1. Introduction
Shannon has developed a historically groundbreaking theory for evaluating cryptographic functionality, utilizing his own entropy theory to analyze whether a cipher is decipherable [
1]. Massey, on the other hand, offered a cryptographic direction that addresses real-world challenges while respecting Shannon’s concept [
2]. The conditions that must be satisfied by ciphers for data to be useful in the real world are shown in
Figure 1. That is, it is important that the ciphers used in practice satisfy the above in a balanced manner.
Massey suggested a concept to realize the above conditions as a technology, as follows:
- (1)
A short symmetric key is set and it is extended by a pseudo-random number generator (PRNG).
- (2)
The data are encrypted by the output of the PRNG.
- (3)
Private randomization techniques are useful to attain information theoretic security.
- (4)
Randomization for plaintext is a candidate for private randomization.
These are applicable for immunity against ciphertext-only attacks. A symmetric key cipher in modern mathematical cryptology requires at least a guarantee of computational security against known plaintext attacks. Thus, it was considered a difficult question whether or not an information-theoretic cipher can guarantee immunity against known plaintext attacks. To solve the above problem, H.P. Yuen proposed the basic concept of a new cipher, the so-called “generalized random cipher”, in collaboration with P. Kumar and O. Hirota; he disclosed a physical example of the generalized random cipher in a white paper in 2000, and the first experimental demonstration was reported in the QCMC in 2002 with the Kumar group [
3]. The realization of the generalized random cipher is called the quantum stream cipher, at present. A more detailed name is the quantum noise randomized stream cipher operated by the Y-00 protocol. His fundamental idea consists of the following structure to satisfy Massey’s conditions of utility, as shown in
Figure 1:
- (1)
Use a high-powered laser with a coherent state as the light source and use optical amplifiers for long transmissions.
- (2)
Use the mathematical cipher to diffuse the data into a set of M-ary coherent states that make up the transmission medium.
- (3)
Adopt randomizations of ciphertext in order to effectively control the quantum noise of the high-powered laser.
What crucially distinguishes Yuen’s idea from Massey’s is that the randomization moves from plaintext to ciphertext to achieve information-theoretic security against known plaintext attacks (see
Figure 2). To realize these configurations, Yuen proposed a scheme based on communication theory to differentiate between the physical signal detection capabilities of the legitimate receiver and the eavesdropper. This is called “advantage creation by secret key”. The way to perform this is to adopt a communication scheme such that the ciphertext received by the eavesdropper is hidden by quantum noise. Such a principle is called keyed communication in quantum noise (KCQ). This principle leads to a situation where the ciphertexts that can be received by the receivers for legitimate communicators and for eavesdroppers are different.
Figure 3 shows the scheme of the conventional mathematical stream cipher.
Figure 4 and
Figure 5 show the scheme and the concept of the quantum stream cipher based on the Holevo–Yuen theory.
Applications of such a physical encryption technique appear to be limited, not applicable to general communication networks. But to diversify communication functions, a quantum stream cipher which utilizes physical phenomena is beginning to be considered for the ultrafast optical backbone network by several industries. However, this cryptographic technique has extremely complicated mechanisms, and some aspects have emerged that are difficult to communicate, even among experts in cryptography. The first paper in 2022 with the same title [
4] has explained the position of the quantum stream cipher from a broad perspective as a cryptographic technique. In this second paper, we introduce the principles of security guarantees for quantum stream ciphers. Then, we describe the theoretical structure of security and explain its final target, as shown in
Figure 6.
Since the main purpose of this paper is to explain how the random cipher based on the KCQ principle differs from the conventional Shannon random cipher, we first summarize Shannon’s concept in
Section 2, which is based on information theory, and explain a generalized Shannon random cipher in this context as a conceptual model in
Section 3. Then, we list the theoretical structure and performance of quantum stream ciphers such as Type-I, Type-II, and Type-III as concrete implementations of the conceptual model in the subsequent sections. In such models, we show that there exists a quantum stream cipher which is not broken, even if the secret key is stolen after communications.
2. Review of Shannon–Massey Theory of Cryptography
2.1. Historical View
It is well known that Shannon published in BSTJ, in 1949, his attempt to apply the entropy-based information theory to clarify a fundamental concept of cryptography. Many well-known researchers have explained its purpose [
2,
5,
6,
7], and the authors have nothing to add. However, in view of the development of cryptology after Shannon, it is worthwhile to explain the position of Shannon’s cryptology once again based on Massey’s concept [
2].
Today’s practical cryptography has moved away from Shannon’s information-theoretic viewpoint to mathematical cryptography based on computer science, which has developed into the fundamental technology of the modern information society. One of the reasons for this is that the modern information infrastructure, of which the Internet is the main form of communication, is extremely large and cannot be handled only by Shannon’s cryptosystem. Mathematical cryptography based on computer science can handle large-scale systems and is absolutely indispensable for the ever-expanding communication infrastructure.
On the other hand, in recent years, ultrahigh-speed backbone communication networks have become necessary as a communication infrastructure to support huge systems represented by cloud computing, and thanks to the efforts of optical communication researchers, optical backbone communication lines are reaching the point of completion to support huge cloud computing systems. Against this backdrop, an environment has emerged in which information-theoretic cryptography can play an active role as a security technology for backbone communication networks.
Taking this opportunity, we believe it is worthwhile to analyze the Shannon–Massey scheme of cryptology again from various point of views. In the following sections, we describe our attempt.
2.2. Conventional Definition of Information-Theoretic Security for Symmetric Key Cipher
First, let us set a cipher mechanism to be considered. When a plaintext sequence is
X and a secret key is
K, the ciphertext is given by
where
is a encryption function. The secret key includes a running key sequence from PRNG with a short initial key or a true long random sequence.
We begin by stating a basic assumption of Shannon theory. In Shannon theory, when one constructs a cryptographic mechanism, there is an assumption that the ciphertext
is set by the legitimate sender and it can be correctly received by both legitimate receiver and eavesdropper. Namely,
where
and
are ciphertext sequences that can be received by the legitimate receiver and eavesdropper. Under this precondition, both the legitimate one and the eavesdropper can decrypt the correct ciphertext with the correct key sequence based on a secret key and PRNG. Such a mechanism can be expressed using the entropy theory developed by Shannon as follows:
Thus, the security of Shannon’s cryptology is defined as follows:
Definition 1. An eavesdropper who does not know the secret key cannot decrypt the ciphertext with probability 1. This is equivalent toThis cryptosystem is said to be information-theoretically secure against a ciphertext-only attack (COA). On the other hand, the following theorem holds for cryptosystems with the conditions of Equation (
2) [
2,
5,
6].
