WO2024034699A1 - Method for carrying out user authentication in quantum communication system, and device therefor - Google Patents

Abstract

The present specification provides a method for carrying out user authentication in a quantum communication system. More specifically, the method comprises the steps of: transmitting, to a receiving end, quantum bit error rate (QBER) estimation information generated on the basis of a checking sequence for QBER estimation for determining whether eavesdropping has occurred on a quantum channel; carrying out the QBER estimation with the receiving end on the basis of the QBER estimation information; and, on the basis of the result of the QBER estimation, carrying out authentication with the receiving end by reusing the checking sequence, wherein the authentication is carried out on the basis of (i) the reused checking sequence, and (ii) a symmetric key pre-shared to the transmitting end and the receiving end.

Description

Method and device for performing user authentication in a quantum communication system

This specification relates to a quantum communication system, and more specifically, to a method and device for performing user authentication in a quantum communication system.

Wireless communication systems are being widely deployed to provide various types of communication services such as voice and data. In general, a wireless communication system is a multiple access system that can support communication with multiple users by sharing available system resources (bandwidth, transmission power, etc.). Examples of multiple access systems include Code Division Multiple Access (CDMA) systems, Frequency Division Multiple Access (FDMA) systems, Time Division Multiple Access (TDMA) systems, Space Division Multiple Access (SDMA), and Orthogonal Frequency Division Multiple Access (OFDMA) systems. , SC-FDMA (Single Carrier Frequency Division Multiple Access) system, IDMA (Interleave Division Multiple Access) system, etc. In addition, research is continuing on quantum communication, a next-generation communication technology that can overcome the limitations of existing information and communication, such as security and high-speed computation, by applying quantum mechanical characteristics to the information and communication field. Unlike existing communication, which is based on binary bit information, quantum communication provides a means of generating, transmitting, processing, and storing information in the form of a superposition of 0 and 1. In existing communication technologies, wavelength or amplitude is used to transmit information between the transmitting end and the receiving end, but unlike this, in quantum communication, photons, the smallest unit of light, are used to transmit information between the transmitting end and the receiving end.

The purpose of this specification is to provide a method and device for performing user authentication in a quantum communication system.

Additionally, the purpose of this specification is to provide a method and device for performing user authentication using information transmitted through a quantum channel in a quantum communication system.

Additionally, the purpose of this specification is to provide a method and device for user authentication using information used to estimate QBER (Quantum bit error rate) in a quantum communication system.

Additionally, the purpose of this specification is to provide a method and device for updating a symmetric key for user authentication pre-shared between the transmitting end and the receiving end in a quantum communication system.

The technical problems to be achieved in this specification are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the description below. You will be able to.

This specification provides a method and device for performing user authentication in a quantum communication system.

More specifically, in this specification, a method for a transmitter to perform authentication in a quantum communication system involves, at the receiver, estimating QBER (Quantum Bit Error Rate) to determine whether or not there is eavesdropping on a quantum channel. Transmitting QBER estimation information generated based on a checking sequence for; performing the QBER estimation based on the receiving end and the QBER estimation information; And based on the result of the QBER estimation, performing authentication with the receiving end by reusing the checking sequence, wherein the authentication is performed by (i) the reused checking sequence and (ii) the transmitting end and the receiving end. It is characterized in that it is performed based on a pre-shared symmetric key.

In addition, this specification provides, at the receiving end, to correct errors between (i) the bit value of the checking sequence generated by the transmitting end and (ii) the bit value of the receiving end checking sequence obtained by the receiving end by measuring the QBER estimation information. It may further include the step of transmitting error correction information.

In addition, in this specification, the error correction information includes (i) information about the bit value of the checking sequence and (ii) information about the basis used for polarization coding for a bit at a specific position within the bit string of the checking sequence. It may be characterized as including.

In addition, this specification provides (a) (i) a basis used for polarization coding for a bit at a specific position within the bit stream of the checking sequence at the transmitting end and (ii) a bit stream of the checking sequence at the transmitting end. The basis used for measuring the QBER estimation information corresponding to a specific position is the same, and (b) (i) the bit value of the bit at the specific position and (ii) the QBER estimation information corresponding to the specific position. When the measured values are different, the measured value at the receiving end of the QBER estimation information corresponding to the specific location is corrected to the same value as the bit value of the bit of the specific location based on the error correction information. .

Additionally, the present specification may be characterized in that an authentication message for the authentication is generated based on (i) the reused checking sequence and (ii) the pre-shared symmetric key.

Additionally, in this specification, the pre-shared symmetric key may be used to determine the positions of bits used for generating the authentication message in the bit string of the reused checking sequence.

Additionally, this specification may feature that the length of the bit string of the pre-shared symmetric key and the length of the bit string constituting the reused checking sequence are the same.

In addition, the present specification provides that at least one bit in the bit string of the reused checking sequence at a position corresponding to the position of at least one bit with a specific bit value in the bit string of the pre-shared symmetric key is used for the authentication. It can be characterized as a message.

In addition, this specification provides that, based on the bit value of the first position of the bit string of the pre-shared symmetric key, the bit values of the odd positions or the bit values of the even positions in the bit string of the reused checking sequence are used to authenticate the authentication. It may be characterized as being used in the creation of a message.

Additionally, in this specification, the authentication message is based on (i) the pre-shared symmetric key and (ii) an XOR operation on the bit values at odd positions or the bit values at even positions in the bit string of the checking sequence. It can be characterized as being created.

In addition, this specification provides that, when bit values in odd positions in the bit string of the checking sequence are used to generate the authentication message, bit values in odd positions in the pre-shared symmetric key are used in an XOR operation, When bit values in even positions in the bit string of the checking sequence are used to generate the authentication message, bit values in even positions in the pre-shared symmetric key may be used for an XOR operation. there is.

Additionally, in this specification, the pre-shared symmetric key may be used to select a hash function for generating the authentication message.

Additionally, in this specification, the reused checking sequence is used as an input to a hash function that is mapped to the bit value of the pre-shared symmetric key, and the output value of the hash function that is mapped to the bit value of the pre-shared symmetric key is used for the authentication. It may be characterized as a message.

Additionally, this specification includes the steps of transmitting message information to the receiving end over a quantum channel based on the authentication result; and (i) updating the pre-shared symmetric key based on the message information and (ii) the pre-shared symmetric key.

Additionally, this specification may feature that the pre-shared symmetric key is updated based on (i) the message information and (ii) an XOR operation on the pre-shared symmetric key.

Additionally, in this specification, a transmitter that performs authentication in a quantum communication system includes a transmitter for transmitting a wireless signal; A receiver for receiving wireless signals; at least one processor; and at least one computer memory operably connectable to the at least one processor and storing instructions that, when executed by the at least one processor, perform operations, the operations comprising: , transmitting QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel; performing the QBER estimation based on the receiving end and the QBER estimation information; And based on the result of the QBER estimation, performing authentication with the receiving end by reusing the checking sequence, wherein the authentication is performed by (i) the reused checking sequence and (ii) the transmitting end and the receiving end. It is characterized in that it is performed based on a pre-shared symmetric key.

In addition, this specification provides that a method for a receiving end to perform authentication in a quantum communication system is a checking sequence for QBER (Quantum Bit Error Rate) estimation to determine whether or not there is eavesdropping on a quantum channel from the transmitting end. Receiving QBER estimation information generated based on a checking sequence; performing the QBER estimation based on the transmitter and the QBER estimation information; And based on the result of the QBER estimation, performing authentication with the transmitting end by reusing the checking sequence, wherein the authentication is performed by (i) the reused checking sequence and (ii) the transmitting end and the receiving end. It is characterized in that it is performed based on a pre-shared symmetric key.

Additionally, in this specification, a receiving end that performs authentication in a quantum communication system includes a transmitter for transmitting a wireless signal; A receiver for receiving wireless signals; at least one processor; and at least one computer memory operably connectable to the at least one processor and storing instructions that, when executed by the at least one processor, perform operations, the operations comprising: , receiving QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel; performing the QBER estimation based on the transmitter and the QBER estimation information; And based on the result of the QBER estimation, performing authentication with the transmitting end by reusing the checking sequence, wherein the authentication is performed by (i) the reused checking sequence and (ii) the transmitting end and the receiving end. It is characterized in that it is performed based on a pre-shared symmetric key.

Additionally, the present specification provides that, in a non-transitory computer readable medium (CRM) storing one or more instructions, one or more instructions executable by one or more processors are provided at a transmitting end: a receiving end, a quantum channel (Quantum channel) ) Control to transmit QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on the device, and the receiving end and the QBER estimation information based on the QBER estimation information. Control to perform QBER estimation, and control to perform the authentication with the receiving end by reusing the checking sequence based on the result of the QBER estimation, wherein the authentication is performed by (i) the reused checking sequence and (ii) the It is characterized in that it is performed based on a symmetric key previously shared between the transmitting end and the receiving end.

In addition, the present specification is directed to a device including one or more memories and one or more processors functionally connected to the one or more memories, wherein the one or more processors are used by the device as a receiving end on a quantum channel. Controls to transmit QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not to be wiretapping, and performs the QBER estimation on the receiving end and the QBER estimation information. Control to perform, and based on the result of the QBER estimation, control to perform authentication with the receiving end by reusing the checking sequence, wherein the authentication is performed with (i) the reused checking sequence and (ii) the transmitting end. It is characterized in that it is performed based on a symmetric key pre-shared with the receiving end.

This specification has the effect of performing user authentication in a quantum communication system.

Additionally, this specification has the effect of performing user authentication using information transmitted through a quantum channel in a quantum communication system.

In addition, since this specification performs user authentication using information transmitted through a quantum channel in a quantum communication system, safety can be secured without assuming that the transmitting and receiving ends of the classical channel and the quantum channel are the same.

In addition, this specification has the effect of performing user authentication using information used to estimate QBER (Quantum bit error rate) in a quantum communication system.

Additionally, this specification has the effect of enabling user authentication in a quantum communication system without generating a separate authentication message.

Additionally, this specification does not generate a separate authentication message for user authentication in a quantum communication system, which has the effect of saving communication resources.

Additionally, this specification has the effect of updating the symmetric key for user authentication that is pre-shared between the transmitting end and the receiving end in a quantum communication system.

In addition, this specification has the effect of ensuring safety because it is possible to update the symmetric key for user authentication that is pre-shared between the transmitting end and the receiving end in a quantum communication system.

Additionally, this specification has the effect of increasing the efficiency of generating secret keys used for data encryption and decryption in a quantum key distribution system.

The effects that can be obtained in this specification are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the description below. .

The drawings attached below are intended to aid understanding of the present specification and may provide embodiments of the present specification along with a detailed description. However, the technical features of this specification are not limited to specific drawings, and the features disclosed in each drawing may be combined to form a new embodiment. Reference numerals in each drawing may refer to structural elements.

Figure 1 is a diagram showing an example of a communication system applicable to this specification.

Figure 2 is a diagram showing an example of a wireless device applicable to this specification.

Figure 3 is a diagram showing a method of processing a transmission signal applicable to this specification.

Figure 4 is a diagram showing another example of a wireless device applicable to this specification.

Figure 5 is a diagram showing an example of a portable device applicable to this specification.

Figure 6 is a diagram showing physical channels applicable to this specification and a signal transmission method using them.

Figure 7 is a diagram showing the structure of a wireless frame applicable to this specification.

Figure 8 is a diagram showing a slot structure applicable to this specification.

Figure 9 is a diagram showing an example of a communication structure that can be provided in a 6G system applicable to this specification.

Figure 10 shows an example of a man-in-the-middle attack that can occur in quantum communication.

Figure 11 is a diagram showing an example of a MAC-based authentication technique.

Figure 12 is a diagram showing an example of an authentication method based on Wegman & Carter Authentication (WCA).

Figure 13 is a diagram to explain the correlation between the number of hash functions and collision probability.

Figure 14 is a diagram showing an example of a symmetric key update method in the quantum key distribution technique.

Figure 15 is a diagram showing an example of the tag creation process in the existing authentication technique.

Figure 16 is a diagram showing an example in which user authentication is performed through a classical channel in quantum communication.

Figure 17 is a diagram illustrating an example in which user authentication is performed using QBER estimation information transmitted through a quantum channel in quantum communication.

Figure 18 is a diagram for explaining how a pre-shared symmetric key is used to determine the location of authentication information.

