JP4231926B2 - Quantum key distribution method and communication apparatus - Google Patents

Description

  The present invention relates to a quantum key distribution method capable of generating a highly secure common key, and in particular, a quantum key distribution method capable of correcting a data error using an error correction code and The present invention relates to a communication device capable of realizing quantum key distribution.

  Hereinafter, a conventional quantum cryptography system will be described. In recent years, optical communication is widely used as a high-speed and large-capacity communication technology. In such an optical communication system, communication is performed by turning on / off light, and a large number of photons are transmitted when turned on. Therefore, it is not a communication system in which the quantum effect appears directly.

  On the other hand, in a quantum cryptography system, photons are used as a communication medium, and 1-bit information is transmitted by one photon so that a quantum effect such as an uncertainty principle occurs. At this time, if the eavesdropper appropriately selects a base without knowing the quantum state such as polarization and phase and measures a photon, the quantum state changes. Therefore, on the receiving side, it is possible to recognize whether or not the transmission data has been wiretapped by confirming the change in the quantum state of the photon.

  FIG. 9 is a diagram showing an outline of conventional quantum key distribution using polarized light. For example, a measuring instrument capable of discriminating horizontal and vertical polarization correctly discriminates between light polarized in the horizontal direction (0 °) and light polarized in the vertical direction (90 °) on the quantum communication path. On the other hand, a measuring device capable of discriminating polarized light in an oblique direction (45 °, 135 °) correctly identifies light polarized in the 45 ° direction and light polarized in the 135 ° direction on the quantum communication path.

  In this way, each measuring device can correctly recognize light polarized in a prescribed direction, but can identify light polarized in an oblique direction in the horizontal and vertical directions (0 °, 90 °), for example. When measured with a measuring instrument, light polarized in the horizontal direction and the vertical direction is randomly identified with a probability of 50%. That is, when a measuring instrument that does not correspond to an identifiable polarization direction is used, even if the measurement result is analyzed, the polarized direction cannot be correctly identified.

  In the conventional quantum key distribution shown in FIG. 9, a key is shared between a sender and a receiver without using the above-described uncertainty (randomness) (for example, Non-Patent Document 1). reference). In addition, the sender and the receiver can use the public communication channel in addition to the quantum communication channel.

  Here, a key sharing procedure will be described. First, the sender generates a random number sequence (sequence of 1, 0: transmission data), and further transmits a transmission code (+: corresponds to a measuring device that can identify light polarized in the horizontal and vertical directions, x: in an oblique direction (Corresponding to a measuring device capable of discriminating polarized light) is determined at random. The combination of the random number sequence and the transmission code automatically determines the polarization direction of the transmitted light. Here, the light polarized in the horizontal direction by the combination of 0 and +, the light polarized in the vertical direction by the combination of 1 and +, the light polarized in the 45 ° direction by the combination of 0 and x, 1 The light polarized in the 135 ° direction by the combination of and x is transmitted to the quantum communication path (transmission signal).

  Next, the receiver randomly determines a reception code (+: a measuring device that can discriminate light polarized in the horizontal and vertical directions, x: a measuring device that can discriminate light polarized in the oblique direction), and quantum The light on the communication path is measured (received signal). Then, received data is obtained by a combination of the received code and the received signal. Here, as received data, a combination of light polarized in the horizontal direction and + is 0, a combination of light polarized in the vertical direction and + is 1, and a combination of light polarized in the 45 ° direction and x is x. 0 is obtained, and 1 is obtained by the combination of light polarized in the 135 ° direction and x.

  The receiver then sends the received code via the public channel to determine whether his measurement is based on the same basis as the sender, i.e., whether the measurement was made with the correct instrument. To the sender. The sender who has received the received code checks whether or not the measurement has been performed with the correct measuring device, and returns the result to the receiver via the public communication path.

  Next, the receiver leaves only the received data corresponding to the received signal received by the correct measuring instrument and discards the others. At this point, the remaining received data can be shared between the sender and the receiver.

  Next, the sender and the receiver transmit a predetermined number of data selected from the shared data to the respective communication partners via the public communication path. Then, it confirms whether the received data matches the data it has. For example, if at least one of the confirmed data does not match, it is determined that there is an eavesdropper, the shared data is discarded, and the key sharing procedure is restarted from the beginning. On the other hand, if all the confirmed data matches, it is determined that there is no eavesdropper, the data used for confirmation is discarded, and the remaining shared data is used as a shared key between the sender and the receiver.

Bennett, C. H. and Brassard, G .: Quantum Cryptography: Public Key Distribution and Coin Tossing, In Proceedings of IEEE Conference on Computers, System and Signal Processing, Bangalore, India, pp.175-179 (DEC.1984).

  However, since the conventional quantum key distribution shown in FIG. 9 does not assume an error communication path, if there is an error, the common data (common key) is discarded as if there is an eavesdropping action. There is a problem that the generation efficiency of the common key becomes very poor depending on the transmission path.

  The present invention has been made in view of the above, and achieves high key generation efficiency by correcting a data error on a transmission path using an error correction code having extremely high characteristics, and a transmitter and a receiver. The purpose is to obtain a highly secure quantum key distribution method even in a practical implementation where there is an error.

  In order to solve the above-described problems and achieve the object, a quantum key distribution method according to the present invention is a first communication device that transmits photons on a quantum communication channel in a quantum state defined by a combination of a random number sequence and a basis. , And a second communication device that obtains data defined by the combination of the measurement result and the basis of the photon on the quantum communication path, and obtains the data obtained by the measurement using the same basis as the transmission side. 1 is a quantum key distribution method in which the first transmission data is a random number sequence corresponding to the first reception data, and each communication device, for example, includes the first transmission data and the first transmission data. A predetermined number of data at the same bit position is extracted from each received data, and the extracted partial data is mutually notified via a public communication channel, and then the degree of agreement (error probability) of both partial data And an error probability estimating step for estimating an error probability of data used for key generation, and first data using the remaining data other than the disclosed partial data as second transmission data and second reception data, respectively. And a compression step, wherein the first communication device notifies the second communication device of predetermined error correction information via a public communication path, and the second communication device is based on the error correction information. An error correction step for correcting an error in the second received data, and compressing the second transmission data and the second received data after the error correction according to the amount of the disclosed error correction information; The second data compression step in which the third transmission data and the third reception data are used as the data, and whether each communication device matches the third transmission data and the third reception data. Predetermined determination information for determining whether or not the information is transmitted to each other via the public communication path, and further, the determination processing is performed based on the determination information. A match determination step of discarding data and the third reception data; and if the determination result is a match, compressing the third transmission data and the third reception data according to the amount of determination information disclosed, Based on a third data compression step in which the compressed data is the fourth transmission data and the fourth reception data, respectively, the error probability estimation value, and the quantum state (transmission state) of the output of the first communication device An information amount estimation step for estimating the amount of information leaked to the eavesdropper through the quantum communication channel, and the fourth transmission data and the fourth reception based on the estimated value of the information amount leaked to the eavesdropper And a shared key generating step of compressing the data and using the compressed data as an encryption key shared between the communication devices.

