JP2023139792A - Quantum digital signature system and quantum digital signature method - Google Patents

Abstract

The present invention provides a quantum digital signature system and quantum digital signature method that distributes authentication keys using a simpler configuration and simpler procedures. [Solution] The system includes a transmitting device 2 that broadcasts a pulse train that is less than 1 photon/pulse and has a phase difference between adjacent pulses of 0, π/2, π, or 3π/2 to a receiving device; One pulse train is input, the delay time is equal to the pulse train interval, and the transmission phase difference is 0.The other pulse train is input, the delay time is equal to the pulse train interval, and the transmission phase difference is 0. a second Mach-Zehnder interferometer that is π/2; detectors 313 and 314 that detect the output photons of the first Mach-Zehnder interferometer; detectors 323 and 324 that detect the output photons of the second Mach-Zehnder interferometer; The receiving device includes a control unit 35 that records photons and a detector, attaches the phase of the pulse as a signature key, and generates an authentication key to be verified against the signature key based on the information recorded by the control unit 35. [Selection diagram] Figure 2

Description

The present invention relates to a quantum digital signature system and a quantum digital signature method.

When transmitting and receiving digital data, it is important to determine whether the received data is sent from an authorized sender in order to prevent information leakage. A digital signature method is known as a system for authenticating a sender. In the digital signature method, a data sender distributes an authentication key to multiple recipient candidates before transmitting the data. The sender attaches a signature key to the data to be sent and sends the data. The recipient of the data verifies the previously distributed authentication key with the signature key attached to the data, and determines whether the source of the data is correct or not based on the consistency or mismatch between the two. The security of such a digital signature method is based on the premise that a third party cannot generate a signature key from an authentication key. The process of generating a signature key from an authentication key is unrealistic because it requires a huge amount of calculations, and this point is the basis for security. However, the problem of the amount of calculation does not guarantee security in principle, and there is a risk that security will be compromised by the development of efficient calculation means (for example, quantum computers).

As a digital signature that takes the above points into consideration, a quantum digital signature (hereinafter referred to as "QDS") system, which guarantees fundamental security based on the principles of quantum mechanics, is being researched. Such a QDS method is known from, for example, Non-Patent Document 1 and Non-Patent Document 2.

Here, the QDS digital signature will be explained. FIG. 1 is a diagram for explaining a known QDS digital signature system. There are multiple protocols for the QDS system. ”). FIG. 1 shows a case where communication is performed between one transmitting device T and two receiving devices Ra and Rb, and communication between the transmitting device T and receiving devices Ra and Rb is performed through communication channels 11 and 12. . Communication is performed by exchanging authentication keys between the transmitting device T and the receiving devices Ra, Rb, and then transmitting data from the transmitting device T to the receiving devices Ra, Rb.

In authentication key distribution, a bit string serving as a common secret key is shared between the sender and the recipient candidate. This secret key is a bit string (shift key before data processing such as error correction and confidentiality enhancement in QKD) that contains bit errors and may have been partially intercepted. The transmitting device T and the receiving devices Ra and Rb, which are reception candidates, compare parts of the shared secret key as test bits and estimate the error rate of the shared secret key. Next, the receiving devices Ra and Rb randomly extract half of the secret key excluding the test bit and exchange them using the communication channel 13. The communication channel 13 is a secret communication channel, specifically a communication channel protected by QKD, so that the sender cannot know the bit strings exchanged by the potential recipients.

The authentication key is generated by adding the unextracted bit string of the private key and the exchanged bit string. In this way, the QDS system does not directly use the bit string exchanged between the sender and the recipient candidate as the authentication key, but uses only part of it as the authentication key. You can prevent it from being known. Therefore, the QDS system can prevent a malicious sender from manipulating the authorization or denial of a particular recipient. On the other hand, the sender associates and labels the secret key shared with the recipient candidate with the recipient. Then, all the private keys of the recipient candidates are added together to form a signature key. When a sender sends data to a recipient, the sender attaches this signature key to the data and sends it.

