JPWO2010103677A1 - Cryptographic communication system - Google Patents

Abstract

Utilizing the current optical fiber network, we will realize highly secure communications for information leakage. (1) A seed key is shared in advance between the sender and receiver, and carrier light with fluctuation is used, and a random number is transmitted and received using a base determined by the random number. The sender / receiver collates the shared basis determined by the seed key and the random number basis, adopts only the random number signal superimposed on the matched slot, and shares the random number between the sender / receiver. At this time, there is a bit error in the reception result because the carrier light fluctuates, but thanks to the seed key, the legitimate receiver can receive with a bit error rate smaller than the illegal receiver. (2) The random amount shared between the sender and receiver is reduced to a safe amount of information by a privacy amplifier, and is used as a secret key. (3) Send and receive actual signals using the obtained secret key.

Description

  The present invention relates to an optical communication system, and more particularly to an encryption communication system with improved safety in optical communication.

  The demand for confidentiality in communications has been an eternal theme from the past to the future, and in the recent network society, the demand has been secured by the development of cryptography. Ciphers can be broadly divided into common key systems and public key systems. The reason for security is that the common key method cannot be easily deciphered even if it is eavesdropped, and the reason for safety is that the public key requires an unrealistic time to decipher although the deciphering algorithm is known. However, in the case of a common key, a cryptanalysis method may be discovered, and in the case of a public key, a faster solution than the currently known decryption algorithm may be discovered, and a quantum computer is realized. As a result, quantum cryptography has attracted attention because it can be decrypted relatively easily using the current algorithm.

  Quantum cryptography uses a quantum mechanical property to try to guarantee security based on physical laws. Whereas it is based on the safety that ordinary ciphers can be eavesdropped and difficult to decipher, quantum ciphers achieve safety in terms of physical laws. However, there is no worry that the safety will be threatened (Non-patent Document 1). However, as a matter of course, the quantum cryptography must use the quantum mechanical state. The quantum mechanical state easily changes from its original state (decoherence) due to interaction with the environment (decoherence), so there are many restrictions when applying quantum cryptography to an actual communication system. A transmission line such as an optical fiber always has a loss, and the loss changes the quantum state. Therefore, quantum cryptography is first limited in distance. For example, the maximum transmission distance is about 100 km. If there is a loss, it is normal communication to amplify to compensate for that, but amplification is also not allowed in quantum cryptography because it decoherens the original state. Furthermore, the feature of quantum cryptography is to use ultra-weak light. In order to operate such a quantum cryptography, there is a problem that the current optical communication system must be reconstructed. As seen above, it can be seen that there are many restrictions in operating quantum cryptography.

  A method called the αη scheme was proposed to solve the above-mentioned problems in quantum cryptography, and wiretapping was performed by setting signal bases to multiple values in phase space and setting adjacent bases within the range of quantum fluctuations. In such a case, accurate information is not given to a person (Non-patent Document 2). Since this scheme uses quantum fluctuations as a basis for safety, if the signal light intensity is too large, the effect of quantum fluctuations can be ignored, and sufficient safety cannot be obtained. Light intensity greater than that of quantum cryptography can be used, but the intensity needs to be sufficiently weaker than that in normal optical communication. Therefore, a method using anti-squeeze has been proposed as being applicable even with light intensity comparable to that of normal optical communication (Patent Document 1). It tries to make eavesdropping difficult by using multi-valued bases and anti-squeezed (spread) fluctuations. Anti-squeezed fluctuations are much larger than quantum fluctuations, so they are no longer quantum but classical fluctuations.

When considering the safety of communication in terms of information theory, it is not distinguished whether the signal light is quantum or classical (Non-Patent Documents 3 and 4). Due to the difference between the mutual information amount I (X; Y) between the sender and the regular receiver and the mutual information amount I (X; Z) between the sender and the unauthorized receiver, a safe information amount C = I (X; Y ) -I (X; Z) is obtained. The mutual information amount I is a function of the bit error rate (BER). When there is no bit error, the mutual information amount I coincides with the information source entropy H (A) of the sender and decreases as the BER increases. If the BER (E _E ) of the unauthorized recipient is larger than the BER (E _B ) of the regular recipient, a safe amount of information (C> 0) is secured, and information-safe communication is possible. An important point in realizing information security is how to form a difference between an authorized recipient and an unauthorized recipient to achieve E _E > E _B. In the quantum cryptography, there is a function in which a legitimate transmitter / receiver detects when eavesdropping is performed using quantum mechanical properties, and E _E > E _B is realized by using the function. The quantum mechanical properties are not used in other parts of the quantum cryptography. Therefore, safe communication is possible if there is a method that can realize E _E > E _B without using quantum mechanical properties.
JP 2007-129386 A N. Gisin, G. Ribordy, W. Tittel and H. Zbinden, Rev. Mod. Phys. 74, 145-195 (2002). GA Barbosa, E. Corndorf, P. Kumar and HP Yuen, Phys. Rev. Lett. 90 (2003) 227901. AD Wyner, “The wire-tap channel,” Bell Syst. Tech. J., 54, 1335 (1975). UM Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inf. Theory, 39, 733 (1993).

  Quantum cryptography has emerged as a breakthrough improvement in security, but there are many problems in practical use, and one way to solve it is to use classic fluctuations like anti-squeezed light. The accompanying carrier light is used. However, it is an unresolved issue how to form the difference between a legitimate recipient and an unauthorized recipient that is required to realize secure communication. The present invention discloses a method for forming this difference using classical fluctuations.

  By sharing the seed key between the sender and receiver, a difference is formed between the authorized recipient and the unauthorized recipient. A binary random number is transmitted on two bases (generally, n and m are positive integers and n-value m-base) using a carrier light with classical fluctuation. Which of the two bases is adopted is determined by a random number. When operated ideally, since it is a random number-based random number signal, an unauthorized recipient cannot obtain any information. A regular sender / receiver shares a base time series for transmitting / receiving a random number signal using a shared seed key (shared base). Random numbers to be transmitted / received are not regarded as signals, but a random number base and a shared base are compared bit by bit, and only when they match, a random number superimposed thereon is shared between authorized senders and receivers. When a regular receiver collates a random number basis and a shared basis, a determination error occurs due to fluctuation of the carrier light, but it is corrected by using an error correction code. Since a legitimate receiver has base information, in principle, it is only necessary to make a binary decision with one known base. However, since an illegal receiver has no base information, a binary judgment must be made with two bases. The signal appears to the quaternary to the unauthorized recipient. The BER when the binary determination is made from the quaternary signal is larger than that when the binary determination is made from the binary signal. This is the difference between legitimate recipients and unauthorized recipients. The amount of information corresponding to this difference is the source of safe information. A safe secret key can be obtained by correcting the safe information amount according to the redundancy of the error correction code and generating a random number of the corrected information amount by a privacy amplifier from a random number shared between the sender and the receiver. Using the obtained secret key, secure communication is realized by performing encrypted communication of an actual signal.

  In the present invention, a new encryption key (secret key) is generated using a seed key as a starting point. Although this method is based on a seed key, there is no effective attack method other than a brute force attack on the seed key because the newly generated secret key has been guaranteed in terms of information theory. Become. If there is no more effective attack method than a brute force attack on a seed key in cryptography, it is considered sufficiently secure. In that sense, the present invention realizes a sufficiently secure communication system. Furthermore, since the fluctuations used in the present invention are classical, they are resistant to loss and amplification, and are not subject to transmission distance limitations as in the case of transmitting quantum states. According to the present invention, it is possible to perform safe communication over a long distance using an existing optical fiber network.

It is the figure which showed the physical principle of this invention. It is the block diagram which showed the principle for implement | achieving this invention. It is the block diagram which showed the structural example of the encryption communication system by this invention. It is a figure which shows the signal example at the time of implement | achieving this invention based on the block diagram of FIG. It is the figure which showed the relationship between the area | region showing the signal value on phase space, and fluctuation. It is a figure which shows an example of the plot which shows the bit error rate of a regular receiver and an unauthorized receiver. It is the block diagram which showed the structural example of the encryption communication system by this invention. It is a figure which shows the signal example at the time of implement | achieving this invention based on the block diagram of FIG. It is the block diagram which showed the structural example of the encryption communication system by this invention. FIG. 10 is a signal example when the present invention is realized based on the block diagram of FIG. 9. FIG. It is a figure which shows typically the signal state on the phase space in the case of a binary 4 base. It is a figure which shows typically the signal state on the phase space in the case of quaternary 2 base. It is a block diagram which shows the structural example for fluctuation light production | generation. It is a block diagram which shows the structural example for fluctuation light production | generation. It is a block diagram which shows an example of the structure which superimposes a fluctuation on a laser and implement | achieves a fluctuation light source equivalently. It is a block diagram which shows an example of the structure which superimposes a fluctuation on a modulator and implement | achieves a fluctuation light source equivalently. It is the figure which showed intensity distribution of each signal in the case of an intensity modulation system. It is the block diagram which showed the structural example of the encryption communication system by this invention. It is a figure which shows the example of a signal at the time of implement | achieving this invention based on the block diagram of FIG. It is the block diagram which showed the structural example of the encryption communication system by this invention. FIG. 21 is a signal example when the present invention is realized based on the block diagram of FIG. 20. FIG.

