A whole configuration chart in FIG. 5 illustrates conventional techniques represented by quantum cryptography which was first proposed by Bennett and Brassard in 1984 (Document 1: C. H. Bennett and G. Brassard, “Quantum Cryptography: Public Key Distribution and Coin Tossing,” in Proc. IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, PP175-179, (1984), and Document 2: C. H. Bennett, F. Bessette, G. Brassard, and L. Salvail, “Experimental Quantum Cryptography,” J. Cryptology, pp. 3-28, (1992)), for example.
In FIG. 5, a quantum sending device 100 is a device which sends a ciphertext by using the quantum cryptography, and a quantum receiving unit 200 is a device which receives the ciphertext by using the quantum cryptography. A quantum cryptography communication channel 1 is a communication channel for transmitting a qubit from the quantum sending device 100 to the quantum receiving device 200.
Here, the qubit includes arbitrary two-level states:|0, |1.The qubit is a quantum state where even linear superposition of the statesα|0+β|1is allowed. Specifically, in quantum cryptography communication field, a polarization state, a phase state, etc. of a photon are often used to represent a state of the qubit.
A classical communication network 2 connects the quantum sending device 100 and the quantum receiving device 200. The classical communication network 2 is a network for performing communication between the both devices in a conventional communication method.
Secretly shared information 3 and secretly shared information 21 are information secretly shared between the quantum sending device 100 and the quantum receiving device 200 in advance. It is an object of the quantum cryptography to share random information which is much larger than the above secretly shared information between the quantum sending device 100 and the quantum receiving device 200 while maintaining the privacy.
A qubit generating means 4 outputs a predefined qubit|0periodically.
A random number generating means 5 outputs a first random number bit.
A random number generating means 6 outputs a second random number bit.
A quantum encoding means X7 performs quantum encoding of the qubit which has been generated by the qubit generating means 4, in accordance with the first random number bit which has been output from the random number generating means 5. The quantum encoding rule will be described below.
When the first random number bit is 0,                an identity transformation:|00|+|11|.        
When the first random number bit is 1,                an X transformation:|01|+|10|.        
The X transformation in the above rule is a bit-flip transformation, and an x element in Pauli matrix corresponds to the X transformation.
A quantum modulating means H8 performs quantum modulation of the qubit on which quantum encoding has been performed by the quantum encoding means X7, in accordance with the second random number bit which has been output from the random number generating means 6. The modulation rule will be described below.
When the random number bit is 0,                an identity transformation:|00|+|11|.        
When the random number bit is 1,                an H transformation:(|00|+|01|+|10|−11|)/√{square root over (2)}.        
The H transformation in the above rule is a Hadamard transformation, and the H transformation corresponds to a base transformation.
As stated above, a protocol for transmitting the qubit using two conjugate bases of +base and ×base is called BB84 protocol. The two conjugate bases of +base and ×base will be described later.
Further, in comparison with the above BB84 protocol where the qubit has been transmitted using two modulation rules of the identity transformation and the H transformation, in six-state quantum cryptography (Document 3: D. Bruss, “Optimal Eavesdropping in Quantum Cryptography with Six States,” Phys. Rev. 81, pp. 3018-3021, (1998)), the modulation is performed by using three bases (modulation rules) by adding                a phase • Hadamard transformation,SH: (|00|+|01|+i|10|−i|11|)/√{square root over (2)}to the transformations used for quantum modulation. In this case, the above three base transformations are selected for the second random number which has three values of 0, 1, and 2.        
A base exchanging means 9 performs classical communication with the quantum receiving device 200 for the first random number which has been output by the random number generating means 5, and extracts random shared information.
An error correcting means 10 performs the classical communication with the quantum receiving device 200 through the classical communication network 2 for the random shared information which has been output by the base exchanging means 9 and performs error correction.
A classical communication means with authentication 11 is provided so that the base exchanging means 9 and the error correcting means 10 perform the classical communication with the quantum receiving device 200. As explicitly described in Document 1 and Document 2, the secretly shared information 3 is used for authentication by the classical communication means with authentication 11.
A privacy amplifying means 12 amplifies the privacy of the error-corrected random shared information, which has been output from the error correcting means 10.
An eavesdropping detecting means 13 judges whether there has been eavesdropping based on additional information which has been output from the error correcting means 10.
A private key 14 is a key which is output from the privacy amplifying means 12 and shared with the quantum receiving device 200 while the privacy with the quantum receiving device 200 is maintained.
A random number generating means 22 outputs a third random number bit.
A quantum demodulating means H23 performs quantum demodulation for the qubit transmitted through the quantum cryptography communication channel 1, in accordance with the third random number bit which has been output from the random number generating means 22. A demodulation rule will be described below.
When the random number bit is 0,                an identity transformation:|00|+|11|.        