Theorem 1. When the ciphertext consists of plaintext and the key sequence, the ambiguity of the plaintext has the following limitations. This theorem is called the Shannon limit. In the following, we explain specific features of Shannon’s cipher under the conditions of Equation (
2).
2.2.1. Non-Random Cipher
Prepare a key sequence K to encrypt a plaintext sequence X. Assume that the ciphertext is composed of these two sequences. In this case, a non-random cipher is defined as follows:
Definition 2. A cryptosystem whose constructed ciphertext satisfies the following properties is called a non-random cipher: A typical example of this type of cipher is an additive stream cipher. Let
and
be a plaintext and a key sequence, respectively. Then the ciphertext is as follows.
Here, Shannon gives the following definition of full confidentiality for the above cryptographic mechanism.
Definition 3. A cryptosystem is fully confidential (or has perfect security in the sense of entropy) if it satisfies the following properties Based on this definition, the conditions for achieving perfect security in the sense of entropy are as follows.
Theorem 2. For a cipher system to have perfect security in the sense of entropy for any plaintext statistics, the key sequence length must be equal to or greater than the plaintext sequence length, i.e.,where the key sequence must be a sequence of true random numbers. The cryptographic mechanism that meets the above conditions is called the One Time Pad (or Vernum cipher). It is inefficient and leaves excesses in key management and known plaintext attacks [
8,
9].
2.2.2. Shannon Random Cipher
In Shannon theory, we can consider an information-theoretically secure cipher even if it does not satisfy the full confidentiality condition. It is called a random cipher and is defined as follows:
Definition 4. When a cryptosystem constructed under the conditions of Equations (2), (3), and (5) has the following propertiesit is called a random cipher in the sense of Shannon. In the case of a ciphertext-only attack, a cryptosystem with these properties can be realized by adopting a private randomization mechanism originating from Gauss, and its information-theoretic security is evaluated by the unicity distance theory. Its concrete structure is shown below [
2,
5,
6].
2.3. Unicity Distance Theory
2.3.1. Summary
Shannon and his successors have discussed cases where Theorem 2 does not hold but the encryption cannot be uniquely decrypted by a ciphertext-only attack. To simplify the discussion, we take a stream cipher encrypted by a pseudo-random number generator (PRNG) with a short secret key. In order to evaluate the degree of information-theoretic security of such a cipher system, the following unicity distance is defined.
Definition 5. Let be a sequence of ciphertexts for an eavesdropper and be the minimum number of ciphertexts for which the ambiguity of the secret key is zero. Then, it is called the unicity distance of a ciphertext-only attack. That is, Here, we assume that the statistical structure of the plaintext is known, the entropy per symbol is
, and the entropy of the key sequence is
. Then, the number of key–plaintext pairs per each ciphertext is given by
Since
in the above equation is equivalent to zero key ambiguity, the unicity distance is as follows [
5,
6]
The above equation shows that the unicity distance depends on the statistical structure of the plaintext.
2.3.2. Shannon Random Cipher and Its Unicity Distance
Homophonic substitution is an example of a method to increase the entropy per symbol of plaintext, independent of the key sequence. When this method is introduced, the ciphertext is not uniquely determined by the key–plaintext pair. In this case, Equation (
10) holds. Therefore, this cipher system is a random cipher. In such a random cipher, the larger the entropy of the plaintext, the more difficult it becomes to estimate the key from the ciphertext. In other words, the unicity distance becomes larger. If
, the unicity distance becomes infinite and the key cannot be uniquely determined even from an infinite number of ciphertexts. This is called an ideal cipher. However, if the eavesdropper obtains the correct key after obtaining the ciphertext, the correct plaintext can be decrypted since
is a precondition. Thus, the Shannon limit holds.
2.4. Known Plaintext Attack Against Conventional Cipher
As introduced in the previous section, the cryptography theory of Shannon and his successors ends with a formulation for a ciphertext-only attack. In this section, we explain how Shannon’s theory holds when we assume a known plaintext attack (for simplicity, we assume an additive stream cipher).
Definition 6. Let be the ciphertexts of length n of the eavesdropper, and assume that the plaintexts of the same length are known. The minimum number of ciphertexts for which the ambiguity with respect to the key is zero is defined as follows.The in the above equation is called the unicity distance of known plaintext attacks. In the following, we show some properties of the unicity distance for non-random ciphers and random ciphers in the Shannon theory.
2.4.1. Non-Random Cipher
Since
in a non-random cipher, the following holds if a ciphertext of length equal to the key length and the corresponding plaintext are known.
where
and
are the ciphertext equal to the key length and the corresponding known plaintext, respectively. From the above,
This means that non-random ciphers can be decrypted in principle. Thus, the conventional symmetric key cryptography has only the above degree of information-theoretic security, and the rest relies on computational security.
2.4.2. Shannon Random Cipher
For a random cipher in Shannon theory, one has
under the condition
. From the theory of entropy, the following holds in general.
Assuming equality in the Shannon limit
, there exists a finite
n, namely
, for which
from the above formula. Therefore, even if
is infinite, a random cipher can be formally deciphered by a known plaintext attack. From the above, it is expected that conventional random ciphers are not very effective against known plaintext attacks because they depend on plaintexts, and if the structure of the plaintext is known, the randomization has little effect.
Thus, the conventional cryptographic techniques can provide information-theoretic security against a ciphertext-only attack, but these cannot provide information-theoretic security against known plaintext attacks.
3. Conceptual Generalized Random Cipher and Its Fundamental Properties
3.1. Conceptual Mechanism
Even with a cryptographic mechanism that uses a short secret key and PRNG, it is still possible to resist ciphertext-only attacks to a practical extent. In order to realize a cryptosystem with information-theoretic security for general attacks, it is necessary to develop a random cipher that goes beyond the existing concept of random ciphers. In this section, we provide an overview of the generalization of the Shannon random cipher as a conceptual mechanism.
Here, we define a generalized Shannon random cipher as a cryptosystem such that the ciphertext of the cryptosystem is hidden by ideal noise, and it has the following features.
where
and
are the ciphertexts of the legitimate communicator and
is the ciphertext received by the eavesdropper. In other words, this is achieved by creating a situation where the ciphertext received by the legitimate receiver and the ciphertext that can be received by the eavesdropper are different. If we describe this in a sequence, it is as follows:
where
denote errors due to true noise. If this situation could be realized, then the following conceptual relations would be held.
Such a random cipher is a completely different form of random cipher than the conventional Shannon random cipher. Why this is possible is explained in a later section.
