Errors and Their Mitigation at the Kirchhoff-Law-Johnson-Noise Secure Key Exchange

A method to quantify the error probability at the Kirchhoff-law-Johnson-noise (KLJN) secure key exchange is introduced. The types of errors due to statistical inaccuracies in noise voltage measurements are classified and the error probability is calculated. The most interesting finding is that the error probability decays exponentially with the duration of the time window of single bit exchange. The results indicate that it is feasible to have so small error probabilities of the exchanged bits that error correction algorithms are not required. The results are demonstrated with practical considerations.


Introduction 1.1 The KLJN secure key exchange
In today's era, network security has become one of the most important aspects in everyday life.Whether it is a large, small, private, or a government organization, it is very important to focus on security, especially when the data being sent, received, or stored contain confidential, sensitive information, such as personal information.
In private-key based secure communication, the two communicating parties (Alice and Bob) generate and share a secure key, which is typically represented by a random bit sequence.It is important to note that the security of a communication cannot be better than the security of the exchange of the key it uses.During this key exchange, the eavesdropper (often referred to as Eve) is continuously monitoring the related data.In today's Internet-based secure communications, typically a software-based key generation and distribution is utilized.However, in this method the whole information about the secure key is publicly available [1] and Eve's access to this information is limited only by her computational power.In other words, this method provides only a (computationally) conditional security level, which represents a non-future-proof-security [2][3][4].It means that with a sufficiently enhanced computation power or an efficient future algorithm, Eve may be able to crack the key and all the information in the communication may become accessible.Therefore, scientists and researchers have been working on exploring proper laws of physics to find new key exchange schemes where the information that can be measured by Eve is zero.Particularly, they have been exploring key exchange schemes where the amount of information extracted by Eve does not depend on her computational power.When the security measures are determined at Eve's maximal ability (limited only by the laws of physics and the protocols working conditions), that is referred as unconditional security, a term that is often interchanged with information theoretic security [1].Information theoretic (unconditional) security can be perfect if Eve can extract no information, or imperfect, if Eve can extract only a small, commonly accepted amount of information.(This is allowed for practical purpose because this small information leak can further be decreased by privacy amplification, if the fidelity of the key exchange between Alice and Bob is good enough.)These terms are often misunderstood, and it is a frequent mistake in claims to misuse unconditional security and imply perfect security by that.
It is important to emphasize that the goal to generate/distribute a perfectly secure key is similar to approaching infinity.Perfectly secure key distribution of a key of finite length can never be reached with a real physical system within a finite duration of time.However, it is one of the goals of physical informatics to find out schemes that can arbitrarily approach (though never reach) perfect security [2].
The earliest and most famous scheme based on the laws of physics that is claiming unconditional security is the Quantum Key Distribution (QKD) [5].The information theoretic security of this scheme is usually based on the assumption that Eve's actions will disturb the system (in accordance with the theory of quantum measurements and the no-cloning theorem) and cause errors, which uncover the eavesdropping.Note, there are some promising non-QKD initiatives that involve new types of quantum effects [6,7].
Until 2005 QKD was the only accepted scheme that was able to offer a key exchange with information theoretic security in the ideal (mathematical) situation.In 2005, the Kirchhoff-Law-Johnson-(like)-Noise (KLJN) secure key distribution was introduced [28], where the term "totally secure" was used instead of the correct "perfectly secure" expression.Later (2006), the KLJN system had been built and demonstrated [29].KLJN is also a key exchange scheme with information theoretic security [3] and it is based on Kirchhoff's Loop Law of quasi-static electrodynamics and the Fluctuation and Dissipation theorem of statistical physics.Its security against passive attacks is ultimately based on the Second Law of Thermodynamics [28], which means that it is as hard to crack the key exchange as to build a perpetual motion machine (of the second kind).At practical conditions it uses enhanced (electronically generated) Johnson noise with high noise temperature, where quasi-static and thermodynamic aspects must be emulated as exactly as possible in order to approach perfect security.
First, we present a brief description (based on [2][3][4]28]) of the working principle of the KLJN system.The core KLJN system, without the defense circuitry against invasive attacks and vulnerabilities represented by non-ideal building elements is shown in the following figure.The core KLJN channel, see Fig. 1, is a wire line to which Alice and Bob connect randomly selected resistors R A and R B , respectively, where bit and R 1 the high (1) bit, respectively [28].At the beginning of each bit exchange period, BEP, (also called KLJN clock period), Alice and Bob, who possess identical pairs of the resistors R 0 and R 1 , randomly select and connect one of these resistors.The Gaussian voltage noise generators represent either the Johnson noises of the resistors or external noise generators delivering band-limited white noise with publicly known bandwidth and effective noise temperature eff T [2, 3, 28, 29].Alice and Bob measure the mean-square noise voltage and/or current amplitudes, that is 2 ( ) ch u t and/or 2 ( ) ch i t , within the BEP in the line.Thus, by applying Johnson's noise formula and Kirchhoff's loop law the theoretical prediction is that the mean-square noise voltage and current (i.e. the integral of the corresponding power spectral densities [2,28]) for a given channel noise bandwidth KLJN B and temperature eff T are given as follows: where represents ideal (infinite-time) time average, S u,ch ( f ) is the power density spectrum Ideally, by comparing the result of the accurate measurement of the mean-square channel voltage or current with the corresponding theoretical value in Eqs. 1, the total loop resistance will be publicly known.Alice and Bob know their own resistor values and thus they can deduce that resistance value from the loop resistance to learn the resistance at the other end.Consequently, they can distill the actual bit value at the other side of the wire.
If Alice and Bob use the same resistance values, Eve can also recognize that bit situation because the total resistance is either the lowest or the highest value of the three possible resistance values.Thus, the resistor situations ( R 0 , R 0 ) and ( R 1 , R 1 ) represent a non-secure bit exchange since Eve can also find out the resistors values, their exact locations, and the status of the bits.On the other hand, the cases ( R 0 , R 1 ) and ( R 1 , R 0 ), which yield identical mean-square noise in the line, represent a secure bit exchange situation because Eve is unable to locate the resistors, therefore, she cannot decide if Alice (and Bob) has a bit 1 or 0. This security is provided by the Second Law of Thermodynamics, which prohibits any directional information concerning the resistors at the two sides in thermal equilibrium [2,28].In other words, it is as difficult to extract these secure bits by Eve as to build a perpetual motion machine (of the second kind).In conclusion, on average, 50% of the bits can be kept because they are secure.The other 50% of the bits representing the non-secure situations is discarded by the protocol.
Note: the securely exchanged bits have opposite values at Alice and Bob, thus they must publicly agree which one of them will invert the exchanged bit to have identical keys at the two ends. ( The fully armed KLJN system is secure even against the man-in-the-middle-attack [30].One of the important potential applications [32] is to integrate the KLJN system on computer chips and provide unconditional security within computers and high-security instrumentations where the processors, hard drives, keyboards, etc. would secure their communications by keys shared via the KLJN protocol.Another, potential application is, at a much greater scale, to build a network of KLJN systems utilizing already existing wire lines [4,33,34], particularly, realizing and unconditionally secure "smart grid" [4] (advanced electrical power distribution network).