100 Transmitters 111 to 114 Random number generators 121 and 122 Seed keys 123 and 124 Pseudo random number generators 131 to 134 Buffer 151 Fluctuating light source 161 Modulator 171 Privacy amplifier executor 181 Encryption unit 182 Optical transmitter 183 Signal processing units 201 and 202 Optical transmission line 300 Receiver 311 to 313 Photo detector 321 and 322 Seed key 323 and 324 Pseudo random number generator 333 and 334 Buffer 341 Error correction decoder 371 Privacy amplifier executor 381 Photo detector 382 Encryption decoder 383 Signal processing unit 1510 Laser 1520 Fluctuation generator 1521 Optical amplifier 1522 Bandpass filter 1523 Optical fiber 1524 Circulator 1525 Faraday mirror 1530, 1630 Fluctuation source

  Before describing specific embodiments of the present invention, first, general points will be described. In order to improve the safety of communication according to the present invention, it is important that the signal light fluctuates. Even if there is no fluctuation, the complexity of the protocol increases the difficulty of deciphering illegal recipients, but fluctuation is important to obtain sufficient security. Light fluctuations can be broadly classified into amplitude fluctuations and phase fluctuations, and the present invention is effective for both fluctuations. In the following embodiments, the case of phase fluctuations will be mainly shown as an example. Since the phase fluctuation is used, the modulation method is a phase modulation type. Either phase-shift keying (PSK) that requires reference light or differential-type differential-phase-shift keying may be used. For simplicity, the signal is binary and the base number is 2. In this case, the signal appears to have four values. However, in the present invention, n and m can be positive integers and can be easily extended to an n-value m basis, and in that case, an apparent signal has an n × m value.

  In order to realize secure communication, it is necessary to create a situation in which an authorized receiver has an advantage over an unauthorized receiver. FIG. 1 shows the principle for realizing it. It is assumed that legitimate transceivers share a seed key in advance, and the seed key is used to determine whether it is a q-axis basis or a p-axis basis. FIG. 1A is a binary signal in the case of the q-axis basis, and the shape of the crescent moon represents fluctuations in the phase space of each signal state “0” and “1”. If the absolute value of the amplitude of the signal light is E, the signal “0” corresponds to (q, p) = (E, 0), and the signal “1” corresponds to (q, p) = (− E, 0). However, if the signal light is measured due to the fluctuation of the carrier light, the signal “0” is (q, p) = (E + δq, δp), and the signal “1” is (q, p) = ( −E + δq, δp). δq and δp are fluctuations. The crescent moon in FIG. 1 represents this fluctuation range, and the measured value is approximately one point within the fluctuation range. FIG. 1B shows a binary signal in the case of a p-axis basis.

  The legitimate receiver can be detected on the correct basis by the seed key, and in principle, binary determination can always be made in the state of fluctuation as shown in FIG. 1C, but the unauthorized receiver does not know the seed key, so FIG. It looks like a quaternary signal as shown in (d). As for the fluctuation of the quaternary signal, the overlap between adjacent ones increases, and the BER of the unauthorized recipient increases. Bit errors also occur in legitimate receivers, but the difference from unauthorized receivers is clear. This difference in bit error rate ensures a safe amount of information. The important point here is that an authorized receiver needs to make a binary decision from a quaternary signal, while an authorized recipient should make a binary decision from a binary signal. This difference produces a bit error rate difference. However, simply using the same key allows unauthorized recipients to estimate the basis, so it is a problem to devise a protocol that does not allow the basis estimation, and the present invention provides a solution to this.

  FIG. 2 shows an overview of a communication protocol according to the present invention. In the layer 1, random numbers are transmitted and received using the fluctuation light. The safe amount of information is determined by the difference between the BER of the legitimate recipient and the unauthorized recipient. In Layer 2, the amount of random number data is reduced by the privacy amplifier to that amount of information and used as a secret key (CH Bennett, G. Brassard, C. Crepeau, and UU Maurer, “Generalized privacy amplification,” IEEE Trans. Inf. Theory 41, 1915 (1995).). The layer 3 represents a normal signal transmission path, and uses the secret key obtained by the layer 2 to perform encrypted communication of the actual signal. In layer 3, it is not necessary to use fluctuation light.

  Layer 1 sends and receives random numbers on a random basis. In principle, since the signal of the layer 1 is composed of only genuine random numbers including the base, no information is leaked even if it is illegally received. However, since there is signal redundancy by an error correction code described later, it is necessary to correct the information amount. The regular sender / receiver shares the shared basis in advance with the seed key, and only the data of the slot that matches the shared basis is adopted as the random number signal among the random number signals transmitted on the random number basis. Since the legitimate receiver also has a bit error, the actual processing is somewhat complicated as shown in the following specific embodiment, but in principle, the binary signal is binary-determined thanks to the seed key. . Since the unauthorized receiver must make a binary decision from the quaternary signal, the unauthorized receiver must receive random number data with a BER that is more disadvantageous than the authorized receiver. This difference in BER provides a safe amount of information between the legitimate sender and receiver, and a private key is obtained by the privacy amplifier (layer 2). The obtained secret key is extracted from the communication result using the seed key, but it is extracted from the difference in BER between the authorized recipient and the unauthorized recipient, and the extraction process is information-theoretic It is. This is important.

  The layer 3 is a normal communication path and may be exposed to various attacks such as a known plaintext attack and a selected plaintext attack. In addition, the layer 1 may be illegally received as a quaternary signal although there is a bit error. Therefore, there is a possibility that the ciphertext may be decrypted by comparing the illegal reception results of the layer 1 and the layer 3. However, in the method of the present invention, since the secret key is extracted based on the difference regarding the BER between the authorized receiver and the unauthorized receiver, the unauthorized reception results of the layer 1 and the layer 3 are uncorrelated in information theory. . Since the layer 1 transmits and receives only random number signals, the illegal recipient cannot obtain data such as the correspondence between the ciphertext and the plaintext. An illegal recipient can be obtained only with a true random number sequence except for the redundant portion of the error correction code. That is, when the amount of redundant information is removed by the privacy amplifier, there is no effective decryption method other than a brute force attack on the seed key. In order for an unauthorized receiver to realize decryption by an attack method that is more efficient than the brute force method, at least the layer 1 must be able to detect a random number signal with the same BER as the regular receiver. When this condition is satisfied, there is a possibility that a correlation appears between the unauthorized reception results of the layer 1 and the layer 3.

  If there is no effective attack method other than the brute force attack on the seed key, it is freed from the threat that a cryptanalysis method can be found, and the security can be evaluated only by the calculation time for exhaustive search (brute force attack). In this sense, the method of the present invention is one-step security improved over ordinary encryption.

  Examples of the present invention will be described in detail below.

  If both the base and the signal are converted into intrinsic random numbers, only a completely random signal sequence can be seen by unauthorized recipients. FIG. 3 shows a configuration example of a cryptographic communication system according to the present invention. In the transmitter 100, three random number generators (111, 112, 113) and two types of seed keys (121, 122) composed of random numbers are arranged. The random number generator and the seed key can be divided into one each by dividing the output from one random number generator into three parts and dividing one kind of seed key into two parts. The output of the random number generator 1 (111) is a random number that becomes a signal for generating a secret key, is encrypted using the seed key 2 (122), is encoded by the error correction encoder 141, and is stored in the buffer 131. Prepare to be sent. The buffer 132 prepares the output of the random number generator 2 (112) as a random number for the dummy signal. The random number generator 3 (113) converts the base into a random number, and the signal transmission of the layer 1 is performed based on the random number base. In order for a legitimate receiver to receive correctly, a base shared between legitimate senders and receivers must be used. For this purpose, the seed key 1 (121) is used. The base is completely randomized by the random number generator 3 (113), but not all the random numbers transmitted and received are used as signals, but the random number base matches the base determined by the seed key 1 (121) It is assumed that random numbers are seen by unauthorized recipients, but regular recipients are seen by regular recipients.

  A specific example of the random number signal and the dummy random number processed by the above mechanism is shown in FIG. To specify the base, the q-axis base in FIG. 1 is set to “0”, and the p-axis base is set to “1”. Assume that the random number base determined by the output of the random number generator 3 (113) is 010011101000100 as shown in FIG. On the other hand, the base shared in advance between the sender and the receiver is 110100001101100. In FIG. 4, the first basis of the shared basis is “1”, but the first of the random number basis determined by the random number generator 3 (113) is “0”, which is inconsistent. In this case, a dummy random number ( A signal is transmitted by superimposing a standby in the buffer 132. The superimposition of the signal is performed through the modulator 161 on the output light from the fluctuation light source 151. The second output of the random number base (random number generator 3 (113)) is “1”. In this case, since it matches the second output of the shared base, the random number signal (waiting in the buffer 131) is superimposed and transmitted. To do. Since the next shared basis and random number basis are both “0”, the random number signal is continuously superimposed and transmitted. Thereafter, the same is repeated.

