JP5498234B2 - Quantum cryptography communication system - Google Patents

Description

  The present invention relates to a quantum cryptography communication system for delivering a quantum cryptography key from a transmitter to a receiver.

  Conventionally, as a cryptographic technique, an encryption method based on mathematical calculation difficulty of a mathematical formula (for example, a long time is required for calculation for decryption) has been used, but recently, a single photon level is used. Research on quantum cryptography that uses light to guarantee physical security is ongoing.

  Quantum cryptography is a cryptographic technique that uses the theory of quantum mechanics, and is known as the ultimate cryptographic technique in which the content becomes meaningless even if eavesdropping, and the eavesdropping is understood.

  In the field of quantum communication, there is known a system that supplies a secret key for performing cryptographic communication between two parties present at points distant from each other, and this system is also called a quantum key distribution system. There are various methods for quantum key distribution. In this specification, a “differential phase shift quantum key distribution method” (see Non-Patent Document 1) will be described as a conventional technique.

  FIG. 1A shows a basic configuration of a “differential phase shift quantum key distribution system” of the prior art. The transmitter transmits a coherent optical pulse train having a constant interval arbitrarily phase-modulated with 0 or π to the transmission line at an average of less than 1 photon per pulse (for example, 0.1 photon / pulse). The state where the average number of photons is less than one is realized by greatly attenuating normal laser light.

  When such an optical pulse train is detected as a photon, the detection result indicates that no photon is detected by the pulse. The pulse at which a photon is detected is uncertain until it is measured.

  As shown in FIG. 1A, the pulse train sent from the transmitter reaches the receiver via the transmission path. First, in the receiver, using the optical branching means, the optical pulse train received from the transmitter is split into two so as to be equally divided in energy, and each branched optical pulse train is sent to the long path and the short path. To do. In the long path, a certain delay time T is added to the optical pulse train. Thereafter, the optical pulse trains that have passed through the long path and the short path are combined again in the 2 × 2 multiplexing coupler. The 2 × 2 multiplexing coupler includes first and second input terminals connected to the long path and the short path, respectively, and receives an optical pulse train that has passed through the long path and the short path. The 2 × 2 multiplexing coupler also includes first and second output terminals, and the first and second photon detectors are connected to the respective output terminals.

  Assuming that the constant delay time T given to one optical pulse in the long path is equal to the constant interval T of the optical pulse train input from the transmitter to the receiver via the transmission line, 2 × 2 In the wave coupler, the preceding and following pulses are overlapped and combined. The manner in which the pulses overlap is illustrated in FIG.

  The optical pulse train input to the receiver is phase-modulated by 0 or π as described above. Therefore, if the propagation phase of the branching / combining path from the optical branching means in the receiver to the 2 × 2 multiplexing coupler is appropriate, the phase difference between the overlapping pulses is 0 or π.

  As a result of multiplexing by the 2 × 2 multiplexing coupler, both pulses interfere. If the phase difference is 0, the second photon detector detects the photon, and if the phase difference is π, the first photon detector detects the photon. Will be detected.

  Using the above configuration, the transmitter and the receiver obtain a secret key by the following procedure.

  First, the receiver detects a photon from a pulse transmitted from the transmitter having the above-described configuration and passing through the transmission path. At this time, the receiver records the detected time and the photon detector. After a predetermined number of photons are received, the receiver notifies the transmitter of the time when the photons are detected (hereinafter also referred to as “photon detection time”). However, this notification path is not limited to the transmission path.

  The transmitter can know from the photon detection time notified from the receiver and the phase modulation data of the transmitter itself whether the receiver has detected the photon by the first or second photon detector. it can.

  Therefore, if the photon detection by the first photon detector is determined as bit “0” and the photon detection by the second photon detection is determined as bit “1” in advance, both the transmitter and the receiver can The same bit string can be obtained.

  In the above procedure, since only the photon detection time is notified from the receiver to the transmitter, the bit information does not go outside the receiver and is not wiretapped.

