CN105959113A - Quantum password allocation method for preventing detector side channel attacks - Google Patents

Abstract

The invention relates to a quantum password allocation method for preventing detector side channel attacks. A quantum correlation between Alice and Bob is checked by random Bell detection on a receiving end Bob party under the condition that a detection device used in an existing measuring quantum password allocation scheme does not need to be improved, so that the presence of the detector side channel attacks is detected. Through adoption of the quantum password allocation method, existing detection side channel attacks can be effectively detected in a measuring quantum password allocation process, and the problem of leakage of detector side channel information is solved.

Description

For preventing the quantum key distribution method of detector side channel attack

Technical field

The present invention relates to quantum cryptography field, a kind of for preventing the quantum cryptography of detector side channel attack from dividing Method of completing the square.

Background technology

Preparation is measured quantum key distribution scheme and is had the advantage that speed is fast, password production rate is high, be easily achieved.But visit The attack surveying device side channel greatly destroys its safety, and listener-in Eve is can be in order under conditions of quantum principles Its invalid information is obtained, it means that she can eavesdrop communication and not be found by the defect of detector.Detector side channel is attacked Hit the safety to quantum key distribution and cause the biggest harm.Therefore detector must be carried out bigger improvement, to avoid detection The attack of device wing passage.

Taking some measures at present prevents these from attacking, for example unrelated with measurement apparatus quantum cryptography system System.In this case, the safety of measurement result depends on the monogynous tangled, it is achieved increasingly complex, and password production rate is relatively Low.Or use more perfect detector just to prevent from attacking.

Summary of the invention

It is an object of the invention to provide a kind of quantum key distribution method for preventing detector side channel attack, in order to Solve the dependence of existing method to tangle or the problem of detector.

For achieving the above object, the solution of the present invention includes:

Step one, transmitting terminal A select an information embedded mode at random, and random 0 or 1 are enrolled the quantum state of photon, send out To receiving terminal B；

Step 2, receiving terminal B arrange both of which: signal mode and test pattern；Receiving terminal B randomly chooses according to probability One of which pattern；In the signal mode, randomly choose that information reading manner reads that photon carries 0 or 1；Work as receiving terminal When B selects signal mode, the information that transmitting terminal A and receiving terminal B announces them by common signal channel embeds and reading manner, will letter Cease embedded mode those bits consistent with reading manner as cipher bits；At test pattern, specific information is selected to read Mode carries out Bell test；When receiving terminal B selects test pattern, transmitting terminal A and receiving terminal B calculates S by common signal channel_CHSH Value announce they base lose select and measurement result.

Step 3, after password distributes, cipher bits is carried out error correcting and privacy and is amplified by transmitting terminal A and receiving terminal B, For generating security password；Described S_CHSHValue be used for carrying out privacy amplification, according to S_CHSHSize and formula (6) judge to be marked The amount of the information of note number, if the amount of labeled information beyond the threshold value preset, then abandons；If below default threshold value, Then by relevant means, label information can be eliminated.Due to concrete elimination means and the application inquire into content without Close, and the paper in quantum cryptography field relates to more, therefore do not repeat them here.

Further, the information embedded mode of described transmitting terminal A includes oblique line baseWith straight line baseLetter Under number pattern, receiving terminal B basic vector existsWithIn randomly choose.

Further, under test pattern, receiving terminal B basic vector existsWithIn with Machine selects；S_CHSH≡<A₁B₁+A₁B₂+A₂B₁-A₂B₂>。

Further, the upper limit of the quantity of information of labeled receiving terminal B is estimated by following formula:

$I_E\&le;H_2\left(\frac{1+\sqrt{{(S_{CHSH}/2)}^2-1}}{2}\right),---\left(6\right)$

Wherein H₂(x)=-xlog₂x-(1-x)log₂(1-x) it is binary information entropy.

Further, receiving terminal B is respectively labeled as D except being used for decoding the detector of 0 and 1₀And D₁, also there is a spy Survey device D_t；Each detector arranges a time window, and in window, detector can detect the signal pulse of entrance effectively, Effective pulse can not be obtained at window external detector；D₀And D₁Detection efficient be labeled as η and D_tDetection efficient be η_t, than Relatively η and η_tWork as η_tDuring ＞ η, it is judged that detector side channel attack.

According to the custom of this area, transmitting terminal A is Alice, and receiving terminal B is Bob, listener-in Eve.The present invention need not Under conditions of the detection device used in existing preparation measurement quantum key distribution scheme is improved, by receiving terminal Bob side enters row stochastic Bell and checks the Quantum Correlation between Alice and Bob, thus detects detector side channel and attack Hit and whether exist.During quantum key distribution is measured in preparation, can effectively detect the detector side channel attack of existence, solve Detector side channel information leakage problem.Advantages of the present invention also includes: need not change preparation and measures quantum key distribution side Case (such as changes the quantum cryptography system unrelated with measurement apparatus into), it is ensured that the dispensing rate of quantum cryptography, password production rate etc. Unaffected.The program is not worried the efficiency of detector, because photon the most labeled in scheme can be used to calculate CHSH multinomial.The program realizes in quantum key distribution mode is measured in preparation, therefore without the concern for tangling.

