Quantum key distribution has been implemented since the past using coherent light with aligned wavelength and phase and possessing coherence, such as a laser beam. When quantum key distribution is implemented with weak coherent light, multiple photons are generated at a high probability that cannot be ignored. When quantum key distribution is thus implemented with weak coherent light, the photon detection probability by a photon detector is directly proportional to the number of photons, and inversely proportional to the photon loss rate of the channel. Moreover, the photon loss rate is directly exponential to the distance. In the descriptions hereafter, the sender of the weak coherent light is referred to as Alice, while the receiver is referred to as Bob.
Photon number splitting attack is an attack that is possible in principle when multiple photons are generated. For instance, photon number splitting attack is described as “storage attack” and “intercept-resend with unambiguous discrimination attack” in the non-patent document 1 below. “Storage attack” is an attack wherein some of the photons are separated from the pulse that includes multiple photons, and are stored in quantum memory, the remaining photons are sent to Bob through the lossless channel, and the photons stored in the quantum memory are appropriately observed to obtain secret key information from the subsequent transmission contents between Bob and Alice. The “intercept-resend with unambiguous discrimination attack” refers to an attack wherein the probabilities of respective quantum states can be judged with certainty by simultaneously measuring multiple photons from a pulse that includes the multiple photons; a new quantum state is generated when this judgment is made, and the new quantum state is sent to Bob through the lossless channel.
When photon number splitting attack is made, the photon detection probability by the photon detector is directly proportional to the number of photons sent by the adversary to Bob. At this stage, that adversary can successfully perform attacks without detection thereof by controlling the frequency of the attacks such that the photon detection probability becomes the same as when there is no attack. Especially, during quantum key distribution over large distances, the photon loss rate of the channel becomes high, and the photon detection probability becomes low. As a result, the frequency of attacks by the adversary increases, and the mutual information amount (that is, the leaked information amount) of the key leaked to the adversary increases.
To resolve the problem of vulnerability to storage attack of the BB84 protocol proposed in non-patent document 1, the SARG protocol has been proposed in non-patent document 2. The transmission content of the classic channel and the key sifting method differ in the BB84 protocol and the SARG protocol. The key generation efficiency per pulse of the SARG protocol is only half that of the BB84 protocol. Therefore, the intensity of coherent light is doubled (that is, the average photon number per pulse is doubled) to make the key generation efficiency the same as that of the BB84 protocol in order to implement the SARG protocol with weak coherent light. Even so, it was demonstrated that the SARG protocol was more robust against storage attacks than the BB84 protocol. The problem of limitation in the distance over which secure transmission can be carried out is well known when both these protocols are used. For instance, when BB84 protocol and SARG protocol were used, and when the communication distances were equal to or greater than 50 km and equal to or greater than 100 km respectively, it was demonstrated in the non-patent document 2 that secure transmissions could not be carried out.
Non-patent document 1: C. H. Bennett and G. Brassard, “Quantum Cryptography: Public Key Distribution and Coin Tossing”, Proceedings of IEEE Conference on Computers, Systems and Signal Processing, pp. 175-179, 1984
Non-patent document 2: V. Scarani, A. Acin, G. Ribordy, and N. Gisin, “Quantum Cryptography Protocol Robust against Photon Number Splitting Attacks for Weak Laser Pulse Implementations”, Physical Review Letters, vol. 92, no. 5, 2004
Non-patent document 3: Charles H. Bennett, Gilles Brassard, Claude Crepeau, and Ueli M. Maurer, “Generalized Privacy Amplification”, IEEE Transaction on Information Theory, vol. 41, no. 6, pp. 1915-1923, November 1995