  In the next invention, in the error probability estimation step, the error probability is set so as to satisfy a predetermined “upper limit value of the probability that the estimated error probability is estimated to be smaller than the true error probability”. Is estimated.

  In the next invention, the determination information used in the coincidence determination step is information corresponding to the number of bits determined according to the safety required by the system.

  In the next invention, in the information amount estimating step, the transmission state is disclosed to the second communication device in advance, and both the first communication device and the second communication device are used. The amount of information leaked to an eavesdropper is estimated.

  In the next invention, in the information amount estimation step, an amount of information leaked to an eavesdropper in the first communication device is estimated, and the estimated value is transmitted to the second communication via a public communication path. The communication device is notified.

  In the next invention, photons are transmitted on a quantum communication path in a quantum state defined by a combination of a random number sequence and a basis, and data obtained by measurement using the same basis as that on the transmitting side is transmitted to the communication device on the photon receiving side. In the communication device on the photon transmission side using the corresponding random number sequence as the first transmission data, for example, data of a predetermined number of bit positions is extracted from the first transmission data, and the extracted partial data is Data to be used for key generation based on the degree of coincidence (error probability) with partial data at the same bit position obtained from the receiving side communication device via the public communication path The error probability estimation function that uses the remaining data other than the public partial data as the second transmission data and the predetermined error correction information via the public communication path An error correction function that notifies the second communication device, compresses the second transmission data in accordance with the amount of error correction information disclosed, and sets the compressed data as third transmission data; Determination information for determining whether transmission data and data obtained from the communication device on the reception side match is notified to the communication device on the reception side via a public communication path, and determination based on the determination information If the results do not match, the third transmission data is discarded. On the other hand, if the determination results match, the third transmission data is compressed according to the amount of determination information disclosed, and the compressed data is 4 based on the estimated value of the amount of information leaked to the eavesdropper, and the estimation function for estimating the amount of information leaked to the eavesdropper through the quantum communication path Compress the data and use the compressed data And having a, a shared key generation function to share the encryption key in.

  In the next invention, photon reception in which data obtained by measurement using the same base as that on the transmission side is the first received data among the data defined by the combination of the photon measurement result and the base on the quantum communication path. In the communication device on the side, for example, data of a predetermined number of bit positions is extracted from the first received data, and the extracted partial data is notified to the communication device on the photon transmission side via the public communication path Then, based on the degree of coincidence (error probability) with the partial data at the same bit position obtained from the communication device on the transmitting side, the error probability of the data used for key generation is estimated. The error of the second received data is corrected based on an error probability estimation function that uses the remaining data as second received data and error correction information obtained from the communication device on the transmitting side. An error correction function that compresses the second received data after error correction according to the amount of error correction information disclosed by the communication device on the transmitting side, and uses the compressed data as third received data; Notification information for determining whether or not third received data matches with data obtained from the transmission-side communication device is notified to the transmission-side communication device via a public communication path, and the determination is made. If the determination result based on the information does not match, the third reception data is discarded. On the other hand, if the determination result is the same, the third reception data is compressed according to the amount of the determination information disclosed, and after the compression A matching determination function using the received data as the fourth received data, an estimation function for estimating the amount of information leaked to the eavesdropper through the quantum communication path, and the estimated value of the information amount leaked to the eavesdropper Compress the fourth received data, And having a, a shared key generation function of a cryptographic key shared between the device data after condensation.

  In the next invention, photon reception in which data obtained by measurement using the same base as that on the transmission side is the first received data among the data defined by the combination of the photon measurement result and the base on the quantum communication path. In the communication device on the side, for example, data of a predetermined number of bit positions is extracted from the first received data, and the extracted partial data is notified to the communication device on the photon transmission side via the public communication path Then, based on the degree of coincidence (error probability) with the partial data at the same bit position obtained from the communication device on the transmitting side, the error probability of the data used for key generation is estimated. The error of the second received data is corrected based on an error probability estimation function that uses the remaining data as second received data and error correction information obtained from the communication device on the transmitting side. An error correction function that compresses the second received data after error correction according to the amount of error correction information disclosed by the communication device on the transmitting side, and uses the compressed data as third received data; Notification information for determining whether or not third received data matches with data obtained from the transmission-side communication device is notified to the transmission-side communication device via a public communication path, and the determination is made. If the determination result based on the information does not match, the third reception data is discarded. On the other hand, if the determination result is the same, the third reception data is compressed according to the amount of the determination information disclosed, and after the compression 4th received data based on the coincidence determination function using the received data as fourth received data and the “estimated value of information amount leaked to eavesdropper through quantum communication channel” obtained from the communication device on the transmitting side Compress the data after compression. And having a, a shared key generation function of a cryptographic key shared between the device data.

  According to the present invention, the error probability estimation step, the error correction step, the coincidence determination step, and the information amount estimation step are executed, and further, an eavesdropping is performed through the information amount and the quantum communication path disclosed via the public communication path in the process. The data is compressed based on the estimated amount of information leaked to the user, and the compressed data is used as a shared encryption key between apparatuses. As a result, even in a practical implementation, there is an effect that it is possible to efficiently generate a highly secure common key.

  Hereinafter, embodiments of a quantum key distribution method and a communication device according to the present invention will be described in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

  Quantum key distribution is a key distribution method that guarantees security regardless of the computational capability of an eavesdropper. For example, in order to generate a shared key more efficiently, data generated by passing through a transmission path is used. It is necessary to remove the mistake. Therefore, in this embodiment, quantum key distribution in the case where error correction is performed using a low-density parity check (LDPC) code that is known to have extremely high characteristics will be described. .

FIG. 1 is a diagram showing a configuration of a communication device (transmitter, receiver) in a quantum cryptography system according to the present invention. The quantum cryptography system, a transmitting communication device having a function of transmitting the information m _a, information m _a which affected such as noise on a transmission path, that is, the reception side having the function of receiving the information m _b And a communication device.

The communication apparatus on the transmission side, an encryption key based on the transmitted information m _a through a quantum communication path, the amount of information leaked to the information and eavesdropper to send and receive further through the public communication path (estimated amount) An encryption key generation unit 1 that generates (a common key with the receiving side), and a communication unit 2 that exchanges data encrypted by the encryption unit 21 based on the encryption key via a public communication path. comprises, receiving communication device based on the received information m _b through the quantum communication path, the amount of information leaked to the information and eavesdropper to send and receive further through the public communication path (estimated value) An encryption key generation unit 3 that generates an encryption key (a common key with the transmission side), and a communication unit that exchanges data encrypted by the encryption unit 42 based on the encryption key via a public communication path 4 is provided.