Known attack types
Below, based on [2], we briefly survey all the published attack types.Due to the simplicity of the KLJN system, there are very few attack types available.The method of comparing the instantaneous values of voltage and current at the two ends and discarding risky 01/10 bits [28,30,31] (not discussed here in details) protects against all these types of attacks.But even without discarding the risky bits, passive attacks by Eve utilizing non-idealities suffer from weak signalto-noise ratio due to poor statistics, see below.
A practically unimportant but theoretically valid type of attack was shown by Hao [36] who pointed out that the non-ideal situation of different temperatures could separate the noise levels of the 01 and 10 bit situations, thus they could give out some information to Eve.In a response by Kish [37], it was pointed out that practical problems of accuracy do not challenge the conceptual security of ideal schemes and was estimated that, even at practical situations, the information leak is negligible due to this attack.Later, it was shown in the experimental paper of Mingesz et al. [29] that a modest 14-bit accuracy of temperatures (noise generators) practically prohibit Eve to extract any useful information (with information leak less than 10 -10 ) by utilizing the Hao attack.
Scheuer and Yariv [38] analyzed the case of non-zero wire resistance where the mean-square voltages are different at the two ends in the case of the 01 and 10 bit situations.However, their calculation was incorrect including the physical units of some of the main results.Kish and Scheuer [39] carried out new, correct calculations and showed that the actual effect is about 1000 times weaker than predicted by Scheuer and Yariv.Earlier, Kish pointed out [37] in his response to [36] that at similar conditions Eve's statistic was very poor and the extracted information was practically miniscule even without the defense of discarding the risky bits.This claim was experimentally verified by Mingesz et al. [29], who showed that at clock period of 50 times of the noise correlation time, R 0 = 2000 Ω , R 1 = 9000 Ω , and wire resistance 200 Ω , the information leak of exchanged raw bits to Eve was 0.19% while the fidelity between Alice and Bob was 99.98%.These results indicate that the key exchange has excellent fidelity even without error correction and that the security can be made reasonably good even without dropping the risky 01/10 bits (after current/voltage comparison at the two ends) and without privacy amplification [29].
Liu [41] used a cable simulator to evaluate the impact of delays and reflections on the security.He obtained the surprising results that, with the experimental parameters [6], Eve successfully guessed 70-80% of the key bits.In a critical study of Lui's simulations, Kish and Horvath [31] pointed out that the chosen wave impedances of the simulated cable to reach these results were unphysical: for example, a center wire diameter of 1 millimeter implies a coaxial cable with outer diameter of 28000 times greater than the size of the known universe.
Observing transients after switching the resistors has been mentioned as a potential source of information leak; however, so far they have never been utilized.During the experimental studies, the noise was ramped up at the beginning of the clock period and ramped down at the end, thus the switching of resistors took place when the voltage and currents were zero in the line.
Note, a fully transient-free protocol is described in a recent work [48].
According to [40], one of the most efficient attack types would be utilizing capacitive currents via the cable capacitance, though it has never been tested.Mingesz et al. [29] showed a hardware based defense "capacitance killer" against this attack.Ultimately, the method of discarding the risky bits after current/voltage comparison at the two ends [28,30,31] and/or, in the case of negligible error probability, privacy amplification [35] are the tools to approach perfect security.

