5th ETSI/IQC Workshop on Quantum-Safe Cryptography, 13-15 Sep 2017

QKD applications in Japan: Healthcare and IoT

Masahide Sasaki
Email: [email protected] Tel: 042-327-6524


Tokyo QKD Network since 2010

Keys

Drone communication

Smartphone

Medical record system

TV conference

Secure IP router

(1) BB84 (NEC and Toshiba)
(2) DPS-QKD (NTT-NICT)
(3) Continuous variable-QKD (Gakushuin U)

Mission critical lines “Dark fibers”

Core & access NW “WDM fibers”


Gakushuin U

Continuous variable QKD

T. Hirano, et al., Quantum Sci. Technol. 2(2), 024010/1--15, June (2017).

[Figure: CV-QKD setup. Labels: Alice, Bob, Laser, QAM (I/Q), Local oscillator (LO), Homodyne, 100km, 570cm, 632cm]

CV-QKD can coexist with optical communications in wavelength division multiplexed fibers.

LO can filter out background noises

Low cost deployment!! Expensive fiber rental fee was a bottleneck.

10 MHz clock


High speed photonic cipher with CV-QKD

CV-QKD system of Gakushuin U
- Seed key at 200~300bps
- Secure against individual attack

Quantum Stream Cipher
- 70 Gbps at 100km
- Nakazawa et al., ECOC2016; IEEE J. of QE (2017)

Tohoku U

[Figure labels: Laser, 128 QAM, 100km, LO, Homodyne, 1538.8 nm, Running key, Decode, Cipher text]


QKD application to long-lived system

To transmit, store, and process critical data securely for a century time span, even against “Store now, read later” attacks.

Ex. Genome data, medical records


Requirements for long-lived system

1. Confidentiality: The data should be accessible only to authorized parties.
   Information theoretically secure scheme

2. Integrity: The data should remain unaltered.
   Signature, authentication

3. Availability: The data should be available whenever required.
   Redundant data backup, fail safe mechanism

4. Functionality: The data can be processed without decryption.
   Full homomorphic function


An implementation of long-lived system

Secret sharing: (k, n)-threshold scheme

Multiple new pieces of data are created from the original data and stored in multiple data servers.


(k, n) threshold secret sharing (Shamir, 1979)

Secret data $s$, with $f(0) = s$

- Generate a polynomial of order $k-1$: $f(x) = s + a_1 x + \dots + a_{k-1} x^{k-1}$
- Create $n$ coordinates (“shares”): $[1, f(1)], \dots, [n, f(n)]$

Data restored:
- Collect $k$ of shares
- Interpolate the polynomial
- Reconstruct secret data $s$ as $f(0)$

[Figure labels: Owner, Shares, Shareholder, Attacker, Data restored]


(3, 5) threshold secret sharing

Ex. (3,5)-threshold scheme

Information theoretic confidentiality
With 2 shares or less, the original data can never be reconstructed. There remain infinitely many possibilities of polynomial.

Availability
Even if 2 shares are lost, the data can be reconstructed.

Functionality (Full homomorphism)
Shares can be added and multiplied.

[Figure labels: Owner, Data, Shares, Shareholders, Attacker, Data restored]


Shamir’s secret sharing needs “private channels”


“QKD + OTP” realizes private channels

Secret sharing, (k, n)-threshold scheme:
1. Confidentiality of storage
3. Availability
4. Functionality

QKD:
1. Confidentiality of data link


Shamir’s secret sharing itself can NOT realize integrity.


Integrity protection by time-stamp chains

Secret sharing, (k, n)-threshold scheme:
1. Confidentiality of storage
3. Availability
4. Functionality

QKD:
1. Confidentiality of data link

Time-stamp chains of signature:
2. Integrity


“LINCOS”: Long-term Integrity & Confidentiality Protection System

Proposed and demonstrated by TU Darmstadt and NICT,
J. Braun et al., Proc. ACM Asia CCS2017, pp. 461-468; ePrint 2016/742

Distributed storage network

Integrity
- Commitment
- Timestamp
- Authenticated channels

Confidentiality
- Secret sharing
- QKD
- Private channels


Confidentiality protection

Secure key supply
- Encrypting private channels
- Generating polynomials for secret sharing

[Figure: Tokyo QKD Network. Labels: QKD links NEC-0, NEC-1, NTT-NICT, Toshiba, SeQureNet, Gakushuin; KMS; Point of interface; Private channel; Document owner; Secret sharing; Shareholder]


Timestamp chains of Pedersen’s commitments

T. P. Pedersen, CRYPTO '91, 1992. Info-th secure verifiable secret sharing

$c = g^s h^r$ for secret $s$ and random number $r$
- Information theoretically hiding (no information leak on $s$)
- Computationally binding (discrete log, $h = g^z$ with secret RN $z$)

Integrity protection

Prolong the validity of signatures for any length of time

Signatures are renewed before weakened
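
The two properties listed for the commitment c = g^s h^r can be checked directly. The sketch below is an added example, not code from the talk or from LINCOS; the toy group (p = 1019, q = 509, g = 4) and all function names are assumptions chosen for illustration. It shows that every value s has an opening for the same c (hiding), and that producing a second opening requires the secret z (binding rests on the discrete log).

```python
import secrets

# Toy group constructed for this example (far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the order-q subgroup of squares mod p.
P, Q, G = 1019, 509, 4

def setup():
    """Choose the secret z and publish h = g^z mod p. The committer must not know z."""
    z = 1 + secrets.randbelow(Q - 1)
    return z, pow(G, z, P)

def commit(s, h, r=None):
    """Return (c, r) with c = g^s * h^r mod p; r is drawn at random if not given."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, s % Q, P) * pow(h, r, P) % P, r

def verify(c, s, r, h):
    """Check that (s, r) is a valid opening of commitment c."""
    return c == pow(G, s % Q, P) * pow(h, r % Q, P) % P

def equivocate(s, r, s_new, z):
    """Given z, solve s + z*r = s_new + z*r_new (mod q) for r_new.

    Without z this is the discrete-log problem, which is why binding is
    only computational while hiding holds unconditionally.
    """
    return (r + (s - s_new) * pow(z, -1, Q)) % Q

def every_value_has_an_opening(c, s, r, z, h):
    """Hiding: c is consistent with all q possible secrets, so it reveals nothing on s."""
    return all(verify(c, t, equivocate(s, r, t, z), h) for t in range(Q))
```
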


Long-lived system for healthcare


Medical information systems “Past & Now”

Past
- Each hospital has its own closed network.
- Medical record format differs from hospital to hospital.

Now
Ministry of Health, Labor and Welfare in Japan has formulated
- Standard data structure for medical information exchange: SS-MIX
- Healthcare PKI (H-PKI) to certify medical documents



SS-MIX “Standardized Structured Medical Information eXchange” specifies standard storage format for medical records

Simple and extendable
Hierarchical directory structure of folder files based on patient ID.

Standard Storage Root Folder
  Patient ID: upper 3 digit
    Patient ID: lower 3 digit
      Patient ID
        Examination date
          Type of Data
            Patient Data


H-PKI

Issues electronic certificate for medical documents for user identification and access control of healthcare workers.

It refers to
・ IETF/RFC3647 Internet X.509, PKI Certificate Policy and Certification Practice Framework
・ ISO/IS 17090:2008 Health informatics - PKI

PKI Certificate: Name, Address, Age, Male/Female…
- User identification
- Integrity protection
- Access control

H-PKI Certificate: Name, Address, Age, Male/Female, healthcare Role…
- User identification
- Integrity protection
- Access control based on national qualification certificate in healthcare

Healthcare roles: Medical Doctor, Pharmacist, Medical Technologist, Radiological Technologist, Registered Nurse, Public Health Nurse, Physical Therapist, Occupational Therapist, …
Totally 26

H-PKI Certificate Policy v1.4 by Ministry of Health, Labor and Welfare, Feb 2016


Structure of H-PKI

[Figure labels: Root CA (Ministry HLW); CA (Japan Medical Association); CA (based on H-PKI Policy); H-PKI Certificate; Doctor; Nurse; Patient; Medical certificate; Patient referral]

Doctor can check the validity

Patient can check the validity


It is time to consider H-PQ-PKI. Quantum threats!

[Figure labels: H-PQ-PKI, H-PKI]


Medical information systems in the future

Inter-hospital networks

HIS: Hospital Information System

H-PQ-PKI Certificate
- Integrity protection
- User identification
- Access control

[Figure labels: HIS gateway, HIS gateway, SS-MIX, Certificate, LINCOS, Long-term data backup]


Medical data backup experiment with LINCOS (2017~)

- VPN, H-PKI, PQ-PKI (~800km range)
- QKD (~90km range)

[Figure labels: Kochi Health Science Center, Osaka, Nagoya, Otemachi, Tokyo QKD Network]


Summary

H-PKI should be updated to H-PQ-PKI.

This can then be combined with QKD to realize a long-lived system for healthcare.


Thank you for your attention


To go beyond the limit of threshold number “k”

An attacker may actively move around the shareholders. It is likely that the number of corrupted shareholders increases as time elapses.

Proactive secret sharing
A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, CRYPTO '95, LNCS 963, 339, 1995.

Renewal of shares at certain intervals

Keys are consumed.
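
The (k, n)-threshold scheme from the secret-sharing slides and the share renewal described here fit in one short program. This is an added example, not code from the talk or from LINCOS; the field modulus and the function names are assumptions. Renewal is done by adding a fresh sharing of 0, which uses the additive homomorphism of the shares: the secret is unchanged, while shares taken before and after a renewal no longer combine.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumption chosen for this example)

def split(secret, k, n):
    """Return shares [1, f(1)] .. [n, f(n)] of a random degree-(k-1) f with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        return y
    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange-interpolate f(0) from at least k shares with distinct x."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def add_shares(a, b):
    """Share-wise addition: the result is a sharing of the sum of the two secrets."""
    if [x for x, _ in a] != [x for x, _ in b]:
        raise ValueError("share indices differ")
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]

def renew(shares, k):
    """Proactive renewal of a full share set (x = 1..n): add a fresh sharing of 0."""
    return add_shares(shares, split(0, k, len(shares)))
```
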


Key rates of QKD

| QKD link vendor | Protocol | Transmission length (km) | Secure key rate (bps) | Loss (dB) |
|---|---|---|---|---|
| NEC-0 | BB84 with decoy | 50 (spooled fiber, NICT premise) | 200k | 10 |
| NEC-1 | BB84 with decoy | 22 (field installed, 95% aerial line) | 200k | 13 |
| Toshiba | BB84 with decoy | 45 (field installed, 50% aerial line) | 300k | 14.5 |
| NTT-NICT | DPS-QKD | 90 (field installed, 50% aerial line) | 10k | 28.6 |
| Gakushuin | CV-QKD | 2 (NICT premise) | 100k | 2 |

To avoid being bottlenecked by the slowest QKD links (10kb/s), keys are relayed between appropriate KMAs.

The minimum throughput of key supply to each private channel can be raised up to $\mathrm{KeyRate}_{QKD}$ = 40 kb/s.


Document size to be handled

- Dense wavelength division multiplexing (100~1000 channels)
- Fast key distillation processing

The document size we can handle:

$\mathrm{size}_s = t_s \cdot \mathrm{KeyRate}_{QKD} / \bigl(n(n-1)\bigr)$

$t_s$: interval of share renewal
$n$: number of shareholders

Assume that $t_s$ = 10 years, $n$ = 4:
- $\mathrm{KeyRate}_{QKD}$ = 40 kb/s (our current network): $\mathrm{size}_s$ = 131 GB
- $\mathrm{KeyRate}_{QKD}$ = 1 Mb/s @50km (in a few years): $\mathrm{size}_s$ = 3.3 TB
- $\mathrm{KeyRate}_{QKD}$ = 1 Gb/s @50km (challenge): petabytes size

Human genomic data of 4100 persons