On the security of AlphaEta: Response to `Some attacks on quantum-based cryptographic protocols'
ABSTRACT Lo and Ko in [1] have developed some attacks on the cryptosystem called AlphaEta [2], claiming that these attacks undermine the security of AlphaEta for both direct encryption and key generation. In this paper, we show that their arguments fail in many different ways. In particular, the first attack in [1] requires channel loss or length of known-plaintext that is exponential in the key length and is unrealistic even for moderate key lengths. The second attack is a Grover search attack based on `asymptotic orthogonality' and was not analyzed quantitatively in [1]. We explain why it is not logically possible to ``pull back'' an argument valid only at n=infinity into a limit statement, let alone one valid for a finite number of transmissions n. We illustrate this by a `proof' using a similar asymptotic orthogonality argument that coherent-state BB84 is insecure for any value of loss. Even if a limit statement is true, this attack is a priori irrelevant as it requires an indefinitely large amount of known-plaintext, resources and processing. We also explain why the attacks in [1] on AlphaEta as a key-generation system are based on misinterpretations of [2]. Some misunderstandings in [1] regarding certain issues in cryptography and optical communications are also pointed out. Short of providing a security proof for AlphaEta, we provide a description of relevant results in standard cryptography and in the design of AlphaEta to put the above issues in the proper framework and to elucidate some security features of this new approach to quantum cryptography.
- [Show abstract] [Hide abstract]
ABSTRACT: Nishioka et al claim in [1], elaborating on their earlier paper [2], that the direct encryption scheme called Y-00 [3,4] is equivalent to a classical non-random additive stream cipher, and thus offers no more security than the latter. In this paper, we show that this claim is false and that Y-00 may be considered equivalent to a \emph{random} cipher. We explain why a random cipher provides additional security compared to its nonrandom counterpart. Some criticisms in [1] on the use of Y-00 for key generation are also briefly responded to.10/2005; - [Show abstract] [Hide abstract]
ABSTRACT: We provide a security analysis of the Y-00 protocol under heterodyne measurement and correlation attack. We show that the secrecy of the data encryption scheme is extremely sensitive to the running-key generation process. In many situations our simple attack succeeds in recovering the initial shared secret key. Our simulation results suggest that a truly secure implementation of the protocol should take into account the effective key generation method.Physics Letters A 08/2006; · 1.63 Impact Factor
Page 1
arXiv:quant-ph/0509091v3 12 Jul 2006
Quantum Information and Computation, Vol. 0, No. 0 (2003) 000–000
c ? Rinton Press
ON THE SECURITY OF αη: RESPONSE TO
‘SOME ATTACKS ON QUANTUM-BASED CRYPTOGRAPHIC PROTOCOLS’
Horace P. Yuena, Ranjith Nair, Eric Corndorf, Gregory S. Kanter, and Prem Kumar
Center for Photonic Communication & Computing,
Department of Electrical Engineering & Computer Science, Department of Physics & Astronomy,
Northwestern University, Evanston, IL, 60208, USA.
Received (received date)
Revised (revised date)
Lo and Ko in [1] have developed some attacks on the cryptosystem called αη [2], claiming
that these attacks undermine the security of αη for both direct encryption and key
generation. In this paper, we show that their arguments fail in many different ways.
In particular, the first attack in [1] requires channel loss or length of known-plaintext
that is exponential in the key length and is unrealistic even for moderate key lengths.
The second attack is a Grover search attack based on ‘asymptotic orthogonality’ and
was not analyzed quantitatively in [1]. We explain why it is not logically possible to
“pull back” an argument valid only at n = ∞ into a limit statement, let alone one valid
for a finite number of transmissions n. We illustrate this by a ‘proof’ using a similar
asymptotic orthogonality argument that coherent-state BB84 is insecure for any value of
loss. Even if a limit statement is true, this attack is a priori irrelevant as it requires an
indefinitely large amount of known-plaintext, resources and processing. We also explain
why the attacks in [1] on αη as a key-generation system are based on misinterpretations of
[2]. Some misunderstandings in [1] regarding certain issues in cryptography and optical
communications are also pointed out. Short of providing a security proof for αη, we
provide a description of relevant results in standard cryptography and in the design
of αη to put the above issues in the proper framework and to elucidate some security
features of this new approach to quantum cryptography.
Communicated by: to be filled by the Editorial
1 Introduction
In [1], Lo and Ko describe, without quantitative calculations, some attacks on the direct en-
cryption protocol of [2], interpreted by them also as a key generation scheme. They draw the
firm conclusion that our protocol is fundamentally insecure, that these attacks were neglected
by us as they are “outside the original design,” and that they “can, to some extent, be imple-
mented with current technology.” We contend that the strength and weakness of our scheme
have been totally misrepresented in [1], which does not analyze the relevant cryptographic
problems in a meaningful framework. Although we have already commented briefly on the
attacks of [1] in [3] and [5], and some related comments are given by Hirota et al in [6], [1] is
still often quoted without also referring to our partial rejoinder. Thus, we feel it appropriate
that a specific response to [1] be made in a complete paper. In particular, we would like to
ayuen@eecs.northwestern.edu
1
Page 2
2 Title ...
clear up at the same time many issues in the practical use of quantum cryptography and in
the properties of αη that have so far not been elucidated in the literature. We do not attempt
to give a complete security proof of αη in this paper. Such a proof is not available and is the
subject of ongoing research. See [4] for recent results. Nevertheless, it is possible to refute the
arguments of Lo and Ko taken by themselves, and this will be the main aim of this paper.
