EP4635126A1 - Quantenverteilungsverfahren und zugehörige telekommunikationsvorrichtungen - Google Patents

Quantenverteilungsverfahren und zugehörige telekommunikationsvorrichtungen

Info

Publication number
EP4635126A1
EP4635126A1 EP23806308.5A EP23806308A EP4635126A1 EP 4635126 A1 EP4635126 A1 EP 4635126A1 EP 23806308 A EP23806308 A EP 23806308A EP 4635126 A1 EP4635126 A1 EP 4635126A1
Authority
EP
European Patent Office
Prior art keywords
key
bits
alice
bob
quantum
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP23806308.5A
Other languages
English (en)
French (fr)
Inventor
Yann Oster
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales SA
Original Assignee
Thales SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thales SA filed Critical Thales SA
Publication of EP4635126A1 publication Critical patent/EP4635126A1/de
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • H04L9/0858Details about key distillation or coding, e.g. reconciliation, error correction, privacy amplification, polarisation coding or phase coding

Definitions

  • the invention lies in the field of generating and sharing a symmetrical secret key between two remote telecommunications devices associated with their respective users called Alice and Bob below: Alice and Bob's devices must use a strictly identical key to be able to encrypt/decrypt their messages.
  • the invention relates more particularly to quantum key distribution (QKD: Quantum Key Distribution) and the underlying communication of information such as parity bits or choice of bases used or selection of the measures retained.
  • QKD Quantum Key Distribution
  • Quantum cryptography is based on the transmission of qubits (quantum bits) or coherent states generated randomly, to develop and distribute secret keys usable by classic encryption protocols such as one-time mask encryption (One Time Pad). . Since the first protocol proposed in 1984 (BB84), multiple QKD protocols have been defined. We distinguish between protocols with discrete variables (qubits, DV-QKD) and those with continuous variables (CV-QKD). Some protocols (BB84, DV-QKD) are based on the random choices of a generation and measurement base (or quadrature), and involve the communication of these base choices. Other protocols (CV-QKD with heterodyne receiver) do not involve communications on the choice of a measurement base.
  • Some protocols based on photon entanglement involve a source of photons external to Alice and Bob's devices. But all QKD protocols integrate a residual error correction step to develop a shared key between Alice and Bob, implementing the communication of parity bits, for various error detection or correction techniques (FEC (Forward Error) codes Correction code) such as LDPC (Low Density Parity Code), interactive and iterative protocols such as Cascade or Winnow, etc.).
  • FEC Forward Error codes Correction code
  • LDPC Low Density Parity Code
  • iterative protocols such as Cascade or Winnow, etc.
  • quantum objects that is to say physical objects that behave according to the laws of quantum physics; in practice, these objects are light pulses in the quantum regime (photons), which can take several forms: single photons, coherent states, pairs of entangled photons, etc. ; the photon allows the encoding of information on observable variables such as the polarization of light, its frequency, its phase, etc. ; a quantum channel, which allows the transit of light pulses; a classic communication channel (also known as a public channel) (typically Internet, wireless, optical transmission over fiber or in free space).
  • Quantum key distribution is a technique exploiting quantum properties to guarantee randomness making it possible to detect interception and re-emission by a malicious third party, let's call it Eve (Eavesdropper ), of an initial message generated by Alice to Bob.
  • Eve Eve
  • reading qubits during their transmission between two interlocutors wishing to encrypt their communications with a secret key issued from these qubits by an intruder can be immediately detected: an interception will be immediately detected by the devices of Alice and Bob, who will give up this key.
  • a reference QKD technique is the BB84 protocol published by C. Bennett and G. Brassard in 1984 and using discrete variables: qubits.
  • a qubit takes a value 0 or 1, and is represented by the polarization of a single photon, on two possible quadratures (bases): HA/ or D/A (the capital letter H, V, D, A indicates the type of polarization : H for horizontal, V for vertical, D for diagonal and A for Antidiagonal).
  • Alice's device generates a sequence of random bits and encodes each bit on each light pulse, then transmits it to Bob's device through the quantum channel.
  • the devices of Alice and Bob evaluate a level of interception of the information exchanged on the quantum channel according to the differences between the data transmitted and those measured and if the level is greater than a fixed threshold, the operation is terminated quantum distribution. If not, the extraction of the secret key from the correlated data is carried out via a so-called data reconciliation step: in this reconciliation step, a bit string shared by the Alice and Bob devices is determined from the data. correlated data and an error correction algorithm using parity bits.
  • a secrecy amplification step is generally implemented to neutralize the information leak during reconciliation.
  • Bob's device After transmission, Bob's device therefore has a set of measurements which are correlated with the data sent by Alice's device, but whose information could have been spied on by Eve.
  • a so-called sifting step selects the transmitted qubits for which the Alice and Bob devices use the same generation and detection quadrature : to do this, the devices of Alice and Bob communicate in clear on the classic channel to broadcast the quadratures used, either symmetrically and explicitly, or asymmetrically with one part broadcasting its used quadratures then the other part determining and broadcasting the selection of the retained qubits (identical Tx/Rx quadratures); this makes it possible to develop two versions of a so-called “sifted key” respectively on the side of Alice and Bob, by separating on average 50% of the qubits (different Tx/Rx quadratures); an estimate of the error rate is carried out, to determine the possible presence of Eve (case of rejection of the key), and to select an error correcting code (choice code and performance) or to configure an interactive and iterative error correction protocol by request/response for further processing; a step of detection and
