1. Field of the Invention
The present invention relates to an apparatus for performing secret communication in order to avoid illegal eavesdropping and interception by a third party. More specifically, the present invention relates to a data transmitting apparatus for performing data communication through selecting and setting a specific encoding/decoding (modulation/demodulation) method between a legitimate transmitter and a legitimate receiver.
2. Description of the Background Art
Conventionally, in order to perform communication between specific parties, there has been adopted a structure for realizing secret communication by sharing original information (key information) for encoding/decoding between transmitting and receiving ends and by performing, based on the original information, an operation/inverse operation on information data (plain text) to be transmitted, in a mathematical manner.
On the other hand, several encryption methods have been proposed in recent years that actively utilize physical phenomena occurring in a transmission line. One of these is the Y-00 protocol, which performs secret communication by utilizing quantum noise generated in an optical transmission line. An exemplary transmitting apparatus utilizing the Y-00 protocol is disclosed in Japanese Laid-Open Patent Publication No. 2005-57313 (hereinafter referred to as Patent Document 1).
FIG. 25 is a block diagram showing an exemplary configuration of a conventional transmitting and receiving apparatus using the Y-00 protocol. As shown in FIG. 25, a transmitting section 901 includes a first multi-level code generation section 911, a multi-level processing section 912, and a modulator section 913. A receiving section 902 includes a demodulator section 915, a second multi-level code generation section 914, and a decision section 916. The transmitting section 901 and the receiving section 902 retain in advance first key information 91 and second key information 96, respectively, which are identical in content to each other. The first multi-level code generation section 911 generates, based on the first key information 91, a multi-level code sequence 92, which is a multi-level pseudo random number series having M values from “0” to “M−1”.
The multi-level processing section 912 combines information data 90 and the multi-level code sequence 92, and generates a signal, which has a level corresponding to a combination between a level of the information data 90 and a level of the multi-level code sequence 92, as a multi-level signal 93. Specifically, the multi-level processing section 912 generates the multi-level signal 93, which is an intensity-modulated signal, by using a signal format as shown in FIG. 26. That is, the multi-level processing section 912 divides signal intensity of the multi-level code sequence 92 into 2M levels, makes, from these levels, M combinations each having 2 levels, and allocates “0” of the information data 90 to one level of each of the M combinations, and “1” of the information data 90 to the other level of each of the M combinations. The multi-level processing section 912 allocates “0” and “1” of the information data 90 such that the levels corresponding to “0” and “1” are evenly distributed over the whole of the 2M levels. In an example shown in FIG. 26, “0” and “1” are allocated alternately.
In accordance with a value of the multi-level code sequence 92 to be inputted, the multi-level processing section 912 selects one combination from among the M combinations of levels of the multi-level code sequence 92. Next, in accordance with a value of the information data 90, the multi-level processing section 912 selects one level of the selected one combination of the multi-level code sequence 92, and generates the multi-level signal 93 including the selected one level. In Patent Document 1, the first multi-level code generation section 911 is described as a transmitting pseudo random number generation section, the multi-level processing section 912 as a modulation method specification section and a laser modulation driving section, the modulator section 913 as a laser diode, the demodulator section 915 as a photo detector, the second multi-level code generation section 914 as a receiving pseudo random number generation section, and the decision section 916 as a determination circuit.
FIG. 27 is a schematic diagram illustrating a signal form used in a conventional transmitting and receiving apparatus. (a), (b), (c), (d), (e), (f), and (g) of FIG. 27 show an exemplary signal change in the case of M=4. For example, in the case where the value of the information data 90 changes as “0 1 1 1” (see FIG. 27(a)), and the value of the multi-level code sequence 92 changes as “0 3 2 1” (see FIG. 27(b)), the multi-level signal 93 changes as shown in FIG. 27(c). The modulator section 913 converts the multi-level signal 93 into a modulated signal 94, which is an optical intensity modulated signal, and transmits the modulated signal 94 via an optical transmission line 910.
The demodulator section 915 performs photoelectric conversion of the modulated signal 94 having been transmitted via the optical transmission line 910, and outputs a multi-level signal 95. The second multi-level code generation section 914 generates, based on the second key information 96, a multi-level code sequence 97, which is a multi-level pseudo random number series, and which is identical to the multi-level code sequence 92. The decision section 916 determines, based on a value of the multi-level code sequence 97, which one of a combination of signal levels shown in FIG. 27 is used as the multi-level signal 95, and decides, in binary form, two signal levels included in the combination.
Specifically, the decision section 916 sets a decision level in accordance with the value of the multi-level code sequence 97, as shown in FIG. 27(e), and decides whether the multi-level signal 95 is larger (upper) or smaller (lower) than the decision level. In this example, decisions made by the decision section 916 are “lower, lower, upper, and lower”. Next, the decision section 916 decides that the lower side is “0” and the upper side is “1” in the case where the value of the multi-level code sequence 97 is even, and that the lower side is “1” and the upper side is “0” in the case where the value of the multi-level code sequence 97 is odd. The decision section 916 then outputs information data 98. In this example, the multi-level code sequence 97 is composed of “even number, odd number, even number, and odd number”, and thus the information data 98 is “0 1 1 1”, in that order. Although the multi-level signal 95 includes noise, as long as the signal intensity is selected appropriately, it is possible to suppress the noise to the extent that the occurrence of an error at the time of a binary decision can be ignored.
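The M=4 exchange of FIG. 27 can be traced in code. The following is an added example, not part of the patent text; it assumes that code value c selects the pair of levels c (lower) and c+M (upper) and that the decision level lies midway between them, and the noise values are constructed.

```python
M = 4  # number of multi-level code values in the FIG. 27 example

def encode(bits, code, m=M):
    """Multi-level processing section: the code value picks the pair, the data bit picks the level.

    Assumption: pair c consists of level c (lower) and level c + m (upper).
    """
    levels = []
    for d, c in zip(bits, code):
        lower_bit = c % 2                      # even code: lower is "0"; odd code: lower is "1"
        levels.append(c if d == lower_bit else c + m)
    return levels

def decide(received, code, m=M):
    """Decision section: decision level set from the code value, then the even/odd rule."""
    sides, bits = [], []
    for x, c in zip(received, code):
        upper = x > c + m / 2                  # assumed decision level, midway in the pair
        sides.append("upper" if upper else "lower")
        bits.append((c % 2) ^ int(upper))
    return sides, bits

DATA = [0, 1, 1, 1]               # information data 90, from the text
CODE = [0, 3, 2, 1]               # multi-level code sequence 92 / 97, from the text
NOISE = [0.4, -0.7, 0.9, -0.3]    # constructed noise, well below half the pair spacing

def run_example():
    sent = encode(DATA, CODE)
    noisy = [s + n for s, n in zip(sent, NOISE)]
    sides, bits = decide(noisy, CODE)
    # A receiver whose code sequence differs (no shared key) sets the wrong decision levels.
    wrong_code = [(c + 1) % M for c in CODE]
    return sent, sides, bits, decide(noisy, wrong_code)[1]

if __name__ == "__main__":
    print(run_example())
```
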
Next, possible eavesdropping will be described. An eavesdropper attempts decryption of the information data 90 or the first key information 91 from the modulated signal 94 without having the key information which is shared between the transmitting and receiving parties. In the case where the eavesdropper performs the binary decision in the same manner as the legitimate receiving party, since the eavesdropper does not have the key information, the eavesdropper needs to attempt the decision for all possible values that the key information may take. When this method is used, the number of such attempts increases exponentially with respect to the length of the key information. Accordingly, if the key information is sufficiently long, the method is not practical.
As an effective method, it is assumed that, with the use of the eavesdropper receiving section 903, the eavesdropper attempts decryption of the information data 90 or the first key information 91 from the modulated signal 94. In the eavesdropper receiving section 903, the demodulator section 921 demodulates the modulated signal 94 which is obtained after having been branched off from the optical transmission line 910, and reproduces the multi-level signal 95. The multi-level decision section 922 performs a multi-level decision with respect to a multi-level signal 81, and outputs the obtained information as a received sequence 82. The decryption processing section 923 performs decryption with respect to the received sequence 82 and attempts identification of the information data 90 or the first key information 91. In the case of using the decryption method described above, if the eavesdropper receiving section 903 can perform the multi-level decision with respect to the received sequence 82 without mistake, the eavesdropper receiving section 903 can decrypt the first key information 91 from the received sequence 82 at a first attempt.
However, at the time of photoelectric conversion by the demodulator section 921, shot noise is generated and is superimposed on the multi-level signal 81. It is known that the shot noise is inevitably generated based on the principle of quantum mechanics. In the case where the interval (hereinafter referred to as a step width) between signal levels of a multi-level signal is set significantly smaller than the level of the shot noise, the possibility cannot be ignored that, through erroneous decision, the received multi-level signal 81 is taken to be any of various levels other than the correct signal level. Therefore, the eavesdropper needs to perform the decryption processing in consideration of the possibility that the correct signal level may have a value different from that of the signal level obtained through the decision. In such a case, compared to a case without the erroneous decision (a stream cipher using a random number generator identical to that used for the first multi-level code generation section 911), the number of attempts, that is, the computational complexity required for decryption, is increased. As a result, it is possible to improve security against eavesdropping.
However, the probability distribution of a signal level on which the shot noise is superimposed conforms to a Poisson distribution. Therefore, in the case where the eavesdropper performs the multi-level decision with respect to the multi-level signal 81, the probability of each of the levels of the multi-level signal being decided will not be uniform, and the spread of the distribution will be small. For example, as shown in FIG. 28, in the case where the level of the multi-level signal having been transmitted is “4”, the probability distribution of the level which the eavesdropper obtains based on the multi-level decision has its maximum at “4”, which is the correct level. The second highest probability appears at “3” and “5”, which are the levels adjoining “4”. Further, the probability of deciding any of the remaining levels (“2” or lower, or “6” or higher) will be a value which can virtually be ignored. Therefore, the eavesdropper need only consider these three levels as possible decisions, and thus the computational complexity required for the decryption will not be increased significantly.
Further, the eavesdropper can obtain a part of the information data 90 (plain text), such as header information used commonly for a certain electronic file format, and the modulated signal 94 (cipher text) corresponding thereto. It is assumed that, by using the part of the information data 90 and the modulated signal 94, the eavesdropper attempts identification of the key information from the values of the multi-level code sequence and also attempts decryption of the remaining information data by using the obtained key information. An eavesdropping method like this is called a known plaintext attack. In this case, the values “1” and “0” of the information data are allocated to the levels of the multi-level signal alternately. Accordingly, for each of the values of the information data, the possible levels of the multi-level signal are every other level, which is equivalent to a case where the step width is substantially doubled. Therefore, the probability that the eavesdropper can decide the correct level of the multi-level signal is further increased, and the level of the multi-level signal can be identified uniquely as a matter of practice. In this situation, the effect of increasing the number of attempts required for the decryption cannot be obtained at all.
On the other hand, if the step width is reduced, the probability that levels other than the correct level and the adjoining levels will be decided can no longer be ignored. Accordingly, it is possible to increase the computational complexity required for the decryption. However, in that case, the multi-level number needs to be extremely large (for example, the multi-level number M needs to be several thousand, or several tens of thousands or more). Accordingly, the step width becomes significantly small, and as a result significantly fine accuracy is required for controlling the multi-level number. Therefore, the hardware configuration becomes complicated, which leads to a problem of a cost increase.
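The effect of the Poisson-distributed shot noise and of a known plaintext bit on the multi-level decision can be quantified numerically. The following is an added example, not part of the patent text; the photon-count model (`BASE`, `STEP`), the choice M=8 and the pairing of levels c and c+M are assumptions made for illustration.

```python
import math

M = 8                        # constructed size: 2M = 16 signal levels
BASE, STEP = 100.0, 30.0     # assumed mean photon count of level 0 and spacing per level

def level_bit(level, m=M):
    """Data bit carried by a level, assuming code value c pairs levels c and c + m."""
    return (level % m % 2) ^ int(level >= m)

def poisson_pmf(k, mu):
    # Evaluated in the log domain so that large counts do not overflow.
    return math.exp(k * math.log(mu) - mu - math.lgamma(k + 1))

def decision_distribution(sent, known_bit=None, m=M):
    """Probability that a nearest-level multi-level decision lands on each candidate level.

    With known_bit set, only levels carrying that bit are candidates, which is the
    situation of the known plaintext case described in the text.
    """
    cands = [l for l in range(2 * m)
             if known_bit is None or level_bit(l, m) == known_bit]
    mu = BASE + STEP * sent                   # mean count of the transmitted level
    dist = dict.fromkeys(cands, 0.0)
    for k in range(int(mu + 12 * math.sqrt(mu)) + 1):   # tail beyond this is negligible
        nearest = min(cands, key=lambda l: abs(BASE + STEP * l - k))
        dist[nearest] += poisson_pmf(k, mu)
    return dist

if __name__ == "__main__":
    blind = decision_distribution(4)
    known = decision_distribution(4, known_bit=level_bit(4))
    print({l: round(p, 4) for l, p in blind.items() if p > 1e-4})
    print({l: round(p, 4) for l, p in known.items() if p > 1e-4})
```

Under these assumed parameters the first distribution concentrates on the transmitted level and its two neighbours, and the second shows how removing the neighbours from the candidate set raises the probability of the correct decision.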