First of all, we note that the attacks in [1] do not contradict our claim in [2] that αη
encryption provides exponential complexity-based security against known-plaintext attacks
using a particular ‘assisted’ brute-force search. See [2] or alternatively, [4] for a more detailed
description. Although we mention the possibility of key generation with αη, we do not
present an explicit scheme to do so in [2]. The authors of [1] assume that the protocol of
[2] works without any additions or modifications for key generation, which was not claimed
by us at all. While they arrive at attacks that purport to show that αη is insecure in the
information-theoretic sense against known-plaintext attacks — already believed by us to be
quite possible [3] — we claim that the two attacks in [1] do not conclusively prove insecurity
of any finite-n system. Proof is important in this quantum situation because αη falls outside
the class of classical nonrandom ciphers for which known-plaintext attacks can be proved to
succeed. But perhaps more significantly, the Lo-Ko attacks are unrealistic in the fundamental
sense of having exponential complexity and requiring an exponential amount of resources. In
Section 2.2, we bring out the important point that, in contrast to other kinds of complexity,
exponential complexity offers realistic security as good as unconditional security.
We shall explain fully our criticisms of [1] in the course of this paper. In this introductory
section, we will lay out three major general defects in [1] which in our opinion are also implicit
in various papers on theoretical quantum cryptography. We will later have occasion to indicate
specific points where these defects arise when we reply in detail in Section 4 to the attacks in
[1].
In the first place, vague qualitative arguments are often offered as rigorous proofs, while
at the same time not giving precise conditions under which a result is claimed to be valid.
In [1], there are even several claims made without any argument at all. Rigorous proofs are
important in quantum cryptography because the main superiority it claims over standard
cryptography is the possibility of rigorous proof of security, unconditional or otherwise. A
more subtle point is that many arguments, including one in [1], rely on statements valid at
n = ∞ which cannot be cast into limiting statements on the relevant quantities. Indeed, limit
and continuity questions at n = ∞ are especially subtle in quantum mechanics owing to the
nonseparable Hilbert space, i.e., a Hilbert space with an uncountable basis, that arises when
n = ∞. One pitfall of such a leap of faith is illustrated in Section 5.
Secondly, strong claims are made with no actual numbers or numerical ranges indicated
for the validity of the results. Thus, results are often claimed to be valid asymptotically as the
number of bits n in a sequence goes to infinity, without any estimate on the convergence rate.
Such limiting results alone are of no use to an experimentalist or designer of a real system.
As security proofs, they offer no quantitative guarantee of any kind on an actual realistic
system where n is often not even very large. As attacks, they imply nothing about the level of
insecurity of any finite n system without convergence-rate estimates. Thus, showing a scheme
to be insecure simply as a limiting statement when n → ∞ has no practical implication.
(See Section 4 for a complete discussion.) A related point is with regard to the realistic
Page 3
Author(s) ...3
significance of quantities that vary exponentially with respect to some system parameter.
Thus, consideration of attacks, as is the case in one attack in [1], that succeed only when
the channel-transmittance (the output-to-input power ratio) η ∼ 2−|K|, where |K| is the key
length, is seen to be practically irrelevant by plugging in typical numbers for |K|. More
significantly, attacks that require exponential resources or processing like those in [1] are
irrelevant in a fundamental sense, because the situation cannot be changed by technological
advances, similar to the case of unconditional security.
These points are important because security in cryptography is a quantitative issue. For
example, in quantum key generation, the exact amount of Eve’s uncertainty determines how
much key is generated. To ensure that one generates a sufficiently large key, it is not sufficient
to use qualitative arguments that are valid only at extreme limits, since they may break down
quantitatively in realistic systems.
Thirdly, the general approach to quantum cryptography underlying αη, called ‘Keyed
Communication in Quantum Noise’ (KCQ) [3], is not well understood. In particular, the
various and distinct issues in connection with direct encryption and key generation with (or
even without) a secret key, which have to be clearly delineated for a proper analysis, are
lumped together in [1], generating considerable confusion even in the context of classical
cryptography. Since our approach is novel, this current situation is perhaps understandable.
While the full story of this field of research is still to be understood, some clarifications can
be made to clear up the various confusions.
In addition to the above, some specific details of implementation of αη are also miscon-
strued in [1]. Along with responding to the Lo-Ko arguments, one main purpose of this paper
is to provide the proper framework for security analysis of αη, for direct encryption as well as
key generation. It is not the purpose of this paper to provide any detailed security analysis of
αη, which is a huge undertaking and an on-going effort. However, we will indicate the many
features that make αη uniquely interesting and useful at various places in the paper.
The plan of this paper is as follows: In Section 2, we provide an outline of relevant
results and facts in symmetric-key cryptography, which are not well-known. Our statements
on direct encryption cryptography in this paper refer only to the symmetric-key case, and
not to public-key cryptography. In fact, public-key cryptography is not used for encryption
of data sequences of more than a few hundred bits owing to its slow speed. We discuss
in a subsection the current knowledge regarding security against known-plaintext attacks in
standard cryptography and discuss the concepts of a random cipher and a nondegenerate
cipher. Much of this subsection as well as Appendix A are our own contributions. They
contain subtle distinctions needed to precisely state important results, and may be regarded
as providing the basic framework in which to view known-plaintext attacks on αη or any
other randomized encryption system. In Section 3, we review our αη scheme and the different
security issues associated with its use in direct encryption and key generation. In Section 4, the
Lo-Ko attacks and their specific criticisms are explained and responded to, both specifically
and generally in view of the above-mentioned defects. It will be shown that their arguments
are deficient in many different ways. To illustrate the fallacy of the ‘asymptotic orthogonality’
argument, a ‘proof’ that coherent-state BB84 using a classical error-correction code is insecure
for any loss, no matter how small, is presented in Section 5. Various other misconceptions in
[1] are listed in Section 6. A brief summary of our conclusions is given in Section 7.