  In this method, the timing at which the random number signal and the dummy random number are superimposed is determined depending on the output of the random number base (random number generator 3 (113)), so that the buffer 131 and the buffer 132 as shown in FIG. And waiting for a random number signal and a dummy random number. Since the signal (random signal and dummy random number) is binary and the base is also binary, the signal at the time of transmission is quaternary. In the column of “Transmission signal” in FIG. 4, signal values at the time of allocation in the phase space as shown in the lower left diagram are described. The random number in the “Signal” column is a random number signal, and the random number in the “Dummy” column is a dummy random number. Note that the random number data is error-corrected and encoded by an error correction encoder 141 in order to correct a bit error that occurs for a legitimate receiver.

Signals (random number signals and dummy random numbers) are transmitted through the optical transmission line 201 and received by the detector 311 in the receiver 300. The detector 311 performs quaternary determination and binary determination simultaneously. This process is easy. Two quadrature components (q-axis component and p-axis component) are measured by two sets of homodyne detectors. A binary determination result for each base is obtained by performing binary determination (each component is positive or negative) on the output values I _q and I _p of each homodyne detector. If the phase φ is determined by arctan (I _p / I _q ) from the output values I _q , I _{p of the} two sets of homodyne detection results, four-value determination (“0”, “1”, “2”, “3”: (See FIG. 4). Since the base is randomized, the signal state appears to be four values even for a legitimate receiver. Therefore, it is first determined which base was used by determining four values. If the quaternary determination result is “0” or “2”, the base “0” is determined, and if the quaternary determination result is “1” or “3”, the base “1” and the random number base are determined. This is checked against a shared basis determined by the seed key 1 (321) (the same as the seed key 1 (121) in the transmitter). If they match, the superimposed signal is determined as a random number signal, and if they do not match, a dummy is determined. Judged as a random number. An example of the above processing on the receiving side is shown on the right side of FIG. However, since the base is determined based on the quaternary determination, there are many base determination errors, that is, collation determination errors with the shared base.

  In order to correct this, a parity check function of an error correction code incorporated in the random number signal is used. If there is no error in the collation between the random number basis and the shared basis, the BER of the random number data becomes a small value estimated in advance, but if there is an error in the collation, a bit error will occur with a probability of 1/2 after the bit in which the error occurred. Therefore, the position where the bit error starts by the parity check can be almost specified. The position where this bit error has started is either whether a dummy random number has entered or the random number signal has dropped out. Therefore, the parity check is performed by removing the bit at the position where the bit error has started, and the parity check is performed by returning the bit discarded because it is determined to be a dummy, and a bit string almost free of bit errors is searched.

  A specific example of what happens when there is a bit error is also shown in FIG. For the sake of simplicity, let us consider a case in which a rudimentary parity check bit is inserted in error correction coding by the error correction encoder 141. It is assumed that random number data is divided every 5 bits, and if the number of “1” is an odd number, it is “1”, and if it is an even number, it is “0”. The random number signal is shown in the “Signal” column on the transmission side in FIG. Parity for 5 bits from the left is inserted in the 6th bit. In FIG. 4, the parity bits are shown in italics. If there is no bit error during reception, the calculated parity of the received random number signal matches the value of the parity bit. Assume that the determination of the random number base on the receiving side is incorrect at the sixth bit from the left in FIG. In the example of the receiving side in FIG. 4, the bit with the underline added is a determination error. In this case, bits that are not originally signal bits are treated as signal bits, and the shared random number increases by one bit. As a result, the position of the parity check bit is shifted by 1 bit (on the receiving side in FIG. 4, the bit that the receiver recognizes as the parity bit is in italics. The bit is shifted by 1 bit depending on whether there is a bit error or not. ).

  If the receiver performs a parity check without noticing that one bit has been shifted, the parity does not match with probability 1/2 after the bit in which the bit error has occurred. This makes it possible to roughly determine where a bit error has occurred. The determination of the random number base of the bit that seems to be a bit error is changed and the processing of the receiver is repeated, and a bit string in which the parity is almost normal is searched. In the example on the receiving side in FIG. 4, an underlined bit is an error, and this bit is deleted from the shared random number, so that the bit error-free state can be restored. When returning a bit that has been discarded because it is determined to be a dummy, the base collation is incorrect, and therefore, when returning, signal determination is performed based on a base different from the initial determination. The signal determination at this time is binary determination because the base is fixed. The processing in the receiver of this system is temporarily determined in four values, but is reduced to binary determination in the process of correcting the base determination error. In the case of binary determination, the BER is smaller than in the case of 4-level determination. This is a factor in which the legitimate receiver becomes informationally advantageous to the illegal receiver, and is brought about by the seed key 1 (121 and 321) shared in advance between the sender and the receiver.

  When the bit error is almost eliminated and the BER that can be corrected by the error correction decoder 341 is reached, the error correction code is decoded and the seed key 2 (322) is decoded. As a result, the output of the random number generator 1 (111) in the transmitter can be reproduced in the receiver. In order to generate a final secret key, the difference in information amount determined by the BER between the case of 1-base binary determination (regular receiver) and the case of 2-base binary determination (illegal receiver) And the privacy amplifier (171 and 371) reduces the information amount of the random number signal shared between the sender and the receiver to the corrected information amount.

  The privacy amplifier can be realized through logical operations, for example. Assume that 20% of the random number shared between the sender and the receiver is a safe amount of information and the shared random number is ‘01001 01110’. If an exclusive OR is performed every 5 bits, it becomes “01”. In this process, all data are handled equally and the amount of information is reduced to 20%. This is an example of a privacy amplifier.

The BER of regular recipients and unauthorized recipients can be estimated as follows. As shown in FIG. 5, the directions of “0” and “1” of each base are assigned. If the signal state is taken as the signal “0” of the q-axis base (base “0”), the authorized receiver who knows that it is the q-axis base determines whether the measured value is on the right or left side with the p-axis as the boundary. do it. A bit error occurs when the authorized receiver obtains a measured value in the negative region of the q axis with respect to the signal “0”. If the fluctuation spread is sufficiently large compared to the quantum fluctuation and the classical handling of measurement is possible, the probability distribution of the signal “0” on the q-axis basis is given by the phase-related function P (θ). The BER of the authorized recipient is described by the equation (1).

An unauthorized recipient will make a binary decision from a signal that appears to be quaternary, and if it finds a measurement value in areas 0 and 1, it will decide that the signal is “0”, and if it finds a measurement value in areas 2 and 3, it will Since it is determined as “1”, a bit error occurs when the measurement value is found in the region 2 and the region 3 for the signal “0”. Therefore, the BER of the unauthorized recipient is given by equation (2).

Probability distribution of the fluctuation P (theta) is, if using the magnitude δθ fluctuations given by equation (3), specifically the legitimate receiver bit error rate E _B and unauthorized recipients bit error rate E _E Can be requested.

FIG. 6 is a plot of E _B and E _E with 2δθ as a variable. If the fluctuation of the Gaussian distribution is set so that the BER of the regular receiver is 10 ⁻¹² , the BER of the illegal receiver is about 10 ⁻⁴ .

The error correction code (141) applied to the random number signal (111) does not need to be able to correct an error in the case of quaternary determination (two-base binary determination). In the base collation process in the receiver, it is only necessary to determine only positions where bit errors occur continuously. If the bit at the starting point of the continuous bit error can be specified, by correcting the bit, the BER is reduced to an expected value when the binary determination (one base binary determination) can be performed. On the contrary, if error correction can be performed with respect to quaternary determination (binary binary determination), the difference in BER based on the effect of fluctuation between the regular receiver and the illegal receiver is lost. That is, there is no difference between an authorized recipient who is guaranteed in terms of information theory and an unauthorized recipient. Therefore, in order to form a difference between an authorized recipient and an unauthorized recipient in terms of information in this protocol, an authorized recipient (for example, BER) whose ability of an error correction code applied to a random number signal can be determined based on one base binary value. Is sufficient for 10 ⁻¹² ), and is insufficient for unauthorized recipients (for example, BER of 10 ⁻⁴ ) that requires two-base binary determination. Furthermore, it is desirable that the error correction code is designed so that the continuous bit error starting points generated in the base matching process can be determined as easily as possible.

  The signal transmitted / received by the layer 1 is a random number, and the base is also determined by a true random number. Although the random number signal is encrypted with the seed key 2 (122), the seed key 2 (122) is not estimated by an unauthorized recipient because the signal is a random number. Since the seed key 1 (121) for determining the shared base is also buried in the random number base, an unauthorized recipient cannot be estimated here either. Since the illegal receiver cannot obtain meaningful information in the layer 1, the difference in BER formed between the legitimate receiver and the illegal receiver leads to a safe amount of information. However, it is necessary to correct the error correction code with redundancy. If the privacy amplifier executor 171 in the transmitter 100 and the privacy amplifier executor 371 in the receiver 300 operate with the same algorithm, a common secret key is formed between the transceivers.

