Multi-Matrix Post-Processing for Quantum Key Distribution

Post-processing is a significant step in quantum key distribution(QKD), which is used for correcting the quantum-channel noise errors and distilling identical corrected keys between two distant legitimate parties. Efficient error reconciliation protocol, which can lead to an increase in the secure key generation rate, is one of the main performance indicators of QKD setups. In this paper, we propose a multi-low-density parity-check codes based reconciliation scheme, which can provide remarkable perspectives for highly efficient information reconciliation. With testing our approach through data simulation, we show that the proposed scheme combining multi-syndrome-based error rate estimation allows a more accurate estimation about the error rate as compared with random sampling and single-syndrome estimation techniques before the error correction, as well as a significant increase in the efficiency of the procedure without compromising security and sacrificing reconciliation efficiency.


INTRODUCTION
Quantum Key Distribution (QKD) is a class of protocols where the two separated users, Alice and Bob, can share identical secret keys which are secure from the eavesdropper (Eve) [1].Since it provides unconditional security guaranteed by laws of quantum mechanics [2], QKD has attracted wide attention and many advanced works have been published over recent years [3][4][5][6].Generally, a QKD protocol can be divided into quantum and classical parts.In the former part, Alice generates and transmits a set of raw key through the quantum channel.Due to Eve's attacks [7], channel noise, and device imperfection [8][9][10], the keys are weakly correlated and partially secure, and Eve may obtain some information about the keys.The classical part, also known as postprocessing, is used to correct the errors, and to remove information leakage.
Post-processing consists of base sifting [7], error estimation [6,11,12], key reconciliation [13] and privacy amplification [14,15].During base sifting, the bits measured with correct measurement bases in the raw key are kept and constitute the sifted key.Subsequently, Bob uses a key reconciliation algorithm to correct the errors in the sifted key based on the estimated error rate.Finally, Alice and Bob implement privacy amplification to remove information leakage and obtain the final key, which is secure from Eve.
In error estimation, the accuracy of the estimated quantum bit error rate(QBER) effects the operational efficiency of post-processing.If the actual QBER for a given block is larger than the estimate, Bob might end up with a wrong final key.A common method to obtain the QBER for legitimate users is to exchange and compare random sampled sifted key, which can lower the key generation rate due to disclosed bits.Recently, Kiktenko etal [12] proposed a distinct approach based on the use of syndromes of low-density parity-check (LDPC) codes to obtain the QBER for each block of the sifted key, allowing more accurate estimation.The suggested algorithm is also suitable for irregular LDPC codes.
In parallel, key reconciliation is the most crucial step of post-processing, which is responsible for correcting the errors in Bob's sifted key, in such a way that it ensures consistency between Alice's and Bob's sifted keys.Belief Propagation (BP) [13] is the most widely used key reconciliation algorithm, and has attracted intensive study [16][17][18][19][20][21][22][23][24].There are three criteria for judging a key reconciliation algorithm, namely, convergence speed, bit error rate (BER) and success rate.However, it is hard to meet the three criteria at the same time, which often appears if the syndrome decoding, based on an iterative BP algorithm, fails to converge within the predefined number of iterations (e.g., it could be caused by an inappropriate choice of the LDPC parity-matrices relative to the actual errors in raw keys).This makes key reconciliation the bottleneck of QKD and severely affects the key generation rate for industrial QKD systems.
In this paper, we extend the blind information reconciliation [25] to multiple LDPC codes and estimate the QBER more accurately by virtue of multiple syndromes without disclosing redundant bits.Experimental results show that a significant increase in the efficiency of the procedure, i.e. faster convergence speed with higher success rate.To prevent extra information leakage in our post-processing scheme, we also give a multiple LDPC codes construction method.Security analysis shows that our key reconciliation scheme does not reveal extra information.
The rest of the paper is organized as follows: in Section II, a briefly review of error estimation and key reconciliation is given, followed by a detail description of the process and advantages of our scheme.Section III provides the novel multi-matrix post-processing approach for error estimation and correction.In Section IV a set of data simulation are carried out to fully evaluate these advantages.The proposed construction method of multiple matrices and the security analysis of the proposed scheme are given in the appendix.

PRELIMINARIES
In this section, we will first review error estimation and reconciliation.Other parts of post-processing can be referred to [7,14,15].