The recipient who has received the data extracts the bit string corresponding to his or her own authentication key from the attached signature key, and checks it against the authentication key that he or she owns. If the probability of bit errors in the extracted bit string for the authentication key is less than or equal to the value predicted from the previously estimated bit error rate, the recipient certifies that the signature key is genuine. This is because the secret key shared by the QKD device between the sender and the receiver has bit errors due to imperfections in the actual device.

Since such a known QDS system uses a QKD device to generate the signature key, it is possible to prevent the signature key from being forged. However, there is a possibility that a portion of the private key initially shared between the sender and the potential recipient may be intercepted. Further, since the candidate recipient has exchanged part of the bit string of the private key, he/she knows part of the authentication key of the other candidate recipient. Thus, for example, a recipient at receiving device Ra may forge a signature key and transmit data to other recipient candidates while impersonating the authorized sender. To prevent this, recipient candidates estimate the expected bit leakage rate, and if the consistency rate of the signature key with the authentication key is less than the value expected from the leakage rate, the signature key is assumed to be forged. to decide.

“Differential-quadrature-phase-shift quantum key distribution,” Kyo Inoue and Yuuki Iwai, Phys. Rev. A 79, 022319 - Published 20 February 2009. "Experimental demonstration of kilometer-range quantum digital signatures," Ross J. Donaldson, Robert J. Collins, Klaudia Kleczkowska, Ryan Amiri, Petros Wallden, Vedran Dunjko, John Jeffers, Erika Andersson, and Gerald S. Buller, Phys. Rev. A 93, 012329 - Published 19 January 2016.

In the above-mentioned conventional technology, a secret key is shared between the sender and each recipient candidate in the authentication key distribution process. Since the secret key is shared for each recipient candidate, as many QKD transmitting and receiving devices as there are to be distributed are required. If secret keys are shared in chronological order, only one transmitting device is required, but it takes time to complete sharing with everyone. Furthermore, the QKD device is also used to exchange part of the secret key shared with the sender between potential recipients. Therefore, especially when there are a large number of recipient candidates, QKD signal transmission must be performed many times, making the entire system complicated and expensive.

The present invention has been made in view of the above points, and relates to a quantum digital signature system and a quantum digital signature method that can distribute authentication keys with a simpler configuration and simpler procedures.

In order to achieve the above object, a quantum digital signature system according to one embodiment of the present invention is a digital quantum system that guarantees the sender of digital data based on quantum mechanical properties, and is a digital quantum system that guarantees the sender of digital data based on quantum mechanical properties. a transmitting device that broadcasts a pulse train to a plurality of receiving devices, the pulse train having a phase difference of less than 1 photon/pulse and having a phase difference between adjacent pulses of 0, π/2, π, or 3π/2; the receiving device receives the pulse train transmitted to the device, the receiving device receives one of the branched pulse trains, the delay time is equal to the interval between the pulse trains, and the transmission phase difference is 0, and a second Mach-Zehnder interferometer into which the other pulse train from which the pulse train is branched is input, the delay time is equal to the interval of the pulse train, and the transmission phase difference is π/2. , a first photon detector and a second photon detector that detect photons output from the first Mach-Zehnder interferometer, a third photon detector that detects photons output from the second Mach-Zehnder interferometer, and a fourth photon detector; a photon detected in the first photon detector, the second photon detector, the third photon detector, and the fourth photon detector; a photon recording unit that records data in association with one of the detector, the second photon detector, the third photon detector, and the fourth photon detector, and records the pulse train transmitted from the transmitting device. The phase of the included pulse is attached as a signature key when transmitting data, and an authentication key that is checked against the signature key is generated based on information recorded by the photon recording unit.

