Next Article in Journal
Low-Complexity Alternatives to the Optimal Linear Coding Scheme for Transmitting ARMA Sources
Next Article in Special Issue
Error Performance of Amplitude Shift Keying-Type Asymmetric Quantum Communication Systems
Previous Article in Journal
Kibble–Zurek Scaling from Linear Response Theory
Previous Article in Special Issue
Non-Orthogonality Measure for a Collection of Pure Quantum States
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

Quantum Stream Cipher Based on Holevo–Yuen Theory

Quantum ICT Research Institute, Tamagawa University, Tokyo 194-8610, Japan
*
Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Entropy 2022, 24(5), 667; https://doi.org/10.3390/e24050667
Submission received: 1 April 2022 / Revised: 29 April 2022 / Accepted: 5 May 2022 / Published: 10 May 2022
(This article belongs to the Special Issue Quantum Communication, Quantum Radar, and Quantum Cipher)

Abstract

:
In this review paper, we first introduce the basic concept of quantum computer-resistant cryptography, which is the cornerstone of security technology for the network of a new era. Then, we will describe the positioning of mathematical cryptography and quantum cryptography, that are currently being researched and developed. Quantum cryptography includes QKD and quantum stream cipher, but we point out that the latter is expected as the core technology of next-generation communication systems. Various ideas have been proposed for QKD quantum cryptography, but most of them use a single-photon or similar signal. Then, although such technologies are applicable to special situations, these methods still have several difficulties to provide functions that surpass conventional technologies for social systems in the real environment. Thus, the quantum stream cipher has come to be expected as one promising countermeasure, which artificially creates quantum properties using special modulation techniques based on the macroscopic coherent state. In addition, it has the possibility to provide superior security performance than one-time pad cipher. Finally, we introduce detailed research activity aimed at putting the quantum stream cipher into practical use in social network technology.

1. General View of Cryptography or Cipher in Social Network Systems

At first, we introduce a comment on a general view of cryptography in our research project. In the recent book [1] and a technical paper [2], S. Tsujii, who is one of the leaders of the cyber security community and industry, explains the current situation of the cyber security community and industry on the current trend of the security technology, as follows. “Quantum computer capable of breaking public key cryptographies, such as RSA or elliptic curve cryptography, that relies on mathematical decipherability due to prime number factorization or discrete logarithm problems, will not be developed within 20 years. Nevertheless, the jeopardy due to the cooperative effect with the development of mathematics remains. Thus, NIST is in the process of selecting candidates for quantum computer-resistant cryptography. The applications of cryptography for confidentiality are categorized into the confidential transmission of data itself and the key delivery or storage for that purpose. Then from the viewpoint of academic methods, they are categorized into mathematical cryptography and quantum cryptography. In the former case, there are two types such as public key cryptography and symmetric key cipher. Public key cryptography has the advantage of securely delivering and storing the initial key for data encryption and transmission. However, its processing speed is slow, so symmetric key cipher is responsible for data encryption. On the other hand, quantum cryptography is a cryptographic technique that uses quantum phenomena to improve security performance. The technique that uses quantum communication to perform the key delivery function of public key cryptography is quantum key distribution (QKD: BB-84 et al.), while the technique that uses quantum communication to perform the cryptographic transmission of data itself is called Y-00 quantum stream cipher (see Figure 1). QKD cannot be used to supply keys to One Time Pad cipher, because its data rate is too slow. Y-00 for data encryption is extremely novel in its ability to prevent eavesdroppers from obtaining the ciphertext of the symmetric key cipher. In addition, it is amazing that the strong quantum-ness is created by modulation scheme with multi-ary coherent state signals without any quantum device”.
Let us now turn our focus to quantum cryptography. Both of these quantum technologies are based on designing communication systems to make it difficult for eavesdroppers to steal signals on the communication channels. Such a function to protect the signal itself cannot be realized by mathematical cryptography. As mentioned above, there are two possible system operation methods for these quantum cryptography techniques. One is to use BB-84 quantum key distribution for key delivery and conventional mathematical cryptography for authentication and data encryption. The other is to use Y-00 quantum stream cipher for data encryption and conventional public key cryptography (or quantum computer resistant type) for authentication and key delivery. These quantum cryptography technologies are positioned as technologies to ensure the ultimate security of communication between data center stations, that is of special importance in next-generation 5G and 6G systems. In the following, we will explain the technical contents, applicability to the real world, and development trends.