Error Estimation
We assume that Alice and Bob possess random sifted keys of equal length, and Bob needs to estimate the error rate e of the sifted keys before executing key reconciliation, since e is an important input parameter of reconciliation algorithms.The estimation accuracy of e directly effects the operational efficiency of post-processing.If e is overestimated, Alice will place superfluous information on her syndrome, i.e., more leakage needed to be removed during privacy amplification, leading to relatively low key generation rate.On the contrary, if e is underestimated, less information is provided, so Bob spends more time to correct errors during key reconciliation or even end up with wrong final key.
Error estimation can be executed in the several ways.The most well-known method is the random sampling [6].But its drawback is that if Alice and Bob want to estimate more accurate error rate, they inevitably sacrifice key bits.To solve this problem, P.Treeviriyanupab et al. proposed a new method [11].In this protocol, Alice and Bob use their syndromes ) as input to calculate the maximum likelihood estimation of error rate.Syndromes are generated from a kind of data structure, LDPC code [26], which can be presented by a m × n matrix or a Tanner Graph (TG) [27].In Fig. 1 (a), an example of binary LDPC matrix H m×n is given.The variable nodes v i (i ∈ {1, • • • , n}) (blue circles ) and check nodes c j (j ∈ {1, • • • , m}) (yellow squares) represent bits of key and parity-check equations, respectively [26].TG corresponding to this matrix is shown in Fig. 1 (b).An edge connecting a variable node and a check node indicates that the variable node participates in the parity-check equation.In a LDPC code, the degree of a variable node (or check node) is the number of check nodes (or variable nodes) connected to it.The syndromes, z A (or z B ), are simply obtained by multiplying a LDPC matrix and Alice's (or Bob's) sifted key.But the method [11] is applicable only to regular LDPC code, in which all of the variable nodes have the same degrees and so does all check nodes.So Kiktenko et al. extend the scope of application [12] (hereinafter referred to as the single-syndrome error estimation), which is also suitable for irregular LDPC code.

Key Reconciliation
BP [13], also known as the Sum Product (SP) algorithm, can be used for error-correction.Due to its relatively high decoding efficiency and low executing complexity, BP has been widely adopted in QKD to correct the key errors caused by Eve's attacks, channel noise, etc.
In QKD, if Bob uses BP to correct his sifted key y T = [y 1 , . . ., y n ], he first needs to initializes P b i (b ∈ {0, 1}), v i and variable-to-check (V2C) information L vi→cj as follows, P 0 i = 1 − e, P 1 i = e y i = 0 where ) is the prior probability of the candidate value b of v i , e is the result of error estimation, L Pi represents the log likelihood ratio of P b i .Secondly, as shown in Fig. 2 (a), he generates and propagates check-to-variable (C2V) information L cj →vi by where z denotes the Alice's syndrome [28], which is the product of H m×n and Alice's sifted key, tanh() is the hyperbolic tangent function, tanh −1 () is the inverse function of tanh(), v i ∈ N (c j )\i represents the set of adjacent variable nodes of check nodes c j except v i , sign() is a sign function defined as follows: Thirdly, as plotted in Fig. 2 (b), Bob updates and propagates V2C information by substituting the generated C2V information into the following equation.
where, c j ∈ N (v i )\j represents the set of adjacent check nodes of v i except c j .All of L cj →vi and L vi→cj contain information of posterior probabilities of v i .Finally, he calculates the soft-decision value of every variable node v i as follows, then performs the decoding decision on every variable node according to the following equation, Bob iterates the last three steps until the decoding is successful (i.e., the equation z = H m×n • y is satisfied) or the number of iterations reaches the pre-set upper limit.
In each iteration, BP can use different scheduling strategies, which can be divided into three categories [29]: Flooding, Shuffled, and Layer.Flooding first goes through all the check nodes and generates C2V information, then traverses all the variable nodes and updates V2C information.Shuffled uses variable nodes as the traversal sequence, sequentially updates C2V and V2C information between variable nodes and their adjacent check nodes.Layer, on the contrary, uses check nodes as the traversal sequence, sequentially updates C2V and V2C information between check nodes and their adjacent variable nodes.In practical applications, BP, Shuffled Belief Propagation (SBP) [17], and Layer Belief Propagation (LBP) [18,19] are the typical representatives of the above three scheduling strategies.For convenience, the algorithms based on single matrix are hereinafter referred to as the single-matrix reconciliation.