  The encryption key generation unit 1 includes a parity check matrix generation unit 10, a random number generation unit 11, a photon generation unit 12, a public channel communication unit 13, a syndrome generation unit 14, and a shared key generation unit 15. The encryption key generation unit 3 includes a parity check matrix generation unit 30, a random number generation unit 31, a photon reception unit 32, a syndrome decryption unit 33, a public channel communication unit 34, and a shared key generation unit. 35.

In the communication device on the transmission side, as information m _a transmitted on the quantum communication path, light polarized in a predetermined direction using a polarizing filter (see FIG. 9) is transmitted to the communication device on the reception side. On the other hand, the communication device on the receiving side uses a measuring device that can identify polarized light in the horizontal and vertical directions (0 °, 90 °) and a measuring device that can identify polarized light in the oblique direction (45 °, 135 °), Discriminate between light polarized in the horizontal direction (0 °), light polarized in the vertical direction (90 °), light polarized in the 45 ° direction, and light polarized in the 135 ° direction on the quantum channel. . Note that each measuring device can correctly recognize light polarized in a prescribed direction, but for example, measurement capable of distinguishing polarized light in the horizontal and vertical directions (0 °, 90 °) from light polarized in an oblique direction. When measured by the instrument, the light polarized in the horizontal direction and the vertical direction is randomly identified with a probability of 50%. That is, when a measuring instrument that does not correspond to an identifiable polarization direction is used, even if the measurement result is analyzed, the polarized direction cannot be correctly identified.

  Hereinafter, the operation of each communication device in the quantum cryptography system, that is, the quantum key distribution in the present embodiment will be described in detail. FIG. 2 is a flowchart showing quantum key distribution according to the present embodiment. Specifically, FIG. 2-1 shows processing of the communication device on the transmission side, and FIG. 2-2 shows processing of the communication device on the reception side. Show.

First, in the communication device on the transmission side and the communication device on the reception side, the parity check matrix generation units 10 and 30 obtain a parity check matrix H (n columns × k rows) of a specific linear code, and this parity check matrix H To obtain a generator matrix G ((n−k) columns × n rows) satisfying “HG = 0”, and further, an inverse matrix G ⁻¹ (n columns) of G ⁻¹ · G = I (unit matrix) X (n−k) rows) (step S1, step S11). In the present embodiment, quantum key distribution in the case where an LDPC code having excellent characteristics very close to the Shannon limit is used as the specific linear code will be described. In this embodiment, the LDPC code is used as the error correction method. However, the present invention is not limited to this, and another linear code such as a turbo code may be used. Further, for example, any matrix H may be used as long as error correction information (syndrome), which will be described later, and information m _A are ensured in linearity.

  Here, the configuration method of the LDPC code in the parity check matrix generation unit 10 will be described in detail with respect to the configuration method of “Irregular-LDPC code” based on finite affine geometry (an example of step S1 in FIG. 2). FIG. 3 is a flowchart showing an example of a configuration method of “Irregular-LDPC code” based on finite affine geometry. Note that the parity check matrix generation unit 30 performs the same processing as that of the parity check matrix generation unit 10, and thus the description thereof is omitted. Moreover, the parity check matrix generation unit 10 may perform the parity check matrix generation processing according to the present embodiment, for example, according to a set parameter, or may be performed by another control device (such as a computer) outside the communication device. It may be executed. When the check matrix generation processing in the present embodiment is executed outside the communication device, the generated check matrix is stored in the communication device. In the following embodiments, a case will be described in which the parity check matrix generation unit 10 performs a check matrix generation process.

First, the parity check matrix generation unit 10 selects a finite affine geometric code AG (2, 2 ^s ) as a base of the check matrix for the “Irregular-LDPC code” (FIG. 3, step S21). Here, the row weight and the column weight are each 2 ^s . FIG. 4 is a diagram showing a matrix of finite affine geometric codes AG (2, 2 ² ), for example (blank represents 0). Next, the parity check matrix generation unit 10 determines the coding rate rate (1-syndrome length / key length) (step S22).

  Next, the parity check matrix generation unit 10 uses the optimization based on the Gaussian approximation method to calculate the column weight distribution after division (division into n columns × k rows) based on the coding rate rate. The line weight distribution is obtained (step S23).

  Finally, the parity check matrix generation unit 10 divides the rows and columns in the finite affine geometry based on the weight distribution obtained above (step S24), and generates a parity check matrix H of n columns × k rows. . At this time, the finite affine geometric code division processing according to the present embodiment does not divide regularly but divides by randomly extracting the number “1” from each row or each column. Note that this extraction process may use any method as long as the randomness is maintained.

For example, the row number of “1” in one column in AG (2, 2 ⁵ )
B _l (x) = {1 32 114 136 149 223 260 382 402 438 467 507 574 579 588 622 634 637 638 676 717 728 790 851 861 879 947 954 971 977 979 998}
In the case of, in the first to fourth columns R _m (n) in the divided matrix, the number “1” is randomly extracted from B _l (x).
R ₁ (n) = {1 114 574 637 851 879 977 979}
R ₂ (n) = {32 136 402 467 588 728 861 971}
R ₃ (n) = {149 260 382 438 579 638 717 998}
R ₄ (n) = {223 507 622 634 676 790 947 954}
It becomes.

  As described above, in the present embodiment, by performing the “Irregular-LDPC code” configuration method based on the finite affine geometry shown in FIG. 3, a deterministic and stable characteristic for the “Irregular-LDPC code” is obtained. A check matrix H (n columns × k rows) is generated.

As described above, after generating the parity check matrix H and the generation matrices G and G ⁻¹ (G ⁻¹ · G = I: unit matrix), the random number generation unit 11 in the communication device on the transmission side A column (1,0 column: transmission data) is generated, and a transmission code (+: a code corresponding to a measuring device that can discriminate light polarized in the horizontal and vertical directions, x: light polarized in an oblique direction A code corresponding to an identifiable measuring instrument) is randomly determined (step S2). On the other hand, in the communication device on the receiving side, the random number generation unit 31 identifies the received code (+: a code corresponding to a measuring device that can identify light polarized in the horizontal and vertical directions, x: light polarized in the oblique direction) A code corresponding to a possible measuring instrument) is randomly determined (step S12).

  Next, in the communication device on the transmission side, the photon generator 12 transmits photons in the polarization direction automatically determined by the combination of the random number sequence and the transmission code (step S3). For example, light polarized in the horizontal direction with a combination of 0 and +, light polarized in the vertical direction with a combination of 1 and +, and light polarized in the 45 ° direction with a combination of 0 and x Lights polarized in the 135 ° direction with a combination of × are transmitted to the quantum communication paths (transmission signals).

  The photon receiver 32 of the receiving communication device that has received the optical signal generated by the photon generator 12 measures the light on the quantum communication path (received signal). Then, received data automatically determined by the combination of the received code and the received signal is obtained (step S13). Here, as received data, a combination of light polarized in the horizontal direction and + is 0, a combination of light polarized in the vertical direction and + is 1, and a combination of light polarized in the 45 ° direction and x is x. 0 is obtained, and 1 is obtained by the combination of light polarized in the 135 ° direction and x.