  • the present invention describes a method for quantum distribution of a key, named K QK D_N, to a first and a second telecommunications device to implement between them a telecommunications encrypted by said key K QK D_N, said first and a second telecommunications devices each being connected to a first respective telecommunications link and interconnected by a second telecommunications link, said first link being an optical transmission link and being hereinafter called quantum channel, said second link telecommunications being hereinafter called classic channel; said method comprising the following steps of determining K QK D_N, implemented by at least one device considered among the first and second devices: implementation, on the quantum channel, of communication of a random sequence of bits under the shape of a sequence of light pulses in the quantum regime such that for each light pulse of the sequence of pulses, a physical parameter of each light pulse encodes the value of at least one of said bits of the random sequence of bits; said sequence of bits being memorized by each of the first and second
  • the proposed solution greatly reduces information leakage and improves the level of secrecy. There is no clear transmission (or with public key encryption) of choice of bases used, and/or information relating to parities on the public channel. This sensitive information is previously encrypted from at least one secret key previously generated by QKD via the quantum channel and the classical channel in a previous step. [0017] The use of a key obtained by QKD guarantees unconditional security relative to the computing power of a third party (Eve).
  • Eve has a sequence of qubits without being able to identify which ones are correct (on average 75% of the sequence) and which ones are retained to form the key.
  • the present invention describes a method for quantum distribution of a key, named K QK D_N, to a first and a second telecommunications device to implement between them a telecommunications encrypted by said key K QK D_N, said first and a second telecommunications devices each being connected to a first respective telecommunications link and interconnected by a second telecommunications link, said first link being an optical transmission link and being hereinafter called quantum channel, said second link telecommunications being hereinafter called classic channel; said method comprising the following steps of determining K QK D_N, implemented by at least one device considered among the first and second devices: implementation, on the quantum channel, of communication of a random sequence of bits under the shape of a sequence of light pulses in the quantum regime such that for each light pulse of the sequence of pulses, a physical parameter of each light pulse encodes the value of at least one of said bits of the random sequence of bits; said sequence of bits being memorized by each of the first and second devices;
  • said communication of information indicating parity bit values between the first and the second device is further encrypted or decrypted by said device considered as a function of at least one key KQ K D_N-K previously determined by implementing a previous iteration of a QKD quantum key distribution method to said first and second devices.
  • the encryption or decryption of the information is carried out according to a symmetric encryption or decryption key determined by concatenation and permutation type operations and/or logical combination at the bit level of at least one key previously determined by quantum distribution of QKD key to said first and second devices; - said information used for QKD reconciliation encrypted or decrypted according to at least the key K Q KD_N-K previously determined is random and independent information.
  • the invention describes a computer program intended to be stored in the memory of a telecommunications device and further comprising a microcomputer, said computer program comprising instructions which, when are executed on the microcomputer, orchestrate the steps of a process according to the first or second aspect of the invention.
  • the invention describes a telecommunications device adapted to be connected to a first telecommunications link, adapted to be connected to another telecommunications device by a second telecommunications link, and to implement with said other device a telecommunications encrypted by a key KQKD_N, said first link being an optical transmission link and being hereinafter called a quantum channel, said second telecommunications link being hereinafter called a classical channel; said device being adapted to determine K QK D_N, by: implementing, on the quantum channel, communication of a random sequence of bits in the form of a sequence of light pulses in quantum regime such that for each pulse light of the sequence of pulses, a physical parameter of each light pulse encodes the value of at least one of said bits of the random sequence of bits; said sequence of bits being memorized by the device; by putting, on the conventional channel, communication with the other device, of information indicating parity bit values, said parity bit values having been calculated by at least one first device among
  • the invention describes a telecommunications device adapted to be connected to a first telecommunications link, adapted to be connected to another telecommunications device by a second telecommunications link, and to implement with said other device a telecommunications encrypted by a key KQKD_N, said first link being an optical transmission link and being hereinafter called a quantum channel, said second telecommunications link being hereinafter called a classical channel; said device being adapted to determine K QK D_N, by: implementing, on the quantum channel, communication of a random sequence of bits in the form of a sequence of light pulses in quantum regime such that for each light pulse of the sequence of pulses, a physical parameter of each light pulse encodes the value of at least one of said bits of the random sequence of bits; said sequence of bits being memorized by the device; by putting, on the conventional channel, communication with the other device, of information indicating, for each bit of the stored sequence, the base, among at least two distinct coding bases
