|
1.IntroductionRecent heating-up in the development race of quantum computers brings attention to secure communications that are resistant to quantum computers. Quantum key distribution (QKD) has been said to be the most promising technology to protect communications from cryptanalysis even with quantum computers. On the other hand, Y00 protocol proposed by Yuen (its original name is ) in 20001–3 is compatible to conventional high-speed and long-distance optical communication technologies while it sends messages directly and hides them under quantum noise, enhancing the security of conventional cryptographies.4–14 However, its security has not been well-understood except some evaluations by unicity distance,15,16 numerical analyses by masking sizes that are the numbers of signal levels hidden under quantum noise,17,18 or error probability in eavesdropping on individual signals.19 Therefore, since fast correlation attack on Y00 protocol was found,20,21 Y00 protocol has been believed to be computationally secure while QKDs are information-theoretically secure, although “irregular mapping” was equipped on Y00 systems as a countermeasure to fast correlation attack.22 This study gives the first example of security analysis on Y00 protocol with an unlimitedly long known-plaintext attack (KPA) by quantum multiple hypotheses testing theory. It shows that Y00 protocol is secure with guessing probabilities on the two shared secret keys of 128 bits strictly even under unlimitedly long KPA. However, as time passes the attack increases the guessing probability, hence fresh keys have to be sent instead of messages before Y00 communication systems are breached. In this case, if the probability distribution of the provided fresh key is uniform, the guessing probability on the key has to be evaluated by ciphertext-only attack (COA). There are still some assumptions in this study, therefore, this study is not rigorous yet. However, it will give a better understanding of the security of Y00 protocol and some insights for detailed future works. One of the major methods to evaluate information-theoretic security has been calculation of the guessing probability on secret keys since Shannon23 and in the literature following.24,25 Therefore, this study follows these concepts as well to evaluate the security of Y00 protocol. 2.Known Works on Security Evaluations on Information-Theoretic Secure CryptographyThe founder of the information theory, Shannon proved that the “perfect secrecy” is satisfied only when the length of the encryption key with its probability distribution independent and identically distributed has to be longer than the plaintext , which is one-time pad.23 Then the ciphertext string is given by the modulo-2 addition of and : Therefore, Alimomeni and Safavi-Naini24 proposed “guessing secrecy,” generalizing Shannon’s concept; the encryption is not perfectly secure, but the key is obtained only probabilistically by Eve’s guess as Iwamoto and Shikata25 proposed “worst-case guessing secrecy,” considering the worst scenario such as Therefore, this study follows the above concepts “guessing probability on the key” to evaluate the security of Y00 protocol.3.Security of Conventional Stream Ciphers Under Long Known-Plaintext AttackThis section treats the security of conventional stream ciphers with KPA; those are not randomized by quantum noise to give a better understanding on the security of Y00 protocol, which is a stream cipher randomized by quantum noise. In conventional stream ciphers, a shared secret key is fed into the pseudorandom number generator (PRNG) to generate a key stream . A plaintext string from a sender, Alice, is converted into a ciphertext string mod 2. To decode , the receiver, Bob, feeds the shared into his common PRNG, then recovers mod 2. If Eve has the same PRNG and knows during a period of , she obtains completely, hence her correspondence table of recovers the original key no matter how much computationally complex the key expansion process is. Then Eve can read all messages from the next period. In terms of conditional probability, this means 4.Security of Y00 protocol Under KPA During Least Common Multiple of PRNGs’ PeriodsThis section describes the security of Y00 protocol with KPA during the least common multiple (LCM) of the two PRNGs’ periods using quantum multiple hypotheses testing theory.26,27 4.1.Principles of Binary Y00 Quantum Stream CipherTo start Y00 protocol, the legitimate users Alice and Bob have to share a secret key . Then they expand into a key stream using a common PRNG equipped in each transmitter/receiver. Then is chopped every bits to form -ary string of times lot while a message bit is encoded into a coherent state using as is a projection from to . Therefore, the message bit corresponds to a set of quantum states for even number , otherwise . On the other hand, Bob’s receiver sets an optimal threshold(s) to discriminate