JP2007189517A - Quantum cryptography device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a quantum cryptography device which has simple configuration of device to be held by a regular user and requires small burden and cost for device operation. <P>SOLUTION: The device 21 to be held by a regular user comprises a feeble coherent light source 1 for generating a photon used as an information carrier of a quantum bit; a modulator 4 for preparing a BB84 status for the quantum bit; and a classic computer 9 for calculating a parity between a variable value (common variable) informed from a third party device 22, and a variable value retained by itself. The device 21 sends the quantum bit to the third party device 22 through a quantum channel 5, and performs classic transmission with other regular users through a classic channel 10. The third party device 22 comprises a single photon filter 6 for filtering multiple photon components from feeble light sent from the device 21 to transform them into a single photon, and a quantum computer 7 for calculating the common variable of two quantum bits. The calculated common variable is informed to the device 21 through a classic channel 8. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a quantum cryptography apparatus, and more particularly to an apparatus that performs quantum cryptography key distribution that shares an encryption key by optical fiber communication.

  With the explosive spread of the Internet and the practical application of electronic commerce, there is an increasing social need for cryptographic technologies such as confidentiality and tampering prevention of communications and personal authentication. Currently, in communication using encryption, a common key method such as DES encryption and a public key method such as RAS encryption are widely used as encryption methods. However, these cryptosystems are based on "computational security" that a huge amount of computation should be required for decryption. In other words, current cryptosystems are always threatened by advances in computer hardware and decryption algorithms. In particular, in fields where extremely high security is required, such as transactions between banks and information related to military and diplomacy, the impact will be given if a principle-safe encryption method becomes practical without relying on computational security. Is very big.

  There is a one-time pad method as an encryption method whose unconditional security is proved in information theory. The one-time pad method is characterized in that an encryption key having the same length as the communication text is used and the encryption key is discarded once. Bennett and Brassard proposed a specific protocol in NPL 1 for securely delivering an encryption key used in the one-time pad method, which is now widely known as the BB84 protocol. With this proposal, research on quantum cryptography has become active. In quantum cryptography, the laws of physics guarantee the security of cryptography, so that it is possible to guarantee the ultimate security that does not depend on the limits of computer capabilities. The quantum cryptography currently being studied is to transmit 1-bit information as a single photon state. For this reason, when the state of a photon is changed by an optical fiber that is a transmission path, the security of the quantum cryptography is greatly impaired.

  In a quantum cryptography device whose security is theoretically proved as described in Non-Patent Document 1, two distinct states of a system having two-dimensional degrees of freedom and its coherent superposition state The secret key is transmitted securely using. The quantum state including such a superposition state is called quantum information from the viewpoint of application to information communication. A system carrying quantum information is called a qubit, which is mathematically equivalent to a spin 1/2 system. Hereinafter, a conventional quantum cryptography device will be described using terms related to the spin 1/2 system, but any kind of quantum mechanical two-level system may be used as a carrier system for carrying quantum information.

In the conventional quantum cryptography apparatus, as described in Non-Patent Document 1, the sender Alice determines the state to be modulated to each qubit as x basis (eigenstate of σ _x operator:

) And the z basis (the eigenstates of the σ _z operator:

) Are randomly selected, and the qubits modulated according to the selected state are sent to the receiver Bob. Status

Indicates bit value 0, status

Negotiates to represent a bit value of 1. The x-basis state and the z-basis state are called complementary states, and there is no measurement means that can determine both of the individual qubits simultaneously and without error. This is because [σ _x , σ _z ] ≠ 0, that is, there is no simultaneous eigenstate of σ _x and σ _z for each qubit, and there is no simultaneous eigenvalue of both variables. It is a reflection of. Non-commutative variables such as σ _x and σ _z are called complementary or conjugate variables. Hereinafter, preparing these four non-orthogonal states (at the base and bit value tags) at random is referred to as BB84 state preparation.

