JP2000286841A - Key delivery means using quantum encryption - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enhance the transmission efficiency and to enhance the detection sensitivity against tapping. SOLUTION: A sender 101 of this key delivery method selects a bit value and a polarization rotation angle θ at random from an optical pulse 103 emitted from a single photon light source 108. The sender 101 uses a modulator 109 and a polarization rotator A1 to sequentially process the optical pulse 103. When the optical pulse 103 reaches a recipient site 104B via a transmission line section 104C, the sender 101 informs a recipient 102 of the value of the polarization rotation angle θ through a classical public channel 105. the recipient 102 rotates a polarization axis of the optical pulse 103 outputted from a delay C by (-θ) by using the polarization rotator A2, uses a light receiving unit B2 consisting of a O-degree system measurement device to measure the polarization axis to generate a receiver side random number table 107. The sender 101 extracts a test bit from a sender side random number table 106, the recipient 102 extracts the test bit from the receiver side random number table 107 and they collate the test bit by communication them with each other through the classical public channel 105.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a key distribution method using quantum cryptography, which distributes keys for cryptography while monitoring the presence or absence of eavesdropping based on the uncertainty principle of quantum mechanics.

[0002]

2. Description of the Related Art Quantum cryptography exchanges a random number table, which is a key to encryption, while monitoring the presence or absence of eavesdropping based on the uncertainty principle of quantum mechanics. This is a procedure for distributing keys between remote locations while confirming that eavesdropping has not been performed, by using traces left on quantum level signals. As a key distribution method using quantum cryptography, each protocol of four-state encryption, two-particle interference encryption, non-orthogonal two-state encryption, and time difference interference encryption has been proposed to date.

Hereinafter, a four-state encryption according to an example of the prior art will be described with reference to FIGS. 3 and 4. FIG. FIG. 3 is a configuration diagram of a communication system 10 that realizes a key distribution method using four-state encryption according to an example of the related art. Four-state cryptography is a quantum cryptography protocol originally devised, commonly called BB.
84 protocol. Regarding four-state encryption, for example, reference: [1] CH Bennett and G. Brassard, in
Proceedings of IEEE International Conference on Com
puters, Systems and Signal Processing, Bangalore,
India (IEEE, New York, 1984), p.175, [2] A.
Eckart / Nobuyuki Imoto "Invitation to Quantum Cryptography" Parity,
vol.7, No.2, p.26 (1992), [3] Collins /
Parity, vo, translated by Nobuyuki Imoto, "Quantum cryptography is the strongest cryptography ever"
l.8, No. 5, p.31 (1993). Communication system 10 for implementing key distribution method using four-state encryption
Is, as shown in FIG. 3, a sender 11, a receiver 12,
An optical pulse (carrier pulse) 13 containing only one quantum of, for example, a photon as a carrier carrying one bit of information; a quantum channel 14 of, for example, an optical fiber transmitting a time series of the optical pulse 13; A classical public channel 15, such as a wireless or telephone line, for checking transmission and reception states between the receiver 11 and the receiver 12, a sender random number table 16, a receiver random number table 17, a light source 18,
It comprises a modulator 19 and a light receiver B2. The quantum channel 14 includes a sender site 14A, a receiver site 14B, and a transmission path unit 14C.
4B cannot be physically accessed. Also,
It is assumed that an eavesdropper can eavesdrop on the information on the classic public channel 15 but cannot falsify it.

In the BB84 protocol, one-bit information of "0" or "1" is placed on the polarization state of a photon, and a binary sequence is represented by a time series of light pulses 13 having different polarization states. In coding 1-bit information into the optical pulse 13, the inclination from the horizontal axis is 0 ° (horizontal) and 90 °.
Two types of basis vectors: 0 ° -90 ° linearly polarized light having a polarization axis in the (vertical) direction, and 45 ° -135 ° linearly polarized light having a polarization axis of 45 ° and 135 ° from the horizontal axis. Is used. Here, the sender 11 and the receiver 1
2 defines a coding method to be used for communication in advance, and when using a 0 ° -90 ° linearly polarized light basis, “0”
° ”to“ 0 ”,“ 90 ° ”to“ 1 ”,
When using a 45 ° -135 ° linearly polarized light base, “45 °
° is “0” and “135 °” is “1”. Note that a combination of linearly polarized light and circularly polarized light (clockwise, counterclockwise) may be used as a set of these two types of basis vectors. Thus, the four quantum states of one photon (0 °, 45 °
°, 90 °, and 135 ° polarization axes). Here, a measuring device capable of discriminating a photon having a 0 ° -90 ° linear polarization state without errors is a 0 ° measuring device, and a measuring device capable of discriminating a photon having a 45 ° -135 ° linear polarization state without errors is a 45 ° system. It is called a measuring instrument. These measuring devices include, for example, a polarizer and a photon detector, and further include an electro-optic polarization rotator such as a Pockels cell to provide a 0 ° measuring device and a 45 ° measuring device.
It can be used by switching to a system measuring instrument. However, if the light pulse 13 contains only one photon at most, the uncertainty principle indicates that 0 °
The −90 ° linear polarization state and the 45 ° -135 ° linear polarization state cannot be determined simultaneously.

Next, the operation of the key distribution method using four-state encryption in the communication system 10, that is, the communication protocol between the sender 11 and the receiver 12 will be described with reference to FIG. Step 1: The sender 11 determines four polarization states (0 °, 45 °, 90 °, 135
°), one polarization is randomly selected n times with equal probability, and the modulator 19 sequentially modulates the time-series polarization of the optical pulse 13. Step 2: Each light pulse 13 in the time series of the light pulse 13
Contains only one photon, and the receiver 12 randomly determines n times whether to use a 0 ° measuring instrument or a 45 ° measuring instrument as the light receiver B and sequentially measures each optical pulse 13 I do. The receiver 12 creates a receiving-side random number table 17 from the bits obtained by the measurement. Here, the recipient 12
A correct measuring instrument (0 ° measuring instrument or 45 ° measuring instrument) that can reliably identify the polarization state selected by the sender 11
Is selected, the mutual information amount between the sender 11 and the receiver 12 becomes 1 (a perfect correlation is formed), and the receiver 12
Can share the same bit value with the sender 11. On the other hand, when the transmitter 11 selects the photodetector B2 which cannot identify the selected polarization state, the probability of obtaining the bits “0” and “1” for each of these bits is １ ／, and
Mutual information amount between 1 and receiver 12 is 0 (completely uncorrelated)
Becomes Step 3: After the measurement of the optical pulse 13 is completed (either after measuring all the time series of the optical pulse 13 or after measuring each bit), the receiver 12 sets the 0 ° measuring instrument and the 45 ° measuring instrument. Is notified to the sender 11 via the classical public channel 15. At this time, the result of measurement by the selected measuring instrument, that is, the obtained bit “0” or “1” is not notified. The sender 11 informs the recipient 12 via the classical public channel 15 whether or not the selection of the recipient 12 was correct.

Step 4: The sender 11 and the receiver 12
If the receiver 11 has selected the correct instrument, only about half of the relevant bits are taken and the other half is discarded. If there is no eavesdropping, the transmission side random number table 16 and the reception side random number table 17 are the same. Step 5: The sender 11 extracts test bits from the random number table 16 on the transmitting side and the receiver 12 extracts test bits from the random number table 17 on the receiving side at an appropriate ratio, and notifies each other via the classical public channel 15 to perform verification. I do. Step 6: If an appropriate and sufficient number of test bits match between the sender 11 and the receiver 12 in Step 5, it is concluded that the eavesdropping has not been performed with a probability close to 1, and the bits used for matching are excluded. The random number tables 16 and 17 correspond to the sender 11
And the same value that only the receiver 12 knows is guaranteed, and these random number tables 16 and 17 are used as a common key. Step 7: If a mismatch bit is found during the verification in step 5, it is considered that someone has eavesdropped, and all data including the random number tables 16 and 17 are discarded, and the sender 11 and the receiver 12 , The quantum channel 14 is changed, and the procedure from step 1 is repeated.

According to the documents [1], [2] and [3],
Eavesdropping on the key distribution method using the above four-state encryption is described as follows. The eavesdropper is transmission path unit 1
4C is accessed to measure the polarization of the light pulse 13.
The probability that an eavesdropper will accidentally select the correct instrument is one-half, and eavesdroppers can use, for example, quantum nondestructive measurement (cloning).
Or a photon of exactly the same polarization state can be reproduced after the destructive measurement, and the bit value of the light pulse 13 can be reliably known without the sender 11 and the receiver 12 being aware of eavesdropping. On the other hand, the probability that an eavesdropper selects the wrong measuring device is also 1/2, and this eavesdropping disturbs the polarization state of photons.
If the receiver 12 measures the photon in the disturbed polarization state with the correct measuring device, the probability of obtaining the same bit value as that of the sender 11 is １ ／. Therefore, the probability that wiretapping will not be detected is (1-1 / 2 × 1/2) = 3/4 for one bit data. The probability that eavesdropping will not be detected when s bits are collated is (3/4) ^s , and is close to 1 if the appropriate and sufficient number of s test bits match between the sender 11 and the receiver 12. It is concluded that there is no probability of eavesdropping. According to the above procedure, it is possible to generate the common key while monitoring that the eavesdropping is not performed by information exchange in the classic public channel 15. If eavesdropping is detected during the verification of the test bits, all communications during the eavesdropping detection period are invalidated, and for example, the quantum channel 14 is checked or a new quantum channel 14 is constructed.