Page 4
4 Title ...
2 Cryptography
2.1 Direct Encryption
We assume that the basics of symmetric-key data encryption are known to the reader (See,
e.g., [7, 8]). Thus, the n-symbol long plaintext is denoted by the random variable Xn, the
corresponding ciphertext is denoted Ynand the secret key is denoted K. In standard cryp-
tography, one usually deals with nonrandom ciphers, namely those cryptosystems for which
the conditional entropy
H(Yn|KXn) = 0. (1)
Thus, the plaintext and key uniquely determine the ciphertext. In such a case, Xnand Yn
are usually taken to be from the same alphabet. Note that in this paper, equations involving
n as a parameter are assumed to be valid for all n unless stated otherwise. Ciphers for which
Eq.(1) is relaxed so that the same plaintext may be mapped for a given key to many different
ciphertexts, perhaps drawn from a different alphabet than Xn, will be called random ciphers.
Thus, a random cipher is defined by
H(Yn|KXn) ?= 0. (2)
Such ciphers are called ‘privately randomized ciphers’ in Ref. [8] as the different ciphertexts
Ynfor a given Xnare obtained by privately (i.e., in an unkeyed fashion known only to the
sender Alice) randomizing on a specific Yn. We will just call such a cipher a random cipher
(Note that ‘random cipher’ is used in a completely different sense by Shannon [9]). For both
random and nonrandom ciphers, we enforce the condition that the plaintext be recoverable
from the ciphertext and the key, i.e.,
H(Xn|KYn) = 0. (3)
A detailed quantitative characterization of classical and quantum random ciphers is available
in [4].
By standard cryptography, we shall mean that Eve and Bob both observe the same cipher-
text random variable, i.e., YE
n= Yn. Note that in such a standard cipher, random or
nonrandom, the following Shannon limit [8, 9] applies:
n= YB
H(Xn|Yn) ≤ H(K). (4)
By information-theoretic security on the data, we mean that Eve cannot pin down uniquely
the plaintext from the ciphertext, i.e.,
H(Xn|Yn) ?= 0. (5)
The level of such security is quantified by H(Xn|Yn). Shannon has defined perfect security
[9] to mean that the plaintext is statistically independent of the ciphertext, i.e.,
H(Xn|Yn) = H(Xn). (6)
We shall use near-perfect security to mean H(Xn|Yn) ∼ H(Xn). Security statements on
ciphers are naturally made with respect to particular possible attacks. We will discuss the
usual cases of ciphertext-only attack, known-plaintext attack, and statistical attack in the
next subsection. We now turn to key generation.
Page 5
Author(s) ...5
2.2Key Generation
The objective of key generation is to generate fresh keys. By a fresh key, we mean a random
variable Kgshared by the users from processing on Xnfor which
H(Kg|KYE
n) ∼ H(Kg) (7)
for some n. Here K is any secret key used in the key generation protocol. In other words,
one needs to generate additional randomness statistically independent of previous shared
randomness such as a secret key used in the protocol. The two major approaches to key
generation are via classical noise [10] and BB84-type [11] quantum cryptography. With the
advent of quantum cryptography, the term ‘unconditional security’ has come to be used,
unfortunately, in many possible senses. By unconditional security, we shall mean near-perfect
information-theoretic security against all attacks consistent with the known laws of quantum
physics.
Using Eq. (3), it is easily seen that, in standard cryptography, Xn, or any publicly an-
nounced function thereof, cannot serve as fresh key. This is because all the uncertainty in Xn
is derived from K, however long n is, and therefore H(Kg|KYn) = 0.
While key generation is impossible in standard cryptography, it becomes possible in prin-
ciple in a situation where YE
n. This necessary condition must be supplemented by a
condition for advantage creation [3], e.g.,
n ?= YB
H(Xn|KYE
n) > H(Xn|KYB
n). (8)
In (8), the key K is conceptually granted to Eve after her measurements to bound the infor-
mation she may possibly obtain by any collective classical processing that takes advantage
of the correlations introduced by K. We mention here that even when there is no a priori
advantage, provided YB
n, advantage may often be created by advantage distillation,
as e.g., through post-detection selection so that Eq.(8) is satisfied for the selected results.
Keyed Communication in Quantum Noise, called KCQ in [3] and hereafter, provides one way
of creating advantage for fresh key generation from the performance difference between the
optimal quantum receivers designed with and without knowledge of the secret key. Some of
the advantages of such an approach to key generation would be indicated later, and further
details can be found in [3, 12].
Even when information-theoretic security does not obtain, so that the data or the key is in
fact uniquely determined by the ciphertext (we shall see in Subsection 2.4 that this is the usual
situation in standard cryptography when the plaintext has known nonuniform statistics), we
may still speak of complexity-based security. This refers to the amount of computation or
resources required to find the unique plaintext Xnor key K corresponding to the observed
Yn. In practice, forcing a large amount of computation on Eve can provide very effective
security. In fact, standard ciphers owe their widespread use to the absence of known efficient
algorithms that can find the unique key or plaintext from the ciphertext, with or without some
known plaintext. Note that the security of a system is especially good if the complexity goes
exponentially in |K|, resulting in a search problem that cannot be efficiently handled even
by a quantum computer. In contrast to merely ‘hard’ problems such as factoring integers or
even NP-complete problems, for which complexity is not quantified, exponential complexity is
a guarantee of realistic security as good as unconditional security. This is because a quantity
n ?= YE
Page 6
6Title ...
that is exponential in a system parameter can easily become so large as to be impossible
to achieve. For example, it is a fact as certain as any physical law that one cannot have
10600beamsplitters (See our response to the first attack of Lo and Ko in Section 4.) on the
earth, or in the whole known universe for that matter — this can be seen merely from size
considerations. Similar remarks hold for exponential computing time requirements. However,
neither αη nor any standard cipher has been proven to require exponential resources to break.