  As a typical wiretapping method for the “differential phase shift quantum key distribution method”, a method called “spoofing method” is known. FIG. 2A is an explanatory diagram of impersonation wiretapping. In the figure, the photon detector is labeled “DET” for convenience. An eavesdropper (the eavesdropper) receives a transmission signal sent by the transmitter in the same way as the original receiver in the middle of the transmission path, and sends a dummy signal to the original receiver based on the reception result. Transmit using an optical transmitter. If the eavesdropper (the eavesdropper) can correctly receive the transmission signal from the transmitter, the dummy signal is the same as the original transmission signal, and information can be obtained without the receiver being aware of the eavesdropping action.

  However, in the above-mentioned “differential phase shift quantum key distribution method”, the transmission signal from the transmitter is an optical pulse train having an average of less than 1 photon (for example, 0.1 photon / pulse) per pulse. Even if a signal is received, photons are detected only once per 10 pulses on average.

  Therefore, the eavesdropper (the eavesdropper) knows the phase difference between the two pulses corresponding to the time when the photon can be detected, but cannot detect the phase difference in other cases. When an eavesdropper (wiretap) tries to send a dummy signal based on such a detection result, for the pulse corresponding to the time when the phase difference could not be detected, the phase selected by the guess is allocated and retransmitted (impersonation). Eavesdropping 1) or no signal (spoofing 2) can only be taken.

  In the former case (spoofing spoofing 1), when the receiver detects the phase difference selected by guesswork, there is a high possibility that it differs from the signal sent by the transmitter. In the latter case (spoofing spoofing 2), signal mismatch still occurs. The reason is that an eavesdropper (the eavesdropper) in this case sends a pulse train including two pulses corresponding to the time when a photon is detected, but it is an empty pulse except for two consecutive isolated pulses. That is, when the receiver receives two consecutive isolated pulses, a photon can be detected at three times when it is output from the 2 × 2 multiplexing coupler.

  The manner in which photons are detected at these three times is illustrated in FIG. In FIG. 2B, among the optical pulse trains branched by the optical branching means, a non-delayed optical pulse train (the optical pulse train described below) and a delayed optical pulse train (the optical pulse train described above) are time-series. It is shown schematically.

  In FIG. 2, three times when the optical pulse trains overlap each other are shown. When a photon is detected at the middle time (referred to as “second time”) t 2, the detection result is According to the phase difference of the two pulses, a photon is detected by a photon detector as intended by the transmitter.

  However, when a photon is detected at the first time t1 or the third time t3, which is before or after the second time t2 of the time when the two optical pulse trains overlap, there is no other party to interfere with, so the first Whether the photon is detected by the second photon detector or the second photon detector occurs at random.

  Therefore, when the receiver obtains the secret key bit from the photon detection result at the first time t1 or the third time t3, the bit is different from the one intended by the transmitter.

  In this way, when spoofing is performed, a bit mismatch occurs between the transmitter and the receiver. This is called a bit error. Therefore, the transmitter and the receiver obtain a secret key in accordance with a normal procedure, and then perform a verification check using some test bits. If the system is operating normally, the bit information of both will match, but if there is spoofing, there will be bits that do not match.

  More specifically, if an eavesdropper transmits a dummy signal containing one photon, the probability that the receiver will detect a photon at the first or third time is ½, and it can be derived from this photon detection. Since the probability that the generated bits do not match is further ½ of that, a bit error occurs at a rate of ¼. If there is a bit error, it is determined that the system is not operating normally and the private key is discarded. In other words, if the test bits match, it can be determined that there was no wiretapping, and the secret key is guaranteed to be secure.

  In this way, in the differential phase shift quantum key distribution method, even if spoofing is performed, an eavesdropper (eavesdropper) transmits an accurate dummy signal because the transmission signal is less than one photon per pulse. However, a bit error occurred between the transmitter and the receiver due to an inaccurate dummy signal, and the presence or absence of eavesdropping could be determined.

K. Inoue, E. Waks, Y. Yamamoto, ‘‘ Differential-phase-shift quantum key distribution using coherent light, ’’ Physical Review A, 2003, vol. 68, paper number 022317 T. Tsurumaru, ‘‘ Sequential attack with intensity modulation on differential-phase-shift quantum key distribution protocol, ’’ Physical Review A, 2007, vol. 75, paper number 062319

  In the above description, it has been described that the obtained secret key is secure on the assumption that the performance of the transceiver is ideal. However, the bit error rate inherent in the system is actually generated due to imperfect performance of the transceiver.

