 Secure key agreement with non-trusted devices
专利摘要:
Traditional key generation methods in a noisy network often assume trusted devices and are thus vulnerable o many attacks including covert channels. The present invention differs from previous key generation schemes in that it presents a mechanism which allows secure key generation with untrusted devices in a noisy network with a prescribed access structure. 公开号:EP3709563A1 申请号:EP18849475.1 申请日:2018-11-08 公开日:2020-09-16 发明作者:Marcos Curty Alonso;Lo HOI-KWONG 申请人:Universidade de Vigo; IPC主号:H04L9-00
专利说明:
[0001] The present invention relates to a secure method and system for generating a random cryptographic key in a noisy network. Background of the invention [0002] Cryptography is the art of code-making. In cryptography, the security of a protocol often relies on the secrecy of a cryptographic key. A cryptographic key is usually a random string of numbers. If two parties, Alice and Bob, share a common secret cryptographic key, K, then they can achieve both secure communication and authentication (two important applications of cryptography) using several known cryptographic procedures. How to generate and distribute a key between two or more parties is a major challenge in cryptography. It is called the key distribution problem. Various methods for solving the key distribution problem have been proposed. Let us give a few examples here. The first example is public key cryptography. In public key cryptography, the key distribution problem is solved by making computational assumptions. There is a pair of keys, for example, one for encryption and one for decryption. Given the encryption key, in principle, the information for the decryption key is available. But, in practice, it would take too long for a conventional computer to figure out the decryption key, provided that some problems such as factoring large integers are assumed to be intractable with conventional computers. The second example of a key distribution method is quantum cryptography, more specifically, quantum key distribution (QKD). For a review on QKD, see, for example, Lo, H.-K., Curty, M. and Tamaki, K. Secure quantum key distribution. Nat. Photon. 8, 595-604 (2014). In QKD, the key distribution problem is solved by using the no-cloning theorem in quantum mechanics. For instance, in the known standard Bennett-Brassard BB84 protocol for QKD (see for example, Bennett, C. H. and Brassard, G. Quantum cryptography: public key distribution and coin tossing. Proc. IEEE Int. Conf. Comp. Systems Signal Processing 175- 179 (IEEE, 1984)), say one party, Alice, sends to a second party, Bob, a sequence of photons prepared in different polarisation states, which are chosen from two possible conjugate bases, X and Z,. For each photon, Bob selects randomly one of the two conjugate bases and performs a measurement. He records the outcome of his measurement and the basis choice. Through an authenticated channel, Alice and Bob broadcast their measurement bases. They discard all polarisation data sent and received in different bases and use the remaining data to generate a shifted key. To test for tampering they compute the quantum bit error rate (QBER) of a randomly selected subset of data and verify that the QBER is below a certain threshold value. By applying classical post-processing protocols such as error correction and privacy amplification, they generate a secure key. This way, during an eavesdropping attack, an eavesdropper, Eve, who does not have the basis information, would introduce unavoidable disturbance to the signals, which would be detectable by the legitimate users, Alice and Bob. The third example is Maurer's public key agreement protocol (see Maurer U. M. Secret key agreement by public discussion from common information. IEEE Trans. on Inf. Theory 39, 733-742 (1993)). There, for instance, two parties, Alice and Bob, might be receiving broadcast signals from a common source, Charlie, in a distant galaxy. If one assumes that the noises suffered by the receiving devices of the two parties are independent of the noise suffered by the receiving devices of an eavesdropper, Eve, a shared key can be distilled by the two parties, Alice and Bob, in such a way that it is secure against Eve. [0003] Secret sharing schemes are commonly used in cryptography. In a secret sharing scheme, it is often important to define an access structure. For instance, in a (n, r) threshold secret sharing scheme, a secret string, say K, is divided by a dealer into shares that are distributed among n parties such that any subset of r parties getting together will be able to recover the value of the string, K, but any subset of less than r parties would have absolutely no information whatsoever about the value of the string, K. We note that non-threshold secret sharing schemes do exist and they allow more general access structures. To address the possibility that the dealer himself could be dishonest, and in order to guarantee that the shares distributed during the different steps of the protocol are consistent, verifiable secret sharing schemes have been proposed. Regarding applications, secret sharing can be used to split a generated key in a hardware secure module (HSM). Note that, in these cases, it is often assumed that the channels are noiseless, but some of the participants could be untrusted. [0004] In contrast, in both QKD and Maurer's key agreement model, it is assumed that the channels used to generate a key may be noisy. For instance, QKD often uses as signals weak coherent light pulses or entangled photon pairs. These signals may be sent over long distance of open air or telecom fibers. For example, QKD has been recently performed over 404 km of ultra-low-loss fibers with the measurement-device-independent quantum key distribution protocol and entanglement has been sent over 1200 km (through a quantum communication satellite link). Note that an eavesdropper is free to eavesdrop such quantum channel (a communication channel which can transmit quantum information) in QKD. Owing to channel noise and potential eavesdropping attacks, there is often substantial quantum bit error rate (QBER) of order 0.5% to 13% in a quantum channel. To be able to generate a secret key in this situation, QKD typically assumes that, in addition to a quantum channel, there is an authenticated classical channel (or a public channel) between Alice and Bob. Such an authenticated classical channel can be used for the public discussion phase of a QKD protocol. It allows, for instance, Alice and Bob to compare a subset of quantum signals to estimate the QBER in a quantum transmission. When the QBER is too high, Alice and Bob can simply abort the QKD protocol. Otherwise, Alice and Bob proceed to distil a secure key by applying some classical post-processing protocol, which may include several steps like, for instance, post-selection of data, adding noise, parameter estimation, information reconciliation (which typically includes an error correction step together with an error verification step), and privacy amplification. This is so because there are some problems that need to be solved in order to distil a secure usable key: First, the keys held by Alice and Bob, kA raw and kB raw respectively, might be different from each other. It is important for them to perform some process to correct potential discrepancies in their raw keys; Such a process is called information reconciliation. One way to perform information reconciliation is for Alice to employ some conventional error correcting codes and compute and announce in public the resulting error syndrome. Bob, on receiving the error syndrome, can then reconcile his key with Alice. At the end, Alice and Bob might perform an error verification step to confirm that they hold reconciled keys, kA rec and kB rec, that are the same as each other with high probability. Second, an eavesdropper or adversary might have partial information on the raw key. The goal of privacy amplification is to remove with high probability any residual information that Eve might have on the raw key. Privacy amplification is a process in which a long string of partially secure numbers is compressed into a shorter string that is almost perfectly secure against an adversary, Eve. Privacy amplification could be achieved by applying a two-universal hash function, see Bennett, C. H., Brassard, G., Crepeau, C. and Maurer, U. M. Generalized privacy amplification. IEEE Trans. on Inf. Theory 41, 1915-1923 (1995). For instance, one particularly simple example of privacy amplification is to use random hashing. More concretely, given an input n-bit string represented by a column vector, X, one might first generate a random m x n matrix, M, (where m < n) of randomly chosen binary entries and then compute an output m-bit string, Y=M X, by performing matrix multiplication between the two matrices M and X in modulo 2 algebra. In the case of QKD, Alice might choose the entries of M and then broadcast their values to Bob through an authenticated classical channel. [0005] Schemes such as secret sharing, QKD and Maurer's key agreement scheme can provide information-theoretic security, which is also called unconditional security. That is security based on information theory and that is not dependent on any computational assumptions. [0006] There have been a lot of interests in quantum hacking against practical QKD systems. These hacking attacks typically exploit the fact that the behaviour of real QKD devices usually deviates from that considered in the security proofs of QKD. This opens security loopholes which could be used by the eavesdropper to attack QKD implementations. For instance, a memory attack has been proposed as a method to foil even device-independent (DI)-QKD schemes. In a memory attack, Eve hides a memory in say Alice's system to store up all the key material generated in each QKD run. Afterward, the memory leaks the key material to the channel by hiding it in say the decision of abort or not abort of a subsequent QKD session, or in the public discussion of subsequent QKD runs. This could be done by properly modifying the raw key and/or the protocol information that is sent, in that round, to the classical post-processing unit(s) (CLPU) that perform the classical post-processing protocol of the QKD system. Memory attacks constitute an example of covert channels, which together with Trojan Horses, are known to be major challenges to the security of conventional cryptographic systems. Note that Trojan Horses could be hidden in both hardware or software modifications of the cryptographic systems. SUMMARY OF THE INVENTION [0007] The problems found in prior art techniques are generally solved or circumvented, and technical advantages are generally achieved, by the disclosed embodiments which provide a method and system wherein two or more cryptographic stations generate a shared key secure within a prescribed access structure, in the presence of a noisy channel in a network and possibly un-trusted components inside cryptographic station(s). [0008] Considering the functional decomposition of a cryptographic station into key generation units and classical post-processing units, the present invention provides security in the presence of both untrusted key generation units and untrusted classical post-processing units. In an embodiment, in order to counter untrusted key generation units, privacy amplification is applied by classical post-processing units to ensure security against information obtained by the untrusted components inside the cryptographic stations and in order to counter untrusted classical post-processing units, a raw cryptographic key is divided into shares and distributed among multiple classical post-processing units. The invention can be used to foil covert channels and defeat both hardware and software Trojan Horses. It can provide information-theoretic security for the generated key, which can subsequently be used to achieve communication and authentication with unconditional security. [0009] In a first aspect, the present invention proposes a method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises n raw data generation units, KGUA i, KGUB i with i=1, 2, ..., n, where n>1, and at least one post-processing unit CLPUA CLPUB, where the method comprises the following steps: Each pair of raw data generation units, KGUA i and KGUB i, with i=1, 2, ..., n, generating a pair of (raw) data strings and sending (via secure communication channels) the generated data string by KGUA i to the at least one post-processing unit of the first cryptographic station and sending the generated data string by KGUB i to the at least one post-processing unit of the second cryptographic station. Each pair of data strings (one generated by a raw data generation unit of the first cryptographic station KGUA i and one generated by a raw data generation unit of the second cryptographic station KGUB i, with i=1, 2, ..., n,) usually will be correlated in the sense that it will be generated using a mechanism (for example QKD, Quantum Key Distribution) which allows that each pair of data springs of the first and second cryptographic stations are correlated (also called statistically correlated). That is each pair of data strings are not statistically independent of each other but statistically dependent, so if the value of one of the data strings is known, information about the value of the other data string could be obtained. The at least one post-processing units of the first and second cryptographic station, CLPUA, CLPUB: applying a post-processing procedure to each received data string for generating a cryptographic key, KA i, KB i i=1, 2, ..., n, or an error symbol (an error symbol will be generated if the raw data generations unit it has not been able to generate a cryptographic key) for each raw data generation unit, where the post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure to extract a shorter key; concatenating the generated cryptographic keys to form a first concatenated cryptographic key KA'=[KA 1, KA 2,..., KA M] and a second concatenated cryptographic key KB'=[KB 1, KB 2,..., KB M] where M is the number of pairs of generated cryptographic keys in both cryptographic stations which are different from the error symbol; applying an additional privacy amplification procedure operation to the first concatenated cryptographic key and to the second concatenated cryptographic key to extract a first and a second secure cryptographic keys