2.3 Classes of attacks in quantum cryptography
In our KCQ approach, we conceptually grant a copy of the transmitted state to Eve for
the purpose of bounding her information. Thus, there is no need of considering what kind
of probe she uses. For further details, see [3, 12]. Accordingly, we will classify attacks a
little differently from the usual case in BB84 protocols, basing our classification only on the
quantum measurement or processing Eve may make.
By an individual attack, we mean one where the same measurement is made in every
qubit/qumode and the results are processed independently of one another. Obviously, the
latter is an artificial and unrealistic constraint on an attack, but analyses under this assump-
tion are standard for BB84. In this connection, we note that in the BB84 literature, one often
finds individual attacks being defined only by Eve’s qubit-by-qubit probes and measurements,
but with the actual analysis of such attacks being carried out with the further assumption that
no classical collective processing is used, so that Eve has independent, identically distributed
(iid) random variables on her bit estimates. This assumption renders the results rather mean-
ingless, as Eve can easily jointly process the quantum measurement results to take advantage
of the considerable side information available to her from announcements on the classical
public channel. It is a subtle task to properly include such side information in the security
proofs of BB84-type protocols, one that we will elaborate upon in future papers. However, it
is this definition of individual attack that has been used for our information-theoretic security
claims in [2].
By a collective attack, we mean one where the same measurement is made in every
qubit/qumode but where joint classical processing of the results is allowed. Conceptually,
one may also consider the most general attacks on classical systems to be in this class. We
will refer to a particular collective attack on αη using heterodyne or phase measurement on
each qumode later in this paper. Note also that encryption of a known plaintext with all pos-
sible keys followed by comparison of the result to the observed mode-by-mode measurement
result YE
n (i.e. a brute-force search) is a collective attack, since the correlations between the
ciphertext symbols introduced during encryption are being used. Note that our use of the
term “collective attack” is different from the BB84 case, due to the fact that there is no need
to account for probe setting in our KCQ approach. Finally, for us, a joint attack refers to one
where a joint quantum measurement on the entire sequence of qubits/qumodes is allowed.
This is the most general attack in the present circumstance, and must be allowed in any claim
of unconditional security.
2.4Security against known-plaintext attacks and statistical attacks
In this subsection, we describe some results in classical cryptography that are not readily
available in the literature. For a standard cipher, the conditional entropy H(Xn|Yn) de-
scribes the level of information-theoretic security of the data Xn, and H(K|Yn) describes
Page 7
Author(s) ...7
the information-theoretic security of the key. The attacks considered in cryptography are
ciphertext-only attacks, and known-plaintext or chosen-plaintext attacks. There is in the
literature an ambiguity in the term ‘ciphertext-only attack’ regarding whether the a priori
probability distribution p(Xn) of the data is considered known to the attacker or is com-
pletely random to her. To avoid confusion, we will use the term ciphertext-only attack to
refer to the case where p(Xn) is completely random to Eve, statistical attack to refer to the
case when some information on Xnin the form of a nonuniform p(Xn) is available to Eve,
known-plaintext attack to refer to the case when some specific Xn is known to Eve, and
chosen-plaintext attack to refer to the case when some specific Xnis chosen by Eve. Gener-
ally, our results referring to known-plaintext attacks are valid in their qualitative conclusions
also for chosen-plaintext attacks. (Note that we are restricting ourselves to private-key cryp-
tography – This is not generally true in public-key cryptography.) Therefore, our use of
the term ‘known-plaintext attack’ may be taken to include chosen-plaintext attacks also, for
symmetric-key direct encryption.
In standard cryptography, one typically does not worry about ciphertext-only attack on
nonrandom ciphers, for which Eq. (4) is satisfied with equality for large n for the designed
key length |K| = H(K) under some ‘nondegeneracy’ condition [13]. In such situations, it is
also the case that H(K|Yn) = H(K) so that no attack on the key is possible [13]. However,
under statistical and known-plaintext attacks, this is no longer the case and Eve can launch an
attack on the key and use her resulting information on the key to get at future data. Indeed,
it is such attacks that are the focus of concern in standard ciphers such as the Advanced
Encryption Standard (AES). For statistical attacks, Shannon [9] characterized the security
by the unicity distance n0(for statistical attacks), which is defined to be the input data length
at which H(K|Yn0) = 0. For a nonrandom cipher defined by (1), he derived an estimate on n0
that is independent of the cipher in terms of the data entropy. This estimate is, unfortunately,
not a rigorous bound. Indeed, one of the inequalities in the chain goes in the wrong direction
in the derivation, although it works well empirically for English where n0∼ 25 characters.
Generally, it is easy to see that a finite unicity distance exists only if, for some n, there is
no redundant key use in the cryptosystem, i.e., no plaintext sequence Xnis mapped to the
same ciphertext Ynby more than one possible key value. With redundant key use, one cannot
pin down the key but it seems one also could not enhance the system security either, and so
is merely wasteful. The exact possibilities will be analyzed elsewhere. A nonrandom cipher
is called nondegenerate in this paper if it has no redundant key use either at some finite n
or for n → ∞. A random cipher will be called nondegenerate when each of its nonrandom
reductions is nondegenerate (See [4]). Under the condition
lim
n→∞H(Yn|Xn) = H(K), (9)
which is similar but not identical to the definition of a ‘nondegenerate’ cipher given in [13],
one may show that, when (1) holds, one has
lim
n→∞H(K|XnYn) = 0. (10)
In general, for a nonrandom cipher, we define a nondegeneracy distance ndto be the smallest
n such that
H(Yn|Xn) = H(K) (11)
Page 8
8 Title ...
holds, with nd= ∞ if (9) holds and there is no finite n satisfying (11). Thus, a nonrandom
cipher is nondegenerate in our sense if it has a nondegeneracy distance, finite or infinite. In
general, of course, the cipher may be degenerate, i.e., it has no nondegeneracy distance. We
have the result given by Proposition A of Appendix A that, under known-plaintext attack, a
nonrandom nondegenerate cipher is broken at data length n = nd. This is also the minimum
length of data needed to break the cipher for any possible known-plaintext Xn. Many ciphers
including the one-time pad and LFSRs (linear feedback shift registers [7]) have finite nd. For
chosen-plaintext attacks, the above definitions and results apply when the random variable
Xnis replaced by a specific Xn= xn.