  Next, in the communication device on the receiving side, in order to check whether the above measurement is performed using the same base as that on the transmitting side, that is, whether the measurement is performed with a correct measuring instrument, The reception code (base) corresponding to the reception data and the position where the photon could not be detected are transmitted to the communication device on the transmission side via the public communication path (step S13). In the communication device on the transmission side that has received the reception code, the random number generation unit 11 checks whether the measurement at the position where the photon can be detected on the reception side has been performed by the correct measuring device, and discloses the investigation result. The data is transmitted to the receiving side communication device via the communication path (step S3).

Then, in the communication device on the receiving side, the random number generation unit 31 leaves only the received data measured by the correct measuring device based on the investigation result and discards the others (step S13). Also in the communication device on the transmission side, the random number generator 11 leaves only the transmission data corresponding to the reception data measured by the correct measuring device on the reception side, and discards others (step S3). afterwards,
A set of remaining bit positions: data (transmission data m _A [C] and reception data m _B [C]) corresponding to C is stored in a memory or the like (m _B [C] is an influence of noise or the like on the transmission path) _{M A} [C].

Next, the reception side communication device and the transmission side communication device check the degree of coincidence between the transmission data m _A [C] and the reception data m _B [C] (steps S4 and S14). Specifically, first, the shared key generation unit 15 reads out the transmission data m _A [C], a set of bit positions of the bit position used to match-checking (transmission data m _A [C]: randomly extracted from C The bit position subset: R) is transmitted to the communication device on the receiving side via the public communication path. Note that the disclosure of the subset R may be performed by a communication device on the receiving side. At this point, the subset R can be shared between the transmitting side and the receiving side. Then, the shared key generation unit 15 sends a part of the transmission data m _A [C] corresponding to the subset R, that is, the transmission data m _A [R] to the receiving side communication device via the public communication path. Send.

On the other hand, in the shared key generation unit 35 of the communication device on the reception side, a part of the reception data m _B [C] corresponding to the subset R, that is, the reception data m _B [R] is transmitted to the transmission side via the public communication path. To the other communication device. Since the subset: R is open to the public, transmission data m _A (n) and reception data m _B (n) corresponding to other n (= CR) bits are data for generating a shared key. It becomes. In the present embodiment, for example, if the subset R is large, the accuracy of the matching level check is improved, but the key length is shortened. Conversely, if the subset: R is small, the matching level check is performed. Although the accuracy decreases, the key length can be increased.

Thereafter, the shared key generation unit 15 compares the transmission data m _A [R] with the reception data m _B [R] sent from the reception side. For example, the number of subsets R and n _R (the number of sets of remaining bit positions and n _CR), when the number of data that did not match the results of comparison (number of errors) was n _e, the received data The error probability P _R = _ne / n _R of m _B [R] is obtained. On the other hand, the shared key generation unit 35 compares the reception data m _B [R] with the transmission data m _A [R] sent from the transmission side, and similarly to the above, the error probability P of the reception data m _B [R]. Request _R = n _e / n _R. At this point, the error probability P _R is can be shared by the sender and the receiver.

Then, the shared key generation unit 15, as a final result of the match-checking, for example, based on the error probability P _R, to calculate the estimated value P _E error probability by the following equation (1). Here, a security parameter Δp ^* is introduced.
_{P E = n e / n R} + Δp * ... (1)

At this time, the upper limit value ε ^* of the probability P _r [P _E ≦ P _T ] that the estimated value P _E of the error probability is estimated to be smaller than the true value P _T is _expressed as follows using the security parameter Δp ^*. It is given by equation (2). The upper limit value ε ^* shown below is only required to be an upper limit value of the probability that the estimated value P _E is estimated to be smaller than the true value P _T , and its form is not limited to the following equation (2). The same applies to the following ε ₀ ^* and ε ₁ ^* .
ε ^* = exp (−2n _R (Δp ^* ) ² ) ≧ P _r [P _E ≦ P _T ] (2)

Also in the shared key generation unit 35, obtains an estimated value P _E error probability in the same process. In the above description, ε ^* is a fixed value and the security parameter Δp ^* is obtained so as to be equal to or less than ε ^* . However, the present invention is not limited to this, and ε ^* is such that Δp ^* is fixed and the error probability P _E is satisfied ^. It is good also as seeking.

Next, in the communication device on the transmission side, the syndrome generation unit 14 uses the parity check matrix H (n columns × k rows) and the transmission data m _A (n) to generate a syndrome S _A = Hm _{A of} m _A (n). (N) is calculated, and the result is notified to the communication device on the receiving side via the public communication path (step S5). Figure 5 is a diagram showing S _A generated by the syndrome generating unit 14. At this stage, the syndrome S _A (k bits of information) of m _A (n) may be known to the eavesdropper. On the other hand, the receiving side of the communication device receives the syndrome S _A of m _A (n) in the public communication path communication unit 34, and notifies the syndrome decoding unit 33 (step S15).

The syndrome decoding unit 33 calculates a syndrome S _B = Hm _B (n) of m _B (n) using the parity check matrix H generated in advance the received data m _B (n), further, m _A The syndrome S = S _A + S _B is calculated using the syndrome S _{A in} (n) and the syndrome S _B in m _B (n). Then, the transmission data m _A (n) is estimated based on the syndrome S. That is, the received data m _B (n) ′ after error correction is obtained (step S16). here,
m _B (n) = m _A (n) + e (noise etc.) (3)
Then, after modifying the syndrome S as shown in the following equation (4), e is obtained by syndrome decoding, and the transmission data is estimated. Note that + in S _A + S _B , m _A (n) + e represents an exclusive OR.
S = S _A + S _B
= Hm _A (n) + Hm _B (n)
= H (m _A (n) + m _B (n))
= H (m _A (n) + m _A (n) + e)
= He (4)

Next, in the communication device on the receiving side, the shared key generation unit 35 makes the error correction information (the information for the k bits that may have been wiretapped: S _A ) disclosed in the processes of steps S5 and S15. Accordingly, a part of the reception data m _B (n) ′ is discarded, and reception data m _B (n−k) ′ having an information amount of (n−k) bits is generated (step S17). That is, the shared key generation unit 35 generates reception data m _B (n−k) ′ by the following equation (5) using G ⁻¹ (n × (n−k)) calculated in advance. .
m _B (n−k) ′ = G ⁻¹ m _B (n) ′ (5)

On the other hand, also in the communication device on the transmission side, the shared key generation unit 15 transmits the transmission data m _A (n) according to the publicly disclosed error correction information (the information for the k bits that may have been wiretapped: S _A ). ) Is discarded, and transmission data m _A (n−k) having an information amount of n−k bits is generated (step S6). That is, the shared key generation unit 15 generates transmission data m _A (n−k) by the following equation (6) using G ⁻¹ (n × (n−k)) calculated in advance.
m _A (n−k) = G ⁻¹ m _A (n) (6)

Next, in the communication device on the transmission side and the communication device on the reception side, it is checked whether the transmission data m _A (n−k) and the reception data m _B (n−k) ′ match each other (step S7). , Step S18). Specifically, first, shared key generation units 15 and 35 determine security parameter: s. This security parameter s (corresponding to the bit length disclosed in this step) is a value determined according to the safety required by the system. If it is a fixed value, both are stored in advance and are variable values. If there is, either one will be open to the other. When the security parameter s is large, the key length is shortened but the safety is improved. On the other hand, when the security parameter s is small, the security is lowered but the key length can be increased.