In the above-described key distribution method using four-state encryption, since the receiver 12 makes a mistake in selecting a measuring instrument with a probability of 1/2, all bits obtained here are rejected and the sender 1
There is a problem that half of the optical pulses 13 transmitted by 1 are wasted. As a method to prevent this, FIG.
As shown in the block diagram of the communication system 20 that realizes the key distribution method using the delayed four-state encryption shown in FIG.
, There is known a method of providing a signal delay C before a light receiver B. Next, the operation of the key distribution method using the delayed four-state encryption will be described with reference to FIG. Note that the delay C has a predetermined length, and it is assumed that the receiver 12 can execute Step 3 of the communication protocol described below.

Step 1: The sender 11 determines four polarization states (0 °, 45 °, 90
°, 135 °), one polarization at random with equal probability
And sequentially modulates the time-series polarization of the light pulse 13 using the modulator 19. Step 2: When the optical pulse 13 reaches the receiver site 14B via the transmission line section 14C, the sender 11 determines whether the transmitted optical pulse 13 is a correct measuring instrument, that is, a 0 ° measuring instrument or a 45 ° measuring instrument. Is notified to the recipient 12 through the classical public channel 15. Step 3: The receiver 12 measures the optical pulse 13 coming out of the delay C using the optical receiver B2 composed of the correct measuring instrument notified by the classical public channel 15, and according to the measurement result, the receiving side random number table 17 Create Step 4: The sender 11 extracts test bits from the sender random number table 16 and the receiver 12 extracts test bits from the receiver random number table 17 at an appropriate ratio, and notifies each other via the classical public channel 15 for verification. I do. Step 5: Since there is no change in the eavesdropping method of the eavesdropper, the probability that eavesdropping will not be detected when s bits are collated is (3
/ 4) s. If in step 4 an appropriate sufficient number of test bits match between sender 11 and receiver 12,
It is concluded that there is no eavesdropping with a probability close to 1, and it is guaranteed that each of the random number tables 16, 17 excluding the bits used for matching has the same value known only to the sender 11 and the receiver 12. These random number tables 16 and 17 are used as a common key. Step 6: If a mismatch bit is found during the verification in step 4, it is considered that someone has eavesdropped, and all data including the random number tables 16 and 17 are discarded, and the sender 11 and the receiver 12 Then, measures such as changing the communication channel, that is, the quantum channel 14, are taken, and the procedure after step 1 is repeated.

Next, the two-particle interference encryption will be described with reference to FIGS. FIG. 5 is a configuration diagram of a communication system 30 that realizes a key distribution method using two-particle interference encryption according to an example of the related art. Note that the same reference numerals are assigned to the same parts as those of the above-described conventional technology, and the description is omitted or simplified. Two-particle interference encryption is based on EPR (Einstein-Podolsky-Rose).
n) A quantum cryptography that uses a long-range correlation based on the non-separability of the quantum mechanical state of a complex system called a correlation.
It is called the 91 protocol. Two-particle interference encryption is described, for example, in the literature: [4] AK Ekert, Phys. Rev. Lett. 67, 661.
(1991), [5] AK Ekert et al., Phys. Rev. Let
t. 69, 1293 (1992), [6] CH Bennet
et al., Phys. Rev. Lett. 68, 557 (1992)
It has been proven to be equivalent to state encryption. less than,
Reference: The E91 protocol described in [6] will be described on the assumption that a photon pair is used as a particle pair and a quantum correlation is formed in the polarization attribute. As shown in FIG. 5, a communication system 30 that implements a key distribution method using two-particle interference encryption includes a sender 11, a receiver 12, and a pair of optical pulses 13 as shown in FIG.
a, 13b, a quantum channel 14 for transmitting a time series of optical pulses 13b, a classical public channel 15, a transmitting random number table 16, a receiving random number table 17, a light source 20, light receivers B1, B2, It is composed of The particle source 20 is an EP
It generates a particle pair having a quantum correlation called an R particle pair, for example, a frequency down-conversion due to an optical parametric effect, or a photon pair accompanying a cascade transition of atoms.
Here, a quantum correlation is formed in a polarization attribute, a phase, a light emission direction, and the like. The light receivers B1 and B2 are composed of, for example, a polarimeter constituted by a 0 ° measuring instrument and a 45 ° measuring instrument, and a switching device for these measuring instruments.

When there is no eavesdropping, the sender 11 and the receiver 1
For each of the optical pulses 13a and 13b that have reached 2, the same measuring instrument (0 ° measuring instrument or 45 ° measuring instrument)
, The mutual information amount between the sender 11 and the receiver 12 becomes 1 by EPR correlation (complete correlation or anti-correlation is formed), and the receiver 12 has the same bit value as the sender 11. Can be shared. On the other hand, sender 11 and receiver 1
If the two choose different measuring instruments, the probability that the sender 11 and the receiver 12 share the same bit value is 、,
The mutual information amount between the sender 11 and the receiver 12 is 0 (completely uncorrelated). Next, the operation of the key distribution method using two-particle interference encryption will be described with reference to FIG. Step 1: Prepare n photon pairs whose polarization axes are not determined, and sequentially send one of the photon pairs to the sender 11 and the other to the receiver 12. Step 2: The sender 11 and the receiver 12 communicate with each other using the photodetectors B1,
As B2, a 0 ° measuring instrument and a 45 ° measuring instrument are independently selected at random each time to sequentially measure the polarization axis directions of the optical pulses 13a and 13b. Step 3: The sender 11 and the receiver 12 exchange information on the type of the selected measuring instrument through the classical public channel 15, leaving the bit measured using the same measuring instrument and discarding the other bits. By doing so, a transmission-side random number table 16 and a reception-side random number table 17 are created.

Step 4: Sender 11 sends sender random number table 1
6, the receiver 12 extracts test bits from the random number table 17 on the receiving side at an appropriate ratio, and notifies each other via the classical public channel 15 to perform verification. Step 5: If an appropriate and sufficient number of test bits match between the sender 11 and the receiver 12 in Step 4, it is concluded that the eavesdropping has not been performed with a probability close to 1, and the bits used for collation are excluded. The random number tables 16 and 17 correspond to the sender 11
And the same value that only the receiver 12 knows is guaranteed, and these random number tables 16 and 17 are used as a common key. Step 6: If a mismatch bit is found during the verification in step 4, it is considered that someone has eavesdropped, and all data including the random number tables 16 and 17 are discarded, and the sender 11 and the receiver 12 Then, measures such as changing the communication channel, that is, the quantum channel 14, are taken, and the procedure after step 1 is repeated.

According to the document [6], eavesdropping on the key distribution method using the two-particle interference cryptography is as follows. The eavesdropper accesses the transmission path section 14C and measures the polarization of the light pulse 13b. The probability that an eavesdropper will accidentally select the same type of instrument as the sender 11 and receiver 12 is は, and the eavesdropper may perform, for example, a quantum nondestructive measurement (cloning), or Photons of the same polarization state can be reproduced, and the sender 11
And the light pulse 13 without fail of the receiver 12
The bit value of b can be known. On the other hand, the probability that the eavesdropper selects a different type of measuring device than the sender 11 and the receiver 12 is １ ／, and this eavesdropping disturbs the polarization state of the photon.
When the receiver 12 measures a photon in a disturbed polarization state,
The probability that there is no inconsistency in the measurement results between the sender 11 and the receiver 12 is ２. Therefore, the probability that wiretapping will not be detected is (1-1 / 2 × 1/2) = 3 per 1-bit data.
/ 4. The probability that eavesdropping will not be detected when s bits are collated is (3/4) ^s , and is close to 1 if the appropriate and sufficient number of s test bits match between the sender 11 and the receiver 12. It is concluded that there is no probability of eavesdropping. According to the above procedure, it is possible to generate the common key while monitoring that the eavesdropping is not performed by information exchange in the classic public channel 15.

In the above-described key distribution method using two-particle interference cryptography, since the selection of each measuring device between the sender 11 and the receiver 12 is different with a probability of 1/2, the bits obtained here are all There is a problem that half of the optical pulses 13b that are rejected and transmitted from the sender site 14A are wasted. As a method for preventing this, as shown in the block diagram of the communication system 40 for realizing the key distribution method using the delayed two-particle interference encryption shown in FIG. 6, the signal delay C at the receiver site 14B before the light receiver B2. Is known. Next, the operation of the key distribution method using the delayed two-particle interference encryption will be described with reference to FIG.
Note that the delay C has a predetermined length, and it is assumed that the receiver 12 can execute Step 3 of the communication protocol described below.