In order to achieve the above object, a quantum digital signature method according to one embodiment of the present invention is a digital quantum signature method in a quantum digital signature system, in which the average number of photons is less than 1 photon/pulse, and the distance between adjacent pulses is Broadcasting a pulse train having a phase difference of 0, π/2, π, or 3π/2 from a transmitting device to a plurality of receiving devices, and branching the pulse train in each of the plurality of receiving devices. input one of the pulse trains into a first Mach-Zehnder interferometer whose delay time is equal to the interval between the pulse trains and whose transmission phase difference is 0; Inputting photons to a second Mach-Zehnder interferometer whose transmission phase difference is π/2 equal to the interval of the pulse train, and photons output from the first Mach-Zehnder interferometer to a first photon detector and a second photon detector. detecting photons output from the second Mach-Zehnder interferometer with a third photon detector and a fourth photon detector; and detecting the photons output from the second Mach-Zehnder interferometer with a third photon detector and the second photon detector. , the photons detected by the third photon detector and the fourth photon detector are transferred to the first photon detector that detected the photons, the second photon detector, the third photon detector, and the fourth photon detector. recording the signature in association with one of the photon detectors; generating a signature key to be attached at the time of data transmission based on the phase of the pulse included in the pulse train transmitted from the transmitting device; The method includes generating an authentication key to be verified against the key based on information recorded by the photon recording unit.

As described above, according to the present invention, it is possible to provide a quantum digital cryptographic system that distributes authentication keys with a simpler configuration and a simpler procedure than conventional systems.

FIG. 2 is a diagram for explaining a known QDS digital signature system. FIG. 1 is a diagram for explaining a quantum digital authentication system according to an embodiment of the present invention. 3 is a table showing the relationship between the phase difference of the pulse train shown in FIG. 2 and the probability that a detector detects a photon. FIG. 2 is a sequence diagram for explaining a digital signature method performed in a digital signature system. FIG. 3 is a diagram illustrating photon detection data according to an embodiment of the present invention.

A quantum digital authentication system and a quantum digital authentication method according to an embodiment of the present invention will be described below.

[Quantum digital authentication system]
FIG. 2 is a diagram for explaining the quantum digital authentication system of this embodiment. The quantum digital authentication system shown in FIG. 2 includes a transmitting device 2 and receiving devices 3a and 3b. Of the receiving devices 3a and 3b, FIG. 2 shows the internal configuration of the receiving device 3a, but the receiving device 3b has the same configuration as the receiving device 3a.

(transmission device)
The transmitting device 2 includes a pulse light source 21, a phase adjustment section 22, and an attenuator 23. Further, the transmitter 2 includes a pulse light source 21, a phase adjuster 22, and a controller 25 that controls communication with the receivers 3a and 3b. The pulse light source 21 is a laser light source, and continuously outputs, for example, a rectangular pulse train. According to the laser light source, it is possible to obtain coherent light having good coherence. The phase adjustment unit 22 sets the phase difference between adjacent pulses in the continuous coherent pulse train outputted by the pulsed light source 21 to 0, π/2, π, or 3π/2. The attenuator 23 attenuates the pulse train so that the number of photons per pulse (average photon) included in the phase-adjusted pulse train becomes 1 or less, for example, 0.1. The pulse train is broadcast-transmitted to both receiving devices 3a and 3b that are candidates for reception. This point differs from known digital signature systems in which an authentication key distribution step is performed for each receiving device that is a reception candidate, and the digital signature system of this embodiment simplifies the authorization key distribution and shortens the time.

The pulse trains Pc and Pd attenuated by the attenuator 23 are transmitted to the receiving devices 3a and 3b via communication lines 41 and 42, respectively. The pulse trains Pc and Pd are digital signals that follow pulses, and continuous digital signals are also referred to as bit sequences.

(Receiving device)
The receiving devices 3a and 3b have similar configurations, and the configuration of the receiving device 3a will be described below instead of the description of the receiving device 3b. The receiving device 3a includes, for example, a waveguide (not shown) that branches the pulse train Pc received from the transmitting device 2. Further, the receiving device 3a includes a Mach-Zehnder interferometer 31 and a Mach-Zehnder interferometer 32. The Mach-Zehnder interferometers 31 and 32 each receive the pulse train Pc branched in the receiving device 3a, and further branch this into two paths. In the Mach-Zehnder interferometer 31, the propagation phase difference between the two branched paths is set to 0, and in the Mach-Zehnder interferometer 32, the propagation phase difference between the two paths is set to π/2. That is, in the Mach-Zehnder interferometers 31 and 32, the pulse train passing through one of the two paths is delayed with respect to the other pulse train, and in this embodiment, one is a non-delayed pulse train, and the other pulse train is The other pulse that is delayed corresponds to a delayed pulse train. Furthermore, the delay times in the Mach-Zehnder interferometers 31 and 32 are set equal to the interval between pulses included in the pulse train. The Mach-Zehnder interferometer 31 corresponds to the first Mach-Zehnder interferometer of this embodiment, and the Mach-Zehnder interferometer 32 corresponds to the second Mach-Zehnder interferometer.