2. Current Status of Quantum Communication Security Technology

2.1. Quantum Cryptography

As introduced in the above section, there are two quantum cryptography techniques. Let us give their brief introduction below.
(1)
Quantum Key Distribution
BB-84 quantum key distribution (QKD) was proposed by C. H. Bennett and G. Brassard in 1984. It is a protocol to share a secret key sequence by using photon communication, that is guaranteed to be quantum nature. Since the photons used in this protocol are weak light, the transmission speed and distance are limited. In addition, many of the sequence of photons that carry information are lost due to attenuation effects in the transmission line, and the sequence of photons that reaches the receiver is also subject to errors due to noise effects. So, the operation involves discarding the majority of the received bit sequence. Therefore, data itself cannot be sent, only random numbers can be sent. Thus, only the delivery of the secret key for symmetric key cipher is possible. This is why it is called QKD. Recently, many newspapers have reported that several R&D groups can provide the commercial systems of QKD. The transmission speed is the order of 100 Kbit/s, and transmission length is below 100 km. The satellite system is one of the solutions to cope with the distance. However, the transmission speed is so small. In any case, if one tries to increase the transmission speed, then there is a trade-off, and one has to shorten the relay interval. Since the maximum transmission speed is about a megabit, it is difficult to supply keys to the one-time pad cipher for data after key delivery, and it is likely to be limited to supplying initial keys (secret keys) for AES and others.
(2)
Quantum Stream Cipher
Y-00 quantum stream cipher is a protocol for physical symmetric key cipher proposed by H.P. Yuen of Northwestern University in the DARPA project (2000) [3]. The details are explained in the next section, but a simple concept is presented here.
This technique is characterized by the fact that it does not allow the physical signals consisting of the mathematical random generator and information data to be obtained without error. In this scheme, the ciphertext in Y-00 circuit system of the mathematical cipher consisting of the generator and data, which is the target of the eavesdropper, as described by y = α i ( X , f g ( K s ) , R p ) . Then, we design the system such that the ciphertext y = α i ( X , f g ( K s ) , R p ) is mapped into ensemble of coherent state Ψ ( X , K s , R p ) > with the quantumness based on the Holevo–Yuen theory [4,5,6]. This is called Y-00 signal, which corresponds to ciphertext on the Hilbert space. Thus, the ciphertext as the classical signal is protected by the quantumness. Let us describe it shortly. Although ordinary laser light of high power is used as the transmission signal, signals on the communication channel can be made to have very strong quantum properties in the sense of quantum detection theory [7]. This is the Y-00 principle [3]. That is, a large number of physical binary light communication base is prepared to transmit electric binary data, and the binary data is transmitted by using one communication base which is randomly selected from many communication bases by a mathematical cipher. Let M be the number of the base. The optical signals on the communication channel become ultra-multiple-valued signals ( 2 M = 4096 or more values are common) against the eavesdropper without the knowledge of communication base. At this time, strong quantum nature in the signal ensemble appears even if the one signal is in high power light, when it is constructed by such ultra-multiple-valued signal. In other words, this method means that the quantum nature in the sense of quantum detection theory [7] is created artificially by modulation schemes, so that it does not require light with strong physical quantum nature, such as a photon. The Y-00 signals of the length m (number of slot) are described as follows:
Ψ ( X , K s , R p ) > = α i ( X , f g ( K s ) , R p ) > 1 α j ( X , f g ( K s ) , R p ) > 2 α k ( X , f g ( K s ) , R p ) > m
where α i ( X , f g ( K s ) , R p ) > is coherent state with amplitude α ( · ) , i , j , k = 1 , 2 , 3 , 2 M , X is plaintext, f g ( K s ) is a mathematical pseudo random function of secret key K s , and R p is additional randomization. The set of these coherent states is designed to be strong non-orthogonal property, even if each amplitude of the signals is | α k ( X , f g ( K s ) , R p ) | 1 .
A legitimate receiver with the knowledge for communication base to which the data is sent can ignore the quantum nature of the data, because it is a binary transmission by high-power signal. That is, one can receive the error-free data. On the other hand, an eavesdropper, who does not know the information of the communication base, must receive a sequence of a ultra-multi-valued optical signal that consists of non-orthogonal quantum states of Equation (1). The quantum noise generated by quantum measurement based on the Holevo–Yuen theory on quantum detection [8,9,10] masks the received signal, resulting in errors. Thus, even if the eavesdropper tries to record the ciphertext, the masking effect of the quantum noise makes it impossible to accurately recover the ciphertext. This fact is a novel function in the cryptology. Figure 2 shows the scheme of Y-00 principle (Appendix A).

2.2. Comparison of Services Based on Each Quantum Cryptosystem

QKD and Y-00 are about 40 and 20 years old, respectively. At the time of their invention, the principle models of both quantum cryptography technologies were not very attractive in terms of security and communication performance. However, nowadays, the systems and security assurance technologies of both technologies have evolved dramatically. Based on the results, business models for security services using these quantum cryptography technologies have been proposed. Figure 3 shows the current status.

3. Feature of Quantum Stream Cipher

In the near future, optical networks will move toward even higher speeds, but the Y-00 quantum stream cipher can solve technical requirement from the real world. Since there are few introductions to this technology, we describe the details of this technology in the following section.

3.1. Basic Scheme

As explained in the previous section, the quantum stream cipher is expected to accelerate advanced application in future communication systems. The reason for this is that this scheme can utilize ordinary optical communication devices and is compatible with existing communication systems. In its design, optical communication, quantum theory, and cryptography are effectively integrated. Therefore, it is also called “Y-00 optical communication quantum cryptography” in implementation studies. Pioneering research on practical experiment for this system has been reported by Northwestern University [8,9], Tamagawa University [10], and Hitachi Ltd. [11]. Theories of system design for the basic system have been given by Nair and others [12,13,14,15].
Let us explain the principle of Y-00 quantum stream cipher. First, the Y-00 protocol starts by specifying the signal system that use the transmission medium. The actual signal to be transmitted is selected in terms of amplitude or intensity, phase, quadrature amplitude, etc., having coherent state | α in quantum optics. Then, the design is made accordingly. Depending on the type of signal to be used, it is called ISK:Y-00, PSK:Y-00, QAM:Y-00, etc.
Here, one communication base consisting of various binary signals is randomly selected for each data slot. Then, a binary data is transmitted by using the communication base selected. Thus, ultra-multi-valued signals appear to be transmitted on the channel. The eavesdropper has to receive the ultra-multi-valued signal, because they do not know which communication base was selected.

3.2. Progress in Security Theory

The BB-84 protocol is a key delivery technique for securely sharing secret key sequences (random numbers). The Y-00 protocol is a symmetric key stream cipher technique for cryptographically transmitting data. As mentioned above, both quantum cryptography techniques enhance security by preventing eavesdroppers from taking the exact signal on the communication channel. The models that explains the principle of such physical technology is called the “basic model”. It is this basic model that can be found in textbooks for beginners.
Let us start with a QKD, such as BB-84. If the basic model of the BB-84 protocol is implemented in a real optical fiber communication system, then it can be eavesdropped. Therefore, in order to guarantee security even in systems with noise and energy loss, a technique that combines error correction and privacy amplification (universal hashing) was proposed, and then a theoretical discussion of security assurance became possible. That is, in 2000, P. Shor, et al. [16] proposed a mathematical security theory for BB-84 on an abstract mathematical model called the Shor model, which was later improved by R. Renner [17]. In brief, the security of the BB-84 protocol is evaluated by quantifying quantum trace distance of the two density operators to the ideal random sequence and the random sequence shared by the real system. This is the current standard theory for the security of QKD. It is very difficult to realize a real system that the quantum trace distance is sufficiently small.
On the other hand, from the beginning, the Y-00 protocol can consider the effects of non-ideal communication systems. As mentioned at the above section, the selection of communication base of the Y-00 protocol is encrypted by conventional mathematical cipher. The Y-00 quantum ciphertext, which is an optical signal, is emitted as the transmission signal. So, the ciphertext of the mathematical symmetric key cipher that an eavesdropper needs to decipher corresponds to the Y-00 quantum ciphertext. However, since the set of ultra-multi-valued signals, which is Y-00 quantum ciphertext, are a non-orthogonal quantum state ensemble, their received signals are inaccurate due to errors caused by quantum noise. Therefore, the discussion based on the computational security of the mathematical cryptographic part of Y-00 mechanism to be attacked is replaced by the problem of combination of information theoretic analysis and computational analysis. However, we should emphasize that the discussion with infinite number or asymptotic theory are not our concern, because our concern is a physical system under practical situation. For example, if an attacker needs circuits of the number of the size of the universe to perform the brute-force attack, the system is unbreakable. Or, if an attacker needs 100 years to collect the ciphertext for trying the cryptoanalysis, it is also impractical and unbreakable.