Detailed description of the invention

The present invention will be further described in detail below.

The basic ideas of the present invention are to use preparation-measurement Bell test in quantum key distribution, and ultimate principle is:

According to the custom of this area, transmitting terminal A is Alice, and receiving terminal B is Bob, listener-in Eve.If Alice has one Individual single-photon source (can use weak coherent light source) in actual experiment, she is randomly chosenOrLight is prepared with 0 or 1 Sub-B, before measuring photon B, the state of photon B remains the quantum state prepared by Alice；

Bob is randomly chosen at baseWithThe upper photon measuring entrance laboratory；

Alice and Bob selects with their base and preparation (measurement) result calculates CHSH multinomial, if CHSH inequality Classical limit is broken, and illustrates that Quantum Correlation exists, and otherwise Quantum Correlation does not exists.

If the base of photon B is become estranged by Alice, value selects is completely random, then at S_CHSH≡<A₁B₁+A₁B₂+ A₂B₁-A₂B₂Can obtain in >

$<A_2{B}_1>={\frac{1}{2}}_B<0\left|B_1\right|0>-\frac{1}{2}<1\left|B_1\right|1{>}_B---\left(1\right)$

Similarly have,

$\begin{array}{c}<A_2{B}_2>={\frac{1}{2}}_B<0\left|B_2\right|0{>}_B-{\frac{1}{2}}_B<1\left|B_2\right|1{>}_B\\ <A_1{B}_1>={\frac{1}{2}}_B<+\left|B_1\right|+>-{\frac{1}{2}}_B<-\left|B_1\right|-{>}_B\\ <A_1{B}_2>={\frac{1}{2}}_B<+\left|B_2\right|+>-{\frac{1}{2}}_B<-\left|B_2\right|-{>}_B\end{array}---\left(2\right)$

WithWithSubstitute B₁、B₂, obtainTherefore can obtain

Quantum theory and local hidden variable theories are the most incompatible, and the conflict without leak Bell inequality means office Territory hidden variable theory can be excluded.Otherwise, if the conflict without leak Bell inequality cannot be obtained, mean that quantum is managed Opinion is wrong.Recently, the conflict without leak Bell inequality has obtained the verification experimental verification of three groups.These important results Mean that local hidden variable theories is incorrect.Based on the fact that, we can be by a simple and effective way Prevent preparation measure quantum key distribution process when present in the attack of detector side channel.Need not experimental provision Under conditions of improving, the amount checking between Alice and Bob by receiving terminal Bob side is entered row stochastic Bell test Son association, thus detect whether detector side channel attack exists.

The method that the present invention is described below as a example by the BB84 scheme improved, it should be noted that the method for the present invention is not Can be only used for BB84 scheme, it is also possible to for other quantum key distribution schemes.

BB84 scheme based on preparation-measurement Bell test:

Step one, Alice laboratory generate n single photon, Alice is at oblique line baseStraight line baseWith 0, any value in 1 randomly chooses and prepares these photons, and then these photons send and give Bob.

Step 2, Bob have both of which: he selects the probability of signal mode to be p, and the probability selecting test pattern is 1-p (preferably, only Bob oneself knows the value of p).In signal mode, measure basic vector existWithIn select at random Select, test pattern is measured basic vector and existsWithIn randomly choose.

When Bob selects signal mode, Alice and Bob announces their measurement basic vector by common signal channel, and they are him Measurement result be saved in identical basic vector as screening cipher bits.

When Bob selects test pattern, Alice and Bob calculates S by common signal channel_CHSHValue announce their base Lose and select and measurement result.

Step 3, after password distributes, the cipher bits of screening is carried out error correcting and privacy and is amplified by Alice and Bob, If security password can be generated, then password distribution task just completes, and otherwise task just have failed.Above-mentioned error correction process Relevant to the result of above-mentioned signal mode, privacy is amplified relevant to the measurement result of test pattern.Error correcting i.e. passes through error code Rate judges whether the process of fatal eavesdropping.

The principle of such scheme is, by increasing a test pattern in password assigning process, by test pattern Result carries out privacy amplification such that it is able to generate security password.