the set of quantum states. Therefore, he decodes since he knows thanks to the common PRNG and the shared . On the other hand, the eavesdropper, Eve, has to discriminate -ary signals hidden under overlapping quantum and classical noise since she does not know whether is even or odd, hence neither.When Eve launches KPA, a number of the hidden signal level under noise effectively halves, hence it might help Eve to guess . To avoid the situation, overlap-selection-keying was proposed.28 An additional pair of PRNGs with another shared key are equipped in both a transmitter and a receiver to randomize the plaintext with pseudorandom number as Then the transmitter Alice sends a coherent state with classical randomizations named DSR and DER19 although these are omitted in this study for simplicity.Eve obtains coherent states separated from a beam-splitter and stores its time sequence in her quantum memory. Denote the quantum sequence with the splitting ratio as Note that a set of () is generated from () . Therefore, there are only patterns of signal sequences, although the number of signal levels is and the period of KPA is . Hence, what Eve needs is not -ary quantum decision theory but -ary one, no matter how long the key-stream lengths of and are. Therefore, the main problem is whether Eve can determine the correct in the LCM of the periods of denoted as , like in case of the conventional stream cipher explained in Sec. 3 or she needs longer than .4.2.Brief Description of -ary Quantum Detection TheoryBefore this section starts, here are some assumptions to be satisfied.
The set of Eve’s measurement operators satisfies By the Born rule, the measurement operator gives Eve a measurement result from a quantum state with a probability of Quantum multiple hypotheses testing theory based on the Bayes criterion is applicable to decide which () is the most possible. Let the Bayes cost in the theory be as described in When the prior probability is , the average Bayes cost is The Hermitian risk operators are To minimize Eve’s error probability, the necessary and sufficient conditions are26 Then Eve’s maximum success probability of obtaining the correct () is Now, denote as From Eq. (15), For pure states, from Eq. (8), Therefore, Eq. (20) gives equalities and Eq. (21) gives equalities. Thus there are equations in total, and there are variables including .To remove remained variables , apply Cauchy–Schwarz inequality to Eq. (18): Let Eve know the prior probability under Shannon’s maxim. Then Eve can choose her so that the equality of Eq. (23) is satisfied Therefore, the prior probability distribution vanishes as follows: The condition Eq. (23) satisfies Eq. (14) trivially, and Eqs. (15) and (16) are converted as follows: Therefore, Eq. (26) originated from Eq. (16) is also satisfied while a new condition is Eq. (25). The absolute value of Eq. (25) is4.3.Security of Y00 under KPA on Secret Key: In Case of Exact Signal Detections for EveAlthough it is impossible for Eve to obtain the correct signal sequence without any errors because of quantum noise in Y00 protocol, it is worth considering an imaginary case where Eve could detect signals without any errors to compare Y00 protocol with conventional stream ciphers in Sec. 3. The situation where Eve could detect signals without any errors is that, from the Born rule, Equation (28) also implies from Eq. (21) that Then from the left-hand side of Eq. (22), Therefore, through one period of (), that is , Eve would obtain the correct () with a probability of 1. Then the situation is the same as conventional stream ciphers. Therefore, the effect of unavoidable quantum noise in Eq. (28) as a nonzero factor should play an important role in Y00 protocol.4.4.Security of Y00 under KPA on Secret Key: In Case of Erroneous Signal Detections for EveUnless Eve’s detections are error-free expressed by Eq. (28), from Eq. (21), Therefore, Eq. (24) satisfies the following inequality as well: Even if is uniform, that is , since Eve has to make the success probability in measurement larger than the failure probability, Then from Eqs. (21) and (22), Therefore, Eve has an advantage in obtaining the correct () compared to pure-guessing. Thus even Eve launches KPA using quantum multiple hypotheses testing theory during an LCM of the periods of two PRNGs; she cannot pin down the keys deterministically, far different from conventional stream ciphers. The problem is how long Y00 protocol stays secure.5.Security of Y00 Protocol under Unlimitedly Long KPAThis section describes the security of Y00 protocol under unlimitedly long KPA so that Eve guesses the most likely by the Bayes criterion.29 5.1.Y00 Protocol Under Unlimitedly Long KPASince () is pseudorandom of a period of while the plaintext is supposed not to repeat, Eve can statistically confirm the most likely () during periods as shown in Table 1. Table 1A timetable of a set of variables (m, s, Δx, and x).
