Papers
Topics
Authors
Recent
Search
2000 character limit reached

List Privacy Amplification (LPA) in QKD

Updated 5 July 2026
  • List Privacy Amplification (LPA) is a relaxation of standard privacy amplification that extracts a list of candidate keys, ensuring one key remains secret even against quantum adversaries.
  • It leverages the hidden index entropy to achieve an additive gain of log L in extractable key length while retaining smooth min-entropy and composable security.
  • Explicit constructions using polynomial inner-product and Toeplitz-based hashing balance seed usage and computational efficiency, facilitating practical implementations.

Searching arXiv for the cited LPA papers to ground the article in current preprint metadata. List Privacy Amplification (LPA) is a relaxation of the final privacy-amplification step in quantum key distribution (QKD) in which Alice and Bob extract a list of LL candidate keys from a raw string XX correlated with an eavesdropper Eve, with the guarantee that at least one key is perfectly secret while Eve cannot identify which entry is secure (Kulkarni, 18 Mar 2026). In the formal setting introduced in “One Key Good, L Keys Better: List Decoding Meets Quantum Privacy Amplification” (Kulkarni, 18 Mar 2026), LPA preserves the standard adversarial model of privacy amplification with quantum side information, retains smooth min-entropy as the relevant entropy measure, but changes the task from unique-key extraction to list extraction. This relaxation is explicitly compared to the passage from unique decoding to list decoding in coding theory: allowing a short list of outputs exposes an additive logL\log L gain in extractable key length (Kulkarni, 18 Mar 2026). Related work on list privacy outside QKD studies list-based privacy under utility constraints, but in a different operational model centered on function recoverability rather than composable secret-key extraction (Nageswaran et al., 2023).

1. Formal definition and ideal functionality

In the LPA setting, after sifting, error correction, and parameter estimation, Alice and Bob share an nn-bit classical string X{0,1}nX \in \{0,1\}^n that is partially known to Eve, who holds a quantum system EE correlated with XX. The joint state is a CQ state

ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.

Instead of extracting a single secret key, LPA requires that Alice and Bob produce LL candidate keys such that at least one is information-theoretically secret from Eve and Eve cannot determine which one (Kulkarni, 18 Mar 2026).

The formalization is given in the abstract cryptography framework as a resource construction from a noisy resource (X,E)(X,E) and an authenticated classical channel to an ideal list-key functionality XX0 (Kulkarni, 18 Mar 2026). This functionality outputs XX1 independently uniform XX2-bit strings XX3, chooses a secret index XX4 uniformly at random, gives Alice and Bob the entire list together with XX5, and gives Eve only the off-list keys XX6, without revealing either XX7 or XX8 (Kulkarni, 18 Mar 2026). When XX9, the functionality reduces exactly to the standard unique-key resource (Kulkarni, 18 Mar 2026).

The ideal joint state is written as

logL\log L0

where each logL\log L1 is maximally mixed on logL\log L2 bits (Kulkarni, 18 Mar 2026). The real-world protocol samples logL\log L3 independent strongly two-universal hash functions logL\log L4, computes logL\log L5, and then samples the secret index logL\log L6 after hashing and independently of logL\log L7 and logL\log L8 (Kulkarni, 18 Mar 2026).

Security is defined by trace-distance indistinguishability from the ideal list-key resource: logL\log L9 This list-nn0-security notion is composable: no environment can distinguish the real protocol from nn1 except with advantage nn2 (Kulkarni, 18 Mar 2026). Operationally, this means that there is, up to nn3, exactly one index nn4 for which nn5 is uniform and independent of Eve, while Eve’s view does not reveal which position is the good one (Kulkarni, 18 Mar 2026).

2. Relation to standard privacy amplification and list-based privacy

Standard privacy amplification with a quantum adversary is governed by the Quantum Leftover Hash Lemma (QLHL). For a CQ state nn6, a strongly two-universal family nn7, and nn8, the QLHL states that

nn9

provided

X{0,1}nX \in \{0,1\}^n0

Thus one may extract approximately X{0,1}nX \in \{0,1\}^n1 nearly uniform bits when X{0,1}nX \in \{0,1\}^n2, and this bound is tight in the unique-key setting (Kulkarni, 18 Mar 2026).