Figure 19 is a diagram showing the overall sequence of the user authentication process to which the method proposed in this specification is applied.

Figure 20 is a diagram illustrating an example of a method in which a pre-shared symmetric key is used for an XOR operation with a message for MAC generation.

Figure 21 is a diagram showing the overall sequence of the user authentication process to which the method proposed in this specification is applied.

Figure 22 is a diagram to explain how a pre-shared symmetric key is used to select a hash function to be used for MAC generation among hash functions constituting the hash function set H used in the MAC algorithm.

Figure 23 is a diagram showing the overall sequence of the user authentication process to which the method proposed in this specification is applied.

Figure 24 is a diagram for explaining a pre-shared symmetric key update method.

Figure 25 is a flowchart showing an example of how the user authentication method proposed in this specification is performed at the transmitting end.

Figure 26 is a flowchart showing an example of how the user authentication method proposed in this specification is performed at the receiving end.

The following embodiments combine the elements and features of the present specification in a predetermined form. Each component or feature may be considered optional unless explicitly stated otherwise. Each component or feature may be implemented in a form that is not combined with other components or features. Additionally, embodiments of the present specification may be configured by combining some components and/or features. The order of operations described in the embodiments of this specification may be changed. Some features or features of one embodiment may be included in another embodiment or may be replaced with corresponding features or features of another embodiment.

In the description of the drawings, procedures or steps that may obscure the gist of the present specification are not described, and procedures or steps that can be understood at the level of those skilled in the art are not described.

Throughout the specification, when a part is said to “comprise or include” a certain element, this means that it does not exclude other elements but may further include other elements, unless specifically stated to the contrary. do. In addition, terms such as "... unit", "... unit", and "module" used in the specification refer to a unit that processes at least one function or operation, which refers to hardware, software, or a combination of hardware and software. It can be implemented as: In addition, “a or an,” “one,” “the,” and similar related terms may be used differently in this specification (particularly in the context of the following claims) in the context of describing this specification. It may be used in both singular and plural terms, unless indicated otherwise or clearly contradicted by context.

Embodiments of the present specification have been described focusing on the data transmission and reception relationship between the base station and the mobile station. Here, the base station is meant as a terminal node of the network that directly communicates with the mobile station. Certain operations described herein as being performed by the base station may, in some cases, be performed by an upper node of the base station.

That is, in a network comprised of a plurality of network nodes including a base station, various operations performed for communication with a mobile station may be performed by the base station or other network nodes other than the base station. At this time, 'base station' is a term such as fixed station, Node B, eNB (eNode B), gNB (gNode B), ng-eNB, advanced base station (ABS), or access point. It can be replaced by .

Additionally, in the embodiments of the present specification, a terminal may include a user equipment (UE), a mobile station (MS), a subscriber station (SS), a mobile subscriber station (MSS), It can be replaced with terms such as mobile terminal or advanced mobile station (AMS).

Additionally, the transmitting end refers to a fixed and/or mobile node that provides a data service or a voice service, and the receiving end refers to a fixed and/or mobile node that receives a data service or a voice service. Therefore, in the case of uplink, the mobile station can be the transmitting end and the base station can be the receiving end. Likewise, in the case of downlink, the mobile station can be the receiving end and the base station can be the transmitting end.

Embodiments of the present specification include wireless access systems such as the IEEE 802.xx system, 3GPP (3rd Generation Partnership Project) system, 3GPP LTE (Long Term Evolution) system, 3GPP 5G (5th generation) NR (New Radio) system, and 3GPP2 system. It may be supported by at least one standard document disclosed in the present specification, and in particular, the embodiments of the present disclosure are supported by the 3GPP TS (technical specification) 38.211, 3GPP TS 38.212, 3GPP TS 38.213, 3GPP TS 38.321 and 3GPP TS 38.331 documents. It can be.

Additionally, embodiments of the present specification can be applied to other wireless access systems and are not limited to the above-described system. As an example, it may be applicable to systems applied after the 3GPP 5G NR system and is not limited to a specific system.

That is, obvious steps or parts that are not described among the embodiments of the present specification can be explained with reference to the documents. Additionally, all terms disclosed in this specification can be explained by the standard document.

Hereinafter, preferred embodiments according to the present specification will be described in detail with reference to the attached drawings. The detailed description to be disclosed below along with the accompanying drawings is intended to describe exemplary embodiments of the present specification and is not intended to represent the only embodiments in which the technical features of the present specification may be implemented.

In addition, specific terms used in the embodiments of the present specification are provided to aid understanding of the present specification, and the use of such specific terms may be changed to other forms without departing from the technical spirit of the present specification.

The following technologies include code division multiple access (CDMA), frequency division multiple access (FDMA), time division multiple access (TDMA), orthogonal frequency division multiple access (OFDMA), and single carrier frequency division multiple access (SC-FDMA). It can be applied to various wireless access systems.

In the following, for clarity of explanation, the description is based on the 3GPP communication system (e.g., LTE, NR, etc.), but the technical idea of the present invention is not limited thereto. LTE is 3GPP TS 36.xxx Release 8 and later. In detail, LTE technology after 3GPP TS 36.xxx Release 10 may be referred to as LTE-A, and LTE technology after 3GPP TS 36.xxx Release 13 may be referred to as LTE-A pro. 3GPP NR may refer to technology after TS 38.xxx Release 15. 3GPP 6G may refer to technology after TS Release 17 and/or Release 18. “xxx” refers to the standard document detail number. LTE/NR/6G can be collectively referred to as a 3GPP system.

Regarding background technology, terms, abbreviations, etc. used in this specification, reference may be made to matters described in standard documents published prior to the present invention. As an example, you can refer to the 36.xxx and 38.xxx standard documents.

Communication systems applicable to this specification

Although not limited thereto, various descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein may be applied to various fields requiring wireless communication/connection (e.g., 5G) between devices.

Hereinafter, a more detailed example will be provided with reference to the drawings. In the following drawings/descriptions, identical reference numerals may illustrate identical or corresponding hardware blocks, software blocks, or functional blocks, unless otherwise noted.

1 is a diagram illustrating an example of a communication system applied to this specification. Referring to FIG. 1, the communication system 100 applied herein includes a wireless device, a base station, and a network. Here, a wireless device refers to a device that performs communication using wireless access technology (e.g., 5G NR, LTE) and may be referred to as a communication/wireless/5G device. Although not limited thereto, wireless devices include robots (100a), vehicles (100b-1, 100b-2), extended reality (XR) devices (100c), hand-held devices (100d), and home appliances (100d). appliance) (100e), IoT (Internet of Thing) device (100f), and AI (artificial intelligence) device/server (100g). For example, vehicles may include vehicles equipped with wireless communication functions, autonomous vehicles, vehicles capable of inter-vehicle communication, etc. Here, the vehicles 100b-1 and 100b-2 may include an unmanned aerial vehicle (UAV) (eg, a drone). The XR device 100c includes augmented reality (AR)/virtual reality (VR)/mixed reality (MR) devices, including a head-mounted device (HMD), a head-up display (HUD) installed in a vehicle, a television, It can be implemented in the form of smartphones, computers, wearable devices, home appliances, digital signage, vehicles, robots, etc. The mobile device 100d may include a smartphone, smart pad, wearable device (eg, smart watch, smart glasses), computer (eg, laptop, etc.), etc. Home appliances 100e may include a TV, refrigerator, washing machine, etc. IoT device 100f may include sensors, smart meters, etc. For example, the base station 120 and the network 130 may also be implemented as wireless devices, and a specific wireless device 120a may operate as a base station/network node for other wireless devices.

Wireless devices 100a to 100f may be connected to the network 130 through the base station 120. AI technology may be applied to the wireless devices 100a to 100f, and the wireless devices 100a to 100f may be connected to the AI server 100g through the network 130. The network 130 may be configured using a 3G network, 4G (eg, LTE) network, or 5G (eg, NR) network. Wireless devices 100a to 100f may communicate with each other through the base station 120/network 130, but communicate directly (e.g., sidelink communication) without going through the base station 120/network 130. You may. For example, vehicles 100b-1 and 100b-2 may communicate directly (eg, vehicle to vehicle (V2V)/vehicle to everything (V2X) communication). Additionally, the IoT device 100f (eg, sensor) may communicate directly with other IoT devices (eg, sensor) or other wireless devices 100a to 100f.

Wireless communication/connection (150a, 150b, 150c) may be established between the wireless devices (100a to 100f)/base station (120) and the base station (120)/base station (120). Here, wireless communication/connection includes various methods such as uplink/downlink communication (150a), sidelink communication (150b) (or D2D communication), and inter-base station communication (150c) (e.g., relay, integrated access backhaul (IAB)). This can be achieved through wireless access technology (e.g. 5G NR). Through wireless communication/connection (150a, 150b, 150c), a wireless device and a base station/wireless device, and a base station and a base station can transmit/receive wireless signals to each other. For example, wireless communication/ connection 150a, 150b, and 150c may transmit/receive signals through various physical channels. To this end, based on the various proposals in this specification, various configuration information setting processes for transmitting/receiving wireless signals, various signal processing processes (e.g., channel encoding/decoding, modulation/demodulation, resource mapping/demapping, etc.) , at least some of the resource allocation process, etc. may be performed.

Communication systems applicable to this specification

FIG. 2 is a diagram illustrating an example of a wireless device that can be applied to this specification.

Referring to FIG. 2, the first wireless device 200a and the second wireless device 200b can transmit and receive wireless signals through various wireless access technologies (eg, LTE, NR). Here, {first wireless device 200a, second wireless device 200b} refers to {wireless device 100x, base station 120} and/or {wireless device 100x, wireless device 100x) in FIG. } can be responded to.

The first wireless device 200a includes one or more processors 202a and one or more memories 204a, and may further include one or more transceivers 206a and/or one or more antennas 208a. Processor 202a controls memory 204a and/or transceiver 206a and may be configured to implement the descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein. For example, the processor 202a may process information in the memory 204a to generate first information/signal and then transmit a wireless signal including the first information/signal through the transceiver 206a. Additionally, the processor 202a may receive a wireless signal including the second information/signal through the transceiver 206a and then store information obtained from signal processing of the second information/signal in the memory 204a. The memory 204a may be connected to the processor 202a and may store various information related to the operation of the processor 202a. For example, memory 204a may perform some or all of the processes controlled by processor 202a or instructions for performing the descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein. Software code containing them can be stored. Here, the processor 202a and the memory 204a may be part of a communication modem/circuit/chip designed to implement wireless communication technology (eg, LTE, NR). Transceiver 206a may be coupled to processor 202a and may transmit and/or receive wireless signals via one or more antennas 208a. Transceiver 206a may include a transmitter and/or receiver. The transceiver 206a may be used interchangeably with a radio frequency (RF) unit. In this specification, a wireless device may mean a communication modem/circuit/chip.

The second wireless device 200b includes one or more processors 202b, one or more memories 204b, and may further include one or more transceivers 206b and/or one or more antennas 208b. Processor 202b controls memory 204b and/or transceiver 206b and may be configured to implement the descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein. For example, the processor 202b may process information in the memory 204b to generate third information/signal and then transmit a wireless signal including the third information/signal through the transceiver 206b. Additionally, the processor 202b may receive a wireless signal including the fourth information/signal through the transceiver 206b and then store information obtained from signal processing of the fourth information/signal in the memory 204b. The memory 204b may be connected to the processor 202b and may store various information related to the operation of the processor 202b. For example, memory 204b may perform some or all of the processes controlled by processor 202b or instructions for performing the descriptions, functions, procedures, suggestions, methods, and/or operational flowcharts disclosed herein. Software code containing them can be stored. Here, the processor 202b and the memory 204b may be part of a communication modem/circuit/chip designed to implement wireless communication technology (eg, LTE, NR). Transceiver 206b may be coupled to processor 202b and may transmit and/or receive wireless signals via one or more antennas 208b. The transceiver 206b may include a transmitter and/or a receiver. The transceiver 206b may be used interchangeably with an RF unit. In this specification, a wireless device may mean a communication modem/circuit/chip.

