1. Field of the Invention
The present invention relates to a system and method for monitoring degradation in the communication quality of a communication system and, when detecting it, recovering from the degradation.
2. Description of the Related Art
The internet, which continues growing rapidly, is convenient on one hand, but its security is quite uncertain on the other hand. There is an increasing need for cryptographic technologies in order to maintain the secrecy of communications. Cryptographic schemes currently used in general can be classified into two categories: private key cryptography such as DES (Data Encryption Standard) and triple DES, and public key cryptography such as RSA (Rivest Shamir Adleman) and ECC (Elliptic Curve Cryptography). However, these techniques are cryptographic communication methods that ensure the security of communications based on the “complexity of computation” and are always fraught with the danger that ciphertext could be broken with the advent of an algorithm enabling a vast amount of computation or a cryptanalysis algorithm. With such a background, quantum key distribution (QKD) systems receive attention as the cryptographic key distribution technologies that are “absolutely immune against eavesdropping.”
In QKD, a photon is generally used as a communication medium, and transmission is performed by superimposing information on the quantum state (such as polarization and phase) of the photon. An eavesdropper present on a transmission line intercepts the information by tapping photons being transmitted, or by other methods. However, according to the Heisenberg's uncertainty principle, it is impossible to perfectly return the quantum state of a photon once observed to its original state before observation, and resultantly, a change occurs in the statistic values of received data detected by a legitimate receiver. By monitoring this change, the receiver can detect the presence or absence of an eavesdropper on the transmission line.
In the case of a quantum key distribution method utilizing the phase of a photon, a sender/transmitter and a receiver (hereinafter, referred to as “Alice” and “Bob” respectively, as have been used traditionally) constitute an optical interferometer. Alice and Bob individually perform random phase modulation on each of single photons. Output of 0 or 1 is obtained depending on the difference between the depths of these phase modulations. Thereafter, Alice and Bob check part of the respective conditions they used when the output data were measured against each other, whereby the same bit string can be shared between Alice and Bob finally. Next, the most typical quantum key distribution algorithm by the name of BB84 protocol will be described briefly (see Bennett and Brassard, “Quantum Cryptography: Public Key Distribution and Coin Tossing,” IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, pp. 175-179.)
FIG. 1 is a schematic diagram showing a concept of a quantum key distribution method according to the BB84 protocol. Here, it is assumed that Alice 141 and Bob 143 are connected through an optical transmission line 142.
According to this method, Alice 141 has two random number sources, one of which (random number 1) provides random numbers representing cryptographic key data (0/1), and the other one of which (random number 2) is for determining the way of coding the information of the random number 1. In quantum key distribution methods utilizing the phase of a photon, two coding sets are used: a coding set for representing a set of phases of 0 and π that correspond to “0” and “1” in the cryptographic key, respectively (hereinafter, this set will be referred to as “+basis”), and a coding set for representing a set of phases of π/2 and 3π/2 that correspond to “0” and “1” in the cryptographic key, respectively (hereinafter, this set will be referred to as “× basis”). The random number 2 is used to make a selection from the two bases. That is, any one of the four types of modulation (0, π/2, π, 3π/2) is randomly performed on each of single photons, which are then sent to Bob one by one.
On the other hand, Bob 143 has a random number source (random number 3) corresponding to the bases and uses it to decode the single photons sent from Alice 141. When a value of the random number 3 is “0”, a modulation of 0 phase (+ basis) is performed on a photon. When a value of the random number 3 is “1”, a modulation of π/2 phase (× basis) is performed on a photon. Here, random numbers obtained as the output of the optical interferometer are collectively referred to as random number 4.
When a basis Alice used in modulation is the same as a basis Bob used in modulation (random number 2=random number 3), Bob can correctly detect a value of the Random number 1 (random number 1=random number 4). When a basis Alice used in modulation is different from a basis Bob used in modulation (random number 2≠random number 3), Bob randomly obtains a value of 0 or 1 for the random number 4, independently of a value of the random number 1. Since each of the random numbers 1, 2 and 3 is a collection of random numbers varying with each one bit, the probability that a basis match occurs and the probability that no basis match occurs are both 50%. However, since those bits corresponding to the non-matching bases are removed through basis reconciliation at a subsequent stage, Alice 141 and Bob 143 can share a bit string composed of 0s and 1s based on the random number 1.