LPA keeps the same adversarial model and the same smooth min-entropy measure, but replaces the requirement of a unique secret output by the weaker requirement that one element of a list be secret and hidden among the other entries (Kulkarni, 18 Mar 2026). The comparison to list decoding is explicit: unique decoding outputs a single codeword, list decoding outputs a short list of candidates; analogously, standard privacy amplification outputs one key, whereas LPA outputs a list and thereby exceeds the standard QLHL bound (Kulkarni, 18 Mar 2026).

The broader notion of list privacy appears in other contexts. “List Privacy Under Function Recoverability” (Nageswaran et al., 2023) studies a finite-alphabet setting in which a user releases a randomized response subject to a X{0,1}nX \in \{0,1\}^n3-recoverability constraint for a function X{0,1}nX \in \{0,1\}^n4, while minimizing the probability that a querier can place X{0,1}nX \in \{0,1\}^n5 inside a list of prescribed size X{0,1}nX \in \{0,1\}^n6. In that model, the privacy criterion is

X{0,1}nX \in \{0,1\}^n7

and the optimal tradeoff curve is

X{0,1}nX \in \{0,1\}^n8

(Nageswaran et al., 2023). This is not the same task as LPA in QKD, but it provides a related list-based privacy perspective in which privacy is measured by adversarial list failure under a utility constraint (Nageswaran et al., 2023). A plausible implication is that LPA belongs to a wider family of privacy notions where the object of protection is not unique reconstruction but ambiguity over a small candidate set.

3. Quantum List Leftover Hash Lemma

The central theorem of LPA is the Quantum List Leftover Hash Lemma (QLLHL) (Kulkarni, 18 Mar 2026). Let

X{0,1}nX \in \{0,1\}^n9

If Alice and Bob sample EE0 independent strongly two-universal hashes EE1, define EE2, and then sample a secret index EE3 independently of everything else, then the protocol is list-EE4-secure whenever

EE5

This is Theorem 3.1 of (Kulkarni, 18 Mar 2026). Relative to the standard QLHL bound

EE6

the list version yields an additive gain of EE7, with the main asymptotic gain equal to EE8 (Kulkarni, 18 Mar 2026).

The paper attributes this gain to the hidden index EE9, which is selected after hashing and is initially hidden from Eve (Kulkarni, 18 Mar 2026). The joint variable XX0 derives entropy from both XX1 and the independent randomness of XX2, so one obtains schematically

XX3

Applying the standard QLHL to the XX4-bit pair XX5 then yields the list-extraction bound (Kulkarni, 18 Mar 2026). The paper describes this as the hidden index effectively contributing XX6 bits of entropy (Kulkarni, 18 Mar 2026).

The result is also accompanied by a converse. Theorem 4.1 of (Kulkarni, 18 Mar 2026) shows that for any XX7 there exists a worst-case source XX8 for which any list-XX9-secure protocol must satisfy

ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.0

The converse uses a syndrome source in which Eve learns a linear projection ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.1 of dimension ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.2, leaving ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.3 uniform on a coset of size ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.4 (Kulkarni, 18 Mar 2026). In that case, conditioning on Eve leaves effective support size at most ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.5, and the independent index contributes at most another ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.6 (Kulkarni, 18 Mar 2026). This establishes that the additive ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.7 gain is optimal up to lower-order terms.

4. Security interpretation, composability, and authentication

The phrase “at least one key is perfectly secret” has a precise meaning in the ideal functionality ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.8: the index ρXE=x{0,1}npxx ⁣xXρEx.\rho_{XE} = \sum_{x \in \{0,1\}^n} p_x\, |x\rangle\!\langle x|_X \otimes \rho_E^x.9 is uniformly random and known only to Alice and Bob, the key LL0 is uniform and independent of Eve’s quantum system LL1 and all off-list keys, and Eve’s view consists only of LL2 together with the LL3 off-list keys (Kulkarni, 18 Mar 2026). Because the real protocol is LL4-close to the ideal resource, these properties hold except with probability at most LL5 (Kulkarni, 18 Mar 2026).