The above result has not been given in the literature, perhaps because H(K|XnYn) has
not been used previously to characterize known-plaintext attacks. But it is assumed to be true
in cryptography practice that K would be pinned down for sufficiently long n in a nonrandom
‘nondegenerate’ cipher. However, there is no analogous result on random ciphers, since under
randomization Eq. (1), and usually (11) also, does not hold for any n.
The following result is similar to one in [13, 14]. The homophonic substitution algorithms
provided in these references work also for finite sequences, and may result in data compression
rather than data expansion depending on the plaintext.
Proposition B
In a statistical attack on nonuniform iid Xn, homophonic substitution randomization [13, 14]
on a nonrandom nondegenerate cipher can be used to convert the attack into a ciphertext-only
one, thus completely protecting the key.
This reduction does not work for known-plaintext attacks.
symmetric-key random cipher has received limited attention because they are not used in
practice due to the associated reduction in effective bandwidth or data rate, and also due to
the uncertainty on the actual input statistics needed for homophonic substitution random-
ization. Thus, the quantitative security of random ciphers against known-plaintext attacks
is not known theoretically or empirically, although in principle random ciphers could defeat
statistical attacks according to Proposition B. All that is clear is that random ciphers are
harder to break than the corresponding nonrandom ones, because a given pair (Xn,Yn) may
arise from more possible keys due to the randomization. See ref. [4] for a detailed elucidation.
The problem of attacking a
If a random cipher is nondegenerate, we say it has information-theoretic security against
known-plaintext attacks when
inf
nH(K|XnYn) > 0, (12)
i.e., if H(K|XnYn) cannot be made arbitrarily small whatever n is. The actual level of the
information-theoretic security is quantified by the left side of (12). As in the nonrandom
case, only for a nondegenerate cipher, i.e., one with no redundant key use, is it meaningful
to measure key security with entropy. It is possible that some random ciphers possess such
information-theoretic security. See Appendix A.
We define the unicity distance n1 for known-plaintext attacks, for both nondegenerate
Page 9
Author(s) ...9
random and nonrandom ciphers, as the smallest n, if it exists, for which
H(K|XnYn) = 0. (13)
The unicity distance n1 is defined to be infinity if (13) holds for n → ∞. Any cipher with
information-theoretic security against known-plaintext attacks has no unicity distance n1. For
a nondegenerate nonrandom cipher, we have shown in Appendix A that n1= nd. We shall
see in the next section that αη can be considered a random cipher in the above sense under
collective attacks, but with no reduction in effective data rate. (Recall that collective attacks
are the most general in classical ciphers.) Thus, the statement in [1] that “known-plaintext
attacks are rather standard and were successfully launched against both the Germans and
the Japanese in World War II” is an oversimplification, since the ciphers referred to in it were
nonrandom.
3 αη Direct Encryption and Key Generation
Consider the original experimental scheme αη (called Y-00 in Japan) as described in [2] and
depicted in Fig. 1. Alice encodes each data bit into a coherent state in a qumode, i.e., an
infinite-dimensional Hilbert space (the terminology is analogous to the use of qubit for a two-
dimensional Hilbert space), of the form (we use a single qumode representation rather than
a two-qumode one for illustration)
|αℓ? = |α0(cosθℓ+ isinθℓ)? (14)
where α0is real, θℓ= 2πℓ/M, and ℓ ∈ {0,...,M − 1}. The M states are divided into M/2
basis pairs of antipodal signals {|±αℓ?} with −αℓ= αℓ+M/2. A seed key K of bit length |K|
is used to drive a conventional encryption mechanism whose output is a much longer running
key K′that is used to determine, for each qumode carrying the bit b{= 0,1}, which pair
{| ± αℓ?} is to be used. The bit b could either be part of the plaintext in a direct encryption
system (as is the case in [2]) or it could be a raw key bit from a random number generator.
Bob utilizes a quantum receiver to decide on b knowing which particular pair {|±αℓ?} is to be
discriminated. On the other hand, Eve needs to pick a quantum measurement for her attack
in the absence of the basis knowledge provided by the seed or running key. The difference in
their resulting receiver performances is a quantum effect that constitutes the ground, as we
shall see in subsequent subsections, both for making αη a random cipher for direct encryption,
and for possible advantage creation vis-a-vis key generation. To avoid confusion, we shall use
the term ‘αη’ to refer only to the direct encryption system following our practice in [2].
When we want to use the same system as part of a key generation protocol, we shall refer
to it as ‘αη-Key Generation’ or ‘αη-KG’. We discuss αη and αη-KG in turn in the next two
subsections.
Note that since the quantum-measurement noise is irreducible, such advantage creation
may result in an unconditionally secure key-generation protocol. In contrast, in a classical
situation including noise, the simultaneous measurement of the amplitude and phase of the
signal, as realized by heterodyning, provides the general optimal measurement for both Bob
and Eve; thus preventing any advantage creation under our approach that grants Eve a copy
of the state for the purpose of bounding her information.We may remark that since a
Page 10
10Title ...
1
0
0 (I)
(II) 1
M
π
2
φ
=
.
.
.
.
.
.
Channel
X
data
X
data
K
K
key
key
Y (X,K')
Demod
ENC
ENC
Mod
K'
K'
Alice
Bob
φ
α1
α2
Fig. 1. Left:Overall schematic of the αη scheme. Right: Depiction of M/2 bases with interleaved
logical state mappings.
discrete quantum measurement is employed by the users, αη and αη-KG are not continuous-
variable quantum cryptosystems. In particular, their security is not directly derived from any
uncertainty relation for observables with either continuous or discrete spectrum.