  • a telecommunications device is adapted to encrypt or decrypt said communication of information indicating parity bit values between said and said other device as a function of at least one key KQ K D_N-K previously determined by prior implementation of a quantum distribution of QKD key to said device and said other device.
  • a telecommunications device is adapted to perform encryption or decryption of information according to a symmetric encryption or decryption key determined by encryption operations.
  • type concatenation and permutation and/or logical combination at the bit level of at least one key previously determined by quantum distribution of QKD key to said first and second devices (D_ALICE, D_BOB).
  • Figure 1 schematically represents a QKD key generation system in one embodiment of the invention
  • Figure 2 represents the steps of a quantum key distribution method in one embodiment of the invention
  • FIG. 3 Figure 3 illustrates the transmission and detection of a sequence of qubits in one embodiment of the invention
  • Figure 4 is a table illustrating the implementation of a method in one embodiment of the invention, at start-up;
  • Figure 5 is a table illustrating the implementation of a process in one embodiment of the invention, in steady state
  • Figure 1 represents a symmetric key generation system by QKD in one embodiment of the invention, comprising two telecommunications devices 10, 20 linked together by a quantum channel 30 and a classical channel 40.
  • Each or one of the telecommunications devices 10, 20 is for example on the ground, or embedded in a satellite, an aircraft, etc.
  • the quantum channel 30 is a telecommunications channel which allows the transit of information (binary in DV-QKD or continuous in CV-QKD) carried by a physical property of a quantum object (e.g. polarization of a photon) transmitted on this channel; here the quantum channel 30 is adapted to transmit light pulses (generated by a source of photons, the transmission being carried out on an optical link of the optical fiber type or simply by free propagation in the free air, the atmosphere, Space ).
  • information binary in DV-QKD or continuous in CV-QKD
  • a physical property of a quantum object e.g. polarization of a photon
  • the classic channel 40 is a standard communication channel, for example (e.g.: radio frequency link, internet network, optical fiber, etc.), assumed to be accessible in plain text by everyone (including a malicious third party Eve), to allow devices to telecommunications 10 and 20 to converge towards the definition of a secret key on the basis of transmitted qubits, as described below for the BB84 protocol.
  • a standard communication channel for example (e.g.: radio frequency link, internet network, optical fiber, etc.), assumed to be accessible in plain text by everyone (including a malicious third party Eve), to allow devices to telecommunications 10 and 20 to converge towards the definition of a secret key on the basis of transmitted qubits, as described below for the BB84 protocol.
  • the telecommunications device 10 hereinafter named D_ALICE, for user Alice, comprises a control block 11, a quantum transmission block 12, a radio frequency (RF) transmission/reception block 13 and a memory 14.
  • the control block 11 comprises a cryptography block 110 and a memory 111 associated with the cryptography block 110 and storing secret keys previously generated by the QKD process between D_ALICE 10 and D_BOB 20.
  • the telecommunications device 20 hereinafter named D_BOB, for user Bob, comprises a control block 21, a quantum reception block 22, a radio frequency (RF) transmission/reception block 23 and a memory 24
  • the control block 21 comprises a cryptography block 210 and a memory 211 associated with the block. cryptography 210 and storing secret keys previously generated by QKD between D_ALICE 10 and D_BOB 20.
  • the radio frequency (RF) transmission/reception blocks 13 and 23 are adapted to communicate together via the conventional channel 40.
  • the control block 11, respectively 21, comprises for example a memory and a microprocessor (not shown).
  • the memory of the control block 11, respectively 21, comprises software instructions, which when executed on the microprocessor of the control block 11, respectively 21, implement the steps incumbent on the control block 11, respectively 21, and described further, in particular with reference to Figure 2.
  • the radio frequency (RF) transmission/reception block 13, respectively 23, typically comprises a modem and a radio frequency transmission and reception antenna (not shown).
  • the quantum emission block 12 includes a generation block, named GEN 121, and a polarization block, named Pol 122.
  • the GEN 121 block is adapted to randomly generate a sequence of bits to be transmitted.
  • the Pol 122 block is adapted to randomly choose, for each bit to be transmitted, a base from a set of bases comprising several reference polarization bases (these bases are also called modes or quadratures) and to transmit a light pulse with a polarization corresponding to the value of the bit to be transmitted in the base chosen randomly for this bit.
  • the Pol 122 block includes for example a polarization rotator, capable of rotating the polarization of the emitted light signal, selectively by 0° (if H/V base is chosen by the Pol 132 block) or by 45° (if basic choice D/A), the selection between angles 0° and 45° being made randomly.
  • the polarization rotator is made with a half-wave delay blade whose rotation is ensured by an actuator.
  • Another embodiment uses an electro-optical polarization modulator, adapted for high rates of polarization change.
  • All of the bases comprise two bases for example: a first Horizontal/Vertical (H/V) base in which "1" is coded by a photon with a polarization axis 0° and "0" by a photon of 90° polarization; a second Diagonal/Antidiagonal base (D/A) in which “0” is coded by a photon with a polarization axis of 45° and “1” by a photon with a polarization of 135°.
  • the quantum reception block 22 includes a polarization block, called Pol 132, and a measurement block 131.
  • the Pol 132 block Before the expected arrival of a photon, the Pol 132 block is adapted to carry out a polarization rotation in order to randomly choose a base from the two bases H/V and D/A.
  • the Pol 132 block includes a polarization rotator, capable of rotating the polarization of the emitted light signal, selectively by 0° (if choice of H/V base by the Pol 132 block) or by 45° (if choice of D/ base). HAS).
  • the polarization rotator is made with a half-wave delay blade whose rotation is ensured by an actuator.