Step 1: N photon pairs whose polarization axes are not determined are prepared, and one of the photon pairs is sequentially transmitted to the transmitter 11 and the other is transmitted to the receiver 12. Step 2: The sender 11 randomly selects any one of the 0 ° system measuring device and the 45 ° system measuring device as the light receiver B1 and measures the polarization axis direction of the optical pulse 13a every time.
When the optical pulse 3b sent to the receiver arrives at the receiver site 14B via the transmission path section 14C, the type of measuring instrument selected by the transmitter 11 is notified to the receiver 12 via the classical public channel 15. Step 3: The receiver 12 uses the receiver B2 consisting of a measuring device notified on the classical public channel 15 to delay C
The optical pulse 13b coming out of is measured, and the receiving-side random number table 17 is created according to the measurement result. Step 4: The sender 11 extracts test bits from the sender random number table 16 and the receiver 12 extracts test bits from the receiver random number table 17 at an appropriate ratio, and notifies each other via the classical public channel 15 for verification. I do. Step 5: If an appropriate and sufficient number of test bits match between the sender 11 and the receiver 12 in Step 4, it is concluded that the eavesdropping has not been performed with a probability close to 1, and the bits used for collation are excluded. The random number tables 16 and 17 correspond to the sender 11
And the same value that only the receiver 12 knows is guaranteed, and these random number tables 16 and 17 are used as a common key. Step 6: If a mismatch bit is found during the verification in step 4, it is considered that someone has eavesdropped, and all data including the random number tables 16 and 17 are discarded, and the sender 11 and the receiver 12 Then, measures such as changing the communication channel, that is, the quantum channel 14, are taken, and the procedure after step 1 is repeated.

Next, the non-orthogonal two-state encryption will be described with reference to FIG. FIG. 7 is a configuration diagram of a communication system 50 that realizes a key distribution method using non-orthogonal two-state encryption according to an example of the related art. Note that the same reference numerals are assigned to the same parts as those of the above-described conventional technology, and the description is omitted or simplified.
The non-orthogonal two-state encryption communicates two non-orthogonal quantum states in correspondence with bits “0” and “1”, and is generally called a B92 protocol. Non-orthogonal two-state encryption is described in, for example, reference: [7] CH Benett, Phys. Rev.
Lett. 68, 3121 (1992), [8] B. Huttner, N. Imot
o, N. Gisin, and T. Mor, Phys. Rev. A51, 1863 (199
5), [9] AK Ekert, B. Huttner, GM Palma, an
d A. Peres, "Eavesdropping on quantum-cryptography
Cal systems ", Phys. Rev. A50, 1047 (1994). The transmitter 11 transmits a coherent light pulse 51 having an average number of photons of at most one to a light pulse 51a by a 50% beam splitter 52. And the optical pulse 51b, and the bit value of the phase of the optical pulse
When the bit value is “1”, the modulation is performed at 0 °, and when the bit value is “1”, the modulation is performed at 180 ° and sent to the optical fibers 53 and 54 of the transmission line section 14C of the quantum channel 14. And the light pulse 51a and the light pulse 51b
Cause interference.

The beam splitter 52 to the beam splitter 55 constitute one Mach-Zehnder (MZ) interferometer. The receiver 21 outputs the light pulses 51 a and 51 b having the bit value “0” from the beam splitter 55 to the light receiver 5.
In FIG. 8, the phase shift θ between the optical fiber 53 and the optical fiber 54 is controlled by the phase shift 19 so that the optical pulses 51 a and 51 b having the bit value “1” are emitted to the light receiver 59. The coherent light pulse 51 is light in a coherent state in which the average number of photons is smaller than 1 (for example, 0.1). This is to make the probability that the number of photons included in the light pulses 51a and 51b becomes 2 or more as close to 0 as possible. Non-orthogonality (overlap) with a vacuum state (state with an average number of photons of 0) is increased. In addition to the large non-orthogonality with the vacuum state, that is, the large contribution of the vacuum state, the light receivers 58 and 5
9 does not count the vacuum state, the light pulses 51a, 51
In most cases, the photons are not counted in either of the light receivers 58 and 59 upon arrival of b, and the bit value cannot be determined for the receiver 12. Is "1", and when the photons are counted by the light receiver 58, the bit value can be definitely determined to be "0".

Next, the operation of the key distribution method using non-orthogonal two-state encryption, that is, the communication protocol between the sender 11 and the receiver 12, will be described with reference to FIG. Step 1: The sender 11 randomly selects one phase n times from two phases, that is, 0 ° and 180 °, with equal probability, and sequentially modulates the time-series phase of the optical pulse 51a using the phase modulator D. Thereby sending a random bit time series. Step 2: The receiver 12 performs photon counting measurement with the light receivers 58 and 59. When the light receiver 58 or the light receiver 59 counts photons, the receiver 12 can know the bit value transmitted by the transmitter 11. The receiver 12 notifies the sender 11 via the classical public channel 15 whether or not the counting is performed by the light receiver 58 or the light receiver 59. At this time, it is not notified which of the light receiver 58 and the light receiver 59 has counted the photons. Step 3: The sender 11 determines that the bit announced by the receiver 12 as not being counted is not transmitted to the receiver 12, discards this bit, and leaves only the bit counted by the receiver 12. . If there is no eavesdropping, the sender random number table 16 and the receiver random number table 17 created from the remaining bits
Are the same. Step 4: The sender 11 extracts test bits from the transmission-side random number table 16 and the receiver 12 extracts test bits from the reception-side random number table 17 at an appropriate ratio, and notifies each other via a classical public channel (not shown). Perform collation by Step 5: If an appropriate and sufficient number of test bits match between the sender 11 and the receiver 12 in Step 4, it is concluded that the eavesdropping has not been performed with a probability close to 1, and the bits used for collation are excluded. The random number tables 16 and 17 correspond to the sender 11
And the same value that only the receiver 12 knows is guaranteed, and these random number tables 16 and 17 are used as a common key. Step 6: If a mismatch bit is found during the verification in step 4, it is considered that someone has eavesdropped, and all data including the random number tables 16 and 17 are discarded, and the sender 11 and the receiver 12 Then, measures such as changing the communication channel, that is, the quantum channel 14, are taken, and the procedure after step 1 is repeated.

According to literatures [7], [8], [9],
Eavesdropping on the key distribution method using the non-orthogonal two-state encryption is described as follows. The eavesdropper accesses the optical fibers 53 and 54 of the transmission path section 14C and measures the phase difference between the light pulse 51a and the light pulse 51b. Therefore, the eavesdropper performs photon counting by causing the light pulse 51a and the light pulse 51b to interfere with each other, similarly to the beam splitter 55 of the receiver 12. The optical pulses 51a and 51b that have been successfully counted can be retransmitted by reproducing the same interference state as sent by the sender 11 and by making the same device as the sender. On the other hand, as for the light pulses 51a and 51b whose photons have not been counted, there is no choice but to reject the false pulse and retransmit a false pulse having a random phase difference. In the former case, the transmission efficiency is reduced from the original value, and in the latter case, inconsistency is caused in the test bit collation, so that eavesdropping is detected by the sender 11 and the receiver 12.

Next, the time difference interference encryption will be described with reference to FIG. FIG. 8 shows a communication system 6 for implementing a key distribution method using time difference interference encryption according to an example of the prior art.
FIG. Note that the same reference numerals are assigned to the same parts as those of the above-described conventional technology, and the description is omitted or simplified. For the time difference interference encryption, see, for example, [10] L. Golde
nberg and L. Vaidman, "Quantum Cryptography Based
on Orthogonal States ", Phys. Rev. Lett. 75, 1239
(1995). The sender 11 refers to the random number table 16 on the transmission side to input the optical pulse 13 to the port A when the bit is “0” and to the port B when the bit is “1”.
The optical pulse 13 contains only one photon and is split into two by a 50% beam splitter 52, one optical pulse 61 is on the optical fiber 53 of the transmission line section 14C, and the other optical pulse 62 is on the transmitter site 14A. Transmission line section 14C after delay 63
Are transmitted to the respective optical fibers 53. The delay 63 is longer than the optical fiber 53, and the optical pulse 62 enters the optical fiber 54 after the optical pulse 61 arrives at the receiver site 14B. At the receiver side site 14B, a delay 64 having the same length as the delay 63 is provided for the optical pulse 61. Thereby, in the 50% beam splitter 55,
The optical pulse 61 and the optical pulse 62 interfere with each other, and the optical pulse 13 that has entered the port A exits to the port A ′, and the optical pulse 13 that has entered the port B exits to the port B ′. The receiver 12 detects whether the output of the optical pulse 13 is the port A 'or the port B' by the respective light receivers 58 and 59.

Next, the operation of the key distribution method using the time difference interference encryption, that is, the communication protocol between the sender 11 and the receiver 12 will be described with reference to FIG. Step 1: The sender 11 follows the sender random number table 16
The time series of the optical pulse 13 is incident on either port A or port B. At this time, instead of the light pulse 13 being incident at an appropriate constant period, the incident time is selected at random and the incident time is recorded. Step 2: The receiver 12 counts photons with the light receivers 58 and 59, creates the receiving-side random number table 17 based on the measurement results, and records the time when each photon was counted. Step 3: The sender 11 sets the incident time of the light pulse 13,
Recipients 12 collate by notifying each other of the photon counting times via a classical public channel (not shown). Step 4: If there is no problem in the test of step 3, it is guaranteed that each of the random number tables 16, 17 constituted by the photon counted bits has the same value known only to the sender 11 and the receiver 12. Are used as common keys.