3.2. Generalized Unicity Distance
First, if the ciphertext received by a legitimate receiver and the ciphertext that can be received by an eavesdropper are different, the following situation is possible in the practical sense.
In other words, the legitimate receiver can obtain the correct plaintext with the correct key, but because the ciphertext of the eavesdropper has errors, the possibility appears such that the correct plaintext is not obtained even with the correct key. We need a generalization of the unicity distance to evaluate the security of the system in such cases. The unicity distances for such a cryptographic mechanism are described below [
10,
11,
12].
3.2.1. Ciphertext-Only Attack
The unicity distance of a ciphertext-only attack is described for the eavesdropper’s ciphertext as follows:
Definition 7. Let be the minimum length of the ciphertext that has zero key ambiguity for the eavesdropper’s ciphertext. Then, it is given by is called the unicity distance of the ciphertext-only attack for a generalized random cipher. Unlike the conventional type, the above equation does not depend on the statistical structure of the plaintext, but on the randomness of the ciphertext that can be obtained by the eavesdropper. The error sequence in Equation (
20) should be completely random numbers or its equivalent.
To achieve this, it is convenient to use the quantum noise effects of light. As an example, if the signal system consists of non-orthogonal quantum states when the eavesdropper receives the signal, the theory is that an ideal random number error effect will appear in the received signal. This is due to quantum irregularities (Born effect) when quantum superpositions are collapsed by measurement. Detailed discussions will be given in the subsequent sections.
3.2.2. Known Plaintext Attack
The conventional random ciphers can achieve a large unicity distance for a ciphertext-only attack, but the technology to achieve this is very complicated. Furthermore, it is difficult to guarantee information-theoretic security more than a key length in the known plaintext attack.
Here, we consider a known plaintext attack on a generalized random cipher. First, the information-theoretic security evaluation for the known plaintext attack is given as follows.
Definition 8. The unicity distance of known plaintext attacks for generalized random ciphers is defined as follows: In the case of the generalized random cipher, since it does not depend on the structure of the plaintext, the known plaintexts do not have much effect on the unicity distance. In other words, the following can be expected.
Later sections will discuss specific examples of this.
3.2.3. Secret Key Leakage Attack in COA
In conventional symmetric-key ciphers, an eavesdropper can retain the correct ciphertext, and if she can obtain the secret key after the communication, the correct plaintext can be obtained. This is due to
. However, in generalized random ciphers, a possibility of Equation (
24) arises because the eavesdropper’s ciphertext will be inaccurate. Therefore, we can define the following evaluation function.
Definition 9. When the secret key (initial key for PRNG) is stolen after communication, the minimum length of ciphertext needed by the eavesdropper to obtain the correct plaintext is as follows:The above is called the unicity distance of the secret key leakage attack. 4. Concrete Evaluation Method of Generalized Shannon Random Cipher
In the above section, we defined several unicity distances for several attacks. The main purpose of a generalized Shannon random cipher is to improve security against known plaintext attacks (KPAs). In order to perform a quantitative evaluation of security, it is necessary to develop a method for its calculation. We discuss a method in the following.
In the case of KPA for the conventional cipher, an eavesdropper can obtain the correct running key sequence which corresponds to the output sequence from the PRNG.
The purpose of the eavesdropper is to estimate the secret key of the PRNG from the running key sequence. Assume that the PRNG consists of a linear shift register (LFSR) with a secret key (e.g., 256 bits) and a nonlinear filter. In general, one can adopt information theoretic analysis in an immunity evaluation in the conventional stream ciphers. The technique is called a fast correlation attack.
The efficiency of key estimation is evaluated by considering the following model. Suppose that the LFSR output is regarded as a linear code word of
and the nonlinear filter section is modeled as a noisy communication channel with an error rate of
which depends on the structure of the nonlinear part. So, the model corresponds to a decoding problem for a linear code word of length
n and information bit
K. The feature of this method is that the computational security of the nonlinear filter section is analyzed by an information-theoretic model. Such a theory was developed by Siegenthaler [
13], Chepyzhov-Smeets [
14], and others, from which the following theorem was derived [
13].
Theorem 3. When the length n of the code word, which corresponds to the length of the output sequence obtained by the eavesdropper, is satisfied as follows:then, the probability of a key being correct is greater than if the total search complexity of the decryption algorithm iswhere is the maximum mutual information of the communication channel model with error ϵ. Although this body of theory analyzes computational problems in the context of information theory, it was pointed out by Yuen et al. that these theories are rather appropriate for the ITS analysis of generalized random ciphers [
10,
11]. Here, we apply this theory to a detailed characterization of generalized random ciphers.
The generalized random cipher consists of a PRNG with a short key and real noise for randomization of the ciphertext or running key sequences. The nonlinear filter part of the running key sequence of the generalized random cipher does not make sense from an information-theoretic point of view. Therefore, the model is replaced as follows.
A sequence of LFSR with an initial key is the channel input, and this sequence is perturbed by true noise and a channel model by the nonlinear part. But, the main issue is a perturbation by real noise. Then, the procedure of the eavesdropper is to use decoding theory for the code word (LFSR) based on the sequence with errors due to the true noise.
Conventional theories that use communication channel models for computational problems lose the rigor of applying code theory because the noise model is not an independent process, but in a generalized random cipher, noise is a true independent process, so the above idea is more valid. From the above, the aforementioned theorem can be read into the problem of information-theoretic cryptography.
As a result, if we consider the meaning of the unicity distance, we can set up the following relation.
is the maximum mutual information of the measurement channel where the eavesdropper receives the running key sequence. is the error probability due to true noise.
5. Protocol and Structure of Standard Quantum Stream Cipher
The challenge is how to show that the conceptually presented generalized random ciphers are real. The Y-00 protocol was proposed to solve this problem. The Y-00 protocol is a technique that combines cryptographically secure pseudo-random numbers and quantum noise effects, and is characterized by the fact that it can be equivalently regarded as a function to hide the ciphertext of mathematical ciphers with quantum noise. In this section, we show a simple explanation of the original scheme of a quantum stream cipher based on the Y-00 protocol [
10,
11], which is called a basic quantum stream cipher or standard quantum stream cipher.