  • the measuring block 131 is adapted to measure two light polarization components in quadrature at the output of the polarization rotator Pol 132, either on the H/V basis if the polarization rotation is 0°, or on the basis D/A if the polarization rotation is 45°.
  • the measurement block is made with a polarizing beam splitter (PBS) generating a quadrature, and two photon detectors (SPD) for the two components of the quadrature.
  • PBS polarizing beam splitter
  • SPD photon detectors
  • a photon polarized along an axis of angle 'a' passing through a polarizing filter along an axis of angle 'b' has a probability equal to cos 2 (ba) of passing the polarizing filter, according to Malus' law.
  • the starting context is as follows: Alice wishes to exchange an Nth message, named M_N, with Bob.
  • a secret key, K QK D_N must be generated by QKD, shared between D_ALICE 10 and D_BOB 20, to allow one to encrypt, and the other to decrypt this Nth message which can be transmitted with maximum security.
  • Eve tries to intercept communications to determine the key.
  • Kerckhoff principles we assume for example that Eve has access to the communication channels used by D_ALICE 10 and D_BOB 20, that she knows the protocol used perfectly and has unlimited calculation resources.
  • the security of encrypted communications between D_ALICE 10 and D_BOB 20 is then ensured solely by the secret key that the method described below results in generating and distributing.
  • the GEN block 121 in response to a corresponding command from the control block 11 to the GEN block 121, the GEN block 121 randomly generates a sequence of 2T bits therefore taking the value 0 or 1; T is an integer typically greater than 10,000;
  • the Pol block 122 randomly chooses, for each bit generated, a polarization base among the two polarization bases and transmits on the quantum channel 30, photon per photon, a photon whose polarization is a function of the value of the generated bit and the polarization base chosen for this qubit; each photon is emitted at regular intervals.
  • the qubits are thus transmitted.
  • sequence of choices of bases and bits corresponding to the sequence of qubits generated is then stored by the control block 11 in the memory 14 and the value of each bit is stored there, associated with the polarization base chosen for the bit by the Pol 122 block and at the rank of the bit in the sequence and.
  • the Pol block 132 randomly chooses a base (by modifying the orientation of a rotator or by modifying the control of a polarization modulator ).
  • the measuring block 131 performs a measurement of what comes out of the polarizing filter on the selected components.
  • the control block 21 determines the value of the bit corresponding to the photon detected as a function of the measurement carried out and the base chosen for the measurement (corresponding to the polarization rotation carried out by the Pol block 132) and stores in the memory 24, for each photon detected, the value of the bit determined, in association with the chosen base and the reception rank of the photon (and therefore of the qubit).
  • Figure 3 represents in a table, the rank number of the first 8 bits of a sequence generated in step 101 (first line of the table) and the randomly generated value for these bits (second line). These bits thus take the following values: 0 for the bit of rank 1, 4, 6 and 7 and 1 for the bit of rank 2, 3, 5 and 8.
  • the third line indicates the base chosen for the transmission of each bit by the D_ALICE 10 device: the “+” sign indicates that the H/V base has been chosen while the “x” sign indicates that the D base /A was chosen.
  • the base HA/ was chosen, and the base D/A was chosen for bits of rank 3, 5 to 7.
  • the fourth line indicates the polarization of the emitted photon: vertical for the bit of rank 1, 4, horizontal for the bit of rank 2 and 8, diagonal for the bit of rank 6 and 7, antidiagonal for the bits of rank 3 and 5.
  • the fifth line of the table indicates the base chosen by the device D_BOB 20, in reception: H/V for the photon received at rank 1, 5, 7 and 8 and D/A for the photon of rank 2, 3, 4 and 6.
  • the sixth line illustrates the result of the measurement by the D_BOB 20 device: for photons of rank 1, 3, 6, 8 the measurement base corresponds to the emission base and the polarization of the detected photon corresponds in general to the polarization at the emission of the photon; for photons of rank 2, 4, 5, 7 the measurement base is different from the emission base and the polarization of the detected photon is completely random.
  • the value of the determined qubit stored in memory 24 is 0 for the photon of rank 1 and 6 and is 1 for the photon of rank 3 and 8.
  • the binary sequence ⁇ bases ⁇ BO b which is stored in the memory 24, successively defining the polarization base chosen to detect each photon of the sequence received in step 102 is provided in entry of cryptography block 210; for example, if the set of bases only includes the two bases H/V and D/A, in the binary sequence indicating the choice of bases, a “0” (respectively a “1”) at rank n of this sequence ⁇ bases ⁇ BO b will indicate that the base H/V (respectively D/A) was used to detect the qubit of rank n at the step considered (step 102) ;
  • the cryptography block 210 encrypts using at least one of the secret keys stored in the memory 211 and previously generated by QKD by D_ALICE 10 and D_BOB 20, this binary sequence indicating the chosen bases;
  • the controller 21 of the D_BOB device 20 then transmits to the D_ALICE device 10, via the RF transmission/reception block 23, on the conventional channel 40, the binary sequence thus encrypted indicating the polarization base chosen to detect each photon of the sequence received in step 102;
  • the controller 11 of the D_ALICE device 10 receives, via the RF transmission/reception block 13, the encrypted binary sequence ⁇ bases ⁇ BO b, which is then processed by the cryptography block 110; the latter decrypts it using the secret key(s) stored in memory 111 which was(were) used for the encryption of this sequence.
  • Step 104 (sifting)
  • the controller 11 compares for each rank in the sequence of qubits, the chosen polarization base received on the conventional channel 40 and the polarization base associated with this rank which is stored in the memory 14 of the device 10; it selectively retains (Sifting step) only the qubits which have been generated (D_ALICE 10) and measured (D_BOB 20) on the same basis. Statistically only 50% of the bits are retained.