respectively, KA and KB. [0010] According to another aspect, it is proposed a method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises at least one raw data generation unit, KGUA, KGUB respectively and more than one post-processing units CLPUA l, CLPUB l', l= 1, 2, ..., s, l'=1, 2,....s', where the method comprises the following steps: KGUA generating s data strings and sending one generated data string to each CLPUA l and KGUB generating s' data strings and sending one different generated data string to each CLPUB l'; Each pair of data strings (one generated by the raw data generation unit of the first cryptographic station KGUA and one generated by the raw data generation unit of the second cryptographic station KGUB) will be correlated in the sense that it will be generated using a mechanism (for example QKD), so each pair of data springs of the first and second cryptographic stations are correlated (also called statistically correlated). That is, each pair of data strings are not statistically independent of each other, so if the value of one of the data strings is known, information about the value of the other data string could be obtained. Each post-processing unit of the first and second cryptographic stations: applying a post-processing procedure to each received data string generating a cryptographic key or an error symbol for each received data string, where the post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure to extract a shorter key; dividing the generated cryptographic keys into two or more shares and distributing them among the rest of post-processing units of the first and second cryptographic stations respectively; generating a share of a secure cryptographic key by applying an error verification procedure and an additional privacy amplification procedure operation to the received cryptographic keys shares; [0011] According to another aspect, it is proposed a method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises at least one raw data generation unit, KGUA, KGUB and more than one post-processing units CLPUA i, CLPUB i', i= 1, 2, ..., s, i'=1, 2,....s', where the method comprises the following steps: The at least one raw data generation units in the first and second cryptographic stations generating a data string, RA, RB respectively, dividing the generated data strings into two or more shares and distributing them among the post-processing units of the first and second cryptographic stations respectively where K'A ij is the j-th share of RA received by CLPUAi and K'B i'j' is the j'-th share of RB received by CLPUB i'. The pair of data strings (one generated by the raw data generation unit of the first cryptographic station KGUA and one generated by the raw data generation unit of the second cryptographic station KGUB) will be correlated in the sense that it will be generated using a mechanism (for example QKD), so each pair of data springs of the first and second cryptographic stations are correlated (also called statistically correlated). That is each pair of data strings are not statistically independent of each other, so if the value of one of the data strings is known, information about the value of the other data string could be obtained. [0012] The number of shares j, j', in which the data strings are divided, could be equal to the number of CLPUs (so each CLPU receives one share) or could be lower or higher (so each CLPU could receive more than one share). Each post-processing unit of the first and second cryptographic stations: obtaining from each received share of the data string RA, RB a key generation sub-string share K'A ij,key, K'Bi'j',key (this sub-string could be just a part of the received share of the data strings, that is, the received shares could be divided in several sub-strings and one of these sub-strings will be used for key generation) ; from each received share of the data string it could be also obtained a parameter estimation sub-string share K'5 ij,est, K5 i'j',est and said parameter estimation sub-strings shares will be send to the rest of post-processing units of the cryptographic unit. applying a post-processing procedure to the key generation sub-strings shares generating secure cryptographic key shares, where said post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a privacy amplification procedure to extract a shorter key. [0013] In this last embodiment, the information reconciliation operation could include an error correction procedure which comprises: applying certain predefined matrices MEC to the key generation sub-strings shares obtaining data strings sA ij=MEC ∗K'A ij,key, sB j'=MEC ∗K'B ij',key respectively; obtaining in each post-processing unit a reconstructed data string sA, sB defined sA=sA 1⊕... ⊕A q and S B=S B 1⊕... ⊕sB q' respectively, where sA j is obtained from sA ij by using majority voting and sB j' is obtained from sB i'j' by using majority voting; modifying the value of the key generation sub-strings K'A ij,key, K'B i'j',key depending on the actual values of sA and sB; repeat the three steps of the error correction procedure until the error is below a predefined threshold; [0014] In this last embodiment, the information reconciliation operation could include an error verification procedure which comprises: The post-processing units of the first cryptographic station randomly selecting a two-universal hash function, hash, and applying it to the key generation sub-strings shares obtained after the error correction procedure, KA ij,key, obtaining hA ij=hash(KA ij,key), and each post-processing unit of the second cryptographic station obtaining hB i'j'=hash(KB i'j',key) and each post-processing unit sending the shares hA ij and hB i'j' to all the post-processing units in his own cryptographic unit and to all the post-processing units in the other cryptographic unit; obtaining in each post-processing unit a reconstructed data string hA, hB respectively as hA=hA 1⊕... ⊕hA q and hB=hB 1⊕... ⊕hB q' respectively, where hA j is obtained from hA ij by using majority voting and hB j' is obtained from hB i'j' by using majority voting. Each of the post-processing units checking whether or not hA=hB and if they are equal they proceed to the privacy amplification procedure, otherwise outputting an abort symbol. [0015] In this last embodiment, the privacy amplification procedure may comprise: The post-processing units of the first cryptographic station randomly selecting a two-universal hash function hashPA, and then obtaining shares of a secure cryptographic unit as KA ij=hashPA(KA ij,key) and each post-processing unit of the second cryptographic station obtaining shares of a secure cryptographic unit as KB i'j'=hashPA(KB i'j',key). [0016] According to another aspect, it is proposed a method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises a plurality of raw data generation units, KGUA i, KGUB i with i=1, 2, ..., n, n>1 and a plurality of post-processing units CLPUA l, CLPUB l', l=1, 2, ..., s, 1'=1, 2,....s', where the method comprises the following steps: Each raw data generation unit in the first and second cryptographic stations generating data strings, RA i, RB i with i= 1, 2, ..., n, respectively, dividing the generated data strings into two or more shares and distributing them among the post-processing units of the first and second cryptographic stations respectively. Each pair of data strings (RA i, RB i with i= 1, 2, ..., n) usually will be correlated in the sense that it will be generated using a mechanism (for example QKD) that makes that each pair of data springs of the first and second cryptographic stations are correlated (also called statistically correlated). That is, each pair of data strings are not statistically independent of each other, so if the value of one of the data strings is known, information about the value of the other data string could be obtained. Each post-processing unit applying a post-processing procedure to each received data string share, generating a first cryptographic key shares K'A lij, K'B l'ij' or an error symbol for each received data string share, where the post-processing procedure includes at least an information reconciliation operation between the processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure, where K'A lij is the j-th share of the cryptographic key for RA i obtained by CLPUA l, and K'B l'ij' is the j'-th share of the cryptographic key for RB i obtained by CLPUB l'; Each post-processing unit obtaining shares of a secure cryptographic key by concatenating the obtained first cryptographic key shares and applying an additional privacy amplification procedure operation to the concatenated string. This last step may comprise: Concatenation sub-step: Each CLPUA l, with l=1,..,s obtaining bit strings K"A lij=[01, ..., 0i-1, K'A lij,0i+1, ..., 0M], where 0i, with i=1,..., M, represents a zero vector, and M is the number of pairs of raw generation units (one from each cryptographic station) which generate data strings different from an error symbol and each CLPUB l', with l'=1,..,s' obtaining bit strings K"B l'ij'=[01, ..., 0i-1, K'B l'ij',0i+1, ..., 0M], with i=1,..., M; Privacy amplification sub-step: Each CLPUA l, with l=1,..,s, randomly selecting a two-universal hash function hashPA, and then obtaining shares of a secure cryptographic key as KA lij= hashPA(K"A lij) and each CLPUB l', with l'=1,..,s' obtaining shares of a secure cryptographic key as KB l'ij'=hashPA(K"B l'ij'). [0017] The pair of data strings generated by each pair of raw data generation units (one of the first cryptographic station and one of the second cryptographic station respectively) may be generated using a quantum key distribution mechanism. [0018] For dividing in shares a secret sharing scheme or a verifiable secret sharing scheme could be employed. At the end of the methods, a reconstruct scheme could be applied to the secure cryptographic shares obtained in order to obtain a first and a second final cryptographic keys respectively. [0019] In other aspects, systems for secure cryptographic keys generation are proposed. Said systems will comprise a first and a second cryptographic stations (A,B), where each cryptographic station comprises at least one raw data generation units and at least one post-processing unit CLPUA CLPUB, with means for implementing the methods proposed above. [0020] In a last aspect of the present invention, a computer program is disclosed, comprising computer program code means adapted to perform the steps of the described methods, when said program is run on processing means of a network entity of an OFDM network, said proccesing means being for example a computer, a digital signal processor, a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a micro-processor, a micro-controller, or any other form of programmable hardware. A non-transitory digital data storage medium is also provided for storing a computer program comprising instructions, causing a computer executing the program to perform all steps of the disclosed methods when the program is run on a computer. Description of Figures [0021] To complete the description that is being made and with the object of assisting in a better understanding of the characteristics of the invention, in accordance with preferred example of practical embodiments thereof, accompanying said description as an integral part thereof, is a set of drawings wherein, by way of illustration and not restrictively, the following has been represented:Figure 1 shows a schematic block diagram of a prior art cryptographic set-up. Figure 2 shows a schematic block diagram illustrating a memory attack against a prior art cryptographic set-up with two cryptographic stations, A and B. Figure 3 shows a schematic block diagram of a secure key generation procedure according to one embodiment of the invention, in a scenario where at least one key generation unit KGU, is untrusted. Figure 4 shows a schematic block diagram of a secure key generation procedure according to one embodiment of the invention, in a scenario where at least one key classical processing unit untrusted. Figure 5 shows schematic block diagrams illustrating the share and the reconstruct protocols of an example of verifiable secret sharing scheme. Figure 6 shows a schematic block diagram of a secure key generation procedure according to an embodiment of the invention, in a scenario where each cryptographic station contains more than one key generation unit, KGU, and more than one classical post-processing unit, CLPU. Description of the Invention [0022] The invention describes methods and systems for, in general terms, generating a secure shared key between two or more cryptographic stations (an station which is able to generate cryptographic keys for example for secure communication or authentication between two electronic devices). Said shared key is generated in the presence of a noisy channel in a communications network (communicating the cryptographic stations) and possibly un-trusted components inside cryptographic station(s). [0023] Consider a communication network allowing communication between various cryptographic stations together with any intermediary or ancillary nodes. Each cryptographic station may represent, for example, an electronic node as a secure site such as a data center, or a co-location facility, a service provider or an end user electronic communications device such as a smart phone held by an end user or for example, a mobile phone, laptop, i-pad, tablet, PC ... or generally speaking, any other type of electronic device which may generate cryptographic keys for communication or authentication with another party. To achieve either unconditional secure communication or authentication between, for example, two cryptographic stations, traditionally called, A and B or Alice and Bob (where Alice and Bob are supposed to be the parties or users controlling each cryptographic station respectively) in the presence of an adversary or eavesdropper, Eve, it is important for Alice and Bob to share a cryptographic key, K, that is random and secret. [0024] A cryptographic station contains both key generation unit(s) (KGU) and classical post-processing unit(s) (CLPU). Key generation units (also called raw data generation units) generate correlated raw data (also known as primary data, that is, data obtained directly from a data source) between distant parties, which is afterwards processed by the CLPU to obtain the cryptographic key. For instance, in Maurer's scheme, key