In the above-described key distribution method using time-difference interference encryption, a bit value is coded and transmitted using two orthogonal quantum states. Since the two orthogonal states are completely identifiable, the receiver 12 can determine all transmitted bit strings, and can construct a receiving-side random number table 17, that is, a common key, from all the optical pulses 13. However,
The security of the common key is not guaranteed by checking the test bits extracted from each of the transmission-side random number table 16 and the receiving-side random number table 17. This is because, since the bit information is coded in two orthogonal states, the eavesdropper has room for eavesdropping without leaving any trace. If the beam splitters 52, 55 have a reflectivity of 50%, that is, a transmittance of 50%, the light pulse 61 merely serves as a reference to the light pulse 62 and alone does not provide any bit value information. Not included. In this case, even if the eavesdropper does not know the bit value selected by the sender 11 when the optical pulse 61 arrives, the eavesdropper generates and receives a fake of the optical pulse 61 by the same type of device as the device used by the sender 11. To the transmitter 12 and the real optical pulse 61 is transmitted to the transmission path 1
The data is stored in the delay path provided at 4C. The eavesdropper is a light pulse 6
2 is received and made to interfere with the optical pulse 61, the bit value is known, and then a fake optical pulse 62 that has been subjected to an appropriate phase shift based on the information is transmitted to the receiver 12. Send bit value to sender 11
And the bit value sent by the sender 11 can be known without knowing eavesdropping.

In order to prevent such eavesdropping, the transmission time of the optical pulse 13 is randomized and the arrival time at the receiver 12 is stored. The randomization of the transmission time of the light pulse 13 is performed by appropriately changing a state indicating bits “0” and “1” and a light pulse in a non-orthogonal vacuum state in which no information is carried in order to detect the presence or absence of eavesdropping. Corresponding to the transmission at a ratio (for example, a bit "
A protocol for mixing and sending non-orthogonal states without information such as "0" and "1" is called a rejected data protocol.) In this case, the sender 11 and the receiver 12 use synchronized clocks. Must be prepared.
In addition, light pulses in a vacuum state used for checking do not carry information, so they have to be discarded. That is, randomizing the time interval of pulse transmission necessarily causes a reduction in transmission efficiency as compared with a case where the optical pulse 13 is periodically transmitted at the minimum technically possible time interval. .
A time-difference interference cipher using an asymmetric Mach-Zehnder interferometer that does not require a test for lowering the transmission efficiency as described above is disclosed in, for example, Reference: [11] Japanese Patent Laid-Open No. Hei 10-32232.
9 "How to configure quantum cryptography", [12] M. Koashi and N.
Imoto, "Quantum Cryptography Based on Split Trans
mission of One-Bit Information in Two Steps ", Phy
s. Rev. Lett. 79, 2383 (1997).

Next, a key distribution method using time-difference interference encryption using an asymmetric Mach-Zehnder (MZ) interferometer will be described with reference to FIG. FIG. 9 is a configuration diagram of a communication system 60 that realizes a key distribution method using time-difference interference encryption using an asymmetric Mach-Zehnder interferometer according to an example of the related art. Note that the same reference numerals are assigned to the same parts as those of the above-described conventional technology, and the description is omitted or simplified. The sender 11 refers to the transmission-side random number table 16 and sets the bit “0”
In the case of (1), the optical pulse 13 is incident on the port A, and when the bit is "1", the optical pulse 13 is incident on the port B. The light pulse 13 is only one photon
And the beam splitter 71 splits it into two hands. Since the reflectivity and the transmissivity of the beam splitter 71 are not equal, the branching ratio between the light pulse 72 and the light pulse 73 is 1:
Not set to 1. One of the optical pulses 72 after the splitting is transmitted to the optical fiber 53 of the transmission path section 14C, and the other optical pulse 73 is transmitted to the transmission path section 14C via the delay 63 in the sender site 14A.
Are transmitted to the respective optical fibers 53. The optical path length of the delay 63 is longer than the difference between the linear distance between both ends of the transmission path section 14C and the optical path length of the transmission path section 14C. Thereafter, the light pulse 72 cannot be accessed. That is, the order in which the eavesdropper accesses the light pulses 72 and 73 is always the light pulse 72 first. Recipient site 14B
For the optical pulse 72, a delay 6 having the same length as the delay 63
4 is provided. Further, a phase shift 74 of 180 ° is provided on one arm of the asymmetric Mach-Zehnder interferometer, and the difference between the optical path lengths of both arms is set to a half wavelength. As a result, in the beam splitter 74 having the same reflectance and transmittance as the beam splitter 71, the light pulse 72 and the light pulse 73 interfere with each other, and the light pulse 13 incident on the port A changes to the port A '.
Then, the optical pulse 13 incident on the port B exits to the port B '. The receiver 12 outputs the light pulse 13 to the port A '.
Or B 'is detected by each of the light receivers 58 and 59.

Next, the operation of the key distribution method using time difference interference encryption using an asymmetric Mach-Zehnder (MZ) interferometer, that is, the communication protocol between the sender 11 and the receiver 12 will be described with reference to FIG. I will explain it. Step 1: The sender 11 follows the sender random number table 16
The time series of the optical pulse 13 is incident on either port A or port B. Step 2: The receiver 12 counts photons with the light receivers 58 and 59, and creates a receiving-side random number table 17 based on the measurement results. If there is no eavesdropping, the receiving random number table 17 is the same as the transmitting random number table 16. Step 3: The sender 11 extracts test bits from the transmission-side random number table 16 and the receiver 12 extracts test bits from the reception-side random number table 17 at an appropriate ratio, and notifies each other via a classical public channel (not shown). Perform collation by Step 4: If an appropriate and sufficient number of test bits match between the sender 11 and the receiver 12 in Step 3, it is concluded that the eavesdropping has not been performed with a probability close to 1, and the bits used for collation are excluded. The random number tables 16 and 17 correspond to the sender 11
And the same value that only the receiver 12 knows is guaranteed, and these random number tables 16 and 17 are used as a common key.

In this case, the security against eavesdropping is that the information of the bit value is divided into two light pulses 72 and 73 and carried. That is, the light pulse 7 sent out earlier
2, only the receiver 12 can obtain the information of the bit value to a certain extent incompletely.
Is a state in which, after transmitting the optical pulse 72, the bit value can be changed at a certain success rate which is not certain by accessing only the optical pulse 73. When such two light pulses 72, 73 are sent out one by one with a time difference, and the eavesdropper can access each light pulse 72, 73 only sequentially, the partial bit information contained in each pulse is copied. The inability to do so, in other words, the inability to extract bit information without leaving a trace, is guaranteed by causality and quantum mechanics (Ref. [13] T. Mor, "No clon
ing of orthogonal states in composite systems, "Ph
ys. Rev. Lett. 80, 3137-3140 (1998), [14] Y. Ah
aronov and DZ Albert, "Can we make sense out of
the measurement processin relativistic quantum me
chanics ?, "Phys. Rev. D24, 359 (1981), [15] YA
haronov, DZ Albert and L. Vaidman, "Measurement
process in relativistic quantum theory, "Phys. Re
v. D34, 1805 (1986), [16] S. Popescu and L. Vai
dman, "Causality constraints on non-local quantum
measurements, "Phys. Rev. A49, 4331 (1994)).
Also, if the optical pulses 72 and 73 are replaced with counterfeits without knowing the bit information, an error occurs in the bit value of the receiver 12, so that the presence of an eavesdropper can be detected in step 3.

The above-mentioned asymmetric Mach-Zehnder (MZ)
In the key distribution method using time-difference interference encryption using an interferometer, two quantum states are communicated in correspondence with bits “0” and “1”, so that there is no need to switch the measurement system of the receiver 12, and Since two orthogonal quantum states are used, the receiver 12 can determine all transmitted bits in principle, and does not require any test other than the verification of bit values. However, even in this case, it is necessary to discard test bits necessary for detecting wiretapping. Reference: [12]
According to the report, in order to maximize the security against eavesdropping, the transmittance of the beam splitters 71 and 75 is set to cos.
² (π / 8) (reflectance is sin ² (π / 8)) or transmittance is sin ² (π / 8) (reflectance is cos ² (π /
8)). At this time,
The probability that an eavesdropper obtains a bit value without detecting eavesdropping is cos ² (π / 8) to 0.85 per bit data.
The probability that wiretapping will not be detected when s bits are collated is (0.85) ^s .

Next, the principle of the above-described key distribution method using quantum cryptography according to the prior art will be described with reference to the accompanying drawings. FIG. 10 is a communication line diagram between a sender and a receiver (including an eavesdropper) in a four-state encryption, a two-particle interference encryption, and a time difference interference encryption using an asymmetric Mach-Zehnder (MZ) interferometer. 11 is a communication line diagram in non-orthogonal two-state encryption, and FIG. 12 is a communication line diagram in time difference interference encryption using a symmetric Mach-Zehnder (MZ) interferometer. Here, p (i | j) (= p (j |
i)) indicates that when the sender 11 sends the bit “j ({0, 1})”, the receiver sets the bit “i ({0, 1})”.
Is a conditional probability (also called a transition probability). p (i | j) (i = j) is the probability that the receiver correctly determines the bit, and p (i | j) (i ≠ j) is the probability that the receiver incorrectly determines the bit. The value of p (i | j) in each communication route map is represented by four-state encryption, two-particle interference encryption,
Table 1 summarizes the non-orthogonal two-state encryption and the time difference interference encryption. In Table 1, the value in parentheses is a value measured with a 22.5 ° measuring instrument described later.
For example, in the four-state encryption (without delay) in Table 1, p
(0 | 0) = p (1 | 1) = 3/4 is a value when the receiver performs measurement using a 0 ° measuring instrument or a 45 ° measuring instrument, and p (0 | 0) = P (1 | 1) = cos ² (π
/ 8) is a value when the receiver performs measurement using a 22.5 ° system measuring instrument.