  • the list of indexes of the only qubits retained is then provided as input to the cryptography block 110 which encrypts it, using at least one of the secret keys stored in the memory 111 and previously generated by QKD by D_ALICE 10 and D_BOB 20.
  • the controller 11 of the D_ALICE 10 device then transmits to the D_BOB 20 device, via the RF transmission/reception block 13, on the classic channel 40, the list of qubits retained thus encrypted.
  • the controller 21 of the D_BOB device 20 receives, via the RF transmission/reception block 23, the encrypted list of retained indexes and provides it to the cryptography block 210; the latter decrypts it using the secret key(s) stored in memory 211 which was(were) used for the encryption of this sequence.
  • the controller 21 of the D_BOB device 20 in turn selectively retains, among all the qubits received in step 102, only the qubits whose index (ie the rank in the sequence transmitted by D_ALICE/received by D_BOB ) is indicated in the received list, which are the qubits generated (D_ALICE 10) and measured (D_BOB 20) on the same basis. [0076] The qubits thus retained by D_ALICE 10, D_BOB 20, form their respective “sifted key”.
  • bits of rank 1, 3, 6 and 8 are thus the only ones retained by D_ALICE 10 and D_BOB 20, among the first eight bits of the sequence, for the rest of the steps (see . “sifted key” line)
  • the control blocks 11 and 21 then evaluate the transmission error rate of the qubits (QBER for 'Quantum Bit Error Rate) affecting their respective sets of bits retained in the sifting step 104, in order to detect the possible interception by Eve, to evaluate the quantity of information intercepted by Eve on the quantum channel during transmission in step 101 and to possibly select, depending on the evaluated error rate, an error correcting code ( choice of code and performance) or to configure an iterative error correction protocol per request/response for further processing.
  • an error correcting code choice of code and performance
  • an iterative error correction protocol per request/response for further processing.
  • a certain number of qubits are "sacrificed" since they are communicated on the classic channel 40: they are also removed from the bits retained by the control blocks 11 and 21 for the rest of the post-processing.
  • the Sifted Key consists of t qubits.
  • step 106 is implemented.
  • D_ALICE and D_BOB Due to the limitations of photon sources and photon detectors, imperfections in production, adjustments or synchronization, the bits of the Sifted Key retained at this stage by D_ALICE and D_BOB are not generally perfectly identical.
  • the set of steps 106-108 below of the reconciliation phase aims to detect/correct the residual errors of the qubits of the “Sifted Key” determined respectively by D_ALICE and D_BOB, using an error correcting code of type FEC (Forward Error Correction code), or an interactive and iterative request/response protocol between Alice and Bob, to determine and transmit parity bits associated with subgroups (ie packets) of the qubits of the key.
  • FEC Forward Error Correction code
  • Sifted Key in order to detect/correct residual errors between Alice's key and Bob's key and so that they then have a strictly identical key.
  • Redundant parity type information is then generated either by D_ALICE 10, or by D_BOB 20, or by both, then transmitted by one or the other.
  • these parities are transmitted via the public channel to the other party, so that the latter can identify the residual errors on a key sifted relative to the other (D_ALICE/D_BOB), in accordance with the protocol of error detection and correction retained, according to the parities received and its own sifted key.
  • each control block 11, 21, in parallel with each other calculates parity bits from subgroups of t bits of the Sifted Key after estimation of the QBER error rate in step 105, depending on the error detection and correction protocol selected (here Cascade or Winnow type iterative protocol).
  • the values of the parity bits calculated by each control block 11, respectively 21 are stored in memory 14, 24.
  • One of the cryptography blocks 110, respectively 210 encrypts these parity values, using at least one of the secret keys stored in the memory 111, respectively 211 and previously generated by QKD by D_ALICE 10 and D_BOB 20.
  • one of the control blocks 21, respectively 11 transmits the values of these parity bits thus encrypted on the classic channel 40 via the Em/Rec RF blocks 23, respectively 13.
  • One of the control blocks 11, respectively 21, receives on the classic channel the values of these parity bits thus encrypted and supplies them to the cryptography block 110 , respectively 210, which decrypts them using that(s) of the secret keys stored in the memory 111 respectively 211 which was(were) used for the encryption of these values.
  • One of the control blocks 11, respectively 21, compares the received value of each parity bit, which has been calculated for a given subgroup of bits, with the value that it itself has calculated for this same subgroup. -group of bits of its own key sifted.
  • the parity comparison allows either to detect/correct an erroneous bit, or to direct the error search process via a new parity calculation request on another subgroup of bits.
  • the residual errors between the Sifted Key held by D_ALICE 10 and D_BOB 20 can thus be detected and corrected according to this comparison carried out for each parity bit. Bits detected in error can either be corrected or discarded. This process makes it possible to obtain, in D_ALICE 10 and D_BOB 20, a secret key ideally strictly identical, shared between them, of size v.
  • An iterative Cascade or Winnow type protocol involves a variable number of requests/responses between D_ALICE 10 and D_BOB 20, depending on the number of residual errors;
  • an FEC (Forward Error Correction code) type error correcting code involves a single message sent by only one of the devices 10, 20 to the other of the devices 20, 10 to detect/correct residual errors. Exchanges take place on public channel 40.
  • Steps 106, 107, 108 above describe by way of example the case of an iterative request/response protocol of the Cascade or Winnow type (calculation of the parity bits in the devices 10, 20 transmission by a device to another, comparison within a device).