Concrete theory analysis is as follows: because Alice randomly chooses basic vector and the value of photon B, stateUnder conditions of conjugated radicle loses, the preparation of state is consistent, Eve Which can not find out state to prepare.If she carries out state recognition task to photon, it is necessary for introducing interference.The most any Under conditions of loss, it can be assumed that Eve acts on photon B with a probe.If depending on the phase interaction between probe and photon With for unitary evolution, can obtain

$\begin{array}{c}\left|0{>}_A\right|0{>}_B|E>\stackrel{U}{\&RightArrow;}|0{>}_A\left(\sqrt{f}\right|0{>}_B|0{>}_E+\sqrt{e}|1{>}_B)\left|1{>}_E\right),\\ \left|1{>}_A\right|1{>}_B|E>\stackrel{U}{\&RightArrow;}|1{>}_A\left(\sqrt{f}\right|1{>}_B|0{>}_E+\sqrt{e}|0{>}_B)\left|1{>}_E\right),\\ |+{>}_A|+{>}_B|E>\stackrel{U}{\&RightArrow;}|+{>}_A\left(\sqrt{f}\right|+{>}_B|+{>}_E+\sqrt{e}|-{>}_B)|-{>}_E),\\ |-{>}_A|-{>}_B|E>\stackrel{U}{\&RightArrow;}|-{>}_A\left(\sqrt{f}\right|-{>}_B|+{>}_E+\sqrt{e}|+{>}_B)|-{>}_E).\end{array}---\left(3\right)$

Here | E > it is the blank state of Eve probe, f and e is that photon B polarization is constant and polarization occurs the general of upset respectively Rate, e generally also shows quantum bit error rate in the information that Eve eavesdrops.Quantity of information H between Alice and Bob₂E () is generally used Correct their Bit String mistake, and binary entropy is H₂(x)=-xlo₂gx-(1-x)lo₂gx。

After under Eve attacks, < A₂B₁> result that recalculates is

$\begin{array}{c}<A_2{B}_1>=f({\frac{1}{2}}_B<0|B_1|0{>}_B-{\frac{1}{2}}_B<1|B_1|1{>}_B+e({\frac{1}{2}}_B<1\left|B_1\right|1{>}_B-{\frac{1}{2}}_B<0\left|B_1\right|0{>}_B\\ =(f-e)({\frac{1}{2}}_B<0|B_1|0{>}_B-{\frac{1}{2}}_B<1|B_1|1>)\end{array}---\left(4\right)$

It is likewise possible to obtain

$<A_2{B}_2>=(f-e)({\frac{1}{2}}_B<0|B_2|0{>}_B-{\frac{1}{2}}_B<1|B_2\left|1{>}_B\right),$

$<A_1{B}_1>=(f-e)({\frac{1}{2}}_B<+|B_1|+{>}_B-{\frac{1}{2}}_B<-|B_1|-{>}_B),---\left(5\right)$

$<A_1{B}_2>=(f-e){({\frac{1}{2}}_B<+|B_2|+)}_B-{\frac{1}{2}}_B<-\left|B_2\right|-{>}_B).$

After Eve attacks, obtainIn quantum key distribution is measured in preparation, the eavesdropping energy of Eve Hard to bear collective attacks restriction.The upper limit of the quantity of information of Eve labelling Bob can be estimated by following formula:

$I_E\&le;H_2\left(\frac{1+\sqrt{{(S_{CHSH}/2)}^2-1}}{2}\right),---\left(6\right)$

Wherein H₂(x)=-xlog₂x-(1-x)log₂(1-x) it is binary information entropy.

If the detector of Bob is the most perfect, then it may happen that detector side channel information is revealed.Eve meeting Detector side channel is attacked by the shortcoming utilizing Bob detector side channel.In the embodiment above, Bob is not required to The detector of Bob is improved.Further, Bob can also increase the improvement to detector, is described as follows:

If Bob is respectively labeled as D except the detector being used for decoding 0 and 1₀And D₁, he also has a detector D_t, for Reduce the impact of secret mark number, often give in the middle of password generation process each detector plus time window, in window Detector can detect the signal pulse of entrance effectively, can not obtain effective pulse at window external detector, be experimentally Time window is realized by open and close detector.Assume D_tHave and D₀And D₁The same detection efficient still has sufficiently large Time window ensure all can be by D₀And D₁The signal detected all can be by D_tDetect.D₀And D₁Detection efficient be labeled as η and D_tDetection efficient be η_t, without η in the case of detector side channel attack_t=η.Once there is detector side channel Attack, it appeared that η_t＞ η,Therefore Eve obtains in the middle of detector side channel attack process Quantity of information just can be estimated effectively:

$I_E\&le;H_2\left(\frac{1+\sqrt{{(S_{CHSH}^{side-channel}/2)}^2-1}}{2}\right)---\left(7\right)$

Theory analysis is as follows:

Theorem 1: the attack of detector side channel can successfully be carried out, the bit value of the Alice of Eve acquisition that and if only if Measurement result relative to Bob is partially or completely to determine.