Within abstract cryptography, a protocol LL6 LL7-constructs an ideal resource LL8 if, for every environment LL9,

(X,E)(X,E)0

For LPA, the protocol constructs (X,E)(X,E)1 with error (X,E)(X,E)2, and standard composition theorems then imply additive accumulation of failure parameters across error correction, privacy amplification, and authentication (Kulkarni, 18 Mar 2026). The total QKD security parameter is written as

(X,E)(X,E)3

where (X,E)(X,E)4 comes from list privacy amplification (Kulkarni, 18 Mar 2026).

After generating the list, Alice must reveal (X,E)(X,E)5 to Bob so that both can use the same final key. The paper proposes Wegman–Carter authentication for this step: Alice sends (X,E)(X,E)6 together with a MAC tag using a short pre-shared key, and Eve cannot forge or modify (X,E)(X,E)7 except with probability (X,E)(X,E)8 (Kulkarni, 18 Mar 2026). The authentication cost is stated as only (X,E)(X,E)9 bits of pre-shared key usage (Kulkarni, 18 Mar 2026). Once XX00 is authenticated, both parties use XX01 as an ordinary unique secret key, and the list structure disappears for subsequent cryptographic use (Kulkarni, 18 Mar 2026). This is the basis for the claim that LPA is fully composable with standard QKD and with primitives that consume a unique session key (Kulkarni, 18 Mar 2026).

5. Application to BB84-type QKD

For BB84, after sifting, Alice and Bob share XX02 bits with bit error rate XX03 and phase error rate XX04. Finite-key analysis gives

XX05

where XX06 is a finite-size correction term of order XX07 (Kulkarni, 18 Mar 2026). Standard privacy amplification then gives an asymptotic key rate

XX08

which vanishes when XX09; for symmetric channels this corresponds to the familiar XX10 phase-error threshold (Kulkarni, 18 Mar 2026).

Under LPA, the extractable list-key length satisfies

XX11

and therefore, after substituting the BB84 min-entropy lower bound,

XX12

Requiring XX13 yields

XX14

(Kulkarni, 18 Mar 2026). For list size XX15 and XX16, this becomes asymptotically

XX17

which the paper summarizes as a threshold shift from

XX18

(Kulkarni, 18 Mar 2026).

According to (Kulkarni, 18 Mar 2026), this means that standard BB84 with unique-key privacy amplification cannot extract positive key beyond roughly XX19 phase error, whereas BB84 with LPA can tolerate strictly larger phase error for any XX20. The paper also proves tightness in the QKD setting via a matching intercept–resend attack: the attack can be tuned so that the bit and phase error rates lie exactly at the threshold predicted by QLLHL, and beyond the shifted threshold even list privacy amplification cannot generate key (Kulkarni, 18 Mar 2026). This shows that the increased tolerable phase-error threshold is not merely an artefact of analysis.

6. Explicit constructions and computational complexity

The QLLHL is stated for any strongly two-universal family, and (Kulkarni, 18 Mar 2026) gives two explicit constructions.

The first is a polynomial inner-product hash over XX21. Assuming XX22 and XX23, the input XX24 is represented as XX25. For each list position XX26, one samples XX27 and XX28, computes

XX29

and sets

XX30

before encoding as an XX31-bit string (Kulkarni, 18 Mar 2026). The family is strongly two-universal, yields list-XX32-security under the QLLHL bound, uses XX33 random bits per hash, and runs in XX34 bit operations overall, with XX35 working memory per hash and XX36 storage for all keys (Kulkarni, 18 Mar 2026).