4. Survey of the Mathematical Security Analysis

4.1. The Main Story of Security

In the conventional symmetric key cipher, we have
H ( C X , f ( K s ) ) = 0
where X is plaintext, K s is secret key, f ( K s ) corresponds to running key and | f ( K s ) | | K s | , and C is ciphertext. However, in physical cipher system, the eavesdropper cannot do anything without obtaining the ciphertext from the physical signal. In the case of the Y-00 scheme, the eavesdropper has no other way but to observe the non-orthogonal signal, because the Y-00 signals corresponding to the ciphertext in the symmetric key cipher are an ensemble of non-orthogonal quantum states. Thus, the ciphertext that the eavesdropper can obtain are randomized by its quantum nature for any quantum processing by several quantum no-go theorems developed by Holevo and Yuen. This result means that the ciphertext cannot be determined correctly, even if the eavesdropper obtains the secret key K s and the plaintext X. That is,
H ( C X , f ( K s ) ) 0
This is the definition of so called “Random Cipher”. Thus, Y-00 scheme is a typical example of the random cipher. Here, let us describe the security evaluation in the practical setting based on two issues.
(i) The first issue:
The first issue was raised by the community of cryptology. The question of the cryptocommunity is how to formulate the error or correct estimation of ciphertext based on closeness between the sequence of ciphertext from the Y-00 signals received by the eavesdropper and a true random number sequence. Let us consider a quantum trace distance between density operators on the tensor product Hilbert space that corresponds to the ideal random sequence and the random sequence received by the eavesdropper. It can be denoted by following form, based on the Holevo–Yuen theory on quantum detection:
Δ q = max Π T r Π ( y p ( y ) ρ C I C E y ρ C I ρ C E ) Π : P O V M
In this case, C I is the ideal ciphertext, and C E is the output of the Eve’s receiver. Then, ρ C I corresponds to the density operator for ideal randomness, and that of Eve is ρ C E which depends on the randomization based on quantum noise effect and the artificial scheme designed in the Y-00 scheme.
Closeness of the ciphertext sequence of the eavesdropper to a true random number based on the above equation is evaluated as follows [18]:
Theorem 1.
Trace distance is bounded by Holevo information, as follows:
Δ q 2 B χ ( ϵ )
where B is a constant depending on the definition of relative entropy, and χ ( ϵ ) is Holevo information from the channel to the eavesdropper.
χ ( ϵ ) = S ( ρ C E ) y p ( y ) S ( ρ C E y )
where S ( ρ ) is the von Neumann entropy. The above Holevo information is a decrease function by the appropriate randomization technique under the fixed M.
Next, the probability that an eavesdropper can estimate the ciphertext y = α k ( X , f g ( K s ) , R p ) of Y-00 quantum stream cipher is given as follows. Let Δ q be the trace distance of the quantum density operators between an actual protocol and the ideal one. Then the average guessing probability for ciphertext of Y-00 cipher is bounded as follows:
1 N P g u e s s 1 N + Δ q 1 N + B χ ( ϵ )
where N = 2 | C y | . | C y | is the length of binary sequence converted from 2M-ary signal with the length m (number of slot). Thus, the guessing probability for the ciphertext y = α k ( X , f g ( K s ) , R p ) is controlled by Holevo information. In conclusion, under the fixed number of N, one can try to design the randomization technique such that χ ( ϵ ) 0 , and P g u e s s 1 / N . Indeed, the Y-00 scheme provides this situation under ciphertext-only attack.
(ii) The second issue:
The next issue is information-theoretic security analysis for symmetric key cipher. In general security analysis for the symmetric key cipher, we have three problems—ciphertext-only attack (COA), statistical attack (SA), and known-plaintext attack (KPA), respectively.
The main issue is that, assess to that information-theoretic security (ITS) can be guaranteed depending on how much ciphertext under COA (or plaintext at KPA) an eavesdropper obtains. Shannon gave the following inequality for general mathematical symmetric key ciphers under ciphertext-only attack:
H ( X | C ) H ( K s )
This is called the Shannon limit. Thus, one has the following property under KPA for the conventional additive stream cipher.
H ( K s X n = | K s | , C n = | K s | ) = 0
where X n = | K s | , C n = | K s | mean plaintext and ciphertext of the length n = | K s | , respectively.
A random physical cipher, such as the Y-00 scheme, may break the above relation. We describe the story of the theory in the following. Here, in the Y-00 scheme, the following is guaranteed:
H ( X C B , f ( K s ) ) = 0
where C B is the ciphertext received by a legitimate receiver. From here, we discuss the new potential of Y-00 scheme. In the case of a ciphertext-only attack, from Equation (3), this system provides the ability to break the Shannon limit in the cryptology as follows [19,20]:
H ( K s ) H ( X n | C n E )
where X n , C n E mean the plaintext sequence and ciphertext sequence of the length n received by the eavesdropper, respectively. We emphasize that C n E is different of the original ciphertext created by Y-00 mechanism.
Let us consider statistical attack and the known-plaintext attack. Here, the security evaluation is given by the quantum unicity distance [12,19] under the Holevo–Yuen theory on quantum detection [4,5,6], as follows:
n 0 : H ( K s C n 0 E ) = 0
n 1 : H ( K s X n 1 , C n 1 E ) = 0
where n 0 and n 1 are the unicity distances for ciphertext-only attack and known-plaintext attack, respectively. These mean the number of observations needed to find the secret key with and without known plaintext in the sense of information theoretic security. For exceeded number of n 0 and n 1 , it still provides the algorithm independent computational security.
The formulae of the unicity distance for the concrete Y-00 scheme were given by Nair et al. [12]. Let us compare Equations (9) and (13). If the Y-00 scheme can provide
n 1 | K s | ,
then the Y-00 scheme has the great advantage in comparison with the conventional cipher technology. For more rigorous analysis, we have the following criteria proposed by Yuen.
W ( n ) = max C E max K s K C E P ( K s | C n E )
Thus, it is possible to evaluate the security of this cipher quantitatively. This is a very significant feature in the history of cryptography.