Eve and photon B interacts with acquisition Alice to the state of photon B, after Bob measured the photon received, He and Alice announce that their basic vector selects.The entropy minimizing of Eve state can make Eve obtain information from Alice to be limited.

I_E=H_{a priori}-H_{a posteriori} (7)

Under the attack of detector side channel, the task of Eve is the uncertainty eliminating Alice state, although the detection of Bob There is various defect in device, but assumes that it is necessary for not having unnecessary information to reveal from his laboratory.Otherwise, quantum key distribution Safety it cannot be guaranteed that, this explanation Eve should be from detector steal information indirectly.If the state that Alice is to photon B Prepare identical, then H_{a priori}=1.

In view of H_{a posteriori}=∑_rP (r) H (i | r), represent Bob with P (r) and obtain the probability that measurement result is r, H (i | r) represent the probability that quantum state is i of Alice when measurement result is r.Ideally, the measurement result of Bob should be divided equably Cloth is 0 and 1.If Eve does not interacts with photon B, then announce then H after his base selects at Bob_{a posteriori}=1, Therefore I_E=0, Eve can not steal any information from Alice over there.In order to meet I_E＞ 0, H_{a posterior}＜ 1 must expire Foot, again because ∑ must at any time be met_rP (r)=1, then Eve just can not get H (i | r)=1, this represents that Eve is at Bob Obtain under conditions of measurement result r the message part of the quantum state i to Alice or determine completely.

If therefore detector side channel attack can successfully be implemented, Eve must control detector D₀And D₁Produce Detection efficient is poor, and this inefficient is random and cannot be found by Bob from the point of view of time average.But this efficiency Difference can pass through η/η_tEstimate and be embodied inOn, therefore can be used to estimate that Eve is in detection Quantity of information acquired in device side-channel attack.

It is presented above the detailed description of the invention that the present invention relates to, but the present invention is not limited to described embodiment. Under the thinking that the present invention provides, use the mode being readily apparent that to those skilled in the art to the skill in above-described embodiment Art means carry out converting, replace, revise, and the effect played is essentially identical with the relevant art means in the present invention, realize Goal of the invention the most essentially identical, so formed technical scheme above-described embodiment is finely adjusted formation, this technology Scheme still falls within protection scope of the present invention.

Claims (5)

1. for preventing the quantum key distribution method of detector side channel attack, it is characterised in that step is as follows:

Step one, transmitting terminal A select an information embedded mode at random, random 0 or 1 are enrolled the quantum state of photon, issues and connect Receiving end B；

Step 2, receiving terminal B arrange both of which: signal mode and test pattern；Receiving terminal B randomly chooses wherein according to probability A kind of pattern；In the signal mode, randomly choose that information reading manner reads that photon carries 0 or 1；When receiving terminal B selects When selecting signal mode, the information that transmitting terminal A and receiving terminal B announces them by common signal channel embeds and reading manner, by information Embedded mode those bits consistent with reading manner are as cipher bits；At test pattern, select specific information reading side Formula carries out Bell test；When receiving terminal B selects test pattern, transmitting terminal A and receiving terminal B calculates S by common signal channel_CHSH's Value is announced that their base loses and is selected and measurement result；

Step 3, after password distributes, cipher bits is carried out error correcting and privacy and is amplified by transmitting terminal A and receiving terminal B, is used for Generate security password；Described S_CHSHValue be used for carrying out privacy amplification.

The most according to claim 1 for preventing the quantum key distribution method of detector side channel attack, its feature exists In, the information embedded mode of described transmitting terminal A includes oblique line baseWith straight line baseUnder signal mode, receiving terminal B basic vector existsWithIn randomly choose.

The most according to claim 2 for preventing the quantum key distribution method of detector side channel attack, its feature exists In, under test pattern, receiving terminal B basic vector existsWithIn randomly choose；S_CHSH≡< A₁B₁+A₁B₂+A₂B₁-A₂B₂>。

The most according to claim 3 for preventing the quantum key distribution method of detector side channel attack, its feature exists In, the upper limit of the quantity of information of labeled receiving terminal B is estimated by following formula:

$I_E\&le;H_2\left(\frac{1+\sqrt{{(S_{CHSH}/2)}^2-1}}{2}\right),---\left(6\right)$

Wherein H₂(x)=-xlog₂x-(1-x)log₂(1-x) it is binary information entropy.

5. according to the quantum key distribution side for preventing detector side channel attack according to any one of claim 1-4 Method, it is characterised in that receiving terminal B is respectively labeled as D except the detector being used for decoding 0 and 1₀And D₁, also there is a detector D_t；Each detector arranges a time window, and in window, detector can detect the signal pulse of entrance effectively, at window Mouth external detector can not obtain effective pulse；D₀And D₁Detection efficient be labeled as η and D_tDetection efficient be η_t, compare η and η_tWork as η_tDuring ＞ η, it is judged that detector side channel attack.