The Mach-Zehnder interferometer 31 receives one of the branched pulse trains. The Mach-Zehnder interferometer 31 includes a half mirror 311 that is a splitter that branches an input pulse train, and a half mirror that is a combiner that is branched into the half mirror 311 and combines a non-delayed pulse train and a delayed pulse train to interfere with each other. 312. The pulse train incident on the half mirror 312 is combined and interferes, and is emitted in two directions.

Furthermore, the Mach-Zehnder interferometer 32 receives the other of the branched pulse trains. The Mach-Zehnder interferometer 32 includes a half mirror 321 that is a splitter that branches an input pulse train, and a half mirror that is a combiner that combines the non-delayed pulse train branched by the half mirror 321 and the delayed pulse train to interfere with each other. 322. In the Mach-Zehnder interferometer 32 as well, the pulse train incident on the half mirror 322 combines and interferes, and is emitted into two directions.

However, in this embodiment, the splitting and combining of pulse trains is not limited to using a half mirror, and a beam splitter may also be used.

The receiving device 3a also includes detectors 313 and 314 that detect photons output from the Mach-Zehnder interferometers 31 and 32 with a probability corresponding to the phase difference between the non-delayed pulse train and the delayed pulse train that interfered in the half mirror 322; 323, 324, and a control unit 35 that records photons detected by the detectors 313, 314, 323, and 324 in association with these detectors. Detectors 313, 314, 323, and 324 correspond to a first detector, a second detector, a third detector, and a fourth detector, respectively.

In such a receiving device 3a, the pulse train transmitted from the transmitting device 2 is branched and input into the Mach-Zehnder interferometers 31 and 32, respectively, and further branched into two parts in the Mach-Zehnder interferometers 31 and 32, one of which is split into two. Phased to delay. At this time, in the outputs of the Mach-Zehnder interferometers 31 and 32, the pulses included in the continuous pulse train are time-shifted by one pulse. The non-delayed pulse train and the delayed pulse train overlap in the half mirrors 312 and 322 and interfere with each other. As a result, two adjacent pulses interfere with each other, and photons are detected by the detectors 313 and 314 or the detectors 323 and 324 according to their phase difference. However, the pulse train is attenuated by the attenuator 23 so that the average number of photons per pulse is less than one. Therefore, in the receiving device 3a shown in FIG. 2, the probability that photons are detected by the detectors 313, 314, 323, and 324 is sufficiently low and random.

FIG. 3 is a diagram showing the relationship between the phase difference between adjacent pulses and a detector that detects photons. Each of the transmitted pulses is randomly phase-modulated with either 0, π, π/2, or 3π/2, and the phase difference between adjacent pulses is measured on the receiving side. In the table shown in FIG. 3, the leftmost column shows the number of the detector shown in FIG. 2, and the second row shows the phase difference of the pulses. According to the table, for example, when the phase difference of the pulses is 0, the detection probability is 0.5 for the detector 313, 0 for the detector 314, and 0.25 for the detectors 323 and 324. The detection probability of each detector is also referred to as "conditional detection probability" below.

In the receiving device 3a, information related to photons and the detector that detected the photons are recorded in association with each other. The information related to photons may be information based on the timing of photon detection, for example. The example shown in FIG. 3 shows an example in which a number such as #1 and a detector are recorded in association with each other based on the order of photon detection. Information related to photons is not limited to the order of detection, and may be, for example, the time of photon detection.

