Quantum key distribution system
The quantum key distribution system addresses eavesdropping vulnerabilities by employing biased basis selection and bit removal techniques to generate a secure key, enhancing detection and prevention of eavesdropping attacks.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- KDDI CORP
- Filing Date
- 2024-12-20
- Publication Date
- 2026-07-02
AI Technical Summary
Existing quantum key distribution systems, such as BB84 and efficient BB84, are vulnerable to eavesdropping attacks where eavesdroppers intercept and measure only a portion of the photon sequence using the Z basis, leading to undetected eavesdropping due to low probability of basis mismatch detection.
The quantum key distribution system employs a biased basis selection (p ≤ 1/2 for one basis and 1-p for the other) with a receiving device that measures bits using the same probabilities, and includes units for basis information exchange, bit removal, key distillation, and key generation to generate a secret key from matching bits, excluding potential eavesdropped bits.
The system enhances eavesdropping detection and prevention, improving security by reliably excluding eavesdropped bits and generating a secure key, resistant to various attack patterns.
Smart Images

Figure 2026110176000001_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to a countermeasure technology against eavesdropping in quantum key distribution.
Background Art
[0002] In BB84, which is a typical method of quantum key distribution, first, a photon sequence in a quantum state created based on the bit information and transmission basis selected by the sender is sent, and the receiver creates a bit sequence from the photon sequence in the quantum state using the reception basis selected by the receiver itself. Next, the sender and the receiver exchange the basis information selected by each other, and discard the bits for which the selected bases do not match. Then, the sender and the receiver calculate the bit error rate QBER using a part of the remaining bits. If the QBER is greater than the threshold, it is regarded as being eavesdropped, and the sender sends the photon sequence in the quantum state again. On the other hand, when the QBER is below the threshold, the sender and the receiver perform a key distillation process for correcting bit errors and removing leaked information, and share a secret key.
[0003] In normal BB84, the transmission basis and the reception basis are each randomly selected uniformly, and the QBER is calculated independently of the basis from the bits extracted from both bases. On the other hand, an efficient BB84 is defined in which one basis (X basis) is selected with a probability p (0 < p ≤ 1 / 2) and the other basis (Z basis) is selected with a probability 1 - p, giving a bias to the basis selection, and the QBER is calculated from the bits extracted for each basis.
[0004] The bias in the basis selection increases the efficiency by increasing the coincidence probability of the bases selected by the sender and the receiver, and the QBER calculation for each basis prevents an attack in which all photon sequences in the quantum state are eavesdropped using the basis with a high selection probability without being detected. For example, in Non-Patent Document 1, it is shown that an attack in which all photon sequences in the quantum state are eavesdropped in the Z basis can detect eavesdropping because the QBER in the X basis increases.
Prior Art Documents
Non-Patent Documents
[0005] [Non-Patent Document 1] Hoi-Kwong Lo, HF Chau, and M. Ardehali, "Efficient Quantum Key Distribution Scheme and a Proof of Its Unconditional Security," J. Cryptology, 18(2):133-165, 2005. [Overview of the Initiative] [Problems that the invention aims to solve]
[0006] In quantum key distribution, it is desirable that the private key information is not leaked to eavesdroppers and that the sender and receiver can securely share the private key. BB84's eavesdropping detection uses the QBER value, and eavesdropping increases the QBER value when the sender and receiver select the same basis, but the eavesdropper selects a different basis, causing the bits of the sender and receiver to not match due to eavesdropping.
[0007] In the case of an efficient BB84 with a bias in basis selection, the probability of both the sender and receiver selecting the X basis is low, so if the eavesdropper selects the Z basis, the probability of detection of eavesdropping is small. However, if eavesdropping is performed using the Z basis for all photon sequences of the quantum state, as in conventional methods, there is a small probability that both the sender and receiver will select a different X basis than the eavesdropper, resulting in a situation where the sender and receiver's bits do not match. In this case, the QBER of the X basis increases, allowing for detection of eavesdropping. On the other hand, one possible attack involves the eavesdropper intercepting only a portion of the photon sequence from the beginning, rather than the entire sequence of photons in the quantum state, measuring it using only the Z basis, and then retransmitting the photon sequence of the Z basis's eigenstates corresponding to the measurement result to the receiver. In this case, there was a probability that the eavesdropping would not be detected.
[0008] The present invention aims to provide a quantum key distribution system that can more reliably prevent eavesdropping in quantum key distribution. [Means for solving the problem]
[0009] The quantum key distribution system according to the present invention transmits a photon sequence in a state corresponding to the value of each bit while selecting one basis in quantum key distribution with a probability p (0 < p ≤ 1 / 2) and selecting the other basis with a probability 1 - p, and a receiving device that, when receiving the photon sequence, measures the value of each bit while selecting one basis with a probability p and selecting the other basis with a probability 1 - p. The transmitting device and the receiving device each include a basis information exchange unit that exchanges information on the basis selected by each other and generates a first bit sequence including only the bits for which the bases match, a bit removal unit that generates a second bit sequence by removing at least the first (2 / p 2 ) - 1 bits of the first bit sequence, a key distillation processing unit that performs a predetermined key distillation process on the second bit sequence, and a key generation unit that generates a secret key common to the transmitting device and the receiving device based on the bit sequence after the key distillation process is performed.