4.2. Randomization Technology

In the early days when Y-00 was invented, the model used was the so-called basic model, and it just explained the principle. In order to achieve sufficient quantitative security, the randomization technique described here is necessary. In the criteria of cryptography by Shannon, such as Equations (12) and (13), the Y-00 scheme has a potential to have excellent quantitative security by additional randomization technology.
In this point of view, we have developed a new concept such as “quantum noise diffusion technology” [13,14]. In addition, several randomizations based on Yuen’s idea [3] have been discussed [21]. Using these techniques, it is expected to have security against known-plaintext attacks on key that cannot be achieved by a conventional cipher, as follows:
H ( X n C n E , K s ) 0
for certain finite n = n 2 > | K s | under the condition Equation (10). This means that one cannot pin-down the data under the finite length of ciphertext with error even if the secret key is provided to the attacker after they have received the Y-00 signals by their instruments [19,20]. This comes from the fact that the ciphertext for attacker is not correct ciphertext. This is called advantage creation based on receivers with key and without key.
This is an amazing capability, and this cannot be achieved even with “One Time Pad Cipher”. However, as the pointed out in the above, these security of abilities are limited to finite n 1 , and n 2 in principle, and these depend on the randomization technique. The general quantitative evaluation for the concrete randomization is still an open question. In this way, we can say that the Y-00 quantum stream cipher has the ability to provide security that exceeds the performance of conventional cryptography while maintaining the capabilities of ordinary optical communication. To date, there have been several criticisms of the security of the Y-00 principle, but one can see that they all turn out to be based on misunderstandings of the structure and claim of the Y-00 principle.

5. Concrete Applications of Quantum Stream Cipher

As mentioned above, the Y-00 quantum stream cipher has not yet reached its ideal performance, but in practical use, it has achieved a high level of security that cannot be achieved with conventional techniques, and it can be said that the ciphers are now at a level where they can be introduced to the market. To date, the development of transceiver for the Y-00 quantum stream cipher has been funded by the university president’s discretionary fund, as well as external funds from the Ministry of Education, Science and Technology (MEXT), and the Defense Acquisition Agency (DEA). Here, we introduce examples of the use case of the Y-00 quantum stream cipher.

5.1. Optical Fiber Communication

Large amounts of important data are instantaneously exchanged on the communication lines between data centers where various data are accumulated. It is important from the viewpoint of system protection to eliminate the risk that the data are copied in their entirety from the communication channel. We believe that the Y-00 quantum stream cipher is the best technology for this purpose (see Figure 4). On the other hand, this technology can be used for optical amplifier relay system. Hence, it can apply to the current optical communication systems. Transceivers capable of cryptographic transmission at speeds from one Gbit/s to 10 Gbit/s have already been realized, and by wavelength division multiplexing, a 100 Gbit/s system has been tested. Furthermore, communication distances of 1000 km–10,000 km have been demonstrated. In offline experiments, 10 Tbit/s has been demonstrated. In general, a dedicated line such as dark fiber is required. If we want to apply this technology to network function, then we need the optical switching technology developed by the National Institute of Advanced Industrial Science and Technology (AIST). Thus, in collaboration with AIST and other organizations, we have successfully demonstrated the feasibility of using the Y-00 transceiver in testbed optical switching systems (see Figure 5). Furthermore, Figure 6 shows the recent activities of the experimental research group at Tamagawa University towards practical application to the real world [22,23,24,25,26,27,28,29].

5.2. Optical Satellite Communication

The Y-00 quantum stream cipher, which was developed for fiber-optic communications, can also be applied to satellite communications. In satellite communication applications, the rate of operation is an important factor because communication performance depends on the weather conditions. With QKD, it is difficult to keep communications up and running except on clear-air nights. In the case of Y-00, communication by any satellite system can be almost ensured when the weather is clear. In case of bad weather, the effects of atmospheric turbulence and scattering phenomena need to be considered. We are currently analyzing the performance of the system in such cases at 10 Gbps operation [30].

5.3. Optical Communication from Base on the Moon to Earth

The Japanese government has initiated a study to increase the user transmission rate of optical space communications from 1.8 Gbps to more than 10 Gbps. Furthermore, in the future, the government aims to achieve higher transmission rates in ultra-long-distance communications required for lunar and planetary exploration. This plan is called LUCAS. We have started to design for an implementation of 1 Gbps communication system at a transmission distance of 380,000 km between the Moon and the Earth using the high-speed performance of the Y-00 quantum stream cipher.