At the th period of , Eve measures coherent states with a set of operators denoted as based on known plaintext : Since Eve just performs -ary quantum hypotheses testing to obtain () based on known , the results are independent of . Therefore, from the Born rule, define as follows: Suppose that Eve has obtained times of her measurement result during periods, then such a probability isAt the boundary where Eve makes a wrong decision, the Bayes criterion requests, Two nearest probability distributions give the following boundary conditions: Substituting Eqs. (43) and (44) into Eq. (42), is given in This situation is depicted in Fig. 1.There are patterns of possible probability distributions, and only one is for the correct . Therefore, maximizing by all wrong sets of and defining it as max , Thus Eve’s success probability in obtaining the correct corresponding to the shared secret keys in the Y00 system is Pr(success) = 1–Pr(fail).To perform numerical simulation, all conditional probabilities defined in Eq. (39) have to be determined. However, those parameters are dependent on implementations of Y00 systems including key-expansion algorithms. Therefore, this study gives numerical examples as follows. Assume initial key lengths are bits and The numerical simulation result with the above situation is shown in Fig. 2.As Eve’s success probability of obtaining the correct () in one smaller, Eve needs a larger number of , which is a repetition number of the period of the two PRNGs. However, note that even with , Eve needs periods to pin-down the correct () with a probability of almost 1. When , even periods are not enough for Eve, only allowing her to guess the correct () with a probability of about . Therefore, it was shown that Y00 protocol can go beyond the Shannon Limit of cryptography.30 While Eve’s success probability is small enough, Alice has to send fresh keys to Bob to continue secure quantum communications. In this case, Eve’s probability of obtaining the fresh keys has to be evaluated by COA with probabilistically known (), that is, 6.Results and Discussions: Assumptions Used in Security Analysis and Future WorksIn this work, it was shown that even a Y00 system with a few-hundred bits of shared keys can be secure far longer than the period of its PRNGs, such as periods if its implementations are well-designed. The security analyses in this study applied the following assumptions.
Hence, there are still necessities of further studies to give mathematically more rigorous analyses when the above assumptions are not satisfied. Also, the security of fresh keys is not given in this study yet. Hence, it has to be analyzed in the next work. 7.Appendix A: Simulation Code for Fig. 2 on Mathematica 11.3Simulation code for Fig. 2 on Mathematica 11.3 ps[p_]: = p; pf[p_]: = (1 - ps[p])/(2^(128*2)-1); nth[n_, p_]: = n*Log[2, (1 - pf[p])/(1 - ps[p])]/Log[2, ps[p]*(1 - pf[p]) / pf[p] / (1 - ps[p])]; prob[n_,p_]: = 1 - CDF[BinomialDistribution[n, ps[p]], Floor[nth[n, p]]]; Show [Table [LogLogPlot [prob [Floor[m], 2^(-b)], {m, 1,10^6}, PlotRange -> {{1, 10^6}, {5*10^(-21), 4}}, Frame -> True, PlotLegends -> {Switch[b, 8, “p=2-8”, 16, “p=2-16”, 32, “p=2-32”, 64, “p=2-64”]}, PlotStyle->{Switch[b, 8, Blue, 16, Orange, 32, Green, 64, Red]}], {b, {8, 16, 32, 64}}]] ReferencesH. P. Yuen,
“KCQ: a new approach to quantum cryptography I. General principles and key generation,”
(2003). Google Scholar
G. A. Barbosa et al.,
“Secure communication using mesoscopic coherent states,”
Phys. Rev. Lett., 90
(22), 227901
(2003). https://doi.org/10.1103/PhysRevLett.90.227901 PRLTAO 0031-9007 Google Scholar
H. P. Yuen,
“Key generation: foundations and a new quantum approach,”
IEEE J. Sel. Top. Quantum Electron., 15 1630
–1645
(2009). https://doi.org/10.1109/JSTQE.2009.2025698 IJSQEN 1077-260X Google Scholar
E. Corndorf et al.,
“Quantum-noise randomized data encryption for wavelength-division-multiplexed fiber-optic networks,”
Phys. Rev. A, 71 062326
(2005). https://doi.org/10.1103/PhysRevA.71.062326 Google Scholar
C. Liang et al.,
“Quantum noise protected data encryption in a WDM network,”
IEEE Photonic Technol. Lett., 17 1573
–1575
(2005). https://doi.org/10.1109/LPT.2005.848264 Google Scholar
O. Hirota et al.,
“Quantum stream cipher by the Yuen 2000 protocol: design and experiment by an intensity-modulation scheme,”
Phys. Rev. A, 72 022335
(2005). https://doi.org/10.1103/PhysRevA.72.022335 Google Scholar
Y. Doi et al.,
“360 km field transmission of 10 Gbit/s stream cipher by quantum noise for optical network,”
in Proc. Optical Fiber Communication Conf. (OFC),
OWC4
(2010). https://doi.org/10.1364/OFC.2010.OWC4 Google Scholar
K. Harasawa et al.,
“Quantum encryption communication over a 192-km 2.5-Gbit/s line with optical transceivers employing Yuen-2000 protocol based on intensity modulation,”
J. Lightwave Technol., 29
(3), 316
–323
(2011). https://doi.org/10.1109/JLT.2010.2099207 JLTEDG 0733-8724 Google Scholar
F. Futami,
“Experimental demonstrations of Y-00 cipher for high capacity and secure optical fiber communications,”
Quantum Inf. Process., 13 2277
–2291
(2014). https://doi.org/10.1007/s11128-014-0771-5 QIPUAT 1570-0755 Google Scholar
M. Nakazawa et al.,
“QAM quantum stream cipher using digital coherent optical transmission,”
Opt. Express, 22 4098
–4107
(2014). https://doi.org/10.1364/OE.22.004098 OPEXFF 1094-4087 Google Scholar
M. Yoshida et al.,
“Single-channel 40 Gbit/s digital coherent QAM quantum noise stream cipher transmission over 480 km,”
Opt. Express, 24 652
–661
(2016). https://doi.org/10.1364/OE.24.000652 OPEXFF 1094-4087 Google Scholar
F. Futami et al.,
“Experimental investigation of security parameters of Y-00 quantum stream cipher transceiver with randomization technique, part I,”
Proc. SPIE, 10409 104090I
(2017). https://doi.org/10.1117/12.2273462 PSISDG 0277-786X Google Scholar
F. Futami et al.,
“Dynamic routing of Y00 quantum stream cipher in field-deployed dynamic optical path network,”
in Optical Fiber Communication Conf.,
Tu2G-5
(2018). Google Scholar
F. Futami et al.,
“Y-00 quantum stream cipher overlay in a coherent 256-Gbit/s polarization multiplexed 16-QAM WDM system,”
Opt. Express, 25
(26), 33338
–33349
(2017). https://doi.org/10.1364/OE.25.033338 OPEXFF 1094-4087 Google Scholar
R. Nair et al.,
“Quantum-noise randomized ciphers,”
Phys. Rev. A, 74 052309
(2006). https://doi.org/10.1103/PhysRevA.74.052309 Google Scholar
R. Nair and H. P. Yuen,
“Comment on: ‘Exposed-key weakness of ’ [Phys. Lett. A 370 (2007) 131],”
Phys. Lett. A, 372 7091
–7096
(2008). https://doi.org/10.1016/j.physleta.2008.10.037 PYLAAG 0375-9601 Google Scholar
O. Hirota,
“Practical security analysis of a quantum stream cipher by the Yuen 2000 protocol,”
Phys. Rev. A, 76 032307
(2007). https://doi.org/10.1103/PhysRevA.76.032307 Google Scholar
T. Iwakoshi, F. Futami and O. Hirota,
“Quantitative analysis of quantum noise masking in quantum stream cipher by intensity modulation operating at G-bit/sec data rate,”
Proc. SPIE, 8189 818915
(2011). https://doi.org/10.1117/12.897783 PSISDG 0277-786X Google Scholar
K. Kato,
“Enhancement of quantum noise effect by classical error control codes in the intensity shift keying Y00 quantum stream cipher,”
Proc. SPIE, 9225 922508
(2014). https://doi.org/10.1117/12.2060631 PSISDG 0277-786X Google Scholar
S. Donnet et al.,
“Security of Y-00 under heterodyne measurement and fast correlation attack,”
Phys. Lett. A, 356 406
–410
(2006). https://doi.org/10.1016/j.physleta.2006.04.002 PYLAAG 0375-9601 Google Scholar
M. J. Mihaljevic,
“Generic framework for the secure Yuen 2000 quantum-encryption protocol employing the wire-tap channel approach,”
Phys. Rev. A, 75 052334
(2007). https://doi.org/10.1103/PhysRevA.75.052334 Google Scholar
T. Shimizu, O. Hirota and Y. Nagasako,
“Running key mapping in a quantum stream cipher by the Yuen 2000 protocol,”
Phys. Rev. A, 77 034305
(2008). https://doi.org/10.1103/PhysRevA.77.034305 Google Scholar
C. E. Shannon,
“Communication theory of secrecy systems,”
Bell Syst. Tech. J., 28
(4), 656
–715
(1949). https://doi.org/10.1002/bltj.1949.28.issue-4 BSTJAN 0005-8580 Google Scholar
M. Alimomeni and R. Safavi-Naini,
“Guessing secrecy,”
Lect. Notes Comput. Sci., 7412 1
–13
(2012). https://doi.org/10.1007/978-3-642-32284-6 LNCSD9 0302-9743 Google Scholar
M. Iwamoto and J. Shikata,
“Information theoretic security for encryption based on conditional Rényi entropies,”
Lect. Notes Comput. Sci., 8317 103
–121
(2013). https://doi.org/10.1007/978-3-319-04268-8_7 LNCSD9 0302-9743 Google Scholar
C. W. Helstrom,
“Quantum detection and estimation theory,”
J. Stat. Phys., 1
(2), 231
–252
(1969). https://doi.org/10.1007/BF01007479 JSTPBS 0022-4715 Google Scholar
H. P. Yuen, R. Kennedy and M. Lax,
“Optimum testing of multiple hypotheses in quantum detection theory,”
IEEE Trans. Inf. Theory, 21
(2), 125
–134
(1975). https://doi.org/10.1109/TIT.1975.1055351 IETTAW 0018-9448 Google Scholar
O. Hirota et al.,
“Quantum key distribution with unconditional security for all-optical fiber network,”
Proc. SPIE, 5161 320
–332
(2004). https://doi.org/10.1117/12.504978 PSISDG 0277-786X Google Scholar
H. L. Van Trees, K. L. Bell and Z. Tian, Detection, Estimation, and Modulation Theory, Part I: Detection, Estimation, and Linear Modulation Theory, 2nd edn.Kindle, John Wiley & Sons, New York
(2004). Google Scholar
O. Hirota et al.,
“Getting around the Shannon limit of cryptography,”
SPIE Newsroom,
(2010). https://doi.org/10.1117/2.1201008.003069 Google Scholar
|