Hereinafter, the hardware elements of the wireless devices 200a and 200b will be described in more detail. Although not limited thereto, one or more protocol layers may be implemented by one or more processors 202a and 202b. For example, one or more processors 202a and 202b may operate on one or more layers (e.g., physical (PHY), media access control (MAC), radio link control (RLC), packet data convergence protocol (PDCP), and radio resource (RRC). control) and functional layers such as SDAP (service data adaptation protocol) can be implemented. One or more processors 202a, 202b may generate one or more Protocol Data Units (PDUs) and/or one or more service data units (SDUs) according to the descriptions, functions, procedures, suggestions, methods, and/or operational flowcharts disclosed herein. can be created. One or more processors 202a and 202b may generate messages, control information, data or information according to the descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein. One or more processors 202a and 202b generate signals (e.g., baseband signals) containing PDUs, SDUs, messages, control information, data or information according to the functions, procedures, proposals and/or methods disclosed herein. , can be provided to one or more transceivers (206a, 206b). One or more processors 202a, 202b may receive signals (e.g., baseband signals) from one or more transceivers 206a, 206b, and the descriptions, functions, procedures, suggestions, methods, and/or operational flowcharts disclosed herein. Depending on the device, PDU, SDU, message, control information, data or information can be obtained.

One or more processors 202a, 202b may be referred to as a controller, microcontroller, microprocessor, or microcomputer. One or more processors 202a and 202b may be implemented by hardware, firmware, software, or a combination thereof. As an example, one or more application specific integrated circuits (ASICs), one or more digital signal processors (DSPs), one or more digital signal processing devices (DSPDs), one or more programmable logic devices (PLDs), or one or more field programmable gate arrays (FPGAs) May be included in one or more processors 202a and 202b. The descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed in this specification may be implemented using firmware or software, and the firmware or software may be implemented to include modules, procedures, functions, etc. Firmware or software configured to perform the descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein may be included in one or more processors 202a and 202b or stored in one or more memories 204a and 204b. It may be driven by the above processors 202a and 202b. The descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein may be implemented using firmware or software in the form of codes, instructions and/or sets of instructions.

One or more memories 204a and 204b may be connected to one or more processors 202a and 202b and may store various types of data, signals, messages, information, programs, codes, instructions and/or commands. One or more memories 204a, 204b may include read only memory (ROM), random access memory (RAM), erasable programmable read only memory (EPROM), flash memory, hard drives, registers, cache memory, computer readable storage media, and/or It may be composed of a combination of these. One or more memories 204a and 204b may be located internal to and/or external to one or more processors 202a and 202b. Additionally, one or more memories 204a and 204b may be connected to one or more processors 202a and 202b through various technologies, such as wired or wireless connections.

One or more transceivers (206a, 206b) may transmit user data, control information, wireless signals/channels, etc. mentioned in the methods and/or operation flowcharts of this specification to one or more other devices. One or more transceivers 206a, 206b may receive user data, control information, wireless signals/channels, etc. referred to in the descriptions, functions, procedures, suggestions, methods and/or operational flowcharts disclosed herein, etc. from one or more other devices. there is. For example, one or more transceivers 206a and 206b may be connected to one or more processors 202a and 202b and may transmit and receive wireless signals. For example, one or more processors 202a, 202b may control one or more transceivers 206a, 206b to transmit user data, control information, or wireless signals to one or more other devices. Additionally, one or more processors 202a and 202b may control one or more transceivers 206a and 206b to receive user data, control information, or wireless signals from one or more other devices. In addition, one or more transceivers (206a, 206b) may be connected to one or more antennas (208a, 208b), and one or more transceivers (206a, 206b) may be connected to the description and functions disclosed herein through one or more antennas (208a, 208b). , may be set to transmit and receive user data, control information, wireless signals/channels, etc. mentioned in procedures, proposals, methods and/or operation flow charts, etc. In this specification, one or more antennas may be a plurality of physical antennas or a plurality of logical antennas (eg, antenna ports). One or more transceivers (206a, 206b) process the received user data, control information, wireless signals/channels, etc. using one or more processors (202a, 202b), and convert the received wireless signals/channels, etc. from the RF band signal. It can be converted to a baseband signal. One or more transceivers (206a, 206b) may convert user data, control information, wireless signals/channels, etc. processed using one or more processors (202a, 202b) from a baseband signal to an RF band signal. To this end, one or more transceivers 206a, 206b may include (analog) oscillators and/or filters.

Figure 3 is a diagram illustrating a method of processing a transmission signal applied to this specification. As an example, the transmission signal may be processed by a signal processing circuit. At this time, the signal processing circuit 300 may include a scrambler 310, a modulator 320, a layer mapper 330, a precoder 340, a resource mapper 350, and a signal generator 360. At this time, as an example, the operation/function of FIG. 3 may be performed in the processors 202a and 202b and/or transceivers 206a and 206b of FIG. 2. Additionally, as an example, the hardware elements of FIG. 3 may be implemented in the processors 202a and 202b and/or transceivers 206a and 206b of FIG. 2. For example, blocks 310 to 350 may be implemented in the processors 202a and 202b of FIG. 2, and block 360 may be implemented in the transceivers 206a and 206b of FIG. 2, but are not limited to the above-described embodiment.

The codeword can be converted into a wireless signal through the signal processing circuit 300 of FIG. 3. Here, a codeword is an encoded bit sequence of an information block. The information block may include a transport block (eg, UL-SCH transport block, DL-SCH transport block). Wireless signals may be transmitted through various physical channels (eg, PUSCH, PDSCH) in FIG. 6. Specifically, the codeword may be converted into a scrambled bit sequence by the scrambler 310. The scramble sequence used for scrambling is generated based on an initialization value, and the initialization value may include ID information of the wireless device. The scrambled bit sequence may be modulated into a modulation symbol sequence by the modulator 320. Modulation methods may include pi/2-binary phase shift keying (pi/2-BPSK), m-phase shift keying (m-PSK), and m-quadrature amplitude modulation (m-QAM).

The complex modulation symbol sequence may be mapped to one or more transport layers by the layer mapper 330. The modulation symbols of each transport layer may be mapped to corresponding antenna port(s) by the precoder 340 (precoding). The output z of the precoder 340 can be obtained by multiplying the output y of the layer mapper 330 by the N*M precoding matrix W. Here, N is the number of antenna ports and M is the number of transport layers. Here, the precoder 340 may perform precoding after performing transform precoding (eg, discrete Fourier transform (DFT) transform) on complex modulation symbols. Additionally, the precoder 340 may perform precoding without performing transform precoding.

The resource mapper 350 can map the modulation symbols of each antenna port to time-frequency resources. A time-frequency resource may include a plurality of symbols (eg, CP-OFDMA symbol, DFT-s-OFDMA symbol) in the time domain and a plurality of subcarriers in the frequency domain. The signal generator 360 generates a wireless signal from the mapped modulation symbols, and the generated wireless signal can be transmitted to another device through each antenna. To this end, the signal generator 360 may include an inverse fast fourier transform (IFFT) module, a cyclic prefix (CP) inserter, a digital-to-analog converter (DAC), a frequency uplink converter, etc. .

The signal processing process for a received signal in a wireless device may be configured as the reverse of the signal processing processes 310 to 360 of FIG. 3. As an example, a wireless device (eg, 200a and 200b in FIG. 2) may receive a wireless signal from the outside through an antenna port/transceiver. The received wireless signal can be converted into a baseband signal through a signal restorer. To this end, the signal restorer may include a frequency downlink converter, an analog-to-digital converter (ADC), a CP remover, and a fast fourier transform (FFT) module. Afterwards, the baseband signal can be restored to a codeword through a resource de-mapper process, postcoding process, demodulation process, and de-scramble process. The codeword can be restored to the original information block through decoding. Accordingly, a signal processing circuit (not shown) for a received signal may include a signal restorer, resource de-mapper, postcoder, demodulator, de-scrambler, and decoder.

Wireless device structure applicable to this specification

Figure 4 is a diagram showing another example of a wireless device applied to this specification.

Referring to FIG. 4, the wireless device 400 corresponds to the wireless devices 200a and 200b of FIG. 2 and includes various elements, components, units/units, and/or modules. ) can be composed of. For example, the wireless device 400 may include a communication unit 410, a control unit 420, a memory unit 430, and an additional element 440. The communication unit may include communication circuitry 412 and transceiver(s) 414. For example, communication circuitry 412 may include one or more processors 202a and 202b and/or one or more memories 204a and 204b of FIG. 2 . For example, transceiver(s) 414 may include one or more transceivers 206a, 206b and/or one or more antennas 208a, 208b of FIG. 2. The control unit 420 is electrically connected to the communication unit 410, the memory unit 430, and the additional element 440 and controls overall operations of the wireless device. For example, the control unit 420 may control the electrical/mechanical operation of the wireless device based on the program/code/command/information stored in the memory unit 430. In addition, the control unit 420 transmits the information stored in the memory unit 430 to the outside (e.g., another communication device) through the communication unit 410 through a wireless/wired interface, or to the outside (e.g., to another communication device) through the communication unit 410. Information received through a wireless/wired interface from another communication device can be stored in the memory unit 430.

The additional element 440 may be configured in various ways depending on the type of wireless device. For example, the additional element 440 may include at least one of a power unit/battery, an input/output unit, a driving unit, and a computing unit. Although not limited thereto, the wireless device 400 may include a robot (FIG. 1, 100a), a vehicle (FIG. 1, 100b-1, 100b-2), an XR device (FIG. 1, 100c), and a portable device (FIG. 1, 100d). ), home appliances (Figure 1, 100e), IoT devices (Figure 1, 100f), digital broadcasting terminals, hologram devices, public safety devices, MTC devices, medical devices, fintech devices (or financial devices), security devices, climate/ It can be implemented in the form of an environmental device, AI server/device (FIG. 1, 140), base station (FIG. 1, 120), network node, etc. Wireless devices can be mobile or used in fixed locations depending on the usage/service.

In FIG. 4 , various elements, components, units/parts, and/or modules within the wireless device 400 may be entirely interconnected through a wired interface, or at least some of them may be wirelessly connected through the communication unit 410. For example, within the wireless device 400, the control unit 420 and the communication unit 410 are connected by wire, and the control unit 420 and the first unit (e.g., 430, 440) are connected wirelessly through the communication unit 410. can be connected Additionally, each element, component, unit/part, and/or module within the wireless device 400 may further include one or more elements. For example, the control unit 420 may be comprised of one or more processor sets. For example, the control unit 420 may be comprised of a communication control processor, an application processor, an electronic control unit (ECU), a graphics processing processor, and a memory control processor. As another example, the memory unit 430 may be comprised of RAM, dynamic RAM (DRAM), ROM, flash memory, volatile memory, non-volatile memory, and/or a combination thereof. It can be configured.

Mobile devices to which this specification applies

Figure 5 is a diagram showing an example of a portable device applied to this specification.

Figure 5 illustrates a portable device to which this specification applies. Portable devices may include smartphones, smart pads, wearable devices (e.g., smart watches, smart glasses), and portable computers (e.g., laptops, etc.). A mobile device may be referred to as a mobile station (MS), user terminal (UT), mobile subscriber station (MSS), subscriber station (SS), advanced mobile station (AMS), or wireless terminal (WT).

Referring to FIG. 5, the portable device 500 includes an antenna unit 508, a communication unit 510, a control unit 520, a memory unit 530, a power supply unit 540a, an interface unit 540b, and an input/output unit 540c. ) may include. The antenna unit 508 may be configured as part of the communication unit 510. Blocks 510 to 530/540a to 540c correspond to blocks 410 to 430/440 in FIG. 4, respectively.

The communication unit 510 can transmit and receive signals (eg, data, control signals, etc.) with other wireless devices and base stations. The control unit 520 can control the components of the portable device 500 to perform various operations. The control unit 520 may include an application processor (AP). The memory unit 530 may store data/parameters/programs/codes/commands necessary for driving the portable device 500. Additionally, the memory unit 530 can store input/output data/information, etc. The power supply unit 540a supplies power to the portable device 500 and may include a wired/wireless charging circuit, a battery, etc. The interface unit 540b may support connection between the mobile device 500 and other external devices. The interface unit 540b may include various ports (eg, audio input/output ports, video input/output ports) for connection to external devices. The input/output unit 540c may input or output video information/signals, audio information/signals, data, and/or information input from the user. The input/output unit 540c may include a camera, a microphone, a user input unit, a display unit 540d, a speaker, and/or a haptic module.

