The conventional quantum cryptograph system is explained below. In recent years, optical communication is widely used as a high-speed large-capacity communication technology. In such an optical communication system, communication is performed according to ON/OFF of light and a large quantity of photons are transmitted when light is ON. Thus, the optical communication system is not a communication system in which a quantum effect is developed directly.
On the other hand, in the quantum cryptograph system, photons are used as communication media to transmit information of one bit using one photon such that a quantum effect such as uncertainty principle is developed. In this case, when a wiretapper selects a base at random and measures photons without knowing a quantum state such as polarization and a phase of the photons, the quantum state changes. Therefore, on the reception side, it is possible to recognize, by confirming the change in the quantum state of the photons, whether transmitted data has been wiretapped.
FIG. 10 is a schematic of the conventional quantum key distribution using polarized light. For example, a measuring device, which is capable of identifying polarized light in horizontal and vertical directions, identifies light polarized in the horizontal direction (0°) and light polarized in the vertical direction (90°) on a quantum communication path correctly. On the other hand, a measuring device, which is capable of identifying polarized light in oblique directions (45° and 135°), identifies light polarized in the 45° direction and 135° direction on a quantum communication path correctly.
In this way, the respective measuring devices can recognize light polarized in the defined directions correctly. However, for example, when the measuring device, which is capable of identifying polarized light in the horizontal and vertical directions (0° and 90°), measures light polarized in an oblique direction, the measuring device identifies light polarized in the horizontal direction and light polarized in the vertical direction at random at a probability of 50 percent, respectively. In other words, when the measuring device that does not cope with identifiable polarization directions is used, it is impossible to identify a direction in which light is polarized even if a result of measurement by the measuring device is analyzed.
In the conventional quantum key distribution shown in FIG. 10, a sender and a receiver share a key while keeping the key secret from wiretappers (see, for example, Bennett, C. H. and Brassard, G.: Quantum Cryptography: Public Key Distribution and Coin Tossing, In Proceedings of IEEE Conference on Computers, System and Signal Processing, Bangalore, India, pp. 175-179 (December 1984)). Note that the sender and the receiver can use a public communication path other than the quantum communication path.
A procedure for sharing a key is explained. First, the sender generates a random number sequence (a sequence of 1 and 0: transmission data) and determines transmission codes (+: a code corresponding to the measuring device capable of identifying light polarized in the horizontal and vertical directions, x : a code corresponding to the measuring device capable of identifying light polarized in the oblique directions) at random. A polarization direction of light to be transmitted is automatically determined according to combinations of the random number sequence and the transmission codes. Light polarized in the horizontal direction according to a combination of 0 and +, light polarized in the vertical direction according to a combination of 1 and +, light polarized in the 45° direction according to a combination of 0 and x, and light polarized in the 135° direction according to a combination of 1 and x are transmitted to the quantum communication path, respectively (transmission signals).
The receiver determines reception codes (+: a code corresponding to the measuring device capable of identifying light polarized in the horizontal and vertical directions, x: a code corresponding to the measuring device capable of identifying light polarized in the oblique directions) at random and measures light on the quantum communication path (reception signals). The receiver obtains reception data according to combinations of the reception codes and the reception signals. The receiver obtains 0, 1, 0, and 1 as reception data according to a combination of the light polarized in the horizontal direction and +, a combination of the light polarized in the vertical direction and +, a combination of the light polarized in the 45° direction and x, and a combination of the light polarized in the 135° direction and x, respectively.
In order to check whether measurement for the receiver has been performed by a correct measuring device, the receiver sends the reception codes to the sender thorough the public communication path. The sender, who has received the reception codes, checks whether the measurement has been performed by a correct measuring device and returns a result of the check to the receiver through the public communication path.
The receiver keeps only the reception data corresponding to the reception signals received by the correct measuring device and disposes of other reception data. At this point, the reception data kept can be shared by the sender and the receiver surely.
The sender and the receiver send a predetermined number of data selected from the shared data to each other through the public communication path. Then, the sender and the receiver check whether the reception data coincide with the data held by the sender and the receiver themselves. For example, if at least one data among the data checked does not coincide with the data held by the sender and the receiver, the sender and the receiver judge that a wiretapper is present, dispose of the shared data, and repeat the procedure for sharing a key from the beginning. On the other hand, when all the data checked coincide with the data held by the sender and the receiver, the sender and the receiver judge that no wiretapper is present, dispose of the data used for the check, and use the remaining shared data as a shared key for the sender and the receiver.
On the other hand, as an application of the conventional quantum key distribution method, for example, there is a quantum key distribution method that is capable of correcting a data error on a transmission path (see, for example, Brassard, G. and Salvail, L. 1993 Secret-Key Reconciliation by Public Discussion, In Advances in Cryptology—EUROCRYPT' 93, Lecture Notes in Computer Science 765, 410 to 423).
In this method, to detect a data error, a sender divides transmission data into plural blocks and sends a parity for each block on a public communication path. Then, a receiver compares the parity for each block received through the public communication path and a parity of a corresponding block in reception data to check a data error. In this case, when there is a different parity, the receiver returns information indicating a block of the different parity on the public communication path. The sender further divides the pertinent block into a former half block and a latter half block and returns, for example, a former half parity on the public communication path (binary search). Thereafter, the sender and the receiver specify a position of an error bit by repeatedly executing the binary search. Finally, the receiver corrects the bit.
Moreover, assuming that a parity is judged as correct because of an even number of errors regardless of an error in data, the sender rearranges transmission data at random (random replacement) to divide the transmission data into plural blocks and performs the error correction processing with the binary search again. Then, the sender repeatedly executes this error correction processing with the random replacement to thereby correct all the data errors.
However, an error communication path is not assumed in the conventional quantum key distribution shown in FIG. 10. Therefore, when there is an error, the sender and the receiver dispose of the common data (the common key) judging that a wiretapping act is performed. This extremely deteriorates efficiency of generation of a common key depending on a transmission path.
In the quantum key distribution method capable of correcting a data error on the transmission path, parities are exchanged an extremely large number of times to specify an error bit and the error correction processing by the random replacement is performed for a predetermined number of times. Therefore, a great deal of time is consumed for the error correction processing.
The present invention has been devised in view of the circumstances and it is an object of the present invention to provide a quantum key distribution method that is capable of generating a common key, security of which is highly guaranteed, while correcting a data error on a transmission path using an error correcting code having an extremely high property.