Recipient Bob selects whether to measure the complementary observable bit value of σ _x (x basis) or σ _z (z basis) at random for the qubits received from sender Alice, Perform individual projection measurements. In this way, the projection measurement of the four non-orthogonal states at random (recording the base and bit value tags) is called BB84 state measurement. If Bob's measurement basis matches Alice's readiness basis, the measured bit value exactly matches Alice's sent bit value. In the case of mismatch, the bit values of both are completely uncorrelated. Alice and Bob extract only the preparation and measurement data related to the matched base qubits, and use a random bit string consisting of the bit value data as a secret key. Since any wiretapping will cause a finite error in the secret key data, Alice and Bob use a sub-ensemble sampled from the key data ensemble to evaluate the degree of key data error, The upper limit of the amount of information leakage can be grasped. Alice and Bob can share a provably secure secret key by shortening the key data corresponding to the upper limit of the amount of information leaked to an eavesdropper.

  After that, Ekart proposed a quantum cryptography method based on quantum correlation called EPR correlation in Non-Patent Document 2. It is shown that the system of Non-Patent Document 2 has the same safety as the system of Non-Patent Document 1. In this scheme, Alice prepares an ensemble of two qubit pairs prepared for the maximum quantum correlation state. The maximum quantum correlation state is a cooperative variable of 2 qubits

It is a simultaneous eigenstate of. here,

Is the sum modulo 2.

Represents the parity between Alice's σ _x measurement bit value and Bob's σ _x measurement bit value. This is consistent with [σ _x , σ _z ] ≠ 0. Because [σ _x , σ _z ] + [σ _z , σ _x ] = 0,

Because it becomes. Alice sends one qubit of each pair sequentially to Bob. For photons belonging to each pair, Alice and Bob choose at random independently, sigma _x or measuring the bit values of both of the server Bull (x basal) and sigma _z (z basal), local Measure. The local variable sigma _x and sigma _z and Bob local variable sigma _x and sigma _z qubit of qubits Alice not been finalized in advance, the measurement results are random unpredictable regardless of the selection of the base It is. However, a two-qubit cooperative variable

Are pre-determined to known values that depend on the EPR state prepared by Alice, and their measurements are deterministic and predictable. In other words, when the measurement bases of Alice and Bob match, the observed bit value has a predetermined parity value. Therefore, the EPR state prepared by Alice is known, and when the measurement bases of Alice and Bob match, the measurement result of the other person can be known from the own measurement result and the predetermined parity value. it can. In this way, Alice and Bob can share random number data that can be used as a secret key by extracting only the data set with the consistent measurement base.

  Error-free (no error) random number data sharing is possible in this way only when the two qubit pairs shared by Alice and Bob are in the maximum quantum correlation state. Any wiretapping act is an act of quantum-correlating ancilla with two qubit pairs, changing the two-qubit pair from the maximum quantum correlation state to the mixed state and inducing an error in the shared key data. As before, Bob with Alice can grasp the upper limit of the amount of information leaked to an eavesdropper by evaluating the degree of error in the key data using a sub-ensemble sampled from the ensemble of key data. . Alice and Bob can share a provably secure secret key by shortening the key data corresponding to the upper limit of the amount of information leaked to an eavesdropper. Up to this point, the two-qubit pair used for key distribution has been described on the assumption that Alice prepares, but this assumption is unnecessary, and a third party other than Alice and Bob may prepare the two-qubit pair. In this case, a third party who prepares two quantum pair bits cannot obtain any key information like an eavesdropper.

In addition, as patent documents regarding the quantum cryptography device, for example, there are Patent Documents 1 to 5. Moreover, as a prior art for distributing a quantum encryption key, there exists a thing of patent document 6. FIG. Patent Document 7 discloses a common key distribution system using public key cryptography.
JP 2003-37593 A Special table 2000-511016 gazette Special Table 2000-517499 JP-T 9-502322 JP 2000-174747 A JP 2005-217676 A Japanese Patent No. 2563518 International Conference on IEEE Computers, Systems and Signal Processing by Bennett and Brassard (IEEE Int. Conf. On Computers, Systems, and Signal Processing, Bangalore, India, p. 175 (1984)) Physical review by Ekert, Letters (Phys. Rev. Lett., 67, 661 (1991))

  However, the quantum cryptography devices disclosed in Non-Patent Document 1 and Non-Patent Document 2 described above have the following problems.