For example, in the case of data communication, the input/output unit 540c acquires information/signals (e.g., touch, text, voice, image, video) input from the user, and the obtained information/signals are stored in the memory unit 530. It can be saved. The communication unit 510 can convert the information/signal stored in the memory into a wireless signal and transmit the converted wireless signal directly to another wireless device or to a base station. Additionally, the communication unit 510 may receive a wireless signal from another wireless device or a base station and then restore the received wireless signal to the original information/signal. The restored information/signal may be stored in the memory unit 530 and then output in various forms (eg, text, voice, image, video, haptic) through the input/output unit 540c.

Physical channels and general signal transmission

In a wireless access system, a terminal can receive information from a base station through downlink (DL) and transmit information to the base station through uplink (UL). Information transmitted and received between the base station and the terminal includes general data information and various control information, and various physical channels exist depending on the type/purpose of the information they transmit and receive.

Figure 6 is a diagram showing physical channels applied to this specification and a signal transmission method using them.

A terminal that is turned on again from a power-off state or newly entered a cell performs an initial cell search task such as synchronizing with the base station in step S611. To this end, the terminal receives the primary synchronization channel (P-SCH) and secondary synchronization channel (S-SCH) from the base station to synchronize with the base station and obtain information such as cell ID. .

Afterwards, the terminal can obtain intra-cell broadcast information by receiving a physical broadcast channel (PBCH) signal from the base station. Meanwhile, the terminal can check the downlink channel status by receiving a downlink reference signal (DL RS) in the initial cell search stage. After completing the initial cell search, the UE receives a physical downlink control channel (PDCCH) and a physical downlink shared channel (PDSCH) according to the physical downlink control channel information in step S612 and further You can obtain specific system information.

Thereafter, the terminal may perform a random access procedure such as steps S613 to S616 to complete access to the base station. To this end, the terminal transmits a preamble through a physical random access channel (PRACH) (S613), and RAR (RAR) for the preamble through the physical downlink control channel and the corresponding physical downlink shared channel. A random access response) can be received (S614). The terminal transmits a physical uplink shared channel (PUSCH) using scheduling information in the RAR (S615), and a contention resolution procedure such as reception of a physical downlink control channel signal and a corresponding physical downlink shared channel signal. ) can be performed (S616).

The terminal that has performed the above-described procedure can then receive a physical downlink control channel signal and/or a physical downlink shared channel signal (S617) and a physical uplink shared channel (physical uplink shared channel) as a general uplink/downlink signal transmission procedure. Transmission of a channel (PUSCH) signal and/or a physical uplink control channel (PUCCH) signal may be performed (S618).

The control information transmitted from the terminal to the base station is collectively referred to as uplink control information (UCI). UCI includes HARQ-ACK/NACK (hybrid automatic repeat and request acknowledgment/negative-ACK), SR (scheduling request), CQI (channel quality indication), PMI (precoding matrix indication), RI (rank indication), and BI (beam indication). ) information, etc. At this time, UCI is generally transmitted periodically through PUCCH, but depending on the embodiment (e.g., when control information and traffic data must be transmitted simultaneously), it may be transmitted through PUSCH. Additionally, at the request/instruction of the network, the terminal may transmit UCI aperiodically through PUSCH.

Figure 7 is a diagram showing the structure of a wireless frame applicable to this specification.

Uplink and downlink transmission based on the NR system may be based on the frame shown in FIG. 7. At this time, one wireless frame has a length of 10ms and can be defined as two 5ms half-frames (HF). One half-frame can be defined as five 1ms subframes (SF). One subframe is divided into one or more slots, and the number of slots in a subframe may depend on subcarrier spacing (SCS). At this time, each slot may include 12 or 14 OFDM(A) symbols depending on the cyclic prefix (CP). When normal CP (normal CP) is used, each slot may include 14 symbols. When extended CP (extended CP) is used, each slot may include 12 symbols. Here, the symbol may include an OFDM symbol (or CP-OFDM symbol) and an SC-FDMA symbol (or DFT-s-OFDM symbol).

Table 1 shows the number of symbols per slot according to SCS, the number of slots per frame, and the number of slots per subframe when a general CP is used, and Table 2 shows the number of symbols per slot according to SCS when an extended CSP is used. Indicates the number of symbols, the number of slots per frame, and the number of slots per subframe.

In Tables 1 and 2, Nslotsymb represents the number of symbols in a slot, Nframe,μslot represents the number of slots in a frame, and Nsubframe,μslot may represent the number of slots in a subframe.

Additionally, in a system to which this specification is applicable, OFDM(A) numerology (eg, SCS, CP length, etc.) may be set differently between a plurality of cells merged into one terminal. Accordingly, the (absolute time) interval of a time resource (e.g., SF, slot, or TTI) (for convenience, referred to as a time unit (TU)) composed of the same number of symbols may be set differently between merged cells.

NR can support multiple numerologies (or subcarrier spacing (SCS)) to support various 5G services. For example, if SCS is 15kHz, it supports wide area in traditional cellular bands, and if SCS is 30kHz/60kHz, it supports dense-urban, lower latency. And it supports a wider carrier bandwidth, and when the SCS is 60kHz or higher, it can support a bandwidth greater than 24.25GHz to overcome phase noise.

The NR frequency band is defined as two types (FR1, FR2) of frequency range. FR1 and FR2 can be configured as shown in the table below. Additionally, FR2 may mean millimeter wave (mmW).

Additionally, as an example, the above-described numerology may be set differently in a communication system to which this specification is applicable. As an example, a terahertz wave (THz) band may be used as a higher frequency band than the above-described FR2. In the THz band, the SCS can be set larger than the NR system, and the number of slots can also be set differently, and is not limited to the above-described embodiment.

Figure 8 is a diagram showing a slot structure applicable to this specification.

One slot includes multiple symbols in the time domain. For example, in the case of normal CP, one slot includes 7 symbols, but in the case of extended CP, one slot may include 6 symbols. A carrier includes a plurality of subcarriers in the frequency domain. RB (Resource Block) can be defined as multiple (eg, 12) consecutive subcarriers in the frequency domain.

Additionally, BWP (Bandwidth Part) is defined as a plurality of consecutive (P)RBs in the frequency domain and may correspond to one numerology (e.g., SCS, CP length, etc.).

A carrier wave may contain up to N (e.g., 5) BWPs. Data communication is performed through an activated BWP, and only one BWP can be activated for one terminal. Each element in the resource grid is referred to as a Resource Element (RE), and one complex symbol can be mapped.

6G communication system

6G (wireless communications) systems require (i) very high data rates per device, (ii) very large number of connected devices, (iii) global connectivity, (iv) very low latency, (v) battery- The goal is to reduce the energy consumption of battery-free IoT devices, (vi) ultra-reliable connectivity, and (vii) connected intelligence with machine learning capabilities. The vision of the 6G system can be four aspects such as “intelligent connectivity”, “deep connectivity”, “holographic connectivity”, and “ubiquitous connectivity”, and the 6G system can satisfy the requirements as shown in Table 4 below. In other words, Table 4 is a table showing the requirements of the 6G system.

At this time, the 6G system includes enhanced mobile broadband (eMBB), ultra-reliable low latency communications (URLLC), massive machine type communications (mMTC), AI integrated communication, and tactile communication. tactile internet, high throughput, high network capacity, high energy efficiency, low backhaul and access network congestion, and improved data security. It can have key factors such as enhanced data security.

Figure 9 is a diagram showing an example of a communication structure that can be provided in a 6G system applicable to this specification.

Referring to Figure 9, the 6G system is expected to have simultaneous wireless communication connectivity 50 times higher than that of the 5G wireless communication system. URLLC, a key feature of 5G, is expected to become an even more mainstream technology in 6G communications by providing end-to-end delays of less than 1ms. At this time, the 6G system will have much better volume spectrum efficiency, unlike the frequently used area spectrum efficiency. 6G systems can provide very long battery life and advanced battery technologies for energy harvesting, so mobile devices in 6G systems may not need to be separately charged. Additionally, new network characteristics in 6G may include:

- Satellites integrated network: 6G is expected to be integrated with satellites to serve the global mobile constellation. Integration of terrestrial, satellite and aerial networks into one wireless communications system could be critical for 6G.

- Connected intelligence: Unlike previous generations of wireless communication systems, 6G is revolutionary and will update the wireless evolution from “connected things” to “connected intelligence.” AI can be applied at each stage of the communication procedure (or each procedure of signal processing, which will be described later).

- Seamless integration wireless information and energy transfer: 6G wireless networks will deliver power to charge the batteries of devices such as smartphones and sensors. Therefore, wireless information and energy transfer (WIET) will be integrated.

- Ubiquitous super 3-dimemtion connectivity: Connectivity of drones and very low Earth orbit satellites to networks and core network functions will create super 3D connectivity in 6G ubiquitous.

In the above new network characteristics of 6G, some general requirements may be as follows.

- Small cell networks: The idea of small cell networks was introduced to improve received signal quality resulting in improved throughput, energy efficiency and spectral efficiency in cellular systems. As a result, small cell networks are an essential feature for 5G and Beyond 5G (5GB) communications systems. Therefore, the 6G communication system also adopts the characteristics of a small cell network.

- Ultra-dense heterogeneous network: Ultra-dense heterogeneous networks will be another important characteristic of the 6G communication system. Multi-tier networks comprised of heterogeneous networks improve overall QoS and reduce costs.

- High-capacity backhaul: Backhaul connections are characterized by high-capacity backhaul networks to support high-capacity traffic. High-speed fiber and free-space optics (FSO) systems may be possible solutions to this problem.

- Radar technology integrated with mobile technology: High-precision localization (or location-based services) through communication is one of the functions of the 6G wireless communication system. Therefore, radar systems will be integrated with 6G networks.

- Softwarization and virtualization: Softwarization and virtualization are two important features that are fundamental to the design process in 5GB networks to ensure flexibility, reconfigurability, and programmability. Additionally, billions of devices may be shared on a shared physical infrastructure.

quantum communication

Quantum communication is a next-generation communication technology that can overcome the limitations of existing information and communication, such as security and high-speed computation, by applying quantum mechanical characteristics to the information and communication field. Quantum communication provides a means of generating, transmitting, processing, and storing information that cannot be expressed or is difficult to express in the form of 0 and 1 according to the binary bit information used in existing communication technology. In existing communication technologies, wavelength or amplitude is used to transmit information between the transmitting end and the receiving end, but unlike this, in quantum communication, photons, the smallest unit of light, are used to transmit information between the transmitting end and the receiving end. In particular, in the case of quantum communication, quantum uncertainty, quantum irreversibility, and unclonability can be used for the polarization or phase difference of photons (light), so quantum communication has the characteristic of enabling communication with complete security. Additionally, quantum communication may enable ultra-fast communication using quantum entanglement under certain conditions.

This specification covers various quantum communications, such as quantum key distribution (QKD), which is applied as a security technology for 4G/5G communication networks, as well as quantum direct communication (QDC), which safely transmits message information through quantum channels. We propose a method and device that can be applied to the user authentication process of the protocol. Here, user authentication refers to a procedure to confirm whether the transmitting and receiving entity exchanging information through a channel is an authorized entity. Here, the channel may include a classical channel and a quantum channel. More specifically, this specification provides an ideal assumption in the existing authentication method that performs user authentication between the transmitting and receiving end using information transmitted in a quantum channel, and performs authentication with information transmitted in a classical channel. It complements the shortcomings of existing authentication methods by eliminating the possibility of information manipulation/falsification by eavesdroppers, and presents an efficient user authentication method that can reuse existing resources without creating additional resources for authentication.

Term Definition

For convenience of explanation, the following symbols/abbreviations/terms may be used interchangeably in this specification.

- QDC: Quantum Direct Communication

- QSDC: Quantum Secure Direct Communication

- QBER: Quantum Bit Error Rate

- QKD: Quantum Key Distribution

- MIMA: Man-in-middle-attack

- MAC: Message Authentication Code

- WCA: Wegman-Carter Authentication

- OTP: One Time Pad

- ITS: Information Theoretically Secure

Below, to help understand the method proposed in this specification, the general contents of user authentication will first be described.