3.1
Let Xn,YE
vation, and Bob’s observation. Eve may make any quantum measurement on her copy of the
quantum signal to obtain YE
nin her attack. One then considers the error in her estimation
of Xn. As an example, consider the attack where Eve makes a heterodyne measurement or a
phase measurement on each qumode [3, 5]. Under such an attack, αη becomes essentially a
classical random cipher (in the sense of Section 2), because it satisfies
αη Direct Encryption
n,YB
nbe the classical random vectors describing respectively the data, Eve’s obser-
H(Xn|YE
n,K) ∼ 0 (15)
along with Eq. (2) for the experimental parameters of [2, 15, 16, 17]. Under Eq. (15), Eq. (4)
also obtains and the data security is no better than |K| as in all standard symmetric key
ciphers. Still, heterodyning by Eve does not reduce αη to a classical nonrandom stream
cipher, as claimed in [18]. Rather, it becomes a random cipher as already pointed out in [3].
For each transmitted qumode, the plaintext alphabet is {0,1} and the ciphertext alphabet is
any point on the circle of Fig. 1 when a phase measurement is made by Eve, and is any point
in the plane when a heterodyne measurement is made. Note that the ciphertext alphabet
depends on what quantum measurement is made by the attacker. However, it can at most be
reduced to an M-ary one by collapsing the continuous outcomes into M disjoint sets. This
is so because such an alphabet is the smallest possible ciphertext alphabet such that it is
possible to decrypt for every possible value of ciphertext and key. We have elaborated on
this point in Section 5 of [4]. Hence, αη is a random cipher against attacks on the key, and
cannot be reduced to an additive stream cipher, which is nonrandom. When it is forced to
become nonrandom, even just for Bob, it becomes noisy. See our reply [5] to the attack in
[18] for more details. Also see their subsequent response [19] based on a confusion regarding
the interpretation of Eq.(15), which is valid for our αη system of [2]. Further elaboration is
available in [4].
Page 11
Author(s) ... 11
Observe that the randomization in αη can be accomplished classically in principle, but not
in current practice. This is because true random numbers can only be generated physically,
not by an algorithm, and the practical rate for such generation is many orders of magnitude
below the ∼ Gbps rate in our experiments where the coherent-state quantum noise does the
randomization automatically. Furthermore, our physical “analog” scheme does not sacrifice
bandwidth or data rate compared to other known randomization techniques. This is because
Bob resolves only two, not M possibilities. Another important point with regard to physical
cryptosystems like αη, whether random or nonrandom, is that they require the attacker to
make analog or at least M-ary observations, i.e., to attack the system at the physical level,
even though the data transmitted is binary. In particular, as indicated above, it is impossible
to launch a known-plaintext attack on the key using just the binary output, available for
instance at a computer terminal.
While the original αη scheme of Fig. 1 is a random cipher under collective attacks made
without knowledge of the key K, or more generally, under qumode-by-qumode measurements
that can vary from qumode to qumode, it is still a nonrandom cipher in the sense of quantum
states. See also ref. [4]. The technique called Deliberate Signal Randomization (DSR)
described in [3] would make it a random cipher even with respect to quantum states. This
amounts to randomizing (privately in the sense of [8]) the state transmitted so as to cover
a half-circle around the basis chosen by the running key. The security of such ciphers is an
open area of research. While we will not delve into the details of DSR in this paper, it may
be mentioned that at the mesoscopic signal levels used in [2, 15, 16, 17], DSR with an error-
correcting code on top may be expected to induce many errors for Eve while Bob remains
essentially error-free. The reason is similar to that for Eq. (4) in Ref. [5], with advantage
for Bob due to the optimal receiver performance difference described in the next subsection
and in [3]. Thus, information-theoretic security is expected [3] for the key, and at a level far
exceeding the Shannon limit for the data, when DSR is employed on αη. Instead of DSR, a
keyed ‘mapper’ that varies the mapping from the running key to the basis from qumode to
qumode can also be employed, including perhaps a polarity (0 or 1) bit to enhance security.
Even with the original αη, it can be expected that the randomization or coherent-state noise
would increase the unicity distance n1 compared to the ENC box alone used as a cipher.
Further details can be found in [4].
For the direct-encryption experiments in Refs. [2, 15, 16, 17], we have claimed “uncondi-
tional” security only against ciphertext-only individual attacks. We have claimed only expo-
nential complexity-based security against assisted brute-force search (See [4]) known-plaintext
attacks, which is more than the security provided just by the ENC box of Fig.1 [5]. How-
ever, information-theoretic security, even at the near-perfect level for both the key and the
data, is possible with additional techniques or CPPM-type schemes described in [3]. Detailed
treatment will be given in the future. But see also ref. [4].
We summarize the main known advantages of αη compared to previous ciphers:
(1) It has more assisted brute-force search complexity for attacks on the key compared to the
case when the quantum noise is turned off. For an explicit claim, see [4].
(2) It may, especially when supplemented with further techniques, have information-theoretic
security against known-plaintext attacks that is not possible with nonrandom ciphers.
Page 12
12Title ...
(3) With added Deliberate Signal Randomization (DSR), it is expected to have information-
theoretic security on the data far exceeding the Shannon limit.
(4) It has high-speed private true randomization (from quantum noise that even Alice does
not know), which is not possible otherwise with current or foreseeable technology.
(5) It suffers no reduction in data rate compared to other known random ciphers.
(6) The key cannot be successfully attacked from a computer terminal with bit outputs, as
is possible with standard ciphers.