6. Future Outlook and Conclusions

The current optical network was not laid out in a planned manner, but was configured by extending the existing communication lines for adapting the demand. In the future, the configuration and specifications of the optical network will be determined following to new urban planning. An actual example is the smart city that Toyota Motor Corporation et al. have disclosed as a future plan. Many ideas are also being discussed in other organizations. Recently, NTT has announced a future network concept so called IOWN. In these systems, the security of the all optical network with ultra-high speed is also important issue. The group of QKD and the group of Y-00 are promoting their respective technologies. However, recently, NSA and others announced the international stance on QKD [31]. They have a negative view of QKD, because the communication performance of QKD based on weak signal is not sufficient for applications to real situations. So, we do not employ QKD for key distribution of the initial key of Y-00, as shown in Figure 3 (Appendix B).
On the other hand, the Y-00 quantum stream cipher is a technology that can realize the specification of high speed and long communication distance. In addition, the signals of Y-00 cipher with ultra-multiple-valued scheme for coherent state signal, so called quantum modulation, can have stronger quantum properties than QKD in the sense of quantum detection theory. So, the security is protected by many quantum no-go theorems (Appendix C). Although it is difficult to make an accurate prediction, there is a good chance that such a new technology will be used in the future. In view of the situation described in this paper, the Y-00 quantum stream cipher will contribute to real-world applications of quantum technology for Society 5.0, and new business development can be expected. Finally, we would like to note that Chinese research institutes have recently been actively working on Y-00 quantum stream cipher. Figure 7 shows a list of academic papers on their activities [32,33,34,35,36,37,38,39]. It is expected that many research institutes will participate in this technological development.

Author Contributions

Conceptualization, M.S. and O.H.; methodology, M.S. and O.H.; validation, M.S. and O.H.; formal analysis, M.S. and O.H.; investigation, M.S. and O.H.; writing—original draft preparation, O.H.; writing—review and editing, M.S. and O.H. All authors have read and agreed to the published version of the manuscript.

Funding

This research recieved no external funding.

Acknowledgments

We are grateful to F. Futami, K. Tanizawa on experimental research, K. Nakahira, K. Kato and T. S. Usuda for discussions on theory.

Conflicts of Interest

The authors declare no conflict of interest.

Explanation of Symbols

Here we give the explanation on the several symbols.
  • (a) Conventional cipher:
  • X is plaintext; { 0 , 1 } , K s is secret key, f ( K s ) is running key; { 0 , 1 } ,
  • C is ciphertext; { 0 , 1 } .
  • (b) Y-00 quantum stream cipher:
  • X is plaintext; { 0 , 1 } , K s is secret key, f ( K s ) is running key of PRNG; { 0 , 1 } ,
  • Y-00 running key is f ( K s ) f g ( K s ) ; { 1 , 2 , 3 , M } ,
  • Y-00 ciphertext is y = α i ( X , f g ( K s ) , R p ) ; { 1 , 2 , 3 , 2 M } ,
  • R p is additional randomization,
  • Y-00 signal (quantum) is α i ( X , f g ( K s ) , R p ) > ,
  • C y is binary representation of Y-00 ciphertext; { 0 , 1 } ,
  • C E is ciphertext received by eavesdropper; { 1 , 2 , 3 , 2 M } , C I is the true random sequence.

Appendix A. Simple Explanation of Y-00 Principle

Here, we introduce the mathematical formulation of the Y-00 principle. Let us define signals. The information is binary, 0 or 1. Bit symbols i = 0, 1 are transmitted by many kinds of coherent state signals indexed by j. Here, j means the jth communication base in j M . Then, we have the following signal ensemble:
ρ ( i , j ) = | α ( i , j ) α ( i , j ) | , i = 0 , 1 , j = 1 , 2 , 3 , , M
where α ( i , j ) is a complex amplitude of coherent state, and the total number of signals becomes 2 M . It is important that we here set the following signal (see references [1,5,6,7]):
(1) Signal setting-A
α ( 0 , j ) | α ( 1 , j ) = η 1 , j
(2) Signal setting-B
Even if α ( 0 , j ) | α ( 1 , j ) = η 1 , j , we can arrange the signal configuration as follows:
α ( k = M / 2 ) | α ( k = M / 2 ) ± h 1
where M / 2 h M / 2 .
The communication channel for the legitimate user having the knowledge of j becomes the binary channel. That is, the signal is | α ( 0 , j ) or | α ( 1 , j ) , j . Let Π ( i o u t ) = { Π ( 0 ) , Π ( 1 ) } be the POVM for the binary detection. The conditional probability of the legitimate receiver is given as follows:
P ( i o u t i ) = T r | α ( i ) α ( i ) | Π ( i o u t ) 0 , j
where i = 0 , 1 , i o u t = 0 , 1 . On the other hand, when one does not know the j, the channel becomes the binary vs. 2 M . That is, the input signals are | α ( 0 , j ) or | α ( 1 , j ) , and the output signals are 2 M coherent states { | α ( i , j ) } . Let { Π ( k ) } , k = 1 , 2 , 3 , , 2 M be the POVM for 2 M signal detection, where k is the combination of i and j. The average correct probability of the eavesdropper is given by the Holevo–Yuen theory as follows:
P c o r r e c t ( k ) = max Π ( k ) k P ( k ) T r | α ( k ) α ( k ) | Π ( k ) 1 2 M
Here, we give more simple explanation how the data (plaintext) is protected under the ciphertext-only attack. Let us consider the accessible information. From signal setting A, the channel with the knowledge on j is based on Equations (A2) and (A4) as follows:
P ( i | i o u t ) δ i , i o u t
Thus, the accessible information on the data (plaintext) to the ensemble { ρ ( i , j ) } with the knowledge on j is
I ( X , Y ) A , B = H ( X ) H ( X | Y ) H ( X ) = 1
The channel without the knowledge on j is based on Eq(A-21) as follows:
P ( i = 0 | k ) 1 2 ϵ k , P ( i = 1 | k ) 1 2 + ϵ k
where ϵ k 0 . Thus, the accessible information on the data (plaintext) of the eavesdropper is
I ( X , Y ) A , E = H ( X ) H ( X | Y ) 0
The difference between I ( X , Y ) A , B and I ( X , Y ) A , E is called the advantage creation by the knowledge on j. This is a core of the Y-00 principle.

