阅读说明：本技术 一种用于在量子密钥分发中实现隐私放大的方法及装置 (Method and device for realizing privacy amplification in quantum key distribution ) 是由 马雄峰 黄溢智 于 2021-09-17 设计创作，主要内容包括：本发明实施例提供了一种用于在量子密钥分发中实现隐私放大的方法及装置,量子密钥分发的参与方包括第一参与方和第二参与方,第一参与方和第二参与方拥有共享的第一密钥池,第一密钥池中包括若干密钥,方法在第一和第二参与方中任意一方的终端上执行,该方法包括：获取本轮隐私放大处理所用的辅助字符串,其中,辅助字符串基于从第一密钥池中确定出的种子密钥、以及与另一参与方约定的第一哈希函数而确定；流式获取经过信息协商的第一密钥中的若干第一比特位；对若干第一比特位和所述辅助字符串中对应位置的比特,进行预设的比特间运算操作,得到若干第二比特位,用以形成隐私放大后的第二密钥。(The embodiment of the invention provides a method and a device for realizing privacy amplification in quantum key distribution, wherein participants of the quantum key distribution comprise a first participant and a second participant, the first participant and the second participant have a shared first key pool, the first key pool comprises a plurality of keys, the method is executed on a terminal of any one of the first participant and the second participant, and the method comprises the following steps: acquiring an auxiliary character string used for the privacy amplification processing of the current round, wherein the auxiliary character string is determined based on a seed key determined from a first key pool and a first hash function agreed with another party; the method comprises the steps that a plurality of first bits in a first key subjected to information negotiation are obtained in a streaming mode; and carrying out preset inter-bit operation on the plurality of first bits and bits at corresponding positions in the auxiliary character string to obtain a plurality of second bits for forming a second secret key after privacy amplification.)

1. A method for privacy amplification in quantum key distribution, the participants of the quantum key distribution including a first participant and a second participant, the first and second participants possessing a shared first key pool, the first key pool including a number of keys, the method being performed on a terminal of either of the first and second participants, the method comprising:

determining an auxiliary character string used for the privacy amplification processing of the current round based on the seed key determined from the first key pool and a first hash function agreed with another party;

the method comprises the steps that a plurality of first bits in a first key subjected to information negotiation are obtained in a streaming mode;

and carrying out preset inter-bit operation on the plurality of first bits and bits at corresponding positions in the auxiliary character string to obtain a plurality of second bits for forming a second secret key after privacy amplification.

2. The method of claim 1, wherein determining an auxiliary string for the current round of privacy amplification processing comprises:

determining a seed key from the first key pool, wherein the length of the seed key is determined according to the number of non-secure bits in the first key;

and applying the first hash function to the seed key to obtain the auxiliary character string, wherein the length of the auxiliary character string is equal to that of the first key.

3. The method of claim 1, wherein the first and second parties also own a shared library of hash functions;

the first hash function agreed with the other participant comprises a first hash function determined in advance from the hash function library.

4. The method of claim 1, wherein the predetermined inter-bit arithmetic operation is an exclusive or operation.

5. The method of claim 2, wherein the number of unsecure bits in the first key is determined based on quantum operations in the quantum key distribution.

6. The method of claim 2, wherein determining the seed key from the first key pool comprises:

and determining the seed key from the first key pool according to the corresponding information of the seed key, which is published by the other participant.

7. The method of claim 2, wherein after determining the seed key from the first key pool, further comprising:

and publishing the corresponding information of the seed key to the other participant.

8. The method as claimed in claim 2, wherein the first hash function agreed with the other participant is implemented based on a hash matrix obtained by:

determining an auxiliary key from the first key pool, and generating a hash matrix based on the auxiliary key and an agreed error correcting code, wherein the dimension of the hash matrix is k × n, n is the length of the first key, and k is the number of non-secure bits contained in the first key;

the applying the first hash function to the seed key to obtain an auxiliary character string includes:

converting the seed key into a first row vector;

and right-multiplying the hash matrix by the first row vector to obtain a second row vector, and converting the second row vector into the auxiliary character string.

9. The method of claim 1, further comprising,

the second key is saved to the first key pool.

