1. Field of the Invention
This application is based upon and claims the benefit of priority from Japanese Patent Application No. 2006-340750, filed on Dec. 19, 2006, the disclosure of which is incorporated herein in its entirety by reference.
The present invention relates to a method and system for managing information shared between communication devices.
2. Description of the Related Art
The Internet is an economic and social infrastructure over which various kinds of data are exchanged, and therefore it is an important issue to provide preventive measures that protect the data flowing over the Internet from the risk of eavesdropping. A secret communication system that encrypts data for communication can be cited as one such preventive measure.
A key, which is required to encrypt and decrypt information, needs to be shared as secret information between a sending side and a receiving side. The quantum key distribution (QKD) technology is regarded as a promising technology for generating and sharing such secret information.
A. QKD
According to the QKD technology, unlike ordinary (classical) optical communications, random numbers are transmitted by using a single photon per bit, whereby a sending device and a receiving device can generate and share a common key. The QKD technology ensures security based not on the amount of calculation, as in conventional cases, but on the principle of quantum mechanics that a once-observed photon cannot be perfectly returned to its quantum state before observation.
According to the QKD technology, several steps must be completed before a cryptographic key used for cryptographic communication is generated. A typical process of cryptographic key generation will be described below with reference to FIG. 1.
A.1) Single-Photon Transmission
In single-photon transmission, as mentioned above, random numbers are transmitted over a quantum channel by using very weak light in which the number of photons per bit is reduced to one. Among the several QKD protocols proposed, the BB84 protocol, for example, which uses four quantum states, is widely known (see Bennett and Brassard, “QUANTUM CRYPTOGRAPHY, PUBLIC KEY DISTRIBUTION AND COIN TOSSING,” IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, Dec. 10-12, 1984, pp. 175-179). A sender phase-modulates each single photon for transmission by using any one of four types of information obtained by the combination of two-valued random data (0, 1) and two bases (D, R) representing quantum states. A receiver receives each single photon by using any one of the bases (D, R) determined independently of the sender. A sequence of bits that have been successfully received by the receiver is called a raw key. Most of the random numbers sent by the sender are lost due to the loss along a transmission path and the like.
A.2) Basis Reconciliation
Next, bit comparison and basis reconciliation are performed using a communication channel of ordinary light (classical channel) that is different from the transmission path (quantum channel) used for the photon transmission. The receiver notifies the sender, through the classical channel, of the bit numbers of the successfully received bits and corresponding reception bases. The sender compares the received reception bases with transmission bases that were used to send bits corresponding to the received bit numbers, thereby sifting out only those bits corresponding to transmission and reception bases that have matched. A sequence of these sifted-out bits is called a sifted key.
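The single-photon transmission and basis reconciliation steps of A.1 and A.2 can be followed in the simulation below, which is an added example and not part of the original text. The function name `bb84_sift`, the loss probability, the noise-free channel with no eavesdropper, and the sender's return of the matched bit numbers to the receiver are assumptions made for the illustration.

```python
import random

BASES = ("D", "R")  # the two bases named in the text


def bb84_sift(n_bits, loss=0.9, seed=1):
    """Simulate single-photon transmission followed by basis reconciliation.

    Assumptions (not from the original text): an ideal channel without noise
    or eavesdropper, and a fixed per-photon loss probability `loss`.
    Returns (raw key length, sender's sifted key, receiver's sifted key).
    """
    rng = random.Random(seed)
    # Sender: two-valued random data and a random basis for every photon.
    tx_bits = [rng.randint(0, 1) for _ in range(n_bits)]
    tx_bases = [rng.choice(BASES) for _ in range(n_bits)]

    # Receiver: independently chosen basis; most photons are lost in transit.
    raw = {}  # bit number -> (reception basis, measured bit): the raw key
    for i in range(n_bits):
        if rng.random() < loss:
            continue
        rx_basis = rng.choice(BASES)
        # A mismatched basis gives a random measurement result.
        bit = tx_bits[i] if rx_basis == tx_bases[i] else rng.randint(0, 1)
        raw[i] = (rx_basis, bit)

    # Classical channel: the receiver discloses bit numbers and reception
    # bases only, never the measured bit values.
    report = [(i, basis) for i, (basis, _) in raw.items()]
    # The sender keeps the bits whose transmission and reception bases match
    # and (assumed here) returns the matched bit numbers to the receiver.
    matched = [i for i, basis in report if basis == tx_bases[i]]

    sender_sifted = [tx_bits[i] for i in matched]
    receiver_sifted = [raw[i][1] for i in matched]
    return len(raw), sender_sifted, receiver_sifted


if __name__ == "__main__":
    raw_len, s_key, r_key = bb84_sift(10_000)
    print(f"sent=10000 raw={raw_len} sifted={len(s_key)} equal={s_key == r_key}")
```

On this ideal channel the two sifted keys are identical; on a real channel they differ in some positions, which is why the error correction of A.3 follows.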
A.3) Error Correction
Since there is a possibility that the sifted key thus generated may include communication errors, the random number sequence obtained by the sender and the random number sequence obtained by the receiver are not always identical to each other. Therefore, error correction processing is repeated until the sender's and receiver's sifted keys become identical. As a method for error correction processing, a BCH code, an LDPC (Low-Density Parity Check) code, or the like, which are also used in conventional communications, can be used.
A.4) Privacy Amplification
However, it cannot be affirmed that the errors corrected as described in A.3 are those caused only by the loss along the transmission path. The QKD technology always assumes an eavesdropper to be present. If an eavesdropper is present, this is reflected in the error rate. Accordingly, to make an eavesdropping act ineffective, privacy amplification processing is performed on the identical sifted keys (for example, see Bennett, C. H., Brassard, G., Crepeau, C., and Maurer, U. M., “Generalized Privacy Amplification,” IEEE Transactions on Information Theory, Vol. 41, No. 6, pp. 1915-1923). In the privacy amplification processing, the sifted key is shuffled by using other random numbers that are separately prepared. The key finally obtained by subjecting the error-corrected sifted key to the privacy amplification processing is called a final key.
As shown in FIG. 1, most of the original random numbers generated by the sender are lost in the course of single-photon transmission. In addition, the bits disclosed in the steps of basis reconciliation, error correction, and privacy amplification, as well as the bits used to eliminate the probability of eavesdropping, are also discarded from the raw key received by the receiver. For example, through the process of cryptographic key generation according to such QKD, several tens of kilobits of a final key can be generated per second.
B. Encryption Method
In addition, it is possible to provide perfectly safe cryptographic communication by using the key generated by the QKD technology as a key for a one-time pad cipher, which is proved to be unbreakable. In the one-time pad encryption, a cryptographic key used by the sender for encryption must always be used by the receiver for decryption, and a cryptographic key used by the receiver for encryption must always be used by the sender for decryption. That is, the sender and the receiver need to determine in advance which of them will use each cryptographic key for encryption and which for decryption. Moreover, in the one-time pad encryption, since a key is discarded once it is used, a technique for managing key generation and consumption is important.
For example, Japanese Patent Unexamined Publication No. 2004-501532 discloses a technique for managing one-time pad keys. Here, a third party (central key provider) other than the sender and the receiver manages cryptographic keys in files. The central key provider encrypts a cryptographic key with an identifier assigned thereto and distributes it to each of the sender and the receiver. Moreover, a method of separately managing encryption keys and decryption keys in order to make associations between the encryption keys used for encryption and the decryption keys used for decryption is also disclosed.
Although the QKD technology includes various steps as shown in FIG. 1, cryptographic key data itself is sent and received only in the first step of single-photon transmission. In the subsequent steps, the cryptographic key data itself is not exchanged between the sender and the receiver, although a fraction of the bits are disclosed. Accordingly, in the steps of basis reconciliation, error correction, and privacy amplification, the sender and the receiver independently perform computing and individually keep generating the respective versions of the final key moment by moment. However, in the process of key generation, the key generation rates of the sender and the receiver are not always the same, for reasons such as a difference in their throughputs. Further, since the sender and the receiver communicate with each other during key generation, a time lag in communication is also not negligible. Accordingly, the respective versions of the final key generated by the sender and the receiver independently of each other cannot, as they are, be used as a common key.
Moreover, in the one-time pad encryption, since a cryptographic key is discarded each time it is used, cryptographic keys are inevitably consumed. Accordingly, in the case where cryptographic keys generated and stored through the QKD technology are used as one-time pad keys, the amount of the stored keys repeatedly increases and decreases. Therefore, it cannot be said that the sender and the receiver always share matching stored keys. Furthermore, in the case where the stored keys are managed as encryption keys and decryption keys separately as described in the above-mentioned Publication No. 2004-501532, the consumption of the encryption keys differs from that of the decryption keys, depending on the direction of communication. Therefore, the problem arises that an encrypted communication cannot be performed when either the encryption keys or the decryption keys are used up. Additionally, in the system according to the above-mentioned Publication No. 2004-501532, a third party (central key provider) is needed to manage the cryptographic keys in files and distribute them to each of the sender and the receiver.
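The depletion problem described above is illustrated by the following added example, which is not part of the original text and is not the method of Publication No. 2004-501532. `SplitKeyStore` and `one_way_traffic` are hypothetical names, and locally generated random bytes stand in for stored QKD final keys.

```python
import secrets


class SplitKeyStore:
    """One endpoint's stored keys, managed as separate encryption and
    decryption pools (hypothetical class, for illustration only)."""

    def __init__(self, enc_pool: bytes, dec_pool: bytes):
        self.enc = bytearray(enc_pool)
        self.dec = bytearray(dec_pool)

    @staticmethod
    def _consume(pool: bytearray, n: int) -> bytes:
        if len(pool) < n:
            raise RuntimeError("key pool used up")
        key = bytes(pool[:n])
        del pool[:n]  # one-time pad: a key is discarded once it is used
        return key

    def encrypt(self, plaintext: bytes) -> bytes:
        key = self._consume(self.enc, len(plaintext))
        return bytes(p ^ k for p, k in zip(plaintext, key))

    def decrypt(self, ciphertext: bytes) -> bytes:
        key = self._consume(self.dec, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, key))


def one_way_traffic(message: bytes, pool_size: int = 64):
    """Send `message` from sender to receiver until a pool is used up.

    Returns (messages delivered, sender's remaining encryption-key bytes,
    sender's remaining decryption-key bytes).
    """
    if not message:
        raise ValueError("message must not be empty")
    # Constructed key material standing in for stored QKD final keys.
    k1, k2 = secrets.token_bytes(pool_size), secrets.token_bytes(pool_size)
    # Roles fixed in advance: the sender encrypts with k1 and decrypts
    # with k2; the receiver does the opposite.
    sender = SplitKeyStore(enc_pool=k1, dec_pool=k2)
    receiver = SplitKeyStore(enc_pool=k2, dec_pool=k1)
    delivered = 0
    while len(sender.enc) >= len(message):
        if receiver.decrypt(sender.encrypt(message)) != message:
            raise ValueError("sender and receiver keys are out of step")
        delivered += 1
    return delivered, len(sender.enc), len(sender.dec)
```

With one-directional traffic the sender's encryption pool is used up while its decryption pool remains untouched, so communication stops even though stored key material is still available.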