[0029]

[Table 1]

Assuming that the receiver performs a standard measurement using a 0 ° measuring instrument or a 45 ° measuring instrument, the communication route diagram of the four-state encryption and the two-particle interference encryption is as shown in FIG. Binary Symmetric Channel (BS)
C). In the case of four-state encryption and two-particle interference encryption without delay, the value of p (i | j) is the same for a legitimate recipient and an eavesdropper. In the case of delayed four-state and delayed two-particle interferometric encryption, the value of p (i | j) is the normal p The receiver differs from an eavesdropper who cannot eavesdrop on information about the measuring device before the bit value is measured.
The legitimate receiver can always receive the orthogonal quantum states of the two sets of carriers with the correct measuring device, so that the bit value transmitted by the sender can be reliably identified. Therefore, p (i | j) =
0 (i ≠ j), and no measurement error occurs. Therefore, a communication path connecting the bit value “0” on the sender side and the bit value “1” on the receiver side, and the bit value “1” on the sender side. Also, there is no communication path connecting the bit value “0” on the receiver side. The transition probability for an eavesdropper is the same as that of the 4-state encryption and the two-particle interference encryption without delay.

The communication path diagram of the non-orthogonal two-state encryption is based on the assumption that the receiver performs standard measurement using a measuring device that can identify the non-orthogonal two state and the nearest orthogonal two state.
As shown in (a), it becomes a binary symmetric channel (BSC). Here, the non-orthogonal two states and the nearest orthogonal two states are:
As shown in FIG. 13, two orthogonal states | e ₁ > and | e ₀ > having the same angle (α) with each of the two non-orthogonal states consisting of | 1> and | 0>. Meanwhile, literature:
As shown in [7] and [9], assuming that a generalized measurement that allows an unidentifiable measurement result is performed, a communication path diagram of the non-orthogonal two-state encryption is as shown in FIG. The Binary Eraser Channel (BE)
C). Here, in FIG. 11B, the? Is an indistinguishable measurement result.

As shown in FIG. 12, the communication path diagram of the time difference interference encryption using the symmetric Mach-Zehnder (MZ) interferometer is a two-way erasure communication path (reverse BEC) in the opposite direction. Here, in FIG. Means the delivery of a vacuum state. Assuming that the sender sends the bit values “0” and “1” mixed with the vacuum state at the rate of β, p
The value of (i | j) (i {0,1}; j {0,1 ,?}) is the same for a legitimate receiver and an eavesdropper.

As shown in FIG. 10, a communication path diagram of a time difference interference cipher using an asymmetric Mach-Zehnder (MZ) interferometer is a binary symmetric communication path (BSC). in this case,
Transition between a legitimate receiver that can recognize the orthogonal state by interfering the output of each carrier pulse from the two interference paths and an eavesdropper who can only access the carrier pulses in the two interference paths sequentially, that is, cannot simultaneously access The probabilities p (i | j) are different. Since a legitimate recipient can reliably identify the bit value sent by the sender, p (i | j) = 0
(I ≠ j), and no measurement error occurs. Therefore, a communication path connecting the bit value “0” on the sender side and the bit value “1” on the receiver side, and the bit value “1” on the sender side and There is no communication path connecting the bit value “0” on the receiver side. The transition probability for an eavesdropper is given by p
(I | j) = cos ² (π / 8) (i = j) and p (i
| J) = sin ² (π / 8) (i ≠ j).

From the communication route diagrams shown in FIGS. 10 to 12,
The above-described key distribution method using quantum cryptography according to the related art can be said to be a method of physically realizing a communication path satisfying the following two conditions X1 and X2. X1: A legitimate receiver communicates on a channel other than the channel represented by p (0 | 0) = p (1 | 1) by exchanging information of the quantum channel and the classical public channel or measuring interference between the two quantum channels. Roads can be eliminated. As a result,
The bit value sequence on the sender side with respect to the carrier is completely correlated with the bit value sequence on the receiver side. X2: The eavesdropper cannot use the information on the classic public channel or the interference information of the two quantum channels, and p (0 |
0) = P (1 | 1) cannot be deleted. As a result, there remains a bit value sequence for the carrier that is not correlated with the bit value sequence on the sender side and the bit value sequence on the eavesdropper side.

In the case of four-state encryption and two-particle interference encryption without delay, only legitimate recipients exchanging information about the measuring instrument in the classical public channel, for example in the case of two-particle interference encryption, the same measurement as the sender. It is possible to ask the sender to leave only the measured bits by selecting the transmitter and to discard the measured bits by selecting a different measuring device from the sender. In exchange for discarding about half of the bits in the bit value sequence, p (0 |
0) = p (1 | 1) can be deleted. In the case of delayed four-state encryption and delayed two-particle interference encryption, only the legitimate recipient selects the same measuring instrument as the sender in the case of two-particle interference encryption, for example, based on communication with the sender via a classical public channel. Thus, the bit value of the carrier can be reliably measured.

In the case of the non-orthogonal two-state encryption, the legitimate receiver performs a generalized measurement, leaving only the bits that could be measured via the classical public channel and was indistinguishable. The sender can be arbitrarily asked to discard the bits, and s
In exchange for discarding bits in the ratio of in (2α), communication paths other than the communication path represented by p (0 | 0) = p (1 | 1) can be deleted. Here, the eavesdropper has p (0 |) in both the standard measurement and the generalized measurement.
0) = p (1 | 1) It is not possible to delete communication paths other than the communication path represented by p (1 | 1). Symmetric Mach-Zehnder (M
Z) In the case of time-difference interference encryption using an interferometer, only a legitimate receiver can interfere with the output of the carrier pulse from the two interference paths and detect it as an orthogonal state. The transmission timing of a vacuum state mixed at random timing can be known through a classical public channel, and p (0 | 0) = p (1 | 1)
Can be deleted. At the point when the eavesdropper has access to the carrier pulse, no information has been exchanged on the classic public channel yet, and since the eavesdropper has no decision to decide whether or not to send a fake carrier pulse, p (0 | 0) = p
It is impossible to completely erase communication paths other than the communication path represented by (1 | 1). Asymmetric Mach-Zehnder (M
Z) In the case of time-difference interference encryption using an interferometer, only a legitimate receiver can cause the outputs from the two interference paths to interfere and detect the orthogonal state, and p (0 | 0) = p (1 |
Communication paths other than the communication path represented by 1) can be deleted. Even if the eavesdropper sends out a false carrier pulse using the measurement result of one of the interference paths, p (0 |
0) = p (1 | 1) It is impossible to completely delete communication paths other than the communication path represented by p (1 | 1).

Next, the relationship between the transmission efficiency and the security of the above-described key distribution method using quantum cryptography according to the prior art will be described. In order to increase the transmission efficiency of the key distribution method using quantum cryptography, the following two conditions Y1 and Y2 need only be satisfied. Y1: p (0 | 0) = p (1 |) as viewed from a legitimate recipient
1) approach 1 This makes it possible to reduce the number of bits to be discarded in order to select a bit string that is completely correlated between the transmitter and the receiver before bit collation for wiretapping detection. Y2: p (0 | 0) = p (1 | 1) as seen from an eavesdropper is made as small as possible. Thus, wiretapping can be detected by comparing fewer test bits, and the sensitivity of wiretapping detection can be increased.

In order for the eavesdropper to maximize the mutual information with the sender, a standard measurement represented by the projection to the orthogonal ground state is performed. All other measurement methods have less mutual information than the standard measurement. In this case, due to the nature of BSC, the sender needs p (0
| 0) = p (1 | 1) may be approximated to 1/2. Also, in a non-orthogonal two-state encryption, when an eavesdropper performs generalized measurement, p (0 | 0) = p (1) from the property of BEC.
By making | 1) close to 0, the mutual information amount between the sender and the eavesdropper can be close to 0, but in this case, the conditions Y1 and Y2 are not satisfied at the same time.
The probability that eavesdropping is not detected when collating s bits is determined by p (0 | 0) as seen by an eavesdropper in any of the above-described key distribution methods using quantum cryptography according to the related art.
= P (1 | 1) = p _eav and given by (p _eav ) ^s , the condition Y2 is also a condition for lowering the risk factor, that is, increasing the security. Therefore, the conditions Y1 and Y2 are sufficient conditions for improving the transmission efficiency and the security.