  The actual signal is encrypted by the encryptor 181 using the secret key generated in the transmitter, superimposed on the carrier light by the optical transmitter 182, and transmitted to the receiver 300 by the optical transmission path 202. The optical transmitter 182 includes a light source and a modulator that modulates light emitted from the light source.

  The receiver 300 receives the transmitted signal light by the photodetector 381 and converts it into an electric signal, and the encryption / decryption device 382 uses the secret key to make a plain. This completes a series of secure cryptographic communication processes.

  Communication performed on the optical transmission line 202 does not need to use carrier light accompanied by fluctuation, and may be ordinary optical communication. The optical transmission lines 202 and 201 may be physically different, or wavelength multiplexing may be performed using the same optical transmission line.

  In the first embodiment, the random number base and the shared base are compared for each bit to determine whether to transmit a random number signal or a dummy random number. A method other than the first embodiment is also possible as a method for selecting the shared basis from the random number basis, and FIG. 7 shows an example of the configuration of a cryptographic communication system that realizes the method. In the present embodiment, the shared basis and the random number basis are collated to determine which of the random number signal and the dummy random number is transmitted, as in the first embodiment. However, when the shared basis and the random number basis do not match, the shared basis that has been rejected is checked again with the random number basis with the next bit to determine whether to transmit a random number signal or a dummy random number. The shared basis is repeated until it matches the random number basis. In other words, the operation is performed so that the sequence of bases on which the random number signal is superimposed is aligned with the shared bases.

  FIG. 8 shows the above mechanism as a specific example. The random number base determined by the output of the random number generator 3 (113) is 00011101000100 in FIG. On the other hand, the base shared in advance between the sender and receiver by the seed key 1 (121, 321) made up of random numbers is 10110000. On the transmitter side, first, preparations are made for transmitting random number signals in a sequence of bases determined by shared bases. In the example of FIG. 8, the first base of the shared base is “1”, but the first of the random base determined by the random number generator 3 (113) is “0”, which is inconsistent. A signal is transmitted by superimposing a dummy random number (output of the random number generator 2 (112)). The shared basis “1” that was not matched is checked again with the next random number basis. The second output of the random number base (random number generator 3 (113)) is “1”. In this case, since it coincides with the first base “1” of the shared base, the random number signal is superimposed and transmitted. The random number signal is subjected to error correction coding in the same manner as in the first embodiment, and for simplification, a parity bit is added every 5 bits as in the first embodiment. On the transmission side in FIG. 8, the parity bits are italicized.

  The processing on the receiver 300 side is also modified from the processing in the first embodiment based on the modification of the processing on the transmitter 100 side. First, quaternary determination is performed to determine which base is used in the same manner as in the first embodiment. This is compared with the shared basis, and if it matches, the random number data is adopted, and if it does not match, it is determined as a dummy random number. The shared base that did not match is checked again with the random number base determined from the received signal next, and if it matches, the base and the random number data are adopted. When there is a base determination error, the parity after that position becomes an error with a probability of 1/2, and the position where the determination error has occurred is almost specified. The position where this determination error occurred is either a dummy random number entered or the random number signal dropped out, so remove the bit near the position where the determination error occurred and repeat the base verification after that position to check the parity again. In order, perform a parity check by returning the bits discarded because it was determined to be a dummy near the position where there was a determination error, and performing the base check again after that position, and a bit string with almost no bit errors look for. An example where there is no bit error and when there is no bit error is shown on the right side of FIG. In this example, the base verification of the second bit from the left results in a determination error (indicated by an underline on the receiving side), and the random number signal that should originally be a shared random number is determined as a dummy random number. For this reason, the number of bits of the adopted data is reduced, the position of the parity bit is shifted, and the shared random number is completely different. In the example of FIG. 8, it can be seen that when there is a basis determination error, the slot position of the shared random number changes so as not to retain the original pattern. In this case, the subsequent parity bits are erroneous with a probability of ½, and the position where the bit error occurred can be generally understood. If the position of the bit error can be almost specified, the bits in the vicinity thereof are corrected, and the correction is repeated until the bit error is almost eliminated and a BER that enables decoding of the error correction code is reached.

  In the system of the second embodiment, when signal bits are inserted or removed on the basis of an error in the base determination in the receiver, it is necessary to redo the subsequent base collation, so that compared with the system of the first embodiment. There is a disadvantage that the processing is increased, but there is an advantage that the sequence of shared bases is completely determined only by the seed key.

  In order not to give meaningful information to unauthorized recipients by transmission / reception of random numbers in the layer 1, the base as well as the signal needs to be determined by random numbers. However, the process of extracting the shared base from the random base is somewhat complicated because there is a bit error for the regular receiver as seen in the first and second embodiments. I would like to achieve this in a slightly simpler way from the point of view of practical operation. One of the systems for realizing this is the cryptographic communication system shown in FIG.

  In the protocol shown in FIG. 9, three random number generators (111, 112, 114) and three seed keys (122, 123, 124) composed of random numbers are used. Similar to the first embodiment, there is a method in which the output of one random number generator and one seed key are divided into three parts. In the first embodiment, the arrangement of slots for sending random number signals and slots for sending dummy random numbers is determined by true random numbers using the random number generator 3 (113), but is determined by the pseudo random number generator 124 in this embodiment. The base of the slot for transmitting the random number signal (output of the random number generator 1 (111)) is a shared base determined by the pseudo random number generator 123, and the slot of the slot for transmitting the dummy random number (output of the random number generator 2 (112)). The base is determined by the random number generator 3 (114). In the present embodiment, it is determined in advance between the sender and the receiver by the seed key 2 (pseudorandom number generator 124) which slot of the transmission signal is embedded with the random number signal. The transmission base is no longer a true random number, and the security is inferior to that of the first and second embodiments, but the data processing becomes easy.

  FIG. 10 shows a specific example of the base and random number signal processing. The shared base determined by the pseudo random number generator 123 is 10110000, and the random base determined by the random number generator 3 (114) is 0010111. It is the output 000111101000101 of the pseudo random number generator 124 that determines the arrangement of these two types of base information (the column “adopted slot” on the left side of FIG. 10). When “0”, the shared basis is the transmission basis, and when “1”, the random number basis is the transmission basis. The transmission base of the result is 100101011000101. The basis seen by unauthorized recipients is a sequence of true random numbers (random number generator 3 (114)) and pseudorandom numbers (pseudorandom number generator 123) using another pseudorandom number (pseudorandom number generator 124), Although pseudorandom number generators 123 and 124 are used, it is difficult to decipher the basis of each signal. Whether the random number signal is transmitted or the dummy random number is transmitted is determined by the pseudo random number generator 124, and the buffers 133 and 134 are provided as in the first and second embodiments so that the signal can be transmitted in accordance with the timing. . In this embodiment, since the random number signal and the shared base form a pair, and the dummy random number and the dummy base form a pair, the buffers 133 and 134 temporarily stand by each of these pairs. The point that the random number signal (the output from the random number generator 1 (111)) is encrypted by the seed key 3 (122) and the point that the error correction encoding (141) is performed are the same as in the first and second embodiments. It is the same that the transmission signal appears to have four values.

  The receiver uses two sets of homodyne detectors 312 and 313 to perform projection detection on the q-axis base (base “0”) and the p-axis base (base “1”), and respectively performs binary determination. Only the detection result of the slot whose output of the pseudo random number generator 324 (the same as the output of the pseudo random number generator 124) corresponds to “0” is processed as the received random number, and the dummy slot (the output of the pseudo random number generator 324 is “ 1 ") signal is ignored. Since the basis of the random number signal is determined by the output of the pseudo random number generator 323 (the same as the output of the pseudo random number generator 123), it is determined which of the two sets of homodyne outputs is to be adopted.

  Although the output of the pseudo random number generator 324 that determines the slot of the shared base is synchronized with the transmission clock, the random number signal is a part of the transmitted signal, so the output of the pseudo random number generator 323 that determines the shared base is the buffer 333. Wait for a while and adjust to the timing when the random number signal comes. Based on the output (shared base) of the pseudo-random number generator 323, the output of one of the two photodetectors 312 and 313 is adopted, and the output value (shared random number) is input to the buffer 334, and the output timing is adjusted. The data is input to the error correction code decoder 341. Thereafter, the cipher is decrypted with the seed key 3 (322) (the same as the seed key 3 (122)), and the output of the random number generator 1 (111) in the transmitter is reproduced. As described above, since the random number signal can be shared between the transmitter and the receiver, the processing by the privacy amplifier executors (171 and 371) is performed in both the transmitter and the receiver, and the secret key is shared. The actual signal encryption communication using the secret key is the same as in the first and second embodiments.