  • the D_ALICE 11 control block calculates for example the parity bits from the bits of Alice's sifted key (after sifting, step 104, and after estimation of the QBER error rate, step 105); these parities are transmitted encrypted to the control block 21 of D_BOB 20, which decrypts them, then decodes them with its version of the sifted key, to identify errors on its key (Bob); then D_BOB 20 corrects its errors; and or - the control block of D_BOB 21 calculates for example the parity bits from the bits of Bob's sifted key; these parities are transmitted encrypted to the control block 11 of D_ALICE 10, which decrypts them, then decodes them with its version of the sifted key, to identify errors on its key (Alice); then D_ALICE corrects its errors.
  • a secret amplification step optional and which can in any case be reduced compared to the prior art, implements hashing functions to combine the bits of the key obtained at the end of the step 108 and thus reduce Eve's information on the final key, at the cost of reducing the size of the key.
  • Hash functions are very difficult to invert, and can be used to generate pseudo-random numbers. They often use modular arithmetic.
  • D_ALICE 10 and D_BOB 20 have a shared secret key, K QK D_N, which they will then each use as a symmetric encryption key for one encode and the other decode the M_N message exchanged between them on the public channel or another channel.
  • Each control block 11, respectively 21, stores the QKD key thus newly generated, K QK D_N, in the memory 111, 211, for a limited duration.
  • K QK D_N The size of K QK D_N is equal to v (ie it has v bits, with v ⁇ t, v ⁇ T).
  • QKD is therefore used according to the invention.
  • D_ALICE 10 and D_BOB 20 can therefore safely encrypt this information from at least one previous secret key obtained by QKD without compromising the security of previous transmissions with this same key. It is the same when one party (D_BOB) broadcasts its choice of bases then the other party (D_ALICE) broadcasts the selection of the qubits retained: these sequences are random and independent, D_ALICE 10 and D_BOB 20 can therefore safely encrypt this information from at least one previous secret key obtained by QKD.
  • the secret key K QK D_ NI used to encrypt the (N-1)th message, named M_N-1, exchanged between D_ALICE 10 and D_BOB 20, can be reused to encrypt the information on the choice of Alice's bases, as well as the parity bits, during the construction of the key K QK D_N-
  • the key K QK D_ N-2 used to encrypt the (N-2)th message, M_N-2 can be reused to encrypt the information on Bob's choice of bases to construct the key KQKD_ N- - - -
  • the secret key K QK D_ NI used to encrypt the (N-1)th message, named, M_N-1, exchanged between D_ALICE 10 and D_BOB 20 can be reused to encrypt the information on the choice of bases by D_BOB, then to encrypt the parity bits, during the construction of the key K QK D_N-
  • the key K QK D_ N-2 used to encrypt the (N -2)th message, M_N-2 can be reused by D_ALICE to encrypt the information on the selection of the qubits retained to construct the key KQ K D_ N- - - -
  • the 2 sequences of qubits respectively generated (step 101, that of D_ALICE) and received (step 102, that of D_BOB), ie considered before sifting, have a size 2T.
  • Each of the two binary sequences defining the choices of bases used, ⁇ bases ⁇ A ii Ce and ⁇ bases ⁇ BO b have the same size. This size is equal to 2T when only two bases appear in the set of bases. The size is greater than 2T when more than one bit is necessary to identify the chosen base (ie in the cases where D_ALICE 10 and D_BOB 20 choose their base from a set of bases comprising a number of bases strictly greater than two).
  • the 2 sequences after sifting have a variable size t close to T, the sifting removing on average 50% of the qubits emitted by D_ALICE.
  • the 2 sequences after estimation of the QBER error rate (step 105) have a size u less than t.
  • sequence of parities has a possibly variable size, which for example can be considered less than 2T, the invention also being suitable for sequences to be encrypted of size greater than 2T.
  • each secret key has a size v strictly less than u, t and T.
  • Symmetric key encryption of these different sequences therefore requires keys of size 2T. We can nevertheless use secret keys of size less than T.
  • a classic approach consists of using an encryption algorithm using a key of size independent of that of the message, which is conditional on the availability/distribution of keys for D_ALICE and D_BOB.
  • Another solution consists of using the One Time Pad cipher of Vernam, to reuse secret keys obtained by QKD in particular by combining them by operations of concatenation, permutation and/or logical combination ( XOR or exclusive operator) at the bit level, to form keys of larger sizes to encrypt information on the choices of the bases of Alice and/or Bob, on the selection of the qubits retained as well as on the parities.
  • the same secret encryption key can be used to encrypt this information (basic choice of a single party, ie either D_ALICE or D_BOB, selection of the qubits retained and parity information), without compromising the security of this key.
  • Option A (we wait until we have the required number of previous keys to encrypt on the classic channel)
  • each key K QK D_I, respectively K QK D_2, K QK D_3 makes it possible to encrypt a useful message M_1, respectively M_2, M_3 (a priori carrying meaning, ie no random sequence).
  • Option B (we produce the required number of previous keys before starting to encrypt useful messages and on the classic channel)
  • Option AB intermediate (we reuse at least one previous key to form keys of size 2T to encrypt the classic channel)
  • D_ALICE 10 and D_BOB 20 keep a register, in the memories 111, 211, of the last secret keys used during the session. This allows them to secretly generate (by encrypting sensitive information) new secret keys.
  • the table in Figure 4 illustrates the transient regime at start-up, in one embodiment of the invention, with the use of previous QKD secret key(s) to encrypt the choice information bases used by D_ALICE 10 and D_BOB 20 and parity information.
  • the table in Figure 5 illustrates, in one embodiment of the invention, in steady state, this time the use of previous secret keys to form secret keys of size 2T to encrypt the information on the choice of bases used by D_ALICE 10 and D_BOB 20, as well as to encrypt parity information.
  • Each line in these tables corresponds to the step of constructing a QKD key, of size u less than T and indicated in the left column.
  • the box in the second column indicates how, during this construction, the sequence ⁇ bases ⁇ A