The second construction is Toeplitz-based and operates over XX37. For each list element XX38, one samples a Toeplitz generator XX39, defining an XX40 Toeplitz matrix XX41, samples an offset XX42, and computes

XX43

using convolution and FFT-based acceleration (Kulkarni, 18 Mar 2026). Toeplitz hashing is also strongly two-universal, satisfies the same list-XX44 guarantee, uses XX45 random bits per list element, and has total running time XX46 for XX47, with XX48 FFT workspace and XX49 key storage (Kulkarni, 18 Mar 2026).

Construction Seed usage per list element Time
Polynomial inner-product hash over XX50 XX51 bits XX52 total
Toeplitz-based list hash XX53 bits XX54 total

Both constructions satisfy the strong two-universality required by QLLHL (Kulkarni, 18 Mar 2026). The paper characterizes the trade-off as one between conceptual simplicity and FFT-based asymptotic acceleration: inner-product hashing is simpler and linear-time in XX55, whereas the Toeplitz construction is more implementation-intensive but benefits from convolution-based computation (Kulkarni, 18 Mar 2026).

7. Conceptual significance, neighboring frameworks, and limitations

The stated reason for the XX56 gain is index-hiding entropy. In standard privacy amplification, the key is a function XX57 of the source alone, so all usable entropy must come from XX58. In LPA, Alice and Bob derive many outputs XX59, then choose the index XX60 afterwards and keep it hidden from Eve. The pair XX61 therefore draws entropy both from XX62 and from the independent uniform index XX63, yielding the additional XX64 term (Kulkarni, 18 Mar 2026). The analogy with list decoding is structural rather than metaphorical: relaxing uniqueness opens degrees of freedom that are unavailable in the standard formulation (Kulkarni, 18 Mar 2026).

The paper explicitly contrasts LPA with classical fuzzy and list fuzzy extractors. Those constructions concern noisy inputs and classical adversaries, whereas LPA addresses a clean classical source XX65 entangled with arbitrary quantum side information and provides a composable security statement in a quantum setting (Kulkarni, 18 Mar 2026). It states that LPA is the first approach to be simultaneously quantum, list-output, composable, and tight (Kulkarni, 18 Mar 2026).

Other forms of privacy amplification by list-like outputs exist in different settings. “Privacy Amplification via Shuffled Check-Ins” (Liew et al., 2022) studies a shuffle-model protocol in which each round outputs an unordered list of locally randomized reports from independently self-sampled users. There, privacy amplification arises from random participation and shuffling, and the RDP analysis is expressed as a binomial mixture over all possible list sizes XX66 (Liew et al., 2022). This is not LPA in the QKD sense, but it shows that list-structured outputs also play a central role in differential privacy and shuffle-model amplification (Liew et al., 2022). This suggests a broader methodological theme: privacy gains can emerge when the released object is a list whose latent structure conceals the identity or status of a privileged element.

The limitations recorded in (Kulkarni, 18 Mar 2026) are concrete. The model assumes authenticated classical communication and trusted local devices; it is not device-independent. Finite-size corrections XX67 may substantially reduce the asymptotic gain for small block lengths. For very large XX68, the authentication cost of transmitting XX69 scales as XX70 bits of pre-shared key, which can materially reduce net key rate; accordingly, the paper suggests small constant list sizes such as XX71 as more realistic (Kulkarni, 18 Mar 2026). It also does not treat device-independent QKD, continuous-variable QKD, or entropy accumulation frameworks, and identifies low-seed list privacy amplification as an open problem, asking whether nearly optimal seed length can be achieved while remaining information-theoretic (Kulkarni, 18 Mar 2026).

In summary, LPA is a composable reformulation of privacy amplification in which secrecy is attached not to a unique hash output but to a hidden position within a list. The resulting Quantum List Leftover Hash Lemma establishes that the secret index contributes an additive XX72 to the extractable key length, the converse shows that this gain is tight, and the BB84 analysis shows that the effect translates into a genuine increase in tolerable phase error (Kulkarni, 18 Mar 2026). Within the technical landscape of list-based privacy notions, LPA is distinguished by its quantum adversarial model, its AC-level composability, and its explicit identification of hidden index entropy as a cryptographic resource (Kulkarni, 18 Mar 2026).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (3)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to List Privacy Amplification (LPA).