MULTI-MATRIX POST-PROCESSING
In this section, we propose a post-processing scheme where users estimate error rate with multiple syndromes and correct errors with multiple matrices (hereinafter referred to as the multi-matrix post-processing).In the multi-matrix post-processing, base sifting and privacy amplification are the same as the original postprocessing (hereinafter referred to as the single-matrix post-processing).Here we introduce only error estimation and key reconciliation in the frame of multiple syndromes.

Multi-syndrome Error Estimation
Each bit of a syndrome represents the relationship of the parity-check equation and the key.By comparing Alice's syndrome and his own syndrome, Bob can extract some information about error rate.If he uses multiple matrices, he can obtain multiple syndromes, which can be used to estimate the error rate more accurately.Above all, Bob obtains u syndromes from Alice and performs XOR as follows, where ⊕ is the XOR operation, z A|k and z B|k is the k th syndromes of Alice and Bob respectively.Then Bob calculates the maximum likelihood estimation of e by, e = arg max where e is a possible value that e may take, In equation (10), M e | Z can be obtained via, p(e , d k cj ) = P r( z k j = 1) where M e | Z is the likelihood function of e , p(e , d k cj ) is the priori probability of that z A|k j and z B|k j are different, is the j th bit of z B|k , d k cj is the degree of check node c j of k th matrix.As shown in equation ( 10), e evaluates to e that maximizes M e | Z .The "threshold" [30,31] is the upper limit of error rate that can be acceptable.If e exceeds the "threshold", the sifted key will be abandoned.
Our method (hereinafter referred to as the multisyndrome error estimation) is based on the singlesyndrome error estimation, but can bring out higher accuracy of estimation.Meanwhile, compared with the random sampling, our method doesn't need to discard any key bit.

Multi-matrix Key Reconciliation
Although, theoretical analysis and simulation results show that the single-matrix reconciliation can correct the errors to some extent [32], the performances of convergence speed and BER are still limited [29,33], and the success rate is decreased when LDPC code is not cyclefree [27,34].To overcome these problems, we propose a new reconciliation strategy that uses two or more matrices to correct errors in parallel.Let us take multi-matrix BP (MBP) as an example to show the detailed process and advantages of our strategy.
Suppose Alice and Bob have prepared and shared u LDPC codes H 1 , . . ., H u .After obtaining the sifted key x T = [x 1 , . . ., x n ] (x i ∈ {0, 1}), Alice calculates u syndromes according to the following equation: and sends them to Bob over the classical channel.Because of Eve's attacks, channel noise, or device imperfection, Bob inevitably obtain different sifted keys with Alice, denoted as y T = [y 1 , . . ., y n ], (y i ∈ {1, 0}).
In our strategy, Bob first initializes the prior probabilities P b i (b ∈ {0, 1}), log likelihood ratios L k Pi and V2C information L k vi→cj for all matrices according to equations (1), ( 2) and (3), respectively.
Secondly, Bob generates and propagates C2V information L k cj →vi according to equation (4).Thirdly, by substituting C2V information into equation (6), Bob updates and propagates V2C information.
Finally, he goes through all variable nodes to obtain their soft-decision values by and makes decoding decisions according to equation (8).
Because once Bob's key is corrected, i.e. y is equal to x, all his syndromes satisfy z k = H k • y.Thus he randomly selects a matrix H k , and judges whether z k is equal to H k • y.If so, Bob terminates the algorithm and stores y.
Otherwise, he starts another iteration.The reconciliation is considered as a failure when the number of iterations exceeds the upper limit.
There is an important figure called the reconciliation efficiency f [25].It shows the ratio of practical information leakage to theoretical floor for successful reconciliation.It serves to imply the efficiency and security of a reconciliation strategy and help privacy amplification to remove information leakage.For the single-matrix reconciliation, the reconciliation efficiency f is represented as where m and n are the numbers of check nodes and variable nodes of the LDPC code, e is the result of error estimation, h is the Shannon binary entropy: For the multi-matrix reconciliation, however, f is given by where α is a constant which is relative to u and the structures of u matrices.Fortunately, if the construction method of multiple matrices (see Appendix B) is used, it can be proved that the practical information leakage is equal to m (see Appendix A), i.e., α is equal to 1, without sacrificing the reconciliation efficiency compared with single-matrix post-processing.Obviously, our strategies is portable, it can be easily applied to SBP, LBP (see Appendix C), and other algorithms to achieve the following improvements: 1. Faster Convergence Speed In our strategy, when Bob generates C2V and updates V2C information, all matrices operate in parallel.And as shown in equation ( 14), Bob obtains the soft-decision value of each variable node v i by gathering all the C2V information sent to v i in every matrix.The amount of C2V information gathered within one iteration in the multi-matrix reconciliation is equal to information gathered in numerous iterations in the single-matrix reconciliation.
2. Higher Success Rate Once C2V and V2C information of a matrix are trapped in a cycle, the other matrices without this cycle can help the trapped matrix jump out the cycle, leading to higher success rate.
3. Lower BER The value of each key bit is determined according to the information provided by multiple matrices.The accuracy of error-correction is effectively improved, resulting in lower BER.