When the random number bit is 1,                an H transformation:(|00|+|01|+|10|−|11|)/√{square root over (2)}.Further, in the six-state quantum cryptography, the demodulation is performed by using three bases by adding        a Hadamard • anti-phase transformation,HS−1: (|00|−i|01|+|10|+i|11|)/√{square root over (2)}to the transformations used for the quantum demodulation. In this case, the above three base transformations are selected for the random numbers which have three values of 0, 1, and 2.        
A quantum measuring means 24 performs quantum measurement for the qubit on which quantum demodulation has been performed. As the measuring result,                for qubit |0, “0” is output, and        for qubit |1, “1” is output.Specifically, in a case that a polarization state of a photon is used as the qubit, it can be easily realized using a polarizing beam-splitter and two photon detectors, for example.        
A base exchanging means 25 performs the classical communication with the quantum sending device 100 and extracts the random shared information, with respect to the measuring result which has been output by the quantum measuring means 24 and the third random number which has been output by the random number generating means 22.
An error correcting means 26 performs the classical communication with the quantum sending device 100 and performs error correction, with respect to the random shared information which has been output from the base exchanging means 25.
A classical communication means with authentication 27 is provided for performing the classical communication with the quantum sending device 100 at a time of using the base exchanging means 25 and the error correcting means 26. The secretly shared information 21 is used for authentication with the quantum sending device 100.
A privacy amplifying means 28 amplifies the privacy of the random shared information on which error correction has been performed.
An eavesdropping detecting means 29 judges whether there has been eavesdropping based on additional information which has been output by the error correcting means 26.
A private key 30 is a key which is output from the privacy amplifying means 28 and shared with the quantum sending device 100 while the privacy with the quantum sending device 100 is maintained.
Next, operations will be explained.
A whole process chart in FIG. 6 shows the conventional technique of the quantum cryptography communication method, represented by Document 1 and Document 2.
A whole process can be divided into two large steps, i.e., a large step of quantum cryptography communication (S100) and a large step of classical data processing (S200). The processing on a left side is performed by the quantum sending device 100, and the processing on a right side is performed by the quantum receiving device 200.
The large step of quantum cryptography communication (S100) is a step of transmitting a qubit string from the quantum sending device 100 to the quantum receiving device 200. For each qubit, following six steps (S11-S16) are repeated.
First, in a qubit generating step (S11), the qubit generating means 4 generates a predefined qubit|0periodically.
Next, in a quantum encoding step (S12), the quantum encoding means X7 encodes the generated qubit based on the first random number bit which has been output by the random number generating means 5.
In a quantum modulating step (S13), the quantum modulating means H8 modulates the encoded qubit based on the second random number bit which has been output by the random number generating means 6.
By this modulation, the qubit becomes a modulation bit which has four states
first random number01+base|0 |1 ×base(|0  + |1 )/√{square root over (2)}(|0  − |1 )/√{square root over (2)}representing 0 and 1 by two pairs of mutually conjugate bases (+base and ×base).
In a quantum transmitting step (S14), the above modulation bit is transmitted from the quantum sending device 100 to the quantum receiving device 200 through the quantum cryptography communication channel 1.
In a quantum demodulating step (S15), the quantum demodulating means H23 demodulates the transmitted qubit (modulation bit) based on the third random number bit which has been output by the random number generating means 22.
Here, by using a characteristic that if the identity transformation and the Hadamard transformation which have been used in the quantum modulation and the quantum demodulation are repeated twice, the transformation becomes the identity transformation, it can be known that only when the second random number and the third random number are identical and the same transformation is used for the quantum modulation and the quantum demodulation, the quantum encoding is performed, and the quantum demodulation of the qubit on which quantum modulation has been performed is correctly performed.
In a quantum measuring step (S16), the quantum measuring means 24 performs quantum measurement of the qubit on which quantum demodulation has been performed. In the quantum measurement,                when the qubit is |0, bit “0” is output, and        when the qubit is |1, bit is “1” is output.Therefore, only when the quantum demodulation has been correctly performed in the quantum demodulating step (S15), a measurement bit and the first random number bit become identical. When the quantum demodulation has been wrongly performed, the measurement bit becomes identical with the first random number bit only with ½ probability.        
As described above, after repeating the six steps of the qubit generating step (S11) through the quantum measuring step (S16) for all of the qubits, the large step of quantum cryptography communication (S100) ends.
In the large step of classical data processing (S200), the following four steps are performed.
First, in a base exchange processing step (S21), base information, second random number bit information and third random number bit information which have been used for the quantum modulation and the quantum demodulation in transmission of the qubit, which has been performed in the large step of quantum cryptography communication (S100), are exchanged between the quantum sending device and the quantum receiving device through the classical communication network 2. At this time, if the exchanged base information is identical, it can be known that the correct quantum modulation and the correct quantum demodulation have been performed. Therefore, only the first random number bit and the quantum measurement bit in transmission of a qubit where the base information is identical, and correct quantum modulation and correct quantum demodulation have been performed are extracted and output as random shared information. Since a half of the base information is not identical, about a half of the qubits which have been transmitted from the quantum sending device 100 to the quantum receiving device 200 becomes invalid. In the six-state quantum cryptography in Document 3, about ⅔ of the transmitted qubits becomes invalid.