  In this case, a part of the key may be eavesdropped due to the bit error. For example, assume that the original bit error rate of the system was e. On the other hand, it is assumed that an eavesdropper (eavesdropping machine) performs the above-described spoofing eavesdropping 2 (no signal is output for a pulse whose phase difference cannot be detected) only for a part of the transmission signal. When the wiretapping rate is x, the bit error rate generated thereby is x × 1/4 = x / 4.

  Here, when x / 4 <e, that is, when the original bit error rate of the system is higher than the bit error rate caused by eavesdropping, the transmitter and the receiver have the system original bit error and eavesdropping. It is difficult to distinguish from a bit error due to eavesdropping and it is difficult to notice wiretapping. That is, the key information corresponding to the ratio x may be stolen by an eavesdropper without the transmitter and the receiver noticing.

  In the above description, since the bit error rate caused by eavesdropping is ¼, the eavesdropping success condition is x / 4 <e, that is, x <4e. If the bit error rate due to eavesdropping is 1 / m smaller than 1/4 (m> 4), the eavesdropping success condition is x <me. That is, if the eavesdropper can reduce the bit error rate caused by eavesdropping, the amount of eavesdropping using the original bit error can be increased. As an eavesdropping method for doing so, a method called “continuous click attack” is known (Non-Patent Document 2). This wiretapping method is considered to be the most powerful wiretapping method compared to the “differential phase shift quantum key distribution method”. Hereinafter, the “continuous click attack” will be described.

  In the above-mentioned “spoofing attack”, bit errors due to eavesdropping occur when the receiver detects photons at the first time or the third time. In other words, this is the time at both ends of the time when photons can be detected. If a dummy signal sent by an eavesdropper has a large number of continuous pulses in which photons can exist, the probability of detecting photons at the time at both ends becomes relatively small. In the above-mentioned “spoofing attack”, the photon can be present in the dummy signal sent by the eavesdropper in two consecutive pulses, so the receiver can detect the photon at three times, and at one end of the time. The probability of detecting a photon was 1/4 and 1/2 at both ends. For example, if a photon can exist in 4 consecutive pulses, the receiver may detect the photon at 5 times. The probability of detecting photons at one end of the time is 1/8, and both ends are 1/4. If the probability of photon detection at the time at both ends decreases, the probability of causing a bit error also decreases. As a result, the amount of eavesdropping also increases.

The “continuous click” attack is an eavesdropping method using the above-described principle. FIG. 3A is an explanatory diagram of a continuous click attack on the differential phase shift quantum key distribution system. Similar to the spoofing attack, the eavesdropper receives a transmission signal sent by the transmitter in the middle of the transmission path, and transmits a dummy signal photon to the original receiver using the optical transmitter based on the reception result. . However, a dummy photon is not transmitted every time a photon is detected as in a spoofing attack, but a dummy photon is transmitted only when photons are detected continuously. Since the optical pulse train sent from the transmitter is, for example, 0.1 photon / pulse, the probability of detecting photons twice consecutively is (0.1) ² , and the probability of detecting photons three times consecutively is (0.1). ³ , which is smaller than the one-time detection probability, but not zero.

  An eavesdropper can know the phase difference of the continuous pulses when detecting continuous photons. Therefore, as shown in FIG. 3A, the obtained continuous pulse to which the phase difference is added is transmitted to the original receiver. Further, at this time, transmission is performed so that the envelope of the continuous pulse becomes a Gaussian waveform having the middle pulse as a peak. That is, transmission is performed such that the photon existence probability in the pulses at both ends of the continuous pulse is reduced.

  Further, the eavesdropper transmits the continuous pulse to the original receiver via an extremely low loss transmission path. This is to prevent the receiver from detecting eavesdropping from a decrease in the number of photons received. As described above, in the continuous click attack, the eavesdropper transmits a dummy signal only when photons are continuously detected, and does not send anything during single detection. Therefore, if a dummy signal is transmitted through the same transmission path as the original, the total number of photons received by the receiver is reduced, and wiretapping is detected. Therefore, an eavesdropper uses an extremely low loss transmission path.