EXPERIMENTAL EVALUATION
To fully evaluate the above advantages of multi-matrix post-processing, in this session we first give some detailed comparisons among three methods of error estimation.Then for the other three parts, the experiments about the three criteria of key reconciliation algorithms are carried out.All simulation data used in our experiments are generated by real random number generator IDQ EasyQuantis 2.1.For comparison, we also set the upper limit of iterations to 100, which is similar to existing implementations [35,36], and the code rate and code length of LDPC codes are set to 0.8 and 10000, respectively.

Error Estimation
We have described the three methods of error estimation hereinbefore, including the random sampling, the single-syndrome error estimation and the multisyndrome error estimation.To compare these three methods, we generate 2000 sets of keys at error rates of 0.0068, 0.0166, and 0.0267, respectively.The sampling rate of random sampling is set to 0.5.For any set of key, we use these methods to get three error rates.As shown in Fig. 3, it is clear that our method (black lines) is more accurate and stable than the random sampling (magenta lines) and the single-syndrome error estimation (red lines).

Convergence Speed
For key reconciliation, since the faster the convergence speed is, the smaller the average number of iterations becomes, we evaluate the convergence speed of different algorithms by calculating their average numbers of iterations under different error rates.We first prepare a matrix for the single-matrix algorithms, then add four more matrices for the multi-matrix algorithms (see the next section for the detailed method of generating LDPC codes).At a certain error rate, we generate 100 sets of keys, perform each algorithm on the keys, and calculate the average number of iterations.The results are shown in Fig. 4. Clearly, under different error rates, the average numbers of iterations of the multi-matrix algorithms are significantly decreased compared with their single-matrix versions.MBP cuts down 43.15∼46.06% of average iteration number of BP, while MLBP is 38.16∼40.21%and MSBP is 47.87∼53.38%.
We can further increase the convergence speed of the multi-matrix algorithms by adjusting two factors.One is the number of matrices used in reconciliation.We generate 100 sets of keys with error rate 0.0246, run the multimatrix algorithms with different number of matrices to correct these keys.The relationship between the average number of iterations and the number of matrices is plotted in Fig. 5. Clearly, the average number of iterations and the number of matrices are inversely proportional.
Another factor is the number of waves.The variable nodes with larger degrees can get more information, thus can be corrected earlier and can provide useful information to help other variable nodes.This process spreads from large-degree to small-degree variable nodes, behaving like a wave, so it is called the wave effect [37].For a multi-matrix algorithm, the multiple waves can be formed simultaneously to correct errors.We refer this phenomenon as the multi-wave effect, which obviously leads to faster convergence speed.However, if the waves are close to each other, they spread as one wave.This greatly discounts the performance of the multi-wave effect.On the contrary, if the large-degree variable nodes are dispersed in different matrices, the multiple waves spread and correct errors at the same time, resulting in faster convergence speed.We construct 5 matrices with close waves to compare with 5 matrices with separated ones, and plot the results in Fig. 6.Clearly, the algorithms using matrices with separated waves outperform the others.
Therefore, our strategy can significantly improve the convergence speed compared with the single-matrix reconciliation, and the speed can be further improved if Bob uses more or designs better matrices.