Appendix B. Quantum Computer and Quantum-Computer-Resistant Cryptography

It is difficult to predict the realization of a quantum computer capable of cryptoanalysis. It was discovered in our recent paper [40] that a new type of error so called nonlinear error or bust error occurs in general quantum computer. Therein, an error probability for single qubit increases depending on number of qubits in the system. These nonlinear errors and bust errors are caused by the recurrence effect due to quantum correlation or the collective decoherence, and by cosmic ray. They cause serious damage to scalable quantum computers, and cause serious degradation to the capability of the quantum computer. In addition, a number of previously unknown and extremely difficult problems in the development for an error correctable quantum computer have been reported [41,42,43,44]. Thus, the capability of a real quantum computer is strictly limited and that the current cryptography is not subject to the danger posed by current quantum computers. However, we believe that the ideal quantum computer will be realized in the future. So, one should develop quantum computer-resistant cryptosystems based on mathematical analysis, or by physical cipher on the assumption that an ideal quantum computer or new mathematical discovery can be realized in the future. Recently, J. P. Mattsson, B. Smeets, and E. Thormarker [45] have provided an excellent survey for the NIST quantum-computer-resistant cryptography standardization effort, the migration to quantum-resistant public-key cryptography, and the relevance of quantum key distribution as a complement to conventional cryptography. In particular, these algorithms of quantum-resistant public-key cryptography can execute completely in software on classical computers, in contrast to, e.g., quantum key distribution, which requires very expensive custom hardware. For functions of authentication, signature, and key distribution, such capability provided by software is very important in real-world applications.

Appendix C. Advanced Quantum Detection and Estimation Theory

The development of modern optical communications has been remarkable and its communication abilities are providing its benefits to all regions of the globe. Any communication technology must assume the current performance of optical communication when one intends to provide new functions in communication technology. It is not acceptable to sacrifice this communication ability in order to provide new functions. The communication distance and speed required by the real world cannot be achieved except in a conventional light source. One of the reasons for this is that laser light as a light source has a very stable quantum property called coherent state. The Y-00 quantum stream cipher is the most typical technology to provide a new feature of security to ordinary optical communications having a coherent state. Its basic technology is to use the quantum communication theory [4,5,46] in order to enhance the quantumness of the signal ensemble under high power coherent state signal. Further development along this concept is expected in the future. In particular, the theories of M. Ban [47], S. van Enk [48], S. Pirandola [49,50], M. G. A. Paris [51], and others will contribute to the development of generalized Y-00, and others. In fact, attempts have been made to integrate these theories as a no-go theorem [52,53,54,55].

