List Privacy Amplification (LPA) in QKD
- List Privacy Amplification (LPA) is a relaxation of standard privacy amplification that extracts a list of candidate keys, ensuring one key remains secret even against quantum adversaries.
- It leverages the hidden index entropy to achieve an additive gain of log L in extractable key length while retaining smooth min-entropy and composable security.
- Explicit constructions using polynomial inner-product and Toeplitz-based hashing balance seed usage and computational efficiency, facilitating practical implementations.
Searching arXiv for the cited LPA papers to ground the article in current preprint metadata. List Privacy Amplification (LPA) is a relaxation of the final privacy-amplification step in quantum key distribution (QKD) in which Alice and Bob extract a list of candidate keys from a raw string correlated with an eavesdropper Eve, with the guarantee that at least one key is perfectly secret while Eve cannot identify which entry is secure (Kulkarni, 18 Mar 2026). In the formal setting introduced in “One Key Good, L Keys Better: List Decoding Meets Quantum Privacy Amplification” (Kulkarni, 18 Mar 2026), LPA preserves the standard adversarial model of privacy amplification with quantum side information, retains smooth min-entropy as the relevant entropy measure, but changes the task from unique-key extraction to list extraction. This relaxation is explicitly compared to the passage from unique decoding to list decoding in coding theory: allowing a short list of outputs exposes an additive gain in extractable key length (Kulkarni, 18 Mar 2026). Related work on list privacy outside QKD studies list-based privacy under utility constraints, but in a different operational model centered on function recoverability rather than composable secret-key extraction (Nageswaran et al., 2023).
1. Formal definition and ideal functionality
In the LPA setting, after sifting, error correction, and parameter estimation, Alice and Bob share an -bit classical string that is partially known to Eve, who holds a quantum system correlated with . The joint state is a CQ state
Instead of extracting a single secret key, LPA requires that Alice and Bob produce candidate keys such that at least one is information-theoretically secret from Eve and Eve cannot determine which one (Kulkarni, 18 Mar 2026).
The formalization is given in the abstract cryptography framework as a resource construction from a noisy resource and an authenticated classical channel to an ideal list-key functionality 0 (Kulkarni, 18 Mar 2026). This functionality outputs 1 independently uniform 2-bit strings 3, chooses a secret index 4 uniformly at random, gives Alice and Bob the entire list together with 5, and gives Eve only the off-list keys 6, without revealing either 7 or 8 (Kulkarni, 18 Mar 2026). When 9, the functionality reduces exactly to the standard unique-key resource (Kulkarni, 18 Mar 2026).
The ideal joint state is written as
0
where each 1 is maximally mixed on 2 bits (Kulkarni, 18 Mar 2026). The real-world protocol samples 3 independent strongly two-universal hash functions 4, computes 5, and then samples the secret index 6 after hashing and independently of 7 and 8 (Kulkarni, 18 Mar 2026).
Security is defined by trace-distance indistinguishability from the ideal list-key resource: 9 This list-0-security notion is composable: no environment can distinguish the real protocol from 1 except with advantage 2 (Kulkarni, 18 Mar 2026). Operationally, this means that there is, up to 3, exactly one index 4 for which 5 is uniform and independent of Eve, while Eve’s view does not reveal which position is the good one (Kulkarni, 18 Mar 2026).
2. Relation to standard privacy amplification and list-based privacy
Standard privacy amplification with a quantum adversary is governed by the Quantum Leftover Hash Lemma (QLHL). For a CQ state 6, a strongly two-universal family 7, and 8, the QLHL states that
9
provided
0
Thus one may extract approximately 1 nearly uniform bits when 2, and this bound is tight in the unique-key setting (Kulkarni, 18 Mar 2026).
LPA keeps the same adversarial model and the same smooth min-entropy measure, but replaces the requirement of a unique secret output by the weaker requirement that one element of a list be secret and hidden among the other entries (Kulkarni, 18 Mar 2026). The comparison to list decoding is explicit: unique decoding outputs a single codeword, list decoding outputs a short list of candidates; analogously, standard privacy amplification outputs one key, whereas LPA outputs a list and thereby exceeds the standard QLHL bound (Kulkarni, 18 Mar 2026).
The broader notion of list privacy appears in other contexts. “List Privacy Under Function Recoverability” (Nageswaran et al., 2023) studies a finite-alphabet setting in which a user releases a randomized response subject to a 3-recoverability constraint for a function 4, while minimizing the probability that a querier can place 5 inside a list of prescribed size 6. In that model, the privacy criterion is
7
and the optimal tradeoff curve is
8
(Nageswaran et al., 2023). This is not the same task as LPA in QKD, but it provides a related list-based privacy perspective in which privacy is measured by adversarial list failure under a utility constraint (Nageswaran et al., 2023). A plausible implication is that LPA belongs to a wider family of privacy notions where the object of protection is not unique reconstruction but ambiguity over a small candidate set.
