On the security of AlphaEta: Response to 'Some attacks on quantum-based cryptographic protocols'

Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, Illinois, United States
Quantum information & computation (Impact Factor: 1.39). 10/2005; 6(7).
Source: arXiv


Lo and Ko in [1] have developed some attacks on the cryptosystem called AlphaEta [2], claiming that these attacks undermine the security of AlphaEta for both direct encryption and key generation. In this paper, we show that their arguments fail in many different ways. In particular, the first attack in [1] requires channel loss or length of known-plaintext that is exponential in the key length and is unrealistic even for moderate key lengths. The second attack is a Grover search attack based on 'asymptotic orthogonality' and was not analyzed quantitatively in [1]. We explain why it is not logically possible to "pull back" an argument valid only at n=infinity into a limit statement, let alone one valid for a finite number of transmissions n. We illustrate this by a 'proof' using a similar asymptotic orthogonality argument that coherent-state BB84 is insecure for any value of loss. Even if a limit statement is true, this attack is a priori irrelevant as it requires an indefinitely large amount of known-plaintext, resources and processing. We also explain why the attacks in [1] on AlphaEta as a key-generation system are based on misinterpretations of [2]. Some misunderstandings in [1] regarding certain issues in cryptography and optical communications are also pointed out. Short of providing a security proof for AlphaEta, we provide a description of relevant results in standard cryptography and in the design of AlphaEta to put the above issues in the proper framework and to elucidate some security features of this new approach to quantum cryptography.



Available from: Gregory Kanter, Jan 28, 2014
  • ABSTRACT: Nishioka et al claim in [1], elaborating on their earlier paper [2], that the direct encryption scheme called Y-00 [3,4] is equivalent to a classical non-random additive stream cipher, and thus offers no more security than the latter. In this paper, we show that this claim is false and that Y-00 may be considered equivalent to a random cipher. We explain why a random cipher provides additional security compared to its nonrandom counterpart. Some criticisms in [1] on the use of Y-00 for key generation are also briefly responded to.
    Full-text · Article · Oct 2005
  • ABSTRACT: We review the notion of a classical random cipher and its advantages. We sharpen the usual description of random ciphers to a particular mathematical characterization suggested by the salient feature responsible for their increased security. We describe a concrete system known as AlphaEta and show that it is equivalent to a random cipher in which the required randomization is effected by coherent-state quantum noise. We describe the currently known security features of AlphaEta and similar systems, including lower bounds on the unicity distances against ciphertext-only and known-plaintext attacks. We show how AlphaEta used in conjunction with any standard stream cipher such as AES (Advanced Encryption Standard) provides an additional, qualitatively different layer of security from physical encryption against known-plaintext attacks on the key. We refute some claims in the literature that AlphaEta is equivalent to a non-random stream cipher. Comment: Accepted for publication in Phys. Rev. A; Discussion augmented and re-organized; Section 5 contains a detailed response to 'T. Nishioka, T. Hasegawa, H. Ishizuka, K. Imafuku, H. Imai: Phys. Lett. A 327 (2004) 28-32 /quant-ph/0310168' & 'T. Nishioka, T. Hasegawa, H. Ishizuka, K. Imafuku, H. Imai: Phys. Lett. A 346 (2005) 7'
    Preview · Article · Mar 2006 · Physical Review A
  • ABSTRACT: We provide a security analysis of the Y-00 protocol under heterodyne measurement and correlation attack. We show that the secrecy of the data encryption scheme is extremely sensitive to the running-key generation process. In many situations our simple attack succeeds in recovering the initial shared secret key. Our simulation results suggest that a truly secure implementation of the protocol should take into account the effective key generation method. (c) 2006 Elsevier B.V. All rights reserved.
    No preview · Article · Aug 2006 · Physics Letters A