After transmitting the pulse train, the control unit 25 of the transmitting device 2 transmits information regarding the phase of the transmitted pulse train to the receiving device 3a. This information groups phase 0 and phase π in advance, groups phase π/2 and phase 3π/2, indicates which group the phase difference of the pulse train is included in, and indicates whether the phase difference of the pulse train is included in either group, π or π/2. It does not include the phase value itself.

The receiving device 3a estimates the error rate of the received pulse train based on the group indicated by the information. For example, when the information indicates a group including phase 0 and phase π, the receiving device 3a discards the detection data of photons detected by the detectors 323 and 324 (the order of photon detection and the combination of detectors). A portion of the remaining photon detection data is then used as test data for bit error rate estimation. Specifically, the control unit 35 requests the transmitting device 2 to notify the phase difference of the pulses included in the pulse train Pc. The control unit 25 notifies the receiving device 3a of the phase difference in response to a request. If the notified phase difference is 0, the control unit 35 determines that the photon detected by the detector 313 is a correctly received signal, and that the others are bit errors. If the phase is π, the photon is a correctly received signal by the detector 314, and the others are bit errors.

Further, when the information indicates a group including phases π/2 and 3π/2, the receiving device 3a discards data of photons detected by the detectors 313 and 314. Then, when the notified phase is π/2, the control unit 35 determines that the photon detected by the detector 324 is a correctly received signal, and that the others are bit errors. If the phase is 3π/2, the photon detected by the detector 323 is a correctly received signal, and the others are considered to be bit errors. Further, the control unit 35 discards the detection data used for the test data and uses the remaining photon detection data as an authentication key. With the above processing, the authentication key distribution process of this embodiment is completed.

In the subsequent data transmission via the network, the transmitting device 2 uses the phases of all pulses included in the pulse sequences Pc and Pd broadcasted to the receiving devices 3a and 3b in the authentication key distribution process as a signature key. Then, the transmission data to which the signature key is attached is transmitted to the receiving devices 3a and 3b. The authentication key generated by the receiving device 3a is verified against the attached signature key. The recipient verifies that the data sender and the authentication key distributor are the same by checking the authentication key in his possession and the attached signature key.

(Digital signature method)
FIG. 4 is a sequence diagram for explaining the digital signature method performed by the digital signature system described above, and shows the processing performed on the sender side and the receiver side. Since the operations of a plurality of recipients are similar, the operation of one recipient will be described in FIG. FIG. 5 is a schematic diagram illustrating detection data D ₃₁₃ , D ₃₁₄ , D 323 , and D 324 of the four detectors 313, 314, ₃₂₃ , and ₃₂₄ included in the receiving device 3a. The illustrated detection data D ₃₁₃ , D ₃₁₄ , D ₃₂₃ , and D ₃₂₄ indicate the overall detection order of photons detected by each detector.

As shown in FIG. 4, the transmitter uses the transmitter 2 to broadcast a pulse train having a phase difference of 0, π/2, π, or 3π/2 to the plurality of receivers 3a and 3b. (401). The receiving device 3a that has received the pulse train assigns a pulse number to the pulse whose photon was detected by the detectors 313, 314, 323, and 324, and records the number in association with the detector that detected the photon (402). Next, the receiving device 3a requests notification about the group to which the phase difference of the pulse train belongs, and the sender notifies the group of 0, π/2 or π, 3π/2 in response to the request (403). . The receiving device 3a discards detection data of a detector with a detection probability of 0.25 shown in FIG. 3 according to the phase group (404). At this time, for example, if a group of phase 0 and phase π is notified, the control unit 35 discards the detection data D ₃₂₃ and D ₃₂₄ of FIG. 5.

Next, in response to the phase notification request from the receiving device 3a, the transmitting device 2 notifies the phase difference of the previously sent pulse train (405). The control unit 35 performs a process of estimating the bit error rate by assuming that the photons of the detection data D ₃₁₃ in FIG. 5 are normally received signals and that the photons of the detection data D ₃₁₄ are bit errors (406). Then, the test data used for bit error rate estimation is discarded (407), and the remaining bit string is used to generate an authentication key (408). In subsequent communication via the network, the sender generates an authentication key based on the phase of the pulse included in the pulse train broadcast to the receiving devices 3a and 3b (409). Then, a signature key is attached to the transmission data to be transmitted to the receiving device 3a, and the data is transmitted (410). The receiver compares the attached signature key with the authentication key and determines whether the sender is correct or not based on the bit error rate (411).