generation units could be antennas that are receiving signals from a common source in a distant radio galaxy. Classical post-processing units (also called just post-processing units) can be any conventional processing devices (also called processing units or processing modules) such as for example. Central Processing Units (CPUs), Graphical Processing Units (GPUs), and Field Programmable Gate Arrays (FPGAs)) or any other electronic unit with computation capabilities. A pair of KGUs distributed between the two cryptographic stations, A and B, use some physical means to generate correlated noisy (raw) data between the cryptographic stations. Such physical means for generating correlated data could be, for example, QKD. In the case of QKD, such raw data could be either prepared or measured polarization data of single photon signals. Each single photon has a polarization. For instance, in the rectilinear basis Z, a vertically polarized photon could represent a "0" whereas a horizontally polarized photon could represent a "1". Similarly, in the diagonal basis X, a 45-degree polarized photon could represent a "0" whereas a 135-degree polarized photon could represent a "1". Each KGU then passes the correlated noisy raw data to classical post-processing unit(s) to be processed, obtaining cryptographic key K. While this discussion is general, for ease of illustration, we take the example of QKD. In QKD, Alice and Bob are connected by two channels, one quantum and one classical. The quantum channel is used for the transmission of quantum signals such as polarization data of single photons. Such quantum signals can be used to generate raw key material. Eve is free to tamper with the quantum channel, which can be an optical fiber or free space or other media (e.g. water). The term "classical" channel simply means a conventional communication channel that can transmit conventional information. The classical channel may be of any form including a phone line, Internet, Ethernet, the known channels of a mobile communications network (GSM, UMTS, LTE, 3G, 4G or whatever) or a WI_FI network, even a direct wire or generally speaking any communications channel of any known conventional wired or wireless communications network. The classical channel may also be in the same medium as the quantum channel, for example, through spatial, time or frequency multiplexing. The classical channel is often assumed to be authenticated using any known authentication mechanism. CLPU(s) receive the correlated noisy raw key data and may apply various processing operations to it (which includes, for example, post-selection of data, adding noise, parameter estimation, information reconciliation, typically including an error correction step together with an error verification step, and privacy amplification). These operations will be described below in more detail. A. A prior art key distribution method and its insecurity [0025] Figure 1 shows a prior art key distribution method with two cryptographic stations, A and B, in the presence of an eavesdropper, Eve, where each cryptographic station contains only one key generation unit (KGU) and one classical post-processing unit (CLPU). In other words, cryptographic station A contains KGUA and CLPUA while cryptographic station B contains KGUB and CLPUB. In the figures, a superscript indicates whether the devices and keys correspond to the cryptographic station A or to the cryptographic station B. Each KGU generates a raw key, R, and each CLPU outputs a cryptographic key, K. CLPUA and CLPUB are connected through an authenticated conventional communication channel ("A.C. channel" in the figure, also called authenticated classical channel), and, within each cryptographic station, KGU and CLPU are connected through a classical (conventional) channel ("C. channel" in the figure). In QKD, a quantum channel ("Q. channel" in the figure) connects KGUA and KGUB; in the case of Maurer's public key agreement protocol the KGUs could receive broadcast classical signals from a common source. [0026] For instance, in a known QKD protocol (standard Bennett-Brassard BB84 protocol), two distant parties, Alice and Bob, would like to establish a secure cryptographic key between them. The cryptographic station A is controlled by one party, Alice (for example, the user of a first electronic communications device where the cryptographic station A is located), whereas cryptographic station B is controlled by another party, Bob (for example, the user of a second electronic communications device where the cryptographic station B is located). Now, KGUA prepares and sends via a quantum channel to the KGUB, a sequence of photons prepared in different polarisation states, which are chosen by KGUA from two possible conjugate bases, X and Z. For each photon, KGUB selects randomly one of the two conjugate bases and performs a measurement. KGUB records the outcome of the measurement and the basis choice. Then, KGUA passes the polarization data, RA, and other relevant ancillary information such as the basis information to CLPUA and KGUB passes the polarization data, RB, and other relevant ancillary information such as the basis information to CLPUB. [0027] Through an authenticated channel (A.C. channel), CLPUA and CLPUB broadcast their preparation and measurement bases. They discard all polarisation data sent and received in different bases and use the remaining data to generate a sifted key. To test for tampering, CLPUA and CLPUB compute the quantum bit error rate (QBER) of a randomly selected subset of data and verify that the QBER is below a certain threshold value. By applying classical post-processing protocols such as for example, information reconciliation (which typically includes an error correction step together with an error verification step) and privacy amplification, CLPUA and CLPUB generate a secure key, KA and KB, where with high probability a) KA=KB and b) KA is secure against an eavesdropper. [0028] In such a set-up, it is commonly assumed that all the KGUs (i.e., KGUA and KGUB) and all the CLPUs (i.e., CLPUA and CLPUB) are trusted. For instance, both device-independent and device-dependent settings of QKD are included in this framework. Standard device-dependent QKD assumes that QKD devices function correctly by, for example, preparing the correct state and performing perfect measurements in accordance with some theoretical protocols. In contrast, device-independent QKD has the advantage of allowing QKD devices to function in an arbitrary manner as long as there is no information leakage (e.g. about the final key) from cryptographic stations, A, and, B, to an eavesdropper. Unfortunately, such a prior art set-up is highly vulnerable to malicious attacks in either software and/or hardware. For example, if the eavesdropper Eve plants a memory in say, for example, KGUA, then the security of such prior art key distribution method may be compromised. This is illustrated in Figure 2. Eve could use this memory to store up the key material generated in a QKD session and then leak this information to the channel in subsequent QKD runs. For this, Eve could exploit for example the fact that each QKD run is often associated with a decision of abort or not abort depending on the observed QBER. The memory could then decide whether or not make KGUA to output a raw key, RA, with a high QBER (and then force the protocol to abort) depending on the value of a certain bit of the key generated in a previous QKD run. Alternatively, the memory might also leak the key material of a certain QKD round by simply hiding it in the public discussion of subsequent QKD runs. [0029] Hence, the way to perform secure key distribution when some of the KGUs or CLPUs are untrusted is an important non-solved challenge to prior art key distribution schemes. B. Scenario 1: A key distribution method with untrusted key generation units inside a cryptographic station. [0030] The key goal of the invention is to achieve security of key distribution in the presence of untrusted devices. These untrusted devices could be, for example, KGUs, CLPUs, or both of them together. In this section, it is considered the case when some KGUs might be untrusted but the CLPUs are assumed to be trusted. [0031] In this case, we consider a new key distribution protocol with multiple KGUs, as shown in Figure 3. This figure shows two cryptographic stations, A and B, in the presence of an eavesdropper (for example, in the channels that connect the cryptographic stations A and B and also in some of Alice's and Bob's KGUs, making these KGUs untrusted KGUs), Eve. Each cryptographic station contains n (more than one) key generation units, KGU, as well as at least one classical post-processing unit, CLPU. The i-th KGU generates a raw key, Ri. The channel that connects CLPUA and CLPUB is a conventional authenticated communication channel ("A.C. channel" in the figure, also called authenticated classical channel). The channel that connects KGUA i and CLPUA as well as the channel that connects KGUB i and CLPUB are secure classical (conventional) channels ("S.C. channel" in the figure) for all i=1,...,n. Also, in QKD, the channel that connects KGUA i and KGUB i is a quantum channel ("Q. channel" in the figure) for all i=1,...,n. [0032] That is, in this figure, the cryptographic station A has n (where n > 1) units KGUA 1, KGUA 2,... KGUA n, and the cryptographic station B has n units KGUB 1, KGUB 2,... KGUB n. As a side remark, note that low-cost KGUs exist because of the development of chip-based QKD transmitters. Our invention can leverage such devices. Note that the various KGU pairs could be purchased from different vendors. Our invention allows us to increase trust and construct a secure key generation system with components from cheap untrusted vendors. [0033] Of course, if all KGUs are compromised, then it is impossible to prove security so it is supposed that at least one of them is not compromised (that is, there is at least one trusted KGU). It is thus useful to define the access structure or adversary structure. By adversary structure, we mean what subsets of pairs of units KGUAi and KGUB i with i=1,..., n, might be dishonest (untrusted) without affecting the security of the final key (a pair of units KGUAi and KGUB i is dishonest if at least one of its units is dishonest). In the definition of the adversary structure one could distinguish between dishonest devices which are passively controlled by Eve and those that are actively controlled by Eve. For example, a device passively controlled by Eve can leak its information to her, but otherwise it follows all the indications of the protocol correctly. A device actively controlled by Eve, on the other hand, can leak its information to her and, moreover, it does not have to necessarily follow the prescriptions of the protocol but its behaviour is fully governed by Eve. An example of adversary structure could be that at most 3 out of 4 pairs of units KGUAi and KGUBi might be dishonest and actively controlled by Eve. This means that at least one of the 4 pairs of units KGUAi and KGUBi is honest. [0034] In Figure 3 we assume that each cryptographic station, A and B, has at least one classical post-processing unit, CLPUA and CLPUB respectively. In this scenario, all the CLPUs are supposed to be trusted. Also, each KGUA i is connected to CLPUA via a secure classical (conventional) channel (denoted as "S.C. channel iA" in Figure 3), and each KGUB i is connected to CLPUB via a secure classical (conventional) channel (denoted as "S.C. channel iB" in Figure 3). In all this text, it is meant with "secure classical or conventional channel", a channel that provides both secrecy and authentication. This could be achieved, for instance, by using the one-time-pad together with say the Wegman-Carter authentication scheme or any other known mechanism. Note that in practice one may also use as secure classical channel, for example, a physically protected path (e.g., a physical wire that protects against damage and intrusion) that connects only the prescribed devices. We remark that all secure classical channels are used to connect devices which are located inside a cryptographic station. Moreover, there is an authenticated classical (conventional) channel that connects CLPUA and CLPUB (denoted as "A.C. channel" in Figure 3). This could be achieved by using any known authentication scheme. In addition, in QKD, the units KGUA i and KGUB i, with i=1,..., n, are connected to each other through a quantum channel, denoted as "Q. channel i" in Figure 3, which is accessible to Eve. Note that all KGUA i and KGUB i could even share the same physical quantum channel (e.g. a single optical fiber) through various multiplexing techniques (e.g. wavelength multiplexing and spatial multiplexing). [0035] Each unit KGUA i in cryptographic station A sends the generated raw key, RA i, to CLPUA via the "S.C. channel iA" shown in Figure 3. If the cryptographic station A has more than one CLPU, then each KGUA i might send either its raw key RA i to each CLPU or its shares to one or more of the CLPUs in cryptographic station A. Similarly, each unit KGUB i sends the generated raw key, RB i, to CLPUB via the "S.C. channel iB". If the cryptographic station B has more than one CLPU, then each KGUB i might send either its raw key RB i or its shares to one or more of the CLPUs in cryptographic station B. If one assumes that here all CLPUs are trusted, then the direct transmission of the raw keys (i.e., without splitting them in shares) from the different KGUs to the CLPUs (within each cryptographic station) does not compromise the security. [0036] The CLPUs may apply various classical post-processing steps to the raw keys received. Owing to environmental disturbances and potential eavesdropping attacks by Eve, the raw key RA i generated by KGUA i might be different from the raw key RB i generated by KGUB i. Therefore, these classical post-processing steps usually should include information reconciliation and privacy amplification to ensure that the final keys generated, KA and KB, in cryptographic stations A and B are secret and probably the same. In an information reconciliation step one or more of the CLPUs in cryptographic stations A and B may first interchange error correction information, which is then used to correct their data such that KA and KB are with high probability equal. This can be done using any known procedure (see, for example, Brassard G. and Salvail, L. Secret key reconciliation