[0039]

In the above-described key distribution method using quantum cryptography according to the prior art, as shown in Table 1, conditions Y1 and Y2 are not simultaneously satisfied. Condition Y
1 and the condition Y2 may be satisfied at the same time because the condition Y
1 is a delay four-state encryption, a delay two-particle interference encryption, and a time difference interference encryption using an asymmetric Mach-Zehnder interferometer. Here, for example, 22.5 ° -112.5
When measurement is performed using a 22.5 ° measuring instrument, which is a measuring device that can identify photons having a linear polarization state of ° without error,
The mutual information amount between the sender and the eavesdropper can be maximized, and the eavesdropper can determine the bit value of the sender with the least error. At this time, p (0 | 0) = p
(1 | 1) = cos ² (π / 8), p (1 | 0) = p
(0 | 1) = sin ² (π / 8).

Therefore, the delay four-state encryption, the delay two-particle interference encryption, and the time difference interference encryption using the asymmetric Mach-Zehnder interferometer satisfying the condition Y1 all have communication paths characterized by the same transition probability. , S bits, the probability (risk rate) that wiretapping is not detected converges in proportion to about (0.85) ^s . FIG. 14 is a diagram showing a risk factor corresponding to each of p _eav = 0.85, _{0.75, and} 0.5 with respect to the number s of test bits. Here, if wiretapping is to be detected at a risk of 10 ⁻¹⁰ , the number of test bits s required is about 33 digits when p _eav = 0.5, whereas p _eav = 0.75. At about 80 digits, and at p _eav = 0.85, to about 145 digits. For example, if it is desired to detect the presence or absence of eavesdropping during the operation of generating a 100-digit key, the risk factor of 10 ^-10 cannot be achieved when p _eav = 0.85.

As described above, in a four-state encryption, a two-particle correlation encryption, and a time difference interference encryption using an asymmetric Mach-Zehnder interferometer, the only way to reduce the risk of missing wiretapping is to increase the number s of test bits. However, this leads to a decrease in transmission efficiency. In the non-orthogonal two-state encryption, the risk factor can be reduced by increasing the non-orthogonality of the two states, but the number of carrier pulses that cannot be identified and are discarded increases, resulting in a decrease in transmission efficiency. In the time difference interference encryption using the symmetric Mach-Zehnder interferometer, the risk factor can be reduced by increasing the ratio of the vacuum state mixed with the carrier pulse time series, but the transmission efficiency is reduced. The present invention has been made in view of the above circumstances, and provides a key distribution method using quantum cryptography capable of reducing the risk factor without lowering the transmission efficiency and improving the security against eavesdropping. Aim.

[0042]

In order to solve the above-mentioned problems and to achieve the above object, a key distribution method using quantum cryptography according to the present invention according to the first aspect of the present invention provides a key distribution method using two orthogonal orthogonal keys. Modulating a first signal by associating one bit of data with a quantum mechanical state and distributing a random number table by transmitting the first signal to a recipient over a quantum channel; After the signal reaches the receiver, the receiver is informed of the method of measuring the first signal via a classical channel, and the receiver receives the first received signal.
Is held for a predetermined time, the random number table is created from 1-bit data obtained by the measurement based on the measurement method of the first signal, and the sender is, from the transmitted random number table, the receiver: Each test data is extracted from the received random number table, collated by notifying each other of the test data via a classical channel, and thinning out the test data after confirming that there is no eavesdropping on the quantum channel. In the key distribution method using quantum cryptography using the random number table as a common key, the sender randomly selects the two orthogonal quantum mechanical states from a plurality of quantum mechanical states for each of the first signals. It is characterized by selecting a state.

Further, in the key distribution method using quantum cryptography according to claim 2, the first signal is composed of a single photon time series, and the two orthogonal quantum mechanical states are the polarization states of photons. It is characterized by being done.

Further, in the key distribution method using quantum cryptography according to claim 3, the first signal comprises a single-electron time series, and the two orthogonal quantum mechanical states correspond to an electron spin state. It is characterized by being done.

According to a fourth aspect of the present invention, there is provided a key distribution method using quantum cryptography, wherein 1-bit data is made to correspond to a pair of physical systems having a quantum correlation, and the first physical system is composed of each of the pair of physical systems. A carrier and a second carrier are distributed to a sender and a receiver via a quantum channel, and the sender obtains a random number on a transmission side from 1-bit data obtained by measuring a quantum mechanical state of the first carrier. Creating a table, after the second carrier reaches the recipient,
Notifying the receiver of the method of measuring the first carrier via a classical channel, wherein the receiver receives the received second
Are held for a predetermined time, and the method of measuring the second carrier is determined based on the method of measuring the first carrier and the quantum correlation. From the 1-bit data obtained by the measurement of the second carrier, Create a random number table on the receiving side, the sender extracts test data from the random number table on the transmitting side, and the receiver extracts test data from the random number table on the receiving side, and notifies each other of the test data via a classical channel. In a key distribution method using quantum cryptography, wherein the random number table obtained by thinning out the test data after confirming that there is no eavesdropping on the quantum channel is used as a common key, the sender includes: For each measurement of the first carrier, the measurement method is randomly selected from measurement methods for each of a plurality of quantum mechanical states. That.

Further, the key distribution method using quantum cryptography according to claim 5 is characterized in that the pair of physical systems having the quantum correlation are photon pairs having the polarization correlation.

Further, the key distribution method using quantum cryptography according to claim 6 is characterized in that the pair of physical systems having the quantum correlation are electron pairs having the spin correlation.

In the key distribution method using the quantum cryptography according to the present invention as described above, the coding method used for communication is not determined in advance in the protocol, but the sender is given the room to actively select the protocol. It allows the sender to control the amount of mutual information. In this case, the coding method selected by the sender is random and unpredictable, but only the legitimate receiver detects the carrier pulse train as a quadrature state using an appropriate measuring device based on information obtained from the classical public channel. And in principle the receiver can determine all transmitted bits deterministically,
It is possible to eliminate useless bits. On the other hand, the mutual information amount that can be shared by the receiver other than the authorized receiver, for example, the eavesdropper, with the sender is zero. In addition, since the state of the carrier pulse propagating in the transmission path is unknown, quantum mechanics guarantees that eavesdropping by, for example, cloning is impossible.

[0049]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, a first embodiment of a key distribution method using quantum cryptography according to the present invention will be described with reference to the accompanying drawings. FIG. 1 is a configuration diagram of a communication system embodying a key distribution method using quantum cryptography according to the first embodiment of the present invention. Note that the same reference numerals are assigned to the same portions as those of the above-described conventional technology, and the description is omitted or simplified. As shown in FIG. 1, a communication system 100 that implements a key distribution method using quantum cryptography according to the present embodiment includes a sender 101
, A receiver 102, an optical pulse 103 including only one photon carrying one-bit information, a quantum channel 104 composed of, for example, an optical fiber for transmitting a time series of the optical pulse 103, and a sender 101. A classical public channel 105 composed of, for example, a wireless or telephone line for confirming transmission and reception states between the parties 102, and a sender random number table 106
A receiving-side random number table 107, a single-photon light source 108, a modulator 109, and polarization rotators A1 and A2 including electro-optical polarization rotators such as a Pockels cell.
And a light receiver B2 composed of a ° -system measuring device.
Note that the quantum channel 104 is a sender site 104A.
, A receiver site 104B having a delay C, and a transmission path unit 104C, and an eavesdropper cannot physically access the sender site 104A and the receiver site 104B. Also, it is assumed that an eavesdropper can eavesdrop on the information on the classic public channel 105 but cannot falsify it.

Here, in the light pulse 103, 1-bit information of “0” or “1” is placed in the polarization state of the photon.
The binary sequence is represented by a time series of photons having different polarization states. As a method of coding 1-bit information into the optical pulse 103, the sender 101 and the receiver 102 use orthogonal base vectors of linearly polarized light having a polarization axis whose inclination from the horizontal axis is θ and (θ + 90 °). θ ”to“
It is negotiated that only “0” and “θ + 90 °” be “1”. Is an arbitrary angle satisfying 0 ° ≦ θ <180 °. Since the value of θ is not defined in the protocol, the coding method is not determined in the protocol. The sender 101 refers to the random number table 106 on the transmitting side and uses the modulator 109 to change the time-series polarization of the optical pulse 103 composed of a single photon emitted from the single-photon light source 108 when the bit is “0”. Polarization axis is horizontal, ie 0 °
When the direction is "0", the polarization axis is vertical, that is, 90 degrees.
The modulation is performed sequentially so as to be in each direction. The time series of the modulated light pulse 103 passes through a polarization rotator A1 composed of an electro-optic polarization rotator such as a Pockels cell, for example, whereby the polarization axis is sequentially rotated by θ °. Therefore,
The sender 101 can freely control the polarization rotation angle of each light pulse 103 in the time series of the modulated light pulse 103.

The time series of the optical pulse 103 passes through the quantum channel 104 composed of an optical fiber, and further passes through the delay C. It is assumed that the delay C has a predetermined length and that the receiver 102 can execute Step 3 of the protocol described below. The receiver 102 is provided with a polarization rotator A2 composed of an electro-optic polarization rotator similarly to the sender 101, and can freely control the polarization rotation angle of the received optical pulse 103. The optical pulse 103 that has passed through the polarization rotation element A2 of the receiver 102 is measured by a photodetector B2 constituted by a 0-degree measuring device that can identify photons having a horizontal or vertical linear polarization state without error. By exchanging information via the classical public channel 105, the sender 101 and the receiver 102 match the setting conditions of the polarization rotator A1 on the sender 101 side and the polarization rotator A2 on the receiver 102 side. , The mutual information amount of each other can be set to one. In addition, the combination of the polarization rotator A2 and the photodetector B2 composed of a 0-degree measuring device can correctly identify a photon having a linear polarization state having a polarization axis of θi and (θi + 90 °) from the horizontal axis. It operates as a possible θi measuring instrument.