As explained above, the security of the QDS system of this embodiment is guaranteed by using a weak coherent pulse train phase-modulated at 0, π/2, π, and 3π/2 in the authentication key distribution process. . This point will be explained below.

(Forgery of signature key)
The signature key of the QDS system of this embodiment is the phase of all pulses included in the pulse train transmitted at the time of authentication key distribution. This pulse train is a weak pulse train with a small number of photons, and is difficult to clarify by measuring between pulses. Therefore, it is not possible to create a signature key from the pulse train when distributing the authentication key. However, even if a complete signature key cannot be created, if the target recipient's authentication key is known, a signature key valid for the target recipient can be forged by randomly assigning phases other than the authentication key bits. There is a fear. In consideration of this point, the digital signature system of this embodiment uses a weak pulse train in which the number of photons per pulse is one or less in the authentication key distribution process. Detecting photons from such a weak pulse train is rare, and the timing is random. For this reason, it is not possible to select the phase of the pulse train by receiving the broadcast pulse train and predicting the photons that will be detected by the receiving device of the target recipient. Therefore, the digital signature system of this embodiment cannot know the target recipient's authentication key from the broadcast pulse train, and cannot forge a signature key that matches it.

Furthermore, as a more extensive eavesdropping method, there is impersonation eavesdropping. Spoofing wiretapping is wiretapping in which an eavesdropper receives and measures all pulse train signals on the transmission path between the transmitter 2 and, for example, the receiver 3a, and transmits a forged signal to the receiver 3a based on the measurement results. It's a method. If the eavesdropper retransmits only the pulse train that was successfully measured with an intensity of one photon or more, the receiver will receive the pulse train measured by the eavesdropper, and the bits transmitted by the eavesdropper and the bits generated by the receiver will be approximately the same. It will be the same. In other words, the recipient's private key is known to the eavesdropper. However, when this eavesdropping occurs, the bit error rate of the private key generated by the recipient becomes greater than the value expected from the imperfections of the device. The reason is as follows.

What is being transmitted here is a pulse train whose phase difference is one of four values {0, π/2, π, 3π/2}. As a measurement system for this phase difference, it is conceivable to use two delay interferometers with different delay phase differences, as shown in FIG. However, as shown in FIG. 3, there is no one-to-one correspondence between the phase difference and the photon detectors. That is, the phase difference of the four values can only be measured probabilistically. Even if any other measurement system is used, since the four phase states have a quantum mechanical non-orthogonal relationship, a definitely correct value cannot be obtained. Therefore, the falsified signal that the eavesdropper retransmits based on the result of the interrupt measurement will be different from the original transmitted signal. If a portion of the secret key generated from such a retransmitted signal is matched against the transmitted signal, the bit error rate will be higher than that due to device imperfections.

As described above, when spoofing eavesdropping is performed, the bit error rate of the receiver increases. In other words, the presence or absence of eavesdropping is detected by checking the bit error rate. This will deter impersonation eavesdropping.

As described above, this embodiment prevents signature key forgery by using a weak coherent pulse train phase-modulated at 0, π/2, π, or 3π/2 in the authentication key distribution process. Preventing. The security of the QDS system also requires that the recipient's authentication key be kept secret from the data sender. This prevents a malicious sender from creating a signature key that authorizes or denies a specific recipient, and ensures the fairness of the signature key. Using a weak coherent pulse train for authentication key distribution also contributes to meeting this requirement. That is, when the transmitter 2 transmits a weak pulse train with a small number of photons, the receiver 3a side detects a photon from which adjacent pulse pair in the pulse train, which is completely random and unknown to the sender. Therefore, the authentication key generated from the photon detection data is kept secret from the sender.