In order to guarantee ultrahigh-speed and long-distance transmission, it is necessary to adopt optical signals with high energy, not single photon or entanglement light. However, in general, high-power signals have little quantum effect and do not adequately hide the ciphertext. Therefore, we introduce a mechanism in which the receiver Bob (the legitimate receiver) can ignore the quantum effect, such as quantum noise, and the receiver Eve (the eavesdropper) cannot avoid the quantum effect, even though the light is strong. This scheme is called “Advantage creation by secret key”. It is designed as follows:
- (a)
Let us consider two optical signals with quantum coherent states sending 0 and 1 data. Let us denote the two coherent state signals as follows:
and
, with
, which is an amplitude of laser light. A pair of two coherent states is called the communication basis
for transmitting the “Binary Signal Data” as plaintext, where
. It means to prepare a set
M of different pairs
of two coherent states with different complex amplitudes, as follows:
The selection can be realized by a unitary transformation controlled by the running key. In the standard quantum stream cipher, the data information are assigned regularly to one of the signals of each basis. Thus, in general there is a correlation between the plaintext and running key as in the conventional cipher.
- (b)
Alice and Bob share the same PRNG with the same secret key (for example 256 bits) as the conventional stream cipher. A sequence is generated by the output of PRNG. This is called a “running key” sequence in a stream cipher. Alice’s transmitter selects a communication basis in Equation (
32) following the running key of
M values, and then one of the binary data is transmitted by using the selected communication basis. Thus, a sequence of
-ary optical signals with coherent states of different amplitudes or phases is transmitted. It is a quantum ciphertext that must be converted into an electrical signal by quantum measurement for cryptanalysis.
- (c)
Alice and Bob share the same running key, so Bob can know which basis was selected. That is, he can receive the optical signal as the binary signal after an inverse unitary transformation. So, the quantum signals for Bob are as follows:
This is independent of the communication basis.
But Eve has no information on the running key, because she does not know the secret key for PRNG. So Eve has to use a receiver for
-valued signals, and has to discriminate
-ary phase shift keying (PSK) signals. In the case of phase shift keying, the set of quantum states is described by
where
m is controlled by the binary data and
M-ary running key. Thus the error performance of Bob is given by binary quantum detection, and the error performance of Eve is formulated by the
-ary quantum detection for cryptanalysis.
- (d)
The Y-00 protocol requires a signal constellation such that the binary detection is error free, but the
-ary signal detection suffers from the quantum noise effect based on the Helstrom–Holevo–Yuen principle [
15,
16,
17,
18]. That is, a non-orthogonal quantum state signal cannot be discriminated without error. The above structures satisfy this condition, because a binary detection of two coherent states is regarded as nearly orthogonal for
, but the
-ary detection for the complex amplitude
is regarded as a non-orthogonal quantum state system. The concrete signal constellation based on phase shift keying (PSK) is given in [
10].
- (e)
Consequently, Bob can obtain directly a data bit sequence without serious error. However, Eve can only obtain a multi-level signal sequence which corresponds to ciphertext as the measurement result of quantum ciphertext. This electrical sequence of the ciphertext has errors. So Eve has to recover the data sequence or secret key of the PRNG from this sequence with errors.
Thus a quantum stream cipher based on the Y-00 protocol is a candidate for the generalized random cipher in which Eve cannot obtain the correct ciphertext (see
Figure 7). Moreover, this scheme has technical advantages in real world applications. That is, the noise for randomization is only generated in the measurement process, and it does not disturb the bandwidth of the channel or data speed of the legitimate communicator. Thus, it is applicable to the conventional optical communication systems for ultrafast data transmission.
6. Quantum Communication Theory for Cryptanalysis
The security of the cipher relies on errors in the ciphertext that an eavesdropper can obtain. Therefore, quantum communication theory plays an essential role in analyzing errors in the ciphertext received by the eavesdropper. In the following, we will denote a formulation of the error analysis of the ciphertexts of legitimate receivers and eavesdroppers based on the quantum communication theory.
6.1. Fundamental Formulae
The quantum communication theory was initiated in the 1970s and 1980s by pioneers such as C. Helstrom, R. Kennedy, A. Holevo, V. Belavkin, H.P. Yuen, S. Personic, and V.W.Chan, and its whole formulation was integrated by Helstrom [
15] and Holevo [
16]. Specifically, Holevo [
17] and Yuen [
18] clarified the optimum conditions of the quantum Bayes detection rule for multi-level signals independently, and Hirota–Ikehara formulated the quantum minimax detection rule with the admissibility and completeness [
19] that corresponds to the quantum version of the Wald–Middleton decision theory [
20,
21]. An introduction is available in [
22]. Let us describe the formulation of quantum detection theory of the core of quantum Shannon theory. When the
-ary coherent state signal is received at each slot, the optimizing variable of the quantum measurement channel is described by a compact set of the positive operator-valued measure (POVM):
,
. Then, these operations are interpreted as the projector acting on the quantum state of each slot, and these provide error or detection probabilities as follows:
The appearance of quantum effects in the reception process of signals is characterized by the above formula. The quantum Bayes rule is formulated as follows:
where a priori probability is
for the admissibility in the decision theory. The necessary and sufficient conditions are given as follows [
17,
18]:
Theorem 4. : On the other hand, the quantum minimax rule is formulated as follows [
19]:
The necessary and sufficient conditions are given as follows [
19]:
Theorem 5. : In general, it is very difficult to find the solutions of the above two quantum detection rules. However, in the standard quantum stream cipher system, quantum state signals have a property of the covariant as defined below.
Definition 10. Let G be a group with an operation ∘
. The set of quantum state signals is called the group covariant if there exist unitary operators such thatIt characterizes the quantum states . The general properties of the quantum Bayes rule for the covariant case of multi parameters are given by Ban [
23]. One of the results for coherent state signals is as follows:
Theorem 6. If the signal set is a covariant, the optimum POVM is given by using Gram operator H as follows:and the optimum quantum Bayes solution iswhere is the base state. The error probability for Eve for
covariant signals can be given as follows [
15,
24,
25]:
where
. In addition, Osaki showed that the worst a priori probability in the quantum minimax rule for the covariant signals becomes the uniform distribution and the minimax solution is also given by Equations (41) and (42) [
26].
6.2. Advantage Creation by Differentiation of Quantum Detection Performance by Secret Key
Let us apply the above formulae to cryptanalysis. Bob can control the unitary transformation to convert back to binary optical signals by using the running key from the pseudo-random number for the
optical signals. Then, the quantum detection model becomes the binary quantum states of
: Equation (
33), independent of the communication basis. The average error probability is given by the Helstrom formula, as follows [
15]:
On the other hand, “in order for Eve to perform the cryptanalysis”, she has to obtain the information of the running key sequence by her quantum measurement to the
-ary quantum ciphertext. The first step in the procedure leading to an attack is to receive a signal flowing through the real communication channel. The average minimum error probability for the adopted quantum state signal scheme (or equivalently, the maximum detection probability) can be given by the following formulae: Equations (38), (39), (41), and (43). For
, it becomes
Thus, these formulae provide the theoretical accuracy of the ciphertext that the eavesdropper can obtain.