  • the box in the fourth column indicates how, during this construction, the sequence of parity bits of size less than 2T is encrypted (or not) (in the error detection protocol considered here, only D_ALICE 10 transmits the parity bits to D_BOB 20, the latter not sending them).
  • the size of the MJ message is less than or equal to the size of KQKD_ r
  • K QK D_ I During the development by QKD protocol of the first session key, K QK D_ I, the sequences of chosen bases and parity values are transmitted in clear text. At the end of this construction, the key K QK D_ I is used to encrypt a first useful message, M_1, exchanged between D_ALICE 10 and D_BOB 20.
  • the second key K QK D_2 is generated by encrypting transmissions on the classic channel, using sequences derived from the first secret key (concatenation, logical combination, bit permutations). For example, during the development by QKD protocol of the second session key, K QK D_2:
  • ⁇ bases ⁇ BO b is encrypted according to the key K QK D_ I, but distinctly and independently (at the level of each bit) with respect to ⁇ bases ⁇ A
  • the sequence of parities is for example encrypted with the same encryption key as for the sequence ⁇ bases ⁇ A
  • K QK D_2 the key K QK D_2 is used to encrypt a second useful message, M_2, exchanged between D_ALICE 10 and D_BOB 20.
  • a set of the last secret keys shared by D_ALICE 10 and D_BOB 20 (here the last 3 K QK D_ N- 3, K QK D_ N-2, and K QK D_ NI) is for example used to construct, by concatenation, encryption keys of sufficient size to (decrypt the sequences of binary information relating to the bases used by D_ALICE, by D_BOB , and to encrypt the parities;
  • a permutation on the keys concatenated by D_BOB with respect to D_ALICE is carried out in order to hide from Eve which qubits are retained/discarded during sifting: thus for example in the present case, the symmetric encryption key used to decrypt ⁇ bases ⁇ Alice (and the parity bits) is K QK D_N-I IK QK D_N-2
  • an example of encryption by the cryptography block 110, 210 of the sequence with the encryption key is to perform an OR operation EXCLUSIVE between the bit of the sequence of rank n and the bit of rank n of the encryption key, for all n ranging from 1 to the size of the sequence.
  • the invention has been described above with reference to the implementation of the transmission of random binary information by the polarization of photons, for example within the framework of the BB84 protocol; the invention is however applicable to any protocol (e.g. E91, B92, etc.) and symmetric key generation system of the QKD type, among others QKD protocols with discrete variables, with other physical parameters used for encode the bits on qubits, for example the frequency or phase of a photon, optionally in a differential manner (frequency-coded QKD or phase-coded QKD or Differential Phase-coded QKD; in the case of using the phase , the coding is based on a phase modulator instead of a rotator/polarization modulator) instead of or in addition to the polarization of the photons, protocols using continuous variables (GG02), and/or using the transmission of several photons per light pulse...
  • any protocol e.g. E91, B92, etc.
  • QKD protocols with discrete variables
  • the invention also applies in the case where a parameter of the photon transmitted on the quantum channel codes several bits , based for example on protocols allowing several bits to be encoded per light pulse such as the GG02, GMCS Gaussian Modulated Coherent-States protocols.
  • the encryption is implemented on the sequences of choice of bases, on the sequences of selection of the qubits retained and the sequences of parity values; in embodiments, only the sequences of choice of bases or selection of the retained qubits or only the sequences of parity values are encrypted.
  • the invention can also be implemented in embodiments without random choice of base used in reception and/or transmission such as for example in a Differential Phase-coded QKD protocol; the step of correcting residual errors is nevertheless still necessary.
  • the invention can also be implemented in embodiments where the QKD protocol used uses the polarization of photons to encode the bits, but with a number of states considered different from the four states considered in BB84: for example BB92 uses 2 polarizations, SSP uses 6.
  • control block 11, 21 can be implemented by the execution of software instructions on a processor. Alternatively, they can be implemented by dedicated hardware, typically a digital integrated circuit, either specific (ASIC) or based on programmable logic (for example FPGA/Field Programmable Gate Array).
  • ASIC application specific
  • FPGA Field Programmable Gate Array
  • bit designates the binary information itself (“0” or “1”)
  • qubit designates more specifically this binary information when it is carried by a quantum state of an elementary particle , in particular of a photon (ie generation and polarization in the device 10, propagation in the quantum channel and measurement in the device 20); however, in the preceding description, one or the other of the two terms may have been used indiscriminately to designate the corresponding binary information.
  • the random choice of the polarization base is achievable in different ways: as described below, with a polarization modulator or by mechanical switching of a controlled polarization rotator by a quantum random generator, a beam splitter such as a semi-reflecting plate, a fixed polarization rotator such as a half-wave plate, etc. according to known techniques.
  • the QKD protocol implemented is based on entanglement (for example protocol E91) for which the photons are generated by a source which can be external to D_ALICE and D_BOB.
  • D_ALICE does not generate the binary sequence: D_ALICE and D_BOB receive this sequence and are like 2 receivers which agree between them on the decoding of the sequence of qubits received, with random base choices (A and B) (or not), in accordance with steps 102 and following described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Optical Communication System (AREA)
EP23806308.5A 2022-12-15 2023-11-16 Quantenverteilungsverfahren und zugehörige telekommunikationsvorrichtungen Pending EP4635126A1 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2213411A FR3143923B1 (fr) 2022-12-15 2022-12-15 Procédé de distribution quantique et dispositifs de télécommunication associés
PCT/EP2023/082133 WO2024125942A1 (fr) 2022-12-15 2023-11-16 Procedes de distribution quantique et dispositifs de telecommunication associes