10. The method of claim 1, wherein the first and second parties have a shared first key pool, including the first and second parties respectively having local backups of the first key pool;

the determining the seed key from the first key pool includes determining the seed key from a local backup of the first key pool.

11. An apparatus for privacy amplification in quantum key distribution, the participants of the quantum key distribution including a first participant and a second participant, the first and second participants possessing a shared first key pool, the first key pool including a number of keys, the apparatus being implemented on a terminal of any one of the first and second participants, the apparatus comprising:

an auxiliary character string determining unit, configured to determine an auxiliary character string used in the privacy amplification processing of the current round based on the seed key determined from the first key pool and a first hash function agreed with another party;

the key acquisition unit is configured to acquire a plurality of first bits in a first key subjected to information negotiation in a streaming mode;

and the privacy amplification unit is configured to perform preset inter-bit operation on the plurality of first bits and bits at corresponding positions in the auxiliary character string to obtain a plurality of second bits, so as to form a second key after privacy amplification.

12. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-10.

13. A computing device comprising a memory having executable code stored therein and a processor that, when executing the executable code, implements the method of any of claims 1-10.

Technical Field

The present invention relates to the field of quantum communication, and in particular, to a method and an apparatus for implementing privacy amplification in quantum key distribution.

Background

Quantum Key Distribution (QKD) is a technique for ensuring communication security by using Quantum mechanical characteristics, so that both parties in communication can generate and share a random and secure Key to encrypt and decrypt messages, and has wide application in fields such as practical cryptography, information security, national defense and various secure communication environments. The Quantum key distribution process can be divided into two parts, namely Quantum Operation (Quantum Operation) and Post Processing (Post Processing). The data post-processing can be divided into two parts, namely Information negotiation (Information reconstruction) and privacy amplification (privacy amplification). The former is mainly used to ensure that the keys held by the users are the same, i.e. the keys are consistent. The latter is mainly used to make key information unavailable to a potential eavesdropper, i.e. to ensure the security of the key.

The current common privacy amplification scheme is to select a matrix which is paired with an error correction code and act on a key string after information negotiation, and obtain a final key in the information theory security meaning by a method of shortening the key string. However, such a scheme usually requires a long enough input key string to be accumulated before a process can be performed, and in many scenarios, such as satellite-based quantum key distribution, such a privacy amplification scheme has the problems of inefficiency and impracticality, and also has the problem of error diffusion during the process.

Therefore, a new privacy amplification scheme is needed.

Disclosure of Invention

The embodiment of the invention provides a method and a device for realizing privacy amplification in quantum key distribution. By using the method, the initial key can be received and processed bit by bit in the privacy amplification process, so that the initial key can be processed without accumulating an input key string with a long enough length, and the time efficiency of the processing is improved. Meanwhile, the method also solves the problem that error bit diffusion occurs in the privacy amplification process in the existing scheme.

In order to solve the above technical problems, in one aspect, the present invention provides a method for implementing privacy amplification in quantum key distribution, where participants of the quantum key distribution include a first participant and a second participant, the first participant and the second participant have a shared first key pool, the first key pool includes a plurality of keys, and the method is performed on a terminal of any one of the first participant and the second participant, and the method includes:

determining an auxiliary character string used for the privacy amplification processing of the current round based on the seed key determined from the first key pool and a first hash function agreed with another party;

the method comprises the steps that a plurality of first bits in a first key subjected to information negotiation are obtained in a streaming mode;

and carrying out preset inter-bit operation on the plurality of first bits and bits at corresponding positions in the auxiliary character string to obtain a plurality of second bits for forming a second secret key after privacy amplification.

Preferably, determining the auxiliary character string used in the current round of privacy amplification processing includes:

determining a seed key from the first key pool, wherein the length of the seed key is determined according to the number of non-secure bits in the first key;

and applying the first hash function to the seed key to obtain the auxiliary character string, wherein the length of the auxiliary character string is equal to that of the first key.

Preferably, the first and second parties also have a shared library of hash functions;

the first hash function agreed with the other participant comprises a first hash function determined in advance from the hash function library.