For example, either the one of the shared key generation unit, (n-k) to generate a random matrix M _PC columns × s rows, and transmits the random matrix M _PC, via a public communication path to the other communication device . At this point, random matrix M _PC is can be shared by the sender and the receiver. Further, each shared key generation unit obtains a generation matrix G (M _PC ) of (n−k−s) columns × (n−k) rows satisfying “M _PC G = 0” from the random matrix M _PC. Further, an inverse matrix G ⁻¹ (M _PC ) of G (M _PC ) satisfying G ⁻¹ (M _PC ) · G (M _PC ) = I (unit matrix) is obtained (G ⁻¹ (M _PC )) (N−k) column × (n−k−s) row matrix).

Then, for example, the shared key generation unit 15 calculates “random matrix M _PC × transmission data m _A (n−k)” and discloses information M _PC m _A (n−k) corresponding to security parameter s bits. The data is transmitted to the communication device on the receiving side via the communication path. FIG. 6A is a diagram illustrating information M _PC m _A (n−k). On the other hand, the shared key generation unit 35 calculates “random matrix M _PC × received data m _B (n−k) ′” and discloses information M _PC m _B (n−k) ′ corresponding to security parameter s bits. The data is transmitted to the communication device on the transmission side via the communication path. FIG. 6B is a diagram illustrating information M _PC m _B (n−k) ′.

Thereafter, in the shared key generation unit 15, the information M _PC m _B (n−k) ′ obtained from the communication device on the receiving side matches the information M _PC m _A (n−k) as the calculation result. Check if it is. If they match, the following equation (7) is calculated to compress the transmission data m _A (n−k). That is, (n−k−s) -bit transmission data m _A ′ after compression is obtained. FIG. 7A is a diagram illustrating transmission data m _A ′. If they do not match, the transmission data m _A (n−k) is discarded.
m _A ′ = G ⁻¹ (M _PC ) m _A (n−k) (7)

In the shared key generation unit 35, the information M _PC m _A (n−k) obtained from the communication device on the transmission side coincides with the information M _PC m _B (n−k) ′ that is the calculation result. Check if it is. If they match, the following equation (8) is calculated to compress the received data m _B (n−k) ′. That is, (n−k−s) -bit received data m _B ′ after compression is obtained. FIG. 7-2 is a diagram showing received data m _B ′. If they do not match, the received data m _B (n−k) ′ is discarded.
m _B ′ = G ⁻¹ (M _PC ) m _B (n−k) ′ (8)

In the present embodiment, the received data m _B (n−k) ′ after error correction and the transmitted data m _A (n−k) do not match even though they match in the above check. The probability ε is
ε = 2 ^−s (9)
The probability decreases when s is large, and the probability increases when s is small.

  Next, in the communication device on the transmission side and the communication device on the reception side, the information amount T leaked to the eavesdropper through the quantum communication path is estimated (step S8, step S19). Here, the information amount T (estimated value of the information amount leaked through the quantum communication path) leaked to the eavesdropper in both the transmission side communication device and the reception side communication device may be calculated, or Alternatively, T may be calculated by the communication device on the transmission side, and the result may be disclosed to the reception side. Below, especially the case where T is calculated by both is demonstrated.

In the communication apparatus on the transmission side, for example, when the transmitter is ideal (when there is no transmitter error: 0 °, 45 °, 90 °, 135 °), the shared key generation unit 15 causes the transmission data m _{A to be} transmitted. Based on ′ and the estimated value P _E of error probability, the amount of information T leaked to the eavesdropper is calculated as in the following equation (10).
T = | m _A ′ | H ₂ (P _E )
H ₂ (P _E ) = − P _E logP _E − (1−P _E ) log (1−P _E ) (10)

Similarly, in the communication apparatus on the reception side, the shared key generating unit 35, based on the estimated value P _E of the received data m _B 'and the error probability, as described below (11), leakage in eavesdropper Information amount T is calculated.
T = | m _B ′ | H ₂ (P _E ) (11)

On the other hand, when the transmitter is not ideal (when there is a transmitter error), in the communication device on the transmission side, the shared key generation unit 15 calculates the amount of information T leaked to the eavesdropper as described below. . First, the quantum states (transmission states including transmitter errors) of photons polarized in the 0 °, 90 °, 45 °, and 135 ° directions that are actually output from the transmitter are represented by ρ ₀₀ , ρ ₀₁ , ρ ₁₀ , ρ _It is expressed as ₁₁ . The quantum states ρ ₀₀ , ρ ₀₁ , ρ ₁₀ , and ρ ₁₁ are disclosed in advance to the communication device on the receiving side. However, when T is calculated by the communication device on the transmission side and the result is disclosed to the reception side, it is not necessary to disclose the quantum states ρ ₀₀ , ρ ₀₁ , ρ ₁₀ , ρ ₁₁ .

In this state, the shared key generation unit 15 matches the base used on the transmission side with the subset R of the bit positions, and further uses data (transmission data m _A ′ and reception data m _B ′) used for key generation. The upper limit value P _F ^* of the error probability P _F when the receiving side observes using the inverted base in the set K of bit positions (corresponding to the above) is calculated by the following equation (12). Here, the number of sets K is n _K , and the superscript T represents a complex conjugate transpose.
^{_{P F * = P E + n}} K T r | Δ | / 2 = P E + n K T r (√Δ T Δ) / 2
Δ = (ρ ₀₀ + ρ ₀₁ −ρ ₁₀ −ρ ₁₁ ) / 2 (12)

When error estimation and error correction are performed at the same time, for example, an appropriate linear code family is formed, and adaptive decoding is performed by additional syndrome processing. In such a case, the calculation formulas of P _F ^* and ε ^* are replaced with the following formula (13).
^{_{P F * = P E + n}} K T r | Δ | / 4 = P E + n K T r (√Δ T Δ) / 4
ε ^* = 1− (1-ε ′) ²
ε ′ = exp (−n _R (Δp ^* ) ² ) (13)
However, R = K, is an n _R = n _K.