Bit errors in the KLJN key exchange
Due to the finite duration τ of the bit exchange period BEP, the measurement results of mean- square amplitudes have statistical inaccuracies.The duration τ of the BEP must be long-enough compared to the correlation time of the noise (approximately the reciprocal noise-bandwidth ) to achieve a satisfactory statistics and safely distinguish between the different resistor situations.Still, with a low probability, these uncertainties can trigger a bit error.
In the experimental demonstration Mingesz et al. [29] were able to optimize the system to have a fidelity of 99.98% (error probability 0.02%) however no mathematical analysis or design tools have been shown to address this problem.Therefore, our goal in this paper is to classify the different types of bit errors in the ideal KLJN system and analyze their impact.

KLJN Errors
In this "startup" paper about error analysis, we assume the ideal situation of the KLJN system where all the non-ideal features of real systems are neglected.The error analysis of non-ideal systems will be done in future works.
Bit errors occur when the actual value of the mean-square noise results in an incorrect bit interpretation.Figure 2  The threshold values 1 Δ and 2 Δ provide the boundaries to interpret the measured mean-square channel voltage over the τ time window, see Fig. 2. The bit interpretation is 00 when  An example for a bit error is the rare occurrence when the finite-time mean-square voltage of the 00 case, u 00 2 (t) τ ≥ u 00 2 (t) + Δ 1 , is interpreted as the 01/10 bit situation, which is incorrect and an example of a bit error.
The different types of errors are shown in Table 1.*The rest of the paper addresses these errors and their probability.Some of the errors situations, as shown in Table 1, are considered to be self-corrected by the protocol.This is because, as aforementioned, the 00 and 11 bit situations are discarded.
The rest of the paper is dealing with the analysis of errors indicated with * in Table 1.