This embodiment described above operates as a QDS system. In the publicly known technology, each sender and receiver share a secret key through QKD transmission, and then exchange data between receivers through a QKD channel to generate an authentication key. The authentication key distribution process is completed by simply broadcasting the data to recipients and discarding part of the received data, realizing a simpler system configuration and authentication key generation than in the past.

2 Transmitting devices 3a, 3b Receiving devices 11, 12, 13 Communication channel 21 Pulsed light source 22 Phase adjustment section 23 Attenuators 25, 35 Control sections 31, 32 Mach-Zehnder interferometers 41, 42 Communication lines 311, 312, 321, 322 Half Mirrors 313, 314, 323, 324 Detector

Claims (4)

A digital quantum system that guarantees the sender of digital data based on quantum mechanical properties,
A transmitting device that broadcasts a pulse train having an average number of photons less than 1 photon/pulse and a phase difference between adjacent pulses of 0, π/2, π, or 3π/2 to a plurality of receiving devices. and,
the receiving device receiving the pulse train transmitted to the transmitting device,
The receiving device includes:
a first Mach-Zehnder interferometer into which one of the branched pulse trains is input, the delay time is equal to the interval between the pulse trains, and the transmission phase difference is 0;
a second Mach-Zehnder interferometer into which the other pulse train from which the pulse train is branched is input, the delay time is equal to the interval of the pulse train, and the transmission phase difference is π/2;
a first photon detector and a second photon detector that detect photons output from the first Mach-Zehnder interferometer;
a third photon detector and a fourth photon detector that detect photons output from the second Mach-Zehnder interferometer;
Information related to photons detected in the first photon detector, the second photon detector, the third photon detector, and the fourth photon detector is transmitted to the first photon detector that detected the photon, and the first photon detector that detected the photon. a photon recording unit that records in association with one of the second photon detector, the third photon detector, and the fourth photon detector;
The phase of the pulse included in the pulse train transmitted from the transmitting device is attached as a signature key when transmitting data, and an authentication key to be checked against the signature key is generated based on information recorded by the photon recording unit. quantum digital signature system. The first Mach-Zehnder interferometer includes a splitter that branches the input pulse train, a non-delayed pulse train among the pulse trains branched by the splitter, and a delayed pulse train that has a delay with respect to the non-delayed pulse train. a coupler that combines and interferes with the non-delayed pulse train and the delayed pulse train, the first photon detector and the second photon detector having a phase difference between the non-delayed pulse train and the delayed pulse train that interfere with each other in the combiner. The digital signature system of claim 1, wherein the photon is detected with probability. The digital signature system according to claim 1 or 2, wherein the transmitting device includes a laser light source that emits light that generates the pulse train. A digital quantum signature method in a quantum digital signature system, comprising:
Broadcast transmission from a transmitting device to multiple receiving devices of a pulse train in which the average number of photons is less than 1 photon/pulse and the phase difference between adjacent pulses is 0, π/2, π, or 3π/2. to do and
In each of the plurality of receiving devices,
inputting one of the branched pulse trains into a first Mach-Zehnder interferometer whose delay time is equal to the interval between the pulse trains and whose transmission phase difference is 0;
Inputting the other pulse train from which the pulse train is branched into a second Mach-Zehnder interferometer whose delay time is equal to the interval of the pulse train and whose transmission phase difference is π/2;
Detecting photons output from the first Mach-Zehnder interferometer with a first photon detector and a second photon detector;
Detecting photons output from the second Mach-Zehnder interferometer with a third photon detector and a fourth photon detector;
Information related to photons detected in the first photon detector, the second photon detector, the third photon detector, and the fourth photon detector is transmitted to the first photon detector that detected the photon, and the first photon detector that detected the photon. Recording in association with any one of the second photon detector, the third photon detector, and the fourth photon detector;
Generating a signature key to be attached when transmitting data based on the phase of a pulse included in the pulse train transmitted from the transmitting device;
The authentication key to be verified against the signature key is associated with any one of the first photon detector, the second photon detector, the third photon detector, and the fourth photon detector and is recorded in the information recorded. A quantum digital signature method, comprising: generating a quantum digital signature based on;

Images