However, the bit string thus shared contains errors caused by the transmission line 142 and/or the receiver, and therefore, to correct these errors, error correction processing is needed. In addition to this, errors also occur in the shared bit string when an eavesdropper present on the transmission line intercepts the photon information. Accordingly, to share a cryptographic key for final use, not only the error correction processing for correcting errors, privacy amplification is also needed to reduce the amount of information that conceivably has been intercepted, based on the frequency of errors (error rate). Incidentally, methods of estimating “the amount of information that conceivably has been intercepted” are described in the following documents:
N. Lutkenhaus, “Estimates for practical quantum cryptography,” Physical Review A, Vol. 59, No. 5, p. 3301 (hereinafter, this document will be referred to as Lutkenhaus); and
M. Williamson, “Eavesdropping on practical quantum cryptography,” quantum-ph/0211155 (hereinafter, this document will be referred to as Williamson).
FIG. 2 is a flowchart showing a flow of quantum key generation in general. Among original random numbers for a cryptographic key (source of key) sent from Alice, most amount of the information is lost through quantum key distribution (single-photon transmission) S1. A key shared between Alice and Bob at this stage is called a raw key. The key that has lost approximately one half the amount of information after basis reconciliation S2 mentioned above, is called a sifted key. Thereafter, error correction S3 for correcting errors that were contained in the key at the stage of quantum key distribution is carried out, followed by privacy amplification S4 for eliminating the amount of information that conceivably has been leaked to an eavesdropper. Then, the remains are made to be a final key, which will be actually used as a cryptographic key.
However, if an attempt is made to implement the above-described quantum key distribution in a real world, there are some cases where the above-mentioned error rate is increased due to various factors. Conventionally, an increase in the error rate means the presence of an act of eavesdropping. Therefore, whenever an increase in the error rate is detected, generation of a cryptographic key needs to be stopped.
For example, a change in the environmental temperature might cause delay variation in an optical transmission line and/or among electric circuits, resulting in the occurrence of a deviation between the timing when a photon is passing through a phase modulator, or the timing when a photon arrives at a photon detector, and the timing of driving these devices in accordance with a clock signal. If the error rate is increased due to this deviation, a cryptographic key cannot be generated as a result. Hereinafter, a deviation between the timing of the passage/arrival of a photon and the clock timing will be referred to as “phase deviation,” and the processing for correcting the phase deviation to exactly synchronize these timings will be referred to as “phase correction processing.”
Moreover, since information is superimposed on signal photons for transmission, many of bits are lost on the way along a transmission line. Consequently, incorrect recognition of a bit-to-bit correspondence is likely to occur between Alice and Bob. This incorrect recognition causes deterioration in the error rate, and resultantly, generation of a cryptographic key cannot be performed. Hereinafter, a state where synchronization of information bits is established between Alice and Bob, that is, a state where correct recognition of a bit-to-bit correspondence is established between Alice and Bob, will be referred to as “frame synchronization.” In addition, a state where a bit-to-bit correspondence is incorrectly recognized will be referred to as “frame synchronization deviation,” and the processing for correctly adjusting the state of frame synchronization deviation to the state of frame synchronization will be referred to as “frame synchronization processing.”
FIG. 3 is a flowchart showing an example of a conventional supervisory control method. As shown in FIG. 3, according to the conventional method, a threshold value QEve for eavesdropping detection is set in advance. When the error rate QBER (Quantum Bit Error Rate) becomes equal to or larger than QEve, it is determined that there is a possibility of eavesdropping, and the cryptographic key generation is stopped. Then, the processing for recovering from the degradation in the system performance is carried out, whereby the system restores its performance it had before degradation. Hereinafter, this processing will be referred to as “system recovery.”
As described above, there are plural factors for deterioration in the rate of cryptographic key generation. However, in a conventional quantum key distribution technology, since deterioration in the error rate is construed all alike as the presence of an act of eavesdropping, it is necessary to stop cryptographic key generation and perform system recovery when an increase in the error rate is detected, as shown in FIG. 3. That is, when a fault is detected during cryptographic key generation, there is no other choice but to use a method of restarting cryptographic key generation in which a cause of the fault is manually analyzed; it is checked that a key can be generated safely; all the setups of the devices are then performed from the start. Accordingly, it has been impossible to achieve efficient cryptographic key generation.
Therefore, the present inventors have focused attention on the fact that, for degradation in the performance of a communication system, there are various factors, which should not be treated alike, and each of the plurality of degradation factors appears as a communication-degrading phenomenon peculiar to the factor.
When conventional technologies are reviewed from this point of view, no conventional technology has introduced a concept of separating the degradation factors. Therefore, in a quantum key distribution system to which a conventional supervisory control method is applied, when deterioration occurs in the error rate, cryptographic key generation is stopped, with this deterioration being regarded as due solely to an act of eavesdropping, irrespective of whether the deterioration has occurred due to delay variation caused by change in the environmental temperature, or due to unavoidable extinction of bits during single-photon transmission, or due to a fault of a component, or due to an act of eavesdropping.