by public discussion. Université de Montreal Proc. of Advances in Cryptology (Eurocrypt 93), 410-23 (1993)). Next, cryptographic stations A and B might perform an error verification step to confirm that KA and KB are indeed equal to each other with high probability. The privacy amplification step is used to guarantee that the final key, KA and KB, is indeed probably secret (i.e., Eve has only negligible information about it). For this, privacy amplification removes the partial information that Eve could have obtained about say for instance the raw keys RA i, with i=1,...,n. Eve might have obtained information about these raw keys by eavesdropping the quantum channels that connect the units KGUAi and KGUBi for all i, as well as by listening to the contents of the authenticated classical channel that connects CLPUA and CLPUB. Also, all dishonest pairs KGUA i and KGUB i could directly leak RA i to Eve. As mentioned earlier, privacy amplification may be done by hashing a raw key by applying a two-universal hash function (for example, by multiplying a string with a random matrix of binary entries). [0037] In addition, the classical post-processing steps may also include, for example, post-selection of data, adding noise, parameter estimation and error verification. In each of these classical post-processing steps one or more of the CLPUs in cryptographic stations A and B can use the authenticated classical channel between them to interchange information and post-process their data. For instance, in the step of data post-selection the CLPUs divide the raw data RA i and RB i into different data sets. Just as an example, the CLPUs may divide the raw data in three main data sets. The first data set contains the raw data that will be post-processed to obtain a secure key, KA and KB; the second data set (also denoted as parameter estimation data set) contains the raw data that will be used for parameter estimation in order to determine the parameters that are needed to generate KA and KB from the data in the first data set; and the third data set contains the raw data that is discarded. For instance, in the standard Bennett-Brassard BB84 protocol Alice and Bob usually discard the raw data associated to basis mismatched events. Also, the CLPUs may add noise to the raw data by flipping some of their bits (see, for example, Renner, R., Gisin, N. and Kraus B. An information-theoretic security proof for QKD protocols. Phys. Rev. A 72, 012332 (2005)) or any other known mechanism to add noise. In the parameter estimation step, on the other hand, the CLPUs use the data from the parameter estimation data set to determine bounds on the quantities that are needed to generate a secure key. These quantities may include, for example, the QBER, the phase error rate, the number of single-photon pulses emitted by Alice that contribute to the data set that is used to generate a secure key, etc. Finally, in the error verification step the CLPUs confirm that KA and KB are equal with certain probability. An information reconciliation process may consist of many steps and error verification may be the final step in the information reconciliation process. The purpose of error verification is to confirm that the information reconciliation process is successful. For this, they could use for example a two-universal hash function to compute a hash of both KA and KB and then they could check if both hashes are equal. [0038] Below we describe, as an example, a protocol for key distillation that achieves security against dishonest KGUs. It can be decomposed in two main conceptual steps. In particular, suppose that all the units KGUA i in cryptographic station A have sent the raw key data RA i to CLPUA, and also suppose that all the units KGUB i in cryptographic station B have sent the raw key data RB i to CLPUB. Then, in a first step, the units CLPUA and CLPUB post-process the data RA i and RB i for all i to obtain a secret key, KA i and KB i, or the abort symbol ⊥i. In the case of using QKD for raw data generation, an abort symbol may be generated when the Quantum Bit Error Rate is higher than some prescribed value (e.g. 11% in the case of Shor-Preskill proof for the Bennett-Brassard BB84 protocol). For this, CLPUA and CLPUB may use some of the classical post-processing steps described above. These classical post-processing steps may include a privacy amplification step to remove Eve's partial information about KA i and KB i due to her eavesdropping on the "Q. channel i" (see Figure 3) that connects KGUA i and KGUB i as well as due to Eve listening to the contents of the authenticated classical channel that connects the units CLPUA and CLPUB. Next comes a key step in this embodiment of the invention. In particular, in a second step, CLPUA and CLPUB apply an additional privacy amplification step to KA'=[KA 1, KA 2,..., KA M] and KB'= [KB 1, K B 2,..., K B M], where M represents the number of pairs KA i and KB i that are different from the abort symbol ⊥i. The purpose of this second privacy amplification step is to remove the information that the dishonest pairs of KGUs could leak to Eve about say KA'. To simplify the discussion, let us consider for instance that the length of all KA i and KB i is N bits for all i=1,..., M. Also, let us consider for example an adversary structure where at most t<n pairs of units, KGU A i and KGUB i, might be dishonest and actively controlled by Eve. This means that at most t∗N bits of KA' could be compromised and known to Eve. Then, the application of a privacy amplification step on KA' and KB' removes this compromised information and results in a final key, KA and KB, of about (M-t)∗N bits. Next we describe the step by step implementation of this specific example. The goal is to generate a secure key in the standard composable setting in cryptography. More concretely, to generate an epsilon-secure key, KA and KB. That is, KA and KB must be both epsilon_cor-correct and epsilon_sec-secret. Epsilon, epsilon_cor and epsilon_sec are design parameter for the key generation system which fulfill epsilon_cor+epsilon_sec ≤ epsilon (roughly speaking, a key is epsilon_cor-correct if KA=KB except for a small probability of at most epsilon_cor. And, a key is epsilon_sec-secret if it is random and secret from an eavesdropper Eve, except for a small failure probability of at most epsilon_sec). [0039] The protocol for secure key generation may comprise the following steps (this is only a possible embodiment, and not all the cited steps are essential and mandatory in all the embodiments of the present invention): Protocol 1: [0040] 1. Distribution of the raw data: Each KGUA i sends to CLPUA the raw key RA i or the abort symbol ⊥i. Also, each KGUB i sends to CLPUB the raw key RB i or the abort symbol ⊥i.2. Generation of an epsilon_cor-correct key KA' and KB': CLPUA and CLPUB use a key post-processing protocol to generate a (epsilon_cor/M)-correct and (epsilon_sec/M)-secret key (with epsilon_cor+epsilon_sec ≤ epsilon), KA i and KB i, from RA i and RB i, or they generate the symbol ⊥i to indicate abort (that is, to indicate that the post-processing procedure was not success and it was not possible to generate a valid key from the raw data) for all i = 1,...,n. Afterward, CLPUA concatenates the M keys KA i which are different from ⊥i to form KA'=[KA 1, KA 2,..., KA M]. Also, CLPUB concatenates the keys KB i which are different from ⊥i to form KB'=[KB 1, KB 2,..., KB M].3. Generation of a epsilon-secure key KA and KB: CLPUA and CLPUB apply a privacy amplification step to extract from KA' and KB' a shorter key, KA and KB, of length of about (M-t)*N bits. This can be done by using random hashing with a random matrix as explained before or using any other known privacy amplification mechanism. [0041] We remark that Protocol 1 is just a non-limitative example of an embodiment of the invention. For example, note that a naive method for implementing the additional privacy amplification step which is applied to KA' is simply for Alice to take the bit-wise XOR of the various keys, KA i (and similarly for Bob). Also, in general, there is no need to apply privacy amplification in two different steps (i.e., for generating first KA' and KB' and, afterwards, for generating KA and KB from KA' and KB') but it could be applied in one single step. That is, one could directly generate an epsilon-secure key, KA and KB, in one single step from all the raw keys, RA i and RB i, together. Importantly, Protocol 1 illustrates that privacy amplification can be used to guarantee the secrecy of the final key, KA and KB, in the presence of dishonest KGUs with a prescribed access structure. C. Scenario 2: A key distribution method with untrusted classical post-processing units inside a cryptographic station. [0042] In this section, it is considered a scenario where some CLPUs in a cryptographic station may be untrusted but the KGUs are trusted. Once again, to improve security, it is considered using multiple CLPUs in a cryptographic station, as shown in Figure 4. This figure shows two cryptographic stations, A and B, in the presence of an eavesdropper (for example, in the channels that connect the cryptographic stations A and B and also in some of Alice's and Bob's CLPUs, making these CLPUs untrusted CLPUs), Eve. Each cryptographic station contains more than one processing units (known as classical post-processing units, CLPUs). Each CLPU generates shares of a cryptographic key, K. [0043] While the scope of the invention is general and applies to a general adversary structure with dishonest CLPUs which could be passively or actively controlled by Eve, for illustrative purposes, we will describe here the simple threshold case with a fixed number of dishonest CLPUs actively controlled by Eve (however, the invention can be applied to other more complex cases). More concretely, consider the situation where the cryptographic stations A and B have one trusted KGU each, and, moreover, the cryptographic station A has "s" classical post-processing units CLPUA 1, CLPUA 2,... , CLPUA s, and the cryptographic station B has "s''' classical post-processing units CLPUB 1, CLPUB 2,... , CLPUB s'. Also, suppose that up to t < s/3, CLPUA i and up to t' < s'/3 CLPUB j could be dishonest and actively controlled by Eve, with i=1,..., s, and j=1,..., s'. Note that the various CLPUs could be purchased from different vendors. The present invention allows to construct a secure key generation system with components from untrusted vendors. [0044] Since some CLPUs are dishonest (untrusted), the present invention does not allow them to have the final key, KA and KB, instead, they are only allowed to produce some shares of the final key, KA and KB. For instance, in Figure 4, we denote the shares of KA generated by CLPUA i (for i=1, 2, .., s) as KA ixy and similarly, we denote the shares of KB generated by CLPUB j (for j= 1, 2, .., s') as KB jxy for certain indexes x and y. [0045] KGUA is connected to each CLPUA i via a secure classical (conventional) channel (denoted as "S.C. channel iA" in Figure 4), and KGUB is connected to each CLPUB j (conventional) via a secure classical channel (denoted as "S.C. channel jB" in Figure 4). Moreover, each pair of units CLPUA i and CLPUA i', with i,i'=1,...,s, is connected to each other via a secure classical (conventional) channel (denoted as "S.C. channel ii'A" in Figure 4), and each pair of units CLPUB j and CLPUB j', with j,j'=1,...,s', is connected to each other via a secure classical channel (denoted as "S.C. channel jj'B" in Figure 4). In addition, each pair of units CLPUA i and CLPUB j is connected to each other via an authenticated classical (conventional) channel (denoted as "A.C. channel ijAB" in Figure 4). Furthermore, in QKD, KGUA and KGUB are connected to each other through a quantum channel (denoted as "Q. channel" in Figure 4), which is accessible to Eve. [0046] In this situation, it is considered a new key distribution protocol where KGUA sends shares of the generated raw key, RA, to one or more of the CLPUA i. Similarly, KGUB sends shares of the raw key, RB, to one or more of the CLPUB j. In Figure 4, SA i denote the shares of RA that KGUA sends to CLPUA i and SB j are the shares of RB that KGUB sends to CLPUB j. If the cryptographic station A and/or B have more than one KGU, then each KGU might send shares of its raw key to one or more of the CLPUs in that cryptographic station. Next, the units CLPUA i and CLPUB j post-process the raw key, RA and RB, in a distributed setting by acting on the shares, SA i and SB j, received and they generate shares, KA i,1, KA i,2,..., KA i,n_i and KB j,1, KB j,2,..., KB j,m_j, of the final key, KA and KB. Here n_i denotes the total number of shares of KA generated by the unit CLPUA i and m_j denotes the total number of shares of KB generated by the unit CLPUB j. Again, this classical data post-processing may include several steps like, for example, post-selection of data, adding noise, parameter estimation, information reconciliation, and privacy amplification. [0047] To split the raw key, RA and RB, into shares, the KGUs could use any known method, for instance, secret sharing schemes or verifiable secret sharing schemes. In a secret sharing scheme, the person/device that is splitting the secret is called the dealer. In the case where a dealer might be dishonest, it is important to verify that the values of shares sent by the dealer are consistent with each other. Also, in the presence of dishonest parties, it is important to be able to guarantee that all honest parties can reconstruct the same secret from the shares received, and, moreover, if the dealer is honest, the reconstructed secret should be equal to that originally distributed by the dealer. Such verification can be done by a verifiable secret sharing scheme. In a verifiable secret sharing scheme, a dealer further splits each share into "shares of share" and sends those shares of share to various participants. Those participants may then verify the consistency of the values of those shares of shares. [0048] In the presence of dishonest CLPUs, the use of a verifiable secret sharing scheme can guarantee the consistency of the shares distributed. Therefore, the use of an information reconciliation step (which might include an error verification step) can guarantee the correctness of the final key, KA and KB. [0049] Below we include the step by step implementation of an example of a verifiable secret sharing scheme from Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006). It uses a (q,q) threshold secret sharing scheme, to distribute a message to n parties. This last scheme could be implemented, for instance, by splitting the message X, to be distributed, into a random sum of q shares Xi, with i = 1,...,q. This could be done, for example, by selecting the first q-1 shares Xi of X at random, and then by choosing Xq = X⊕X1⊕... ⊕Xq-1, where the symbol ⊕ denotes summation in modulo 2 algebra. A verifiable secret sharing scheme usually can be decomposed into two protocols: the share and the reconstruct protocols. The example of verifiable secret sharing scheme presented below allows to split a message X between n parties, and provides information-theoretic security against a threshold active adversary structure with at most t<n/3 dishonest parties. Again, by (general) adversary structure we mean a set of subsets that identifies which combinations of parties could be passively corrupted, and a set of subsets that identifies which combinations of parties could be actively corrupted. Note that verifiable secret sharing schemes that are secure against general adversary structures also exist. In order to simplify the explanation, it has been assumed here a threshold active adversary structure where at most t parties could be actively corrupted (however, the invention can be applied to other more complex cases). So the example of verifiable secret sharing scheme described above and whose share and reconstruct protocols are given below is secure against such threshold active adversary structure but it is not always secure against general adversary structures. However, if one wishes, one could modify it to make it secure against a general adversary structure. Actually such modification was introduced in the document cited before Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006). Share protocol: [0050] 1. The dealer uses a (q,q) threshold secret sharing scheme to split the message X into q=n!