References

  1. Tsujii, S. The Fight against Fakes; Kotoni Publishing Co.: Chiba Prefecture, Japan, 2021. [Google Scholar]
  2. Hirota, O.; Tsujii, S. Quantum noise analysis for quantum computer. IEICE Jpn. Tech. Rep. Inf. Theory 2021, 121, 28–33. [Google Scholar]
  3. Yuen, H.P. KCQ: Keyed communication in quantum noise. arXiv 2003, arXiv:0311061. [Google Scholar]
  4. Holevo, A.S. Statistical decision theory for quantum systems. J. Multivar. Anal. 1973, 3, 337–394. [Google Scholar] [CrossRef] [Green Version]
  5. Yuen, H.P.; Kennedy, R.S.; Lax, M. Optimum testing of multiple hypotheses in quantum detection theory. IEEE Trans. Inf. Theory 1975, 21, 125–134. [Google Scholar] [CrossRef]
  6. Hirota, O.; Ikehara, S. Minimax strategy in the quantum detection theory and its application to optical communications. Trans. IEICE Jpn. 1982, 65E, 627. [Google Scholar]
  7. Kato, K. Non-orthogonality measures for a collection of pure quantum states. Entropy 2022, 24, 581. [Google Scholar] [CrossRef]
  8. Borbosa, G.A.; Corndorf, E.; Kumar, P.; Yuen, H.P. Secure communication using mesoscopic coherent states. Phys. Rev. Lett. 2003, 90, 227901. [Google Scholar] [CrossRef] [Green Version]
  9. Kanter, G.S.; Reillly, D.; Smith, N. Practical physical layer encryption:The marriage of optical noise with traditional cryptography. IEEE Commun. Mag. 2009, 47, 74–81. [Google Scholar] [CrossRef]
  10. Hirota, O.; Sohma, M.; Fuse, M.; Kato, K. Quantum stream cipher by Yuen 2000 protocol: Design and experiment by intensity modulation scheme. Phys. Rev. A 2005, 72, 022335. [Google Scholar] [CrossRef] [Green Version]
  11. Ohhata, K.; Hirota, O.; Honda, M.; Akutsu, S.; Doi, Y.; Harasawa, K.; Yamashita, K. 10 Gbit/s optical transceiver using the Yuen 2000 encryption protocol. IEEE. J. Lightw. Technol. 2010, 28, 2714–2723. [Google Scholar] [CrossRef]
  12. Nair, R.; Yuen, H.P.; Corndolf, E.; Kumar, P. Quantum noise randomized ciphers. Phys. Rev. A 2006, 74, 052309. [Google Scholar] [CrossRef] [Green Version]
  13. Hirota, O.; Kurosawa, K. Immunity against correlation attack on quantum stream cipher by Yuen 2000 protocol. Quantum Inf. Process. 2007, 6, 81–91. [Google Scholar] [CrossRef] [Green Version]
  14. Hirota, O. Practical security analysis of quantum stream cipher by Yuen protocol. Phys. Rev. A 2007, 76, 032307. [Google Scholar] [CrossRef]
  15. Yuen, H.P. Key generation: Foundation and new quantum approach. IEEE Sel. Top. Quant. Electron. 2009, 15, 1630–1645. [Google Scholar] [CrossRef] [Green Version]
  16. Shor, P.; Preskill, J. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 2000, 85, 441. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  17. Renner, R. Security of quantum key distribution. Int. J. Quantum Inf. 2008, 6, 1. [Google Scholar] [CrossRef]
  18. Hirota, O. Application of quantum Pinsker inequality to quantum communications. arXiv 2020, arXiv:2005.04553. [Google Scholar]
  19. Yuen, H.P.; Nair, R.; Corndorf, E.; Kanter, G.S.; Kumar, P. On the security of αη response to some attacks on quantum-based cryptographic protocols. Quantum Inf. Comput. 2006, 6, 561–582. [Google Scholar]
  20. Hirota, O.; Sohma, M.; Kawanishi, K. Quantum noise randamized stream cipher:Y-00. Jpn. J. Opt. 2010, 39, 17. [Google Scholar]
  21. Kato, K.; Hirota, O. Quantum stream cipher part IV, Effects of the deliberate signal randomization and deliberate error randomization. In Proceedings of the SPIE Conference on Quantum Communciations and Quantum Imaging IV, San Diego, CA, USA, 13–17 August 2006; Volume 6305. [Google Scholar]
  22. Futami, F.; Guan, K.; Gripp, J.; Kato, K.; Tanizawa, K.; Chandrasekhar, S.; Winzer, P.J. Y-00 quantum stream cipher overlay in a coherent 256-Gbit/s polarization multiplexed 16-QAM WDM. Opt. Express 2017, 25, 33338. [Google Scholar] [CrossRef]
  23. Futami, F.; Tanizawa, K.; Kato, K. Y-00 quantum-noise randomized stream cipher using intensity modulation signals for physical layer security of optical communications. IEEE/OSA J. Lightw. Technol. 2020, 38, 2773–2780. [Google Scholar] [CrossRef]
  24. Tanizawa, K.; Futami, F. 214 intensity-level 10-Gbaud Y-00 quantum stream cipher enabled by coarse-to-fine modulation. IEEE Photonics Technol. Lett. 2018, 30, 1987–1990. [Google Scholar] [CrossRef]
  25. Tanizawa, K.; Futami, F. Digital coherent PSK Y-00 quantum stream cipher with 217 randomized phase levels. Opt. Express 2019, 27, 1071–1079. [Google Scholar] [CrossRef] [PubMed]
  26. Tanizawa, K.; Futami, F. Single channel 48-Gbit/s DP-PSK Y-00 quantum stream cipher transmission over 400- and 800-km SSMF. Opt. Express 2019, 27, 25357–25363. [Google Scholar] [CrossRef] [PubMed]
  27. Tanizawa, K.; Futami, F. Quantum noise-assisted coherent radio-over-fiber cipher system for secure optical fronthaul and microwave wireless links. IEEE/OSA J. Lightw. Technol. 2020, 38, 4244–4249. [Google Scholar] [CrossRef]
  28. Chen, X.; Tanizawa, K.; Winzer, P.; Dong, P.; Cho, J.; Futami, F.; Kato, K.; Melikyan, A.; Kim, K.W. Experimental demonstration of 4,294,967,296-QAM based Y-00 quantum stream cipher template carrying 160-Gb/s 16-QAM signals. Opt. Express 2021, 29, 5658–5664. [Google Scholar] [CrossRef] [PubMed]
  29. Tanizawa, K.; Futami, F. Ultra-long-haul digital coherent PSK Y-00 quantum stream cipher transmission system. Opt. Express 2021, 29, 10451–10464. [Google Scholar] [CrossRef]
  30. Hirota, O.; Kato, K.; Sohma, M. Application of Y-00 quantum stream cipher to satellite communication-Mathematical model of weather disturbance. IEICE Jpn. Tech. Rep. Inf. Theory 2022, 121, 143–148. [Google Scholar]
  31. NSA. Quantum Computing and Post-Quantum Cryptography FAQs, National Security Agency Central Security Service. 2021. Available online: https://www.quantum.gov/nsa-updates-faq-on-post-quantum-cybersecurity/?msclkid=525975f1cdce11eca34ea2e9f2b11545 (accessed on 1 March 2022).
  32. Chen, Y.; Jiao, H.; Zhou, H.; Zheng, J.; Pu, T. Security analysis of QAM quantum noise randomized cipher system. IEEE Photonics J. 2020, 12, 7904114. [Google Scholar] [CrossRef]
  33. Tan, Y.; Pu, T.; Zhou, H.; Zheng, J.; Su, G. Performance analysis of physical layer security in ISK quantum noise randomized cipher based on wiretap channel. Opt. Commun. 2020, 461, 125151. [Google Scholar] [CrossRef]
  34. Jiao, H.; Pu, T.; Zheng, J.; Xiang, P.; Fang, T. Physical layer security analysis of a quantum noise randomized cipher based on the wire tap channel model. Opt. Express 2017, 25, 10947. [Google Scholar] [CrossRef] [PubMed]
  35. Jiao, H.; Pu, T.; Zheng, J.; Xiang, P.; Fang, T.; Zhu, H. Physical-layer security analysis of PSK quantum-noise randomized cipher in optically amplified links. Quant. Inf. Process. 2017, 16, 189. [Google Scholar] [CrossRef]