Error probabilities in the KLJN scheme
Alice and Bob can calculate the total resistance in the system by measuring the mean-square noise voltage and/or current amplitudes, that is, u ch 2 (t) τ and/or i ch 2 (t) τ .Below we evaluate the errors in the former case while the case of current-based evaluation can be done in a very similar fashion.

Error probability due to inaccuracies in noise voltage measurements a) Probability of the 00 ==> 01/10 type errors
Let R 0 = R and R 1 = α R with α >> 1. Note, the choice of α does not influence the resulting equations but it determines the upper limit at choosing the values of Δ 1 and Δ 2 (see Eqs. 1).Then, the mean-square channel noise voltage for infinite-time average at the 00 bit situation is given as: where S 00 ( f ) = S u,ch ( f ) at the bit situation 00.Because R || = R / 2 , from Eqs. 1, we obtain: During the BEP, only the duration τ is available for Alice, Bob and Eve to determine the mean- square channel noise because, after that, a new bit exchange begins.The block diagram of the measurement process is shown in Fig. 3.The channel voltage enters into a squaring unit.At its output, the signal is still voltage (because it is a voltage-signal-based electronics) and the numerical value of its instantaneous amplitude is equal to the square of the instantaneous amplitude of the input voltage.This fact is mathematically expressed by Du 00 2 (t) , where D = 1 Volt is the transfer coefficient of the device to provide a Volt unit also for the square [42].After averaging for the finite-time τ duration, the obtained measurement result is Du 00 , where the averaging can be represented by a low-pass filtering with cut-off frequency f B ≈ 1 /τ .
While u 00 2 (t) is not Gaussian, its finite-time average u τ (t) is Gaussian with high accuracy due to the Central Limit Theorem, because τ is much longer than the correlation time of the AC component u 2,00 (t) = Du 00 2 (t) − Du 00 2 (t) of Du 00 2 (t) , as f B << B KLJN .The probability of 00 ==> 01/10 type errors is the probability that the AC component remaining after the finite-time average of Du 00 2 (t) defined as u τ (t) = Du 00 2 (t) τ − Du 00 2 (t) is beyond the threshold: This can be evaluated by the error function, however, requires numerical integration.
To have an analytic formula, which is a good approximation and has the exact scaling in the small error probability limit, that is, when u τ (t) << Δ 1 is satisfied, we can use Rice's formula [43,44] of threshold crossing frequency, see similar solutions for estimating the probability of thermal noise induced switching errors [45][46][47].The estimation of error probability is based on the fact that, in the small error limit, the probability of repeated threshold crossings within the correlation time of the band-limited noise converges to zero.The correlation time of u τ (t) is also equal to τ thus each threshold crossing (in a chosen but fixed direction) indicates an independent error.The ratio of the mean threshold crossing frequency ν(Δ 1 ) and τ is a good estimation of the error probability in this limit [45,46].We compared the predictions of the Rice formula with the prediction based on numerically evaluated error function and found that the Rice formula gave always more pessimistic error estimation.The variation of the threshold resulted in changing the error probability prediction by the Rice formula and the error function by factors of ~10 43 and ~10 44 , respectively.In the large error probability situation, the Rice formula predicted about 2 times greater error while, in the low error probability situation, about 18 times greater error.This is a negligible difference not only due to the 10 43 -10 44 variation during the study but also because the exact error probability slightly depends on the fine details of the protocol not discussed here.To have analytic error estimation, we proceed as follows.
According to Rice, the mean frequency ν of crossing the level Δ 1 by a Gaussian with power density spectrum S τ ( f ) is given as: where S τ ( f ) is the power density spectrum of u τ (t) and ûτ is its RMS value, For normalization purposes, we choose the 1 Δ threshold level as a fraction of the measured mean-square channel noise, where the transfer coefficient D of the squaring unit is also taken into the account: According to [42], the power density spectrum, S 2,00 ( f ) , of the AC component u 2,00 (t) of the (non-averaged) u 00 2 (t) is given as (note typos of missing factor of 2 in Eqs.6 and 7 in [42], see Fig. 4):  Let us suppose that see text above and Figure 3 for explanation of the approximation.The frequency ν ↑ (Δ 1 ) of unidirectional level crossings is half of the level crossing frequency predicted by the Rice formula: where From Eqs. 7 and 9, we obtain In the high threshold situation the errors follow a Poisson statistics, thus the error probability during a time interval is equal to the expected numbers of errors within this interval provided this number is much less than 1.
Thus the probability ε 00 of 00==>01/10 type of errors in the case of ε 00 << 1 is: It is important to realize that the error probability is an exponential function of the parameters.The γ parameter (which is proportional to the length of time average) is particularly important because it is not limited in size.