  In the method shown in Non-Patent Document 1, if Alice is a key sender and Bob is a key receiver, the role is asymmetrical. The equipment to be used is also very different. Receiving devices held by Recipient Bob include devices that require individual measurements of a single quantum and that require significant skill and cost to operate and maintain. For example, photons are used as carriers for qubits in quantum cryptography, but single photon detectors are required for single quantum individual measurements. This type of detector requires special device development, requires low-temperature operation, requires detailed adjustments, and requires careful consideration for operational stability. It is a device that is difficult to handle. On the other hand, the transmitting device possessed by Alice is composed of only a light source and a modulator, and is very simple. In particular, when a weak coherent light source (laser light source) is used as the light source, the transmitter can be made very compact, can be easily handled by the user, and mass production and cost reduction are easy. As described above, in order to spread the conventional quantum cryptography apparatus, the complexity of the receiving apparatus becomes a bottleneck, which is a problem that needs to be solved.

  Further, in the case of the quantum cryptography device disclosed in Non-Patent Document 2, if a third party prepares 2 qubits, Alice and Bob who are regular users are both receivers of qubits, Its role is symmetric. All receiving devices that should be possessed by regular receivers are equivalent, and there are advantages in terms of mass production of devices. However, the problem of the difficulty of handling a receiving device that should be held by a regular user still remains, and the quantum cryptography device of Non-Patent Document 2 is more difficult to realize than the device of Non-Patent Document 1. ing.

  Furthermore, even if the techniques described in Patent Documents 1 to 7 described above are used, the problem of difficulty in handling a receiving apparatus that should be held by a regular user cannot be solved.

  The present invention has been made in view of the above-described problems of the prior art, and an object of the present invention is to provide a quantum cryptography device in which all devices that should be possessed by a regular user can have an equivalent and simple device configuration. .

  The quantum cryptography device of the present invention is a third party device having a quantum calculation means for calculating a co-variable of 2 qubits, and a weak coherent light source that is provided for each authorized user and generates photons that serve as information carriers of qubits. A modulator for preparing a BB84 state in the qubit, a means for calculating the parity of the variable value notified from the third party device and the variable value held by itself, and the modulator A quantum communication path for sending the output quantum bits to a third party device.

  In the quantum cryptography device of the present invention, classical communication is performed between the first classical communication path for notifying the calculation result of the cooperative variable from the third party device to each authorized user device, and each authorized user device. It is preferable to further provide a second classical communication channel for the purpose. Further, it is preferable to further include means for filtering the multiphoton component from the weak light transmitted via the quantum communication path to the third party device, converting it into a single photon, and supplying it to the quantum calculation means.

  Hereinafter, the operating principle of the quantum cryptography apparatus of the present invention will be described with reference to FIG.

As shown in FIG. 3, the quantum cryptography apparatus of the present invention has a probability distribution of event occurrence when each qubit of two qubit pairs prepared in the maximum quantum correlation state is individually measured. Utilizing the fact that there is a one-to-one correspondence between the two, which corresponds to the probability distribution of event occurrence when two qubits that are individually prepared and can be regarded as bells are collectively measured. Bell collective measurement is a cooperative variable of 2 qubits without knowing the values of the variables σ _x and σ _z of each qubit that cannot be measured without error at the same time.

Is a quantum computation process that calculates and determines the values simultaneously, and can be executed by a quantum computer.

  In the present invention, by utilizing such a correspondence relationship, it is possible to mount the quantum cryptography device disclosed in Non-Patent Document 2 by a time-reversed version. That is, according to the present invention, similar to the quantum cryptography device disclosed in Non-Patent Document 2, the roles of the two authorized receivers Alice and Bob are symmetric, but the authorized receiver is the sender, It is possible to implement a quantum cryptography apparatus in which three parties are receivers. In the quantum cryptography device disclosed in Non-Patent Document 2, error-free random number data can be shared between authorized users only when the two qubit pairs shared by Alice and Bob are in the maximum quantum correlation state. However, with the time-reversed version implementation according to the present invention, error-free random number data can be shared between authorized users because a third party measures the two qubit pairs individually prepared by Alice and Bob. Limited to. Any wiretapping act will act to correlate ancilla with 2 qubit pairs, changing the measurement of 2 qubit pairs from the bell collective measurement and inducing an error in the shared key data. Alice and Bob can grasp the upper limit of the amount of information leaked to the eavesdropper by evaluating the degree of key data error using a sub-ensemble sampled from the ensemble of key data, By shortening the key data corresponding to the leakage amount upper limit, it is possible to share a secret key with provable security. The third party can only know the parity value of the measurement result of the regular user of each qubit. A third party cannot know the measurement value itself, and therefore cannot obtain any key information, like an eavesdropper.