  In this method, since the adopted slot and the adopted base are determined in advance, it is not possible to guarantee the information-theoretic security as in the case of the true random number basis system of the first and second embodiments, but it is difficult to decipher the illegal recipient. As a result, it is possible to construct a system that is difficult to decipher by an unauthorized recipient and that is relatively easy to operate.

  Up to the third embodiment, binary binary basis phase modulation schemes have been shown. In general, the system of the present invention can be operated on an n-value m basis with n and m being positive integers. For example, FIG. 11 is a diagram illustrating a signal state on the phase space in the case of the binary 4-base phase modulation method. FIG. 11A shows a binary signal based on the q-axis, and FIG. 11B shows a binary signal based on 45 ° rotated from the q-axis. FIG. 11C shows a p-axis base binary signal, and FIG. 11D shows a base binary signal rotated −45 ° from the q-axis. FIG. 12 is a diagram illustrating a signal state on the phase space in the case of the quaternary two-basis phase modulation method. 12A shows a quaternary signal based on the q-axis and the p-axis, and FIG. 12B shows a quaternary signal rotated by 45 ° from the case of FIG. 12A.

  Here, the fluctuation light source 151 which is an element common to each embodiment will be described. Various forms of the fluctuation light source 151 are conceivable, but a method using the Kerr effect of an optical fiber is convenient. An example is shown in FIG. The output light from the laser light source 1510 is amplified by the optical amplifier 1521, passes through the band filter 1522, and propagates through the optical fiber 1523. At this time, phase fluctuation is applied through the Kerr effect of the optical fiber. The laser output light can be described relatively well in the coherent state, and the shape of the fluctuation in the phase space is circular, but it becomes elliptical through the Kerr effect of the optical fiber, and further progresses into a crescent shape. Light with an elliptical or crescent shape is called anti-squeezed light (T. Tomaru, and M. Ban, “Secure optical communication using antisqueezing,” Phys. Rev. A 74, 032312 (2006 ), T. Tomaru, “LD light antisqueezing through fiber propagation in reflection-type interferometer,” Opt. Exp. 15, 11241 (2007)). Since the Kerr effect increases in proportion to the light intensity, it is effective to increase the peak intensity using pulsed light. In this case, it is effective to suppress the pulse spread accompanying the fiber propagation, and it is preferable to select the pulse width, the light intensity, and the fiber dispersion value so as to satisfy the soliton condition (Japanese Patent Laid-Open No. 2008-003339). Further, if the light intensity is increased further than the above soliton condition, it becomes possible to satisfy the condition of higher-order solitons (Japanese Patent Laid-Open No. 2008-003339), and the pulse width reduction effect works to enhance the Kerr effect. it can. Further, at that time, the spectrum width is expanded, and the spectrum expansion exhibits the same effect as the phase fluctuation in phase detection, so that the effect of the fluctuation is further enhanced. Similar to the Kerr effect, the Raman effect is also effective in expanding phase fluctuations.

  FIG. 14 shows an embodiment in which the fiber propagation part is reciprocated using an optical circulator 1524 and a Faraday mirror 1525. The advantage is that the fiber length can be halved. Also, since the polarization rotates exactly 90 degrees when the fiber 1523 is reciprocated once regardless of the polarization state during fiber propagation, it is effective when it is desired to stabilize the polarization at the time of fluctuation generator output. It is also effective to increase the phase fluctuation effect by incorporating a fiber interferometer in the fluctuation generator 1520 and increasing the ratio of phase fluctuation to amplitude (T. Tomaru, “LD light antisqueezing through fiber propagation in reflection-type interferometer, ”Opt. Exp. 15, 11241 (2007)).

  As described above, the phase fluctuation is generated by the Kerr effect of the optical fiber. It is also possible to output light accompanied by phase fluctuation directly from a laser diode (LD). If the LD is operated near the oscillation threshold, the phase fluctuation is large. It is one method to use this property as it is.

  An injection current is required for LD oscillation. It is also possible to superimpose fluctuations (noise) on the injected current to generate the same effect as the fluctuation of the light source itself. FIG. 15 shows such a case. As a fluctuation generation source, for example, use of thermal fluctuation can be considered. In addition, since fluctuation can be considered as an analog random number, the output of the random number generator can be multivalued to make it equivalent to fluctuation.

  The superimposition of fluctuations can also be performed in the modulator 161. The modulator 161 is installed for signal superimposition. If the fluctuation is superimposed simultaneously with the signal superimposition, the modulator 161 works equivalent to the case where the light source fluctuates (FIG. 16). As the fluctuation generation source 1630, it is conceivable to use thermal fluctuation, to make the output of the random number generator multivalued, and to make it equivalent to fluctuation.

  So far, the phase modulation method has been shown as an example. However, the present invention can also be applied to the intensity modulation method. FIG. 17 shows the state of the intensity distribution function when operating on a binary binary basis. In the intensity modulation method, the signal intensity of “0” and “1” varies depending on the base. FIG. 17A and FIG. 17B are binary signals when the bases are different. Due to the difference in the basis, the threshold values of “0” and “1” are different between FIG. 17A and FIG. When the base is not known, the signal state has a total of four values as shown in FIG. Since there is an overlap in the probability distribution, bit errors increase. The regular receiver who knows the base may make a quaternary determination once in the determination process as in the first and second embodiments. However, since a binary determination can be made in principle, as shown in FIG. Binary determination can be performed with almost no overlapping distribution.

  The binary determination and quaternary determination are the same in the case of the phase modulation method and the intensity modulation method. Therefore, the signal processing for the phase modulation method shown in the first to third embodiments can be similarly performed for the intensity modulation method.

  The embodiments of the present invention have been described above using the phase modulation method as a main example. However, as mentioned in the fifth embodiment, the present invention is established without distinction between the phase modulation method and the intensity modulation method. In addition, although the embodiment has been described mainly taking the binary base as an example, as described with reference to FIGS. 11 and 12, the present invention can also be applied to a case of a multi-value multi-base.

  In the present invention, an error correction code is used to correct a bit error that remains even in a regular receiver and to correct a base verification error in the receiver. The random number data made redundant by the error correction code is transmitted through the optical transmission line 201 shown in FIGS. Originally, in the optical transmission line 201, it is ideal that a random number signal is transmitted on a random number basis. Therefore, consider transmitting the error correction code redundancy by the optical transmission line 202. As a result, only a complete random number signal is transmitted to the optical transmission line 201. Since the optical transmission line 202 is a normal transmission line, there is no safety for redundancy, but the amount of information for redundancy is originally subtracted from the amount of safe information in the process of secret key generation, so this is not a problem. In addition, by reliably sending the redundant part through the optical transmission line 202, the complexity of processing on the receiver side is reduced. In the first and second embodiments, the parity check function inherent in the error correction code is used to determine the basis, the basis verification error is corrected based on the result of the parity check, and the random number signal and the dummy random number are obtained. I was identifying. In the first and second embodiments, the signal redundancy is also transmitted as a series of data together with the random data, so it is not determined at the first processing stage of the receiver which is the random data and which is the redundancy. The redundant part was fixed while correcting the base verification error. Therefore, the data processing has to be complicated. However, if the redundant part is transmitted through the optical transmission line 202, the redundant part data for the parity check is fixed and reaches the receiver without fail, so the complexity of the base determination process in the receiver is reduced, and the circuit implementation When doing so, calculation time and calorific value are alleviated. An embodiment based on the above idea will be described below.

  If both the base and the signal are converted into intrinsic random numbers, only a completely random signal sequence can be seen by unauthorized recipients. FIG. 18 shows a configuration example of a cryptographic communication system according to the present invention. In the transmitter 100, three random number generators (111, 112, 113) and two kinds of seed keys (121, 122) composed of random numbers are arranged. The random number generator and the seed key can be divided into one each if the output from one random number generator is divided into three parts and one kind of seed key is divided into two parts. The output of the random number generator 1 (111) is a random number that becomes a signal for generating a secret key, is encrypted using the seed key 2 (122), and is encoded by the error correction encoder 141. In error correction coding, an information symbol portion and a parity check symbol portion are separated, and the former is called a random number code and the latter is called a check symbol. The random number code is prepared for transmission in the buffer 131. The buffer 132 prepares the output of the random number generator 2 (112) as a random number for the dummy signal. The random number generator 3 (113) converts the base into a random number, and the signal transmission of the layer 1 is performed based on the random number base. In order for a legitimate receiver to receive correctly, a base shared between legitimate senders and receivers must be used. For this purpose, the seed key 1 (121) is used. The base is completely randomized by the random number generator 3 (113), but not all the random numbers transmitted and received are used as signals, but the random number base matches the base determined by the seed key 1 (121) It is assumed that random numbers are seen by unauthorized recipients, but regular recipients are seen by regular recipients.