If Eve were to attempt to decode the binary data directly, she would adopt the binary quantum optimal measurement for the following mixed quantum states.
This structure of mixed states is called doubly symmetric mixed state, and Kato gives the quantum Bayes (also minimax) solution for such as mixed states of the coherent state [
27]. Then, the average error probability for binary data is given as follows:
The difference between Equation (
44) vs. Equation (
45) and Equation (
44) vs. Equation (
47) is called the advantage creation by the secret key.
6.3. Physical Processes for Cryptanalysis Against PRNG
A sequence of length
n of quantum ciphertext from a transmitter of a standard quantum stream cipher is described as follows:
are binary data (plaintext) and
is the running key of
M values from PRNG. Let us denote the physical attack process for cryptanalysis in the following.
6.3.1. Individual Quantum Measurement-Collective Procedure
Let us assume that Eve adopts a quantum optimum measurement
for each slot. The observed sequence corresponds to a sequence of the decision output for the
-valued signal at each slot. The randomness of signals is represented by Equation (
38), and its randomness automatically provides a fully independent true random noise. The target for Eve is data (binary plaintext) or the secret key of PRNG, and she has to estimate them from the sequence with errors based on the security analysis like in the correlation attack or other attack. Such a procedure is called an “
-
”.
6.3.2. Collective Quantum Measurement-Collective Procedure
On the other hand, Eve can adopt a collective quantum measurement. It is a quantum measurement such that one treats some slots of the coherent state sequence of -ary as one block quantum state. Here, Eve has to construct a quantum entanglement measurement system of signals, where is the length of the block. Based on such a measured sequence, she analyzes several attacks against the sequence. This scheme is called a “ - ”. When is a large number, it seems that this physical implementation is impossible. After such physical manipulations, the eavesdropper would be forced to make some crypt analytic attempts.
7. Cryptological Attack for Quantum Stream Cipher and Its Performance
7.1. The Main Attack Schemes of Symmetric Key Ciphers with PRNG
The PRNG used in this cipher is guaranteed to be computationally secure. If the eavesdropper’s error in the quantum stream cipher is zero, then the security is consistent with the security of the PRNG itself. Therefore, the security analysis of the quantum stream cipher is based on the error in the ciphertext received by the eavesdropper, which is an investigation of how the cryptanalysis of the mathematical cipher is invalidated. This is because the purpose of this cipher is to make the mathematical analysis and exhaustive search for symmetric key ciphers impossible. Thus, it is sufficient to mention exhaustive search, correlation attacks, and key compromise as attack methods for the discussion of information-theoretic security against symmetric key ciphers.
Here, let us describe briefly the concept of cryptological attacks against the standard and some generalized quantum stream ciphers. At first, we denote a notion of the quantum noise effect in the Y-00 protocol. Since the receiver Bob adopts a binary detection scheme by the communication basis synchronized with the same PRNG with the same secret key, there is no mismatch in the communication basis. Then, it outputs a binary signal as data without serious error, because the signal power is strong and the signal distance of the two signals in the basis is large (See
Figure 4). However, Eve’s received signals are
-ary and contain errors, because the signal distances between several signals are small. The extent of the error is called the noise masking region (See
Figure 8).
Definition 11. Let “ Γ ” be the number of signals masked by quantum noise in several measurement processes. Then, is the correct probability of signals in the wedge approximation.
7.1.1. Legitimate Receiver Simulation Attack
Let us consider the KPA based on the exhaustive search. This attack clarifies the difference between the standard symmetric key cipher and quantum stream ciphers. In the standard quantum stream cipher based on the Y-00 protocol, the data (plaintext) of the signal of each basis are deterministically set such that data 0 and 1 are regularly mapped to neighboring signals composed of a communication basis [
10]. That is, the data information is mapped to
clockwise of the phase signal in the phase space. This means that the standard quantum stream ciphers have a correlation between basis and data.
As a result, each signal of -valued signals has information for the plaintext (data) and the communication basis, simultaneously. The information of the basis corresponds to that of the running key. Therefore, if the each signal value can be determined by -ary detection, the plaintext and running key sequence information can be obtained directly.
In the above scheme, the information of binary plaintext in neighboring signals is completely masked by noises, but the information of the running key of M values has finite ambiguity, because the is small. In such a situation, it is easy for Eve to memorize the digital ciphertext sequence of the -ary signals containing errors. Eve can try KPA based on exhaustive search for all binary decisions similar to Bob on the stored sequence. This is called a .
Here, let us denote a rough approximate analysis for intuitive understanding. If the length of known plaintext is
which corresponds to the equivalent key length and also equals the length of the ciphertext, then the probability of the correct decision for the running key
of
length is
Equation (
49) means that the following number of keys corresponds to the correct plaintext of
length in the exhaustive search.
This means
In other words, these features correspond to the property of the random cipher based on the degeneracy structure [
10]. On the other hand, if there is no error, the cipher is
The above characteristics indicate that the criticism stating that the standard quantum stream is the same as the conventional cipher is incorrect.
7.1.2. Fast Correlation Attack
Let us assume that no restriction is placed on the known plaintext length. In this situation, one can consider the running key sequence (LFSR output) as a linear code and attempt a fast correlation attack on the received sequence with errors. The
-valued running key sequence of the LFSR output can be stored with errors. Then the
-valued sequence is converted to binary values and a fast correlation attack is performed. The performance is evaluated by the unicity distance. From the definition of unicity distance, we can obtain the channel capacity of Eve’s measurement channel. In general, the standard quantum stream cipher does not have sufficient performance against the fast correlation attack when
is small [
28]. The concrete example to overcome this will be shown in the subsequent section.
7.1.3. Secret Key Leakage Attack
Assume that Eve memorizes the digital ciphertext sequence of -ary signals containing errors. After communication, we assume that Eve can obtain the secret key of PRNG. Eve will try an attack to estimate the plaintext that uses the correct secret key to the measured sequence with errors. That is, Eve can adopt the threshold for the binary decision depending on the correct running key, and she collects the plaintext sequence. The performance against such an attack is the most important in the generalized Shannon random cipher. Unfortunately, the standard quantum stream cipher does not have immunity against this type of attack.