  There is a transmission loss in the original transmission path, and some of the photons transmitted from the transmitter disappear during transmission and do not reach the receiver. The rate of disappearance increases as the transmission distance increases. For example, in the case of a fiber transmission line having a propagation loss of 0.3 dB / km, 99.9% of photons disappear in the 100 km transmission line.

  If an eavesdropper uses very low loss transmission, the dummy photons reach the original receiver without disappearing. If the percentage of photons that are blocked by an eavesdropper because of single detection is the same as the percentage of photons that disappear in the original transmission path (99.9% in the above example), photons that reach the receiver The number remains the same with and without eavesdropping. Therefore, the receiver is unaware of the wiretapping action from the number of received photons.

  A dummy signal sent from an eavesdropper reaches a legitimate receiver via an extremely low loss transmission path. The receiver passes the received signal through the branching / multiplexing circuit from the optical branching means to the 2 × 2 multiplexing coupler, and then detects the photons. Here, if the number of continuous pulses in which a photon can exist in the dummy signal is N, the photon can be detected at (N + 1) times at the stage of output from the branching / combining circuit. The manner in which photons are detected at these times is illustrated in FIG. 3B (N = 6 in the example in the figure).

  As shown in FIG. 3B, when a photon is detected at the first time or the (N + 1) th time among (N + 1) times, there is no interfering partner, so the first Whether the photon is detected by the second photon detector or the second photon detector occurs at random. Therefore, when the receiver obtains the secret key bit from the photon detection result at the first time or the (N + 1) th time, the bit is different from the one intended by the transmitter.

  The probability of bit mismatch at the transceiver due to the wiretapping and the bit error rate are determined by the probability that a photon is detected at the first time or the (N + 1) th time. This probability is higher than the probability in the above-mentioned impersonation wiretapping because the number of continuous photon pulses N of the dummy signal sent by the wiretap is 3 or more and the envelope is a Gaussian wave shape having a peak at the center pulse. small. Therefore, the bit error rate caused by continuous click attack is smaller than the bit error rate caused by spoofing. As a result, the amount of wiretapping by the former is larger than that by the latter.

  Based on the above principle, the continuous click attack is regarded as the most powerful wiretapping method for the differential phase shift quantum key distribution system.

  The present invention has been made in view of such problems, and an object thereof is to provide a quantum cryptography communication system capable of finding a continuous click attack.

  In order to achieve such an object, according to a first aspect of the present invention, there is provided a quantum cryptography communication system that distributes a quantum cryptography key from a transmitter to a receiver, wherein the transmitter has a continuous pulse of a constant time interval T. A light source for transmitting an optical pulse train comprising: a phase modulator for phase-modulating the optical pulse train with 0 or π; and transmitting the phase-modulated optical pulse train with an average number of photons per pulse attenuated to less than one photon And an attenuator. Further, the receiver receives the optical pulse train transmitted from the transmitter and splits it into a first optical pulse train and a second optical pulse train, and the first optical pulse train as the second optical pulse train. A delay means for delaying the optical pulse train by a time equal to the fixed time interval T, and the first optical pulse train and the second optical pulse train delayed by the delay means are multiplexed and combined. A 2 × 2 optical coupler that generates a later optical pulse, and a first photon that detects a photon when the relative phase difference between the delayed first optical pulse train and the second optical pulse train is zero A detector, a second photon detector for detecting a photon when the relative phase difference between the delayed first optical pulse train and the second optical pulse train is π, and the first or second The photon detection time when the photon was detected by The photon detector that records the detected photon detector and the photon detection time recorded by the recording unit are collated, and photons are detected at two times (n is a predetermined natural number) separated by n · T. It is characterized by comprising counting means for counting the number of times detected, and wiretapping detection means for determining that there is wiretapping when the number of times counted by the counting means is different from a predetermined value.

  The second aspect of the present invention is the first aspect, wherein the predetermined natural number n is assumed to be a continuous pulse number N assumed to be sent from an eavesdropper in a continuous click attack on the quantum cryptography communication system. In this case, the constant value satisfies n> N + 1.

