# On the security of AlphaEta: Response to `Some attacks on quantum-based cryptographic protocols'



arXiv:quant-ph/0509091v3 12 Jul 2006

Quantum Information and Computation, Vol. 0, No. 0 (2003) 000–000

© Rinton Press


Horace P. Yuen (a), Ranjith Nair, Eric Corndorf, Gregory S. Kanter, and Prem Kumar

Center for Photonic Communication & Computing,

Department of Electrical Engineering & Computer Science, Department of Physics & Astronomy,

Northwestern University, Evanston, IL, 60208, USA.


Lo and Ko in [1] have developed some attacks on the cryptosystem called αη [2], claiming that these attacks undermine the security of αη for both direct encryption and key generation. In this paper, we show that their arguments fail in many different ways. In particular, the first attack in [1] requires channel loss or length of known-plaintext that is exponential in the key length and is unrealistic even for moderate key lengths. The second attack is a Grover search attack based on ‘asymptotic orthogonality’ and was not analyzed quantitatively in [1]. We explain why it is not logically possible to “pull back” an argument valid only at n = ∞ into a limit statement, let alone one valid for a finite number of transmissions n. We illustrate this by a ‘proof’ using a similar asymptotic orthogonality argument that coherent-state BB84 is insecure for any value of loss. Even if a limit statement is true, this attack is a priori irrelevant as it requires an indefinitely large amount of known-plaintext, resources and processing. We also explain why the attacks in [1] on αη as a key-generation system are based on misinterpretations of [2]. Some misunderstandings in [1] regarding certain issues in cryptography and optical communications are also pointed out. Short of providing a security proof for αη, we provide a description of relevant results in standard cryptography and in the design of αη to put the above issues in the proper framework and to elucidate some security features of this new approach to quantum cryptography.


1 Introduction

In [1], Lo and Ko describe, without quantitative calculations, some attacks on the direct encryption protocol of [2], interpreted by them also as a key generation scheme. They draw the firm conclusion that our protocol is fundamentally insecure, that these attacks were neglected by us as they are “outside the original design,” and that they “can, to some extent, be implemented with current technology.” We contend that the strength and weakness of our scheme have been totally misrepresented in [1], which does not analyze the relevant cryptographic problems in a meaningful framework. Although we have already commented briefly on the attacks of [1] in [3] and [5], and some related comments are given by Hirota et al in [6], [1] is still often quoted without also referring to our partial rejoinder. Thus, we feel it appropriate that a specific response to [1] be made in a complete paper. In particular, we would like to clear up at the same time many issues in the practical use of quantum cryptography and in the properties of αη that have so far not been elucidated in the literature. We do not attempt to give a complete security proof of αη in this paper. Such a proof is not available and is the subject of ongoing research. See [4] for recent results. Nevertheless, it is possible to refute the arguments of Lo and Ko taken by themselves, and this will be the main aim of this paper.

(a) yuen@eecs.northwestern.edu

First of all, we note that the attacks in [1] do not contradict our claim in [2] that αη encryption provides exponential complexity-based security against known-plaintext attacks using a particular ‘assisted’ brute-force search. See [2] or alternatively, [4] for a more detailed description. Although we mention the possibility of key generation with αη, we do not present an explicit scheme to do so in [2]. The authors of [1] assume that the protocol of [2] works without any additions or modifications for key generation, which was not claimed by us at all. While they arrive at attacks that purport to show that αη is insecure in the information-theoretic sense against known-plaintext attacks — already believed by us to be quite possible [3] — we claim that the two attacks in [1] do not conclusively prove insecurity of any finite-n system. Proof is important in this quantum situation because αη falls outside the class of classical nonrandom ciphers for which known-plaintext attacks can be proved to succeed. But perhaps more significantly, the Lo-Ko attacks are unrealistic in the fundamental sense of having exponential complexity and requiring an exponential amount of resources. In Section 2.2, we bring out the important point that, in contrast to other kinds of complexity, exponential complexity offers realistic security as good as unconditional security.

We shall explain fully our criticisms of [1] in the course of this paper. In this introductory section, we will lay out three major general defects in [1] which in our opinion are also implicit in various papers on theoretical quantum cryptography. We will later have occasion to indicate specific points where these defects arise when we reply in detail in Section 4 to the attacks in [1].

In the first place, vague qualitative arguments are often offered as rigorous proofs, while at the same time not giving precise conditions under which a result is claimed to be valid. In [1], there are even several claims made without any argument at all. Rigorous proofs are important in quantum cryptography because the main superiority it claims over standard cryptography is the possibility of rigorous proof of security, unconditional or otherwise. A more subtle point is that many arguments, including one in [1], rely on statements valid at n = ∞ which cannot be cast into limiting statements on the relevant quantities. Indeed, limit and continuity questions at n = ∞ are especially subtle in quantum mechanics owing to the nonseparable Hilbert space, i.e., a Hilbert space with an uncountable basis, that arises when n = ∞. One pitfall of such a leap of faith is illustrated in Section 5.

Secondly, strong claims are made with no actual numbers or numerical ranges indicated for the validity of the results. Thus, results are often claimed to be valid asymptotically as the number of bits n in a sequence goes to infinity, without any estimate on the convergence rate. Such limiting results alone are of no use to an experimentalist or designer of a real system. As security proofs, they offer no quantitative guarantee of any kind on an actual realistic system where n is often not even very large. As attacks, they imply nothing about the level of insecurity of any finite n system without convergence-rate estimates. Thus, showing a scheme to be insecure simply as a limiting statement when n → ∞ has no practical implication. (See Section 4 for a complete discussion.) A related point is with regard to the realistic significance of quantities that vary exponentially with respect to some system parameter. Thus, consideration of attacks, as is the case in one attack in [1], that succeed only when the channel-transmittance (the output-to-input power ratio) $\eta \sim 2^{-|K|}$, where |K| is the key length, is seen to be practically irrelevant by plugging in typical numbers for |K|. More significantly, attacks that require exponential resources or processing like those in [1] are irrelevant in a fundamental sense, because the situation cannot be changed by technological advances, similar to the case of unconditional security.

These points are important because security in cryptography is a quantitative issue. For example, in quantum key generation, the exact amount of Eve’s uncertainty determines how much key is generated. To ensure that one generates a sufficiently large key, it is not sufficient to use qualitative arguments that are valid only at extreme limits, since they may break down quantitatively in realistic systems.

Thirdly, the general approach to quantum cryptography underlying αη, called ‘Keyed Communication in Quantum Noise’ (KCQ) [3], is not well understood. In particular, the various and distinct issues in connection with direct encryption and key generation with (or even without) a secret key, which have to be clearly delineated for a proper analysis, are lumped together in [1], generating considerable confusion even in the context of classical cryptography. Since our approach is novel, this current situation is perhaps understandable. While the full story of this field of research is still to be understood, some clarifications can be made to clear up the various confusions.

In addition to the above, some specific details of implementation of αη are also misconstrued in [1]. Along with responding to the Lo-Ko arguments, one main purpose of this paper is to provide the proper framework for security analysis of αη, for direct encryption as well as key generation. It is not the purpose of this paper to provide any detailed security analysis of αη, which is a huge undertaking and an on-going effort. However, we will indicate the many features that make αη uniquely interesting and useful at various places in the paper.

The plan of this paper is as follows: In Section 2, we provide an outline of relevant results and facts in symmetric-key cryptography, which are not well-known. Our statements on direct encryption cryptography in this paper refer only to the symmetric-key case, and not to public-key cryptography. In fact, public-key cryptography is not used for encryption of data sequences of more than a few hundred bits owing to its slow speed. We discuss in a subsection the current knowledge regarding security against known-plaintext attacks in standard cryptography and discuss the concepts of a random cipher and a nondegenerate cipher. Much of this subsection as well as Appendix A are our own contributions. They contain subtle distinctions needed to precisely state important results, and may be regarded as providing the basic framework in which to view known-plaintext attacks on αη or any other randomized encryption system. In Section 3, we review our αη scheme and the different security issues associated with its use in direct encryption and key generation. In Section 4, the Lo-Ko attacks and their specific criticisms are explained and responded to, both specifically and generally in view of the above-mentioned defects. It will be shown that their arguments are deficient in many different ways. To illustrate the fallacy of the ‘asymptotic orthogonality’ argument, a ‘proof’ that coherent-state BB84 using a classical error-correction code is insecure for any loss, no matter how small, is presented in Section 5. Various other misconceptions in [1] are listed in Section 6. A brief summary of our conclusions is given in Section 7.


2 Cryptography

2.1 Direct Encryption

We assume that the basics of symmetric-key data encryption are known to the reader (See, e.g., [7, 8]). Thus, the n-symbol long plaintext is denoted by the random variable $X^n$, the corresponding ciphertext is denoted $Y^n$ and the secret key is denoted K. In standard cryptography, one usually deals with nonrandom ciphers, namely those cryptosystems for which the conditional entropy

$$H(Y^n|KX^n) = 0. \quad (1)$$

Thus, the plaintext and key uniquely determine the ciphertext. In such a case, $X^n$ and $Y^n$ are usually taken to be from the same alphabet. Note that in this paper, equations involving n as a parameter are assumed to be valid for all n unless stated otherwise. Ciphers for which Eq. (1) is relaxed so that the same plaintext may be mapped for a given key to many different ciphertexts, perhaps drawn from a different alphabet than $X^n$, will be called random ciphers. Thus, a random cipher is defined by

$$H(Y^n|KX^n) \neq 0. \quad (2)$$

Such ciphers are called ‘privately randomized ciphers’ in Ref. [8] as the different ciphertexts $Y^n$ for a given $X^n$ are obtained by privately (i.e., in an unkeyed fashion known only to the sender Alice) randomizing on a specific $Y^n$. We will just call such a cipher a random cipher (Note that ‘random cipher’ is used in a completely different sense by Shannon [9]). For both random and nonrandom ciphers, we enforce the condition that the plaintext be recoverable from the ciphertext and the key, i.e.,

$$H(X^n|KY^n) = 0. \quad (3)$$

A detailed quantitative characterization of classical and quantum random ciphers is available in [4].

By standard cryptography, we shall mean that Eve and Bob both observe the same ciphertext random variable, i.e., $Y^n_E = Y^n_B = Y^n$. Note that in such a standard cipher, random or nonrandom, the following Shannon limit [8, 9] applies:

$$H(X^n|Y^n) \le H(K). \quad (4)$$

By information-theoretic security on the data, we mean that Eve cannot pin down uniquely the plaintext from the ciphertext, i.e.,

$$H(X^n|Y^n) \neq 0. \quad (5)$$

The level of such security is quantified by $H(X^n|Y^n)$. Shannon has defined perfect security [9] to mean that the plaintext is statistically independent of the ciphertext, i.e.,

$$H(X^n|Y^n) = H(X^n). \quad (6)$$

We shall use near-perfect security to mean $H(X^n|Y^n) \sim H(X^n)$. Security statements on ciphers are naturally made with respect to particular possible attacks. We will discuss the usual cases of ciphertext-only attack, known-plaintext attack, and statistical attack in the next subsection. We now turn to key generation.

2.2 Key Generation

The objective of key generation is to generate fresh keys. By a fresh key, we mean a random variable $K_g$ shared by the users from processing on $X^n$ for which

$$H(K_g|KY^n_E) \sim H(K_g) \quad (7)$$

for some n. Here K is any secret key used in the key generation protocol. In other words, one needs to generate additional randomness statistically independent of previous shared randomness such as a secret key used in the protocol. The two major approaches to key generation are via classical noise [10] and BB84-type [11] quantum cryptography. With the advent of quantum cryptography, the term ‘unconditional security’ has come to be used, unfortunately, in many possible senses. By unconditional security, we shall mean near-perfect information-theoretic security against all attacks consistent with the known laws of quantum physics.

Using Eq. (3), it is easily seen that, in standard cryptography, $X^n$, or any publicly announced function thereof, cannot serve as fresh key. This is because all the uncertainty in $X^n$ is derived from K, however long n is, and therefore $H(K_g|KY^n) = 0$.

While key generation is impossible in standard cryptography, it becomes possible in principle in a situation where $Y^n_E \neq Y^n_B$. This necessary condition must be supplemented by a condition for advantage creation [3], e.g.,

$$H(X^n|KY^n_E) > H(X^n|KY^n_B). \quad (8)$$

In (8), the key K is conceptually granted to Eve after her measurements to bound the information she may possibly obtain by any collective classical processing that takes advantage of the correlations introduced by K. We mention here that even when there is no a priori advantage, provided $Y^n_B \neq Y^n_E$, advantage may often be created by advantage distillation, as e.g., through post-detection selection so that Eq. (8) is satisfied for the selected results. Keyed Communication in Quantum Noise, called KCQ in [3] and hereafter, provides one way of creating advantage for fresh key generation from the performance difference between the optimal quantum receivers designed with and without knowledge of the secret key. Some of the advantages of such an approach to key generation would be indicated later, and further details can be found in [3, 12].

Even when information-theoretic security does not obtain, so that the data or the key is in fact uniquely determined by the ciphertext (we shall see in Subsection 2.4 that this is the usual situation in standard cryptography when the plaintext has known nonuniform statistics), we may still speak of complexity-based security. This refers to the amount of computation or resources required to find the unique plaintext $X^n$ or key K corresponding to the observed $Y^n$. In practice, forcing a large amount of computation on Eve can provide very effective security. In fact, standard ciphers owe their widespread use to the absence of known efficient algorithms that can find the unique key or plaintext from the ciphertext, with or without some known plaintext. Note that the security of a system is especially good if the complexity goes exponentially in |K|, resulting in a search problem that cannot be efficiently handled even by a quantum computer. In contrast to merely ‘hard’ problems such as factoring integers or even NP-complete problems, for which complexity is not quantified, exponential complexity is a guarantee of realistic security as good as unconditional security. This is because a quantity that is exponential in a system parameter can easily become so large as to be impossible to achieve. For example, it is a fact as certain as any physical law that one cannot have $10^{600}$ beamsplitters (See our response to the first attack of Lo and Ko in Section 4.) on the earth, or in the whole known universe for that matter — this can be seen merely from size considerations. Similar remarks hold for exponential computing time requirements. However, neither αη nor any standard cipher has been proven to require exponential resources to break.

2.3 Classes of attacks in quantum cryptography

In our KCQ approach, we conceptually grant a copy of the transmitted state to Eve for the purpose of bounding her information. Thus, there is no need of considering what kind of probe she uses. For further details, see [3, 12]. Accordingly, we will classify attacks a little differently from the usual case in BB84 protocols, basing our classification only on the quantum measurement or processing Eve may make.

By an individual attack, we mean one where the same measurement is made in every qubit/qumode and the results are processed independently of one another. Obviously, the latter is an artificial and unrealistic constraint on an attack, but analyses under this assumption are standard for BB84. In this connection, we note that in the BB84 literature, one often finds individual attacks being defined only by Eve’s qubit-by-qubit probes and measurements, but with the actual analysis of such attacks being carried out with the further assumption that no classical collective processing is used, so that Eve has independent, identically distributed (iid) random variables on her bit estimates. This assumption renders the results rather meaningless, as Eve can easily jointly process the quantum measurement results to take advantage of the considerable side information available to her from announcements on the classical public channel. It is a subtle task to properly include such side information in the security proofs of BB84-type protocols, one that we will elaborate upon in future papers. However, it is this definition of individual attack that has been used for our information-theoretic security claims in [2].

By a collective attack, we mean one where the same measurement is made in every qubit/qumode but where joint classical processing of the results is allowed. Conceptually, one may also consider the most general attacks on classical systems to be in this class. We will refer to a particular collective attack on αη using heterodyne or phase measurement on each qumode later in this paper. Note also that encryption of a known plaintext with all possible keys followed by comparison of the result to the observed mode-by-mode measurement result $Y^n_E$ (i.e. a brute-force search) is a collective attack, since the correlations between the ciphertext symbols introduced during encryption are being used. Note that our use of the term “collective attack” is different from the BB84 case, due to the fact that there is no need to account for probe setting in our KCQ approach. Finally, for us, a joint attack refers to one where a joint quantum measurement on the entire sequence of qubits/qumodes is allowed. This is the most general attack in the present circumstance, and must be allowed in any claim of unconditional security.

2.4 Security against known-plaintext attacks and statistical attacks

In this subsection, we describe some results in classical cryptography that are not readily available in the literature. For a standard cipher, the conditional entropy $H(X^n|Y^n)$ describes the level of information-theoretic security of the data $X^n$, and $H(K|Y^n)$ describes the information-theoretic security of the key. The attacks considered in cryptography are ciphertext-only attacks, and known-plaintext or chosen-plaintext attacks. There is in the literature an ambiguity in the term ‘ciphertext-only attack’ regarding whether the a priori probability distribution $p(X^n)$ of the data is considered known to the attacker or is completely random to her. To avoid confusion, we will use the term ciphertext-only attack to refer to the case where $p(X^n)$ is completely random to Eve, statistical attack to refer to the case when some information on $X^n$ in the form of a nonuniform $p(X^n)$ is available to Eve, known-plaintext attack to refer to the case when some specific $X^n$ is known to Eve, and chosen-plaintext attack to refer to the case when some specific $X^n$ is chosen by Eve. Generally, our results referring to known-plaintext attacks are valid in their qualitative conclusions also for chosen-plaintext attacks. (Note that we are restricting ourselves to private-key cryptography – This is not generally true in public-key cryptography.) Therefore, our use of the term ‘known-plaintext attack’ may be taken to include chosen-plaintext attacks also, for symmetric-key direct encryption.

In standard cryptography, one typically does not worry about ciphertext-only attack on nonrandom ciphers, for which Eq. (4) is satisfied with equality for large n for the designed key length |K| = H(K) under some ‘nondegeneracy’ condition [13]. In such situations, it is also the case that $H(K|Y^n) = H(K)$ so that no attack on the key is possible [13]. However, under statistical and known-plaintext attacks, this is no longer the case and Eve can launch an attack on the key and use her resulting information on the key to get at future data. Indeed, it is such attacks that are the focus of concern in standard ciphers such as the Advanced Encryption Standard (AES). For statistical attacks, Shannon [9] characterized the security by the unicity distance $n_0$ (for statistical attacks), which is defined to be the input data length at which $H(K|Y^{n_0}) = 0$. For a nonrandom cipher defined by (1), he derived an estimate on $n_0$ that is independent of the cipher in terms of the data entropy. This estimate is, unfortunately, not a rigorous bound. Indeed, one of the inequalities in the chain goes in the wrong direction in the derivation, although it works well empirically for English where $n_0 \sim 25$ characters.

Generally, it is easy to see that a finite unicity distance exists only if, for some n, there is no redundant key use in the cryptosystem, i.e., no plaintext sequence $X^n$ is mapped to the same ciphertext $Y^n$ by more than one possible key value. With redundant key use, one cannot pin down the key but it seems one also could not enhance the system security either, and so is merely wasteful. The exact possibilities will be analyzed elsewhere. A nonrandom cipher is called nondegenerate in this paper if it has no redundant key use either at some finite n or for n → ∞. A random cipher will be called nondegenerate when each of its nonrandom reductions is nondegenerate (See [4]). Under the condition

$$\lim_{n\to\infty} H(Y^n|X^n) = H(K), \quad (9)$$

which is similar but not identical to the definition of a ‘nondegenerate’ cipher given in [13], one may show that, when (1) holds, one has

$$\lim_{n\to\infty} H(K|X^nY^n) = 0. \quad (10)$$

In general, for a nonrandom cipher, we define a nondegeneracy distance $n_d$ to be the smallest n such that

$$H(Y^n|X^n) = H(K) \quad (11)$$

holds, with $n_d = \infty$ if (9) holds and there is no finite n satisfying (11). Thus, a nonrandom cipher is nondegenerate in our sense if it has a nondegeneracy distance, finite or infinite. In general, of course, the cipher may be degenerate, i.e., it has no nondegeneracy distance. We have the result given by Proposition A of Appendix A that, under known-plaintext attack, a nonrandom nondegenerate cipher is broken at data length $n = n_d$. This is also the minimum length of data needed to break the cipher for any possible known-plaintext $X^n$. Many ciphers including the one-time pad and LFSRs (linear feedback shift registers [7]) have finite $n_d$. For chosen-plaintext attacks, the above definitions and results apply when the random variable $X^n$ is replaced by a specific $X^n = x^n$.

The above result has not been given in the literature, perhaps because $H(K|X^nY^n)$ has not been used previously to characterize known-plaintext attacks. But it is assumed to be true in cryptography practice that K would be pinned down for sufficiently long n in a nonrandom ‘nondegenerate’ cipher. However, there is no analogous result on random ciphers, since under randomization Eq. (1), and usually (11) also, does not hold for any n.

The following result is similar to one in [13, 14]. The homophonic substitution algorithms provided in these references work also for finite sequences, and may result in data compression rather than data expansion depending on the plaintext.

Proposition B

In a statistical attack on nonuniform iid $X^n$, homophonic substitution randomization [13, 14] on a nonrandom nondegenerate cipher can be used to convert the attack into a ciphertext-only one, thus completely protecting the key. This reduction does not work for known-plaintext attacks.

The problem of attacking a symmetric-key random cipher has received limited attention because they are not used in practice due to the associated reduction in effective bandwidth or data rate, and also due to the uncertainty on the actual input statistics needed for homophonic substitution randomization. Thus, the quantitative security of random ciphers against known-plaintext attacks is not known theoretically or empirically, although in principle random ciphers could defeat statistical attacks according to Proposition B. All that is clear is that random ciphers are harder to break than the corresponding nonrandom ones, because a given pair $(X^n, Y^n)$ may arise from more possible keys due to the randomization. See ref. [4] for a detailed elucidation.

If a random cipher is nondegenerate, we say it has information-theoretic security against known-plaintext attacks when

$$\inf_n H(K|X^nY^n) > 0, \quad (12)$$

i.e., if $H(K|X^nY^n)$ cannot be made arbitrarily small whatever n is. The actual level of the information-theoretic security is quantified by the left side of (12). As in the nonrandom case, only for a nondegenerate cipher, i.e., one with no redundant key use, is it meaningful to measure key security with entropy. It is possible that some random ciphers possess such information-theoretic security. See Appendix A.

We define the unicity distance $n_1$ for known-plaintext attacks, for both nondegenerate random and nonrandom ciphers, as the smallest n, if it exists, for which

$$H(K|X^nY^n) = 0. \quad (13)$$

The unicity distance $n_1$ is defined to be infinity if (13) holds for n → ∞. Any cipher with information-theoretic security against known-plaintext attacks has no unicity distance $n_1$. For a nondegenerate nonrandom cipher, we have shown in Appendix A that $n_1 = n_d$. We shall see in the next section that αη can be considered a random cipher in the above sense under collective attacks, but with no reduction in effective data rate. (Recall that collective attacks are the most general in classical ciphers.) Thus, the statement in [1] that “known-plaintext attacks are rather standard and were successfully launched against both the Germans and the Japanese in World War II” is an oversimplification, since the ciphers referred to in it were nonrandom.
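To make the quantities of this subsection concrete, the following added example (constructed here, not code from the paper and not αη itself) computes $H(Y^n|X^n)$ and $H(K|X^nY^n)$ exactly for a toy cipher: a 4-bit seed K drives a small LFSR whose two-bit output symbols select one of M/2 = 4 antipodal pairs on a ring of M = 8 ciphertext symbols, and a private random offset of ±1 turns the nonrandom cipher (noise = 0, Eq. (1)) into a random one (noise = 1, Eq. (2)) whose nonrandom reduction is the noise = 0 case. It locates $n_d$ and $n_1$ for the nonrandom cipher and shows that the randomized version leaves Eve strictly more key uncertainty at every n examined while Eq. (11) holds for none of them.

```python
"""Section 2.4 quantities for a constructed toy cipher (added example)."""
from collections import Counter
from itertools import product
from math import log2

KEY_BITS = 4      # |K| = H(K) = 4 bits; the seed is uniform
M = 8             # ciphertext alphabet Z_M; the bases are the pairs {u, u + M/2}


def running_key(seed, n):
    """n two-bit running-key symbols from a 4-bit Fibonacci LFSR (x^4 + x^3 + 1)."""
    state, bits = seed, []
    for _ in range(2 * n):
        bits.append((state >> 3) & 1)           # the oldest bit is the output
        new = ((state >> 3) ^ state) & 1        # s_{j+4} = s_{j+3} + s_j
        state = ((state << 1) | new) & 0xF
    return [(bits[2 * i] << 1) | bits[2 * i + 1] for i in range(n)]


def encrypt(seed, plaintext, offsets):
    """y_i = (u_i + (M/2) b_i + r_i) mod M; r_i is Alice's private randomization."""
    return tuple((u + (M // 2) * b + r) % M for u, b, r
                 in zip(running_key(seed, len(plaintext)), plaintext, offsets))


def decrypt(seed, ciphertext, noise):
    """Bob knows u_i: b_i = 0 iff y_i lies within `noise` of u_i on the ring."""
    bits = []
    for u, y in zip(running_key(seed, len(ciphertext)), ciphertext):
        dist = min((y - u) % M, (u - y) % M)
        bits.append(0 if dist <= noise else 1)
    return tuple(bits)


def round_trip_ok(noise, n=3):
    """Eq. (3): every (K, X^n, r^n) decrypts back to X^n."""
    offsets = range(-noise, noise + 1)
    return all(decrypt(k, encrypt(k, x, r), noise) == x
               for k in range(2 ** KEY_BITS)
               for x in product((0, 1), repeat=n)
               for r in product(offsets, repeat=n))


def entropy(counter, total):
    return -sum(c / total * log2(c / total) for c in counter.values())


def conditional_entropies(n, noise):
    """Return (H(Y^n|X^n), H(K|X^n Y^n)) in bits by exhaustive enumeration."""
    offsets = range(-noise, noise + 1)
    joint_kxy, joint_xy = Counter(), Counter()
    for seed in range(2 ** KEY_BITS):
        for x in product((0, 1), repeat=n):
            for r in product(offsets, repeat=n):
                y = encrypt(seed, x, r)
                joint_kxy[(seed, x, y)] += 1
                joint_xy[(x, y)] += 1
    total = sum(joint_xy.values())
    h_xy = entropy(joint_xy, total)
    h_y_given_x = h_xy - n                       # H(X^n) = n for uniform plaintext
    h_k_given_xy = entropy(joint_kxy, total) - h_xy
    return h_y_given_x, h_k_given_xy


def distances(noise, n_max=4, tol=1e-9):
    """Nondegeneracy distance n_d (Eq. 11) and known-plaintext unicity distance n_1
    (Eq. 13) up to n_max; None when no n <= n_max satisfies the defining equation."""
    n_d = n_1 = None
    table = {}
    for n in range(1, n_max + 1):
        h_yx, h_kxy = conditional_entropies(n, noise)
        table[n] = (h_yx, h_kxy)
        if n_d is None and abs(h_yx - KEY_BITS) < tol:
            n_d = n
        if n_1 is None and h_kxy < tol:
            n_1 = n
    return n_d, n_1, table


if __name__ == "__main__":
    for noise in (0, 1):
        n_d, n_1, table = distances(noise)
        print(f"noise={noise}: n_d={n_d}, n_1={n_1}, Eq.(3) holds: {round_trip_ok(noise)}")
        for n, (h_yx, h_kxy) in table.items():
            print(f"  n={n}: H(Y^n|X^n)={h_yx:.3f}  H(K|X^nY^n)={h_kxy:.3f}")
```

With noise = 0 the first two symbols expose all four seed bits, so $n_d = n_1 = 2$ as Proposition A predicts; with noise = 1 the key is never pinned down within the range examined, although the entropy does fall with n because the running-key correlations across symbols are still exploitable.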

3 αη Direct Encryption and Key Generation

Consider the original experimental scheme αη (called Y-00 in Japan) as described in [2] and

depicted in Fig. 1. Alice encodes each data bit into a coherent state in a qumode, i.e., an

infinite-dimensional Hilbert space (the terminology is analogous to the use of qubit for a two-

dimensional Hilbert space), of the form (we use a single qumode representation rather than

a two-qumode one for illustration)

|αℓ? = |α0(cosθℓ+ isinθℓ)? (14)

where α0is real, θℓ= 2πℓ/M, and ℓ ∈ {0,...,M − 1}. The M states are divided into M/2

basis pairs of antipodal signals {|±αℓ?} with −αℓ= αℓ+M/2. A seed key K of bit length |K|

is used to drive a conventional encryption mechanism whose output is a much longer running

key K′ that is used to determine, for each qumode carrying the bit b ∈ {0,1}, which pair

{|±α_ℓ⟩} is to be used. The bit b could either be part of the plaintext in a direct encryption

system (as is the case in [2]) or it could be a raw key bit from a random number generator.

Bob utilizes a quantum receiver to decide on b knowing which particular pair {|±α_ℓ⟩} is to be

discriminated. On the other hand, Eve needs to pick a quantum measurement for her attack

in the absence of the basis knowledge provided by the seed or running key. The difference in

their resulting receiver performances is a quantum effect that constitutes the ground, as we

shall see in subsequent subsections, both for making αη a random cipher for direct encryption,

and for possible advantage creation vis-a-vis key generation. To avoid confusion, we shall use

the term ‘αη’ to refer only to the direct encryption system following our practice in [2].

When we want to use the same system as part of a key generation protocol, we shall refer

to it as ‘αη-Key Generation’ or ‘αη-KG’. We discuss αη and αη-KG in turn in the next two

subsections.

Note that since the quantum-measurement noise is irreducible, such advantage creation

may result in an unconditionally secure key-generation protocol. In contrast, in a classical

situation including noise, the simultaneous measurement of the amplitude and phase of the

signal, as realized by heterodyning, provides the general optimal measurement for both Bob

and Eve; thus preventing any advantage creation under our approach that grants Eve a copy

of the state for the purpose of bounding her information. We may remark that since a

discrete quantum measurement is employed by the users, αη and αη-KG are not continuous-

variable quantum cryptosystems. In particular, their security is not directly derived from any

uncertainty relation for observables with either continuous or discrete spectrum.

[Fig. 1: image not recoverable from the extraction. Left panel labels: Alice: X (data) and K (key) → ENC → K′ → Mod → Y(X,K′) → Channel → Bob: Demod, driven by K′ from ENC and K → X (data). Right panel labels: states α1, α2, … on a circle with angular spacing φ between neighbouring states, logical states (I) and (II) interleaved.]

Fig. 1. Left: Overall schematic of the αη scheme. Right: Depiction of M/2 bases with interleaved

logical state mappings.

3.1 αη Direct Encryption

Let X^n, Y_E^n, Y_B^n be the classical random vectors describing respectively the data, Eve's

observation, and Bob's observation. Eve may make any quantum measurement on her copy of the

quantum signal to obtain Y_E^n in her attack. One then considers the error in her estimation

of X^n. As an example, consider the attack where Eve makes a heterodyne measurement or a

phase measurement on each qumode [3, 5]. Under such an attack, αη becomes essentially a

classical random cipher (in the sense of Section 2), because it satisfies

$$H(X^n \mid Y_E^n, K) \sim 0 \qquad (15)$$

along with Eq. (2) for the experimental parameters of [2, 15, 16, 17]. Under Eq. (15), Eq. (4)

also obtains and the data security is no better than |K| as in all standard symmetric key

ciphers. Still, heterodyning by Eve does not reduce αη to a classical nonrandom stream

cipher, as claimed in [18]. Rather, it becomes a random cipher as already pointed out in [3].

For each transmitted qumode, the plaintext alphabet is {0,1} and the ciphertext alphabet is

any point on the circle of Fig. 1 when a phase measurement is made by Eve, and is any point

in the plane when a heterodyne measurement is made. Note that the ciphertext alphabet

depends on what quantum measurement is made by the attacker. However, it can at most be

reduced to an M-ary one by collapsing the continuous outcomes into M disjoint sets. This

is so because such an alphabet is the smallest possible ciphertext alphabet such that it is

possible to decrypt for every possible value of ciphertext and key. We have elaborated on

this point in Section 5 of [4]. Hence, αη is a random cipher against attacks on the key, and

cannot be reduced to an additive stream cipher, which is nonrandom. When it is forced to

become nonrandom, even just for Bob, it becomes noisy. See our reply [5] to the attack in

[18] for more details. Also see their subsequent response [19] based on a confusion regarding

the interpretation of Eq. (15), which is valid for our αη system of [2]. Further elaboration is

available in [4].


Observe that the randomization in αη can be accomplished classically in principle, but not

in current practice. This is because true random numbers can only be generated physically,

not by an algorithm, and the practical rate for such generation is many orders of magnitude

below the ∼ Gbps rate in our experiments where the coherent-state quantum noise does the

randomization automatically. Furthermore, our physical “analog” scheme does not sacrifice

bandwidth or data rate compared to other known randomization techniques. This is because

Bob resolves only two, not M possibilities. Another important point with regard to physical

cryptosystems like αη, whether random or nonrandom, is that they require the attacker to

make analog or at least M-ary observations, i.e., to attack the system at the physical level,

even though the data transmitted is binary. In particular, as indicated above, it is impossible

to launch a known-plaintext attack on the key using just the binary output, available for

instance at a computer terminal.

While the original αη scheme of Fig. 1 is a random cipher under collective attacks made

without knowledge of the key K, or more generally, under qumode-by-qumode measurements

that can vary from qumode to qumode, it is still a nonrandom cipher in the sense of quantum

states. See also ref. [4]. The technique called Deliberate Signal Randomization (DSR)

described in [3] would make it a random cipher even with respect to quantum states. This

amounts to randomizing (privately in the sense of [8]) the state transmitted so as to cover

a half-circle around the basis chosen by the running key. The security of such ciphers is an

open area of research. While we will not delve into the details of DSR in this paper, it may

be mentioned that at the mesoscopic signal levels used in [2, 15, 16, 17], DSR with an error-

correcting code on top may be expected to induce many errors for Eve while Bob remains

essentially error-free. The reason is similar to that for Eq. (4) in Ref. [5], with advantage

for Bob due to the optimal receiver performance difference described in the next subsection

and in [3]. Thus, information-theoretic security is expected [3] for the key, and at a level far

exceeding the Shannon limit for the data, when DSR is employed on αη. Instead of DSR, a

keyed ‘mapper’ that varies the mapping from the running key to the basis from qumode to

qumode can also be employed, including perhaps a polarity (0 or 1) bit to enhance security.

Even with the original αη, it can be expected that the randomization or coherent-state noise

would increase the unicity distance n1 compared to the ENC box alone used as a cipher.

Further details can be found in [4].

For the direct-encryption experiments in Refs. [2, 15, 16, 17], we have claimed “uncondi-

tional” security only against ciphertext-only individual attacks. We have claimed only expo-

nential complexity-based security against assisted brute-force search (see [4]) known-plaintext

attacks, which is more than the security provided just by the ENC box of Fig. 1 [5]. How-

ever, information-theoretic security, even at the near-perfect level for both the key and the

data, is possible with additional techniques or CPPM-type schemes described in [3]. Detailed

treatment will be given in the future. But see also ref. [4].

We summarize the main known advantages of αη compared to previous ciphers:

(1) It has more assisted brute-force search complexity for attacks on the key compared to the

case when the quantum noise is turned off. For an explicit claim, see [4].

(2) It may, especially when supplemented with further techniques, have information-theoretic

security against known-plaintext attacks that is not possible with nonrandom ciphers.


(3) With added Deliberate Signal Randomization (DSR), it is expected to have information-

theoretic security on the data far exceeding the Shannon limit.

(4) It has high-speed private true randomization (from quantum noise that even Alice does

not know), which is not possible otherwise with current or foreseeable technology.

(5) It suffers no reduction in data rate compared to other known random ciphers.

(6) The key cannot be successfully attacked from a computer terminal with bit outputs, as

is possible with standard ciphers.

3.2 αη Key Generation

One needs to clearly distinguish the use of such a scheme for key generation versus data

encryption. It may first appear that if the system is secure for data encryption, it would also

be secure for key generation if the transmitted data are subsequently used as new key. It

seems to be the view taken in [1, 18, 20] that we have made such a claim, which we have not.

The situation may be delineated as follows. Following the notations of the last subsection,

Eve may make any quantum measurement on her copy of the quantum signal to obtain Y_E^n

in her attack. Such a measurement is made without the knowledge of K. It is then used

together with the value of K to estimate the data Xn. Although Eve is not actually given

K after her measurements, we give it to her conceptually for the purpose of bounding her

information. The conditions for unconditional security are complicated, and to satisfy them

one needs to extend αη-KG in different possible ways, such as DSR and CPPM described in

[3]. However, against attacks with a fixed qumode measurement, Eq. (8) is sufficient and can

be readily seen to hold as follows.

With S ≡ |α_0|^2 being the average photon number in the states (14), the bit-error rate for

Bob with the optimum quantum receiver [22] is

$$P_b = \frac{1}{4} e^{-4S}. \qquad (16)$$

The bit-error rate for heterodyning, considered as a possible attack, is the well-known Gaus-

sian result

$$P_b^{het} \sim \frac{1}{2} e^{-S}, \qquad (17)$$

and that for the optimum-phase measurement tailored to the states in (14) is

$$P_b^{ph} \sim \frac{1}{2} e^{-2S} \qquad (18)$$

over a wide range of S. The difference between Eq. (16) and Eqs. (17)-(18) allows key generation

at any value of S if n is long enough. With a mesoscopic signal level S ∼ 7 photons,

one has P_b ∼ 10^{-12}, P_b^{het} ∼ 10^{-3}, and P_b^{ph} ∼ 10^{-6}. If the data arrives at a rate of 1

Gbps, Bob is likely to have 10^9 error-free bits in 1 second, while Eve would have at least

(recall that she actually does not have the key even after her measurements) ∼ 10^6 or ∼ 10^3

errors in her 10^9 bits with heterodyne or the optimum-phase measurement (which has no

known experimental realization). With the usual privacy amplification [23], the users can

then generate ∼ 10^6 or ∼ 10^3 bits in a 1 second interval by eliminating Eve's information.

While these parameter values are not particularly remarkable due to the loose bound and have

not been experimentally demonstrated, they illustrate the new KCQ principle of quantum

key generation introduced in [3] that creates advantage via the difference between optimal

quantum receiver performance with versus without knowledge of a secret key, which is more

powerful than the previous BB84 principle since it does not rely on intrusion-level estimation

to create advantage. Also note that due to the 3 dB advantage limitation of binary signaling

(compare Eq. (18) and Eq. (16)), one may use the CPPM scheme [3] and its extensions instead

of αη-KG for key generation over long distances. Within the confines of binary signaling, the

throughput, though not the advantage, can be greatly increased even for large S by moving

the state close to the decision boundary. Detailed treatments will be given in the future.
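To make the structure described in Sections 3 to 3.2 concrete, the following added example (not the authors' code and not the experiment of [2]) models the signal set of Eq. (14), basis selection by a running key, Bob's two-state decision and Eve's heterodyne attack with the key handed over afterwards, and evaluates the error-rate gap of Eqs. (16)-(18) for the S ∼ 7, 1 Gbps estimate above. M, the seed key, the SHA-256 stand-in for the ENC box, the interleaved parity mapping of bits to states and the heterodyne noise variance of 1/2 per quadrature are assumptions of the example.

```python
"""Toy model of the alpha-eta signal set and receiver asymmetry (Sections 3-3.2).
Added example, not the authors' code: M, the seed key, the SHA-256 stand-in for
the ENC box (an LFSR in [2]), the interleaved parity mapping and the heterodyne
noise variance of 1/2 per quadrature are assumptions made for this example."""
import hashlib
import math
import random

M = 4094  # constructed: M even with M/2 odd, so states j and j+M/2 differ in parity


def running_key(seed_key: bytes, n: int, m: int = M) -> list:
    """ENC box stand-in: stretch the seed key K into n basis indices in {0..M/2-1}."""
    out, ctr = [], 0
    while len(out) < n:
        block = hashlib.sha256(seed_key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
        out.extend(int.from_bytes(block[i:i + 2], "big") % (m // 2)
                   for i in range(0, len(block), 2))
    return out[:n]


def modulate(bit: int, basis: int, m: int = M) -> int:
    """Alice: in the pair {|+alpha_l>, |-alpha_l>} (with -alpha_l = alpha_{l+M/2})
    send the member whose index parity equals the bit (interleaved mapping)."""
    return basis if basis % 2 == bit else (basis + m // 2) % m


def demodulate(index: int) -> int:
    """Bob knows the basis and resolves only two states; index parity is the bit."""
    return index % 2


def amplitude(index: int, s: float, m: int = M) -> complex:
    """Eq. (14) with alpha_0 = sqrt(S): alpha_l = sqrt(S)(cos theta_l + i sin theta_l)."""
    theta = 2 * math.pi * index / m
    return math.sqrt(s) * complex(math.cos(theta), math.sin(theta))


def error_rates(s: float) -> dict:
    """Eqs. (16)-(18): Bob's optimum quantum receiver, Eve's heterodyne and Eve's
    optimum phase measurement, as functions of the photon number S = |alpha_0|^2."""
    return {"bob": 0.25 * math.exp(-4 * s),
            "het": 0.5 * math.exp(-s),
            "ph": 0.5 * math.exp(-2 * s)}


def key_generation_budget(s: float, n: int) -> dict:
    """Expected error counts over n qumodes; the paper's rough privacy-amplification
    yield is the number of errors Eve makes even when handed K afterwards."""
    return {k: n * p for k, p in error_rates(s).items()}


def simulate(seed_key: bytes, bits: list, s: float, seed: int = 1) -> dict:
    """Send `bits`; count errors for Bob (Eq. 16), for Eve who heterodynes every
    qumode without K and is given K afterwards (Section 3.2), and for Eve
    guessing from the ciphertext alone (nearest of the M states)."""
    rng, rates, sigma = random.Random(seed), error_rates(s), math.sqrt(0.5)
    errs = {"bob": 0, "eve_key_later": 0, "eve_no_key": 0}
    for bit, basis in zip(bits, running_key(seed_key, len(bits))):
        j = modulate(bit, basis)
        if rng.random() < rates["bob"]:          # Bob's residual quantum error
            errs["bob"] += 1
        beta = amplitude(j, s) + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
        # Eve, once given the basis, projects onto its direction and picks a sign
        proj = (beta * amplitude(basis, 1.0).conjugate()).real
        guess = basis if proj >= 0 else (basis + M // 2) % M
        errs["eve_key_later"] += demodulate(guess) != bit
        # Without the basis: neighbouring states 2*pi/M apart alternate bits and
        # the quantum noise spans hundreds of them, so the bit is a coin toss
        angle = math.atan2(beta.imag, beta.real) % (2 * math.pi)
        nearest = round(angle * M / (2 * math.pi)) % M
        errs["eve_no_key"] += demodulate(nearest) != bit
    return errs
```

`key_generation_budget(7.0, 10**9)` reproduces the order-of-magnitude counts quoted above (Bob well below one error, Eve roughly 10^5 to 10^6 heterodyne errors), and `simulate(b"constructed seed key", bits, 1.0)` shows the same asymmetry at a low photon number where it is visible in a few thousand qumodes.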

The heterodyne attack on αη discussed above can of course be launched also on an αη

Key Generation system. For parameter values, i.e., values of S, M and n, such that Eq.

(15) holds, key generation with information-theoretic security is impossible in principle, since

the Shannon limit (4) holds. This point is missed in all the criticisms of αη Key Generation

[1, 18, 20], but was explicitly stated in the first version of Ref. [3]. It is at least implicit in Ref.

[2] where we said the experiment has to be modified for key generation, and also mentioned

the KCQ Key Generation Principle of optimal quantum receiver performance difference. One

simple way to break the Shannon limit (4) and protect the key at the same time, is to

employ DSR. As noted in Section 3.1, its use in αη direct encryption is expected to provide

information-theoretic security for the key and at a level far exceeding the limit (4) for the

data. We mention these possible approaches to make it clear that we were aware of the

limitations of αη and that we need additional techniques to obtain unconditional security.

4 The Lo-Ko Attacks

4.1 Review of Attacks in [1]

Ref. [1] first describes a known-plaintext attack on the original αη of [2] that can be launched

when the channel loss allows Eve to have 2^{|K|} copies of the states Bob would receive. With 2^{|K|}

copies, it is claimed that Eve can use each possible seed key to implement a decryption system

similar to Bob’s, and by comparing the outputs to the known-plaintext of some unspecified

length s, can determine the key. Eve thus needs only beamsplitters and detectors similar to

Bob’s to undermine the system. We shall call this attack Attack I in the sequel. A variant of

this attack is also described, in which Eve is assumed to know r s-bit sequences of plaintext,

where r(1 − η) ≥ 2^{|K|} η. In other words, the channel transmittance η is such that Eve has

in her possession, including repeated copies, 2^{|K|} ciphertext-states, each corresponding to

a known s-bit sequence. What s needs to be is again unspecified. It is claimed that an

exhaustive trial of keys would again pin down the key in this case. These attacks are also

claimed to work, without any supporting argument, when the plaintext is not exactly known,

but is drawn from a language, e.g., English.

It is further argued that even in just 3 dB loss (which is not required under our approach

of granting Eve a copy of the quantum signal), a Grover quantum search (that will be called

Attack II) would succeed in finding K under a known-plaintext attack when n = ∞, because

then there is only a single possible key value that would give rise to the overall ciphertext-state

from the known data Xn. This latter claim is in turn justified by the “asymptotic orthogo-

nality” of the ciphertext-states corresponding to different key values, although exactly how

this asymptotic orthogonality occurs for different choices of the ENC box in Fig. 1, includ-

ing the LFSR used, is not described. The purpose of this argument is presumably to claim

that a limiting statement such as (10) must be true, thus undermining the system under a

known-plaintext attack for large enough n. When the plaintext X^n is not exactly known but

is not completely random, i.e., under a statistical attack, such a result is also claimed to hold

without any argument. Also, no estimate of the convergence rate in n is provided for either

asymptotic orthogonality or for Eq. (10).

Ref. [1] then assumes that αη Key Generation, in which Xn is taken to be completely

random as in all key-generation protocols (so that there is no possibility of a known-plaintext

or statistical attack of any kind, at least before the generated key is used in another cipher),

proceeds by utilizing the output bits Y^n = X^n directly as key bits to XOR or “one-time pad”

on new data. With known-plaintext attack on these new data, the X^n would be known and the

previously described known-plaintext attacks I and II can be applied on the ciphertext-states

to find K.

4.2 Response to Attacks

We will first respond to these attacks for direct encryption. The first gap in Attack I is

that the length of known-plaintext n_1 needed to uniquely fix the key is not specified. From

Subsection 2.3, we see that Eve needs length equal to the nondegeneracy distance n_d (11) of

the ENC box of Fig. 1 to fix the key from exact input-output pairs of the ENC box alone.

Actually, s = n_1 needs to be larger than this nondegeneracy distance n_d due to the quantum

noise randomization. Note also that the ENC box could be chosen to be degenerate, so that

it does not even have a nondegeneracy distance and the key could never be pinned down.

However, since the LFSR used in [2] is actually nondegenerate, we will not dwell on this

point. As it stands, the attack is seriously incomplete without specifying what s = n_1 is or

at least providing estimates of it. This corresponds to defect One in our Introduction.

Furthermore, Attack I requires the product r(1−η) to be bigger than η 2^{|K|}, which implies

either r or 1/η is at least exponential in |K|/2. Thus, Attack I can be thwarted by increasing

the key length linearly, which is relatively easy. As an example, for the key length |K| ∼ 2×10^3

used in [2], one needs a loss of 6 × 10^3 dB for r = 1, which corresponds to propagation over

∼ 3 × 10^4 km in the best available fiber, which has a loss of 0.2 dB/km. No conceivable

one-stage communication line can be expected to operate over such a long distance. Any

future improvements in the loss figure of fibers can only make Eve’s task harder because the

number of copies she can tap decreases along with the loss.

If the exponential loss requirement is replaced by that of an exponential length of data, it is

equally fanciful. For the key length |K| ∼ 2×10^3, r = 2^{|K|} corresponds to ∼ 10^{600} bits of data.

How could Eve input ∼ 10^{600} bits of data in a chosen-plaintext attack, or know ∼ 10^{600} bits

in a known-plaintext attack? In any case, even if such large loss obtains, the attacker still has

the problem of requiring an exponential number of devices (beamsplitters and detectors in this

case) and doing an exponential amount of processing. Apart from size and time limitations

mentioned in Section 2, it seems not possible to ever get ∼ 10^{600} devices corresponding to the

above key length, considering that the total number of elementary particles in the universe is

less than 10^{100}. This corresponds to defect Two in the Introduction. We should also mention

that αη was claimed in [2] to be proved secure against known-plaintext attacks only in the


brute-force search sense and not information-theoretically, and so the above attacks do not

contradict any claim in [2] even if they were successful.
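The following added example (not from the paper) reproduces the Attack I and Attack II resource estimates above from the inequality r(1 − η) ≥ 2^{|K|} η, working in the log domain so that |K| ∼ 2×10^3 can be handled without overflow; the fiber loss of 0.2 dB/km and the 10^{100} particle bound are the values quoted in the text, and the key lengths other than 2000 are constructed for comparison.

```python
"""Added check of the Attack I / Attack II resource estimates of Section 4.2.
Example code, not from the paper; every formula is the inequality quoted in the
text, r(1 - eta) >= 2^|K| eta, worked in the log domain so |K| ~ 2000 fits."""
import math

LOG10_2 = math.log10(2)
PARTICLES_IN_UNIVERSE_LOG10 = 100   # the paper's bound: fewer than 10^100


def attack_i_loss_db(key_bits: int, r: int = 1) -> float:
    """Channel loss Eve needs with r known s-bit blocks: eta <= r / (2^|K| + r),
    i.e. loss >= 10 log10((2^|K| + r) / r) dB, using exact big-int arithmetic."""
    return 10 * (math.log10(2 ** key_bits + r) - math.log10(r))


def fiber_km(loss_db: float, db_per_km: float = 0.2) -> float:
    """Fiber length producing that loss (0.2 dB/km is the figure quoted in the text)."""
    return loss_db / db_per_km


def min_exponent_of_r_or_inverse_eta(key_bits: int) -> float:
    """r(1-eta) >= 2^|K| eta and 1-eta <= 1 give r/eta >= 2^|K|, so the larger of
    r and 1/eta is at least 2^(|K|/2); returns that exponent |K|/2."""
    return key_bits / 2


def known_plaintext_log10(key_bits: int, s_bits: int = 1) -> float:
    """log10 of the plaintext needed in the lossless variant r = 2^|K| (blocks of s bits)."""
    return key_bits * LOG10_2 + math.log10(s_bits)


def grover_queries_log10(key_bits: int) -> float:
    """Attack II: ~2^(|K|/2) oracle calls, ignoring the growth with n discussed in the text."""
    return key_bits * LOG10_2 / 2


def attack_i_assessment(key_bits: int, r: int = 1, db_per_km: float = 0.2) -> dict:
    """Summarise what Attack I demands for a given key length and number of known blocks:
    one decryption set-up per candidate key means 2^|K| devices."""
    loss = attack_i_loss_db(key_bits, r)
    devices_log10 = key_bits * LOG10_2
    return {
        "loss_db": loss,
        "fiber_km": fiber_km(loss, db_per_km),
        "devices_log10": devices_log10,
        "more_devices_than_particles": devices_log10 > PARTICLES_IN_UNIVERSE_LOG10,
    }


if __name__ == "__main__":
    for k in (128, 256, 2000):            # key length grows linearly ...
        a = attack_i_assessment(k)        # ... Eve's requirements exponentially
        print(k, round(a["loss_db"]), round(a["fiber_km"]), a["more_devices_than_particles"])
```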

Before proceeding to Attack II, we first distinguish the following four distinct kinds of

statements that can be made on a quantity ε(n), based roughly on the value of n being

considered:

(i) The value of ε(n) at a finite n. This is of interest for a realistic implementation —

typically n ∼ 10^2 − 10^4 is the limit for joint processing of a single block.

(ii) The case expressed by a limit statement on some quantity of interest ε(n) → 0 with

quantitative convergence rate estimate 0 ≤ ε(n) ≤ f(n) for n ≥ N and some large

enough N and a known function f(n) → 0.

(iii) The case of the limit statement lim_{n→∞} ε(n) = 0 without convergence rate estimate.

Thus, it is not known how large n needs to be for ε(n) to be below a certain given level

ε_0.

(iv) The case of the value ε(∞) at ∞. Note that the limiting value of ε(n) in Case (iii) above

may be different from ε(∞) due to failure of continuity at n = ∞.

Observe that the statements in Cases (i)-(iii) are, in that order, progressively weaker

statements on the quantity of interest. Case (iv), however, is independent of the previous

cases, and can be asserted by evaluating ε(∞) by a route that does not even require ε(n) at

finite n. In turn, knowing ε(∞) does not allow one to make even a limit statement of the form

of Case (iii) unless one can prove continuity at n = ∞. We have classified the above cases in

order to delineate exactly what Lo and Ko can claim for their Attack II.

Let us now consider Attack II. The first obvious problem with the argument is that Eve

does not need to attack the system if she already knows the entire n → ∞ plaintext that will

be transmitted using the particular seed key. Lo and Ko give no analysis of their attack for

the relevant case in which the plaintext is partially known, i.e., for the case of a statistical

attack (this includes the case of Eve knowing a fraction of the plaintext exactly) even in the

n → ∞ situation. A little thought will show that the oracle required in Grover search would

have an implementation complexity that increases indefinitely with n, making it prohibitive

to build in the n → ∞ limit. In other words, the search complexity is not simply ∼ 2^{|K|/2}

but rather increases with n as well. When there is more than one plaintext possible, Lo

and Ko presumably intend to apply Grover search for each plaintext in turn. The number

of such repeated applications would obviously grow indefinitely with n if Eve knows only a

fraction of plaintext. In case they intend that a single Grover search be applied to cover all

possible plaintexts, they need to produce a specific oracle that would work for this case and

analyze its performance. The issue is more critical in actual practice, because it typically

does not happen that Eve knows a large length of plaintext, let alone one that is arbitrarily

long in the unquantified sense of (iii) above, which is what their attack entails. Furthermore,

even if its n dependence is ignored, the ∼ 2^{|K|/2} complexity of Grover's search makes it

practically impossible to launch for |K| ∼ 2 × 10^3. Similar to Attack I, Attack II retains all

the limitations of being exponential in the key length. This point is an instance of the second

defect mentioned in Section 1.