7.2. Role of Additional Randomization Technique
In generalized random ciphers, the ciphertext or running key sequence obtained by an eavesdropper is perturbed by a true noise (such as quantum noise). If the noise effect is small, it naturally cannot provide sufficient information-theoretic security from the above theory. For realistic applications, it is necessary to develop techniques to reduce the channel capacity in Equation (
31). Since noise must physically appear, such a generalized random cipher can be realized only at the physical layer.
The problem to make increasing noise, as described above, has little precedent in information theory and is the exact opposite of what has been done so far. That is, the technological development is to increase the noise effect of the eavesdropper, but it does not affect the legitimate communicator. In the channel model of the receiving process of the eavesdropper, the research to reduce its maximum mutual information is called “Randomization technology”, and several examples have already been studied. Specific models will be presented later, but further research is expected.
8. Randomizations Towards Generalized Quantum Stream Ciphers
The standard quantum stream cipher introduced in the previous section is highly practical and has affinity with real communication networks. However, it may have weaknesses in terms of the quantitative security evaluation. Randomization techniques are needed to realize a generalized quantum stream cipher with high performance. This section presents some examples of randomization methods and gives a rough description of the improvements achieved by each method.
8.1. Overlap Selection Keying (OSK)
The OSK is a mechanism to randomize the geometrical relation between the data (plaintext) and signal value of the communication basis, patented by Tamagawa University (Patent number 4451085, 27 June 2003) [
29]. It is to randomize the relation between the data and given basis based on a sequence from a branch of the PRNG. By this method, the correlation of the geometrical relation of the data and communication basis is broken inside of the region of quantum noise masking
. So, we have the following performance instead of Equation (
49):
In addition, the KPA is converted to the ciphertext-only attack. So the legitimate receiver simulation attack does not work. Thus, the unicity distance for KPA is guaranteed to have the following performance.
The other effect of OSK is that plaintext is automatically encrypted with pseudo-random numbers, and the plaintext itself becomes a kind of ciphertext called Y-00 plaintext.
8.2. Deliberate Signal Randomization (DSR)
Assume that a communication basis consists of a binary phase shift signal. A basis is randomly selected by the running key sequence from PRNG, and one signal for data is transmitted by the selected basis. Then,
M signals are located on the upper plain of the phase space, and the other
M signals are located on the lower plain of the phase space [
10]. Here, phase space means a space by quadrature amplitude
and
.
Even if
, the masking effect
by quantum noise in Eve’s receiver is not enough, because the quantum noise is small. To enhance Eve’s error, the signal for transmission is randomly shifted by true noise on the upper plain when the signal belongs to the upper plain, and is shifted on the lower plain when it belongs to the lower plain. This scheme is called Deliberate Signal Randomization (DSR) which corresponds to “
”. The strength of DSR is described by
. As a result, the masking region is enhanced by
, where
is the quantum noise effect. This was proposed by Yuen in 10 November 2003 [
30]. When we adopt OSK and DSR with
, we may have the ideal performance such as
Thus, this may improve the unicity distance in Equation (
54). The concrete example will be given in the subsequent section.
8.3. Quantum Noise Diffusion Mapping
The unicity distance of the generalized random cipher may be evaluated by the channel capacity of Eve from Equation (
31). In this theory, it can be regarded that the linear code has the initial value of LFSR as information propagates through the noisy channel. Thus, the decoding capability, as the decryptability, at that time is evaluated by the channel capacity. In other words, as the length of the LFSR increases and the rate decreases, it becomes smaller than the channel capacity and the decoding accuracy increases. To obtain a large unicity distance, it is necessary to reduce the eavesdropper’s channel capacity by additional randomization like DSR. However, there is a trade-off in that it requires sacrificing the communication performance of the legitimate communicator. Therefore, a method to increase the unicity distance while keeping the amount of noise fixed is the subject of research.
In 2007, Hirota–Kurosawa proposed a method to introduce a mapping mechanism from a sequence of PRNG to actual quantum states, such that the input to the noisy channel is regarded as a nonlinear code [
31]. This is achieved by re-diffusing the signal masked by a small quantum noise. This mechanism renders the fast correlation attack inoperative. In addition, it provides the immunity against algebra attacks. The detailed information-theoretic analysis of this method is still incomplete, but we look forward to further research.
8.4. Phase Masking by Symplectic Matrix
A theory for the randomization of the code form of coherent states is given by Sohma [
32]. It consists of the unitary operator
associated with a symplectic transformation in which any unitary operator composed of beamsplitters and phase shifters can be described by a symplectic transformation. First, let us consider the general code form of the coherent state, as follows:
From the Stone–von Neumann theorem [
33], the quantum characteristic function for the class of quantum Gaussian state is given as follows:
where
and where
are the canonical conjugate operators. Then
is a symplectic matrix, and it is given by
Here, let us denote a vector of complex amplitudes
, as follows:
then, we have the following relation.
As a result, the unitary transformation for the coherent state sequence is given as follows:
Thus, by scrambling the elements of Equation (
60) with pseudo-random numbers, one can construct codes with any waveform. This technology is useful to realize the coherent PPM scheme proposed by Yuen [
30].
9. Generalized Quantum Stream Cipher of Type-I and Its Performance
A quantum stream cipher that adds randomization techniques like OSK and DSR to the standard quantum stream is called a Type-I generalized quantum stream cipher. In this section, we show the scheme and its performance.
9.1. Communication Scheme
Let us describe the communication scheme for phase shift keying (PSK). A running key sequence is generated by PRNG with a short secret key. The selection scheme of communication basis by the running key is the same as the standard quantum stream cipher. In addition, several randomizations described above may be installed. Then, -valued signals are transmitted. Bob can adopt the binary quantum optimum receiver, but in practice he can adopt an optical heterodyne receiver.
In the latter case, the output of the receiver is an analog electrical current consisting of signal and quantum noise. For decoding, the threshold for binary decisions is controlled based on the running key. Using the selected threshold, the binary decision is performed to obtain data. This type of communication scheme can be realized by the current optical communication technology.
9.2. Unicity Distance of Known Plaintext Attack
Here, let us assume a phase shift keying (PSK) quantum stream cipher with DSR and OSK. Eve is forced to adopt a detection of
-ary signals and proceeds with the conventional fast correlation attack. Once the eavesdropper’s channel is set, the lower bound of the unicity distance is obtained by its channel capacity. The optimum condition of maximum mutual information for multi-valued quantum state signals is given by Holevo [
17], and the optimum POVM is given by Osaki [
34], based on the prediction of Fuchs–Peres [
35], as follows:
Theorem 7. : The optimum POVM for maximum mutual information is given by the quantum minimax detection operator when the signal set is covariant and linearly independent.