Man-in-the-middle attacks and user authentication in general

In quantum communication, the safety of information transmitted through quantum channels is guaranteed through the non-cloning theorem, a characteristic of quantum mechanics. More specifically, through the QBER (Quantum Bit Error Rate) estimation process using some of the information transmitted through the quantum channel, it is possible to determine whether message information transmitted through the quantum channel has been eavesdropped by a third party, and through this, the transmission message safety can be guaranteed. However, as shown in Figure 10, which shows an example of a third-party attack that can occur in quantum communication, a third party Eve (1030) exists between Alice (1010), the transmitter, and Bob (1020), the receiver. When a man-in-the-middle attack is attempted in which Alice (1010) acts as a receiving end and Bob (1020) acts as a transmitting end, the QBER estimation results through information transmission between Alice (1010) and Eve (1030) and Eve (1030) As a result of QBER estimation through information transmission between and Bob (1020), it cannot be confirmed whether there is a man-in-the-middle attack by a third party, Eve (1030). Through a man-in-the-middle attack, a third party, Eve (1030), can know the contents of the data transmitted while relaying data between Alice (1010) and Bob (1020), and can also attempt to forge/falsify the data. It may be possible. Therefore, in order to prevent man-in-the-middle attacks, a user authentication process is necessary to confirm whether the transmitter and receiver, who are the subjects of information exchange, are authorized users.

Existing authentication techniques can be divided into hash function-based authentication methods that include cryptographically strong elements and authentication methods based on security from an information theory perspective. In the hash function-based authentication method, the collision probability of the hash function is used as an authentication technology based on computational complexity, and a representative hash function-based technology is the SHA technique. However, because the hash function-based authentication method is based on computational complexity, there is a high possibility that its security will be threatened in the future due to the emergence of quantum computers. In addition, in order to enhance safety in quantum cryptographic communication systems, authentication technology using a keyed hash function family that combines a symmetric key and a hash function based on information theoretic safety is applied and used, and ETSI (European Telecommunications Standards Institute), etc. The quantum communication standards organization is adopting the method of using the keyed hash function family as a standard authentication method. The method uses a hash function called Strongly Universal Hashing as a Message authentication code (MAC) algorithm to generate a Message authentication code (MAC) to be used in the authentication process, and an additional one time pad is added during the generation process. It uses a symmetric key used as (OTP), and is known to be the most secure because the possibility of information being recovered through the reverse process from MAC is very low if the symmetric key information is not known. A representative example of a method using the keyed hash function family is the Wegman & Carter Authentication (WCA) technique proposed by M. Wegman and J. Carter.

Message authentication code (MAC) by Wegman & Carter

Figure 11 is a diagram showing an example of a MAC-based authentication technique.

MAC is used to verify the integrity of the message, and is an authentication technique based on the fact that it is difficult for a third party who does not know the one-time symmetric key information pre-shared between the transmitter and receiver (1110 and 1120) to know which MAC algorithm was used when creating the MAC. am. First, before the authentication process is performed, the transmitting end 1110 and the receiving end 1120 share the same symmetric key information 1100 and MAC algorithms 1101 and 1103. Afterwards, when the transmitter 1110 inputs a plaintext message to be used for authentication into the MAC algorithm 1101, which of the MAC algorithms will be used is selected from the value of the pre-shared key 1100. Next, when the plaintext message 1103 is input to the MAC algorithm 1101 selected at the transmitting end 1110, the MAC 1105 is obtained as the output value, and to generate the MAC of the receiving end 1120, the transmitting end 1110 uses a classic It transmits the plaintext message (1103) and MAC (1105) it created through the channel. The receiving end inputs the received plaintext message 1104 into the MAC algorithm 1102 of the receiving end 1120. At this time, since the receiving end 1120 has the same pre-shared key as the transmitting end 1110, the MAC can be generated using the same MAC algorithm 1102 as that of the transmitting end 1110. Finally, the receiving end 1120 compares whether the MAC 1105 transmitted by the transmitting end 1110 matches the MAC generated by the receiving end 1120. If the value of the MAC 1105 transmitted by the transmitting end 1110 matches the MAC value generated by the receiving end 1120, authentication is passed/successful. If the two values do not match, the authentication fails.

In the case of an authentication method using MAC, the pre-shared symmetric key information is not information transmitted through a classical channel, but is information held only by the pre-arranged transmitter and receiver, so a third party who does not know the pre-shared symmetric key information can use the message information. Even if a symmetric key is not secured, it is impossible to know which MAC algorithm was applied from the message information obtained by a third party, and thus safety can be guaranteed. Therefore, the security of the authentication method using MAC can be understood to be higher as the variety of methods for configuring the MAC algorithm increases.

In the case of the quantum key distribution (QKD) protocol currently applied as a security technology for 4G LTE/5G, the WCA technique proposed by Wegman and Carter is adopted and used as a standard authentication technology, and a symmetric key is generated in the form of a one time pad. A method is used to create a Tag with MAC to be used for authentication using the Strongly Universal Hash class. Figure 12 is a diagram showing an example of an authentication method based on Wegman & Carter Authentication (WCA).

The authentication method of FIG. 12 can be applied to both user authentication to check whether the sender and receiver have changed during message transmission, and message authentication to check whether the contents and order of message information have changed. In FIG. 12, the transmitting end 1210 generates tag information 1205 serving as a MAC from message information 1203 using a pre-shared key 1200 and a MAC algorithm 1201, similar to the MAC of FIG. 11. However, the Hash function of the Strongly Universal Hash class is used as the MAC algorithm. At this time, the pre-shared key information 1200 is a hash function in H (1201 and 1202) of the transmitting and receiving ends (1210 and 1210).

It plays a role in selecting whether to use, and the length of the pre-shared key is

Allocated as bits, where

represents the number of hash functions constituting the hash function set. The tag information (1205) is

It is expressed as a hash function selected from the pre-shared key with the message m of the authentication process as the input value.

It is obtained from the results obtained after passing. Afterwards, the receiving end 1220 uses the message 1203 received by the receiving end 1220 to obtain the tag information 1206 of the receiving end 1220 from the pre-shared key 1200 and the hash function 1202 of the receiving end 1220. ) is compared with the tag information 1205 received from the transmitting end 1210, it is confirmed whether the two tag information matches, and then authentication is determined (1208).

In the Wegman & Carter authentication technique, as mentioned earlier, a hash function is used as the MAC algorithm. The hash function is a function that receives information of a random length and outputs a hash value of a fixed length, and the sentence of the original length is It is also called Message digest because it is reduced to a certain length.

The hash function can be used as a MAC in the authentication process based on the three characteristics below.

One sayness: For any given output value y, it is computationally impossible to find an input value x that satisfies y=h(x).

2nd Preimage resistance: When there is h(x) for a given input value x, and h(x)=h(x`), another input value x` that satisfies x=/x` is used. It is computationally impossible to find.

Collision resistance: It is computationally impossible to find two input values x and x` that satisfy the hash value h(x) = h(x`).

Figure 13 is a diagram to explain the correlation between the number of hash functions and collision probability.

WCA attempts a man-in-the-middle attack when a third party, eve, replaces message m with m' and guesses the tag and sends it. Since eve does not know what hash function the sender and receiver used, a random Since the tag is estimated by selecting a hash function, the success probability is

This happens. here

means the number of tags. In other words, the number of tags depends on the type of hash function used.

Since it is determined by the number of hash functions, it can be said that the more types of hash functions used, the lower the possibility of eve estimating the tag. Therefore, as shown in the collision probability formula of FIG. 13, it can be seen that the larger the number of hash functions, the lower the collision probability.

The following problems can be solved through the user authentication method proposed in this specification.

(1) In existing authentication techniques, user authentication for the secret key transmitted through a quantum channel or user authentication for message information is performed through a classical channel, resulting in a man-in-the-middle attack (Man in middle attack) through the quantum channel through which the actual message information is transmitted. There is a possibility of attack

More specifically, user authentication in the QKD protocol, a representative user authentication protocol, uses a method in which secret key information is exchanged between the transmitter and receiver through a quantum channel, and then user authentication is performed in a classical channel. However, this authentication method includes the ideal assumption that the quantum channel and the classical channel are always connected between the same user, so even if eve does not exist in the classical channel, a situation may occur where a Man in middle attack attempt is made in the quantum channel. In this case, the QKD technique cannot secure/guarantee unconditional security. In addition, classical channels and quantum channels are used not only in QKD but also in general quantum communication techniques, and verification of the sender and receiver of the message transmitted through the quantum channel must be based on the information transmitted through the quantum channel. Since the integrity of can be guaranteed, an authentication technique using authentication message information transmitted through a quantum channel is required.

(2) Additional creation of authentication message information to be used for user authentication is required.

More specifically, in the case of the existing authentication technique, the transmitting end separately generates message information for user authentication in addition to the message and QBER estimation information, and uses the separately generated message information for user authentication as input information for MAC generation in the authentication process. use. In quantum communication, the fact that additional authentication information is separately generated can result in more time delay between the transmitter generating a single block of transmission information and sending the next block's transmission information. Additionally, from an implementation perspective, greater power consumption occurs in the process of creating more signals. Therefore, there is a need for a method that can generate information for user authentication without allocating additional resources to generate a separate message for user authentication.

(3) In the case of existing authentication techniques that use symmetric keys, a method is needed to update a once-used symmetric key with new symmetric key information to ensure security, but there is no method for updating symmetric key information. In addition, in the case of QKD, which presents the only method of updating the symmetric key, a method is used to convert some of the secret keys used for encryption of transmission classical information into authentication key information for updating the symmetric key used for authentication, so the secret key There is a problem with reduced production efficiency.

Figure 14 is a diagram showing an example of a symmetric key update method in the quantum key distribution technique. Referring to FIG. 14, in the quantum key distribution technique (QKD), information is exchanged through a quantum channel (S1410), and then the final key is obtained through post-processing processes through a classical channel (S1420 to S1440). Afterwards, some of the final keys are used as pre-shared keys to be used in the next authentication process (1401), and previously used pre-shared keys are discarded after one use. Therefore, a significant portion of the secret key obtained through a complex process cannot be used to encrypt the classical message information to be transmitted but is used as an authentication message, resulting in a decrease in the efficiency of secret key generation. Even in quantum communication techniques other than QKD, for security purposes, the preshared key used in the authentication process cannot be reused and requires a process of discarding and renewing. However, since the renewal method has not been clearly presented to date, there is an efficient way to renew the preshared key. This is needed.

(4) In the case of existing authentication techniques, a large-sized hash function set is used as the MAC algorithm, and a complex computational process in a tree structure must be performed to generate tag information from the hash function, so the tag creation process is highly complex.

Figure 15 is a diagram showing an example of the tag creation process in the existing authentication technique. Referring to FIG. 15, in the existing authentication technique proposed by Wegman & Carter, the authentication message is divided into several blocks (1510), the blocks are grouped into two blocks, and the Strongly Universal (SU) hash function selected by the first preshared key is used. After generating an output value corresponding to one block by passing it (1520), the reduced blocks are grouped into two again, and the process of passing the hash function selected by the second pre-shared key is repeated, resulting in one final block. After performing the hash output until there are no remaining hash outputs (1530 and 1540), only the block corresponding to the length of the lowest tag is separated and used as tag information (1550). As such, the existing authentication technique is very complex because the MAC algorithm, which takes a message as an input value and sends a tag as an output value, follows a tree-structured iterative compression method.

Below, a method for solving the above-mentioned problems will be described in detail. More specifically, this specification is intended to exclude the possibility of third-party attacks that occur in existing authentication techniques that are performed with subjects connected through classical channels in the authentication process of the transmitter and receiver, which is the subject of transmission, even though information is transmitted through a quantum channel. , we propose a method and device configuration for performing authentication based on information transmitted through a quantum channel. The method proposed in this specification proposes a method of reusing checking sequence information transmitted through a quantum channel for QBER estimation as message information for authentication without separately generating message information required for the authentication process. Through this, authentication can be performed without generating additional information for user authentication. Additionally, the method proposed in this specification presents a method of simply performing authentication using a pre-shared symmetric key and authentication message information without using a complicated MAC algorithm. In addition, the method proposed in this specification proposes a method in which, after the transmitting and receiving end performs authentication, the pre-shared symmetric key used once is discarded for security and updated with a new symmetric key. In the case of this method, a method of generating a new symmetric key by combining the transmitted message and the used pre-shared symmetric key can be used.