  A specific example of the random number signal and the dummy random number processed by the above mechanism is shown in FIG. To specify the base, the q-axis base in FIG. 1 is set to “0”, and the p-axis base is set to “1”. The random number base determined by the output of the random number generator 3 (113) is assumed to be 010011101000100 as shown in FIG. On the other hand, the base shared in advance between the sender and the receiver is 110100001101100. In FIG. 19, the first basis of the shared basis is “1”, but the first of the random number basis determined by the random number generator 3 (113) is “0”, which is inconsistent. In this case, a dummy random number ( A signal is transmitted by superimposing a standby in the buffer 132. The superimposition of the signal is performed through the modulator 161 on the output light from the fluctuation light source 151. The second output of the random number base (random number generator 3 (113)) is “1”. In this case, since it matches the second output of the shared base, the random number code (waiting in the buffer 131) is superimposed and transmitted. To do. Since the next shared basis and random number basis are both “0”, the random number code is continuously superimposed and transmitted. Thereafter, the same is repeated.

  In this method, the timing at which the random number code and the dummy random number are superimposed is determined depending on the output of the random number base (random number generator 3 (113)). Therefore, as shown in FIG. And waiting for a random number code and a dummy random number. Since the signal (random number code and dummy random number) is binary and the base is also binary, the signal at the time of transmission is quaternary. In the column of “Transmission signal” in FIG. 19, signal values when allocation in the phase space as shown in the lower left diagram is described. The random number in the “Signal” column is a random number code, and the random number in the “Dummy” column is a dummy random number. The “parity check” column represents a parity check symbol. Here, as an example, the parity for every 5 bits of the random number signal is treated as a check symbol.

  The parity check symbol generated by the error correction encoder 141 is multiplexed with another signal sent through the normal transmission line in the signal processing unit 183 for transmission through the normal optical transmission line 202. This multiplexing is a method performed in normal communication such as packetization or time multiplexing. Thereafter, the light is guided to the optical transmitter 182 and transmitted to the receiver 300 through the optical transmission path 202. Light is received by the photodetector 381, converted into an electrical signal, and sent to the signal processing unit 383. The signal processing unit 383 separates the multiplexed signal sequence into a state before multiplexing, and the check symbol is separated from other signals here.

The signals (random code and dummy random number) are transmitted by the optical transmission line 201 and received by the detector 311 in the receiver 300. The detector 311 performs quaternary determination and binary determination simultaneously. This process is easy. Two quadrature components (q-axis component and p-axis component) are measured by two sets of homodyne detectors. A binary determination result for each base is obtained by performing binary determination (each component is positive or negative) on the output values I _q and I _p of each homodyne detector. If the phase φ is determined by arctan (I _p / I _q ) from the output values I _q , I _{p of the} two sets of homodyne detection results, four-value determination (“0”, “1”, “2”, “3”: (See FIG. 19). Since the base is randomized, the signal state appears to be four values even for a legitimate receiver. Therefore, it is first determined which base was used by determining four values. If the quaternary determination result is “0” or “2”, the base “0” is determined, and if the quaternary determination result is “1” or “3”, the base “1” and the random number base are determined. This is compared with a shared basis determined by the seed key 1 (321) (the same as the seed key 1 (121) in the transmitter). If they match, the superimposed signal is determined as a random number code. Judged as a random number. An example of the above processing on the receiving side is shown on the right side of FIG. However, since the base is determined based on the quaternary determination, there are many base determination errors, that is, collation determination errors with the shared base.

  In order to correct this, a parity check symbol transmitted through the optical transmission line 202 is used. If there is no error in the collation between the random number basis and the shared basis, the BER of the random number data becomes a small value estimated in advance, but if there is an error in the collation, a bit error will occur with a probability of 1/2 after the bit in which there is an error. Therefore, if a parity check is performed, the position where the bit error has started can be almost specified. The position at which this bit error has started is either a dummy random number has been entered or the random number code has been dropped. Therefore, the parity check is performed by removing the bit at the position where the bit error has started, and the parity check is performed by returning the bit discarded because it is determined to be a dummy, and a bit string almost free of bit errors is searched.

  A specific example of what happens when there is a bit error is also shown in FIG. For the sake of simplicity, consider the case where error correction coding with an elementary parity check function is performed in the error correction encoder 141. Random number data is divided every 5 bits. If the number of “1” is odd, “1” is used, and if it is even, “0” is used as a check symbol. The random number code is shown in the “Signal” column on the transmission side in FIG. The parity for 5 bits from the left is 1 and is shown in the “parity check” column. If there is no bit error at the time of reception, the calculated parity of the received random number code matches the value of the check symbol. It is assumed that the determination of the random number base on the receiving side is incorrect at the sixth bit from the left in FIG. In the example on the receiving side in FIG. 19, the bit with the underline added is a determination error. In this case, bits that are not originally signal bits are treated as signal bits, and the shared random number increases by one bit.

  If the receiver performs a parity check without noticing that one bit has been increased, the parity will not match with probability 1/2 after the bit in which the bit error has occurred. This makes it possible to roughly determine where a bit error has occurred. The determination of the random number base of the bit that seems to be a bit error is changed and the processing of the receiver is repeated, and a bit string in which the parity is almost normal is searched. In the example on the receiving side in FIG. 19, an underlined bit is an error, and this bit is deleted from the shared random number, so that the bit error-free state can be restored. When returning a bit that has been discarded because it is determined to be a dummy, the base collation is incorrect, and therefore, when returning, signal determination is performed based on a base different from the initial determination. The signal determination at this time is binary determination because the base is fixed. The processing in the receiver in this system is temporarily determined in four values, but is reduced to binary determination in the process of correcting the base error. In the case of binary determination, the BER is smaller than in the case of 4-level determination. This is a factor in which the legitimate receiver becomes informationally advantageous to the illegal receiver, and is brought about by the seed key 1 (121 and 321) shared in advance between the sender and the receiver.

  When the bit error is almost eliminated and the BER that can be corrected by the error correction decoder 341 is reached, the error correction code is decoded and the seed key 2 (322) is decoded. As a result, the output of the random number generator 1 (111) in the transmitter can be reproduced in the receiver. In order to generate a final secret key, the difference in information amount determined by the BER between the case of 1-base binary determination (regular receiver) and the case of 2-base binary determination (illegal receiver) And the privacy amplifier (171 and 371) reduces the information amount of the random number signal shared between the sender and the receiver to the corrected information amount.

  The privacy amplifier can be realized through logical operations, for example. It is assumed that 20% of the random numbers shared between the sender and the receiver is a safe information amount and the shared random number is ‘01001 01110’. If an exclusive OR is performed every 5 bits, it becomes “01”. In this process, all data are handled equally and the amount of information is reduced to 20%. This is an example of a privacy amplifier.

The BER of regular recipients and unauthorized recipients can be similarly estimated by the method described in the first embodiment. As shown in FIG. 6, if the fluctuation of the Gaussian distribution is set so that the BER of the regular receiver is 10 ⁻¹² , the BER of the unauthorized receiver is about 10 ⁻⁴ .

The error correction code (141) applied to the random number signal (111) does not need to be able to correct an error in the case of quaternary determination (two-base binary determination). In the base collation process in the receiver, it is only necessary to determine only positions where bit errors occur continuously. If the bit at the starting point of the continuous bit error can be specified, the bit is corrected, so that the BER is reduced to an expected value when binary (one base binary) can be determined. On the other hand, if error correction can be performed with respect to quaternary (binary binary) determination, the difference in BER based on the effect of fluctuations between the regular recipient and the unauthorized recipient is lost. That is, there is no informationally guaranteed difference between the legitimate recipient and the illegal recipient. Therefore, in order to form a difference between an authorized recipient and an unauthorized recipient in terms of information in this protocol, the ability of an error correction code applied to a random number signal is judged as a regular recipient (one base binary signal determination) For example, it is necessary that the BER is 10 ⁻¹² ), and that it is insufficient for an unauthorized receiver (for example, the BER is 10 ⁻⁴ ) that needs to determine a signal with a binary basis. Furthermore, it is desirable that the error correction code is designed so that the continuous bit error starting points generated in the base matching process can be determined as easily as possible.

  A signal transmitted and received on the optical transmission line 201 is a random number, and a base is also determined by a true random number. Although the random number signal is encrypted with the seed key 2 (122), the seed key 2 (122) is not estimated by an unauthorized recipient because the signal is a random number. Since the seed key 1 (121) for determining the shared base is also buried in the random number base, an unauthorized recipient cannot be estimated here either. Since the illegal receiver cannot obtain meaningful information on the optical transmission line 201, the difference in BER formed between the regular receiver and the illegal receiver brings a safe amount of information. However, it is necessary to correct the error correction code with redundancy. If the privacy amplifier executor 171 in the transmitter 100 and the privacy amplifier executor 371 in the receiver 300 operate with the same algorithm, a common secret key is formed between the transceivers.

  The actual signal is encrypted by the encryptor 181 using the secret key generated in the transmitter, multiplexed with other signals by the signal processing unit 183, and superimposed on the carrier light by the optical transmitter 182 for optical transmission. The signal is transmitted to the receiver 300 through the path 202. The optical transmitter 182 includes a light source and a modulator that modulates light emitted from the light source.

