1
5th ETSI/IQC Workshop on Quantum-Safe Cryptography, 13-15 Sep 2017
QKD applications in Japan: Healthcare and IoT
Masahide Sasaki
Email: [email protected]
Tel: 042-327-6524
2
Tokyo QKD Network since 2010
Keys
Drone communication
Smartphone
Medical record system
TV conference
Secure IP router
(1) BB84 (NEC and Toshiba)
(2) DPS-QKD (NTT-NICT)
(3) Continuous variable-QKD (Gakushuin U)
Mission critical lines: “Dark fibers”
Core & access NW: “WDM fibers”
3
Gakushuin U
Continuous variable QKD
Alice Bob
570cm
632cm
T. Hirano, et al., Quantum Sci. Technol. 2(2), 024010/1-15, June (2017).
[Figure: CV-QKD over 100 km; labels: Laser, QAM, Local oscillator (LO), Homodyne; I/Q constellation axes]
CV-QKD can coexist with optical communications in wavelength division multiplexed fibers.
LO can filter out background noises
Low cost deployment!!
Expensive fiber rental fee was a bottleneck.
10 MHz clock
4
Running key Running key
Decode
Seed key at 200~300bps
LO, Homodyne, 1538.8 nm
100 km
Laser, 128 QAM
CV-QKD system of Gakushuin U
Quantum Stream Cipher
70 Gbps at 100 km
Nakazawa et al., ECOC2016; IEEE J. of QE (2017)
High speed photonic cipher with CV-QKD
Cipher text
100 km
Secure against individual attack
Tohoku U
5
QKD application to long-lived system
To transmit, store, and process critical data securely for a century time span even against “Store now, read later” attack.
Ex. Genome data, Medical records
6
Requirements for long-lived system
1. Confidentiality: The data should be accessible only to authorized parties.
   Information theoretically secure scheme
2. Integrity: The data should remain unaltered.
   Signature, authentication
3. Availability: The data should be available whenever required.
   Redundant data backup, fail safe mechanism
4. Functionality: The data can be processed without decryption.
   Full homomorphic function
7
An implementation of long-lived system
Secret sharing: (k, n)-threshold scheme
New multiple data are created from the original data, and stored in multiple data servers.
8
Attacker
Owner
Shares
Data restored
Shareholder
(k, n) threshold secret sharing (Shamir, 1979)
- Secret data $s$, with $f(0) = s$
- Generate a polynomial of order $k-1$: $f(x) = s + a_1 x + \dots + a_{k-1} x^{k-1}$
- Create $n$ coordinates, “shares”: $[1, f(1)], \dots, [n, f(n)]$
- Collect $k$ shares
- Interpolate the polynomial
- Reconstruct secret data $s$ as $f(0)$
9
(3, 5) threshold secret sharing
Attacker
Owner
Shares
Data restored
Data
Shareholders
Ex. (3,5)-threshold scheme
Information theoretic confidentiality: With 2 shares or less, the original data can never be reconstructed. There remain infinitely many possibilities of polynomial.
Availability: Even if 2 shares are lost, the data can be reconstructed.
Functionality (Full homomorphism): Shares can be added and multiplied.
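Added example, not part of the original slides: the (3, 5)-threshold scheme above worked through over a prime field. The modulus P, the function names and the sample secrets are assumptions of this example; it demonstrates share addition only, not multiplication.

```python
import secrets

P = 2**127 - 1  # prime field modulus, chosen for this example

def make_shares(s, k, n):
    """Shares [i, f(i)], i = 1..n, of f(x) = s + a1*x + ... + a_{k-1}*x^(k-1) mod P."""
    coeffs = [s % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        y = 0
        for a in reversed(coeffs):  # Horner's rule
            y = (y * x + a) % P
        return y
    return [(i, f(i)) for i in range(1, n + 1)]

def interpolate(points, x0=0):
    """Lagrange interpolation: value at x0 of the polynomial through `points`."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("share indices must be distinct")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def add_shares(a, b):
    """Each shareholder adds its two shares locally; the result shares s_a + s_b."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]

def third_share_for(two_shares, candidate, x3):
    """Share at x3 that would make `candidate` the secret, given only 2 real shares."""
    return (x3, interpolate([(0, candidate)] + list(two_shares), x3))

if __name__ == "__main__":
    s1, s2 = 123456789, 42  # constructed sample secrets
    a, b = make_shares(s1, 3, 5), make_shares(s2, 3, 5)
    print(interpolate(a[2:]) == s1)                      # availability: 2 shares lost
    print(interpolate(add_shares(a, b)[:3]) == s1 + s2)  # functionality: sum on shares
    fake = third_share_for(a[:2], 999, 3)                # confidentiality: 2 shares
    print(interpolate(a[:2] + [fake]) == 999)            # are consistent with any secret
```

`third_share_for` succeeds for every candidate value, which is why two shares carry no information about the secret.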
10
Shamir’s secret sharing needs “private channels”
11
“QKD + OTP” realizes private channels
Secret sharing, (k, n)-threshold scheme: 1. Confidentiality of storage, 3. Availability, 4. Functionality
QKD: 1. Confidentiality of data link
12
Shamir’s secret sharing itself can NOT realize integrity.
13
Integrity protection by time-stamp chains
Secret sharing, (k, n)-threshold scheme: 1. Confidentiality of storage, 3. Availability, 4. Functionality
QKD: 1. Confidentiality of data link
Time-stamp chains of signature: 2. Integrity
14
“LINCOS”: Long-term Integrity & Confidentiality Protection System
Proposed and demonstrated by TU Darmstadt and NICT,
J. Braun et al., Proc. ACM Asia CCS 2017, pp. 461-468; ePrint 2016/742
Distributed storage network
Integrity: Commitment, Timestamp (Authenticated channels)
Confidentiality: Secret sharing, QKD (Private channels)
15
QKD link
Private channel
Point of interface
Document owner
Secure key supply
KMS
NEC-0
NEC-1
NTT-NICT, Toshiba, SeQureNet, Gakushuin
Tokyo QKD Network
Secret sharing
Shareholder
Confidentiality protection
- Encrypting private channels
- Generating polynomials for secret sharing
16
Timestamp chains of Pedersen’s commitments
Integrity protection
Prolong the validity of signatures for any length of time
Signatures are renewed before they are weakened
T. P. Pedersen, CRYPTO '91, 1992. Info-th secure verifiable secret sharing
$c = g^s h^r$ for secret $s$ and random number $r$
- Information theoretically hiding (no information leak on $s$)
- Computationally binding (discrete log, $h = g^z$ with secret RN $z$)
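Added example, not part of the original slides: the Pedersen commitment c = g^s h^r from this slide, in a deliberately tiny group. The values p = 2039, q = 1019, g = 4 and all function names are assumptions of this example. It shows that every commitment can be opened to any secret by someone who knows z, which is why hiding is unconditional while binding rests on z staying unknown.

```python
import secrets

# Toy group (assumption of this example): p = 2q + 1 with p, q prime, and
# g = 4 generating the subgroup of order q. Far too small for real use.
p, q, g = 2039, 1019, 4

def setup():
    """Choose the secret random number z and publish h = g^z mod p."""
    z = secrets.randbelow(q - 1) + 1  # 1 <= z <= q - 1
    return z, pow(g, z, p)

def commit(s, h, r=None):
    """Return (c, r) with c = g^s * h^r mod p for secret s and random r."""
    if r is None:
        r = secrets.randbelow(q)
    return pow(g, s % q, p) * pow(h, r, p) % p, r

def verify(c, s, r, h):
    """Check that (s, r) opens the commitment c."""
    return c == pow(g, s % q, p) * pow(h, r % q, p) % p

def opening_for(s, r, s_other, z):
    """Randomness r2 such that (s_other, r2) opens the same c as (s, r).

    Solves s + z*r = s_other + z*r2 (mod q), so it requires z. Without z,
    finding r2 means computing the discrete log of h: computational binding.
    An r2 exists for every s_other, so c alone says nothing about s: hiding.
    """
    return (r + (s - s_other) * pow(z, -1, q)) % q

if __name__ == "__main__":
    z, h = setup()
    c, r = commit(123, h)             # constructed sample secret
    print(verify(c, 123, r, h))       # honest opening
    r2 = opening_for(123, r, 777, z)  # equivocation, possible only with z
    print(verify(c, 777, r2, h))
```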
17
Long-lived system for healthcare
18
Medical information systems “Past & Now”
Past
- Each hospital has its own closed network.
- Medical record format differs from hospital to hospital.
Now
Ministry of Health, Labor and Welfare in Japan has formulated
- Standard data structure for medical information exchange: SS-MIX
- Healthcare PKI (H-PKI) to certify medical documents
Medical record Medical record
19
SS-MIX “Standardized Structured Medical Information eXchange” specifies standard storage format for medical records
Simple and extendable
Hierarchical directory structure of folder files based on patient ID:
Standard Storage Root Folder
Patient ID: upper 3 digit
Patient ID: lower 3 digit
Patient ID
Examination date
Type of Data
Patient Data
20
H-PKI
Issues electronic certificate for medical documents for user identification and access control of healthcare workers.
It refers to
・ IETF/RFC3647 Internet X.509, PKI Certificate Policy and Certification Practice Framework
・ ISO/IS 17090:2008 Health informatics - PKI
PKI Certificate: Name, Address, Age, Male/Female, …..
- User identification
- Integrity protection
- Access control
H-PKI Certificate: Name, Address, Age, Male/Female, healthcare Role, …..
- User identification
- Integrity protection
- Access control based on national qualification certificate in healthcare
Healthcare role: Medical Doctor, Pharmacist, Medical Technologist, Radiological Technologist, Registered Nurse, Public Health Nurse, Physical Therapist, Occupational Therapist, ….
H-PKI Certificate Policy v1.4 by Ministry of Health, Labor and Welfare, Feb 2016
Totally 26
21
Structure of H-PKI
Root CA: Ministry HLW
CA: Japan Medical Association
CA: Based on H-PKI Policy
H-PKI Certificate
Doctor, Nurse, Patient
Medical certificate, Patient referral
Doctor can check the validity
Patient can check the validity
22
It is time to consider H-PQ-PKI. Quantum threats!
H-PQ-PKI, H-PKI
23
Medical information systems in the future
Inter-hospital networks
HIS gateway, HIS gateway
HIS: Hospital Information System
Long-term data backup: LINCOS
SS-MIX
H-PQ-PKI Certificate
- Integrity protection
- User identification
- Access control
24
Kochi Health Science Center
Kochi Health Science Center
Osaka Nagoya
Otemachi
Tokyo QKD Network
Medical data backup experiment with LINCOS (2017~)
- VPN, H-PKI, PQ-PKI (~800 km range)
- QKD (~90 km range)
25
Summary
H-PKI should be updated to H-PQ-PKI.
This can then be combined with QKD to realize a long-lived system for healthcare.
26
Thank you for your attention
27
To go beyond the limit of threshold number “k”
An attacker may actively move around the shareholders. The number of corrupted shareholders is likely to increase as time elapses.
Proactive secret sharing
A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, CRYPTO '95, LNCS 963, 339, 1995.
Renewal of shares at certain intervals
Keys are consumed.
28
Key rates of QKD
QKD link vendor | Protocol        | Transmission length (km)             | Secure key rate (bps) | Loss (dB)
NEC-0           | BB84 with decoy | 50 (spooled fiber, NICT premise)     | 200k                  | 10
NEC-1           | BB84 with decoy | 22 (field installed, 95% aerial line) | 200k                  | 13
Toshiba         | BB84 with decoy | 45 (field installed, 50% aerial line) | 300k                  | 14.5
NTT-NICT        | DPS-QKD         | 90 (field installed, 50% aerial line) | 10k                   | 28.6
Gakushuin       | CV-QKD          | 2 (NICT premise)                     | 100k                  | 2
To avoid being bottlenecked by the slowest QKD links (10 kb/s), keys are relayed between appropriate KMAs.
The minimum throughput of key supply to each private channel can be raised to KeyRateQKD = 40 kb/s.
29
Document size to be handled
The document size we can handle:
$\mathrm{size}_s = t_s \cdot \mathrm{KeyRate}_{\mathrm{QKD}} / (n(n-1))$
$t_s$: Interval of share renewal
$n$: Number of shareholders
Assume that $t_s$ = 10 years, $n$ = 4
- KeyRateQKD = 40 kb/s (our current network): size_s = 131 GB
- KeyRateQKD = 1 Mb/s @ 50 km (in a few years): size_s = 3.3 TB
Challenge: Petabytes size, KeyRateQKD = 1 Gb/s @ 50 km
- Dense wavelength division multiplexing (100~1000 channels)
- Fast key distillation processing
Human genomic data of 4100 persons