Preferably, the predetermined inter-bit operation is an exclusive or operation.

Preferably, the number of non-secure bits in the first key is determined based on quantum operations in said quantum key distribution.

Preferably, determining the seed key from the first key pool comprises:

and determining the seed key from the first key pool according to the corresponding information of the seed key, which is published by the other participant.

Preferably, after determining the seed key from the first key pool, the method further includes:

and publishing the corresponding information of the seed key to the other participant.

Preferably, the first hash function agreed with the other participant is implemented based on a hash matrix, and the hash matrix is obtained through the following processes:

determining an auxiliary key from the first key pool, and generating a hash matrix based on the auxiliary key and an agreed error correcting code, wherein the dimension of the hash matrix is k × n, n is the length of the first key, and k is the number of non-secure bits contained in the first key;

the applying the first hash function to the seed key to obtain an auxiliary character string includes:

converting the seed key into a first row vector;

and right-multiplying the hash matrix by the first row vector to obtain a second row vector, and converting the second row vector into the auxiliary character string.

Preferably, the method further comprises the step of,

the second key is saved to the first key pool.

Preferably, the first and second parties have a shared first key pool, including the first and second parties respectively having local backups of the first key pool;

the determining the seed key from the first key pool includes determining the seed key from a local backup of the first key pool.

In a second aspect, an apparatus for privacy amplification in quantum key distribution is provided, where participants of the quantum key distribution include a first participant and a second participant, the first participant and the second participant have a shared first key pool, the first key pool includes a plurality of keys, and the apparatus is implemented on a terminal of any one of the first and second participants, the apparatus including:

an auxiliary character string determining unit, configured to determine an auxiliary character string used in the privacy amplification processing of the current round based on the seed key determined from the first key pool and a first hash function agreed with another party;

the key acquisition unit is configured to acquire a plurality of first bits in a first key subjected to information negotiation in a streaming mode;

and the privacy amplification unit is configured to perform preset inter-bit operation on the plurality of first bits and bits at corresponding positions in the auxiliary character string to obtain a plurality of second bits, so as to form a second key after privacy amplification.

In a third aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.

In a fourth aspect, a computing device is provided, which includes a memory and a processor, wherein the memory stores executable code, and the processor executes the executable code to implement the method of the first aspect.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.

Fig. 1 is a schematic diagram of a conventional method for implementing privacy amplification in quantum key distribution according to an embodiment of the present invention;

fig. 2 is a schematic diagram illustrating a method for implementing privacy amplification in quantum key distribution according to an embodiment of the present invention;

fig. 3 is a flowchart of a method for implementing privacy amplification in quantum key distribution according to an embodiment of the present invention;

fig. 4 is a flowchart of a method for privacy amplification in quantum key distribution according to another embodiment of the present invention;

fig. 5 is a block diagram of an apparatus for implementing privacy amplification in quantum key distribution according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

To facilitate explanation of the spirit and underlying principles of the invention. The following is a summary description of the privacy amplification scheme and the problems thereof in the conventional quantum key distribution.

The Quantum Key Distribution (QKD) process can be generally divided into Quantum operation and data post-processing stages. In the quantum operation phase, for example, two parties (or users, such as Alice and Bob) distribute quantum states between the two parties through a physical method, and measure the quantum states to obtain an initial key. The quantum states may be distributed and measured in different specific ways according to different QKD protocols. However, the initial keys held by Alice and Bob may have the following problems: first, the initial key held by the two is not exactly the same during the distribution of the quantum state and the measurement, for example, due to the use of an instrument that is not perfectly accurate or affected by environmental noise. Second, the initial key is not completely secret, since an eavesdropper (e.g., Eve) may exist during the quantum operation, which may obtain the information of the key through illegal means.

Therefore, each participant needs to perform data post-processing to obtain a consistent and confidential final key, and this stage can be generally divided into two parts, namely Information negotiation (Information reconstruction) and Privacy Amplification (Privacy Amplification). The information negotiation is similar to the classical error correction process, and some existing keys shared among all the participants (or randomness shared among users) are consumed in the process, so that initial keys in the hands of Alice and Bob become completely the same; the privacy amplification is to remove information that may be known to an eavesdropper from the initial key so that the final key is completely secret to people other than the participating parties (or the final key is a key that is information-theoretic secure).