/[(n-t)!t!] shares Xi, with i = 1,...,q.2. Let {σ1,..., σq} denote all (n-t)-combinations of the set of n parties. Then, for each i=1,...,q, the dealer sends Xi over a secure channel to each party in the set σi. If a party does not receive his share, he takes as default share, for example, a bit string with all its components equal to zero.3. All pairs of parties in σi send each other their shares Xi over a secure channel to check that their shares are indeed equal. If an inconsistency is found, they complain using a broadcast channel.4. If a complaint is raised in σi, the dealer broadcasts Xi to all parties and they accept the share received. If the dealer refuses (or he is not able) to broadcast Xi to all the parties when there is a complaint in σi, the protocol aborts. Reconstruct protocol: [0051] 1. All pairs of parties send each other their shares over an authenticated classical channel.2. Each party uses majority voting to reconstruct the shares Xi Vi, and then they obtain X=X1 ⊕.. ⊕Xq. [0052] Figure 5 provides a graphical representation of the share and the reconstruct protocols above explained for the case of a threshold adversary structure where at most 1 out of 4 parties could be dishonest (i.e., n=4 and t=1). In the verifiable secret sharing scheme shown in figure 5, the message, X, is split between four parties Pi, with i=1,...,4, and provides information-theoretic security against a threshold active adversary structure with at most t=1 dishonest parties. In the figure, Xi={x,y,z} denotes the shares Xx, Xy and Xz of X. In the share protocol all channels are secure classical (conventional) channels while in the reconstruct protocol the channels are authenticated classical (conventional) channels. [0053] In the case shown in the figure, the sets σ1={P2,P3,P4}, σ2={P1,P3,P4}, σ3={P1,P2,P4} and σ4={P1,P2,P3}, are defined. As q=n!/[(n-t)!t!=4, the message X has been splitted into 4 shares X1, X2, X3 and X4. Then the dealer sends Xi over a secure channel to all parties in σi. For example, he sends X1 to P2, P3 and P4, and similarly for the other shares. [0054] We note that the broadcast channel which is required to perform steps 3 and 4 of the share protocol above does not have to be a physical channel but it could be a simulated channel. [0055] The above presented verifiable secret sharing scheme is only a non-limitative example and any other known or yet to be developed verifiable secret sharing mechanisms could be used. For example, if the number n of parties is large, there exist other efficient verifiable secret sharing schemes or if a physical broadcast channel is actually available, there exist verifiable secret sharing schemes which can guarantee security given that there is a majority of honest parties (see, for example, Rabin, T. and Ben-Or, M. Verifiable secret sharing and multiparty protocols with honest majority. Proc. 21th Annual ACM Symposium on Theory of Computing (STOC'89) 73-85 (ACM, New York, NY, USA, 1989)). [0056] To implement several of the classical post-processing steps which are required to distil a secure key, the CLPUs might need to generate random numbers between mutually untrusted parties. Next we present the step by step implementation of an example of a scheme which could be used to solve this task. It follows directly from verifiable secret sharing schemes and it can generate a common perfectly unbiased random l-bit string r between n parties when up to t<n/3 of them could be dishonest and actively controlled by Eve. For convenience, we denote it the Random Bit String (RBS) protocol. RBS protocol: [0057] 1. Say each of the first t+1 parties produces locally a random l-bit string ri and sends it to all the other parties using the share protocol of a verifiable secret sharing scheme.2. Each party uses a broadcast channel to confirm that it has received the shares from the first t+1 parties. Otherwise, the protocol aborts.3. All parties use the reconstruct protocol of a verifiable secret sharing scheme to obtain ri for all i = 1,...,t+1. Afterward, each of them calculates locally r = r1⊕... ⊕rt+1. [0058] Like above, we note that the broadcast channel required in step 2 of the RBS protocol could be implemented with a simulated broadcast channel. Also, note that in order to generate random numbers between mutually untrusted parties which are secure against general adversary structures one could simply use in the RBS protocol above the share protocol (in step 1) and the reconstruct protocol (in step 3) of a verifiable secret sharing scheme that is secure against general adversary structures, like for instance that introduced in Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006). [0059] To illustrate the present invention in this scenario, next we describe two protocols (see Protocols 2 and 3 below) which could be used to achieve secure key distribution with untrusted CLPUs. They are two examples of embodiments of the present invention. For ease of illustration we will consider in these two examples that the number of CLPUs in cryptographic station A is equal to that of B, i.e., s=s', but of course, this is not a required condition and the number of CLPUs in each cryptographic station can be different. [0060] The first example (see Protocol 2 below) can be decomposed in two main conceptual steps. In a first step, KGUA and KGUB perform s independent key generation sessions, each of them is performed with a different pair of units CLPUA i and CLPUB i, with i=1,...,s. The goal of each session is to generate a say (epsilon/s)-secure key, KA i and KB i, or the abort symbol ⊥i. For easy of illustration, consider that the length of each KA i and KB i is N bits for all i. If say the pair CLPUA i and CLPUB i is dishonest then we have that KA i and KB i could be compromised and known to Eve. A pair CLPUA i and CLPUB i is dishonest if at least one of its units is dishonest. Then, in a second step, the keys KA i and KB i are concatenated to form KA'=[KA 1, KA 2,..., KA M] and KB'= [KB1, KB 2,..., KB M], where M denotes the number of keys KA i and KB i which are different from the abort symbol, and the CLPUs apply an error verification step and a privacy amplification step to KA' and KB'. Here comes a key contribution of this embodiment of the invention: this second step is performed in a distributed setting by acting only on shares of KA' and KB'. We remark that this is possible because all these post-processing techniques are usually "linear" in nature (i.e., they typically involve simple functions in linear algebra such as bit-wise XOR and multiplications of matrices) and thus they can be easily implemented by acting only on shares of KA' and KB'. In certain steps, the CLPUs might need information about shares which are in the hands of other CLPUs. To obtain such information, they could use for instance the reconstruct protocol of a verifiable secret sharing scheme. That is, all the units which have the information simply send it to the unit which requires it and the use of majority voting allows this unit to discriminate the information which is correct. Next we describe the protocol in more detail: Protocol 2 (this is only a possible embodiment, and not all the cited steps are essential and mandatory in all the embodiments of the present invention): [0061] 1. Generation of KA i and KB i: KGUA and KGUB perform s independent key generation sessions, each of which with a different pair of units CLPUA i and CLPUA i, with i=1,...,s. For this they use the "Q. channel", the "S.C. channel iA", the "S.C. channel iB", and the "A.C. channel iiAB" shown in Figure 4. The result of each key generation session will be two bit strings, KA i and KB i, which are supposed to be say (epsilon_cor/s)-correct and (epsilon_sec/s)-secret (with epsilon_cor+epsilon_sec ≤epsilon), or the symbol ⊥i to indicate abort.2. Distribution of shares of KA i and KB i: Each CLPUA i splits KA i into shares and sends them to the other CLPUs in cryptographic station A following for example the share protocol of a verifiable secret sharing scheme and using the secure classical channels "S.C. channel ilA" shown in Figure 4, and all CLPUA l, with l=1,..,s and l≠i, confirm to each other that they have received their shares. Let K'A lij be the j-th share of KA i received by CLPUA i. Likewise, the units CLPUB i act similarly with KB i. Let K'B lij be the j-th share of KA i received by CLPUB l.3. Generation of K"A lij and K"B lij: Each CLPUA l, with l=1,..,s, defines locally the bit strings K"A lij =[01,..., 0i-1, K'A lij,0i+1,..., 0M], where 0i, with i=1,..., M, represents the N-bit zero vector, and M is the number of pairs CLPUA i and CLPUB i which did not output the abort symbol ⊥i. Likewise, the units CLPUB l act similarly and they obtain K"B lij.4. Error verification: The CLPUA l, with l=1,..,s, use for example the RBS scheme to select a random bit string and with it they choose at random a two-universal hash function from a pre-fixed set of two-universal hash functions. Then, each of them computes locally a hash hA lij =hash(K"A lij) of length say ┌log2 (4/epsilon_cor)┐ bits for all its bit strings K"A lij, and say the first 2t+1 CLPUA l send the hash function to all CLPUB l' through the authenticated classical channels "A.C. channel ∥'AB" shown in Figure 4, with l'=1,..,s. Each CLPU B l' reconstructs locally the hash function by using majority voting and obtains hB l'ij=hash(K"B l'ij) for all its bit strings K"B l'ij. Next, all CLPUA I and CLPUB l' use the reconstruct protocol to obtain hA= hA 11⊕... ⊕hA Mq and hB= hB 11⊕... ⊕hB Mq, where q=s!/[(s-t)!t!] is the number of shares for each KA i and KB i. For this, they send each other the bit strings hA lij and hB l'ij through the channels "A.C. channel ∥'AB", "S.C. channel ll'A" and "S.C. channel ∥'B" shown in Figure 4, and each of them uses majority voting to obtain hA ij and hB ij from hA lij and hB l'ij. Finally, each CLPUA l and CLPUB l' checks locally that hA=hB. If they are not equal, they output the abort symbol. If they are equal, they proceed to step 5. This error verification step guarantees that K"A=K"A 11⊕.. . ⊕K"A Mq and K"B=K"B 11⊕... ⊕K"B Mq are equal except for probability at most epsilon_cor, where K"A ij denote the bit strings that would be obtained from K"A lij by using majority voting, and the definition of K"B ij is analogous.5. Privacy amplification: The CLPUA l use the RBS scheme to randomly select a two-universal hash function, hashPA, from a pre-fixed set of them. They compute KA iij= hashPA(K"A lij), and say the first 2t+1 CLPUA I send hashPA to all CLPUB l' through the authenticated classical channels "A.C. channel ∥'AB" shown in Figure 4, with l'=1,..,s. Next, the CLPUB l' use majority voting to determine hashPA from the information received and compute KB l'ij=hashPA(K"B l'ij). The function hashPA maps the (M*N)-bit strings K"A lij and K"B l'ij to two shorter bit strings, KA lij and KB l'ij respectively, of size about (M-2*t)*N-┌log2 (4/epsilon_cor)┐ bits. The reason for subtracting 2*t*N bits is that, in the worst case scenario, the presence of t dishonest parties CLPUA I and t independent dishonest parties CLPUB l' could result in 2*t dishonest pairs CLPUA l and CLPUB l, with l=1,...,s, and, therefore, 2*t*N bits from K"A could be compromised. [0062] Given that t<MA i/3 and t<MB i/3 for all i=1,..., M, where MA i denotes the number of CLPUA I that do not produce the abort symbol but generate post-processed shares, KA lij, from KA i, and MB i denotes the number of CLPUB l' that do not produce the abort symbol but generate post-processed shares, KB l'ij, from KB i, then the bit strings KA lij and KB l'ij produced by the units CLPUA I and CLPUB l' in step 5 of Protocol 2 are shares of a final epsilon-secure key, KA and KB. As mentioned above, in this scenario the units CLPUA i and CLPUB i are only allowed to produce shares of KA and KB. Say a secure lab in cryptographic station A could use majority voting to obtain KA ij from KA lij. Similarly, say a secure lab in cryptographic station B could use majority voting to obtain KB ij from KB l'ij. Then, the final key could be obtained as KA= KA 11⊕... ⊕KA Mq and KB= KB 11⊕... ⊕KB Mq. [0063] Next we present the second example of a protocol that can provide secure key distribution with untrusted classical post-processing units (see Protocol 3 below). This protocol has two main advantages with respect to Protocol 2. First, it does not require to run s independent key generation sessions but it can distil an epsilon-secure key from one single key generation run. And, second, it