The communication system 100 embodying the key distribution method using quantum cryptography according to the present embodiment has the above-described configuration. Next, the operation of the key distribution method using quantum cryptography in the communication system 100, that is, The communication protocol between the sender 101 and the receiver 102 will be described with reference to FIG.

Step 1: The sender 101 randomly assigns a bit value xi (“0”) to each light pulse 103-i in the time series of n light pulses 103 emitted from the single-photon light source 108. Or “1”), and the polarization rotation angle θi (0 ° ≦ θi <180) of the polarization rotator A1.
°). Note that i = 1, 2,..., N. The sender 101 determines the light pulse 1 according to the selected bit value xi.
03 is sequentially modulated using the modulator 109, and the polarization rotation angle of the polarization rotator A1 is modulated in accordance with the selected polarization rotation angle θi to change the polarization of each time series of the optical pulse 103. Rotate sequentially. Step 2: When the optical pulse 103 reaches the receiver site 104B via the transmission path unit 104C, the sender 101
Represents each light pulse 103 through the classical public channel 105
-Notify the receiver 102 of the value of the polarization rotation angle θi with respect to i. Step 3: Recipient 102 establishes classic public channel 10
5, the polarization axis of each light pulse 103-i coming out of the delay C is rotated (-θi) by the polarization rotator A2 in accordance with the value of the rotation angle θi clarified in step 5, and the optical receiver is composed of a 0 ° measuring device. The polarization axis is measured using B, and the receiving-side random number table 107 is created according to the measurement result.

Step 4: The sender 101 extracts test bits from the random number table 106 on the transmitting side and the receiver 102 extracts test bits from the random number table 107 on the receiving side at appropriate ratios, and notifies each other via the classical public channel 105. Perform collation by Step 5: If in step 4 an appropriate sufficient number of test bits match between sender 101 and receiver 102,
It is concluded that there is no eavesdropping with a probability close to 1, and it is guaranteed that each of the random number tables 106 and 107 excluding the bits used for matching has the same value that only the sender 101 and the receiver 102 know, These random number tables 106, 1
07 is a common key. Step 6: If a mismatch bit is found during the verification in step 4, it is determined that someone has eavesdropped, and all data including the random number tables 106 and 107 are discarded, and the sender 101 and the receiver 102 Steps such as changing the communication channel, ie, the quantum channel 104 between
Repeat the following steps.

According to the key distribution method using quantum cryptography according to the present embodiment, only the legitimate receiver 102 can always reliably identify the polarization state of the optical pulse 103 sent by the sender 101. Since the transmitter can be selected, the mutual information amount between the sender 101 and the legitimate receiver 102 becomes 1 (a perfect correlation is formed), and the legitimate receiver 102 receives the light transmitted by the sender 101. All of the pulses 103 can be used and can share the same bit value with the sender 101. In addition, the eavesdropper has the proper θi
Since a system measuring device cannot be prepared, the probability that an eavesdropper obtains the measurement results of bits “0” and “1” for each bit is equal to そ れ ぞ れ, respectively, and the mutual information amount between the sender 101 and the eavesdropper is 0 (completely uncorrelated), and the eavesdropper cannot obtain effective information by eavesdropping. The probability that eavesdropping will not be detected is 1/2 for 1-bit data. For example, the probability that eavesdropping will not be detected when s bits are collated is (1/2) ^s . If there is a match between the sender 101 and the receiver 102, it is concluded that the eavesdropping has a probability close to one. Thereby, the secret key can be generated while monitoring that the eavesdropping is not performed by information exchange in the classic public channel 105.

In the present embodiment, the carrier on which information is carried is assumed to be a photon, and the attribute for coding information is assumed to be polarization. Alternatively, the attribute for coding the information may be another attribute, for example, a spin attribute or a phase attribute of the carrier. In short, the carrier may be any quantum having an internal degree of freedom (two discrete eigenstates) sufficient to carry 1-bit information. The quantum channel 104 is an optical fiber or a propagation mode in free space when photons are used as quanta, and is a waveguide circuit of electrons when electrons in a solid are used as quanta.

Next, a second embodiment of the key distribution method using quantum cryptography according to the present invention will be described with reference to the accompanying drawings. FIG. 2 is a configuration diagram of a communication system embodying a key distribution method using quantum cryptography according to the second embodiment of the present invention. The same parts as those in the above-described embodiment are denoted by the same reference numerals, and the description is omitted or simplified. As shown in FIG. 2, a communication system 200 that implements a key distribution method using quantum cryptography according to the present embodiment includes a sender 101, a receiver 102, a pair of optical pulses 103a and 103b, and an optical pulse 103b. Channel 104 transmitting the time series of
, Classical public channel 105, and sender random number table 106
, A receiving-side random number table 107, a two-photon light source 110, polarization rotators A1 and A2, and photodetectors B1 and B2, which are, for example, 0-degree measuring devices.

As the two-photon light source 110, for example, a polarization-correlated photon pair generated due to frequency down-conversion due to an optical parametric effect or cascade transition of atoms is used. The two-photon light source 110 is installed in the sender site 104A, and the time series of one light pulse 103a of the pair of light pulses 103a and 103b generated by the two-photon light source 110 is transmitted to the sender 101 side. It is used for monitoring the polarization state of the photon pair and the generation time. The time series of the other light pulse 103b is transmitted to the receiver 102 via the quantum channel 104. Here, in the light pulse 103, 1-bit information of “0” or “1” is placed in the polarization state of the photon,
The hexadecimal sequence is represented by a time series of photons having different polarization states. The sender 101 passes a time series of one optical pulse 103a composed of a single photon through the polarization rotator A1,
The polarization axis of the light pulse 103a is sequentially rotated (−θ). The sender 101 can select the polarization rotation angle (−θ) of each light pulse in the time series of the light pulse 103a within a range satisfying 0 ≦ θ <180 °. Sender 101 is polarization rotator A
The polarization direction of the light pulse 103 that has passed through is measured by the photodetector B composed of a 0 ° measuring device. If the measured polarization axis is in the horizontal (0 °) direction, a bit value “0” is recorded and the In the case of the direction of 90 °), the bit value “1” is recorded and the transmission-side random number table 106 is created.

Assuming that the polarization state of the photon pair from the two-photon light source 110 is a triplet state having perfect correlation (ie, a singlet or triplet state having perfect anticorrelation), The time-series polarization state of the other light pulse 103b transmitted to the receiver 102 by the channel 104 is such that the time-series polarization axis of the one light pulse 103a measured by the sender 101 is in the horizontal (0 °) direction ( Bit value "0")
Is a linearly polarized light having a polarization axis in the θ direction (θ + 90 °), and one of the optical pulses 103a measured by the sender 101.
In the case where the polarization axis of the time series is in the vertical (90 °) direction (bit value “1”), the light is linearly polarized light having the polarization axis in the θ + 90 ° direction (θ). Since the value of θ is not defined in the protocol, the coding method is not determined in the protocol. The time series of the optical pulse 103b sent to the receiver 102 is based on the transmission path 104C of the quantum channel 104 and the delay C
Pass through. The delay C has a predetermined length and is sufficient for the receiver 102 to execute step 4 of the protocol described below.

The receiver 102 includes the polarization rotator A2 similarly to the sender 101, and can freely control the polarization rotation angle of the received optical pulse 103. The optical pulse 103 that has passed through the polarization rotating element A of the receiver 102 is measured by a photodetector B constituted by a 0-degree measuring device that can identify photons having a horizontal or vertical linear polarization state without error. By exchanging information via the classical public channel 105, the sender 101 and the receiver 102 match the setting conditions of the polarization rotator A1 on the sender 101 side and the polarization rotator A2 on the receiver 102 side. , The mutual information amount is 1
Can be Note that the combination of the polarization rotator A1 and the light receiver B1 composed of the 0 ° measuring instrument, and the combination of the polarization rotator A2 and the light receiver B2 composed of the 0 ° measuring instrument have inclinations from the horizontal axis. Are θi and (θi + 90
It operates as a θi-based measuring device that can identify photons having a linear polarization state having a polarization axis of (°) without error.

The communication system 200 embodying the key distribution method using quantum cryptography according to the present embodiment has the above-described configuration. Next, the operation of the key distribution method using quantum cryptography in the communication system 200, that is, The communication protocol between the sender 101 and the receiver 102 will be described with reference to FIG.