Further, according to a third aspect of the present invention, the predetermined natural number n is N, where n _min is a continuous pulse number assumed to be sent from an eavesdropper in a continuous click attack on the quantum cryptography communication system, and n _min is n _min > N _min < n < n _max when the natural number n _max satisfying N + 1 is defined as an average value of the number of pulses required until the next N consecutive photon detections start after the eavesdropper detects N photons consecutively And the number of times counted by the counting means is an integrated value for n where n _min < n < n _max .

  According to the present invention, in a receiver of a quantum cryptography communication system, a continuous click attack is detected by counting the number of times photons are detected at two times (n is a predetermined natural number) separated by n · T. can do.

(A) is a figure which shows the basic composition of the conventional differential phase shift quantum key distribution system, (b) is a figure which shows a mode that a pulse overlaps in the 2 * 2 multiplexing coupler of a receiver. (A) is explanatory drawing of the conventional spoofing wiretapping, (b) is a figure which shows a mode that a pulse overlaps in the 2 * 2 multiplexing coupler of the receiver which received two isolated continuous pulses. (A) is explanatory drawing of the continuous click attack with respect to the conventional differential phase shift quantum key distribution system, (b) is a figure which shows a mode that a pulse overlaps in the 2 * 2 multiplexing coupler of a receiver. 1 is a configuration diagram of a quantum cryptography communication system according to a first embodiment of the present invention. It is a figure for demonstrating the dummy signal which an eavesdropper sends out in a continuous click attack. It is a figure for demonstrating wiretapping detection by the quantum cryptography communication system which concerns on 1st Embodiment. It is a figure for demonstrating wiretapping detection by the quantum cryptography communication system which concerns on 2nd Embodiment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 4 is a configuration diagram of the quantum cryptography communication system according to the first embodiment of the present invention. In FIG. 4, the transmitter 410 includes a light source 411, a phase modulator 412, and an attenuator 413. The light source 411 generates an optical pulse train having a constant interval T. The phase modulator 412 randomly modulates each pulse with 0 or π. Then, the average number of photons per pulse is attenuated to less than 1 using an attenuator 413 and sent to the transmission line. As the attenuator 413, any means may be used as long as it is a means for largely attenuating light incident from the light source 411 such as an ND filter. The configuration of the transmitter 410 is the same as that of the conventional differential phase shift quantum key distribution system.

  A receiver 420 as a light detection device includes an optical branching unit 421, a 2 × 2 optical coupler 422, first and second photon detectors 423 and 424, a memory 425 (corresponding to “recording unit”), The CPU 426 is configured. The light input to the receiver 420 is branched into two by the optical branching means 421, and given a delay time T by one of the long paths (corresponding to “delaying means”), the light is combined again by the 2 × 2 optical coupler 422. Waved. The delay time T is assumed to be equal to the pulse interval of the input pulse train. First and second photon detectors 423 and 424 are connected to first and second output terminals of the 2 × 2 optical coupler 422, respectively.

  With the above configuration, the transmitter 410 transmits an optical pulse train having a constant interval (pulse interval) T that is randomly phase-modulated with 0 or π as an average of less than one photon per pulse (for example, 0.1 photon / pulse). To do. The coherence time of the optical pulse is sufficiently longer than the pulse interval T. The receiver 420 inputs the pulse train transmitted from the transmitter 410 via the optical transmission path to the optical branching unit 421. The branched optical pulse trains are combined by the 2 × 2 optical coupler 422 and detected by the first and second photon detectors 423 and 424, respectively.

  When the receiver 420 is configured in this manner, in the 2 × 2 optical coupler 422, the front and rear pulses overlap and cause interference. If the phase difference between the pulses is zero as a result of the interference, the second photon detector 424 detects the photon, and if it is π, the first photon detector 423 detects the photon. However, since the transmitted light averages less than one photon per pulse, photons are rarely detected.