b) Probability of the 11 ==> 01/10 type errors
We can follow the same procedure as above.Instead of β we introduce δ with similar meaning, see Fig. 2 and Eq.5: where 2 Δ is the threshold for the 11==>01/10 type errors and S 11 ( f ) is the channel noise spectrum at the 11 bit situation.
The same type of calculations as given above yields the probability 11 ε of 11==>01/10 type errors: The error probability is again an exponential function of the parameters.

Illustration of the results with practical parameters
To demonstrate the results, we assign possible practical values to the parameters.
For γ = 100 and 0.5 β = (a choice allowed due to the α >> 1 condition, see Eqs. 1) the bit error probability 00 ε is: which is a value near to the experimental value (0.0002) obtained in [29] with the same γ = 100 value (note the β value is not available in [29] however the β = 0.5 choice is a practical one).If this value is too large, just by increasing the γ parameter (and the time average window τ ) by a factor of 2, and in this way slowing down the bit exchange by the same factor, will result in the square of the above error probability value: which is satisfactory for most applications.It is important to note that no error correction algorithm is used for this error reduction.

Methods and Conclusions
We have classified and analyzed the types of errors of bit exchange between Alice and Bob in the KLJN secure key exchange.Some types of errors are automatically removed by the original protocol.We mathematically analyzed the error probabilities and their dependence on the KLJN parameters of the errors that are not removed by the protocol.We identified the important parameters and the results show that the error probability decays exponentially by increasing these parameters.The most important of such parameters is the duration τ of key exchange because its value is not limited.The results indicate that it is reasonable to achieve error probabilities that are small enough to avoid the need for error correction algorithms.
Further open questions are how to combine current and voltage measurements to further reduce these errors and what is the error situation in the new advanced KLJN protocols proposed recently [48].

Figure 1 .
Figure 1. Outline of the core KLJN secure exchange scheme [2-4, 28] without the defense elements against active (invasive) attacks or attacks utilizing non-ideal components and conditions.
the wire line and the ground and a channel noise current ( ) ch i t in the wire.

Figure 2 .
Figure 2. Illustration of the fluctuations of the finite-time mean-square voltage levels around their exact value and thresholds for interpretation (the scale is arbitrary).

Figure 3 .
Figure 3. Illustration of the measurement process at 00.

Figure 4 .
Figure 4. Power Spectral Density (PSD) of the product of two independent noises.The low-pass filtering effect the time averaging cuts off this spectrum for f > f B but keeps the S 2,00 ( f ) spectrum for f < f B .Because f B << B KLJN , the value of S 2,00 ( f ) within the f B frequency band can be approximated by its maximum, S τ ( f ) ≈ S 2,00 (0) .Figure5summarizes these findings.
represents the mean-square channel noise voltage levels, where