Publications (1)

Publication Number Publication Date
EP4635126A1 true EP4635126A1 (de) 2025-10-22

Family

ID=86099738

Family Applications (1)

Application Number Title Priority Date Filing Date
EP23806308.5A Pending EP4635126A1 (de) 2022-12-15 2023-11-16 Quantenverteilungsverfahren und zugehörige telekommunikationsvorrichtungen

Country Status (3)

Country Link
EP (1) EP4635126A1 (de)
FR (1) FR3143923B1 (de)
WO (1) WO2024125942A1 (de)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119892361B (zh) * 2025-03-28 2025-08-01 安徽国科量子网络有限公司 采用量子随机数进行实体鉴别的设备及其实体鉴别方法

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12010223B2 (en) * 2020-07-13 2024-06-11 Arizona Board Of Regents On Behalf Of The University Of Arizona Joint twin-field quantum key distribution cryptosystem

Also Published As

Publication number Publication date
WO2024125942A1 (fr) 2024-06-20
FR3143923A1 (fr) 2024-06-21
FR3143923B1 (fr) 2025-10-24

Similar Documents

Publication Publication Date Title
US7983422B2 (en) Quantum cryptography
Dušek et al. Quantum cryptography
US8995650B2 (en) Two non-orthogonal states quantum cryptography method and apparatus with intra- and inter-qubit interference for eavesdropper detection
EP2951944A1 (de) Verfahren für homomorphe xor-verschlüsselung und sichere berechnung einer hamming-distanz
WO2009095574A2 (fr) Procede et entite de chiffrement symetrique probabiliste
EP2887574A1 (de) Umwandlungsverfahren eines Inhalts mit bedingtem Zugriff
US20250023720A1 (en) Quantum key generation method and system
WO2023046557A1 (fr) Système et méthode de génération de clé secrète sûre
Lo et al. Quantum cryptography: from theory to practice
WO2011083232A1 (fr) Procede de chiffrement et de dechiffrement
EP4635126A1 (de) Quantenverteilungsverfahren und zugehörige telekommunikationsvorrichtungen
FR2948518A1 (fr) Procede de conversion d'un premier chiffre en un deuxieme chiffre
EP4026272A1 (de) Verfahren zum sicheren übertragen von quantenzuständen zwischen einer mehrzahl von online-teilnehmern über einen quanten-kommunikationskanal
WO2024023234A1 (fr) Procédés de distribution quantique et dispositifs de télécommunication associés
FR3152937A1 (fr) Procédé et dispositif de partage de clés secrètes dans un réseau comprenant un satellite
FR3079989A1 (fr) Procédés, dispositifs et programmes d'ordinateur pour le chiffrement et le déchiffrement de données pour la transmission ou le stockage de données
WO2012089632A1 (fr) Procede et systeme permettant de tester une integrite cryptographique d'une donnee tolerante aux erreurs
US7606367B2 (en) Quantum cryptography with fewer random numbers
Gehring et al. Implementation of quantum key distribution with composable security against coherent attacks using Einstein-Podolsky-Rosen entanglement
Sujatha et al. Proficient capability of QKD in Wi-Fi network system implementation
Bruß et al. Quantum cryptography
Gupta et al. Quantum cryptographic protocols for secure comunication
FR3158003A1 (fr) Procédé amélioré d'échange de clés s'appuyant sur un réseau quantique ; infrastructure de communication associée.
FR3158002A1 (fr) Procédé amélioré d’échange de clés s’appuyant sur un réseau quantique et un service de sécurité ; infrastructure de communication associée.
Ajish Efficient High Capacity Quantum Cryptography Based Key Distribution in WI-FI Network

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20250528

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC ME MK MT NL NO PL PT RO RS SE SI SK SM TR