3. Quantum List Leftover Hash Lemma
The central theorem of LPA is the Quantum List Leftover Hash Lemma (QLLHL) (Kulkarni, 18 Mar 2026). Let
9
If Alice and Bob sample 0 independent strongly two-universal hashes 1, define 2, and then sample a secret index 3 independently of everything else, then the protocol is list-4-secure whenever
5
This is Theorem 3.1 of (Kulkarni, 18 Mar 2026). Relative to the standard QLHL bound
6
the list version yields an additive gain of 7, with the main asymptotic gain equal to 8 (Kulkarni, 18 Mar 2026).
The paper attributes this gain to the hidden index 9, which is selected after hashing and is initially hidden from Eve (Kulkarni, 18 Mar 2026). The joint variable 0 derives entropy from both 1 and the independent randomness of 2, so one obtains schematically
3
Applying the standard QLHL to the 4-bit pair 5 then yields the list-extraction bound (Kulkarni, 18 Mar 2026). The paper describes this as the hidden index effectively contributing 6 bits of entropy (Kulkarni, 18 Mar 2026).
The result is also accompanied by a converse. Theorem 4.1 of (Kulkarni, 18 Mar 2026) shows that for any 7 there exists a worst-case source 8 for which any list-9-secure protocol must satisfy
0
The converse uses a syndrome source in which Eve learns a linear projection 1 of dimension 2, leaving 3 uniform on a coset of size 4 (Kulkarni, 18 Mar 2026). In that case, conditioning on Eve leaves effective support size at most 5, and the independent index contributes at most another 6 (Kulkarni, 18 Mar 2026). This establishes that the additive 7 gain is optimal up to lower-order terms.
4. Security interpretation, composability, and authentication
The phrase “at least one key is perfectly secret” has a precise meaning in the ideal functionality 8: the index 9 is uniformly random and known only to Alice and Bob, the key 0 is uniform and independent of Eve’s quantum system 1 and all off-list keys, and Eve’s view consists only of 2 together with the 3 off-list keys (Kulkarni, 18 Mar 2026). Because the real protocol is 4-close to the ideal resource, these properties hold except with probability at most 5 (Kulkarni, 18 Mar 2026).
Within abstract cryptography, a protocol 6 7-constructs an ideal resource 8 if, for every environment 9,
0
For LPA, the protocol constructs 1 with error 2, and standard composition theorems then imply additive accumulation of failure parameters across error correction, privacy amplification, and authentication (Kulkarni, 18 Mar 2026). The total QKD security parameter is written as
3
where 4 comes from list privacy amplification (Kulkarni, 18 Mar 2026).
After generating the list, Alice must reveal 5 to Bob so that both can use the same final key. The paper proposes Wegman–Carter authentication for this step: Alice sends 6 together with a MAC tag using a short pre-shared key, and Eve cannot forge or modify 7 except with probability 8 (Kulkarni, 18 Mar 2026). The authentication cost is stated as only 9 bits of pre-shared key usage (Kulkarni, 18 Mar 2026). Once 00 is authenticated, both parties use 01 as an ordinary unique secret key, and the list structure disappears for subsequent cryptographic use (Kulkarni, 18 Mar 2026). This is the basis for the claim that LPA is fully composable with standard QKD and with primitives that consume a unique session key (Kulkarni, 18 Mar 2026).
5. Application to BB84-type QKD
For BB84, after sifting, Alice and Bob share 02 bits with bit error rate 03 and phase error rate 04. Finite-key analysis gives
05
where 06 is a finite-size correction term of order 07 (Kulkarni, 18 Mar 2026). Standard privacy amplification then gives an asymptotic key rate
08
which vanishes when 09; for symmetric channels this corresponds to the familiar 10 phase-error threshold (Kulkarni, 18 Mar 2026).
Under LPA, the extractable list-key length satisfies
11
and therefore, after substituting the BB84 min-entropy lower bound,
12
Requiring 13 yields
14
(Kulkarni, 18 Mar 2026). For list size 15 and 16, this becomes asymptotically
17
which the paper summarizes as a threshold shift from
18
According to (Kulkarni, 18 Mar 2026), this means that standard BB84 with unique-key privacy amplification cannot extract positive key beyond roughly 19 phase error, whereas BB84 with LPA can tolerate strictly larger phase error for any 20. The paper also proves tightness in the QKD setting via a matching intercept–resend attack: the attack can be tuned so that the bit and phase error rates lie exactly at the threshold predicted by QLLHL, and beyond the shifted threshold even list privacy amplification cannot generate key (Kulkarni, 18 Mar 2026). This shows that the increased tolerable phase-error threshold is not merely an artefact of analysis.