The basic process of the privacy amplification scheme widely used at present is as follows: first, after information negotiation, both parties hash their coordinated key strings using an agreed hash function (e.g., Alice randomly selects one and sends it to Bob over a public classical channel) and obtain the final key. In practice, a hash function implemented based on a Toeplitz matrix is widely adopted. Fig. 1 is a schematic diagram illustrating a conventional method for implementing privacy amplification in quantum key distribution. For example, two parties may estimate the proportion of information h (e) in the initial key that may be compromised_p) And then obtaining the number k of bits which may be leaked in the initial key (which may be according to nh (e))_p) N is the length of the initial key), and based on the ratio, selecting an error correcting code to obtain a corresponding hash matrix, wherein the row-column ratio of the hash matrix is (n: k). Then, a dual matrix of the hash matrix is selected as a privacy amplification matrix M' (the row-column ratio is n: n-k). Then, the initial key after information negotiation is continuously received until the whole initial key with the length of n is received(symbol)The vector is represented by a vector of values,a vectorized representation of the initial key). Finally, the privacy amplification matrix is acted on the accumulated initial key through matrix multiplication to obtain a final key with the length of n-k

The existing scheme has the following problems in practical use: first, in this scheme, in order to improve the ratio of the final key to the initial key, i.e. to ensure the efficiency of privacy amplification, it is usually necessary to accumulate a sufficient number of initial keys subjected to information negotiation to perform privacy amplification once, for example, on the order of megabits. In a scene that the initial key acquisition speed is slow or the acquisition condition is unstable, the waiting time for obtaining the final key is long. For example, in a satellite-based quantum key distribution protocol, since quantum signals can only be transmitted when a ground station can 'see' a satellite with clear atmosphere, multiple orbits of the satellite may be required to accumulate enough data for one privacy amplification. However, such delays can be as long as several days due to the often unpredictable nature of atmospheric conditions. Second, during the initial key accumulation, a large amount of time is not available for effective operation, and the time is inefficient to use. Third, as mentioned above, a sufficient number of initial keys that have undergone information negotiation need to be accumulated to perform a privacy amplification. Similarly, the privacy amplification matrix used for performing privacy amplification once is quite huge. It is technically difficult to efficiently input such a large amount of data into a calculation module and perform calculations. Fourthly, the process of information negotiation has a certain failure probability, that is, the original keys of the two parties subjected to information negotiation are not completely the same, an error occurs, and the user is difficult to know the position of the error. Because the length m of the original key processed by the information negotiation at one time is shorter, so that m is less than n, namely, the result of the information negotiation of multiple rounds can be processed by one round of privacy amplification. If an error occurs in the result of one round of information negotiation, the privacy amplification matrix acts on all n bits and the linear property of the privacy amplification matrix in calculation, so that the error is spread to all n × k bits of the output, and the number of errors is greatly increased compared with that before the privacy amplification.

In view of the above problems, embodiments of the present specification provide a new privacy amplification scheme. According to the scheme, on the premise of not additionally increasing the computational complexity, the bit of a safe final key can be output every time a bit of the key subjected to information negotiation is received by consuming the sharing randomness among users. Since the output of its final key can be made bit by bit, that is, the output is a stream (stream), this scheme is also referred to as a privacy amplification scheme of stream output in this specification. The scheme can effectively solve the problems existing in the existing privacy amplification scheme. Fig. 2 is a schematic diagram illustrating a principle of a method for implementing privacy amplification in quantum key distribution according to an embodiment of the present invention. As shown in fig. 2, the privacy amplification scheme for streaming output is based on an existing pool of shared keys, some of which have been distributed in advance among the users. Note that the key pool is a shared resource used in many cryptographic protocols, including information negotiation. Thus, in a practical production scenario, the key pool is often an existing resource, not an extra required resource.