3.2αη Key Generation
One needs to clearly distinguish the use of such a scheme for key generation versus data
encryption. It may first appear that if the system is secure for data encryption, it would also
be secure for key generation if the transmitted data are subsequently used as new key. It
seems to be the view taken in [1, 18, 20] that we have made such a claim, which we have not.
The situation may be delineated as follows. Following the notations of the last subsection,
Eve may make any quantum measurement on her copy of the quantum signal to obtain YE
in her attack. Such a measurement is made without the knowledge of K. It is then used
together with the value of K to estimate the data Xn. Although Eve is not actually given
K after her measurements, we give it to her conceptually for the purpose of bounding her
information. The conditions for unconditional security are complicated, and to satisfy them
one needs to extend αη-KG in different possible ways, such as DSR and CPPM described in
[3]. However, against attacks with a fixed qumode measurement, Eq. (8) is sufficient and can
be readily seen to hold as follows.
With S ≡ |α0|2being the average photon number in the states (11), the bit-error rate for
Bob with the optimum quantum receiver [22] is
n
Pb=1
4e−4S. (16)
The bit-error rate for heterodyning, considered as a possible attack, is the well-known Gaus-
sian result
Phet
b
∼1
2e−S, (17)
and that for the optimum-phase measurement tailored to the states in (14) is
Pph
b
∼1
2e−2S
(18)
over a wide range of S. The difference between Eq. (16) and Eq. (17-18) allows key generation
at any value of S if n is long enough. With a mesoscopic signal level S ∼ 7 photons,
one has Pb ∼ 10−12, Phet
b
∼ 10−3, and Pph
b
Gbps, Bob is likely to have 109error-free bits in 1 second, while Eve would have at least
(recall that she actually does not have the key even after her measurements) ∼ 106or ∼ 103
errors in her 109bits with heterodyne or the optimum-phase measurement (which has no
known experimental realization). With the usual privacy amplification [23], the users can
then generate ∼ 106or ∼ 103bits in a 1 second interval by eliminating Eve’s information.
∼ 10−6. If the data arrives at a rate of 1
Page 13
Author(s) ...13
While these parameter values are not particularly remarkable due to the loose bound and have
not been experimentally demonstrated, they illustrate the new KCQ principle of quantum
key generation introduced in [3] that creates advantage via the difference between optimal
quantum receiver performance with versus without knowledge of a secret key, which is more
powerful than the previous BB84 principle since it does not rely on intrusion-level estimation
to create advantage. Also note that due to the 3 dB advantage limitation of binary signaling
(compare Eq. (18)and Eq.(16)), one may use the CPPM scheme [3] and its extensions instead
of αη-KG for key generation over long distances. Within the confines of binary signaling, the
throughput, though not the advantage, can be greatly increased even for large S by moving
the state close to the decision boundary. Detailed treatments will be given in the future.
The heterodyne attack on αη discussed above can of course be launched also on an αη
Key Generation system. For parameter values, i.e., values of S, M and n, such that Eq.
(15) holds, key generation with information-theoretic security is impossible in principle, since
the Shannon limit (4) holds. This point is missed in all the criticisms of αη Key Generation
[1, 18, 20], but was explicitly stated in the first version of Ref. [3]. It is at least implicit in Ref.
[2] where we said the experiment has to be modified for key generation, and also mentioned
the KCQ Key Generation Principle of optimal quantum receiver performance difference. One
simple way to break the Shannon limit (4) and protect the key at the same time, is to
employ DSR. As noted in Section 3.1, its use in αη direct encryption is expected to provide
information-theoretic security for the key and at a level far exceeding the limit (4) for the
data. We mention these possible approaches to make it clear that we were aware of the
limitations of αη and that we need additional techniques to obtain unconditinal security.
4The Lo-Ko Attacks
4.1Review of Attacks in [1]
Ref. [1] first describes a known-plaintext attack on the original αη of [2] that can be launched
when the channel loss allows Eve to have 2|K|copies of the states Bob would receive. With 2|K|
copies, it is claimed that Eve can use each possible seed key to implement a decryption system
similar to Bob’s, and by comparing the outputs to the known-plaintext of some unspecified
length s, can determine the key. Eve thus needs only beamsplitters and detectors similar to
Bob’s to undermine the system. We shall call this attack Attack I in the sequel. A variant of
this attack is also described, in which Eve is assumed to know r s−bit sequences of plaintext,
where r(1 − η) ≥ 2|K|η. In other words, the channel transmittance η is such that Eve has
in her possession, including repeated copies, 2|K|ciphertext-states, each corresponding to
a known s−bit sequence. What s needs to be is again unspecified. It is claimed that an
exhaustive trial of keys would again pin down the key in this case. These attacks are also
claimed to work, without any supporting argument, when the plaintext is not exactly known,
but is drawn from a language, e.g., English.
It is further argued that even in just 3 dB loss (which is not required under our approach
of granting Eve a copy of the quantum signal), a Grover quantum search (that will be called
Attack II) would succeed in finding K under a known-plaintext attack when n = ∞, because
then there is only a single possible key value that would give rise to the overall ciphertext-state
from the known data Xn. This latter claim is in turn justified by the “asymptotic orthogo-
nality” of the ciphertext-states corresponding to different key values, although exactly how
Page 14
14 Title ...
this asymptotic orthogonality occurs for different choices of the ENC box in Fig.1, includ-
ing the LFSR used, is not described. The purpose of this argument is presumably to claim
that a limiting statement such as (10) must be true, thus undermining the system under a
known-plaintext attack for large enough n. When the plaintext Xnis not exactly known but
is not completely random, i.e., under a statistical attack, such a result is also claimed to hold
without any argument. Also, no estimate of the convergence rate in n is provided for either
asymptotic orthogonality or for Eq.(10).