  The receiver 300 receives the transmitted signal light by the photodetector 381 and converts it into an electrical signal. The electrical signal is returned to the state of the signal before multiplexing by the signal processing unit 383, and the encrypted signal is received. The separated and encrypted signal is decrypted in the decryptor 382 using the secret key. This completes a series of secure cryptographic communication processes.

  Communication performed on the optical transmission line 202 does not need to use carrier light accompanied by fluctuation, and may be ordinary optical communication. The optical transmission lines 202 and 201 may be physically different, or wavelength multiplexing may be performed using the same optical transmission line.

  In the sixth embodiment, a random number base and a shared base are compared in pairs for each bit, and it is determined whether to transmit a random number code or a dummy random number. A method other than the sixth embodiment is also possible as a method for selecting a shared basis from among random number bases, and FIG. 20 shows a configuration example of a cryptographic communication system that realizes the method. The present embodiment is the same as the method of the sixth embodiment in that the shared basis and the random number basis are collated to determine which of the random number code and the dummy random number is transmitted. However, when the shared basis and the random number basis do not match, the shared basis that has been rejected is checked again with the random number basis with the next bit to determine whether to transmit a random number code or a dummy random number. The shared basis is repeated until it matches the random number basis. In other words, the operation is performed so that the sequence of bases on which the random number codes are superposed coincides with that of the shared bases.

  FIG. 21 shows the above mechanism as a specific example. The random number base determined by the output of the random number generator 3 (113) is 010011101000100 in FIG. On the other hand, the base shared in advance between the sender and receiver by the seed key 1 (121, 321) made up of random numbers is 10110000. On the transmitter side, first, preparations are made for transmitting random number signals in a sequence of bases determined by shared bases. In the example of FIG. 21, the first basis of the shared basis is “1”, but the first of the random number basis determined by the random number generator 3 (113) is “0” and does not match. A signal is transmitted by superimposing a dummy random number (output of the random number generator 2 (112)). The shared basis “1” that was not matched is checked again with the next random number basis. The second output of the random number base (random number generator 3 (113)) is “1”. In this case, since it coincides with the first base “1” of the shared base, the random number code is superimposed and transmitted. The random number signal is subjected to error correction coding in the same manner as in the sixth embodiment, and is separated by the error correction encoder 141 into a random number code in the information symbol portion and a redundant parity check symbol. For simplification, the parity for every 5 bits is a check symbol as in the sixth embodiment.

  The processing on the receiver 300 side is also modified from the processing of the sixth embodiment based on the modification of the processing on the transmitter 100 side. First, quaternary determination is performed, and which base is used is the same as in the method of the sixth embodiment. This is compared with the shared base, and if it matches, the random number data is adopted as a random number code, and if it does not match, it is determined as a dummy random number. The shared base that did not match is checked again with the random number base determined from the received signal next, and if it matches, the base and the random number data are adopted. If there is a base determination error, the parity after that position becomes an error with a probability of 1/2, and the position where the determination error has occurred is almost specified. The position where this determination error occurred was either a dummy random number entered or the random number code was missing, so remove the bits near the position where the determination error occurred and repeat the base verification after that position to perform the parity check again. In order, perform a parity check by returning the bits discarded because it was determined to be a dummy near the position where there was a determination error, and performing the base check again after that position, and a bit string with almost no bit errors look for. Examples of cases where there is no basis determination error and cases where there is no basis determination are shown on the right side of FIG. In this example, the base verification of the second bit from the left results in a determination error (indicated by an underline on the receiving side), and the random number signal that should originally be a shared random number is determined as a dummy random number. For this reason, the number of bits of the adopted data is reduced, and the shared random number is completely different. In the example of FIG. 21, it can be seen that the slot position of the shared random number changes so as not to remain the original when there is a basis determination error. In this case, the subsequent parity check is erroneous with a probability of ½, and the position where the bit error occurred can be generally understood. If the position of the bit error can be almost specified, the bits in the vicinity thereof are corrected, and the correction is repeated until the bit error is almost eliminated and a BER that enables decoding of the error correction code is reached.

  In the system according to the seventh embodiment, when signal bits are inserted or removed based on an error in base determination in the receiver, it is necessary to perform the subsequent base collation again. Therefore, compared with the system according to the sixth embodiment. There is a disadvantage that the processing is increased, but there is an advantage that the sequence of shared bases is completely determined only by the seed key.

  In the present invention, it has been shown that a secure secret key can be generated using fluctuations with the seed key as a starting hand. Although the present invention is based on the seed key, the process of generating the secret key is guaranteed in terms of information theory. Therefore, even if an unauthorized recipient tries to decipher the ciphertext, there is no effective attack method other than a brute force attack on the seed key. In other words, it is freed from the threat that an efficient cryptanalysis method may be discovered. The system according to the present invention can use the current optical communication network as it is, and is a realistic and highly applicable system. For these two reasons, the present invention has high industrial applicability.

Claims (14)