is more efficient in terms of the secret key rate, as it delivers a secret key rate that could be about s/(s-2*t) times higher than that provided by Protocol 2. While the scope of application of the present invention is general, for ease of illustration below we will consider that the key distillation procedure does not use random post-selection of data from the raw key (however, the invention can be applied to other more complex cases where random post-selection of data from the raw key is performed). Also, for ease of illustration it will be assumed that the classical post-processing protocol does not estimate the actual QBER but it uses a pre-fixed QBER value for the error correction step followed by an error verification step. Protocol 3 below can be decomposed in two main conceptual steps. In a first step, KGUA and KGUB generate a raw key, RA and RB respectively. Next comes a key step in this embodiment of the invention. KGUA splits RA in shares by using, for instance, the share protocol of a verifiable secret sharing scheme and then sends these shares to the units CLPUA i. This step is illustrated in Figure 4, where SAi represents the shares of RA that are sent to CLPUA i through the secure channel "S.C. channel iA". Likewise, RB is sent to the units CLPUB i split into shares. Then, in a second step, each CLPUA i and CLPUB i' with i,i'=1,...,s, applies the classical post-processing protocol to the shares received. That is, each CLPU may apply data post-selection, adding noise, parameter estimation, information reconciliation, and privacy amplification in a distributed setting by acting directly on the shares received. Like in the case of steps 4 and 5 in Protocol 2, this is possible because all these post-processing techniques involve simple functions in linear algebra and thus they are easily implementable by acting only on shares. Next we describe the steps of Protocol 3 in more detail: Protocol 3 (this is only a possible embodiment, and not all the cited steps are essential and mandatory in all the embodiments of the present invention): [0064] 1. Distribution of RA and RB: KGUA and KGUB first generate a raw key, RA and RB. Next, KGUA uses the share protocol of a verifiable secret sharing scheme to create q=s!/[(s-t)!t!] shares of RA and then distributes them among the CLPUA i, with i = 1,...,s, by using the secure classical channels "S.C. channel iA" shown in Figure 4. For instance, for this KGUA can use the share protocol previously described above. Likewise, KGUB does the same with RB and the units CLPUB i with i= 1,...,s. Let K'A ij be the j-th share of RA received by CLPUA i and let K'B ij be the j-th share of RB received by CLPUB i (j=1,....,q). The set of shares K'A ij received by CLPUA i and the set of shares K'B ij received by CLPUB i are represented in Figure 4 as SA i and SB i respectively.2. Post-selection of data: Each CLPUA i for all i extracts from the shares K'A ij received two bit strings: K'A ij,key and K'A ij,est. The first bit string will be used for key generation (transformed in a secure key thanks to the post-processing) and the second bit string will be used for parameter estimation. Likewise each CLPUB i for all i does the same with K'B ij to obtain K'A ij,key and K'B ij,est.3. Parameter estimation: All CLPUA i and CLPUBi', with i,i'=1,...,s, use the reconstruct protocol of a verifiable secret sharing scheme to obtain both KA est and KB est, which are the parts of K'A and K'B that are used for parameter estimation. For this, they send each other their shares K'A ij,est and K'B i'j,est through the channels "S.C. channel iA", "S.C. channel i'B" and "A.C. channel ii'AB" shown in Figure 4. That is, each unit CLPUA i receives the shares K'A i'j,est and KB i'j,est which are in the hands of all the other CLPUs. Similarly, each unit CLPUB i receives the shares K'A i'j,est and KB i'j,est which are in the hands of all the other CLPUs. Then, each of them uses majority voting to obtain both KA j,est and KB j,est from K'A ij,est and K'B ij,est for all j = 1,...,q. Afterward, they calculate KA est= KA 1,est⊕... ⊕KA q,est and KB est= KB 1,est⊕... ⊕KB q,est. With this information, each CLPUA i and CLPUB i' performs locally the parameter estimation step of the protocol (e.g., they estimate the phase error rate). If the phase error is too high, an abort symbol is outputted.4. Error Correction: The CLPUA i and CLPUB i perform error correction on the parts of K'A and K'B that are used for key distillation, K'A key and K'B key. This process is done by acting on their shares K'A ij,key and K'Bij,key respectively. For this, each CLPUA i applies certain matrices MEC to K'A ij,key to obtain sA ij=MEc ∗K'A ij,key. Similarly, each CLPUB i applies MEC to K'B ij,key to obtain sB ij=MEc ∗K'B ij,key. Afterward, CLPUA i and CLPUB i use the reconstruct scheme of a verifiable secret sharing scheme to guarantee that all CLPUB i can obtain sA=MEC ∗K'A key and sB=MEC ∗K'B key. For this, all CLPUA i send to all CLPUB i' the bit strings sA ij via the authenticated classical channel "A.C. channel ii'AB" shown in Figure 4. Also, all CLPUB i in cryptographic station B send each other the bit strings sB ij via the "S.C. channel ii'B" shown in Figure 4. Then, each CLPUB i uses majority voting to reconstruct locally sA j and sB j, for all j, from sA ij and sB ij. Finally, they obtain S A=S A 1⊕... ⊕sA q and sB=sB 1⊕... ⊕sB q. Next, the CLPUs in cryptographic station B correct K'B key. For this, say all CLPUB i which have for instance the j-th share K'B ij,key of K'B key for a pre-fixed index j = 1,...,q, flip certain bits of this share depending on the value of sA and sB. This whole process is repeated until the error correction procedure ends. The end of the error correction procedure is determined by the particular error correction protocol implemented as well as by the value of the QBER. Let KA ij,key and KB ij,key denote the shares K'A ij,key and K'B ij,key after error correction, and let leakEC bits be the syndrome information. Here syndrome information refers to the information that the CLPUs at one cryptographic station send to the CLPUs at the other cryptographic station (and vice versa) during this error correction process. For example, in each iteration of error correction the CLPUs at cryptographic station A send |sA| bits of syndrome information to the CLPUs at cryptographic station B.5. Error verification: The CLPUA i, with i=1,...,s, use the RBS scheme to randomly select a two-universal hash function. Then, each of them computes locally a hash hA ij=hash(KA ij,key) of length say ┌log2 (4/epsilon_cor)┐ bits and say the first 2t+1 CLPUA i send the hash function to all CLPUB i', with i'=1,...,s, through the authenticated classical channels "A.C. channel ii'AB" shown in Figure 4. Each CLPUB i reconstructs locally the hash function by using majority voting and obtains hB ij=hash(KB ij,key). Next, all CLPUA i and CLPUB i use the reconstruct protocol of a verifiable secret sharing scheme to obtain both hA= hA 1⊕... ⊕hA q and hB= hB 1⊕... ⊕hB q from hA ij and hB ij. For this, they send each other hA ij and hB ij through the channels "A.C. channel ii'AB", "S.C. channel ii'A" and "S.C. channel ii'B" shown in Figure 4 with i,i'=1,...,s. That is, each unit CLPUA i' receives the shares hA ij and hB ij which are in the hands of all the other CLPUs. Similarly, each unit CLPUB i, receives the shares hA ij and hB ij which are in the hands of all the other CLPUs. Then, each of them uses majority voting to determine both hA j and hB j for all j from hA ij and hB ij. Finally, each of them checks locally whether or not hA=hB. If they are not equal, they output the abort symbol. If they are equal they proceed to step 6. This error verification step guarantees that K'A key=KA 1,key⊕...⊕KA q,key and K'B key=KB 1,key⊕...⊕KB q,key are equal except for probability at most epsilon_cor, where KA j,key and KB j,key denote, respectively, the bit strings that would be obtained from KA ij,key and KB ij,key by using majority voting.6. Privacy amplification: The CLPUA i use for instance the RBS protocol to randomly select a two-universal hash function, hashPA. Next, they compute KA ij=hashPA(KA ij,key), and say the first 2t+1 CLPUA ¡ send hashPA to all CLPUB i' through the authenticated classical channels "A.C. channel ii'AB" shown in Figure 4, with i'=1,...,s. Next, the CLPUB i use majority voting to determine hashPA from the information received and calculate KB ij=hashPA(KB ij,key). The function hashPA removes Eve's partial information on the final key, KA and KB, which includes the syndrome information leakEC disclosed during the information reconciliation step, the hash value disclosed during the error verification step, and Eve's information about the key which can be estimated from the phase error rate. [0065] We note that if the number of dishonest units CLPUA i satisfies t<MA/3 and the number of dishonest units CLPUB i satisfies t<MB/3, where MA is the number of units CLPUA i that do not abort and MB is the number of units CLPUB i that do not abort, then from the bit strings KA ij and KB ij produced in step 6 of Protocol 3 it is possible to reconstruct an epsilon-secure key, KA and KB. For this, say a secure lab in cryptographic station A could use majority voting to obtain KA j from KA ij for all j=1,...,q. Similarly, say a secure lab in cryptographic station B could use majority voting to obtain KB j from KB ij for all j=1,... ,q. Then, KA=KA 1⊕. ..⊕KA q and KB=KB 1⊕... ⊕KB q. [0066] We remark that Protocols 2 and 3 are just non-limitative examples of embodiments of the invention. Note that these protocols could be modified to guarantee security against general adversary structures. For this, one could basically replace the verifiable secret sharing scheme above which is secure against threshold active adversary structures with another known one robust against general adversary structures (see, for example, Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006)), and, in addition, the method to announce the hash functions hash and hashPA may now depend on the adversary structure. Importantly, Protocols 2 and 3 highlight a key contribution of the present invention, which is that the use of secret sharing schemes could guarantee the security of key distribution in the presence of dishonest CLPUs. D. Scenario 3: A key generation method with untrusted key generation units and untrusted classical post-processing units in a cryptographic station. [0067] Here, it is considered the more general scenario (preferred embodiment of the invention), in which both the KGUs and the CLPUs in a cryptographic station may be untrusted. Again, to guarantee security multiple CLPUs and KGUs are used in each cryptographic station, as shown in Figure 6, where there are two cryptographic stations, A and B, in the presence of an eavesdropper, Eve, and each cryptographic station contains more than one key generation unit, KGU, and more than one classical post-processing unit, CLPU. Like in the previous scenarios, for illustrative purposes below we will describe the simple situation of a threshold active adversary structure with a fixed number of dishonest KGUs and CLPUs both of them actively controlled by Eve. More precisely, consider the situation where the cryptographic station A has n units KGUA 1, KGUA 2,..., KGUA n, as well as s units CLPUA 1, CLPUA 2,... , CLPUA s, and the cryptographic station B has n units KGUB 1, KGUB 2,... , KGUB n and s' units CLPUB 1, CLPUB 2,... , CLPUB s' (here it is supposed that station A and B have the same number of KGUs but this is only an example for illustration purposes and they may have a different number of KGUs). Also, consider that up to t<s/3 units CLPUA l, up to t'<s'/3 units CLPUB j, and up to t"<n pairs of key generation units KGUA i and KGUB i with i=1,...,n, could be dishonest (untrusted) and actively controlled by Eve. A pair of units KGUA i and KGUB i is dishonest if at least one of its units is dishonest. This is only a non-limitative example and, of course, the invention can be applied to any general adversary structure. [0068] Once again, since some CLPUs are dishonest, it is not allowed for any of them to have the final cryptographic key, KA and KB, but they can only produce shares of it. For instance, in Figure 6, the shares of KA which are produced by CLPUA I (for l=1,2,..,s) are denoted by KA lxy for certain indexes x and y and, similarly, the shares of KB which are produced by CLPUB j (for j=1,2,..,s') are denoted by KB jxy. Also, like in the previous cases, we consider that each KGUA i is connected to each CLPUA I via a secure classical (conventional) communication channel (denoted as "S.C. channel ilA" in Figure 6), with i=1,...,n and l=1,...,s, each KGUB i is connected to each CLPUB j via a secure classical (conventional) communication channel (denoted as "S.C. channel ijB" in Figure 6), with j= 1,...,s', each pair of units CLPUA l and CLPUA l', with l,l'=1,...,s, is connected to each other via a secure classical (conventional) communication channel (denoted as "S.C. channel ll'A''' in Figure 6), each pair of units CLPUB j and CLPUB j', with j,j'=1,...,s', is connected to each other via a secure classical (conventional) communication channel (denoted as "S.C. channel jj'B''' in Figure 6), each pair of units CLPUA I and CLPUB j is connected to each other via an authenticated classical (conventional) communication channel (denoted as "A.C. channel ljAB" in Figure 6), and, in QKD, each pair of units KGUA i and KGUB i are connected to each other through a quantum channel (denoted as "Q. channel i" in Figure 6 with i=1,...,n), which is accessible to Eve. [0069] In order to illustrate the invention, below it is described an example of a protocol (see Protocol 4) which could be used to achieve secure key distribution in this scenario according to the present invention. For ease of illustration, in this example we consider that the number of CLPUs in cryptographic station A is equal to that of B, i.e., s=s' (this is only an example for illustration purposes and they may have a different number of CLPUs). Protocol 4 can be decomposed in two main conceptual steps. In a first step, each pair of units KGUA i and KGUB i generates a raw key and then they implement, together with the classical post-processing units CLPUA I and CLPUB l, the Protocol 3 described above. As a result, the units CLPUA I and CLPUB l with l=1,...,s, obtain shares of an (epsilon/n)-secure key, KA i and KB i (i=1,....,n) , or the abort symbol ⊥i. In particular, let K'A lij be the j-th share of KA i received by CLPUA l, and similarly let K'B lij be the j-th share of KB i received by CLPUB l. Moreover, to simplify the discussion (but not with limitative purposes), let us consider for instance that the length of all KA i and KB i is N bits for all i. Next the CLPUs proceed similarly to Protocol 2. That is, the keys KA i and KB i are concatenated to form KA'=[KA 1, KA 2,..., KA M] and KB'= [KB 1, KB 2,..., KB M], where M denotes the number of keys KA i and KA i which are different from the abort symbol, and the CLPUs apply a privacy amplification step to KA' and KB'. This privacy amplification step removes the information that the dishonest pairs of KGUs could leak to Eve about say KA'. This second step is performed in a distributed setting by acting only on the shares K'A lij and K'B lij. Next the protocol is described in more detail: Protocol 4 (this is only a possible embodiment, and not all the cited steps are essential and mandatory in all the embodiments of the present invention): [0070] 1. Generation and distribution of shares of KA i and KB i: Each pair KGUA i and KGUB i, with i=1,...,n, generates a raw key and then they implement, together with the classical post-processing units CLPUA l and CLPUB l, all the steps of the Protocol 3 described above. As a result, the units CLPUA l and CLPUB l, with l=1,...,s, obtain shares of a (epsilon /n)-secure key, KA i and KB i, or the symbol ⊥i to indicate abort. Let K'A lij be the j-th share of KA i received by CLPUA l, and similarly let K'B lij be the j-th share of KB i received by CLPUB l.2. Generation of K"A lij and K"B lij: Each CLPUA l, with l=1,..,s, defines locally the bit strings K"A lij =[01 , ..., 0i-1, K'A lij,0i+1, ..., 0M], where 0i, with i=1,..., M, represents the N-bit zero vector, and M is the number of keys KA i and KB i which are different from the abort symbol ⊥i. Likewise, the units CLPUB l act similarly and they obtain K"B lij.3. Privacy amplification: The CLPUA I use the RBS scheme to randomly select a two-universal hash function, hashPA. They compute KA lij=hashPA(K"A lij), and say the first 2t+1 CLPUA I send hashPA to all CLPUB l' through the authenticated classical channels "A.C. channel ∥'AB" shown in Figure 6, with l'=1,..,s. Next, the CLPUB l' use majority voting to determine hashPA from the information received and compute KB l'ij=hashPA(K"B l'ij). The function hashPA maps the (M∗N)-bit strings K"A lij and K"B l'ij to two shorter bit strings, KA lij and KB l'ij respectively, of size about (M-t")∗N bits. [0071] Given that t<MA i/3 and t'<MB i/3 for all i=1,..., M, where MA i denotes the number of CLPUA l that do not produce the abort symbol but generate post-processed shares, KA lij, from KA i, and MB i denotes the number of CLPUB l' that do not produce the abort symbol but generate post-processed shares, KB l'ij, from KB i, then a final epsilon-secure key, KA and KB, can be reconstructed from the shares KA lij and KB l'ij by following the same procedure that reconstructs the final key in Protocol 2. We remark that Protocol 4 is just an example of an embodiment of the invention. By following similar ideas, one could define alternative protocols that also allow secure key distribution in this scenario. For instance, one could replace the first step of Protocol 4 with an step where each group of units KGUA i, KGUB i, CLPUA i and CLPUB i, with i=1,...,n, first performs a key generation session to produce a epsilon-secure key, KA i and KB i, or the abort symbol ⊥i, followed by the distribution of KA i among all CLPUA l and the distribution of KB i among all CLPUB l' by using the share protocol of a verifiable secret sharing scheme. In this last case, to guarantee the correctness of the final, one could include an error verification step implemented in a distributed setting by acting on shares. Also, we remark that Protocol 4, and similar protocols, could be modified to guarantee security against general adversary structures by following the techniques explained for the two previous cases. Importantly, the example given by Protocol 4 illustrates one key contribution of the invention, that is, the combination of secret sharing schemes and privacy amplification techniques could guarantee secure key distribution with dishonest KGUs and CLPUs. [0072] Summarizing, it can be said that the main goal of the present invention is to obtain a secure key generation system with components purchased/made by various untrusted vendors. The invention can be used to defend against both untrusted key generation units (KGUs) and untrusted classical post-processing units (CLPUs). Moreover, the present invention has the advantage of being robust against a denial-of-service attack as trust is distributed across multiple KGUs that could be using entirely different channels. [0073] For simplicity, the invention has so far been discussed for specific examples where there are only two users. It should be noted that it can be applied to a network setting where there are multiple users (and therefore multiple cryptographic stations). Also, it can be applied to a network setting where the multiple users are connected to each other through multiple paths, and it allows the users to combine the multiple keys generated from the multiple paths into a final key that is secure against untrusted devices and it is also secure against compromised paths that contain nodes which are controlled by the eavesdropper. In addition, for simplicity, we have assumed that each user is located physically in just one local cryptographic station. It should be noted that what we draw as a single cryptographic station in Figures 3, 4 and 6 could potentially be a collection of physical nodes that are distributed in distant locations in a communication network. [0074] The invention can be combined with both trusted relays and untrusted relays. Also, the invention may apply to a measurement-device-independent QKD set-up where an untrusted intermediate, Charles, performs some measurements (e.g. Bell state measurements) on quantum states sent by cryptographic stations of Alice and Bob. Moreover, the invention can be combined with quantum repeaters. [0075] The invention can be combined with various classical post-processing protocols including post-selection protocols or, as already mentioned previously, adding noise protocols. [0076] The invention is compatible with various QKD protocols including, for example, decoy state QKD, COW protocol, RR-DPS QKD protocol and entanglement-based QKD. It applies as well to various encoding schemes and to both discrete variable and continuous variable schemes for key generation. [0077] Even though we have discussed our invention in the composable security framework (where a protocol can be combined with other protocols in an arbitrary manner), the present invention works also for other security frameworks including one that involves computational assumptions. [0078] While the invention has been described with reference to the preferred and alternative embodiments thereof, it will be appreciated that various modifications can be made to the parts and methods that comprise the invention without departing from the spirit and scope thereof. [0079] A person skilled in the art would readily recognize that steps of various above-described methods can be performed by programmed computers. Herein, some embodiments are also intended to cover program storage devices, e.g., digital data storage media, which are machine or computer readable and encode machine-executable or computer-executable programs of instructions, wherein said instructions perform some or all of the steps of said above-described methods. The program storage devices may be, e.g., digital memories, magnetic storage media such as a magnetic disks and magnetic tapes, hard drives, or optically readable digital data storage media. The embodiments are also intended to cover computers programmed to perform said steps of the above-described methods. [0080] The description and drawings merely illustrate the principles of the invention. Although the present invention has been described with reference to specific embodiments, it should be understood by those skilled in the art that the foregoing and various other changes, omissions and additions in the form and detail thereof may be made therein without departing from the scope of the invention as defined by the following claims. [0081] Furthermore, all examples recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass equivalents thereof. [0082] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the invention. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
权利要求:
Claims (14) [0001] A method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises n raw data generation units, KGUA i, KGUB iwith i=1, 2, ..., n, where n>1, and at least one post-processing unit CLPUA CLPUB, where the method comprises the following steps: - Each pair of raw data generation units, KGUA i and KGUB i, with i=1, 2, ..., n, generating a pair of data strings which are correlated to each other and sending the generated data string by KGUA i to the at least one post-processing unit of the first cryptographic station and sending the generated data string by KGUB i to the at least one post-processing unit of the second cryptographic station; - The at least one post-processing units of the first and second cryptographic station, CLPUA, CLPUB: - applying a post-processing procedure to each received data string for generating a cryptographic key, KA i, KB i or an error symbol for each raw data generation unit, where the post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure to extract a shorter key; - concatenating the generated cryptographic keys to form a first concatenated cryptographic key KA'=[KA 1, KA 2,..., KA M] and a second concatenated cryptographic key KB'=[KB 1, KB 2,..., KB M] where M is the number of pairs of generated cryptographic keys in both cryptographic stations which are different from the error symbol; - applying an additional privacy amplification procedure operation to the first concatenated cryptographic key and to the second concatenated cryptographic key to extract a first and a second secure cryptographic keys respectively, KA and KB. [0002] A method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises at least one raw data generation unit, KGUA, KGUB respectively and more than one post-processing units CLPUA l, CLPUB l', l = 1, 2, ..., s, l'=1, 2,....s', where the method comprises the following steps: - KGUA generating s data strings and sending one generated data string to each CLPUA l and KGUB generating s' data strings which are correlated to the data strings generated by KGUA and sending one generated data string to each CLPUB l'; - Each post-processing unit of the first and second cryptographic stations: - applying a post-processing procedure to each received data string generating a cryptographic key or an error symbol for each received data string, where the post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure to extract a shorter key; - dividing the generated cryptographic keys into two or more shares and distributing them among the rest of post-processing units of the first and second cryptographic stations respectively; - generating a share of a secure cryptographic key by applying an error verification procedure and an additional privacy amplification procedure operation to the received cryptographic keys shares; [0003] A method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises at least one raw data generation unit, KGUA, KGUB and more than one post-processing units CLPUA i, CLPUB i', i= 1, 2, ..., s, i'=1, 2,....s', where the method comprises the following steps: - The at least one raw data generation units in the first and second cryptographic stations generating a data string, RA, RB respectively which are correlated to each other, dividing the generated data strings into two or more shares and distributing them among the post-processing units of the first and second cryptographic stations respectively where K'A ij is the j-th share of RA received by CLPUA i and K'B i'j' is the j'-th share of RB received by CLPUB i'; - Each post-processing unit of the first and second cryptographic stations: - obtaining from each received share of the data strings a key generation sub-string share K'A ij,key, K'B i'j',key; - applying a post-processing procedure to the key generation sub-strings shares generating secure cryptographic key shares, where said post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a privacy amplification procedure to extract a shorter key. [0004] A method according to claim 3: - where the information reconciliation operation includes an error correction procedure which comprises: - applying certain predefined matrices MEC to the key generation sub-strings shares obtaining data strings sA ij=MEC ∗K'A ij,key, sB j'=MEC ∗K'B i'j',key respectively; - obtaining in each post-processing unit a reconstructed data string sA, sB defined sA=sA 1⊕... ⊕A q and sB=sB 1⊕... ⊕sB q' respectively, where sA j is obtained from sA ij by using majority voting and sB j' is obtained from sB i'j' by using majority voting; - modifying the value of the key generation sub-strings K'A ij,key, K'B i'j',key depending on the actual values of sA and sB; - repeat the three steps of the error correction procedure until the error is below a predefined threshold; - where the information reconciliation operation includes an error verification procedure which comprises: - The post-processing units of the first cryptographic station randomly selecting a two-universal hash function, hash, and applying it to the key generation sub-strings shares obtained after the error correction procedure, KA ij,key, obtaining hA ij=hash(KA ij,key), and each post-processing unit of the second cryptographic station obtaining hB i'j'=hash(KB i'j',key) and each post-processing unit sending the shares hA ij and hB i'j' to all the post-processing units in his own cryptographic unit and to all the post-processing units in the other cryptographic unit; - obtaining in each post-processing unit a reconstructed data string hA, hB respectively as hA=hA 1⊕... ⊕hA q and hB=hB 1⊕... ⊕hB q' respectively, where hA j is obtained from hA ij by using majority voting and hB j' is obtained from hB i'j' by using majority voting. - Each of the post-processing units checking whether or not hA=hB and if they are equal they proceed to the