Step 1: Sender 101 is a two-photon light source 1
10, a pair of light pulses 10 whose polarization axis is not determined
N time series of 3a and 103b are prepared, one optical pulse 103a-i (i = 1, 2,..., N) is transmitted to the sender 101 side, and the other optical pulse 103bi-i (i = 1) , 2,
.., N) are sent to the receiver 102 side. Step 2: Sender 101 receives one light pulse 103a
N time-series optical pulses 103a-i (i = 1,
, N), the polarization rotation angle (-θi) of the polarization rotator A1 is selected at random. The sender 101 modulates the polarization rotation angle (−θi) of the polarization rotator A1 according to the selected polarization rotation angle θi, and sequentially rotates (−θi) the time-series polarization axis of the optical pulse 103a. The sender 101 sequentially measures the polarization axis of the optical pulse 103a that has passed through the polarization rotator A1 using the photodetector B1 composed of a 0 ° measuring device, and records a bit value corresponding to the measurement result in the transmission-side random number table 106. . Step 3: Light pulse 103b sent to receiver 102
Reaches the recipient site 104B via the transmission line section 104C, the sender 101
, The receiver 102 is notified of the value of the polarization rotation angle (−θi) for each light pulse 103a-i. Step 4: Recipient 102 establishes classic public channel 10
In accordance with the value of the polarization rotation angle (−θi) revealed in FIG. 5, the polarization axis of the optical pulse 103b-i coming out of the delay C is sequentially rotated (−θi) by the polarization rotator A2, and then 0 °.
The polarization axis is measured using a light receiver B2 composed of a system measuring device,
The receiving-side random number table 107 is created according to the measurement result.

Step 5: The sender 101 extracts test bits from the random number table 106 on the transmitting side and the receiver 102 extracts test bits from the random number table 107 on the receiving side at an appropriate ratio, and notifies each other via the classical public channel 105. Perform collation by Step 6: If in step 4 the appropriate sufficient number of test bits match between sender 101 and receiver 102,
It is concluded that there is no eavesdropping with a probability close to 1, and it is guaranteed that each of the random number tables 106 and 107 excluding the bits used for matching has the same value that only the sender 101 and the receiver 102 know, These random number tables 106, 1
07 is a common key. Step 7: If a mismatch bit is found during the verification in step 5, it is determined that someone has eavesdropped, and all data including the random number tables 106 and 107 are discarded, and the sender 101 and the receiver 102 Steps such as changing the communication channel, ie, the quantum channel 104 between
Repeat the following steps.

According to the key distribution method using quantum cryptography according to the present embodiment, θi-based measurement in which only the authorized receiver 102 can always reliably identify the polarization state of the optical pulse 103 sent by the sender 101 You can choose the vessel,
The mutual information amount between the sender 101 and the legitimate receiver 102 becomes 1 (a perfect correlation is formed), and the legitimate receiver 10
2 can use all of the optical pulses 103 sent by the sender 101 and share the same bit value with the sender 101. Further, since the eavesdropper cannot prepare an appropriate θi-based measuring device, the probability that the eavesdropper obtains the measurement results of the bits “0” and “1” for each bit is equal to そ れ ぞ れ, respectively. Is 0 (completely uncorrelated), and the eavesdropper cannot obtain effective information by eavesdropping. The probability that eavesdropping will not be detected is 1/2 for 1-bit data. For example, when s bits are collated, the probability that eavesdropping will not be detected is (1/2) ^s . If the sender 101 and the receiver 102 match, 1
It is concluded that eavesdropping has a probability close to. This makes it possible for classical public channel 1
The secret key can be generated while monitoring by the information exchange in 05.

In the present embodiment, the carrier on which information is carried is assumed to be a photon, and the attribute for coding the information is assumed to be polarization. However, the present invention is not limited to this. Alternatively, the attribute for coding the information may be another attribute, for example, a spin attribute or a phase attribute of the carrier. In short, the carrier may be any quantum having an internal degree of freedom (two discrete eigenstates) sufficient to carry 1-bit information. The quantum channel 104 is an optical fiber or a propagation mode in free space when photons are used as quanta, and is a waveguide circuit of electrons when electrons in a solid are used as quanta.

[0066]

As described above, according to the key distribution method using quantum cryptography of the present invention, the mutual information amount between the sender and the receiver becomes 1 (perfect correlation), and the receiver transmits The same random number table can be shared with the sender by using all of the data sent by the sender. Furthermore, the mutual information amount between the sender and the eavesdropper is 0 (completely uncorrelated), and the probability that eavesdropping will not be detected is 1/2 for 1-bit data. For example, when s bits are collated, The probability that eavesdropping will not be detected is (1/2) ^s , and the risk factor is not reduced without lowering the transmission efficiency compared to the above-described conventional four-state encryption, delayed four-state encryption, non-orthogonal two-state encryption, and time difference interference encryption. And the security against eavesdropping can be improved.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a communication system that embodies a key distribution method using quantum cryptography according to a first embodiment of the present invention.

FIG. 2 is a configuration diagram of a communication system that implements a key distribution method using quantum cryptography according to a second embodiment of the present invention.

FIG. 3 is a configuration diagram of a communication system that realizes a key distribution method using four-state encryption according to an example of the related art.

FIG. 4 is a configuration diagram of a communication system that realizes a key distribution method using delayed four-state encryption according to an example of the related art.

FIG. 5 is a configuration diagram of a communication system that realizes a key distribution method using two-particle interference encryption according to an example of the related art.

FIG. 6 is a configuration diagram of a communication system that realizes a key distribution method using delayed two-particle interference encryption according to an example of the related art.

FIG. 7 is a configuration diagram of a communication system that implements a key distribution method using non-orthogonal two-state encryption according to an example of the related art.

FIG. 8 is a configuration diagram of a communication system that realizes a key distribution method using time difference interference encryption according to an example of the related art.

FIG. 9 is a configuration diagram of a communication system that realizes a key distribution method using time-difference interference encryption using an asymmetric Mach-Zehnder interferometer according to an example of the related art.

FIG. 10 is a communication path diagram between a sender and a receiver in a four-state encryption, a two-particle interference encryption, and a time difference interference encryption using an asymmetric Mach-Zehnder (MZ) interferometer.

FIG. 11 is a communication line diagram in non-orthogonal two-state encryption, showing a case where standard measurement is performed (a) and a case where generalized measurement is performed (b).

FIG. 12 is a communication path diagram in time difference interference encryption using a symmetric Mach-Zehnder (MZ) interferometer.

FIG. 13 is a diagram illustrating two orthogonal states that are the closest to the two non-orthogonal states.

FIG. 14 is a diagram illustrating a risk factor corresponding to each of p _eav = 0.85, _{0.75, and} 0.5 with respect to the number s of test bits.

[Explanation of symbols]

 Reference Signs List 101 sender 102 receiver 103 optical pulse 104 quantum channel 104A sender site 104B receiver site 104C transmission line section 105 classical public channel 106 sender random number table 107 receiver random number table 108 single photon light source 109 modulator 110 two photon Light source A1, A2 Polarization rotator B1, B2 Receiver C Delay

Claims (6)

[Claims] 1. A transmitter modulates a first signal by associating one bit of data with two orthogonal quantum mechanical states, and transmits the first signal to a receiver via a quantum channel. By performing the distribution of the random number table by the above, after the first signal reaches the receiver, notifies the receiver of the measurement method of the first signal via a classical channel, the receiver, The received first signal is held for a predetermined time, and the random number table is created from 1-bit data obtained by measurement based on the first signal measurement method. The receiver extracts test data from the received random number table,
The test data was compared with each other by notifying each other via a classical channel, and after confirming that there was no eavesdropping on the quantum channel, the random number table obtained by thinning out the test data was used as a quantum key and a common key was used. In the key distribution method, the sender uses, for each of the first signals, randomly selects the orthogonal two quantum mechanical states from a plurality of quantum mechanical states. Key distribution method. 2. The quantum cryptography according to claim 1, wherein the first signal is composed of a single photon time series, and the two orthogonal quantum mechanical states are photon polarization states. Key distribution method. 3. The quantum cryptography according to claim 1, wherein the first signal is composed of a single-electron time series, and the two orthogonal quantum mechanical states are electron spin states. Key distribution method. 4. A 1-bit data is made to correspond to a pair of physical systems having a quantum correlation, and a first carrier and a second carrier made of each of the pair of physical systems are transmitted and received via a quantum channel via a quantum channel. The sender creates a random number table on the transmission side from 1-bit data obtained by measuring the quantum mechanical state of the first carrier, and the second carrier reaches the receiver. Then, the receiver is notified of the method of measuring the first carrier via a classical channel, and the receiver holds the received second carrier for a predetermined time, and the method of measuring the first carrier is performed. And determining the method of measuring the second carrier based on the quantum correlation, creating a random number table on the receiving side from 1-bit data obtained by measuring the second carrier, From the random number table on the transmitting side, the receiver extracts test data from the random number table on the receiving side,
The test data is compared with each other by notifying each other via a classical channel, and after confirming that there is no eavesdropping in the quantum channel, a quantum cryptography using the random number table obtained by thinning out the test data as a common key is used. In the key distribution method, the sender randomly selects the measurement method from among the measurement methods for a plurality of quantum mechanical states for each measurement of the first carrier. Key distribution method using. 5. The key distribution method using quantum cryptography according to claim 4, wherein said pair of physical systems having a quantum correlation are photon pairs having a polarization correlation. 6. The key distribution method using quantum cryptography according to claim 4, wherein said pair of physical systems having quantum correlation are electron pairs having spin correlation.