  According to the present invention, regular users are all symmetric pairs, and a device to be held is a sender that can be handled easily by a transmission device. A receiving device that is expensive and difficult for a general user to handle can be provided in a center provided in common to a plurality of authorized users. Therefore, the quantum cryptography device of the present invention can simplify the device of the authorized user and greatly reduce the burden for device operation compared with the quantum cryptography devices disclosed in Non-Patent Document 1 and Non-Patent Document 2. be able to. Further, since the transmission device can be mass-produced, the cost barrier in using the quantum cryptography device can be greatly reduced.

  Next, a preferred embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration of a quantum cryptography apparatus according to an embodiment of the present invention.

[Description of configuration]
In the example shown in FIG. 1, there are two authorized users, Alice and Bob, each holding the same device 21. As shown in the figure, the quantum cryptography apparatus is symmetric with respect to the regular user Alice and Bob. Furthermore, a third party device (center) 22 shared by these authorized users is provided.

  The regular user device 21 selects a light source 1 that generates photons that are information carriers of qubits, a state initialization device 2 that initializes the state of photons incident from the light source 1, and a BB84 state. A true random number generator 3, a modulator 4 that modulates the BB84 state into quantum bits, and a classical computer 9. The light source 1 can be constituted by a laser light source and an appropriate light intensity attenuator as a weak coherent light source. Furthermore, each authorized user's device 21 calculates the quantum communication path 5 for sending quantum bits to the third party device 22 to the third party device (center) 22 and the third party device 22 calculates. Are connected by the classical communication channel 8 for receiving the variable values (values of the cooperative variables). Alice and Bob's device 21 are connected to each other by a classical communication channel 10 used for processes such as exchange of base information, error evaluation, error correction, and confidentiality enhancement.

  The regular user and the third party 22 are connected by the quantum communication path 5 for transmitting quantum bits and the classical information path 8 for notifying the calculation result. A normal optical fiber can be used for the quantum communication path. The classic communication channels 8 and 10 are communication channels for performing classic communication, and normal Internet communication is sufficient.

  In this embodiment, the BB84 state can be realized by superposition of two orthogonal polarizations of photons or superposition of two photon wave packets that can be distinguished in time and space, but other degrees of freedom can also be used. Good. The modulator 4 is for preparing a BB84 state for a qubit composed of photons input from the light source 1 via the state initialization device 2, and the qubit prepared for the BB84 state by the modulator 4 is a quantum communication. It is sent to the third party device 22 via the path 5. The classical computer 9 is provided to calculate the parity between the variable value notified from the third party device 22 and the variable value held by the own device.

The third-party device 22 includes a single-photon filter 6 that filters multi-photon components from weak light transmitted from the device 21 of a regular user via the quantum communication path 5 and converts them into single photons, and a quantum computer 7. And. The single photon filter 6 is provided corresponding to each device 21 of a regular user, and serves as a quantum filter for removing multiphoton components stochastically included in the weak light that is the sent qubit carrier. It is configured. Such a single photon filter 6 can be realized by a quantum nondestructive measurement technique. The quantum computer 7 has two qubits, that is, a qubit input from the Alice device 21 via one single photon filter 6 and a qubit input from the Bob device 21 via the other single photon filter 6. Calculate collaborative variables. The calculated cooperation coefficient is notified to Alice and Bob's device 21 via the classical communication path 8 respectively.
[Description of operation]
Next, the operation of the quantum cryptography device of this embodiment will be described.

In each regular user device 21, a qubit composed of photons emitted from the light source 1 is prepared in an appropriate initial state by the state initialization device 2. The normal user device 21 records a 2-bit random number (σ _x or σ _z ) generated by the true random number generator 3 and modulates the quantum bit into the BB84 state by the modulator 4 according to the random value. Is done. In the following description, when it is necessary to distinguish between the random number generated by Alice's device 21 and the random number generated by Bob's device 21, the random number generated by Alice's device 21 is expressed as σ _x ^(A) or σ _z ^{( A)} , and the random number generated by Bob's device is represented by σ _x ^(B) or σ _z ^(B) .