The method proposed in this specification proceeds with the user authentication process in the following order.

(1) First, the transmitter generates sequence information for QBER estimation.

(2) Next, the transmitting end transmits sequence information for QBER estimation through a quantum channel, then estimates QBER through measurement at the receiving end and determines whether to proceed with authentication through the estimation result.

(3) When authentication is in progress based on the QBER estimation result, the transmitting end and the receiving end reuse the information used for QBER estimation and perform an error correction process to use it as message information for authentication. Through this process, the message information used for authentication at the transmitting and receiving end can be matched.

(4) Finally, the transmitting and receiving ends each set the message information to be used for error-corrected authentication as input values, the sending and receiving ends generate a MAC using the pre-shared key information, and the transmitting and receiving ends compare the MACs each created. The user authentication process is performed based on whether there is a match or not.

First, we look at a method to solve the problem of additional resource allocation for authentication by reusing the information transmitted for QBER estimation through a quantum channel as message information for the user authentication technique after QBER estimation.

User authentication technique that recycles information used in QBER estimation

Figure 16 is a diagram showing an example in which user authentication is performed through a classical channel in quantum communication.

Referring to FIG. 16, message information 1610 for authentication is separately generated, the generated message information 1610 is shared through a classical channel, and the transmitting end and receiving end each use the same authentication message information 1610 using the MAC algorithm. After outputting the MAC used for authentication by using it as an input value, the authentication process was performed by applying the WCA technique that compares the MAC values between the transmitting and receiving ends.

Figure 17 is a diagram illustrating an example in which user authentication is performed using QBER estimation information transmitted through a quantum channel in quantum communication. That is, Figure 17 relates to a user authentication method performed by reusing information used for QBER estimation. Referring to FIG. 17, the checking sequence information 1710 used in the QBER estimation process to check whether message information transmitted through a quantum channel is eavesdropped is reused as message information for user authentication after the QBER estimation process is completed. It is used. In other words, the user authentication method proposed in this specification uses the checking sequence information used in QBER estimation as authentication message information and applies it as the input value of the MAC algorithm. Afterwards, the MAC value to be used for authentication is derived through a pre-shared key-based MAC algorithm. Next, the transmitting and receiving end derives the MAC value through the same process, checks whether the two values match, and decides whether to pass authentication.

Unlike existing user authentication methods, the method proposed in this specification does not separately generate message information for authentication, so there is no need for additional resource allocation for the authentication process. Additionally, in the existing user authentication method that performs authentication using message information transmitted through a classical channel, the ideal assumption is required that the quantum channel and the classical channel are always connected to the same sender and receiver. This assumption makes it possible for the transmission information to be transmitted through the quantum channel. It is transmitted through a channel, but if the user is authenticated by transmitting authentication information through a classical channel, it is determined that the user authentication is complete based on the assumption that the quantum channel is also connected to the same transmitter and receiver. However, in the case of the method proposed in this specification, since authentication is performed using information transmitted through a quantum channel, the integrity of the transmitter and receiver connected to the quantum channel can be directly verified without assuming an ideal situation.

User authentication method based on use of pre-shared symmetric key

This method concerns a method for solving the high configuration complexity problem of the complex MAC algorithm used in existing user authentication methods. More specifically, this method proposes three user authentication methods based on the role/use of the pre-shared symmetric key.

How pre-shared symmetric keys are used to determine the location of authentication information

This method uses a pre-shared symmetric key to determine the location of authentication information. More specifically, based on the position of each bit of the bit string constituting the pre-shared symmetric key and the bit value of the corresponding position, the bits of authentication information corresponding to the positions of each bit are used as authentication information.

Figure 18 is a diagram for explaining how a pre-shared symmetric key is used to determine the location of authentication information. Referring to FIG. 18, the pre-shared symmetric key 1820 is used to select a portion of the checking sequence 1810 for QBER estimation, which is message information input for MAC generation, and the bits of the entire checking sequence 1810. Among these, some bits selected by the pre-shared symmetric key 1820 constitute the MAC. That is, the pre-shared symmetric key (Pre-shared key) 1820 is used to determine which position value in the checking sequence (1810) will be used as MAC information for authentication. More specifically, from the bit string constituting the pre-shared symmetric key, the checking sequence value corresponding to the position of the bit whose bit value is 1 is extracted, and the extracted sequence is used as MAC information. The remaining sequences other than the extracted sequence, that is, the checking sequence values corresponding to the positions of bits with a bit value of 0, are not used as MAC information and are discarded. Conversely, the checking sequence value corresponding to the position of the bit where the bit value is 0 is extracted, and the extracted sequence may be used as MAC information. In this method, the length of the bit string constituting the pre-shared symmetric key and the length of the bit string constituting the reused checking sequence may be the same. In summary, at least one bit in the bit string of the reused checking sequence at a position corresponding to the position of at least one bit with a specific bit value in the bit string of the shared symmetric key is sent to the authentication message (MAC). can be used

Since only the pre-arranged transmitting and receiving ends have the same symmetric key, the transmitting and receiving ends can generate the same MAC information, and this method can be used as an authentication method between the transmitting and receiving ends. This method is effective in generating MAC information from an authentication message with low complexity when configuring the authentication protocol without using a complex MAC algorithm as before.

Figure 19 is a diagram showing the overall sequence of the user authentication process to which the method proposed in this specification is applied.

S1910: In this step, QBER estimation information is generated. More specifically, the transmitting end 1910 generates QBER estimation information (checking sequence) (1.), converts it into a quantum state corresponding to the value of the QBER estimation information, and transmits it to the receiving end 1920 through a quantum channel (2.) . and 3.). Afterwards, the receiving end (1920) measures the QBER estimation information converted to a quantum state based on random measurement (4.), and determines the location of the measured information and the basis used for measurement (5.). Next, the receiving end 1920 transmits information about the location of the measured information and basis information used for measurement to the transmitting end 1910 (6.). Next, the transmitting end 1910 selects information corresponding to the location where the receiving end 1920 performed the measurement using the same basis as the basis used for quantum state conversion at the transmitting end (7.).

S1920: At this stage, it is decided whether to proceed with authentication using QBER estimation and the estimation result. More specifically, the receiving end 1920 stores the measured value and basis (8.). Next, the receiving end 1920 transmits the value measured at the receiving end to the transmitting end 1910 (9.). Afterwards, the transmitting end 1910 compares the information generated and transmitted by the transmitting end 1910 with the measured value at the receiving end 1920 and performs QBER estimation (10.). At this time, if the QBER estimate value is equal to or smaller than the preset threshold, user authentication is performed. If the QBER estimate value is greater than the preset threshold, the transmission process is stopped and user authentication is not performed (11.)

S1930: In this step, a process is performed to match the message information used for authentication between the transmitting and receiving ends. More specifically, since a certain percentage of errors occur in the checking sequence for QBER estimation transmitted as authentication message information through a quantum channel due to the quantum channel passing process, etc., the checking sequence at the transmitting and receiving end may not completely match. . In other words, the QBER estimation result (ex) 5%) is lower than the threshold (ex) 11%), so it can be determined that there is no eavesdropper, but the value of the QBER estimation result is not 0, and in this case, the QBER estimation result is not 0. The value of may be due to a certain ratio occurring due to the quantum channel passing process in the checking sequence for QBER estimation. Because of this, the checking sequence generated at the transmitting end 1910 and the checking sequence determined from the measured value at the receiving end 1920 may not completely match. At this time, if the checking sequence generated by the transmitting end (1910) and the checking sequence measured by the receiving end (1920), which do not completely match, are applied as the message value for authentication at the sending and receiving end, the sending end (1910) due to message mismatch And the receiving end 1920 cannot output the same MAC, so authentication always fails. To solve the problem that the checking sequence generated at the transmitting end 1910 and the checking sequence measured at the receiving end 1920 do not completely match, step S1930, which is an error correction process of message information to be used for authentication, may be added. Through step S1930, the checking sequence generated at the transmitting end 1910 and the receiving checking sequence in which an error occurred due to the receiving process at the receiving end 1920 can be completely matched.

More specifically, the transmitter 1910 starts the user authentication process (11.) and transmits the basis and measurement value corresponding to the measurement position (12.). In other words, the transmitting end 1910 transmits (i) location information on what basis was used to convert the bits constituting the checking sequence into a quantum state and (ii) information about the checking sequence value converted to a quantum state. do. Next, based on the position information, the receiving end 1920 selects only the measurement values corresponding to the same position as the basis used for quantum state conversion at the transmitting end 1910 and the basis used for measurement at the receiving end 1920. Select (13.), and compare the information on the checking sequence value converted to quantum state transmitted from the transmitting end (1910) with the value measured by the receiving end (1920) (14.). As a result of the comparison, bit flip error correction is performed on the discrepancy between the information received from the transmitting end 1910 and the value measured by the receiving end 1920 (15.).

S1940: In this step, user authentication is performed. More specifically, since the message information to be used in the authentication process of the transmitting and receiving ends matches through step S1930, based on the matched message information (checking sequence), the sending and receiving ends each use the method described in FIG. 18 (the pre-shared symmetric key is used in the MAC (used to determine the location of message information to be used) is applied to generate and output the MAC (16.). Afterwards, the receiving end 1920 transmits the generated MAC to the transmitting end 1910 (17.). The transmitting end 1910 compares the MAC generated by the transmitting end 1910 with the MAC received from the receiving end 1920 (18.), and if the MAC of the transmitting end 1910 matches the MAC of the receiving end 1920, authentication is successful. If the MAC of the transmitting end 1910 and the MAC of the receiving end 1920 do not match, it is determined that authentication has failed. At this time, even if there is a third party attempting a man-in-the-middle attack on the channel between the transmitter and receiver, the third party does not possess the symmetric key information pre-shared with the transmitter and receiver, so even if the third party steals the message information, the third party Since the user cannot know which location value is used to generate the MAC, it is impossible for a third party to generate MAC information identical to the MAC generated at the transmitting and receiving end.

How the pre-shared symmetric key is used for XOR operation with the message to generate MAC

This method uses a pre-shared symmetric key to perform an XOR operation with the message for MAC generation. Figure 20 is a diagram illustrating an example of a method in which a pre-shared symmetric key is used for an XOR operation with a message for MAC generation. Referring to FIG. 20, the checking sequence used for QBER estimation is used as an input message in the authentication process (S2010), and according to the value of the first bit information of the pre-shared symmetric key, the odd position of the input message (checking sequence) The value of or the value of the even position is used as input information to be used for authentication (S2020). Here, the pre-shared symmetric key can be set/generated to be half the length of the checking sequence. At this time, if the value of the first bit information of the pre-shared symmetric key is 0, then the value of the odd-numbered position in the input message, and if the value of the first bit information of the pre-shared symmetric key is 1, the value of the even-numbered position of the input message This is used as input information for authentication. Conversely, if the value of the first bit of the pre-shared symmetric key is 0, the value of the even-numbered position in the input message is 1. If the value of the first bit of information of the pre-shared symmetric key is 1, the value of the odd-numbered position of the input message is It can also be used as input information for authentication. Step S2020 corresponds to step 16 of FIG. 21, which will be described below. After reducing the size of the input value required for MAC generation by half through the S2020 step, XOR operation is used as the MAC algorithm, and a pre-shared symmetric key and compressed message value are used as the MAC algorithm input value. Afterwards, the MAC is output by performing an XOR operation on the pre-shared symmetric key and the compressed message value (S2030). Step S2030 corresponds to step 17 of FIG. 21, which will be described below.

In this method, only half the length of the checking sequence is used for the XOR operation with the pre-shared symmetric key, so the length of the pre-shared symmetric key can be configured to be shorter than the checking sequence length. When the length of the bit string of the checking sequence is an even number, the length of the bit string of the pre-shared authentication key may be set to half the length of the bit string of the checking sequence. In addition, when the length of the bit string of the checking sequence is an odd number: When bit values at odd positions in the bit string of the checking sequence are used to generate the authentication message, the length of the bit string of the pre-shared authentication key is set to a length obtained by rounding up half the length of the bit string of the checking sequence, and when bit values at even positions in the bit string of the checking sequence are used to generate the authentication message, the pre-shared authentication key The length of the bit string of may be set to a length obtained by rounding down half of the length of the bit string of the checking sequence.

Figure 21 is a diagram showing the overall sequence of the user authentication process to which the method proposed in this specification is applied.