First, in a scenario where a round of privacy amplification processing will process an initial key of, for example, n bits, each participant may take out a certain amount of keys from a key pool, and generate the same hash matrix M based on the same error correction code, where the size of the hash matrix is k × n (k is the number of bits that may be leaked out in the initial key, and may be determined based on the previous quantum operation process). Each column of the hash matrix can be considered as a string (column vector) of {0, 1}, and thus, the hash matrix can be represented, for example, asWherein the content of the first and second substances,for each column vector it contains. In various embodiments, the key consumption to generate the hash matrix may be determined based on the particular error correction code.

Each participant may then take another k bits of seed key from the shared key pool, which may be expressed asWherein s is₁...s_kFor each bit contained in the seed key. Then right multiply M toOn (as a row vector), an auxiliary string of length n is obtained Wherein

Finally, each participant may stream the initial key negotiated through the information, e.g., as indicated byWherein d is₁...d_nThe bits contained in the initial key. Obtaining a privacy amplified final key of length n by an exclusive-or operation, for example, between the initial key and the helper stringWherein For exclusive or operations (or modulo-2 addition), the final key is completely secret or information-theoretic secure to third parties other than the parties involved.

The privacy amplification by the method has the advantages that: on one hand, the initial key can be obtained in a streaming mode, the obtained partial initial key can be processed immediately, and a final key is obtained by combining the processing results of all parts. Therefore, the initial key does not need to be accumulated in the privacy amplification process, and the time efficiency of processing is improved. On the other hand, in the privacy amplification process, the error bits in the initial key only affect the corresponding bits in the final key, but do not affect other bits in the final key, or do not cause error diffusion.

Fig. 3 is a flowchart of a method for implementing privacy amplification in quantum key distribution according to an embodiment of the present invention. The method is executed on a terminal of any one of the first and second participants, as shown in fig. 4, and includes at least the following steps:

step 31, determining an auxiliary character string used for the privacy amplification processing of the current round;

step 32, obtaining a plurality of first bits in the first key after information negotiation in a streaming manner;

and step 33, performing preset inter-bit operation on the plurality of first bits and the bits at the corresponding positions in the auxiliary character string to obtain a plurality of second bits for forming a second secret key after privacy amplification.

First, in step 31, an auxiliary character string used in the current round of privacy amplification processing is determined based on a seed key determined from a first key pool and a first hash function agreed with another party.

In this step, since the first keystore is shared by the participants and the first hash function is agreed upon by the participants, the seed key and the first hash function are known by the participants but not by third parties other than the participants. Furthermore, each participant terminal can obtain the same auxiliary character string according to the same seed key and the first hash function.

The participant terminal is not intended to refer to a participant terminal device, such as a workstation, but may be any computing device used by a participant to perform computing processing, including but not limited to servers, workstations, minicomputers, mobile processing terminals, and the like, or may be a coordinated operation of multiple computing devices of the participant. Since the process of quantum key distribution may include a quantum operation part and a post-processing part, in some embodiments, the terminal of the participant may also include a quantum classical hybrid server including a quantum processor by which the quantum operation part may be executed and a classical processor by which the post-processing part may be executed, that is, the privacy amplification part may be executed.

In different embodiments, the manner in which the helper strings are obtained may vary. This is not limited by the present description. For example, in one embodiment, the helper string may be obtained by: determining a seed key from a first key bank, wherein the length of the seed key is determined according to the number of non-secure bits in the first key; and applying a first hash function agreed with another party to the seed key to obtain an auxiliary character string, wherein the length of the auxiliary character string is equal to that of the first key.

As mentioned above, the whole quantum key distribution process generally includes a quantum operation process and a data post-processing process, and the data post-processing process includes information negotiation and privacy amplification. According to one embodiment, the length of the first key (i.e. the number of all bits that the first key comprises) and the number of non-secure bits therein (i.e. the number of bits that can be eavesdropped) processed by the round of privacy amplification may be determined during the quantum operation of the quantum key distribution between the participants. Therefore, in a specific embodiment, the number of non-secure bits in the first key may also be determined based on quantum operations in the quantum key distribution.

In different embodiments, the first key pool may have different ways of sharing. For example, in one embodiment, each participant may separately own a local backup of the first key pool. Further, each participant may determine a seed key from a local backup of the first key pool.

