precisely, after Alice and Bob reach agreement on a block of say $m$ random bits, they need to estimate how many useful bits (say $\Delta$) of information Eve could have gleaned, and reduce the size of their agreed block by $\Delta$ bits using a process such as random subset hashing (or give up if $m - \Delta$ is too small). An upper bound on $\Delta$ depends on the physics of the quantum communication and the observed error rate. For details see [13, Ch. 7].

Conventional cryptography gives security by imposing a time-consuming computational task on Eve. Except in the case of the one-time-pad method, Eve can break the system if she can perform enough computations to do a brute-force search through the key space. In practice, keys are chosen large enough that this is impractical (at present). However, it is difficult to be confident that it will be impractical in the future. For example, the RSA cryptosystem depends on the difficulty of factoring large integers, but this has not been proved to be difficult.
It is quite possible that a practical polynomial-time algorithm for factoring exists (as it does for the related problems of primality testing and factoring polynomials over finite fields). Also, if a quantum computer can be built, then factoring (and other problems of cryptographic interest such as discrete logarithm problems) will be possible in polynomial time.

QKD, on the other hand, does not need to impose any limits on Eve's computational power. It is only assumed that Eve has to obey the laws of physics. By taking advantage of these laws and designing their system correctly, Alice and Bob can detect any significant attempt by Eve to eavesdrop on the quantum communication channel.

Footnote: We distinguish between useful information, which is relevant to the bits that Alice and Bob retain, and useless information, which is only relevant to bits that Alice and Bob have discarded. We can assume that Eve's useful information per bit does not increase when Alice and Bob discard bad blocks (in fact it is more likely to decrease, since eavesdropping tends to increase Bob's error rate).

Footnote: Random subset hashing is similar to the first hashing method described in §5, with $k = m - \Delta$.

Eve's Information

Before performing privacy amplification, Alice and Bob need to estimate (an upper bound on) the amount of information (measured in bits) that Eve could have obtained about their shared secret bit-string. Eve has two possible sources of information – eavesdropping on the quantum channel, and eavesdropping on the classical channel. As mentioned above, we assume that Eve can break any encryption used on the classical channel. In particular, Eve can learn the parities of blocks as they are exchanged by Alice and Bob (step 7 of the summary above). However, since she does not know the seed for Alice and Bob's pseudo-random number generator, she can not predict in advance the random permutations that Alice and Bob apply.

Footnote: This is not an argument for using weak or no encryption on the classical channel. We should make life as difficult as possible for Eve by using strong encryption on the classical channel. Even if Eve can crack this encryption, it should take her a significant amount of time to do so, making it difficult for her to mount a collective attack [10].

Footnote: Apart from human error, physical theft, etc.

Footnote: If she could predict these permutations in advance, Eve could use this information to choose which bits to eavesdrop on the quantum channel. Assume that the initial blocksize is two, as in the example given in Table 4. Suppose that Eve learns one bit from each block of two bits (she can predict which bits will be in each block from knowledge of the first permutation). Then, once she learns the parities of the blocks, she can deduce the values of all the bits that were transmitted over the quantum channel, even though Alice and Bob might think that she only knows 50% of them.

The physics of the quantum channel allows Alice and Bob to give an upper bound on the number of bits $\Delta$ that Eve learns by eavesdropping on the quantum channel. Let $p_e = \Delta/n$, so $p_e$ is the fraction of bits that Eve knows. From the analysis of Bennett et al [1], $\Delta \le p\sqrt{8}\,n$, where $p$ is the error rate observed by Alice and Bob (this can be estimated as in §3).

The protocol used by Alice and Bob ensures that Eve's relevant information $\Delta$ does not increase as a result of Eve eavesdropping on the classical channel. For example, whenever Eve learns the parity of a good block, one bit of that block is discarded. If Eve did not already know that bit, her parity information is useless. If she did know that bit, then she gains parity information about the remaining bits in the block, but in compensation she loses a bit of information about Alice and Bob's (retained) data. In either case, her information (in the sense of Shannon's information theory) does not increase, although the actual information may change.

The fact that Eve's useful information does not increase is sufficient for Alice and Bob's purposes if $p_e$ and $p$ are sufficiently small. For example, consider Table 3 or Table 4, which assume $p = 0.25$ and $n = 10^6$. If $p_e < n_f/n \approx 0.1$ (where $n_f \approx 99642$ is the number of bits remaining after reconciliation), then $n_f > p_e n \ge \Delta$ and Alice and Bob retain an advantage over Eve. However, for $p = 0.25$ the bound of [1] gives $p_e = p\sqrt{8} \approx 0.71$. If $p_e$ is too large for this argument to be useful (for example, if $p_e \ge 0.1$ with $p = 0.25$, see Table 3), Alice and Bob can use a different argument, which we now describe.

We consider two cases. In the first case, which we assume occurs initially, Eve's information is about individual bits. That is, Eve knows about $p_e n$ of the $n$ bits transmitted from Alice to Bob. Eventually (after Alice and Bob have used a blocksize greater than two), Eve may have gained information in the form of nontrivial linear relations (over GF(2)) between bits by eavesdropping on parity information that is exchanged on the classical channel. (Because Alice and Bob discard a bit from each good block, Eve does not gain such information while the blocksize is two.) If Eve gains enough such relations she can solve for the unknown bits (or at least restrict a brute-force search to a low-dimensional space) by performing linear algebra over GF(2). Thus we have to count each linear relation as a bit of information. If Eve is expected to have $n_e$ bits of information about the $n$ bits that have not yet been discarded, then the current value of $p_e$ is $n_e/n$. It is convenient to define $q_e = 1 - p_e$.

Footnote: Here as elsewhere we have ignored the fact that our estimate of Eve's knowledge is statistical rather than deterministic. For safety we should include “five standard deviation” terms. These have been omitted because they are $O(n^{-1/2})$ and we assume that $n$ is large. However, such terms would need to be included in the final analysis.

Case 1: Eve knows only individual bits

Consider the effect of a round with blocksize $b$ in the first case (when Eve knows some individual bits but no nontrivial relations). With probability $q_e$, Eve does not know the first bit in a given block, so the parity information in that block is useless to her (since the first bit will be discarded). Thus, Eve's probability of knowing any of the remaining bits in the block is unchanged. Also, with probability $p_e^b$, Eve already knows all the bits in a given block, so the parity information tells her nothing new.
In the remaining cases, which occur with probability $1 - q_e - p_e^b = p_e - p_e^b$, Eve already knows the first bit but not all bits in the block, and she gains parity information about the remaining bits, that is a linear relation satisfied by these bits. Thus, overall, the effect of one round is to replace $p_e$ by
$$p_e' = p_e + \frac{p_e - p_e^b}{b - 1}. \qquad (6)$$
Since
$$\frac{p_e - p_e^b}{b - 1} = p_e q_e\,\frac{1 + p_e + \cdots + p_e^{b-2}}{b - 1} \le p_e q_e,$$
we have $1 - p_e' = q_e' \ge q_e^2$. Equality holds iff $b = 2$ or $p_e = 0$ or $q_e = 0$.

Case 2: Eve knows nontrivial relations

Because a nontrivial relation involves two or more bits, the argument given for Case 1 does not apply if Eve knows some nontrivial relations. In Case 2, Eve's knowledge might increase by one bit for each parity block. Thus, (6) has to be replaced by
$$p_e' = \min(1,\, p_e + 1/b). \qquad (7)$$
Note that (7) applies whether or not Alice and Bob discard a bit from each good block. However, it seems plausible that Eve's task is made more difficult by such discards.

Footnote: It is plausible that a nontrivial relation is no more use to Eve than knowledge of a single bit, so (6) applies in all cases, but we can not prove this.

Blocksize Selection in the Presence of Eavesdropping

The blocksize selection strategy considered in §4 has to be modified if $p_e$ is large (or equivalently, if $q_e$ is small). Note that no strategy can work if $q_e \le p_e$, because this inequality can be interpreted as saying that Eve's information is better than Bob's (and it will continue to be at least as good if Eve …). We therefore assume $q_e > p_e$. The strategy suggested below should work (in the sense of giving Alice and Bob a significant advantage over Eve) provided there is some slack in this inequality. Our simulations suggest that it works if $q_e/p_e \ge 4$, and in some circumstances (depending on $p_e$ and what we regard as a “significant” advantage) if $1 < q_e/p_e < 4$.

Now consider the choice of $b$. In order to reduce the error rate substantially each round (see equation (2)), Alice and Bob want to choose $b$ significantly smaller than $1/p$. On the other hand, in order not to give Eve too much information in the form of parity bits, they want $b$ significantly larger than $1/q_e$. Since we assume $p < q_e$, we have $1/q_e < 1/p$, and we should choose $b \in (1/q_e, 1/p)$. A reasonable compromise is to take the geometric mean, that is $b = 1/\sqrt{pq_e}$. Of course, we also have to restrict $b$ to be an integer (and at least two).

Simulations indicate that, if $q_e/p_e$ is close to 1, it is best to choose $b = 2$ so that we stay in Case 1 above and can use (6) instead of (7) to update the estimate $p_e$ of Eve's useful information per bit. While $b = 2$, both $p$ and $q_e$ are approximately squared each round, so the ratio $q_e/p$ increases, although both $p$ and $q_e$ decrease. Once $q_e/p$ increases above some threshold, it is possible to use a larger blocksize, even though this means that Case 2 applies in later rounds. A good strategy is to take
$$b = \begin{cases} 2 & \text{if } p > q_e,\\[2pt] \lfloor \max(2,\, 1/\sqrt{pq_e}) \rfloor & \text{otherwise.} \end{cases} \qquad (8)$$

Consider an example with $n = 10^6$, $p = 0.\ldots$, $p_e = 0.25$. The predicted outcome is shown in Table 6. The last column ($n' - \Delta'$) gives Alice and Bob's advantage over Eve. It can be seen that Alice and Bob end up with more than 88,000 bits (out of 211,767 bits) that are unknown to Eve. Since Eve started with knowledge of 250,000 bits, using monotonicity of $\Delta$ would not be sufficient.

Table 7 shows the predicted advantage $n' - \Delta'$ for various $p$ and $p_e$, all for $n = 10^6$. Table 8 shows the predicted advantage for various $p$ and for four values of the ratio $q_e/p$, also for $n = 10^6$. In the table, a dash means that the advantage is smaller than 64. It can be seen that the advantage is always significant if $q_e/p \ge 4$, and can be significant even for $q_e = 2p$.

[Table 6: Prediction for $p = 0.\ldots$, $p_e = 0.25$, $n = 1000000$; columns $p$, $b$, $n$, errors, bad blks, $n'$, $n' - \Delta'$.]

[Table 7: Predicted advantage $n' - \Delta'$ for various $p$ and $p_e$, $n = 1000000$; rows $p_e$, columns $p$.]

[Table 8: Predicted advantage for various $p$ and $q_e/p$, $n = 1000000$; rows $q_e$ as a multiple of $p$, columns $p$.]

The number of bits communicated over the classical channel during the verification phase(s) should be taken into account when estimating the information available to Eve. This would decrease the advantage predicted in Tables 6–8 by about 64 bits (but the change does not scale with $n$).
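As an added example (not the paper's code), the following Python carries the round-by-round prediction of Eve's useful information through equations (6)–(8); it assumes Case 1 until the first round with $b > 2$ has been completed and Case 2 afterwards, stops when the expected number of remaining errors $p\,n$ falls below one, and uses constructed inputs $n = 10^6$, $p = 0.01$, $p_e = 0.25$ rather than the values of Table 6.

```python
"""Round-by-round prediction of Eve's useful information, equations (6)-(8).

Added example, not the paper's own code. p_e is Eve's useful information per
retained bit (known bits, or GF(2) relations counted one bit each). Assumed:
Case 1 (equation (6)) holds until the first round with b > 2 has been
completed, Case 2 (equation (7)) afterwards; rounds stop once the expected
number of remaining errors, p * n, is below one. Inputs are constructed."""


def bad_block_prob(p, b):
    """Equation (1): probability that a b-bit block has an odd number of errors."""
    return (1 - (1 - 2 * p) ** b) / 2


def residual_error_prob(p, b):
    """Equation (2): error probability of the kept bits after the round."""
    t = 1 - 2 * p
    return p * (1 - t ** (b - 1)) / (1 + t ** b)


def eve_update_case1(p_e, b):
    """Equation (6). A good block's parity is new to Eve only when she knows
    its (discarded) first bit but not all b bits, probability p_e - p_e^b;
    the relation she then gains is spread over the b - 1 retained bits."""
    return p_e + (p_e - p_e ** b) / (b - 1)


def eve_update_case2(p_e, b):
    """Equation (7): once Eve holds nontrivial relations, each good block may
    be worth a full bit to her, i.e. 1/b per retained-bit position."""
    return min(1.0, p_e + 1 / b)


def choose_blocksize(p, q_e, n):
    """Equation (8): b = 2 if p > q_e, else floor(max(2, 1/sqrt(p q_e))),
    additionally capped at n/2 as in step 6 of the summary."""
    if p > q_e:
        return 2
    return max(2, min(int(n) // 2, int(max(2.0, 1 / (p * q_e) ** 0.5))))


def predict_advantage(n, p, p_e):
    """Per-round rows (b, n', p, p_e', n' - Delta'). Refuses to start when
    q_e <= p_e, where the paper notes that no strategy can work."""
    q_e = 1 - p_e
    if q_e <= p_e:
        raise ValueError("Eve's information is at least as good as Bob's")
    relations = False                  # True once a round with b > 2 has occurred
    rows = []
    while p * n >= 1:
        b = choose_blocksize(p, q_e, n)
        n = n * (1 - bad_block_prob(p, b)) * (1 - 1 / b)   # discards of this round
        p_e = eve_update_case2(p_e, b) if relations else eve_update_case1(p_e, b)
        relations = relations or b > 2
        p = residual_error_prob(p, b)
        q_e = 1 - p_e
        rows.append({"b": b, "n": round(n), "p": p, "p_e": p_e,
                     "advantage": round(n - p_e * n)})
    return rows


def final_advantage(n, p, p_e):
    """Alice and Bob's predicted advantage n' - Delta' after the last round."""
    rows = predict_advantage(n, p, p_e)
    return rows[-1]["advantage"] if rows else round(n - p_e * n)
```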
Appendix A: Permutation Generators

Alice and Bob should use a good pseudo-random permutation generator such as the Durstenfeld shuffle. This is often called the Knuth shuffle [8, Alg. P], but was first published by Durstenfeld [5]. It is sometimes called the Fisher-Yates shuffle, but this is incorrect because the algorithm proposed by Fisher and Yates, while suitable for hand computation, is inefficient on a computer [6, 16].

It turns out that, at least for large blocksizes, the most expensive part of Alice and Bob's computation is performing random permutations. This is partly due to the fact that the permutation accesses bits at random addresses in a “cache-unfriendly” manner. For the sake of efficiency we use a “cache-friendly” permutation which restricts the distance that bits may move to less than a suitable fraction of the L2 cache size. Since the L2 cache is typically at least 64 KB, this is good enough, although the output is no longer uniformly distributed over all $n!$ possible permutations.

References

[1] Charles H. Bennett, François Bessette, Gilles Brassard, Louis Salvail and John Smolin, Experimental quantum cryptography,
J. Cryptology 5 (1992), 3–28.
[2] Daniel J. Bernstein, The Salsa20 family of stream ciphers, available from http://cr.yp.to/snuffle.html.
[3] Gilles Brassard and Louis Salvail, Secret-key reconciliation by public discussion, Advances in Cryptology – Eurocrypt '93, Lecture Notes in Computer Science 765, 1994, 411–423.
[4] Richard P. Brent, Uses of Randomness in Computation, Technical Report TR-CS-94-06, CSL, ANU, June 1994.
[5] Richard Durstenfeld, Algorithm 235: Random permutation, Comm. ACM 7 (1964), 420.
[6] Ronald A. Fisher and Frank Yates, Statistical Tables for Biological, Agricultural and Medical Research, third edition, Oliver and Boyd, London, 1938, pp. 26–27. (Note: the sixth edition is available on the web, but gives a different shuffling algorithm.)
[7] Jozef Gruska, Quantum Computing, McGraw-Hill, 1999.
[8] Donald E. Knuth, The Art of Computer Programming, Vol. 2, third edition, 1998 (Algorithm P, §3.4.2).
[9] …, in Communications and Cryptography – Two Sides of One Tapestry (edited by R. Blahut et al), Kluwer, 1994, 271–285.
[10] Michael A. Nielsen and Isaac L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, 2000. http://michaelnielsen.org/qcqi/
[11] Michael O. Rabin, Probabilistic algorithms, in Algorithms and Complexity (edited by J. F. Traub), Academic Press, New York, 1976, 21–39.
[12] Claude E. Shannon, A Mathematical Theory of Communication, University of Illinois Press, Urbana, Illinois, 1949 (reprinted 1998). See also http://en.wikipedia.org/wiki/Shannon_limit.
[13] Vikram Sharma, Informatic Techniques for Continuous Variable Quantum Key Distribution, PhD thesis, Australian National University, October 2007.
[14] Richard Taylor, Near optimal unconditionally secure authentication, Proc. Eurocrypt 1994, LNCS 950, Springer-Verlag, 1995, 244–253.
[15] M. N. Wegman and J. L. Carter, New hash functions and their use in authentication and set equality, J. Computer and System Sciences 22 (1981), 265–279.
[16] Wikipedia, Fisher-Yates shuffle, http://en.wikipedia.org/wiki/Knuth_shuffle.
[17] Wikipedia, Hash function, http://en.wikipedia.org/wiki/Hash_function.