In the classical communication used in this step, eavesdropping action can be ignored. However, tampering and spoofing by a third party must be prevented. If the spoofing is allowed, a device owned by an eavesdropper relays in each of the quantum cryptography communication channel 1 and the classical communication network 2 connecting the quantum sending device 100 and the quantum receiving device 200. The device owned by the eavesdropper can act as a false quantum receiving device 200 for the quantum sending device 100 and act as a false quantum sending device 100 for the quantum receiving device 200. Therefore, an attack becomes possible, that a private key is shared respectively between the quantum sending device 100 and the device of the eavesdropper and between the device of the eavesdropper and the quantum receiving device 200, the quantum sending device 100 sends a ciphertext using the key shared in the quantum cryptography communication by regarding the device of the eavesdropper as the appropriate quantum receiving device 200, and the device of the eavesdropper decrypts the ciphertext using the key which has been shared with the quantum sending device 100, encrypts again using the private key which has been shared with the quantum receiving device 200, and sends the ciphertext to the quantum receiving device 200. Therefore, for preventing the tampering and the spoofing by the third party, authentication using the secretly shared information which has been secretly shared in advance between the quantum sending device and the quantum receiving device must be performed.
Generally, in the quantum transmitting step (S14), even if the device of the eavesdropper eavesdrops the transmitted qubit, the device of the eavesdropper cannot always perform correct quantum demodulation as the device of the eavesdropper does not know the base information which has been used for the quantum modulation. If quantum demodulation is carried out wrongly, the transmitted qubit changes to a qubit in a completely different state according to uncertainty principle in the quantum mechanics. Therefore, a trace of eavesdropping remains.
In an error correcting step (S22), the error is corrected based on the random shared information which has been output in the base exchange processing step (S21) while the classical communication which allows the eavesdropping but does not allow the tampering and the spoofing is performed via the classical communication network 2 between the quantum sending device and the quantum receiving device. Therefore, the authentication must be performed using the secretly shared information which has been secretly shared in advance between the quantum sending device and the quantum receiving device. Further, data processing is performed, in which the error correction is performed, however volume of information leaked to the third party is small and the privacy is maintained. At this time, a bit rate and a bit error rate are output as additional information. It is judged if there has been the eavesdropping based on a size, change, etc. of this value.
In a privacy amplification processing step (S23), by adopting a hash function to the error-corrected random shared information, the privacy of the information regarding the information volume is amplified.
In a secretly shared information updating step (S24), the secretly shared information is updated for next quantum cryptography communication using a part of the random shared information of which privacy has been amplified, and remaining random shared information is output as a private key.
Further, a procedure of outputting the random shared information from the above secretly shared information in the conventional cryptography which is not the quantum cryptography will be explained briefly.
In this case, secretly shared information which has been secretly shared in advance between a sending device and a receiving device is used as an encryption key and a decryption key, encryption communication of random information which is larger than the above secretly shared information is performed, by using common key block cryptography, stream cryptography, etc., and the random information is shared while the privacy being maintained.
However, in the conventional cryptography, there is no eavesdropping detecting function. Therefore, if the eavesdropper can perform processing in a sufficiently large computation volume, the eavesdropper can cryptanalyze the random information which has been encrypted. Specifically, in the conventional cryptography, the privacy of the random shared information which has been transmitted is secured only based on the security of the computational volume. Meanwhile, in the quantum cryptography, when the eavesdropping is detected based on the eavesdropping detection function according to the quantum mechanics, the communication is discarded, and processing such as repeating the communication until it is confirmed that there is no eavesdropping is performed, therefore, the privacy is secured based on the security of the information volume of the transmitted qubit for which no eavesdropping is guaranteed.
In the conventional quantum cryptography communication device and communication method, there is a problem that the authentication must be performed in classical communication, using the secretly shared information which has been prepared in advance. Further, there is a problem that the base exchange in which information on the quantum modulation and quantum demodulation is exchanged between the sending device and the receiving device via the classical communication network, must be performed, in order to extract a valid bit from the measurement bit which has been obtained in the quantum communication, and consequently, about a half (about ⅔ in a case of six-state quantum cryptography) of the qubit strings on which quantum transmission has been performed is lost.
Further, since there is no eavesdropping detecting function in the conventional cryptography, there is a problem that the privacy is threatened depending on processing capacity of the eavesdropper regarding the computation volume.
It is an object of this invention to provide a quantum cryptography communication device and a quantum cryptography communication method which do not require the authentication in the classical communication nor the base exchange and further which can use all of the transmitted qubits for signal transmission while maintaining the security of the transmitted qubit regarding the information volume by the eavesdropping detecting function.