[0010] The bit removal unit may generate the second bit sequence by removing a plurality of consecutive (2 / p 2 ) - 1 bits from the first bit sequence.
[0011] The key generation unit may hold a plurality of bit sequences after the key distillation process is performed and generate the secret key by combining the plurality of bit sequences.
[0012] The key generation unit may hold a plurality of bit sequences after the key distillation process is performed and calculate the secret key by inputting them into a one-way function.
Advantages of the Invention
[0013] According to the present invention, eavesdropping in quantum key distribution can be more reliably prevented.
Brief Description of the Drawings
[0014] [Figure 1] It is a block diagram showing the functional configuration of the quantum key distribution system in the first embodiment. [Figure 2]It is a diagram showing a part removed from a bit string in the first embodiment. [Figure 3] It is a diagram exemplifying a part removed from a bit string in the second embodiment.
Embodiments for Carrying Out the Invention
[0015] Hereinafter, embodiments of the present invention will be illustrated and described. When the quantum key distribution system of the embodiment adopts the efficient BB84 that selects the aforementioned X basis with a probability p (0 < p ≤ 1 / 2), it is resistant to an attack method that utilizes the bias of the basis selection and improves security.
[0016] Specifically, the probability p of being detected as eavesdropping 2 / 2 and the expected value of the geometric distribution, which is the expected value of the number of bits until it is first detected as eavesdropping (2 / p 2 ) - 1 bit is intercepted by the attacker, measured using only the Z basis, and a photon string in the eigenstate of the Z basis corresponding to the measurement result is resent to the receiver. An attack method can be considered.
[0017] [First Embodiment] In the first embodiment, a countermeasure method against an attack method of eavesdropping (2 / p 2 ) - 1 bit from the head of the photon string in the quantum state using the Z basis is shown.
[0018] FIG. 1 is a block diagram showing the functional configuration of the quantum key distribution system 1 in the first embodiment. The quantum key distribution system 1 includes a transmission device 10 and a reception device 20 that transmit and receive a photon string in a quantum state.
[0019] The transmission device 10 selects one basis in quantum key distribution with a probability p (0 < p ≤ 1 / 2) by the photon transmission unit 11, selects the other basis with a probability 1 - p, and transmits a photon string in a state corresponding to the value of each bit to the reception device 20. When the receiving device 20 receives a photon sequence from the transmitting device 10 using the photon receiving unit 21, it selects one basis with probability p and the other basis with probability 1-p, while measuring the value of each bit. Furthermore, in order to transmit, receive, and measure the photon train, known devices corresponding to the base used may be employed for the photon transmitter 11 and the photon receiver 21.
[0020] Furthermore, the transmitting device 10 and the receiving device 20 each include control units (12, 22) for obtaining common secret key information from the transmitted and received bit information, and this function is performed by reading and executing a program stored in the storage units (13, 23). In other words, each of the following functional units may be implemented by a conventional information processing device (computer).
[0021] The control units (12, 22) of the transmitting device 10 and the receiving device 20 each include a base information exchange unit (121, 221), a bit removal unit (122, 222), a key distillation processing unit (123, 223), and a key generation unit (124, 224), respectively.
[0022] The base information exchange unit (121,221) exchanges base information selected by each other between the transmitting device 10 and the receiving device 20, and generates a first bit sequence consisting only of bits whose bases match.
[0023] The bit removal unit (122,222) removes at least the leading bit (2 / p) from the first bit sequence. 2 Remove the -1 bit to generate a second bit sequence.
[0024] The key distillation processing unit (123,223) performs a predetermined key distillation process on the second bit sequence. The key distillation process may be a known one.
[0025] The key generation unit (124,224) generates a secret key common to the transmitter 10 and the receiver 20 based on the bit sequence after the key distillation process. The secret key may be directly adopted as the bit sequence obtained by the key distillation process, or may be calculated by a common operation in both key generation units (124, 224).
[0026] FIG. 2 is a diagram showing a part removed from the bit sequence in the first embodiment. If an attacker eavesdrops on (2 / p 2 ) - 1 bits from the beginning of the photon sequence transmitted and received between the transmitter 10 and the receiver 20, for the first bit sequence retained after the basis information exchange, there is also a possibility that up to (2 / p 2 ) - 1 bits have been eavesdropped.
[0027] Therefore, the transmitter 10 and the receiver 20 exclude (2 / p 2 ) - 1 bits from the beginning of the first bit sequence, and perform the conventional key distillation process on the remaining part.
[0028] [Second Embodiment] In the first embodiment, among the photon sequences in the quantum state, the part eavesdropped by the attacker is limited to the beginning. However, in the second embodiment, the part to be eavesdropped is not limited.
[0029] Therefore, the bit removal units (122, 222) generate a second bit sequence by removing (2 / p 2 ) - 1 consecutive bits at multiple positions in the first bit sequence.
