Patent abstract:
Traditional methods of generating cryptographic keys in a noisy network often assume that the devices are reliable, and are therefore vulnerable to numerous attacks, including attacks based on covert channels. The present invention differs from previous key generation methods in that it presents a mechanism that allows the secure generation of cryptographic keys with unreliable devices in a noisy network with a prescribed access structure. (Machine translation by Google Translate, not legally binding)
Publication number: ES2717548A1
Application number: ES201700755
Filing date: 2017-11-08
Publication date: 2019-06-21
Inventors: Curty Alonso Marcos; Lo Hoi-Kwong
Applicant: Universidade de Vigo;
Main IPC class:
Patent description:

[0001]
[0002] Secure key agreement with untrusted devices
[0003]
[0004] TECHNICAL FIELD
[0005]
[0006] DESCRIPTION
[0007]
[0008] FIELD OF THE INVENTION
[0009] This invention relates to a secure method and system for the generation of a random cryptographic key in a noisy network.
[0010]
[0011] STATE OF THE ART
[0012] Cryptography is the art of making codes. In cryptography, the security of a protocol often depends on the secrecy of a cryptographic key. A cryptographic key is usually a random sequence of numbers. If two parties, Alice and Bob, share a common secret cryptographic key, K, then they can achieve both secure communications and secure data authentication (two important applications of cryptography) using various known cryptographic procedures. How to generate and distribute a secret cryptographic key between two or more parties is an important challenge for cryptography: this is what is called the key distribution problem. Several methods have been proposed to solve the key distribution problem, of which we offer some examples here. The first example is public-key cryptography. In public-key cryptography, the key distribution problem is solved by means of computational assumptions. There is a pair of keys, for example one for encryption and another for decryption. Given the encryption key, in principle all the information necessary to obtain the decryption key is available. However, assuming that conventional computers cannot efficiently solve certain problems, such as the factorization of large integers, in practice a conventional computer would take too long to discover the decryption key. The second example of a key distribution method is quantum cryptography, more specifically quantum key distribution (QKD). For a review of QKD see, for example, Lo, H.-K., Curty, M. and Tamaki, K. Secure quantum key distribution. Nat. Photon. 8, 595-604 (2014). In QKD, the key distribution problem is solved using the no-cloning theorem of quantum mechanics. For example, in the well-known standard QKD protocol proposed by Bennett and Brassard, designated BB84 (see, for example, Bennett, C. H. and Brassard, G. Quantum cryptography: public key distribution and coin tossing, Proc. IEEE Int. Conf. Comp. Systems Signal Processing 175-179 (IEEE, 1984)), one party, say Alice, sends to a second party, Bob, a sequence of photons prepared in different polarization states, which are chosen from two possible conjugate bases, X and Z. For each photon received, Bob randomly selects one of the two conjugate bases and measures the photon in the chosen basis. Bob records the result of his measurement and his choice of basis. Then, through an authenticated channel, Alice and Bob announce the bases in which they prepared and measured the photons, respectively. They discard all the data associated with events where the photons were sent and measured in different bases, and use the remaining data to generate a key that is called the "sifted key". To check whether there has been an attack on the communications channel, Alice and Bob calculate the quantum bit error rate (QBER) of a randomly selected subset of the sifted key, and verify that the QBER is below a certain threshold value. If this is the case, Alice and Bob use classical data post-processing protocols, such as error correction and privacy amplification techniques, to generate a secure cryptographic key from the sifted key. In this way, if an attack occurs on the channel, the person attempting it, say Eve (from the English term "eavesdropper"), not having the information about the bases used, would introduce an unavoidable disturbance in the transmitted signals that would be detectable by the legitimate users, Alice and Bob. The third example of a key distribution method is Maurer's key agreement protocol by public discussion (see Maurer, U. M. Secret key agreement by public discussion from common information, IEEE Trans. on Inf. Theory 39, 733-742 (1993)). In it, for example, two parties, Alice and Bob, could receive signals from a common source, Charles, in a distant galaxy. If we assume that the noise experienced by the receiving devices of the two parties is independent of the noise suffered by Eve's receiving devices, then the two parties, Alice and Bob, can extract a common key that is secure against Eve's eavesdropping.
[0013]
[0014] In cryptography, secret sharing schemes are often used. In a secret sharing scheme, it is often important to define an access structure. For example, in an (n, r) threshold secret sharing scheme, a dealer divides a sequence of secret data, say K, into different portions that are distributed among n parties in such a way that any subset of r parties collaborating together is able to recover the value of the data sequence, K, but any subset of fewer than r parties has absolutely no information about the value of the data sequence, K. Note that there are also secret sharing schemes that are not of threshold type and that allow more general access structures. In order to face the possibility that the dealer itself is dishonest, and in order to guarantee that the portions of data distributed during the different steps of the secret sharing protocol are consistent, verifiable secret sharing schemes have been proposed. As for possible applications, secret sharing schemes can be used, for example, to divide a cryptographic key generated in a hardware security module (HSM). Note that, in these cases, it is often assumed that the communication channels do not introduce noise, but that some of the parties may be unreliable.
[0015]
[0016] In contrast, both in the QKD model and in Maurer's key agreement protocol by public discussion, it is assumed that the communication channels used to generate a cryptographic key can be noisy. For example, QKD systems often use strongly attenuated coherent light pulses or entangled photon pairs as signals. These signals can be sent over long distances through free space or through optical fibers. For example, a QKD system over a very low loss optical fiber channel 404 km long has recently been implemented. To this end, a QKD protocol was used that provides security without the need to characterize the measurement device that measures the received photons (a "measurement-device-independent quantum key distribution" protocol). Likewise, entangled photon pairs have been distributed over 1200 km (using a satellite link for quantum communications). Note that in QKD systems a possible attacker, Eve, can try to obtain information about the signals transmitted over the quantum communications channel (a quantum communications channel is a communication channel that can transmit quantum information). Due to the intrinsic noise introduced by the channels and to possible attacks by Eve, a quantum channel often has a quantum bit error rate (QBER) of the order of 0.5% to 13%. In order to generate a secret cryptographic key in this situation, QKD systems usually assume that, in addition to a quantum communication channel, there is an authenticated classical channel (or public channel) between Alice and Bob. Said authenticated classical channel can be used in the public discussion phase of QKD systems. For example, this channel allows Alice and Bob to compare a subset of the quantum signals to estimate the QBER of a quantum transmission. If the QBER is too high, Alice and Bob can simply abort the QKD protocol. Otherwise, that is, when the QBER is below a certain value, Alice and Bob proceed to extract a secure cryptographic key through the use of some classical data post-processing protocol. This classical data post-processing protocol may include several steps or protocols such as, for example, post-selection of data, addition of noise, estimation of certain parameters, information reconciliation (which typically includes an error correction step and a verification step), and privacy amplification. This is because there are certain problems that need to be resolved in order to extract a secure cryptographic key. The first of these problems is that the sifted keys that Alice and Bob obtain, kA,raw and kB,raw respectively, may differ from each other, which is why it is important that Alice and Bob perform some procedure to correct possible discrepancies between their keys. This process is called information reconciliation. One way to reconcile the information is for Alice to use some conventional error correction code and to calculate and publicly announce the resulting error syndrome. Using the error syndrome, Bob can reconcile his key with Alice's. As a last step, Alice and Bob can perform an error verification process to confirm that the new keys obtained, which we will call kA,rec and kB,rec respectively, are reconciled, that is, that both are equal with high probability. Secondly, we must bear in mind that a possible attacker, Eve, could have partial information about the content of the reconciled key. The purpose of the privacy amplification procedure is precisely to eliminate, with high probability, any residual information that Eve could have about the reconciled key. Privacy amplification is a process in which a long sequence of partially secret numbers is compressed into a shorter sequence of numbers that is almost perfectly secure against an adversary, Eve. Privacy amplification can be achieved by applying a 2-universal hash function; see, for example, Bennett, C. H., Brassard, G., Crepeau, C. and Maurer, U. M. Generalized privacy amplification. IEEE Trans. on Inf. Theory 41, 1915-1923 (1995). A particularly simple example of privacy amplification is the use of random hashing. More specifically, given a binary input sequence of n bits represented by a column vector, X, we could first generate a matrix, M, of m x n random bits (where m < n) and then calculate the binary output sequence of m bits, Y = M * X, simply by multiplying the matrices M and X in modulo-2 arithmetic. In the case of QKD systems, Alice could choose the entries of M and then transmit their values to Bob through an authenticated classical channel.
[0017]
[0018] Secret sharing schemes, QKD systems and Maurer's key agreement protocol by public discussion can provide security in the information-theoretic paradigm (also known as "unconditional security"). This is security based on principles of information theory that does not depend on any hypothesis about the computing capacity of the possible attacker, Eve.
[0019]
[0020] Quantum hacking of practical implementations of QKD systems has recently attracted great interest. These attacks often exploit the fact that the real devices of QKD systems behave differently from those considered in the mathematical models normally used to prove the security of these systems. This opens security gaps that could be used by Eve to attack implementations of QKD systems. For example, an attack has been proposed that, through the use of a memory, can break the security of even those QKD systems whose theoretical security does not require the characterization of their devices (these QKD systems are called DI-QKD, from the English term "device-independent QKD"). In this particular type of attack, Eve hides a memory in the transmitter system of, for example, Alice, with the aim of storing all the cryptographic keys generated in each of the executions of the QKD system. Next, this memory leaks the information about the generated cryptographic keys onto the communication channel, that is, to Eve, hiding it for example in the decision whether or not to abort a specific later QKD session, or hiding it in the public discussion of some of the data post-processing protocols used in subsequent executions of the QKD system. This could be done by means of an appropriate modification of the "raw key" (that is, the key from which the sifted key is obtained) and/or of the protocol information that is sent, in each execution, to the classical data post-processing unit or units (CLPU, from the English term "classical post-processing unit") of the QKD system. This type of attack based on the use of memories is an example of the attacks based on "covert channels" that, together with Trojan horses, or Trojans, are known to represent major challenges for the security of conventional cryptographic systems. Note that Trojan horses can be hidden both in hardware modifications and in software modifications of cryptographic systems.
[0021]
[0022] SUMMARY OF THE INVENTION
[0023]
[0024] Problems encountered in the prior art are solved or avoided, and technical advantages are generally obtained, through the disclosed embodiments, which provide a method and a system by which two or more cryptographic stations generate a common (shared) secure key within the framework of a prescribed access structure, in the presence of a noisy channel in a network and possibly of unreliable components within one or more cryptographic stations.
[0025]
[0026] Taking into account the functional decomposition of a cryptographic station into key generation units and classical data post-processing units, the present invention provides security both in the presence of unreliable key generation units and in the presence of unreliable classical data post-processing units. In one embodiment, to counter unreliable key generation units, the classical data post-processing units employ privacy amplification techniques and thus guarantee security despite the information obtained by the unreliable components within the cryptographic stations. To counter unreliable classical data post-processing units, a "raw" cryptographic key (from the English term "raw key") is divided into several portions and distributed among multiple classical data post-processing units. The invention can be used to avoid attacks that exploit covert channels and also to protect against the presence of Trojans in both hardware and software. In this way, the security of the generated cryptographic key can be guaranteed in the information-theoretic paradigm, that is, the security of the generated key does not depend on any hypothesis about the computing capacity of the possible attacker, and this key can be used later to achieve unconditionally secure communications and data authentication.
[0027]
[0028] In a first aspect, the present invention proposes a method for the generation of secure cryptographic keys in the presence of unreliable units in a cryptographic system. This cryptographic system includes a first and a second cryptographic station (A, B), and each station includes n raw key generation units (from the English term "key generation unit"), KGUAi, KGUBi, with i = 1, 2, ..., n and n > 1, and at least one classical data post-processing unit, CLPUA, CLPUB, the method including the following steps:
[0029]
[0030] - Each pair of raw key generation units, KGUAi and KGUBi, with i = 1, 2, ..., n, generates a pair of data sequences (raw keys) and sends (through secure communication channels) the data sequence generated by KGUAi to at least one classical data post-processing unit of the first cryptographic station, and the data sequence generated by KGUBi to at least one classical data post-processing unit of the second cryptographic station. Each pair of data sequences (one generated by a raw key generation unit KGUAi of the first cryptographic station and another generated by a raw key generation unit KGUBi of the second cryptographic station, with i = 1, 2, ..., n) will normally present correlations, in the sense that these data sequences will be generated using a mechanism (e.g., QKD, quantum key distribution) that makes each pair of data sequences from the first and second cryptographic stations statistically correlated. That is, the two data sequences of each pair are not statistically independent of each other but statistically dependent, so that if the value of one of the data sequences is known, information could be obtained about the value of the other.
[0031] - The classical data post-processing units (at least one) of the first and second cryptographic stations, CLPUA, CLPUB:
[0032] - apply a data post-processing procedure to each received data sequence and generate a cryptographic key, KAi, KBi, with i = 1, 2, ..., n, or an error symbol (an error symbol is generated if the raw key generation unit has not been able to generate a data sequence from which a cryptographic key can be obtained) for each raw key generation unit, where the data post-processing procedure includes at least one information reconciliation operation between the classical data post-processing units of both cryptographic stations through an authenticated communications channel and a first privacy amplification procedure to extract a shorter key;
[0033]
[0034] - concatenate the generated cryptographic keys to form a first concatenated cryptographic key KA' = [KA1, KA2, ..., KAM] and a second concatenated cryptographic key KB' = [KB1, KB2, ..., KBM], where M is the number of pairs of cryptographic keys generated in both cryptographic stations that differ from the error symbol;
[0035]
[0036] - apply an additional privacy amplification procedure to the first concatenated cryptographic key and to the second concatenated cryptographic key to extract a first and a second secure cryptographic key, KA and KB respectively.
[0037]
[0038] According to another aspect, a method is proposed for the generation of secure cryptographic keys in the presence of unreliable units of a cryptographic system, where the system includes a first and a second cryptographic station (A, B), and each cryptographic station includes at least one raw key generation unit, KGUA, KGUB respectively, and more than one classical data post-processing unit, CLPUAl, CLPUBl', with l = 1, 2, ..., s and l' = 1, 2, ..., s', where the method includes the following steps:
[0039]
[0040] - KGUA generates s data sequences and each generated data sequence is sent to a different unit CLPUAl, and KGUB generates s' data sequences and each generated data sequence is sent to a different unit CLPUBl'. Each pair of data sequences (one generated by the raw key generation unit KGUA of the first cryptographic station and another generated by the raw key generation unit KGUB of the second cryptographic station) will present correlations, in the sense that these data sequences will be generated using a mechanism (e.g., QKD) that makes each pair of data sequences of the first and second cryptographic stations statistically correlated. That is, the two data sequences of each pair are not statistically independent of each other but statistically dependent, so that if the value of one of the data sequences is known, information could be obtained about the value of the other.
[0041]
[0042] - Each classical data post-processing unit of the first and second cryptographic stations:
[0043]
[0044] - applies a data post-processing procedure to each received data sequence and generates either a cryptographic key or an error symbol for each received data sequence, where the data post-processing procedure includes at least one information reconciliation operation between the classical data post-processing units of the two cryptographic stations through an authenticated communications channel and a first privacy amplification procedure to extract a shorter key;
[0045]
[0046] - divides the generated cryptographic keys into two or more portions and distributes them among the rest of the classical data post-processing units of the first and second cryptographic stations, respectively;
[0047]
[0048] - generates a portion of a secure cryptographic key by applying an error verification procedure and an additional privacy amplification operation to the received portions of the cryptographic keys.
[0049]
[0050] According to another aspect, a method is proposed for the generation of secure cryptographic keys in the presence of unreliable units of a cryptographic system, where the system includes a first and a second cryptographic station (A, B), and each cryptographic station includes at least one raw key generation unit, KGUA, KGUB respectively, and more than one classical data post-processing unit, CLPUAi, CLPUBi', with i = 1, 2, ..., s and i' = 1, 2, ..., s', where the method includes the following steps:
[0051]
[0052] - The raw key generation units (at least one) of the first and second cryptographic stations generate a data sequence, RA, RB respectively, divide the generated data sequences into two or more portions and distribute them among the classical data post-processing units of the first and second cryptographic stations respectively, where K'Aij is the j-th portion of RA received by CLPUAi, and K'Bi'j' is the j'-th portion of RB received by CLPUBi'. The pair of data sequences (one generated by the raw key generation unit KGUA of the first cryptographic station and another generated by the raw key generation unit KGUB of the second cryptographic station) will present correlations, in the sense that these data sequences will be generated using a mechanism (e.g., QKD) that makes the data sequences of the first and second cryptographic stations statistically correlated. That is, the generated data sequences are not statistically independent of each other but statistically dependent, so that if we know the value of one data sequence we could obtain information about the value of the other.
[0053]
[0054] The number of portions j, j' into which the data sequences are divided could be equal to the number of CLPU units (so that each CLPU receives one portion), or lower, or higher (so that each CLPU could receive more than one portion).
[0055]
[0056] - Each classical data post-processing unit of the first and second cryptographic stations:
[0057]
[0058] - obtains from each received portion of the data sequence RA, RB a portion, K'Aij,key, K'Bi'j',key, of a data sequence that will be used to generate the cryptographic key. The portions obtained, K'Aij,key, K'Bi'j',key, could simply be a part of the received portion of the data sequences RA, RB. That is, the received portions of RA, RB could be divided into several subsequences and one of them used for key generation. For each received portion of RA, RB, a portion, K'Aij,est, K'Bi'j',est, of a data sequence that will be used for parameter estimation could also be obtained, and these portions K'Aij,est, K'Bi'j',est will be sent to the rest of the classical data post-processing units of the two cryptographic stations.
[0059]
[0060] - applies a data post-processing procedure to the portions K'Aij,key, K'Bi'j',key and generates portions of a secure cryptographic key, where the data post-processing procedure includes at least one information reconciliation operation between the classical data post-processing units of both cryptographic stations through an authenticated communications channel, and a privacy amplification procedure to extract a shorter key.
[0061]
[0062] In this last embodiment, the information reconciliation operation could include an error correction procedure that involves:
[0063] - applying certain predefined matrices Mec to the data portions K'Aij,key, K'Bi'j',key to obtain the data sequences sAij = Mec * K'Aij,key and sBi'j' = Mec * K'Bi'j',key respectively;
[0064] - obtaining in each of the classical data post-processing units a reconstructed data sequence sA, sB, defined as sA = sA1 ⊕ ... ⊕ sAq and sB = sB1 ⊕ ... ⊕ sBq' respectively, where each sAj is obtained from the values sAij using a decision strategy based on majority voting and each sBj' is obtained from the values sBi'j' using a decision strategy based on majority voting;
[0065] - modifying the value of the data sequences K'Aij,key, K'Bi'j',key depending on the values obtained for sA and sB;
[0066] - repeating the three steps of the error correction procedure until the error rate is below a predefined threshold.
[0067]
[0068] In this last embodiment, the information reconciliation operation could include an error verification procedure that involves:
[0069] - the classical data post-processing units of the first cryptographic station randomly selecting a 2-universal hash function, which we shall call hash, and applying it to the portions KAij,key obtained from K'Aij,key by means of the error correction procedure, to obtain hAij = hash(KAij,key), while each classical data post-processing unit of the second cryptographic station obtains hBi'j' = hash(KBi'j',key), where the portions KBi'j',key are obtained from K'Bi'j',key through the error correction procedure; then each classical data post-processing unit sends its portions hAij and hBi'j' to all the classical data post-processing units of its own cryptographic station and to all the classical data post-processing units of the other cryptographic station;
[0070] - obtaining in each classical data post-processing unit two reconstructed data sequences, hA and hB, defined as hA = hA1 ⊕ ... ⊕ hAq and hB = hB1 ⊕ ... ⊕ hBq' respectively, where each hAj is obtained from the values hAij using a decision strategy based on majority voting and each hBj' is obtained from the values hBi'j' using a decision strategy based on majority voting;
[0071] - each of the classical data post-processing units checking whether hA = hB; if they are equal they proceed to the privacy amplification procedure, otherwise they produce an abort symbol.
[0072]
[0073] In this last embodiment, the privacy amplification procedure may include:
[0074] - the classical data post-processing units of the first cryptographic station randomly selecting a 2-universal hash function, which we will call hashPA, and applying it to the portions KAij,key to obtain portions of a secure cryptographic key as KAij = hashPA(KAij,key), while each classical data post-processing unit of the second cryptographic station obtains portions of a secure cryptographic key as KBi'j' = hashPA(KBi'j',key).
[0075]
[0076] According to another aspect, a method for the generation of secure cryptographic keys in the presence of unreliable units in a cryptographic system is proposed, where the system includes a first and a second cryptographic station (A, B), and each cryptographic station includes a plurality of raw key generation units, KGUAi, KGUBi, with i = 1, 2, ..., n and n > 1, and a plurality of classical data post-processing units, CLPUAl, CLPUBl', with l = 1, 2, ..., s and l' = 1, 2, ..., s', where the method includes the following steps:
[0077]
[0078] - Each raw key generation unit of the first and second cryptographic stations generates data sequences, RAi, RBi with i = 1, 2, ..., n, respectively, divides the generated data sequences into two or more portions and distributes them among the classical data post-processing units of the first and second cryptographic stations respectively. Each pair of data sequences (RAi, RBi with i = 1, 2, ..., n) will present correlations, in the sense that these data sequences will be generated using a mechanism (e.g., QKD) that makes RAi and RBi statistically correlated, with i = 1, 2, ..., n. That is, the two data sequences of each pair are not statistically independent of each other but statistically dependent, so that if the value of one of the data sequences, for example RAi, is known, information could be obtained about the value of the other, RBi.
[0079]
[0080] - Each classical data post-processing unit applies a data post-processing procedure to each received data portion, generating either portions, K'Alij, K'Bl'ij', of a first cryptographic key, or an error symbol for each received portion of a data sequence, where the data post-processing procedure includes at least one information reconciliation operation between the classical data post-processing units of both cryptographic stations through an authenticated communications channel and a first privacy amplification procedure, and where K'Alij is the j-th portion of the cryptographic key corresponding to the sequence RAi obtained by the unit CLPUAl, and K'Bl'ij' is the j'-th portion of the cryptographic key corresponding to the sequence RBi obtained by the unit CLPUBl';
[0081]
[0082] - Each classical data post-processing unit CLPUAl obtains portions of a secure cryptographic key by first concatenating the portions K'Alij of the cryptographic key obtained in the previous step, and each classical data post-processing unit CLPUBl' obtains portions of a secure cryptographic key by concatenating the portions K'Bl'ij' of the cryptographic key obtained in the previous step, and then applying an additional privacy amplification procedure to the concatenated sequences obtained. This last step can include:
[0083]
[0084] - Concatenation sub-step: each CLPUAl, with l = 1, ..., s, obtains data sequences K"Alij = [0_1, ..., 0_(i-1), K'Alij, 0_(i+1), ..., 0_M], where 0_i, with i = 1, ..., M, represents a zero vector, and M is the number of pairs of raw key generation units (each pair composed of one raw key generation unit of each cryptographic station) that generate data sequences which, after the execution of the previous steps, result in a key and not in the error symbol; and each CLPUBl', with l' = 1, ..., s', obtains bit sequences K"Bl'ij' = [0_1, ..., 0_(i-1), K'Bl'ij', 0_(i+1), ..., 0_M], with i = 1, ..., M;
[0085]
[0086] - Privacy amplification sub-step: the units CLPUAl, with l = 1, ..., s, randomly select a 2-universal hash function, hashPA, and then obtain portions of a secure cryptographic key as KAlij = hashPA(K"Alij), and each CLPUBl', with l' = 1, ..., s', obtains portions of a secure cryptographic key as KBl'ij' = hashPA(K"Bl'ij').
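The random hashing of [0016], the portion-wise error verification with majority voting of [0069]-[0071], the portion-wise hashPA of [0074] and the zero-padded concatenation of [0084]-[0086] all rest on one property: a hash computed as a random binary matrix product is linear over GF(2), so the CLPUs can combine per-portion hashes into the hash of the whole key, and a single dishonest CLPU announcing a wrong value is outvoted. The Python below is an added illustration, not code from the patent or its inventors; it assumes XOR (additive) secret sharing for the portions and XOR reconstruction, which the patent leaves open, and uses a constructed reconciled key.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Random hashing of [0016]: Y = M * X over GF(2). Each row of M is stored as an
# n-bit int (bit k of the row = column k), so row * X mod 2 is an AND plus a parity.
def random_binary_matrix(m: int, n: int) -> List[int]:
    return [secrets.randbits(n) for _ in range(m)]

def linear_hash(matrix: List[int], x: int) -> int:
    """hash(x) = M * x mod 2 as an m-bit int (bit k = output row k).

    Linearity, hash(a ^ b) == hash(a) ^ hash(b), is what lets the CLPUs turn
    per-portion hashes into the hash of the whole key below.
    """
    out = 0
    for k, row in enumerate(matrix):
        out |= (bin(row & x).count("1") & 1) << k
    return out

def split_xor_shares(secret: int, n: int, q: int) -> List[int]:
    """XOR secret sharing of an n-bit value into q portions (assumed here; the patent
    allows any secret sharing scheme). Any q-1 portions are uniformly random."""
    shares = [secrets.randbits(n) for _ in range(q - 1)]
    last = secret
    for s in shares:
        last ^= s
    return shares + [last]

def bitwise_majority(copies: List[int], m: int) -> int:
    """Per-bit majority vote over the copies of one portion's hash that were
    announced by the CLPUs holding that portion ([0070])."""
    result = 0
    for k in range(m):
        if 2 * sum((c >> k) & 1 for c in copies) > len(copies):
            result |= 1 << k
    return result

def reconstruct_hash(reports: Dict[int, List[int]], m: int) -> int:
    """hA = hA1 ^ ... ^ hAq, each hAj first settled by majority vote ([0070])."""
    h = 0
    for j in sorted(reports):
        h ^= bitwise_majority(reports[j], m)
    return h

def announce_portion_hashes(matrix: List[int], key: int, n: int, q: int, replicas: int,
                            corrupt: Optional[Tuple[int, int]] = None) -> Dict[int, List[int]]:
    """Every CLPU announces hash(portion) for each portion it holds ([0069]); portion j
    is held by `replicas` CLPUs. corrupt=(j, r) makes replica r of portion j announce
    a wrong value, modelling a dishonest or Trojaned CLPU."""
    m = len(matrix)
    reports: Dict[int, List[int]] = {}
    for j, portion in enumerate(split_xor_shares(key, n, q)):
        copies = [linear_hash(matrix, portion) for _ in range(replicas)]
        if corrupt is not None and corrupt[0] == j:
            copies[corrupt[1]] ^= (1 << m) - 1  # every announced bit flipped
        reports[j] = copies
    return reports

def error_verification(key_a: int, key_b: int, n: int, m: int, q: int, replicas: int,
                       corrupt_a: Optional[Tuple[int, int]] = None) -> Tuple[int, int, bool]:
    """Station A's CLPUs pick `hash` (the matrix) and announce it; both stations
    reconstruct hA, hB and compare ([0071]). Returns (hA, hB, accepted)."""
    matrix = random_binary_matrix(m, n)
    h_a = reconstruct_hash(announce_portion_hashes(matrix, key_a, n, q, replicas, corrupt_a), m)
    h_b = reconstruct_hash(announce_portion_hashes(matrix, key_b, n, q, replicas), m)
    return h_a, h_b, h_a == h_b

def privacy_amplify_portions(matrix: List[int], key: int, n: int, q: int) -> int:
    """hashPA applied portion by portion ([0074]), followed by XOR reconstruction
    (assumed) of the outputs; by linearity the result equals hashPA(key)."""
    final = 0
    for portion in split_xor_shares(key, n, q):
        final ^= linear_hash(matrix, portion)
    return final

def zero_padded(portion: int, i: int, big_m: int, length: int) -> int:
    """K''_i = [0_1, ..., 0_(i-1), K'_i, 0_(i+1), ..., 0_M] of [0084]: the portion
    of the i-th KGU's key placed in block i (i = 0..M-1) of an M*length-bit vector;
    block 0 sits in the low bits here."""
    assert 0 <= i < big_m and portion < (1 << length)
    return portion << (i * length)

if __name__ == "__main__":
    n, m, q, replicas = 256, 64, 3, 3
    key = secrets.randbits(n)  # constructed reconciled key, KA == KB
    print("one dishonest CLPU outvoted:", error_verification(key, key, n, m, q, replicas, (1, 0))[2])
    print("keys differ by one bit:    ", error_verification(key, key ^ 1, n, m, q, replicas)[2])
```

Because hashPA is linear, XOR-combining hashPA of the zero-padded vectors K''_1, ..., K''_M gives hashPA of the concatenated key [K'_1, ..., K'_M], which is why each CLPU can hash its own padded piece independently in [0086].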
[0087]
[0088] The pair of data sequences generated by each pair of raw key generation units (one from the first cryptographic station and one from the second cryptographic station, respectively) can be generated using a quantum key distribution mechanism.
[0089]
[0090] To divide a sequence of data into portions, a secret sharing scheme or a verifiable secret sharing scheme could be used. At the end of the procedures described in the different methods, a reconstruction protocol could be applied to obtain, from the portions of the secure cryptographic key generated, a final cryptographic key in each of the cryptographic stations.
[0091]
[0092] In other aspects, systems for the generation of secure cryptographic keys are proposed. Said systems include a first and a second cryptographic station (A, B), and each cryptographic station includes at least one raw key generation unit and at least one classical data post-processing unit, CLPU, with means to implement the methods proposed above.
[0093]
[0094] In a last aspect of the present invention, a computer program is disclosed which includes computer program code means adapted to perform the steps of the described methods when said program is executed on processing means of a network entity of an OFDM network; said processing means are, for example, a computer, a digital signal processor, a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a microprocessor, a microcontroller or any other form of programmable hardware. A non-transitory digital data storage medium is also provided for storing a computer program that includes instructions which cause a computer to carry out all the steps of the disclosed methods when the program runs on a computer.
[0095]
[0096] Description of the figures
[0097]
[0098] To complete the description and to facilitate the understanding of the characteristics of the invention, according to a preferred example of its practical embodiments, a set of drawings is attached as an integral part of this description, by way of illustration and not limitation, representing the following:
[0099]
[0100] Figure 1 shows a schematic block diagram of a cryptographic configuration representing the state of the prior art.
[0101]
[0102] Figure 2 shows a schematic block diagram illustrating an attack based on the use of a memory against a cryptographic configuration corresponding to the state of the prior art with two cryptographic stations, A and B.
[0103]
[0104] Figure 3 shows a schematic block diagram of a secure cryptographic key generation method according to an embodiment of the invention, in a scenario where at least one KGU key generating unit is not reliable.
[0105]
[0106] Figure 4 shows a schematic block diagram of a method for generating secure cryptographic keys according to an embodiment of the invention, in a scenario where at least one classic post-processing data unit is not reliable.
[0107]
[0108] Figure 5 shows schematic block diagrams that illustrate the protocols of distribution and reconstruction for an example of a verifiable secret sharing scheme.
[0109]
[0110] Figure 6 shows a schematic block diagram of a secure method of generating cryptographic keys according to an embodiment of the invention, in a scenario where each cryptographic station contains more than one key generating unit, KGU, and more than one classical unit of post-processing of data, CLPU.
[0111]
[0112] Description of the invention
[0113]
[0114] The invention describes methods and systems for, in general terms, generating a common secure cryptographic key between two or more cryptographic stations (a station that is capable of generating cryptographic keys, for example, for communications or authentication of secure data between two electronic devices). Said common key is generated in the presence of a noisy channel in a communications network (communicating the cryptographic stations) and possibly unreliable components within the cryptographic stations.
[0115]
[0116] Consider a communications network that allows communication between several cryptographic stations together with any intermediate or auxiliary node. Each cryptographic station can represent, for example, an electronic node at a secure site, such as a shared data center or facility, a service provider, or an end user's electronic communications device, such as a smartphone or, for example, a mobile phone, a laptop, an iPad, a tablet, a PC or, in general terms, any other type of electronic device that can generate cryptographic keys for communications or data authentication with another device. To achieve unconditionally secure communications or data authentication between, for example, two cryptographic stations, traditionally called A and B or Alice and Bob (where Alice and Bob are supposed to be the parties or users that control each cryptographic station respectively), in the presence of an adversary or spy, Eve, it is important that Alice and Bob share a cryptographic key, K, that is random and secret.
[0117] A cryptographic station contains one or more key generation units (KGU) and one or more classic data post-processing units (CLPU). Key generation units (also called raw key generation units) generate statistically correlated data (also known as raw data, or raw key, that is, data obtained directly from a data source) between distant parties, which are subsequently processed by the CLPUs to obtain the cryptographic key. For example, in Maurer's public key agreement protocol, the key generation units could be antennas receiving signals from a common source in a distant radio galaxy. The classic data post-processing units (also called simply post-processing units) can be any conventional data processing device (also called processing modules or processing units), such as central processing units (CPUs), graphics processing units (GPUs) and field-programmable gate arrays (FPGAs), or any other electronic unit with computing capabilities. A pair of KGUs distributed between the two cryptographic stations, A and B, use some physical means to generate statistically correlated noisy (raw) data between the cryptographic stations. These physical means for generating statistically correlated data could be, for example, QKD systems. In the case of QKD systems, this raw data could be data related to the polarization states in which individual photons are prepared or to the polarization states obtained after measuring them. Each individual photon has a polarization. For example, in the rectilinear basis Z, a vertically polarized photon could represent a "0" while a horizontally polarized photon could represent a "1". Similarly, in the diagonal basis X, a 45-degree polarized photon could represent a "0", while a 135-degree polarized photon could represent a "1". Each KGU then passes the statistically correlated noisy raw data to one or several data post-processing units to be processed, obtaining the cryptographic key K.
Although this is a general argument, to facilitate its illustration we will take the example of QKD systems. In QKD systems, Alice and Bob are connected by two communication channels, one quantum and one classical. The quantum channel is used for the transmission of quantum signals, such as individual photons prepared in different polarization states. These quantum signals can be used to generate a raw key. Eve can attack the quantum channel, which can be an optical fiber, free space or another medium (for example, water). The term "classical channel" simply means a conventional communication channel that can transmit conventional information. The classical channel can be of any form, which includes telephone lines, the Internet, Ethernet, the known channels of a mobile communications network (GSM, UMTS, LTE, 3G, 4G or any other) or a Wi-Fi network, including a direct cable or, in general, any communications channel of any conventional wired or wireless communications network. The classical channel can also be in the same medium as the quantum channel, for example, through spatial, temporal or frequency multiplexing of the signals. It is often assumed that the classical channel is authenticated using any known data authentication mechanism. CLPUs receive the noisy and statistically correlated raw key data and can apply various data processing operations (which may include, for example, post-selection of data, addition of noise, estimation of parameters, information reconciliation, which usually includes an error correction step together with an error verification step, and privacy amplification). These operations are described in more detail below.
[0118]
[0119] A. A key distribution method of the prior art and its insecurity
[0120]
[0121] Figure 1 shows a key distribution method of the prior art with two cryptographic stations, A and B, in the presence of a spy, Eve, in which each cryptographic station contains a single key generation unit (KGU) and a single classic data post-processing unit (CLPU). In other words, the cryptographic station A contains KGUA and CLPUA while the cryptographic station B contains KGUB and CLPUB. In the figures, a superscript indicates whether the devices and the cryptographic keys correspond to the cryptographic station A or to the cryptographic station B. Each KGU generates a raw key, R, and each CLPU produces a cryptographic key, K. CLPUA and CLPUB are connected through an authenticated conventional communications channel ("Channel Cl. A." in the figure, also called authenticated classic channel), and, within each cryptographic station, KGU and CLPU are connected through a classic (conventional) channel ("Channel Cl." in the figure). In QKD systems, a quantum channel ("Channel C." in the figure) connects KGUA and KGUB; in the case of Maurer's public key agreement protocol, the KGUs could receive classic signals broadcast by a common source.
[0122]
[0123] For example, in a known QKD protocol (the Bennett-Brassard standard protocol BB84), two distant parties, Alice and Bob, wish to establish a secure cryptographic key between them. The cryptographic station A is controlled by one of the parties, Alice (for example, the user of a first electronic communications device where the cryptographic station A is located), while the cryptographic station B is controlled by the other party, Bob (for example, the user of a second electronic communications device where the cryptographic station B is located). Now, KGUA prepares a sequence of photons in different polarization states and sends it through a quantum channel to KGUB; these polarization states are chosen by KGUA from two possible conjugate bases, X and Z. For each photon received, KGUB randomly selects one of the two conjugate bases and makes a measurement. KGUB records the result of the measurement and the choice of basis. Next, KGUA sends the polarization data, RA, and other relevant auxiliary information, such as the information on the bases, to CLPUA, and KGUB sends the polarization data, RB, and other relevant auxiliary information, such as the information on the bases, to CLPUB.
[0124]
[0125] Through an authenticated channel ("Channel Cl. A." in Figure 1), CLPUA and CLPUB announce their preparation and measurement bases respectively. They discard all the polarization data sent and received in different bases and use the remaining data to generate a "sifted key". To check whether an attack has occurred, CLPUA and CLPUB calculate the quantum bit error rate (QBER) of a subset of data randomly selected from the sifted key and verify that the QBER is below a certain threshold value. Applying classic data post-processing protocols, such as information reconciliation (which usually includes an error correction step along with an error verification step) and privacy amplification, CLPUA and CLPUB generate a secure cryptographic key, KA and KB, where with high probability KA = KB and KA is secure against a spy.
[0126]
[0127] In this type of configuration, it is commonly assumed that all KGUs (i.e., KGUA and KGUB) and all CLPUs (i.e., CLPUA and CLPUB) are reliable. For example, this framework includes both QKD systems that do not require characterizing the devices ("device-independent QKD") and those that do require characterizing the devices ("device-dependent QKD"). Standard QKD systems require characterizing the devices and assume that the QKD devices work correctly, for example, preparing the correct states and making perfect measurements according to some theoretical protocol. On the other hand, QKD systems that do not require characterizing the devices have the advantage of allowing the QKD devices to work arbitrarily as long as there is no leakage of information (for example, about the final cryptographic key) from the cryptographic stations, A and B, to a spy. Unfortunately, this configuration of the prior art is highly vulnerable to the presence of malicious programs and/or devices in the software and/or hardware. For example, if Eve plants a memory, say, in KGUA, then the security of said key distribution method of the prior art may be compromised. This is illustrated in Figure 2. Eve could use this memory to store the cryptographic key generated in one QKD session and then leak this information over the communication channel in later executions of the QKD system. For this, Eve could exploit, for example, the fact that each execution of QKD is usually associated with a decision to abort or not abort depending on the observed QBER. The memory could then decide whether or not to make KGUA produce a raw key, RA, with a high QBER (and thus force the protocol to abort) depending on the value of a given bit of the key generated in a previous QKD execution. Alternatively, the memory could also leak the cryptographic key generated in a certain execution of QKD by simply hiding it in the public discussion of subsequent QKD executions.
[0128]
[0129] Therefore, the way to distribute a secure cryptographic key when some of the KGUs or CLPUs are unreliable is a major problem that is not solved by the key distribution systems of the prior art.
[0130]
[0131] B. Scenario 1: A method of distributing keys with untrusted key generation units in a cryptographic station.
[0132]
[0133] The main objective of the invention is to achieve security in the distribution of keys in the presence of unreliable devices. These unreliable devices could be, for example, KGUs or CLPUs or a combination of both. In this section, the case is considered in which some KGUs may not be reliable but it is assumed that the CLPUs are.
[0134]
[0135] In this case, we consider a new key distribution protocol with multiple KGUs, as shown in Figure 3. This figure shows two cryptographic stations, A and B, in the presence of a spy, Eve (for example, in the channels that connect the cryptographic stations A and B and also in some of the KGUs of Alice and Bob, which makes these KGUs unreliable). Each cryptographic station contains n (more than one) key generating units, KGUs, in addition to at least one classic data post-processing unit, CLPU. The i-th KGU generates a raw key, Ri. The channel that connects CLPUA and CLPUB is a conventional authenticated communications channel ("Channel Cl. A." in the figure, also called authenticated classic channel). The channel connecting KGUAi and CLPUA, as well as the channel connecting KGUBi and CLPUB, are classic (conventional) secure channels ("Channel Cl. S." in the figure) for all i = 1, ..., n. In addition, in a QKD system, the channel connecting KGUAi and KGUBi is a quantum channel ("Channel C." in the figure) for all i = 1, ..., n.
[0136]
[0137] That is, in this figure, the cryptographic station A has n (where n > 1) units KGUA1, KGUA2, ..., KGUAn, and the cryptographic station B has n units KGUB1, KGUB2, ..., KGUBn. As an additional comment, note that low-cost KGUs exist thanks to the development of chip-based QKD transmitters. Our invention can take advantage of these devices. Also, note that different pairs of KGUs can be purchased from different suppliers. Our invention makes it possible to increase reliability and to build a secure key generation system with cheap components from unreliable suppliers.
[0138]
[0139] Obviously, if all the KGUs are compromised it is impossible to achieve security, so we will assume that at least one of them is not compromised (that is, we will assume that there is at least one reliable KGU). Thus, it is useful to define the access structure or the adversarial structure. By adversarial structure we refer to which subsets of pairs of units KGUAi and KGUBi, with i = 1, ..., n, could be dishonest (unreliable) without affecting the security of the final key (a pair of units KGUAi and KGUBi is dishonest if at least one of the two units is). In the definition of the adversarial structure one could distinguish between dishonest devices that are passively controlled by Eve and those that are actively controlled by Eve. For example, a device passively controlled by Eve can leak its information, but otherwise correctly follows all the instructions of the protocol. A device actively controlled by Eve, on the other hand, can leak its information and, in addition, does not necessarily have to follow the protocol's instructions; its behavior is completely controlled by Eve. An example of an adversarial structure could be that at most 3 out of 4 pairs of units KGUAi and KGUBi could be dishonest and actively controlled by Eve. This means that at least one of the 4 pairs of KGUAi and KGUBi units is honest.
[0140]
[0141] In Figure 3 we assume that each cryptographic station, A and B, has at least one classic data post-processing unit, CLPUA and CLPUB respectively. In this scenario, all CLPUs are assumed to be reliable. In addition, each KGUAi is connected to CLPUA through a classic (conventional) secure channel (called "Channel Cl. S. iA" in Figure 3), and each KGUBi is connected to CLPUB through a classic (conventional) secure channel (called "Channel Cl. S. iB" in Figure 3). Throughout this text, a "secure classic or conventional channel" is understood to be a channel that provides both confidentiality and authentication. This could be achieved, for example, by using one-time pad encryption (also known as the Vernam cipher) together with the Wegman-Carter authentication scheme, or any other known mechanism. Note that in practice a physically protected channel (for example, a physical cable protected against damage and intrusions) that only connects the prescribed devices can also be used as a secure classic channel. Note that all classic secure channels are used to connect devices located inside a cryptographic station. In addition, there is a classic (conventional) authenticated channel that connects CLPUA and CLPUB (called "Channel Cl. A." in Figure 3). This could be achieved using any known authentication system. In a QKD system, the KGUAi and KGUBi units, with i = 1, ..., n, are connected to each other through a quantum channel, called "Channel C. i" in Figure 3, which Eve can access. Note that all KGUAi and KGUBi could even share the same physical quantum channel (e.g., a single optical fiber) by means of various multiplexing techniques (e.g., wavelength multiplexing and space multiplexing).
[0142]
[0143] Each unit KGUAi of the cryptographic station A sends the generated raw key, RAi, to CLPUA through the "Channel Cl. S. iA" shown in Figure 3. If the cryptographic station A has more than one CLPU, then each KGUAi can send its raw key RAi, or portions of it, to one or more of the CLPUs of the cryptographic station A. Similarly, each KGUBi unit sends the generated raw key, RBi, to CLPUB through the "Channel Cl. S. iB". If the cryptographic station B has more than one CLPU, then each KGUBi can send its raw key RBi, or portions thereof, to one or more of the CLPUs of the cryptographic station B. Assuming that all the CLPUs here are reliable, the direct transmission of the raw keys (that is, without dividing them into portions) generated by the different KGUs to the CLPUs (within each cryptographic station) does not compromise security.
[0144]
[0145] The CLPUs can apply several classic data post-processing protocols to the received raw keys. Due to environmental disturbances and possible eavesdropping attacks by Eve, the raw key RAi generated by KGUAi could be different from the raw key RBi generated by KGUBi. Therefore, these classic data post-processing protocols should generally include an information reconciliation protocol and a privacy amplification protocol in order to guarantee that the final keys, KA and KB, generated in the cryptographic stations A and B are secret and, with high probability, equal to each other. In an information reconciliation protocol, one or more of the CLPUs of the cryptographic stations A and B first exchange error correction information, which is used to correct their data in such a way that KA and KB are equal to each other with high probability. This can be done using any known method (see, for example, Brassard, G. and Salvail, L. Secret key reconciliation by public discussion, Proc. of Advances in Cryptology (Eurocrypt 93), 410-23 (1993)). Next, cryptographic stations A and B could perform an error verification step to confirm that KA and KB are indeed equal to each other with high probability. The privacy amplification step is used to ensure that the final key, KA and KB, is in fact secret with high probability (that is, Eve has little information about it). For this, the privacy amplification removes the partial information that Eve may have obtained about, for example, the raw keys RAi, with i = 1, ..., n. Eve could have obtained information about these raw keys by spying on the quantum channels that connect the KGUAi and KGUBi units for all i, as well as by listening to the content of the authenticated classic channel that connects CLPUA and CLPUB. In addition, all KGUAi and KGUBi pairs that are dishonest could directly leak RAi to Eve. As mentioned above, the privacy amplification can be performed by applying a 2-universal hash function to the reconciled key (for example, multiplying the reconciled key by a random matrix with binary entries).
[0146]
[0147] In addition, classical data post-processing protocols may include, for example, post-selection of data, addition of noise, estimation of parameters and verification of errors. In each of these classical data post-processing protocols, one or more of the CLPUs of the cryptographic stations A and B can use the authenticated classic channel between them to exchange information and post-process their data. For example, in the data post-selection step, the CLPUs divide the raw keys RAi and RBi into different data sets. As an example, the CLPUs can divide the raw keys into three main data sets. The first data set contains the data of the raw keys that will be post-processed to obtain a secure key, KA and KB; the second data set (also called the data set for parameter estimation) contains the data of the raw keys that will be used for parameter estimation, in order to determine the parameters needed to generate KA and KB from the data of the first data set; and the third data set contains the data of the raw keys that are discarded. For example, in the standard Bennett-Brassard protocol BB84, Alice and Bob usually discard the data of the raw keys associated with those events in which Alice and Bob used different bases. In addition, the CLPUs can add noise to the raw keys by applying the NOT operation, that is, by logically negating some of their bits (see, for example, Renner, R., Gisin, N. and Kraus, B. An information-theoretic security proof for QKD protocols, Phys. Rev. A 72, 012332 (2005)), or by any other known mechanism for adding noise. In the parameter estimation step, on the other hand, the CLPUs use data from the parameter estimation data set in order to determine upper or lower bounds for those quantities or parameters that are necessary to generate a secure key.
These parameters may include, for example, the QBER, the phase error rate, the number of single-photon pulses emitted by Alice that contribute to the data set used to generate a secure key, etc. Finally, in the error verification step, as already mentioned, the CLPUs confirm that KA and KB are equal with some probability. An information reconciliation protocol can consist of many steps, and error verification can be the last one. The purpose of the error verification is to confirm that the information reconciliation protocol has been successful. For this, the CLPUs could use, for example, a 2-universal hash function to calculate a hash of both KA and KB, and then check whether both hashes are the same.
[0148]
[0149] Below we describe, as an example, a key distribution protocol that achieves security against dishonest KGUs. The protocol can be broken down into two main conceptual steps. In particular, suppose that all the units KGUAi of the cryptographic station A have sent the data of the raw key RAi to CLPUA, and suppose also that all the units KGUBi of the cryptographic station B have sent the data of the raw key RBi to CLPUB. Then, in a first step, the units CLPUA and CLPUB post-process the data RAi and RBi to obtain a secret key, KAi and KBi, or the abort symbol ⊥i, for all i. If a QKD system is used for the generation of raw keys, note that an abort symbol can be generated, for example, when the quantum bit error rate (QBER) is higher than some prescribed value (for example, 11% in the case of the Shor-Preskill security proof for the Bennett-Brassard BB84 protocol). For this, CLPUA and CLPUB can use some of the classic data post-processing protocols described above. These classic data post-processing protocols may include a privacy amplification step to eliminate the partial information that Eve might have about KAi and KBi due to an attack on "Channel C. i" (see Figure 3), which connects KGUAi and KGUBi, as well as due to Eve listening to the content of the authenticated classic channel that connects the CLPUA and CLPUB units. Next comes a key step in this embodiment of the invention. In particular, in a second step, CLPUA and CLPUB apply an additional privacy amplification step to KA' = [KA1, KA2, ..., KAM] and KB' = [KB1, KB2, ..., KBM], where M represents the number of pairs KAi and KBi that are different from the abort symbol ⊥i. The purpose of this second privacy amplification step is to eliminate the information that dishonest KGU pairs could leak to Eve about, say, KA'. To simplify the discussion, consider for example that the length of all the keys KAi and KBi is N bits for all i = 1, ..., M.
Consider also, for example, an adversarial structure where at most t < n pairs of units, KGUAi and KGUBi, could be dishonest and actively controlled by Eve. This means that at most t * N bits of KA' could be compromised and known by Eve. Then, the application of a privacy amplification step to KA' and KB' removes this compromised information and results in a final key, KA and KB, of approximately (M - t) * N bits. Below we describe the step-by-step implementation of this specific example. The goal is to generate a secure cryptographic key in the standard composability framework of cryptography. More specifically, the goal is to generate an epsilon-secure cryptographic key, KA and KB. That is, KA and KB must be epsilon_cor-correct and epsilon_sec-secret. Epsilon, epsilon_cor and epsilon_sec are design parameters of the key generation system that satisfy the condition epsilon_cor + epsilon_sec < epsilon (roughly, a key is epsilon_cor-correct if KA = KB except with a small probability of at most epsilon_cor, and a key is epsilon_sec-secret if it is random and secret from a spy, Eve, except with a small failure probability of at most epsilon_sec).
[0150]
[0151] The protocol for generating a secure cryptographic key can include the following steps (this is only a possible embodiment, and not all of the steps cited are essential and mandatory in all embodiments of the present invention):
[0152]
[0153] Protocol 1:
[0154]
[0155] 1. Distribution of the raw keys: each KGUAi sends to CLPUA the raw key RAi or the abort symbol ⊥i. In addition, each KGUBi sends to CLPUB the raw key RBi or the abort symbol ⊥i.
[0156]
[0157] 2. Generation of an epsilon_cor-correct key KA' and KB': CLPUA and CLPUB use a data post-processing protocol to generate an (epsilon_cor / M)-correct and (epsilon_sec / M)-secret key (with epsilon_cor + epsilon_sec < epsilon), KAi and KBi, from RAi and RBi, or generate the abort symbol ⊥i (to indicate that the data post-processing protocol has not been successful and that it has not been possible to generate a valid key from the raw keys), for all i = 1, ..., n. Then, CLPUA concatenates the M keys KAi that are different from ⊥i to form KA' = [KA1, KA2, ..., KAM]. In the same way, CLPUB concatenates the M keys KBi that are different from ⊥i to form KB' = [KB1, KB2, ..., KBM].
[0158]
[0159] 3. Generation of an epsilon-secure key KA and KB: CLPUA and CLPUB apply a privacy amplification step to extract from KA' and KB' a shorter key, KA and KB, of an approximate length of (M - t) * N bits. This can be done using random hashing with a random matrix, as explained above, or using any other known privacy amplification mechanism.
[0160]
[0161] Note that Protocol 1 is only a non-limiting example of an embodiment of the invention. For example, note that a simplistic way to implement the additional privacy amplification step applied to KA' is simply for Alice to perform the bitwise XOR of the different keys KAi (and likewise Bob). In addition, in general, it is not necessary to apply the privacy amplification in two separate steps (that is, to first generate KA' and KB' and subsequently generate KA and KB from KA' and KB'); rather, it could be applied in one step. That is, an epsilon-secure cryptographic key, KA and KB, could be generated directly in a single step from all the raw keys, RAi and RBi, together. It is important to note that Protocol 1 illustrates that privacy amplification can be used to guarantee the secrecy of the final key, KA and KB, in the presence of dishonest KGUs with a prescribed access structure.
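Steps 2 and 3 of Protocol 1 on one station, together with the bitwise-XOR variant mentioned in the paragraph above, as an added worked example (this is illustrative code, not the patent's or the inventors' implementation). It assumes the per-KGU keys KAi are already epsilon-correct N-bit strings, models the abort symbol ⊥i as `None`, and derives the random binary matrix from a seed that Alice and Bob are assumed to share over the authenticated classic channel so that both stations compute the same (M - t) * N-bit output; the function and parameter names are this example's own.

```python
import random


def random_binary_matrix(rows, cols, seed):
    """Public randomness for the hash: the matrix is derived from a seed that
    both stations share over the authenticated classic channel (assumption)."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(cols)] for _ in range(rows)]


def hash_with_matrix(matrix, key_bits):
    """Privacy amplification by random hashing: output = matrix * key over GF(2)."""
    if any(len(row) != len(key_bits) for row in matrix):
        raise ValueError("matrix width must equal key length")
    return [sum(m & k for m, k in zip(row, key_bits)) % 2 for row in matrix]


def xor_combine(keys):
    """The simplistic variant from the text: bitwise XOR of the per-KGU keys.
    One honest, uniformly random key is enough to make the result uniform."""
    out = [0] * len(keys[0])
    for key in keys:
        out = [a ^ b for a, b in zip(out, key)]
    return out


def protocol1_final_key(per_kgu_keys, t, seed):
    """Steps 2 and 3 of Protocol 1 on one station. `per_kgu_keys` holds the
    N-bit key KAi from each KGU pair, or None for the abort symbol; `t` is the
    number of KGU pairs the adversarial structure allows to be dishonest."""
    live = [key for key in per_kgu_keys if key is not None]
    m = len(live)                                   # M surviving pairs
    if m == 0:
        return None
    n = len(live[0])                                # N bits per key
    if any(len(key) != n for key in live):
        raise ValueError("all per-KGU keys must have the same length N")
    if m <= t:
        # Every surviving pair may be controlled by Eve: nothing secret remains.
        return None
    concatenated = [bit for key in live for bit in key]          # KA'
    matrix = random_binary_matrix((m - t) * n, m * n, seed)
    return hash_with_matrix(matrix, concatenated)                # KA, (M-t)*N bits


def constructed_station_keys(n_bits, seed):
    """Constructed input: four KGU pairs, the third one having aborted."""
    rng = random.Random(seed)
    keys = [[rng.randrange(2) for _ in range(n_bits)] for _ in range(4)]
    keys[2] = None
    return keys


if __name__ == "__main__":
    keys = constructed_station_keys(8, seed=3)
    final = protocol1_final_key(keys, t=1, seed=42)
    print(len(final), "bits:", final)
    print("xor variant:", xor_combine([k for k in keys if k is not None]))
```

The `m <= t` branch is the edge case worth keeping in a real implementation: if fewer pairs survive the abort than the adversarial structure allows to be dishonest, no length of hashing can produce a secret key, and the station must abort rather than output a short key.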
[0162]
[0163] C. Scenario 2: A method of distributing keys with unreliable classic data post-processing units in a cryptographic station.
[0164]
[0165] In this section, a scenario is considered in which some CLPUs of a cryptographic station may not be reliable, but the KGUs are. Again, to improve security, the use of multiple CLPUs in a cryptographic station is considered, as shown in Figure 4. This figure shows two cryptographic stations, A and B, in the presence of a spy, Eve (for example, in the channels that connect the cryptographic stations A and B and also in some of the CLPUs of Alice and Bob, which makes said CLPUs unreliable). Each cryptographic station contains more than one processing unit (known as classic data post-processing units, CLPUs). Each CLPU generates portions of a cryptographic key, K.
[0166]
[0167] While the scope of protection of the invention is general and applies to a general adversarial structure with dishonest CLPUs that could be passively or actively controlled by Eve, we describe here, for illustrative purposes, the simple case of a threshold adversarial structure with a fixed number of dishonest CLPUs actively controlled by Eve (however, the invention can be applied to other, more complex adversarial structures). More specifically, consider the situation in which the cryptographic stations A and B have one reliable KGU each and, in addition, the cryptographic station A has s classic data post-processing units CLPUA1, CLPUA2, ..., CLPUAs, and the cryptographic station B has s' classic data post-processing units CLPUB1, CLPUB2, ..., CLPUBs'. Suppose further that up to t < s/3 of the units CLPUAi, with i = 1, ..., s, and up to t' < s'/3 of the units CLPUBj, with j = 1, ..., s', could be dishonest and actively controlled by Eve. Note that different CLPUs can be purchased from different providers. The present invention allows the construction of a secure cryptographic key generation system with components from unreliable vendors.
[0168]
[0169] Since some CLPUs are dishonest (unreliable), the present invention does not allow them to access the final key, KA and KB; they are only allowed to produce some portions of the final key, KA and KB. For example, in Figure 4 we denote the portions of KA generated by CLPUAi (for i = 1, 2, ..., s) as KAx,y and, in the same way, we denote the portions of KB generated by CLPUBj (for j = 1, 2, ..., s') as KBx,y, for certain indices x and y.
[0170]
[0171] KGUA is connected to each CLPUAi through a classic (conventional) secure channel (called "Channel Cl. S. iA" in Figure 4), and KGUB is connected to each CLPUBj through a classic (conventional) secure channel (called "Channel Cl. S. jB" in Figure 4). In addition, each pair of units CLPUAi and CLPUAi', with i, i' = 1, ..., s, are connected to each other through a classic (conventional) secure channel (called "Channel Cl. S. ii'A" in Figure 4), and each pair of units CLPUBj and CLPUBj', with j, j' = 1, ..., s', are connected to each other through a secure classic channel (called "Channel Cl. S. jj'B" in Figure 4). Also, each pair of units CLPUAi and CLPUBj is connected through an authenticated classic channel (called "Channel Cl. A. ijAB" in Figure 4). And, in the case of a QKD system, KGUA and KGUB are connected to each other through a quantum channel (called "Channel C." in Figure 4), which is accessible to Eve.
[0172]
[0173] In this situation, a new cryptographic key distribution protocol is considered in which KGUA sends portions of the generated raw key, RA, to one or more of the CLPUAi. Similarly, KGUB sends portions of the raw key, RB, to one or more of the CLPUBj. In Figure 4, SAi denotes the portions of RA that KGUA sends to CLPUAi, and SBj the portions of RB that KGUB sends to CLPUBj. If cryptographic station A and/or B has more than one KGU, then each KGU can send portions of its raw key to one or more of the CLPUs of that cryptographic station. Next, the CLPUAi and CLPUBj units post-process the raw keys, RA and RB, in a distributed manner, acting on the received portions SAi and SBj, and generate portions KAi,1, KAi,2, ..., KAi,ni and KBj,1, KBj,2, ..., KBj,mj of the final keys KA and KB. Here ni denotes the total number of portions of KA generated by unit CLPUAi, and mj the total number of portions of KB generated by unit CLPUBj. Again, this classical data post-processing can include several steps such as, for example, post-selection of data, addition of noise, parameter estimation, information reconciliation and privacy amplification.
[0174]
[0175] To divide the raw keys, RA and RB, into portions, the KGUs could use any known method, for example secret sharing schemes or verifiable secret sharing schemes. In a secret sharing scheme, the person or device that divides the secret is called the distributor. In case a distributor could be dishonest, it is important to verify that the values of the portions sent by the distributor are consistent with each other. In addition, in the presence of dishonest parties, it is important to be able to guarantee that all honest parties can reconstruct the same secret from the received portions and, moreover, that if the distributor is honest, the reconstructed secret equals the one originally distributed by the distributor. These conditions can be guaranteed through a verifiable secret sharing scheme. In a verifiable secret sharing scheme, a distributor divides each portion into additional portions, or "portions of a portion", and sends those portions of a portion to several participants. These participants can then verify the consistency of the values of those portions of portions.
[0176]
[0177] In the presence of dishonest CLPUs, the use of a verifiable secret sharing scheme can guarantee the consistency of the distributed portions. Combined with an information reconciliation protocol (which could include an error verification step), this guarantees that the final keys, KA and KB, are correct.
[0178]
[0179] Next, we include the step-by-step implementation of an example of a verifiable secret sharing scheme proposed in Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006). It uses a (q, q)-threshold secret sharing scheme. This latter scheme could be implemented, for example, by dividing the message X to be distributed into a random sum of q portions Xi, with i = 1, ..., q. This could be done, for example, by selecting the first q−1 portions Xi of X at random, and then choosing Xq = X ⊕ X1 ⊕ ... ⊕ Xq−1, where the symbol ⊕ denotes bitwise addition modulo 2 (XOR). A verifiable secret sharing scheme can usually be broken down into two protocols: the distribution protocol and the reconstruction protocol. The example of a verifiable secret sharing scheme presented below allows dividing a message X among n parties, and provides information-theoretic security against an active threshold adversarial structure with a maximum of t < n/3 dishonest parties. Again, by (general) adversarial structure we understand a set of subsets that identifies which combinations of parties could be passively corrupted, and a set of subsets that identifies which combinations of parties could be actively corrupted. Note that there are also verifiable secret sharing schemes that are secure against general adversarial structures. In order to simplify the explanation, here we assume an active threshold adversarial structure in which there could be a maximum of t actively corrupted parties (the invention can, however, be applied to other more complex adversarial structures). Therefore, the example verifiable secret sharing scheme whose distribution and reconstruction protocols are detailed below is secure against such an active threshold adversarial structure, but is not always secure against general adversarial structures. However, if desired, it can be modified to make it secure against a general adversarial structure. In fact, this modification was introduced in the aforementioned document, Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006).
[0180]
[0181] Distribution protocol:
[0182]
[0183] 1. The distributor uses a (q, q)-threshold secret sharing scheme to divide the message X into q = n!/[(n−t)! t!] portions Xi, with i = 1, ..., q.
[0184]
[0185] 2. Let {σ1, ..., σq} be all the (n−t)-combinations of the set of n parties.
[0186] Then, for each i = 1, ..., q, the distributor sends Xi through a secure channel to each party of the set σi. If a party does not receive its portion, it takes a default portion, for example a bit sequence with all its components equal to zero.
[0187]
[0188] 3. All pairs of parties in σi send each other their portions Xi through a secure channel to verify that their portions are indeed equal. If an inconsistency is found, they complain using a broadcast channel.
[0189]
[0190] 4. If a complaint is filed in the set σi, the distributor broadcasts Xi to all parties and they accept the received portion. If the distributor refuses to broadcast Xi to all parties (or is unable to do so) when there is a complaint in σi, the protocol aborts.
[0191]
[0192] Reconstruction protocol:
[0193]
[0194] 1. All pairs of parties send each other their portions through an authenticated classical channel.
[0195]
[0196] 2. Each party uses majority voting as the decision method to reconstruct the portions Xi for all i, and then computes X = X1 ⊕ ... ⊕ Xq.
[0197]
[0198] Figure 5 provides a graphical representation of the distribution and reconstruction protocols explained above for the case of a threshold-type adversarial structure in which at most 1 of 4 parties could be dishonest (i.e., n = 4 and t = 1). In the verifiable secret sharing scheme shown in Figure 5, the message X is distributed among four parties Pi, with i = 1, ..., 4, and provides information-theoretic security against an active threshold-type adversarial structure with a maximum of t = 1 dishonest party. In the figure, X{x,y,z} denotes the portions Xx, Xy and Xz of X. In the distribution protocol all the channels are secure classical (conventional) channels, while in the reconstruction protocol the channels are authenticated classical (conventional) channels.
[0199]
[0200] In the case shown in the figure, the sets σ1 = {P2, P3, P4}, σ2 = {P1, P3, P4}, σ3 = {P1, P2, P4} and σ4 = {P1, P2, P3} are defined. Since q = n!/[(n−t)! t!] = 4, the message X has been divided into 4 portions, X1, X2, X3 and X4. Next, the distributor sends Xi through a secure channel to all parties in σi. For example, it sends X1 to P2, P3 and P4, and likewise for the other portions.
[0201]
[0202] Note that the broadcast channel that is required to perform steps 3 and 4 of the distribution protocol does not have to be a physical channel, but could be a simulated channel.
[0203]
[0204] The verifiable secret sharing scheme presented above is a non-limiting example, and any other verifiable secret sharing mechanism, known or still to be developed, could be used instead. For example, if the number n of parties is large, there are other, more efficient verifiable secret sharing schemes; or, if a physical broadcast channel is available, there are verifiable secret sharing schemes that can guarantee security whenever there is a majority of honest parties (see, for example, Rabin, T. and Ben-Or, M. Verifiable secret sharing and multiparty protocols with honest majority. Proc. 21st Annual ACM Symposium on Theory of Computing (STOC'89) 73-85 (ACM, New York, NY, USA, 1989)).
[0205]
[0206] To implement several of the classical data post-processing protocols required to generate a secure cryptographic key, the CLPUs may need to generate random numbers among mutually untrusted parties. Next we present the step-by-step implementation of an example of a protocol that could be used for this task. It follows directly from verifiable secret sharing schemes and can generate a uniformly random common sequence of l bits among n parties when up to t < n/3 of them could be dishonest and actively controlled by Eve. For convenience, we call it the RBS protocol, from the term "Random Bit String".
[0207]
[0208] RBS Protocol:
[0209] 1. Each of the first t+1 parties locally produces a random sequence ri of l bits and sends it to all other parties using the distribution protocol of a verifiable secret sharing scheme.
[0210]
[0211] 2. Each party uses a broadcast channel to confirm that it has received the portions from the first t+1 parties. Otherwise, the protocol aborts.
[0212]
[0213] 3. All parties use the reconstruction protocol of a verifiable secret sharing scheme to obtain ri for all i = 1, ..., t+1. Subsequently, each party locally calculates r = r1 ⊕ ... ⊕ rt+1.
[0214]
[0215] As in the previous case, note that the broadcast channel required in step 2 of the RBS protocol could be realised with a simulated broadcast channel. Also, note that in order to generate random numbers among mutually untrusted parties in a way that is secure against general adversarial structures, one could simply use in the RBS protocol described above a distribution protocol (in step 1) and a reconstruction protocol (in step 3) of a verifiable secret sharing scheme that is secure against general adversarial structures, such as the one proposed in Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006).
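As an added worked example (my own code, not code from the patent), the following Python script implements the (q, q) additive sharing, the distribution and reconstruction protocols of the verifiable secret sharing scheme above, and the RBS protocol on top of them, for the threshold case t < n/3. The pairwise comparison of step 3 is modelled as a check inside each set σi, the secure, authenticated and broadcast channels are modelled as plain function arguments, and dishonest parties are modelled as announcing random values during reconstruction (and as choosing a non-random ri when they act as RBS dealers). The names vss_distribute, vss_check_consistency, vss_reconstruct and rbs are mine.

```python
"""Added example: Maurer-style verifiable secret sharing with (q, q) additive
XOR shares, plus the RBS random-bit-string protocol built on top of it.
Threshold case: n parties, at most t < n/3 actively corrupted."""
import itertools
import secrets
from collections import Counter


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def additive_split(x: bytes, q: int) -> list:
    """(q, q) sharing: q-1 uniformly random shares, the last one chosen so
    that X_1 xor ... xor X_q = x.  Any q-1 shares are independent of x."""
    shares = [secrets.token_bytes(len(x)) for _ in range(q - 1)]
    last = x
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def vss_distribute(x: bytes, n: int, t: int, corrupt_dealer: bool = False):
    """Distribution protocol (steps 1-2): share X_i goes over the secure
    channels to every party in sigma_i, the i-th (n-t)-combination, so
    q = n!/((n-t)! t!).  Returns (sigmas, held) with held[p][i] = X_i as
    received by party p.  A corrupt dealer is modelled as sending one
    party of sigma_0 a different X_0 (an inconsistency step 3 must catch)."""
    sigmas = list(itertools.combinations(range(n), n - t))
    shares = additive_split(x, len(sigmas))
    held = {p: {} for p in range(n)}
    for i, sigma in enumerate(sigmas):
        for p in sigma:
            held[p][i] = shares[i]
    if corrupt_dealer:
        victim = sigmas[0][0]
        held[victim][0] = xor_bytes(shares[0], b"\x01" * len(x))
    return sigmas, held


def vss_check_consistency(held, sigmas) -> list:
    """Step 3: parties in sigma_i compare their X_i pairwise over secure
    channels.  Returns the indices i for which a complaint would be
    broadcast (step 4 then forces the dealer to broadcast X_i or abort)."""
    return [i for i, sigma in enumerate(sigmas)
            if len({held[p][i] for p in sigma}) > 1]


def vss_reconstruct(held, sigmas, liars=()) -> bytes:
    """Reconstruction protocol: each party announces its shares over an
    authenticated channel (liars announce garbage), then every honest party
    majority-votes each X_i among the n-t holders in sigma_i and XORs the
    winners.  With t < n/3, the n-2t honest holders outvote the t liars."""
    reports = {}
    for p, table in held.items():
        if p in liars:
            reports[p] = {i: secrets.token_bytes(len(v)) for i, v in table.items()}
        else:
            reports[p] = dict(table)
    x = None
    for i, sigma in enumerate(sigmas):
        winner, _ = Counter(reports[p][i] for p in sigma).most_common(1)[0]
        x = winner if x is None else xor_bytes(x, winner)
    return x


def rbs(n: int, t: int, length: int, liars=()) -> bytes:
    """RBS protocol: each of the first t+1 parties deals a random r_i by VSS,
    everyone reconstructs every r_i and XORs them.  At most t parties are
    corrupt, so at least one r_i is honest and uniform, and r stays uniform
    even when a corrupt dealer (any dealer listed in `liars`) picks r_i = 0."""
    r = bytes(length)
    for dealer in range(t + 1):
        r_i = bytes(length) if dealer in liars else secrets.token_bytes(length)
        sigmas, held = vss_distribute(r_i, n, t)
        r = xor_bytes(r, vss_reconstruct(held, sigmas, liars))
    return r


if __name__ == "__main__":
    # Figure 5 case: n = 4, t = 1, q = 4 shares; party 3 lies during reconstruction.
    secret = b"\xde\xad\xbe\xef"                       # constructed message X
    sigmas, held = vss_distribute(secret, 4, 1)
    print("sets sigma_i:", sigmas)
    print("complaints:", vss_check_consistency(held, sigmas))
    print("reconstructed OK:", vss_reconstruct(held, sigmas, liars=(3,)) == secret)
    print("RBS string with dishonest first dealer:", rbs(4, 1, 8, liars=(0,)).hex())
```

Each share X_i is held by the n − t parties of σi; at most t of them are corrupt, so n − 2t > t honest parties report the same value and the majority vote in vss_reconstruct is always the honest one when t < n/3. The same bound is what makes t + 1 dealers sufficient in rbs.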
[0216]
[0217] To illustrate the present invention in this scenario, we now describe two protocols (see Protocols 2 and 3 below) that could be used to achieve secure cryptographic key distribution with untrusted CLPUs. These are two examples of embodiments of the present invention. To facilitate their description, we consider in these two examples that the number of CLPUs of cryptographic station A is equal to that of B, that is, s = s', although, of course, this is not a necessary condition and the number of CLPUs of each cryptographic station can be different.
[0218]
[0219] The first example (see Protocol 2 below) can be broken down into two main conceptual steps. In a first step, KGUA and KGUB carry out independent cryptographic key generation sessions, each with a different pair of units CLPUAi and CLPUBi, with i = 1, ..., s. The objective of each session is to generate, for example, an (epsilon/s)-secure key, KAi and KBi, or the abort symbol ⊥i. To facilitate the illustration, consider that the length of each key KAi and KBi is N bits for all i. If, for example, the pair CLPUAi and CLPUBi is dishonest, then KAi and KBi could be compromised and known to Eve. A pair CLPUAi and CLPUBi is dishonest if at least one of its units is dishonest. Next, in a second step, the keys KAi and KBi are concatenated to form KA' = [KA1, KA2, ..., KAM] and KB' = [KB1, KB2, ..., KBM], where M denotes the number of keys KAi and KBi that are different from the abort symbol, and the CLPUs apply an error verification protocol and a privacy amplification step to KA' and KB'. Here lies a fundamental contribution of this embodiment of the invention: this second step is carried out in a distributed manner, acting only on portions of KA' and KB'. Note that this is possible because all the data post-processing techniques described above are usually "linear" in nature (that is, they usually involve applying simple linear algebra functions such as bitwise XOR and matrix multiplication) and can therefore be easily implemented by acting only on portions of KA' and KB'. In certain steps, CLPUs may need information about portions that are in the hands of other CLPUs. To obtain this information, they could use, for example, the reconstruction protocol of a verifiable secret sharing scheme. That is, all the units that hold the information send it to the unit that requires it, and that unit can use a majority-voting decision method to discriminate which information is correct. Next we describe the protocol in more detail:
[0220]
[0221] Protocol 2 (this is only a possible embodiment, and not all of the steps cited are essential and mandatory in all embodiments of the present invention): 1. Generation of KAi and KBi: KGUA and KGUB carry out independent cryptographic key generation sessions, each of them with a different pair of units CLPUAi and CLPUBi, with i = 1, ..., s. For this, they use "Channel C.", "Channel Cl. S. iA", "Channel Cl. S. iB" and "Channel Cl. A. iiAB" shown in Figure 4. The result of each key generation session will be two bit sequences, KAi and KBi, which are supposed to form an (epsilon_cor/s)-correct and (epsilon_sec/s)-secret key (with epsilon_cor + epsilon_sec < epsilon), or the abort symbol ⊥i.
[0222]
[0223] 2. Distribution of portions of KAi and KBi: each CLPUAi divides KAi into portions and sends them to the other CLPUs of cryptographic station A following, for example, the distribution protocol of a verifiable secret sharing scheme and using the secure classical channels "Channel Cl. S. ilA" shown in Figure 4, and all the CLPUAl, with l = 1, ..., s and l ≠ i, mutually confirm that they have received their portions. Let K'Ai,lj be the j-th portion of KAi received by CLPUAl. In the same way, the CLPUBi units act similarly with KBi. Let K'Bi,lj be the j-th portion of KBi received by CLPUBl.
[0224]
[0225] 3. Generation of K''Ai,lj and K''Bi,lj: each CLPUAl, with l = 1, ..., s, locally defines the bit sequences K''Ai,lj = [01, ..., 0i−1, K'Ai,lj, 0i+1, ..., 0M], where 0i, with i = 1, ..., M, represents the zero vector of N bits, and M is the number of pairs CLPUAi and CLPUBi that did not produce the abort symbol ⊥i. Similarly, the CLPUBl units obtain K''Bi,lj.
[0226]
[0227] 4. Error verification: the CLPUAl, with l = 1, ..., s, use, for example, the RBS protocol to select a random bit sequence and with it randomly choose a 2-universal hash function from a pre-established family of 2-universal hash functions. Then, each of them locally calculates a hash hAi,lj = hash(K''Ai,lj) of length, say, ⌈log2(4/epsilon_cor)⌉ bits for all its bit sequences K''Ai,lj, and, for example, the first 2t+1 CLPUAl send the chosen hash function to all CLPUBl' through the authenticated classical channels "Channel Cl. A. ll'AB" shown in Figure 4, with l' = 1, ..., s. Each CLPUBl' reconstructs the hash function locally using majority voting and obtains hBi,l'j = hash(K''Bi,l'j) for all its bit sequences K''Bi,l'j. Next, all CLPUAl and CLPUBl' use the reconstruction protocol of a verifiable secret sharing scheme to obtain hA = hA11 ⊕ ... ⊕ hAMq and hB = hB11 ⊕ ... ⊕ hBMq, where q = s!/[(s−t)! t!] is the number of portions of each KAi and KBi. For this, the bit sequences hAi,lj and hBi,l'j are sent to each other through authenticated classical channels, and each unit uses majority voting to obtain hAij and hBij from the hAi,lj and hBi,l'j. Finally, each CLPUAl and CLPUBl' checks locally that hA = hB. If they are not equal, the result is the abort symbol. If they are equal, go to step 5. This error verification step guarantees that K''A = K''A11 ⊕ ... ⊕ K''AMq and K''B = K''B11 ⊕ ... ⊕ K''BMq are equal except with probability at most epsilon_cor, where K''Aij denotes the bit sequence that would be obtained from the K''Ai,lj using majority voting, and the definition of K''Bij is analogous.
[0229]
[0230] 5. Privacy amplification: the CLPUAl use, for example, the RBS protocol to randomly select a 2-universal hash function, hashPA, from a pre-established family. They calculate KAi,lj = hashPA(K''Ai,lj) and, for example, the first 2t+1 CLPUAl send the hashPA function to all CLPUBl' through the authenticated classical channels "Channel Cl. A. ll'AB" shown in Figure 4, with l' = 1, ..., s. Then, the CLPUBl' use majority voting to determine hashPA from the received information and calculate KBi,l'j = hashPA(K''Bi,l'j). The hashPA function transforms the sequences of M·N bits K''Ai,lj and K''Bi,l'j into two shorter bit sequences, KAi,lj and KBi,l'j respectively, of approximately (M − 2t)·N − ⌈log2(4/epsilon_cor)⌉ bits. The reason for subtracting 2·t·N bits is that, in the worst case, the presence of t dishonest CLPUAl and t independent dishonest CLPUBl' could result in 2t dishonest pairs CLPUAl and CLPUBl, with l = 1, ..., s, and therefore 2·t·N bits of K''A could be compromised.
[0231]
[0232] If t < MAi/3 and t < MBi/3 for all i = 1, ..., M, where MAi denotes the number of CLPUAl that do not produce the abort symbol but generate post-processed portions KAi,lj from KAi, and MBi denotes the number of CLPUBl that do not produce the abort symbol but generate post-processed portions KBi,lj from KBi, then the bit sequences KAi,lj and KBi,lj produced by the CLPUAl and CLPUBl units in step 5 of Protocol 2 are portions of an epsilon-secure final key, KA and KB. As mentioned above, in this scenario the CLPUA and CLPUB units are only allowed to produce portions of KA and KB. For example, a secure laboratory located at cryptographic station A could use majority voting to obtain KAij from the sequences KAi,lj. Similarly, a secure laboratory located at cryptographic station B could use majority voting to obtain KBij from the sequences KBi,lj. In this way, the final key could be obtained as KA = KA11 ⊕ ... ⊕ KAMq and KB = KB11 ⊕ ... ⊕ KBMq.
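The "linearity" argument of [0219] and steps 3 to 5 of Protocol 2 can be checked concretely. The following added Python example is my own code, not the patent's: it uses a Toeplitz-matrix hash over GF(2), which is both 2-universal and XOR-linear, as a stand-in for the unspecified hash and hashPA functions; the hash seed stands for the random string the RBS protocol would supply; the verifiable secret sharing machinery and the majority votes are omitted, so each CLPU holds exactly one additive share per key (which is what a majority vote among honest holders yields); and the names protocol2_shares, error_check_on_shares, pa_output_length and privacy_amplify_on_shares are mine. It shows that the XOR of the per-share hashes equals the hash of the concatenated key KA', so the CLPUs can compare hA with hB and amplify privacy while none of them ever sees KA'.

```python
"""Added example: Protocol 2 steps 3-5 carried out on additive shares.
Bit strings are Python ints; hash and hashPA are GF(2)-linear Toeplitz
hashes, so hash(K''_11 ^ ... ^ K''_Mq) == hash(K''_11) ^ ... ^ hash(K''_Mq)."""
import math
import secrets


def toeplitz_rows(seed: int, in_len: int, out_len: int) -> list:
    """Rows of an out_len x in_len Toeplitz matrix over GF(2) defined by a
    seed of in_len + out_len - 1 random bits: row k is seed[k : k+in_len]."""
    mask = (1 << in_len) - 1
    return [(seed >> k) & mask for k in range(out_len)]


def gf2_matvec(rows: list, x: int) -> int:
    """y = M x over GF(2): bit k of y is the parity of (row_k AND x)."""
    y = 0
    for k, row in enumerate(rows):
        if bin(row & x).count("1") & 1:
            y |= 1 << k
    return y


def additive_split(x: int, q: int, nbits: int) -> list:
    """(q, q) XOR sharing of an nbits-bit value."""
    shares = [secrets.randbits(nbits) for _ in range(q - 1)]
    last = x
    for s in shares:
        last ^= s
    return shares + [last]


def concat_key(keys: list, N: int) -> int:
    """KA' = [KA1, KA2, ..., KAM]: block i occupies bits i*N .. (i+1)*N-1."""
    return sum(k << (i * N) for i, k in enumerate(keys))


def protocol2_shares(keys: list, N: int, q: int) -> list:
    """Steps 2-3: split each session key KAi into q shares and embed share j
    as K''_ij = [0_1, ..., 0_{i-1}, K'_ij, 0_{i+1}, ..., 0_M] (M*N bits).
    Returns table[i][j] = K''_ij, the share held by one CLPU."""
    return [[s << (i * N) for s in additive_split(k, q, N)]
            for i, k in enumerate(keys)]


def xor_all(table: list) -> int:
    """What the VSS reconstruction (majority vote, then XOR) yields."""
    acc = 0
    for row in table:
        for s in row:
            acc ^= s
    return acc


def error_check_on_shares(tableA: list, tableB: list, hash_rows: list) -> bool:
    """Step 4: every CLPU hashes only the share it holds; reconstructing hA
    (XOR of the hash shares) gives hash(KA') by linearity.  Abort iff hA != hB."""
    hA = xor_all([[gf2_matvec(hash_rows, s) for s in row] for row in tableA])
    hB = xor_all([[gf2_matvec(hash_rows, s) for s in row] for row in tableB])
    return hA == hB


def pa_output_length(M: int, N: int, t: int, eps_cor: float) -> int:
    """Final-key length from step 5: (M - 2t)*N - ceil(log2(4/eps_cor)),
    discounting the 2t session keys that dishonest pairs may have leaked."""
    return (M - 2 * t) * N - math.ceil(math.log2(4 / eps_cor))


def privacy_amplify_on_shares(table: list, pa_rows: list) -> list:
    """Step 5: KA_ij = hashPA(K''_ij) per share; the XOR of the outputs is
    hashPA(KA'), the final key, which no single CLPU ever holds."""
    return [[gf2_matvec(pa_rows, s) for s in row] for row in table]


if __name__ == "__main__":
    M, N, q, t, eps_cor = 4, 16, 3, 1, 1e-6             # constructed parameters
    keys = [secrets.randbits(N) for _ in range(M)]       # KA1..KAM from the sessions
    tableA = protocol2_shares(keys, N, q)                # station A's shares
    tableB = protocol2_shares(keys, N, q)                # B: same keys, other shares
    hash_len = math.ceil(math.log2(4 / eps_cor))
    hash_rows = toeplitz_rows(secrets.randbits(M * N + hash_len - 1), M * N, hash_len)
    print("error check passes:", error_check_on_shares(tableA, tableB, hash_rows))
    L = pa_output_length(M, N, t, eps_cor)
    pa_rows = toeplitz_rows(secrets.randbits(M * N + L - 1), M * N, L)
    out = privacy_amplify_on_shares(tableA, pa_rows)
    print("final key of", L, "bits:", hex(xor_all(out)), "== hashPA(KA'):",
          xor_all(out) == gf2_matvec(pa_rows, concat_key(keys, N)))
```

The zero padding in protocol2_shares is what makes the shares of different session keys addable: the XOR over all (i, j) of K''Ai,lj is exactly the concatenation KA', and any GF(2)-linear hash commutes with that XOR. A non-linear hash would not allow this share-wise evaluation, which is why the choice of hash family matters for the distributed post-processing.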
[0233]
[0234] Here is a second example of a protocol that can provide secure cryptographic key distribution with unreliable classical data post-processing units (see Protocol 3 below). This protocol has two main advantages with respect to Protocol 2. First, it does not require executing independent key generation sessions, but can generate an epsilon-secure cryptographic key from the execution of a single key generation session. And, secondly, it is more efficient in terms of the secret key generation rate, since it provides a secret key rate that could be around s/(s − 2t) times higher than that provided by Protocol 2. While the scope of protection of the present invention is general, to facilitate the description of Protocol 3 we will consider next that the cryptographic key generation procedure does not use a random post-selection of raw key data (the invention can, however, be applied to other more complex cases in which a random post-selection of raw key data is carried out). In addition, to facilitate the illustration, it will be assumed that the classical data post-processing protocol does not estimate the value of the real QBER, but uses a pre-established QBER value for the error correction protocol, followed by an error verification step. Protocol 3, described below, can be broken down into two main conceptual steps. In a first step, KGUA and KGUB generate a raw key, RA and RB respectively. Next comes a key step of this embodiment of the invention. KGUA divides RA into portions using, for example, the distribution protocol of a verifiable secret sharing scheme and then sends those portions to the CLPUAi units. This step is illustrated in Figure 4, where SAi represents the portions of RA that are sent to CLPUAi through the secure channel "Channel Cl. S. iA". Likewise, RB is sent in portions to the CLPUBi units. Then, in a second step, each CLPUAi and CLPUBi', with i, i' = 1, ..., s, applies the classical data post-processing protocol to the received portions. That is, each CLPU can apply post-selection of data, add noise, perform parameter estimation, information reconciliation and privacy amplification in a distributed manner, acting directly on the received portions. As in the case of steps 4 and 5 of Protocol 2, this is possible because all these data post-processing techniques employ simple linear algebra functions and are therefore easily implemented by acting only on portions. Next we describe the steps of Protocol 3 in more detail:
[0235]
[0236] Protocol 3 (this is only a possible embodiment, and not all of the steps cited are essential and mandatory in all embodiments of the present invention):
[0237]
[0238] 1. Distribution of RA and RB: KGUA and KGUB first generate a raw key, RA and RB respectively. Next, KGUA uses the distribution protocol of a verifiable secret sharing scheme to create q = s!/[(s−t)! t!] portions of RA and then distributes them among the CLPUAi, with i = 1, ..., s, using the secure classical channels "Channel Cl. S. iA" shown in Figure 4. For this, KGUA can use, for example, the distribution protocol described above. In turn, KGUB does the same with RB and the units CLPUBi, with i = 1, ..., s. Let K'Aij be the portion of RA received by CLPUAi and K'Bij the portion of RB received by CLPUBi (j = 1, ..., q). The set of portions K'Aij received by CLPUAi and the set of portions K'Bij received by CLPUBi are represented in Figure 4 as SAi and SBi respectively.
[0239]
[0240] 2. Post-selection of data: each CLPUAi, for all i, extracts from the received portions K'Aij two bit sequences: K'Aij,key and K'Aij,est. The first bit sequence will be used to generate the key (transformed into a secure key thanks to the data post-processing) and the second bit sequence will be used for parameter estimation. In turn, each CLPUBi, for all i, does the same with K'Bij to get K'Bij,key and K'Bij,est.
[0241]
[0242] 3. Parameter estimation: all CLPUAi and CLPUBi', with i, i' = 1, ..., s, use the reconstruction protocol of a verifiable secret sharing scheme to obtain both KAest and KBest, which are the parts of RA and RB used for parameter estimation. For this, their portions K'Aij,est and K'Bij,est are sent through authenticated classical channels. That is, each CLPUAi unit receives the portions K'Ai'j,est and K'Bi'j,est held by all the other CLPUs. In the same way, each CLPUBi unit receives the portions K'Ai'j,est and K'Bi'j,est held by all the other CLPUs. Next, each of them uses majority voting to obtain both KAj,est and KBj,est from the K'Aij,est and K'Bij,est for all j = 1, ..., q. Subsequently, they calculate KAest = KA1,est ⊕ ... ⊕ KAq,est and KBest = KB1,est ⊕ ... ⊕ KBq,est. With this information, each CLPUAi and CLPUBi' performs the parameter estimation step of the protocol locally (for example, they calculate the quantum phase error rate). If the quantum phase error rate is too high, the abort symbol is generated.
[0243]
[0244] 4. Error correction: the CLPUAi and CLPUBi execute an error correction protocol on the parts of RA and RB used for key extraction, K'Akey and K'Bkey. This process is performed by acting on their portions K'Aij,key and K'Bij,key respectively. For this, each CLPUAi applies a certain matrix MEC to K'Aij,key to obtain sAij = MEC · K'Aij,key. In the same way, each CLPUBi applies MEC to K'Bij,key to obtain sBij = MEC · K'Bij,key. Then, the CLPUAi and CLPUBi use the reconstruction protocol of a verifiable secret sharing scheme so that all CLPUBi can obtain sA = MEC · K'Akey and sB = MEC · K'Bkey. To this end, all CLPUAi send to all CLPUBi' the bit sequences sAij through the authenticated classical channel "Channel Cl. A. ii'AB" shown in Figure 4. In addition, all CLPUBi of cryptographic station B send each other the bit sequences sBij through authenticated classical channels. Then each CLPUBi uses majority voting to locally reconstruct sAj and sBj, for all j, from the sAij and sBij. Finally, it obtains sA = sA1 ⊕ ... ⊕ sAq and sB = sB1 ⊕ ... ⊕ sBq. Next, the CLPUs of cryptographic station B correct K'Bkey: for this, say that all the CLPUBi that hold, for example, the j-th portion K'Bij,key of K'Bkey, for a prefixed index j = 1, ..., q, apply a logical NOT to certain bits of this portion depending on the values of sA and sB. This whole process is repeated until the error correction protocol ends. The end of the error correction protocol is determined by the concrete error correction protocol implemented, as well as by the value of the QBER. Let KAij,key and KBij,key be the portions K'Aij,key and K'Bij,key after error correction, and let leakEC be the number of bits of syndrome information. Here the syndrome information refers to the information that the CLPUs of one cryptographic station send to the CLPUs of the other cryptographic station (and vice versa) during the error correction protocol. For example, in each iteration of the error correction protocol the CLPUs of cryptographic station A send |sA| bits of syndrome information to the CLPUs of cryptographic station B.
[0245]
[0246] 5. Error verification: the CLPUAi, with i = 1, ..., s, use the RBS protocol to randomly select a 2-universal hash function. Then, each of them locally calculates a hash hAij = hash(KAij,key) of length, say, ⌈log2(4/epsilon_cor)⌉ bits and, for example, the first 2t+1 CLPUAi send the hash function to all the CLPUBi', with i' = 1, ..., s, through the authenticated classical channels "Channel Cl. A. ii'AB" shown in Figure 4. Each CLPUBi reconstructs the hash function locally by majority voting and obtains hBij = hash(KBij,key). Next, all CLPUAi and CLPUBi use the reconstruction protocol of a verifiable secret sharing scheme to obtain both hA = hA1 ⊕ ... ⊕ hAq and hB = hB1 ⊕ ... ⊕ hBq from the hAij and hBij. To do this, they send each other hAij and hBij through authenticated classical channels. That is, each CLPUAi unit receives the portions hAi'j and hBi'j held by all the other CLPUs. In the same way, each CLPUBi unit receives the portions hAi'j and hBi'j held by all the other CLPUs. Then, each of them uses majority voting to determine both hAj and hBj for all j from the hAij and hBij. Finally, each of them checks locally whether hA = hB. If they are not equal, they generate the abort symbol. If they are equal, proceed to step 6. This error verification step guarantees that K'Akey = KA1,key ⊕ ... ⊕ KAq,key and K'Bkey = KB1,key ⊕ ... ⊕ KBq,key are equal except with probability at most epsilon_cor, where KAj,key and KBj,key denote, respectively, the bit sequences that would be obtained from the KAij,key and KBij,key using majority voting.
[0247]
[0248] 6. Privacy amplification: the CLPUAi use, for example, the RBS protocol to randomly select a 2-universal hash function, hashPA. Then, they calculate KAij = hashPA(KAij,key) and, for example, the first 2t+1 CLPUAi send the hashPA function to all CLPUBi' through the authenticated classical channels "Channel Cl. A. ii'AB" shown in Figure 4, with i' = 1, ..., s. Next, the CLPUBi use majority voting to determine the hashPA function from the received information and calculate KBij = hashPA(KBij,key). The hashPA function removes the partial information that Eve might have on the final key, KA and KB, which includes the leakEC bits of syndrome information revealed during the information reconciliation protocol, the hash value revealed during the error verification protocol, as well as the additional information that Eve could have about the key and that can be computed from the quantum phase error rate.
[0249]
[0250] Note that if the number of dishonest units CLPUAi satisfies t < MA/3 and the number of dishonest units CLPUBi satisfies t < MB/3, where MA is the number of CLPUAi units that do not abort and MB is the number of CLPUBi units that do not abort, then from the bit sequences KAij and KBij produced in step 6 of Protocol 3 it is possible to reconstruct an epsilon-secure key, KA and KB. For this, for example, a secure laboratory located at cryptographic station A could use majority voting to obtain KAj from the KAij for all j = 1, ..., q. Similarly, for example, a secure laboratory located at cryptographic station B could use majority voting to obtain KBj from the KBij for all j = 1, ..., q. Finally, KA = KA1 ⊕ ... ⊕ KAq and KB = KB1 ⊕ ... ⊕ KBq.
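Steps 1 and 4 of Protocol 3 (sharing the raw key and running error correction on the shares) can be illustrated with the following added Python example, which is my own code and not the patent's. The raw keys are treated as 7-bit blocks and the matrix MEC is the parity-check matrix of the Hamming(7,4) code, a constructed stand-in that corrects at most one error per block (the patent does not fix a particular code); the verifiable secret sharing distribution, the majority votes and the channels are collapsed into plain lists, since with t < n/3 a majority vote returns exactly the honest value. It shows that the syndromes of the shares XOR to the syndrome of the whole key, that the CLPUs of station B can flip bits in a single share K'B1j,key to correct RB, and that the shares reconstruct RA afterwards. The names split_raw_key, share_syndromes, correct_on_shares and simulate_channel_errors are mine.

```python
"""Added example: Protocol 3 error correction carried out on additive shares.
RA and RB are lists of 7-bit blocks (ints); M_EC is the Hamming(7,4)
parity-check matrix, so a 3-bit syndrome names the single flipped bit."""
import secrets

# Parity-check matrix H of Hamming(7,4): column p (1..7) is the binary of p,
# stored as 3 row masks over the 7 bit positions (bit p-1 <-> column p).
HAMMING_ROWS = [sum(1 << (p - 1) for p in range(1, 8) if (p >> r) & 1)
                for r in range(3)]


def gf2_matvec(rows: list, x: int) -> int:
    """y = M x over GF(2): bit k of y is the parity of (row_k AND x)."""
    y = 0
    for k, row in enumerate(rows):
        if bin(row & x).count("1") & 1:
            y |= 1 << k
    return y


def split_raw_key(blocks: list, q: int) -> list:
    """Step 1, (q, q) sharing of the raw key block by block: returns q shares,
    each a list of 7-bit blocks, with share_1 ^ ... ^ share_q == blocks."""
    shares = [[] for _ in range(q)]
    for b in blocks:
        parts = [secrets.randbits(7) for _ in range(q - 1)]
        last = b
        for p in parts:
            last ^= p
        for j, p in enumerate(parts + [last]):
            shares[j].append(p)
    return shares


def reconstruct(shares: list) -> list:
    """XOR of all shares (what a secure lab computes after the majority votes)."""
    out = list(shares[0])
    for share in shares[1:]:
        out = [a ^ b for a, b in zip(out, share)]
    return out


def share_syndromes(share: list) -> list:
    """What one CLPU computes locally: s_ij = M_EC * K'_ij,key, block by block."""
    return [gf2_matvec(HAMMING_ROWS, b) for b in share]


def correct_on_shares(sharesA: list, sharesB: list):
    """Step 4 as seen by station B.  The sA_j arrive from the CLPUA_i over the
    authenticated channel, the sB_j are exchanged among the CLPUB_i; XORing
    them gives sA = M_EC*RA and sB = M_EC*RB by linearity, and sA ^ sB is the
    syndrome of the error pattern RA ^ RB.  The indicated bit is flipped in
    share 1 only, which corrects RB without any unit learning RB itself.
    Returns (corrected sharesB, leak_EC = |sA| bits disclosed by station A)."""
    nblocks = len(sharesA[0])
    sA = [0] * nblocks
    for share in sharesA:
        sA = [a ^ s for a, s in zip(sA, share_syndromes(share))]
    sB = [0] * nblocks
    for share in sharesB:
        sB = [a ^ s for a, s in zip(sB, share_syndromes(share))]
    corrected = [list(share) for share in sharesB]
    for k, (a, b) in enumerate(zip(sA, sB)):
        pos = a ^ b                      # 0 = no error, else bit position 1..7
        if pos:
            corrected[0][k] ^= 1 << (pos - 1)
    return corrected, 3 * nblocks


def simulate_channel_errors(blocks: list, flip_every: int) -> list:
    """Constructed noise model: flip one bit in every flip_every-th block."""
    noisy = list(blocks)
    for k in range(0, len(noisy), flip_every):
        noisy[k] ^= 1 << secrets.randbelow(7)
    return noisy


if __name__ == "__main__":
    RA = [secrets.randbits(7) for _ in range(20)]   # constructed raw key, 140 bits
    RB = simulate_channel_errors(RA, 3)              # QBER-like single-bit errors
    sharesA, sharesB = split_raw_key(RA, 3), split_raw_key(RB, 3)
    fixed, leak = correct_on_shares(sharesA, sharesB)
    print("RB corrected on shares:", reconstruct(fixed) == RA, "| leak_EC =", leak, "bits")
```

Because MEC is linear, sA = MEC·RA equals the XOR of the per-share syndromes sAij, so station A's CLPUs reveal only the syndrome bits (leakEC = |sA|) and never a share of RA; the 3 bits per block counted here are what privacy amplification in step 6 must later remove.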
[0251]
[0252] Note that Protocols 2 and 3 are only non-limiting examples of embodiments of the invention. Also, note that these protocols can be modified to guarantee security against general adversarial structures. For this, one could basically replace the verifiable secret sharing scheme described above, which is secure against threshold-type adversarial structures, by another known scheme robust against general adversarial structures (see, for example, Maurer, U. Secure multi-party computation made simple. Discrete Appl. Math. 154, 370-381 (2006)); in addition, the method for announcing the hash and hashPA functions may now depend on the adversarial structure. It is important to note that Protocols 2 and 3 highlight a fundamental contribution of the present invention, which is that the use of secret sharing schemes can guarantee the security of cryptographic key distribution systems in the presence of dishonest CLPUs.
[0253]
[0254] D. Scenario 3: A key distribution method with untrusted key generation units and unreliable classical data post-processing units in a cryptographic station
[0255]
[0256] Here the most general scenario is considered (the preferred embodiment of the invention), in which both the KGUs and the CLPUs of a cryptographic station may be unreliable. Again, to ensure security, multiple CLPUs and KGUs are used in each cryptographic station, as shown in Figure 6, where there are two cryptographic stations, A and B, in the presence of an eavesdropper, Eve, and each cryptographic station contains more than one cryptographic key generation unit, KGU, and more than one classical data post-processing unit, CLPU. As in the previous scenarios, for illustrative purposes we describe below the simplest situation of an active threshold-type adversarial structure with a fixed number of dishonest KGUs and CLPUs, all actively controlled by Eve. More specifically, consider the situation in which cryptographic station A has n units KGUA1, KGUA2, ..., KGUAn, as well as s units CLPUA1, CLPUA2, ..., CLPUAs, and cryptographic station B has n units KGUB1, KGUB2, ..., KGUBn and s' units CLPUB1, CLPUB2, ..., CLPUBs' (here it is assumed that stations A and B have the same number of KGUs, although this is only an illustrative example and they can have a different number of KGUs). Consider also that up to t < s/3 units CLPUAi, up to t' < s'/3 units CLPUBj, and up to t'' < n pairs of key generation units KGUAi and KGUBi, with i = 1, ..., n, could be dishonest (untrustworthy) and actively controlled by Eve. A pair of units KGUAi and KGUBi is dishonest if at least one of its units is dishonest. This is only a non-limiting example and, of course, the invention can be applied to any general adversarial structure.
[0257]
[0258] Again, since some CLPUs are dishonest, none of them is allowed to access the final cryptographic key, KA and KB, but they can only produce portions of it. For example, in Figure 6, the portions of KA produced by CLPUAl (for l = 1, 2, ..., s) are denoted as KAlxy and, likewise, the portions of KB produced by CLPUBj (for j = 1, 2, ..., s') are denoted as KBjxy, for certain indexes x and y. Also, as in the previous cases, we consider that each KGUAi is connected to each CLPUAl through a secure classical (conventional) communications channel (indicated as "Channel Cl. S. ilA" in Figure 6), with i = 1, ..., n and l = 1, ..., s; each KGUBi is connected to each CLPUBj through a secure classical (conventional) communications channel (indicated as "Channel Cl. S. ijB" in Figure 6), with j = 1, ..., s'; each pair of units CLPUAl and CLPUAl', with l, l' = 1, ..., s, is connected through a secure classical (conventional) communications channel (indicated as "Channel Cl. S. ll'A" in Figure 6); each pair of units CLPUBj and CLPUBj', with j, j' = 1, ..., s', is connected through a secure classical (conventional) communications channel (indicated as "Channel Cl. S. jj'B" in Figure 6); each pair of units CLPUAl and CLPUBj is connected through an authenticated classical (conventional) communications channel (indicated as "Channel Cl. A. ljAB" in Figure 6); and, in QKD systems, each pair of units KGUAi and KGUBi is connected through a quantum channel (indicated as "Channel C. i" in Figure 6, with i = 1, ..., n), which is accessible to Eve.
[0259]
[0260] To illustrate the invention, an example of a protocol (see Protocol 4) that could be used to achieve secure distribution of cryptographic keys in this scenario according to the present invention is described below. To simplify the description of the protocol, in this example we consider that the number of CLPUs of cryptographic station A is equal to that of B, that is, s = s' (this is only an illustrative example and the cryptographic stations can have different numbers of CLPUs). Protocol 4 can be broken down into two main conceptual steps. In the first step, each pair of units KGUAi and KGUBi generates a raw key and then implements, together with the classical data post-processing units CLPUAl and CLPUBl, the previously described Protocol 3. As a result, the units CLPUAl and CLPUBl, with l = 1, ..., s, obtain portions of an (epsilon/n)-secure key, KAi and KBi (i = 1, ..., n), or the abort symbol ⊥i. Specifically, let K'Ailj be the portion of KAi received by CLPUAl, and likewise let K'Bilj be the portion of KBi received by CLPUBl. Also, to simplify the discussion (although not for limiting purposes), consider for example that the length of all the keys KAi and KBi is N bits for all i. Next, the CLPUs proceed in a similar way to Protocol 2. That is, the keys KAi and KBi are concatenated to form KA' = [KA1, KA2, ..., KAM] and KB' = [KB1, KB2, ..., KBM], where M indicates the number of keys KAi and KBi that are different from the abort symbol, and the CLPUs apply a privacy amplification step to KA' and KB'. This privacy amplification step removes the information that the dishonest KGU pairs could leak to Eve about, say, KA'. This second step is performed in a distributed manner, acting only on the portions K'Ailj and K'Bilj. The protocol is described in more detail below:
[0261]
[0262] Protocol 4 (this is only a possible embodiment, and not all of the steps cited are essential and mandatory in all embodiments of the present invention):
[0263]
[0264] 1. Generation and distribution of portions of KAi and KBi: each pair KGUAi and KGUBi, with i = 1, ..., n, generates a raw key and then implements, together with the classical data post-processing units CLPUAl and CLPUBl, all the steps of Protocol 3 described above. As a result, the units CLPUAl and CLPUBl, with l = 1, ..., s, obtain portions of an (epsilon/n)-secure key, KAi and KBi, or the abort symbol ⊥i. Let K'Ailj be the portion of KAi received by CLPUAl, and likewise let K'Bilj be the portion of KBi received by CLPUBl.
[0265] 2. Generation of K''Ailj and K''Bilj: each CLPUAl, with l = 1, ..., s, locally defines the bit sequences K''Ailj = [0_1, ..., 0_(i-1), K'Ailj, 0_(i+1), ..., 0_M], where 0_i, with i = 1, ..., M, represents the zero vector of N bits, and M is the number of keys KAi and KBi that are different from the abort symbol ⊥i. The units CLPUBl act similarly and obtain K''Bilj.
[0266] 3. Privacy amplification: the CLPUAl use the RBS protocol to randomly select a 2-universal hash function, hashPA, and compute KAilj = hashPA(K''Ailj). Then, for example, the first 2t + 1 units CLPUAl send the function hashPA to all the CLPUBl' through the authenticated classical channels "Channel Cl. A. ll'AB" shown in Figure 6, with l' = 1, ..., s. Next, the CLPUBl' use majority voting to determine the function hashPA from the received information and compute KBil'j = hashPA(K''Bil'j). The function hashPA maps the sequences K''Ailj and K''Bil'j of M*N bits into two shorter bit sequences, KAilj and KBil'j respectively, of approximately (M - t'')*N bits.
[0267] If t < MAi/3 and t' < MBi/3 for all i = 1, ..., M, where MAi indicates the number of CLPUAl that do not produce the abort symbol but generate post-processed portions, KAilj, from KAi, and MBi indicates the number of CLPUBl' that do not produce the abort symbol but generate post-processed portions, KBil'j, from KBi, then final epsilon-secure keys, KA and KB, can be reconstructed from the portions KAilj and KBil'j following the same procedure that reconstructs the final cryptographic key in Protocol 2. Note that Protocol 4 is only an example of an embodiment of the invention. Following similar ideas, alternative protocols could be defined that also allow the secure distribution of cryptographic keys in this scenario. For example, the first step of Protocol 4 could be replaced by a step in which each group of units KGUAi, KGUBi, CLPUAi and CLPUBi, with i = 1, ..., n, first performs a key generation session to produce an epsilon-secure key, KAi and KBi, or the abort symbol ⊥i, followed by the distribution of KAi among all the CLPUAl and the distribution of KBi among all the CLPUBl' using the distribution protocol of a verifiable secret sharing scheme. In this last case, to be able to guarantee that the final key is correct, an error verification step could be included, implemented in a distributed manner acting on portions of the key. Also, note that Protocol 4 and similar protocols could be modified to guarantee security against general adversarial structures, following the techniques explained for the two previous scenarios. It is important to note that the example offered by Protocol 4 illustrates a fundamental contribution of the invention, namely, that the combination of secret sharing schemes and privacy amplification techniques can guarantee the secure distribution of cryptographic keys with dishonest KGUs and CLPUs.
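As an added worked example (not code from the patent), the following Python simulates the distributed privacy amplification of Protocol 4 at station A with constructed toy parameters. It assumes XOR-additive secret sharing of each KAi across the CLPUs (one portion per CLPUAl), a Toeplitz-matrix 2-universal hash as hashPA, and that 2t + 1 units broadcast the hash seed so that a receiving CLPUBl' can take a majority vote; these are assumptions of the example, not choices the patent prescribes.

```python
import random
from collections import Counter

# Constructed toy parameters for the worked example (not from the patent).
N = 8                    # bits of each per-pair key KAi
M = 3                    # KGU pairs that did not abort
T_PAIRS = 1              # t'': KGU pairs that may be dishonest
S = 4                    # CLPUs at station A; each CLPUAl holds one XOR portion of every KAi
T_CLPU = 1               # t: CLPUAl that may be dishonest (2t+1 senders needed for the vote)
OUT_LEN = (M - T_PAIRS) * N   # final key length after privacy amplification

_gen = random.Random(2024)
EXAMPLE_KEYS = [[_gen.randrange(2) for _ in range(N)] for _ in range(M)]   # KA1..KAM (constructed)
EXAMPLE_SEED = [_gen.randrange(2) for _ in range(OUT_LEN + M * N - 1)]     # describes hashPA
FORGED_SEED = [b ^ 1 for b in EXAMPLE_SEED]                                 # what a dishonest CLPUAl sends


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def toeplitz_hash(seed, x, out_len):
    """Linear 2-universal hash over GF(2): y = T x, where T is the out_len x len(x)
    Toeplitz matrix whose diagonals are read from `seed` (len(seed) = out_len + len(x) - 1).
    Linearity is what lets the CLPUs hash their portions separately."""
    n = len(x)
    if len(seed) != out_len + n - 1:
        raise ValueError("seed length must be out_len + len(x) - 1")
    return [sum(x[c] & seed[r - c + n - 1] for c in range(n)) % 2 for r in range(out_len)]


def xor_share(key, q, rng):
    """Split `key` into q XOR portions; any q-1 of them look uniformly random."""
    shares = [[rng.randrange(2) for _ in key] for _ in range(q - 1)]
    last = key
    for sh in shares:
        last = xor_bits(last, sh)
    return shares + [last]


def padded_portion(portion, i, m, n):
    """Step 2 of Protocol 4: K''Ailj = [0_1, ..., 0_(i-1), K'Ailj, 0_(i+1), ..., 0_M] (i is 1-based)."""
    return [0] * (n * (i - 1)) + list(portion) + [0] * (n * (m - i))


def majority_vote(received):
    """Value sent by the most senders; with 2t+1 senders and at most t dishonest, the honest value wins."""
    value, _ = Counter(tuple(v) for v in received).most_common(1)[0]
    return list(value)


def receive_hash_seed(honest_seed, forged_seed, t):
    """A CLPUBl' hears hashPA from 2t+1 units CLPUAl, t of which lie, and recovers it by majority."""
    return majority_vote([honest_seed] * (t + 1) + [forged_seed] * t)


def distributed_privacy_amplification(keys, seed, q):
    """Steps 2-3 of Protocol 4 at station A: every CLPUAl hashes its zero-padded portion of each KAi.
    Because hashPA is linear, XORing all the hashed portions equals hashPA(KA') even though no
    single CLPU ever holds KA' or a whole KAi."""
    m, n = len(keys), len(keys[0])
    out_len = len(seed) - m * n + 1
    rng = random.Random(7)                                  # deterministic sharing for the example
    portions = [xor_share(k, q, rng) for k in keys]         # portions[i][l] = K'Ailj held by CLPUAl
    result = [0] * out_len
    for l in range(q):
        for i in range(m):
            hashed_portion = toeplitz_hash(seed, padded_portion(portions[i][l], i + 1, m, n), out_len)
            result = xor_bits(result, hashed_portion)       # combine KAilj across CLPUs and pairs
    return result


def reference_hash(keys, seed):
    """What a single trusted unit would compute: hashPA applied to KA' = [KA1, KA2, ..., KAM]."""
    concat = [b for k in keys for b in k]
    return toeplitz_hash(seed, concat, len(seed) - len(concat) + 1)


if __name__ == "__main__":
    seed_at_b = receive_hash_seed(EXAMPLE_SEED, FORGED_SEED, T_CLPU)
    ka = distributed_privacy_amplification(EXAMPLE_KEYS, seed_at_b, S)
    print("hashPA recovered by vote:", seed_at_b == EXAMPLE_SEED)
    print("distributed result matches centralised hash:", ka == reference_hash(EXAMPLE_KEYS, EXAMPLE_SEED))
    print("final key length (M - t'')*N =", len(ka))
```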
[0268]
[0269] In summary, it can be affirmed that the main objective of the present invention is to obtain a secure cryptographic key generation system with components manufactured and/or acquired from several unreliable suppliers. The invention can be used as a defense against both unreliable key generation units (KGUs) and unreliable classical data post-processing units (CLPUs). Furthermore, the present invention has the additional advantage of being robust to denial-of-service attacks, since trust is distributed among multiple KGUs that could be using entirely different channels.
[0270]
[0271] For the sake of simplicity, the invention has been discussed so far for specific examples in which there are only two users. It must be taken into account that it can be applied to a network environment in which there are multiple users (and therefore multiple cryptographic stations). In addition, it can be applied to a network configuration in which multiple users connect to each other through several routes, and it allows users to combine the multiple keys generated from the multiple routes into a final key that is secure against untrusted devices and is also secure against compromised routes that contain nodes controlled by an eavesdropper. In addition, for the sake of simplicity, we have assumed that each user is physically in a single local cryptographic station. Note, however, that what we represent as a single cryptographic station in Figures 3, 4 and 6 could potentially be a set of physical nodes distributed at distant locations in a communications network.
[0272]
[0273] The invention can be combined with both trusted and untrusted relays. Furthermore, the invention can be applied to a QKD configuration that does not need to characterize the measuring device that measures the received photons (known as measurement-device-independent QKD), in which an untrusted intermediary, Charles, performs some measurements (for example, Bell state measurements) on the quantum states sent by the cryptographic stations of Alice and Bob. In addition, the invention can be combined with quantum repeaters.
[0274]
[0275] The invention can be combined with several classic data post-processing protocols, including post-selection protocols or, as already mentioned above, protocols that add noise.
[0276]
[0277] The invention is compatible with several QKD protocols, including, for example, decoy-state QKD, the COW protocol, the RR-DPS QKD protocol and QKD based on entangled quantum states. It can also be applied to various information encoding schemes and to QKD systems based on both discrete and continuous variables.
[0278]
[0279] Although we have discussed our invention in the framework of security of composability (in which a protocol can be combined with others arbitrarily), the present invention can also be applied to other frameworks of security, including one that involves computational assumptions.
[0280]
[0281] Although the invention has been described with reference to its preferred embodiment and alternative embodiments, it will be noted that various modifications can be made to the parts and methods that comprise it, without departing from its spirit or scope of protection.
[0282]
[0283] A person skilled in the art would readily recognize that some steps of several of the methods described above can be performed by programmed computers. Here, some embodiments are also intended to encompass program storage devices, for example digital data storage media, which are readable by machines or computers and encode machine- or computer-executable programs of instructions, wherein said instructions perform some or all of the steps of said methods described above. The program storage devices can be, for example, digital memories, magnetic storage media, such as magnetic disks and magnetic tapes, hard disks, or digital optical data storage media. The embodiments are also intended to encompass computers programmed to carry out said steps of the methods described above.
[0284]
[0285] The description and the drawings are limited to illustrate the principles of the invention. Although the present invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that modifications, omissions and additions to the form and details described herein may be effected without departing from the scope of the invention, as defined by the following claims.
[0286]
[0287] In addition, all the examples listed here are primarily and expressly for pedagogical purposes, to help the reader understand the principles of the invention and the concepts contributed by the inventors to advance the technique, and they should be interpreted without limitation to the examples and conditions specifically listed. Furthermore, it is understood that all references in the present document to principles, aspects and embodiments of the invention, as well as specific examples thereof, also cover equivalents thereof.
[0288] Those skilled in the art will understand that any block diagram contained in this document represents conceptual views of illustrative circuits embodying the principles of the invention. Likewise, it will be understood that any graphical representation of operation, flowchart, state transition diagram, pseudocode and the like represents processes that can be substantially represented in a computer readable medium and thus executed by a computer or processor, regardless of whether said computer or processor is shown explicitly or not.
CLAIMS
[0001]
1. A method for the generation of secure cryptographic keys in the presence of unreliable units in a cryptographic system, the cryptographic system including a first and a second cryptographic station (A, B), each station including n raw key generation units, KGUAi, KGUBi with i = 1, 2, ..., n, where n > 1, and at least one classical data post-processing unit, CLPUA, CLPUB, the method including the following steps:
- each pair of raw key generating units, KGUAi and KGUBi, with i = 1, 2, ..., n, generates a pair of data sequences (raw key) and sends (through secure communication channels) the data sequence generated by KGUAi to at least one classical data post-processing unit of the first cryptographic station, and the data sequence generated by KGUBi to at least one classical data post-processing unit of the second cryptographic station;
- the classical data post-processing units (at least one) of the first and second cryptographic stations, CLPUA, CLPUB:
- apply a data post-processing procedure to each received data sequence and generate a cryptographic key, KAi, KBi, with i = 1, 2, ..., n, or an error symbol (an error symbol is generated if the raw key generating unit has not been able to generate a data sequence from which a cryptographic key can be obtained) for each raw key generation unit, where the data post-processing procedure includes at least an information reconciliation operation between the classical data post-processing units of both cryptographic stations through an authenticated communications channel and a first privacy amplification procedure to extract a shorter key;
- concatenate the generated cryptographic keys to form a first concatenated cryptographic key KA' = [KA1, KA2, ..., KAM] and a second concatenated cryptographic key KB' = [KB1, KB2, ..., KBM], where M is the number of cryptographic key pairs generated in both cryptographic stations that differ from the error symbol;
- apply an additional privacy amplification procedure to the first concatenated cryptographic key and to the second concatenated cryptographic key to extract first and second secure cryptographic keys, respectively, KA and KB.
2. A method for the generation of secure cryptographic keys in the presence of unreliable units of a cryptographic system, the system including a first and a second cryptographic station (A, B), each cryptographic station including at least one raw key generation unit, KGUA, KGUB respectively, and more than one classical data post-processing unit CLPUAl, CLPUBl', with l = 1, 2, ..., s and l' = 1, 2, ..., s', where the method includes the following steps:
- KGUA generates s data sequences and each generated data sequence is sent to a different unit CLPUAl, and KGUB generates s' data sequences and each generated data sequence is sent to a different unit CLPUBl';
- each classical data post-processing unit of the first and second cryptographic stations:
- applies a data post-processing procedure to each received data sequence and generates either a cryptographic key or an error symbol for each received data sequence, where the data post-processing procedure includes at least one information reconciliation operation between the classical data post-processing units of the two cryptographic stations through an authenticated communications channel and a first privacy amplification procedure to extract a shorter key;
- divides the generated cryptographic keys into two or more portions and distributes them among the rest of the classical data post-processing units of the first and second cryptographic stations, respectively;
- generates a portion of a secure cryptographic key by applying an error verification procedure and an additional privacy amplification operation to the received portions of cryptographic keys.
3. A method for the generation of secure cryptographic keys in the presence of unreliable units of a cryptographic system, the system including a first and a second cryptographic station (A, B), each cryptographic station including at least one raw key generation unit, KGUA, KGUB respectively, and more than one classical data post-processing unit CLPUAi, CLPUBi', with i = 1, 2, ..., s and i' = 1, 2, ..., s', where the method includes the following steps:
- the raw key generating units (at least one) of the first and second cryptographic stations generate a data sequence, RA, RB respectively, divide the generated data sequences into two or more portions and distribute them among the classical data post-processing units of the first and second cryptographic stations respectively, where K'Aij is the j-th portion of RA received by CLPUAi, and K'Bij' is the j'-th portion of RB received by CLPUBi';
- each classical data post-processing unit of the first and second cryptographic stations:
- obtains from each received portion of the data sequence RA, RB a portion of the key generation subsequence, K'Aij,key and K'Bij',key respectively;
- applies a data post-processing procedure to the portions K'Aij,key, K'Bij',key and generates portions of a secure cryptographic key, where the data post-processing procedure includes at least one information reconciliation operation between the classical data post-processing units of both cryptographic stations through an authenticated communications channel and a privacy amplification procedure to extract a shorter key.
4. A method according to claim 3:
- in which the information reconciliation operation includes an error correction procedure that involves:
- applying certain predefined matrices MEC to the data portions K'Aij,key, K'Bij',key to obtain the data sequences sAij = MEC * K'Aij,key, sBij' = MEC * K'Bij',key respectively;
- obtaining in each of the classical data post-processing units a reconstructed data sequence sA, sB defined as sA = sA1 ⊕ ... ⊕ sAq and sB = sB1 ⊕ ... ⊕ sBq respectively, where sAj is obtained from the sAij using a decision strategy based on majority voting and sBj is obtained from the sBij' using a decision strategy based on majority voting;
- modifying the value of the data sequences K'Aij,key, K'Bij',key depending on the values obtained for sA and sB;
- repeating the three steps of the error correction procedure until the error rate is below a predefined threshold;
- in which the information reconciliation operation includes an error verification procedure that involves:
- that the classical data post-processing units of the first cryptographic station randomly select a 2-universal hash function, which we will call hash, and apply it to the portions KAij,key obtained from K'Aij,key by the error correction procedure, to obtain hAij = hash(KAij,key), and each classical data post-processing unit of the second cryptographic station obtains hBij' = hash(KBij',key), where the portions KBij',key are obtained from K'Bij',key through the error correction procedure, and then each classical data post-processing unit sends its portions hAij and hBij' to all the classical data post-processing units of its own cryptographic station and to all the data post-processing units of the other cryptographic station;
- obtaining in each classical data post-processing unit two reconstructed data sequences hA, hB, defined as hA = hA1 ⊕ ... ⊕ hAq and hB = hB1 ⊕ ... ⊕ hBq respectively, where hAj is obtained from the hAij using a decision strategy based on majority voting and hBj is obtained from the hBij' using a decision strategy based on majority voting;
- each of the classical data post-processing units checks whether hA = hB and, if they are equal, proceeds to the privacy amplification procedure; otherwise it produces an abort symbol;
- in which the privacy amplification procedure includes:
- that the classical data post-processing units of the first cryptographic station randomly select a 2-universal hash function, which we will call hashPA, and apply it to the portions KAij,key to obtain portions of a secure cryptographic key as KAij = hashPA(KAij,key), and each classical data post-processing unit of the second cryptographic station obtains portions of a secure cryptographic key as KBij' = hashPA(KBij',key).
5. A method according to claim 3 or 4, wherein the method further includes:
- that each classical data post-processing unit of the first and second cryptographic stations obtains from each received portion of the data sequences a portion of the parameter estimation subsequence, K'Aij,est, K'Bij',est, and sends said portions of the parameter estimation subsequences to the rest of the classical data post-processing units of the two cryptographic stations.
6. A method for the generation of secure cryptographic keys in the presence of unreliable units in a cryptographic system, the system including a first and a second cryptographic station (A, B), each cryptographic station including a plurality of raw key generation units, KGUAi, KGUBi, with i = 1, 2, ..., n, n > 1, and a plurality of classical data post-processing units CLPUAl, CLPUBl', l = 1, 2, ..., s, l' = 1, 2, ..., s', where the method includes the following steps:
- each raw key generating unit of the first and second cryptographic stations generates data sequences, RAi, RBi with i = 1, 2, ..., n, respectively, divides the generated data sequences into two or more portions and distributes them among the classical data post-processing units of the first and second cryptographic stations respectively;
- each classical data post-processing unit applies a data post-processing procedure to each received data portion, generating either portions, K'Ailj, K'Bil'j, of a first cryptographic key, or an error symbol for each received portion of the data sequence, where the data post-processing procedure includes at least one information reconciliation operation between the classical data post-processing units of both cryptographic stations through an authenticated communications channel and a first privacy amplification procedure, where K'Ailj is the j-th portion of the cryptographic key corresponding to the sequence RAi obtained by the unit CLPUAl, and K'Bil'j is the j'-th portion of the cryptographic key corresponding to the sequence RBi obtained by the unit CLPUBl';
- each classical data post-processing unit CLPUAl obtains portions of a secure cryptographic key by first concatenating the portions of the cryptographic key obtained in the previous step, and then applying an additional privacy amplification procedure to the concatenated sequences obtained.
7. A method according to claim 6, wherein the last step of claim 6 includes:
- each CLPUAl, with l = 1, ..., s, obtains data sequences K''Ailj = [0_1, ..., 0_(i-1), K'Ailj, 0_(i+1), ..., 0_M], where 0_i, with i = 1, ..., M, represents a zero vector, and M is the number of pairs of raw key generating units that generate data sequences resulting in a key and not the error symbol, and each CLPUBl', with l' = 1, ..., s', obtains bit sequences K''Bil'j = [0_1, ..., 0_(i-1), K'Bil'j, 0_(i+1), ..., 0_M], with i = 1, ..., M;
- the units CLPUAl, with l = 1, ..., s, randomly select a 2-universal hash function, hashPA, and then obtain portions of a secure cryptographic key as KAilj = hashPA(K''Ailj), and each CLPUBl', with l' = 1, ..., s', obtains portions of a secure cryptographic key as KBil'j = hashPA(K''Bil'j).
8. A method according to claims 1 or 6 or 7, wherein the pair of data sequences generated by each pair of raw key generation units, KGUAi and KGUBi, i = 1, 2, ..., n, of the first and second cryptographic stations respectively, is generated using a quantum key distribution mechanism.
9. A method according to claims 2 or 3 or 4 or 5, wherein each pair of data sequences generated by each pair of raw key generation units KGUA and KGUB of the first and second cryptographic stations respectively is generated using a quantum key distribution mechanism.
10. A system for the generation of secure cryptographic keys in the presence of unreliable units, the system including a first and a second cryptographic station (A, B), where each cryptographic station includes n raw key generation units, KGUAi, KGUBi with i = 1, 2, ..., n, where n > 1, and at least one classical data post-processing unit CLPUA, CLPUB, where:
- each pair of raw key generating units, KGUAi and KGUBi, includes means for generating a pair of mutually correlated data sequences and for sending the data sequence generated by KGUAi to at least one classical data post-processing unit of the first cryptographic station and the data sequence generated by KGUBi to at least one classical data post-processing unit of the second cryptographic station;
- at least one of the classical data post-processing units of the first and second cryptographic stations, CLPUA, CLPUB, is configured to:
- apply a data post-processing procedure to each received data sequence to generate a cryptographic key, KAi, KBi, or an error symbol for each raw key generation unit, in which the data post-processing procedure includes at least one information reconciliation operation between the post-processing units of both cryptographic stations through an authenticated communications channel and a first privacy amplification procedure to extract a shorter key;
- concatenate the generated cryptographic keys to form a first concatenated cryptographic key KA' = [KA1, KA2, ..., KAM] and a second concatenated cryptographic key KB' = [KB1, KB2, ..., KBM], where M is the number of cryptographic key pairs generated in both cryptographic stations that differ from the error symbol;
- apply an additional privacy amplification procedure to the first concatenated cryptographic key and the second concatenated cryptographic key to extract first and second secure cryptographic keys, respectively, KA and KB.
11. A system for the generation of secure cryptographic keys in the presence of untrusted units, the system including a first and a second cryptographic station (A, B), in which each cryptographic station includes at least one raw key generating unit, KGUA, KGUB respectively, and more than one data post-processing unit CLPUAl, CLPUBl', l = 1, 2, ..., s, l' = 1, 2, ..., s', where:
- KGUA includes means for generating s data sequences and sending a generated data sequence to each CLPUAl, and KGUB includes means for generating s' data sequences which are correlated with the data sequences generated by KGUA and sending a generated data sequence to each CLPUBl';
- each classical data post-processing unit of the first and second cryptographic stations is configured to:
- apply a data post-processing procedure to each received data sequence to generate a cryptographic key or an error symbol for each received data sequence, where the post-processing procedure includes at least one information reconciliation operation between the post-processing units of the two cryptographic stations through an authenticated communications channel and a first privacy amplification procedure to extract a shorter key;
- divide the generated cryptographic keys into two or more portions and distribute them among the rest of the classical data post-processing units of the first and second cryptographic stations, respectively;
- generate a portion of a secure cryptographic key by applying an error verification procedure and an additional privacy amplification operation to the received portions of cryptographic keys.
12. A system for the generation of secure cryptographic keys in the presence of unreliable units, the system including a first and a second cryptographic station (A, B), in which each cryptographic station includes at least one raw key generation unit, KGUA, KGUB, and more than one data post-processing unit CLPUAi, CLPUBi', i = 1, 2, ..., s, i' = 1, 2, ..., s', where:
- at least one raw key generation unit of each of the first and second cryptographic stations generates a data sequence, RA, RB respectively, the two sequences being correlated with each other, and includes means for dividing the generated data sequences into two or more portions and distributing them among the classical data post-processing units of the first and second cryptographic stations respectively, where K'Aij is the j-th portion of RA received by CLPUAi and K'Bij' is the j'-th portion of RB received by CLPUBi';
- each classical data post-processing unit of the first and second cryptographic stations is configured to:
- obtain from each received portion of the data sequence a portion of the key generation subsequence, K'Aij,key, K'Bij',key;
- apply a post-processing procedure to the portions of the key generation subsequences to generate portions of secure cryptographic keys, where said post-processing procedure includes an information reconciliation operation between the processing units of both cryptographic stations through an authenticated communications channel and a privacy amplification procedure.
13. A system for the generation of secure cryptographic keys in the presence of unreliable units, the system including a first and a second cryptographic station (A, B), where each cryptographic station includes a plurality of raw key generation units, KGUAi, KGUBi with i = 1, 2, ..., n, n > 1, and a plurality of data post-processing units CLPUAl, CLPUBl', l = 1, 2, ..., s, l' = 1, 2, ..., s', where:
- each raw key generating unit of the first and second cryptographic stations includes means for generating correlated data sequences, RAi, RBi with i = 1, 2, ..., n, respectively, and for dividing the generated data sequences into two or more portions and distributing them among the classical data post-processing units of the first and second cryptographic stations respectively;
- each data post-processing unit is configured to:
- apply a data post-processing procedure to each received portion of the data sequence, generating portions K'Ailj, K'Bil'j of a first cryptographic key or an error symbol for each received portion of the data sequence, where the data post-processing procedure includes at least one information reconciliation operation between the processing units of both cryptographic stations through an authenticated communication channel and a first privacy amplification procedure, where K'Ailj is the j-th portion of the cryptographic key associated with RAi and obtained by CLPUAl, and K'Bil'j is the j'-th portion of the cryptographic key associated with RBi and obtained by CLPUBl';
- obtain portions of a secure cryptographic key by concatenating the obtained portions of the first cryptographic keys and applying an additional privacy amplification procedure to the concatenated sequence.
14. A non-transitory digital data storage medium storing a computer program including instructions which cause a computer executing the program to carry out the method according to any of claims 1-9.
Patent family:
Publication number | Publication date
US20210385079A1|2021-12-09|
WO2019092299A1|2019-05-16|
ES2717548B2|2020-11-26|
EP3709563B1|2022-01-26|
EP3709563A1|2020-09-16|
CN111566990A|2020-08-21|
Legal status:
2019-06-21| BA2A| Patent application published|Ref document number: 2717548 Country of ref document: ES Kind code of ref document: A1 Effective date: 20190621 |
2020-11-26| FG2A| Definitive protection|Ref document number: 2717548 Country of ref document: ES Kind code of ref document: B2 Effective date: 20201126 |
Priority:
Application number | Application date | Title
ES201700755A| ES2717548B2|2017-11-08|2017-11-08|Secure key agreement with untrusted devices|
US16/762,464| US20210385079A1|2017-11-08|2018-11-08|Secure key agreement with untrusted parties|
CN201880085831.XA| CN111566990A|2017-11-08|2018-11-08|Secure key agreement with untrusted devices|
EP18849475.1A| EP3709563B1|2017-11-08|2018-11-08|Secure key agreement with untrusted parties|
PCT/ES2018/070722| WO2019092299A1|2017-11-08|2018-11-08|Secure key agreement with non-trusted devices|