S2110: In this step, QBER estimation information is generated. More specifically, the transmitting end 2110 generates QBER estimation information (checking sequence) (1.), converts it into a quantum state corresponding to the value of the QBER estimation information, and transmits it to the receiving end 2120 through a quantum channel (2.) . and 3.). Afterwards, the receiving end 2120 measures the QBER estimation information converted to a quantum state based on random measurement (4.), and determines the location of the measured information and the basis used for measurement (5.). Next, the receiving end 2120 transmits information about the location of the measured information and basis information used for measurement to the transmitting end 2110 (6.). Next, the transmitting end 2110 selects information corresponding to the location where the receiving end 2120 performed the measurement using the same basis as the basis used for quantum state conversion at the transmitting end (7.).

S2120: At this stage, it is decided whether to proceed with authentication using QBER estimation and the estimation result. More specifically, the receiving end 2120 stores the measured value and basis (8.). Next, the receiving end 2120 transmits the value measured at the receiving end to the transmitting end 2110 (9.). Afterwards, the transmitting end 2110 compares the information generated and transmitted by the transmitting end 2110 with the measured value at the receiving end 2120 and performs QBER estimation (10.). At this time, if the QBER estimate value is equal to or smaller than the preset threshold, user authentication is performed. If the QBER estimate value is greater than the preset threshold, the transmission process is stopped and user authentication is not performed (11.)

S2130: In this step, a process is performed to match the message information used for authentication by the transmitting and receiving ends. More specifically, since a certain percentage of errors occur in the checking sequence for QBER estimation transmitted as message information through a quantum channel due to the quantum channel passage process, etc., the checking sequence at the transmitting and receiving end may not completely match. In other words, the QBER estimation result (ex) 5%) is lower than the threshold (ex) 11%), so it can be determined that there is no eavesdropper, but the value of the QBER estimation result is not 0, and in this case, the QBER estimation result is not 0. The value of may be due to a certain ratio occurring due to the quantum channel passing process in the checking sequence for QBER estimation. Because of this, the checking sequence generated by the transmitting end 2110 and the checking sequence determined from the values measured by the receiving end 2120 may not completely match. At this time, if the checking sequence generated by the transmitting end (2110) and the checking sequence measured by the receiving end (2120), which do not completely match, are applied as the message value for authentication at the sending and receiving end, the sending end (2110) due to message mismatch And the receiving end 2120 cannot output the same MAC, so authentication always fails. To solve the problem that the checking sequence generated at the transmitting end 2110 and the checking sequence measured at the receiving end 2120 do not completely match, step S2130, which is an error correction process of message information to be used for authentication, may be added. Through step S2130, the checking sequence generated at the transmitting end 2110 and the receiving checking sequence in which an error occurred due to the receiving process at the receiving end 2120 can be completely matched.

More specifically, the transmitter 2110 starts the user authentication process (11.) and transmits the basis and measurement value corresponding to the measurement position (12.). In other words, the transmitting end 2110 transmits (i) location information on what basis was used to convert the bits constituting the checking sequence into a quantum state and (ii) information about the checking sequence value converted to a quantum state. do. Next, based on the position information, the receiving end 2120 selects only the measurement values corresponding to the position where the basis used for quantum state conversion at the transmitting end 2110 and the basis used for measurement at the receiving end 2120 are the same. Select (13.), and compare the information on the checking sequence value converted to quantum state transmitted from the transmitting end (2110) with the value measured by the receiving end (2120) (14.). As a result of the comparison, bit flip error correction is performed on the discrepancy between the information received from the transmitting end 2110 and the value measured by the receiving end 2120 (15.).

S2140: In this step, user authentication is performed. More specifically, since the message information to be used in the authentication process of the transmitting and receiving ends matches through step S2130, based on the matched message information (checking sequence), the sending and receiving ends each use the method described in FIG. 20 (the pre-shared symmetric key is used in the MAC (used in XOR operation with input information to generate message information to be used) is applied to generate and output MAC (16.). Afterwards, the receiving end 2120 transmits the generated MAC to the transmitting end 2110 (17.). The transmitting end 2110 compares the MAC generated by the transmitting end 2110 with the MAC received from the receiving end 2120 (18.), and if the MAC of the transmitting end 2110 matches the MAC of the receiving end 2120, authentication is successful. If the MAC of the transmitting end 2110 and the MAC of the receiving end 2120 do not match, it is determined that authentication has failed. At this time, even if there is a third party attempting a man-in-the-middle attack on the channel between the transmitter and receiver, the third party does not possess the symmetric key information pre-shared with the transmitter and receiver, so even if the third party steals the message information, the third party Since the user cannot know which location value is used to generate the MAC, it is impossible for a third party to generate MAC information identical to the MAC generated at the transmitting and receiving end.

In the case of this method, since the authentication message information is compressed, this has the effect of reducing the size of the pre-shared symmetric key by half. Since the symmetric key must be discarded and renewed after one use, minimizing the size of the symmetric key is essential to simplify the renewal process. In QKD, some of the secret keys are used as symmetric keys for the authentication process, so minimizing the symmetric key size It has the effect of minimizing the loss of the secret key.

A method in which a pre-shared symmetric key is used to select a hash function to be used for MAC generation among the hash functions that constitute the hash function set H used as the MAC algorithm.

This method relates to a method in which a pre-shared symmetric key is used to select a hash function to be used for MAC generation among the hash functions constituting the hash function set H used as the MAC algorithm. Figure 22 is a diagram to explain how a pre-shared symmetric key is used to select a hash function to be used for MAC generation among hash functions constituting the hash function set H used in the MAC algorithm. Referring to Figure 22, the checking sequence (2210) used in QBER estimation is used as an input value of the Hash function set used in the MAC algorithm, and the value of the pre-shared symmetric key is used to configure the hash function set H (2220). It is decided which hash function to select among the many hash functions. Therefore, the length of the pre-shared key is

It is bits (R: the number of hash functions that make up H), and is set to a length that can distinguish all the hash functions that make up the hash function set H.

Figure 23 is a diagram showing the overall sequence of the user authentication process to which the method proposed in this specification is applied. In the case of this method, the transmission and reception starts the authentication process after sharing not only the preshared key but also the Universal 2 hash function set to be used as the MAC algorithm in advance before the authentication process.

S2310: In this step, QBER estimation information is generated. More specifically, the transmitting end 2310 generates QBER estimation information (checking sequence) (1.), converts it into a quantum state corresponding to the value of the QBER estimation information, and transmits it to the receiving end 2320 through a quantum channel (2.) . and 3.). Afterwards, the receiving end 2320 measures the QBER estimation information converted to a quantum state based on random measurement (4.), and determines the location of the measured information and the basis used for measurement (5.). Next, the receiving end 2320 transmits information about the location of the measured information and basis information used for measurement to the transmitting end 2310 (6.). Next, the transmitting end 2310 selects information corresponding to the location where the receiving end 2320 performed the measurement using the same basis as the basis used for quantum state conversion at the transmitting end (7.).

S2320: At this stage, it is decided whether to proceed with authentication using QBER estimation and the estimation result. More specifically, the receiving end 2320 stores the measured value and basis (8.). Next, the receiving end 2320 transmits the value measured at the receiving end to the transmitting end 2310 (9.). Afterwards, the transmitting end 2310 compares the information generated and transmitted by the transmitting end 2310 with the measured value at the receiving end 2320 and performs QBER estimation (10.). At this time, if the QBER estimate value is equal to or smaller than the preset threshold, user authentication is performed. If the QBER estimate value is greater than the preset threshold, the transmission process is stopped and user authentication is not performed (11.)

S2330: In this step, a process is performed to match the message information used for authentication by the transmitting and receiving ends. More specifically, since a certain percentage of errors occur in the checking sequence for QBER estimation transmitted as message information through a quantum channel due to the quantum channel passage process, etc., the checking sequence at the transmitting and receiving end may not completely match. In other words, the QBER estimation result (ex) 5%) is lower than the threshold (ex) 11%), so it can be determined that there is no eavesdropper, but the value of the QBER estimation result is not 0, and in this case, the QBER estimation result is not 0. The value of may be due to a certain ratio occurring due to the quantum channel passing process in the checking sequence for QBER estimation. Because of this, the checking sequence generated at the transmitting end 2310 and the checking sequence determined from the measured value at the receiving end 2320 may not completely match. At this time, if the checking sequence generated by the transmitting end (2310) and the checking sequence measured by the receiving end (2320), which do not completely match, are applied as the message value for authentication at the sending and receiving end, the sending end (2310) due to message mismatch And the receiving end 2320 cannot output the same MAC, so authentication always fails. In order to solve the problem that the checking sequence generated at the transmitting end 2310 and the checking sequence measured at the receiving end 2320 do not completely match, step S2330, which is an error correction process of message information to be used for authentication, may be added. Through step S2330, the checking sequence generated at the transmitting end 2310 and the receiving checking sequence in which an error occurred due to the receiving process at the receiving end 2320 can be completely matched.

More specifically, the transmitter 2310 starts the user authentication process (11.) and transmits the basis and measurement value corresponding to the measurement position (12.). In other words, the transmitting end 2310 transmits (i) location information on what basis was used to convert the bits constituting the checking sequence into a quantum state and (ii) information about the checking sequence value converted to a quantum state. do. Next, based on the position information, the receiving end 2320 selects only the measurement values corresponding to the same position as the basis used for quantum state conversion at the transmitting end 2310 and the basis used for measurement at the receiving end 2320. Select (13.), and compare the information on the checking sequence value converted to quantum state transmitted from the transmitting end (2310) with the value measured by the receiving end (2320) (14.). As a result of the comparison, bit flip error correction is performed on the discrepancy between the information received from the transmitting end 2310 and the value measured by the receiving end 2320 (15.).

S2340: In this step, user authentication is performed. More specifically, since the message information to be used in the authentication process of the transmitting and receiving ends matches through step S2330, based on the matched message information (checking sequence), the sending and receiving ends each use the method described in FIG. 20 (the pre-shared symmetric key hash A MAC is generated and output by applying the function set (used to select a specific hash function to be used for MAC generation) (16.). Afterwards, the receiving end 2320 transmits the generated MAC to the transmitting end 2310 (17.). The transmitting end 2310 compares the MAC generated by the transmitting end 2310 with the MAC received from the receiving end 2320 (18.), and if the MAC of the transmitting end 2310 matches the MAC of the receiving end 2320, authentication is successful. If the MAC of the transmitting end 2310 and the MAC of the receiving end 2320 do not match, it is determined that authentication has failed. At this time, even if there is a third party attempting a man-in-the-middle attack on the channel between the transmitter and receiver, the third party does not possess the symmetric key information pre-shared with the transmitter and receiver, so even if the third party steals the message information, the third party Since the user cannot know which location value is used to generate the MAC, it is impossible for a third party to generate MAC information identical to the MAC generated at the transmitting and receiving end.

In the case of this method, since third parties other than the transmitting end and the receiving end cannot share the pre-shared key information and the hash function set, MAC information is output using one function among the many hash functions that make up the hash function set. Since there is no choice but to take this method, the more hash functions are used, the higher safety can be guaranteed.

How to update pre-shared symmetric key

This method relates to a method for updating a pre-shared symmetric key. The user authentication technique using the MAC algorithm uses symmetric key information in the form of one time pad (OTP) to ensure high security in the authentication process. Therefore, when one user authentication is completed, the updated symmetric key is used for the next authentication to prevent the same symmetric key from being used more than once, thereby ensuring safety. To update symmetric key information, the QKD technique among existing quantum communication techniques proposes a method of using some of the final secret keys shared between the transmitter and receiver as a preshared key for authentication, and ETSI also uses this method to update the symmetric key. It is presented as a standard technique for

Since secret keys are not used in general quantum communication technologies except QKD, a symmetric key update method for quantum communication techniques in which secret keys are not used is needed. In this case, in order to update a symmetric key that has already been used, information in a form that has a different value from the existing symmetric key and at the same time a different value each time is required.

Figure 24 is a diagram for explaining a pre-shared symmetric key update method.

Referring to FIG. 24, an XOR operation 2430 is performed to combine message information 2410 transmitted through a quantum channel, which is information that changes every time, and preshared key information 2420 used for the last user authentication, and the result of the XOR operation is Used as an updated preshared key to be used for next user authentication.