  Using the above configuration and operating characteristics, the transmitter 410 and the receiver 420 obtain common bits according to the following procedure. (1) The transmitter 410 and the receiver 420 transmit and receive a pulse train having a necessary length. At this time, the receiver 420 records the time when the photon is detected and the detected photon detector in the memory 425. (2) The CPU 426 of the receiver 420 examines the recorded photon detection time, and counts the number of times that a photon has been detected at two times separated by a specific time. If the number of times is the same as the predetermined value, the process proceeds to the next process. If it is different from the predetermined value, the CPU 426 determines that there is an eavesdropping and stops the bit generation work. (3) The receiver 420 notifies the transmitter of the photon detection time. (4) The transmitter 410 knows which photon detector has detected the photon in the receiver 420 from its own phase modulation data and photon detection time. (5) For the photon detection event, the transmitter 410 and the receiver 420 have bit “0” if the first photon detector 423 is used, and bit “1” if the second photon detector 424 is used. Is given. In this case, since the photon detector for detecting the photon is fixed, the transmitter 410 and the receiver 420 obtain the same bit value. This is a secret key bit.

  In the system having the above configuration and procedure, a continuous click attack is discovered based on the following principle.

  In the continuous click attack, the eavesdropper detects the transmission signal light in the middle of the transmission line, and only when the detection result is obtained continuously, the legitimate receiver has the same detection result based on the photon detection result. A dummy signal is transmitted as follows. If nothing is detected continuously, nothing is sent.

  As described above, in the present embodiment, the transmitter 410 transmits a pulse train whose transmission level is an average of less than 1 photon per pulse, for example, 0.1 photon / pulse. For this reason, it is rare that an eavesdropper continuously detects signals. Therefore, most of the dummy signals transmitted from the eavesdropper are empty pulses, and very rarely, several pulses including photons are continuously transmitted (see FIG. 5).

  On the other hand, the receiver 420 has a time interval longer than (N + 1) T, where N is the number of continuous pulses assumed to be sent from an eavesdropper in a continuous click attack (N = 6 in the example of FIG. 5). The events in which photons are detected at both times are counted. For example, if N = 6, as shown in FIG. 6, the events in which photons are detected at two times separated by 8 pulses are counted. Here, regarding the number N of continuous pulses, the following values are assumed. The value of N is a value that changes according to the transmission efficiency from the transmission side to the reception side, including transmission path loss. Each optical pulse transmitted from the transmission side includes a number of photons according to a Poisson distribution with a predetermined average number of photons (for example, 0.1 photon / pulse) as an average. Therefore, the probability that an eavesdropper can detect photons N times in succession is also determined by the average number of photons. In the continuous click attack, an eavesdropper is an attack that sends a signal to the receiving side through a one-photon, ultra-low loss transmission path when photons can be detected N times consecutively. However, there is a restriction that an eavesdropper must perform an eavesdropping action so that there is no change in the number of photon detections to be received on the receiving side in a situation where eavesdropping is not performed. This is because when there is a change in the number of detected photons, wiretapping is detected from there. Therefore, it is assumed that the eavesdropper employs the maximum N that satisfies the above-described restrictions.

In normal operation without eavesdropping, if the average number of photons per pulse reaching the receiver 420 is μ, and the detection efficiencies of the first and second photon detectors 423 and 424 are η, they are separated by 2 The probability of photon detection from both pulses is approximately (ημ) ² . On the other hand, when a continuous click attack is performed, the probability is ideally zero, and the dark count probability (probability of erroneously counting when there is no photon) of the first and second photon detectors 423 and 424 is In the case of d, (ημ) d. In any case, the two-pulse photon detection probability is different between the normal time and the continuous click attack.

  Therefore, a continuous click attack is discovered by monitoring the number of times that photons are detected with two separate pulses.

  The counting process for counting the number of times photons are detected at two times separated by a certain time, and the eavesdropping detection process for determining that there is an eavesdropping when the number of times is not within the predetermined range are shown in FIG. As described above, this can be realized by causing the CPU 426 to function as the counting unit 427 and the eavesdropping detection unit 428.

(Second Embodiment)
The system according to the first embodiment can detect a continuous click attack in principle, but may be difficult to detect when the transmission loss is large or the detection efficiency of the photon detector is poor. In such a case, ημ becomes a small value, and (ημ) ² becomes smaller. In order to detect a continuous click attack, (ημ) ² must be zero or significantly different from (ημ) d, but if (ημ) ² is very small and almost zero, normal and wiretapping Cannot be detected and wiretapping cannot be detected. The second embodiment of the present invention solves this problem.