The numerical performance has been verified for the maximum mutual information property based on the above theorem. As a result, when
, it is possible to approximate its properties by the heterodyne receiver. In fact,
means that the signal set is regarded as an almost analog signal. To confirm it, we can estimate the optimality for an analog signal by the following theorem [
36].
Theorem 8. : The estimation bounds for complex amplitudes are given by the following formula.where the right logarithm derivative is defined byAnd its solution is as follows:where is a photon annihilation operator, and it corresponds to a heterodyne measurement. So, we can assume that the eavesdropper adopts the heterodyne receiver, which is the highest performance for asynchronous quantum state signals. In this case, the eavesdropper receives
original phase signals to obtain
M-valued information on the running key. The signal distance between signals is
, where
is the signal strength, and
is the masking effect of the signal by quantum noise. The amount of signal masking is
. When the strength of DSR that spreads the quantum noise effect is
, we have
. Here, the range of DSR can be set as follows.
The equivalent quantum noise of the optical heterodyne measurement is
, and the maximum mutual information in the wedge approximation is [
10]
(the exact communication channel capacity will be reported separately). Then the generalized unicity distance for KPA is
This is called the Nair–Yuen formula [
10]. If the strength of DSR is
, the generalized unicity distance is
This cannot be achieved using only a mathematical cipher. Thus, this scheme has advantages over conventional cryptographic mechanisms in terms of information-theoretic security. Although it is not the ultimate one, this type of system is expected to play a significant role in assuring the security of real optical communication systems.
9.3. Coherent Pulse Position Modulation Method
There is a method to realize the Type-I quantum stream cipher without using the above randomization technique. It is called the coherent pulse position modulation (CPPM). This mechanism takes information as M-valued and configures it as a transmitted signal system with M-ary PPM. The M-ary PPM signals are then spread like a pseudo-waveform signal into the M-ary slot by unitary transformations driven by a pseudo-random number generator. This scheme asymptotically approaches an eavesdropper’s ciphertext error of 1 as M increases. At the same time, however, it has the disadvantage of infinite baseband bandwidth, which makes it impractical. Recently, we have developed a method to avoid the bandwidth explosion. Details will be presented in another paper.
10. Generalized Quantum Stream Cipher of Type-II and Its Performance
In this section, we discuss a higher-security performance scheme than the Type-I system. When a secret key for the cipher is stolen after communications, the conventional cipher can be decrypted correctly. The most important feature of the generalized quantum stream cipher is that the cipher may not be decrypted even when the secret key is stolen. We discuss in this section “a conceptual model” to show that there exists secure communication even if the secret key is stolen.
10.1. Communication Scheme
Here we show that there exists a scheme that is resistant to the secret key leakage attack. Let us assume that a channel between Alice and Bob is low-loss.
- (a)
Alice uses PSK (phase shift keying). The set of the communication basis consists of two coherent states with small angles, as follows (See
Figure 9):
where
. When
, a set of
signals becomes covariant by Equation (
40). This communication basis is selected by a running key sequence. Then, plaintext is set to the selected basis, the same as in Type-I, or the quantum cipher text is generated by the unitary transform
to coherent states controlled by the running key sequence.
- (b)
Bob has the same unitary transform , and it inversely transforms the input quantum states depending on the running key sequence. The output quantum states from the inverse unitary transformation can be regarded as binary quantum states.
- (c)
Bob adopts the quantum optimum receiver with the Helstrom limit for these binary quantum states. The concrete system is called the Dolinar receiver. The average error for the data
is independent of the basis and it is given by Equation (
44), as follows:
The amplitude and phase difference are designed so that the above equation holds sufficiently small.
- (d)
Eve has to discriminate
-valued coherent state signals. Since Eve does not know the a priori probability distribution for the
-valued signals, she has to adopt a quantum minimax rule, as follows:
where
is a set of Equation (
71).
Figure 9.
The signal arrangement above is the conventional form in the PSK scheme, while the one below is the proposed form; 0 and 1 are the information of the plaintext.
Figure 9.
The signal arrangement above is the conventional form in the PSK scheme, while the one below is the proposed form; 0 and 1 are the information of the plaintext.
10.2. Secret Key Leakage Attack
Here, we show that the system is resistant to the secret key leakage attack. At first, Eve has to store a sequence of -valued signals received by the above quantum minimax receiver to try the crypto analysis. Once Eve has the secret key and the correct running key sequence after the measurement, she can try a classical binary decision scheme on sequences with errors in the 2M values for each slot.
Let us show how it works. When a set of quantum states is a covariant, the solution of the minimax rule is equivalent to the quantum Bayes rule with the worst a priori probability distribution:
[
26]. When
, one can approximate the error performance based on quantum noise by the analog version in the quantum decision theory. The solution becomes the heterodyne receiver. Thus, let us assume that Eve adopts the heterodyne receiver with an analog-to-digital converter with infinite bandwidth. She can store the almost analog signal consisting of signals and quantum Gaussian noise.
When Eve obtains the secret key and the correct running key sequence, she adopts the binary threshold decision based on the classical Bayes rule depending on the running key. It corresponds to a model for the binary decision for binary signals with Gaussian quantum noise, because the uncertainty caused by pseudo-random numbers will disappear. The error probability for the binary data (plaintext) is
The relation between Bob’s error, Equation (
72), and Eve’s errors, Equation (
74), with secret the key provided after communication for the plaintext (data) is as follows:
Thus, the sequences of plaintexts that Bob and Eve can obtain become as follows:
where
,
. As a result, Eve’s sequence consists of the plaintext
X and the quantum error sequence.
Here, we can regard the quantum error as the random key:
. The structure of Eve’s sequence of plaintext, Equation (
77), is equivalent to the Shannon cipher with the key sequence
. So the unicity distance of the final sequence for Eve is as follows.
where
is the entropy of the quantum error sequence and
is the entropy per symbol of the plaintext.
Thus, in principle, there exists the generalized Shannon random cipher with the following performance:
However, we emphasize that this is intended to provide theoretical evidence and is applicable only to channels with very low losses. Therefore, more careful research is needed for practical application.
11. Generalized Quantum Stream Cipher of Type-III and Its Performance
The principle of the previous schemes was to adopt a pseudo-random number generator (PRNG) for the diffusion of the quantum noise effect. Here, we show new schemes such that the quantum ciphertext is constructed by directly mapping the plaintext regularly to the quantum state signal without an encryption mechanism by the PRNG and secret key.