Through this method, it is possible to update preshared key information for user authentication even in quantum communication techniques that do not use secret keys.

effect

This specification proposes a method to increase the reliability and efficiency of the user authentication process of the transmitter and receiver, who are the users of information transmitted through a quantum channel, and can have the following effects.

(1) It has the effect of not using additional resources for authentication by suggesting a method of recycling existing transmission information without creating additional message information for authentication. To this end, this specification explains that the checking sequence used in the QBER estimation step transmitted through a quantum channel can be reused rather than discarded after the QBER estimation step is completed and used as a message in the authentication process.

(2) Since the existing user authentication technique is performed through information transmitted through the classical channel, it is possible to verify whether the user connected to the classical channel is a trustworthy user, but there are limitations to the authentication process that must assume that the quantum channel will always be the same user. This exists. To solve this problem, this specification has the effect of ensuring the reliability of the authentication process by performing authentication using information used for QBER estimation transmitted on a quantum channel.

(3) In this specification, we propose a method to generate MAC with low complexity by using the preshared key value to select location information/operation factors/hash function for MAC generation, thereby creating a MAC algorithm with a complex structure such as a universal hash function. It has the effect of solving the problem of existing authentication techniques with high complexity by repeatedly applying the Hash function and Preshared key in the MAC creation process.

(4) This specification proposes a method of performing authentication by generating a new preshared key by combining newly transmitted message information and the used preshared key each time. In order to ensure high security of the authentication process, the preshared key information is used for one authentication only. When the process is completed, it is discarded, updated with new key information, and must be used in the next authentication process. However, the existing key renewal technique is presented only in QKD, and there is no method of updating the preshared key in the authentication process of the remaining quantum communication techniques, and the QKD method Even in this case, it has the effect of solving the problem of using an inefficient method of discarding some of the resources used for communication for authentication by replacing some of the secret keys used for information encryption with a preshared key for authentication. In particular, when the method proposed in this specification is applied to QKD, unlike the existing method, there is no need to use some of the secret keys for authentication, which has the effect of improving the key rate of the quantum cryptography communication process.

Figure 25 is a flowchart showing an example of how the user authentication method proposed in this specification is performed at the transmitting end.

First, the transmitting end transmits QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation to determine whether or not there is eavesdropping on a quantum channel to the receiving end (S2510) ).

Next, the transmitting end performs the QBER estimation based on the receiving end and the QBER estimation information (S2520).

Thereafter, the transmitting end performs the authentication with the receiving end by reusing the checking sequence based on the result of the QBER estimation (S2530). At this time, the authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key previously shared between the transmitting end and the receiving end.

Additionally, the transmitting end includes a transmitter for transmitting a wireless signal; A receiver for receiving wireless signals; at least one processor; and at least one computer memory operably connectable to the at least one processor and storing instructions that, when executed by the at least one processor, perform operations. At this time, the operations include the steps described in FIG. 25 above.

Additionally, the operations described in FIG. 25 may be stored in a non-transitory computer readable medium (CRM) that stores one or more instructions. The non-transitory computer-readable medium stores one or more instructions executable by one or more processors, and the one or more instructions cause the transmitter to perform the operation described in FIG. 25.

Additionally, a device including one or more memories and one or more processors functionally connected to the one or more memories, wherein the one or more processors control the device to perform the operations described in FIG. 25 .

Figure 26 is a flowchart showing an example of how the user authentication method proposed in this specification is performed at the receiving end.

First, the receiving end receives QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation to determine whether or not there is eavesdropping on a quantum channel from the transmitting end (S6510). .

Next, the receiving end performs the QBER estimation based on the transmitting end and the QBER estimation information (S2620).

Thereafter, the receiving end performs the authentication with the transmitting end by reusing the checking sequence based on the result of the QBER estimation (S2630). At this time, the authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key previously shared between the transmitting end and the receiving end.

Additionally, the receiving end includes a transmitter for transmitting a wireless signal; A receiver for receiving wireless signals; at least one processor; and at least one computer memory operably connectable to the at least one processor and storing instructions that, when executed by the at least one processor, perform operations. At this time, the operations include the steps described in FIG. 26 above.

Additionally, the operations described in FIG. 26 may be stored in a non-transitory computer readable medium (CRM) that stores one or more instructions. The non-transitory computer-readable medium stores one or more instructions executable by one or more processors, and the one or more instructions cause the receiving end to perform the operation described in FIG. 26.

Additionally, a device including one or more memories and one or more processors functionally connected to the one or more memories, the one or more processors control the device to perform the operations described in FIG. 26.

The embodiments described above combine the elements and features of the present specification in a predetermined form. Each component or feature should be considered optional unless explicitly stated otherwise. Each component or feature may be implemented in a form that is not combined with other components or features. Additionally, it is possible to configure embodiments of the present specification by combining some components and/or features. The order of operations described in the embodiments of this specification may be changed. Some features or features of one embodiment may be included in other embodiments or may be replaced with corresponding features or features of other embodiments. It is obvious that claims that do not have an explicit reference relationship in the patent claims can be combined to form an embodiment or included as a new claim through amendment after filing.

Embodiments according to the present specification may be implemented by various means, for example, hardware, firmware, software, or a combination thereof. In the case of implementation by hardware, an embodiment of the present specification includes one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), and FPGAs ( It can be implemented by field programmable gate arrays, processors, controllers, microcontrollers, microprocessors, etc.

In the case of implementation by firmware or software, an embodiment of the present specification may be implemented in the form of a module, procedure, function, etc. that performs the functions or operations described above. Software code can be stored in memory and run by a processor. The memory is located inside or outside the processor and can exchange data with the processor through various known means.

It is obvious to those skilled in the art that the present specification can be embodied in other specific forms without departing from the essential features of the present specification. Accordingly, the above detailed description should not be construed as restrictive in all respects and should be considered illustrative. The scope of this specification should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of this specification are included in the scope of this specification.

This specification has been explained with a focus on examples applied to 3GPP LTE/LTE-A, 5G systems, and quantum communication systems, but it can also be applied to various wired/wireless communication systems in addition to 3GPP LTE/LTE-A, 5G systems, and quantum communication systems. possible.

Claims (20)

1. The method for the transmitter to perform authentication in a quantum communication system is:

   Transmitting, to a receiving end, QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel;

   performing the QBER estimation based on the receiving end and the QBER estimation information; and

   Based on the result of the QBER estimation, performing the authentication with the receiving end by reusing the checking sequence,

   The method is characterized in that the authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key pre-shared between the transmitting end and the receiving end.
2. According to claim 1,

   To the receiving end, error correction information is provided to correct errors between (i) the bit value of the checking sequence generated by the transmitting end and (ii) the bit value of the receiving end checking sequence obtained by the receiving end by measuring the QBER estimation information. A method further comprising the step of transmitting.
3. According to claim 2,

   The error correction information includes (i) information about the bit value of the checking sequence and (ii) information about the basis used for polarization coding for a bit at a specific position within the bit string of the checking sequence. How to.
4. According to clause 3,

   (a) (i) the basis used for polarization coding for a bit at a specific position within the bit string of the checking sequence at the transmitting end and (ii) at a specific position within the bit string of the checking sequence at the transmitting end. When the basis used to measure the corresponding QBER estimation information is the same, and (b) (i) the bit value of the bit at the specific position and (ii) the measured value of the QBER estimation information corresponding to the specific position are different , A method characterized in that the measured value at the receiving end of the QBER estimation information corresponding to the specific location is corrected to the same value as the bit value of the bit of the specific location based on the error correction information.
5. According to claim 1,

   A method wherein an authentication message for the authentication is generated based on (i) the reused checking sequence and (ii) the pre-shared symmetric key.
6. According to claim 5,

   wherein the pre-shared symmetric key is used to determine the positions of bits used in generating the authentication message in the bit string of the reused checking sequence.
7. According to claim 6,

   A method wherein the length of the bit string of the pre-shared symmetric key and the length of the bit string constituting the reused checking sequence are the same.
8. According to claim 7,

   Characterized in that at least one bit in the bit string of the reused checking sequence at a position corresponding to the position of at least one bit with a specific bit value in the bit string of the pre-shared symmetric key is the authentication message. How to.
9. According to claim 6,

   Based on the bit value of the first position of the bit string of the pre-shared symmetric key, the bit values of odd positions or the bit values of even positions of the bit string of the reused checking sequence are used to generate the authentication message. Method characterized by being used.
10. According to clause 9,

    The authentication message is characterized in that it is generated based on (i) the pre-shared symmetric key and (ii) an XOR operation on bit values in odd positions or bit values in even positions in the bit string of the checking sequence. How to.
11. According to claim 10,

    When bit values in odd positions in the bit string of the checking sequence are used to generate the authentication message, bit values in odd positions in the pre-shared symmetric key are used in an XOR operation,

    When bit values in even positions in the bit string of the checking sequence are used to generate the authentication message, bit values in even positions in the pre-shared symmetric key are used in an XOR operation. .
12. According to claim 5,

    wherein the pre-shared symmetric key is used to select a hash function for generating the authentication message.
13. According to claim 12,

    The reused checking sequence is used as an input to a hash function that is mapped to the bit value of the pre-shared symmetric key,

    A method wherein the output value of the hash function mapped to the bit value of the pre-shared symmetric key is the authentication message.
14. According to claim 1,

    Based on the authentication result, transmitting message information to the receiving end over a quantum channel; and

    The method further comprising updating the pre-shared symmetric key based on (i) the message information and (ii) the pre-shared symmetric key.
15. According to claim 14,

    Based on (i) the message information and (ii) an XOR operation on the pre-shared symmetric key, the pre-shared symmetric key is updated.
16. The transmitting end that performs authentication in the quantum communication system is,

    A transmitter for transmitting wireless signals;

    A receiver for receiving wireless signals;

    at least one processor; and

    at least one computer memory operably connectable to the at least one processor and storing instructions that, when executed by the at least one processor, perform operations;

    The above operations are,

    Transmitting, to a receiving end, QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel;

    performing the QBER estimation based on the receiving end and the QBER estimation information; and

    Based on the result of the QBER estimation, performing the authentication with the receiving end by reusing the checking sequence,

    A transmitting end, characterized in that the authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key pre-shared between the transmitting end and the receiving end.
17. The method for the receiving end to perform authentication in a quantum communication system is:

    Receiving, from a transmitting end, QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel;

    performing the QBER estimation based on the transmitter and the QBER estimation information; and

    Based on the result of the QBER estimation, performing the authentication with the transmitting end by reusing the checking sequence,

    The method is characterized in that the authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key pre-shared between the transmitting end and the receiving end.
18. The receiving end that performs authentication in the quantum communication system is,

    A transmitter for transmitting wireless signals;

    A receiver for receiving wireless signals;

    at least one processor; and

    at least one computer memory operably connectable to the at least one processor and storing instructions that, when executed by the at least one processor, perform operations;

    The above operations are:

    Receiving, from a transmitting end, QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel;

    performing the QBER estimation based on the transmitter and the QBER estimation information; and

    Based on the result of the QBER estimation, performing the authentication with the transmitting end by reusing the checking sequence,

    A receiving end, characterized in that the authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key pre-shared between the transmitting end and the receiving end.
19. In a non-transitory computer readable medium (CRM) storing one or more instructions,

    One or more instructions executable by one or more processors are provided by the transmitting end:

    To the receiving end, control to transmit QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel,

    Controlling the receiving end to perform the QBER estimation based on the QBER estimation information,

    Based on the result of the QBER estimation, control is performed to perform the authentication with the receiving end by reusing the checking sequence,

    The authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key pre-shared between the transmitting end and the receiving end.
20. A device comprising one or more memories and one or more processors functionally connected to the one or more memories,

    The one or more processors allow the device to:

    To the receiving end, control to transmit QBER estimation information generated based on a checking sequence for QBER (Quantum Bit Error Rate) estimation for determining whether or not there is eavesdropping on a quantum channel,

    Controlling the receiving end to perform the QBER estimation based on the QBER estimation information,

    Based on the result of the QBER estimation, control is performed to perform the authentication with the receiving end by reusing the checking sequence,

    The authentication is performed based on (i) the reused checking sequence and (ii) a symmetric key pre-shared between the transmitting end and the receiving end.

Images