  The qubits modulated by the Alice and Bob devices 10 to the BB84 state are sent to the third party device 22 via the quantum communication path 5. In the third party device 22, the weak light that is the transmitted qubit carrier is converted into a single photon by the single photon filter (quantum filter) 6. Based on the qubits input from both devices 21 and converted into single photons, the quantum computer 7 uses the parity of the x basis as a cooperative variable.

And z-base parity

Calculate The calculation result is notified to the device 21 of the authorized user (Alice and Bob) through the classical communication channel 8.

The regular user devices 21 mutually exchange basis information through the classical communication channel 10, and each of them sorts out sub-ensembles whose bases are matched among the ensembles of qubits transmitted to the third-party device 22. In authorized user of the device 21, a classical computer 9, and the bit values of the qubits of each respective sub-ensemble, among the reported p _x or p _z, and those that match the base used when sending Parity

Calculate This parity calculation allows the regular user device 21 to know the individual bit values of the qubits prepared and sent by the other party. The data obtained in this way is used as a selection key.

  If there is no eavesdropping action, the selection key is error-free, but if there is an eavesdropping action, an error is included. As described in Non-Patent Documents 1 and 2, a legitimate user can perform error evaluation by sampling from a selection key and calculate an eavesdropping information upper limit amount. Based on this, the classical error correction and confidentiality enhancement protocol can be executed using the classical communication path 10 to obtain a secure final key.

  The feature of the quantum cryptography device of the present embodiment is that the installation and maintenance operation of a receiving device that is difficult to handle and manage and operate can be outsourced to a third party as a third party device 22, while that third party's There is no need to assume reliability and safety. As such a third-party device 22, it is assumed that a center 24 operated by collecting a usage fee from a regular user is operated by a telecommunications carrier as a specialist group. At this time, as shown in FIG. 2, an optical switch 23 that switches a communication path on demand according to a request from the authorized user device 21 is provided between the authorized user device 21 and the third party device 22. By inserting, the limited resources of the third party device 22 can be shared in time division among many regular users. A third party such as a telecommunications carrier may manage the center 24 including the third party device 22 and the optical switch 23.

It is a block diagram which shows the structure of the quantum cryptography apparatus of one Embodiment of this invention. It is a figure explaining the role which the third party plays in the quantum cryptography device of the present invention. It is a figure explaining the operating principle of the quantum cryptography apparatus of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Light source 2 State initialization apparatus 3 Intrinsic random number generator 4 Modulator 5 Quantum communication channel 6 Single photon filter 7 Quantum computer 8, 10 Classical communication channel 9 Classical computer 21 Regular user device 22 Third party device 23 Optical switch 24 Center

Claims (6)

A third-party device having a quantum computing means for calculating a two-qubit cooperative variable;
A weak coherent light source that is provided for each regular user and generates a photon serving as a qubit information carrier, a modulator for preparing a BB84 state in the qubit, and a variable value notified from the third party device And a device for calculating the parity of the variable value held by itself,
A quantum communication path for sending qubits output from the modulator to the third party device;
A quantum cryptography device. A first classical communication path for notifying the calculation result of the cooperative variable from the third party device to the device of each regular user;
A second classical communication channel for classical communication between the devices of the respective regular users;
The quantum cryptography device according to claim 1, further comprising:   The apparatus further comprises means for filtering a multiphoton component from weak light transmitted via the quantum communication path to the third party device, converting the multiphoton component into a single photon, and supplying the single photon to the quantum calculation means. Or the quantum cryptography apparatus of 2.   4. The device according to claim 1, further comprising a switch unit connected to the third-party device and coupling any two devices among the plurality of devices of the authorized user to the third-party device on demand. 2. A quantum cryptography device according to claim 1.   Weak coherent light source that generates photons serving as information carriers of qubits, a modulator for preparing a BB84 state for the qubits, a variable value notified from a third party device, and a parity of a variable value held by itself And a quantum cryptography device that sends a qubit output from the modulator to the third party device via a quantum communication path.   Quantum calculation means for receiving a qubit from a device of a different regular user via a quantum communication path and calculating a cooperative variable of 2 qubits, and a quantum for making the calculated cooperative variable a device notification of the regular user Crypto device.

Images