Success Rate
The success rate of reconciliation may be negatively impacted by the cycles.For example, suppose Alice's sifted key is x T = [1, 0, 1, 0, 1], Bob's sifted key is y T = [1, 0, 0, 0, 1], the error rate e is 0.2, LDPC code has 5 variable nodes labeled as {v 1 , . . ., v 5 } and 4 check nodes denoted as {c 1 , . . ., c 4 }.As shown in Fig. 7 (a), in LDPC code there is a 4-member cycle which is represented by a blue circle and red edges, respectively.If Bob uses BP algorithm to correct the key, the reconciliation is failed in each iteration.It is because that there is always a difference between the signs of soft-decision values of v 2 and v 4 .Therefore, they cannot be decoded as 1 at the same time.The 4-member cycle makes new information  always be excluded and old information always loop in the cycle.Thus, as recorded in Tab.I, no matter how large the upper limit of iterations is, the single-matrix reconciliation always fails.We generate 100 sets of keys at each error rate, perform each algorithm on the keys using 5 matrices with compact and separated waves respectively, and calculate the average number of iterations.
II, MBP correct the error within two iterations.We carry out a test to fully represent the performance of reducing the impact of cycles.In this test, we generate 1000 sets of keys with error rate 0.0275, perform the 6 reconciliation algorithms on the generated keys, and calculate the success rate.As shown in Fig. 8, the average success rate of the multi-matrix algorithms is 96.33%, nearly double that, 48.83%, of the single-matrix algorithms.

Bit Error Rate
Compared with the single-matrix reconciliation, the multi-matrix algorithms decode the key according to information provided by multiple matrices.The decoding results are more accurate and reliable.We generate 100 sets of keys with error rate 0.0267, perform BP and MBP on the generated keys to calculate the number of corrected bits N c and the number of misjudged bits N m in each iteration, and plot the valid number of corrected bits N c − N m in Fig. 9.We can see that MBP can correct more errors in each iteration, and most of the errors are corrected at the beginnings of the iterations.It achieves faster convergence speed and lower BER compared with BP.
To further evaluate the BER performances of the multi-matrix algorithms, five QBER values ranging from 0.0202 to 0.0256 are selected.At each error rate, we generate 1000 sets of keys, perform 5-matrix algorithms and their single-matrix versions on these generated keys.Af- and draw the results in Fig. 10.It is obvious that all three multi-matrix algorithms achieve lower BERs under different error rates compared with their single-matrix versions.For example, the BER of SBP is 0.0030832 when the error rate is 0.0202, while MSBP is 0.0000045, between which there is a difference of 3-order magnitude.

CONCLUSION
In this paper, a highly efficient error reconciliation protocol for QKD is proposed, whose core is using likelihood of multiple syndromes obtained from multiple LDPC codes for QBER estimation and correction.Security analysis and multi-matrix construction method are provided.Evaluation results show that the proposed approach allows improving the accuracy of QBER estimation in contract to previous works.Additionally, the scheme can greatly increase the convergence speed, success rate, and significantly improve the BER performance during key reconciliation without compromising the reconciliation efficiency and significant expenditure of authentication and time resources.Our findings can lower the complexity for post-processing procedure, thus will promote the commercialization of QKD.
Generally, Alice and Bob can use the following method to abandon the m bits information leakage.If the matrix H m×n has the following structure, where H m×t is a matrix which has m rows and t columns, E m is an m-order identity matrix, then H m×n is called a system code.In other words, m vectors of E m are linearly independent in H m×n .Under this circumstance, Alice can calculate and send the syndrome by From Theorem 1, we know that Eve can obtain at most m bits of information about x.Assume these m bits of information is m bits of x.If the matrix H m×n is a non-system code, a system code can be formed by a series of elementary row transformations and column exchanges based on where A is a m-order invertible square matrix representing a whole train of primary row transformation.B is a n-order square matrix representing a series of column exchanges.Denote z Similarly, after Alice and Bob abandon the m bits key [x t+1 , • • • , x n ] T , even if Eve knows H m×t and z , she will not be able to get any information about From the above analysis, we can see that if we first select m linearly independent columns in H m×n , then discard the corresponding bits of these columns, the m bits information leakage can be removed, thus ensuring the security of the key.Therefore, we design a multiple matrices construction method as shown in the Appendix B. And all matrices used in the simulation are prepared according to the the method.
Through the above method, we can construct a series of matrices (H 1 , • • • , H u ) of the same size.Let H i and H j denote any two matrices from (H 1 , • • • , H u ).They can be represented as follows: Their syndromes z i and z j can be represented as: More precisely, From the above matrices construction method, we can see that [x i t+1 , • • • , x i n ] and [x j t+1 , • • • , x j n ] are not equal, but their corresponding variable nodes sets are the same.Similarly, assume Eve knows [x i t+1 , • • • , x i n ] and [x j t+1 , • • • , x j n ], then she has to solve the system of equation.Because H i and H j are construct with the method in the Appendix B, the two sets of underdetermined systems of equation in equations (33) and (34) are the same.In other word, it is impossible to form a determined or overdetermined system of equation.After Alice and Bob discard those m bits, even if Eve knows H i , H j , z i , and z j , she cannot obtain any information about [x i 1 , • • • , x i t ] and [x j 1 , • • • , x j t ].In fact, any two matrices constructed by this method will not reveal extra information during reconciliation.Accordingly, in the case of reconciliation with more than two matrices, because the discarded m bits information is corresponding to the same m linearly independent columns, multiple syndromes transmitted through the classical channel do not reveal extra information, i.e. = H(z 1 ) (36) where Z = {z 1 , z 2 , • • • , z u }.Therefore, if Alice and Bob use our method to construct matrices, they can guarantee the security of the key, i.e., guarantee the security of the multi-matrix post-processing.