11.1. Communication Scheme as Protocol 1
First, we consider the encryption mechanism such that the advantage creation is given only by the difference of Bob’s and Eve’s receiving mechanisms. Let us assume that Alice can control the a priori probability of M-valued coherent state signals. So, Bob can use the quantum Bayes rule because Bob knows the a priori probability of the ciphertext, and Eve is forced to use the quantum minimax rule because she does not know the a priori probability of the ciphertext. This corresponds to the advantage creation based on only error performances between the quantum Bayes rule and quantum minimax rule. The communication scheme of the protocol is as follows:
- (a)
The plaintext consists of a combination of
J bits
. The information data becomes
, as follows:
Next, assume that Alice can control the prior probability distribution of M-valued coherent state signals. However, the structure of the quantum state set will be exposed. In other words, the only thing unknown to Eve is the a priori probability distribution.
- (b)
The
M-valued plaintext is mapped regularly to one of the
M-valued quantum states as follows:
For example, an M-ary PSK scheme can be used, but the signal constellation may not be covariant.
- (c)
Bob has information for the a priori probability for
M signals and has information about the structure of the quantum state ensemble
. Then, he can adopt the quantum Bayes decision rule. His error probability is given by
Eve knows the structure of quantum state signals, but she does not know the a priori probability distribution. So, she has to adopt the quantum minimax decision rule as follows:
Then, her error probability is given by the quantum Bayes rule with the worst a priori probability. We wish to enlarge the absolute quantity of Eve’s error. To achieve this, we can adopt the concept of covariant and non-covariant signals [
37,
38,
39]. For discrete signals, the criterion of these is given by the following [
40].
Theorem 9. :
M-ary signals are group covariant with respect to a group of order M if and only if the following relation holds:where and ∘
is the operation of the group G. The minimax decision rule gives a solution assuming an a priori probability distribution that gives the maximum value of the Bayes rule solution. Here, when the signal system is not group covariant, the worst a priori probability distribution of minimax is not uniform [
26]. According to the general theory of quantum detection theory [
17,
19], we have the following relation.
That is, when the set of quantum states is not covariant, the error performances for the minimax rules themselves is greatly degraded, depending on the signal properties [
26,
41]. Thus, we can have the following relation.
Using this property, the system uses a signal set that is not group covariant and transmits with an a priori probability distribution
that maximizes the characteristic difference between Bayes and minimax. The optimization problem is given as follows:
where
is the a priori probability distribution that Alice can control, and the relation among the a priori probability distributions is
.
is a structure of non-covariant states. Here, the worst a priori probability distribution
for the minimax is determined only by the structure of non-covariant quantum states. Thus, even if the legitimate communicators do not have PRNG with the secret symmetric key, we can realize an encryption scheme based on the advantage creation due to the Holevo–Yuen theory. The details of this property require numerical analysis and it will be shown in the subsequent paper.
11.2. Communication Scheme as Protocol 2
Here, we consider the second candidate of the encryption without PRNG applicable to space communication. In general, space communication is modeled by a continuous waveform communication model [
42]. In such purposes, a wire-tap channel model assumes poor signal-to-noise ratio conditions for eavesdroppers under natural conditions. However, the wire-tap channel models based on the Holevo–Yuen theory are different to conventional theories, because they are characterized by creating an advantage for legitimate communicators by legitimate communicators. Let us discuss the basic concept of the wire-tap channel scheme in the sense of the advantage creation principle based on the quantum communication theory by Holevo–Yuen.
The conventional wire-tap channel model requires a special channel such that the signal-to-noise ratio of Bob is greater than that of Eve, as the system requirement. We replace its condition with the notion of advantage creation in the quantum measurements. According to the quantum Shannon theory established by Holevo and others [
16], the capacity formula for the lossy Gaussian noise channel for coherent states is given as follows [
43]:
Theorem 10. The capacity formula of the quantum lossy Gaussian noise channel for coherent state signals is given as follows:where S and are average photon numbers of the received signal and additive noise, respectively. The above formula is in general greater than the Shannon classical capacity. To achieve this Holevo capacity in the realization stage, the communicators must have prior knowledge of the quantum signal structure, time–phase synchronization and other various conditions. The capacity can only be achieved by adopting a quantum optimum measurement under those conditions. The time–phase synchronization between Alice and Bob is available, but Eve cannot obtain such system parameter information.
The secret capacity is defined as follows:
where
and
are POVMs for Bob and Eve, respectively. The mutual information for Eve is formulated under the condition that Eve does not know the system parameter information. If the system parameter is not known, a heterodyne receiver would be optimal. Thus, Eve’s POVM is restricted to the heterodyne. With this differentiation, it is possible to construct a modified wire-tap channel communication scheme.
A conjecture of the concrete formula of the secret capacity for this model based on the coherent state is as follows [
44].
where
and
are the average photon numbers of signal and noise for Bob.
and
are those for Eve. When the above formula is positive, one can implement the secure communication system in principle.
For the practical discussions, we need a discretization technique like the realization of classical waveform communication [
42]. Then we need to construct a coding theory that creates an advantage for the legitimate communicators. It is equivalent to constructing the super-additivity of mutual information. The first challenge to clarify the effect of coding was made in [
45].
12. Conclusions
In this paper, we explained that generalized quantum stream ciphers, which can improve the shortcomings of one-time pad ciphers, are realizable by applying quantum effects. The most important claim of this paper is that the quantum stream cipher based on the Holevo–Yuen theory is guaranteed to be information-theoretically secure, even though it consists of a PRNG with a short secret key.
Figure 10 shows the difference in principles that guarantee the security. To demonstrate the performance of such ciphers, we have introduced the generalized unicity distance and showed some examples. A more detailed theoretical analysis needs to be developed for the realization of the ultimate performance, such as for Type-II and Type-III.
On the other hand, a number of experimental studies for the standard quantum stream cipher have already been initiated on the basis of the above theory. As a result, promising results for practical application have been obtained by groups in the USA, Japan, and China [
46,
47,
48,
49,
50,
51,
52,
53]. In addition, the generalized quantum stream cipher with randomizations of Type-I has been implemented by the Futami group [
54]. This is the first demonstration of a quantum stream cipher with sufficient information-theoretic security.
The purpose and methods of development of such research and development are quite different from those of quantum technology in physics, which currently has the largest research population. As a result, the concept of security and the method of proof are completely different, making some aspects difficult to explain.
Figure 11 illustrates the difference in concepts.
Figure 12 shows the summary of the comparisons among several schemes of stream ciphers.
Finally, another possibility of the generalized random ciphers is Shapiro’s scheme, the so-called quantum low probability of intercept [
55], and Lloyd’s scheme [
56]. These will be introduced in part III.