Further, the holevo capacity when the 0 ° and 90 ° bases are used on the transmission side is C _0, and the holevo capacity when the 45 ° and 135 ° bases are used is C _1, and C ₀ and C ₁ is calculated by the following equations (14) and (15) using von Neumann entropy: “S (ρ) = − T _r ρlogρ”.
C ₀ = S (ρ ₀ ) − (S (ρ ₀₀ ) + S (ρ ₀₁ )) / 2
ρ ₀ = (ρ ₀₀ −ρ ₀₁ ) / 2 (14)
C ₁ = S (ρ ₁ ) − (S (ρ ₁₀ ) + S (ρ ₁₁ )) / 2
ρ ₁ = (ρ ₁₀ −ρ ₁₁ ) / 2 (15)

The condition for the above error probability P _F can be considered a condition for operation to transmit quantum states by eavesdropper. Thereby, the amount of information leaked to the eavesdropper can be estimated according to the following procedure. First, in the same manner as described above, a case where the receiving side performs measurement using a base opposite to the transmitting side in the data portion is considered, and the measured value is fixed. Further, consider a mixed state of transmission quantum states in which the measured value and error probability are related to P _F. Introducing a projection operator that preserves this mixed state with a high probability (states match before and after projection), and fixed the transmission state (transmission data) by applying this projection operator to the transmission state. In this case, the upper limit value of the conditional probability related to the measured value of the eavesdropper is obtained. From this upper limit, it is possible to estimate the conditional information amount (conditional entropy) of the measurement value of the eavesdropper when the transmission data is used as a condition. Can be estimated. By maximizing this with respect to the transmission state and the measured value on the receiving side under the condition of “P _F ≦ P _F ^* ”, the upper limit value of the amount of information leaked to the eavesdropper can be obtained. The implementation example of the above procedure is shown below.

Here, the shared key generation unit 15 uses the error probability P _F and the quantum states ρ ₀₀ , ρ ₀₁ , ρ ₁₀ , ρ _11, and uses the four mixed states P ₀ , P ₀ ′, P ₁ , P ₁ ′. Are obtained by the following equations (16) to (19), respectively. However, the rightmost side of each of the above equations represents the spectral decomposition of each state such that p ₀ , p ₀ ′, p ₁ , and p ₁ ′ are ½ or less. E ₀ , E ₀ ′, E ₁ , E ₁ ′ are projection operators.
_{P 0 = P F ρ 10 +} (1-P F) ρ 11 = p 0 E 0 + (1-p 0) (I-E 0)
... (16)
_{P 0 '= P F ρ 11} + (1-P F) ρ 10 = p 0'E 0' + (1-p 0 ') (I-E 0')
... (17)
_{P 1 = P F ρ 00 +} (1-P F) ρ 01 = p 1 E 1 + (1-p 1) (I-E 1)
... (18)
_{P 1 '= P F ρ 01} + (1-P F) ρ 00 = p 1'E 1' + (1-p 1 ') (I-E 1')
... (19)

Further, the maximum value of the diagonal component when the quantum states ρ ₀₀ and ρ ₀₁ are represented using the orthonormal basis for diagonalizing P ₀ is defined as q _0, and similarly q ₀ ′, q ₁ , q _{When 1} ′ is defined, q ₀ , q ₀ ′, q ₁ and q ₁ ′ are given by the following equations (20) to (23).
q ₀ = max {T _r ρ ₀₀ E ₀ , 1-T _r ρ ₀₀ E ₀ , T _r ρ ₀₁ E ₀ , 1-T _r ρ ₀₁ E ₀ }
... (20)
q ₀ ′ = max {T _r ρ ₀₀ E ₀ ′, 1−T _r ρ ₀₀ E ₀ ′, T _r ρ ₀₁ E ₀ ′, 1−T _r ρ ₀₁ E ₀ ′}
... (21)
_{q 1 = max {T r ρ} 10 E 1, 1-T r ρ 10 E 1, T r ρ 11 E 1, 1-T r ρ 11 E 1}
... (22)
q ₁ ′ = max {T _r ρ ₁₀ E ₁ ′, 1−T _r ρ ₁₀ E ₁ ′, T _r ρ ₁₁ E ₁ ′, 1−T _r ρ ₁₁ E ₁ ′}
... (23)

As a result, the conditional probability p (m _E | m _A ) regarding the measurement value m _E of the eavesdropper when the transmission data m _A is fixed can be estimated as the following equation (24).

…（２４）

... (24)

However, Δp ₀ ^* is a security parameter, and the upper limit value ε ₀ ^* of the probability that this estimation fails is given by the following equation (25).
ε ₀ ^* = exp (−2n _K (Δp ₀ ^* ) ² ) (25)

At this time, the conditional information amount H (m _E | m _A ) of the measured value m _E of the eavesdropper when the transmission data m _A is a condition satisfies the following inequality (26).
H (m _E | m _A ) ≧ −logmaxp (m _E | m _A )
= −n _K (H ₂ (p _max + Δp ₀ ^* ) + log q _max ) (26)

Therefore, the mutual information amount I (m _A : m _E ) between m _A and m _E can be estimated as the following equation (27).
I (m _A : m _E ) = H (m _E ) −H (m _E | m _A )
≦ n _K + n _K (H ₂ (p _max + Δp ₀ ^* ) + log 2q _max )
= N _K (H ₂ (p _max + Δp ₀ ^* ) + log 2q _max )
= I _max (m _A : m _E ) (27)

Finally, the information amount T leaked to the eavesdropper can be estimated as in the following equation (28). However, in the set K of data bit positions used for key generation, the number of bits in which the 0 ° and 90 ° bases are used is n ₀ , and the number of bits in which the 45 ° and 135 ° bases are used is n ₁ . did.

…（２８）

... (28)

The above ε _T ^* only needs to be an upper limit value of the probability that at least one of the events having occurrence probabilities of ε ^* , ε ₀ ^* , and n _K T _r | Δ | The shape is not limited to the above equation (28).

The T can be calculated as follows, for example. First, the number n _{0 of} bits in which the 0 ° and 90 ° bases are used in the set K of bit positions of data used for key generation, and the number n of bits in which the 45 ° and 135 ° bases are used in the set K. ₁ and two security parameters Δp ₀ ^* , Δp ₁ ^* and the above p ₀ , p ₀ ′, p ₁ , p ₁ ′, q ₀ , q ₀ ′, q ₁ , q ₁ ′, Information amounts T ₀ , T ₀ ′, T ₁ , T ₁ ′ are calculated according to equations (33) to (33).
T ₀ = n ₀ (H ₂ (p ₀ + Δp ₀ ^* ) + log 2q ₀ ) (29)
T ₀ ′ = n ₀ (H ₂ (p ₀ ′ + Δp ₀ ^* ) + log 2q ₀ ′) (30)
T ₁ = n ₁ (H ₂ (p ₁ + Δp ₁ ^* ) + log 2q ₁ ) (31)
T ₁ '= n ₁ (H ₂ (p ₁ ' + Δp ₁ ^* ) + log 2q ₁ ') (32)
_{H 2 (p) = - plogp-} (1-p) log (1-p) ... (33)

Then, using the information amounts T ₀ , T ₀ ′, T ₁ , T ₁ ′ obtained above, the information amount T leaked to the eavesdropper is calculated as in the following equation (34).