[0030] FIG. 3 is a diagram illustrating the parts removed from the bit sequence in the second embodiment. In this example, the transmitter 10 and the receiver 20, in addition to (2 / p <00000११>) - 1 bits from the beginning of the first bit sequence, further exclude (2 / p 2 ) - 1 consecutive bits at two more positions, and perform the conventional key distillation process on the remaining part.
[0031] This improves the security of the quantum key distribution system 1 by increasing the likelihood that it can exclude bits read by an attacker even if the attacker attempts to eavesdrop using a pattern other than sequentially from the first bit.
[0032] Furthermore, the portion removed from the first bit sequence may be in many more places, (2 / p 2 )-1 bit may be a longer portion.
[0033] [Differentiation] In the first and second embodiments, a configuration for preventing eavesdropping by an attacker was described, but this configuration may also be combined with a method for preventing the generation of a secret key from the intercepted bit information.
[0034] In other words, the key generation units (124, 224) of the transmitting device 10 and the receiving device 20 may each hold multiple common bit sequences after performing key distillation, and generate a secret key by combining these multiple bit sequences.
[0035] Specifically, for example, the key generation unit (124,224) may calculate a single secret key by inputting multiple bit sequences obtained after key distillation into a one-way function such as a hash function. This prevents an attacker from generating the same secret key as the transmitter 10 and receiver 20.
[0036] According to the embodiment described above, the quantum key distribution system 1 is difficult to detect by utilizing the bias in basis selection from the bit sequence remaining after basis information exchange between the transmitter 10 and the receiver 20 (2 / p 2 For attacks that eavesdrop down to -1 bit, the key distillation process is performed after removing the number of bits that may have been intercepted. As a result, the quantum key distribution system 1 can suppress the reduction in the security of the secret key due to bias in basis selection and more reliably prevent eavesdropping in quantum key distribution.
[0037] Furthermore, the quantum key distribution system 1, in the bit sequence remaining after the basis exchange information exchange, extracts not only from the beginning but also from multiple points (2 / p 2 By removing the -1 bit, security can be improved not only against continuous eavesdropping from the beginning, but also against other attack patterns.
[0038] Furthermore, the quantum key distribution system 1 does not use the bit sequence after key distillation as the secret key, but rather stores the bit sequence after key distillation a predetermined number of times and generates a secret key by combining the stored bit sequences, thereby suppressing the generation of secret keys by attackers.
[0039] Furthermore, this embodiment makes it possible to achieve both efficiency and security in quantum key distribution, thereby contributing to Goal 9 of the United Nations-led Sustainable Development Goals (SDGs), "Build resilient infrastructure, promote sustainable industrialization and foster innovation."
[0040] Although embodiments of the present invention have been described above, the present invention is not limited to the embodiments described above. Furthermore, the effects described in the embodiments described above are merely a list of the most preferred effects resulting from the present invention, and the effects of the present invention are not limited to those described in the embodiments.
[0041] The quantum key distribution method of the quantum key distribution system 1 is implemented by software. When implemented by software, the programs constituting this software are installed on an information processing device (computer). These programs may be distributed to users by being recorded on removable media such as a CD-ROM, or by being downloaded to the user's computer via a network. Furthermore, these programs may be provided to the user's computer as a web service via a network without being downloaded. [Explanation of Symbols]
[0042] 1. Quantum Key Distribution System 10 Transmitter 11 Photon Transmitter 12 Control Unit 13 Storage section 20 Receiving device 21 Photon Receiver 22 Control Unit 23 Memory section 121 Photon train transmission section 122 Basic Information Exchange Department 123-bit removal section 124 Key generation section 221 Photon train transmission section 222 Basic Information Exchange Department 223-bit removal section 224 Key generation section
Claims
1. A transmitting device that selects one basis in quantum key distribution with probability p (0 < p ≤ 1 / 2) and the other basis with probability 1-p, while transmitting a sequence of photons in a state corresponding to the value of each bit, The system includes a receiving device that, upon receiving the aforementioned photon sequence, selects one basis with probability p and the other basis with probability 1-p, while measuring the value of each bit. The transmitting device and the receiving device are, respectively, A base information exchange unit exchanges base information selected by each party and generates a first bit sequence consisting only of bits whose bases match. Of the first bit sequence, at least the leading (2 / p 2 A bit removal unit that removes -1 bit to generate a second bit sequence, A key distillation processing unit that performs a predetermined key distillation process on the second bit sequence, A quantum key distribution system comprising: a key generation unit that generates a secret key common to the transmitting device and the receiving device based on the bit sequence after performing the key distillation process.
2. The bit removal unit removes consecutive (2 / p) bits from the first bit sequence. 2 The quantum key distribution system according to claim 1, wherein the second bit sequence is generated by removing -1 bits at multiple locations.
3. The quantum key distribution system according to claim 1 or 2, wherein the key generation unit holds a plurality of bit sequences after the key distillation process, and generates the secret key by combining the plurality of bit sequences.
4. The quantum key distribution system according to claim 3, wherein the key generation unit holds a plurality of bit sequences after performing the key distillation process and calculates the secret key by inputting them into a one-way function.