H(z
15: if stopping rule is not satisf ied then for i = 1 to n do 4: for every c k j ∈ neighborhood of v k i do

5:
Generate and propagate L k cj →vi 6: end for 7: for every c k j ∈ neighborhood of v k i do 8: Generate and propagate L k vi→cj 9: end for 10: end for 11: end for 12: M ake decoding decisions 13: if stopping rule is not satisf ied then end for 11: end for 12: M ake decoding decisions 13: if stopping rule is not satisf ied then

Figure 1 :
Figure 1: A binary m × n LDPC matrix (a) and its corresponding TG (b).

Figure 2 :
Figure 2: (a)Generated C2V information L cj →vi by Alice.(b) Updated V2C information L vi→cj by Bob.

Figure 3 :
Figure 3: Comparison of random sampling, single-syndrome and multi-syndrome for error estimation with 2000 sets of keys at the QBER of 0.0068 (top), 0.0166 (middle), and 0.0267 (bottom), respectively.(a) Results of multi-syndrome error estimation (black lines) and random sampling method (magenta lines).(b) Results of multi-syndrome error estimation (black lines) and single-syndrome error estimation (red lines).

Figure 4 :
Figure 4: Comparison about convergence speed of 6 reconciliation algorithms by calculating their average numbers of iterations for different error rates.

Figure 5 :
Figure 5: Relationship about the convergence speed and the number of matrices (1∼5) in reconciliation.The error rate for data simulation is 0.0246.

Figure 6 :
Figure 6: The convergence speed of the multi-matrix algorithms relative to the number of waves is shown.We generate 100 sets of keys at each error rate, perform each algorithm on the keys using 5 matrices with compact and separated waves respectively, and calculate the average number of iterations.

Figure 7 :
Figure 7: One matrix with a 4-member cycle (a) and two additional matrices (b).

Figure 8 :
Figure 8: Reconciliation success rate for single-and multi-matrix algorithms.1000 sets of keys with error rate of 0.0275 are generated for the comparison.

Figure 9 :
Figure 9: The valid number of corrected bits N c − N m (N c the number of corrected bits; N m is the number of misjudged bits) in each iteration for single-and multi-matrix algorithms.100 sets of keys with error rate of 0.0267 are considered.

Figure 10 :
Figure 10: The BER performances of the multi-matrix algorithms after 5 iterations are shown.Five QBER ranging from 0.0202 to 0.0256 are selected.For each error rate, we generate 1000 sets of keys, perform 5-matrix algorithms and single-matrix versions on these generated keys.

2 :
for every parity-check matrix H k do 3:

2 : 3 :j = 1 to m do 4 :every v k i ∈ neighborhood of c k j do 5 :
for every parity-check matrix H k do for for

14 :
Go back to line 2 15: end if

Table I :
Soft-decision Values of v 2 and v 4

Table II :
Soft-decision Values of v 2 and v 4 in 3-matrix reconciliation And for Eve, it is in her best interests if the m bits of x are [x t+1 , • • • , x n ] T .Then Eve has to solve a underdetermined system of equation, which has no unique solution.Moreover, after Alice and Bob discard the m bits key [x t+1 , • • • , x n ] T, Eve cannot even form the system of equation and get any information about [x 1 , • • • , x t ] T , even if she knows H m×t and z.