…（３４）

... (34)

The security parameters Δp ^* , Δp ₀ ^* , Δp ₁ ^* used above are preferably determined so as to minimize the amount of information T leaked to an eavesdropper from the viewpoint of system performance. However, even if it cannot be minimized for some reason, if the parameters can be shared between the transmitting side and the receiving side, the security of the system is guaranteed by using them. The above parameters can be shared by making either the transmission side or the reception side open.

The information amounts T ₀ , T ₀ ′, T ₁ , T ₁ ′ may be calculated by the following processing. For example, let S ₀ be a set of real numbers obtained by selecting either q ₀ or 1-q ₀ n ₀ times and multiplying all selected _ones . That is, if the weight of x (number of 1s) is represented by w (x) for the bit string x, S ₀ can be defined by the following equation (35), and T ₀ can be defined by the following (36 ) Expression. Thereafter, the information amounts T ₀ ′, T ₁ , T ₁ ′ are similarly calculated. By this calculation, the information amount T leaked to the eavesdropper can be estimated small.

…（３５）

... (35)

…（３６）

... (36)

  In the present embodiment, the amount of information T leaked to the eavesdropper is also calculated by the same processing as described above in the communication device on the receiving side.

Next, in the communication device on the transmission side and the communication device on the reception side, a part of the transmission data m _A ′ and the reception data m _B ′ is discarded based on the information amount T calculated in the processes in steps S8 and S19. Thus, an encryption key r having an information amount of (n−ks−T′−v) bits is generated (steps S9 and S20). The shared key generation units 15 and 35 determine the security parameter: v as the margin of the information amount T. This security parameter v is a value determined according to the safety required by the system. When the security parameter v is large, the key length is shortened but the safety is improved. On the other hand, when the security parameter v is small, the security is lowered but the key length can be increased. Further, T ′ represents an integer greater than or equal to the information amount T leaked to the eavesdropper obtained above.

Specifically, for example, the shared key generation unit 15 randomly selects the original Hu from the universal hash function family of {0, 1} ^nks → {0, 1} ^nksTv . This can be realized, for example, by taking a full-rank (rank Hu = n−k−s−T−v) random matrix as Hu. Then, the hash function Hu is transmitted to the receiving communication device via the public communication path. Note that this process may be performed by the shared key generation unit 35 of the receiving communication device.

Then, the shared key generation unit 15 generates the encryption key r by the following equation (37) using the Hu. FIG. 8A is a diagram illustrating the encryption key r generated by the shared key generation unit 15. The communication device on the transmission side uses this encryption key r as a shared key with the communication device on the reception side.
r = Hum _A ′ (37)

On the other hand, the shared key generation unit 35 generates the encryption key r by the following equation (38) using the Hu. FIG. 8B is a diagram illustrating the encryption key r generated by the shared key generation unit 35. The communication device on the reception side uses this encryption key r as a shared key with the communication device on the transmission side.
r = Hum _B ′ (38)

In the above description, the compression in steps S6 and S17 and the compression in steps S9 and S20 are individually performed. However, the present invention is not limited to this, and for example, a random matrix of {0, 1} ^nks → {0, 1} ^nksTvk Hu may be generated, and then the above expressions (37) and (38) may be executed.

As described above, in the present embodiment, steps S4 and S14 are performed while correcting the data error of the shared information using the parity check matrix for the “Irregular-LDPC code” having deterministic and stable characteristics. Steps S7 and S18 and steps S8 and S19 are executed, and further, data according to the information amount disclosed through the public communication path in the course of the above processing and the estimated value of the information amount leaked to the eavesdropper through the quantum communication path The compressed data is used as an encryption key shared between apparatuses. As a result, it is possible to efficiently generate a highly secure common key. That is, it is possible to realize a quantum key distribution method in which the success probability is (1−ε) or more and the amount of information leaked to an eavesdropper is (2 ^−v / ln2) or less.

  As described above, the quantum key distribution method and the communication device according to the present invention are useful as a technique for generating a highly secure common key, and particularly on a transmission path where an eavesdropper may exist. Suitable for communication.

It is a figure which shows the structure of the communication apparatus in the quantum cryptography system concerning this invention. It is a flowchart which shows the quantum key distribution of this invention. It is a flowchart which shows the quantum key distribution of this invention. It is a flowchart which shows an example of the construction method of "Irregular-LDPC code" based on finite affine geometry. It is a figure which shows the matrix of finite affine geometric code AG (2, 2 ² ). It is a diagram illustrating an S _A generated by the syndrome generating section. Is a diagram showing information _{M PC m A (n-k} ). Is a diagram showing information _{M PC m B (n-k} ) '. It is a figure which shows transmission data m _A '. It is a diagram illustrating a received data m _B '. It is a figure which shows the encryption key r produced | generated in the communication apparatus of the transmission side. It is a figure which shows the encryption key r produced | generated with the communication apparatus of the receiving side. It is a figure which shows the outline | summary of the quantum key distribution using the conventional polarization.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1,3 Encryption key generation part 2,4 Communication part 10,30 Parity check matrix generation part 11,31 Random number generation part 12 Photon generation part 13,34 Public channel communication part 14 Syndrome generation part 15,35 Shared key generation part 21 , 42 Encryption unit 22, 41 Transmission / reception unit 32 Photon reception unit 33 Syndrome decryption unit

Claims (8)