  36. Zhang, M.; Li, Y.; Song, H.; Wang, B.; Zhao, Y.; Zhang, J. Security Analysis of Quantum Noise Stream Cipher under Fast Correlation Attack. In Optical Fiber Communication Conference (OFC) 2021; Optical Society of America: Washington, DC, USA, 2021. [Google Scholar]
  37. Yang, X.; Zhang, J.; Li, Y.; Zhao, Y.; Zhang, H. DFTs-OFDM based quantum noise stream cipher system. Opt. Commun. 2019, 445, 29. [Google Scholar] [CrossRef]
  38. Yang, X.; Zhang, J.; Li, Y.; Gao, G.; Zhang, H. Single Carrier QAM/QNSC and PSK/QNSC Transmission Systems with Bit Resolution Limited DACs; OECC Technical Digest, 5D1-3; OECC: Camden, AR, USA, 2018. [Google Scholar]
  39. Yu, Q.; Wang, Y.; Li, D.; Song, H.; Fu, Y.; Jiang, X.; Huang, L.; Cheng, M.; Liu, D.; Deng, L. Secure 100 Gb/s IMDD Transmission Over 100 km SSMF Enabled by Quantum Noise Stream Cipher and Sparse RLS-Volterra Equalizer. IEEE Access 2020, 8, 63585. [Google Scholar] [CrossRef]
  40. Hirota, O. Introduction to semi-classical analysis for digital errors of qubit in quantum prosessor. Entropy 2021, 23, 1577. [Google Scholar] [CrossRef] [PubMed]
  41. Dinc, F.; Bran, A.M. Non-Markovian super-superradiance in a linear chain of up to 100 qubits. Phys Rev. Res. 2019, 1, 032042. [Google Scholar] [CrossRef] [Green Version]
  42. Fang, K.; Liu, Z. No-Go Theorems for Quantum Resource Purification. Phys. Rev. Lett. 2020, 125, 060405. [Google Scholar] [CrossRef]
  43. Bousba, Y.; Russell, T. No quantum Ramsey theorem for stabilizer codes. IEEE Trans. Inform. Theory 2021, 67, 408–415. [Google Scholar] [CrossRef]
  44. Asiani, M.; Chai, J.; Whitney, R.; Auffeves, A.; Ng, H. Limitations in quantum computing from resource constraints. arXiv 2020, arXiv:2007.01966. [Google Scholar]
  45. Mattsson, J.P.; Smeets, B.; Thormarker, E. Quantum-Resistant Cryptography. arXiv 2021, arXiv:2112.00399. [Google Scholar]
  46. Helstrom, C.W. Quantum Detection and Estimation Theory; Academic Press: New York, NY, USA, 1976. [Google Scholar]
  47. Ban, M.; Kurokawa, K.; Momose, R.; Hirota, O. Optimum measurements for discrimination among symmetric quantum states and parameter estimation. Int. J. Theor. Phys. 1997, 36, 1269–1288. [Google Scholar] [CrossRef]
  48. van Enk, S.J. Unambiguous state discrimination of coherent states with linear optics: Application to quantum cryptography. Phys. Rev. A 2002, 66, 042313. [Google Scholar] [CrossRef] [Green Version]
  49. Pirandola, S. Quantum reading of a classical digital memory. Phys. Rev. Lett. 2011, 106, 090504. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  50. Pirandola, S.; Lupo, C.; Giovannetti, V.; Mancini, S.; Braunstein, S.L. Quantum reading capacity. New J. Phys. 2011, 13, 113012. [Google Scholar] [CrossRef]
  51. Paris, M.G.A. Quantum estimation for quantum technology. Int. J. Quantum Inf. 2009, 7, 125. [Google Scholar] [CrossRef]
  52. Nakahira, K.; Kato, K.; Usuda, T. Minimax strategy in quantum signal detection with inconclusive results. Phys. Rev. A 2013, 88, 032314. [Google Scholar] [CrossRef]
  53. Nakahira, K.; Kato, K.; Usuda, T. Generalized quantum state discrimination problems. Phys. Rev. A 2015, 91, 052304. [Google Scholar] [CrossRef] [Green Version]
  54. Nakahria, K.; Usuda, T.; Kato, K. Finding Optimal Solutions for Generalized Quantum State Discrimination Problems. IEEE Trans. Inf. Theory 2017, 63, 7845. [Google Scholar] [CrossRef] [Green Version]
  55. Nakahira, K.; Kato, K. Generalized quantum process discrimination problems. Phys. Rev. A 2021, 103, 062606. [Google Scholar] [CrossRef]
Figure 1. Classification of cryptographic techniques.
Figure 1. Classification of cryptographic techniques.
Entropy 24 00667 g001
Figure 2. Principle of operation of Y-00 quantum stream cipher. Classical signal means that they have distinguishability, and quantum signal means it is impossible to distinguish them precisely. Y-00 encryption is the function of converting a classical signal into a quantum signal. It is also called quantum modulation.
Figure 2. Principle of operation of Y-00 quantum stream cipher. Classical signal means that they have distinguishability, and quantum signal means it is impossible to distinguish them precisely. Y-00 encryption is the function of converting a classical signal into a quantum signal. It is also called quantum modulation.
Entropy 24 00667 g002
Figure 3. Comparison of product capabilities for two types of quantum cryptography services.
Figure 3. Comparison of product capabilities for two types of quantum cryptography services.
Entropy 24 00667 g003
Figure 4. Application to data center communication security (protection against eavesdropping, tampering, and virus injection from communication lines). Commercial transceiver is for 1 Git/s optical ethernet. This can be mass produced.
Figure 4. Application to data center communication security (protection against eavesdropping, tampering, and virus injection from communication lines). Commercial transceiver is for 1 Git/s optical ethernet. This can be mass produced.
Entropy 24 00667 g004
Figure 5. Scheme of optical network by dynamic path and experimental demonstration of service of the Y-00 quantum stream cipher by Tamagawa University and AIST in Tokyo Bay Coastal area.
Figure 5. Scheme of optical network by dynamic path and experimental demonstration of service of the Y-00 quantum stream cipher by Tamagawa University and AIST in Tokyo Bay Coastal area.
Entropy 24 00667 g005
Figure 6. Recent activities of experiment of Y-00 quantum stream cipher at Tamagawa University.
Figure 6. Recent activities of experiment of Y-00 quantum stream cipher at Tamagawa University.
Entropy 24 00667 g006
Figure 7. Research activities on the Y-00 quantum stream cipher in China.
Figure 7. Research activities on the Y-00 quantum stream cipher in China.
Entropy 24 00667 g007
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Sohma, M.; Hirota, O. Quantum Stream Cipher Based on Holevo–Yuen Theory. Entropy 2022, 24, 667. https://doi.org/10.3390/e24050667

AMA Style

Sohma M, Hirota O. Quantum Stream Cipher Based on Holevo–Yuen Theory. Entropy. 2022; 24(5):667. https://doi.org/10.3390/e24050667

Chicago/Turabian Style

Sohma, Masaki, and Osamu Hirota. 2022. "Quantum Stream Cipher Based on Holevo–Yuen Theory" Entropy 24, no. 5: 667. https://doi.org/10.3390/e24050667

APA Style

Sohma, M., & Hirota, O. (2022). Quantum Stream Cipher Based on Holevo–Yuen Theory. Entropy, 24(5), 667. https://doi.org/10.3390/e24050667

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop