Quantum Stream Cipher Based on Holevo-Yuen Theory-Part II

1. Introduction

Shannon has developed a historically groundbreaking theory for evaluating cryptographic functionality, utilizing his own entropy theory to analyze whether a cipher is decipherable [1]. On the other hand, Shannon offers two important cautions for applications to the real world. One is that entropy does not cover all the information that humans deal with, so to discuss indecipherability, one should carefully consider its limits. The other is that a principle always has ancillary conditions, and when one speaks of a principle, one should carefully take into account its ancillary conditions. Massey, on the other hand, offered a cryptographic direction that addresses real-world challenges while respecting the Shannon’s concept [2]. The conditions that a cipher for information theoretic data encryption corresponding to the real world should have are given in the Figure 1. It is essential that the ciphers actually used satisfy the above in a balanced manner.

Massey suggested a concept to realize the above conditions as a technology as follows:

• (1). A short symmetric key is set, and it is mathematically extended.
• (2). Private randomization techniques is useful.
• (3). Randomization for plaintext is a candidate of private randomization.

Unfortunately, these can only be used for immunity against ciphertext-only attacks, and the theoretical system has only gone so far as to justify inefficient one time pad cipher as its ultimate goal. Modern mathematical cryptography requires at least a guarantee of computational security against known-plaintext attacks. Thus, it was considered a difficult question whether or not information-theoretic cipher can guarantee immunity against known-plaintext attacks.

To solve the above problem, H.P.Yuen established the basic concept of a new cipher under the collaboration of P.Kumar and O.Hirota, and he disclosed a physical example in a white paper of 2000 and an experimental result in the QCMC of 2002 with Kumar group [3]. It is called quanum stream cipher at present. More detailed name is a quantum noise randomized stream cipher operated by Y-00 protocol.

His idea consiste of the following structure to satisfy Massey’s conditions on utility: Figure 1

• (1). A short symmetric key is set and it is mathematically extended.
• (2). Randomization techniques for ciphertext are adopted.).
• (3). The randomization is implemented as private randomization.

The crucial difference between Massey and Yuen is that the randomisation moves from plaintext to ciphertext (See Figure 2). To realise these configurations, Yuen proposed a scheme based on communication theory to differentiate between the signal detection capabilities of the legitimate receiver and the eavesdropper. This is called advantage creation by secret key. The way to do this is to adopt a communication scheme such that the ciphertext received by the eavesdropper is hidden by quantum noise. Such a principle is called keyed communication in quantum noise (KCQ). This principle leads to a situation where the ciphertexts that can be received by receivers for legitimate communicator and eavesdropper are different (See Figure 3).

Applications of such a physical encryption technique appear to be limited, not general communication networks. But to diversify communication functions, quantum stream cipher which utilizes physical phenomena is beginning to be considered for the ultrafast optical backborn network by several industries. However, this cryptographic technique has extremely complicated mechanisms, and some aspects have emerged that are difficult to communicate even among experts in cryptography. The first paper in 2022 with the same title [4] has explained the position of quantum stream cipher from a broad perspective as a cryptographic technique. In this second paper, we introduce the principles of security guarantees for quantum stream cipher. Then we describe the theoretical structure of security, and explain final target of it as shown in Figure 4.

Since the main purpose of this paper is to explain how the random cipher based on the KCQ principle differs from the conventional Shannon random cipher, we first summarize Shannon’s concept in the section II, which is based on information theory, and explain a generalized Shannon random cipher in this context as a conceptual model in the section III. Then, we list the theoretical structure and performance of quantum stream ciphers such as Type-I , Type-II, and Type-III as concrete implementation of the conceptual model in the subsequent sections. In such models, we show that there exists quantum stream cipher which is not broken even if the secret key is stolen after communications.

2. Review of Shannon-Massey Theory of Cryptography

2.1. Historical View

It is well known that Shannon published in BSTJ in 1949 his attempt to apply the entropy-based information theory to clarify a fundamental concept of cryptography. Many well-known researchers have explained its purpose [2,5,6], and the authors have nothing to add. However, in view of the development of cryptology after Shannon, it is worthwhile to explain the position of Shannon’s cryptology once again based on Massey’s concept [2].

Today’s practical cryptography has moved away from Shannon’s information-theoretic viewpoint to mathematical cryptography based on computer science, which has developed into the fundamental technology of the modern information society. One of the reasons for this is that the modern information infrastructure, of which the Internet is the main form of communication, is extremely large and cannot be handled only by Shannon’s cryptosystem. Mathematical cryptography based on computer science can handle large-scale systems and is absolutely indispensable for the ever-expanding communication infrastructure.

On the other hand, in recent years, ultrahigh-speed backbone communication networks have become necessary as communication infrastructure to support huge systems represented by cloud computing, and thanks to the efforts of optical communication researchers, optical backbone communication lines are reaching the point of completion to support huge cloud computing systems. Against this backdrop, an environment has emerged in which information-theoretic cryptography can play an active role as a security technology for backbone communication networks.

Taking this opportunity, we believe it is worthwhile to analyze Shannon-Massey scheme of cryptology again from various point of views. In the following sections, we describe our attempt.

2.2. Conventional Definition of Information Theoretics Security for Symmetric Key Cipher

First, let us set a cipher mechanism to be considered. When a plaintext sequence is X and a secret key is K, the ciphertext is given by

$$Y=F_{enc}(X,K)$$

(1)

where $F_{enc}$ is a encryption function. The secret key includes running key sequence from PRNG with a short initial key or a true long random sequence.

We begin by stating a basic assumption of Shannon theory. In Shannon theory, when one constructs a cryptographic mechanism, there is an assumption that a ciphertext $Y^A$ is set by the legitimate sender and it can be correctly received by both legitimate receiver and eavesdropper. Namely,

$$Y^A=Y^B=Y^E\equiv Y$$

(2)

where $Y^B$ and $Y^E$ are ciphertext sequences that can be received by legitimate receiver and eavesdropper. Under this precondition, both the legitimate one and the eavesdropper can decrypt the correct ciphertext with the correct key sequence based on a secret key and PRNG. Such a mechanism can be expressed using the entropy theory developed by Shannon as follows:

$$H\left(X\right|K,Y^B)=H\left(X\right|K,Y^E)=0$$

(3)

Thus the security of Shannon’s cryptology is defined as follows:

$\mathbf{Definition}$ :

An eavesdropper who does not know the secret key cannot decrypt the ciphertext $Y(=Y^E=Y^B)$ with probability 1. This is equivalent to

$$H\left(X\right|Y)\ne 0.$$

(4)

This cryptosystem is said to be information-theoretically secure against a ciphertext-only attack (COA).

On the other hand, the following theorem holds for cryptosystems with the conditions of Equation (2) [2,5,6].

$\mathbf{Theorem}$ :

When ciphertext consists of plaintext and key sequence, the ambiguity of the plaintext has the following limitations.

$$H\left(X\right|Y)\le H(K)$$

(5)

This theorem is called the Shannon limit. In the following, we explain specific features of Shannon’s cipher under the conditions of Equation (2).

2.2.1. Non-Randam Cipher

Prepare a key sequence K to encrypt a plaintext sequence X. Assume that the ciphertext is composed of these two sequences. In this case, a non-random cipher is defined as follows:

$\mathbf{Definition}$:

A cryptosystem whose constructed ciphertext satisfies the following properties is called a non-random cipher:

$$H\left(Y^E\right|X,K)=H\left(Y^B\right|X,K)=0$$

(6)

A typical example of this type of cipher is an additive stream cipher. Let $X=x_1,x_2,x_3,\cdots x_n$ and $K=k_1,k_2,k_3,\cdots k_n$ be a plaintext and a key sequence, respectively. Then the ciphertext is as follows.

$$Y^A=X\oplus K=Y^B=Y^E$$

(7)

Here, Shannon gives the following definition of full confidentiality for the above cryptographic mechanism.

$\mathbf{Definition}$:

A cryptosystem is fully confidential (or perfect security in the sense of entropy) if it satisfies the following properties

$$H\left(X\right|Y)=H(X)$$

(8)

Based on this definition, the conditions for achieving perfect security in the sense of entropy are as follows

$\mathbf{Theorem}$:

For a cipher system to be perfect security in the sense of entropy for any plaintext statistics, the key sequence length must be equal to or greater than the plaintext sequence length, i.e,

$$\left|X\right|\le \left|K\right|$$

(9)

where the key sequence must be a sequence of true random numbers.

A cryptographic mechanism that meets the above conditions is called the 0ne Time Pad (or Vernum cipher). It is inefficient and leaves excesses in key management and known plaintext attacks [7,8]

2.2.2. Shannon Random Cipher

In Shannon theory, we can consider an information-theoretically secure cipher even if it does not satisfy the full confidentiality condition. It is called a random cipher and is defined as follows:

$\mathbf{Definition}$:

When a cryptosystem constructed under the conditions of Equations (2), (3) and (5) has the following properties

$$H\left(Y\right|X,K)\ne 0$$

(10)

it is called random cipher in the sense of Shannon.

In the case of ciphertext only attack, a cryptosystem with these properties can be realized by adopting a private randomization mechanism originating from Gauss, and its information-theoretic security is evaluated by the Unicity distance theory. Its concrete stracture is shown below [2,5,6].

2.3. Unicity Distance Theory

2.3.1. Summary

Shannon and his successors have discussed cases where Theorem 2 does not hold but the encription cannot be uniquely decrypted by a ciphertext only attack. To simplify the discussion, we take a stream cipher encrypted by a pseudo-random number generator (PRNG) with a short secret key. In order to evaluate the degree of information-theoretic security of such a cipher system, the following unicity distance is defined.

$\mathbf{Definition}$:

Let $Y_n=y_1,y_2,y_3,\cdots ,y_n$ be a sequences of ciphertexts for an eavesdropper and $n_0$ be the minimum number of ciphertexts for which the ambiguity to the secret key is zero. Then it is called unicity distance of a ciphertext only attack. That is,

$$n_0:H\left(K\right|Y_{n_0})=0$$

(11)

Here we assume that the statistical structure of the plaintext is known and the entropy per symbol is $H\left(p\right)$, and the entropy of the key sequence is $H\left(K\right)$. Then, the number of key-plaintext pairs per each ciphertext is given by

$$F={\displaystyle \frac{2^{H\left(K\right)}{2}^{nH\left(p\right)}}{2^n}}=2^{H\left(K\right)-nH\left(p\right)-n}$$

(12)

Since $F=1$ in the above equation is equivalent to zero key ambiguity, the unicity distance is as follows [5,6]

$$n_0={\displaystyle \frac{H\left(K\right)}{1-H\left(p\right)}}$$

(13)

The above equation shows that the unicity distance depends on the statistical structure of the plaintext.

2.3.2. Shannon Random Cipher and Its Unicity Distance

Homophonic substitution is an example of a method to increase the entropy per symbol of plaintext, independent of the key sequence. When this method is introduced, the ciphertext is not uniquely determined by the key-plaintext pair. In this case, Equation (10) holds. Therefore, this cipher system is a random cipher. In such a random cipher, the larger the entropy of the plaintext, the more difficult it becomes to estimate the key from the ciphertext. In other words, the unicity distance becomes larger. If $H\left(X\right)=nH\left(p\right)=n$, the unicity distance becomes infinite, and the key cannot be uniquely determined even from an infinite number of ciphertexts. This is called an ideal cipher. However, if the eavesdropper obtains the correct key after obtaining the ciphertext, the correct plaintext can be decrypted since $H\left(X\right|K,Y)=0$ as a precondition. Thus, the Shannon limit holds.

2.4. Known Plaintext Attack against Conventional Cipher

As introduced in the previous section, the cryptography theory of Shannon and his successors ends with a formulation for a ciphertext only attack. In this section, we explain how Shannon’s theory holds when we assume a known plaintext attack (for simplicity, we assume an additive stream cipher).

$\mathbf{Definition}$:

Let $Y_n=y_1,y_2,y_3,\cdots ,y_n$ be the ciphertexts of length n of the eavesdropper, and assume that plaintexts of the same length are known. The minimum number of ciphertexts for which the ambiguity with respect to the key is zero is defined as follows.

$$n_1:H\left(K\right|Y_{n_1},X_{n_1})=0$$

(14)

The $n_1$ in the above equation is called the unicity distance of known plaintext attacks.

In the following, we show some properties of the unicity distance for non-ranndom cipher and random cipher in the Shanon theory.

2.4.1. Non-Random Cipher

Since $H\left(Y\right|K,X)=0$ in a non-random cipher, the following is hold if a ciphertext of length equal to the key length and the corresponding plaintext are known.

$$H\left(K\right|Y_{\left|K\right|},X_{\left|K\right|})=0$$

(15)

where $Y_{\left|K\right|},X_{\left|K\right|}$ are the ciphertext equal to the key length and the corresponding known plaintext, respectively. From the above,

$$n_1\le \left|K\right|$$

(16)

This means that non-random ciphers can be decrypted in principle. Thus, the conventional symmetric key cryptography has only the above degree of information-theoretic security, and the rest relies on computational security.

2.4.2. Random Cipher

For a random cipher in Shannon theory, one has $H\left(X\right|K,Y)=0,H(X\left|Y\right)\le H\left(K\right)$ under the condition $H\left(Y\right|K,X)\ne 0$. From the theory of entropy, the following holds in general.

$$\begin{array}{ccc}& & H\left(X_n\right|Y_n)+H\left(K\right|X_n,Y_n)\hfill \\ & & =H\left(K\right|Y_n)+H\left(X_n\right|K,Y_n)\hfill \end{array}$$

(17)

Assuming equality in the Shannon limit $H\left(X_n\right|Y_n)\le H\left(K\right)$, there exists a finite n, namely $n_1$, for which $H\left(K\right|X_n,Y_n)=0$ from the above formula. Therefore, even if $n_0$ is infinite, a random cipher can be formally deciphered by a known-plaintext attack. From the above, it is expected that conventional random ciphers are not very effective against known-plaintext attacks because they depend on plaintexts, and if the structure of the plaintext is known, the randomization has little effect.

Thus, the conventional cryptographic techniques can provide information-theoretic security against a ciphertext only attack, but these cannot provide information-theoretic security against known-plaintext attack.

3. Conceptual Generalized Random Cipher and Its Fundamental Properties

3.1. Conceptual Mechanism

Even with a cryptographic mechanism that uses a short secret key and PRNG, it is still possible to resist ciphertext only attacks to a practical extent. In order to realize a cryptosystem with information-theoretic security for general attacks, it is necessary to develop a random cipher that goes beyond the existing concept of random ciphers. In this section, we provide an overview on a generalization of Shannon random cipher as conceptual mechanism.

Here we define a generalized Shannon random cipher as a cryptosystem such that the ciphertext of the cryptosystem is hidden by ideal noise, and it has the following features.

$$Y^A=Y^B\ne Y^{Eq}$$

(18)

where $Y^A$ and $Y^B$ are the ciphertexts of the legitimate communicator, $Y^{E_q}$ is the ciphertext received by the eavesdropper. In other words, this is achieved by creating a situation where the ciphertext received by the legitimate receiver and the ciphertext that can be received by the eavesdropper are different. If we describe this in a sequence, it is as follows:

$$\begin{array}{ccc}& & Y_n^B=y_1^A,y_2^A,y_3^A,\cdots ,y_n^A\hfill \\ & & Y_n^{Eq}=y_1^{E_q},y_2^{E_q},y_3^{E_q},\cdots ,y_n^{E_q}\hfill \end{array}$$

(19)

$$\begin{array}{ccc}& & =y_1^A\oplus q_1,y_2^A\oplus q_2,y_3^A\oplus q_3,\cdots ,y_n^A\oplus q_n\hfill \end{array}$$

(20)

where $q_1,q_2,q_3,\cdots$ denote errors due to true noise. If this situation could be realized, then the following conceptual relations would be held.

$$\begin{array}{ccc}& & H\left(Y^B\right|K,X)=0,\hfill \end{array}$$

(21)

$$\begin{array}{ccc}& & H\left(Y^{Eq}\right|K,X)\ne 0\hfill \end{array}$$

(22)

Such a random cipher is a completely different form of random cipher than the conventional Shannon random cipher. Why this is possible is explained in a later section.

3.2. Generalized Unicity Distance

First, if the ciphertext received by a legitimate receiver and the ciphertext that can be received by an eavesdropper are different, the following situation is possible in the practical sense.

$$\begin{array}{ccc}& & H\left(X_n\right|K,Y_n^B)=0\hfill \end{array}$$

(23)

$$\begin{array}{ccc}& & H\left(X_n\right|K,Y_n^{Eq})\ne 0\hfill \end{array}$$

(24)

In other words, the legitimate receiver can obtain the correct plaintext with the correct key, but because the ciphertext of the eavesdropper has errors, the possibility appears such that the correct plaintext is not obtained even with the correct key. We need a generalization of the unicity distance to evaluate a security of system in such cases. The unicity distances for such a cryptographic mechanism are described below [3,9,10].

3.2.1. Ciphertext Only Attack

The unicity distance of a ciphertext only attack is described for the eavesdropper’s ciphertext as follows:

$\mathbf{Definition}$:

Let $n_0^Q$ be the minimum length of the ciphertext that has zero key ambiguity for the eavesdropper’s ciphertext. Then it is given by

$$n_0^Q:H\left(K\right|Y_{n_0^Q}^{Eq})=0$$

(25)

$n_0^Q$ is called the unicity distance of ciphertext only attack for generalized random cipher.

Unlike the conventional type, the above equation does not depend on the statistical structure of the plaintext, but on the randomness of the ciphertext that can be obtained by the eavesdropper. The error sequence in Equation (20) should be completely random numbers or its equivalent.

To achieve this, it is convenient to use the quantum noise effects of light. As an example, if the signal system consists of non-orthogonal quantum states when the eavesdropper receives the signal, the theory is that an ideal random number error effect will appear in the received signal. This is due to quantum irregularities (Born effect) when quantum superpositions are collapsed by measurement. The detailed discussions will be given in the susequent sections.

3.2.2. Known Plaintext Attack

The conventional random ciphers can achieve a large unicity distance for a ciphertext-only attack, but the technology to achieve this is very complicated. Furthermore, it is difficult to guarantee information-theoretic security more than a key length in the known plaintext attack.

Here, we consider a known-plaintext attack on generalized random cipher. First, the information-theoretic security evaluation for the known-plaintext attack is given as follows.

$\mathbf{Definition}$:

The unicity distance of known plaintext attacks for generalized random cipher is defined as follows:

$$n_1^Q:H\left(K\right|X_{n_1^Q},Y_{n_1^Q}^{Eq})=0$$

(26)

In the case of generalized random cipher, since it does not depend on the structure of the plaintext, the known plaintexts do not have much effect on the unicity distance. In other words, the following can be expected.

$$\left|K\right|\ll n_1^Q\le 2^{\left|K\right|}$$

(27)

Later sections will discuss specific examples of this.

3.2.3. Secret Key Leakage Attack in COA

In conventional symmetric-key cipher, an eavesdropper can retain the correct ciphertext, and if she can obtain the secret key after the communication, the correct plaintext can be obtained. It is due to $H\left(X\right|K,Y)=0$. However, in generalized random cipher, a possibility of Equation (24) arises because the eavesdropper’s ciphertext will be inaccurate. Therefore, we can define the following evaluation function [3,9,10].

$\mathbf{Definition}$:

When the secret key(initial key for PRNG) is stolen after communication, minimum length of ciphertext needed by the eavesdropper to obtain the correct plaintext is as follows:

$$n_2^Q:H\left(X_{n_2^Q}\right|K,Y_{n_2^Q}^{E_q})=0$$

(28)

The above is called the unicity distance of the secret key leakage attack.

4. Concrete Evaluation Method of Generalized Shannon Random Cipher

In the above section, we defined several unicity distances for several attacks. The main purpose of a generalized Shannon random cipher is to improve a security against known plaintext attack (KPA). In order to perform a quantitative evaluation of security, it is necessary to develop a method for its calculation. We discuss a method in the following.

In the case of KPA for the conventional cipher, an evesdropper can obtain a correct running key sequence which corresponds to the output sequence from the PRNG.

The purpose of the eavesdropper is to estimate the secret key of PRNG from the running key sequence. Assume that a PRNG consists of a linear shift register (LFSR) with a secret key (e.g., 256 bits) and a nonlinear filter. In general, one can adopt information theoretic analysis to an immunity evaluation in the conventional stream ciphers. The technique is called a fast correlation attack.

The efficiency of key estimation is evaluated by considering the following model. Suppose that the LFSR output is regarded as a linear code word of $(n,|K\left|\right)$ and the nonlinear filter section is modeled as a noisy communication channel with an error rate of $ϵ$ which depends on the structure of the nonlinear part. So the model corresponds to the decoding problem for linear code word of the length n and informatin bit K. The feature of this method is that the computational security of the nonlinear filter section is analyzed by an information-theoretic model. Such a theory was developed by Siegenthaler [11], Chepyzhov-Smeets [12], and others, from which the following theorem was derived [11].

$\mathbf{Theorem}$ :

When the length n of the code word, which corresponds to the length of output sequence obtained by eavesdropper, is satisfied as follow:

$$n>N={\displaystyle \frac{\left|K\right|}{C\left(ϵ\right)}}$$

(29)

Then, the probability of a key being correct is greater than $1/2$ if the total search complexity of the decryption algorithm is

$$O(2^{\left|K\right|}\times {\displaystyle \frac{\left|K\right|}{C\left(ϵ\right)}})$$

(30)

where $C\left(ϵ\right)$ is the maximum mutual information of the communication channel model with error $ϵ$.

Although this body of theory analyzes computational problems in the context of information theory, it was pointed out by Yuen et al. that these theories are rather appropriate for the ITS analysis of generalized random cipher [13,14]. Here we apply this theory to a detailed characterization of generalized random cipher.

The generalized random cipher consists of a PRNG with short key and real noise for randomization of ciphertext or runnning key sequences. The nonlinear filter part of the running key sequence of generalized random cipher does not make sense from an information-theoretic point of view. Therefore, the model is replaced as follows.

A sequence of LFSR with initial key is channel input, and this sequence is perturbed by a true noise and channel model by nonlinear part. But the main issue is a perturbation by real noise. Then, the procedure of the eavesdropper is decoding theory for a code word (LFSR) based on the sequence with errors due to the true noise.

Conventional theories that use communication channel models for computational problems lose the rigor of applying code theory because the noise model is not an independent process, but in generalized random cipher, noise is a true independent process, so the above idea is more valid. From the above, the aforementioned theorem can be read into the problem of information-theoretic cryptography.

As a result, if we consider the meaning of the unicity distance, we can set up the following relation.

$$n_1^Q\ge {\displaystyle \frac{\left|K\right|}{C\left({ϵ}_q\right)}}$$

(31)

$C\left({ϵ}_q\right)$ is the maximum mutual information of the measurement channel where the eavesdropper receives the running key sequence. ${ϵ}_q$ is the error probability due to a true noise.

5. Structure of Standard Quantum Stream Cipher

The challenge is how to show that the conceptually presented generalized random ciphers are real. The Y-00 protocol was proposed to solve this problem. Y-00 protocol is a technique that combines cryptographically secure pseudo-random numbers and quantum noise effects, and is characterized by the fact that it can be equivalently regarded as a function to hide the ciphertext of mathematical ciphers with quantum noise. In this section, we show a simple explanation of the original scheme of quantum stream cipher based on Y-00 protocol [13,14] which is called basic quantum stream cipher or standard quantum stream cipher.

In order to guarantee ultrahigh speed and long-distance transmission, it is necessary to adopt optical signals with high energy, not single photon or entanglement light. However, in general, high power signals have little quantum effect and it does not adequately hide the ciphertext. Therefore, we introduce a mechanism in which the receiver of Bob (the legitimate receiver) can ignore the quantum effect such as quantum noise and receiver of Eve (the eavesdropper) cannot avoide the quantum effect, even though the light is strong. This scheme is called “Advantage creation by secret key". It is designed as follows:

(a) Let us consider two optical signals with quantum coherent state sending 0 and 1 data. Let us denote the two coherent state signals as follows: $|\alpha >$ and $|-\alpha >$ with $\left|\alpha \right|\gg 1$ which is an amplitude of laser light. A pair of two coherent states is called the communication basis $Ba\left(g\right)$ for transmitting a “Binary Signal Data"as a plaintext where $g=1,2,3,\cdots ,M$. It means to prepare a set M of different pair $Ba\left(g\right)$ of two coherent states with different complex amplitude as follows:

$$\begin{array}{ccc}& & Ba\left(1\right)=\left\{\right|\alpha e^{i{\theta }_1}>,|-\alpha e^{i{\theta }_1}>\},\hfill \\ & & Ba\left(2\right)=\left\{\right|\alpha e^{i{\theta }_2}>,|-\alpha e^{i{\theta }_2}>\},\hfill \\ & & ⋮\hfill \\ & & Ba\left(M\right)=\left\{\right|\alpha e^{i{\theta }_M}>,|-\alpha e^{i{\theta }_M}>\}\hfill \end{array}$$

(32)

The selection can be realized by a unitary transformation controlled by the running key. In the standard quantum stream cipher, the data information $x=0,1$ are assigned regularly to one of signal of each basis. Thus, in general there is a correlation between plaintext and running key as the conventional cipher.

(b) Alice and Bob share the same PRNG with the same secret key (for example 256 bits) as the conventional stream cipher. A sequence is generated by the output of PRNG. This is called “running key" sequence in a stream cipher. Alice`s transmitter selects a communication basis in Equation (32) following the running key of M values, and then one of binary data is transmitted by using the selected communication basis. Thus, a sequence of $2M$-ary optical signal with coherent state of diferent amplitude or phase is transmitted. It is a quantum ciphertext that must be converted into an electrical signal by quantum measurement for cryptanalysis.

(c) Alice and Bob share the same running key, so Bob can know which basis was selected. That is, he can receive the optical signal as the binary signal after an inverse unitary transformation. So the quantum signals for Bob are as follows:

$$\begin{array}{ccc}& & {\rho }_0^B=|\alpha ><\alpha |,\hfill \\ & & {\rho }_1^B=|-\alpha ><-\alpha |\hfill \end{array}$$

(33)

This is independent of the communication basis.

But Eve has no information on the running key, because she does not know the secret key for PRNG. So Eve has to use a receiver for $2M$ valued signals, and has to discriminate $2M$-ary phase shift keying (PSK) signals. In the case of phase shift keying, the set of quantum states is described by

$$\begin{array}{ccc}& & {\rho }_m^E=|\alpha e^{i{\theta }_m}><\alpha e^{i{\theta }_m}|\hfill \\ & & m=1,2,3,\cdots ,2M\hfill \end{array}$$

(34)

where m is controlled by binary data and M-ary running key. Thus the eroor performance of Bob is given by binary quantum detection, and the error performance of Eve is formulated by $2M$-ary quantum detection for cryptanalysis.

(d) Y-00 protocol requires a signal constellation such that the binary detection is error free, but the $2M$-ary signal detection sufferes quantum noise effect based on Helstrom-Holevo-Yuen principle [15,16,17]. That is, a non-orthogolal quantum state signal cannot be discriminated without error. The above structures satisfy this condition, because a binary detection of two coherent states is regarded as nealy orthogonal for $\left|\alpha \right|\gg 1$, but $2M$-ary detection for complex amplitude ${\alpha }_m,m=1,2,3,\cdots ,2M$ is regarded as non-orthognal quantum state system. The concrete signal constellation based on phase shift keying (PSK) was given in [13].

(e) Consequently, Bob can obtain directly a data bit sequence without serious error. However, Eve can only obtain a multi-level signal sequence which corresponds to ciphertext as the measurement result of quantum ciphertext. This electrical sequence of the ciphertext has error. So Eve has to recover data sequence or secret key of PRNG from this sequence with error.

Thus a quantum stream cipher based on Y-00 protocol is a candidate of generalized random cipher in which Eve cannot obtain correct ciphertext. Moreover, this scheme has technical advantages in the real world applications. That is, the noise for randamization is only generated in the measurement process, and it does not disturbe the bandwidth of channel or data speed of the legitimate communicator. Thus it is applicable to the conventional optical communication systems for ultrafast data transmission.

6. Quantum Communication Theory for Cryptanalysis

6.1. Fundamental Formulae

The quantum communication theory was formulated by pioneers such as Helstrom, Holevo, Yuen, and its whole formulation was integrated by Holevo [18]. Especially, Holevo [16] and Yuen [17] clarified optimum conditions of the quantum Bayes detection rule for multi-level signals independently, and Hirota-Ikehara foumulated quantum minimax detection rule with admissibility and completeness [19] that corresponds to quantum version of Wald-Middleton decision theory [20].

Let us describe the formulation of quantum detection theory of the core of quantum Shannon theory. When $2M$-ary coherent state signal is received at each slot, the optimizing variable of the quantum measurement channel is described by a compact set of the positive operator valued measure (POVM): ${\mathrm{\Pi }}_m$, $m=1,2,3,\cdots ,2M$. Then these operations are interpreated as the projector acting on the quantum state of each slot, and these provide error or detection probabilities as follows:

$$\begin{array}{ccc}\hfill P\left({\alpha }_l\right|{\alpha }_m)& =& Tr{\rho }_m{\mathrm{\Pi }}_l,m,l=1,2,3,\cdots ,2M\hfill \\ \hfill {\rho }_m& =& |{\alpha }_m><{\alpha }_m|\hfill \\ \hfill \sum _l{\mathrm{\Pi }}_l& =& I,{\mathrm{\Pi }}_l\ge 0\forall l\hfill \end{array}$$

(35)

The appearance of quantum effects in reception process of signals is characterized by the above foumula. The quantum Bayes rule is formulated as follows:

$${\overline{P}}_e=\underset{\left\{\mathrm{\Pi }\right\}}{min}\{1-\sum _{m=1}^{2M}{\xi }_{m}Tr{\rho }_m{\mathrm{\Pi }}_m\}$$

(36)

where a priori probability is $({\xi }_m>0,\forall m)$ for the admissibility in the decision theory. The necessary and sufficient condition are given as follows [16,17]:

$\mathbf{Theorem}$$\{Holevo,Yuen\}$:

$$\begin{array}{ccc}& & {\mathrm{\Pi }}_m[{\xi }_m{\rho }_m-{\xi }_l{\rho }_l]{\mathrm{\Pi }}_l=0,\forall l,m\hfill \\ & & \gamma -{\xi }_l{\rho }_l\ge 0,\forall l\hfill \\ & & \gamma =\sum _l{\xi }_l{\rho }_l{\mathrm{\Pi }}_l\hfill \end{array}$$

(37)

On the other hand, the quantum minimax rule is formulated as follows [19]:

$${\overline{P}}_e=\underset{\left\{\xi \right\}}{max}\underset{\left\{\mathrm{\Pi }\right\}}{min}\{1-\sum _{m=1}^{2M}{\xi }_{m}Tr{\rho }_m{\mathrm{\Pi }}_m\}$$

(38)

The necessary and sufficient condition are given as follows [19]:

$\mathbf{Theorem}$$\{Hirota·Ikehara\}$:

$$\begin{array}{ccc}& & Tr{\mathrm{\Pi }}_l{\rho }_l=Tr{\mathrm{\Pi }}_m{\rho }_m,\forall l,m\hfill \\ & & {\mathrm{\Pi }}_m[{\xi }_m{\rho }_m-{\xi }_l{\rho }_l]{\mathrm{\Pi }}_l=0,\forall l,m\hfill \\ & & \gamma -{\xi }_l{\rho }_l\ge 0,\forall l\hfill \\ & & \gamma =\sum _l{\xi }_l{\rho }_l{\mathrm{\Pi }}_l\hfill \end{array}$$

(39)

In general, it is very difficult to find the solutions of the above two quantum detection rules. However, in the standard quantum stream cipher system, quantum state signals have a property of the covariant as defined below.

$\mathbf{Definition}$:

Let G be a group with an operation ∘. The set of quantum state signals is called group covarinat if there exist unitary operators $U_k(k\in G)$ such that

$$U_k|{\psi }_m>=|{\psi }_{k\circ m}>,\forall m,k\in G$$

(40)

It characterizes quantum states $\left\{\right|{\psi }_m>,m\in G\}$.

The general properties of quantum Bayes rule for covariant case of multi parameters are given by Ban [21]. One of the results for coherent state signals is as follows:

$\mathbf{Theorem}$

If the signal set $\left\{\right|{\alpha }_m>\}$ is a covariant, the optimum POVM is given by using Gram operator H as follows:

$$\begin{array}{ccc}& & {\mathrm{\Pi }}_l=|{\mu }_l><{\mu }_l|\hfill \\ & & |{\mu }_l>=H^{-1/2}|{\alpha }_l>\hfill \\ & & H=\sum _{m=1}^M|{\alpha }_m><{\alpha }_m|\hfill \end{array}$$

(41)

and the optimum quantum Bayes solution is

$${\overline{P}}_e=1-|<{\alpha }_1|H^{-1/2}{|{\alpha }_1>|}^2$$

(42)

where $|{\alpha }_1>$ is the base state.

The error probability for Eve for $2M$ covariant signals can be given as follows [15,22,23]:

$$\begin{array}{ccc}\hfill {\overline{P}}_e^E& =& 1-{\displaystyle \frac{1}{{\left(2M\right)}^2}}{\left(\sum _{m=1}^{2M}{\sqrt{\lambda }}_m\right)}^2\hfill \\ \hfill {\lambda }_m& =& \sum _{k=1}^{2M}<{\alpha }_1|{\alpha }_k>u^{-(k-1)m}\hfill \end{array}$$

(43)

where $u=exp[\pi i/M]$. In addition, Osaki showed that the worst priori probability in the quantum minimax rule for the covariant signals becomes the uniform distribution and the minimax solution is also given by Equation (41) and Equation (42) [24].

6.2. Advantage Creation by Differenciation of Quantum Detection Performance by Secret Key

Bob can control the unitary transformation to convert back to binary optical signals by using a running key from a pseudo-random number for the $2M$ optical signals. Then, the quantum detection model becomes the binary quantum states of $\{{\rho }_0^B,{\rho }_1^B\}$ :Equation (33) independent of the communication basis. The average error probability is given by Helstrom formula as follows [15]:

$$\begin{array}{ccc}\hfill {\overline{P}}_e^B& =& \underset{\left\{\mathrm{\Pi }\right\}}{min}\{1-\sum _{m=0}^1{\xi }_{m}Tr{\rho }_m^B{\mathrm{\Pi }}_m\}\hfill \\ & =& {\displaystyle \frac{1}{2}}[1-\sqrt{1-4\xi (1-\xi )Tr\left({\rho }_0^B{\rho }_1^B\right)}]\hfill \\ & \ll & {\displaystyle \frac{1}{2}}\hfill \end{array}$$

(44)

On the other hand, “in order for Eve to perform the cryptanalysis", she has to obtain the information of running key sequence by her quantum measurement to $2M$-ary quantum ciphertext. The first step in the procedure leading to an attack is to receive a signal flowing through the real communication channel. The average minimum error probability for the adopted quantum state signal scheme (or equivalently maximum detection probability) can be given by the formulae: Equation (38), Equation (39), Equation (41), Equation (43). For $M\gg 1$, it becomes

$${\overline{P}}_e^E=\underset{\left\{\xi \right\}}{max}\underset{\left\{\mathrm{\Pi }\right\}}{min}\{1-\sum _{m=1}^{2M}{\xi }_{m}Tr{\rho }_m{\mathrm{\Pi }}_m\}\sim 1$$

(45)

Thus these formulae provide the theoretical accuracy of the ciphertext that the eavesdropper can obtain.

If Eve were to attempt to decode the binary data directly, she would adopt the binary quantum optimal measurement for the following mixed quantum states.

$$\begin{array}{ccc}\hfill {\rho }_0^E& =& {\displaystyle \frac{1}{M}}\sum _{m=1}^M|{\alpha }_{(m=even)}><{\alpha }_{(m=even)}|\hfill \\ \hfill {\rho }_1^E& =& {\displaystyle \frac{1}{M}}\sum _{m=1}^M|{\alpha }_{(m=odd)}><{\alpha }_{(m=odd)}|\hfill \end{array}$$

(46)

This structure of mixed state is called doubly symmetric mixed state, and Kato gives the quantum Bayes(also minimax) solution for such as mixed states of coherent state [25]. Then the average error probability for binary data is given as follows:

$${\overline{P}}_e^E=\underset{\left\{\xi \right\}}{max}\underset{\left\{\mathrm{\Pi }\right\}}{min}\{1-{\displaystyle \frac{1}{2}}\sum _{l=0}^{1}Tr{\rho }_l^E{\mathrm{\Pi }}_l\}\sim {\displaystyle \frac{1}{2}},M\gg 1$$

(47)

The difference between Equation (44) vs Equation (45) and Equation (44) vs Equation (47) is called the advantage creation by a secret key.

6.3. Physical Processes for Cryptanalysis against PRNG

A sequence of length n of quantum ciphertext from a transmitter of standard quantum stream cipher is described as follows:

$${\rho }^E(x_1,k_1^R)\otimes {\rho }^E(x_2,k_2^R)\otimes \cdots \otimes {\rho }^E(x_n,k_n^R)$$

(48)

$x\in X$ is binary data (plaintext), $k^R\in K^R$ is running key of M values from PRNG. Let us denote the physical attack process for cryptanalysis in the following.

6.3.1. Individual Quantum Measurement-Collective Procedure

Let us assume that Eve adopts a quantum optimum mesurement $\left\{{\mathrm{\Pi }}_i\right\}$ for each slot. The observed sequence coresponds to a sequence of the decision output for $2M$ valued signal at each slot. The randomness of signals is represented by Equation (38), and its randomness automatically provides a fully independent true random noise. The target for Eve is data (binary plaintext) or secret key of PRNG, and she has to estimate them from a sequence with errors based on a security analysis like correlation attack or other attack. Such a procedure is called “$\mathit{individual}$$\mathit{quantum}$$\mathit{measurement}$-$\mathit{collective}$$\mathit{attack}$".

6.3.2. Collective Quantum Measurement-Collective Procedure

On the other hand, Eve can adopt a collective quantum measurement. It is a quantum measurement such that one treats some slots of a coherent state sequence of $2M$-ary as one block quantum state. Here Eve has to construct a quantum entanglement measurement system of ${\left(2M\right)}^{{\left|N\right|}_{Bl}}$ signals, where ${\left|N\right|}_{Bl}$ is the length of the block. Based on such a measured sequence, she analyzes several attacks against the sequence. This scheme is called “$\mathit{collective}$$\mathit{quantum}$$\mathit{measurement}$- $\mathit{collective}$$\mathit{attack}$. When ${\left|N\right|}_{Bl}$ is large number, it seems that this physical implimentation is impossible. After such physical manipulations, an eavesdropper would be forced to make some cryptanalytic attempts.

7. Cryptological Attack for Quantum Stream Cipher and Its Performance

7.1. The Main Attack Scheme

Here let us describe the concept on cryptological attacks against the standard and some generalized quantum stream ciphers. Since the receiver of Bob adopts a binary detection scheme by the communication basis synchronized with the same PRNG with the same secret key, there is no mismatch in the communication basis. Then it outputs a binary signal as data without serious error, because the signal power is strong and the signal distance of two signals in a basis is large. However, Eve’s received signals are $2M$-ary and contain errors, because the signal distances between several signals are small. The extent of the error is called a noise masking region.

$\mathbf{Definition}$:

Let “ $\mathrm{\Gamma }$ " be the number of signals masked by quantum noise in the several measurement processes.

7.1.1. Legitimate Receiver Simulation Attack

Let us consider the KPA based on the exhaustive search. This attack clarifies the difference between standard symmetric key cipher and quantum stream ciphers. In the standard quantum stream cipher based on Y-00 protocol, the data (plaintext) of the signal of each basis is deterministically set such that data 0 and 1 are regularly mapped to neighboring signals composed of a communication basis [13]. That is, the data information is mapped to $0,1,0,1,\cdots$ clockwise of the phase signal in the phase space. This menas that the standard quantum stream ciphers have a correlation between basis and data,

As a result, each signal of $2M$ valued signals has information for the plaintext(data) and the communication basis simultaneously. The information of the basis corresponds to that of runnning key. Therefore, if the each signal value can be determined by $2M$-ary detection, the plaintext and running key sequence information can be obtained directly.

In the above scheme, the information of binary plaintext in neighboring signals is completely masked by noises, but the information of running key of M values has finite ambiguity, because the $\mathrm{\Gamma }$ is small. In such a situation, it is easy for Eve to memorize digital ciphertext sequence of $2M$-ary signals containing errors. Eve can try KPA based on exhaustive search for all binary decisions similar to Bob on the stored sequence. This is called a $\mathit{legitimate}$$\mathit{receiver}$$\mathit{simulation}$$\mathit{attack}$.

Here, let us denote a rough approximate analysis for intuitive understanding. If the length of known plaintext is $\left|X\right|=\left|K\right|/logM$ which corresponds to the equivalent key length and also equals the length of the ciphertext, then the probability of the correct decision for the running key $K_R=\left\{\alpha e^{i{\theta }_m}\right\}$ of $\left|K\right|/logM$ length is

$$P\left(K_R\right|Y^{E_q})\cong {(\mathrm{\Gamma }/2)}^{-{\displaystyle \frac{\left|K\right|}{logM}}}\ll 1$$

(49)

Equation (49) means that the following many number of key corresponds to the correct plaintext of $\left|K\right|/logM$ length in the exhaustive search.

$${(\mathrm{\Gamma }/2)}^{{\displaystyle \frac{\left|K\right|}{logM}}}$$

(50)

This means

$$n_1^Q>{\displaystyle \frac{\left|K\right|}{logM}}$$

(51)

In other words, these features correspond to the property of the random cipher based on the degeneracy structure [13]. On the other hand, if there is no error, the cipher is

$$\begin{array}{ccc}& & P\left(K_R\right|Y^{E_q})=1,\hfill \\ & & n_1^Q={\displaystyle \frac{\left|K\right|}{logM}}\hfill \end{array}$$

(52)

The above characteristics indicate the fact that the criticism such that the standard quantum stream is the same as a conventional cipher is incorrect.

7.1.2. Fast Correlation Attack

Let us assume that no restriction is placed on the known plaintext length. At this situation, one can consider the runing key sequence (LFSR output) as a linear code and attempt a fast correlation attack on the received sequence with errors. The $2M$-valued running key sequence of the LFSR output is stored with errors. Then the $2M$-valued sequence is converted to binary values and a fast correlation attack is performed. The performance is evaluated by the unicity distance. From the definition of unicity distance, it can be evaluated by the channel capacity of Eve’s measurment channel. In general, the standard quantum stream cipher does not have sufficient performance against the fast correlation attack when the $\mathrm{\Gamma }$ is small. The concrete example to overcome it will be shown in the subsequent section.

7.1.3. Secret Key Leakage Attack

Assume that Eve memorizes digital ciphertext sequence of $2M$-ary signals containing errors. After communication, we assume that Eve can obtain the secret key of PRNG. Eve will try an attack to estimate plaintext that uses the correct secret key to the measured sequence with errors. That is, Eve can adopt the threshold for binary decision depending on the correct runing key, and she collects the plaintext sequence. The performance against such an attack is the most important in the generalized Shannon random cipher. Unfortunately, the standard quantum stream cipher does not have immunity against this type of attack.

7.2. Role of Additional Randomization Techinique

In generalized random ciphers, the ciphertext or running key sequence obtained by an eavesdropper is perturbed by a true noise (such as quantum noise). If the noise effect is small, it naturally cannot provide sufficient information-theoretic security from the above theory. For realistic applications, it is necessary to develop techniques to reduce the channel capacity in Equation (31). Since noise must physically appear, such a generalized random cipher can be realized only at the physical layer.

The problem to make increasing noise, as described above, has little precedent in information theory and is the exact opposite of what has been done so far. That is, the technological development is to increase the noise effect of the eavesdropper, but it does not affect the legitimate communicator. In the channel model of receiving process of an eavesdropper, a research to reduce its maximum mutual information is called “Randomization technology", and several examples have already been studied. Specific models will be presented later, but further research is expected.

8. Randomizations Towards Generalized Quantum Stream Cipher

The standard quantum stream cipher introduced in the previous section is highly practical and has affinity with real communication networks. However, it may have weaknesses in terms of the quantitative security evaluation. Randomization techniques are needed to realize a generalized quantum stream cipher with high-performance. This section presents some examples of randomisation methods and gives a rough description of improvements achieved by each method.

8.1. Overlap Selection Keying (OSK)

The OSK is a mechanism to randomize the geometrical relation between data (plaintext) and signal value of communication basis, patented by Tamagawa University (Patent number 4451085, 2003-June 27) [26]. It is to randomize the relation between data and given basis based on a sequence from a branch of the PRNG. By this method, the correlation of geometrical relation of data and communication basis is broken inside of the region of quantm noise masking $\mathrm{\Gamma }$. So we have the following performance instead of Equation (49):

$$P\left(K_R\right|Y^{E_q})\cong {\left(\mathrm{\Gamma }\right)}^{-{\displaystyle \frac{\left|K\right|}{logM}}}$$

(53)

In addition, the KPA is converted to the ciphertext only attack. So the legitimate receiver simulation attack does not work. Thus, the unicity distance for KPA is guaranteed to have the following performance.

$$n_1^Q\gg \left|K\right|$$

(54)

The other effect of OSK is that plaintext is automatically encrypted with pseudo-random numbers, and the plaintext itself becomes a kind of ciphertext called Y-00 plaintext.

8.2. Deliberate Signal Randomization (DSR)

Assume that a communication basis consists of a binary phase shift signal. A basis is randomly selected by the running key sequence from PRNG, and one signal for data is transmitted by the selected basis. Then M signals are located on the upper plain of the phase space, and other M signals are located on the lower plain of the phase space [13]. Here phase space means a space by quadrature amplitude $X_C$ and $X_S$.

Even $M\gg 1$, the masking effect $\mathrm{\Gamma }$ by quantum noise in Eve’s receiver is not enough, because the quantum noise is small. To enhance the error of Eve, the signal for transmission is randomly shifted by a true noise on the upper plain when the signal belongs the upper plain, and is shifted on the lower plain when it belongs the lower plain. This scheme is called Deliberate Signal Randomization (DSR) which corresponds to “$\mathit{private}$$\mathit{randomization}$". The strength of DSR is described by $|R_p|$. As a result, the masking region is enhanced by $\sigma |R_p|$, where $\sigma$ is the quantum noise effect. This was proposed by Yuen in 2003-Nov 10 [14]. When we adopt OSK and DSR with $\sigma |R_p|=M$, we may have the ideal performance such as

$$P\left(K_R\right|Y^{E_q})\cong 2^{-\left|K\right|}$$

(55)

Thus, this may improve the unicity distance in Equation (54). The concrete example will be given in the subsequent section.

8.3. Quantum Noise-Diffusion Mapping

The unicity distance of the generalized random cipher may be evaluated by the channel capacity of Eve from Equation (31). In this theory, it can be regarded such that a linear code with the initial value of LFSR as information propagates through a noisy channel. Thus, the decoding capability as the decryptobility at that time is evaluated by the channel capacity. In other words, as the length of the LFSR increases and the rate decreases, it becomes smaller than the channel capacity and the decoding accuracy increases. To obtain a large unicity distance, it is necessary to reduce the eavesdropper’s channel capacity by additional randamization like DSR. However, there is a trade-off in that it requires sacrificing the communication performance of the legitimate communicator. Therefore, a method to increase the unicity distance while keeping the amount of noise fixed is the subject of research.

Hirota-Kurosawa proposed in 2007 a method to introduce a mapping mechanism from a sequence of PRNG to actual quantum states such that the input to the noisy channel is regarded as a nonlinear code [27]. This is achieved by re-diffusing the signal masked by a small quantum noise. This mechanism renders the fast correlation attack inoperative. In addition, it provides the immunity against algebra attacks [28]. The detailed information-theoretic analysis of this method is still incomplete, but we look forward to further research.

8.4. Phase Masking by Symplectic Matrix

A theory for a randomization of code form of coherent states is given by Sohma [29,30]. It consists of the unitary operator $\mathbf{U}$ associated with a symplectic transformation in which any unitary operator composed of beamsplitters and phase shifters can be described by a symplectic transformation. First, let us consider a general code form of coherent state as follows:

$$|\varphi >=|{\alpha }_1>|{\alpha }_2>\cdots |{\alpha }_N>$$

(56)

From Stone-von Neumann theorem, the quantum characteristic function for the class of quantum Gaussian state is given as follows:

$$\begin{array}{ccc}\hfill \mathrm{\Phi }\left(\mathbf{z}\right)& =& Tr\mathbf{U}|\varphi ><\varphi |{\mathbf{U}}^{†}\mathbf{V}\left(\mathbf{z}\right)\hfill \\ & =& Tr|\varphi ><\varphi |\mathbf{V}\left({\mathbf{L}}^T\mathbf{z}\right)\hfill \end{array}$$

(57)

where

$$\begin{array}{ccc}\hfill \mathbf{V}\left(\mathbf{z}\right)& =& exp\left\{i{\mathbf{R}}^T\mathbf{z}\right\}\hfill \end{array}$$

(58)

$$\begin{array}{ccc}\hfill \mathbf{R}& =& {[({\mathbf{q}}_1,{\mathbf{p}}_1),\cdots ,({\mathbf{q}}_N,{\mathbf{p}}_N),]}^T\hfill \end{array}$$

(59)

and where $({\mathbf{q}}_i,{\mathbf{p}}_i)$ are the canonical conjugate operators. Then $\mathbf{L}$ is a symplectic matrix, and it is given by

$$\begin{array}{ccc}& & \mathbf{L}=\left(\begin{array}{cccc}{r}_{11}{e}^{i{\theta }_{11}}& \cdots & \cdots & r_{1N}{e}^{i{\theta }_{1N}}\\ r_{21}{e}^{i{\theta }_{21}}& \cdots & \cdots & r_{2N}{e}^{i{\theta }_{2N}}\\ ⋮& \cdots & \cdots & ⋮\\ r_{N1}{e}^{i{\theta }_{N1}}& \cdots & \cdots & r_{NN}{e}^{i{\theta }_{NN}}\end{array}\right)\hfill \end{array}$$

(60)

Here let us denote a vector of complex amplitudes $\alpha$ as follows:

$${\overrightarrow{\alpha }}_{in}=({\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_N)$$

(61)

then we have the following relation.

$${\overrightarrow{\alpha }}_{out}=\mathbf{L}{\overrightarrow{\alpha }}_{in}=({\alpha }_1^{out},{\alpha }_2^{out},\cdots ,{\alpha }_N^{out})$$

(62)

As a result, the unitary transformation for the coherent state sequence is given as follows:

$$\mathbf{U}|\varphi >=|{\varphi }_{out}>=|{\alpha }_1^{out}>|{\alpha }_2^{out}>\cdots |{\alpha }_N^{out}>$$

(63)

Thus, by scrambling the elements of Equation (60) with pseudo-random numbers, one can construct codes with any waveform. This technology is useful to realize a coherent PPM scheme proposed by Yuen [14].

9. Generalized Quantum Stream Cipher of Type-I and Its Performance

A quantum stream cipher that adds randomization techniques like OSK and DSR to the standard quantum stream is called a Type-I generalized quantum stream cipher. In this section, we show the scheme and performance.

9.1. Communication Scheme

Let us describe a communication scheme for phase shift keying (PSK). A running key sequence is generated by PRNG with short secret key. The selection scheme of communication basis by the running key is the same as the standard quantum stream cipher. In addition, several randomizations described above may be installed. Then $2M$ valued signals are transmitted. Bob can adopt the binary quantum optimum receiver, but in practice he can adopt an optical heterodyne receiver.

In the latter case, the output of the receiver is an analog electrical currents consisting of signal and quantum noise. For decoding, the threshold for binary decision is controlled based on the running key. Using the selected threshold, the binary decision is performed to obtain data. This type of communication scheme can be realized by the current optical communication technology.

9.2. Unicity Distance of Known Plaintext Attack

Here, let us assume a phase shift keying (PSK) quantum stream cipher with DSR and OSK. Eve is forced to adopt a detection of $2M$-ary signals and proceeds the conventional fast correlation attack. Once the eavesdropper’s channel is set, the lower bound of the unicity distance is obtained by its channel capacity. The optimum condition of maximum mutual information for multi-valued quantum state signal is given by Holevo [18], and the optimum POVM is given by Osaki [31] based on a prediction of Fuchs-Peres [32] as follows:

$\mathbf{Theorem}$$\left\{Osaki\right\}$:

The optimum POVM for maximum mutual information is given by the quantum minimax detection operator when the signal set is covariant and linearly independent.

The numerical performance has been verified for the maximum mutual information property based on the above theorem. As a result, when $M\gg 1$, it is possible to approximate its properties by heterodyne receiver [31]. In fact, $M\gg 1$ means that the signal set is regarded as almost analog signal. To confirm it, we can estimate the optimality for an analog signal by the following theorem [33].

$\mathbf{Theorem}$$\{Yuen·Lax\}$: The estimation bound for complex amplitudes are given by following formula.

$$Var\left(\widehat{\alpha }\right)\ge {\displaystyle \frac{1}{Tr\rho \mathcal{L}{\mathcal{L}}^{†}}}$$

(64)

where the right logarithm derivative is defined by

$${\displaystyle \frac{\partial \rho }{\partial \alpha }}={\mathcal{L}}^{†}\rho$$

(65)

And its solution is as follows:

$$\mathcal{L}=\mathbf{a}$$

(66)

where $\mathbf{a}$ is a photon annihiration operator, and it corresponds to a hetrodyne measurement.

So we can assume that the eavesdropper adopts heterodyne receiver, which is the highest performance for asynchronous quantum state signals. In this case, the eavesdropper receives $2M$ original phase signals to obtain M valued information on the running key. The signal distance between signals is $\pi \sqrt{S}/M$, where $S=\left|\alpha \right|$ is the signal strength, and $\sigma$ is the masking effect of the signal by quantum noise. The amount of signal masking is ${\mathrm{\Gamma }}_g=2M\sigma /\pi \sqrt{S}$. When the strength of DSR that spreads quantum noise effect is $|R_p|$, we have ${\mathrm{\Gamma }}_g=2\left|R_p\right|\sigma M/\pi \sqrt{S}$. Here, the range of DSR can be set as follows.

$$1\le \sigma |R_p|<{\displaystyle \frac{1}{2}}\pi \sqrt{S}$$

(67)

The equivalent quantum noise of the optical heterodyne measurement is $\sigma =1$, and the maximum mutual information in the wedge approximation is [13]

$$C_{Hetero}\cong {log}_2{\displaystyle \frac{\pi \sqrt{S}}{2|R_p|}}$$

(68)

(the exact communication channel capacity will be reported separately). Then the generalized unicity distance for KPA is

$$n_1^Q>{\displaystyle \frac{\left|K\right|}{{log}_2\frac{\pi \sqrt{S}}{2|R_p|}}}$$

(69)

This is called Nair-Yuen formula [13]. If the strength of DSR is $|R_p|>{\displaystyle \frac{1}{4}}\pi \sqrt{S}$, the generalized unicity distance is

$$\left|K\right|\ll n_1^Q\le 2^{\left|K\right|}$$

(70)

This cannot be achieved using only mathematical cipher. Thus, this scheme has advantages over conventional cryptographic mechanisms in terms of information-theoretic security. Although it is not the ultimate one, this type of system is expected to play a significant role in assuring the security of real optical communication systems.

9.3. Coherent Pulse Position Modulation Method

There is a method to realize Type I quantum stream cipher without using the above randomization technique. It is called a coherent Pulse Position Modulation (CPPM). This mechanism takes information as M-ary and configures it as a transmitted signal system with M-ary PPM. The M-ary PPM signals are then spread like a pseudo-waveform signal into the M- ary slot by unitary transformations driven by pseudo-random numbers generator. We recently proposed a method for implementing this scheme using Sohma’s method (Section VIII-D). Details will be presented in another paper.

10. Generalized Quantum Stream Cipher of Type-Ii and Its Performance

In this section, we discuss a higher-security performance scheme than the Type-I system. When a secret key for the cipher is stolen after communications, the conventional cipher can be decripted correctlly. The most important feature of generalized quantum stream cipher is that the cipher may not be decrypted even the secret key is stolen. We discuss in this section “a conceptual model" to show that there exists secure communication even if the secret key is stolen.

10.1. Communication Scheme

Here we show that there exists a scheme that is resistant to the secret key leakage attack. Let us assume that a channel between Alice and Bob is low-loss.

(a) Alice uses PSK (phase shift keying). The set of communication basis consists of two coherent states with small angles as follows (See Figure 5):

$$\begin{array}{ccc}\hfill Ba\left(1\right)& =& \left\{\right|{\alpha }_1>,|{\alpha }_1{e}^{i\Delta \theta }>\},\hfill \\ \hfill Ba\left(2\right)& =& \left\{\right|{\alpha }_2{e}^{i2\Delta \theta }>,|{\alpha }_2{e}^{i3\Delta \theta }>\},\hfill \\ \hfill Ba\left(3\right)& =& \left\{\right|{\alpha }_3{e}^{i4\Delta \theta }>,|{\alpha }_3{e}^{i5\Delta \theta }>\},\hfill \\ & & ⋮\hfill \\ \hfill Ba\left(M\right)& =& \left\{\right|{\alpha }_M{e}^{i(M-1)\Delta \theta }>,|{\alpha }_M{e}^{iM\Delta \theta }>\}\hfill \end{array}$$

(71)

where $\Delta \theta =\pi /M$. When $\alpha ={\alpha }_m,\forall m$, a set of $2M$ signals becomes covariant by Equation (40). These communication basis is selected by a running key sequence. Then plaintext is set to the selected basis as same as the type-I. Or the quantum cipher text is generated by the unitary transform $U\left(x\right)U\left(k^R\right)$ to coherent states controlled by a running key sequence.

(b) Bob has the same unitary transform $U\left(k^R\right)$, and it inversely transforms the input quantum states depending on the running key sequence. The output quantum states from the inverse unitary transformation can be regarded as binary quantum states.

(c) Bob adopts the quantum optimum receiver with Helstrom limit for these binary quantum states. The concrete system is called Dolinar receiver. The average error for the data $x=0,1$ is independent of the basis and it is given by Equation (44) as follows:

$${\overline{P}}_e^B={\displaystyle \frac{1}{2}}\{1-\sqrt{1-|<\alpha |-\alpha e^{i\Delta \theta }{>|}^2}\}$$

(72)

Design the amplitude and phase difference so that the above equation holds sufficiently small.

(d) Eve has to discriminate $2M$ valued coherent state signals. Since Eve does not know a priori probability distribution for $2M$ valued signals, she has to adopt a quantum minimax rule as follows:

$${\overline{P}}_e^E=\underset{\left\{\xi \right\}}{max}\underset{\left\{\mathrm{\Pi }\right\}}{min}[1-\sum _{m=1}^{2M}{\xi }_{m}Tr{\tilde{\rho }}_m^E{\mathrm{\Pi }}_m]$$

(73)

where $\left\{{\tilde{\rho }}_m^E\right\}$ is a set of Equation (71).

10.2. Secret Key Leakage Attack

Here, we show that the system is resistant to the secret key leakage attack. At first, Eve has to store a sequence of $2M$-valued signals received by the above quantum minimax receiver to try the crypto analysis. Once Eve has the secret key and the correct running key sequence after the measurement, she can try a classical binary decision scheme to sequences with errors in the 2M values for each slot.

Let us show how it works. When a set of quantum states is a covariant, the solution of the minimax rule is equivalent to quantum Bayes rule with the worst a priori probability distribution: ${\xi }_m=1/2M,\forall m$ [24]. When $M\gg 1$, one can aproximate the error performance based on quantum noise by analog version in the quantum decision theory. The solution becomes the heterodyne receiver. Thus, let us assume that Eve adopts heterodyne receiver with an analog to digital converter of the infinite bandwidth. She can store the almost analog signal consisted of signals and quantum Gaussian noise.

When Eve obtains the secret key and the correct running key sequence, she adopts the binary threshold decision based on classical Bayes rule depending on the running key. It corresponds to a model for the binary decision for binary signals with Gaussian quantum noise, because the uncertainty caused by pseudo-random numbers will disappear. The error probability for the binary data (plaintext) is

$${\overline{P}}_e^E\left(x\right)\cong \mathrm{erfc}\left\{{\displaystyle \frac{\left|\alpha \right|(1-cos\Delta \theta )}{{\sigma }_{eq}}}\right\}$$

(74)

The relation between Bob’s error:Equation (72) and Eve’s errors: Equation (74) with secret key provided after communication for the plaintext (data) is as follows:

$${\overline{P}}_e^E\left(x\right)\gg {\overline{P}}_e^B\left(x\right)$$

(75)

Thus, the sequences of plaintexts that Bob and Eve can obtain become as follows:

$$\begin{array}{ccc}& & X_n^B\cong x_1,x_2,x_3,\cdots ,x_n\hfill \\ & & X_n^{Eq}=x_1^{E_q},x_2^{E_q},x_3^{E_q},\cdots ,x_n^{E_q}\hfill \end{array}$$

(76)

$$\begin{array}{ccc}& & =x_1\oplus q_1,x_2\oplus q_2,x_3\oplus q_3,\cdots ,x_n\oplus q_n\hfill \end{array}$$

(77)

where $x_i:\{0,1\}$, $q_i:\{0,1\}$. As a result, the sequence of Eve consists of the plaintext X and the quantum error sequence.

Here we can regard the quantum error as random key: $K_q=q_1,q_2,\cdots ,q_n$. The structure of Eve’s sequence of plaintext : Equation (77) is equivalent to Shannon cipher with key sequence $K_q$. So the unicity distance of the final sequence for Eve is as follows.

$$n_2^Q={\displaystyle \frac{H\left(K_q\right)}{1-H\left(p\right)}}$$

(78)

where $H\left(K_q\right)$ is an entropy of quantum error sequence, $H\left(p\right)$ is an entropy per symbol of the plaintext.

Thus, in principle, there exists the generalized Shannon random cipher with following performance:

$$\begin{array}{ccc}\hfill H\left(X\right|Y^B,K)& \cong & 0,for\mathrm{Bob}\hfill \end{array}$$

(79)

$$\begin{array}{ccc}\hfill H\left(X\right|Y^E,K)& >& 0,for\mathrm{Eve}\hfill \end{array}$$

(80)

However, we emphasize that this is intended to provide theoretical evidence and is applicable only to channels with very low losses. Therefore, more careful research is needed for practical application.

11. Generalized Quantum Stream Cipher of Type-Iii and Its Performance

The principle of the previous schemes was to adopt a pseudo-random number generator (PRNG) for diffusion of quantum noise effect. Here, we show new schemes such that the quantum ciphertext is constructed by directly mapping the plaintext regularly to the quantum state signal without an encryption mechanism by PRNG and secret key.

11.1. Communication Scheme 1

First, let us consider an encryption as a kind of game based on the strategy of Bob and Eve’s receiving mechanism. This correspoonds to a model based on only error performances between quantum Bayes rule and quantum minimax rule. The communication scheme is as follows:

(a) Plaintext consists of combination of J bits.

$$\begin{array}{ccc}\hfill X_1& =& (1,0,0,\cdots ,0)\hfill \\ \hfill X_2& =& (0,1,0,\cdots ,0)\hfill \\ & & ⋮\hfill \\ \hfill X_M& =& (1,1,1,\cdots ,1)\hfill \end{array}$$

(81)

Then we assume that Alice can control a priori probability distribution $\left\{{\xi }_m^A\right\}$ of M valued signals and the structure of quantum state ensemble $\left\{{\rho }_m^A\right\}$. The structure of quantum states is opened. Unknown is only a priori probability disribution.

(b)M-valued plaintext is mapped regularly to one of M-valued quantum states as follows:.

$$\left\{\right|{\alpha }_m>,m=1,2,3,\cdots ,M\}$$

(82)

For example M-ary PSK scheme.

(c) Bob has an information for the a priori probability for M signals and has an information of the structure of the quantum state ensemble ${\rho }_m^A$. Then he can adopt the quantum Bayes decision rule. His error probability is given by

$${\overline{P}}_{e,Bayes}^B=\underset{\left\{\mathrm{\Pi }\right\}}{min}[1-\sum _{m=1}^M{\xi }_m^{A}Tr{\rho }_m^A{\mathrm{\Pi }}_m]$$

(83)

Eve knows the structure of quantum state signals, but she does not know a priori probability distribution. So she adopts the quantum minimax decision rule as follows:

$${\overline{P}}_{e,min}^E=\underset{\left\{\xi \right\}}{max}\underset{\left\{\mathrm{\Pi }\right\}}{min}[1-\sum _{m=1}^M{\xi }_{m}Tr{\rho }_m{\mathrm{\Pi }}_m]$$

(84)

Then her error probability is given by the quantum Bayes with the worst a priori probability. We wish to enlarge the absolute quantity of Eve’s error performance. To do it, we can adopt a concept of covariant and noncovariant signals which are descrived as follows [34]:

$\mathbf{Theorem}$$\{Usuda·Takumi\}$:

M-ary signals $\left\{\right|{\psi }_m>,m=1,2,3,\cdots ,M\}$ are group cavarinat with respect to a group $(G;\circ )$ of order M if and only if the following relation is hold:

$$<{\psi }_{k\circ m}|{\psi }_{k\circ l}>=<{\psi }_m|{\psi }_l>,\forall k,l,m\in G$$

(85)

where $G=\{1,2,3,\cdots M\}$ and ∘ is the operation of the group G.

Minimax decision rule gives a solution assuming an a priori probability distribution that gives the maximum value of the Bayes rule solution. Here, when the signal system is not group covariant, the worst a priori probability distribution of minimax is not uniform [24].

According to the general theory of quantum detection theory [16,19], we have the following relation.

$$\begin{array}{ccc}& & {\overline{P}}_{e,Bayes}^E\left(Covariant\right)={\overline{P}}_{e,minimax}^E\left(Covariant\right)\hfill \\ & & <{\overline{P}}_{e,minimax}^E\left(Noncovariant\right)\hfill \end{array}$$

(86)

That is, when the set of quantum states is not covariant, the error performances for the minimax rules themselves is greatly degraded, depending of signal properties [24,35,36]. Thus we can have the following relation.

$${\overline{P}}_{e,Bayes}^B\left(Noncovariant\right)<{\overline{P}}_{e,minimax}^E\left(Noncovariant\right)$$

(87)

Using this property, the system uses a signal set that is not group covariant and transmits with an a priori probability distribution ${\xi }_m^A$ that maximizes the characteristic difference between Bayes and minimax. The optimization problem is given as follows:

$$\begin{array}{ccc}& & \underset{\left\{{\rho }_m\right\}}{max}\underset{\left\{{\xi }_m^A\right\}}{max}\mid {\overline{P}}_{e,Bayes}^B\left(Noncovariant\right)\hfill \\ & & -{\overline{P}}_{e,minimax}^E\left(Noncovariant\right)\mid \hfill \end{array}$$

(88)

where ${\xi }_m^A$ is a priori probability distribution that Alice can control, and the relation among a priori probability distributions is ${\xi }_m^A={\xi }_m^B\ne {\xi }_m^E$. $\left\{{\rho }_m\right\}$ is a structure of noncovariant states. Here, the worst a priori probability distribution ${\xi }_m^E$ for the minimax is determined only by the structure of noncovariant quantum states.

Thus, even if the legitemate communicators do not have secret symmetric key, we can realize the quantum advantage creation. The details of this property require numerical analysis and it will be shown in the subsequent paper.

11.2. Communication Scheme 2

Let us discuss a modification of wire-tap channel scheme in the sense of quantum advantage creation principle.

11.2.1. Secret Capacity

The conventional wire-tap channel model requires a special channel such that the signal to noise ratio of Bob is greater than that of Eve as the system requirement. We replace its condition to the notion of the quantum advantage creation in quantum measurements.

According to quantum Shannon theory established by Holevo and others [18], the capacity formula for lossy Gaussian noise channel for coherent states is given as follows [37]:

$\mathbf{Theorem}$:$\{Holevo·Sohma·Hirota\}$

The capacity formula of the quantum lossy Gaussian noise channel for coherent state signals is given as follows:

$$\begin{array}{ccc}\hfill C_H& =& log(1+{\displaystyle \frac{S}{1+<n>}})+Slog(1+{\displaystyle \frac{1}{S+<n>}})\hfill \\ & -& <n>log\left({\displaystyle \frac{1+\frac{S}{<n>}}{1+\frac{S}{1+<n>}}}\right)\hfill \end{array}$$

(89)

where S and $<n>$ are average photon numbers of received signal and additive noise, respectively.

The above formula is in general greater than the Shannon classical capacity. To achieve this Holevo capacity in the realization stage, Alice and Bob must have prior knowledge of the quantum signal and other various conditions. The capacity can only be achieved by adopting a quantum measurement under those conditions [18]. Especially, the time synchronisation between Alice and Eve is necessary, but Eve cannot obtain such an information before communication. If these conditions are not known, a heterodyne receiver would be optimal. With this differentiation, it is possible to construct a modified wire-tap channel communication scheme. The secret capacity is defined as follows:

$$C_S=\underset{\left\{\xi \right\},\left\{{\mathrm{\Pi }}^B\right\}}{max}{\mathbf{I}}^B(X,Y)-\underset{\left\{\xi \right\},\left\{{\mathrm{\Pi }}^E\right\}}{max}{\mathbf{I}}^E(X,Y)$$

(90)

where $\left\{{\mathrm{\Pi }}^B\right\}$ and $\left\{{\mathrm{\Pi }}^E\right\}$ are POVM for Bob and Eve, respectively. Eve’s POVM is restricted to heterodyne when there is no synchronisation. A conjecture of the concrete formula of secret capacity for this model based on coherent state is as follows [38,39].

$$\begin{array}{ccc}& & C_S=C_H-C_{Shannon}=\hfill \\ & & log(1+{\displaystyle \frac{S^B}{1+<n{>}^B}})\hfill \\ & & +S^{B}log(1+{\displaystyle \frac{1}{S^B+<n{>}^B}})\hfill \\ & & -<n{>}^{B}log\left({\displaystyle \frac{1+\frac{S^B}{<n{>}^B}}{1+\frac{S^B}{1+<n{>}^B}}}\right)\hfill \\ & & -log(1+{\displaystyle \frac{S^E}{1+<n{>}^E}})\hfill \end{array}$$

(91)

where $S^B,<n{>}^B$ are the average photon number of signal and noise for Bob, and $S^E,<n{>}^E$ are those for Eve. When the above formula is positive, one can implement the secure communication system in principle.

11.2.2. Coding Problem

For the practical discussions, we assume that the system is finite and discrete scheme. The problem is to construct a coding theory that creates the advantage of the legitemate communicators. It is equivalent to constract a superadditivity of mutual information (or accessible information) [40]. The first challenge to clarify the effect of coding was made in Ref. [41].

12. Conclusion

In this paper, we explained that generalized random cipher, which can improve the shortcomings of one time pad ciphers, can be realized by applying quantum effects. To evaluate such ciphers, we have introduced the generalized unicity distance, and showed some examples. A more detailed theoretical analysis needs to be developed for realization of the ultimate performance such as Type-II, Type-III.

On the other hand, a number of experimental studies for the standard quantum stream cipher have already been initiated on the basis of the the above theory. As a result, promising results for practical application have been obtained by groups of USA, Japan and China [42,43,44,45,46,47,48,49]. In addition, the generalized quantum stream cipher with randamizations of Type-I has been implemented by Futami group [50]. This is the first demonstration for quantum stream cipher with sufficient information theoretic security.

Another possibility of the generalized random ciphers are Shapiro’s scheme so called quantum low probability of intercept [51], and Lloyd’s scheme [52]. These will be introduced in the part III.