In different embodiments, the manner of and the first hash function agreed upon may be different. This is not limited by the present description. For example, in one embodiment, each participant may also have a shared library of hash functions; a first hash function may be determined in advance from the library of hash functions.

In another embodiment, the first hash function may be implemented based on a hash matrix, which may be obtained by: determining an auxiliary key from the first key base, and generating a hash matrix based on the auxiliary key and an agreed error correcting code, wherein the dimension of the hash matrix is k × n, n is the length of the first key, and k is the number of non-secure bits included in the first key. In different embodiments, different error correction codes may be used, which is not limited in this description. In this embodiment, the specific way of using the hash matrix is as follows: converting the seed key into a first row vector; and right-multiplying the hash matrix by the first row vector to obtain a second row vector, and converting the second row vector into the auxiliary character string.

From the above embodiments, it can be seen that the hash matrix can be generated according to an error correction code, the number of non-secure bits, and the length of the initial key. In actual production, parameters such as error correction codes, the number of non-secure bits, etc. may be determined based on the actual quantum system. Due to the fact that quantum systems in actual production have certain stability, the parameters can not be changed in the multiple rounds of privacy amplification processes. Thus, in some embodiments, the same hash matrix may be used in multiple rounds of privacy amplification. In other cases, actual quantum systems, vary to some extent between runs of privacy amplification. Thus, in further embodiments, these parameters may also be determined based on the worst case of the actual system (e.g., the hash matrix may be generated based on the maximum possible number of non-secure bits), which may also allow the generated hash matrix to be used in multiple rounds of privacy amplification.

In various embodiments, the first hash function may be implemented in software and hardware. For example, in one embodiment, the first hash function may be implemented by a hash circuit shared by the participants in advance.

Then, in step 32, a number of first bits in the first information negotiated key are streamed.

In this step, the first key is the key processed by the privacy amplification of the current round. As mentioned above, after the quantum operation phase of quantum key distribution is completed, information negotiation and privacy amplification are usually required, where the information negotiation is a way of key Error Correction (Error Correction) to ensure consistency of keys commonly owned by each participant of key distribution. The process of information negotiation is often done on a common channel basis, due to eavesdropping by third parties other than the parties that may be key distributed. Privacy amplification is a method to reduce or remove portions of key information that are eavesdropped by third parties. The partial key information may be intercepted during the transmission of the key in the quantum operation stage or may be acquired later through information coordination of a public channel. Thus, privacy amplification is typically performed after information negotiation, that is, the first key is typically obtained by the first party and the second party through information negotiation.

The first bit may be any bit in the first key. In this step, based on the form of the bit Stream (Stream), a plurality of bits in the first key are obtained, and then the plurality of bits can be processed in the subsequent step, and subsequent processing can be performed without waiting for the completion of the reception of the entire first key.

Finally, in step 33, a predetermined inter-bit operation is performed on the first bits and the bits at the corresponding positions in the auxiliary character string to obtain second bits for forming a privacy-amplified second key.

In this step, a bit operation, such as an exclusive or operation, may be performed on a plurality of bits (first bits) in the first key received in step 32 and corresponding bits in the auxiliary character string to obtain a plurality of new second bits. Further, second bits obtained from all first bits of the first key may be combined to form a final key (second key) after privacy amplification.

It should be noted that, for better security, it is desirable to make the ratio of the number of bits of the second key with values of '0' and '1' converge to 1: 1. therefore, in one embodiment, the predetermined inter-bit arithmetic operation may preferably be an exclusive or operation. In another embodiment, the predetermined inter-bit arithmetic operation may also preferably be an exclusive nor operation. The reason for this is that when the input bits of the bit operation exhibit an even distribution, for example, an exclusive or operation or an exclusive or operation is performed, the distribution of '0' and '1' in the obtained output result tends to be 1: 1.

in various embodiments, the number of bits may be one or more bits. The predetermined inter-bit operation may also be a bit operation agreed among the participants. For example, in one embodiment, each participant has agreed on a first operation that may generate a two-bit output from two-bit inputs, essentially by xoring two bits of, for example, the first key after swapping their positions with, for example, two bits of the helper string, resulting in two bits of the output. Table 1 shows the correspondence of the input and output of the first operation.