The apparatus configuration of the second embodiment is the same as that of the first embodiment except for the processing in the CPU 426. In the first embodiment, the CPU 426 counts the number of times that photon detection occurs with two separate pulses from the photon detection time recorded in the memory 425. As shown in FIG. 6, the time interval between the two pulses in this case is a specific time interval, for example, when the continuous pulse interval is T, a time interval of n ₁ · T (n ₁ is a natural number satisfying n ₁ > N + 1) )Met. On the other hand, in the present embodiment, the number of detections of two-pulse photons within a certain time width rather than a specific constant value is monitored. That is, for n ₂ satisfying the following equation, the integrated value of the number of photon detections in two pulses with a time interval of n ₂ · T is monitored (see FIG. 7).
n _min < n ₂ < n _max
Here, n _min , n ₂ , and n _max are natural numbers, and n _min > N + 1. n _max is defined as follows. As described above, each optical pulse transmitted from the transmission side includes a number of photons according to a Poisson distribution that averages a predetermined average number of photons (for example, 0.1 photon / pulse). Yes. Therefore, after the eavesdropper detects photons N times consecutively, the number of pulses m required until the next N consecutive photon detections start is also probabilistic. Therefore, the average value of m is n _max .

In this way, since the photon detection probability is uniform in the normal state, the two-pulse photon detection integrated value is (n _max −n _min +1) times the number of two-pulse photon detections at a specific time interval. On the other hand, in the two-pulse photon detection integrated value at the time of eavesdropping, n _min satisfies n _min > N + 1, and n _max is a value smaller than the average value of the adjacent photon pulse intervals of the dummy signal assumed in the continuous click attack. Therefore, it is zero or (ημ) d as in the first embodiment. That is, the difference between normal and wiretapping increases. Therefore, even when the transmission loss is large or the detection efficiency of the photon detector is poor, wiretapping can be detected.

Claims (3)

In a quantum cryptography communication system that delivers a quantum cryptography key from a transmitter to a receiver,
The transmitter is
A light source for transmitting an optical pulse train composed of continuous pulses at a constant time interval T;
A phase modulator for phase modulating the optical pulse train with 0 or π;
An attenuator for transmitting the phase-modulated optical pulse train with an average number of photons per pulse attenuated to less than one photon;
The receiver
Optical branching means for receiving the optical pulse train sent from the transmitter and branching it into a first optical pulse train and a second optical pulse train;
Delay means for delaying the first optical pulse train by a time equal to the constant time interval T with respect to the second optical pulse train;
A 2 × 2 optical coupler that generates a combined optical pulse by combining the first optical pulse train and the second optical pulse train delayed by the delay unit;
A first photon detector that detects photons when the relative phase difference between the delayed first optical pulse train and the second optical pulse train is zero;
A second photon detector for detecting photons when the relative phase difference between the delayed first optical pulse train and the second optical pulse train is π;
Recording means for recording the photon detection time when the photon is detected by the first or second photon detector and the detected photon detector;
Counting means for collating the photon detection times recorded by the recording means and counting the number of times photons are detected at two times separated by n · T (n is a predetermined natural number);
A quantum cryptography communication system comprising: eavesdropping detection means for determining that there is an eavesdropping when the number of times counted by the counting means is different from a predetermined value.   The predetermined natural number n is a constant value satisfying n> N + 1, where N is the number of continuous pulses assumed to be sent from an eavesdropper in a continuous click attack on the quantum cryptography communication system. The quantum cryptography communication system according to claim 1. The predetermined natural number n is the number of continuous pulses assumed to be transmitted from an eavesdropper in a continuous click attack on the quantum cryptography communication system, N _min is a natural number satisfying n _min > N + 1, and n _max is an eavesdropper. When the average value of the number of pulses required until the next N consecutive photon detections start after N consecutive photon detections, n _min < n < n _max is satisfied,
2. The quantum cryptography communication system according to claim 1, wherein the number of times counted by the counting unit is an integrated value for n where n _min < n < n _max .

Images