A quantum key distribution system is configured with a transmitter, a receiver, and an optical fiber link that connects the transmitter and the receiver. The transmitter transmits photons to the receiver via the optical fiber link (a quantum communication channel) that serves as the communication channel for optical fiber. After that, the transmitter and the receiver exchange control information with each other, and share cryptographic keys. This technology is implemented using the technology generally referred to as quantum key distribution (QKD).
In order to share cryptographic keys between a transmitter and a receiver using quantum key distribution, it is necessary to perform key distillation in the transmitter as well as in the receiver. The key distillation includes sifting, error correction, and privacy amplification. As a result of performing the key distillation, the transmitter and the receiver share cryptographic keys. The shared cryptographic keys are used while performing cryptographic data communication between the transmitter and the receiver or between applications connected to the transmitter and the receiver. The amount of the shared cryptographic keys generated per unit time is called a secure key rate. Being able to use a number of cryptographic keys enables performing high-speed and safer cryptographic data communication. Hence, it can be said that, higher the secure key rate, the more enhanced is the performance of a quantum key distribution system.
In the quantum key distribution, the photons used for the purpose of sharing cryptographic keys possess quantum uncertainty which is one of the basic principles of quantum mechanics indicating that the photons undergo physical changes when tapped. Due to such a principle, if the photons including the information of the cryptographic key are transmitted from a transmitter and are tapped in the quantum communication channel by an eavesdropper, then the photons undergo physical changes thereby enabling the receiver that receives the photons to know that the photons have been tapped by an eavesdropper. At that time, the changes in the physical state of the photons appears in the form a quantum bit error rate (QBER) of the link between the transmitter and the receiver. When an eavesdropper attempts to tap the photons, the physical state of the photons undergoes physical changes thereby leading to an increase in the QBER. That enables the transmitter and the receiver to know about the presence of an eavesdropper.
Regarding such a quantum key distribution system, a system is proposed in which a decoy-state protocol and a protocol having a bias in the selection probabilities of the bases for observing polarization of photons are used, and highly-safe cryptographic keys from which the amount of information leaked to the eavesdropper is removed are generated in an efficient manner. The decoy-state protocol represents a protocol for generating a photon string using pulses for generating cryptographic key (hereinafter, called signal pulses) and laser pulses having a lower intensity than the signal pulses (hereinafter, called decoy pulses). Since the output photons follow the Poisson distribution, if generation of photons is done using only the signal pulses, then there is a probability of two or more photons being included in a single signal pulse, thereby allowing the eavesdropper to perform an attack of tapping a single photon (i.e., allow a photon number splitting attack). In order to deal with the attack, in the decoy-state protocol, decoy pulses are used that are different pulses than the signal pulses as described above. Moreover, there is also a method in which laser pulses having a lower intensity than the decoy pulses (hereinafter, called vacuum pulses) are used. The photons included in the decoy pulses and the vacuum pulses are not used for generating cryptographic keys. Besides, from among the signal pulses, the decoy pulses, and the vacuum pulses, it is not possible to distinguish the pulses in which the photons tapped by an eavesdropper were included. Meanwhile, the protocol having a bias in the selection probabilities of the bases represents a protocol in which the transmitter and the receiver do not randomly select one of two types of bases (for example, a rectilinear base and a diagonal base) for observing polarization of photons. Instead, the selection probabilities are set to have a bias, so that the bit loss attributed to sifting is reduced and the length of the eventually-obtained cryptographic key is increased. In the following explanation, of the two types of bases, one type is referred to as “+ base” (for example, the rectilinear base) and the other type is referred to as “x base” (for example, the diagonal base).
In such a quantum key distribution system, in order to obtain the length of the final cryptographic key, it is common practice to use the QBER for estimating the amount of information leaked to the eavesdropper. In the case of using the decoy-state protocol and the protocol having a bias in the selection probabilities of the bases while observing polarization of photons, it is necessary to calculate the QBER of bit data for each combination of the type of pulse and the type of base. That is, it is necessary to calculate the QBER of bit data corresponding to each combination of three types of pulses (the signal pulses, the decoy pulses, and the vacuum pulses) and two types of bases (the +base and the ×base). Hence, it is possible to think of a method in which bit data is classified for each combination of the type of pulse and the type of base, and error correction is performed for each piece of classified bit data to calculate the QBER.
However, if the error correction is performed after classifying the bit data for each combination of the type of pulse and the type of base, since the decoy pulses and the vacuum pulses have a low laser intensity, the decoy pulses and the vacuum pulses happen to have a high QBER of 20[%] and 50[%], respectively. Hence, errors in the bit data cannot be corrected, or it takes a long period of time for the error correction. That may lead to a decline in the generation efficiency of cryptographic keys.