TABLE 1 input and output of first operation

In other embodiments, each participant may also have, for example, a second operation, which may be applied to pairs of three or more bits, and the essence of this operation may be, for example, selecting one of two input bit strings, exchanging the positions of the bits, and performing bitwise xor with the other to obtain an output result. In different examples, the switching rules of the bit positions may also be agreed in advance by the participants. For example, as a result of bit position swapping a three-bit string denoted as 'a 1a2a 3', for example, the three-bit string may be 'a 1a3a 2' or 'a 2a3a 1' that is agreed in advance in different examples.

In one embodiment, after obtaining the final key, the final key (second key) may also be saved to a key pool shared by the participants, i.e., the first key pool.

Fig. 4 is a flowchart of a method for implementing privacy amplification in quantum key distribution according to another embodiment of the present invention. In the embodiment shown in fig. 4, one of the parties may also publish corresponding information of the seed key to the other party after determining the seed key from the first key store, for example, the location of the determined seed key in the shared key store. And after receiving the correspondence of the seed key, the other participants can determine the seed key from the first key bank according to the correspondence information of the seed key. Therefore, each participant can obtain the same auxiliary character string and further obtain the same final key respectively according to the same seed key. As shown in fig. 4, after extracting the seed key from its local key pool (step 41), the terminal, for example, Alice, sends the location of the seed key in the key pool to the terminal, for example, Bob, through the public channel (step 43), so that Bob can obtain the same seed key from its local key pool according to the location information (step 44). Then, the terminals of the Alice side and the Bob side respectively obtain the helper strings according to the seed keys obtained by the terminals (at step 45 and step 46, respectively). Finally, when the terminals of the Alice and Bob parties acquire the first key (step 47, which may correspond to step 31 in fig. 3), a predetermined bit operation, such as an exclusive-or operation, may be performed on the first key and the auxiliary string, respectively, to obtain a final key (step 49 and step 48, respectively).

In summary, the privacy amplification method provided by the embodiments of the present specification has the following advantages: firstly, the operation can be carried out according to the initial key obtained in the streaming mode, and the corresponding output result is obtained, so that the streaming output effect is achieved, and the data of the initial key does not need to be accumulated. Secondly, the process of acquiring the auxiliary character string is irrelevant to the acquisition of the initial key, and the auxiliary character string can be independently calculated, for example, in the scene of QKD based on satellite and the like, the idle time which cannot be communicated can be used for calculation in advance, and the utilization efficiency in time is greatly improved. Thirdly, the granularity of each processing is one bit in the initial key, so that any initial bit has an error, and in the output final key, only the bit corresponding to the initial bit with the error has the error, and other bits are not affected.

According to an embodiment of yet another aspect, an apparatus for privacy amplification in quantum key distribution is provided. Fig. 5 is a block diagram of an apparatus for implementing privacy amplification in quantum key distribution according to an embodiment of the present invention, where participants of the quantum key distribution include a first participant and a second participant, the first participant and the second participant have a shared first key pool, the first key pool includes a plurality of keys, and the apparatus is implemented on a terminal of any one of the first and second participants, as shown in fig. 5, where the apparatus 500 includes:

an auxiliary character string determination unit 51 configured to determine an auxiliary character string used for the current privacy amplification processing based on the seed key determined from the first key pool and a first hash function agreed with another party;

a key obtaining unit 52 configured to obtain, in a streaming manner, a number of first bits in the first key subjected to the information negotiation;

the privacy amplification unit 53 is configured to perform a preset inter-bit operation on the plurality of first bits and bits at corresponding positions in the auxiliary character string to obtain a plurality of second bits, so as to form a privacy amplified second key.

According to an embodiment of yet another aspect, there is also provided a computer readable medium comprising a computer program stored thereon, which computer when executed performs the method described above.

According to an embodiment of another aspect, there is also provided a computing device including a memory and a processor, the memory having stored therein executable code, the processor implementing the above method when executing the executable code.

The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.

Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, a software module executed by a processor, or a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.