privacy amplification procedure, otherwise outputting an abort symbol. - Where the privacy amplification procedure comprises: - The post-processing units of the first cryptographic station randomly selecting a two-universal hash function hashPA, and then obtaining shares of a secure cryptographic unit as KA ij=hashPA(KA ij,key) and each post-processing unit of the second cryptographic station obtaining shares of a secure cryptographic unit as KB i'j'=hashPA(KB i'j',key). [0005] A method according to claims 3 or 4, where the method further includes: - Each post-processing unit of the first and second cryptographic stations, obtaining from each received share of the data strings, a parameter estimation sub-string share K'A ij,est, K'B i'j',est and sending said parameter estimation sub-strings shares to the rest of post-processing units of the cryptographic unit. [0006] A method for secure cryptographic keys generation in the presence of untrusted units in a cryptographic system, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises a plurality of raw data generation units, KGUA i, KGUB i with i=1, 2, ..., n, n>1 and a plurality of post-processing units CLPUA l, CLPUB i', 1=1, 2, ..., s, l'=1, 2,....s', where the method comprises the following steps: - Each raw data generation unit in the first and second cryptographic stations generating correlated data strings, RA i, RB i with i= 1, 2, ..., n, respectively, dividing the generated data strings into two or more shares and distributing them among the post-processing units of the first and second cryptographic stations respectively, - Each post-processing unit applying a post-processing procedure to each received data string share, generating a first cryptographic key shares K'A lij, K'B l'ij' or an error symbol for each received data string share, where the post-processing procedure includes at least an information reconciliation operation between the processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure, where K'A lij is the j-th share of the cryptographic key for RA i obtained by CLPUA l, and K'B l'ij' is the j'-th share of the cryptographic key for RB i obtained by CLPUB l'; - Each post-processing unit obtaining shares of a secure cryptographic key by concatenating the obtained first cryptographic key shares and applying an additional privacy amplification procedure operation to the concatenated string. [0007] A method according to claim 6, where the last step of claim 6 comprises: - Each CLPUA l, with l=1,..,s obtaining bit strings K"A lij=[01, ..., 0i-1, K'A lij, 0i+1, ..., 0M], where 0i, with i=1,..., M, represents a zero vector, and M is the number of pairs of raw generation units which generate data strings different from an error symbol and each CLPUB i', with l'=1,..,s' obtaining bit strings K"B l'ij'=[01, ..., 0i-1, K'B l'ij', 0i+1, ..., 0M], with i=1,..., M; - Each CLPUA l, with l=1,..,s, randomly selecting a two-universal hash function hashPA, and then obtaining shares of a secure cryptographic key as KA lij=hashPA(K"A lij) and each CLPUB i', with l'=1,..,s' obtaining shares of a secure cryptographic key as KB l'ij'=hashPA(K"B l'ij'). [0008] A method according to claim 1 or 6 or 7 where the pair of data strings generated by each pair of raw data generation units, KGUA i and KGUB i, i=1, 2, ..., n, of the first and second cryptographic stations respectively, are generated using a quantum key distribution mechanism. [0009] A method according to claims 2 or 3 or 4 or 5 where each pair of data strings generated by each pair of raw data generation units KGUA and KGUB of the first and second cryptographic stations respectively are generated using a quantum key distribution mechanism. [0010] A system for secure cryptographic keys generation in the presence of untrusted units, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises n raw data generation units, KGUA i, KGUB i with i=1, 2, ..., n, where n>1, and at least one post-processing unit CLPUA CLPUB, where: - Each pair of raw data generation units, KGUA i and KGUB i, comprising means for generating a pair of data strings which are correlated to each other and sending the generated data string by KGUA i to the at least one post-processing unit of the first cryptographic station and sending the generated data string by KGUB i to the at least one post-processing unit of the second cryptographic station; - The at least one post-processing units of the first and second cryptographic station, CLPUA, CLPUB being configured for: - applying a post-processing procedure to each received data string for generating a cryptographic key, KA i, KB i or an error symbol for each raw data generation unit, where the post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure to extract a shorter key; - concatenating the generated cryptographic keys to form a first concatenated cryptographic key KA'=[KA 1, KA 2,..., KA M] and a second concatenated cryptographic key KB'=[KB 1, KB 2,..., KB M] where M is the number of pairs of generated cryptographic keys in both cryptographic stations which are different from the error symbol; - applying an additional privacy amplification procedure operation to the first concatenated cryptographic key and to the second concatenated cryptographic key to extract a first and a second secure cryptographic keys respectively, KA and KB. [0011] A system for secure cryptographic keys generation in the presence of untrusted units, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises at least one raw data generation unit, KGUA, KGUB respectively and more than one post-processing units CLPUA l, CLPUB l', l= 1, 2, ..., s, l'=1, 2,....s', where: - KGUA comprising means for generating s data strings and sending one generated data string to each CLPUA l and KGUB comprising means for generating s' data strings which are correlated to the data strings generated by KGUA and sending one generated data string to each CLPUB l'; - Each post-processing unit of the first and second cryptographic station being configured for: - applying a post-processing procedure to each received data string generating a cryptographic key or an error symbol for each received data string, where the post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure to extract a shorter key; - dividing the generated cryptographic keys into two or more shares and distributing them among the rest of post-processing units of the first and second cryptographic stations respectively; - generating a share of a secure cryptographic key by applying an error verification procedure and an additional privacy amplification procedure operation to the received cryptographic keys shares; [0012] A system for secure cryptographic keys generation in the presence of untrusted units, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises at least one raw data generation unit, KGUA, KGUB and more than one post-processing units CLPUA i, CLPUB i', i= 1, 2, ..., s, i'=1, 2,....s', where: - The at least one raw data generation units in the first and second cryptographic stations generating a data string, RA, RB respectively which are correlated to each other, comprising means for dividing the generated data strings into two or more shares and distributing them among the post-processing units of the first and second cryptographic stations respectively where K'A ij is the j-th share of RA received by CLPUA i and K'B i'j' is the j'-th share of RB received by CLPUB i'; - Each post-processing unit of the first and second cryptographic station being configured for: - obtaining from each received share of the data strings a key generation sub-string share K'A ij,key, K'B i'j',key; - applying a post-processing procedure to the key generation sub-strings shares generating secure cryptographic key shares, where said post-processing procedure comprises an information reconciliation operation between the processing units of both cryptographic stations via an authenticated communication channel and a privacy amplification procedure. [0013] A system for secure cryptographic key generation in the presence of untrusted units, the system comprising a first and a second cryptographic stations (A,B), where each cryptographic station comprises a plurality of raw data generation units, KGUA i, KGUB i with i=1, 2, ..., n, n>1, and a plurality of post-processing units CLPUA l, CLPUB i', l= 1, 2, ... , s, l'=1, 2,....s', where: - Each raw data generation unit in the first and second cryptographic stations comprising means for generating correlated data strings, RA i, RB i with i=1, 2, ..., n, respectively, dividing the generated data strings into two or more shares and distributing them among the post-processing units of the first and second cryptographic stations respectively, - Each post-processing unit being configured for: - applying a post-processing procedure to each received data string share, generating a first cryptographic key shares K'A lij, K'B l'ij' or an error symbol for each received data string share, where the post-processing procedure includes at least an information reconciliation operation between the processing units of both cryptographic stations via an authenticated communication channel and a first privacy amplification procedure, where K'A lij is the j-th share of the cryptographic key for RA i obtained by CLPUA l, and K'B l'ij' is the j'-th share of the cryptographic key for RB i obtained by CLPUB l'; - obtaining shares of a secure cryptographic key by concatenating the obtained first cryptographic key shares and applying an additional privacy amplification procedure operation to the concatenated string. [0014] A non-transitory digital data storage medium for storing a computer program which comprises instructions causing a computer executing the program to perform the method according to any of the claims 1-9.
类似技术:
公开号 | 公开日 | 专利标题 Liu et al.2016|An efficient privacy-preserving outsourced calculation toolkit with multiple keys Wang et al.2015|Survey on channel reciprocity based key establishment techniques for wireless systems Liang et al.2015|A secure and efficient ciphertext-policy attribute-based proxy re-encryption for cloud data sharing Gao et al.2019|Quantum private query: A new kind of practical quantum cryptographic protocol Gao et al.2014|Postprocessing of the oblivious key in quantum private query Shacham et al.2013|Compact proofs of retrievability Jung et al.2013|Privacy-preserving data aggregation without secure channel: Multivariate polynomial evaluation Alléaume et al.2014|Using quantum key distribution for cryptographic purposes: a survey Jarecki et al.2018|OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks Tseng et al.2012|New quantum private comparison protocol using EPR pairs Niu et al.2011|An anonymous key agreement protocol based on chaotic maps Noura et al.2018|One round cipher algorithm for multimedia IoT devices Boyd et al.2003|Protocols for authentication and key establishment CA2883313C|2020-06-16|Multi-factor authentication using quantum communication Niu et al.2018|Measurement-device-independent quantum communication without encryption EP2637350B1|2018-08-29|Key escrow KR100960635B1|2010-06-07|Generation of perfectly secret keys in wireless communication networks US8082443B2|2011-12-20|Pedigrees for quantum cryptography Tseng et al.2009|A chaotic maps-based key agreement protocol that preserves user anonymity US9781079B2|2017-10-03|Security key generator US7925010B2|2011-04-12|Message deciphering method, system and article JP4734344B2|2011-07-27|Method and system for deriving encryption key using joint randomness | not shared with others Müller-Quade et al.2009|Composability in quantum cryptography Maurer et al.2003|Secret-key agreement over unauthenticated public channels-Part II: The simulatability condition Saxena et al.2014|EasySMS: A protocol for end-to-end secure transmission of SMS
同族专利:
公开号 | 公开日 ES2717548B2|2020-11-26| WO2019092299A1|2019-05-16| ES2717548A1|2019-06-21| CN111566990A|2020-08-21|
引用文献:
公开号 | 申请日 | 公开日 | 申请人 | 专利标题
法律状态:
2019-03-08| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: UNKNOWN | 2019-05-18| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE | 2020-08-14| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE | 2020-08-14| PUAI| Public reference made under article 153(3) epc to a published international application that has entered the european phase|Free format text: ORIGINAL CODE: 0009012 | 2020-09-16| AK| Designated contracting states|Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR | 2020-09-16| 17P| Request for examination filed|Effective date: 20200428 | 2020-09-16| AX| Request for extension of the european patent|Extension state: BA ME | 2021-02-17| DAX| Request for extension of the european patent (deleted)| 2021-02-17| DAV| Request for validation of the european patent (deleted)| 2021-08-25| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: GRANT OF PATENT IS INTENDED | 2021-08-25| GRAP| Despatch of communication of intention to grant a patent|Free format text: ORIGINAL CODE: EPIDOSNIGR1 | 2021-09-22| INTG| Intention to grant announced|Effective date: 20210826 | 2021-12-20| GRAS| Grant fee paid|Free format text: ORIGINAL CODE: EPIDOSNIGR3 | 2021-12-24| STAA| Information on the status of an ep patent application or granted ep patent|Free format text: STATUS: THE PATENT HAS BEEN GRANTED | 2021-12-24| GRAA| (expected) grant|Free format text: ORIGINAL CODE: 0009210 | 2022-01-26| AK| Designated contracting states|Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR | 2022-01-26| REG| Reference to a national code|Ref country code: GB Ref legal event code: FG4D | 2022-01-31| REG| Reference to a national code|Ref country code: CH Ref legal event code: EP | 2022-02-15| REG| Reference to a national code|Ref country code: AT Ref legal event code: REF Ref document number: 1466131 Country of ref document: AT Kind code of ref document: T Effective date: 20220215 | 2022-02-16| REG| Reference to a national code|Ref country code: IE Ref legal event code: FG4D | 2022-02-17| REG| Reference to a national code|Ref country code: DE Ref legal event code: R096 Ref document number: 602018030283 Country of ref document: DE |
优先权:
[返回顶部]
申请号 | 申请日 | 专利标题 相关专利
Sulfonates, polymers, resist compositions and patterning process
Washing machine
Washing machine
Device for fixture finishing and tension adjusting of membrane
Structure for Equipping Band in a Plane Cathode Ray Tube
Process for preparation of 7 alpha-carboxyl 9, 11-epoxy steroids and intermediates useful therein an
国家/地区
|