Ref. [1] then assumes that αη Key Generation, in which Xn is taken to be completely
random as in all key-generation protocols (so that there is no possibility of a known-plaintext
or statistical attack of any kind, at least before the generated key is used in another cipher),
proceeds by utilizing the output bits Yn= Xndirectly as key bits to XOR or “one-time pad”
on new data. With known-plaintext attack on these new data, the Xnwould be known and the
previously described known-plaintext attacks I and II can be applied on the ciphertext-states
to find K.
4.2 Response to Attacks
We will first respond to these attacks for direct encryption. The first gap in Attack I is
that the length of known-plaintext n1needed to uniquely fix the key is not specified. From
Subsection 2.3, we see that Eve needs length equal to the nondegeneracy distance nd(11) of
the ENC box of Fig.1 to fix the key from exact input-output pairs of the ENC box alone.
Actually, s = n1needs to be larger than this nondegeneracy distance nddue to the quantum
noise randomization. Note also that the ENC box could be chosen to be degenerate, so that
it does not even have a nondegeneracy distance and the key could never be pinned down.
However, since the LFSR used in [2] is actually nondegenerate, we will not dwell on this
point. As it stands, the attack is seriously incomplete without specifying what s = n1is or
at least providing estimates of it. This corresponds to defect One in our Introduction.
Furthermore, Attack I requires the product r(1−η) to be bigger than η2|K|, which implies
either r or 1/η is at least exponential in |K|/2. Thus, Attack I can be thwarted by increasing
the key length linearly, which is relatively easy. As an example, for the key length |K| ∼ 2×103
used in [2], one needs a loss of 6 × 103dB for r = 1, which corresponds to propagation over
∼ 3 × 104km in the best available fiber, which has a loss of 0.2 dB/km. No conceivable
one-stage communication line can be expected to operate over such a long distance. Any
future improvements in the loss figure of fibers can only make Eve’s task harder because the
number of copies she can tap decreases along with the loss.
If the exponential loss requirement is replaced by that of an exponential length of data, it is
equally fanciful. For the key length |K| ∼ 2×103, r = 2|K|corresponds to ∼ 10600bits of data.
How could Eve input ∼ 10600bits of data in a chosen-plaintext attack, or know ∼ 10600bits
in a known-plaintext attack? In any case, even if such large loss obtains, the attacker still has
the problem of requiring an exponential number of devices (beamsplitters and detectors in this
case) and doing an exponential amount of processing. Apart from size and time limitations
mentioned in Section 2, it seems not possible to ever get ∼ 10600devices corresponding to the
above key length, considering that the total number of elementary particles in the universe is
less than 10100. This corresponds to defect Two in the Introduction. We should also mention
that αη was claimed in [2] to be proved secure against known-plaintext attacks only in the
Page 15
Author(s) ... 15
brute-force search sense and not information-theoretically, and so the above attacks do not
contradict any claim in [2] even if they were successful.
Before proceeding to Attack II, we first distinguish the following four distinct kinds of
statements that can be made on a quantity ǫ(n), basing roughly on the value of n being
considered:
(i) The value of ǫ(n) at a finite n. This is of interest for a realistic implementation —
typically n ∼ 102− 104is the limit for joint processing of a single block.
(ii) The case expressed by a limit statement on some quantity of interest ǫ(n) → 0 with
quantitative convergence rate estimate 0 ≤ ǫ(n) ≤ f(n) for n ≥ N and some large
enough N and a known function f(n) → 0.
(iii) The case of the limit statement limn→∞ǫ(n) = 0 without convergence rate estimate.
Thus, it is not known how large n needs to be for ǫ(n) to be below a certain given level
ǫ0.
(iv) The case of the value ǫ(∞) at ∞. Note that the limiting value of ǫ(n) in Case (iii) above
may be different from ǫ(∞) due to failure of continuity at n = ∞.
Observe that the statements in Cases (i)-(iii) are, in that order, progressively weaker
statements on the quantity of interest. Case (iv), however, is independent of the previous
cases, and can be asserted by evaluating ǫ(∞) by a route that does not even require ǫ(n) at
finite n. In turn, knowing ǫ(∞) does not allow one to make even a limit statement of the form
of Case (iii) unless one can prove continuity at n = ∞. We have classified the above cases in
order to delineate exactly what Lo and Ko can claim for their Attack II.
Let us now consider Attack II. The first obvious problem with the argument is that Eve
does not need to attack the system if she already knows the entire n → ∞ plaintext that will
be transmitted using the particular seed key. Lo and Ko give no analysis of their attack for
the relevant case in which the plaintext is partially known, i.e., for the case of a statistical
attack (this includes the case of Eve knowing a fraction of the plaintext exactly) even in the
n → ∞ situation. A little thought will show that the oracle required in Grover search would
have an implementation complexity that increases indefinitely with n, making it prohibitive
to build in the n → ∞ limit. In other words, the search complexity is not simply ∼ 2|K|/2
but rather increases with n as well. When there is more than one plaintext possible, Lo
and Ko presumably intend to apply Grover search for each plaintext in turn. The number
of such repeated applications would obviously grow indefinitely with n if Eve knows only a
fraction of plaintext. In case they intend that a single Grover search be applied to cover all
possible plaintexts, they need to produce a specific oracle that would work for this case and
analyze its performance. The issue is more critical in actual practice, because it typically
does not happen that Eve knows a large length of plaintext, let alone one that is arbitrarily
long in the unquantified sense of (iii) above, which is what their attack entails. Furthermore,
even if its n dependence is ignored, the ∼ 2|K|/2complexity of the Grover’s search makes it
practically impossible to launch for |K| ∼ 2 × 103. Similar to Attack I, Attack II retains all
the limitations of being exponential in the key length. This point is an instance of the second
defect mentioned in Section 1.
View other sources
Hide other sources
- Available from Gregory Kanter · May 31, 2014
- Available from arxiv.org