A quantum key distribution system is configured with a transmitter, a receiver, and an optical fiber link that connects the transmitter and the receiver. The transmitter transmits a string of single photons to the receiver via the optical fiber link (a quantum communication channel) that serves as the communication channel for optical fiber. After that, the transmitter and the receiver exchange control information with each other, and share cryptographic keys. This technology is implemented using the technology generally referred to as quantum key distribution (QKD).
In the quantum key distribution, the photons used for the purpose of sharing cryptographic keys possess quantum uncertainty which is one of the basic principles of quantum mechanics indicating that the photons undergo physical changes when tapped. Due to such a principle, if the photons including the information of a cryptographic key are transmitted from a transmitter and are tapped in the quantum communication channel by a wiretapper, then the photons undergo physical changes thereby enabling the receiver that receives the photons to know that the photons have been tapped by a wiretapper. Hence, if control information is exchanged between the transmitter and the receiver based on the photon string obtained in the transmitter and the photon string detected in the receiver, it becomes possible to eventually obtain a safe cryptographic key.
Each application connected to two nodes (for example, the transmitter and the receiver described above) performs encryption and decryption using a cryptographic key shared between the two nodes, and performs cryptographic data communication according to a cryptographic communication method called the one-time pad method. Each application connected to a plurality of nodes is assumed to be connected to some kind of a safe communication link or is installed in the same housing or the same premises as the corresponding node, and thus can be ensured to be safe as far as the communication with the node is concerned. In order to enable an application in one node and an application in the other node to perform cryptographic data communication at the same timing, the shared cryptographic key needs to be assorted as a transmission key to be used in encryption during transmission and as a reception key to be used in decryption during reception. In the one-time pad method, one byte of data is sent after being encrypted using one byte of the cryptographic key, and the received data is decrypted using the same one byte of the cryptographic key. Moreover, once used, the cryptographic key is destroyed; and a new key is used on a constant basis. In the cryptographic communication using a cryptographic key according to the one-time pad method, it is ensured according to the information theory that no wiretapper having whatever knowledge can decipher the cryptographic communication.
In this way, as the most common method implemented in the operation of sharing cryptographic keys, firstly, there is a link key method in which a key distillation process is performed to generate a cryptographic key from bit information based on a photon string that is a string of single photons shared via a quantum communication channel. The key distillation process includes a sifting process, an error correction process, and a privacy amplification process. A cryptographic key generated as a result of performing the key distillation process is referred to as a link key. In the link key method, encryption and decryption as well as cryptographic data communication is performed using link keys. Herein, as the cryptographic algorithm, the one-time pad method is assumed to be implemented.
A link key needs to be assorted in advance as a transmission key to be used in encryption by the node during transmission and as a reception key to be used in decryption by the node during reception. Regarding the operation of storing a link as a transmission key and a reception key, protocol handling using quantum point-to-point protocol (Q3P) is performed. In Q3P, firstly, processes according to a STORE sub-protocol are performed in which link keys generated as a result of the key distillation process and stored in a plurality of storages called pickup stores are subjected to synchronization control so that identical link keys are selected in the transmitter and the receiver; and the selected link keys are moved at the same timing to a single storage called a common store. Moreover, in Q3P, processes according to a LOAD sub-protocol are performed in which the link keys stored in the common store are assorted in a transmission buffer used to store transmission keys and a reception buffer used to store reception keys.
As another method implemented in the operation of sharing cryptographic keys, the explanation is given for a method called an application key method that is different than the link key method. In the application key method, up to the process of assorting a cryptographic key as a transmission key and a reception key using Q3P, the details are identical to the link key method. One of the two nodes generates random numbers using a random number generator and independent of the already-shared link key, and treats the random numbers as a cryptographic key (called an application key). Then, the same node encrypts the application key using the link keys representing transmission keys and sends the encrypted application key to the other node. Upon receiving the application key, the other node decrypts it using the link keys representing the corresponding reception keys, and stores the original application key. If the node that transmits the application key (the cryptographic key) also attaches the ID of the application key and role information of the application key (i.e., the information enabling distinction of whether the application key is a transmission key or a reception key), it becomes possible to achieve synchronization between the nodes about whether the application key is to be used as a transmission key or as a reception key. Moreover, the application is shared between the nodes only after being encrypted according to the one-time pad method and using the link keys that are generated and shared by means of quantum key distribution. Hence, the application key has an identical safety level to that of the link keys. Meanwhile, the operations including generating random numbers, treating them as a cryptographic key (an application key), encrypting the application key, and sharing the encrypted application key are not limited to only one of the two nodes. Alternatively, each of the two nodes can generate an application key, encrypt it using transmission keys representing link keys, and share the encrypted application key with the other node. A significant advantage of the application key method is that it becomes possible to perform relay and networking of the cryptographic key. Generally, key sharing by means of quantum key distribution is based on the premise of transmission and detection of single photons. Hence, if there is attenuation of the light in the optical fiber, the cryptographic keys can no more be shared. That leads to a physical restriction on the distance between the nodes that can share link keys. The distance is restricted to be equal to or shorter than 100 [km]. On the other hand, if the application key method is implemented, if a node is installed at an intermediate position and if safety of that node is hypothesized, then it becomes possible to break through the restriction on the distance.
However, in the link key method and the application key method, the operation of assorting the link keys according to Q3P requires each node to exchange control data for the purpose of data synchronization and to perform protocol handling. That leads to an increase in the processing delay.