First random number generator, error correction encoder, second random number generator, third random number generator, first light source, first modulator, privacy amplifier, cipher, second light source and second light source A transmitter comprising an optical transmitter having two modulators;
A receiver comprising a first photodetector, an error correction decoder, a privacy amplifier, a second photodetector, and an encryption decoder;
An optical transmission line connecting the transmitter and the receiver;
The transmitter and the receiver share a first seed key consisting of a random number in advance, the first seed key gives a shared base to the transmitter and the receiver,
The transmitter performs error correction encoding by the error correction encoder as a random number signal from the output of the first random number generator,
When the output of the second random number generator is a dummy random number, the output of the third random number generator is a random number base for transmitting the random number signal and the dummy random number, and the random number base and the shared base match The random number signal is a signal, and when the random basis and the shared basis do not match, the dummy random number is a signal,
The first modulator superimposes the signal on the random number basis to the output light from the first light source by the first modulator,
At that time, the output light from the first light source is accompanied by fluctuations, or fluctuations are superimposed on the first light source or the first modulator,
The first signal light is output to the optical transmission line;
The privacy amplifier generates a secret key by reducing the number of bits of the random number signal that is the output of the first random number generator,
The encryptor encrypts a transmission signal using the secret key,
A second signal light modulated by the encrypted transmission signal is output from the optical transmitter;
The receiver receives the first signal light by the first photodetector;
The random number base and the signal value are determined, the received random base and the shared base are collated, and the signal in the case of matching is decoded as an error correction encoded random signal by the error correction decoder,
Reduce the number of bits by the privacy amplifier and take out the secret key,
Receiving the second signal light by the second photodetector;
An encryption communication system, wherein the transmission signal is decrypted from the signal received by the second photodetector by the encryption / decryption device using the extracted secret key. First random number generator, error correction encoder, second random number generator, third random number generator, first light source, first modulator, privacy amplifier, cipher, second light source and second light source A transmitter comprising an optical transmitter having two modulators;
A receiver comprising a first photodetector, an error correction decoder, a privacy amplifier, a second photodetector, and an encryption decoder;
An optical transmission line connecting the transmitter and the receiver;
The transmitter and the receiver share a first seed key consisting of a random number in advance, the first seed key gives a shared base to the transmitter and the receiver,
The transmitter performs error correction encoding by the error correction encoder as a random number signal from the output of the first random number generator,
The output of the second random number generator is a dummy random number, the output of the third random number generator is the random number base for transmitting the random number signal and the dummy random number,
When the random number basis and the shared basis match, the random number signal is a signal, and when the random number basis and the shared basis do not match, the dummy random number is a signal, thereby determining the signal of each random number basis, In the process of determining the next basis, the shared basis that did not match the random number basis and the next random number basis are collated, and if they match, the random number signal is a signal, and if not, the dummy random number is a signal, Repeat the process of matching and signal determination until the shared basis matches the random number basis, and after matching the shared basis and the random number basis, proceed to the next shared basis and repeat the same process,
The first modulator superimposes the signal on the random number basis to the output light from the first light source by the first modulator,
At that time, the output light from the first light source is accompanied by fluctuations, or fluctuations are superimposed on the first light source or the first modulator,
The first signal light is output to the optical transmission line;
The privacy amplifier generates a secret key by reducing the number of bits of the random number signal that is the output of the first random number generator,
The encryptor encrypts a transmission signal using the secret key,
A second signal light modulated by the encrypted transmission signal is output from the optical transmitter;
The receiver receives the first signal light by the first photodetector;
The random number base and the signal value are determined, the received random base is compared with the shared base, and the matching with the random base is repeated with the same shared base until they match. Go to the shared base of and repeat the same process,
The error correction decoder decodes the signal obtained by the above series of processes as an error correction encoded random number signal,
Reduce the number of bits by the privacy amplifier and take out the secret key,
Receiving the second signal light by the second photodetector;
An encryption communication system, wherein the transmission signal is decrypted from the signal received by the second photodetector by the encryption / decryption device using the extracted secret key. A first random number generator, an error correction encoder, a second random number generator, a third random number generator, a first pseudo random number generator, a second pseudo random number generator, a first light source, a first light source, A transmitter comprising a modulator, a privacy amplifier, an encryptor, and an optical transmitter having a second light source and a second modulator;
A receiver comprising a first photodetector, a first pseudo-random number generator, a second pseudo-random number generator, an error correction decoder, a privacy amplifier, a second photodetector, and an encryption decoder;
An optical transmission line connecting the transmitter and the receiver;
The transmitter and the receiver share a first seed key and a second seed key made up of random numbers in advance, and the first seed key is a first pseudo-random number generator in each of the transmitter and the receiver. The second seed key provides a signal slot utilizing the shared basis through a second pseudo-random number generator in each of the transmitter and the receiver,
The transmitter performs error correction encoding by the error correction encoder as a random number signal from the output of the first random number generator,
The output of the second random number generator is a dummy random number, the output of the third random number generator is a dummy random number base,
In the signal slot using the shared basis, the random number signal is signaled using the shared basis, and in the signal slot not using the shared basis, the dummy random number base is used as a signal,
Using the first modulator to superimpose the signal on the output light from the first light source to form a first signal light;
At that time, the output light from the light source is accompanied by fluctuation, or fluctuation is superimposed on the light source or the modulator,
The first signal light is output to the optical transmission line;
The privacy amplifier generates a secret key by reducing the number of bits of the random number signal that is the output of the first random number generator,
The encryptor encrypts a transmission signal using the secret key,
A second signal light modulated by the encrypted transmission signal is output from the optical transmitter;
The receiver receives the first signal light by the first photodetector;
The signal transmitted in the shared base signal slot is decoded by the error correction decoder as a random number signal,
Reduce the number of bits by the privacy amplifier and take out the secret key,
Receiving the second signal light by the second photodetector;
An encryption communication system, wherein the transmission signal is decrypted from the signal received by the second photodetector by the encryption / decryption device using the extracted secret key.   4. The cryptographic communication system according to claim 1, wherein the fluctuation of output light from the first light source is phase fluctuation or intensity fluctuation, or the first light source or the first modulation. 5. The cryptographic communication system characterized in that the fluctuation superimposed by the detector gives a phase fluctuation or an intensity fluctuation to the first signal light.   3. The cryptographic communication system according to claim 1, wherein the transmitter and the receiver share a second seed key in advance, and the transmitter uses the random number signal generated from the first random number generator as the random number signal. Encrypting with the second seed key and then performing error correction coding with the error correction encoder, and the receiver using the second seed key to decrypt the signal decoded by the error correction decoder A cryptographic communication system.   4. The cryptographic communication system according to claim 3, wherein the transmitter and the receiver share a third seed key in advance, and the transmitter uses the third random number signal generated from the first random number generator as the third random number signal. And the error correction encoder performs error correction encoding, and the receiver uses the third seed key to decode the signal decoded by the error correction decoder. Cryptographic communication system.   The cryptographic communication system according to any one of claims 1 to 3, wherein the random number signal and the dummy random number are binary, the random number base is binary, and the signal is transmitted in a quaternary state. A cryptographic communication system characterized by the above.   The cryptographic communication system according to any one of claims 1 to 3, wherein the random number signal and the dummy random number have an n value, the random number base has an m base, and the signal is transmitted in an n × m value state. An encryption communication system. First random number generator, error correction encoder, second random number generator, third random number generator, first light source, first modulator, privacy amplifier, cipher, second light source and second light source A transmitter comprising an optical transmitter having two modulators;
A receiver comprising a first photodetector, an error correction decoder, a privacy amplifier, a second photodetector, and an encryption decoder;
Having first and second optical transmission lines connecting the transmitter and the receiver;
The transmitter and the receiver share a first seed key consisting of a random number in advance, the first seed key gives a shared base to the transmitter and the receiver,
The transmitter performs error correction coding by the error correction encoder using the output of the first random number generator as a random number signal, separates information and redundancy of the random number signal, checks the former as a random number code, and checks the latter Sign and
When the output of the second random number generator is a dummy random number, the output of the third random number generator is a random number base for transmitting the random number code and the dummy random number, and the random number base and the shared base match The random number code as a signal, and when the random basis and the shared basis do not match, the dummy random number as a signal,
The first modulator superimposes the signal on the random number basis to the output light from the first light source by the first modulator,
At that time, the output light from the first light source is accompanied by fluctuations, or fluctuations are superimposed on the first light source or the first modulator,
The first signal light is output to the first optical transmission line;
The privacy amplifier generates a secret key by reducing the number of bits of the random number signal that is the output of the first random number generator,
The encryptor encrypts a transmission signal using the secret key,
The encrypted transmission signal and the check symbol are multiplexed, and the second signal light modulated by the multiplexed signal is output from the optical transmitter to the second optical transmission line,
The receiver receives the second signal light with the second photodetector, separates the encrypted transmission signal and the check symbol from the received signal,
The receiver receives the first signal light with the first photodetector,
The random number base and the value of the signal are determined, the received random base and the shared base are collated, the signal when matched is a random number code, the signal when not matched is a dummy random number, and the check symbol is used Inspecting the random number code, thereby checking the base verification error, correcting the base if there is a verification error, and accordingly correcting the determination of the random number code and the dummy random number,
The error correction decoder decodes the random number code after the determination correction using the check symbol,
Reduce the number of bits by the privacy amplifier and take out the secret key,
An encryption communication system, wherein the encrypted transmission signal is decrypted into a transmission signal by the encryption / decryption device using the extracted secret key. First random number generator, error correction encoder, second random number generator, third random number generator, first light source, first modulator, privacy amplifier, cipher, second light source and second light source A transmitter comprising an optical transmitter having two modulators;
A receiver comprising a first photodetector, an error correction decoder, a privacy amplifier, a second photodetector, and an encryption decoder;
Having first and second optical transmission lines connecting the transmitter and the receiver;
The transmitter and the receiver share a first seed key consisting of a random number in advance, the first seed key gives a shared base to the transmitter and the receiver,
The transmitter performs error correction coding by the error correction encoder using the output of the first random number generator as a random number signal, separates information and redundancy of the random number signal, checks the former as a random number code, and checks the latter Sign and
The output of the second random number generator is a dummy random number, and the output of the third random number generator is the random number base for transmitting the random number code and the dummy random number,
When the random number basis and the shared basis match, the random number code is a signal, when the random number basis and the shared basis do not match, the dummy random number is a signal, thereby determining the signal of each random number basis, In the process of determining the next basis, the shared basis that did not match the random number basis and the next random number basis are collated, if they match, the random number code is a signal, and if not, the dummy random number is a signal, Repeat the process of matching and signal determination until the shared basis matches the random number basis, and after matching the shared basis and the random number basis, proceed to the next shared basis and repeat the same process,
The first modulator superimposes the signal on the random number basis to the output light from the first light source by the first modulator,
At that time, the output light from the first light source is accompanied by fluctuations, or fluctuations are superimposed on the first light source or the first modulator,
The first signal light is output to the first optical transmission line;
The privacy amplifier generates a secret key by reducing the number of bits of the random number signal that is the output of the first random number generator,
The encryptor encrypts a transmission signal using the secret key,
The encrypted transmission signal and the check symbol are multiplexed, and the second signal light modulated by the multiplexed signal is output from the optical transmitter to the second optical transmission line,
The receiver receives the second signal light with the second photodetector, separates the encrypted transmission signal and the check symbol from the received signal,
The receiver receives the first signal light with the first photodetector,
The random number basis and the signal value are determined, the received random number basis is compared with the shared basis, and the matching is repeated with the same shared basis until they match. If not, the signal is set as a dummy random number, the process proceeds to the next shared basis, the same processing is repeated, the random number code is inspected using the check symbol, thereby checking the base check error, and there is a check error. If this is the case, the basis is corrected, and the random number code and dummy random number are corrected accordingly.
The error correction decoder decodes the random number code after the determination correction using the check symbol,
Reduce the number of bits by the privacy amplifier and take out the secret key,
An encryption communication system, wherein the encrypted transmission signal is decrypted into a transmission signal by the encryption / decryption device using the extracted secret key.   11. The cryptographic communication system according to claim 9, wherein the fluctuation of the output light from the first light source is a phase fluctuation or an intensity fluctuation, or is superimposed by the first light source or the first modulator. The encryption communication system, wherein the fluctuation is to give a phase fluctuation or an intensity fluctuation to the first signal light.   11. The cryptographic communication system according to claim 9, wherein the transmitter and the receiver share a second seed key in advance, and the transmitter uses the random number signal generated from the first random number generator as the random number signal. Encrypting with the second seed key and then performing error correction coding with the error correction encoder, and the receiver using the second seed key to decrypt the signal decoded by the error correction decoder A cryptographic communication system.   11. The cryptographic communication system according to claim 9, wherein the random number signal and the dummy random number are binary, the random number base is binary, and the signal is transmitted in a quaternary state. Communications system.   11. The cryptographic communication system according to claim 9 or 10, wherein the random number signal and the dummy random number have an n value, the random number base has an m base, and the signal is transmitted in an n × m value state. Cryptographic communication system.

Images