A first communication device that transmits a photon on a quantum channel in a quantum state defined by a combination of a random number sequence and a basis, and a second unit that obtains data defined by a measurement result of the photon on the quantum channel and a basis The data obtained by measurement using the same base as that on the transmission side is used as first reception data, and a random number sequence corresponding to the first reception data is defined as first transmission data. In the quantum key distribution method to
A shared key generation unit of each communication device extracts a predetermined number of data at the same bit position from the first transmission data and the first reception data, and the extracted partial data is transmitted via a public communication channel. An error probability estimation step for estimating the error probability of data used for key generation based on the degree of coincidence (error probability) of both partial data after notification to each other;
A first data compression step in which each shared key generation unit uses the remaining data other than the disclosed partial data as second transmission data and second reception data, respectively;
The syndrome generation unit of the first communication device notifies predetermined error correction information to the second communication device via a public communication path, and the syndrome decoding unit of the second communication device performs the error correction. An error correction step of correcting an error of the second received data based on the information;
In accordance with the amount of the error correction information disclosed, the shared key generation unit of the first communication device generates the second transmission data, and the shared key generation unit of the second communication device performs the error correction after the error correction. A second data compression step of compressing the received data of each of the second data and using the compressed data as third transmission data and third received data, respectively;
Each shared key generation unit notifies predetermined determination information for determining whether or not the third transmission data and the third reception data match with each other via a public communication path, and A matching determination step of performing the determination processing based on the determination information and discarding the third transmission data and the third reception data when the determination result is inconsistent;
If the determination results are the same, the shared key generation unit of the first communication device converts the third transmission data into the shared key generation unit of the second communication device according to the amount of determination information disclosed. Compressing the third reception data, respectively, and a third data compression step using the compressed data as fourth transmission data and fourth reception data, respectively.
When there is no error in the output of the first communication device, each of the shared key generation unit of the first communication device or the shared key generation unit of each communication device is based on the estimated value of the error probability. When the amount of information leaked to an eavesdropper through a quantum communication channel is estimated, and there is an error in the output of the first communication device, the shared key generation unit of the first communication device or each communication Each of the shared key generation unit of the device, based on the estimated value of the error probability and the quantum state reflecting the error, an information amount estimation step for estimating the amount of information leaked to the eavesdropper through the quantum communication path;
Based on the estimated value of the amount of information leaked to the eavesdropper, the shared key generation unit of the first communication device uses the fourth transmission data, and the shared key generation unit of the second communication device uses the first communication data. Each of the received data is compressed, and the compressed data is used as a shared encryption key between the communication devices;
A quantum key distribution method comprising:   In the error probability estimation step, the error probability is estimated so as to satisfy a predefined “upper limit value of an probability that an estimated value of error probability is estimated to be smaller than a true error probability”. The quantum key distribution method according to claim 1.   3. The quantum key distribution method according to claim 1, wherein the determination information used in the match determination step is information corresponding to the number of bits determined according to security required by the system.   In the information amount estimating step, the transmission state is disclosed to the second communication device in advance, and information leaked to an eavesdropper in both the first communication device and the second communication device. The quantum key distribution method according to claim 1, wherein the quantity is estimated.   In the information amount estimation step, the amount of information leaked by an eavesdropper in the first communication device is estimated, and the estimated value is notified to the second communication device via a public communication path. The quantum key distribution method according to claim 1, 2, or 3. Random number sequence corresponding to the data obtained by transmitting photons on the quantum communication path in the quantum state defined by the combination of the random number sequence and the basis, and measuring using the same base as the photon transmitting side in the communication device on the photon receiving side In the communication device on the photon transmission side with the first transmission data as
Extract data of a predetermined number of bit positions from the first transmission data, notify the extracted partial data to the communication device on the reception side via a public communication path, and then from the communication device on the reception side Based on the degree of coincidence (error probability) with the obtained partial data at the same bit position, the error probability of the data used for key generation is estimated, and the remaining data other than the disclosed partial data is used as the second transmission data. Error probability estimating means for
Predetermined error correction information is notified to the second communication device via a public communication path, the second transmission data is compressed according to the amount of the disclosed error correction information, and the compressed data is converted into the third data. Error correction means for transmission data of
The determination information for determining whether or not the third transmission data and the data obtained from the communication device on the reception side match is notified to the communication device on the reception side via a public communication path, and the determination When the determination result based on the information does not match, the third transmission data is discarded. On the other hand, when the determination result is the same, the third transmission data is compressed according to the amount of the determination information disclosed, and after the compression A coincidence determination means using the data of the fourth as transmission data,
If there is no error in the output of the own device, the amount of information leaked to the eavesdropper through the quantum communication path is estimated based on the estimated value of the error probability , and if there is an error in the output of the own device, the error An estimation means for estimating an amount of information leaked to an eavesdropper through a quantum communication path based on an estimated value of a probability and a quantum state (transmission state) reflecting an error of the own device;
A shared key generating means for compressing the fourth transmission data based on an estimated amount of information leaked to the eavesdropper and using the compressed data as a shared encryption key between devices;
A communication apparatus comprising: A communication device on the photon reception side using, as the first reception data, data obtained by measurement using the same base as that on the photon transmission side among the data defined by the combination of the measurement result and the basis of the photons on the quantum communication path In
Extract data of a predetermined number of bit positions from the first received data, notify the extracted partial data to the communication device on the photon transmission side via the public communication path, and then from the communication device on the transmission side Based on the degree of coincidence (error probability) with the obtained partial data at the same bit position, the error probability of the data used for key generation is estimated, and the remaining data other than the disclosed partial data is set as the second received data. Error probability estimating means for
An error of the second received data is corrected based on error correction information obtained from the communication device on the transmission side, and the error-corrected information is corrected according to the amount of error correction information disclosed by the communication device on the transmission side. Error correction means for compressing the second received data and using the compressed data as the third received data;
Notification information for determining whether or not the third received data and data obtained from the communication device on the transmission side match is notified to the communication device on the transmission side via a public communication path, If the determination result based on the determination information does not match, the third reception data is discarded. On the other hand, if the determination result is the same, the third reception data is compressed according to the amount of the determination information disclosed, and compressed. A coincidence determination means that uses the subsequent data as fourth received data;
When there is no error in the output of the communication device on the photon transmission side, the amount of information leaked to the eavesdropper through the quantum communication path is estimated based on the estimated value of the error probability , and there is an error in the output of the communication device on the photon transmission side. If there is an error, the amount of information leaked to the eavesdropper is estimated through the quantum communication path based on the estimated value of the error probability and the quantum state (transmission state) reflecting the error of the photon transmission side communication device. An estimation means ;
A shared key generating means for compressing the fourth received data based on an estimated value of the amount of information leaked to the eavesdropper and using the compressed data as an encryption key shared between devices;
A communication apparatus comprising: A communication device on the photon reception side using, as the first reception data, data obtained by measurement using the same base as that on the photon transmission side among the data defined by the combination of the measurement result and the basis of the photons on the quantum communication path In
Extract data of a predetermined number of bit positions from the first received data, notify the extracted partial data to the communication device on the photon transmission side via the public communication path, and then from the communication device on the transmission side Based on the degree of coincidence (error probability) with the obtained partial data at the same bit position, the error probability of the data used for key generation is estimated, and the remaining data other than the disclosed partial data is set as the second received data. Error probability estimating means for
An error of the second received data is corrected based on error correction information obtained from the communication device on the transmission side, and the error-corrected information is corrected according to the amount of error correction information disclosed by the communication device on the transmission side. Error correction means for compressing the second received data and using the compressed data as the third received data;
Notification information for determining whether or not the third received data and data obtained from the communication device on the transmission side match is notified to the communication device on the transmission side via a public communication path, If the determination result based on the determination information does not match, the third reception data is discarded. On the other hand, if the determination result is the same, the third reception data is compressed according to the amount of the determination information disclosed, and compressed. A coincidence determination means that uses the subsequent data as fourth received data;
The estimated value of the amount of information leaked to an eavesdropper through the quantum communication channel estimated by the communication device on the photon transmission side according to claim 6 is received via a public communication channel, and the first value is based on the estimated value. A shared key generating unit that compresses the received data of 4 and uses the compressed data as an encryption key shared between the devices;
A communication apparatus comprising:

Images