6. Explicit constructions and computational complexity
The QLLHL is stated for any strongly two-universal family, and (Kulkarni, 18 Mar 2026) gives two explicit constructions.
The first is a polynomial inner-product hash over 21. Assuming 22 and 23, the input 24 is represented as 25. For each list position 26, one samples 27 and 28, computes
29
and sets
30
before encoding as an 31-bit string (Kulkarni, 18 Mar 2026). The family is strongly two-universal, yields list-32-security under the QLLHL bound, uses 33 random bits per hash, and runs in 34 bit operations overall, with 35 working memory per hash and 36 storage for all keys (Kulkarni, 18 Mar 2026).
The second construction is Toeplitz-based and operates over 37. For each list element 38, one samples a Toeplitz generator 39, defining an 40 Toeplitz matrix 41, samples an offset 42, and computes
43
using convolution and FFT-based acceleration (Kulkarni, 18 Mar 2026). Toeplitz hashing is also strongly two-universal, satisfies the same list-44 guarantee, uses 45 random bits per list element, and has total running time 46 for 47, with 48 FFT workspace and 49 key storage (Kulkarni, 18 Mar 2026).
| Construction | Seed usage per list element | Time |
|---|---|---|
| Polynomial inner-product hash over 50 | 51 bits | 52 total |
| Toeplitz-based list hash | 53 bits | 54 total |
Both constructions satisfy the strong two-universality required by QLLHL (Kulkarni, 18 Mar 2026). The paper characterizes the trade-off as one between conceptual simplicity and FFT-based asymptotic acceleration: inner-product hashing is simpler and linear-time in 55, whereas the Toeplitz construction is more implementation-intensive but benefits from convolution-based computation (Kulkarni, 18 Mar 2026).
7. Conceptual significance, neighboring frameworks, and limitations
The stated reason for the 56 gain is index-hiding entropy. In standard privacy amplification, the key is a function 57 of the source alone, so all usable entropy must come from 58. In LPA, Alice and Bob derive many outputs 59, then choose the index 60 afterwards and keep it hidden from Eve. The pair 61 therefore draws entropy both from 62 and from the independent uniform index 63, yielding the additional 64 term (Kulkarni, 18 Mar 2026). The analogy with list decoding is structural rather than metaphorical: relaxing uniqueness opens degrees of freedom that are unavailable in the standard formulation (Kulkarni, 18 Mar 2026).
The paper explicitly contrasts LPA with classical fuzzy and list fuzzy extractors. Those constructions concern noisy inputs and classical adversaries, whereas LPA addresses a clean classical source 65 entangled with arbitrary quantum side information and provides a composable security statement in a quantum setting (Kulkarni, 18 Mar 2026). It states that LPA is the first approach to be simultaneously quantum, list-output, composable, and tight (Kulkarni, 18 Mar 2026).
Other forms of privacy amplification by list-like outputs exist in different settings. “Privacy Amplification via Shuffled Check-Ins” (Liew et al., 2022) studies a shuffle-model protocol in which each round outputs an unordered list of locally randomized reports from independently self-sampled users. There, privacy amplification arises from random participation and shuffling, and the RDP analysis is expressed as a binomial mixture over all possible list sizes 66 (Liew et al., 2022). This is not LPA in the QKD sense, but it shows that list-structured outputs also play a central role in differential privacy and shuffle-model amplification (Liew et al., 2022). This suggests a broader methodological theme: privacy gains can emerge when the released object is a list whose latent structure conceals the identity or status of a privileged element.
The limitations recorded in (Kulkarni, 18 Mar 2026) are concrete. The model assumes authenticated classical communication and trusted local devices; it is not device-independent. Finite-size corrections 67 may substantially reduce the asymptotic gain for small block lengths. For very large 68, the authentication cost of transmitting 69 scales as 70 bits of pre-shared key, which can materially reduce net key rate; accordingly, the paper suggests small constant list sizes such as 71 as more realistic (Kulkarni, 18 Mar 2026). It also does not treat device-independent QKD, continuous-variable QKD, or entropy accumulation frameworks, and identifies low-seed list privacy amplification as an open problem, asking whether nearly optimal seed length can be achieved while remaining information-theoretic (Kulkarni, 18 Mar 2026).
In summary, LPA is a composable reformulation of privacy amplification in which secrecy is attached not to a unique hash output but to a hidden position within a list. The resulting Quantum List Leftover Hash Lemma establishes that the secret index contributes an additive 72 to the extractable key length, the converse shows that this gain is tight, and the BB84 analysis shows that the effect translates into a genuine increase in tolerable phase error (Kulkarni, 18 Mar 2026). Within the technical landscape of list-based privacy notions, LPA is distinguished by its quantum adversarial model, its AC-level composability, and its explicit identification of hidden index entropy as a cryptographic resource (Kulkarni, 18 Mar 2026).